魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2021-04-08 22:55:37	2021-04-08 22:57:43	126 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-shaapp03-1	win7-sp1-x64-shaapp03-1	KVM	2021-04-08 22:55:37	2021-04-08 22:57:44

魔盾分数
10.0 恶意的

文件详细信息

文件名	王卡助手20210310.exe
文件大小	4534272 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
CRC32	E199F0AB
MD5	6907cec51859b238c2b0225dcea38765
SHA1	4eaec64ed91407053a0cb14d7a6d5fc6cfeebeba
SHA256	166b82cd380506e97d7de60bda5744c24216ae7812849b750ab2bbf278bd0b57
SHA512	fde5dd79363846a0c3ddc346337d6933bc3b4a85ee1a9163eea0bbfe3fa5a848840c919050e8fc51166869d9b89f630d4e70af664cea7b3956e433a6f6f87b40
Ssdeep	49152:nEzuCLMLhzoHMRkHsVfPkOQ1mxVFy42XFSBFjPBFjAu1qr6O0qr6OTqr6Obis:5nVfPkOQcjFxkORZRAu1qr67qr6Kqr6s
PEiD	无匹配
Yara	Advapi_Hash_API (Looks for advapi API functions) CRC32_poly_Constant (Look for CRC32 [poly]) CRC32_table (Look for CRC32 table) BLOWFISH_Constants (Look for Blowfish constants) MD5_Constants (Look for MD5 constants) DES_sbox (Look for DES [sbox]) RijnDael_AES_CHAR (Look for RijnDael AES (check2) [char]) RijnDael_AES_LONG (Look for RijnDael AES) BASE64_table (Look for Base64 table) Chinese_Hacktool_1014 (Detects a chinese hacktool with unknown use) with_images (Detected the presence of an or several images) with_urls (Detected the presence of an or several urls) IsPE32 (Detected a 32bit PE sample) IsWindowsGUI (Detected a Windows GUI sample) IsPacked (Detected Entropy signature) HasRichSignature (Detected Rich Signature) UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser () DebuggerTiming__Ticks (Detected timing ticks function) network_smtp_raw (Detect SMTP ability in RAW) network_http (Detected communications function over HTTP) win_mutex (Create or check mutex) screenshot (Detected take screenshot function) create_process (Detection function for creating a new process) keylogger (Detected keylogger function) win_registry (Detected system registries modification function) change_win_registry (Change registries to affect system) win_files_operation (Affect private profile) win_hook (Detected hook table access function) win_private_profile (Detected private profile access function) Maldun_Anomoly_Combined_Activities_Network_Logging (Spotted potential abnormal behaviors, like logging and network communications) Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files) UPX (Detected UPX. Commonly used by RAT!)
VirusTotal	VirusTotal查询失败

特征

通过进程尝试延迟分析任务

Process: ____________20210310.exe tried to sleep 60 seconds, actually delayed analysis time by 0 seconds

创建RWX内存

在加密调用中发现至少一个IP地址，域名，或文件名

ioc: www.digicert.com1

发起了一些HTTP请求

url: http://www.iwzh.cn/api/updata/wkzsjbb/

url: http://www.iwzh.cn/api/wangkazhushou.php

二进制文件可能包含加密或压缩数据

section: name: .rdata, entropy: 7.51, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x0023c000, virtual_size: 0x0023b46a

样本投放可执行文件到临时目录

查询磁盘信息，可能被用来实现反虚拟机

从文件自身的二进制镜像中读取数据

self_read: process: ____________20210310.exe, pid: 2464, offset: 0x00000000, length: 0x00000040

self_read: process: ____________20210310.exe, pid: 2464, offset: 0x00000000, length: 0x00453000

self_read: process: ____________20210310.exe, pid: 2464, offset: 0x00000108, length: 0x00000020

self_read: process: ____________20210310.exe, pid: 2464, offset: 0x0000018b, length: 0x00080000

尝试断开连接或更改沙箱进程监控的Windows功能

unhook: function_name: SetWindowLongA, type: modification

unhook: function_name: SetWindowLongW, type: modification

魔盾安全Yara规则检测结果 - 高危

Warning: Looks for advapi API functions

Warning: Look for RijnDael AES

Warning: Detects a chinese hacktool with unknown use

Informational: Detect SMTP ability in RAW

Critical: Spotted potential abnormal behaviors, like logging and network communications

Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files

Warning: Detected UPX. Commonly used by RAT!

运行截图

网络分析

域名解析

域名	响应
www.iwzh.cn	CNAME 557fff94dda76e14.cdn.jiashule.com A 39.106.132.118
api.freeyun.net	A 43.248.201.145
ss3.baidu.com	CNAME sslbaidu.jomodns.com A 180.163.198.33
acroipm.adobe.com	CNAME a1983.dscd.akamai.net CNAME acroipm.adobe.com.edgesuite.net A 104.91.68.27 A 104.91.68.75

TCP连接

IP地址	端口
104.91.68.27	80
180.163.198.33	443
39.106.132.118	80
43.248.201.145	443
43.248.201.145	443
43.248.201.145	443
43.248.201.145	443
43.248.201.145	443
43.248.201.145	443
43.248.201.145	443

UDP连接

IP地址	端口
192.168.122.1	53
192.168.122.1	53
192.168.122.1	53
192.168.122.1	53

HTTP请求

URL	HTTP数据
http://www.iwzh.cn/api/updata/wkzsjbb/	GET /api/updata/wkzsjbb/ HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Accept: text/html, application/xhtml+xml, / Accept-Encoding: gbk, GB2312 Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Host: www.iwzh.cn
http://www.iwzh.cn/api/wangkazhushou.php	GET /api/wangkazhushou.php HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Language: zh-cn Referer: http://www.iwzh.cn/api/wangkazhushou.php User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1) Host: www.iwzh.cn
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache

URL

HTTP数据

http://www.iwzh.cn/api/updata/wkzsjbb/

GET /api/updata/wkzsjbb/ HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Accept: text/html, application/xhtml+xml, */*
Accept-Encoding: gbk, GB2312
Accept-Language: zh-cn
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: www.iwzh.cn

http://www.iwzh.cn/api/wangkazhushou.php

GET /api/wangkazhushou.php HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: zh-cn
Referer: http://www.iwzh.cn/api/wangkazhushou.php
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: www.iwzh.cn

http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip

GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

静态分析

PE 信息

初始地址	0x00400000
入口地址	0x005b8fa0
声明校验值	0x00000000
实际校验值	0x004542de
最低操作系统版本要求	4.0
编译时间	2021-03-10 17:18:19
载入哈希	6f57a1bd79769bacc80f4df1abb834b9
图标
图标精确哈希值	1bca88d3f61fc22108bfeca5dc5a84cd
图标相似性哈希值	d2a275ade2a7e584a484dd6146324137

版本信息

LegalCopyright:	\xe7\xe4\xe5\xe6
FileVersion:	1.0.0.0
CompanyName:	\xe7\xe4\xe5\xe6
Comments:	\xe7\xe4\xe5\xe6
ProductName:	\xe7\xe4\xe5\xe6
ProductVersion:	1.0.0.0
FileDescription:	\xe7\xe4\xe5\xe6
Translation:	0x0804 0x04b0

PE数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x001e73d5	0x001e8000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.41
.rdata	0x001e9000	0x0023b46a	0x0023c000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	7.51
.data	0x00425000	0x000a74d6	0x00025000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	5.53
.rsrc	0x004cd000	0x00008ef8	0x00009000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.62

