魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2017-12-15 11:32:43	2017-12-15 11:35:07	144 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-hpdapp03-2	win7-sp1-x64-hpdapp03-2	KVM	2017-12-15 11:32:48	2017-12-15 11:35:07

魔盾分数
10.0 Sharik

文件详细信息

文件名	4.exe
文件大小	215040 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
CRC32	294E131E
MD5	1c8bc73dcd85cb6bdece3c05e74a1887
SHA1	05c6dd41dec0fb4eca39a32970e341b96b53c4af
SHA256	291ed3b7c84c59637a0ee2c4b51b7c46695cbe97d0c40c5881e6ffb1c08e3f89
SHA512	c3d57a2711da38272832310a9da326149ee1ade93cad4203ca4ae4ed64406a8ebc2f93871ee0d982336b3e91dc448e90e7e33c6beaa039b4d00216a3581d9338
Ssdeep	3072:j/Xb8YZDjwbseaXdQbMUPbUJl/9siaYNBGrxK0itljcs:j/Xb8YZDjBXdQAUbGnaG0E0iTP
PEiD	无匹配
Yara	Str_Win32_Wininet_Library (Match Windows Inet API library declaration) IsPE32 () IsWindowsGUI () HasDebugData (DebugData Check) HasRichSignature (Rich Signature Check) without_images (Rule to detect the no presence of any image) without_attachments (Rule to detect the no presence of any attachment) anti_dbg (Checks if being debugged) screenshot (Take screenshot) win_registry (Affect system registries) VC8_Microsoft_Corporation () Microsoft_Visual_Cpp_8 () without_urls (Rule to detect the no presence of any url)
VirusTotal	VirusTotal链接 VirusTotal扫描时间: 2017-12-14 21:41:58 扫描结果: 44/68

特征

发起了一些HTTP请求

url: http://www.bing.com/

url: http://cn.bing.com/

url: http://msdn.microsoft.com/vstudio

url: http://support.microsoft.com/

url: http://bbank.bit/

收集系统安装程序信息

创建RWX内存

对一些具体的运行中的进程呈现出兴趣

process: lsm.exe

process: System

process: svchost.exe

对一个无法找到的进程进行重复搜索，可能希望以startbrowser=1选项运行

创建一个隐藏文件或系统文件

file: C:\Users\test\AppData\Roaming\Microsoft\dviwsasf\jeetbsrj.exe

file: C:\Users\test\AppData\Roaming\Microsoft\dviwsasf

file: C:\Users\test\AppData\Roaming\Microsoft\dviwsasf\dviwsasf

魔盾wping.org IP地址信誉系统

Greylist: 139.59.208.246

Greylist: 23.198.128.9

HTTP数据流中包含可疑的恶意软件数据

post_no_referer: HTTP traffic contains a POST request with no referer header

suspicious_request: http://bbank.bit/

通过库文件检测是否存在Sandboxie系统

执行了一个进程并在其中注入代码（可能是在解包过程中）

从磁盘上删除自身的原始二进制

尝试删除从因特网下载文件的证据

file: C:\Users\test\AppData\Roaming\Microsoft\dviwsasf\jeetbsrj.exe:Zone.Identifier

通过进程尝试长时间延迟分析任务

Process: 4.exe tried to sleep 61 seconds, actually delayed analysis time by 0 seconds

Process: explorer.exe tried to sleep 138 seconds, actually delayed analysis time by 0 seconds

将自己装载到Windows开机自动启动项目

key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Google Update

data: C:\Users\test\AppData\Roaming\Microsoft\dviwsasf\jeetbsrj.exe

检查注册表中的磁盘驱动器，可能被用来实现反虚拟机

生成一个自己的复制文件

copy: C:\Users\test\AppData\Roaming\Microsoft\dviwsasf\jeetbsrj.exe

异常的二进制特征

anomaly: Actual checksum does not match that reported in PE header

生成可疑网络流量，可能被用来进行恶意活动

signature: ET TROJAN Sharik/Smoke Loader Microsoft Connectivity Check

文件已被至少十个VirusTotal上的反病毒引擎检测为病毒

MicroWorld-eScan: Trojan.GenericKD.12674758

CAT-QuickHeal: Backdoor.Androm

Cylance: Unsafe

K7GW: Trojan-Downloader ( 004f875e1 )

K7AntiVirus: Trojan-Downloader ( 004f875e1 )

Arcabit: Trojan.Generic.DC166C6

Invincea: heuristic

Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9996

Symantec: Trojan.Gen

TrendMicro-HouseCall: TROJ_GEN.R00EC0WLE17

Avast: FileRepMalware

ClamAV: Win.Trojan.Agent-6399167-0

Kaspersky: Backdoor.Win32.Androm.osiq

BitDefender: Trojan.GenericKD.12674758

Paloalto: generic.ml

AegisLab: Backdoor.W32.Androm!c

Tencent: Suspicious.Heuristic.Gen.b.0

Ad-Aware: Trojan.GenericKD.12674758

Emsisoft: Trojan.GenericKD.12674758 (B)

