File Q-DirPortable_7.22.paf.exe

Size 1.4MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 0cb0d50a81c148d3d1ac8cad0928a8f4
SHA1 f28109ef0f2cf7773fbb2fcb0917768f6dfe8511
SHA256 12df53baac3af3f40ef50fbf2bff06f75ebdb16aae493194b8d4870365d1f85f
SHA512 5e8d55e2bd55ebe74c59e5d5255c6d6aaa595669e575e1b1eb15277e461f6e1921c3624fe710283099a6ffb7b6f23696dcd54790f7ce87e8381fbb0710fa365e
CRC32 52306722
ssdeep 24576:D/9DvTfWLlH5LLItXdIvCvlgRiuu4ddLDCVmyx0Ta94CWYKL58tXOEfeoFCx:T9XfWxZLsnOIuu4dFDifx0OaCWYK9SOf
Yara
  • IsPE32 -
  • IsWindowsGUI -
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • CRC32_poly_Constant - Look for CRC32 [poly]
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -

Score

This file shows numerous signs of malicious behavior.

The score of this file is 2.2 out of 10.

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Information on Execution

Category Started Completed Duration Logs
FILE Jan. 9, 2019, 9:39 a.m. Jan. 9, 2019, 9:39 a.m. 28 seconds

Machine

Name Label Started On Shutdown On
winxpsp3pro32 winxpsp3pro32 2019-01-09 09:39:03 2019-01-09 09:39:31

Analyzer Log

2019-01-09 03:11:52,015 [analyzer] DEBUG: Starting analyzer from: C:\yxhlyhsn
2019-01-09 03:11:52,030 [analyzer] DEBUG: Pipe server name: \\.\PIPE\YWOOocdYUwLWKjyUPKsgasZk
2019-01-09 03:11:52,030 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\HCuyZcIeSwkReKLAM
2019-01-09 03:11:52,030 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2019-01-09 03:11:52,030 [analyzer] INFO: Automatically selected analysis package "exe"
2019-01-09 03:11:53,780 [analyzer] DEBUG: Started auxiliary module Disguise
2019-01-09 03:11:53,983 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:11:53,983 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:11:54,046 [analyzer] DEBUG: Loaded monitor into process with pid 692
2019-01-09 03:11:54,046 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2019-01-09 03:11:54,046 [analyzer] DEBUG: Started auxiliary module Human
2019-01-09 03:11:54,046 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2019-01-09 03:11:54,046 [analyzer] DEBUG: Started auxiliary module Reboot
2019-01-09 03:11:54,483 [analyzer] DEBUG: Started auxiliary module RecentFiles
2019-01-09 03:11:54,483 [analyzer] DEBUG: Started auxiliary module Screenshots
2019-01-09 03:11:54,608 [lib.api.process] INFO: Successfully executed process from path u'C:\\DOCUME~1\\zamen\\LOCALS~1\\Temp\\Q-DirPortable_7.22.paf.exe' with arguments '' and pid 1584
2019-01-09 03:11:54,717 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:11:54,717 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:11:54,875 [analyzer] DEBUG: Loaded monitor into process with pid 1584
2019-01-09 03:11:54,937 [analyzer] DEBUG: Received request to inject pid=1584, but we are already injected there.
2019-01-09 03:11:55,078 [analyzer] INFO: Added new file to list with pid 1584 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsb2.tmp
2019-01-09 03:11:55,203 [analyzer] INFO: Added new file to list with pid 1584 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsl3.tmp\LangDLL.dll
2019-01-09 03:11:56,312 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-09 03:11:57,342 [analyzer] INFO: Added new file to list with pid 1584 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsl3.tmp\System.dll
2019-01-09 03:11:57,467 [analyzer] INFO: Added new file to list with pid 1584 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsl3.tmp\FindProcDLL.dll
2019-01-09 03:11:57,625 [analyzer] INFO: Added new file to list with pid 1584 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsl3.tmp\modern-header.bmp
2019-01-09 03:11:57,655 [analyzer] INFO: Added new file to list with pid 1584 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsl3.tmp\modern-wizard.bmp
2019-01-09 03:11:57,858 [analyzer] INFO: Added new file to list with pid 1584 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsl3.tmp\nsDialogs.dll
2019-01-09 03:11:58,375 [modules.auxiliary.human] INFO: Found button "&Next >", clicking it
2019-01-09 03:12:00,500 [modules.auxiliary.human] INFO: Found button "I &Agree", clicking it
2019-01-09 03:12:02,592 [modules.auxiliary.human] INFO: Found button "&Install", clicking it
2019-01-09 03:12:03,625 [analyzer] INFO: Added new file to list with pid 1584 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsl3.tmp\w7tbp.dll
2019-01-09 03:12:03,703 [analyzer] INFO: Added new file to list with pid 1584 and path C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Q-DirPortable.exe
2019-01-09 03:12:03,733 [analyzer] INFO: Added new file to list with pid 1584 and path C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\help.html
2019-01-09 03:12:03,750 [analyzer] INFO: Added new file to list with pid 1584 and path C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo\EULA.txt
2019-01-09 03:12:03,750 [analyzer] INFO: Added new file to list with pid 1584 and path C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo\appicon.ico
2019-01-09 03:12:03,765 [analyzer] INFO: Added new file to list with pid 1584 and path C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo\appicon_128.png
2019-01-09 03:12:03,765 [analyzer] INFO: Added new file to list with pid 1584 and path C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo\appicon_16.png
2019-01-09 03:12:03,765 [analyzer] INFO: Added new file to list with pid 1584 and path C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo\appicon_32.png
2019-01-09 03:12:03,780 [analyzer] INFO: Added new file to list with pid 1584 and path C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo\appicon_75.png
2019-01-09 03:12:03,780 [analyzer] INFO: Added new file to list with pid 1584 and path C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo\appinfo.ini
2019-01-09 03:12:03,796 [analyzer] INFO: Added new file to list with pid 1584 and path C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo\installer.ini
2019-01-09 03:12:03,796 [analyzer] INFO: Added new file to list with pid 1584 and path C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo\pac_installer_log.ini
2019-01-09 03:12:03,812 [analyzer] INFO: Added new file to list with pid 1584 and path C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo\Launcher\Q-DirPortable.ini
2019-01-09 03:12:03,828 [analyzer] INFO: Added new file to list with pid 1584 and path C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\DefaultData\Q-Dir.ini
2019-01-09 03:12:03,983 [analyzer] INFO: Added new file to list with pid 1584 and path C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\Q-Dir\Q-Dir.exe
2019-01-09 03:12:04,296 [analyzer] INFO: Added new file to list with pid 1584 and path C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\Q-Dir\Q-Dir_x64.exe
2019-01-09 03:12:04,717 [modules.auxiliary.human] INFO: Found button "&Next >", clicking it
2019-01-09 03:12:04,890 [analyzer] INFO: Added new file to list with pid 1584 and path C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Other\Help\images\Donation_Button.png
2019-01-09 03:12:04,890 [analyzer] INFO: Added new file to list with pid 1584 and path C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Other\Help\images\Favicon.ico
2019-01-09 03:12:04,905 [analyzer] INFO: Added new file to list with pid 1584 and path C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Other\Help\images\Help_Background_Footer.png
2019-01-09 03:12:04,905 [analyzer] INFO: Added new file to list with pid 1584 and path C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Other\Help\images\Help_Background_Header.png
2019-01-09 03:12:04,921 [analyzer] INFO: Added new file to list with pid 1584 and path C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Other\Help\images\Help_Logo_Top.png
2019-01-09 03:12:04,937 [analyzer] INFO: Added new file to list with pid 1584 and path C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Other\Source\AppNamePortable.ini
2019-01-09 03:12:04,937 [analyzer] INFO: Added new file to list with pid 1584 and path C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Other\Source\LauncherLicense.txt
2019-01-09 03:12:04,937 [analyzer] INFO: Added new file to list with pid 1584 and path C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Other\Source\Readme.txt
2019-01-09 03:12:04,983 [analyzer] INFO: Added new file to list with pid 1584 and path C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Data\PortableApps.comInstaller\license.ini
2019-01-09 03:12:06,625 [analyzer] INFO: Process with pid 1584 has terminated
2019-01-09 03:12:06,625 [analyzer] INFO: Process list is empty, terminating analysis.
2019-01-09 03:12:07,625 [analyzer] INFO: Terminating remaining processes before shutdown.
2019-01-09 03:12:07,655 [analyzer] WARNING: File at path "u'c:\\documents and settings\\zamen\\local settings\\temp\\nsb2.tmp'" does not exist, skip.
2019-01-09 03:12:08,280 [analyzer] INFO: Analysis completed.