资源

名称	偏移量	大小	语言	子语言	熵(Entropy)	文件类型
TEXTINCLUDE	0x004cdfac	0x00000151	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.25	C source, ASCII text, with CRLF line terminators
TEXTINCLUDE	0x004cdfac	0x00000151	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.25	C source, ASCII text, with CRLF line terminators
TEXTINCLUDE	0x004cdfac	0x00000151	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	5.25	C source, ASCII text, with CRLF line terminators
WAVE	0x004ce100	0x00001448	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	6.35	RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 22050 Hz
RT_CURSOR	0x004cfe68	0x00000134	LANG_ITALIAN	SUBLANG_ITALIAN	3.07	data
RT_CURSOR	0x004cfe68	0x00000134	LANG_ITALIAN	SUBLANG_ITALIAN	3.07	data
RT_CURSOR	0x004cfe68	0x00000134	LANG_ITALIAN	SUBLANG_ITALIAN	3.07	data
RT_CURSOR	0x004cfe68	0x00000134	LANG_ITALIAN	SUBLANG_ITALIAN	3.07	data
RT_CURSOR	0x004cfe68	0x00000134	LANG_ITALIAN	SUBLANG_ITALIAN	3.07	data
RT_CURSOR	0x004cfe68	0x00000134	LANG_ITALIAN	SUBLANG_ITALIAN	3.07	data
RT_CURSOR	0x004cfe68	0x00000134	LANG_ITALIAN	SUBLANG_ITALIAN	3.07	data
RT_CURSOR	0x004cfe68	0x00000134	LANG_ITALIAN	SUBLANG_ITALIAN	3.07	data
RT_CURSOR	0x004cfe68	0x00000134	LANG_ITALIAN	SUBLANG_ITALIAN	3.07	data
RT_BITMAP	0x004d2760	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x004d2760	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x004d2760	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x004d2760	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x004d2760	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x004d2760	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x004d2760	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x004d2760	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x004d2760	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x004d2760	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x004d2760	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x004d2760	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x004d2760	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x004d2760	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x004d2760	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_BITMAP	0x004d2760	0x00000144	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.88	data
RT_ICON	0x004d2cb4	0x000010a8	LANG_NEUTRAL	SUBLANG_NEUTRAL	5.05	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON	0x004d2cb4	0x000010a8	LANG_NEUTRAL	SUBLANG_NEUTRAL	5.05	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON	0x004d2cb4	0x000010a8	LANG_NEUTRAL	SUBLANG_NEUTRAL	5.05	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_MENU	0x004d3d68	0x00000284	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.28	data
RT_MENU	0x004d3d68	0x00000284	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	4.28	data
RT_DIALOG	0x004d4fb0	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x004d4fb0	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x004d4fb0	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x004d4fb0	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x004d4fb0	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x004d4fb0	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x004d4fb0	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x004d4fb0	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x004d4fb0	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_DIALOG	0x004d4fb0	0x0000018c	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.74	data
RT_STRING	0x004d59f8	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x004d59f8	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x004d59f8	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x004d59f8	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x004d59f8	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x004d59f8	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x004d59f8	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x004d59f8	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x004d59f8	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x004d59f8	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_STRING	0x004d59f8	0x00000024	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	0.90	data
RT_GROUP_CURSOR	0x004d5aa8	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.25	MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x004d5aa8	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.25	MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x004d5aa8	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.25	MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x004d5aa8	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.25	MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x004d5aa8	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.25	MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x004d5aa8	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.25	MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x004d5aa8	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.25	MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x004d5aa8	0x00000022	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.25	MS Windows cursor resource - 2 icons, 32x256, hotspot @1x1
RT_GROUP_ICON	0x004d5af4	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.02	MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_GROUP_ICON	0x004d5af4	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.02	MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_GROUP_ICON	0x004d5af4	0x00000014	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	2.02	MS Windows icon resource - 1 icon, 16x16, 16 colors
RT_VERSION	0x004d5b08	0x00000220	LANG_CHINESE	SUBLANG_CHINESE_SIMPLIFIED	3.38	data
RT_MANIFEST	0x004d5d28	0x000001cd	LANG_NEUTRAL	SUBLANG_NEUTRAL	5.08	XML 1.0 document, ASCII text, with very long lines, with no line terminators

导入

库 MSVFW32.dll:

• 0x5e9454 - DrawDibDraw

库 AVIFIL32.dll:

• 0x5e9018 - AVIStreamGetFrame

• 0x5e901c - AVIStreamInfoA

库 WINMM.dll:

• 0x5e97f0 - midiStreamRestart

• 0x5e97f4 - midiStreamClose

• 0x5e97f8 - midiOutReset

• 0x5e97fc - midiStreamStop

• 0x5e9800 - midiStreamOut

• 0x5e9804 - midiOutPrepareHeader

• 0x5e9808 - midiStreamProperty

• 0x5e980c - midiStreamOpen

• 0x5e9810 - midiOutUnprepareHeader

• 0x5e9814 - waveOutOpen

• 0x5e9818 - waveOutGetNumDevs

• 0x5e981c - waveOutClose

• 0x5e9820 - waveOutReset

• 0x5e9824 - waveOutPause

• 0x5e9828 - waveOutWrite

• 0x5e982c - waveOutPrepareHeader

• 0x5e9830 - waveOutUnprepareHeader

• 0x5e9834 - PlaySoundA

• 0x5e9838 - mciSendStringA

• 0x5e983c - mciSendCommandA

• 0x5e9840 - waveOutRestart

库 WS2_32.dll:

• 0x5e9860 - socket

• 0x5e9864 - setsockopt

• 0x5e9868 - recvfrom

• 0x5e986c - ioctlsocket

• 0x5e9870 - connect

• 0x5e9874 - htons

• 0x5e9878 - WSAAsyncSelect

• 0x5e987c - closesocket

• 0x5e9880 - send

• 0x5e9884 - select

• 0x5e9888 - WSACleanup

• 0x5e988c - ntohl

• 0x5e9890 - WSASetLastError

• 0x5e9894 - accept

• 0x5e9898 - getpeername

• 0x5e989c - recv

• 0x5e98a0 - inet_addr

• 0x5e98a4 - inet_ntoa

• 0x5e98a8 - gethostbyname

• 0x5e98ac - WSAStartup

• 0x5e98b0 - gethostname

库 RPCRT4.dll:

• 0x5e94d8 - RpcStringFreeA

• 0x5e94dc - UuidToStringA

库 RASAPI32.dll:

• 0x5e94cc - RasHangUpA

• 0x5e94d0 - RasGetConnectStatusA

库 KERNEL32.dll:

• 0x5e91fc - LeaveCriticalSection

• 0x5e9200 - EnterCriticalSection

• 0x5e9204 - ReleaseSemaphore

• 0x5e9208 - ResumeThread

• 0x5e920c - CreateSemaphoreA

• 0x5e9210 - SetFilePointer

• 0x5e9214 - GetFileSize

• 0x5e9218 - GetCurrentProcess

• 0x5e921c - TerminateProcess

• 0x5e9220 - GetWindowsDirectoryA

• 0x5e9224 - LoadLibraryExA

• 0x5e9228 - GetSystemDirectoryA

• 0x5e922c - MultiByteToWideChar

• 0x5e9230 - SetLastError

• 0x5e9234 - GetTimeZoneInformation

• 0x5e9238 - GetVersion

• 0x5e923c - Beep

• 0x5e9240 - GetTempFileNameA

• 0x5e9244 - InterlockedDecrement

• 0x5e9248 - InterlockedIncrement

• 0x5e924c - lstrcmpiA

• 0x5e9250 - TerminateThread

• 0x5e9254 - FileTimeToSystemTime

• 0x5e9258 - WideCharToMultiByte

• 0x5e925c - CreateMutexA

• 0x5e9260 - ReleaseMutex

• 0x5e9264 - SuspendThread

• 0x5e9268 - LocalFree

• 0x5e926c - FormatMessageA

• 0x5e9270 - FileTimeToLocalFileTime

• 0x5e9274 - lstrcpynA

• 0x5e9278 - DuplicateHandle

• 0x5e927c - FlushFileBuffers

• 0x5e9280 - LockFile

• 0x5e9284 - UnlockFile

• 0x5e9288 - SetEndOfFile

• 0x5e928c - GetThreadLocale

• 0x5e9290 - GlobalDeleteAtom

• 0x5e9294 - GlobalFindAtomA

• 0x5e9298 - GlobalAddAtomA

• 0x5e929c - GlobalGetAtomNameA

• 0x5e92a0 - lstrcmpA

• 0x5e92a4 - LocalAlloc

• 0x5e92a8 - TlsAlloc

• 0x5e92ac - GlobalHandle

• 0x5e92b0 - TlsFree

• 0x5e92b4 - TlsSetValue

• 0x5e92b8 - LocalReAlloc

• 0x5e92bc - TlsGetValue

• 0x5e92c0 - GetFileTime

• 0x5e92c4 - GetCurrentThread

• 0x5e92c8 - GlobalFlags

• 0x5e92cc - SetErrorMode

• 0x5e92d0 - GetProcessVersion

• 0x5e92d4 - GetCPInfo

• 0x5e92d8 - GetOEMCP

• 0x5e92dc - GetStartupInfoA

• 0x5e92e0 - RtlUnwind

• 0x5e92e4 - GetSystemTime

• 0x5e92e8 - GetLocalTime

• 0x5e92ec - RaiseException

• 0x5e92f0 - HeapSize

• 0x5e92f4 - GetACP

• 0x5e92f8 - SetStdHandle

• 0x5e92fc - GetFileType

• 0x5e9300 - UnhandledExceptionFilter

• 0x5e9304 - FreeEnvironmentStringsA

• 0x5e9308 - FreeEnvironmentStringsW

• 0x5e930c - GetEnvironmentStrings

• 0x5e9310 - GetEnvironmentStringsW

• 0x5e9314 - SetHandleCount

• 0x5e9318 - GetStdHandle

• 0x5e931c - GetEnvironmentVariableA

• 0x5e9320 - HeapDestroy

• 0x5e9324 - HeapCreate

• 0x5e9328 - VirtualFree

• 0x5e932c - SetEnvironmentVariableA

• 0x5e9330 - LCMapStringA

• 0x5e9334 - LCMapStringW

• 0x5e9338 - VirtualAlloc

• 0x5e933c - IsBadWritePtr

• 0x5e9340 - SetUnhandledExceptionFilter

• 0x5e9344 - GetStringTypeA

• 0x5e9348 - GetStringTypeW

• 0x5e934c - CompareStringA

• 0x5e9350 - CompareStringW

• 0x5e9354 - IsBadReadPtr

• 0x5e9358 - IsBadCodePtr

• 0x5e935c - WriteFile

• 0x5e9360 - WaitForMultipleObjects

• 0x5e9364 - CreateFileA

• 0x5e9368 - SetEvent

• 0x5e936c - FindResourceA

• 0x5e9370 - LoadResource

• 0x5e9374 - LockResource

• 0x5e9378 - ReadFile

• 0x5e937c - lstrlenW

• 0x5e9380 - GetModuleFileNameA

• 0x5e9384 - GetCurrentThreadId

• 0x5e9388 - ExitProcess

• 0x5e938c - GlobalSize

• 0x5e9390 - GlobalFree

• 0x5e9394 - DeleteCriticalSection

• 0x5e9398 - InitializeCriticalSection

• 0x5e939c - lstrcatA

• 0x5e93a0 - lstrlenA

• 0x5e93a4 - WinExec

• 0x5e93a8 - lstrcpyA

• 0x5e93ac - FindNextFileA

• 0x5e93b0 - GlobalReAlloc

• 0x5e93b4 - HeapFree

• 0x5e93b8 - HeapReAlloc

• 0x5e93bc - GetProcessHeap

• 0x5e93c0 - HeapAlloc

• 0x5e93c4 - GetUserDefaultLCID

• 0x5e93c8 - GetFullPathNameA

• 0x5e93cc - FreeLibrary

• 0x5e93d0 - LoadLibraryA

• 0x5e93d4 - GetLastError

• 0x5e93d8 - GetVersionExA

• 0x5e93dc - WritePrivateProfileStringA

• 0x5e93e0 - GetPrivateProfileStringA

• 0x5e93e4 - CreateThread

• 0x5e93e8 - CreateEventA

• 0x5e93ec - Sleep

• 0x5e93f0 - GlobalAlloc

• 0x5e93f4 - GlobalLock

• 0x5e93f8 - GlobalUnlock

• 0x5e93fc - GetTempPathA

• 0x5e9400 - FindFirstFileA

• 0x5e9404 - FindClose

• 0x5e9408 - SetFileAttributesA

• 0x5e940c - GetFileAttributesA

• 0x5e9410 - DeleteFileA

• 0x5e9414 - CreateDirectoryA

• 0x5e9418 - SetCurrentDirectoryA

• 0x5e941c - GetVolumeInformationA

• 0x5e9420 - GetModuleHandleA

• 0x5e9424 - GetProcAddress

• 0x5e9428 - MulDiv

• 0x5e942c - GetCommandLineA

• 0x5e9430 - GetTickCount

• 0x5e9434 - CreateProcessA

• 0x5e9438 - WaitForSingleObject

• 0x5e943c - CloseHandle

• 0x5e9440 - InterlockedExchange

• 0x5e9444 - GetProfileStringA

库 USER32.dll:

• 0x5e9500 - AdjustWindowRectEx

• 0x5e9504 - MapWindowPoints

• 0x5e9508 - SendDlgItemMessageA

• 0x5e950c - ScrollWindowEx

• 0x5e9510 - IsDialogMessageA

• 0x5e9514 - CheckMenuItem

• 0x5e9518 - SetMenuItemBitmaps

• 0x5e951c - GetMenuCheckMarkDimensions

• 0x5e9520 - CharNextA

• 0x5e9524 - SetWindowContextHelpId

• 0x5e9528 - MapDialogRect

• 0x5e952c - GetSysColorBrush

• 0x5e9530 - GetNextDlgGroupItem

• 0x5e9534 - PostThreadMessageA

• 0x5e9538 - GetPropA

• 0x5e953c - MoveWindow

• 0x5e9540 - CallWindowProcA

• 0x5e9544 - SetPropA

• 0x5e9548 - DrawTextA

• 0x5e954c - GetCursor

• 0x5e9550 - CreateIconIndirect

• 0x5e9554 - GetIconInfo

• 0x5e9558 - CopyIcon

• 0x5e955c - LoadStringA

• 0x5e9560 - SetWindowTextA

• 0x5e9564 - UnhookWindowsHookEx

• 0x5e9568 - SetWindowsHookExA

• 0x5e956c - CallNextHookEx

• 0x5e9570 - GetMenuItemCount

• 0x5e9574 - GetMenuItemID

• 0x5e9578 - GetMenuState

• 0x5e957c - GetWindowTextA

• 0x5e9580 - FindWindowExA

• 0x5e9584 - GetDlgItem

• 0x5e9588 - GetClassNameA

• 0x5e958c - GetDesktopWindow

• 0x5e9590 - MsgWaitForMultipleObjects

• 0x5e9594 - DrawStateA

• 0x5e9598 - FrameRect

• 0x5e959c - GetNextDlgTabItem

• 0x5e95a0 - LoadIconA

• 0x5e95a4 - TranslateMessage

• 0x5e95a8 - DrawFrameControl

• 0x5e95ac - DrawEdge

• 0x5e95b0 - DrawFocusRect

• 0x5e95b4 - WindowFromPoint

• 0x5e95b8 - GetMessageA

• 0x5e95bc - DispatchMessageA

• 0x5e95c0 - SetRectEmpty

• 0x5e95c4 - RegisterClipboardFormatA

• 0x5e95c8 - CreateIconFromResourceEx

• 0x5e95cc - CreateIconFromResource

• 0x5e95d0 - DrawIconEx

• 0x5e95d4 - CreatePopupMenu

• 0x5e95d8 - AppendMenuA

• 0x5e95dc - RegisterClassA

• 0x5e95e0 - CreateAcceleratorTableA

• 0x5e95e4 - GetDlgCtrlID

• 0x5e95e8 - GetSubMenu

• 0x5e95ec - RegisterHotKey

• 0x5e95f0 - ClientToScreen

• 0x5e95f4 - EnumDisplaySettingsA

• 0x5e95f8 - LoadImageA

• 0x5e95fc - SystemParametersInfoA

• 0x5e9600 - ShowWindow

• 0x5e9604 - IsWindowEnabled

• 0x5e9608 - TranslateAcceleratorA

• 0x5e960c - GetKeyState

• 0x5e9610 - CopyAcceleratorTableA

• 0x5e9614 - PostQuitMessage

• 0x5e9618 - IsZoomed

• 0x5e961c - GetClassInfoA

• 0x5e9620 - DefWindowProcA

• 0x5e9624 - GetSystemMenu

• 0x5e9628 - DeleteMenu

• 0x5e962c - GetMenu

• 0x5e9630 - SetMenu

• 0x5e9634 - PeekMessageA

• 0x5e9638 - IsIconic

• 0x5e963c - SetFocus

• 0x5e9640 - GetActiveWindow

• 0x5e9644 - GetWindow

• 0x5e9648 - DestroyAcceleratorTable

• 0x5e964c - SetWindowRgn

• 0x5e9650 - GetMessagePos

• 0x5e9654 - ScreenToClient

• 0x5e9658 - ChildWindowFromPointEx

• 0x5e965c - CopyRect

• 0x5e9660 - LoadBitmapA

• 0x5e9664 - WinHelpA

• 0x5e9668 - KillTimer

• 0x5e966c - SetTimer

• 0x5e9670 - ReleaseCapture

• 0x5e9674 - GetCapture

• 0x5e9678 - SetCapture

• 0x5e967c - GetScrollRange

• 0x5e9680 - SetScrollRange

• 0x5e9684 - SetScrollPos

• 0x5e9688 - SetRect

• 0x5e968c - InflateRect

• 0x5e9690 - IntersectRect

• 0x5e9694 - DestroyIcon

• 0x5e9698 - PtInRect

• 0x5e969c - OffsetRect

• 0x5e96a0 - IsWindowVisible

• 0x5e96a4 - EnableWindow

• 0x5e96a8 - RedrawWindow

• 0x5e96ac - GetWindowLongA

• 0x5e96b0 - SetWindowLongA

• 0x5e96b4 - GetSysColor

• 0x5e96b8 - SetActiveWindow

• 0x5e96bc - SetCursorPos

• 0x5e96c0 - LoadCursorA

• 0x5e96c4 - SetCursor

• 0x5e96c8 - GetDC

• 0x5e96cc - FillRect

• 0x5e96d0 - IsRectEmpty

• 0x5e96d4 - ReleaseDC

• 0x5e96d8 - IsChild

• 0x5e96dc - TrackPopupMenu

• 0x5e96e0 - DestroyMenu

• 0x5e96e4 - SetForegroundWindow

• 0x5e96e8 - GetWindowRect

• 0x5e96ec - EqualRect

• 0x5e96f0 - UpdateWindow

• 0x5e96f4 - ValidateRect

• 0x5e96f8 - InvalidateRect

• 0x5e96fc - GetClientRect

• 0x5e9700 - GetFocus

• 0x5e9704 - GetParent

• 0x5e9708 - GetTopWindow

• 0x5e970c - PostMessageA

• 0x5e9710 - IsWindow

• 0x5e9714 - SetParent

• 0x5e9718 - DestroyCursor

• 0x5e971c - SendMessageA

• 0x5e9720 - SetWindowPos

• 0x5e9724 - MessageBeep

• 0x5e9728 - MessageBoxA

• 0x5e972c - GetCursorPos

• 0x5e9730 - GetSystemMetrics

• 0x5e9734 - UnregisterClassA

• 0x5e9738 - ModifyMenuA

• 0x5e973c - GetScrollPos

• 0x5e9740 - GetClassLongA

• 0x5e9744 - RemovePropA

• 0x5e9748 - GetMessageTime

• 0x5e974c - GetLastActivePopup

• 0x5e9750 - RegisterWindowMessageA

• 0x5e9754 - GetWindowPlacement

• 0x5e9758 - EndDialog

• 0x5e975c - CreateDialogIndirectParamA

• 0x5e9760 - DestroyWindow

• 0x5e9764 - EndPaint

• 0x5e9768 - BeginPaint

• 0x5e976c - CharUpperA

• 0x5e9770 - GetWindowTextLengthA

• 0x5e9774 - CreateMenu

• 0x5e9778 - UnregisterHotKey

• 0x5e977c - EmptyClipboard

• 0x5e9780 - SetClipboardData

• 0x5e9784 - OpenClipboard

• 0x5e9788 - GetClipboardData

• 0x5e978c - CloseClipboard

• 0x5e9790 - wsprintfA

• 0x5e9794 - WaitForInputIdle

• 0x5e9798 - CreateWindowExA

• 0x5e979c - GetForegroundWindow

• 0x5e97a0 - GetMenuStringA

• 0x5e97a4 - GetTabbedTextExtentA

• 0x5e97a8 - GrayStringA

• 0x5e97ac - TabbedTextOutA

• 0x5e97b0 - WindowFromDC

• 0x5e97b4 - EnumChildWindows

• 0x5e97b8 - EnableMenuItem

• 0x5e97bc - GetWindowDC

库 GDI32.dll:

• 0x5e9078 - CombineRgn

• 0x5e907c - PatBlt

• 0x5e9080 - CreatePen

• 0x5e9084 - SelectObject

• 0x5e9088 - CreatePatternBrush

• 0x5e908c - CreateBitmap

• 0x5e9090 - CreateBrushIndirect

• 0x5e9094 - CreateDCA

• 0x5e9098 - CreateCompatibleBitmap

• 0x5e909c - GetPolyFillMode

• 0x5e90a0 - GetStretchBltMode

• 0x5e90a4 - GetROP2

• 0x5e90a8 - GetBkColor

• 0x5e90ac - GetBkMode

• 0x5e90b0 - GetTextColor

• 0x5e90b4 - CreateRoundRectRgn

• 0x5e90b8 - CreateEllipticRgn

• 0x5e90bc - PathToRegion

• 0x5e90c0 - EndPath

• 0x5e90c4 - BeginPath

• 0x5e90c8 - GetWindowOrgEx

• 0x5e90cc - GetViewportOrgEx

• 0x5e90d0 - GetWindowExtEx

• 0x5e90d4 - GetDIBits

• 0x5e90d8 - RealizePalette

• 0x5e90dc - SelectPalette

• 0x5e90e0 - StretchBlt

• 0x5e90e4 - CreatePalette

• 0x5e90e8 - GetSystemPaletteEntries

• 0x5e90ec - CreateRectRgn

• 0x5e90f0 - FillRgn

• 0x5e90f4 - CreateSolidBrush

• 0x5e90f8 - CreateRectRgnIndirect

• 0x5e90fc - Ellipse

• 0x5e9100 - Rectangle

• 0x5e9104 - LPtoDP

• 0x5e9108 - DPtoLP

• 0x5e910c - GetCurrentObject

• 0x5e9110 - RoundRect

• 0x5e9114 - CreateDIBSection

• 0x5e9118 - SetPixel

• 0x5e911c - ExtCreateRegion

• 0x5e9120 - SetStretchBltMode

• 0x5e9124 - GetClipRgn

• 0x5e9128 - CreatePolygonRgn

• 0x5e912c - CreateFontIndirectA

• 0x5e9130 - GetStockObject

• 0x5e9134 - GetObjectA

• 0x5e9138 - EndPage

• 0x5e913c - EndDoc

• 0x5e9140 - DeleteDC

• 0x5e9144 - SetBkColor

• 0x5e9148 - TextOutA

• 0x5e914c - SetBkMode

• 0x5e9150 - SetTextColor

• 0x5e9154 - SetDIBitsToDevice

• 0x5e9158 - CreateFontA

• 0x5e915c - FrameRgn

• 0x5e9160 - OffsetRgn

• 0x5e9164 - GetTextMetricsA

• 0x5e9168 - LineTo

• 0x5e916c - MoveToEx

• 0x5e9170 - SetWindowOrgEx

• 0x5e9174 - SaveDC

• 0x5e9178 - RestoreDC

• 0x5e917c - CreatePenIndirect

• 0x5e9180 - PtVisible

• 0x5e9184 - RectVisible

• 0x5e9188 - ExtTextOutA

• 0x5e918c - Escape

• 0x5e9190 - TranslateCharsetInfo

• 0x5e9194 - SetPolyFillMode

• 0x5e9198 - SetROP2

• 0x5e919c - SetMapMode

• 0x5e91a0 - SetViewportOrgEx

• 0x5e91a4 - OffsetViewportOrgEx

• 0x5e91a8 - SetViewportExtEx

• 0x5e91ac - ScaleViewportExtEx

• 0x5e91b0 - SetWindowExtEx

• 0x5e91b4 - ScaleWindowExtEx

• 0x5e91b8 - GetClipBox

• 0x5e91bc - ExcludeClipRect

• 0x5e91c0 - ExtSelectClipRgn

• 0x5e91c4 - GetViewportExtEx

• 0x5e91c8 - GetMapMode

• 0x5e91cc - DeleteObject

• 0x5e91d0 - CreateDIBitmap

• 0x5e91d4 - StartDocA

• 0x5e91d8 - StartPage

• 0x5e91dc - BitBlt

• 0x5e91e0 - GetPixel

• 0x5e91e4 - GetTextExtentPoint32A

• 0x5e91e8 - CreateCompatibleDC

• 0x5e91ec - SetPixelV

• 0x5e91f0 - GetDeviceCaps

• 0x5e91f4 - SelectClipRgn

库 MSIMG32.dll:

• 0x5e944c - GradientFill

库 WINSPOOL.DRV:

• 0x5e9848 - DocumentPropertiesA

• 0x5e984c - ClosePrinter

• 0x5e9850 - OpenPrinterA

库 comdlg32.dll:

• 0x5e98b8 - GetOpenFileNameA

• 0x5e98bc - GetSaveFileNameA

• 0x5e98c0 - GetFileTitleA

• 0x5e98c4 - ChooseFontA

• 0x5e98c8 - ChooseColorA

库 ADVAPI32.dll:

• 0x5e9000 - RegSetValueExA

• 0x5e9004 - RegOpenKeyExA

• 0x5e9008 - RegCloseKey

• 0x5e900c - RegCreateKeyExA

• 0x5e9010 - RegQueryValueA

库 SHELL32.dll:

• 0x5e94e4 - ShellExecuteA

• 0x5e94e8 - SHGetSpecialFolderPathA

• 0x5e94ec - DragQueryFileA

• 0x5e94f0 - DragAcceptFiles

• 0x5e94f4 - DragFinish

• 0x5e94f8 - Shell_NotifyIconA

库 ole32.dll:

• 0x5e98d0 - CLSIDFromString

• 0x5e98d4 - OleUninitialize

• 0x5e98d8 - OleInitialize

• 0x5e98dc - CoCreateGuid

• 0x5e98e0 - CoTaskMemFree

• 0x5e98e4 - ReleaseStgMedium

• 0x5e98e8 - CLSIDFromProgID

• 0x5e98ec - CoTaskMemAlloc

• 0x5e98f0 - OleRun

• 0x5e98f4 - CoCreateInstance

• 0x5e98f8 - CoGetClassObject

• 0x5e98fc - StgOpenStorageOnILockBytes

• 0x5e9900 - StgCreateDocfileOnILockBytes

• 0x5e9904 - CreateILockBytesOnHGlobal

• 0x5e9908 - CoFreeUnusedLibraries

• 0x5e990c - CoRegisterMessageFilter

• 0x5e9910 - CoRevokeClassObject

• 0x5e9914 - OleFlushClipboard

• 0x5e9918 - OleIsCurrentClipboard

• 0x5e991c - RevokeDragDrop

库 OLEAUT32.dll:

• 0x5e945c - VariantInit

• 0x5e9460 - SysAllocString

• 0x5e9464 - SafeArrayDestroy

• 0x5e9468 - SafeArrayCreate

• 0x5e946c - SafeArrayPutElement

• 0x5e9470 - RegisterTypeLib

• 0x5e9474 - LHashValOfNameSys

• 0x5e9478 - LoadTypeLib

• 0x5e947c - OleCreateFontIndirect

• 0x5e9480 - UnRegisterTypeLib

• 0x5e9484 - SysFreeString

• 0x5e9488 - SysStringLen

• 0x5e948c - SysAllocStringByteLen

• 0x5e9490 - VariantCopyInd

• 0x5e9494 - SysAllocStringLen

• 0x5e9498 - VariantTimeToSystemTime

• 0x5e949c - SafeArrayGetElement

• 0x5e94a0 - SafeArrayAccessData

• 0x5e94a4 - SafeArrayUnaccessData

• 0x5e94a8 - SafeArrayGetDim

• 0x5e94ac - SafeArrayGetLBound

• 0x5e94b0 - SafeArrayGetUBound

• 0x5e94b4 - GetErrorInfo

• 0x5e94b8 - VariantChangeType

• 0x5e94bc - VariantClear

• 0x5e94c0 - VariantCopy

• 0x5e94c4 - SafeArrayGetElemsize

库 COMCTL32.dll:

• 0x5e9024 - ImageList_Destroy

• 0x5e9028 - ImageList_Create

• 0x5e902c - ImageList_BeginDrag

• 0x5e9030 - ImageList_Add

• 0x5e9034 - ImageList_Draw

• 0x5e9038 - ImageList_AddMasked

• 0x5e903c - ImageList_DragEnter

• 0x5e9040 - ImageList_SetBkColor

• 0x5e9044 - ImageList_GetImageCount

• 0x5e9048 - ImageList_GetImageInfo

• 0x5e904c - ImageList_GetIcon

• 0x5e9050 - ImageList_DragLeave

• 0x5e9054 - ImageList_DragMove

• 0x5e9058 - ImageList_DragShowNolock

• 0x5e905c - ImageList_EndDrag

• 0x5e9060 - None

• 0x5e9064 - ImageList_Read

• 0x5e9068 - _TrackMouseEvent

• 0x5e906c - ImageList_Duplicate

• 0x5e9070 - ImageList_DrawIndirect

库 oledlg.dll:

• 0x5e9924 - None

库 WININET.dll:

• 0x5e97c4 - InternetCanonicalizeUrlA

• 0x5e97c8 - InternetCrackUrlA

• 0x5e97cc - HttpOpenRequestA

• 0x5e97d0 - HttpSendRequestA

• 0x5e97d4 - HttpQueryInfoA

• 0x5e97d8 - InternetReadFile

• 0x5e97dc - InternetConnectA

• 0x5e97e0 - InternetSetOptionA

• 0x5e97e4 - InternetOpenA

• 0x5e97e8 - InternetCloseHandle

库 WLDAP32.dll:

• 0x5e9858 - None

投放文件

无信息

行为分析

互斥量(Mutexes)