F-Secure: Trojan.GenericKD.12674758

DrWeb: Trojan.DownLoader26.793

TrendMicro: TROJ_GEN.R00EC0WLE17

McAfee-GW-Edition: Artemis

Sophos: Mal/Generic-S

SentinelOne: static engine - malicious

Cyren: W32/Trojan.PEQT-6726

Webroot: W32.Trojan.Gen

Avira: TR/Crypt.Xpack.mgkwj

Microsoft: TrojanDownloader:Win32/Dofoil.AC

Endgame: malicious (high confidence)

ZoneAlarm: Backdoor.Win32.Androm.osiq

GData: Trojan.GenericKD.12674758

AhnLab-V3: Win-Trojan/Sagecrypt.Gen

McAfee: Artemis!1C8BC73DCD85

AVware: Trojan.Win32.Generic!BT

MAX: malware (ai score=100)

Malwarebytes: Trojan.SmokeLoader

ESET-NOD32: Win32/TrojanDownloader.Zurgop.CO

Ikarus: Trojan-Downloader.Win32.Zurgop

Fortinet: W32/Zurgop.CO!tr.dldr

AVG: FileRepMalware

Panda: Trj/CI.A

CrowdStrike: malicious_confidence_90% (W)

Qihoo-360: Trojan.Generic

运行截图

网络分析

访问主机记录

直接访问	IP地址	国家名
是	139.59.208.246	Singapore
否	172.231.74.187	United States
否	202.89.233.100	China
否	202.89.233.101	China
否	23.198.128.9	United States
是	47.88.216.71	Canada
否	65.54.226.150	United States

域名解析

域名	响应
www.bing.com	A 202.89.233.101 CNAME cn.cn-0001.cn-msedge.net CNAME cn-0001.cn-msedge.net A 202.89.233.100
cn.bing.com	CNAME cn-bing-com.cn.a-0001.a-msedge.net
go.microsoft.com	CNAME go.microsoft.com.edgekey.net CNAME e11290.dspg.akamaiedge.net A 172.231.74.187
msdn.microsoft.com	A 65.54.226.150 CNAME msdn.microsoft.akadns.net
support.microsoft.com	CNAME e3843.g.akamaiedge.net CNAME ev.support.microsoft.com.edgekey.net A 23.198.128.9

TCP连接

IP地址	端口
139.59.208.246	53
139.59.208.246	53
172.231.74.187	80
202.89.233.100	80
202.89.233.101	80
23.198.128.9	80
23.198.128.9	443
47.88.216.71	80
47.88.216.71	80
65.54.226.150	80
65.54.226.150	80
65.54.226.150	80

UDP连接

IP地址	端口
192.168.122.1	53
192.168.122.1	53
192.168.122.1	53
192.168.122.1	53
192.168.122.1	53
192.168.122.1	53

HTTP请求

URL	HTTP数据
http://www.bing.com/	GET / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: www.bing.com
http://cn.bing.com/	GET / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: cn.bing.com
http://go.microsoft.com/fwlink/?LinkId=133405	POST /fwlink/?LinkId=133405 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Content-Length: 42 Host: go.microsoft.com
http://msdn.microsoft.com/vstudio	GET /vstudio HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: msdn.microsoft.com
http://go.microsoft.com/fwlink/?LinkId=286133	POST /fwlink/?LinkId=286133 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Content-Length: 42 Host: go.microsoft.com
http://support.microsoft.com/	GET / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: support.microsoft.com
http://go.microsoft.com/fwlink/?LinkId=133405	POST /fwlink/?LinkId=133405 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Content-Length: 79 Host: go.microsoft.com
http://go.microsoft.com/fwlink/?LinkId=286133	POST /fwlink/?LinkId=286133 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Content-Length: 124 Host: go.microsoft.com
http://bbank.bit/	POST / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded Host: bbank.bit User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Content-Length: 63
http://go.microsoft.com/fwlink/?LinkId=286133	POST /fwlink/?LinkId=286133 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Content-Length: 138 Host: go.microsoft.com
http://go.microsoft.com/fwlink/?LinkId=133405	POST /fwlink/?LinkId=133405 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Content-Length: 145 Host: go.microsoft.com

静态分析

PE 信息

初始地址	0x00400000
入口地址	0x00407b5e
声明校验值	0x0003e49d
实际校验值	0x0004449d
最低操作系统版本要求	5.1
PDB路径	C:\Simulation\HashtagO.pdb
编译时间	2015-01-20 00:44:13
载入哈希	3facaeea87d5a2bb0a0aa7e756b1728d
图标
图标精确哈希值	92b41776b582644438095f04c113e59d
图标相似性哈希值	c4371c12668f99cf2b2726140ec97ac6

版本信息

LegalCopyright:	\xa9Adaptive Biotechnologies. All rights reserved.
CompanyName:	Adaptive Biotechnologies
LegalTrademarks:	\xa9Adaptive Biotechnologies. All rights reserved.
ProductName:	CellEched
ProductVersion:	9.7.78.9
FileDescription:	Exposes Tasks 70s Null Geotrust Itzik
OriginalFilename:	CellEched.exe
Translation:	0x0409 0x04b0

