魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2018-03-23 22:39:48	2018-03-23 22:42:23	155 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-hpdapp01-2	win7-sp1-x64-hpdapp01-2	KVM	2018-03-23 22:39:56	2018-03-23 22:42:19

魔盾分数
10.0 Androm

文件详细信息

文件名	d191ee5b20ec95fe65d6708cbb01a6ce72374b309c9bfb7462206a0c7e039f4d.exe
文件大小	137216 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
CRC32	B1CA7288
MD5	53bee1572d43897c55e2df143a66da7c
SHA1	ba84eb93a12e8a6bae1e29fe02d2c5b04759263d
SHA256	d191ee5b20ec95fe65d6708cbb01a6ce72374b309c9bfb7462206a0c7e039f4d
SHA512	13f28a2210d05e492cd6b4007b4349c3f34eeac711c46f4cd21cd2ef4d49704e1743679ed383772365a80e7f3ff6abafa28c5b693a8d4b9a52f443b331563c2f
Ssdeep	3072:NNuTEjsCCRNqw5YbcPunZz3f9oeVeAmABb7Z:NNufCSNqcunZdMAmAt
PEiD	无匹配
Yara	IsPE32 () IsWindowsGUI () HasRichSignature (Rich Signature Check) Microsoft_Visual_Cpp_v50v60_MFC () without_attachments (Rule to detect the no presence of any attachment) without_images (Rule to detect the no presence of any image) without_urls (Rule to detect the no presence of any url) DebuggerHiding__Active () anti_dbg (Checks if being debugged) escalate_priv (Escalade priviledges) screenshot (Take screenshot) keylogger (Run a keylogger) win_mutex (Create or check mutex) win_registry (Affect system registries) win_token (Affect system token) win_files_operation (Affect private profile) win_hook (Affect hook table)
VirusTotal	VirusTotal链接 VirusTotal扫描时间: 2018-03-17 14:01:05 扫描结果: 54/65

特征

发起了一些HTTP请求

url: http://www.bing.com/

url: http://cn.bing.com/

url: http://support.microsoft.com/

url: http://msdn.microsoft.com/vstudio

收集系统安装程序信息

创建RWX内存

从磁盘上删除自身的原始二进制

通过进程尝试延迟分析任务

Process: d191ee5b20ec95fe65d6708cbb01a6ce72374b309c9bfb7462206a0c7e039f4d.exe tried to sleep 61 seconds, actually delayed analysis time by 0 seconds

Process: explorer.exe tried to sleep 86 seconds, actually delayed analysis time by 0 seconds

对一些具体的运行中的进程呈现出兴趣

process: svchost.exe

对一个无法找到的进程进行重复搜索，可能希望以startbrowser=1选项运行

创建一个隐藏文件或系统文件

file: C:\Users\test\AppData\Roaming\Microsoft\uvwfvvfh\jeetbsrj.exe

file: C:\Users\test\AppData\Roaming\Microsoft\uvwfvvfh

魔盾wping.org IP地址信誉系统

Greylist: 139.59.208.246

Greylist: 210.16.102.127

二进制文件可能包含加密或压缩数据

section: name: .rdata, entropy: 6.83, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00009c00, virtual_size: 0x00009b1a

通过库文件检测是否存在Sandboxie系统

执行了一个进程并在其中注入代码（可能是在解包过程中）

尝试删除从因特网下载文件的证据

file: C:\Users\test\AppData\Roaming\Microsoft\uvwfvvfh\jeetbsrj.exe:Zone.Identifier

将自己装载到Windows开机自动启动项目

key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Update

data: C:\Users\test\AppData\Roaming\Microsoft\uvwfvvfh\jeetbsrj.exe

检查注册表中的磁盘驱动器，可能被用来实现反虚拟机

生成一个自己的复制文件

copy: C:\Users\test\AppData\Roaming\Microsoft\uvwfvvfh\jeetbsrj.exe

文件已被至少十个VirusTotal上的反病毒引擎检测为病毒

Bkav: W32.CoinMinerDofoilTo.Worm

MicroWorld-eScan: Trojan.Agent.CVUG

nProtect: Backdoor/W32.Androm.137216.D

CAT-QuickHeal: Backdoor.Androm

McAfee: Proxy-FBA!53BEE1572D43

Cylance: Unsafe

Zillya: Backdoor.Androm.Win32.49777

K7GW: Trojan ( 005299ff1 )

K7AntiVirus: Trojan ( 005299ff1 )

Baidu: Win32.Trojan.WisdomEyes.16070401.9500.9998

Cyren: W32/Trojan.IMFB-5122

Symantec: W32.Mandaph

ESET-NOD32: a variant of Win32/Kryptik.GDYD

TrendMicro-HouseCall: TROJ_SHARIK.YUYMH

Paloalto: generic.ml

GData: Win32.Trojan.Dofoil.A

Kaspersky: Backdoor.Win32.Androm.pfss

BitDefender: Trojan.Agent.CVUG

NANO-Antivirus: Trojan.Win32.Androm.eyrixz

ViRobot: Trojan.Win32.S.Dofoil.137216

Avast: Win32:Generic-YP [Trj]

Tencent: Win32.Trojan.Inject.Auto

Ad-Aware: Trojan.Agent.CVUG

Sophos: Mal/CerberN-A

Comodo: UnclassifiedMalware

F-Secure: Trojan.Agent.CVUG

DrWeb: Trojan.DownLoad4.7705

VIPRE: Trojan.Win32.Generic!BT

TrendMicro: TROJ_SHARIK.YUYMH

McAfee-GW-Edition: BehavesLike.Win32.Ransomware.ch

Emsisoft: Trojan.Agent.CVUG (B)

F-Prot: W32/Dofoil.D.gen!Eldorado

Webroot: W32.Trojan.Gen

Avira: TR/Crypt.EPACK.fextv

Antiy-AVL: Trojan[Backdoor]/Win32.Androm

Endgame: malicious (high confidence)

Arcabit: Trojan.Agent.CVUG

AegisLab: Backdoor.W32.Androm!c

ZoneAlarm: Backdoor.Win32.Androm.pfss

Microsoft: TrojanDownloader:Win32/Dofoil.AB

AhnLab-V3: Malware/Win32.Generic.C2424288

ALYac: Trojan.SmokeLoader

AVware: Trojan.Win32.Generic!BT

MAX: malware (ai score=100)

VBA32: BScope.Backdoor.Androm

Malwarebytes: Trojan.SmokeLoader

Rising: Ransom.Locky!1.AE2E (CLASSIC)

Yandex: Backdoor.Androm!hfug/RW6PlA

Ikarus: Trojan.Win32.Crypt

Fortinet: W32/Kryptik.AVDS!tr

AVG: Win32:Generic-YP [Trj]

Panda: Trj/GdSda.A

CrowdStrike: malicious_confidence_100% (W)

Qihoo-360: Win32/Trojan.Multi.daf

运行截图

网络分析

访问主机记录

直接访问	IP地址	国家名
否	104.115.243.63	United States
是	139.59.208.246	Singapore
否	172.231.74.187	United States
否	202.89.233.100	China
否	202.89.233.101	China
是	210.16.102.127	India
否	23.45.156.221	Netherlands
否	23.47.120.240	United States
是	37.46.135.49	Russian Federation
否	65.54.226.150	United States

