魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2022-07-04 16:00:35	2022-07-04 16:02:49	134 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-shaapp03-1	win7-sp1-x64-shaapp03-1	KVM	2022-07-04 16:00:36	2022-07-04 16:02:50

魔盾分数
10.0 恶意的

文件详细信息

文件名	d_safe_2.1.6.5.zip
文件大小	6027576 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
CRC32	EAF6E537
MD5	0fbe47bf825f546318dad989e689a9a7
SHA1	bc35414ea6b2c4df4581aef710ce02d5cd4bd07f
SHA256	e9876f391beba768208a45bcc4ae3d14527d79ef9b6b9638727e9f77ea6c7fc3
SHA512	c4c3bad77591ddd4660e57b4d6437d1f7600752664a76ad3cdbe2cd5d406fb64a5ac00fc932b48dc73641066e4f540699800e13b78c6a9373f8be3edd71c4fd4
Ssdeep	49152:Yfq8igHXGoSl05tzY5puW1YmwhRXiZPj6Pga2OS/f8JHOMDUf5wTQ8IkTnOapn1:YfNimVDbZTyZmIa2VXDMDUxMIhap1
PEiD	无匹配
Yara	IronTiger_ASPXSpy (ASPXSpy detection. It might be used by other fraudsters) CRC32_poly_Constant (Look for CRC32 [poly]) CRC32_table (Look for CRC32 table) MD5_Constants (Look for MD5 constants) with_images (Detected the presence of an or several images) with_urls (Detected the presence of an or several urls) IsPE32 (Detected a 32bit PE sample) IsWindowsGUI (Detected a Windows GUI sample) HasOverlay (Detected Overlay signature) HasDigitalSignature (Detected Digital Signature) Borland (Detects Borland program) DebuggerTiming__PerformanceCounter () DebuggerTiming__Ticks (Detected timing ticks function) anti_dbg (Detected self protection if being debugged) create_service (Detected function for creating a windows service) network_tcp_listen (Listen for incoming communication) network_tcp_socket (Detected network communications over RAW socket) network_dns (Detected network communications use DNS) win_mutex (Create or check mutex) maldoc_OLE_file_magic_number (Detected OLE in the file) screenshot (Detected take screenshot function) create_process (Detection function for creating a new process) persistence (Detected function for installing itself for autorun at Windows startup) escalate_priv (Detected escalate priviledges function) keylogger (Detected keylogger function) win_registry (Detected system registries modification function) win_token (Affect system token) win_files_operation (Affect private profile) win_hook (Detected hook table access function) Maldun_Anomoly_Combined_Activities_Logging_Persistence (Spotted postential abnormal behaviors, like logging and persistenc3) Maldun_Anomoly_Combined_Activities_Doc (Spotted potential mallicious behaviors like persist, network and logging from a document target) Maldun_Anomoly_Combined_Activities_5 (Spotted potential mallicious behaviors like logging and network communication) Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files)
VirusTotal	VirusTotal查询失败

特征

创建RWX内存

发起了一些HTTP请求

URL: http://updata.d99net.net/d_safe_up/new.zip

URL: http://updata.d99net.net/d_safe_up/d_safe_crc.zip

URL: http://updata.d99net.net/d_safe_up/ws_lib/ws_lib_7BBB399B9DB1.zip

URL: http://updata.d99net.net/d_safe_up/d_safe_up_info.txt?soft_ver=v2.1.6.5&rule_ver=2&ws_lib_ver=18

URL: http://updata.d99net.net/d_safe_up/rule_lib/rule_B7E936A53324.zip

生成可疑网络流量，可能被用来进行恶意活动

signature: ET MALWARE User-Agent (Internet Explorer 6.0) - Possible Trojan Downloader

