MalScore
100/100
MalFamily
Hesv

PDFShrinkSetup.exe

Is DLL Packer Anti Debug Anti VM Signed XOR AntiVirus 23/71 Related 41
File details Download PDF Report
File type: PE32 executable (GUI) Intel 80386, for MS Windows
File size: 9028.46 KB (9245144 bytes)
Compile time: 1992-06-20 00:22:17
MD5: 7cbba37732ae4284f66ed6d177fc12dc
SHA1: c7a730e31c35694854772aabd62aae6603ee6b18
SHA256: 80b0a2a6aff0c91680efcf509426c3c6d7a67684cc176bc52fe32599b3c589b4
Import hash: 2fb819a19fe4dee5c03e8c6a79342f79
Sections 8 CODE DATA BSS .idata .tls .rdata .reloc .rsrc
Directories 5 import resource tls relocation security
First submission: 2019-02-07 05:54:23
Last submission: 2019-02-07 05:54:23
Filename detected: - PDFShrinkSetup.exe (1)
URL file hosting
hXXp://file.foxitreader.cn/file/Channel/PDFShrink/PDFShrinkSetup.exeVirusTotal
Antivirus Report
Report Date Detection Ratio Permalink Update
2019-02-05 23:07:07 [23/71] VirusTotal
PE Sections 4 suspicious
Name VAddress VSize Size MD5 SHA1
CODE 0x1000 0xa1d0 41472 b7ea439d9c6d5ec722056c9243fb3054 448f38293276fdd5721deb66e9aab64e7eb86e6d
DATA 0xc000 0x250 1024 9b2268ed5360951559d8041925d025fb 92b3d0f7133ed41638b2883a6d2532b467edd641
BSS 0xd000 0xe94 0 d41d8cd98f00b204e9800998ecf8427e da39a3ee5e6b4b0d3255bfef95601890afd80709
.idata 0xe000 0x97c 2560 df5f31e62e05c787fd29eed7071bf556 3cfc95ebff0ce7dd7301eecc34bb84ee23beede8
.tls 0xf000 0x8 0 d41d8cd98f00b204e9800998ecf8427e da39a3ee5e6b4b0d3255bfef95601890afd80709
.rdata 0x10000 0x18 512 14dfa4128117e7f94fe2f8d7dea374a0 2b87a504cb33a3fbd0e12d47b5e2e300f8257779
.reloc 0x11000 0x91c 0 d41d8cd98f00b204e9800998ecf8427e da39a3ee5e6b4b0d3255bfef95601890afd80709
.rsrc 0x12000 0xc924 51712 0c2e646c6831373511ecb2b965a4102f 2c0dca18e4b1026b5ad7fd89912c81eb89b4368c
Meta Info
No Meta found in this file
XOR
No XOR informations found in this file.
Signature
MD5: bd03f2c1ed1227d9aa16e861f62c6dce
SHA1: bfecd527a7391f5ed4a72e8f52df86850d7decfd
Block Size: 7232
Virtual Address: 9237912
Packer(s)
Borland Delphi 3.0 (???)
Borland Delphi 4.0
File found
FIle type: Database
E{s.db
FIle type: Library
dwmapi.dll
comres.dll
cryptbase.dll
OLEACC.dll
USERENV.dll
propsys.dll
UxTheme.dll
profapi.dll
clbcatq.dll
OLEAUT32.dll
USER32.dll
ADVAPI32.dll
comctl32.dll
KERNEL32.dll
VERSION.dll
SETUPAPI.dll
apphelp.dll
SHELL32.dll
IP Found
No IP detected
URL(s)
http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
http://certificates.godaddy.com/repository/0
http://ocsp.godaddy.com/05
http://crl.thawte.com/ThawteTimestampingCA.crl0
http://ocsp.godaddy.com/0@
http://certs.godaddy.com/repository/1301
http://certificates.godaddy.com/repository/gdig2.crt0
http://crl.godaddy.com/gdroot-g2.crl0F
http://crl.godaddy.com/gdig2s5-3.crl0
http://ocsp.godaddy.com/02
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
http://crl.godaddy.com/gdroot.crl0F
http://schemas.microsoft.com/SMI/2005/WindowsSettings
https://certs.godaddy.com/repository/0
http://ocsp.thawte.com0
http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
http://ts-ocsp.ws.symantec.com07
Behavior analysis details
Machine name Machine label Machine manager Started Ended Duration
Seven06_64 Seven06_64 VirtualBox 2019-02-07 05:49:20 2019-02-07 05:52:23 183

