MalScore

32.5/100

7120.exe

Is DLL Packer Anti Debug Anti VM Signed XOR Related 18

File details Download PDF Report
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
File size:	254.45 KB (260552 bytes)
Compile time:	2015-02-15 09:00:31
MD5:	a8e200f1e66467d25a0a961fa69f9cbd
SHA1:	d74ca44189fde53b1358977feed32cc1ae50ea79
SHA256:	8d25031c713f945e26935953121ab7db9f3d71b60ce75d2a89284697426fc20a
Import hash:	4cfda23baf1e2e983ddfeca47a5c755a
Sections 4	.text .rdata .data .rsrc
Directories 5	import export resource debug security
First submission:	2022-04-21 03:00:06
Last submission:	2022-04-21 03:00:06
Filename detected:	- 7120.exe (1)

URL file hosting
hXXp://184.175.115.10/enzf/7120.exe

Antivirus Report
Report Date	Detection Ratio	Permalink	Update
No report available

PE Sections 0 suspicious
Name	VAddress	VSize	Size	MD5	SHA1
.text	0x1000	0x2878a	165888	d06d79869523ea3421d1bec81acb4dd3	ef43287f9744999877f97b0a4d6deae1c45995aa
.rdata	0x2a000	0x4fd3	20480	ae7c16bd625a124b8fbf6ecc9002c4ff	7cdb74324a6c4fd72aea036499c57b649fd308bb
.data	0x2f000	0x21428	5632	6754819d963e719555064632286f5a0d	95db54c6548fd28cb2d56c25c6226b18869cfe33
.rsrc	0x51000	0x44d8	17920	6aa2cae10e88f53028dea6fff76be49b	2cbb082e270d01816951f35f54f151f2cbeb8d10

Meta Info
No Meta found in this file

XOR
No XOR informations found in this file.

Signature
MD5:	46e063ea3fe41395f3b8903716790a99
SHA1:	8515eb98b211169180fe4b52f96f94e80a832ffe
Block Size:	6232
Virtual Address:	254320

Packer(s)
Microsoft Visual C++ 8
VC8 -> Microsoft Corporation

File found
FIle type: Temporary
%s.%d.tmp
winrarsfxmappingfile.tmp
FIle type: Data
version.dat
FIle type: Library
KERNEL32.dll
crypt32.dll
riched32.dll
riched20.dll
mscoree.dll
ADVAPI32.dll
SHLWAPI.dll
SHELL32.dll
OLEAUT32.dll
USER32.dll
comctl32.dll
comdlg32.dll
ole32.dll
GDI32.dll

IP Found
No IP detected

URL(s)
http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
http://ts-ocsp.ws.symantec.com07
http://ocsp.digicert.com0C
http://crl.thawte.com/ThawteTimestampingCA.crl0
http://ocsp.digicert.com0N
http://crl3.digicert.com/sha2-assured-cs-g1.crl05
http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
http://ocsp.thawte.com0
http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
http://schemas.microsoft.com/SMI/2005/WindowsSettings
http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
https://www.digicert.com/CPS0
http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<

Behavior analysis details
Machine name	Machine label	Machine manager	Started	Ended	Duration
Seven06_64	Seven06_64	VirtualBox	2022-04-21 02:49:57	2022-04-21 02:53:04	187

7 Behaviors detected by system signatures

Dynamic (imported) function loading detected Severity: Medium Confidence: Very High

DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: uxtheme.dll/ThemeInitApiHook
DynamicLoader: USER32.dll/IsProcessDPIAware
DynamicLoader: ole32.dll/CoGetMalloc
DynamicLoader: dwmapi.dll/DwmIsCompositionEnabled
DynamicLoader: COMCTL32.dll/RegisterClassNameW
DynamicLoader: uxtheme.dll/EnableThemeDialogTexture
DynamicLoader: COMCTL32.dll/RegisterClassNameW
DynamicLoader: uxtheme.dll/OpenThemeData
DynamicLoader: uxtheme.dll/IsThemePartDefined
DynamicLoader: uxtheme.dll/GetThemeMargins
DynamicLoader: uxtheme.dll/GetThemeBool
DynamicLoader: uxtheme.dll/GetThemeInt
DynamicLoader: COMCTL32.dll/RegisterClassNameW
DynamicLoader: COMCTL32.dll/HIMAGELIST_QueryInterface
DynamicLoader: COMCTL32.dll/DrawShadowText
DynamicLoader: COMCTL32.dll/DrawSizeBox
DynamicLoader: COMCTL32.dll/DrawScrollBar
DynamicLoader: COMCTL32.dll/SizeBoxHwnd
DynamicLoader: COMCTL32.dll/ScrollBar_MouseMove
DynamicLoader: COMCTL32.dll/ScrollBar_Menu
DynamicLoader: COMCTL32.dll/HandleScrollCmd
DynamicLoader: COMCTL32.dll/DetachScrollBars
DynamicLoader: COMCTL32.dll/AttachScrollBars
DynamicLoader: COMCTL32.dll/CCSetScrollInfo
DynamicLoader: COMCTL32.dll/CCGetScrollInfo
DynamicLoader: COMCTL32.dll/CCEnableScrollBar
DynamicLoader: COMCTL32.dll/QuerySystemGestureStatus
DynamicLoader: uxtheme.dll/
DynamicLoader: uxtheme.dll/CloseThemeData
DynamicLoader: uxtheme.dll/SetWindowTheme
DynamicLoader: COMCTL32.dll/RegisterClassNameW
DynamicLoader: uxtheme.dll/GetThemeFont
DynamicLoader: uxtheme.dll/GetThemeColor
DynamicLoader: IMM32.DLL/ImmIsIME
DynamicLoader: COMCTL32.dll/RegisterClassNameW
DynamicLoader: GDI32.dll/GetLayout
DynamicLoader: GDI32.dll/GdiRealizationInfo
DynamicLoader: GDI32.dll/FontIsLinked
DynamicLoader: ADVAPI32.dll/RegOpenKeyExW
DynamicLoader: ADVAPI32.dll/RegQueryInfoKeyW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: ADVAPI32.dll/RegEnumValueW
DynamicLoader: ADVAPI32.dll/RegCloseKey
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: ADVAPI32.dll/RegQueryValueExW
DynamicLoader: GDI32.dll/GetFontAssocStatus
DynamicLoader: ADVAPI32.dll/RegQueryValueExA
DynamicLoader: ADVAPI32.dll/RegEnumKeyExW
DynamicLoader: GDI32.dll/GetTextFaceAliasW
DynamicLoader: GDI32.dll/GetTextExtentExPointWPri
DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: COMCTL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: ole32.dll/CLSIDFromString
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: uxtheme.dll/GetThemePartSize
DynamicLoader: uxtheme.dll/GetThemeTextExtent
DynamicLoader: COMCTL32.dll/RegisterClassNameW
DynamicLoader: COMCTL32.dll/
DynamicLoader: ole32.dll/CoInitializeEx
DynamicLoader: ole32.dll/CoUninitialize
DynamicLoader: ole32.dll/CoRegisterInitializeSpy
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: IMM32.DLL/ImmGetContext
DynamicLoader: IMM32.DLL/ImmLockIMC
DynamicLoader: IMM32.DLL/ImmUnlockIMC
DynamicLoader: IMM32.DLL/ImmReleaseContext
DynamicLoader: IMM32.DLL/ImmSetCompositionFontW
DynamicLoader: IMM32.DLL/ImmGetCompositionWindow
DynamicLoader: IMM32.DLL/ImmSetCompositionWindow
DynamicLoader: IMM32.DLL/ImmAssociateContext
DynamicLoader: IMM32.DLL/ImmNotifyIME
DynamicLoader: uxtheme.dll/BufferedPaintInit
DynamicLoader: uxtheme.dll/BufferedPaintRenderAnimation
DynamicLoader: uxtheme.dll/BeginBufferedAnimation
DynamicLoader: uxtheme.dll/IsThemeBackgroundPartiallyTransparent
DynamicLoader: uxtheme.dll/DrawThemeParentBackgroundEx
DynamicLoader: uxtheme.dll/DrawThemeBackground
DynamicLoader: uxtheme.dll/EndBufferedAnimation
DynamicLoader: uxtheme.dll/BeginBufferedPaint
DynamicLoader: uxtheme.dll/EndBufferedPaint
DynamicLoader: uxtheme.dll/GetThemeTransitionDuration
DynamicLoader: uxtheme.dll/DrawThemeParentBackground
DynamicLoader: uxtheme.dll/GetThemeBackgroundContentRect
DynamicLoader: uxtheme.dll/DrawThemeText
DynamicLoader: DUser.dll/InvalidateGadget
DynamicLoader: COMCTL32.dll/
DynamicLoader: COMCTL32.dll/
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: COMCTL32.dll/