域名解析

域名	响应
www.bing.com	A 202.89.233.101 CNAME cn.cn-0001.cn-msedge.net CNAME cn-0001.cn-msedge.net A 202.89.233.100
cn.bing.com	CNAME cn-bing-com.cn.a-0001.a-msedge.net
go.microsoft.com	CNAME go.microsoft.com.edgekey.net CNAME e11290.dspg.akamaiedge.net A 172.231.74.187
support.microsoft.com	A 23.47.120.240 CNAME e3843.g.akamaiedge.net CNAME ev.support.microsoft.com.edgekey.net A 23.45.156.221 A 104.115.243.63
msdn.microsoft.com	A 65.54.226.150 CNAME msdn.microsoft.akadns.net

TCP连接

IP地址	端口
104.115.243.63	443
104.115.243.63	443
104.115.243.63	443
139.59.208.246	53
139.59.208.246	53
172.231.74.187	80
202.89.233.100	80
202.89.233.101	80
23.45.156.221	443
23.45.156.221	443
23.47.120.240	80
23.47.120.240	443
23.47.120.240	443
23.47.120.240	443
65.54.226.150	80
65.54.226.150	80
65.54.226.150	80
65.54.226.150	80
65.54.226.150	80

UDP连接

IP地址	端口
192.168.122.1	53
192.168.122.1	53
192.168.122.1	53
192.168.122.1	53
192.168.122.1	53
192.168.122.1	53
192.168.122.1	53
192.168.122.1	53
192.168.122.1	53
192.168.122.1	53
192.168.122.1	53

HTTP请求

URL	HTTP数据
http://www.bing.com/	GET / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: www.bing.com
http://cn.bing.com/	GET / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: cn.bing.com
http://go.microsoft.com/fwlink/?LinkId=286133	GET /fwlink/?LinkId=286133 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: go.microsoft.com
http://support.microsoft.com/	GET / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: support.microsoft.com
http://go.microsoft.com/fwlink/?LinkId=133405	GET /fwlink/?LinkId=133405 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: go.microsoft.com
http://msdn.microsoft.com/vstudio	GET /vstudio HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: msdn.microsoft.com
http://go.microsoft.com/fwlink/?LinkId=249109	GET /fwlink/?LinkId=249109 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: go.microsoft.com

静态分析

PE 信息

初始地址	0x00400000
入口地址	0x004012c0
声明校验值	0x00000000
实际校验值	0x0002e4cd
最低操作系统版本要求	5.0
编译时间	2018-03-07 00:08:29
载入哈希	f9865239b4efd9f2cb68d199b75cd8c0

版本信息

LegalCopyright:	NCH Software
InternalName:	TexTally
FileDescription:	TexTally
FileVersion:	1.10
CompanyName:	NCH Software
Translation:	0x0c09 0x04b0

PE数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x00001a86	0x00001c00	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.37
.rdata	0x00003000	0x00009b1a	0x00009c00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	6.83
.data	0x0000d000	0x00000428	0x00000400	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	4.41
.rsrc	0x0000e000	0x000157f8	0x00015800	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.75

导入

库 KERNEL32.dll:

• 0x40332c - WriteFile

• 0x403330 - WriteConsoleW

• 0x403334 - WriteConsoleOutputCharacterW

• 0x403338 - WriteConsoleA

• 0x40333c - WideCharToMultiByte

• 0x403340 - WaitForSingleObject

• 0x403344 - WaitForMultipleObjects

• 0x403348 - VirtualFree

• 0x40334c - VirtualAlloc

• 0x403350 - VerifyVersionInfoW

• 0x403354 - VerSetConditionMask

• 0x403358 - VerLanguageNameA

• 0x40335c - UnhandledExceptionFilter

• 0x403360 - TlsSetValue

• 0x403364 - TlsGetValue

• 0x403368 - TlsFree

• 0x40336c - TlsAlloc

• 0x403370 - TerminateThread

• 0x403374 - TerminateProcess

• 0x403378 - Sleep

• 0x40337c - SizeofResource

• 0x403380 - SetVolumeLabelW

• 0x403384 - SetUnhandledExceptionFilter

• 0x403388 - SetThreadPriority

• 0x40338c - SetStdHandle

• 0x403390 - SetNamedPipeHandleState

• 0x403394 - SetLastError

• 0x403398 - SetHandleCount

• 0x40339c - SetFilePointer

• 0x4033a0 - SetFileAttributesW

• 0x4033a4 - SetEvent

• 0x4033a8 - SetErrorMode

• 0x4033ac - SetEnvironmentVariableW

• 0x4033b0 - SetEnvironmentVariableA

• 0x4033b4 - SetEndOfFile

• 0x4033b8 - SetCurrentDirectoryW

• 0x4033bc - SetConsoleCursorPosition

• 0x4033c0 - RtlUnwind

• 0x4033c4 - ResumeThread

• 0x4033c8 - RequestWakeupLatency

• 0x4033cc - ReplaceFile

• 0x4033d0 - RemoveDirectoryW

• 0x4033d4 - ReadFile

• 0x4033d8 - ReadConsoleOutputCharacterA

• 0x4033dc - RaiseException

• 0x4033e0 - QueryPerformanceFrequency

• 0x4033e4 - QueryPerformanceCounter

• 0x4033e8 - QueryDosDeviceW

• 0x4033ec - Process32NextW

• 0x4033f0 - Process32FirstW

• 0x4033f4 - PeekNamedPipe

• 0x4033f8 - OutputDebugStringW

• 0x4033fc - OpenProcess

• 0x403400 - MultiByteToWideChar

• 0x403404 - MulDiv

• 0x403408 - MoveFileW

• 0x40340c - MoveFileA

• 0x403410 - LockResource

• 0x403414 - LocalFree

• 0x403418 - LocalAlloc

• 0x40341c - LoadResource

• 0x403420 - LoadModule

• 0x403424 - LoadLibraryW

• 0x403428 - LoadLibraryExW

• 0x40342c - LoadLibraryA

• 0x403430 - LeaveCriticalSection

• 0x403434 - LCMapStringW

• 0x403438 - LCMapStringA

• 0x40343c - IsValidLocale

• 0x403440 - IsValidLanguageGroup

• 0x403444 - IsValidCodePage

• 0x403448 - IsDebuggerPresent

• 0x40344c - IsBadStringPtrA

• 0x403450 - IsBadReadPtr

• 0x403454 - InterlockedIncrement

• 0x403458 - InterlockedExchange

• 0x40345c - InterlockedDecrement

• 0x403460 - InterlockedCompareExchange

• 0x403464 - InitializeCriticalSectionAndSpinCount

• 0x403468 - InitializeCriticalSection

• 0x40346c - HeapSize

• 0x403470 - HeapReAlloc

• 0x403474 - HeapFree

• 0x403478 - HeapCreate

• 0x40347c - HeapAlloc

• 0x403480 - Heap32ListNext

• 0x403484 - GlobalUnlock

• 0x403488 - GlobalSize

• 0x40348c - GlobalLock

• 0x403490 - GlobalGetAtomNameW

• 0x403494 - GlobalFree

• 0x403498 - GlobalAlloc

• 0x40349c - GetWindowsDirectoryA

• 0x4034a0 - GetVolumeInformationW

• 0x4034a4 - GetVersionExW

• 0x4034a8 - GetUserDefaultLCID

• 0x4034ac - GetTimeZoneInformation

• 0x4034b0 - GetTimeFormatA

• 0x4034b4 - GetThreadTimes

• 0x4034b8 - GetTempPathW

• 0x4034bc - GetTempFileNameW

• 0x4034c0 - GetTempFileNameA

• 0x4034c4 - GetSystemTimeAsFileTime

• 0x4034c8 - GetSystemTime

• 0x4034cc - GetSystemDirectoryW

• 0x4034d0 - GetSystemDefaultUILanguage

• 0x4034d4 - GetStringTypeW

• 0x4034d8 - GetStringTypeA

• 0x4034dc - GetStdHandle

• 0x4034e0 - GetStartupInfoA

• 0x4034e4 - GetProcessHeap

• 0x4034e8 - GetProcAddress

• 0x4034ec - GetOEMCP

• 0x4034f0 - GetModuleHandleW

• 0x4034f4 - GetModuleHandleA

• 0x4034f8 - GetModuleFileNameW

• 0x4034fc - GetModuleFileNameA

• 0x403500 - GetLogicalDriveStringsW

• 0x403504 - GetLocaleInfoW

• 0x403508 - GetLocaleInfoA

• 0x40350c - GetLastError

• 0x403510 - GetFullPathNameW

• 0x403514 - GetFullPathNameA

• 0x403518 - GetFileType

• 0x40351c - GetFileTime

• 0x403520 - GetFileSize

• 0x403524 - GetFileAttributesW

• 0x403528 - GetFileAttributesExW

• 0x40352c - GetExitCodeThread

• 0x403530 - GetExitCodeProcess

• 0x403534 - GetEnvironmentVariableW

• 0x403538 - GetEnvironmentStringsW

• 0x40353c - GetEnvironmentStrings

• 0x403540 - GetDriveTypeW

• 0x403544 - GetDriveTypeA

• 0x403548 - GetDiskFreeSpaceW

• 0x40354c - GetDiskFreeSpaceExW

• 0x403550 - GetDiskFreeSpaceExA

• 0x403554 - GetDefaultCommConfigW

• 0x403558 - GetDateFormatA

• 0x40355c - GetCurrentThreadId

• 0x403560 - GetCurrentThread

• 0x403564 - GetCurrentProcessId

• 0x403568 - GetCurrentProcess

• 0x40356c - GetCurrentDirectoryA

• 0x403570 - GetConsoleScreenBufferInfo

• 0x403574 - GetConsoleOutputCP

• 0x403578 - GetConsoleMode

• 0x40357c - GetConsoleCP

• 0x403580 - GetComputerNameW

• 0x403584 - GetCommandLineW

• 0x403588 - GetCommandLineA

• 0x40358c - GetCPInfo

• 0x403590 - ChangeTimerQueueTimer

• 0x403594 - GetBinaryTypeW

• 0x403598 - GetACP

• 0x40359c - FreeLibrary

• 0x4035a0 - FreeEnvironmentStringsW

• 0x4035a4 - FreeEnvironmentStringsA

• 0x4035a8 - FreeConsole

• 0x4035ac - FormatMessageW

• 0x4035b0 - FlushFileBuffers

• 0x4035b4 - FindResourceW

• 0x4035b8 - FindNextFileW

• 0x4035bc - FindFirstFileW

• 0x4035c0 - FindClose

• 0x4035c4 - FillConsoleOutputCharacterW

• 0x4035c8 - FileTimeToSystemTime

• 0x4035cc - FileTimeToLocalFileTime

• 0x4035d0 - ExpandEnvironmentStringsW

• 0x4035d4 - ExitThread

• 0x4035d8 - ExitProcess

• 0x4035dc - EnumSystemLocalesA

• 0x4035e0 - EnterCriticalSection

• 0x4035e4 - DuplicateHandle

• 0x4035e8 - DeviceIoControl

• 0x4035ec - DeleteFileW

• 0x4035f0 - DeleteFileA

• 0x4035f4 - DeleteCriticalSection

• 0x4035f8 - DebugActiveProcess

• 0x4035fc - CreateToolhelp32Snapshot

• 0x403600 - CreateThread

• 0x403604 - CreateProcessW

• 0x403608 - CreatePipe

• 0x40360c - CreateMutexW

• 0x403610 - CreateMailslotW

• 0x403614 - CreateFileW

• 0x403618 - CreateFileA

• 0x40361c - CreateEventW

• 0x403620 - CreateDirectoryW

• 0x403624 - CreateDirectoryExA

• 0x403628 - CreateDirectoryA

• 0x40362c - CopyFileW

• 0x403630 - CopyFileA

• 0x403634 - CompareStringW

• 0x403638 - CompareStringA

• 0x40363c - CloseHandle

• 0x403640 - GetTickCount

库 USER32.dll:

• 0x403708 - TrackPopupMenu

• 0x40370c - SystemParametersInfoW

• 0x403710 - ShowWindow

• 0x403714 - ShowCursor

• 0x403718 - SetWindowsHookExW

• 0x40371c - SetWindowTextW

• 0x403720 - SetWindowRgn

• 0x403724 - SetWindowPos

• 0x403728 - SetWindowLongW

• 0x40372c - SetTimer

• 0x403730 - SetThreadDesktop

• 0x403734 - SetScrollInfo

• 0x403738 - SetRectEmpty

• 0x40373c - SetRect

• 0x403740 - SetParent

• 0x403744 - SetMenuItemInfoW

• 0x403748 - SetMenu

• 0x40374c - SetForegroundWindow

• 0x403750 - SetFocus

• 0x403754 - SetCursorPos

• 0x403758 - SetCursor

• 0x40375c - SetCaretBlinkTime

• 0x403760 - SetCapture

• 0x403764 - SetActiveWindow

• 0x403768 - SendMessageW

• 0x40376c - ScrollWindowEx

• 0x403770 - ScrollWindow

• 0x403774 - ScreenToClient

• 0x403778 - RemoveMenu

• 0x40377c - ReleaseDC

• 0x403780 - ReleaseCapture

• 0x403784 - RegisterWindowMessageW

• 0x403788 - RegisterHotKey

• 0x40378c - RegisterDeviceNotificationW

• 0x403790 - RegisterClipboardFormatW

• 0x403794 - RegisterClipboardFormatA

• 0x403798 - RegisterClassW

• 0x40379c - RedrawWindow

• 0x4037a0 - PtInRect

• 0x4037a4 - PostQuitMessage

• 0x4037a8 - PostMessageW

• 0x4037ac - PeekMessageW

• 0x4037b0 - OpenClipboard

• 0x4037b4 - OffsetRect

• 0x4037b8 - OemToCharBuffA

• 0x4037bc - OemToCharA

• 0x4037c0 - MsgWaitForMultipleObjects

• 0x4037c4 - MoveWindow

• 0x4037c8 - ModifyMenuW

• 0x4037cc - MessageBoxW

• 0x4037d0 - MessageBeep

• 0x4037d4 - MapWindowPoints

• 0x4037d8 - MapVirtualKeyW

• 0x4037dc - MapVirtualKeyExA

• 0x4037e0 - LoadMenuW

• 0x4037e4 - LoadImageW

• 0x4037e8 - LoadIconW

• 0x4037ec - LoadCursorW

• 0x4037f0 - LoadBitmapW

• 0x4037f4 - LoadBitmapA

• 0x4037f8 - KillTimer

• 0x4037fc - IsZoomed

• 0x403800 - IsWindowVisible

• 0x403804 - IsWindowEnabled

• 0x403808 - IsWindow

• 0x40380c - IsRectEmpty

• 0x403810 - IsMenu

• 0x403814 - IsIconic

• 0x403818 - IsDialogMessageW

• 0x40381c - IsClipboardFormatAvailable

• 0x403820 - IsCharUpperA

• 0x403824 - IsCharLowerW

• 0x403828 - IsCharLowerA

• 0x40382c - InvalidateRect

• 0x403830 - InsertMenuW

• 0x403834 - InsertMenuItemW

• 0x403838 - InflateRect

• 0x40383c - HiliteMenuItem

• 0x403840 - HideCaret

• 0x403844 - GetWindowThreadProcessId

• 0x403848 - GetWindowTextW

• 0x40384c - GetWindowTextLengthW

• 0x403850 - GetWindowRect

• 0x403854 - GetWindowPlacement

• 0x403858 - GetWindowLongW

• 0x40385c - GetWindowDC

• 0x403860 - GetWindow

• 0x403864 - GetUpdateRgn

• 0x403868 - GetSystemMetrics

• 0x40386c - GetSystemMenu

• 0x403870 - GetSysColorBrush

• 0x403874 - GetSysColor

• 0x403878 - GetSubMenu

• 0x40387c - GetShellWindow

• 0x403880 - GetScrollInfo

• 0x403884 - GetParent

• 0x403888 - TranslateAcceleratorW

• 0x40388c - GetMessageTime

• 0x403890 - GetMessagePos

• 0x403894 - GetMenuState

• 0x403898 - GetMenuItemInfoW

• 0x40389c - GetMenuItemID

• 0x4038a0 - GetMenuItemCount

• 0x4038a4 - GetKeyboardLayoutNameW

• 0x4038a8 - GetKeyState

• 0x4038ac - GetIconInfo

• 0x4038b0 - GetForegroundWindow

• 0x4038b4 - GetFocus

• 0x4038b8 - GetDoubleClickTime

• 0x4038bc - GetDlgItemTextW

• 0x4038c0 - GetDlgItem

• 0x4038c4 - GetDialogBaseUnits

• 0x4038c8 - GetDesktopWindow

• 0x4038cc - GetDC

• 0x4038d0 - GetCursorPos

• 0x4038d4 - GetClipboardViewer

• 0x4038d8 - GetClipboardFormatNameW

• 0x4038dc - GetClipboardData

• 0x4038e0 - GetClientRect

• 0x4038e4 - GetClassNameW

• 0x4038e8 - GetClassLongW

• 0x4038ec - GetCapture

• 0x4038f0 - GetAsyncKeyState

• 0x4038f4 - GetActiveWindow

• 0x4038f8 - FlashWindow

• 0x4038fc - FindWindowExW

• 0x403900 - FillRect

• 0x403904 - ExitWindowsEx

• 0x403908 - EnumDisplaySettingsW

• 0x40390c - EndPaint

• 0x403910 - EndDeferWindowPos

• 0x403914 - EnableWindow

• 0x403918 - EnableScrollBar

• 0x40391c - EnableMenuItem

• 0x403920 - EmptyClipboard

• 0x403924 - DrawTextW

• 0x403928 - DrawStateW

• 0x40392c - DrawMenuBar

• 0x403930 - DrawIconEx

• 0x403934 - DrawFrameControl

• 0x403938 - DrawFocusRect

• 0x40393c - DrawEdge

• 0x403940 - DragObject

• 0x403944 - DlgDirSelectComboBoxExW

• 0x403948 - DispatchMessageW

• 0x40394c - DestroyWindow

• 0x403950 - DestroyMenu

• 0x403954 - DestroyIcon

• 0x403958 - DestroyCursor

• 0x40395c - DestroyAcceleratorTable

• 0x403960 - DeferWindowPos

• 0x403964 - DefWindowProcW

• 0x403968 - DefFrameProcW

• 0x40396c - DdeUninitialize

• 0x403970 - DdeSetUserHandle

• 0x403974 - DdeQueryStringW

• 0x403978 - DdeQueryConvInfo

• 0x40397c - DdePostAdvise

• 0x403980 - DdeNameService

• 0x403984 - DdeInitializeW

• 0x403988 - DdeGetLastError

• 0x40398c - DdeGetData

• 0x403990 - DdeFreeStringHandle

• 0x403994 - DdeFreeDataHandle

• 0x403998 - DdeDisconnectList

• 0x40399c - DdeDisconnect

• 0x4039a0 - DdeCreateStringHandleW

• 0x4039a4 - DdeCreateDataHandle

• 0x4039a8 - DdeConnect

• 0x4039ac - DdeClientTransaction

• 0x4039b0 - CreateWindowExW

• 0x4039b4 - CreatePopupMenu

• 0x4039b8 - CreateMenu

• 0x4039bc - CreateMDIWindowA

• 0x4039c0 - TranslateMessage

• 0x4039c4 - UnhookWindowsHookEx

• 0x4039c8 - UnionRect

• 0x4039cc - UnregisterClassW

• 0x4039d0 - CharNextA

• 0x4039d4 - GetInputState

• 0x4039d8 - CopyIcon

• 0x4039dc - CharLowerW

• 0x4039e0 - GetCursor

• 0x4039e4 - IsCharAlphaNumericA

• 0x4039e8 - GetClipboardSequenceNumber

• 0x4039ec - ShowCaret

• 0x4039f0 - GetMenuCheckMarkDimensions

• 0x4039f4 - GetProcessWindowStation

• 0x4039f8 - EndMenu

• 0x4039fc - IsCharAlphaW

• 0x403a00 - GetQueueStatus

• 0x403a04 - CharLowerA

