Analysis Task

Analysis type	VM label	Start time	End time	Duration
File (Windows)	win7-sp1-x64-hpdapp01-1	2020-09-25 18:21:10	2020-09-25 18:23:37	147 seconds

Maldun (魔盾) Score

10.0

Dangerous

File Details

File name	2、国产远程利器ToDesk​.rar ==> ToDesk.exe
File size	3751800 bytes
File type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5 f5187a4abe17de8912b979cd1f2f09cb
SHA1 15cb52032a31dbe5ed02a89ee787f60a80e27192
SHA256 89b7ff1acae881b776beb246217b9fca4199b6301778fa4da83b04e8689c0600
SHA512 c6a11c31e809ec7e1e1691edf62c98fa27fc76e51ac1864c81151cdf6ed4c51de279e33823f2dee0be5b31135f2ed5e0a48f53ae956583c5032f2093d5e7cf4f
CRC32 C3460AA7
Ssdeep 98304:LTXayQ8QthiwEWWAUIBQBbyPCt1Zht5ezKYUB/ufcq774:/48GhiwPw+QBGK7ZeKYOQ774
Yara
  • Spotted potential malicious behaviors from a small size target, like process manipulation, privilege, token and files
  • Detected Digital Signature

Screenshots


Hosts contacted

No host records.

DNS resolution

Domain	Security rating	Response
acroipm.adobe.com CNAME a1983.dscd.akamai.net
CNAME acroipm.adobe.com.edgesuite.net
A 184.28.188.184
A 184.28.188.195

