Analysis

Category Package Started Completed Duration
FILE exe 2025-06-13 00:58:00 2025-06-13 01:29:02 1862 seconds

Options
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1
2024-11-25 13:37:15,085 [root] INFO: Date set to: 20250612T19:05:23, timeout set to: 1800
2025-06-12 20:05:23,288 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8
2025-06-12 20:05:23,288 [root] DEBUG: Storing results at: C:\ugjpRu
2025-06-12 20:05:23,288 [root] DEBUG: Pipe server name: \\.\PIPE\IprPMTCJ
2025-06-12 20:05:23,304 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-12 20:05:23,304 [root] INFO: analysis running as an admin
2025-06-12 20:05:23,304 [root] INFO: analysis package specified: "exe"
2025-06-12 20:05:23,304 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-12 20:05:24,147 [root] DEBUG: imported analysis package "exe"
2025-06-12 20:05:24,147 [root] DEBUG: initializing analysis package "exe"...
2025-06-12 20:05:24,147 [lib.common.common] INFO: wrapping
2025-06-12 20:05:24,147 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-12 20:05:24,147 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\DNSQuerySniffer.exe
2025-06-12 20:05:24,147 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-12 20:05:24,147 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-12 20:05:24,147 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-12 20:05:24,163 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-12 20:05:24,428 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-12 20:05:24,475 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-12 20:05:24,507 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-12 20:05:24,522 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-12 20:05:24,538 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-12 20:05:24,538 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-12 20:05:24,538 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-12 20:05:24,538 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-12 20:05:24,538 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-12 20:05:24,538 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-12 20:05:24,554 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-12 20:05:24,554 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-12 20:05:24,554 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-12 20:05:24,554 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-12 20:05:24,554 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-12 20:05:24,554 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-12 20:05:24,554 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-12 20:05:24,554 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-12 20:05:36,225 [modules.auxiliary.digisig] DEBUG: File has a valid signature
2025-06-12 20:05:36,225 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-12 20:05:36,225 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-12 20:05:36,225 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-12 20:05:36,225 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-12 20:05:36,225 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-12 20:05:36,225 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-12 20:05:36,225 [modules.auxiliary.disguise] INFO: Disguising GUID to 40e3f50e-e3ad-428d-ac6c-32516ae967dc
2025-06-12 20:05:36,225 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-12 20:05:36,241 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-12 20:05:36,241 [root] DEBUG: attempting to configure 'Human' from data
2025-06-12 20:05:36,241 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-12 20:05:36,241 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-12 20:05:36,241 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-12 20:05:36,241 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-12 20:05:36,241 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-12 20:05:36,241 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-12 20:05:36,241 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-12 20:05:36,241 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-12 20:05:36,241 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-12 20:05:36,241 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-12 20:05:36,241 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-12 20:05:36,241 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-12 20:05:36,241 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-12 20:05:36,241 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-12 20:05:36,257 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini
2025-06-12 20:05:36,257 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-12 20:05:36,257 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-12 20:05:36,257 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-12 20:05:36,272 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-12 20:05:36,272 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-12 20:05:36,272 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-12 20:05:36,272 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\OfUZSPk.dll, loader C:\tmp_gell1p8\bin\pLbotWiq.exe
2025-06-12 20:05:36,334 [root] DEBUG: Loader: IAT patching disabled.
2025-06-12 20:05:36,334 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\OfUZSPk.dll.
2025-06-12 20:05:36,366 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-12 20:05:36,366 [root] INFO: Disabling sleep skipping.
2025-06-12 20:05:36,366 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-12 20:05:36,366 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-12 20:05:36,366 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-12 20:05:36,366 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-12 20:05:36,366 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-12 20:05:36,381 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-12 20:05:36,381 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-12 20:05:36,381 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-12 20:05:36,381 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF822E30000, thread 5776, image base 0x00007FF60D500000, stack from 0x0000008EFACF4000-0x0000008EFAD00000
2025-06-12 20:05:36,381 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-12 20:05:36,397 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-12 20:05:36,397 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-12 20:05:36,397 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\OfUZSPk.dll.
2025-06-12 20:05:36,397 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-12 20:05: <truncated>

Machine

Name Label Manager Started On Shutdown On Route
win10-2 win10-2 KVM 2025-06-13 00:58:00 2025-06-13 01:28:43 none

File Details

File Name
DNSQuerySniffer.exe
File Type PE32+ executable (GUI) x86-64, for MS Windows
File Size 246136 bytes
MD5 de97ea0d9876a7a890696c029e814b76
SHA1 4f0bc4008491938ade3ce7ea9f7539b38e97b968
SHA256 7345d6ff5c72d2982b4c34e497d27cfe078832d4c15e483c6a3bfe728f0680a7
SHA3-384 a92fed6e8ac32530faa844113c3dbacb499dc2df76e7f4b6f1cabf553e54b422ec43afde398b4d37734458debf0c2251
CRC32 E39C44BE
TLSH T157346C09A3F414A9E4B7D9B5CD638323FBB278544734870F4B609EAA1F63311FA25762
Ssdeep 6144:JOmUad9ob3YWJYZJQTj80ThMcBYQMILe/o:4za8JoJQTjPMcLMILe/o

PE Information

Image Base 0x140000000
Entry Point 0x000257a0
Reported Checksum 0x0004854f
Actual Checksum 0x0004854f
Minimum OS Version 4.0
PDB Path f:\Projects\VS2005\DNSQuerySniffer\x64\Release\DNSQuerySniffer.pdb
Compile Time 2021-07-22 10:56:58
Import Hash ed39882eeaa63dd7be4b147a44900fff
Icon Exact Hash e27108221e8616d52641f271fdae41ec
Icon Similarity Hash 499d9d3a811b52e42460084414062639
Icon DHash 8a94cc2e166aaa83

Version Infos

CompanyName NirSoft
FileDescription DNSQuerySniffer
FileVersion 1.85
InternalName DNSQuerySniffer
LegalCopyright Copyright © 2013 - 2021 Nir Sofer
OriginalFilename DNSQuerySniffer.exe
ProductName DNSQuerySniffer
ProductVersion 1.85
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x00025077 0x00025200 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.34
.rdata 0x00025600 0x00027000 0x0000740a 0x00007600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.85
.data 0x0002cc00 0x0002f000 0x00012e48 0x00002200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.69
.pdata 0x0002ee00 0x00042000 0x00001464 0x00001600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.00
.rsrc 0x00030400 0x00044000 0x00009bc4 0x00009c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.57

Overlay

Offset 0x0003a000
Size 0x00002178

Resources

Name Offset Size Language Sub-language Entropy File type
BIN 0x00044a98 0x0000029d LANG_HEBREW SUBLANG_DEFAULT 4.26 None
BIN 0x00044d38 0x00000dec LANG_HEBREW SUBLANG_DEFAULT 4.57 None
RT_CURSOR 0x00045b24 0x00000134 LANG_ENGLISH SUBLANG_ENGLISH_US 2.78 None
RT_BITMAP 0x00045c58 0x00001828 LANG_HEBREW SUBLANG_DEFAULT 5.39 None
RT_BITMAP 0x00047480 0x000000d8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.41 None
RT_BITMAP 0x00047558 0x000000d8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.45 None
RT_ICON 0x00047630 0x000010a8 LANG_HEBREW SUBLANG_DEFAULT 5.85 None
RT_ICON 0x000486d8 0x00000468 LANG_HEBREW SUBLANG_DEFAULT 6.30 None
RT_ICON 0x00048b40 0x00000568 LANG_HEBREW SUBLANG_DEFAULT 4.97 None
RT_ICON 0x000490a8 0x00000468 LANG_HEBREW SUBLANG_DEFAULT 5.94 None
RT_ICON 0x00049510 0x00000568 LANG_HEBREW SUBLANG_DEFAULT 5.19 None
RT_ICON 0x00049a78 0x00000468 LANG_HEBREW SUBLANG_DEFAULT 6.94 None
RT_ICON 0x00049ee0 0x00000568 LANG_HEBREW SUBLANG_DEFAULT 4.86 None
RT_ICON 0x0004a448 0x00000468 LANG_HEBREW SUBLANG_DEFAULT 6.00 None
RT_MENU 0x0004a8b0 0x00000970 LANG_ENGLISH SUBLANG_ENGLISH_US 3.44 None
RT_MENU 0x0004b220 0x00000200 LANG_ENGLISH SUBLANG_ENGLISH_US 3.22 None
RT_DIALOG 0x0004b420 0x000000bc LANG_HEBREW SUBLANG_DEFAULT 2.87 None
RT_DIALOG 0x0004b4dc 0x00000296 LANG_HEBREW SUBLANG_DEFAULT 3.38 None
RT_DIALOG 0x0004b774 0x000003ec LANG_HEBREW SUBLANG_DEFAULT 3.48 None
RT_DIALOG 0x0004bb60 0x000000fa LANG_HEBREW SUBLANG_DEFAULT 3.09 None
RT_DIALOG 0x0004bc5c 0x000000f8 LANG_HEBREW SUBLANG_DEFAULT 3.01 None
RT_DIALOG 0x0004bd54 0x0000039a LANG_ENGLISH SUBLANG_ENGLISH_US 3.54 None
RT_DIALOG 0x0004c0f0 0x00000472 LANG_ENGLISH SUBLANG_ENGLISH_US 3.48 None
RT_STRING 0x0004c564 0x000002a6 LANG_ENGLISH SUBLANG_ENGLISH_US 3.33 None
RT_STRING 0x0004c80c 0x0000002e LANG_ENGLISH SUBLANG_ENGLISH_US 1.19 None
RT_STRING 0x0004c83c 0x00000118 LANG_ENGLISH SUBLANG_ENGLISH_US 3.04 None
RT_STRING 0x0004c954 0x0000009c LANG_ENGLISH SUBLANG_ENGLISH_US 2.75 None
RT_STRING 0x0004c9f0 0x00000044 LANG_ENGLISH SUBLANG_ENGLISH_US 1.88 None
RT_STRING 0x0004ca34 0x0000028a LANG_ENGLISH SUBLANG_ENGLISH_US 3.11 None
RT_STRING 0x0004ccc0 0x000000a0 LANG_ENGLISH SUBLANG_ENGLISH_US 2.53 None
RT_STRING 0x0004cd60 0x00000092 LANG_ENGLISH SUBLANG_ENGLISH_US 2.90 None
RT_STRING 0x0004cdf4 0x0000008a LANG_ENGLISH SUBLANG_ENGLISH_US 3.03 None
RT_STRING 0x0004ce80 0x00000108 LANG_ENGLISH SUBLANG_ENGLISH_US 3.42 None
RT_STRING 0x0004cf88 0x00000096 LANG_ENGLISH SUBLANG_ENGLISH_US 2.82 None
RT_STRING 0x0004d020 0x0000003c LANG_ENGLISH SUBLANG_ENGLISH_US 1.75 None
RT_STRING 0x0004d05c 0x0000004c LANG_ENGLISH SUBLANG_ENGLISH_US 2.24 None
RT_STRING 0x0004d0a8 0x0000008c LANG_ENGLISH SUBLANG_ENGLISH_US 2.98 None
RT_STRING 0x0004d134 0x0000006c LANG_ENGLISH SUBLANG_ENGLISH_US 2.49 None
RT_STRING 0x0004d1a0 0x00000130 LANG_ENGLISH SUBLANG_ENGLISH_US 2.99 None
RT_STRING 0x0004d2d0 0x00000040 LANG_ENGLISH SUBLANG_ENGLISH_US 2.23 None
RT_STRING 0x0004d310 0x00000030 LANG_ENGLISH SUBLANG_ENGLISH_US 1.18 None
RT_STRING 0x0004d340 0x00000026 LANG_ENGLISH SUBLANG_ENGLISH_US 0.70 None
RT_ACCELERATOR 0x0004d368 0x00000088 LANG_HEBREW SUBLANG_DEFAULT 3.16 None
RT_GROUP_CURSOR 0x0004d3f0 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 1.84 None
RT_GROUP_ICON 0x0004d404 0x00000022 LANG_HEBREW SUBLANG_DEFAULT 2.31 None
RT_GROUP_ICON 0x0004d428 0x00000022 LANG_HEBREW SUBLANG_DEFAULT 2.45 None
RT_GROUP_ICON 0x0004d44c 0x00000022 LANG_HEBREW SUBLANG_DEFAULT 2.33 None
RT_GROUP_ICON 0x0004d470 0x00000022 LANG_HEBREW SUBLANG_DEFAULT 2.39 None
RT_VERSION 0x0004d494 0x000002e8 LANG_HEBREW SUBLANG_DEFAULT 3.39 None
RT_MANIFEST 0x0004d77c 0x00000447 LANG_ENGLISH SUBLANG_ENGLISH_US 5.40 None

Imports

Name Address (msvcrt.dll; module name inferred from the imported symbols, not present in this export)
__wgetmainargs 0x140027740
_wcmdln 0x140027748
exit 0x140027750
_wcslwr 0x140027758
qsort 0x140027760
_purecall 0x140027768
_strcmpi 0x140027770
strchr 0x140027778
_atoi64 0x140027780
_cexit 0x140027788
wcstoul 0x140027790
_initterm 0x140027798
wcscmp 0x1400277a0
strlen 0x1400277a8
malloc 0x1400277b0
_wcsicmp 0x1400277b8
free 0x1400277c0
modf 0x1400277c8
??3@YAXPEAX@Z 0x1400277d0
??2@YAPEAX_K@Z 0x1400277d8
wcslen 0x1400277e0
_wtoi 0x1400277e8
memcmp 0x1400277f0
__setusermatherr 0x1400277f8
_commode 0x140027800
_fmode 0x140027808
__set_app_type 0x140027810
towupper 0x140027818
wcsrchr 0x140027820
_memicmp 0x140027828
wcschr 0x140027830
_itow 0x140027838
memcpy 0x140027840
wcscpy 0x140027848
memset 0x140027850
_stricmp 0x140027858
strcpy 0x140027860
strcmp 0x140027868
_exit 0x140027870
_c_exit 0x140027878
_XcptFilter 0x140027880
__C_specific_handler 0x140027888
_onexit 0x140027890
__dllonexit 0x140027898
sprintf 0x1400278a0
fclose 0x1400278a8
ftell 0x1400278b0
wcsncat 0x1400278b8
_snwprintf 0x1400278c0
wcscat 0x1400278c8
_errno 0x1400278d0
fopen 0x1400278d8
fread 0x1400278e0
fprintf 0x1400278e8
ferror 0x1400278f0
Name Address (comctl32.dll; module name inferred from the imported symbols, not present in this export)
CreateToolbarEx 0x140027030
CreateStatusWindowW 0x140027038
ImageList_Create 0x140027040
ImageList_Add 0x140027050
ImageList_AddMasked 0x140027058
ImageList_SetImageCount 0x140027060
ImageList_ReplaceIcon 0x140027068
Name Address (version.dll; module name inferred from the imported symbols, not present in this export)
GetFileVersionInfoW 0x140027678
GetFileVersionInfoSizeW 0x140027680
VerQueryValueW 0x140027688
Name Address (ws2_32.dll; module name inferred from the imported symbols, not present in this export)
htons 0x140027698
recv 0x1400276a0
bind 0x1400276a8
socket 0x1400276b0
WSASetLastError 0x1400276b8
setsockopt 0x1400276c0
WSAGetLastError 0x1400276c8
closesocket 0x1400276d0
WSAAsyncSelect 0x1400276d8
WSAStartup 0x1400276e0
WSAIoctl 0x1400276e8
connect 0x1400276f0
inet_addr 0x1400276f8
inet_ntoa 0x140027700
WSACleanup 0x140027708
Name Address (kernel32.dll; module name inferred from the imported symbols, not present in this export)
OpenProcess 0x140027108
GlobalFree 0x140027110
CreateThread 0x140027118
GetCurrentProcess 0x140027120
ExitProcess 0x140027128
ReadProcessMemory 0x140027130
FindFirstFileW 0x140027138
GetCurrentThreadId 0x140027140
WaitForSingleObject 0x140027148
SetCurrentDirectoryW 0x140027150
GetStartupInfoW 0x140027158
GetVersionExW 0x140027160
FindNextFileW 0x140027168
EnumResourceTypesW 0x140027170
ExpandEnvironmentStringsW 0x140027178
GetCurrentProcessId 0x140027180
DeleteFileW 0x140027188
CreateProcessW 0x140027190
Sleep 0x140027198
SetErrorMode 0x1400271a0
GetCurrentDirectoryW 0x1400271a8
GetStdHandle 0x1400271b0
GetPrivateProfileStringW 0x1400271b8
GetPrivateProfileIntW 0x1400271c0
EnumResourceNamesW 0x1400271c8
WritePrivateProfileStringW 0x1400271d0
DosDateTimeToFileTime 0x1400271d8
FileTimeToDosDateTime 0x1400271e0
LoadResource 0x1400271e8
GetWindowsDirectoryW 0x1400271f0
FindResourceW 0x1400271f8
GetModuleFileNameW 0x140027200
ReadFile 0x140027208
WriteFile 0x140027210
GetFileAttributesW 0x140027218
GetTimeFormatW 0x140027220
WideCharToMultiByte 0x140027228
FileTimeToSystemTime 0x140027230
SystemTimeToFileTime 0x140027238
CloseHandle 0x140027240
GetFileSize 0x140027248
FileTimeToLocalFileTime 0x140027250
GetSystemTimeAsFileTime 0x140027258
SetFilePointer 0x140027260
CompareFileTime 0x140027268
CreateFileW 0x140027270
MultiByteToWideChar 0x140027278
FreeLibrary 0x140027280
GetModuleHandleW 0x140027288
LoadLibraryW 0x140027290
GetProcAddress 0x140027298
GetTickCount 0x1400272a0
GlobalAlloc 0x1400272a8
LoadLibraryExW 0x1400272b0
GetSystemDirectoryW 0x1400272b8
lstrlenW 0x1400272c0
LocalFree 0x1400272c8
LockResource 0x1400272d0
lstrcpyW 0x1400272d8
GlobalUnlock 0x1400272e0
GetTempPathW 0x1400272e8
GetDateFormatW 0x1400272f0
GetTempFileNameW 0x1400272f8
GlobalLock 0x140027300
SizeofResource 0x140027308
GetLastError 0x140027310
FormatMessageW 0x140027318
FindClose 0x140027320
Name Address (user32.dll; module name inferred from the imported symbols, not present in this export)
GetMenuItemCount 0x140027370
SetForegroundWindow 0x140027378
PeekMessageW 0x140027380
MonitorFromWindow 0x140027388
GetMonitorInfoW 0x140027390
TranslateMessage 0x140027398
IsDialogMessageW 0x1400273a0
RemoveMenu 0x1400273a8
InsertMenuW 0x1400273b0
GetMessageW 0x1400273b8
PostQuitMessage 0x1400273c0
TrackPopupMenu 0x1400273c8
DrawTextExW 0x1400273d0
RegisterWindowMessageW 0x1400273d8
DispatchMessageW 0x1400273e0
CreatePopupMenu 0x1400273e8
GetKeyState 0x1400273f0
SetMenuItemInfoW 0x1400273f8
GetWindowTextW 0x140027400
DestroyWindow 0x140027408
GetDesktopWindow 0x140027410
LoadStringW 0x140027418
EnumChildWindows 0x140027420
DialogBoxParamW 0x140027428
CreateDialogParamW 0x140027430
DestroyMenu 0x140027438
GetDlgCtrlID 0x140027440
GetMenuItemInfoW 0x140027448
ModifyMenuW 0x140027450
GetDC 0x140027458
GetSysColorBrush 0x140027460
ShowWindow 0x140027468
LoadCursorW 0x140027470
SetCursor 0x140027478
ChildWindowFromPoint 0x140027480
GetSystemMetrics 0x140027488
EndPaint 0x140027490
DeferWindowPos 0x140027498
BeginPaint 0x1400274a0
GetClientRect 0x1400274a8
CreateWindowExW 0x1400274b0
SendDlgItemMessageW 0x1400274b8
GetWindow 0x1400274c0
EndDialog 0x1400274c8
GetDlgItem 0x1400274d0
DrawFrameControl 0x1400274d8
SetWindowTextW 0x1400274e0
UpdateWindow 0x1400274e8
InvalidateRect 0x1400274f0
GetWindowRect 0x1400274f8
SendMessageW 0x140027500
SetDlgItemTextW 0x140027508
GetDlgItemTextW 0x140027510
GetDlgItemInt 0x140027518
SetWindowLongPtrW 0x140027520
GetWindowPlacement 0x140027528
SetDlgItemInt 0x140027530
SetWindowPlacement 0x140027538
DefWindowProcW 0x140027540
PostMessageW 0x140027548
RegisterClassW 0x140027550
MessageBoxW 0x140027558
TranslateAcceleratorW 0x140027560
SetMenu 0x140027568
SetWindowPos 0x140027570
LoadAcceleratorsW 0x140027578
LoadImageW 0x140027580
FindWindowW 0x140027588
LoadIconW 0x140027590
GetSysColor 0x140027598
SetWindowLongW 0x1400275a0
GetWindowLongW 0x1400275a8
EndDeferWindowPos 0x1400275b0
BeginDeferWindowPos 0x1400275b8
SetFocus 0x1400275c0
SetTimer 0x1400275c8
GetParent 0x1400275d0
KillTimer 0x1400275d8
EmptyClipboard 0x1400275e0
EnableMenuItem 0x1400275e8
GetSubMenu 0x1400275f0
GetClassNameW 0x1400275f8
MoveWindow 0x140027600
OpenClipboard 0x140027608
InsertMenuItemW 0x140027610
CheckMenuItem 0x140027618
ReleaseDC 0x140027620
GetMenuStringW 0x140027628
CheckMenuRadioItem 0x140027630
GetCursorPos 0x140027638
SetClipboardData 0x140027640
EnableWindow 0x140027648
MapWindowPoints 0x140027650
CloseClipboard 0x140027658
GetMenu 0x140027660
LoadMenuW 0x140027668
Name Address (gdi32.dll; module name inferred from the imported symbols, not present in this export)
GetTextExtentPoint32W 0x140027078
GetStockObject 0x140027080
SetBkColor 0x140027088
CreateCompatibleBitmap 0x140027090
StretchBlt 0x140027098
SetPixel 0x1400270a0
SelectObject 0x1400270a8
CreateCompatibleDC 0x1400270b0
GetObjectW 0x1400270b8
DeleteDC 0x1400270c0
GetPixel 0x1400270c8
SetTextColor 0x1400270d0
CreateFontIndirectW 0x1400270d8
GetDeviceCaps 0x1400270e0
SetBkMode 0x1400270e8
DeleteObject 0x1400270f0
SetStretchBltMode 0x1400270f8
Name Address (comdlg32.dll; module name inferred from the imported symbols, not present in this export)
FindTextW 0x140027718
GetOpenFileNameW 0x140027720
GetSaveFileNameW 0x140027728
ChooseFontW 0x140027730
Name Address (advapi32.dll; module name inferred from the imported symbols, not present in this export)
RegEnumKeyExW 0x140027000
RegQueryValueExW 0x140027008
RegQueryInfoKeyW 0x140027010
RegCloseKey 0x140027018
RegOpenKeyExW 0x140027020
Name Address (shell32.dll; module name inferred from the imported symbols, not present in this export)
Shell_NotifyIconW 0x140027348
ShellExecuteW 0x140027350
SHGetFileInfoW 0x140027358
ShellExecuteExW 0x140027360
Name Address (ole32.dll; module name inferred from the imported symbols, not present in this export)
CoCreateInstance 0x140027900
Name Address (oleaut32.dll; module name inferred from the imported symbols, not present in this export)
SysAllocString 0x140027330
SysFreeString 0x140027338
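The Import Hash in the PE Information table (ed39882eeaa63dd7be4b147a44900fff) is derived from exactly this import list. The Python below is an added example, not part of the CAPE report or of DNSQuerySniffer, that implements the imphash convention CAPE and pefile use: each entry becomes "<dll name minus .dll/.ocx/.sys, lowercased>.<function lowercased>", the entries are joined with commas in import-directory order and the result is MD5-hashed. Two caveats follow from the export above: the module names are missing from the table (they are inferred here from the symbols, e.g. the socket functions belong to ws2_32.dll), and the order in which the modules appear in the import directory is not preserved, so the same symbols in a different module order give a different hash. The sample list is a constructed subset; to reproduce the reported value the complete list has to be fed in, in the binary's actual directory order, and a mismatch means the assumed names or order are wrong.

```python
"""Import hash (imphash) recomputed from an import table.

Added example, not part of the CAPE report. Implements the convention used
by pefile and CAPE: per imported function, in import-directory order,
"<dll minus .dll/.ocx/.sys, lowercased>.<function lowercased>", joined with
commas and MD5-hashed. Imports by ordinal (none appear in this report) would
additionally need pefile's ordinal-to-name tables and are not handled here.
"""
import hashlib

STRIP_EXTENSIONS = (".dll", ".ocx", ".sys")


def normalise_import(dll, func):
    """One imphash token, e.g. ("KERNEL32.dll", "OpenProcess") -> "kernel32.openprocess"."""
    dll = dll.lower()
    base, dot, ext = dll.rpartition(".")
    if dot and "." + ext in STRIP_EXTENSIONS:
        dll = base
    return f"{dll}.{func.lower()}"


def imphash_string(imports):
    """The comma-joined token string that gets hashed; order matters."""
    return ",".join(normalise_import(dll, func) for dll, func in imports)


def imphash(imports):
    """MD5 hex digest of the token string (the value CAPE prints as Import Hash)."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def parse_report_imports(dll, block):
    """Turn rows as printed in the report ("OpenProcess 0x140027108") into
    (dll, function) pairs; dll is supplied because the export lost it."""
    pairs = []
    for line in block.strip().splitlines():
        name, _, addr = line.strip().partition(" ")
        if addr.startswith("0x"):
            pairs.append((dll, name))
    return pairs


# Constructed subset of the report's imports. Module names are inferred from
# the symbols; module order follows ascending IAT address, which is an
# assumption about the real import directory order.
SAMPLE_IMPORTS = (
    parse_report_imports("ADVAPI32.dll", "RegEnumKeyExW 0x140027000\nRegQueryValueExW 0x140027008")
    + parse_report_imports("COMCTL32.dll", "CreateToolbarEx 0x140027030")
    + parse_report_imports("KERNEL32.dll", "OpenProcess 0x140027108\nReadProcessMemory 0x140027130")
    + parse_report_imports("WS2_32.dll", "WSAIoctl 0x1400276e8\nsocket 0x1400276b0")
    + parse_report_imports("msvcrt.dll", "__wgetmainargs 0x140027740")
)

if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print("imphash (subset):", imphash(SAMPLE_IMPORTS))
    # Same symbols with the modules in a different order give a different hash.
    print("imphash (reordered):", imphash(list(reversed(SAMPLE_IMPORTS))))
```

Paste each module's rows from the tables above into parse_report_imports with the module name you have inferred, concatenate the lists in directory order, and compare imphash() with the reported value; imphash is only comparable across samples when both sides use the same normalisation, which is why the extension stripping and lowercasing mirror pefile exactly.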


Reports: JSON

Usage


Processing ( 32.07 seconds )

  • 31.362 ProcessMemory
  • 0.581 CAPE
  • 0.115 BehaviorAnalysis
  • 0.007 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.07 seconds )

  • 0.009 antiav_detectreg
  • 0.008 ransomware_files
  • 0.005 antianalysis_detectfile
  • 0.005 ransomware_extensions
  • 0.004 infostealer_ftp
  • 0.004 territorial_disputes_sigs
  • 0.004 ursnif_behavior
  • 0.003 antiav_detectfile
  • 0.002 antianalysis_detectreg
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 infostealer_mail
  • 0.002 poullight_files
  • 0.002 masquerade_process_name
  • 0.001 antidebug_devices
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_keys
  • 0.001 antivm_xen_keys
  • 0.001 ketrican_regkeys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior
  • 0.001 recon_fingerprint
  • 0.001 lokibot_mutexes

Reporting ( 0.03 seconds )

  • 0.025 CAPASummary
  • 0.005 JsonDump

Signatures

Queries the keyboard layout
The PE file contains a PDB path
pdbpath: f:\Projects\VS2005\DNSQuerySniffer\x64\Release\DNSQuerySniffer.pdb
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 5712 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 59 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections
Installs WinPCAP
file: C:\Windows\System32\Npcap\wpcap.dll
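The PE Information, Sections and Overlay tables above contain enough to recompute two of the findings in this list. The Python below is an added example, not part of the CAPE report or of DNSQuerySniffer; it hard-codes the section table, entry point and overlay offset exactly as printed above (constructed input copied from the report) and checks them. By that table the entry point 0x257a0 falls inside .text (RVA 0x1000, virtual size 0x25077), and the overlay offset 0x3a000 is exactly where the raw data of .rsrc ends, so the "Entrypoint of binary is located outside of any mapped sections" anomaly does not follow from the on-disk headers shown here and should be re-verified against the file itself (CAPE may have evaluated a process memory dump rather than the file, since procmemdump=1 was set; that is an assumption). The shellcode_get_eip hit is likewise the byte pattern E8 00 00 00 00 59 (a call to the next instruction followed by pop ecx/rcx), which ordinary compiled code and runtime stubs also contain, so on its own it is weak evidence.

```python
"""PE layout checks recomputed from the section table printed in this report.

Added example: not part of the CAPE report or of DNSQuerySniffer. The
constants below are constructed input copied from the PE Information,
Sections and Overlay tables above.
"""

# (name, raw address, virtual address (RVA), virtual size, size of raw data)
SECTIONS = [
    (".text",  0x00000400, 0x00001000, 0x00025077, 0x00025200),
    (".rdata", 0x00025600, 0x00027000, 0x0000740a, 0x00007600),
    (".data",  0x0002cc00, 0x0002f000, 0x00012e48, 0x00002200),
    (".pdata", 0x0002ee00, 0x00042000, 0x00001464, 0x00001600),
    (".rsrc",  0x00030400, 0x00044000, 0x00009bc4, 0x00009c00),
]
ENTRY_POINT_RVA = 0x000257a0          # "Entry Point" in PE Information
REPORTED_OVERLAY_OFFSET = 0x0003a000  # "Overlay / Offset"


def find_section(rva, sections=SECTIONS):
    """Section tuple whose mapped range covers rva, or None.

    The mapped range is [RVA, RVA + max(virtual size, raw size)); the
    loader maps at least the larger of the two.
    """
    for sec in sections:
        _, _, sec_rva, vsize, raw_size = sec
        if sec_rva <= rva < sec_rva + max(vsize, raw_size):
            return sec
    return None


def section_name_for_rva(rva, sections=SECTIONS):
    """Name of the section holding rva, or None when rva is outside every section."""
    sec = find_section(rva, sections)
    return sec[0] if sec else None


def rva_to_file_offset(rva, sections=SECTIONS):
    """File offset backing rva, or None when rva lies in a section's
    virtual-only tail (memory that has no bytes on disk, e.g. .bss)."""
    sec = find_section(rva, sections)
    if sec is None:
        return None
    _, raw_ptr, sec_rva, _, raw_size = sec
    delta = rva - sec_rva
    return raw_ptr + delta if delta < raw_size else None


def overlay_offset(sections=SECTIONS):
    """The overlay begins where the last section's raw data ends."""
    return max(raw_ptr + raw_size for _, raw_ptr, _, _, raw_size in sections)


def virtual_only_bytes(sections=SECTIONS):
    """Per section: bytes present in memory but absent on disk."""
    return {name: max(0, vsize - raw_size) for name, _, _, vsize, raw_size in sections}


def check_layout():
    """Findings a reviewer would compare against the report's signatures."""
    return {
        "entry_point_section": section_name_for_rva(ENTRY_POINT_RVA),
        "entry_point_file_offset": rva_to_file_offset(ENTRY_POINT_RVA),
        "overlay_offset": overlay_offset(),
        "overlay_matches_report": overlay_offset() == REPORTED_OVERLAY_OFFSET,
        "virtual_only_bytes": virtual_only_bytes(),
    }


if __name__ == "__main__":
    for key, value in check_layout().items():
        if isinstance(value, int) and not isinstance(value, bool):
            value = hex(value)
        print(f"{key}: {value}")
```

The only section with a large virtual-only tail is .data (0x12e48 virtual against 0x2200 on disk), which is the uninitialised-data region and explains its 0.69 entropy; an entry point that mapped into such a tail would be a genuine anomaly, and the function returns None for it so that case is distinguishable from an entry point that simply lies outside every section.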

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.
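The Summary that follows lists every file path and registry key the process touched, with OS-level noise (fonts, themes, NLS, CTF input) mixed in with the entries that actually describe what the tool does: it opens Npcap's wpcap.dll, probes HKLM\SOFTWARE\Microsoft\Netmon3 (matching the NmStopCapture, NmConfigAdapter and GetNPPBlobTable strings, i.e. Microsoft Network Monitor 3 as an alternative capture backend), walks Tcpip\Parameters\Interfaces\{GUID}, Control\Network\...\Connection, NetworkCards and WZCSVC\Parameters\Interfaces (the format string SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\%s is among the strings above) to enumerate adapters, and looks for optional GeoLite/IpToCountry data and the companion IPNetInfo.exe next to its own .cfg and _lng.ini. The Python below is an added example, not part of the CAPE report, that sorts such a list into those buckets; the bucket names and patterns were chosen for this example, and the sample is a constructed subset of the Summary entries. It also bears on the "Installs WinPCAP" signature above: its only evidence is the wpcap.dll path in this list, the Summary does not say whether the file was opened or written, and LoadLibraryW of an already installed Npcap (the binary imports LoadLibraryW and GetProcAddress) produces the same entry, so the signature should be read as "uses a packet-capture library" unless a driver installation is recorded elsewhere in the report.

```python
"""Triage of the file and registry artifacts in a CAPE 'Summary' list.

Added example, not part of the CAPE report. The bucket names and patterns
were chosen for this example; the sample list is a constructed subset of
the Summary entries in this report.
"""
import re

# First matching rule wins; anything unmatched is treated as OS/UI noise.
RULES = [
    ("capture-library",      r"\\npcap\\wpcap\.dll$"),
    ("capture-driver-probe", r"\\microsoft\\netmon3$"),
    ("adapter-enumeration",  r"\\tcpip\\parameters\\interfaces\\\{"
                             r"|\\control\\network\\\{4d36e972-"
                             r"|\\networkcards\\"
                             r"|\\wzcsvc\\parameters\\interfaces"
                             r"|\\enum\\(pci|root\\kdnic)\\"),
    ("geolocation-data",     r"\\(geolite[^\\]*|iptocountry\.csv)$"),
    ("companion-tool",       r"\\ipnetinfo\.exe$"),
    ("tool-config",          r"\\dnsquerysniffer(_lng\.ini|\.cfg)$"),
    ("crypto-policy",        r"fipsalgorithmpolicy|\\device\\cng$|policies\\microsoft\\cryptography"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in RULES]
NOISE = "os-noise"


def classify(artifact):
    """Bucket name for one file path or registry key."""
    for name, rx in COMPILED:
        if rx.search(artifact):
            return name
    return NOISE


def triage(artifacts):
    """Bucket name -> list of artifacts, keeping the report's order within a bucket."""
    buckets = {name: [] for name, _ in RULES}
    buckets[NOISE] = []
    for artifact in artifacts:
        buckets[classify(artifact)].append(artifact)
    return buckets


def summarise(artifacts):
    """Non-empty buckets with their counts."""
    return {name: len(items) for name, items in triage(artifacts).items() if items}


# Constructed subset of the report's Summary entries (paths as printed there).
SAMPLE_ARTIFACTS = [
    r"C:\Windows\System32\Npcap\wpcap.dll",
    r"C:\Users\Packager\AppData\Local\Temp\DNSQuerySniffer_lng.ini",
    r"C:\Users\Packager\AppData\Local\Temp\DNSQuerySniffer.cfg",
    r"C:\Users\Packager\AppData\Local\Temp\IPNetInfo.exe",
    r"C:\Users\Packager\AppData\Local\Temp\GeoLite2-City-Blocks-IPv4.csv",
    r"C:\Users\Packager\AppData\Local\Temp\IpToCountry.csv",
    r"C:\Windows\System32\uxtheme.dll",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Netmon3",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0825e3c8-f6b1-44c5-9707-be5a20d7a8f5}\DhcpNameServer",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{0825E3C8-F6B1-44C5-9707-BE5A20D7A8F5}\Connection\Name",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\11\ServiceName",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\{CC6EEB36-5AE2-46BE-81A9-5F0B62ECF81F}",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme",
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_ARTIFACTS).items():
        for item in items:
            print(f"{bucket:22} {item}")
```

Feed the complete Summary list in and the os-noise bucket should hold the bulk of the entries; what remains is the behavioural footprint a detection engineer would actually write rules against, and the Tcpip interface walk in particular is what generic "recon_fingerprint" style signatures key on even though here it is ordinary adapter enumeration for a capture tool.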

Summary

C:\Users\Packager\AppData\Local\SystemResources\DNSQuerySniffer.exe.mun
C:\Windows\System32\Npcap\wpcap.dll
C:\Users\Packager\AppData\Local\Temp\DNSQuerySniffer_lng.ini
C:\Windows\Fonts\staticcache.dat
C:\Users\Packager\AppData\Local\Temp\TextShaping.dll
C:\Windows\System32\TextShaping.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\System32\uxtheme.dll.Config
C:\Windows\System32\uxtheme.dll
C:\Users\Packager\AppData\Local\Temp\DNSQuerySniffer.cfg
C:\Windows\System32\kernel.appcore.dll
\Device\CNG
C:\Windows\System32\textinputframework.dll
C:\Windows\System32\CoreUIComponents.dll
C:\Windows\System32\CoreMessaging.dll
C:\Windows\System32\ntmarta.dll
C:\Windows\System32\WinTypes.dll
C:\Users\Packager\AppData\Local\Temp
C:\Users\Packager\AppData\Local\Temp\IPNetInfo.exe
C:\Users\Packager\AppData\Local\Temp\GeoLiteCity.dat
C:\Users\Packager\AppData\Local\Temp\GeoLiteCity.dat.gz
C:\Users\Packager\AppData\Local\Temp\GeoLite2-City-Locations-en.csv
C:\Users\Packager\AppData\Local\Temp\GeoLite2-City-Locations*.csv
C:\Users\Packager\AppData\Local\Temp\GeoLite2-City-Blocks-IPv4.csv
C:\Users\Packager\AppData\Local\Temp\GeoLite2-City-Blocks-IPv6.csv
C:\Users\Packager\AppData\Local\Temp\GeoLite2-Country-Locations-en.csv
C:\Users\Packager\AppData\Local\Temp\GeoLite2-Country-Locations*.csv
C:\Users\Packager\AppData\Local\Temp\GeoLite2-Country-Blocks-IPv4.csv
C:\Users\Packager\AppData\Local\Temp\GeoLite2-Country-Blocks-IPv6.csv
C:\Users\Packager\AppData\Local\Temp\IpToCountry.csv
\Device\Afd\AsyncSelectHlp
\Device\Afd\AsyncSelectHlp
HKEY_CURRENT_USER
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\000603xx
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Sorting\Ids
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids\en
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Netmon3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\DNSQuerySniffer.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\AppCompatClassName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\IsVailContainer
HKEY_LOCAL_MACHINE\Software\Microsoft\Input
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\ResyncResetTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\MaxResyncAttempts
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Arial
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Sans Serif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Sans Serif
HKEY_LOCAL_MACHINE\Software
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0825e3c8-f6b1-44c5-9707-be5a20d7a8f5}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0825e3c8-f6b1-44c5-9707-be5a20d7a8f5}\MTU
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0825e3c8-f6b1-44c5-9707-be5a20d7a8f5}\EnableDHCP
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0825e3c8-f6b1-44c5-9707-be5a20d7a8f5}\DhcpIPAddress
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0825e3c8-f6b1-44c5-9707-be5a20d7a8f5}\DhcpSubnetMask
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0825e3c8-f6b1-44c5-9707-be5a20d7a8f5}\DhcpDefaultGateway
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0825e3c8-f6b1-44c5-9707-be5a20d7a8f5}\DhcpNameServer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0825e3c8-f6b1-44c5-9707-be5a20d7a8f5}\DhcpServer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0825e3c8-f6b1-44c5-9707-be5a20d7a8f5}\LeaseObtainedTime
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0825e3c8-f6b1-44c5-9707-be5a20d7a8f5}\LeaseTerminatesTime
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0825e3c8-f6b1-44c5-9707-be5a20d7a8f5}\T1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0825e3c8-f6b1-44c5-9707-be5a20d7a8f5}\T2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{0825e3c8-f6b1-44c5-9707-be5a20d7a8f5}\Connection
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{0825E3C8-F6B1-44C5-9707-BE5A20D7A8F5}\Connection\Name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{0825E3C8-F6B1-44C5-9707-BE5A20D7A8F5}\Connection\PnpInstanceID
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{0825E3C8-F6B1-44C5-9707-BE5A20D7A8F5}\Connection\ShowIcon
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0b3cc30e-0931-43e7-8f7b-5be2fcc6f17f}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0b3cc30e-0931-43e7-8f7b-5be2fcc6f17f}\MTU
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0b3cc30e-0931-43e7-8f7b-5be2fcc6f17f}\EnableDHCP
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0b3cc30e-0931-43e7-8f7b-5be2fcc6f17f}\DhcpIPAddress
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0b3cc30e-0931-43e7-8f7b-5be2fcc6f17f}\DhcpSubnetMask
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0b3cc30e-0931-43e7-8f7b-5be2fcc6f17f}\DhcpDefaultGateway
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0b3cc30e-0931-43e7-8f7b-5be2fcc6f17f}\DhcpNameServer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0b3cc30e-0931-43e7-8f7b-5be2fcc6f17f}\DhcpServer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0b3cc30e-0931-43e7-8f7b-5be2fcc6f17f}\LeaseObtainedTime
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0b3cc30e-0931-43e7-8f7b-5be2fcc6f17f}\LeaseTerminatesTime
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0b3cc30e-0931-43e7-8f7b-5be2fcc6f17f}\T1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0b3cc30e-0931-43e7-8f7b-5be2fcc6f17f}\T2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{0b3cc30e-0931-43e7-8f7b-5be2fcc6f17f}\Connection
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{0B3CC30E-0931-43E7-8F7B-5BE2FCC6F17F}\Connection\Name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{0B3CC30E-0931-43E7-8F7B-5BE2FCC6F17F}\Connection\PnpInstanceID
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{0B3CC30E-0931-43E7-8F7B-5BE2FCC6F17F}\Connection\ShowIcon
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{27e3d6d8-a922-11ef-90c1-806e6f6e6963}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{27e3d6d8-a922-11ef-90c1-806e6f6e6963}\MTU
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{27e3d6d8-a922-11ef-90c1-806e6f6e6963}\EnableDHCP
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{27e3d6d8-a922-11ef-90c1-806e6f6e6963}\IPAddress
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{27e3d6d8-a922-11ef-90c1-806e6f6e6963}\SubnetMask
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{27e3d6d8-a922-11ef-90c1-806e6f6e6963}\DefaultGateway
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{27e3d6d8-a922-11ef-90c1-806e6f6e6963}\NameServer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{27e3d6d8-a922-11ef-90c1-806e6f6e6963}\DhcpServer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{27e3d6d8-a922-11ef-90c1-806e6f6e6963}\LeaseObtainedTime
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{27e3d6d8-a922-11ef-90c1-806e6f6e6963}\LeaseTerminatesTime
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{27e3d6d8-a922-11ef-90c1-806e6f6e6963}\T1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{27e3d6d8-a922-11ef-90c1-806e6f6e6963}\T2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{27e3d6d8-a922-11ef-90c1-806e6f6e6963}\Connection
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b6767322-347b-409e-8d77-0268b7aaa738}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b6767322-347b-409e-8d77-0268b7aaa738}\MTU
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b6767322-347b-409e-8d77-0268b7aaa738}\EnableDHCP
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b6767322-347b-409e-8d77-0268b7aaa738}\DhcpIPAddress
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b6767322-347b-409e-8d77-0268b7aaa738}\DhcpSubnetMask
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b6767322-347b-409e-8d77-0268b7aaa738}\DhcpDefaultGateway
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b6767322-347b-409e-8d77-0268b7aaa738}\DhcpNameServer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b6767322-347b-409e-8d77-0268b7aaa738}\DhcpServer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b6767322-347b-409e-8d77-0268b7aaa738}\LeaseObtainedTime
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b6767322-347b-409e-8d77-0268b7aaa738}\LeaseTerminatesTime
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b6767322-347b-409e-8d77-0268b7aaa738}\T1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{b6767322-347b-409e-8d77-0268b7aaa738}\T2
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{b6767322-347b-409e-8d77-0268b7aaa738}\Connection
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{B6767322-347B-409E-8D77-0268B7AAA738}\Connection\Name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{B6767322-347B-409E-8D77-0268B7AAA738}\Connection\PnpInstanceID
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{B6767322-347B-409E-8D77-0268B7AAA738}\Connection\ShowIcon
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{cc6eeb36-5ae2-46be-81a9-5f0b62ecf81f}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{cc6eeb36-5ae2-46be-81a9-5f0b62ecf81f}\MTU
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{cc6eeb36-5ae2-46be-81a9-5f0b62ecf81f}\EnableDHCP
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{cc6eeb36-5ae2-46be-81a9-5f0b62ecf81f}\IPAddress
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{cc6eeb36-5ae2-46be-81a9-5f0b62ecf81f}\SubnetMask
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{cc6eeb36-5ae2-46be-81a9-5f0b62ecf81f}\DefaultGateway
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.