网络活动包含了一个以上的不重复的用户代理

Process: D_Safe_Manage.exe

User-Agent: Internet Explorer 6.0

Process: D_Safe_Manage.exe

User-Agent: D_SAFE_UP

从文件自身的二进制镜像中读取数据

self_read: process: D_Safe_Manage.exe, pid: 2820, offset: 0x00000000, length: 0x005bf938

通过进程尝试长时间延迟分析任务

Process: D_Safe_Manage.exe tried to sleep 240 seconds, actually delayed analysis time by 0 seconds

魔盾安全Yara规则检测结果 - 极度危险

Blacklist: ASPXSpy detection. It might be used by other fraudsters

Warning: Detected function for creating a windows service

Critical: Detected OLE in the file

Warning: Detected function for installing itself for autorun at Windows startup

Critical: Spotted postential abnormal behaviors, like logging and persistenc3

Critical: Spotted potential mallicious behaviors like persist, network and logging from a document target

Critical: Spotted potential mallicious behaviors like logging and network communication

Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files

运行截图

网络分析

访问主机记录

直接访问	IP地址	国家名
否	104.208.16.93	United States
否	118.126.82.32	China

域名解析

域名	响应
updata.d99net.net	A 118.126.82.32
watson.microsoft.com	A 104.208.16.93 CNAME legacywatson.trafficmanager.net CNAME onedsblobprdcus07.centralus.cloudapp.azure.com

TCP连接

IP地址	端口
118.126.82.32	80
208.185.115.99	80

UDP连接

IP地址	端口
192.168.122.1	53
192.168.122.1	53
192.168.122.1	53

HTTP请求

URL	HTTP数据
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache
http://updata.d99net.net/d_safe_up/d_safe_up_info.txt?soft_ver=v2.1.6.5&rule_ver=2&ws_lib_ver=18	GET /d_safe_up/d_safe_up_info.txt?soft_ver=v2.1.6.5&rule_ver=2&ws_lib_ver=18 HTTP/1.1 User-Agent: Internet Explorer 6.0 Host: updata.d99net.net Cache-Control: no-cache
http://updata.d99net.net/d_safe_up/new.zip	GET /d_safe_up/new.zip HTTP/1.1 User-Agent: D_SAFE_UP Host: updata.d99net.net Cache-Control: no-cache Cookie: _d_id=60b84d109401ba57a4096bcb0c0d6e
http://updata.d99net.net/d_safe_up/ws_lib/ws_lib_7BBB399B9DB1.zip	GET /d_safe_up/ws_lib/ws_lib_7BBB399B9DB1.zip HTTP/1.1 User-Agent: D_SAFE_UP Host: updata.d99net.net Cache-Control: no-cache Cookie: _d_id=606349d9f09cd9bc2509a8120c0d6e
http://updata.d99net.net/d_safe_up/rule_lib/rule_B7E936A53324.zip	GET /d_safe_up/rule_lib/rule_B7E936A53324.zip HTTP/1.1 User-Agent: D_SAFE_UP Host: updata.d99net.net Cache-Control: no-cache Cookie: _d_id=60ba4dd34dbca2487209a8120c0d6e
http://updata.d99net.net/d_safe_up/d_safe_crc.zip	GET /d_safe_up/d_safe_crc.zip HTTP/1.1 User-Agent: D_SAFE_UP Host: updata.d99net.net Cache-Control: no-cache Cookie: _d_id=60ba4dd34dbca2487209a8120c0d6e

静态分析

投放文件

D_Safe_Manage.exe

文件名	D_Safe_Manage.exe
相关文件	C:\Users\test\AppData\Local\Temp\zip-tmp\D_Safe_Manage.exe
文件大小	6027576 bytes
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	0fbe47bf825f546318dad989e689a9a7
SHA1	bc35414ea6b2c4df4581aef710ce02d5cd4bd07f
SHA256	e9876f391beba768208a45bcc4ae3d14527d79ef9b6b9638727e9f77ea6c7fc3
SHA512	c4c3bad77591ddd4660e57b4d6437d1f7600752664a76ad3cdbe2cd5d406fb64a5ac00fc932b48dc73641066e4f540699800e13b78c6a9373f8be3edd71c4fd4
Ssdeep	49152:Yfq8igHXGoSl05tzY5puW1YmwhRXiZPj6Pga2OS/f8JHOMDUf5wTQ8IkTnOapn1:YfNimVDbZTyZmIa2VXDMDUxMIhap1
VirusTotal	搜索相关分析