Summary

\Device\KsecDD
\??\MountPointManager
C:\Users\test\AppData\Local\Temp\
C:\Users\test\AppData\Local\Temp
C:\Users\test\AppData\Local\Temp\nsj3F7F.tmp
C:\Users\test\AppData\Local\Temp\rar-tmp\ToDesk.exe
C:\Users\test\AppData\Local\Temp\nso403B.tmp
C:\Users\test\AppData\Local\Temp\nse404C.tmp
C:\Users
C:\Users\test
C:\Users\test\AppData
C:\Users\test\AppData\Local
C:\Users\test\AppData\Local\Temp\nse404C.tmp\System.dll
C:\Windows\Fonts\staticcache.dat
C:\Users\test\AppData\Local\Temp\nse404C.tmp\FindProcDLL.dll
C:\Program Files (x86)\ToDesk
C:\Program Files (x86)
C:\
C:\Program Files (x86)\
C:\Users\test\AppData\Local\Temp\nse404C.tmp\SimpleSC.dll
C:\Users\test\AppData\Local\Temp\rar-tmp
C:\Users\test\AppData\Local\Temp\nse404C.tmp\SimpleSC.CHS
C:\Users\test\AppData\Local\Temp\nse404C.tmp\SimpleSC.CHS.DLL
C:\Users\test\AppData\Local\Temp\nse404C.tmp\SimpleSC.CH
C:\Users\test\AppData\Local\Temp\nse404C.tmp\SimpleSC.CH.DLL
C:\Program Files (x86)\ToDesk\CrashReport.exe
C:\Program Files (x86)\ToDesk\ToDesk.exe
C:\Program Files (x86)\ToDesk\ToDesk_Service.exe
C:\Program Files (x86)\ToDesk\ToDesk_Session.exe
C:\Program Files (x86)\ToDesk\todeskupd.exe
C:\Program Files (x86)\ToDesk\更新日志.txt
C:\Program Files (x86)\ToDesk\drivers
C:\Program Files (x86)\ToDesk\drivers\MirrInst32.exe
C:\Program Files (x86)\ToDesk\drivers\MirrInst64.exe
C:\Program Files (x86)\ToDesk\drivers\instdrv.exe
C:\Users\test\AppData\Local\Temp\nse404C.tmp\nsExec.dll
\Device\NamedPipe\
C:\Users\test\AppData\Local\Temp\nse404C.tmp\AccessControl.dll
C:\Users\test\AppData\Local\Temp\nse404C.tmp\nsisFirewall.dll
C:\ProgramData
C:\ProgramData\Microsoft
C:\ProgramData\Microsoft\Windows
C:\ProgramData\Microsoft\Windows\Start Menu
C:\ProgramData\Microsoft\Windows\Start Menu\Programs
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ToDesk
C:\Program Files (x86)\desktop.ini
\??\PIPE\srvsvc
C:\DosDevices\pipe\
C:\Program Files (x86)\ToDesk\
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ToDesk\ToDesk.lnk
C:\Users\Public\Desktop\ToDesk.lnk
C:\Program Files (x86)\ToDesk\uninstall.exe
C:\Users\test\AppData\Local\Temp\nst533D.tmp
C:\Users\test\AppData\Local\Temp\nsz535E.tmp
C:\Users\test\AppData\Local\Temp\nso536E.tmp
C:\Users\test\AppData\Local\Temp\nso536E.tmp\System.dll
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\MirrInst32.exe
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\MirrInst64.exe
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\dfmirage.cat
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\dfmirage.inf
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\x64
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\x64\dfmirage.dll
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\x64\dfmirage.sys
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\x86
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\x86\dfmirage.dll
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\x86\dfmirage.sys
C:\Users\test\AppData\Local\Temp\nso536E.tmp\SimpleSC.dll
C:\Users\test\AppData\Local\Temp\nso536E.tmp\SimpleSC.CHS
C:\Users\test\AppData\Local\Temp\nso536E.tmp\SimpleSC.CHS.DLL
C:\Users\test\AppData\Local\Temp\nso536E.tmp\SimpleSC.CH
C:\Users\test\AppData\Local\Temp\nso536E.tmp\SimpleSC.CH.DLL
C:\Users\test\AppData\Local\Temp\nso536E.tmp\nsExec.dll
\Device\NamedPipe
C:\Users\test\AppData\Local\Temp\nso536E.tmp\*.*
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\*.*
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\x64\*.*
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\x64\
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\x86\*.*
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\x86\
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\
C:\Users\test\AppData\Local\Temp\nso536E.tmp\
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\dflogging.dll
C:\Windows\sysnative\dflogging.dll
C:\Windows\system\dflogging.dll
C:\Windows\dflogging.dll
C:\ProgramData\Oracle\Java\javapath\dflogging.dll
C:\Windows\sysnative\wbem\dflogging.dll
C:\Windows\sysnative\WindowsPowerShell\v1.0\dflogging.dll
C:\Program Files (x86)\WinRAR\dflogging.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\inf\
C:\Windows\inf\setupapi.dev.log
C:\Windows\sysnative\DriverStore\infpub.dat
C:\Windows\sysnative\DriverStore\infstor.dat
C:\Windows\sysnative\DriverStore\infstrng.dat
C:\Windows\sysnative\DriverStore\drvindex.dat
C:\Windows\sysnative\DriverStore\INFCACHE.0
C:\Windows\sysnative\DriverStore\INFCACHE.1
C:\Windows\sysnative\DriverStore\INFCACHE.2
C:\Windows\sysnative\p2pcollab.dll
C:\Windows\sysnative\QAGENTRT.DLL
C:\Windows\sysnative\dnsapi.dll
C:\Windows\sysnative\fveui.dll
C:\Windows\inf\oem*.inf
C:\Windows\inf\dfmirage.inf
C:\Windows\sysnative\DriverStore
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}\x64\dfmirage.dll
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}\x64\dfmirage.sys
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}\dfmirage.cat
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}\dfmirage.inf
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}\x64\
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}\
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}\x64
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\dfmirage.dll
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}\x64\SETCEB3.tmp
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\dfmirage.sys
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}\x64\SETCF02.tmp
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}\SETCF51.tmp
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}\SETCF91.tmp
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}\*
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}\x64\*
C:\Windows\sysnative\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\
C:\Windows\sysnative\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\
C:\Windows\sysnative\catroot2\dberr.txt
C:\Windows\sysnative\catroot
