File ProcessHackerPortable_2.39_English.paf.exe

Size 2.0MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 b6ab864f014d0c4a35b7641d1b586f6d
SHA1 1eee4113978deb0cf77ebec21bb8feccbbfd592d
SHA256 b0668b6596578d5d918c8d29083423c8025bd49328130383841139dd575868c6
SHA512 4eed7a1f6fe73a04c38c63c547e65df5f5ad62777216b2f485471b7c38ec37261c70cd8f8bb85d830ee19a1b10d9493014443b24d7b7d87be5faf7604417feb1
CRC32 6152A900
ssdeep 49152:a96+cwM33aKYwbHFg4kYG10DV5YnpuCQSPe/EXT+2:3nXKq4YGiw4f/8
Yara
  • IsPE32 -
  • IsWindowsGUI -
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasDigitalSignature - DigitalSignature Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01400_Obsidium_v1_0_0_61_ - [Obsidium v1.0.0.61]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • escalate_priv - Escalate privileges
  • screenshot - Take screenshot
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds base64 strings
  • CRC32_poly_Constant - Look for CRC32 [poly]
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -

Score

This file shows numerous signs of malicious behavior.

The score of this file is 2.0 out of 10.

Please note: the scoring system is currently still in development and should be considered an alpha feature.

Information on Execution

Category: FILE
Started: Jan. 9, 2019, 9:33 a.m.
Completed: Jan. 9, 2019, 9:38 a.m.
Duration: 294 seconds

Machine

Name: winxpsp3pro32
Label: winxpsp3pro32
Started On: 2019-01-09 09:34:22
Shutdown On: 2019-01-09 09:38:34

Analyzer Log

2019-01-09 03:11:51,015 [analyzer] DEBUG: Starting analyzer from: C:\ndzcoz
2019-01-09 03:11:51,015 [analyzer] DEBUG: Pipe server name: \\.\PIPE\iJIrbqEgxRUNsTka
2019-01-09 03:11:51,015 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\ueIbVcvVKxxKdarQ
2019-01-09 03:11:51,030 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2019-01-09 03:11:51,030 [analyzer] INFO: Automatically selected analysis package "exe"
2019-01-09 03:11:52,983 [analyzer] DEBUG: Started auxiliary module Disguise
2019-01-09 03:11:53,155 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:11:53,155 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:11:53,217 [analyzer] DEBUG: Loaded monitor into process with pid 692
2019-01-09 03:11:53,217 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2019-01-09 03:11:53,217 [analyzer] DEBUG: Started auxiliary module Human
2019-01-09 03:11:53,217 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2019-01-09 03:11:53,217 [analyzer] DEBUG: Started auxiliary module Reboot
2019-01-09 03:11:53,733 [analyzer] DEBUG: Started auxiliary module RecentFiles
2019-01-09 03:11:53,733 [analyzer] DEBUG: Started auxiliary module Screenshots
2019-01-09 03:11:53,828 [lib.api.process] INFO: Successfully executed process from path u'C:\\DOCUME~1\\zamen\\LOCALS~1\\Temp\\ProcessHackerPortable_2.39_English.paf.exe' with arguments '' and pid 400
2019-01-09 03:11:53,921 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:11:53,921 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:11:54,046 [analyzer] DEBUG: Loaded monitor into process with pid 400
2019-01-09 03:11:54,390 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\nst2.tmp
2019-01-09 03:11:54,453 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsz3.tmp\System.dll
2019-01-09 03:11:54,625 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsz3.tmp\FindProcDLL.dll
2019-01-09 03:11:54,890 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsz3.tmp\modern-header.bmp
2019-01-09 03:11:54,905 [analyzer] DEBUG: Received request to inject pid=400, but we are already injected there.
2019-01-09 03:11:54,921 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsz3.tmp\modern-wizard.bmp
2019-01-09 03:11:55,905 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsz3.tmp\nsDialogs.dll
2019-01-09 03:11:56,530 [modules.auxiliary.human] INFO: Found button "&Next >", clicking it
2019-01-09 03:11:58,655 [modules.auxiliary.human] INFO: Found button "&Install", clicking it
2019-01-09 03:11:59,687 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsz3.tmp\w7tbp.dll
2019-01-09 03:11:59,780 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\ProcessHackerPortable.exe
2019-01-09 03:11:59,828 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\help.html
2019-01-09 03:11:59,828 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\Readme.txt
2019-01-09 03:11:59,842 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\AppInfo\appicon.ico
2019-01-09 03:11:59,875 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\AppInfo\appicon_128.png
2019-01-09 03:11:59,875 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\AppInfo\appicon_16.png
2019-01-09 03:11:59,875 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\AppInfo\appicon_32.png
2019-01-09 03:11:59,890 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\AppInfo\appicon_75.png
2019-01-09 03:11:59,890 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\AppInfo\appinfo.ini
2019-01-09 03:11:59,905 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\AppInfo\Launcher\Custom.nsh
2019-01-09 03:11:59,921 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\AppInfo\Launcher\ProcessHackerPortable.ini
2019-01-09 03:11:59,921 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\AppInfo\Launcher\splash.jpg
2019-01-09 03:11:59,953 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\DefaultData\ProcessHacker.exe.settings.xml
2019-01-09 03:11:59,953 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\CHANGELOG.txt
2019-01-09 03:11:59,967 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\COPYRIGHT.txt
2019-01-09 03:11:59,983 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\LICENSE.txt
2019-01-09 03:11:59,983 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\README.txt
2019-01-09 03:12:00,203 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\ProcessHacker.exe
2019-01-09 03:12:00,405 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\ProcessHacker.sig
2019-01-09 03:12:00,421 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\kprocesshacker.sys
2019-01-09 03:12:00,453 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\peview.exe
2019-01-09 03:12:00,500 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\DotNetTools.dll
2019-01-09 03:12:00,530 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\ExtendedNotifications.dll
2019-01-09 03:12:00,562 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\ExtendedServices.dll
2019-01-09 03:12:00,592 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\ExtendedTools.dll
2019-01-09 03:12:00,625 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\HardwareDevices.dll
2019-01-09 03:12:00,655 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\NetworkTools.dll
2019-01-09 03:12:00,703 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\OnlineChecks.dll
2019-01-09 03:12:00,733 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\SbieSupport.dll
2019-01-09 03:12:00,765 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\ToolStatus.dll
2019-01-09 03:12:00,780 [modules.auxiliary.human] INFO: Found button "&Next >", clicking it
2019-01-09 03:12:00,812 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\Updater.dll
2019-01-09 03:12:00,828 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\UserNotes.dll
2019-01-09 03:12:00,858 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\WindowExplorer.dll
2019-01-09 03:12:01,030 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\ProcessHacker.exe
2019-01-09 03:12:01,155 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\ProcessHacker.sig
2019-01-09 03:12:01,171 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\kprocesshacker.sys
2019-01-09 03:12:01,203 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\peview.exe
2019-01-09 03:12:01,250 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\DotNetTools.dll
2019-01-09 03:12:01,280 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\ExtendedNotifications.dll
2019-01-09 03:12:01,296 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\ExtendedServices.dll
2019-01-09 03:12:01,342 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\ExtendedTools.dll
2019-01-09 03:12:01,437 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\HardwareDevices.dll
2019-01-09 03:12:01,467 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\NetworkTools.dll
2019-01-09 03:12:01,530 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\OnlineChecks.dll
2019-01-09 03:12:01,562 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\SbieSupport.dll
2019-01-09 03:12:01,592 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\ToolStatus.dll
2019-01-09 03:12:01,640 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\Updater.dll
2019-01-09 03:12:01,671 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\UserNotes.dll
2019-01-09 03:12:01,703 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\WindowExplorer.dll
2019-01-09 03:12:01,765 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Other\Help\Images\Donation_Button.png
2019-01-09 03:12:01,796 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Other\Help\Images\Favicon.ico
2019-01-09 03:12:01,812 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Other\Help\Images\Help_Background_Footer.png
2019-01-09 03:12:01,812 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Other\Help\Images\Help_Background_Header.png
2019-01-09 03:12:01,828 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Other\Help\Images\Help_Logo_Top.png
2019-01-09 03:12:01,858 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Other\Source\AppNamePortable.ini
2019-01-09 03:12:01,858 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Other\Source\LauncherLicense.txt
2019-01-09 03:12:01,858 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Other\Source\Readme.txt
2019-01-09 03:12:02,842 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:12:04,905 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:12:06,967 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:12:09,030 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:12:11,092 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:12:13,155 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:12:15,217 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:12:17,280 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:12:19,342 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:12:21,405 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:12:23,467 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:12:25,530 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:12:27,592 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:12:29,655 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:12:31,717 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:12:33,780 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:12:35,842 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:12:37,905 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:12:39,967 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:12:42,030 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:12:44,092 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:12:46,155 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:12:48,217 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:12:50,280 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:12:52,342 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:12:54,405 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:12:56,467 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:12:58,530 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:13:00,592 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:13:02,655 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:13:04,717 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:13:06,780 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:13:08,842 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:13:10,905 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:13:12,967 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:13:15,030 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:13:17,092 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:13:19,155 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:13:21,217 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:13:23,280 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:13:25,342 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:13:27,405 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:13:29,467 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:13:31,530 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:13:33,592 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:13:35,655 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:13:37,717 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:13:39,780 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:13:41,842 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:13:43,905 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:13:45,967 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:13:48,030 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:13:50,092 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:13:52,155 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:13:54,217 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:13:56,296 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:13:58,358 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:14:00,437 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:14:02,500 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:14:04,562 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:14:06,625 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:14:08,687 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:14:10,750 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:14:12,812 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:14:14,890 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:14:16,953 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:14:19,015 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:14:21,078 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:14:23,140 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:14:25,203 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:14:27,265 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:14:29,328 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:14:31,390 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:14:33,453 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:14:35,515 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:14:37,578 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:14:39,655 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:14:41,717 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:14:43,780 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:14:45,842 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:14:47,905 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:14:49,967 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:14:52,030 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:14:54,092 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:14:56,155 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:14:58,217 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:15:00,280 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:15:02,342 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:15:04,405 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:15:06,467 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:15:08,530 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:15:10,592 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:15:12,655 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:15:14,717 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:15:16,796 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:15:18,858 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:15:20,921 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:15:22,983 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:15:25,078 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:15:27,140 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:15:29,203 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:15:31,265 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:15:33,328 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:15:35,405 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:15:37,467 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:15:39,530 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:15:41,592 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:15:43,671 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:15:45,733 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:15:47,796 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:15:49,858 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:15:51,921 [modules.auxiliary.human] INFO: Found button "&Run Process Hacker Portable", clicking it
2019-01-09 03:15:52,905 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2019-01-09 03:15:52,905 [analyzer] INFO: Terminating remaining processes before shutdown.
2019-01-09 03:15:52,905 [lib.api.process] INFO: Successfully terminated process with pid 400.
2019-01-09 03:15:53,265 [analyzer] WARNING: File at path "u'c:\\documents and settings\\zamen\\local settings\\temp\\nst2.tmp'" does not exist, skip.
2019-01-09 03:15:53,655 [analyzer] INFO: Analysis completed.

Cuckoo Log

2019-01-09 09:34:22,246 [lib.cuckoo.core.scheduler] INFO: Task #602: acquired machine winxpsp3pro32 (label=winxpsp3pro32)
2019-01-09 09:34:22,471 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 1747 (interface=eth2, host=192.168.128.102, pcap=/opt/cuckoo/storage/analyses/602/dump.pcap)
2019-01-09 09:34:25,645 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=winxpsp3pro32, ip=192.168.128.102)
2019-01-09 09:38:33,054 [lib.cuckoo.core.guest] INFO: winxpsp3pro32: analysis completed successfully
2019-01-09 09:40:16,117 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2019-01-09 09:41:10,582 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.001s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f9aca1d2b90>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-09 09:41:10,629 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f9aca1d2b90>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f9aca1d2b90>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

This executable is signed
  The report records only that an Authenticode signature is present; it does not show the signer or whether the certificate chain and timestamp validate. Verify the signature (signtool verify, osslsigncode verify or Get-AuthenticodeSignature) before treating the installer or anything it drops as trusted.
The executable has PE anomalies (could be a false positive) (1 event)
section .ndata
  .ndata is the NSIS installer's uninitialised-data section: it has no raw data in the file but a large virtual size, which is what the anomaly check reacts to. Together with the plugin DLLs unpacked to nsz3.tmp and the Custom.nsh script under App\AppInfo\Launcher, it identifies the sample as an NSIS-built PortableApps.com installer, so this is the false positive the signature allows for.
Allocates read-write-execute memory (usually to unpack itself) (2 events)
  Both events are the same operation: the installer process (PID 400) calls NtProtectVirtualMemory on itself (handle 0xffffffff is the current-process pseudo-handle) to make one 4 KiB page at 0x10004000 PAGE_EXECUTE_READWRITE. That is a protection change on existing memory, not a fresh allocation, and 0x10000000 is the linker's default image base for DLLs, so the page is consistent with a loaded DLL rather than with newly allocated shellcode. The report does not list loaded modules, so the owning image cannot be confirmed from this page.
  Jan. 9, 2019, 12:11 a.m.  NtProtectVirtualMemory
    base_address: 0x10004000
    length: 4096
    protection: 64 (PAGE_EXECUTE_READWRITE)
    process_identifier: 400
    process_handle: 0xffffffff
    status: success, return: 0, repeated: 0
  Jan. 9, 2019, 12:11 a.m.  NtProtectVirtualMemory
    base_address: 0x10004000
    length: 4096
    protection: 64 (PAGE_EXECUTE_READWRITE)
    process_identifier: 400
    process_handle: 0xffffffff
    status: success, return: 0, repeated: 0
Queries the disk size, which can be used to detect a virtual machine with a small fixed-size or dynamically allocated disk (4 events)
  An NSIS installer checks free space on the destination volume before extracting, so on its own this is expected installer behaviour rather than an anti-VM check. Only the two calls against Temp\ succeeded: the volume holds 31,453,437,952 bytes (29.3 GiB) with 24,099,606,528 bytes (22.4 GiB) free. The two calls against the ProcessHackerPortable directory failed (most likely because the directory did not exist yet, which the minute-granularity timestamps cannot confirm). GetDiskFreeSpaceExW does not write its output parameters on failure, so the byte counts logged for those calls are uninitialised buffer contents, not disk sizes.
  Jan. 9, 2019, 12:11 a.m.  GetDiskFreeSpaceExW
    root_path: C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable
    total_number_of_bytes: 563886256291840
    total_number_of_free_bytes: 18092335030992900
    free_bytes_available: 193091834023510793
    status: failed, return: 0, repeated: 0
  Jan. 9, 2019, 12:11 a.m.  GetDiskFreeSpaceExW
    root_path: C:\Documents and Settings\zamen\Local Settings\Temp\
    total_number_of_bytes: 31453437952
    total_number_of_free_bytes: 24099606528
    free_bytes_available: 24099606528
    status: success, return: 1, repeated: 0
  Jan. 9, 2019, 12:11 a.m.  GetDiskFreeSpaceExW
    root_path: C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable
    total_number_of_bytes: 5340688753360896
    total_number_of_free_bytes: 5339348723570775
    free_bytes_available: 845422886610336
    status: failed, return: 0, repeated: 0
  Jan. 9, 2019, 12:11 a.m.  GetDiskFreeSpaceExW
    root_path: C:\Documents and Settings\zamen\Local Settings\Temp\
    total_number_of_bytes: 31453437952
    total_number_of_free_bytes: 24099606528
    free_bytes_available: 24099606528
    status: success, return: 1, repeated: 0
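The RWX-protection and disk-size signatures above are the kind a report consumer should re-score rather than take at face value. The Python below is an added example, not Cuckoo's own code: it runs over API records constructed from the events shown (using Cuckoo's behaviour-JSON field names), collapses the duplicated RWX protection change and says whether the page falls inside a known image mapping, and discards the failed GetDiskFreeSpaceExW calls before converting the genuine answer to GiB. EXAMPLE_IMAGES (a hypothetical plugin DLL at the default 0x10000000 base) and the 60 GiB cut-off are assumptions for the demonstration, not facts from this report.

```python
"""Triage of Cuckoo-style API records (added example, not Cuckoo's own code) for
two signatures in this report: allocates_rwx and the GetDiskFreeSpaceExW check."""

PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80   # both grant write + execute
GIB = 1024 ** 3
SMALL_DISK_GIB = 60   # assumption: a typical "disk too small, must be a VM" cut-off

# Constructed from the report's events (one failed and one successful disk query,
# the RWX change twice); field names follow Cuckoo's behaviour JSON.
TEMP = r"C:\Documents and Settings\zamen\Local Settings\Temp"
RWX_EVENT = {"api": "NtProtectVirtualMemory", "status": True, "return_value": 0,
             "arguments": {"base_address": 0x10004000, "length": 4096, "protection": 0x40,
                           "process_identifier": 400, "process_handle": 0xFFFFFFFF}}
CALLS = [
    RWX_EVENT, dict(RWX_EVENT),
    {"api": "GetDiskFreeSpaceExW", "status": False, "return_value": 0,
     "arguments": {"root_path": TEMP + r"\ProcessHackerPortable",
                   "total_number_of_bytes": 563886256291840,
                   "total_number_of_free_bytes": 18092335030992900,
                   "free_bytes_available": 193091834023510793}},
    {"api": "GetDiskFreeSpaceExW", "status": True, "return_value": 1,
     "arguments": {"root_path": TEMP + "\\",
                   "total_number_of_bytes": 31453437952,
                   "total_number_of_free_bytes": 24099606528,
                   "free_bytes_available": 24099606528}},
]

# Assumption for the demonstration only: the report lists no loaded modules, so a
# hypothetical plugin DLL is placed at 0x10000000 (the linker's default DLL image
# base) to show how an in-image RWX page is told apart from private memory.
EXAMPLE_IMAGES = {"hypothetical_plugin.dll": (0x10000000, 0x8000)}


def rwx_protections(calls, images):
    """Collapse repeated NtProtectVirtualMemory calls that make a range writable and
    executable, and name the image (if any) that owns the range."""
    found = {}
    for c in calls:
        if c["api"] != "NtProtectVirtualMemory" or not c["status"]:
            continue
        a = c["arguments"]
        if a["protection"] not in (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY):
            continue
        key = (a["process_identifier"], a["base_address"], a["length"], a["protection"])
        if key not in found:
            base = a["base_address"]
            image = next((n for n, (lo, sz) in images.items() if lo <= base < lo + sz), None)
            found[key] = {"pid": key[0], "base": base, "length": a["length"], "image": image,
                          "count": 0, "note": "in-image page (self-modifying or in-place unpacking)"
                          if image else "private memory (allocated or injected code)"}
        found[key]["count"] += 1
    return list(found.values())


def disk_queries(calls, small_gib=SMALL_DISK_GIB):
    """Keep only successful GetDiskFreeSpaceExW calls: on failure the API does not
    write its out-parameters, so the byte counts logged for failed calls are
    uninitialised buffer contents, not disk sizes."""
    out = []
    for c in calls:
        if c["api"] != "GetDiskFreeSpaceExW" or not c["status"]:
            continue
        a = c["arguments"]
        total, free = a["total_number_of_bytes"], a["total_number_of_free_bytes"]
        out.append({"root_path": a["root_path"], "total_gib": round(total / GIB, 2),
                    "free_gib": round(free / GIB, 2), "small_disk": total < small_gib * GIB})
    return out


def triage(calls, images=EXAMPLE_IMAGES):
    """Both checks in one pass, the shape a report post-processor would emit."""
    return {"rwx": rwx_protections(calls, images), "disk": disk_queries(calls)}
```

With the records above, triage(CALLS) yields one RWX entry with count 2 attributed to the hypothetical DLL, and a single valid disk query of 29.29 GiB total / 22.44 GiB free, which a 60 GiB cut-off would flag; the same volume passes a 20 GiB cut-off, which is why the threshold has to be stated rather than assumed.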
Creates executable files on the filesystem (33 events)
  All 33 are .exe and .dll files matched by extension: the Process Hacker 2.39 x86 and x64 builds with peview and the bundled plugins, the PortableApps.com launcher, and four NSIS plugin DLLs unpacked to nsz3.tmp. The written-files list below also contains kprocesshacker.sys for both architectures, Process Hacker's kernel driver; the signature does not count it, yet a dropped kernel driver matters more to a defender than any of the DLLs.
file C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\ProcessHackerPortable.exe
file C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\ProcessHacker.exe
file C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\peview.exe
file C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\DotNetTools.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\ExtendedNotifications.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\ExtendedServices.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\ExtendedTools.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\HardwareDevices.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\NetworkTools.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\OnlineChecks.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\SbieSupport.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\ToolStatus.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\Updater.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\UserNotes.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\WindowExplorer.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\ProcessHacker.exe
file C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\peview.exe
file C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\DotNetTools.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\ExtendedNotifications.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\ExtendedServices.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\ExtendedTools.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\HardwareDevices.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\NetworkTools.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\OnlineChecks.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\SbieSupport.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\ToolStatus.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\Updater.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\UserNotes.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\WindowExplorer.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\nsz3.tmp\FindProcDLL.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\nsz3.tmp\System.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\nsz3.tmp\nsDialogs.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\nsz3.tmp\w7tbp.dll
The binary likely contains encrypted or compressed data. (2 events)
  section .rsrc: virtual address 0x00056000, virtual size 0x000199b0, size of data 0x00019a00, entropy 7.5341 (A section with a high entropy has been found)
  entropy 0.7678 (Overall entropy of this PE file is high)
  The first figure is the Shannon entropy of the section's raw bytes on a 0 to 8 bits-per-byte scale. The second is not an entropy despite its label: Cuckoo's packer_entropy signature reports the share of raw section data that lies in sections above 6.8 bits/byte, so .rsrc alone accounts for about 77 % of this file's section data. The compressed NSIS archive that makes up the bulk of the installer sits in the overlay after the last section and is outside both figures, so neither number is evidence of a runtime packer.
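The "This executable is signed" and entropy signatures above both depend on the PE layout of the installer. The Python below is an added example, not part of the Cuckoo report and not Process Hacker or NSIS code: it reproduces the community packer_entropy logic (section threshold 6.8 bits/byte, ratio threshold 0.2), measures the overlay, classifies an image by its header rather than its extension (the .sys driver in the written-files list further down is the case an extension match misses), and computes the Authenticode file digest that a signature check has to compare with the signed messageDigest. It runs on a PE it constructs itself; build_sample_pe and its section layout are assumptions for the demonstration, not the sample on this page.

```python
"""Static PE triage (added example, not Cuckoo's code): section entropy with the
packer_entropy verdict, overlay size, image kind by header, Authenticode digest."""
import hashlib
import math
import random
import struct
from collections import Counter

SECTION_ENTROPY_THRESHOLD, HIGH_ENTROPY_RATIO = 6.8, 0.2   # Cuckoo packer_entropy cut-offs


def shannon_entropy(buf):
    """Bits per byte: 0.0 for a constant buffer, close to 8.0 for random bytes."""
    n = len(buf) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def parse_pe(data):
    """Minimal PE32/PE32+ parse: section table plus the offsets Authenticode skips."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size, chars = struct.unpack_from("<H12xHH", data, e_lfanew + 6)
    opt = e_lfanew + 24                                   # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    secdir_off = opt + (0x60 if magic == 0x10B else 0x70) + 4 * 8   # data directory entry 4
    cert_off, cert_size = struct.unpack_from("<II", data, secdir_off)
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "raw_ptr": rptr, "raw_size": rsize})
    return {"characteristics": chars, "subsystem": struct.unpack_from("<H", data, opt + 0x44)[0],
            "size_of_headers": struct.unpack_from("<I", data, opt + 0x3C)[0], "checksum_off": opt + 0x40,
            "secdir_off": secdir_off, "cert_off": cert_off, "cert_size": cert_size, "sections": sections}


def image_kind(data):
    """Classify by header, not extension: a kernel driver is a native-subsystem image."""
    pe = parse_pe(data)
    if pe["subsystem"] == 1:                                      # IMAGE_SUBSYSTEM_NATIVE
        return "driver"
    return "dll" if pe["characteristics"] & 0x2000 else "exe"     # IMAGE_FILE_DLL


def overlay_span(data):
    """(offset, size) of bytes past the last section, where NSIS keeps its archive."""
    pe = parse_pe(data)
    end = max([s["raw_ptr"] + s["raw_size"] for s in pe["sections"]] + [pe["size_of_headers"]])
    return end, max(0, len(data) - end)


def packer_entropy(data):
    """Cuckoo's packer_entropy logic: (flagged sections, ratio, verdict). The ratio is
    the share of raw section bytes in high-entropy sections, not an entropy."""
    pe = parse_pe(data)
    flagged, total, flagged_bytes = [], 0, 0
    for s in pe["sections"]:
        raw = data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        total += len(raw)
        ent = shannon_entropy(raw)
        if ent > SECTION_ENTROPY_THRESHOLD:
            flagged.append((s["name"], round(ent, 3)))
            flagged_bytes += len(raw)
    ratio = flagged_bytes / total if total else 0.0
    return flagged, ratio, ratio > HIGH_ENTROPY_RATIO


def authenticode_digest(data, algo="sha256"):
    """Digest the file as Authenticode does: skip CheckSum, the security directory
    entry and the certificate table; sections in file order, trailing data last."""
    pe = parse_pe(data)
    h = hashlib.new(algo)
    h.update(data[:pe["checksum_off"]])
    h.update(data[pe["checksum_off"] + 4:pe["secdir_off"]])
    h.update(data[pe["secdir_off"] + 8:pe["size_of_headers"]])
    pos = pe["size_of_headers"]
    for s in sorted(pe["sections"], key=lambda s: s["raw_ptr"]):
        h.update(data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]])
        pos = max(pos, s["raw_ptr"] + s["raw_size"])
    if pe["cert_size"]:                     # the signature blob itself is never hashed
        h.update(data[pos:pe["cert_off"]])
        h.update(data[pe["cert_off"] + pe["cert_size"]:])
    else:
        h.update(data[pos:])
    return h.hexdigest()


def build_sample_pe(seed=1):
    """Constructed PE32 (not the page's sample): low-entropy .text, high-entropy
    .rsrc, then a dummy 0x100-byte WIN_CERTIFICATE blob as the overlay."""
    rng = random.Random(seed)
    text, rsrc = b"\x90" * 0x200, bytes(rng.getrandbits(8) for _ in range(0x2000))
    cert = struct.pack("<IHH", 0x100, 0x0200, 0x0002) + b"\xAA" * 0xF8   # dwLength, revision, type
    hdr_size, cert_off = 0x200, 0x200 + len(text) + len(rsrc)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)                   # PE32 magic
    struct.pack_into("<IIH", opt, 0x3C, hdr_size, 0, 2)        # SizeOfHeaders, CheckSum, GUI subsystem
    struct.pack_into("<I32xII", opt, 0x5C, 16, cert_off, len(cert))   # NumberOfRvaAndSizes, security dir
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x0102) + bytes(opt)
    for name, vaddr, raw, rptr, flags in ((b".text", 0x1000, text, 0x200, 0x60000020),
                                          (b".rsrc", 0x2000, rsrc, 0x400, 0x40000040)):
        hdr += struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw), rptr, 0, 0, 0, 0, flags)
    return hdr.ljust(hdr_size, b"\0") + text + rsrc + cert
```

On the constructed file, packer_entropy flags only .rsrc and returns a ratio of 0x2000/0x2200, the same kind of number as the report's 0.7678; overlay_span locates the 0x100-byte certificate table, and authenticode_digest stays identical when the certificate blob or the CheckSum field is altered but changes as soon as a section byte does, which is exactly the property a signature check relies on. To check a real signature, compare the digest with the messageDigest attribute inside the PKCS#7 blob at cert_off (osslsigncode extract-signature and openssl pkcs7 will show it).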

Network

DNS

No domains contacted.

Hosts

No hosts contacted.

Summary

Process ProcessHackerPortable_2.39_English.paf.exe (400)

  • Opened files

    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\AppInfo\Launcher
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable_2.39_English.paf.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Other\Help
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Other\Source
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsz3.tmp\modern-wizard.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsz3.tmp\modern-header.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Other
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\AppInfo\appinfo.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Other\Help\Images
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\DefaultData
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\AppInfo
  • Written files

    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\Updater.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\nst2.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\DefaultData\ProcessHacker.exe.settings.xml
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\ExtendedNotifications.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\ToolStatus.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\AppInfo\appicon_16.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsz3.tmp\FindProcDLL.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\HardwareDevices.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\DotNetTools.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Other\Help\Images\Help_Background_Header.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\ToolStatus.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\OnlineChecks.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Other\Help\Images\Help_Logo_Top.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Other\Source\LauncherLicense.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\UserNotes.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\ProcessHacker.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\WindowExplorer.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\Updater.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsz3.tmp\modern-header.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\WindowExplorer.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\SbieSupport.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\AppInfo\Launcher\ProcessHackerPortable.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\SbieSupport.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Other\Help\Images\Help_Background_Footer.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\ProcessHacker.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Other\Source\Readme.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Other\Source\AppNamePortable.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\ExtendedServices.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsz3.tmp\System.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Other\Help\Images\Donation_Button.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\NetworkTools.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\AppInfo\appicon_75.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\ExtendedServices.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\kprocesshacker.sys
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\ProcessHacker.sig
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\DotNetTools.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\ExtendedTools.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\ProcessHacker.sig
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\COPYRIGHT.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\AppInfo\appinfo.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\ExtendedTools.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\peview.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\AppInfo\appicon.ico
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\AppInfo\Launcher\splash.jpg
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\help.html
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\OnlineChecks.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\Readme.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\UserNotes.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\kprocesshacker.sys
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\NetworkTools.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\peview.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsz3.tmp\modern-wizard.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\ProcessHackerPortable.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\ExtendedNotifications.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsz3.tmp\w7tbp.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\AppInfo\appicon_128.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\AppInfo\appicon_32.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\HardwareDevices.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\LICENSE.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\AppInfo\Launcher\Custom.nsh
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Other\Help\Images\Favicon.ico
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsz3.tmp\nsDialogs.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\README.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\CHANGELOG.txt
  • Files read

    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\AppInfo\appinfo.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable_2.39_English.paf.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\nst2.tmp

Process ProcessHackerPortable_2.39_English.paf.exe (400)

  • Registry keys opened

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ProductOptions
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF\LangBarAddIn\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\AppLogLevels
    • HKEY_CLASSES_ROOT\Directory
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530e-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\IconHandler
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNT
    • HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
    • HKEY_CURRENT_USER\Control Panel\Desktop
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\LangBarAddIn\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\Explorer\AutoComplete
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HKEY_CLASSES_ROOT\Folder
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530a-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CLASSES_ROOT\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32
    • HKEY_LOCAL_MACHINE\System\Setup
    • HKEY_LOCAL_MACHINE\System\WPA\PnP
    • HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Explorer\AutoComplete
    • HKEY_CLASSES_ROOT\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Clsid
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle
    • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\CurVer
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530d-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530b-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\(Default)
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\ProcessHackerPortable_2.39_English.paf.exe
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
  • Registry keys written
    The four BaseClass values under Explorer\MountPoints2 are written by the shell's drive enumeration when the installer shows its destination-folder dialog; they are Explorer side effects, not installer persistence, and appear in sandbox reports of most GUI installers.

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530e-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530d-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530a-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530b-636a-11e6-ba0d-806d6172696f}\BaseClass
  • Registry keys read

    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewScrollOver
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DevicePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Domain
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\DriverCachePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\RsopDebugLevel
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\OsLoaderPath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewWatermark
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemPartition
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogPath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserEnvDebugLevel
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ServicePackSourcePath
    • HKEY_LOCAL_MACHINE\SYSTEM\WPA\PnP\seed
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ServicePackCachePath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\RsopLogging
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogLevel
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Hostname
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Personal
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions\ProductType
    • HKEY_CURRENT_USER\Control Panel\Desktop\LameButtonText
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewScrollOver
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local Settings
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ChkAccDebugLevel
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager\Compositing
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt

Process ProcessHackerPortable_2.39_English.paf.exe (400)

  • Mutexes accessed

    • MSCTF.Shared.MUTEX.EFG

Process ProcessHackerPortable_2.39_English.paf.exe (400)

  • Directories created

    • C:\Documents and Settings
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\AppInfo
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Data
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Other\Source
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins
    • C:\Documents and Settings\zamen\Local Settings\Temp\
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Other
    • C:\Documents and Settings\zamen\Local Settings\Temp
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\DefaultData
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Other\Help\Images
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\AppInfo\Launcher
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins
    • C:\Documents and Settings\zamen\Local Settings
    • C:\Documents and Settings\zamen
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Other\Help
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsz3.tmp

  • Directories enumerated

    • C:\Documents and Settings
    • C:\Program Files\Microsoft Office\Office12
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\7zTemp
    • C:\WINDOWS\system32\ctfmon.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Other
    • C:\WINDOWS\explorer.exe
    • C:\Python27\pythonw.exe
    • C:\WINDOWS\system32\lsass.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\7zTemp\7z.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\*.*
    • C:\Program Files\Java\jre7\bin\jqs.exe
    • C:\Program Files\Java\jre7
    • C:\Documents and Settings\zamen\Local Settings\Temp\PortableApps.com\PortableAppsPlatform.exe
    • C:\WINDOWS
    • C:\PortableApps
    • C:\WINDOWS\system32\svchost.exe
    • C:\Documents and Settings\zamen\Local Settings
    • C:\Documents and Settings\zamen\PortableApps\*.*
    • C:\WINDOWS\system32
    • C:\Python27
    • C:\Documents and Settings\zamen\Local Settings\Temp
    • C:\WINDOWS\system32\services.exe
    • C:\Program Files\Java
    • E:\PortableApps
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Other\*.*
    • C:\Documents and Settings\zamen
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App
    • C:\Program Files\Common Files\Java
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\7zTemp\7z.exe
    • C:\Program Files\Java\jre7\bin
    • C:\WINDOWS\system32\spoolsv.exe
    • C:\WINDOWS\system32\alg.exe
    • C:\Program Files\Common Files\Java\Java Update\jusched.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable
    • C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\*.*
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsz3.tmp

Process ProcessHackerPortable_2.39_English.paf.exe (400)

  • DLLs Loaded

    • browseui.dll
    • C:\WINDOWS\system32\USERENV.dll
    • C:\WINDOWS\system32\SHELL32.dll
    • C:\WINDOWS\system32\RichEd20.dll
    • C:\WINDOWS\system32\browseui.dll
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsz3.tmp\FindProcDLL.dll
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsz3.tmp\w7tbp.dll
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsz3.tmp\nsDialogs.dll
    • C:\WINDOWS\system32\SETUPAPI.dll
    • shell32.dll
    • kernel32.dll
    • UxTheme.dll
    • C:\WINDOWS\system32\VERSION.dll
    • C:\WINDOWS\system32\SHFOLDER.dll
    • SHELL32.dll
    • ole32.dll
    • SETUPAPI.dll
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsz3.tmp\System.dll
    • PSAPI.DLL
    • C:\WINDOWS\system32\UXTHEME.dll

PE Compile Time

2015-12-27 01:26:01

Signing Certificate

MD5 bcb29618979e6c3e95136644ee68ede2
SHA1 cb467db43d8acfc40e71c5f65d15df4e3e332fa8
Serial Number c305c21b2ae2979f1788fc7abb06f7df
Common Name Rare Ideas, LLC
Country US
Locality New York

Sections

Name    Virtual Address  Virtual Size  Size of Raw Data  Entropy
.text   0x00001000       0x0000615e    0x00006200        6.45573741094
.rdata  0x00008000       0x00001370    0x00001400        5.10214878839
.data   0x0000a000       0x00020358    0x00000600        4.0948532877
.ndata  0x0002b000       0x0002b000    0x00000000        0.0
.rsrc   0x00056000       0x000199b0    0x00019a00        7.5340735841

Imports

Library KERNEL32.dll:
0x408074 GetFileAttributesW
0x408078 GetFullPathNameW
0x40807c Sleep
0x408080 GetTickCount
0x408084 CreateFileW
0x408088 GetFileSize
0x40808c MoveFileW
0x408090 SetFileAttributesW
0x408094 GetModuleFileNameW
0x408098 CopyFileW
0x40809c ExitProcess
0x4080a8 GetTempPathW
0x4080ac GetCommandLineW
0x4080b0 GetVersion
0x4080b4 SetErrorMode
0x4080b8 lstrlenW
0x4080bc GetCurrentProcess
0x4080c0 CompareFileTime
0x4080c4 GlobalUnlock
0x4080c8 GlobalLock
0x4080cc CreateThread
0x4080d0 GetLastError
0x4080d4 CreateDirectoryW
0x4080d8 CreateProcessW
0x4080dc RemoveDirectoryW
0x4080e0 lstrcmpiA
0x4080e4 GetTempFileNameW
0x4080e8 WriteFile
0x4080ec lstrcpyA
0x4080f0 lstrcpyW
0x4080f4 MoveFileExW
0x4080f8 lstrcatW
0x4080fc GetSystemDirectoryW
0x408100 LoadLibraryW
0x408104 GetProcAddress
0x408108 GetModuleHandleA
0x408110 GetShortPathNameW
0x408114 SearchPathW
0x408118 lstrcmpiW
0x40811c SetFileTime
0x408120 CloseHandle
0x408124 GlobalFree
0x408128 lstrcmpW
0x40812c GlobalAlloc
0x408130 WaitForSingleObject
0x408134 GetDiskFreeSpaceW
0x408138 lstrcpynW
0x40813c GetExitCodeProcess
0x408140 FindFirstFileW
0x408144 FindNextFileW
0x408148 DeleteFileW
0x40814c SetFilePointer
0x408150 ReadFile
0x408154 FindClose
0x408158 MulDiv
0x40815c MultiByteToWideChar
0x408160 lstrlenA
0x408164 WideCharToMultiByte
0x408170 FreeLibrary
0x408174 LoadLibraryExW
0x408178 GetModuleHandleW
Library USER32.dll:
0x40819c GetSystemMenu
0x4081a0 SetClassLongW
0x4081a4 IsWindowEnabled
0x4081a8 EnableMenuItem
0x4081ac SetWindowPos
0x4081b0 GetSysColor
0x4081b4 GetWindowLongW
0x4081b8 SetCursor
0x4081bc LoadCursorW
0x4081c0 CheckDlgButton
0x4081c4 GetMessagePos
0x4081c8 LoadBitmapW
0x4081cc CallWindowProcW
0x4081d0 IsWindowVisible
0x4081d4 CloseClipboard
0x4081d8 SetClipboardData
0x4081dc EmptyClipboard
0x4081e0 OpenClipboard
0x4081e4 wsprintfW
0x4081e8 ScreenToClient
0x4081ec GetWindowRect
0x4081f0 GetSystemMetrics
0x4081f4 SetDlgItemTextW
0x4081f8 GetDlgItemTextW
0x4081fc MessageBoxIndirectW
0x408200 CharPrevW
0x408204 CharNextA
0x408208 wsprintfA
0x40820c DispatchMessageW
0x408210 PeekMessageW
0x408214 ReleaseDC
0x408218 EnableWindow
0x40821c InvalidateRect
0x408220 SendMessageW
0x408224 DefWindowProcW
0x408228 BeginPaint
0x40822c GetClientRect
0x408230 FillRect
0x408234 DrawTextW
0x408238 EndDialog
0x40823c RegisterClassW
0x408244 CreateWindowExW
0x408248 GetClassInfoW
0x40824c DialogBoxParamW
0x408250 CharNextW
0x408254 ExitWindowsEx
0x408258 DestroyWindow
0x40825c CreateDialogParamW
0x408260 GetDC
0x408264 SetWindowTextW
0x408268 PostQuitMessage
0x40826c ShowWindow
0x408270 GetDlgItem
0x408274 IsWindow
0x408278 LoadImageW
0x40827c SetWindowLongW
0x408280 TrackPopupMenu
0x408284 AppendMenuW
0x408288 CreatePopupMenu
0x40828c EndPaint
0x408290 SetTimer
0x408294 FindWindowExW
0x408298 SendMessageTimeoutW
0x40829c SetForegroundWindow
Library GDI32.dll:
0x40804c SelectObject
0x408050 SetBkMode
0x408054 CreateFontIndirectW
0x408058 SetTextColor
0x40805c DeleteObject
0x408060 GetDeviceCaps
0x408064 CreateBrushIndirect
0x408068 SetBkColor
Library SHELL32.dll:
0x408188 SHBrowseForFolderW
0x40818c SHGetFileInfoW
0x408190 ShellExecuteW
0x408194 SHFileOperationW
Library ADVAPI32.dll:
0x408000 RegDeleteKeyW
0x408004 SetFileSecurityW
0x408008 OpenProcessToken
0x408014 RegOpenKeyExW
0x408018 RegEnumValueW
0x40801c RegDeleteValueW
0x408020 RegCloseKey
0x408024 RegCreateKeyExW
0x408028 RegSetValueExW
0x40802c RegQueryValueExW
0x408030 RegEnumKeyW
Library COMCTL32.dll:
0x408038 ImageList_Create
0x40803c ImageList_AddMasked
0x408040 ImageList_Destroy
0x408044 None
Library ole32.dll:
0x4082a4 OleUninitialize
0x4082a8 OleInitialize
0x4082ac CoTaskMemFree
0x4082b0 CoCreateInstance

RichEd32
RichEd20
MulDiv
DeleteFileW
FindFirstFileW
FindNextFileW
FindClose
SetFilePointer
ReadFile
MultiByteToWideChar
lstrlenA
WideCharToMultiByte
GetPrivateProfileStringW
WritePrivateProfileStringW
FreeLibrary
LoadLibraryExW
GetModuleHandleW
GetExitCodeProcess
WaitForSingleObject
GlobalAlloc
GlobalFree
ExpandEnvironmentStringsW
lstrcmpW
lstrcmpiW
CloseHandle
SetFileTime
CompareFileTime
SearchPathW
GetShortPathNameW
GetFullPathNameW
MoveFileW
SetCurrentDirectoryW
GetFileAttributesW
SetFileAttributesW
GetTickCount
CreateFileW
GetFileSize
GetModuleFileNameW
GetCurrentProcess
CopyFileW
ExitProcess
SetEnvironmentVariableW
GetWindowsDirectoryW
GetTempPathW
GetCommandLineW
GetVersion
SetErrorMode
lstrlenW
lstrcpynW
GetDiskFreeSpaceW
GlobalUnlock
GlobalLock
CreateThread
GetLastError
CreateDirectoryW
CreateProcessW
RemoveDirectoryW
lstrcmpiA
GetTempFileNameW
WriteFile
lstrcpyA
lstrcpyW
MoveFileExW
lstrcatW
GetSystemDirectoryW
LoadLibraryW
GetProcAddress
GetModuleHandleA
KERNEL32.dll
EndPaint
DrawTextW
FillRect
GetClientRect
BeginPaint
DefWindowProcW
SendMessageW
InvalidateRect
EnableWindow
ReleaseDC
LoadImageW
SetWindowLongW
GetDlgItem
IsWindow
FindWindowExW
SendMessageTimeoutW
wsprintfW
ShowWindow
SetForegroundWindow
PostQuitMessage
SetWindowTextW
SetTimer
CreateDialogParamW
DestroyWindow
ExitWindowsEx
CharNextW
DialogBoxParamW
GetClassInfoW
CreateWindowExW
SystemParametersInfoW
RegisterClassW
EndDialog
ScreenToClient
GetWindowRect
EnableMenuItem
GetSystemMenu
SetClassLongW
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongW
SetCursor
LoadCursorW
CheckDlgButton
GetMessagePos
LoadBitmapW
CallWindowProcW
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
TrackPopupMenu
AppendMenuW
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextW
GetDlgItemTextW
MessageBoxIndirectW
CharPrevW
CharNextA
wsprintfA
DispatchMessageW
PeekMessageW
USER32.dll
SelectObject
SetTextColor
SetBkMode
CreateFontIndirectW
CreateBrushIndirect
DeleteObject
GetDeviceCaps
SetBkColor
GDI32.dll
SHFileOperationW
ShellExecuteW
SHGetFileInfoW
SHBrowseForFolderW
SHGetPathFromIDListW
SHGetSpecialFolderLocation
SHELL32.dll
RegEnumValueW
RegEnumKeyW
RegQueryValueExW
RegSetValueExW
RegCreateKeyExW
RegCloseKey
RegDeleteValueW
RegDeleteKeyW
RegOpenKeyExW
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
SetFileSecurityW
ADVAPI32.dll
ImageList_Destroy
ImageList_AddMasked
ImageList_Create
COMCTL32.dll
CoCreateInstance
OleUninitialize
OleInitialize
CoTaskMemFree
ole32.dll
SETUPAPI
USERENV
UXTHEME
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
VERSION
SHGetFolderPathW
SHFOLDER
SHAutoComplete
SHLWAPI
SHELL32
InitiateShutdownW
RegDeleteKeyExW
ADVAPI32
GetUserDefaultUILanguage
GetDiskFreeSpaceExW
SetDefaultDllDirectories
KERNEL32
[Rename]
%ls=%ls
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/>
  <description>Nullsoft Install System v3.0b3</description>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />
    </dependentAssembly>
  </dependency>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
  <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
    <application>
      <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
      <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
      <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
    </application>
  </compatibility>
  <application xmlns="urn:schemas-microsoft-com:asm.v3">
    <windowsSettings>
      <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
    </windowsSettings>
  </application>
</assembly>
NullsoftInst4
|vB*|5
d8C9`6
V[Yeqi
/qREyw%
uz.r6Xo
q,gDMbe
OH]I)w
5!|-KUbj
eKoho\
lg\.9o
eGbC:w
|dI=`Z;
!oFA:}E
+I_3lt
Ol/W,w
hYSE|*V
2]]<W!
Cj7oZm]
&68<;h
xk_5<!
c3+%PC
m,w#ln
3+t6IG
CV+hj2x
pEg|lT
A'C9{4u
/ROgu~j
^W=P"J
2M|Cn2<
,]WY@R
\<Lj6x
^\0J\=
GMSrnJ
.Ygs2eLH'
Ug^YV)|Gtn
16Je6$
!9==5k
s/a[%("
Z!{dpK
m:t^C!
~Icztk
WErva8tEX
qNCJ$@
[)0ks%IJ7
.1HyOeM
JE\S:u
P]?/a,
[&k?LXj9
w"<GT|
"[>$?^
{S_h7A
vqPf=9
]i1Mu,
5(a%o9>
LZTB}&
6jAt*`
`ne8P*
6vyMR8
],dm{]
'hz9Fd@
&z{D0nUyh'
7Z[:i
/S7F s
Q95uwas
b6?GaR
*Ke1w!
Qw4I^[
>O/|]$qK
%uz[~y?
Sv(6LN
@nFq$U
JadH8Y
*-~"O2$
M)KTH
>pl}PL
}21-B
0%ZSB{n
Q#_S2m{
JXM2U7F
SRx0b$
{*HONt
o!%F4
*:[Dd>
;rB*q2
<Z$S,m
;?OHZOG.C
.5fFa|
*o%cF*
qu^ZxqY
K3;j2F
5|[9/yi
Lf)oT"
R(uVu"
KtOG2_
G2<W/(e.
>b`P1j
{(JD=PdI
=Q5eMd#;
O{E/IBZ
'bz8dfp
,E]+tW
qwr_X$i
fA1K"b
CdBlbvX
nv11nf1
izA>5$
unn%6=
x:J#iD
>;x/oa"{
\w[X{MM
~66%wk
qGR:.3=
[yztSZq
3&Dm>8J;Rz
~9S8;g
fff<cz1
M&}2y_
rA+X_g
P&jkW&@
ctqqDt2Z
Q}hjX2e_92
]onH#UHAu
4*Mg%p(g
G8d%_1
+g8Q2^pgZ
T_[J[Zs
hEanjV
j"(X&z4
<E.Es6
@#:sv
jX>Wv=.
~J yVh
<wqw;1
"V^c
}C>i-3
p:v9(T
Q^jw`S
Je'5_`?
Zt!Y>~
$HL &O
[lVTQ]
bH'u[5
8k<`9R^
r#t,7/
})D{~
[EVS~a#
r|k1,@3~
A9."iCI
~4oI+2O
t`#?4%
vZIGZx
y.H^|~
"4Xn#*
U*T&Rf8
|dANxog
}2A)$g[
{}COEU&p'ux[
.HB|&n
\L>|<F
_-(zFQX
alpC{g
+?nQ&4
asr{D=1a
$G'vo~
AO[2iR
kAc4z)
f#-9~kf
>xQ.vq+
fcNMN*-
1YR2b
r;&CcU
XT8dwc
`<(W^I
x,8> ;
xoixi6
##|%;{${
GYG7Uq
Zv>Ahh
yCK&l#
OR<*qM
}vc\W=
e MA4r
722pYh
^![n* 8
P$4;_7_
3(o5d
O08~]W
#tvVSZ
C2QMY-0p
,BUO2]
l{He=S
)Cmst->
g7oQ?N
eq#XW%m1
co5%&W
_7)!;
A|&l4;&
joC\WInD
%NB#NU
VG4&Ai<-
nuo[5>
t y7Q(
rnTVpp9
4/iL`.o
F7VvVDe!*
^DV%;f
UZ;[Y,o
.i$9-"
-)\`&K(
T+#KUtpP
G*W0adv
At^_yU
UpL35]
xF M{m
(H}zsl
|8Vd=>C /
ubq>rB
(ohsU4
[}sWrdu
mPrBw6
*`'&v9a
Z{z9dw
7WyGSek&
ugygdGG
<8{T=Z
r\+H._
*i]6q7E
Wj@]}e
RH(565
J,9w7V
8he!+@K
[cWx"G
F'aI"&
zuY<R+
1nqvpf
4 .z/uH
_7eDhC`8
aReI2'
^kU_TJ
xa[9}C
DXJkL3
d\~on6
jlwPov7'
"`4FLc
Nq9,,*!
2D"v7{
Oxv["qBJ
#e;`5U
Lsl;nM
/QR0'yu
cZ.XB*
Ls ,Qy|
aR5;4MT
u}+cmtb
y#PZ7\
Rehg*E
H+usz4
e,r8b"
7_s5d
{Gc4\Fh
']%Wq7B,&m
?\M'N("@;5
QJ)LQu
KW]8i)u
P[{JW)
%P~a`Km!
wmp`iz
Xx,/qp
x.v+gd
L!S\xw<
G4>;rg
;=U`i'~`4
JQ@"E_*z
m}.#4.
^-.lRU
_M{G^RrQ
)=R0'h
C1PP+}Ch
nI=4$l>
}RF9Nx
nKDM{ LHTx
xhRaCV8
imSncaX0
7Q(&UJ
W]g@2X
@Sowvq
eP>JOh7
`frJ,b7e
!pI6_%
oUzPB6Sn
H[B:^A
QPPRz~P
N56ug^8
Y7Wp$l
s7H1z
bm_G[l]6O
)-[%YZ
^p _:Us
rtXYRH
:|o8wY:"
k"}D+N
Il!%vD
358]T!
^QmgjP
~KVgB&
4Ahj+H
`qjEMNCp
nSYHqG
c\2B)A
~aZ78p
!-//L*U
KY?",w
XP&W.;
"|oM3|j
*Wf,WM
jg?f9Q
BR0S=P"37|V2
=fj/6D
J.,QrZ
}xw,Y#
g] ;.7
ui,=V;(
RO]]"q
5o]l@E=ED
9f8C.c
Ofi=S\j
'UsVnI
8<VY902
!rQh#
fb~\NI
HMdNl;xJO
Y]QK].a
l-?Wj$Wz
-+p=.SF
+U{r:@
)+^A-DL
5`z:<(x
t*37\p
#1?{\:
Fp}Q3
_o}}-~^=
F$|}eX)8V
HrjT,I],
fL B@5
Dk(Bjv\
%]+1Zb
m"=yw4
fdm9~ :
V:,wH?
!=L8Zu:@
p:)>48z
BqWb?t=
{0Y:4r&
&Kc?D;
;@#R
,AeR!@O43KWI
EY#l+W
/96GlG
B^f-[x
%?t>ybh#
/;vYVJ
G+eJ6WO
.']scss3'
uF|^72
VypZ!`
2m~)<a
&OUK/S
;rW}yCj
BIhvr-7
<S!.S%
yn:$==
i@n|<@%
c>;iR
K{h_Zt
sydVO=
\*:4WU&
(a0$rM
5=b+0f#
4<t4Zu
4z"+G{gv\
!C9{J
Hsr*/=
*DULH#W
N:Cel6
/ q~[s
}17Tv$|
4T2LaV'|
._dZ%3
GeT5Cx
TwD]f@
LwPDq'X.
X|Bk]f>Ui
abTb6:
]yzDvV
>i+e}k
AE2+?!
svdi:~X
y::m9d
}8<6nV
pjr*7|
2z_B]i
woI</f
xQ5FPj
4aZ#G@
X*$8r#
6Lkaw|
Cg0>CX&
$r~4O<'u
n'}#5+(
nl00v:
&X@KS<
hSVBb6
b/lY|^
&Je.65
ChwYg]
:Bb$ta
Z;-Wp8b
-lB,-K
Bmub9On
p!;Qw2
|0US~@+5
is6A.M
H+Y+ebv
T-]AN[J
'hMFmQ8
{7V.Hw
N# ||B
_5<=bO#
Z L2'V
roFD${=K
}t)&5Af
+.Yk{I
(mWA`i
@H{X.8,
LSK/S-
=pEw[=
NdKN]V
}'$<k@
!|0u[4
tQ{UD*
~.E^=]
k&7:ZZ
yzd+q(T
,%>"*U'
}y:>6A0
2_W8]e
@d{S2<
eo<sd;-T
UrbGY
c-bxA3i
Gcl(Ml
Af3<Cb
V!W-FW
I]M ug"
w^TkCz
[.)@U9A
4\"hcJG
>jkpKV%
rpADcA
{6`cD=
;;7B0%~
4|tsF8
z@pNhT
Nw0^,S
xdZJd~2qn
L}h(2^
@j+6Kc
Gr,PtFOez
I5QBFz
jq7thI*
*4=/b/
]D[=+$R
?CWvdZ
|M#?B*2
%r-<}sic
)HXu7#\
sPcC[>
L@s"p/
ry/9Y<n
jH9ke\
pH;j&
t[},)@
nH=([Q
K_R#y0
~ICbV8
hUVSL8
9s{2VS
Cq8d%x56
D=#c"Z>^
gQMT?a
jK8DgJ1
WE7=[*pi9xU
2`lG#7eD
~5t+NJb
f1ZSJiV
h-LX|t
vz/s8_R{
x'~hSG
b|W"AH
~M!Ov2
FRjQY!?
9h^><)
C%<J};)
Nm]erv
V]i%T0
P)ylR5
$4-=Y?
dem+Ce
727zUJ
8fD>-F
2yi|rJH
u'{?h3
.j|/"R
*_O;AX|;1p
7R5S-%
9WB3By
1$HP/C
qT 1N=xWg
M]?WM6[<
tE:QBwT&
cM?d7W
r`C31u
A%L~`Lb
s,|nvB&{K
o2lev?Uln
hcj$72
xRQ3x=
d76UJ{
+XCoi!*
IrGBvp
Sw5_H9<
hGN> @
b'*S.i
B~%e/2:
f]Tn8+N
(X|+TH
Tl+n,aJd
{Fp_1%
/-YZ"$
AyE1@e
jp*6B`
cMdo)R|
(?lb -
}6[!+Z
0zoap4
YVU|>oe
b~Ey`)
\+2:Cq
@W`^=]
b ;Lb2{;
},h&xz
MIq*4M~
t)=:bq
C!gBc]
HUnTUsf
od+g/%
:D=7L3
CL]DHvw!k
%APP=DL
+Nu$x4
<"?lXn}BI
!E-QX
5_{s8e
K$k_KV
@ `FyS
~1q3..
EA4IDn
[cld{F
L-w0Of
\D>T#~~
9pnow
-WV4O'
6HiByq6`
P*=1l!C
z8FhIu
Iy^kMG
tMH/A
gM*xz
i].9VO-E26O~
0IUa,#e
bvr{Wc<j
w>Q>@F
[.%22g
vc=Deh
HQpH]%8
S\}MnY
k M]<y_
2BL$wS
8\NAEDEEV
fG7YDZW
\utGr8~e
=o1nF?
~bagU^Ak
Sw:`ua
|)I3bj
Cdg44*
f6t)=N
oh>-4TP
n1WXB'
m`9`~Z
!)PI|
6a!Sl"
tvz@1}_E
:f=Bc<
Xmn\rPm
UG%e;])
]"Z~qc
dMKT>"
Keoc\[
Ik/JdE8)
6Gb-1$
fTXSKi
A@0M /=
!EBI2K
A5iWr?F7}K
<,_.'5
]Kgh~_
Gs!^OM
Ug=g:+
L9I5)8
&^c4i8
0J?:{l
I_I<|Yb
Ct5f*L
e~$ y8,
.kEQEP:
^~dmE|
/ecYC&
08"}~p
J]IK
(K$'>~
Lo@>?"Q
/H^|XY
H.|~W7
"XHbm".
'z4^DO
}ch _$
!AR;?+
HXgz!k
0%D>Sk
'?:P%]
?so!:k
77&qkAvu
Tk-AgP
%;:&_
rz8b4f
C'Kw?.
IXe^_H
m[G,_s
-}(o_w
q,>O"*b
..7qbz
9R9:[
$;)w|Y
pGZ1k8
|OSqL0z
Vl=-eH6(
@Jb\(a
X86SW~
{A0KMT
$hE)C$
>sC"KVk
(`,X|W4
|=q`AI
[~O~9<
F'5=9
z@I$bn~
q?\#B"(
\>rPt2
O{#EFl
n&9MSl
q>[{aF=a
IBJ/UX
pW:"$
qn*&%3
c][{-F
"pcs>L
Iv?0Dl
:!Z.9n
bETht/
w}l5?x
FH5U9z
,5Q&Y
d?wc4k
SLl.{O
]Q;R40
7@|]ki
"Db*GN
,P^E5y
*U(E#V
X"Q>6\S3"
-,6b~-
Zsm`9a
w;*\-8
<i{t`G
Z(e5VL
T(Xmy#
9;sBlQ&/
7sl962
2fv*9`U
Wx&/jA
;4q-Xv+
yIU*rF
{eM$>I41
VTbFv@j1!`
QrWcC\
nfY!l!E
]Q^fN
9hz;H&
75r83Pm
o}*qC`0
fhv>OO
A%]$Qcj
6 &WBI
hesI7V
=%yn%*
mTUpI4!
#\N8P/
];np+9
l>~YaN
xl04pKA
MA(/T@
5Kh/6:Q
=0z4OT
w2w}XS
:JPtyVro
; dM`| A
Xt C/7
EEXVk&
<.+buNI<
4Ae1*&L
-?xuo
iNJ0Tm>
7w>I@<
Ci)k}>
kuUua'
e(j<wQ
^"ey]4e
Xa]r=r
mgbYsr^
{$6SR\
h%hH~,
4](Bwt
6c{,e[^3[{
[t>EKt\f
Y>,wU::
kO13kS
2d{,Gg
A+Zs/]
}3@e{G
!&P3nS
2IxI]~#
GrK"9q
mkKC{<
NX\7h^
,#/@6
Ic|dn|@=g&?0
FaHl+i~
3kg5>_
Bc(Pq/
G NZ8Q
|H$3=E
.]+ziz
{vL'@e
SXqv"l
UwTU#*
RD\@oO5/
!p6?Xg
6So%LP
F{3d~7)1x
TN'h9i
XocIfe
(@aO(p
vH,iNT
p,F u`x
u.|LdS!/
-5f]r,|
'uWu4w
EF5apV
)Go")2X]
pC-(1D&
<1p38{
OWyvmm
wp!-0}B
K,Auk6
Lo3X;2
_UWm/r
]M{vXX
"BCoDt
gd!|#<JX
}i;[#>
$<JH:3
\FqJwr
/nwx8d
v|uV .
V_)b,h
)OC3nX
t^?!w[
A3i};|,o
v8Fo!|
NM.%q9
)EhGGl
"YfQX5
q#[hlVv
h fE_>
%]#Gv!E
0)C:Wm
*l2FI}
w$_p"*
kCAZ5R
B,F4E~)
_KFn|)
)p!7l
2<4mn1n
;;j't]
if;&O`
:x_w$t
HVT0Y2,v
;/wBn,;
|.S\MJ
A'~d-4
&4n,QQ
Hk\2Y=
H:(dwA%7
txIaY
<&|'#j
Jx=zy3
rGP%rr
gqN]M*
K.z2pp
a+e]qeG
%o~\;W
zEQ!z8{E
_{@3Zx?
4AO+Q!
/W<!&t
%X_Xl`
s<Ll{^\
#%@sLE
'\j`lQ
|;!b[p
$|CVB}
J3wh0
~2dXI(
2MzS^5
y`XdRR
A}MTuE
H3TRhmx6I
BP[bxJ*
jOhK&Z
N4Q.1b,
}.##'^
l.0|v`
=,KzLP!R
,_+4"ll
NT<c{$.W
c_8._b:
)4AsN)
Br*.`I?
m|E3L@
g^'a_=w
IZcgS1
*)#"l*{
y{tc!Z
%my-u\
)gv;JA~
x/6I?3
>'|pEh
(-y%=up
?\|&~R
&JS*Kg
@(K/8p
nG;hL2
is3edl!-sE
VE2v|F
qfl88R
[J5xLy
{H'^,'
xA67RW6
SM02t
M=D;^(
'~ZFlq:
du.iNC5n
NpSJP>&
[bJI0H
Ef^'4)H
a48c{e
%RQPu7[
?c#u`-
wYQ -`O)
W<a5Mc~
4WyDxX]=
"ZZK`/q
d:Ogn:
!r@1Sw
HLGOPR
ZQr}c:
~U;-Qe
B_!`]T
NU6~pJ4
g>v'/ki
TFP 4
r*<VU0
Uh |1JEk
ZQB8($
6VA~:}(
AFrfMXJ
"-TjD}
uj5!(@
vgn8|VH
bh:o$N
MxUit&
EKJ9ol
U-CGbp
@{o-#l
USgmSz=7
5R("D!
9#uQa-
oi\X~3
MWL"t
y$YqQ]Bv.
c?)Jl3t
myDs/
Lf}UaO
ML@zQp
Y47`p1->
ZYp:nR
J %b/z
E9ZWLM
p<&6oe
=B,s|e
D0N')-"
d0(KG3
cNbH99X
vmaMCl
pwDZZj}
wrr>2(
UI4`ey
1%7P8Vgz[
Yoq-aI
c?rlT5
%l}M'D
"1D.C(
(~XDy3C
H3ls;/
Wr5CGRc
+e|8AW;d
'[lE<;h
c"e|60
3;[HK!
vDRxu6Z
XYNHlp'
4;oH@W
&m+=Y":
GeYC9+
316~<w
W4FMn2_
*s]%I#'+S
/+zays%
^[X>t}
zOqk~+h
Ne26)P
Y,Y~?}
AR$p[4
?kPhI6,
v<lZ3x
\l;{w
jEOxfADT
8iiZ?Y4
3:ZtG~G
GnC|Jf~
/<E# DM&
1>T&'b<<
MD!^BT
e.YlvS
K&y>!3
2H5Y&l
+Fm^BW
T7i!gt
.p`\psn
?*$7#@l
q?H[$L
@".EDzz
x14!M[n
L$MWro
ikOj&Q
RH0px)
ZEe)~Z
=qKH{UE)
p/)U.EI
3MXnm]
hM}&rGF
B7gKCw
kLG@}J#
1aiQ)wY3
vbQry:
b#,#((
1(aDh6
!G.Bk
&&eM6X
}xhSJ<
g_@8d*
q8)BtI'w
y;Bq`]
38Aq+,
h_vgL&
im$"E2
`5\I?U
Z h_E@
hXv`.!Z
{fN6}{
y)4U))
SFCxv3
.V`Nj_
r_w`"++
B~Om~o
F2-ty'1
3w\#w~
zj/F{)_
VHK@cP
sNf%d
KrN2|z
q33I9,
I<m_pI
P]O]-m
p7opZ v
+ r8U:
R{SxK_
"Iwie3=6
XZ1lZ0R
?4;'/X
CJ{A4[
*y~5g_6|
>jcN>
WU#a`z.E
~@#:{"tx
S5$8r^
MD3w|e
Ix@R+>
kO>Xcd
*M6|V]w`
d9eh>L
^TO'4$P
/"\aB
5&UrZ`S
a ?iHe
FGQ,|5
F][\BD
@>!E,+
(ihb69
Z!Bi3j`
-s9*:+
+'F]C}(
mz@vY
QftnDBv
uTT7Bgb
b<Iq*/
lNV#mRwIiQ-Gn
xuPJI@
T4H4H4B
!&0_O0\XQ
Zr."aQ
)b7D4fw
F[MUz/
R^X'b,
O}K1iu
rlqH7
SXY9!96
&n-_>6
MO[_j}c2m
JOjCh=tT
$V~/o[
m*`Py,T
$"d&zY
N'c\}x2
Jm@y1G
41vRnp
wB[oKMz
[&T J
j!"s>>
"+&%N5Q
.Ed.M?
`D#wZ/9S
wph|!'
qWZ9{;
P,}Hn[
OP-&fH
XT_3.]k"
')'Aw}
"YZm+g
sWE.]U
~P^(4>n
+7^tGl
$#zC\-
j^|@z!
k~l>u
",k9v
&6JH:;
<5>,P
I`N1r
q:)o\L
S3gb(
=DC>Lt
+[YXDf
k_[<{M\c
[L`p=l
v~,U4Q!
ngJLD=
_Ve{^;|
k$4ri[
4Pt07n
0U5F]D
k\?b>T
\s.#rp
&;Q"=*
Hm\pyq
N-U@Qe`
} iHLt
{C} tZ1
HvUm"1
ri@`e:
Yn/^x0
9TjH:?>
@10!rBH
TOyoEGL
p.\4A;=
Eyz!Q'
"gG+smA
(xTn')y
lb/z@\
SP!cWk
/f~bG?6C
rXG{q-
!sMf]*-"
' >;ez>\J
chLUcL
$C,mxN
`3otJT
\ eMb>
,(1 0dK
G?:q1!D$
)}a_m3(8
YW;P J
AVJnDn
L:?HgXD
Y4kgw>v
#)=HR;^
z Lu^NFQ
@%~2<W
Cy`23Yu
ML.N"]
wJM\|~
}-rq=~Vs
L!ti0F
"?m)M(
sQU/'QN
T&X[4"E0
3Y"|ek
0q1!qM|I(Y
alYjDN
N*'H1I^
77t&z>\
-pTF ?
#% ,hJy
2X>V;mi
Lwg',E
W*ihS!
9m=^ZfBSG
rU^dzA
# a\P?
h_D)%%o&
k`k!+])
#;~e^?D<
/r->i7
.y#]d$
4B6l9V
eBD<E;
Jd`U"X
=-;v,2
=@LNGJ_
H%m$|t
em`G_P
ZWD!/D.u^*
N:GFC1
C$~vK9
;k[& b
<RUE4K
~+x.Q^
`mFFg}
9'zMqc
E;Nlk+
]2>S_7
#lJHD!
ubkq7L
ET_U\B
VXje$^
E6%`4@
u7-=r>
,\LxW]
"EC(&q
M.\JpY$
~XQ5"%
T.nX]e
Ro&L8e
/ZEhqY
.A$ ;kFj
SQX#[$
qpg0a|
}PzE1e
f+%;}|
E;Icdd
RA%@TGc@
>:hwk
5##=k]
K350,#
kd"oT|?Z3
-itC$X$
q\rp;O
J0%t@F
z6oKP6
E'vyc,
ZPghOS
e?aj&0Q
Ku.~>S
WJ@|V]
NDnh^R
iQJ8K1"
(p3GGHw
uld:yRJi
WAWDf+
9"`;c@`
e6'B&7s
6^+k8n-i
rWJN|c
dh8.v
iv r@"7
oeP9~4d
V\B[GY
yh8Sc%>
Y@sR T"'
2Yu)wy
KN0T;qnFdk
-bzyNri
\jh1Om
kQ$OLH
\tl|f~
fepv=W=
(lN{O
P\QaP3
oYkm~(:
!f,FZi
6g5d^U
_m2tvYAA
|\CMce
2D^z+z
hBOM51
(,2f[tn
-sfzt-
+JN{zz
JND$'tMM
7`VY<A
z31dc{
7g;-C@
'4dla\0
XgoM\K!
h@y~en
E^EmXCK,g
c1 J7"
17O]H3
Z@6.6l~
ALc.(S
!L4s=z|
\*9'&Z
<758'&
jc(0`*
_ n.|1
yqpskk
<=$kO|
A|'+Fs
[_+cH
Vwhfwo/
o`4T|6
#,VY "
@pYr&n,
e|ySmg
U2hLjx
VXRc%t
;j*~6X`e
$*5FDC
sf{)P3*
/xXA;$
He 9[TJ
N6g$v
J<% F/!
4d"h--
d54]]!_
3rp'v.
nkYR/@I
's1}2]6
8t'Ye
I@A0@nm~w
#Q!K]E7
MhK/V3
y5?);9*
c>Z<_!F
1u=[Y8V
~=52PaNEu
uiOX6bq
g%y]hz
pCC$KDp
.6\YIw
&\n,-F
4Z%@;l
)(7YU9
2BP>(>
dH*7i%
DK%F3%J
)Q^TpQd
F2#6BX
GyUkn)
dyA(zX
1/X**&
q/uB2Y
5n3P'I
riuFIy]
<>)6P!
#W6Wzb
\ Q?A(
A.+ssK
cUzywlD
BZBwHe
uAu3)U
0.vid16
<)V-&wMP
h)81AO
a)I;/J
VC4pb8
8Z=ns"
%Mck0]
cPHSIV
Jhdqx{
GHl&e)(
tPz/),
k%=BQc
^$|c/+uk7;
oh}tn?C(OO
Tc&QXN
%aaAi&
/k{Fpe
k3*P#
G?f7#@
?OjRlf>HO
Western Cape1
Durbanville1
Thawte1
Thawte Certification10
Thawte Timestamping CA0
121221000000Z
201230235959Z0^1
Symantec Corporation100.
'Symantec Time Stamping Services CA - G20
http://ocsp.thawte.com0
.http://crl.thawte.com/ThawteTimestampingCA.crl0
TimeStamp-2048-10
Symantec Corporation100.
'Symantec Time Stamping Services CA - G20
121018000000Z
201229235959Z0b1
Symantec Corporation1402
+Symantec Time Stamping Services Signer - G40
http://ts-ocsp.ws.symantec.com07
+http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
+http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
TimeStamp-2048-20
Greater Manchester1
Salford1
COMODO CA Limited1#0!
COMODO RSA Code Signing CA0
160223000000Z
170222235959Z0
100091
New York1
PO Box 2271
Rare Ideas, LLC1
Rare Ideas, LLC0
https://secure.comodo.net/CPS0C
2http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
2http://crt.comodoca.com/COMODORSACodeSigningCA.crt0$
http://ocsp.comodoca.com0
Greater Manchester1
Salford1
COMODO CA Limited1+0)
"COMODO RSA Certification Authority0
130509000000Z
280508235959Z0}1
Greater Manchester1
Salford1
COMODO CA Limited1#0!
COMODO RSA Code Signing CA0
;http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
/http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$
http://ocsp.comodoca.com0
Greater Manchester1
Salford1
COMODO CA Limited1#0!
COMODO RSA Code Signing CA
Symantec Corporation100.
'Symantec Time Stamping Services CA - G2
160520005826Z0#
Greater Manchester1
Salford1
COMODO CA Limited1#0!
COMODO RSA Code Signing CA0
160223000000Z
170222235959Z0
100091
New York1
PO Box 2271
Rare Ideas, LLC1
Rare Ideas, LLC0
https://secure.comodo.net/CPS0C
2http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
2http://crt.comodoca.com/COMODORSACodeSigningCA.crt0$
http://ocsp.comodoca.com0
Greater Manchester1
Salford1
COMODO CA Limited1+0)
"COMODO RSA Certification Authority0
130509000000Z
280508235959Z0}1
Greater Manchester1
Salford1
COMODO CA Limited1#0!
COMODO RSA Code Signing CA0
;http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
/http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$
http://ocsp.comodoca.com0
Greater Manchester1
Salford1
COMODO CA Limited1#0!
COMODO RSA Code Signing CA
20160520005829Z
GMO GlobalSign Pte Ltd1)0'
GlobalSign TSA for Advanced - G2
GlobalSign nv-sa110/
(GlobalSign Timestamping CA - SHA256 - G20
150203000000Z
260303000000Z0Y1
GMO GlobalSign Pte Ltd1)0'
GlobalSign TSA for Advanced - G20
&https://www.globalsign.com/repository/0
5http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0X
<http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
GlobalSign Root CA - R31
GlobalSign1
GlobalSign0
110802100000Z
290329100000Z0[1
GlobalSign nv-sa110/
(GlobalSign Timestamping CA - SHA256 - G20
&https://www.globalsign.com/repository/06
%http://crl.globalsign.net/root-r3.crl0
GlobalSign nv-sa110/
(GlobalSign Timestamping CA - SHA256 - G2
160520005829Z0/
GlobalSign nv-sa110/
(GlobalSign Timestamping CA - SHA256 - G2
RichEdit
RichEdit20W
.DEFAULT\Control Panel\International
Control Panel\Desktop\ResourceLocale
Software\Microsoft\Windows\CurrentVersion
\Microsoft\Internet Explorer\Quick Launch
verifying installer: %d%%
unpacking data: %d%%
... %d%%
Installer integrity check has failed. Common causes include
incomplete download and damaged media. Contact the
installer's author to obtain a new copy.
More information at:
http://nsis.sf.net/NSIS_Error
Error writing temporary file. Make sure your temp folder is valid.
Error launching installer
SeShutdownPrivilege
NSIS Error
%u.%u%s%s
*?|<>/":
%s%S.dll
MS Shell Dlg
MS Shell Dlg
MS Shell Dlg
msctls_progress32
SysListView32
MS Shell Dlg
Please wait while Setup is loading...
VS_VERSION_INFO
StringFileInfo
040904b0
Comments
For additional details, visit PortableApps.com
CompanyName
PortableApps.com
FileDescription
Process Hacker Portable
FileVersion
2.39.0.0
InternalName
Process Hacker Portable
LegalCopyright
2007-2016 PortableApps.com, PortableApps.com Installer 3.2.0.0
LegalTrademarks
PortableApps.com is a registered trademark of Rare Ideas, LLC.
OriginalFilename
ProcessHackerPortable_2.39_English.paf.exe
PortableApps.comAppID
ProcessHackerPortable
PortableApps.comFormatVersion
PortableApps.comInstallerVersion
3.2.0.0
ProductName
Process Hacker Portable
ProductVersion
2.39.0.0
VarFileInfo
Translation
No antivirus signatures available.

Process Tree


ProcessHackerPortable_2.39_English.paf.exe, PID: 400, Parent PID: 196


Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (i.e., pip install httpreplay) will allow Cuckoo to do more proper PCAP analysis including but not limited to showing full HTTP and HTTPS (!) requests and responses. It is recommended that you install this library and possibly reprocess any interesting analysis tasks.

Hosts

No hosts contacted.

DNS

No domains contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.128.102 137 192.168.128.255 137
192.168.128.102 138 192.168.128.255 138

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name 5713d40dec146dbc_toolstatus.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\ToolStatus.dll
Size 243.5KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 3788efff135f8b17a179d02334d505e6
SHA1 d6c965ba09b626d7d157372756ea1ec52a43f6b7
SHA256 5713d40dec146dbc819230daefe1b886fa6d6f6dbd619301bb8899562195cbab
CRC32 9B450F32
ssdeep 3072:tOHhxKcNnCYBFNFAKIkpgVIgHAuopbQfhVV2aOQE6o0bp94wZOeb299zBw8:UHhrtaV3AuopMMeb21w8
Yara
  • IsPE64 -
  • IsDLL -
  • IsWindowsGUI -
  • HasOverlay - Overlay Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01086_Microsoft_Visual_C___8_0__MFC__ - [Microsoft Visual C++ 8.0 (MFC)]
  • PEiD_01628_PEQuake_V0_06____forgat_ - [PEQuake V0.06 -> forgat]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_01693_pex_V0_99____params_ - [pex V0.99 -> params]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_03512_Xtreme_Protector_v1_05_ - [Xtreme-Protector v1.05]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • anti_dbg - Checks if being debugged
  • anti_dbgtools - Checks for the presence of known debug tools
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_suspicious_strings -
Name acd49f2aa36d4efb_hardwaredevices.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\HardwareDevices.dll
Size 180.0KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 a46c8bb886e0b9290e5dbc6ca524d61f
SHA1 cfc1b93dc894b27477fc760dfcfb944cb849cb48
SHA256 acd49f2aa36d4efb9c4949e2d3cc2bd7aee384c2ced7aa9e66063da4150fcb00
CRC32 234434D3
ssdeep 3072:MTvTGn6NTm+vpcUVBrM9mG56i5O6wKPudbCWT08hQPpoM:M/G69bvucA56iA6EM
Yara
  • IsPE64 -
  • IsDLL -
  • IsWindowsGUI -
  • HasOverlay - Overlay Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01628_PEQuake_V0_06____forgat_ - [PEQuake V0.06 -> forgat]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_01693_pex_V0_99____params_ - [pex V0.99 -> params]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_02161_Stranik_1_3_Modula_C_Pascal_ - [Stranik 1.3 Modula/C/Pascal]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • DebuggerCheck__QueryInfo -
  • anti_dbg - Checks if being debugged
  • anti_dbgtools - Checks for the presence of known debug tools
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_suspicious_strings -
Name 0d7240d074ba544c_dotnettools.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\DotNetTools.dll
Size 111.0KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 15ab3740703138ed5c091ea7736620f4
SHA1 545a9e061fd25d5c42a7a105ae17008543e20406
SHA256 0d7240d074ba544c90df72d5e339978aa2edc19f4a02c0a302718d851b11c384
CRC32 3C3675A7
ssdeep 3072:6Rdqs04SELY/n6In9ss8TdTU4Sa0eLE9Q2MG2Cin:6RAs04XLU6CdYLG3in
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasOverlay - Overlay Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_00810_FSG_v1_10__Eng_____dulek_xt_____Microsoft_Visual_C___6_0___7_0__ - [FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)]
  • PEiD_01070_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • anti_dbg - Checks if being debugged
  • anti_dbgtools - Checks for the presence of known debug tools
  • keylogger - Run a keylogger
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Microsoft_Visual_Cpp_v50v60_MFC -
  • Borland_Delphi_30_additional -
  • Borland_Delphi_30_ -
  • Borland_Delphi_v40_v50 -
  • Borland_Delphi_v30 -
  • Borland_Delphi_DLL -
  • maldoc_function_prolog_signature -
  • maldoc_structured_exception_handling -
  • maldoc_suspicious_strings -
  • maldoc_find_kernel32_base_method_1 -
Name 319cd301cf40be03_copyright.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\COPYRIGHT.txt
Size 6.3KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 39b07060a5c6199730219e29c747c061
SHA1 038a6a661f5415762ff82f908aaa77e8bb72ff76
SHA256 319cd301cf40be03c00cd086560d4e810e0f6d0dbfdc2d28d6af3522c027cf49
CRC32 F05D9435
ssdeep 96:daZxLiOBh+f2z0uGrJDHEboJHBrYJ1kF543V3i7wIy5eu+xaQ3iDdav:oD2OP+G0uGr48hrsiF543V3Fjeuoaqv
Yara
  • contentis_base64 - This rule finds for base64 strings
  • embedded_pe - Contains an embedded PE32 file
Name 118192e0816876cb_onlinechecks.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\OnlineChecks.dll
Size 194.5KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 d811b73d47b603e0d212fe311409b5d8
SHA1 4d5fcccb3f3b4134b7c39f9ed81e5f3a707c6581
SHA256 118192e0816876cb1af3453a36ff2afdd48c09591399779c7b12dd083b1efcea
CRC32 CB652811
ssdeep 6144:51qMB/hGOvlvwdcc/VcVU07XqEFa2pIqFy:51qMB/hGOvlvwdcc/VmUelbpIqFy
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasOverlay - Overlay Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_00810_FSG_v1_10__Eng_____dulek_xt_____Microsoft_Visual_C___6_0___7_0__ - [FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)]
  • PEiD_01070_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01086_Microsoft_Visual_C___8_0__MFC__ - [Microsoft Visual C++ 8.0 (MFC)]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01628_PEQuake_V0_06____forgat_ - [PEQuake V0.06 -> forgat]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • anti_dbg - Checks if being debugged
  • anti_dbgtools - Checks for the presence of known debug tools
  • screenshot - Take screenshot
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Microsoft_Visual_Cpp_v50v60_MFC -
  • Borland_Delphi_30_additional -
  • Borland_Delphi_30_ -
  • Borland_Delphi_v40_v50 -
  • Borland_Delphi_v30 -
  • Borland_Delphi_DLL -
  • maldoc_function_prolog_signature -
  • maldoc_structured_exception_handling -
  • maldoc_suspicious_strings -
  • maldoc_find_kernel32_base_method_1 -
  • Str_Win32_Http_API - Match Windows Http API call
Name 189b1af95d661151_launcherlicense.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Other\Source\LauncherLicense.txt
Size 18.0KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type Pascal source, ASCII text, with CRLF line terminators
MD5 ffa10f40b98be2c2bc9608f56827ed23
SHA1 dc8f2e570bf431427dbc3bab9d4d551b53a60208
SHA256 189b1af95d661151e054cea10c91b3d754e4de4d3fecfb074c1fb29476f7167b
CRC32 A6D3A2F5
ssdeep 384:H4j2PmwE3b6k/iAVX/dUY2ZpEGMOZ77oPpDqHZ:H46uh1iYWrTXoPpDqHZ
Yara
  • contentis_base64 - This rule finds for base64 strings
  • embedded_pe - Contains an embedded PE32 file
Name da34c37dfab96cf0_windowexplorer.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\WindowExplorer.dll
Size 114.0KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 677ba76c0fd853531c2fbed4450b972a
SHA1 3a7446f62ab8079a26d94f44e7a2ac46c8ac4ca5
SHA256 da34c37dfab96cf0c0af655602e41ee8dab8e6d692ce3a374943bb1dc010ad77
CRC32 E6162172
ssdeep 3072:GKP8p10sWUJswbuL7XR9yAvv3UQ0gR1f3o:GKP8pqsjuLw0p3o
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasOverlay - Overlay Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_00810_FSG_v1_10__Eng_____dulek_xt_____Microsoft_Visual_C___6_0___7_0__ - [FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)]
  • PEiD_01070_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • anti_dbg - Checks if being debugged
  • anti_dbgtools - Checks for the presence of known debug tools
  • keylogger - Run a keylogger
  • win_files_operation - Affect private profile
  • win_hook - Affect hook table
  • contentis_base64 - This rule finds for base64 strings
  • Microsoft_Visual_Cpp_v50v60_MFC -
  • Borland_Delphi_30_additional -
  • Borland_Delphi_30_ -
  • Borland_Delphi_v40_v50 -
  • Borland_Delphi_v30 -
  • Borland_Delphi_DLL -
  • maldoc_function_prolog_signature -
  • maldoc_structured_exception_handling -
  • maldoc_suspicious_strings -
  • maldoc_find_kernel32_base_method_1 -
Name 69e38f590a9a25f6_changelog.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\CHANGELOG.txt
Size 25.4KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 b13de4e8531af294f87ffddccb08d7ce
SHA1 ad2ab669f274cacced734962292d87aeb374f51f
SHA256 69e38f590a9a25f656e7507af76229a3a6678a8c57b4e879ff8ce7e52fd704ff
CRC32 34BEB5AB
ssdeep 384:3p/4enLdz9LVEcMLwbKICT/ImYnV+e6e4bBaX3mUJalQszx7+A53pH:rfBEcMLsv4/ImaGe4b8uQsVHv
Yara
  • anti_dbgtools - Checks for the presence of known debug tools
  • antisb_threatExpert - Anti-Sandbox checks for ThreatExpert
  • contentis_base64 - This rule finds for base64 strings
Name 57c56f7b312dc1f7_sbiesupport.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\SbieSupport.dll
Size 95.5KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 37cbfa73883e7e361d3fa67c16d0f003
SHA1 ffa24756cdc37dfd24dc97ba7a42d0399e59960a
SHA256 57c56f7b312dc1f759e6ad039aac3f36ce5130d259eb9faad77239083398308b
CRC32 57524259
ssdeep 1536:Im0GxwvasFsbgkc+kvtRSmgDzxdXsWZr9dlnVrUv0ukc:Im0hasFs8H+kvtRovrTxVrUv0vc
Yara
  • IsPE64 -
  • IsDLL -
  • IsWindowsGUI -
  • HasOverlay - Overlay Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01628_PEQuake_V0_06____forgat_ - [PEQuake V0.06 -> forgat]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_01693_pex_V0_99____params_ - [pex V0.99 -> params]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • anti_dbg - Checks if being debugged
  • anti_dbgtools - Checks for the presence of known debug tools
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_suspicious_strings -
Name 88153e591d184591_custom.nsh
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\AppInfo\Launcher\Custom.nsh
Size 1.0KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 a416aad99903c503d5f81d4f26097505
SHA1 7ba23c1fb6179700a69c3e755cb995373462da00
SHA256 88153e591d184591497a53f8558f5db7078677ae726905cf4b4e1096a3b9f1fa
CRC32 3C315291
ssdeep 24:INBbQe/EccJrvccJnZB7BQoLVME2dB0gBPUevMbj6zUeQEddA34MQ:ubL8bbb3VRLVMEKB0gBPrvcjKrQffQ
Yara
  • contentis_base64 - This rule finds for base64 strings
Name e0c91ad1ead26ba9_hardwaredevices.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\HardwareDevices.dll
Size 157.5KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 7c35a25859271e4550580a5b6ec769fa
SHA1 b99b6c10bc2b95cbd5270ca7549f54b5d69f8eb2
SHA256 e0c91ad1ead26ba93257059b5a7600c6fc3baf3278499d850e9e884fea409761
CRC32 35073279
ssdeep 3072:2ELgmODhaGSOL6YBpBZilmm9/tfm9V5OrIkPxXSm4TRs8pPp/Batj:2ELgmODhaGSOL6YBpBolmm9wUrRxI37Q
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasOverlay - Overlay Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01070_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • DebuggerCheck__QueryInfo -
  • anti_dbg - Checks if being debugged
  • anti_dbgtools - Checks for the presence of known debug tools
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Microsoft_Visual_Cpp_v50v60_MFC -
  • Borland_Delphi_30_additional -
  • Borland_Delphi_30_ -
  • Borland_Delphi_v40_v50 -
  • Borland_Delphi_v30 -
  • Borland_Delphi_DLL -
  • maldoc_function_prolog_signature -
  • maldoc_structured_exception_handling -
  • maldoc_suspicious_strings -
  • maldoc_find_kernel32_base_method_1 -
Name a4ef4fa8a094983c_toolstatus.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\ToolStatus.dll
Size 223.5KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 837ef2b8f202ab9f53545fa2bc7fe71e
SHA1 4fb675056cdcf97a6fde847bcdb7d8d591771387
SHA256 a4ef4fa8a094983ca9a532dad9866e27d0211db98a5def3a3c4eb73f6d92d233
CRC32 F737B2F6
ssdeep 3072:C8faMRFQENjlUcykpTRem9Z4wZOeb299zBwJY3G5:C8fFQEzUE9Ceb21wJY3G5
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasOverlay - Overlay Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_00810_FSG_v1_10__Eng_____dulek_xt_____Microsoft_Visual_C___6_0___7_0__ - [FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)]
  • PEiD_01070_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01086_Microsoft_Visual_C___8_0__MFC__ - [Microsoft Visual C++ 8.0 (MFC)]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_02161_Stranik_1_3_Modula_C_Pascal_ - [Stranik 1.3 Modula/C/Pascal]
  • PEiD_03512_Xtreme_Protector_v1_05_ - [Xtreme-Protector v1.05]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • anti_dbg - Checks if being debugged
  • anti_dbgtools - Checks for the presence of known debug tools
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Microsoft_Visual_Cpp_v50v60_MFC -
  • Borland_Delphi_30_additional -
  • Borland_Delphi_30_ -
  • Borland_Delphi_v40_v50 -
  • Borland_Delphi_v30 -
  • Borland_Delphi_DLL -
  • maldoc_function_prolog_signature -
  • maldoc_structured_exception_handling -
  • maldoc_suspicious_strings -
  • maldoc_find_kernel32_base_method_1 -
Name 0c4f051675a690ea_readme.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\README.txt
Size 2.4KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 72ac5a8dd6491e525b9783c9bc439fe6
SHA1 5044e673dcf85b27b846bf7216f332f429b52067
SHA256 0c4f051675a690ea4db6ab2eb81fdced6990e2538ad21dc4610aa5925253a090
CRC32 CED518A3
ssdeep 48:eKDBZKjZWYM4SItMT2vkce9Q+TIMKFwRDuLoMSJB9EaBDFaf9SYKB3lCgVAFWqrW:ND6jZWq4Ikc5+ueOiB91tZdADi
Yara
  • anti_dbgtools - Checks for the presence of known debug tools
  • contentis_base64 - This rule finds for base64 strings
Name 68f4b47a99550472_appicon_16.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\AppInfo\appicon_16.png
Size 688.0B
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
MD5 441522248fd78b731259a738191ff6f2
SHA1 01bfd30da7f1aaa9693879df11b41b803c507821
SHA256 68f4b47a99550472f0474974cc302b887763f0d5c33f9b1592436121afc485f6
CRC32 D9996D50
ssdeep 12:6v/78qQPKap6h/GsHPNHpUF/HEH6sXlAW4N5Lw8DSCIAk445EFRdcFlz:BqQC86h+sH1uGB4N588uCXs5E7er
Yara None matched
Name e107b7d6b816a2d5_appicon_32.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\AppInfo\appicon_32.png
Size 2.6KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
MD5 f7c2f0ee9cb893586a1a7e2b429a31d4
SHA1 120a167dc5d3aec92a738525569b45df0e808161
SHA256 e107b7d6b816a2d59cfa88cbd1297df7ff53d20082955e55b6baba5fb8d55b14
CRC32 94BD04BB
ssdeep 48:wGbfMb0wnKlVsWZgN1u25h8uEqki/aheHsd/Qlcaxnoxur6towwDhFqlkiDk9:V37GNT5h8uEQ/y4sd4lcsocrCo7De6
Yara None matched
Name b029eb3a7444fa33_extendedtools.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\ExtendedTools.dll
Size 171.0KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 013dbb7c2ad8ba8b253a79c38caa5fe2
SHA1 5843281bcf9ee9bbc07179ef5032b5b7c8dcc555
SHA256 b029eb3a7444fa333daf8410dad0f770e2e9ff57a3ba6bbdd8b5d2696f43646d
CRC32 32BF00B9
ssdeep 3072:TACydNlIeMYoFoafAYDhjstr3cU/exUyND5VpCb2:TATeiNc3KU5Cb2
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasOverlay - Overlay Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01070_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_01693_pex_V0_99____params_ - [pex V0.99 -> params]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • DebuggerCheck__QueryInfo -
  • anti_dbg - Checks if being debugged
  • anti_dbgtools - Checks for the presence of known debug tools
  • disable_dep - Bypass DEP
  • keylogger - Run a keylogger
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Microsoft_Visual_Cpp_v50v60_MFC -
  • Borland_Delphi_30_additional -
  • Borland_Delphi_30_ -
  • Borland_Delphi_v40_v50 -
  • Borland_Delphi_v30 -
  • Borland_Delphi_DLL -
  • maldoc_function_prolog_signature -
  • maldoc_structured_exception_handling -
  • maldoc_suspicious_strings -
  • maldoc_find_kernel32_base_method_1 -
Name 2ffe1ac2555e822b_findprocdll.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsz3.tmp\FindProcDLL.dll
Size 4.0KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 ba4c1dfe226d573d516c0529f263011e
SHA1 d726e947633ea75c09bba1cb6a14a79ce953be24
SHA256 2ffe1ac2555e822b4a383996168031e456f09f9cf3bb763fccee35be178cf58a
CRC32 B076F3F7
ssdeep 48:qv1AJiDhU8UsnL0C8EA4G1zkxU5NMsH7pWIa1B3yx3s2mRUyNi7ftUgwQagqlNt/:uJnQChA4nsNMg0I8GiR+Uget
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_suspicious_strings -
Name 46a1d50a869dc7e2_help_logo_top.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Other\Help\Images\Help_Logo_Top.png
Size 2.5KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PNG image data, 229 x 47, 8-bit/color RGBA, non-interlaced
MD5 0f024e316973b9d87f3f4c3a1f33c448
SHA1 8ccaf998d7b14731829c0d1104d6fa7a1adc7247
SHA256 46a1d50a869dc7e2c0511cfbc77a15f0092ad9fba0b068736f1e512683a47ee4
CRC32 8F37D7F3
ssdeep 48:NaRbpMYHmHcRu3nh77X9/aoy/b1MUOgmLFu2J:YRbqHSI7TZ/RgSuI
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 88c0749cc9ca14cc_help_background_footer.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Other\Help\Images\Help_Background_Footer.png
Size 168.0B
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PNG image data, 10 x 16, 8-bit/color RGB, non-interlaced
MD5 6af4a82693a403b0d0afde16972466f5
SHA1 1ab8a3d0cf22cde23173b6b41521377c0fdbeea8
SHA256 88c0749cc9ca14ccea1af39dffaccf7b7c35e5b5603b1e451fe7fce508252480
CRC32 8468EBFD
ssdeep 3:yionv//thPlHvtntCZRthwkBDsTBZtv9L//gbxCRQe1e//VHgNqUMwF/2g1p:6v/lhPo/nDspvmb8RQe1IgN1MwFdp
Yara
  • contentis_base64 - This rule finds for base64 strings
Name ee13539f3d66cc05_modern-wizard.bmp
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsz3.tmp\modern-wizard.bmp
Size 603.5KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PC bitmap, Windows 3.x format, 328 x 628 x 24
MD5 4df53efcaa2c52f39618b2aad77bb552
SHA1 542de62a8a48a3ff57cf7845737803078062e95b
SHA256 ee13539f3d66cc0592942ea1a4c35d8fd9af67b1a7f272d0d791931e6e9ce4eb
CRC32 1CDF967B
ssdeep 1536:9Bn13fmACap7r33OCINrac3aKumetKPKqDjoo+1q7C3DNgbgNgLg7gRgeHRVAVVi:90aZr33XW1
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 1964009de29351fe_splash.jpg
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\AppInfo\Launcher\splash.jpg
Size 39.3KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type JPEG image data, JFIF standard 1.02
MD5 a53d8c50c5bc3e2d6b5aa05a34e7e4fd
SHA1 39e9fce3f5b765c37a9f38bb6617cc31d2ad6d78
SHA256 1964009de29351fed47a050a101bd4322cfd62173aa6c44fb1fe005368614cf0
CRC32 2F245859
ssdeep 768:sah6xX6fESjqxw2hJU0p3bUtnWyj27D2A9C8FVXs48GNCds4444QBV7oL+ALyWYi:eXYf30Bb4WySRFVcGQVMWWYebp
Yara None matched
Name fc9d0d0482c63ab7_usernotes.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\UserNotes.dll
Size 114.5KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 e48c789c425f966f5e5ee3187934174f
SHA1 96f85a86a56cbf55ebd547039eb1f8b0db9d9d8d
SHA256 fc9d0d0482c63ab7f238bc157c3c0fed97951ccf2d2e45be45c06c426c72cb52
CRC32 66388136
ssdeep 1536:0fiz3P6ZDIigvpiwyXtHaGFKNQCf5FlvULnQDCdxNsW99dlhSkkOZ8DCuB8ViFw:3P6Z0iGNyd6Gi7f5/eQExdL1kY8DCurw
Yara
  • IsPE64 -
  • IsDLL -
  • IsWindowsGUI -
  • HasOverlay - Overlay Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00055_Alias_PIX_Vivid_IMG_Graphics_format_ - [Alias PIX/Vivid IMG Graphics format]
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01628_PEQuake_V0_06____forgat_ - [PEQuake V0.06 -> forgat]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_01693_pex_V0_99____params_ - [pex V0.99 -> params]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_02161_Stranik_1_3_Modula_C_Pascal_ - [Stranik 1.3 Modula/C/Pascal]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • DebuggerCheck__QueryInfo -
  • anti_dbg - Checks if being debugged
  • anti_dbgtools - Checks for the presence of known debug tools
  • disable_dep - Bypass DEP
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_suspicious_strings -
Name 61e8cd8de80a5c0d_extendednotifications.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\ExtendedNotifications.dll
Size 140.5KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 be4dc4d2d1d05001ab0bb2bb8659bfad
SHA1 c0ed9e375b447b61c07c0b00c93bb81c87bcfc2e
SHA256 61e8cd8de80a5c0d7ced280fe04ad8387a846a7bf2ee51bcbba96b971c7c1795
CRC32 A34BD9FD
ssdeep 3072:ucUs2pkSTVRC6//SZDTWeEd1D6gyqAnr6rw8N9TZof:ua2zRC6ncXWl4
Yara
  • IsPE64 -
  • IsDLL -
  • IsWindowsGUI -
  • HasOverlay - Overlay Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01272_Neolite_v2_0_ - [Neolite v2.0]
  • PEiD_01628_PEQuake_V0_06____forgat_ - [PEQuake V0.06 -> forgat]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_01693_pex_V0_99____params_ - [pex V0.99 -> params]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_02161_Stranik_1_3_Modula_C_Pascal_ - [Stranik 1.3 Modula/C/Pascal]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • anti_dbg - Checks if being debugged
  • anti_dbgtools - Checks for the presence of known debug tools
  • network_tcp_socket - Communications over RAW socket
  • network_dns - Communications use DNS
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_suspicious_strings -
  • Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration
Name 4259e53d48a3fed9_peview.exe
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\peview.exe
Size 229.0KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 dde1f44789cd50c1f034042d337deae3
SHA1 e7e494bfadb3d6cd221f19498c030c3898d0ef73
SHA256 4259e53d48a3fed947f561ff04c7f94446bedd64c87f52400b2cb47a77666aaa
CRC32 8C6797AD
ssdeep 3072:/U30KmLQQMpQZxRjsMUni4nuWKz+OHPKVgW9G0tpLmSlbJY/i:/UbmEQMp4TVtW0+Ovh
Yara
  • IsPE64 -
  • IsWindowsGUI -
  • HasOverlay - Overlay Check
  • HasDigitalSignature - DigitalSignature Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01272_Neolite_v2_0_ - [Neolite v2.0]
  • PEiD_01628_PEQuake_V0_06____forgat_ - [PEQuake V0.06 -> forgat]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_01693_pex_V0_99____params_ - [pex V0.99 -> params]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • DebuggerHiding__Thread -
  • anti_dbg - Checks if being debugged
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Microsoft_Visual_Cpp_80_DLL -
  • maldoc_suspicious_strings -
Name d28a6bd0cbbe33c0_sbiesupport.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\SbieSupport.dll
Size 81.5KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 4daa3b45699017dce248b0e6f634885f
SHA1 c155ec9e2b1ab9b6178074ac3f7900bedff89cae
SHA256 d28a6bd0cbbe33c05586edbfa7266c85355e5762afd89a3633a23136723b625e
CRC32 82DAD691
ssdeep 1536:c1CLBSfuO2cTwGQXmj51Dds5Ecj3ksWhcdgZCnQnmxukfK1:c1CVg51Dpcjlg8nQnmxuky1
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasOverlay - Overlay Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_00810_FSG_v1_10__Eng_____dulek_xt_____Microsoft_Visual_C___6_0___7_0__ - [FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)]
  • PEiD_01070_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • anti_dbg - Checks if being debugged
  • anti_dbgtools - Checks for the presence of known debug tools
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Microsoft_Visual_Cpp_v50v60_MFC -
  • Borland_Delphi_30_additional -
  • Borland_Delphi_30_ -
  • Borland_Delphi_v40_v50 -
  • Borland_Delphi_v30 -
  • Borland_Delphi_DLL -
  • maldoc_function_prolog_signature -
  • maldoc_structured_exception_handling -
  • maldoc_suspicious_strings -
  • maldoc_find_kernel32_base_method_1 -
Name 7336d66588bbcfea_onlinechecks.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\OnlineChecks.dll
Size 222.5KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 12c25fb356e51c3fd81d2d422a66be89
SHA1 7cc763f8dc889a4ec463aaba38f6e6f65dbdbb8c
SHA256 7336d66588bbcfea63351a2eb7c8d83bbd49b5d959ba56a94b1fe2e905a5b5de
CRC32 38F5A8F2
ssdeep 3072:VDy7cjwTlCAlW0InMxf08ZyIjSNVnKJ3HzuoX7o+ThTPD0r7NF4jM9Td2xOdj+C9:Vu71TtInMxf08gI2HnKJDuG73JtxE
Yara
  • IsPE64 -
  • IsDLL -
  • IsWindowsGUI -
  • HasOverlay - Overlay Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01272_Neolite_v2_0_ - [Neolite v2.0]
  • PEiD_01628_PEQuake_V0_06____forgat_ - [PEQuake V0.06 -> forgat]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_01693_pex_V0_99____params_ - [pex V0.99 -> params]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_02161_Stranik_1_3_Modula_C_Pascal_ - [Stranik 1.3 Modula/C/Pascal]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • anti_dbg - Checks if being debugged
  • anti_dbgtools - Checks for the presence of known debug tools
  • screenshot - Take screenshot
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_suspicious_strings -
  • Str_Win32_Http_API - Match Windows Http API call
Name cf7718e82afa1af0_readme.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\Readme.txt
Size 185.0B
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 9d3d2c85756ff419cec6da38bd89a37b
SHA1 2f722064cefd0d48c5f5d03956a7040900d7f8b1
SHA256 cf7718e82afa1af00882af5a9b80cb1640fbfadad56d218a78371b9bcb649170
CRC32 A50CC39C
ssdeep 3:SMbKyPXtH+XR5WOpH/VVJYMQr3MeMQxF+YEJRi6Xt2vGARFKGRjZUovQ3OSbmSWe:DdH+XR5WKo8zQDuJRPt6zKGRjjRumA
Yara None matched
Name 35db042e16c8a39c_processhacker.sig
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\ProcessHacker.sig
Size 64.0B
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type data
MD5 98208b7641de5bd8dc9b524fe87a3c5f
SHA1 0e71eecf6a1b1a42d97c7db74d8be3a1b2c6a813
SHA256 35db042e16c8a39c8289660adc8cc493a800e392227d83380931dc28705af86e
CRC32 CE99B5D9
ssdeep 3:xoEz3mBIXRhi1if4zDHdL:S4UgRo184zDHJ
Yara None matched
Name 602d54c15a34f5bd_appicon_75.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\AppInfo\appicon_75.png
Size 7.6KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PNG image data, 75 x 75, 8-bit/color RGBA, non-interlaced
MD5 1ef4c789ed875bc1be3a2b5ec74ea040
SHA1 7d6be2e8818a04312d74cd2662c5ada80e6ab1b1
SHA256 602d54c15a34f5bdb85f1ba9a7709a10ca07cc26fcda2abe7cbbe59c2f2079f9
CRC32 B95429A6
ssdeep 192:9eAT5FtoAPvztdfyeb1sZlOwX3eNPl8NJkq20FlTOTt:9pTpoqXfD1sfRX3eNPlTq2g5OTt
Yara None matched
Name 58053a49f7c9d07f_appnameportable.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Other\Source\AppNamePortable.ini
Size 244.0B
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 8634c50b01d5ea4adc0d9eca692cbb5b
SHA1 ce39ebe17200463b7625a07288bae88c688f0ab8
SHA256 58053a49f7c9d07faceb35c298022d31da5b00b8840e611074475b41ceb9b7e9
CRC32 0A3AE46A
ssdeep 6:IQE7Em2VPVJSgBYlyGqMwIjAIMLyJQBABCXh5XMWJk/71NLyJQBAK:It2hrY8fjI8IMee2cXhX28e2K
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 519c2c2ca0caf00d_processhacker.sig
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\ProcessHacker.sig
Size 64.0B
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type data
MD5 2ccb4420d40893846e1f88a2e82834da
SHA1 ef29efec7e3e0616948f9fe1fd016e43b6c971de
SHA256 519c2c2ca0caf00db5b3eb2b79dfe42e6128161c13aeb4b4d8b86fbffc67e3d4
CRC32 D403251D
ssdeep 3:dInY6sZhAO9UlE75MO6LppeU:Q/slNP6VwU
Yara None matched
Name c1a74caa7da222a7_extendednotifications.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\ExtendedNotifications.dll
Size 120.5KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 56cc0204d69be9fe0987f6570783a138
SHA1 f6024adbc00c3caef570331a82ce9535ddafd51d
SHA256 c1a74caa7da222a78715d4307f6247cb8aba4cb01434286e17d9cb18860aa612
CRC32 951499D9
ssdeep 3072:lQSnPFFFd7h7ZpcotN5grnrzAjixjIZo/dgo:lxnPTFZ17AFxqo
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasOverlay - Overlay Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_00810_FSG_v1_10__Eng_____dulek_xt_____Microsoft_Visual_C___6_0___7_0__ - [FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)]
  • PEiD_01070_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • anti_dbg - Checks if being debugged
  • anti_dbgtools - Checks for the presence of known debug tools
  • network_tcp_socket - Communications over RAW socket
  • network_dns - Communications use DNS
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Microsoft_Visual_Cpp_v50v60_MFC -
  • Borland_Delphi_30_additional -
  • Borland_Delphi_30_ -
  • Borland_Delphi_v40_v50 -
  • Borland_Delphi_v30 -
  • Borland_Delphi_DLL -
  • maldoc_function_prolog_signature -
  • maldoc_structured_exception_handling -
  • maldoc_suspicious_strings -
  • maldoc_find_kernel32_base_method_1 -
  • Str_Win32_Winsock2_Library - Match Winsock 2 API library declaration
Name c38e811f6f834289_license.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\LICENSE.txt
Size 35.5KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type Pascal source, ASCII text, with CRLF line terminators
MD5 eb59e0a5d01d0a5b02da0c9e7786969f
SHA1 96eed0bf00ae770347861a02f8fd6b3603e12013
SHA256 c38e811f6f83428921d0cecd998a44b717149b577b4c1a63b66064f03c34e4e7
CRC32 354336EB
ssdeep 768:h7Y+tNdSz3ZlqXOWoInuzx3Y8N3WiYD0v:hVtNIq1uzZY1C
Yara
  • contentis_base64 - This rule finds for base64 strings
  • embedded_pe - Contains an embedded PE32 file
Name 70211a3f90376bbc_kprocesshacker.sys
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\kprocesshacker.sys
Size 44.1KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32+ executable (native) x86-64, for MS Windows
MD5 1b5c3c458e31bede55145d0644e88d75
SHA1 a21c84c6bf2e21d69fa06daaf19b4cc34b589347
SHA256 70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4
CRC32 2552E89F
ssdeep 768:ZkCOeX2Yg5KY6VgQqdzfVJdf/aEB2zBdZp0IfKg589z1hEn:nzn68BaIfRn
Yara
  • IsPE64 -
  • HasOverlay - Overlay Check
  • HasDigitalSignature - DigitalSignature Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02191_tElock_0_99___1_0_private____tE__ - [tElock 0.99 - 1.0 private -> tE!]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • DebuggerCheck__QueryInfo -
  • contentis_base64 - This rule finds for base64 strings
  • Microsoft_Visual_Cpp_80_DLL -
  • maldoc_suspicious_strings -
Name 476aa6af14dd0b26_networktools.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\NetworkTools.dll
Size 134.5KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 d6bed1d6fdbed480e32fdd2dd4c13352
SHA1 544567d030a19e779629eed65d2334827dcda141
SHA256 476aa6af14dd0b268786e32543b9a6917a298d4d90e1015dac6fb2b522cf5d2e
CRC32 16148202
ssdeep 1536:mhhDibqaA8T+B++QWWEVGyEYfGup5oGjxNj8DsDdvsWch9dl/6RHyA8E0SHBZmA:ghGbA82+t6GLYfnoGjxp8e+ZB6RSALfr
Yara
  • IsPE64 -
  • IsDLL -
  • IsWindowsGUI -
  • HasOverlay - Overlay Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01272_Neolite_v2_0_ - [Neolite v2.0]
  • PEiD_01628_PEQuake_V0_06____forgat_ - [PEQuake V0.06 -> forgat]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_01693_pex_V0_99____params_ - [pex V0.99 -> params]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_02161_Stranik_1_3_Modula_C_Pascal_ - [Stranik 1.3 Modula/C/Pascal]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • anti_dbg - Checks if being debugged
  • anti_dbgtools - Checks for the presence of known debug tools
  • screenshot - Take screenshot
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_suspicious_strings -
  • Str_Win32_Http_API - Match Windows Http API call
Name e94a1f7bcd7e0d53_system.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsz3.tmp\System.dll
Size 11.5KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 ee260c45e97b62a5e42f17460d406068
SHA1 df35f6300a03c4d3d3bd69752574426296b78695
SHA256 e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27
CRC32 CEC99AA3
ssdeep 192:eF24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol9Sl:h8QIl975eXqlWBrz7YLOl9
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01070_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -
Name 9927c67e24bdf728_appicon_128.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\AppInfo\appicon_128.png
Size 20.8KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
MD5 f8c95ee6871e19352d0c634e43c3e5b0
SHA1 9d2eafa271d8932efd13c9ae6ceafc32fc7454ea
SHA256 9927c67e24bdf728fb4e1db0a16ca33db966f8557b406dcb56a248ed11966c70
CRC32 8921F4FA
ssdeep 384:aDudNeUxpx4eOHdFhRyKGydkEJ62hcwGz1hC/UwuPj6glA2h2cI/:eWNeUrx4D/cXskEJ6VJa/UfL6O5hlu
Yara None matched
Name 15d9f090b980dc2d_help.html
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\help.html
Size 5.1KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5 01da68836843d30ee41ecadb263379ba
SHA1 b82c73bd2beea1c2ffa9f87c67f0ee7ce22ad79d
SHA256 15d9f090b980dc2d475cc5b9e86f5721bd6a18ec9301f45963edba433f9e09a9
CRC32 23F1DAED
ssdeep 48:tqEM283LWez/V1i/8C8E2goet9QZFxiQROZAcOlvIwdINEygdDKbhLaSHog4M4yT:Md3KeLV12hKyQCABwwdurFcuEFzvhcxB
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 62472b33ba6fe0f4_networktools.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\NetworkTools.dll
Size 116.5KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 a5de58251832d3aef63fee13c96b10d2
SHA1 9e598c1fd1539c1bfb5b55ebdacbe41c1ac26600
SHA256 62472b33ba6fe0f4c5f4997236b3e0d9053c9e2de9730e3db78d2749a2bea6c4
CRC32 ED40D0AB
ssdeep 1536:4zPf2Sz6wBaABOKcRmRkaPTTd4BXcVPZdjshsWk1cdeB7PIQl4jhNj:4zPf2SzuK9RkOTTd4BMdrEeB7AQl4j7
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasOverlay - Overlay Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_00810_FSG_v1_10__Eng_____dulek_xt_____Microsoft_Visual_C___6_0___7_0__ - [FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)]
  • PEiD_01070_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_03512_Xtreme_Protector_v1_05_ - [Xtreme-Protector v1.05]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • anti_dbg - Checks if being debugged
  • anti_dbgtools - Checks for the presence of known debug tools
  • screenshot - Take screenshot
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Microsoft_Visual_Cpp_v50v60_MFC -
  • Borland_Delphi_30_additional -
  • Borland_Delphi_30_ -
  • Borland_Delphi_v40_v50 -
  • Borland_Delphi_v30 -
  • Borland_Delphi_DLL -
  • maldoc_function_prolog_signature -
  • maldoc_structured_exception_handling -
  • maldoc_suspicious_strings -
  • maldoc_find_kernel32_base_method_1 -
  • Str_Win32_Http_API - Match Windows Http API call
Name 0f97f6d53fff4791_kprocesshacker.sys
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\kprocesshacker.sys
Size 40.6KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32 executable (native) Intel 80386, for MS Windows
MD5 6365fe1d37545c71cbe2719ac7831bdd
SHA1 9356d660cebd2604ec4e72967f44678741331d5a
SHA256 0f97f6d53fff47914174bc3a05fb016e2c02ed0b43c827e5e5aadba2d244aecc
CRC32 C856533D
ssdeep 384:pJalhhQJoHFgsTogO19bgAiDLsC36Q8nyCbPtgfAODUAn0FYPggZouZZv/K6jGX3:QeodO1ZKXs8dfHxdDKgskC1hz
Yara
  • IsPE32 -
  • HasOverlay - Overlay Check
  • HasDigitalSignature - DigitalSignature Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • DebuggerCheck__QueryInfo -
  • contentis_base64 - This rule finds for base64 strings
  • Visual_Cpp_2003_DLL_Microsoft -
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -
Name 41967c3ee8b8e241_peview.exe
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\peview.exe
Size 204.0KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 711be6337cb78a948f04759a0bd210ce
SHA1 20c48d7dc881d2066d7702e98796eb2024c77ca9
SHA256 41967c3ee8b8e2416ddb3e82d8df1219365a7b180138ca8c3256192794e5f8ff
CRC32 258D123C
ssdeep 3072:2u/fuFdRj5OJJMCTut5mK4o03KmDxfcpjs7LrV40iAAjViZ0W1mBiX/DF+jQC:2u/fOjuJMCCMKP+x4jsveNgvm
Yara
  • IsPE32 -
  • IsWindowsGUI -
  • HasOverlay - Overlay Check
  • HasDigitalSignature - DigitalSignature Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00138_Armadillo_v1_71_ - [Armadillo v1.71]
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_00810_FSG_v1_10__Eng_____dulek_xt_____Microsoft_Visual_C___6_0___7_0__ - [FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)]
  • PEiD_01070_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01101_Microsoft_Visual_C___v5_0_v6_0__MFC__ - [Microsoft Visual C++ v5.0/v6.0 (MFC)]
  • PEiD_01108_Microsoft_Visual_C___v6_0_ - [Microsoft Visual C++ v6.0]
  • PEiD_01125_Microsoft_Visual_C___ - [Microsoft Visual C++]
  • PEiD_01628_PEQuake_V0_06____forgat_ - [PEQuake V0.06 -> forgat]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • DebuggerHiding__Thread -
  • anti_dbg - Checks if being debugged
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • VC8_Microsoft_Corporation -
  • Microsoft_Visual_Cpp_8 -
  • maldoc_function_prolog_signature -
  • maldoc_structured_exception_handling -
  • maldoc_suspicious_strings -
  • maldoc_find_kernel32_base_method_1 -
Name 53bb519e32931649_w7tbp.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsz3.tmp\w7tbp.dll
Size 2.5KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 9a3031cc4cef0dba236a28eecdf0afb5
SHA1 708a76aa56f77f1b0ebc62b023163c2e0426f3ac
SHA256 53bb519e3293164947ac7cbd7e612f637d77a7b863e3534ba1a7e39b350d3c00
CRC32 FF2B5710
ssdeep 24:etGS4R/39doyOzHaikQ7I9lYFxu3GUY1Bk5L2:64RVdojLJGWnWMi5L2
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
Name 647611756cac85d8_extendedservices.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\ExtendedServices.dll
Size 116.5KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 0c1a9c2a6190f1baab115316da215f89
SHA1 71326114c50ec7fd3afdf9ab43cc631fb32a40d0
SHA256 647611756cac85d8fcc8cd78efdc5712c68e4fe7bbcc8a64081900c68bcc0feb
CRC32 72638D4C
ssdeep 3072:uSRJylyd/ga0uHdtBTIzBHdcAOcn3+0ec7bOH/:BRJfJMmaORH/
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasOverlay - Overlay Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_00810_FSG_v1_10__Eng_____dulek_xt_____Microsoft_Visual_C___6_0___7_0__ - [FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)]
  • PEiD_01070_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01103_Microsoft_Visual_C___v6_0_DLL_ - [Microsoft Visual C++ v6.0 DLL]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • anti_dbg - Checks if being debugged
  • anti_dbgtools - Checks for the presence of known debug tools
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Microsoft_Visual_Cpp_v50v60_MFC -
  • Borland_Delphi_30_additional -
  • Borland_Delphi_30_ -
  • Borland_Delphi_v40_v50 -
  • Borland_Delphi_v30 -
  • Borland_Delphi_DLL -
  • maldoc_function_prolog_signature -
  • maldoc_structured_exception_handling -
  • maldoc_suspicious_strings -
  • maldoc_find_kernel32_base_method_1 -
Name 9abc52858ae4ddda_donation_button.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Other\Help\Images\Donation_Button.png
Size 1.7KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PNG image data, 110 x 23, 8-bit/color RGBA, non-interlaced
MD5 bab4268c0bc3b3051ff38b21dbe35a44
SHA1 ea7adbbd731bb1747afc9da72340a0444b29abbe
SHA256 9abc52858ae4ddda224ee9d229cb38d252ae9ba46633da4ac14fada25dd489c6
CRC32 F486C53D
ssdeep 24:aoPfexW3T0UjeA2fijjxMhDnUcO7QLgYNw69rFbyQCwbozK8yxkxuE3u5F3pKXTP:aw3T0GeA2yMhocrVN5uXwNF0FGpU
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 5351a73e39b4bb06_readme.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Other\Source\Readme.txt
Size 2.2KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 b2adab2586d2eb98f3bfeff357b869c1
SHA1 01d05f1b866bf0f9d65617533368261a8429b651
SHA256 5351a73e39b4bb061fd06d6d13a672fe7af24bf76e08ae8fe55652116c36fd9a
CRC32 C5D190C3
ssdeep 48:poqWahdxHxG2NlNKx026fDQ+A6Bd72bpbGTY/ZzywG2lMI:m3ah3x5Tkx/+41GTYZzywG4MI
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 3959381aab454359_help_background_header.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Other\Help\Images\Help_Background_Header.png
Size 269.0B
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PNG image data, 10 x 42, 8-bit/color RGB, non-interlaced
MD5 a1eaee3ccb8169b680415d713720a2fa
SHA1 8cf2eff4faa05a34bfb0b641b8765773c7ac2ed6
SHA256 3959381aab4543593fa69fa7980946dbf0b0bab25924c8b38f6e88f7f69b9c19
CRC32 D14F00B1
ssdeep 6:6v/lhPTnDspO68hvS6IBe0ZZUngZlq+2dp:6v/7Uk68FS6c3UngZlq+2z
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 72688fb857179270_modern-header.bmp
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsz3.tmp\modern-header.bmp
Size 100.2KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PC bitmap, Windows 3.x format, 300 x 114 x 24
MD5 8a0c0a441c3255f197fabfc0cfa29f96
SHA1 53018877f8d3ad6d0652c297edafb1b3fa034a12
SHA256 72688fb8571792708fb095fe8fedac8f6825c005df940f3a4b10873319c9df1e
CRC32 A52F7CA4
ssdeep 384:2lzQ89VxRF+MHSQ0Nkb+MfL/Sr6666FNZ:2lxVlkQ0NR96666F7
Yara
  • contentis_base64 - This rule finds for base64 strings
Name b06b53681ea0ba09_favicon.ico
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\Other\Help\Images\Favicon.ico
Size 1.1KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type MS Windows icon resource - 1 icon
MD5 049a352aabb8ced245ceecb94c0a0b2d
SHA1 775b5b199e8312e18f0655daa7b25844fd768602
SHA256 b06b53681ea0ba09ddaa8f8066c990cf5a7c01e65a1910e687a993ac375d1781
CRC32 CE59ADD9
ssdeep 12:GxtRygJlM7LVtY7YMCQrCE+4hoJbmLbJk:ARvl0VaoQr8ntGJk
Yara None matched
Name bd2c2cf0631d881e_processhacker.exe
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\ProcessHacker.exe
Size 1.6MB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 b365af317ae730a67c936f21432b9c71
SHA1 a0bdfac3ce1880b32ff9b696458327ce352e3b1d
SHA256 bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4
CRC32 60F68D8D
ssdeep 24576:V7eokafnkAwgcU+29fR4PQviXq1pj3EDT5m+m8I:V6efnkdlUF92PGBOT3m8
Yara
  • IsPE64 -
  • IsWindowsGUI -
  • HasOverlay - Overlay Check
  • HasDigitalSignature - DigitalSignature Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00055_Alias_PIX_Vivid_IMG_Graphics_format_ - [Alias PIX/Vivid IMG Graphics format]
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_00810_FSG_v1_10__Eng_____dulek_xt_____Microsoft_Visual_C___6_0___7_0__ - [FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01272_Neolite_v2_0_ - [Neolite v2.0]
  • PEiD_01628_PEQuake_V0_06____forgat_ - [PEQuake V0.06 -> forgat]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_01693_pex_V0_99____params_ - [pex V0.99 -> params]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_03512_Xtreme_Protector_v1_05_ - [Xtreme-Protector v1.05]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • DebuggerCheck__QueryInfo -
  • DebuggerHiding__Thread -
  • DebuggerHiding__Active -
  • DebuggerException__SetConsoleCtrl -
  • anti_dbg - Checks if being debugged
  • anti_dbgtools - Checks for the presence of known debug tools
  • disable_dep - Bypass DEP
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Microsoft_Visual_Cpp_80_DLL -
  • CRC32_poly_Constant - Look for CRC32 [poly]
  • CRC32_table - Look for CRC32 table
  • MD5_Constants - Look for MD5 constants
  • RIPEMD160_Constants - Look for RIPEMD-160 constants
  • SHA1_Constants - Look for SHA1 constants
  • maldoc_suspicious_strings -
Name a94d02d9645a4f4f_usernotes.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\UserNotes.dll
Size 96.5KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 7de6aa4f0d79e4b243a66b4db6f17fe9
SHA1 0137fd9f2e0115e88003b80942b137ad83b52f5b
SHA256 a94d02d9645a4f4fe0388bb40775862aa3f90d22a93fdb14870389ab891b486d
CRC32 FECFA8CF
ssdeep 3072:mEuN4hL6EK8WvWCR3RPPp9KjqzUJEAElDBUh3:9L88Wz3zYKKh3
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasOverlay - Overlay Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00055_Alias_PIX_Vivid_IMG_Graphics_format_ - [Alias PIX/Vivid IMG Graphics format]
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_00810_FSG_v1_10__Eng_____dulek_xt_____Microsoft_Visual_C___6_0___7_0__ - [FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)]
  • PEiD_01070_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_02161_Stranik_1_3_Modula_C_Pascal_ - [Stranik 1.3 Modula/C/Pascal]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • DebuggerCheck__QueryInfo -
  • anti_dbg - Checks if being debugged
  • anti_dbgtools - Checks for the presence of known debug tools
  • disable_dep - Bypass DEP
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Microsoft_Visual_Cpp_v50v60_MFC -
  • Borland_Delphi_30_additional -
  • Borland_Delphi_30_ -
  • Borland_Delphi_v40_v50 -
  • Borland_Delphi_v30 -
  • Borland_Delphi_DLL -
  • maldoc_function_prolog_signature -
  • maldoc_structured_exception_handling -
  • maldoc_suspicious_strings -
  • maldoc_find_kernel32_base_method_1 -
Name 4f891adc5ddbe439_processhackerportable.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\AppInfo\Launcher\ProcessHackerPortable.ini
Size 1009.0B
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 cc9ba08dc1a46e31649d31bf13afd14c
SHA1 235c4538ce97cff5132b1ee08b4c353e796cab99
SHA256 4f891adc5ddbe4391f603dbdfe1682d2ce5c2d282cc159a086f83949fcb4d079
CRC32 8AD3F9E8
ssdeep 24:JtnQADrQEXbX0DZV2gxrUOzkUEXUqbJbMUS:JtQADsEXbX4txrU4kUEXUepMUS
Yara
  • anti_dbgtools - Checks for the presence of known debug tools
  • contentis_base64 - This rule finds for base64 strings
Name badaddeeef941610_updater.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\plugins\Updater.dll
Size 94.5KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 0d69dbdafe0a75066405c10413c7eb7b
SHA1 df685b3cc0bff48424c52b18aca90e128ab531b9
SHA256 badaddeeef941610eb0912330848349a08fcac0983d7fb749c45f70b86c59c7c
CRC32 896628E5
ssdeep 1536:ZXRrbgI85UI2SgY5qvE5R4zAijcPLsW+ycdgTsGb+nBMWz6TKMI9kj+tN5Ka:RR/Y5q6G1QPqgTsGb+nBMc6TKMI9i+tx
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasOverlay - Overlay Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_00810_FSG_v1_10__Eng_____dulek_xt_____Microsoft_Visual_C___6_0___7_0__ - [FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)]
  • PEiD_01070_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • anti_dbg - Checks if being debugged
  • anti_dbgtools - Checks for the presence of known debug tools
  • screenshot - Take screenshot
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Microsoft_Visual_Cpp_v50v60_MFC -
  • Borland_Delphi_30_additional -
  • Borland_Delphi_30_ -
  • Borland_Delphi_v40_v50 -
  • Borland_Delphi_v30 -
  • Borland_Delphi_DLL -
  • maldoc_function_prolog_signature -
  • maldoc_structured_exception_handling -
  • maldoc_suspicious_strings -
  • maldoc_find_kernel32_base_method_1 -
  • Str_Win32_Http_API - Match Windows Http API call
Name 0c11cdc3765ffb53_updater.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\Updater.dll
Size 110.5KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 6976b57c6391f54dbd2828a45ca81100
SHA1 a8c312a56ede6f4852c34c316c01080762aa5498
SHA256 0c11cdc3765ffb53ba9707b6f99ec17ae4f7334578a935ba7bcbbc9c7bdeed2e
CRC32 C1983B8E
ssdeep 3072:yy8QoSuThifQ0gUmL1lV51hdJFxZ9l1JtB9plRN51hdJFtVpRR5hJt0rsBLsGbOd:ZiYQ5UmBNerF
Yara
  • IsPE64 -
  • IsDLL -
  • IsWindowsGUI -
  • HasOverlay - Overlay Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01628_PEQuake_V0_06____forgat_ - [PEQuake V0.06 -> forgat]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_01693_pex_V0_99____params_ - [pex V0.99 -> params]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_02161_Stranik_1_3_Modula_C_Pascal_ - [Stranik 1.3 Modula/C/Pascal]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • anti_dbg - Checks if being debugged
  • anti_dbgtools - Checks for the presence of known debug tools
  • screenshot - Take screenshot
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_suspicious_strings -
  • Str_Win32_Http_API - Match Windows Http API call
Name 5ae7c0972fd4e4c4_extendedservices.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\ExtendedServices.dll
Size 136.5KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 4858bdb7731bf0b46b247a1f01f4a282
SHA1 de2f9cbcec1e1fa891d9693fb3cadfdd4cfe1f60
SHA256 5ae7c0972fd4e4c4ae14c0103602ca854377fefcbccd86fa68cfc5a6d1f99f60
CRC32 D0228EB6
ssdeep 1536:cjYKbIeoRGwasSxZVqHa0fdZ5OiRJjHlcUhzD55DBdisWpZ9dl3K+OL/VfRc2:diLhZCdZ5bHHlcUz5PaNKxjVpc2
Yara
  • IsPE64 -
  • IsDLL -
  • IsWindowsGUI -
  • HasOverlay - Overlay Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01272_Neolite_v2_0_ - [Neolite v2.0]
  • PEiD_01628_PEQuake_V0_06____forgat_ - [PEQuake V0.06 -> forgat]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_01693_pex_V0_99____params_ - [pex V0.99 -> params]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • anti_dbg - Checks if being debugged
  • anti_dbgtools - Checks for the presence of known debug tools
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_suspicious_strings -
Name 80d84f6c405f4e7b_nsdialogs.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsz3.tmp\nsDialogs.dll
Size 9.5KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 477b78e5db22b4e651b6bec39d5c1acf
SHA1 418038f8d4db22471f55206aa8eb372f3f133d0d
SHA256 80d84f6c405f4e7b51d3e0c7c10b06ce60b28a43451bbe0e6e464d5e4783fc35
CRC32 9A20E416
ssdeep 192:oB8cxzvTyl4tgi8pPjQM0PuAg0YNyPIFtSP:oBxzm+t18pZ0WAg0RPIFg
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_function_prolog_signature -
Name 0737efbfe48abb43_appinfo.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\AppInfo\appinfo.ini
Size 597.0B
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 75fe83eb362723699a2f153ce4c346b3
SHA1 932ba89dfb08175af6ee6103ed31a350d176f0c7
SHA256 0737efbfe48abb43210fa6440b9f1e8ffd2c2867ae4e3612e077e425e4281dd7
CRC32 FAE6839E
ssdeep 12:kirMB2cS4ifmuzyCRPiGaHlL8ci0yhqCqZ2WcAUvMrHc3arVBMSe:kGaJ7ieuzyCRPqKknk0r83LT
Yara
  • contentis_base64 - This rule finds for base64 strings
Name e3b0c44298fc1c14_nsj1.tmp
Size 0.0B
Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
ssdeep 3::
Yara None matched
Name d4a0fe56316a2c45_processhacker.exe
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x86\ProcessHacker.exe
Size 1.4MB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 68f9b52895f4d34e74112f3129b3b00d
SHA1 c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e
SHA256 d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f
CRC32 033989A0
ssdeep 24576:fsmjNvgp+pxECAucO9iWFT0z7rLuUhFP3MGX:PFgpAiIiWdzUz35X
Yara
  • GenerateTLSClientHelloPacket_Test -
  • IsPE32 -
  • IsWindowsGUI -
  • HasOverlay - Overlay Check
  • HasDigitalSignature - DigitalSignature Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00055_Alias_PIX_Vivid_IMG_Graphics_format_ - [Alias PIX/Vivid IMG Graphics format]
  • PEiD_00138_Armadillo_v1_71_ - [Armadillo v1.71]
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_00810_FSG_v1_10__Eng_____dulek_xt_____Microsoft_Visual_C___6_0___7_0__ - [FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)]
  • PEiD_01070_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01101_Microsoft_Visual_C___v5_0_v6_0__MFC__ - [Microsoft Visual C++ v5.0/v6.0 (MFC)]
  • PEiD_01103_Microsoft_Visual_C___v6_0_DLL_ - [Microsoft Visual C++ v6.0 DLL]
  • PEiD_01108_Microsoft_Visual_C___v6_0_ - [Microsoft Visual C++ v6.0]
  • PEiD_01125_Microsoft_Visual_C___ - [Microsoft Visual C++]
  • PEiD_01272_Neolite_v2_0_ - [Neolite v2.0]
  • PEiD_01628_PEQuake_V0_06____forgat_ - [PEQuake V0.06 -> forgat]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • DebuggerCheck__QueryInfo -
  • DebuggerHiding__Thread -
  • DebuggerHiding__Active -
  • DebuggerException__SetConsoleCtrl -
  • anti_dbg - Checks if being debugged
  • anti_dbgtools - Checks for the presence of known debug tools
  • disable_dep - Bypass DEP
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • VC8_Microsoft_Corporation -
  • Microsoft_Visual_Cpp_8 -
  • CRC32_poly_Constant - Look for CRC32 [poly]
  • CRC32_table - Look for CRC32 table
  • MD5_Constants - Look for MD5 constants
  • RIPEMD160_Constants - Look for RIPEMD-160 constants
  • SHA1_Constants - Look for SHA1 constants
  • maldoc_function_prolog_signature -
  • maldoc_structured_exception_handling -
  • maldoc_suspicious_strings -
  • maldoc_find_kernel32_base_method_1 -
Name b4cc0280e2caa033_dotnettools.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\DotNetTools.dll
Size 132.5KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 b16ce8ba8e7f0ee83ec1d49f2d0af0a7
SHA1 cdf17a7beb537853fae6214d028754ce98e2e860
SHA256 b4cc0280e2caa0335361172cb7d673f745defc78299ded808426ffbc2458e4d9
CRC32 F91A5EB9
ssdeep 3072:OkF+ncOyiGt9KQ130WlLJydacG3EkLLFjSeB:Oi+WH130U/
Yara
  • IsPE64 -
  • IsDLL -
  • IsWindowsGUI -
  • HasOverlay - Overlay Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_00810_FSG_v1_10__Eng_____dulek_xt_____Microsoft_Visual_C___6_0___7_0__ - [FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)]
  • PEiD_01628_PEQuake_V0_06____forgat_ - [PEQuake V0.06 -> forgat]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_01693_pex_V0_99____params_ - [pex V0.99 -> params]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • DebuggerCheck__QueryInfo -
  • anti_dbg - Checks if being debugged
  • anti_dbgtools - Checks for the presence of known debug tools
  • keylogger - Run a keylogger
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_suspicious_strings -
Name f2805e0f81513641_extendedtools.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\ExtendedTools.dll
Size 196.0KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 bc61e6fb02fbbfe16fb43cc9f4e949f1
SHA1 307543fcef62c6f8c037e197703446fcb543424a
SHA256 f2805e0f81513641a440f1a21057a664961c22192cb33fca3870362c8f872d87
CRC32 95A64C01
ssdeep 3072:kahH9o/M+4BoraGA7sYt/zVcfg8Snh/3RFjxabZ67DG3p+DbR17LhY:P0MGraz/zRNh/3RU+72
Yara
  • IsPE64 -
  • IsDLL -
  • IsWindowsGUI -
  • HasOverlay - Overlay Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01628_PEQuake_V0_06____forgat_ - [PEQuake V0.06 -> forgat]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_01693_pex_V0_99____params_ - [pex V0.99 -> params]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_02161_Stranik_1_3_Modula_C_Pascal_ - [Stranik 1.3 Modula/C/Pascal]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • DebuggerCheck__QueryInfo -
  • anti_dbg - Checks if being debugged
  • anti_dbgtools - Checks for the presence of known debug tools
  • disable_dep - Bypass DEP
  • keylogger - Run a keylogger
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_suspicious_strings -
Name d6eea8eb72d166b3_processhackerportable.exe
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\ProcessHackerPortable.exe
Size 225.7KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 c461e898fa55d37618b6d8b9af0448c5
SHA1 1b43343bf5034c7716c6f85d861b4ecd327cc5f3
SHA256 d6eea8eb72d166b3dee65e632581a4fe27e91ba68386a98ed10cc618d258cb2a
CRC32 1D48C99D
ssdeep 3072:QweqOYEUXPnk1fRu1e16kWOIo0tIZoiLxBDKalStcozi8cAef6uwfCgt2SDDit7V:BEUX8139Yo069LxBD2Ofao6uo1MaDFA
Yara
  • IsPE32 -
  • IsWindowsGUI -
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasDigitalSignature - DigitalSignature Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Nullsoft_PiMP_Stub_SFX -
  • CRC32_poly_Constant - Look for CRC32 [poly]
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -
Name 282696487ea5dc78_windowexplorer.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\ProcessHacker\x64\plugins\WindowExplorer.dll
Size 133.5KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 0e8d04159c075f0048b89270d22d2dbb
SHA1 d0fa2367d329909b6c9efcb3cc2c2902d8cf9b22
SHA256 282696487ea5dc781788d5d8477b977f72b7c70f201c2af0cfe7e1a9fd8d749a
CRC32 D40FEE5F
ssdeep 3072:FrcYzsiPpE70C5FwyJBId/GkWXaVJ32kZ8:Frc0s502FFnS8
Yara
  • IsPE64 -
  • IsDLL -
  • IsWindowsGUI -
  • HasOverlay - Overlay Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01628_PEQuake_V0_06____forgat_ - [PEQuake V0.06 -> forgat]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_01693_pex_V0_99____params_ - [pex V0.99 -> params]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_02161_Stranik_1_3_Modula_C_Pascal_ - [Stranik 1.3 Modula/C/Pascal]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • DebuggerCheck__QueryInfo -
  • anti_dbg - Checks if being debugged
  • anti_dbgtools - Checks for the presence of known debug tools
  • keylogger - Run a keylogger
  • win_files_operation - Affect private profile
  • win_hook - Affect hook table
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_suspicious_strings -
Name 1d64804a36063bc0_appicon.ico
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\AppInfo\appicon.ico
Size 87.9KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type MS Windows icon resource - 7 icons, 48x48, 256-colors
MD5 5c34a59d67a098648ffe7c186debdff6
SHA1 ae4b02b59daeb67aaf05aeccc59434eead0f6600
SHA256 1d64804a36063bc03b66be1072d977a836007c5e50828cb9616e9803f4817510
CRC32 C3E67CD1
ssdeep 1536:qA4HcduaeTfL64uQjeP9lMgjmmUmxytbh6ihWOIhvmMuc+WxLTX2Yj:qZH1fRu1e16kWOIo0tt
Yara None matched
Name f1b698d331d3a91a_processhacker.exe.settings.xml
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ProcessHackerPortable\App\DefaultData\ProcessHacker.exe.settings.xml
Size 8.8KB
Processes 400 (ProcessHackerPortable_2.39_English.paf.exe)
Type ASCII text, with CRLF, LF line terminators
MD5 34af44cc1bf89680c832a2871919f2c8
SHA1 7555a5ae45c0545cffe96f0c32778d055abecfba
SHA256 f1b698d331d3a91a7acf8b504fd109ee5f3a8634c70441504648a313a87851ee
CRC32 81CBD7D4
ssdeep 192:z617ih3mViVd/QqwffCrMiKHic7O9S/BZ:z9RVd/Qqwff3iKHic7O9Sv
Yara
  • Check_Dlls -
  • antisb_threatExpert - Anti-Sandbox checks for ThreatExpert
  • antisb_sandboxie - Anti-Sandbox checks for Sandboxie
  • contentis_base64 - This rule finds for base64 strings
Sorry! No dropped buffers.
Task ID 602
Mongo ID 5c36081811d3080d16cdb738
Cuckoo release 2.0-dev