• 0x403a08 - GetDlgCtrlID

• 0x403a0c - OpenIcon

• 0x403a10 - VkKeyScanA

• 0x403a14 - WindowFromDC

• 0x403a18 - GetKeyboardLayout

• 0x403a1c - GetKBCodePage

• 0x403a20 - GetMessageExtraInfo

• 0x403a24 - GetTopWindow

• 0x403a28 - IsCharUpperW

• 0x403a2c - GetWindowContextHelpId

• 0x403a30 - LoadCursorFromFileA

• 0x403a34 - GetWindowTextLengthA

• 0x403a38 - CloseWindowStation

• 0x403a3c - PaintDesktop

• 0x403a40 - GetOpenClipboardWindow

• 0x403a44 - OemKeyScan

• 0x403a48 - wvsprintfW

• 0x403a4c - wsprintfW

• 0x403a50 - keybd_event

• 0x403a54 - WindowFromPoint

• 0x403a58 - WaitForInputIdle

• 0x403a5c - AdjustWindowRectEx

• 0x403a60 - AppendMenuW

• 0x403a64 - AttachThreadInput

• 0x403a68 - BeginDeferWindowPos

• 0x403a6c - BeginPaint

• 0x403a70 - BringWindowToTop

• 0x403a74 - CallNextHookEx

• 0x403a78 - CallWindowProcW

• 0x403a7c - ChangeDisplaySettingsW

• 0x403a80 - CharUpperA

• 0x403a84 - CheckMenuItem

• 0x403a88 - CheckMenuRadioItem

• 0x403a8c - ChildWindowFromPoint

• 0x403a90 - ChildWindowFromPointEx

• 0x403a94 - ClientToScreen

• 0x403a98 - CloseClipboard

• 0x403a9c - CopyRect

• 0x403aa0 - CreateAcceleratorTableW

• 0x403aa4 - CreateDesktopW

• 0x403aa8 - WINNLSGetEnableStatus

• 0x403aac - VkKeyScanW

• 0x403ab0 - ValidateRgn

• 0x403ab4 - ValidateRect

• 0x403ab8 - UpdateWindow

• 0x403abc - UnregisterHotKey

• 0x403ac0 - GetMessageW

• 0x403ac4 - UnregisterDeviceNotification

• 0x403ac8 - CreateIconIndirect

• 0x403acc - CreateIcon

• 0x403ad0 - CreateDialogParamW

• 0x403ad4 - CreateDialogIndirectParamW

• 0x403ad8 - PostThreadMessageW

库 GDI32.dll:

• 0x4030fc - GetObjectW

• 0x403100 - GetOutlineTextMetricsW

• 0x403104 - GetPaletteEntries

• 0x403108 - GetPixel

• 0x40310c - GetRegionData

• 0x403110 - GetRgnBox

• 0x403114 - GetStockObject

• 0x403118 - GetSystemPaletteEntries

• 0x40311c - GetTextExtentExPointW

• 0x403120 - GetTextExtentPoint32W

• 0x403124 - GetTextExtentPointA

• 0x403128 - GetTextMetricsW

• 0x40312c - GetViewportOrgEx

• 0x403130 - LineTo

• 0x403134 - MaskBlt

• 0x403138 - MoveToEx

• 0x40313c - OffsetRgn

• 0x403140 - Pie

• 0x403144 - PlayEnhMetaFile

• 0x403148 - PolyBezier

• 0x40314c - PolyPolygon

• 0x403150 - Polygon

• 0x403154 - Polyline

• 0x403158 - PtInRegion

• 0x40315c - RealizePalette

• 0x403160 - RectInRegion

• 0x403164 - Rectangle

• 0x403168 - ResetDCW

• 0x40316c - RoundRect

• 0x403170 - STROBJ_dwGetCodePage

• 0x403174 - SelectClipRgn

• 0x403178 - SelectObject

• 0x40317c - SelectPalette

• 0x403180 - SetAbortProc

• 0x403184 - SetBkColor

• 0x403188 - SetBkMode

• 0x40318c - SetBrushOrgEx

• 0x403190 - GetObjectType

• 0x403194 - SetMapMode

• 0x403198 - SetPixel

• 0x40319c - SetPolyFillMode

• 0x4031a0 - SetROP2

• 0x4031a4 - SetStretchBltMode

• 0x4031a8 - SetTextColor

• 0x4031ac - SetViewportExtEx

• 0x4031b0 - SetViewportOrgEx

• 0x4031b4 - SetWindowExtEx

• 0x4031b8 - SetWindowOrgEx

• 0x4031bc - SetWorldTransform

• 0x4031c0 - StartDocW

• 0x4031c4 - StartPage

• 0x4031c8 - StretchBlt

• 0x4031cc - StretchDIBits

• 0x4031d0 - StrokePath

• 0x4031d4 - SaveDC

• 0x4031d8 - GetDCPenColor

• 0x4031dc - DeleteColorSpace

• 0x4031e0 - GetSystemPaletteUse

• 0x4031e4 - CreateHalftonePalette

• 0x4031e8 - GetDCBrushColor

• 0x4031ec - PathToRegion

• 0x4031f0 - GetROP2

• 0x4031f4 - FillPath

• 0x4031f8 - AbortDoc

• 0x4031fc - GetMapMode

• 0x403200 - SwapBuffers

• 0x403204 - GetPixelFormat

• 0x403208 - DeleteMetaFile

• 0x40320c - GetEnhMetaFileA

• 0x403210 - GdiGetBatchLimit

• 0x403214 - FlattenPath

• 0x403218 - CloseMetaFile

• 0x40321c - GetPolyFillMode

• 0x403220 - CloseFigure

• 0x403224 - GetNearestPaletteIndex

• 0x403228 - GetEnhMetaFileW

• 0x40322c - GetEnhMetaFileHeader

• 0x403230 - GetEUDCTimeStamp

• 0x403234 - GetDeviceCaps

• 0x403238 - GetDIBits

• 0x40323c - GetColorSpace

• 0x403240 - GetDIBColorTable

• 0x403244 - GetClipBox

• 0x403248 - GetCharABCWidthsW

• 0x40324c - GetBkColor

• 0x403250 - GdiSetServerAttr

• 0x403254 - GdiSetPixelFormat

• 0x403258 - GdiQueryFonts

• 0x40325c - GdiProcessSetup

• 0x403260 - GdiInitializeLanguagePack

• 0x403264 - GdiFlush

• 0x403268 - GdiEntry11

• 0x40326c - GdiDeleteSpoolFileHandle

• 0x403270 - FloodFill

• 0x403274 - FONTOBJ_pvTrueTypeFontFile

• 0x403278 - ExtTextOutW

• 0x40327c - ExtSelectClipRgn

• 0x403280 - ExtFloodFill

• 0x403284 - ExtCreateRegion

• 0x403288 - ExtCreatePen

• 0x40328c - ExcludeClipRect

• 0x403290 - EqualRgn

• 0x403294 - EnumICMProfilesW

• 0x403298 - EnumICMProfilesA

• 0x40329c - EnumFontsA

• 0x4032a0 - EnumFontFamiliesExW

• 0x4032a4 - EnumEnhMetaFile

• 0x4032a8 - EngFreeModule

• 0x4032ac - EngEraseSurface

• 0x4032b0 - EndPath

• 0x4032b4 - EndPage

• 0x4032b8 - EndDoc

• 0x4032bc - Ellipse

• 0x4032c0 - DeleteObject

• 0x4032c4 - DeleteEnhMetaFile

• 0x4032c8 - DeleteDC

• 0x4032cc - CreateSolidBrush

• 0x4032d0 - CreateRectRgnIndirect

• 0x4032d4 - CreateRectRgn

• 0x4032d8 - CreatePen

• 0x4032dc - CreatePatternBrush

• 0x4032e0 - CreatePalette

• 0x4032e4 - CreateICW

• 0x4032e8 - CreateHatchBrush

• 0x4032ec - CreateFontIndirectW

• 0x4032f0 - CreateEnhMetaFileW

• 0x4032f4 - CreateDIBitmap

• 0x4032f8 - CreateDIBSection

• 0x4032fc - CreateDCW

• 0x403300 - CreateCompatibleDC

• 0x403304 - CreateCompatibleBitmap

• 0x403308 - CreateBitmap

• 0x40330c - CombineRgn

• 0x403310 - CloseEnhMetaFile

• 0x403314 - BitBlt

• 0x403318 - Arc

• 0x40331c - SetEnhMetaFileBits

库 COMDLG32.dll:

• 0x4030dc - PageSetupDlgW

• 0x4030e0 - GetSaveFileNameW

• 0x4030e4 - GetOpenFileNameW

• 0x4030e8 - CommDlgExtendedError

• 0x4030ec - ChooseFontW

• 0x4030f0 - ChooseColorW

• 0x4030f4 - PrintDlgW

库 ADVAPI32.dll:

• 0x403000 - RegOpenKeyW

• 0x403004 - AddAccessAllowedAce

• 0x403008 - AdjustTokenPrivileges

• 0x40300c - AllocateAndInitializeSid

• 0x403010 - CloseServiceHandle

• 0x403014 - DuplicateToken

• 0x403018 - FreeSid

• 0x40301c - GetLengthSid

• 0x403020 - GetUserNameW

• 0x403024 - InitializeAcl

• 0x403028 - InitializeSecurityDescriptor

• 0x40302c - IsValidSecurityDescriptor

• 0x403030 - LookupPrivilegeValueW

• 0x403034 - OpenProcessToken

• 0x403038 - OpenSCManagerW

• 0x40303c - OpenServiceW

• 0x403040 - OpenThreadToken

• 0x403044 - QueryServiceStatus

• 0x403048 - RegCloseKey

• 0x40304c - RegCreateKeyExW

• 0x403050 - RegDeleteKeyW

• 0x403054 - SetSecurityDescriptorOwner

• 0x403058 - SetSecurityDescriptorGroup

• 0x40305c - SetSecurityDescriptorDacl

• 0x403060 - RegSetValueExW

• 0x403064 - RegQueryValueExW

• 0x403068 - AccessCheck

• 0x40306c - RegOpenKeyExW

• 0x403070 - RegEnumValueW

• 0x403074 - RegEnumKeyW

• 0x403078 - RegEnumKeyExW

• 0x40307c - RegDeleteValueW

库 SHELL32.dll:

• 0x403648 - SHChangeNotify

• 0x40364c - ShellHookProc

• 0x403650 - ShellExecuteW

• 0x403654 - ShellExecuteExW

• 0x403658 - ShellExecuteExA

• 0x40365c - ShellAboutA

• 0x403660 - SHLoadNonloadedIconOverlayIdentifiers

• 0x403664 - DoEnvironmentSubstA

• 0x403668 - DragAcceptFiles

• 0x40366c - DragFinish

• 0x403670 - DragQueryFile

• 0x403674 - DragQueryFileW

• 0x403678 - DragQueryPoint

• 0x40367c - ExtractAssociatedIconA

• 0x403680 - ExtractAssociatedIconExA

• 0x403684 - ExtractAssociatedIconExW

• 0x403688 - ExtractAssociatedIconW

• 0x40368c - ExtractIconA

• 0x403690 - ExtractIconExW

• 0x403694 - ExtractIconW

• 0x403698 - FindExecutableW

• 0x40369c - SHBrowseForFolderW

• 0x4036a0 - Shell_NotifyIconW

• 0x4036a4 - SHCreateDirectoryExA

• 0x4036a8 - SHCreateDirectoryExW

• 0x4036ac - SHCreateProcessAsUserW

• 0x4036b0 - SHEmptyRecycleBinW

• 0x4036b4 - SHFileOperationA

• 0x4036b8 - SHFormatDrive

• 0x4036bc - SHFreeNameMappings

• 0x4036c0 - SHGetFileInfoW

• 0x4036c4 - SHGetFolderLocation

• 0x4036c8 - SHGetFolderPathW

• 0x4036cc - SHGetIconOverlayIndexA

• 0x4036d0 - SHGetMalloc

• 0x4036d4 - SHGetPathFromIDList

• 0x4036d8 - SHGetPathFromIDListW

• 0x4036dc - SHGetSpecialFolderLocation

• 0x4036e0 - SHIsFileAvailableOffline

库 ole32.dll:

• 0x403ae0 - RevokeDragDrop

• 0x403ae4 - ReleaseStgMedium

• 0x403ae8 - RegisterDragDrop

• 0x403aec - OleUninitialize

• 0x403af0 - OleSetContainedObject

• 0x403af4 - OleSetClipboard

• 0x403af8 - OleRun

• 0x403afc - OleLockRunning

• 0x403b00 - OleIsCurrentClipboard

• 0x403b04 - OleInitialize

• 0x403b08 - OleGetClipboard

• 0x403b0c - OleFlushClipboard

• 0x403b10 - CoUninitialize

• 0x403b14 - CoTaskMemAlloc

• 0x403b18 - CoLockObjectExternal

• 0x403b1c - CoInitialize

• 0x403b20 - CoCreateInstance

• 0x403b24 - CoCreateGuid

库 SHLWAPI.dll:

• 0x4036e8 - StrFormatKBSizeW

• 0x4036ec - StrRChrA

• 0x4036f0 - StrRStrIW

• 0x4036f4 - StrStrA

• 0x4036f8 - StrStrIW

• 0x4036fc - StrFormatByteSizeW

• 0x403700 - StrToIntW

库 COMCTL32.dll:

• 0x403084 - CreatePropertySheetPageA

• 0x403088 - ImageList_Add

• 0x40308c - ImageList_AddMasked

• 0x403090 - ImageList_BeginDrag

• 0x403094 - ImageList_Create

• 0x403098 - ImageList_Destroy

• 0x40309c - ImageList_DragEnter

• 0x4030a0 - ImageList_DragLeave

• 0x4030a4 - ImageList_DragMove

• 0x4030a8 - ImageList_Draw

• 0x4030ac - ImageList_EndDrag

• 0x4030b0 - ImageList_GetIconSize

• 0x4030b4 - ImageList_GetImageCount

• 0x4030b8 - ImageList_GetImageInfo

• 0x4030bc - ImageList_Remove

• 0x4030c0 - ImageList_Replace

• 0x4030c4 - ImageList_ReplaceIcon

• 0x4030c8 - ImageList_SetBkColor

• 0x4030cc - ImageList_SetDragCursorImage

• 0x4030d0 - InitCommonControlsEx

• 0x4030d4 - PropertySheetA

库 IMM32.dll:

• 0x403324 - ImmDisableIME

投放文件

jeetbsrj.exe

文件名	jeetbsrj.exe
相关文件	C:\Users\test\AppData\Roaming\Microsoft\uvwfvvfh\jeetbsrj.exe
文件大小	137216 bytes
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	53bee1572d43897c55e2df143a66da7c
SHA1	ba84eb93a12e8a6bae1e29fe02d2c5b04759263d
SHA256	d191ee5b20ec95fe65d6708cbb01a6ce72374b309c9bfb7462206a0c7e039f4d
SHA512	13f28a2210d05e492cd6b4007b4349c3f34eeac711c46f4cd21cd2ef4d49704e1743679ed383772365a80e7f3ff6abafa28c5b693a8d4b9a52f443b331563c2f
Ssdeep	3072:NNuTEjsCCRNqw5YbcPunZz3f9oeVeAmABb7Z:NNufCSNqcunZdMAmAt
VirusTotal	搜索相关分析

行为分析

互斥量(Mutexes)