C:\Windows\sysnative\catroot2
C:\Windows\inf\oem2.inf
C:\Windows\inf\oem2.PNF
C:\Windows\sysnative\dispci.dll
C:\Windows\sysnative\DispCI.dll.Manifest
C:\Windows\setupact.log
C:\Windows\setuperr.log
C:\Windows\sysnative\DriverStore\FileRepository\dfmirage.inf_amd64_neutral_83b5f055f9286973\dfmirage.inf
C:\Windows\sysnative\DriverStore\FileRepository\dfmirage.inf_amd64_neutral_83b5f055f9286973\dfmirage.PNF
\Device\KsecDD
C:\Users\test\AppData\Local\Temp\nsj3F7F.tmp
C:\Users\test\AppData\Local\Temp\rar-tmp\ToDesk.exe
C:\Users\test\AppData\Local\Temp\nso403B.tmp
C:\Users\test\AppData\Local\Temp\nse404C.tmp
C:\Windows\Fonts\staticcache.dat
C:\Users\test\AppData\Local\Temp\nse404C.tmp\System.dll
C:\Users\test\AppData\Local\Temp\nse404C.tmp\FindProcDLL.dll
C:\Users\test\AppData\Local\Temp\nse404C.tmp\SimpleSC.dll
C:\Users\test\AppData\Local\Temp\nse404C.tmp\nsExec.dll
\Device\NamedPipe\
C:\Users\test\AppData\Local\Temp\nse404C.tmp\AccessControl.dll
C:\Program Files (x86)\ToDesk
C:\Program Files (x86)\ToDesk\drivers
C:\Users\test\AppData\Local\Temp\nse404C.tmp\nsisFirewall.dll
C:\
C:\Program Files (x86)\desktop.ini
C:\Program Files (x86)
\??\PIPE\srvsvc
C:\Program Files (x86)\ToDesk\ToDesk.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ToDesk\ToDesk.lnk
C:\Users\Public\Desktop\ToDesk.lnk
C:\Users\test\AppData\Local\Temp\nst533D.tmp
C:\Program Files (x86)\ToDesk\drivers\instdrv.exe
C:\Users\test\AppData\Local\Temp\nsz535E.tmp
C:\Users\test\AppData\Local\Temp\nso536E.tmp
C:\Users\test\AppData\Local\Temp\nso536E.tmp\System.dll
C:\Users\test\AppData\Local\Temp\nso536E.tmp\SimpleSC.dll
C:\Users\test\AppData\Local\Temp\nso536E.tmp\nsExec.dll
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\
C:\Users\test\AppData\Local\Temp\nso536E.tmp\
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\inf\setupapi.dev.log
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\dfmirage.inf
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\dfmirage.cat
C:\Windows\sysnative\DriverStore\infpub.dat
C:\Windows\sysnative\DriverStore\infstrng.dat
C:\Windows\sysnative\DriverStore\infstor.dat
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\x64\dfmirage.dll
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}\x64\SETCEB3.tmp
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\x64\dfmirage.sys
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}\x64\SETCF02.tmp
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}\SETCF51.tmp
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}\SETCF91.tmp
C:\Windows\sysnative\catroot2\dberr.txt
C:\Windows\inf\oem2.PNF
C:\Windows\inf\oem2.inf
C:\Windows\sysnative\dispci.dll
C:\Windows\setupact.log
C:\Windows\setuperr.log
C:\Windows\sysnative\DriverStore\FileRepository\dfmirage.inf_amd64_neutral_83b5f055f9286973\dfmirage.PNF
C:\Users\test\AppData\Local\Temp\nso403B.tmp
C:\Users\test\AppData\Local\Temp\nse404C.tmp\System.dll
C:\Users\test\AppData\Local\Temp\nse404C.tmp\FindProcDLL.dll
C:\Users\test\AppData\Local\Temp\nse404C.tmp\SimpleSC.dll
C:\Program Files (x86)\ToDesk\CrashReport.exe
C:\Program Files (x86)\ToDesk\ToDesk.exe
C:\Program Files (x86)\ToDesk\ToDesk_Service.exe
C:\Program Files (x86)\ToDesk\ToDesk_Session.exe
C:\Program Files (x86)\ToDesk\todeskupd.exe
C:\Program Files (x86)\ToDesk\更新日志.txt
C:\Program Files (x86)\ToDesk\drivers\MirrInst32.exe
C:\Program Files (x86)\ToDesk\drivers\MirrInst64.exe
C:\Program Files (x86)\ToDesk\drivers\instdrv.exe
C:\Users\test\AppData\Local\Temp\nse404C.tmp\nsExec.dll
C:\Users\test\AppData\Local\Temp\nse404C.tmp\AccessControl.dll
C:\Users\test\AppData\Local\Temp\nse404C.tmp\nsisFirewall.dll
\??\PIPE\srvsvc
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ToDesk\ToDesk.lnk
C:\Users\Public\Desktop\ToDesk.lnk
C:\Program Files (x86)\ToDesk\uninstall.exe
C:\Users\test\AppData\Local\Temp\nsz535E.tmp
C:\Users\test\AppData\Local\Temp\nso536E.tmp\System.dll
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\MirrInst32.exe
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\MirrInst64.exe
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\dfmirage.cat
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\dfmirage.inf
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\x64\dfmirage.dll
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\x64\dfmirage.sys
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\x86\dfmirage.dll
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\x86\dfmirage.sys
C:\Users\test\AppData\Local\Temp\nso536E.tmp\SimpleSC.dll
C:\Users\test\AppData\Local\Temp\nso536E.tmp\nsExec.dll
\Device\NamedPipe
C:\Windows\inf\setupapi.dev.log
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}\x64\SETCEB3.tmp
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}\x64\dfmirage.dll
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}\x64\SETCF02.tmp
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}\x64\dfmirage.sys
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}\SETCF51.tmp
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}\dfmirage.cat
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}\SETCF91.tmp
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}\dfmirage.inf
C:\Windows\sysnative\catroot2\dberr.txt
C:\Windows\sysnative\DriverStore\infpub.dat
C:\Windows\sysnative\DriverStore\infstrng.dat
C:\Windows\inf\oem2.PNF
C:\Windows\setupact.log
C:\Windows\setuperr.log
C:\Users\test\AppData\Local\Temp\nsj3F7F.tmp
C:\Users\test\AppData\Local\Temp\nse404C.tmp
C:\Users\test\AppData\Local\Temp\nst533D.tmp
C:\Users\test\AppData\Local\Temp\nso536E.tmp
C:\Users\test\AppData\Local\Temp\nso536E.tmp\nsExec.dll
C:\Users\test\AppData\Local\Temp\nso536E.tmp\SimpleSC.dll
C:\Users\test\AppData\Local\Temp\nso536E.tmp\System.dll
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\dfmirage.cat
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\dfmirage.inf
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\MirrInst32.exe