9 Behaviors detected by system signatures

Behavior analysis details
Machine name Machine label Machine manager Started Ended Duration
Seven06_64 Seven06_64 VirtualBox 2019-02-07 05:49:20 2019-02-07 05:52:23 183

9 Summary items with data

Files

C:\Windows\SysWOW64\it-IT\KERNELBASE.dll.mui
C:\Users\Seven01\AppData\Local\Temp\netmsg.dll
C:\Windows\System32\netmsg.dll
C:\Windows\System32\it-IT\netmsg.dll.mui
C:\Users\Seven01\AppData\Local\Temp\PDFShrinkSetup.exe
C:\Users\Seven01\AppData\Local\Temp
C:\Users\Seven01\AppData\Local\Temp\is-DSNVD.tmp
C:\Users\Seven01\AppData\Local\Temp\is-DSNVD.tmp\PDFShrinkSetup.tmp
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Fonts\staticcache.dat
C:\Windows\SysWOW64\it-IT\user32.dll.mui
\Device\KsecDD
C:\Windows\SysWOW64\it-IT\MSCTF.dll.mui
C:\Users\Seven01\AppData\Local\Temp\is-DSNVD.tmp\netmsg.dll
C:\Users\Seven01\AppData\Local\Temp\is-7G9U0.tmp
C:\Users\Seven01\AppData\Local\Temp\is-7G9U0.tmp\_isetup
C:\Users\Seven01\AppData\Local\Temp\is-7G9U0.tmp\_isetup\_setup64.tmp
C:\Users\Seven01\AppData\Local\Temp\is-7G9U0.tmp\isskin.dll
C:\Users\Seven01\AppData\Local\Temp\is-DSNVD.tmp\MFC42.DLL
C:\Windows\System32\mfc42.dll
C:\Users\Seven01\AppData\Local\Temp\is-DSNVD.tmp\ODBC32.dll
C:\Windows\System32\odbc32.dll
C:\Users\Seven01\AppData\Local\Temp\is-DSNVD.tmp\WINMM.dll
C:\Windows\System32\winmm.dll
C:\Users\Seven01\AppData\Local\Temp\is-7G9U0.tmp\ISTask.dll
C:\Users\Seven01\AppData\Local\Temp\is-7G9U0.tmp\UpdateIcon.dll
C:\Users\Seven01\AppData\Local\Temp\is-7G9U0.tmp\FoxitShrink.cjstyles
C:\Users\Seven01\AppData\Local\Temp\wdmaud.drv
C:\Users\Seven01\AppData\Local\Temp\is-DSNVD.tmp\wdmaud.drv
C:\Windows\System32\wdmaud.drv
C:\Windows\System32\it-IT\wdmaud.drv.mui
C:\Windows\System32\it-IT\MMDevAPI.DLL.mui
C:\Users\Seven01\AppData\Local\Temp\is-7G9U0.tmp\FoxitShrink.cjstyles\NormalSkin.ini
C:\Windows\System32\uxtheme.dll.Config
C:\Windows\System32\uxtheme.dll
C:\Users\Seven01\AppData\Local\Temp\is-DSNVD.tmp\PDFShrinkSetup.tmp.Local\
C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
c:\directory
C:\Windows\System32\imageres.dll
C:\Windows\System32\it-IT\imageres.dll.mui
C:\Windows\System32\shell32.dll
C:\Windows\SysWOW64\it-IT\shell32.dll.mui
C:\Windows\win.ini