PE数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x00011099	0x00011200	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.54
.rdata	0x00013000	0x00004fd2	0x00005000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	6.17
.data	0x00018000	0x00001f7c	0x00001200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	3.75
.rsrc	0x0001a000	0x0001fe3c	0x0001d000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	6.28

资源

名称	偏移量	大小	语言	子语言	熵(Entropy)	文件类型
PNG	0x0001e7f4	0x0000039d	LANG_ENGLISH	SUBLANG_ENGLISH_US	7.68	PNG image data, 17 x 32, 8-bit/color RGBA, non-interlaced
PNG	0x0001e7f4	0x0000039d	LANG_ENGLISH	SUBLANG_ENGLISH_US	7.68	PNG image data, 17 x 32, 8-bit/color RGBA, non-interlaced
PNG	0x0001e7f4	0x0000039d	LANG_ENGLISH	SUBLANG_ENGLISH_US	7.68	PNG image data, 17 x 32, 8-bit/color RGBA, non-interlaced
PNG	0x0001e7f4	0x0000039d	LANG_ENGLISH	SUBLANG_ENGLISH_US	7.68	PNG image data, 17 x 32, 8-bit/color RGBA, non-interlaced
PNG	0x0001e7f4	0x0000039d	LANG_ENGLISH	SUBLANG_ENGLISH_US	7.68	PNG image data, 17 x 32, 8-bit/color RGBA, non-interlaced
PNG	0x0001e7f4	0x0000039d	LANG_ENGLISH	SUBLANG_ENGLISH_US	7.68	PNG image data, 17 x 32, 8-bit/color RGBA, non-interlaced
PNG	0x0001e7f4	0x0000039d	LANG_ENGLISH	SUBLANG_ENGLISH_US	7.68	PNG image data, 17 x 32, 8-bit/color RGBA, non-interlaced
PNG	0x0001e7f4	0x0000039d	LANG_ENGLISH	SUBLANG_ENGLISH_US	7.68	PNG image data, 17 x 32, 8-bit/color RGBA, non-interlaced
PNG	0x0001e7f4	0x0000039d	LANG_ENGLISH	SUBLANG_ENGLISH_US	7.68	PNG image data, 17 x 32, 8-bit/color RGBA, non-interlaced
RCDATA	0x000243a4	0x000003b0	LANG_ENGLISH	SUBLANG_ENGLISH_US	7.72	data
RCDATA	0x000243a4	0x000003b0	LANG_ENGLISH	SUBLANG_ENGLISH_US	7.72	data
RCDATA	0x000243a4	0x000003b0	LANG_ENGLISH	SUBLANG_ENGLISH_US	7.72	data
RCDATA	0x000243a4	0x000003b0	LANG_ENGLISH	SUBLANG_ENGLISH_US	7.72	data
RCDATA	0x000243a4	0x000003b0	LANG_ENGLISH	SUBLANG_ENGLISH_US	7.72	data
RCDATA	0x000243a4	0x000003b0	LANG_ENGLISH	SUBLANG_ENGLISH_US	7.72	data
RCDATA	0x000243a4	0x000003b0	LANG_ENGLISH	SUBLANG_ENGLISH_US	7.72	data
RT_CURSOR	0x00025f54	0x00000134	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.80	data
RT_CURSOR	0x00025f54	0x00000134	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.80	data
RT_CURSOR	0x00025f54	0x00000134	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.80	data
RT_CURSOR	0x00025f54	0x00000134	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.80	data
RT_CURSOR	0x00025f54	0x00000134	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.80	data
RT_CURSOR	0x00025f54	0x00000134	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.80	data
RT_BITMAP	0x000293c4	0x00000088	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.41	data
RT_BITMAP	0x000293c4	0x00000088	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.41	data
RT_BITMAP	0x000293c4	0x00000088	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.41	data
RT_BITMAP	0x000293c4	0x00000088	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.41	data
RT_BITMAP	0x000293c4	0x00000088	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.41	data
RT_BITMAP	0x000293c4	0x00000088	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.41	data
RT_BITMAP	0x000293c4	0x00000088	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.41	data
RT_BITMAP	0x000293c4	0x00000088	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.41	data
RT_BITMAP	0x000293c4	0x00000088	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.41	data
RT_ICON	0x000350a4	0x00000988	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.68	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x000350a4	0x00000988	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.68	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x000350a4	0x00000988	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.68	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x000350a4	0x00000988	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.68	dBase III DBT, version number 0, next free block index 40
RT_DIALOG	0x000364fc	0x00000214	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.26	data
RT_DIALOG	0x000364fc	0x00000214	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.26	data
RT_DIALOG	0x000364fc	0x00000214	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.26	data
RT_DIALOG	0x000364fc	0x00000214	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.26	data
RT_DIALOG	0x000364fc	0x00000214	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.26	data
RT_DIALOG	0x000364fc	0x00000214	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.26	data
RT_DIALOG	0x000364fc	0x00000214	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.26	data
RT_DIALOG	0x000364fc	0x00000214	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.26	data
RT_DIALOG	0x000364fc	0x00000214	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.26	data
RT_GROUP_CURSOR	0x000367c4	0x00000014	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.02	MS Windows cursor resource - 1 icon, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x000367c4	0x00000014	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.02	MS Windows cursor resource - 1 icon, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x000367c4	0x00000014	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.02	MS Windows cursor resource - 1 icon, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x000367c4	0x00000014	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.02	MS Windows cursor resource - 1 icon, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x000367c4	0x00000014	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.02	MS Windows cursor resource - 1 icon, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x000367c4	0x00000014	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.02	MS Windows cursor resource - 1 icon, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x000367c4	0x00000014	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.02	MS Windows cursor resource - 1 icon, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x000367c4	0x00000014	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.02	MS Windows cursor resource - 1 icon, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x000367c4	0x00000014	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.02	MS Windows cursor resource - 1 icon, 32x256, hotspot @1x1
RT_GROUP_CURSOR	0x000367c4	0x00000014	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.02	MS Windows cursor resource - 1 icon, 32x256, hotspot @1x1
RT_GROUP_ICON	0x000367d8	0x0000003e	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.80	MS Windows icon resource - 4 icons, 72x72
RT_VERSION	0x00036818	0x00000360	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.46	data
RT_MANIFEST	0x00036b78	0x000002c1	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.03	XML 1.0 document, ASCII text, with CRLF line terminators