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\MirrInst64.exe
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\x64\dfmirage.dll
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\x64\dfmirage.sys
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\x64\
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\x86\dfmirage.dll
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\x86\dfmirage.sys
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\x86\
C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\
C:\Users\test\AppData\Local\Temp\nso536E.tmp\
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}\x64\SETCEB3.tmp
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}\x64\SETCF02.tmp
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}\SETCF51.tmp
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}\SETCF91.tmp
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}\dfmirage.cat
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}\dfmirage.inf
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}\x64\dfmirage.dll
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}\x64\dfmirage.sys
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}\x64
C:\Users\test\AppData\Local\Temp\{0566862a-fb33-55b8-db3d-db474c5f604f}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\ToDesk.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software
HKEY_LOCAL_MACHINE\Software
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Append Completion
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\AutoSuggest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Always Use Tab
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\Always Use Tab
HKEY_CLASSES_ROOT\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Client\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\Client\(Default)
HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\宋体
HKEY_CURRENT_USER\Software\Borland\Locales
HKEY_CURRENT_USER\Software\Borland\Locales\C:\Users\test\AppData\Local\Temp\rar-tmp\ToDesk.exe
HKEY_CURRENT_USER\Software\Borland\Locales\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders\Common Desktop
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders\Common Documents
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders\CommonPictures
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders\CommonMusic
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders\CommonVideo
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{DE92C1C7-837F-4F69-A3BB-86E631204A23}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\My Music
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders\{3D644C9B-1FB8-4F30-9B45-F670235F79C0}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProfilesDirectory
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders\Common Startup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Programs
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\ToDesk.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\ToDesk.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{01F79EE3-1012-42FF-BEA7-A17EE6C384DC}_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01F79EE3-1012-42FF-BEA7-A17EE6C384DC}_is1\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01F79EE3-1012-42FF-BEA7-A17EE6C384DC}_is1\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01F79EE3-1012-42FF-BEA7-A17EE6C384DC}_is1\UninstallString
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01F79EE3-1012-42FF-BEA7-A17EE6C384DC}_is1\DisplayIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01F79EE3-1012-42FF-BEA7-A17EE6C384DC}_is1\DisplayVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01F79EE3-1012-42FF-BEA7-A17EE6C384DC}_is1\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01F79EE3-1012-42FF-BEA7-A17EE6C384DC}_is1\Publisher
HKEY_CURRENT_USER\Software\Borland\Locales\C:\Program Files (x86)\ToDesk\drivers\instdrv.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogMaxFileSize
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupapiLogStatus
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupapiLogStatus\setupapi.dev.log
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7\Name
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4b\AAF68885
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4B\AAF68885\LanguageList
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4B\AAF68885\@%SystemRoot%\system32\p2pcollab.dll,-8042
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4B\AAF68885\@%SystemRoot%\system32\qagentrt.dll,-10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4B\AAF68885\@%SystemRoot%\system32\dnsapi.dll,-103
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4B\AAF68885\@%SystemRoot%\System32\fveui.dll,-843
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4B\AAF68885\@%SystemRoot%\System32\fveui.dll,-844
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileBufferedSynchronousIo
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileChunkSize
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileOverlappedCount
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\380D660E
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\133121
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{000C10F1-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{06C9E010-38CE-11D4-A2A3-00104BD35090}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{1A610570-38CE-11D4-A2A3-00104BD35090}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptSIPDllPutSignedDataMsg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{000C10F1-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{06C9E010-38CE-11D4-A2A3-00104BD35090}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{1A610570-38CE-11D4-A2A3-00104BD35090}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptSIPDllCreateIndirectData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllEncodeObjectEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.1.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllEncodeObject
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2002
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2003
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2004
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2005
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2006
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2007
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2008
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2009
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2221
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2222
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.1.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.20
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.25
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.26
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.27
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.28
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.30
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.4
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography
HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeInProgress
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Services\dfmirage\DEVICE0
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AccessProviders
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Services\dfmirage
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\SERVICES\dfmirage\DEVICE0\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Append Completion
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\AutoSuggest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Always Use Tab
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\Always Use Tab
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\Client\(Default)
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\宋体
HKEY_CURRENT_USER\Software\Borland\Locales\C:\Users\test\AppData\Local\Temp\rar-tmp\ToDesk.exe
HKEY_CURRENT_USER\Software\Borland\Locales\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders\Common Desktop
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders\Common Documents
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders\CommonPictures
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders\CommonMusic
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders\CommonVideo
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{DE92C1C7-837F-4F69-A3BB-86E631204A23}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\My Music
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders\{3D644C9B-1FB8-4F30-9B45-F670235F79C0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProfilesDirectory
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders\Common Startup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Programs
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{52A4F021-7B75-48A9-9F6B-4B87A210BC8F}
HKEY_CURRENT_USER\Software\Borland\Locales\C:\Program Files (x86)\ToDesk\drivers\instdrv.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogMaxFileSize
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7\Name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4B\AAF68885\@%SystemRoot%\system32\p2pcollab.dll,-8042
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4B\AAF68885\@%SystemRoot%\system32\qagentrt.dll,-10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4B\AAF68885\@%SystemRoot%\system32\dnsapi.dll,-103
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4B\AAF68885\@%SystemRoot%\System32\fveui.dll,-843
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4B\AAF68885\@%SystemRoot%\System32\fveui.dll,-844
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileBufferedSynchronousIo
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileChunkSize
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CopyFileOverlappedCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\380D660E
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\133121
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupapiLogStatus\setupapi.dev.log
HKEY_LOCAL_MACHINE\SYSTEM\Setup\UpgradeInProgress
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{01F79EE3-1012-42FF-BEA7-A17EE6C384DC}_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01F79EE3-1012-42FF-BEA7-A17EE6C384DC}_is1\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01F79EE3-1012-42FF-BEA7-A17EE6C384DC}_is1\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01F79EE3-1012-42FF-BEA7-A17EE6C384DC}_is1\UninstallString
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01F79EE3-1012-42FF-BEA7-A17EE6C384DC}_is1\DisplayIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01F79EE3-1012-42FF-BEA7-A17EE6C384DC}_is1\DisplayVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01F79EE3-1012-42FF-BEA7-A17EE6C384DC}_is1\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01F79EE3-1012-42FF-BEA7-A17EE6C384DC}_is1\Publisher
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupapiLogStatus
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupapiLogStatus\setupapi.dev.log
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4B\AAF68885\LanguageList
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Services\dfmirage\DEVICE0
version.dll.GetFileVersionInfoA
shfolder.dll.SHGetFolderPathA
shlwapi.dll.#437
cryptbase.dll.SystemFunction036
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#386
kernel32.dll.GetUserDefaultUILanguage
shell32.dll.#680
comctl32.dll.RegisterClassNameW
uxtheme.dll.EnableThemeDialogTexture
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
gdi32.dll.GetTextExtentExPointWPri
system.dll.Call
kernel32.dll.CreateMutexA
findprocdll.dll.FindProc
psapi.dll.EnumProcesses
psapi.dll.EnumProcessModules
psapi.dll.GetModuleBaseNameA
uxtheme.dll.OpenThemeData
imm32.dll.ImmIsIME
kernel32.dll.GetDiskFreeSpaceExA
imm32.dll.ImmGetContext
imm32.dll.ImmLockIMC
imm32.dll.ImmUnlockIMC