行为分析

互斥量(Mutexes)

D_SAFE
Global\d_a_m_sock_1F046F0E73F19134BC1F0A46_s_New_data_mutex
Local\MSCTF.Asm.MutexDefault1

执行的命令 无信息

创建的服务 无信息

启动的服务 无信息

进程

cmd.exe PID: 2676, 上一级进程 PID: 2196

D_Safe_Manage.exe PID: 2820, 上一级进程 PID: 2676

访问的文件

C:\Users\test\AppData\Local\Temp\zip-tmp\D_Safe_Manage.exe
C:\Users
C:\Users\test
C:\Users\test\AppData
C:\Users\test\AppData\Local
C:\Users\test\AppData\Local\Temp
C:\Users\test\AppData\Local\Temp\zip-tmp
C:\Users\test\AppData\Local\Temp\zip-tmp\D_Safe_Manage.zh-CN
C:\Users\test\AppData\Local\Temp\zip-tmp\D_Safe_Manage.zh-Hans
C:\Users\test\AppData\Local\Temp\zip-tmp\D_Safe_Manage.zh
C:\Users\test\AppData\Local\Temp\zip-tmp\D_Safe_Manage.en-US
C:\Users\test\AppData\Local\Temp\zip-tmp\D_Safe_Manage.en
C:\Users\test\AppData\Local\Temp\zip-tmp\D_Safe_Manage.CHS
C:\Users\test\AppData\Local\Temp\zip-tmp\D_Safe_Manage.CH
C:\Windows\System32\tzres.dll
\Device\KsecDD
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Fonts\staticcache.dat
C:\Users\test\AppData\Local\Temp\zip-tmp\
C:\Users\test\AppData\Local\Temp\zip-tmp\x32\web_safe.dll
\??\PIPE\samr
C:\DosDevices\pipe\
C:\Users\test\AppData\Local\Temp\zip-tmp\DirMon\
C:\Users\test\AppData\Local\Temp\zip-tmp\ws_gl\d_ws_info.mdb
C:\Windows\System32\inetsrv\iis.msc
C:\Users\test\AppData\Local\Temp\zip-tmp\Modules\ws_lib.db
C:\Users\test\AppData\Local\Temp\zip-tmp\Rule\v2_Rule.dat
C:\Windows\sysnative\inetsrv\config\
C:\Users\test\AppData\Local\Temp\zip-tmp\Rule
C:\Users\test\AppData\Local\Temp\zip-tmp\Modules\d_manage.exe
C:\Users\test\AppData\Local\Temp\zip-tmp\d_safe_manage.exe
C:\Users\test\AppData\Local\Temp\zip-tmp\Modules\d_manage.dll
C:\Users\test\AppData\Local\Temp\zip-tmp\x64\web_safe.dll
C:\Users\test\AppData\Local\Temp\zip-tmp\x64\load_manage.dll
C:\Users\test\AppData\Local\Temp\zip-tmp\x32\load_manage.dll
C:\Users\test\AppData\Local\Temp\zip-tmp\activeds.dll
C:\Windows\System32\activeds.dll
C:\Users\test\AppData\Local\Temp\zip-tmp\adsldpc.dll
C:\Windows\System32\adsldpc.dll
C:\Users\test\AppData\Local\Temp\zip-tmp\ATL.DLL
C:\Windows\System32\atl.dll
C:\Users\test\AppData\Local\Temp\zip-tmp\Modules\d_manage.zh-CN
C:\Users\test\AppData\Local\Temp\zip-tmp\Modules\d_manage.zh-Hans
C:\Users\test\AppData\Local\Temp\zip-tmp\Modules\d_manage.zh
C:\Users\test\AppData\Local\Temp\zip-tmp\Modules\d_manage.en-US
C:\Users\test\AppData\Local\Temp\zip-tmp\Modules\d_manage.en
C:\Users\test\AppData\Local\Temp\zip-tmp\Modules\d_manage.CHS
C:\Users\test\AppData\Local\Temp\zip-tmp\Modules\d_manage.CH
C:\Users\test\AppData\Local\Temp\zip-tmp\[\xe5\x85\xa8\xe9\x83\xa8\xe7\xab\x99\xe7\x82\xb9]
C:\Users\test\AppData\Local\Temp\zip-tmp\imageres.dll
C:\Windows\System32\imageres.dll
C:\Windows\System32\zh-CN\imageres.dll.mui
C:\Windows\sysnative\zh-CN\imageres.dll.mui
C:\Windows\System32\zh-Hans\imageres.dll.mui
C:\Windows\System32\zh\imageres.dll.mui
C:\Windows\System32\en-US\imageres.dll.mui