导入

库 KERNEL32.dll:

• 0x413060 - HeapSize

• 0x413064 - IsValidCodePage

• 0x413068 - GetOEMCP

• 0x41306c - GetACP

• 0x413070 - GetCPInfo

• 0x413074 - RtlUnwind

• 0x413078 - GetSystemTimeAsFileTime

• 0x41307c - GetCurrentProcessId

• 0x413080 - GetTickCount

• 0x413084 - QueryPerformanceCounter

• 0x413088 - GetFileType

• 0x41308c - SetHandleCount

• 0x413090 - GetEnvironmentStringsW

• 0x413094 - WideCharToMultiByte

• 0x413098 - HeapReAlloc

• 0x41309c - InterlockedDecrement

• 0x4130a0 - GetCurrentThreadId

• 0x4130a4 - InterlockedIncrement

• 0x4130a8 - TlsFree

• 0x4130ac - TlsSetValue

• 0x4130b0 - TlsGetValue

• 0x4130b4 - TlsAlloc

• 0x4130b8 - Sleep

• 0x4130bc - TerminateProcess

• 0x4130c0 - IsDebuggerPresent

• 0x4130c4 - SetUnhandledExceptionFilter

• 0x4130c8 - UnhandledExceptionFilter

• 0x4130cc - LoadLibraryW

• 0x4130d0 - IsProcessorFeaturePresent

• 0x4130d4 - LCMapStringW

• 0x4130d8 - GetStringTypeW

• 0x4130dc - lstrcpyA

• 0x4130e0 - GetModuleHandleA

• 0x4130e4 - EnumDateFormatsA

• 0x4130e8 - GetModuleFileNameA

• 0x4130ec - LoadLibraryA

• 0x4130f0 - GetProcAddress

• 0x4130f4 - SetLastError

• 0x4130f8 - GetLastError

• 0x4130fc - MultiByteToWideChar

• 0x413100 - FreeEnvironmentStringsW

• 0x413104 - MulDiv

• 0x413108 - GetLocaleInfoW

• 0x41310c - GetSystemDefaultLCID

• 0x413110 - GetUserDefaultLCID

• 0x413114 - HeapAlloc

• 0x413118 - EnterCriticalSection

• 0x41311c - VirtualQuery

• 0x413120 - LeaveCriticalSection

• 0x413124 - DeleteCriticalSection

• 0x413128 - InitializeCriticalSectionAndSpinCount

• 0x41312c - EncodePointer

• 0x413130 - HeapCreate

• 0x413134 - GetModuleFileNameW

• 0x413138 - GetStdHandle

• 0x41313c - WriteFile

• 0x413140 - HeapFree

• 0x413144 - RaiseException

• 0x413148 - GetStartupInfoW

• 0x41314c - HeapSetInformation

• 0x413150 - GetCommandLineA

• 0x413154 - FreeLibrary

• 0x413158 - FindResourceExW

• 0x41315c - GetCurrentProcess

• 0x413160 - lstrlenA

• 0x413164 - DecodePointer

• 0x413168 - ExitProcess

• 0x41316c - GetModuleHandleW

库 USER32.dll:

• 0x41319c - GetIconInfo

• 0x4131a0 - MoveWindow

• 0x4131a4 - GetClassLongA

• 0x4131a8 - GetDialogBaseUnits

• 0x4131ac - DestroyIcon

• 0x4131b0 - GetDlgItemTextA

• 0x4131b4 - LoadImageA

• 0x4131b8 - SetWindowTextA

• 0x4131bc - GetSystemMetrics

• 0x4131c0 - IsWindow

• 0x4131c4 - DestroyWindow

• 0x4131c8 - GetSystemMenu

• 0x4131cc - HideCaret

• 0x4131d0 - GetWindowRect

• 0x4131d4 - FillRect

• 0x4131d8 - DrawTextA

• 0x4131dc - LoadStringA

• 0x4131e0 - IsDlgButtonChecked

• 0x4131e4 - AttachThreadInput

• 0x4131e8 - LoadIconA

• 0x4131ec - DrawIcon

• 0x4131f0 - GetClientRect

• 0x4131f4 - SendMessageA

• 0x4131f8 - GetFocus

• 0x4131fc - GetDC

• 0x413200 - DrawFocusRect

• 0x413204 - GetForegroundWindow

• 0x413208 - DrawStateA

• 0x41320c - SetRect

• 0x413210 - CreateWindowExA

• 0x413214 - EnableMenuItem

• 0x413218 - MonitorFromWindow

• 0x41321c - SetClassLongA

• 0x413220 - GetDlgItem

• 0x413224 - ShowWindow

• 0x413228 - SetMenu

库 GDI32.dll:

• 0x41301c - DeleteDC

• 0x413020 - GetDeviceCaps

• 0x413024 - CreateFontIndirectA

• 0x413028 - SetBrushOrgEx

• 0x41302c - GetDIBits

• 0x413030 - CreateDCA

• 0x413034 - DeleteObject

• 0x413038 - SelectObject

• 0x41303c - CreateCompatibleDC

• 0x413040 - SetMapMode

• 0x413044 - CreateCompatibleBitmap

• 0x413048 - Chord

• 0x41304c - GetPixel

• 0x413050 - CreateDiscardableBitmap

• 0x413054 - TextOutA

• 0x413058 - BitBlt

库 ADVAPI32.dll:

• 0x413000 - RegOpenKeyExA

• 0x413004 - RegCloseKey

• 0x413008 - RegQueryValueExW

库 SHELL32.dll:

• 0x413184 - SHGetFileInfoA

• 0x413188 - SHBrowseForFolderA

库 ODBC32.dll:

• 0x41317c - None

库 WININET.dll:

• 0x41323c - InternetGetLastResponseInfoW

• 0x413240 - FtpCommandW

库 USERENV.dll:

• 0x413230 - ProcessGroupPolicyCompleted

• 0x413234 - RegisterGPNotification

库 MSIMG32.dll:

• 0x413174 - AlphaBlend

库 COMCTL32.dll:

• 0x413010 - None

• 0x413014 - ImageList_Create

库 Secur32.dll:

• 0x413190 - QuerySecurityPackageInfoA

• 0x413194 - EnumerateSecurityPackagesA

投放文件

jeetbsrj.exe

文件名	jeetbsrj.exe
相关文件	C:\Users\test\AppData\Roaming\Microsoft\dviwsasf\jeetbsrj.exe
文件大小	215040 bytes
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	1c8bc73dcd85cb6bdece3c05e74a1887
SHA1	05c6dd41dec0fb4eca39a32970e341b96b53c4af
SHA256	291ed3b7c84c59637a0ee2c4b51b7c46695cbe97d0c40c5881e6ffb1c08e3f89
SHA512	c3d57a2711da38272832310a9da326149ee1ade93cad4203ca4ae4ed64406a8ebc2f93871ee0d982336b3e91dc448e90e7e33c6beaa039b4d00216a3581d9338
Ssdeep	3072:j/Xb8YZDjwbseaXdQbMUPbUJl/9siaYNBGrxK0itljcs:j/Xb8YZDjBXdQAUbGnaG0E0iTP
VirusTotal	搜索相关分析

dviwsasf

文件名	dviwsasf
相关文件	C:\Users\test\AppData\Roaming\Microsoft\dviwsasf\dviwsasf
文件大小	13889 bytes
文件类型	data
MD5	e260288041bb406f47075e139a557269
SHA1	03c6783befa9ada27c27c1fdc20131044b6bdd30
SHA256	9578ca3dbfc04c977bb7776f62b866a0f8b310ccfe1f781474ecc6003f5f6caa
SHA512	64872b2a89d74123578a8961ffb3a5f4fa3934b9f6531943bd5106fa6bd9c94aaf52c8b70c17568efde38ac8cd30b38deb1a6563a39177c289dbc7e88d23d61a
Ssdeep	384:LyYKagaO3yvZ59XzroDMQ5coVZfNNIzc1j3:LqZyvZXoDMQ6oz2c1z
VirusTotal	搜索相关分析

行为分析

互斥量(Mutexes)