imm32.dll.ImmReleaseContext
imm32.dll.ImmSetCompositionFontW
imm32.dll.ImmGetCompositionWindow
imm32.dll.ImmSetCompositionWindow
shlwapi.dll.SHAutoComplete
ole32.dll.CoCreateInstance
comctl32.dll.#411
comctl32.dll.#410
ole32.dll.CLSIDFromString
comctl32.dll.#413
gdi32.dll.GetFontAssocStatus
gdi32.dll.GdiIsMetaPrintDC
uxtheme.dll.BufferedPaintInit
uxtheme.dll.BeginBufferedPaint
uxtheme.dll.EndBufferedPaint
oleaut32.dll.SysAllocString
oleaut32.dll.SysStringLen
oleaut32.dll.SysFreeString
comctl32.dll.#412
comctl32.dll.#388
uxtheme.dll.BufferedPaintUnInit
kernel32.dll.GetLongPathNameA
simplesc.dll.ServiceIsStopped
simplesc.dll.RemoveService
kernel32.dll.GetVersionExA
system.dll.Free
nsexec.dll.Exec
kernel32.dll.IsWow64Process
accesscontrol.dll.GrantOnFile
advapi32.dll.ConvertStringSidToSidA
advapi32.dll.GetNamedSecurityInfoA
advapi32.dll.SetEntriesInAclA
advapi32.dll.SetNamedSecurityInfoA
nsisfirewall.dll.AddAuthorizedApplication
propsys.dll.PSCreateMemoryPropertyStore
linkinfo.dll.CreateLinkInfoW
user32.dll.IsCharAlphaW
user32.dll.CharPrevW
ntshrui.dll.GetNetResourceFromLocalPathW
srvcli.dll.NetShareEnum
cscapi.dll.CscNetApiGetInterface
slc.dll.SLGetWindowsInformationDWORD
shlwapi.dll.PathRemoveFileSpecW
linkinfo.dll.DestroyLinkInfo
oleaut32.dll.#500
simplesc.dll.ServiceIsRunning
kernel32.dll.GetCurrentProcess
system.dll.Int64Op
ole32.dll.NdrOleInitializeExtension
ole32.dll.CoGetClassObject
ole32.dll.CoGetMarshalSizeMax
ole32.dll.CoMarshalInterface
ole32.dll.CoUnmarshalInterface
ole32.dll.StringFromIID
ole32.dll.CoGetPSClsid
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
ole32.dll.CoReleaseMarshalData
ole32.dll.DcomChannelSetHResult
advapi32.dll.UnregisterTraceGuids
comctl32.dll.#321
setupapi.dll.CMP_WaitNoPendingInstallEvents
setupapi.dll.SetupDiGetClassDevsW
setupapi.dll.SetupDiDestroyDeviceInfoList
setupapi.dll.SetupDiEnumDeviceInfo
setupapi.dll.SetupDiGetDeviceInstanceIdW
setupapi.dll.SetupDiGetDeviceRegistryPropertyW
setupapi.dll.SetupDiSetDeviceRegistryPropertyW
setupapi.dll.SetupDiCreateDeviceInfoList
setupapi.dll.SetupDiGetINFClassW
setupapi.dll.SetupDiClassGuidsFromNameW
setupapi.dll.SetupDiClassNameFromGuidW
setupapi.dll.SetupDiCreateDeviceInfoW
setupapi.dll.SetupDiDeleteDeviceInfo
setupapi.dll.SetupDiRegisterDeviceInfo
setupapi.dll.SetupDiBuildDriverInfoList
setupapi.dll.SetupDiDestroyDriverInfoList
setupapi.dll.SetupDiEnumDriverInfoW
setupapi.dll.SetupDiSetSelectedDevice
setupapi.dll.SetupDiSetSelectedDriverW
setupapi.dll.SetupDiSetClassInstallParamsW
setupapi.dll.SetupDiGetDeviceInstallParamsW
setupapi.dll.SetupDiSetDeviceInstallParamsW
setupapi.dll.SetupDiCallClassInstaller
setupapi.dll.SetupDiChangeState
setupapi.dll.SetupDiEnumDeviceInterfaces
setupapi.dll.SetupDiRemoveDeviceInterface
setupapi.dll.SetupCopyOEMInfW
setupapi.dll.SetupDiRemoveDevice
newdev.dll.UpdateDriverForPlugAndPlayDevicesW
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
devrtl.dll.DevRtlGetThreadLogToken
kernel32.dll.RegOpenKeyExW
kernel32.dll.RegCloseKey
kernel32.dll.RegCreateKeyExW
kernel32.dll.RegSetValueExW
devrtl.dll.DevRtlSetThreadLogToken
sechost.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW
drvstore.dll.DriverStoreFindW
kernel32.dll.GetSystemDefaultUILanguage
crypt32.dll.CryptQueryObject
cryptsp.dll.CryptAcquireContextA
user32.dll.LoadStringW
ncrypt.dll.BCryptOpenAlgorithmProvider
bcryptprimitives.dll.GetHashInterface
ncrypt.dll.BCryptGetProperty
ncrypt.dll.BCryptCreateHash
ncrypt.dll.BCryptHashData
crypt32.dll.CertGetCTLContextProperty
crypt32.dll.CertFreeCTLContext
ncrypt.dll.BCryptDestroyHash
advapi32.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW
advapi32.dll.IsValidSecurityDescriptor
advapi32.dll.OpenThreadToken
advapi32.dll.OpenProcessToken
advapi32.dll.GetKernelObjectSecurity
advapi32.dll.DuplicateTokenEx
advapi32.dll.AdjustTokenPrivileges
advapi32.dll.SetThreadToken
advapi32.dll.SetFileSecurityW
drvstore.dll.DriverStoreSetLogContext
drvstore.dll.DriverStoreImportW
kernel32.dll.RegQueryValueExW
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.CheckTokenMembership
advapi32.dll.FreeSid
cabinet.dll.#20
cabinet.dll.#22
user32.dll.GetProcessWindowStation
user32.dll.GetUserObjectInformationW
user32.dll.GetThreadDesktop
cfgmgr32.dll.CM_Add_Driver_PackageW
spinf.dll.SpInfSetDirIdHandler
spinf.dll.SpInfLoadInfFile
spinf.dll.SpInfFindFirstLine
spinf.dll.SpInfLockInf
spinf.dll.SpInfLineFromContext
spinf.dll.SpInfGetField
spinf.dll.SpInfUnlockInf
spinf.dll.SpInfGetVersionNode
spinf.dll.SpInfGetVersionDatum
spinf.dll.SpInfFreeInfFile
wintrust.dll.CryptCATAdminCalcHashFromFileHandle
wintrust.dll.CryptSIPPutSignedDataMsg
wintrust.dll.CryptSIPCreateIndirectData
wintrust.dll.WVTAsn1SpcLinkEncode
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptHashData
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
wintrust.dll.CryptCATAdminAcquireContext
wintrust.dll.CryptCATAdminAddCatalog
sechost.dll.ConvertStringSidToSidW
sechost.dll.OpenSCManagerW
sechost.dll.OpenServiceW
sechost.dll.QueryServiceConfigA
sechost.dll.QueryServiceStatus
sechost.dll.CloseServiceHandle
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
sechost.dll.LookupAccountNameLocalW
wintrust.dll.CryptCATAdminReleaseCatalogContext
wintrust.dll.CryptCATAdminReleaseContext
devrtl.dll.DevRtlWriteTextLog
dispci.dll.DisplayClassInstaller
setupapi.dll.SetupOpenLog
setupapi.dll.SetupDiGetDriverInstallParamsW
setupapi.dll.CM_Get_Device_IDW
setupapi.dll.SetupCloseLog
ntmarta.dll.GetMartaExtensionInterface
cabinet.dll.#23
C:\Program Files (x86)\ToDesk\drivers\instdrv.exe
"C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\MirrInst64.exe" -i "dfmirage" "Mirage Driver" "C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\" "C:\Users\test\AppData\Local\Temp\nso536E.tmp\todesk_drivers\dfmirage.inf"
Local\MSCTF.Asm.MutexDefault1
ToDesk.exe
DefaultTabtip-MainUI
SetuplogMutex
No information to display.
DD"gU
`f#Dv)&
No antivirus engine scan information!