Reads data out of its own binary image Severity: Medium Confidence: Low

self_read: process: 7120.exe, pid: 2464, offset: 0x00000000, length: 0x00000007
self_read: process: 7120.exe, pid: 2464, offset: 0x00000000, length: 0x00002000
self_read: process: 7120.exe, pid: 2464, offset: 0x00000007, length: 0x0003f9c1
self_read: process: 7120.exe, pid: 2464, offset: 0x00001ff0, length: 0x00002000
self_read: process: 7120.exe, pid: 2464, offset: 0x00003fe0, length: 0x00002000
self_read: process: 7120.exe, pid: 2464, offset: 0x00005fd0, length: 0x00002000
self_read: process: 7120.exe, pid: 2464, offset: 0x00007fc0, length: 0x00002000
self_read: process: 7120.exe, pid: 2464, offset: 0x00009fb0, length: 0x00002000
self_read: process: 7120.exe, pid: 2464, offset: 0x0000bfa0, length: 0x00002000
self_read: process: 7120.exe, pid: 2464, offset: 0x0000df90, length: 0x00002000
self_read: process: 7120.exe, pid: 2464, offset: 0x0000ff80, length: 0x00002000
self_read: process: 7120.exe, pid: 2464, offset: 0x00011f70, length: 0x00002000
self_read: process: 7120.exe, pid: 2464, offset: 0x00013f60, length: 0x00002000
self_read: process: 7120.exe, pid: 2464, offset: 0x00015f50, length: 0x00002000
self_read: process: 7120.exe, pid: 2464, offset: 0x00017f40, length: 0x00002000
self_read: process: 7120.exe, pid: 2464, offset: 0x00019f30, length: 0x00002000
self_read: process: 7120.exe, pid: 2464, offset: 0x0001bf20, length: 0x00002000
self_read: process: 7120.exe, pid: 2464, offset: 0x0001df10, length: 0x00002000
self_read: process: 7120.exe, pid: 2464, offset: 0x0001ff00, length: 0x00002000
self_read: process: 7120.exe, pid: 2464, offset: 0x00021ef0, length: 0x00002000
self_read: process: 7120.exe, pid: 2464, offset: 0x00023ee0, length: 0x00002000
self_read: process: 7120.exe, pid: 2464, offset: 0x00025ed0, length: 0x00002000
self_read: process: 7120.exe, pid: 2464, offset: 0x00027ec0, length: 0x00002000
self_read: process: 7120.exe, pid: 2464, offset: 0x00029eb0, length: 0x00002000
self_read: process: 7120.exe, pid: 2464, offset: 0x0002bea0, length: 0x00002000
self_read: process: 7120.exe, pid: 2464, offset: 0x0002de90, length: 0x00002000
self_read: process: 7120.exe, pid: 2464, offset: 0x0002fe80, length: 0x00002000
self_read: process: 7120.exe, pid: 2464, offset: 0x00031e70, length: 0x00002000
self_read: process: 7120.exe, pid: 2464, offset: 0x00033800, length: 0x0000a970

Network activity detected but not expressed in API logs Severity: Medium Confidence: Very High