Read Files

C:\Windows\SysWOW64\it-IT\KERNELBASE.dll.mui
C:\Windows\System32\netmsg.dll
C:\Windows\System32\it-IT\netmsg.dll.mui
C:\Users\Seven01\AppData\Local\Temp\PDFShrinkSetup.exe
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Fonts\staticcache.dat
C:\Windows\SysWOW64\it-IT\user32.dll.mui
\Device\KsecDD
C:\Windows\SysWOW64\it-IT\MSCTF.dll.mui
C:\Users\Seven01\AppData\Local\Temp\is-7G9U0.tmp\_isetup\_setup64.tmp
C:\Users\Seven01\AppData\Local\Temp\is-7G9U0.tmp\isskin.dll
C:\Windows\System32\mfc42.dll
C:\Windows\System32\odbc32.dll
C:\Windows\System32\winmm.dll
C:\Users\Seven01\AppData\Local\Temp\is-7G9U0.tmp\UpdateIcon.dll
C:\Windows\System32\it-IT\wdmaud.drv.mui
C:\Windows\System32\it-IT\MMDevAPI.DLL.mui
C:\Users\Seven01\AppData\Local\Temp\is-7G9U0.tmp\FoxitShrink.cjstyles
C:\Windows\System32\uxtheme.dll.Config
C:\Windows\System32\uxtheme.dll
C:\Windows\System32\imageres.dll
C:\Windows\System32\it-IT\imageres.dll.mui
C:\Windows\System32\shell32.dll
C:\Windows\SysWOW64\it-IT\shell32.dll.mui
C:\Windows\win.ini

Write Files

C:\Users\Seven01\AppData\Local\Temp\is-DSNVD.tmp\PDFShrinkSetup.tmp
C:\Users\Seven01\AppData\Local\Temp\is-7G9U0.tmp\_isetup\_setup64.tmp
C:\Users\Seven01\AppData\Local\Temp\is-7G9U0.tmp\isskin.dll
C:\Users\Seven01\AppData\Local\Temp\is-7G9U0.tmp\ISTask.dll
C:\Users\Seven01\AppData\Local\Temp\is-7G9U0.tmp\UpdateIcon.dll
C:\Users\Seven01\AppData\Local\Temp\is-7G9U0.tmp\FoxitShrink.cjstyles

Delete Files

Nothing to display

Keys

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\PDFShrinkSetup.tmp
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{70FAF614-E0B1-11D3-8F5C-00C04F9CF4AC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOwner
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOrganization
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\C46B0283
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\Owner
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\SessionHash
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\Sequence
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\FoxitShrink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DRIVERS32
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave2
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave3
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave4
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave5
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave6
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave8
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave9
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi2
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi3
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi4
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi5
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi6
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi8
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi9
HKEY_CURRENT_USER\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm
HKEY_CURRENT_USER\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wdmaud.drv
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{b41ad0c4-7b96-4b1a-bc86-d727b7c5e63f}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{b41ad0c4-7b96-4b1a-bc86-d727b7c5e63f}\Properties
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{b41ad0c4-7b96-4b1a-bc86-d727b7c5e63f}\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0},2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{b41ad0c4-7b96-4b1a-bc86-d727b7c5e63f}\Properties\{026e516e-b814-414b-83cd-856d6fef4822},2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{b41ad0c4-7b96-4b1a-bc86-d727b7c5e63f}\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc},2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{b41ad0c4-7b96-4b1a-bc86-d727b7c5e63f}\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc},6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{b41ad0c4-7b96-4b1a-bc86-d727b7c5e63f}\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc},1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{b41ad0c4-7b96-4b1a-bc86-d727b7c5e63f}\Properties\{1da5d803-d492-4edd-8c23-e0c0ffee7f0e},0
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{f0a94b61-1058-4fc2-a399-e1993f00d33a}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{f0a94b61-1058-4fc2-a399-e1993f00d33a}\Properties
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{f0a94b61-1058-4fc2-a399-e1993f00d33a}\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0},2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{f0a94b61-1058-4fc2-a399-e1993f00d33a}\Properties\{026e516e-b814-414b-83cd-856d6fef4822},2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{f0a94b61-1058-4fc2-a399-e1993f00d33a}\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc},2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{f0a94b61-1058-4fc2-a399-e1993f00d33a}\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc},6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{f0a94b61-1058-4fc2-a399-e1993f00d33a}\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc},1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{f0a94b61-1058-4fc2-a399-e1993f00d33a}\Properties\{1da5d803-d492-4edd-8c23-e0c0ffee7f0e},0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{8ffeba2b-46f7-4109-9e36-e28c93d90faa}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{8ffeba2b-46f7-4109-9e36-e28c93d90faa}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{8ffeba2b-46f7-4109-9e36-e28c93d90faa}\Properties
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{8ffeba2b-46f7-4109-9e36-e28c93d90faa}\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0},2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{8ffeba2b-46f7-4109-9e36-e28c93d90faa}\Properties\{026e516e-b814-414b-83cd-856d6fef4822},2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{8ffeba2b-46f7-4109-9e36-e28c93d90faa}\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc},2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{8ffeba2b-46f7-4109-9e36-e28c93d90faa}\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc},6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{8ffeba2b-46f7-4109-9e36-e28c93d90faa}\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc},1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{8ffeba2b-46f7-4109-9e36-e28c93d90faa}\Properties\{1da5d803-d492-4edd-8c23-e0c0ffee7f0e},0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Multimedia\MIDIMap
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wavemapper
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midimapper
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Tahoma
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Sans Serif
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Microsoft Sans Serif
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software
HKEY_LOCAL_MACHINE\Software
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Append Completion
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\AutoSuggest
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\AutoSuggest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Always Use Tab
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\Always Use Tab
HKEY_CLASSES_ROOT\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Client\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\Client\(Default)
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arabic Transparent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arabic Transparent Bold
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arabic Transparent,0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arabic Transparent Bold,0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Helvetica
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial Baltic,186
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial CE,238
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial CYR,204
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial Greek,161
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial TUR,162
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New Baltic,186
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New CE,238
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New CYR,204
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New Greek,161
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New TUR,162
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman Baltic,186
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman CE,238
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman CYR,204
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman Greek,161
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman TUR,162
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma Armenian
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Helv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tms Rmn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\David Transparent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Miriam Transparent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Fixed Miriam Transparent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Rod Transparent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\FangSong_GB2312
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\KaiTi_GB2312
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{F3EB9430-8D99-4121-9343-2D4920FBD08A}_is1
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{F3EB9430-8D99-4121-9343-2D4920FBD08A}_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Arial