Process tree


cmd.exe, PID: 2812, parent PID: 2184
ToDesk.exe, PID: 2876, parent PID: 2812
instdrv.exe, PID: 1880, parent PID: 2876
MirrInst64.exe, PID: 2292, parent PID: 1880

Hosts contacted (click to query WPING real-time security rating)

No host records.

TCP

Source address  Source port  Destination address  Destination port
192.168.122.201 49158 184.28.188.195 acroipm.adobe.com 80

UDP

Source address Source port Destination address Destination port
192.168.122.201 63282 192.168.122.1 53

DNS resolution

Domain Security rating Response
acroipm.adobe.com CNAME a1983.dscd.akamai.net
CNAME acroipm.adobe.com.edgesuite.net
A 184.28.188.184
A 184.28.188.195

HTTP requests

URI / HTTP data
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

Note: acroipm.adobe.com is the Adobe Reader In-Product Messaging (IPM) endpoint, and this request (User-Agent "IPM", path /11/rdr/.../message.zip) is the background check Adobe Reader XI performs on its own; the report attributes it to none of the four processes in the tree above. Treat it as analysis-VM background traffic rather than sample command-and-control unless a per-process capture ties it to ToDesk.exe.

SMTP traffic

No SMTP traffic.

IRC traffic

No IRC requests.

ICMP traffic

No ICMP traffic.

CIF report

No CIF results

Network alerts

No alerts

TLS

No TLS

Suricata HTTP

No Suricata HTTP

No files extracted from network traffic.
File name ToDesk.exe
Related files
C:\Users\test\AppData\Local\Temp\rar-tmp\ToDesk.exe
File size 3751800 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 f5187a4abe17de8912b979cd1f2f09cb
SHA1 15cb52032a31dbe5ed02a89ee787f60a80e27192
SHA256 89b7ff1acae881b776beb246217b9fca4199b6301778fa4da83b04e8689c0600
CRC32 C3460AA7
Ssdeep 98304:LTXayQ8QthiwEWWAUIBQBbyPCt1Zht5ezKYUB/ufcq774:/48GhiwPw+QBGK7ZeKYOQ774
No similar analyses found.