HTTP traffic contains suspicious features which may be indicative of malware related traffic Severity: Medium Confidence: Low

post_no_referer: HTTP traffic contains a POST request with no referer header
suspicious_request: http://ocsp.digicert.com/
suspicious_request: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl
suspicious_request: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
suspicious_request: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEA4rIkH1oBbcAQYnSqFeFd4%3D
suspicious_request: http://crl3.digicert.com/sha2-assured-cs-g1.crl
suspicious_request: http://crl4.digicert.com/sha2-assured-cs-g1.crl

Performs some HTTP requests Severity: Medium Confidence: Low

url: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
url: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D
url: http://ocsp.digicert.com/
url: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl
url: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
url: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEA4rIkH1oBbcAQYnSqFeFd4%3D
url: http://crl3.digicert.com/sha2-assured-cs-g1.crl
url: http://crl4.digicert.com/sha2-assured-cs-g1.crl

SetUnhandledExceptionFilter detected (possible anti-debug) Severity: Low Confidence: Very High

Presents an Authenticode digital signature Severity: Low Confidence: Low

md5_fingerprint: b7d94465f39fa62be8a44867f47a1681
sha1_fingerprint: 7b62cc0967472dbb891c20b71885cb7184c2325e
cn: Fujian NetDragon Computer Network Information Technology Co.,Ltd
sn: 18833155533680270880444459472188741086

Behavior analysis details
Machine name	Machine label	Machine manager	Started	Ended	Duration
Seven06_64	Seven06_64	VirtualBox	2022-04-21 02:49:57	2022-04-21 02:53:04	187

9 Summary items with data

Files

\Device\KsecDD
C:\Users\Seven01\AppData\Local\Temp\7120.exe
C:\Windows\SysWOW64\it-IT\USER32.dll.mui
C:\Windows\System32\uxtheme.dll.Config
C:\Windows\System32\uxtheme.dll
C:\Users\Seven01\AppData\Local\Temp\7120.exe.Local\
C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
C:\Windows\win.ini
C:\Windows\Fonts\staticcache.dat
C:\Windows\SysWOW64\shell32.dll
C:\Windows\SysWOW64\it-IT\MSCTF.dll.mui
C:\Users
C:\Users\Seven01
C:\Users\Seven01\AppData
C:\Users\Seven01\AppData\Local
C:\Users\Seven01\AppData\Local\Temp
C:\Users\Seven01\AppData\Local\Temp\__tmp_rar_sfx_access_check_28960765
C:\Users\Seven01\AppData\Local\Temp\ini\npc.ini
C:\Users\Seven01\AppData\Local\Temp\ini
C:\Users\Seven01\AppData\Local\Temp\version.dat
C:\Users\Seven01\AppData\Local\Temp\play.exe

Read Files

\Device\KsecDD
C:\Users\Seven01\AppData\Local\Temp\7120.exe
C:\Windows\SysWOW64\it-IT\USER32.dll.mui
C:\Windows\System32\uxtheme.dll.Config
C:\Windows\System32\uxtheme.dll
C:\Windows\win.ini
C:\Windows\Fonts\staticcache.dat
C:\Windows\SysWOW64\shell32.dll
C:\Windows\SysWOW64\it-IT\MSCTF.dll.mui
C:\Users\Seven01\AppData\Local\Temp\__tmp_rar_sfx_access_check_28960765

Write Files

C:\Users\Seven01\AppData\Local\Temp\__tmp_rar_sfx_access_check_28960765
C:\Users\Seven01\AppData\Local\Temp\ini\npc.ini
C:\Users\Seven01\AppData\Local\Temp\ini
C:\Users\Seven01\AppData\Local\Temp\version.dat

Delete Files

C:\Users\Seven01\AppData\Local\Temp\__tmp_rar_sfx_access_check_28960765

Keys

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CMF\Config
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software
HKEY_LOCAL_MACHINE\Software
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Append Completion
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\AutoSuggest
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\AutoSuggest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Always Use Tab
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\Always Use Tab
HKEY_CLASSES_ROOT\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Client\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\Client\(Default)
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic DST
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\7120.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{70FAF614-E0B1-11D3-8F5C-00C04F9CF4AC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{70FAF614-E0B1-11D3-8F5C-00C04F9CF4AC}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