Local\MSCTF.Asm.MutexDefault1

执行的命令 无信息

创建的服务 无信息

启动的服务 无信息

进程

____________20210310.exe PID: 2464, 上一级进程 PID: 2168

访问的文件

C:\Users\test\AppData\Local\Temp\kernel32.dll
C:\Users\test\AppData\Local\Temp\Kernel32.dll
C:\Users\test\AppData\Local\Temp\kernel32.DLL
C:\Users\test\AppData\Local\Temp\msvcrt.dll
C:\Users\test\AppData\Local\Temp\ntdll.dll
C:\Users\test\AppData\Local\Temp\?\xe9\x9d\xaa
C:\Users\test\AppData\Local\Temp\____________20210310.exe
C:\Users\test\AppData\Local\Temp\Psapi.dll
C:\Users\test\AppData\Local\Temp\ole32.dll
C:\Users\test\AppData\Local\Temp\Winhttp.dll
C:\Windows\SysWOW64\stdole2.tlb
C:\Program Files (x86)\Common Files\System\ado\msado15.dll
C:\Users\test\AppData\Local\Temp\iphlpapi.dll
\??\PhysicalDrive0
C:\Users\test\AppData\Local\Temp\ntdll.DLL
C:\Windows\Fonts\staticcache.dat
C:\Windows\System32\tzres.dll
C:\Users\test\AppData\Local\Temp\advapi32.dll
C:\Windows\System32\p2pcollab.dll
C:\Windows\System32\qagentrt.dll
C:\Windows\System32\dnsapi.dll
C:\Users\test\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\*
C:\Users\test\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\*
C:\Users\test\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\*
C:\Users\test\AppData\Local\Temp\config.conf
C:\Windows\SysWOW64\msscript.ocx
C:\Windows\System32\winhttp.dll
C:\Users\test\AppData\Local\Temp\\xe9\x85\x8d\xe7\xbd\xae.ini
C:\
C:\Users\test\AppData\Local\Temp\*.dat
C:\Users\test\AppData\Local\Temp\pid_2464.dat
C:\Users\test\AppData\Local\Temp\shlwapi.dll
C:\Users\test\Documents\
C:\Windows\winhlp32.exe
C:\Users\test\AppData\Local\Temp\user32.DLL
C:\Users\test\AppData\Local\Temp\oleaut32.dll
C:\Users\test\AppData\Local\Temp\\xe8\xbd\xaf\xe4\xbb\xb6\xe6\x97\xa5\xe5\xbf\x97
C:\Users\test\AppData\Local\Temp\\xe8\xbd\xaf\xe4\xbb\xb6\xe6\x97\xa5\xe5\xbf\x97\[ 12-10 \xe4\xb8\x8a\xe5\x8d\x88]Lizhi.20201210072307.Log

读取的文件

C:\Users\test\AppData\Local\Temp\?\xe9\x9d\xaa
C:\Users\test\AppData\Local\Temp\____________20210310.exe
C:\Windows\SysWOW64\stdole2.tlb
C:\Program Files (x86)\Common Files\System\ado\msado15.dll
C:\Windows\Fonts\staticcache.dat
C:\Windows\System32\tzres.dll
C:\Users\test\AppData\Local\Temp\config.conf
C:\Windows\SysWOW64\msscript.ocx
C:\Windows\System32\winhttp.dll
C:\Users\test\AppData\Local\Temp\pid_2464.dat
C:\Windows\winhlp32.exe
C:\Users\test\AppData\Local\Temp\\xe9\x85\x8d\xe7\xbd\xae.ini

修改的文件

C:\Users\test\AppData\Local\Temp\____________20210310.exe
C:\Users\test\AppData\Local\Temp\pid_2464.dat
C:\Users\test\AppData\Local\Temp\config.conf
C:\Users\test\AppData\Local\Temp\\xe8\xbd\xaf\xe4\xbb\xb6\xe6\x97\xa5\xe5\xbf\x97\[ 12-10 \xe4\xb8\x8a\xe5\x8d\x88]Lizhi.20201210072307.Log

删除的文件 无信息

注册表键

HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\TypeLib
HKEY_CURRENT_USER\Software\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32\(Default)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\\xe5\xbe\xae\xe8\xbd\xaf\xe9\x9b\x85\xe9\xbb\x91
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextLockCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextListCount
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7\Name
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4b\AAF68885
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4B\AAF68885\LanguageList
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4B\AAF68885\@%SystemRoot%\system32\p2pcollab.dll,-8042
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4B\AAF68885\@%SystemRoot%\system32\dnsapi.dll,-103
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\ChainEngine\Config
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableMandatoryBasicConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableCANameConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableUnsupportedCriticalExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlCountInCert
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCountPerChain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCertCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\CryptnetPreFetchTriggerPeriodSeconds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableWeakSignatureFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\ChainCacheResyncFiletime
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\#16
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\Ldap
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CertDllOpenStoreProv
HKEY_USERS\S-1-5-21-2280033686-3172497658-3481507381-1000
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2280033686-3172497658-3481507381-1000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2280033686-3172497658-3481507381-1000\ProfileImagePath
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\Keys
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CTLs
HKEY_CURRENT_USER\
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\475BA6DA2AFD5AE3ADAE78A261CA0E3E548B9532
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\475BA6DA2AFD5AE3ADAE78A261CA0E3E548B9532\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\CA\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\CA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD78375931
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD78375931\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Disallowed\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\039EEDB80BE7A03C6953893B20D2D9323A4C2AFD
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\039EEDB80BE7A03C6953893B20D2D9323A4C2AFD\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\03A5B14663EB12023091B84A6D6A68BC871DE66B
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\03A5B14663EB12023091B84A6D6A68BC871DE66B\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\36527D4FA26A68F9EB4596F1D99ABB2C0EA76DFA
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\36527D4FA26A68F9EB4596F1D99ABB2C0EA76DFA\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\58E8ABB0361533FB80F79B1B6D29D3FF8D5F00F0
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\58E8ABB0361533FB80F79B1B6D29D3FF8D5F00F0\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\9F744E9F2B4DBAEC0F312C50B6563B8E2D93C311
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\9F744E9F2B4DBAEC0F312C50B6563B8E2D93C311\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\B31EB1B740E36C8402DADC37D44DF5D4674952F9
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\B31EB1B740E36C8402DADC37D44DF5D4674952F9\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\B94294BF91EA8FB64BE61097C7FB001359B676CB
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\B94294BF91EA8FB64BE61097C7FB001359B676CB\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\D69B561148F01C77C54578C10926DF5B856976AD
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A7217F919843199C958C128449DD52D2723B0A8A
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A7217F919843199C958C128449DD52D2723B0A8A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D85213E038F309D02A40917B59E142368AE6B1C0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D85213E038F309D02A40917B59E142368AE6B1C0\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DBB84423C928ABE889D0E368FC3191D151DDB1AB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DBB84423C928ABE889D0E368FC3191D151DDB1AB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\97817950D81C9670CC34D809CF794431367EF474
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\97817950D81C9670CC34D809CF794431367EF474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D23209AD23D314232174E40D7F9D62139786633A
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D23209AD23D314232174E40D7F9D62139786633A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\SmartCardRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPeople\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\TrustedPeople\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\trust\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\trust\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\trust
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserenvDebugLevel
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllVerifyEncodedSignature
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllVerifyEncodedSignature
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllImportPublicKeyInfoEx2
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllImportPublicKeyInfoEx2
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllVerifyCertificateChainPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyCertificateChainPolicy
HKEY_CURRENT_USER\Software\Classes\TypeLib\{0E59F1D2-1FBE-11D0-8FF2-00A0D10038BC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0E59F1D2-1FBE-11D0-8FF2-00A0D10038BC}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0E59F1D2-1FBE-11D0-8FF2-00A0D10038BC}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0E59F1D2-1FBE-11D0-8FF2-00A0D10038BC}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0E59F1D2-1FBE-11D0-8FF2-00A0D10038BC}\1.0\0\win32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID
HKEY_CURRENT_USER\Software\Classes\Wow6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\COM+Enabled
HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings\JITDebug
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xae\x8b\xe4\xbd\x93
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xbe\xae\xe8\xbd\xaf\xe9\x9b\x85\xe9\xbb\x91
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe7\xad\x89\xe7\xba\xbf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\System
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\____________20210310.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WOW\boot
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib\ 800x600x24(BGR 0)