3E8FB0B5696B2E59FF15370F5DC8C381944C1BA9

执行的命令

explorer.exe

创建的服务 无信息

启动的服务 无信息

进程

4.exe PID: 2004, 上一级进程 PID: 272

explorer.exe PID: 1140, 上一级进程 PID: 2004

explorer.exe PID: 2248, 上一级进程 PID: 1140

explorer.exe PID: 2340, 上一级进程 PID: 1140

访问的文件

C:\Users\test\AppData\Local\Temp\GPSVC.dll
C:\Windows\System32\GPSVC.dll
C:\Windows\system\GPSVC.dll
C:\Windows\GPSVC.dll
C:\ProgramData\Oracle\Java\javapath\GPSVC.dll
C:\Windows\System32\wbem\GPSVC.dll
C:\Windows\System32\WindowsPowerShell\v1.0\GPSVC.dll
C:\Program Files (x86)\WinRAR\GPSVC.dll
C:\Users\test\AppData\Local\Temp\winhttp.DLL
C:\Windows\System32\winhttp.dll
C:\Users\test\AppData\Local\Temp\webio.dll
C:\Windows\System32\webio.dll
C:\Users\test\AppData\Local\Temp\dnsapi.DLL
C:\Windows\System32\dnsapi.dll
C:\
C:\Windows\SysWOW64\winhttp.dll
C:\Windows\SysWOW64\webio.dll
C:\Windows\SysWOW64\dnsapi.dll
C:\Users\test\AppData\Roaming\Microsoft\dviwsasf
C:\Users\test\AppData\Roaming\Microsoft\dviwsasf\jeetbsrj.exe
C:\Users\test\AppData\Local\Temp\4.exe
C:\Users\test\AppData\Roaming\Microsoft\dviwsasf\jeetbsrj.exe:Zone.Identifier
C:\Windows\System32\advapi32.dll
C:\Users\test\AppData\Roaming\Microsoft\dviwsasf\dviwsasf
C:\Windows\System32\p2pcollab.dll
C:\Windows\System32\qagentrt.dll
C:\Users\test\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\*
C:\Users\test\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\*
C:\Users\test\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\*
C:\Windows\Globalization\Sorting\sortdefault.nls

读取的文件

C:\Windows\System32\winhttp.dll
C:\Windows\System32\webio.dll
C:\Windows\System32\dnsapi.dll
C:\Windows\SysWOW64\winhttp.dll
C:\Windows\SysWOW64\webio.dll
C:\Windows\SysWOW64\dnsapi.dll
C:\Users\test\AppData\Local\Temp\4.exe
C:\Users\test\AppData\Roaming\Microsoft\dviwsasf\jeetbsrj.exe
C:\Users\test\AppData\Roaming\Microsoft\dviwsasf
C:\Users\test\AppData\Roaming\Microsoft\dviwsasf\dviwsasf
C:\Windows\Globalization\Sorting\sortdefault.nls

修改的文件

C:\Users\test\AppData\Roaming\Microsoft\dviwsasf\jeetbsrj.exe
C:\Users\test\AppData\Roaming\Microsoft\dviwsasf
C:\Users\test\AppData\Roaming\Microsoft\dviwsasf\dviwsasf

删除的文件

C:\Users\test\AppData\Roaming\Microsoft\dviwsasf\jeetbsrj.exe
C:\Users\test\AppData\Local\Temp\4.exe
C:\Users\test\AppData\Roaming\Microsoft\dviwsasf\jeetbsrj.exe:Zone.Identifier
C:\Users\test\AppData\Roaming\Microsoft\dviwsasf\dviwsasf

注册表键

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserenvDebugLevel
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_CLASSES_ROOT\\xef\xbe\xa8\x07
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\DisableImprovedZoneCheck
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\svcVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Version
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE40
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IEData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\WIC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{63DF5C4B-E3BF-3346-A033-C57B22F44C9E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{63DF5C4B-E3BF-3346-A033-C57B22F44C9E}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{63DF5C4B-E3BF-3346-A033-C57B22F44C9E}\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0804-1000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0804-1000-0000000FF1CE}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0804-1000-0000000FF1CE}\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002A-0000-1000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002A-0000-1000-0000000FF1CE}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002A-0000-1000-0000000FF1CE}\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002A-0804-1000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002A-0804-1000-0000000FF1CE}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002A-0804-1000-0000000FF1CE}\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942}\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 2052
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 2052\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 2052\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{9CA44204-CCC7-337A-B039-3ABF998AB8A9}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9CA44204-CCC7-337A-B039-3ABF998AB8A9}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9CA44204-CCC7-337A-B039-3ABF998AB8A9}\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{B0037450-526D-3448-A370-CACBD87769A0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B0037450-526D-3448-A370-CACBD87769A0}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B0037450-526D-3448-A370-CACBD87769A0}\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{B13B3E11-1555-353F-A63A-8933EE104FBD}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B13B3E11-1555-353F-A63A-8933EE104FBD}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B13B3E11-1555-353F-A63A-8933EE104FBD}\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}\URLInfoAbout
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Google Update
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextLockCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextListCount
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7\Name
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4a\AAF68885
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4A\AAF68885\LanguageList
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4A\AAF68885\@%SystemRoot%\system32\p2pcollab.dll,-8042
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4A\AAF68885\@%SystemRoot%\system32\dnsapi.dll,-103
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\ChainEngine\Config
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableMandatoryBasicConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableCANameConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableUnsupportedCriticalExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlCountInCert
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCountPerChain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCertCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\CryptnetPreFetchTriggerPeriodSeconds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableWeakSignatureFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\ChainCacheResyncFiletime
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\#16
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\Ldap
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CertDllOpenStoreProv
HKEY_USERS\S-1-5-21-2280033686-3172497658-3481507381-1000
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2280033686-3172497658-3481507381-1000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2280033686-3172497658-3481507381-1000\ProfileImagePath
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\Keys
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CTLs
HKEY_CURRENT_USER\
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\475BA6DA2AFD5AE3ADAE78A261CA0E3E548B9532
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\475BA6DA2AFD5AE3ADAE78A261CA0E3E548B9532\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\CA\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\CA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD78375931
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD78375931\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Disallowed\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A7217F919843199C958C128449DD52D2723B0A8A
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A7217F919843199C958C128449DD52D2723B0A8A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D85213E038F309D02A40917B59E142368AE6B1C0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D85213E038F309D02A40917B59E142368AE6B1C0\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DBB84423C928ABE889D0E368FC3191D151DDB1AB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DBB84423C928ABE889D0E368FC3191D151DDB1AB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\97817950D81C9670CC34D809CF794431367EF474
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\97817950D81C9670CC34D809CF794431367EF474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D23209AD23D314232174E40D7F9D62139786633A
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D23209AD23D314232174E40D7F9D62139786633A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\SmartCardRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPeople\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\TrustedPeople\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\trust\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\trust\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\trust
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CTLs
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllVerifyEncodedSignature
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllVerifyEncodedSignature
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllImportPublicKeyInfoEx2
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllImportPublicKeyInfoEx2
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllVerifyCertificateChainPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyCertificateChainPolicy

读取的注册表键

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserenvDebugLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\DisableImprovedZoneCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\svcVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Version
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{63DF5C4B-E3BF-3346-A033-C57B22F44C9E}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{63DF5C4B-E3BF-3346-A033-C57B22F44C9E}\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0804-1000-0000000FF1CE}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0804-1000-0000000FF1CE}\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002A-0000-1000-0000000FF1CE}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002A-0000-1000-0000000FF1CE}\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002A-0804-1000-0000000FF1CE}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002A-0804-1000-0000000FF1CE}\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942}\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 2052\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 2052\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9CA44204-CCC7-337A-B039-3ABF998AB8A9}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9CA44204-CCC7-337A-B039-3ABF998AB8A9}\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B0037450-526D-3448-A370-CACBD87769A0}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B0037450-526D-3448-A370-CACBD87769A0}\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B13B3E11-1555-353F-A63A-8933EE104FBD}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B13B3E11-1555-353F-A63A-8933EE104FBD}\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}\URLInfoAbout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextLockCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextListCount
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7\Name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4A\AAF68885\@%SystemRoot%\system32\p2pcollab.dll,-8042
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4A\AAF68885\@%SystemRoot%\system32\dnsapi.dll,-103
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableMandatoryBasicConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableCANameConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableUnsupportedCriticalExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlCountInCert
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCountPerChain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCertCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\CryptnetPreFetchTriggerPeriodSeconds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableWeakSignatureFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\ChainCacheResyncFiletime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2280033686-3172497658-3481507381-1000\ProfileImagePath
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\475BA6DA2AFD5AE3ADAE78A261CA0E3E548B9532\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD78375931\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A7217F919843199C958C128449DD52D2723B0A8A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D85213E038F309D02A40917B59E142368AE6B1C0\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DBB84423C928ABE889D0E368FC3191D151DDB1AB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\97817950D81C9670CC34D809CF794431367EF474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D23209AD23D314232174E40D7F9D62139786633A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress

修改的注册表键

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Google Update
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4A\AAF68885\LanguageList