Processing ( 22.958 seconds )

  • 15.461 Suricata
  • 2.767 VirusTotal
  • 2.177 BehaviorAnalysis
  • 1.238 TargetInfo
  • 0.94 NetworkAnalysis
  • 0.212 Dropped
  • 0.134 AnalysisInfo
  • 0.025 Strings
  • 0.003 Memory
  • 0.001 Static

Signatures ( 2.838 seconds ) (time spent evaluating each signature module; this is the list of modules run, not of signatures that matched)

  • 1.851 md_url_bl
  • 0.101 api_spamming
  • 0.083 stealth_timeout
  • 0.071 stealth_decoy_document
  • 0.058 mimics_filetime
  • 0.053 antiav_detectreg
  • 0.048 reads_self
  • 0.042 stealth_file
  • 0.038 bootkit
  • 0.035 virus
  • 0.028 antivm_generic_disk
  • 0.024 md_domain_bl
  • 0.023 infostealer_ftp
  • 0.017 hancitor_behavior
  • 0.017 antiav_detectfile
  • 0.016 injection_createremotethread
  • 0.014 infostealer_browser
  • 0.014 infostealer_im
  • 0.012 infostealer_bitcoin
  • 0.011 maldun_anomaly_massive_file_ops
  • 0.011 antianalysis_detectreg
  • 0.01 maldun_malicious_write_executeable_under_temp_to_regrun
  • 0.01 maldun_anomaly_write_exe_and_obsfucate_extension
  • 0.01 injection_runpe
  • 0.009 ipc_namedpipe
  • 0.009 anomaly_persistence_autorun
  • 0.009 ransomware_extensions
  • 0.008 infostealer_browser_password
  • 0.008 securityxploded_modules
  • 0.008 infostealer_mail
  • 0.008 ransomware_files
  • 0.007 injection_explorer
  • 0.007 sets_autoconfig_url
  • 0.007 antivm_vbox_files
  • 0.007 geodo_banking_trojan
  • 0.006 stack_pivot
  • 0.006 ransomware_message
  • 0.006 kovter_behavior
  • 0.005 antivm_generic_services
  • 0.005 antivm_generic_scsi
  • 0.004 antivm_vbox_libs
  • 0.004 antisandbox_sleep
  • 0.004 maldun_anomaly_write_exe_and_dll_under_winroot_run
  • 0.004 anormaly_invoke_kills
  • 0.004 disables_wfp
  • 0.004 disables_browser_warn
  • 0.004 network_http
  • 0.003 tinba_behavior
  • 0.003 antiemu_wine_func
  • 0.003 hawkeye_behavior
  • 0.003 rat_nanocore
  • 0.003 disables_spdy
  • 0.003 rat_luminosity
  • 0.003 betabot_behavior
  • 0.003 kibex_behavior
  • 0.003 h1n1_behavior
  • 0.003 antivm_parallels_keys
  • 0.003 antivm_xen_keys
  • 0.003 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.003 network_torgateway
  • 0.002 network_tor
  • 0.002 antiav_avast_libs
  • 0.002 office_dl_write_exe
  • 0.002 office_write_exe
  • 0.002 antisandbox_sunbelt_libs
  • 0.002 shifu_behavior
  • 0.002 exec_crash
  • 0.002 cerber_behavior
  • 0.002 antidbg_devices
  • 0.002 antivm_generic_diskreg
  • 0.002 browser_security
  • 0.002 modify_proxy
  • 0.002 darkcomet_regkeys
  • 0.002 md_bad_drop
  • 0.002 network_cnc_http
  • 0.002 rat_pcclient
  • 0.001 antivm_vmware_libs
  • 0.001 ursnif_behavior
  • 0.001 kazybot_behavior
  • 0.001 antisandbox_sboxie_libs
  • 0.001 antiav_bitdefender_libs
  • 0.001 encrypted_ioc
  • 0.001 antidbg_windows
  • 0.001 bypass_firewall
  • 0.001 antianalysis_detectfile
  • 0.001 antisandbox_productid
  • 0.001 antivm_hyperv_keys
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_files
  • 0.001 antivm_vmware_keys
  • 0.001 antivm_vpc_keys
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 disables_system_restore
  • 0.001 disables_windows_defender
  • 0.001 codelux_behavior
  • 0.001 malicous_targeted_flame
  • 0.001 maldun_anomaly_invoke_vb_vba
  • 0.001 rat_spynet
  • 0.001 recon_fingerprint
  • 0.001 stealth_modify_uac_prompt

Reporting ( 0.993 seconds )

  • 0.953 ReportHTMLSummary
  • 0.04 Malheur
Task ID 577677
Mongo ID 5f6dc55d2f8f2e0ab652cf23
Cuckoo release 1.4-Maldun