Read Keys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOwner
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOrganization
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\C46B0283
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave2
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave3
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave4
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave5
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave6
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave8
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wave9
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi2
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi3
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi4
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi5
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi6
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi8
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midi9
HKEY_CURRENT_USER\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wdmaud.drv
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{b41ad0c4-7b96-4b1a-bc86-d727b7c5e63f}\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0},2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{b41ad0c4-7b96-4b1a-bc86-d727b7c5e63f}\Properties\{026e516e-b814-414b-83cd-856d6fef4822},2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{b41ad0c4-7b96-4b1a-bc86-d727b7c5e63f}\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc},2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{b41ad0c4-7b96-4b1a-bc86-d727b7c5e63f}\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc},6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{b41ad0c4-7b96-4b1a-bc86-d727b7c5e63f}\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc},1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{b41ad0c4-7b96-4b1a-bc86-d727b7c5e63f}\Properties\{1da5d803-d492-4edd-8c23-e0c0ffee7f0e},0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{f0a94b61-1058-4fc2-a399-e1993f00d33a}\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0},2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{f0a94b61-1058-4fc2-a399-e1993f00d33a}\Properties\{026e516e-b814-414b-83cd-856d6fef4822},2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{f0a94b61-1058-4fc2-a399-e1993f00d33a}\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc},2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{f0a94b61-1058-4fc2-a399-e1993f00d33a}\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc},6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{f0a94b61-1058-4fc2-a399-e1993f00d33a}\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc},1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{f0a94b61-1058-4fc2-a399-e1993f00d33a}\Properties\{1da5d803-d492-4edd-8c23-e0c0ffee7f0e},0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{8ffeba2b-46f7-4109-9e36-e28c93d90faa}\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0},2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{8ffeba2b-46f7-4109-9e36-e28c93d90faa}\Properties\{026e516e-b814-414b-83cd-856d6fef4822},2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{8ffeba2b-46f7-4109-9e36-e28c93d90faa}\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc},2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{8ffeba2b-46f7-4109-9e36-e28c93d90faa}\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc},6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{8ffeba2b-46f7-4109-9e36-e28c93d90faa}\Properties\{b3f8fa53-0004-438e-9003-51a46e139bfc},1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\{8ffeba2b-46f7-4109-9e36-e28c93d90faa}\Properties\{1da5d803-d492-4edd-8c23-e0c0ffee7f0e},0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\wavemapper
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DRIVERS32\midimapper
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Append Completion
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\AutoSuggest
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\AutoSuggest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Always Use Tab
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\Always Use Tab
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\Client\(Default)
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arabic Transparent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arabic Transparent Bold
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arabic Transparent,0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arabic Transparent Bold,0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Helvetica
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial Baltic,186
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial CE,238
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial CYR,204
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial Greek,161
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial TUR,162
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New Baltic,186
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New CE,238
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New CYR,204
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New Greek,161
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New TUR,162
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman Baltic,186
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman CE,238
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman CYR,204
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman Greek,161
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman TUR,162
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma Armenian
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Helv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tms Rmn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\David Transparent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Miriam Transparent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Fixed Miriam Transparent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Rod Transparent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\FangSong_GB2312
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\KaiTi_GB2312
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg

Write Keys

HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\Owner
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\SessionHash
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\Sequence

Delete Keys

Nothing to display

Mutexes

Local\MSCTF.Asm.MutexDefault1
Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
\xc2\xb8\xc2\xa3\xc3\xaa\xc2\xbfPDF\xc3\x91\xc2\xb9\xc3\x8b\xc3\xb5\xc2\xb4\xc3\xb3\xc3\x8a\xc2\xa6
DefaultTabtip-MainUI

Resolved APIs

kernel32.dll.SetDllDirectoryW
kernel32.dll.SetSearchPathMode
kernel32.dll.SetProcessDEPPolicy
kernel32.dll.Wow64DisableWow64FsRedirection
kernel32.dll.Wow64RevertWow64FsRedirection
kernel32.dll.GetUserDefaultUILanguage
comctl32.dll.RegisterClassNameW
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
uxtheme.dll.ThemeInitApiHook
user32.dll.IsProcessDPIAware
dwmapi.dll.DwmIsCompositionEnabled
uxtheme.dll.EnableThemeDialogTexture
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
gdi32.dll.GetFontAssocStatus
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
gdi32.dll.GdiIsMetaPrintDC
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
cryptbase.dll.SystemFunction036
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
uxtheme.dll.OpenThemeData
uxtheme.dll.CloseThemeData
uxtheme.dll.DrawThemeBackground
uxtheme.dll.DrawThemeText
uxtheme.dll.GetThemeBackgroundContentRect
uxtheme.dll.GetThemePartSize
uxtheme.dll.GetThemeTextExtent
uxtheme.dll.GetThemeTextMetrics
uxtheme.dll.GetThemeBackgroundRegion
uxtheme.dll.HitTestThemeBackground
uxtheme.dll.DrawThemeEdge
uxtheme.dll.DrawThemeIcon
uxtheme.dll.IsThemePartDefined
uxtheme.dll.IsThemeBackgroundPartiallyTransparent
uxtheme.dll.GetThemeColor
uxtheme.dll.GetThemeMetric
uxtheme.dll.GetThemeString
uxtheme.dll.GetThemeBool
uxtheme.dll.GetThemeInt
uxtheme.dll.GetThemeEnumValue
uxtheme.dll.GetThemePosition
uxtheme.dll.GetThemeFont
uxtheme.dll.GetThemeRect
uxtheme.dll.GetThemeMargins
uxtheme.dll.GetThemeIntList
uxtheme.dll.GetThemePropertyOrigin
uxtheme.dll.SetWindowTheme
uxtheme.dll.GetThemeFilename
uxtheme.dll.GetThemeSysColor
uxtheme.dll.GetThemeSysColorBrush
uxtheme.dll.GetThemeSysBool
uxtheme.dll.GetThemeSysSize
uxtheme.dll.GetThemeSysFont
uxtheme.dll.GetThemeSysString
uxtheme.dll.GetThemeSysInt
uxtheme.dll.IsThemeActive
uxtheme.dll.IsAppThemed
uxtheme.dll.GetWindowTheme
uxtheme.dll.IsThemeDialogTextureEnabled
uxtheme.dll.GetThemeAppProperties
uxtheme.dll.SetThemeAppProperties
uxtheme.dll.GetCurrentThemeName
uxtheme.dll.GetThemeDocumentationProperty
uxtheme.dll.DrawThemeParentBackground
uxtheme.dll.EnableTheming
user32.dll.NotifyWinEvent
shell32.dll.SHCreateItemFromParsingName
shell32.dll.SHPathPrepareForWriteA
kernel32.dll.VerSetConditionMask
kernel32.dll.VerifyVersionInfoW
kernel32.dll.GetNativeSystemInfo
kernel32.dll.IsWow64Process
kernel32.dll.GetSystemWow64DirectoryA
advapi32.dll.RegDeleteKeyExA
shell32.dll.SHGetKnownFolderPath
user32.dll.DisableProcessWindowsGhosting
advapi32.dll.CheckTokenMembership
user32.dll.ShutdownBlockReasonDestroy
user32.dll.ShutdownBlockReasonCreate
shfolder.dll.SHGetFolderPathA
rstrtmgr.dll.RmStartSession
rstrtmgr.dll.RmRegisterResources
rstrtmgr.dll.RmGetList
rstrtmgr.dll.RmShutdown
rstrtmgr.dll.RmRestart
rstrtmgr.dll.RmEndSession