删除的注册表键 无信息

API解析

kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
gpapi.dll.RegisterGPNotificationInternal
sechost.dll.OpenSCManagerW
sechost.dll.OpenServiceW
sechost.dll.CloseServiceHandle
sechost.dll.QueryServiceConfigW
sechost.dll.ConvertSidToStringSidW
kernel32.dll.HeapCreate
cryptsp.dll.CryptAcquireContextA
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptHashData
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
cryptsp.dll.CryptReleaseContext
shlwapi.dll.StrCmpNW
ws2_32.dll.GetAddrInfoW
ws2_32.dll.WSASocketW
ws2_32.dll.#2
ws2_32.dll.#21
ws2_32.dll.#9
ws2_32.dll.WSAIoctl
ws2_32.dll.FreeAddrInfoW
ws2_32.dll.#6
ws2_32.dll.#5
ws2_32.dll.WSARecv
ws2_32.dll.WSASend
rpcrt4.dll.RpcBindingFree
ws2_32.dll.WSAGetOverlappedResult
ws2_32.dll.#3
schannel.dll.SpUserModeInitialize
advapi32.dll.RegCreateKeyExW
advapi32.dll.RegQueryValueExW
advapi32.dll.RegCloseKey
secur32.dll.FreeContextBuffer
ncrypt.dll.SslOpenProvider
ncrypt.dll.GetSChannelInterface
bcryptprimitives.dll.GetHashInterface
ncrypt.dll.SslIncrementProviderReferenceCount
ncrypt.dll.SslImportKey
bcryptprimitives.dll.GetCipherInterface
ncrypt.dll.SslLookupCipherSuiteInfo
user32.dll.LoadStringW
ncrypt.dll.BCryptOpenAlgorithmProvider
ncrypt.dll.BCryptGetProperty
ncrypt.dll.BCryptCreateHash
ncrypt.dll.BCryptHashData
ncrypt.dll.BCryptFinishHash
ncrypt.dll.BCryptDestroyHash
crypt32.dll.CertGetCertificateChain
userenv.dll.GetUserProfileDirectoryW
sechost.dll.ConvertStringSidToSidW
userenv.dll.RegisterGPNotification
cryptsp.dll.CryptVerifySignatureA
cryptsp.dll.CryptDestroyKey
bcryptprimitives.dll.GetAsymmetricEncryptionInterface
ncrypt.dll.BCryptImportKeyPair
ncrypt.dll.BCryptVerifySignature
ncrypt.dll.BCryptDestroyKey
crypt32.dll.CertVerifyCertificateChainPolicy
crypt32.dll.CertFreeCertificateChain
crypt32.dll.CertDuplicateCertificateContext
ncrypt.dll.SslEncryptPacket
ncrypt.dll.SslDecryptPacket
crypt32.dll.CertFreeCertificateContext
ws2_32.dll.#22
kernel32.dll.LoadLibraryA
kernel32.dll.GetProcAddress
kernel32.dll.VirtualProtect
kernel32.dll.VirtualAlloc
kernel32.dll.VirtualFree
dnsapi.dll.DnsFree
ntdll.dll.RtlAdjustPrivilege
shlwapi.dll.StrToIntA
user32.dll.wsprintfW
winhttp.dll.WinHttpOpen
ws2_32.dll.#12
advapi32.dll.CryptHashData
crypt32.dll.CryptBinaryToStringA
ntdll.dll.NtCreateSection
user32.dll.wsprintfA
kernel32.dll.Sleep
kernel32.dll.TerminateProcess
kernel32.dll.CreateFileW
kernel32.dll.lstrcatA
kernel32.dll.MultiByteToWideChar
kernel32.dll.GetTempPathW
kernel32.dll.RtlMoveMemory
kernel32.dll.lstrcmpiA
kernel32.dll.OpenProcess
kernel32.dll.lstrcatW
kernel32.dll.CreateToolhelp32Snapshot
kernel32.dll.CloseHandle
kernel32.dll.DeleteFileW
kernel32.dll.OpenFileMappingA
kernel32.dll.RtlZeroMemory
kernel32.dll.WriteFile
kernel32.dll.GetProcessHeap
kernel32.dll.Process32First
kernel32.dll.HeapFree
kernel32.dll.HeapAlloc
kernel32.dll.CreateProcessW
kernel32.dll.VirtualQuery
kernel32.dll.UnmapViewOfFile
kernel32.dll.MapViewOfFile
kernel32.dll.lstrlenA
kernel32.dll.HeapReAlloc
kernel32.dll.Process32Next
kernel32.dll.GetTempFileNameW
dnsapi.dll.DnsQuery_W
ntdll.dll.NtUnmapViewOfSection
user32.dll.ExitWindowsEx
user32.dll.CharLowerA
winhttp.dll.WinHttpGetProxyForUrl
winhttp.dll.WinHttpCrackUrl
winhttp.dll.WinHttpOpenRequest
winhttp.dll.WinHttpAddRequestHeaders
winhttp.dll.WinHttpCloseHandle
winhttp.dll.WinHttpConnect
winhttp.dll.WinHttpSendRequest
winhttp.dll.WinHttpReceiveResponse
winhttp.dll.WinHttpGetIEProxyConfigForCurrentUser
winhttp.dll.WinHttpReadData
winhttp.dll.WinHttpSetOption
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
kernel32.dll.ReadProcessMemory
kernel32.dll.LeaveCriticalSection
kernel32.dll.Thread32Next
kernel32.dll.ExitThread
kernel32.dll.lstrcmpW
kernel32.dll.lstrlenW
kernel32.dll.GlobalUnlock
kernel32.dll.GetLastError
kernel32.dll.EnterCriticalSection
kernel32.dll.GetLocalTime
kernel32.dll.OpenThread
kernel32.dll.Thread32First
kernel32.dll.IsWow64Process
kernel32.dll.GetModuleFileNameA
kernel32.dll.GetModuleHandleA
kernel32.dll.CreateMutexA
kernel32.dll.GetCurrentThreadId
kernel32.dll.GetCurrentProcessId
kernel32.dll.WriteProcessMemory
kernel32.dll.SuspendThread
kernel32.dll.ResumeThread
kernel32.dll.lstrcpyW
kernel32.dll.CreateThread
kernel32.dll.CreateRemoteThread
kernel32.dll.InitializeCriticalSection
kernel32.dll.GlobalLock
advapi32.dll.CryptDestroyHash
advapi32.dll.CryptAcquireContextA
advapi32.dll.CryptReleaseContext
advapi32.dll.CryptGetHashParam
advapi32.dll.CryptCreateHash
ntdll.dll.NtMapViewOfSection
ntdll.dll.LdrProcessRelocationBlock
user32.dll.GetClassNameW
user32.dll.GetWindowTextW
user32.dll.GetForegroundWindow
user32.dll.GetKeyboardState
user32.dll.ToUnicode