读取的注册表键

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextLockCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextListCount
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7\Name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4B\AAF68885\@%SystemRoot%\system32\p2pcollab.dll,-8042
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4B\AAF68885\@%SystemRoot%\system32\dnsapi.dll,-103
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableMandatoryBasicConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableCANameConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableUnsupportedCriticalExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlCountInCert
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCountPerChain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCertCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\CryptnetPreFetchTriggerPeriodSeconds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableWeakSignatureFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\ChainCacheResyncFiletime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2280033686-3172497658-3481507381-1000\ProfileImagePath
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\475BA6DA2AFD5AE3ADAE78A261CA0E3E548B9532\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD78375931\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\039EEDB80BE7A03C6953893B20D2D9323A4C2AFD\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\03A5B14663EB12023091B84A6D6A68BC871DE66B\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\36527D4FA26A68F9EB4596F1D99ABB2C0EA76DFA\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\503006091D97D4F5AE39F7CBE7927D7D652D3431\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\58E8ABB0361533FB80F79B1B6D29D3FF8D5F00F0\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\9F744E9F2B4DBAEC0F312C50B6563B8E2D93C311\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\B31EB1B740E36C8402DADC37D44DF5D4674952F9\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\B94294BF91EA8FB64BE61097C7FB001359B676CB\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A7217F919843199C958C128449DD52D2723B0A8A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D85213E038F309D02A40917B59E142368AE6B1C0\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DBB84423C928ABE889D0E368FC3191D151DDB1AB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\97817950D81C9670CC34D809CF794431367EF474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D23209AD23D314232174E40D7F9D62139786633A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserenvDebugLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{0E59F1D2-1FBE-11D0-8FF2-00A0D10038BC}\1.0\0\win32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\COM+Enabled
HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings\JITDebug
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xae\x8b\xe4\xbd\x93
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xbe\xae\xe8\xbd\xaf\xe9\x9b\x85\xe9\xbb\x91
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe7\xad\x89\xe7\xba\xbf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext

修改的注册表键

HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4B\AAF68885\LanguageList
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib
HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib\ 800x600x24(BGR 0)