读取的文件

C:\Windows\System32\tzres.dll
\Device\KsecDD
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Fonts\staticcache.dat
\??\PIPE\samr
C:\Windows\sysnative\inetsrv\config\
C:\Users\test\AppData\Local\Temp\zip-tmp\Modules\ws_lib.db
C:\Users\test\AppData\Local\Temp\zip-tmp\Rule\v2_Rule.dat
C:\Users\test\AppData\Local\Temp\zip-tmp\d_safe_manage.exe
C:\Users\test\AppData\Local\Temp\zip-tmp\Modules\d_manage.dll
C:\Users\test\AppData\Local\Temp\zip-tmp\x64\web_safe.dll
C:\Users\test\AppData\Local\Temp\zip-tmp\x64\load_manage.dll
C:\Users\test\AppData\Local\Temp\zip-tmp\x32\web_safe.dll
C:\Users\test\AppData\Local\Temp\zip-tmp\x32\load_manage.dll
C:\Users\test\AppData\Local\Temp\zip-tmp\Modules\d_manage.exe
C:\Windows\System32\activeds.dll
C:\Windows\System32\adsldpc.dll
C:\Windows\System32\atl.dll
C:\Windows\System32\imageres.dll
C:\Windows\System32\zh-CN\imageres.dll.mui
C:\Windows\sysnative\zh-CN\imageres.dll.mui
C:\Windows\System32\zh-Hans\imageres.dll.mui
C:\Windows\System32\zh\imageres.dll.mui
C:\Windows\System32\en-US\imageres.dll.mui

修改的文件

\??\PIPE\samr
C:\Users\test\AppData\Local\Temp\zip-tmp\Modules\ws_lib.db
C:\Users\test\AppData\Local\Temp\zip-tmp\Rule\v2_Rule.dat