bcryptprimitives.dll.GetHashInterface
isskin.dll.LoadSkin
isskin.dll.UnloadSkin
user32.dll.ShowWindow
updateicon.dll.UpdateIcon
comctl32.dll.DllGetVersion
user32.dll.SetWinEventHook
user32.dll.UnhookWinEvent
sechost.dll.OpenSCManagerW
sechost.dll.OpenServiceW
sechost.dll.QueryServiceStatus
sechost.dll.CloseServiceHandle
rpcrt4.dll.RpcStringBindingComposeW
rpcrt4.dll.RpcBindingFromStringBindingW
rpcrt4.dll.RpcStringFreeW
mmdevapi.dll.#3
wdmaud.drv.DriverProc
wdmaud.drv.modMessage
wdmaud.drv.midMessage
rpcrt4.dll.NdrClientCall2
wdmaud.drv.wodMessage
mmdevapi.dll.DllGetClassObject
ole32.dll.CoCreateFreeThreadedMarshaler
setupapi.dll.SetupDiCreateDeviceInfoList
kernel32.dll.RegOpenKeyExW
kernel32.dll.RegCloseKey
wdmaud.drv.mxdMessage
ole32.dll.CoTaskMemAlloc
shlwapi.dll.#487
ole32.dll.CoTaskMemFree
ole32.dll.PropVariantClear
setupapi.dll.SetupDiOpenDeviceInfoW
setupapi.dll.SetupDiGetDeviceInstanceIdW
setupapi.dll.SetupDiGetDevicePropertyW
shlwapi.dll.SHStrDupW
audioses.dll.DllGetClassObject
ole32.dll.NdrOleInitializeExtension
ole32.dll.CoGetClassObject
ole32.dll.CoGetMarshalSizeMax
ole32.dll.CoMarshalInterface
ole32.dll.CoUnmarshalInterface
ole32.dll.StringFromIID
ole32.dll.CoGetPSClsid
ole32.dll.CoCreateInstance
ole32.dll.CoReleaseMarshalData
ole32.dll.DcomChannelSetHResult
wdmaud.drv.widMessage
msacm32.drv.DriverProc
msacm32.drv.wodMessage
msacm32.drv.widMessage
midimap.dll.DriverProc
midimap.dll.modMessage
kernel32.dll.LoadLibraryA
psapi.dll.EnumProcessModules
psapi.dll.GetModuleInformation
kernel32.dll.LoadLibraryW
kernel32.dll.LoadLibraryExA
kernel32.dll.LoadLibraryExW
kernel32.dll.GetProcAddress
kernel32.dll.GetModuleHandleA
kernel32.dll.CreateThread
user32.dll.RegisterClassA
user32.dll.RegisterClassW
user32.dll.GetSysColor
user32.dll.GetSysColorBrush
user32.dll.DrawEdge
user32.dll.FillRect
gdi32.dll.DeleteObject
user32.dll.DrawFrameControl
user32.dll.SetScrollInfo
user32.dll.SetScrollPos
user32.dll.GetScrollInfo
user32.dll.EnableScrollBar
user32.dll.DrawMenuBar
user32.dll.SystemParametersInfoA
user32.dll.AdjustWindowRectEx
user32.dll.GetSystemMetrics
user32.dll.TrackPopupMenu
user32.dll.TrackPopupMenuEx
user32.dll.DefWindowProcA
user32.dll.DefWindowProcW
user32.dll.DefFrameProcA
user32.dll.DefFrameProcW
user32.dll.DefDlgProcA
user32.dll.DefDlgProcW
user32.dll.DefMDIChildProcA
user32.dll.DefMDIChildProcW
user32.dll.CallWindowProcA
user32.dll.CallWindowProcW
comctl32.dll.HIMAGELIST_QueryInterface
comctl32.dll.DrawShadowText
comctl32.dll.DrawSizeBox
comctl32.dll.DrawScrollBar
comctl32.dll.SizeBoxHwnd
comctl32.dll.ScrollBar_MouseMove
comctl32.dll.ScrollBar_Menu
comctl32.dll.HandleScrollCmd
comctl32.dll.DetachScrollBars
comctl32.dll.AttachScrollBars
comctl32.dll.CCSetScrollInfo
comctl32.dll.CCGetScrollInfo
comctl32.dll.CCEnableScrollBar
comctl32.dll.QuerySystemGestureStatus
uxtheme.dll.#49
msimg32.dll.GradientFill
msimg32.dll.AlphaBlend
msimg32.dll.TransparentBlt
user32.dll.ChangeWindowMessageFilterEx
gdi32.dll.GetTextExtentExPointWPri
imm32.dll.ImmIsIME
imm32.dll.ImmGetContext
imm32.dll.ImmReleaseContext
imm32.dll.ImmAssociateContext
user32.dll.MonitorFromRect
user32.dll.GetMonitorInfoA
shlwapi.dll.SHAutoComplete
comctl32.dll.#411
comctl32.dll.#410
ole32.dll.CLSIDFromString
comctl32.dll.#413