Read Keys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Append Completion
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\AutoSuggest
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\AutoSuggest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Always Use Tab
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\Always Use Tab
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\Client\(Default)
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

Write Keys

Nothing to display

Delete Keys

Nothing to display

Mutexes

DefaultTabtip-MainUI
Local\MSCTF.Asm.MutexDefault1

Resolved APIs

kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.SetDllDirectoryW
cryptbase.dll.SystemFunction036
uxtheme.dll.ThemeInitApiHook
user32.dll.IsProcessDPIAware
ole32.dll.CoGetMalloc
dwmapi.dll.DwmIsCompositionEnabled
comctl32.dll.RegisterClassNameW
uxtheme.dll.EnableThemeDialogTexture
uxtheme.dll.OpenThemeData
uxtheme.dll.IsThemePartDefined
uxtheme.dll.GetThemeMargins
uxtheme.dll.GetThemeBool
uxtheme.dll.GetThemeInt
comctl32.dll.HIMAGELIST_QueryInterface
comctl32.dll.DrawShadowText
comctl32.dll.DrawSizeBox
comctl32.dll.DrawScrollBar
comctl32.dll.SizeBoxHwnd
comctl32.dll.ScrollBar_MouseMove
comctl32.dll.ScrollBar_Menu
comctl32.dll.HandleScrollCmd
comctl32.dll.DetachScrollBars
comctl32.dll.AttachScrollBars
comctl32.dll.CCSetScrollInfo
comctl32.dll.CCGetScrollInfo
comctl32.dll.CCEnableScrollBar
comctl32.dll.QuerySystemGestureStatus
uxtheme.dll.#49
uxtheme.dll.CloseThemeData
uxtheme.dll.SetWindowTheme
uxtheme.dll.GetThemeFont
uxtheme.dll.GetThemeColor
imm32.dll.ImmIsIME
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
gdi32.dll.GetFontAssocStatus
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
gdi32.dll.GetTextExtentExPointWPri
gdi32.dll.GdiIsMetaPrintDC
ole32.dll.CoCreateInstance
comctl32.dll.#320
comctl32.dll.#324
comctl32.dll.#411
comctl32.dll.#410
ole32.dll.CLSIDFromString
uxtheme.dll.GetThemePartSize
uxtheme.dll.GetThemeTextExtent
comctl32.dll.#413
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
imm32.dll.ImmGetContext
imm32.dll.ImmLockIMC
imm32.dll.ImmUnlockIMC
imm32.dll.ImmReleaseContext
imm32.dll.ImmSetCompositionFontW
imm32.dll.ImmGetCompositionWindow
imm32.dll.ImmSetCompositionWindow
imm32.dll.ImmAssociateContext
imm32.dll.ImmNotifyIME
uxtheme.dll.BufferedPaintInit
uxtheme.dll.BufferedPaintRenderAnimation
uxtheme.dll.BeginBufferedAnimation
uxtheme.dll.IsThemeBackgroundPartiallyTransparent
uxtheme.dll.DrawThemeParentBackgroundEx
uxtheme.dll.DrawThemeBackground
uxtheme.dll.EndBufferedAnimation
uxtheme.dll.BeginBufferedPaint
uxtheme.dll.EndBufferedPaint
uxtheme.dll.GetThemeTransitionDuration
uxtheme.dll.DrawThemeParentBackground
uxtheme.dll.GetThemeBackgroundContentRect
uxtheme.dll.DrawThemeText
duser.dll.InvalidateGadget
comctl32.dll.#412
comctl32.dll.#388
oleaut32.dll.#500
advapi32.dll.UnregisterTraceGuids
comctl32.dll.#321

Execute Commands

play.exe

Started Services

Nothing to display

Created Services

Nothing to display

Behavior analysis details
Machine name	Machine label	Machine manager	Started	Ended	Duration
Seven06_64	Seven06_64	VirtualBox	2022-04-21 02:49:57	2022-04-21 02:53:04	187