删除的文件 无信息

注册表键

HKEY_CURRENT_USER\Software\Embarcadero\Locales
HKEY_LOCAL_MACHINE\Software\Embarcadero\Locales
HKEY_CURRENT_USER\Software\CodeGear\Locales
HKEY_LOCAL_MACHINE\Software\CodeGear\Locales
HKEY_CURRENT_USER\Software\Borland\Locales
HKEY_CURRENT_USER\Software\Borland\Locales\C:\Users\test\AppData\Local\Temp\zip-tmp\D_Safe_Manage.exe
HKEY_CURRENT_USER\Software\Borland\Locales\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\\xe6\x96\xb0\xe5\xae\x8b\xe4\xbd\x93
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Tahoma
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\D_Safe_Manage.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe6\x96\xb0\xe5\xae\x8b\xe4\xbd\x93
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xae\x8b\xe4\xbd\x93
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Fixedsys
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\RULE_VER
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\D_CRC_TEST
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\D_TEMP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\System
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\MON_DIR
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\U_SEARCH_DIR
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\PASS_APPPOOLS
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\SCRIPT_CHECK
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\INCLUDE_CHECK
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\IIS_CAMOUFLAGE
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\SESSION_SAFE
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\LOAD_DLL_CHECK
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\CHECK_ALL_REQUEST
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\IIS_CAMOUFLAGE_TXT
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\CLEAR_PHP_NET_VER
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\STOP_CONTENT_CHARSET
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\MSG_BOX_STATE
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\STOP_DANGER_SQL
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\STOP_XSS_CHECK
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\DB_LOGIN_DO_MODE
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\STOP_NET_CONN
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\EVAL_CHECK
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\NET_CHECK
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\STOP_CC_IP
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\STOP_PROXY
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\CC_CHECK_POST_COUNT
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\CC_BUSY_JMP_CHECK
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\ONLY_GET_POST
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\CC_PASS_IP_SWITCH
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\CC_STOP_IP_SWITCH
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\CHECK_PHAR_MODE
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\STOP_PHP_FILTER
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\X_FRAME_OPTIONS
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\UP_EX_MODE
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\NAME_LEN_LIMIT
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\CONTENT_DISPOSITION_LEN_LIMIT
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\UP_S_W_SCRIPT_MODE
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\UP_CODE_CHECK
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\ASP_STOP_SCRIPT
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\ASPX_STOP_SCRIPT
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\PHP_STOP_SCRIPT
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\CHECK_WS_LEVEL
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\VAR_FUN_CHECK
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\CHECK_UP_EX_HEAD
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\UP_PASS_EX
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\UP_STOP_EX
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\STOP_DOWN_EX
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\MORE_WIN_API_LIMIT
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\PROXY_ERR_STOP_DO
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\REFERER_ERR_STOP_DO
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\AUTO_HTTP_DISCONNECT
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\SHOW_CC_LOG
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\STOP_CONNECTION_CLOSE
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\CC_CHECK
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\START_MYSQL_DB_BAK
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\MYSQL_DATA_PATH
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\MYSQL_BAK_PATH
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\MYSQL_BAK_TIME
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\MYSQL_BAK_DAY
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\MYSQL_CHECK_SPACE_CLEAR
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\MYSQL_SPACE_CLEAR_PERCENTAGE
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\MYSQL_SPACE_CLEAR_DAY
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\MYSQL_P_DIRS
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\AUTO_CLEAR_LOG
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\GMT_TIME_MODE
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\LOAD_IIS_LOG_DAY
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\IIS_LOG_PAGE_SHOW_LINE
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\APPPOOL_ERR_AUTO_START
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\STOP_ADMIN_CREATE
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\WTS_LOGIN_LOG_MODE
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\AUTO_UPDATA_WS_LIB
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\AUTO_UPDATA_RULE
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\WTS_COMPUTERNAME_CHECK
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\WTS_LOGIN_USER_CHECK
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\STOP_LOCAL_LOGIN
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\WTS_PASS_IP_CHECK
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\WTS_COMPUTERNAME_LIST
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\WTS_LOGIN_USER_LIST
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\WTS_PASS_IP_LIST
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\USER_AGENT_RULE_OPTION
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\INCLUDE_RULE
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\USER_RULE_V2
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\PASS_IP_S_
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\STOP_IP_S_
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\PASS_WEB_LIMIT
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\USER_AGENT_RULE
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\web_do_state
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\D_TEMP_DATA
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\NEW_UP_DO
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\UP_FILE_MANAGE_CRC
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\D_SERVICE_R_ID
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\D_WEB_R_ID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\d_manage.dll
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\SEARCH_PASS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804