Execute Commands

"C:\Users\Seven01\AppData\Local\Temp\is-DSNVD.tmp\PDFShrinkSetup.tmp" /SL5="$5015A,8957225,98304,C:\Users\Seven01\AppData\Local\Temp\PDFShrinkSetup.exe"

Started Services

Nothing to display

Created Services

Nothing to display
Behavior analysis details
Machine name Machine label Machine manager Started Ended Duration
Seven06_64 Seven06_64 VirtualBox 2019-02-07 05:49:20 2019-02-07 05:52:23 183

9 HTTP Request(s) detected

http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D
  • Hostname: ocsp.godaddy.com
  • IP Address: 50.63.243.230
  • Port: 80
  • Count: 1

GET //MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D HTTP/1.1
Cache-Control: max-age = 112236
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 05 Apr 2016 07:16:06 GMT
If-None-Match: "a3cdacf3131b1bb14b520f95976de9a4b547e0c2"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com

http://ocsp.godaddy.com/
  • Hostname: ocsp.godaddy.com
  • IP Address: 50.63.243.230
  • Port: 80
  • Count: 1

POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/ocsp-request
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Content-Length: 70
Host: ocsp.godaddy.com

http://ocsp.godaddy.com/
  • Hostname: ocsp.godaddy.com
  • IP Address: 50.63.243.230
  • Port: 80
  • Count: 1

POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/ocsp-request
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Content-Length: 68
Host: ocsp.godaddy.com

http://ocsp.godaddy.com/
  • Hostname: ocsp.godaddy.com
  • IP Address: 50.63.243.230
  • Port: 80
  • Count: 1

POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/ocsp-request
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Content-Length: 75
Host: ocsp.godaddy.com

http://crl.godaddy.com/gdroot.crl
  • Hostname: crl.godaddy.com
  • IP Address: 50.63.243.228
  • Port: 80
  • Count: 1

GET /gdroot.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.godaddy.com

http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D
  • Hostname: ocsp.godaddy.com
  • IP Address: 50.63.243.230
  • Port: 80
  • Count: 1

GET //MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D HTTP/1.1
Cache-Control: max-age = 121768
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 05 Apr 2016 10:03:19 GMT
If-None-Match: "3a6d9c0494f9f339b0ccb367a194bfdd86d62700"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com

http://crl.godaddy.com/gdroot-g2.crl
  • Hostname: crl.godaddy.com
  • IP Address: 50.63.243.228
  • Port: 80
  • Count: 1

GET /gdroot-g2.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.godaddy.com

http://ocsp.godaddy.com//MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCDasA3qoHWP9
  • Hostname: ocsp.godaddy.com
  • IP Address: 50.63.243.230
  • Port: 80
  • Count: 1

GET //MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCDasA3qoHWP9 HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com

http://crl.godaddy.com/gdig2s5-3.crl
  • Hostname: crl.godaddy.com
  • IP Address: 50.63.243.228
  • Port: 80
  • Count: 1

GET /gdig2s5-3.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.godaddy.com

#infosec #automation

TheSystem Itself @ 2019-02-07 05:54:26

Detected family: #Hesv

TheSystem Itself @ 2019-02-07 06:00:03