DEF5EE571EE80BA052D5B209BC8A77AA944C1BA9

执行的命令

explorer.exe

创建的服务 无信息

启动的服务 无信息

进程

d191ee5b20ec95fe65d6708cbb01a6ce72374b309c9bfb7462206a0c7e039f4d.exe PID: 220, 上一级进程 PID: 1976

explorer.exe PID: 1944, 上一级进程 PID: 220

访问的文件

C:\Users\test\AppData\Local\Temp\gipOoZaUyi
C:\Users\test\AppData\Local\Temp\OPENGL32.DLL
C:\Windows\System32\opengl32.dll
C:\Users\test\AppData\Local\Temp\GLU32.dll
C:\Windows\System32\glu32.dll
C:\Users\test\AppData\Local\Temp\DDRAW.dll
C:\Windows\System32\ddraw.dll
C:\Users\test\AppData\Local\Temp\DCIMAN32.dll
C:\Windows\System32\dciman32.dll
C:\Users\test\AppData\Local\Temp\dwmapi.dll
C:\Windows\System32\dwmapi.dll
C:\Users\test\AppData\Local\Temp\DbhDJcFbNe
C:\Windows\System32\DbhDJcFbNe
C:\Windows\system\DbhDJcFbNe
C:\Windows\DbhDJcFbNe
C:\ProgramData\Oracle\Java\javapath\DbhDJcFbNe
C:\Windows\System32\wbem\DbhDJcFbNe
C:\Windows\System32\WindowsPowerShell\v1.0\DbhDJcFbNe
C:\Program Files (x86)\WinRAR\DbhDJcFbNe
C:\Users\test\AppData\Local\Temp\NxsGeVuOLC
C:\Users\test\AppData\Local\Temp\ViwtkMrRpg
C:\Users\test\AppData\Local\Temp\1444444444
C:\Users\test\AppData\Local\Temp\winhttp.DLL
C:\Windows\System32\winhttp.dll
C:\Users\test\AppData\Local\Temp\webio.dll
C:\Windows\System32\webio.dll
C:\Users\test\AppData\Local\Temp\dnsapi.DLL
C:\Windows\System32\dnsapi.dll
C:\
C:\Windows\SysWOW64\winhttp.dll
C:\Windows\SysWOW64\webio.dll
C:\Windows\SysWOW64\dnsapi.dll
C:\Users\test\AppData\Roaming\Microsoft\uvwfvvfh
C:\Users\test\AppData\Roaming\Microsoft\uvwfvvfh\jeetbsrj.exe
C:\Users\test\AppData\Local\Temp\d191ee5b20ec95fe65d6708cbb01a6ce72374b309c9bfb7462206a0c7e039f4d.exe
C:\Users\test\AppData\Roaming\Microsoft\uvwfvvfh\jeetbsrj.exe:Zone.Identifier
C:\Windows\System32\advapi32.dll
C:\Users\test\AppData\Roaming\Microsoft\uvwfvvfh\uvwfvvfh
C:\Windows\System32\p2pcollab.dll
C:\Windows\System32\qagentrt.dll
C:\Users\test\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\*
C:\Users\test\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\*
C:\Users\test\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\*

读取的文件

C:\Users\test\AppData\Local\Temp\gipOoZaUyi
C:\Windows\System32\opengl32.dll
C:\Windows\System32\glu32.dll
C:\Windows\System32\ddraw.dll
C:\Windows\System32\dciman32.dll
C:\Windows\System32\dwmapi.dll
C:\Users\test\AppData\Local\Temp\NxsGeVuOLC
C:\Users\test\AppData\Local\Temp\ViwtkMrRpg
C:\Users\test\AppData\Local\Temp\1444444444
C:\Windows\System32\winhttp.dll
C:\Windows\System32\webio.dll
C:\Windows\System32\dnsapi.dll
C:\Windows\SysWOW64\winhttp.dll
C:\Windows\SysWOW64\webio.dll
C:\Windows\SysWOW64\dnsapi.dll
C:\Users\test\AppData\Local\Temp\d191ee5b20ec95fe65d6708cbb01a6ce72374b309c9bfb7462206a0c7e039f4d.exe
C:\Users\test\AppData\Roaming\Microsoft\uvwfvvfh\jeetbsrj.exe
C:\Users\test\AppData\Roaming\Microsoft\uvwfvvfh
C:\Users\test\AppData\Roaming\Microsoft\uvwfvvfh\uvwfvvfh

修改的文件

C:\Users\test\AppData\Roaming\Microsoft\uvwfvvfh\jeetbsrj.exe
C:\Users\test\AppData\Roaming\Microsoft\uvwfvvfh

删除的文件

C:\Users\test\AppData\Roaming\Microsoft\uvwfvvfh\jeetbsrj.exe
C:\Users\test\AppData\Local\Temp\d191ee5b20ec95fe65d6708cbb01a6ce72374b309c9bfb7462206a0c7e039f4d.exe
C:\Users\test\AppData\Roaming\Microsoft\uvwfvvfh\jeetbsrj.exe:Zone.Identifier

注册表键

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\DevicePath
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_CLASSES_ROOT\interface\{3050F557-98B5-11CF-BB82-00AA00BDCE0B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3050F557-98B5-11CF-BB82-00AA00BDCE0B}\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\DisableImprovedZoneCheck
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\svcVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Version
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE40
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IEData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\WIC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{63DF5C4B-E3BF-3346-A033-C57B22F44C9E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{63DF5C4B-E3BF-3346-A033-C57B22F44C9E}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{63DF5C4B-E3BF-3346-A033-C57B22F44C9E}\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0804-1000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0804-1000-0000000FF1CE}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0804-1000-0000000FF1CE}\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002A-0000-1000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002A-0000-1000-0000000FF1CE}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002A-0000-1000-0000000FF1CE}\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002A-0804-1000-0000000FF1CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002A-0804-1000-0000000FF1CE}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002A-0804-1000-0000000FF1CE}\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942}\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 2052
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 2052\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 2052\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{9CA44204-CCC7-337A-B039-3ABF998AB8A9}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9CA44204-CCC7-337A-B039-3ABF998AB8A9}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9CA44204-CCC7-337A-B039-3ABF998AB8A9}\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{B0037450-526D-3448-A370-CACBD87769A0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B0037450-526D-3448-A370-CACBD87769A0}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B0037450-526D-3448-A370-CACBD87769A0}\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{B13B3E11-1555-353F-A63A-8933EE104FBD}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B13B3E11-1555-353F-A63A-8933EE104FBD}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B13B3E11-1555-353F-A63A-8933EE104FBD}\URLInfoAbout
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}\URLInfoAbout
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Update
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextLockCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextListCount
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7\Name
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4a\AAF68885
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4A\AAF68885\LanguageList
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4A\AAF68885\@%SystemRoot%\system32\p2pcollab.dll,-8042
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4A\AAF68885\@%SystemRoot%\system32\dnsapi.dll,-103
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\ChainEngine\Config
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableMandatoryBasicConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableCANameConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableUnsupportedCriticalExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlCountInCert
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCountPerChain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCertCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\CryptnetPreFetchTriggerPeriodSeconds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableWeakSignatureFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\ChainCacheResyncFiletime
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\#16
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\Ldap
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CertDllOpenStoreProv
HKEY_USERS\S-1-5-21-2280033686-3172497658-3481507381-1000
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2280033686-3172497658-3481507381-1000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2280033686-3172497658-3481507381-1000\ProfileImagePath
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\Keys
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CTLs
HKEY_CURRENT_USER\
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\475BA6DA2AFD5AE3ADAE78A261CA0E3E548B9532
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\475BA6DA2AFD5AE3ADAE78A261CA0E3E548B9532\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\CA\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\CA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD78375931
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD78375931\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Disallowed\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A7217F919843199C958C128449DD52D2723B0A8A
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A7217F919843199C958C128449DD52D2723B0A8A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D85213E038F309D02A40917B59E142368AE6B1C0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D85213E038F309D02A40917B59E142368AE6B1C0\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DBB84423C928ABE889D0E368FC3191D151DDB1AB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DBB84423C928ABE889D0E368FC3191D151DDB1AB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\97817950D81C9670CC34D809CF794431367EF474
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\97817950D81C9670CC34D809CF794431367EF474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D23209AD23D314232174E40D7F9D62139786633A
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D23209AD23D314232174E40D7F9D62139786633A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\SmartCardRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPeople\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\TrustedPeople\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\trust\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\trust\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\trust
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserenvDebugLevel
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllVerifyEncodedSignature
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllVerifyEncodedSignature
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllImportPublicKeyInfoEx2
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllImportPublicKeyInfoEx2
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllVerifyCertificateChainPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyCertificateChainPolicy

读取的注册表键

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\DevicePath
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3050F557-98B5-11CF-BB82-00AA00BDCE0B}\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\DisableImprovedZoneCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\svcVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Version
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{63DF5C4B-E3BF-3346-A033-C57B22F44C9E}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{63DF5C4B-E3BF-3346-A033-C57B22F44C9E}\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0804-1000-0000000FF1CE}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0028-0804-1000-0000000FF1CE}\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002A-0000-1000-0000000FF1CE}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002A-0000-1000-0000000FF1CE}\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002A-0804-1000-0000000FF1CE}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002A-0804-1000-0000000FF1CE}\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942}\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 2052\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 2052\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9CA44204-CCC7-337A-B039-3ABF998AB8A9}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9CA44204-CCC7-337A-B039-3ABF998AB8A9}\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B0037450-526D-3448-A370-CACBD87769A0}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B0037450-526D-3448-A370-CACBD87769A0}\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B13B3E11-1555-353F-A63A-8933EE104FBD}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B13B3E11-1555-353F-A63A-8933EE104FBD}\URLInfoAbout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}\HelpLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}\URLInfoAbout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextLockCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextListCount
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7\Name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4A\AAF68885\@%SystemRoot%\system32\p2pcollab.dll,-8042
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4A\AAF68885\@%SystemRoot%\system32\dnsapi.dll,-103
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableMandatoryBasicConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableCANameConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableUnsupportedCriticalExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlCountInCert
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCountPerChain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCertCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\CryptnetPreFetchTriggerPeriodSeconds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableWeakSignatureFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\ChainCacheResyncFiletime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2280033686-3172497658-3481507381-1000\ProfileImagePath
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\475BA6DA2AFD5AE3ADAE78A261CA0E3E548B9532\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD78375931\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A7217F919843199C958C128449DD52D2723B0A8A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D85213E038F309D02A40917B59E142368AE6B1C0\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DBB84423C928ABE889D0E368FC3191D151DDB1AB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\97817950D81C9670CC34D809CF794431367EF474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D23209AD23D314232174E40D7F9D62139786633A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserenvDebugLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress

修改的注册表键

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Google Update
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4A\AAF68885\LanguageList

删除的注册表键 无信息

API解析

kernel32.dll.RegQueryValueExW
gdi32.dll.GdiAddGlsRecord
gdi32.dll.GdiAddGlsBounds
gdi32.dll.GdiIsMetaPrintDC
opengl32.dll.wglSwapBuffers
kernel32.dll.VirtualAlloc
kernel32.dll.LoadLibraryExA
kernel32.dll.GetProcAddress
kernel32.dll.SetFilePointer
kernel32.dll.lstrlenA
kernel32.dll.lstrcatA
kernel32.dll.VirtualProtect
kernel32.dll.UnmapViewOfFile
kernel32.dll.GetModuleHandleA
kernel32.dll.WriteFile
kernel32.dll.CloseHandle
kernel32.dll.VirtualFree
kernel32.dll.GetTempPathA
kernel32.dll.CreateFileA
cryptsp.dll.CryptAcquireContextA
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptHashData
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
cryptsp.dll.CryptReleaseContext
shlwapi.dll.StrCmpNW
ws2_32.dll.GetAddrInfoW
ws2_32.dll.WSASocketW
ws2_32.dll.#2
ws2_32.dll.#21
ws2_32.dll.#9
ws2_32.dll.WSAIoctl
ws2_32.dll.FreeAddrInfoW
ws2_32.dll.#6
ws2_32.dll.#5
ws2_32.dll.WSARecv
ws2_32.dll.WSASend
rpcrt4.dll.RpcBindingFree
schannel.dll.SpUserModeInitialize
advapi32.dll.RegCreateKeyExW
advapi32.dll.RegQueryValueExW
advapi32.dll.RegCloseKey
secur32.dll.FreeContextBuffer
ncrypt.dll.SslOpenProvider
ncrypt.dll.GetSChannelInterface
bcryptprimitives.dll.GetHashInterface
ncrypt.dll.SslIncrementProviderReferenceCount
ncrypt.dll.SslImportKey
bcryptprimitives.dll.GetCipherInterface
ncrypt.dll.SslLookupCipherSuiteInfo
user32.dll.LoadStringW
ncrypt.dll.BCryptOpenAlgorithmProvider
ncrypt.dll.BCryptGetProperty
ncrypt.dll.BCryptCreateHash
ncrypt.dll.BCryptHashData
ncrypt.dll.BCryptFinishHash
ncrypt.dll.BCryptDestroyHash
crypt32.dll.CertGetCertificateChain
userenv.dll.GetUserProfileDirectoryW
sechost.dll.ConvertSidToStringSidW
sechost.dll.ConvertStringSidToSidW
userenv.dll.RegisterGPNotification
gpapi.dll.RegisterGPNotificationInternal
sechost.dll.OpenSCManagerW
sechost.dll.OpenServiceW
sechost.dll.CloseServiceHandle
sechost.dll.QueryServiceConfigW
cryptsp.dll.CryptVerifySignatureA
cryptsp.dll.CryptDestroyKey
bcryptprimitives.dll.GetAsymmetricEncryptionInterface
ncrypt.dll.BCryptImportKeyPair
ncrypt.dll.BCryptVerifySignature
ncrypt.dll.BCryptDestroyKey
crypt32.dll.CertVerifyCertificateChainPolicy
crypt32.dll.CertFreeCertificateChain
crypt32.dll.CertDuplicateCertificateContext
ws2_32.dll.#3
crypt32.dll.CertFreeCertificateContext
ncrypt.dll.SslDecrementProviderReferenceCount
ncrypt.dll.SslFreeObject
ws2_32.dll.WSAGetOverlappedResult