读取的注册表键

HKEY_CURRENT_USER\Software\Borland\Locales\C:\Users\test\AppData\Local\Temp\zip-tmp\D_Safe_Manage.exe
HKEY_CURRENT_USER\Software\Borland\Locales\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe6\x96\xb0\xe5\xae\x8b\xe4\xbd\x93
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xae\x8b\xe4\xbd\x93
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\D_CRC_TEST
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\D_TEMP
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\MON_DIR
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\U_SEARCH_DIR
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\PASS_APPPOOLS
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\SCRIPT_CHECK
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\INCLUDE_CHECK
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\IIS_CAMOUFLAGE
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\SESSION_SAFE
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\LOAD_DLL_CHECK
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\CHECK_ALL_REQUEST
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\IIS_CAMOUFLAGE_TXT
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\CLEAR_PHP_NET_VER
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\STOP_CONTENT_CHARSET
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\MSG_BOX_STATE
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\STOP_DANGER_SQL
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\STOP_XSS_CHECK
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\DB_LOGIN_DO_MODE
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\STOP_NET_CONN
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\EVAL_CHECK
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\NET_CHECK
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\STOP_CC_IP
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\STOP_PROXY
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\CC_CHECK_POST_COUNT
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\CC_BUSY_JMP_CHECK
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\ONLY_GET_POST
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\CC_PASS_IP_SWITCH
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\CC_STOP_IP_SWITCH
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\CHECK_PHAR_MODE
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\STOP_PHP_FILTER
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\X_FRAME_OPTIONS
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\UP_EX_MODE
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\NAME_LEN_LIMIT
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\CONTENT_DISPOSITION_LEN_LIMIT
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\UP_S_W_SCRIPT_MODE
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\UP_CODE_CHECK
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\ASP_STOP_SCRIPT
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\ASPX_STOP_SCRIPT
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\PHP_STOP_SCRIPT
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\CHECK_WS_LEVEL
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\VAR_FUN_CHECK
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\CHECK_UP_EX_HEAD
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\UP_PASS_EX
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\UP_STOP_EX
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\STOP_DOWN_EX
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\MORE_WIN_API_LIMIT
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\PROXY_ERR_STOP_DO
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\REFERER_ERR_STOP_DO
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\AUTO_HTTP_DISCONNECT
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\SHOW_CC_LOG
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\STOP_CONNECTION_CLOSE
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\CC_CHECK
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\START_MYSQL_DB_BAK
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\MYSQL_DATA_PATH
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\MYSQL_BAK_PATH
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\MYSQL_BAK_TIME
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\MYSQL_BAK_DAY
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\MYSQL_CHECK_SPACE_CLEAR
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\MYSQL_SPACE_CLEAR_PERCENTAGE
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\MYSQL_SPACE_CLEAR_DAY
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\MYSQL_P_DIRS
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\AUTO_CLEAR_LOG
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\GMT_TIME_MODE
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\LOAD_IIS_LOG_DAY
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\IIS_LOG_PAGE_SHOW_LINE
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\APPPOOL_ERR_AUTO_START
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\STOP_ADMIN_CREATE
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\WTS_LOGIN_LOG_MODE
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\AUTO_UPDATA_WS_LIB
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\AUTO_UPDATA_RULE
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\WTS_COMPUTERNAME_CHECK
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\WTS_LOGIN_USER_CHECK
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\STOP_LOCAL_LOGIN
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\WTS_PASS_IP_CHECK
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\WTS_COMPUTERNAME_LIST
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\WTS_LOGIN_USER_LIST
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\WTS_PASS_IP_LIST
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\USER_AGENT_RULE_OPTION
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\INCLUDE_RULE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\USER_RULE_V2
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\PASS_IP_S_
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\STOP_IP_S_
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\PASS_WEB_LIMIT
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\USER_AGENT_RULE
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\web_do_state
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\NEW_UP_DO
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\UP_FILE_MANAGE_CRC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\d_manage.dll
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\SEARCH_PASS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16