8 HTTP Request(s) detected

http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt

Hostname: cacerts.digicert.com
IP Address: 172.64.149.82
Port: 80
Count: 1

GET /DigiCertAssuredIDRootCA.crt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: cacerts.digicert.com

http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D

Hostname: ocsp.digicert.com
IP Address: 93.184.220.29
Port: 80
Count: 1

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com

http://ocsp.digicert.com/

Hostname: ocsp.digicert.com
IP Address: 93.184.220.29
Port: 80
Count: 2

POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/ocsp-request
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Content-Length: 83
Host: ocsp.digicert.com

http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl

Hostname: crl4.digicert.com
IP Address: 93.184.220.29
Port: 80
Count: 1

GET /DigiCertAssuredIDRootCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl4.digicert.com

http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl

Hostname: crl3.digicert.com
IP Address: 93.184.220.29
Port: 80
Count: 1

GET /DigiCertAssuredIDRootCA.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl3.digicert.com

http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEA4rIkH1oBbcAQYnSqFeFd4%3D

Hostname: ocsp.digicert.com
IP Address: 93.184.220.29
Port: 80
Count: 1

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEA4rIkH1oBbcAQYnSqFeFd4%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com

http://crl3.digicert.com/sha2-assured-cs-g1.crl

Hostname: crl3.digicert.com
IP Address: 93.184.220.29
Port: 80
Count: 1

GET /sha2-assured-cs-g1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl3.digicert.com

http://crl4.digicert.com/sha2-assured-cs-g1.crl

Hostname: crl4.digicert.com
IP Address: 93.184.220.29
Port: 80
Count: 1

GET /sha2-assured-cs-g1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl4.digicert.com

Import Hash: 4cfda23baf1e2e983ddfeca47a5c755a
Submission	File name	MD5
2016-06-23 13:39:04	j4v4upd4t3rL0ads.exe	c512897eee0b35457bf43c6a83f8034f
2016-06-23 13:42:04	Off1cce365upd4te.exe	b16dcc2782a1f4c47b32cb593a73a32c
2016-06-23 13:45:04	ad0v3f1ashplay3r.exe	08d57c9a390da5861ffe6fdbeee97f41
2016-08-08 17:18:06	j4v4upd4t3rL0ad1s.exe	8ba75de55191a7b284c87450d7ec168e
2016-08-08 17:21:05	Off1cce365upd4te.exe	0ccf64103df597108d163158e56ce5e4
2016-08-08 17:24:06	ad0v3f1ashplay3rall.exe	45e68e5bc35e6b0ac6b49dc0fd7717b4
2016-08-25 18:06:18	Off1cce365upd4te.exe	489f31e974898cc0209b26ba6ed67bab
2016-08-31 13:51:15	0fficekeyserial16.exe	edef36195c2e7d4b2ef2e041f9269114
2016-09-06 21:36:07	0fficekeyserial16.exe	0f9b9f5cb4f606f84405698d943f6ba5
2017-05-31 05:24:13	app.exe	125104c1a6d60b9fbd23477853fb6c49
2018-12-28 14:51:11	bigvn.exe	419225ebb43e58f71cd907ade42ee73c
2019-01-29 04:07:17	doyo_setup_3074_s.exe	4bf75369fa8b32c8beac3475b9d1ae9b
2019-04-12 16:47:52	vJoySetup.exe	7165bba148e053b677bc6da305d1008c
2019-04-12 16:49:16	activtrades4.exe	783667bec59c505f0f26299ede5522c5
2019-04-12 16:49:16	activtrades4.exe	76929480f7be10ef76f98870ecc80cb3
2019-04-12 16:50:49	java.exe	62e654d9dd4d5d08849d3c5304b68227
2019-04-12 16:50:50	java.exe	a4641af4736dc18f2d0c6cfd2300fa3f
2019-07-03 16:24:13	scan.exe	44bc631acf8510b05915e245b6258ebe

#infosec #automation

TheSystem Itself @ 2022-04-21 03:00:07