删除的注册表键 无信息

API解析

kernel32.dll.IsProcessorFeaturePresent
cryptbase.dll.SystemFunction036
kernel32.dll.GetProcessHeap
kernel32.dll.HeapAlloc
kernel32.dll.InitializeCriticalSection
msvcrt.dll.time
ntdll.dll.NtQuerySystemTime
kernel32.dll.VirtualAlloc
kernel32.dll.RtlMoveMemory
kernel32.dll.lstrcpynA
kernel32.dll.LoadLibraryA
kernel32.dll.GetProcAddress
kernel32.dll.VirtualProtect
kernel32.dll.VirtualFree
comctl32.dll.ImageList_Draw
gdi32.dll.BitBlt
msimg32.dll.TransparentBlt
msvcrt.dll.free
msvfw32.dll.DrawDibOpen
user32.dll.GetDC
kernel32.dll.MulDiv
kernel32.dll.FlushInstructionCache
kernel32.dll.GetCurrentProcess
kernel32.dll.GetTickCount
kernel32.dll.VirtualQuery
kernel32.dll.SetFilePointer
kernel32.dll.GlobalAlloc
kernel32.dll.GlobalLock
kernel32.dll.GlobalUnlock
kernel32.dll.GlobalReAlloc
kernel32.dll.GlobalFree
kernel32.dll.FindResourceA
kernel32.dll.LoadResource
kernel32.dll.LockResource
kernel32.dll.SizeofResource
kernel32.dll.FreeLibrary
kernel32.dll.GetModuleFileNameA
kernel32.dll.GetModuleHandleA
kernel32.dll.GetVersion
kernel32.dll.GetCurrentThreadId
kernel32.dll.CreateFileA
kernel32.dll.GetFileSize
kernel32.dll.CloseHandle
kernel32.dll.ReadFile
kernel32.dll.SetLastError
comctl32.dll.ImageList_GetIcon
comctl32.dll.ImageList_GetImageInfo
comctl32.dll.ImageList_GetIconSize
gdi32.dll.SetWindowExtEx
gdi32.dll.SetWindowOrgEx
gdi32.dll.SetMapMode
gdi32.dll.SelectClipPath
gdi32.dll.EndPath
gdi32.dll.BeginPath
gdi32.dll.TextOutA
gdi32.dll.GetClipRgn
gdi32.dll.GetPixel
gdi32.dll.CreatePatternBrush
gdi32.dll.CreateFontIndirectA
gdi32.dll.SetViewportOrgEx
gdi32.dll.GetStockObject
gdi32.dll.GetTextExtentPoint32A
gdi32.dll.CreateRoundRectRgn
gdi32.dll.CreateFontA
gdi32.dll.SetViewportExtEx
gdi32.dll.SelectClipRgn
gdi32.dll.SelectObject
gdi32.dll.CreateCompatibleDC
gdi32.dll.DeleteDC
gdi32.dll.OffsetRgn
gdi32.dll.CombineRgn
gdi32.dll.CreateRectRgn
gdi32.dll.CreatePen
gdi32.dll.ExtCreateRegion
gdi32.dll.DeleteObject
gdi32.dll.Rectangle
gdi32.dll.SetPixel
gdi32.dll.PtInRegion
gdi32.dll.SetTextColor
gdi32.dll.SetBkMode
gdi32.dll.PatBlt
gdi32.dll.CreateDIBSection
gdi32.dll.GetObjectA
gdi32.dll.CreateCompatibleBitmap
gdi32.dll.GetTextExtentPointA
gdi32.dll.ExtTextOutA
gdi32.dll.ExtTextOutW
gdi32.dll.SetBkColor
gdi32.dll.GetTextColor
gdi32.dll.CreateSolidBrush
msvcrt.dll.??3@YAXPAX@Z
msvcrt.dll.__CxxFrameHandler
msvcrt.dll.??2@YAPAXI@Z
msvcrt.dll._ftol
msvcrt.dll._mbsstr
msvcrt.dll._mbscmp
msvcrt.dll.__dllonexit
msvcrt.dll.malloc
msvcrt.dll._initterm
msvcrt.dll._adjust_fdiv
msvcrt.dll._onexit
msvcrt.dll.memcpy
msvfw32.dll.DrawDibDraw
msvfw32.dll.DrawDibClose
user32.dll.SetWindowsHookExA
user32.dll.UnhookWindowsHookEx
user32.dll.CallNextHookEx
user32.dll.GetClassNameA
user32.dll.IsWindow
user32.dll.EnumThreadWindows
user32.dll.EnumChildWindows
user32.dll.LockWindowUpdate
user32.dll.DestroyIcon
user32.dll.DrawStateA
user32.dll.ShowWindow
user32.dll.GetMenuItemID
user32.dll.GetWindowRgn
user32.dll.SetMenu
user32.dll.GetMenu
user32.dll.GetSubMenu
user32.dll.TrackPopupMenu
user32.dll.CreateWindowExA
user32.dll.DestroyWindow
user32.dll.GetWindowInfo
user32.dll.SetWindowPos
user32.dll.GetClassLongA
user32.dll.ScreenToClient
user32.dll.SystemParametersInfoA
user32.dll.GetSystemMetrics
user32.dll.MenuItemFromPoint
user32.dll.GetMenuItemRect
user32.dll.GetMenuItemCount
user32.dll.SetMenuItemInfoA
user32.dll.IsMenu
user32.dll.GetUpdateRect
user32.dll.EqualRect
user32.dll.ShowScrollBar
user32.dll.SetWindowRgn
user32.dll.WindowFromDC
user32.dll.MoveWindow
user32.dll.GetSysColor
user32.dll.EnableScrollBar
user32.dll.GetScrollBarInfo
user32.dll.GetCapture
user32.dll.SetScrollPos
user32.dll.SetScrollInfo
user32.dll.GetScrollRange
user32.dll.GetScrollPos
user32.dll.GetScrollInfo
user32.dll.ReleaseDC
user32.dll.GetWindowDC
user32.dll.GetDCEx
user32.dll.EndPaint
user32.dll.BeginPaint
user32.dll.GetWindowLongW
user32.dll.SetWindowLongW
user32.dll.SetWindowLongA
user32.dll.ClientToScreen
user32.dll.FindWindowExA
user32.dll.GetMenuItemInfoA
user32.dll.GetParent
user32.dll.GetComboBoxInfo
user32.dll.TrackMouseEvent
user32.dll.GetIconInfo
user32.dll.GetClientRect
user32.dll.GetFocus
user32.dll.InflateRect
user32.dll.InvalidateRect
user32.dll.SetPropA
user32.dll.RemovePropA
user32.dll.CallWindowProcA
user32.dll.GetPropA
user32.dll.SetTimer
user32.dll.OffsetRect
user32.dll.KillTimer
user32.dll.EnableWindow
user32.dll.GetWindowLongA
user32.dll.SetRectEmpty
user32.dll.DrawIconEx
user32.dll.GetWindowTextA
user32.dll.DrawTextA
user32.dll.IsRectEmpty
user32.dll.IsIconic
user32.dll.IsZoomed
user32.dll.GetSystemMenu
user32.dll.GetMenuState
user32.dll.ReleaseCapture
user32.dll.GetMessageA
user32.dll.SetScrollRange
user32.dll.DispatchMessageA
user32.dll.SetRect
user32.dll.IsWindowVisible
user32.dll.RegisterClassExA
user32.dll.DefWindowProcA
user32.dll.IsWindowEnabled
user32.dll.SendMessageA
user32.dll.GetCursorPos
user32.dll.LoadCursorA
user32.dll.SetCursor
user32.dll.GetWindowRect
user32.dll.PtInRect
user32.dll.SetCapture
user32.dll.UpdateLayeredWindow
user32.dll.SetLayeredWindowAttributes
dciman32.dll.DCIOpenProvider
dciman32.dll.DCICloseProvider
dciman32.dll.DCICreatePrimary
dciman32.dll.DCIEndAccess
dciman32.dll.DCIBeginAccess
dciman32.dll.DCIDestroy
kernel32.dll.GetCurrentProcessId
psapi.dll.GetModuleFileNameExA
ole32.dll.CoInitialize
winhttp.dll.WinHttpCheckPlatform
kernel32.dll.MultiByteToWideChar
ntdll.dll.RtlMoveMemory
kernel32.dll.HeapFree
winhttp.dll.WinHttpCrackUrl
shlwapi.dll.StrCmpNW
kernel32.dll.lstrlenW
kernel32.dll.WideCharToMultiByte
winhttp.dll.WinHttpOpen
winhttp.dll.WinHttpSetTimeouts
winhttp.dll.WinHttpConnect
winhttp.dll.WinHttpOpenRequest
winhttp.dll.WinHttpSetOption
winhttp.dll.WinHttpAddRequestHeaders
shlwapi.dll.#153
winhttp.dll.WinHttpSendRequest
ws2_32.dll.GetAddrInfoW
ws2_32.dll.WSASocketW
ws2_32.dll.#2
ws2_32.dll.#21
ws2_32.dll.#9
ws2_32.dll.WSAIoctl
ws2_32.dll.FreeAddrInfoW
ws2_32.dll.#6
ws2_32.dll.#5
ws2_32.dll.WSARecv
ws2_32.dll.WSASend
winhttp.dll.WinHttpReceiveResponse
winhttp.dll.WinHttpQueryDataAvailable
winhttp.dll.WinHttpReadData
winhttp.dll.WinHttpQueryHeaders
ole32.dll.CoUninitialize
winhttp.dll.WinHttpCloseHandle
rpcrt4.dll.RpcBindingFree
iphlpapi.dll.GetAdaptersAddresses
kernel32.dll.HeapReAlloc
kernel32.dll.GlobalSize
kernel32.dll.DeviceIoControl
ntdll.dll.RtlGetNtVersionNumbers
comctl32.dll.RegisterClassNameW
uxtheme.dll.OpenThemeData
imm32.dll.ImmIsIME
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
uxtheme.dll.EnableThemeDialogTexture
comctl32.dll.InitCommonControlsEx
gdi32.dll.GetTextExtentExPointWPri
kernel32.dll.GetLocalTime
advapi32.dll.CryptAcquireContextA
cryptsp.dll.CryptAcquireContextA
advapi32.dll.CryptHashData
cryptsp.dll.CryptHashData
advapi32.dll.CryptCreateHash
cryptsp.dll.CryptCreateHash
advapi32.dll.CryptGetHashParam
cryptsp.dll.CryptGetHashParam
advapi32.dll.CryptDestroyHash
cryptsp.dll.CryptDestroyHash
advapi32.dll.CryptReleaseContext
cryptsp.dll.CryptReleaseContext
kernel32.dll.SetHandleCount
schannel.dll.SpUserModeInitialize
advapi32.dll.RegCreateKeyExW
secur32.dll.FreeContextBuffer
ncrypt.dll.SslOpenProvider
ncrypt.dll.GetSChannelInterface
bcryptprimitives.dll.GetHashInterface
ncrypt.dll.SslIncrementProviderReferenceCount
ncrypt.dll.SslImportKey
bcryptprimitives.dll.GetCipherInterface
ncrypt.dll.SslLookupCipherSuiteInfo
user32.dll.LoadStringW
ncrypt.dll.BCryptOpenAlgorithmProvider
ncrypt.dll.BCryptGetProperty
ncrypt.dll.BCryptCreateHash
ncrypt.dll.BCryptHashData
ncrypt.dll.BCryptFinishHash
ncrypt.dll.BCryptDestroyHash
crypt32.dll.CertGetCertificateChain
userenv.dll.GetUserProfileDirectoryW
sechost.dll.ConvertSidToStringSidW
sechost.dll.ConvertStringSidToSidW
userenv.dll.RegisterGPNotification
gpapi.dll.RegisterGPNotificationInternal
sechost.dll.OpenSCManagerW
sechost.dll.OpenServiceW
sechost.dll.CloseServiceHandle
sechost.dll.QueryServiceConfigW
cryptsp.dll.CryptVerifySignatureA
cryptsp.dll.CryptDestroyKey
bcryptprimitives.dll.GetAsymmetricEncryptionInterface
ncrypt.dll.BCryptImportKeyPair
ncrypt.dll.BCryptVerifySignature
ncrypt.dll.BCryptDestroyKey
crypt32.dll.CertVerifyCertificateChainPolicy
crypt32.dll.CertFreeCertificateChain
crypt32.dll.CertDuplicateCertificateContext
ncrypt.dll.SslEncryptPacket
ncrypt.dll.SslDecryptPacket
ws2_32.dll.#22
crypt32.dll.CertFreeCertificateContext
ncrypt.dll.SslDecrementProviderReferenceCount
ncrypt.dll.SslFreeObject
ws2_32.dll.#3
ole32.dll.CoGetObjectContext
ole32.dll.CoCreateInstance
advapi32.dll.RegCreateKeyA
oleaut32.dll.#161
oleaut32.dll.#8
oleaut32.dll.#28
oleaut32.dll.#9
oleaut32.dll.#12
oleaut32.dll.#4
oleaut32.dll.#6
oleaut32.dll.#2
ole32.dll.CreateStreamOnHGlobal
ole32.dll.GetHGlobalFromStream
oleaut32.dll.#411
oleaut32.dll.#23
oleaut32.dll.#24
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.Module32First
kernel32.dll.OpenFile
kernel32.dll.EnterCriticalSection
kernel32.dll.LeaveCriticalSection
kernel32.dll.WriteFile
rasapi32.dll.RasConnectionNotificationW
sechost.dll.NotifyServiceStatusChangeA
shlwapi.dll.PathIsDirectoryA
uxtheme.dll.SetWindowTheme
urlmon.dll.#414
kernel32.dll.lstrcpyn
ole32.dll.CoInitializeEx
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
gdi32.dll.GdiIsMetaPrintDC
kernel32.dll.CreateWaitableTimerA
kernel32.dll.SetWaitableTimer
user32.dll.MsgWaitForMultipleObjects
user32.dll.GetInputState
kernel32.dll.CreateThread
oleaut32.dll.#500
kernel32.dll.GetLocaleInfoA
oleaut32.dll.VariantTimeToSystemTime
kernel32.dll.GetDateFormatA
kernel32.dll.GetTimeFormatA
kernel32.dll.InterlockedCompareExchange
kernel32.dll.InterlockedExchange
msvcrt.dll.localtime
msvcrt.dll._snprintf
msvcrt.dll._open
msvcrt.dll._filelengthi64
msvcrt.dll._write
kernel32.dll.InterlockedExchangeAdd
gdi32.dll.GetFontAssocStatus
ws2_32.dll.#116