修改的注册表键

HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\RULE_VER
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\D_CRC_TEST
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\D_TEMP_DATA
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\NEW_UP_DO
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\UP_FILE_MANAGE_CRC
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\D_SERVICE_R_ID
HKEY_LOCAL_MACHINE\SOFTWARE\d99net\dsafe\D_WEB_R_ID

删除的注册表键 无信息

API解析

kernel32.dll.GetThreadPreferredUILanguages
kernel32.dll.SetThreadPreferredUILanguages
kernel32.dll.GetThreadUILanguage
kernel32.dll.GetLongPathNameW
kernel32.dll.GetNativeSystemInfo
kernel32.dll.GetDiskFreeSpaceExW
kernel32.dll.GetLogicalProcessorInformation
oleaut32.dll.VariantChangeTypeEx
oleaut32.dll.VarNeg
oleaut32.dll.VarNot
oleaut32.dll.VarAdd
oleaut32.dll.VarSub
oleaut32.dll.VarMul
oleaut32.dll.VarDiv
oleaut32.dll.VarIdiv
oleaut32.dll.VarMod
oleaut32.dll.VarAnd
oleaut32.dll.VarOr
oleaut32.dll.VarXor
oleaut32.dll.VarCmp
oleaut32.dll.VarI4FromStr
oleaut32.dll.VarR4FromStr
oleaut32.dll.VarR8FromStr
oleaut32.dll.VarDateFromStr
oleaut32.dll.VarCyFromStr
oleaut32.dll.VarBoolFromStr
oleaut32.dll.VarBstrFromCy
oleaut32.dll.VarBstrFromDate
oleaut32.dll.VarBstrFromBool
kernel32.dll.InitializeConditionVariable
kernel32.dll.WakeConditionVariable
kernel32.dll.WakeAllConditionVariable
kernel32.dll.SleepConditionVariableCS
ole32.dll.CoCreateInstanceEx
ole32.dll.CoInitializeEx
ole32.dll.CoAddRefServerProcess
ole32.dll.CoReleaseServerProcess
ole32.dll.CoResumeClassObjects
ole32.dll.CoSuspendClassObjects
cryptbase.dll.SystemFunction036
wtsapi32.dll.WTSRegisterSessionNotification
user32.dll.IsWindow
user32.dll.GetWindowThreadProcessId
winsta.dll.WinStationRegisterConsoleNotification
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
advapi32.dll.CreateWellKnownSid
rpcrt4.dll.RpcStringBindingComposeW
rpcrt4.dll.RpcBindingFromStringBindingW
rpcrt4.dll.RpcStringFreeW
rpcrt4.dll.RpcBindingSetAuthInfoExW
sechost.dll.LookupAccountNameLocalW
rpcrt4.dll.RpcAsyncInitializeHandle
rpcrt4.dll.NdrClientCall2
rpcrt4.dll.NdrAsyncClientCall
uxtheme.dll.BufferedPaintInit
user32.dll.AnimateWindow
comctl32.dll.InitializeFlatSB
comctl32.dll.UninitializeFlatSB
comctl32.dll.FlatSB_GetScrollProp
comctl32.dll.FlatSB_SetScrollProp
comctl32.dll.FlatSB_EnableScrollBar
comctl32.dll.FlatSB_ShowScrollBar
comctl32.dll.FlatSB_GetScrollRange
comctl32.dll.FlatSB_GetScrollInfo
comctl32.dll.FlatSB_GetScrollPos
comctl32.dll.FlatSB_SetScrollPos
comctl32.dll.FlatSB_SetScrollInfo
comctl32.dll.FlatSB_SetScrollRange
user32.dll.SetLayeredWindowAttributes
uxtheme.dll.OpenThemeData
uxtheme.dll.CloseThemeData
uxtheme.dll.DrawThemeBackground
uxtheme.dll.DrawThemeText
uxtheme.dll.GetThemeBackgroundContentRect
uxtheme.dll.GetThemeBackgroundExtent
uxtheme.dll.GetThemePartSize
uxtheme.dll.GetThemeTextExtent
uxtheme.dll.GetThemeTextMetrics
uxtheme.dll.GetThemeBackgroundRegion
uxtheme.dll.HitTestThemeBackground
uxtheme.dll.DrawThemeEdge
uxtheme.dll.DrawThemeIcon
uxtheme.dll.IsThemePartDefined
uxtheme.dll.IsThemeBackgroundPartiallyTransparent
uxtheme.dll.GetThemeColor
uxtheme.dll.GetThemeMetric
uxtheme.dll.GetThemeString
uxtheme.dll.GetThemeBool
uxtheme.dll.GetThemeInt
uxtheme.dll.GetThemeEnumValue
uxtheme.dll.GetThemePosition
uxtheme.dll.GetThemeFont
uxtheme.dll.GetThemeRect
uxtheme.dll.GetThemeMargins
uxtheme.dll.GetThemeIntList
uxtheme.dll.GetThemePropertyOrigin
uxtheme.dll.SetWindowTheme
uxtheme.dll.GetThemeFilename
uxtheme.dll.GetThemeSysColor
uxtheme.dll.GetThemeSysColorBrush
uxtheme.dll.GetThemeSysBool
uxtheme.dll.GetThemeSysSize
uxtheme.dll.GetThemeSysFont
uxtheme.dll.GetThemeSysString
uxtheme.dll.GetThemeSysInt
uxtheme.dll.IsThemeActive
uxtheme.dll.IsAppThemed
uxtheme.dll.GetWindowTheme
uxtheme.dll.EnableThemeDialogTexture
uxtheme.dll.IsThemeDialogTextureEnabled
uxtheme.dll.GetThemeAppProperties
uxtheme.dll.SetThemeAppProperties
uxtheme.dll.GetCurrentThemeName
uxtheme.dll.GetThemeDocumentationProperty
uxtheme.dll.DrawThemeParentBackground
uxtheme.dll.EnableTheming
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
gdi32.dll.GetTextExtentExPointWPri
msimg32.dll.AlphaBlend
gdi32.dll.GdiIsMetaPrintDC
comctl32.dll.InitCommonControlsEx
imm32.dll.ImmAssociateContext
comctl32.dll.RegisterClassNameW
imm32.dll.ImmIsIME
imm32.dll.ImmGetContext
imm32.dll.ImmReleaseContext
shell32.dll.#66
ole32.dll.CoTaskMemFree
samlib.dll.SamConnect
rpcrt4.dll.RpcBindingFree
samlib.dll.SamOpenDomain
samlib.dll.SamLookupNamesInDomain
samlib.dll.SamOpenAlias
samlib.dll.SamFreeMemory
samlib.dll.SamCloseHandle
samlib.dll.SamGetMembersInAlias
advapi32.dll.LsaOpenPolicy
advapi32.dll.LsaLookupSids
advapi32.dll.LsaClose
advapi32.dll.LsaFreeMemory
kernel32.dll.Wow64DisableWow64FsRedirection
kernel32.dll.Wow64RevertWow64FsRedirection
ole32.dll.CoUninitialize
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
oleaut32.dll.#500
rasapi32.dll.RasConnectionNotificationW
sechost.dll.OpenServiceA
sechost.dll.NotifyServiceStatusChangeA
imm32.dll.ImmAssociateContextEx
uxtheme.dll.BeginBufferedPaint
uxtheme.dll.EndBufferedPaint
d_manage.dll.d_manage_interface
d_manage.dll.d_get_ws_lib_ver
oleaut32.dll.SysAllocString
oleaut32.dll.SysStringLen
oleaut32.dll.SysFreeString