Cuckoo Log

2019-01-09 09:39:03,546 [lib.cuckoo.core.scheduler] INFO: Task #605: acquired machine winxpsp3pro32 (label=winxpsp3pro32)
2019-01-09 09:39:03,665 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 2082 (interface=eth2, host=192.168.128.102, pcap=/opt/cuckoo/storage/analyses/605/dump.pcap)
2019-01-09 09:39:11,933 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=winxpsp3pro32, ip=192.168.128.102)
2019-01-09 09:39:30,747 [lib.cuckoo.core.guest] INFO: winxpsp3pro32: analysis completed successfully
2019-01-09 09:40:01,140 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2019-01-09 09:40:02,745 [modules.processing.network] ERROR: Unable to open /opt/cuckoo/storage/analyses/605/dump_sorted.pcap
2019-01-09 09:40:14,296 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.001s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f9b503e2210>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-09 09:40:14,300 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.001s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f9b503e28d0>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-09 09:40:14,302 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f9b503e2850>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-09 09:40:14,304 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.001s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f9b503e2bd0>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-09 09:40:14,306 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f9b503e2bd0>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f9b503e2bd0>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

The executable has PE anomalies (could be a false positive) (1 event)
section .ndata
Allocates read-write-execute memory (usually to unpack itself) (2 events)
Time & API Arguments Status Return Repeated
Jan. 9, 2019, 12:11 a.m.
NtProtectVirtualMemory
base_address: 0x10004000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1584
process_handle: 0xffffffff
success 0 0
Jan. 9, 2019, 12:11 a.m.
NtProtectVirtualMemory
base_address: 0x10004000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1584
process_handle: 0xffffffff
success 0 0
Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (4 events)
Time & API Arguments Status Return Repeated
Jan. 9, 2019, 12:12 a.m.
GetDiskFreeSpaceExW
total_number_of_free_bytes: 18093906994659332
free_bytes_available: 217298682020627209
root_path: C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable
total_number_of_bytes: 563877666357248
failed 0 0
Jan. 9, 2019, 12:12 a.m.
GetDiskFreeSpaceExW
total_number_of_free_bytes: 24103231488
free_bytes_available: 24103231488
root_path: C:\Documents and Settings\zamen\Local Settings\Temp\
total_number_of_bytes: 31453437952
success 1 0
Jan. 9, 2019, 12:12 a.m.
GetDiskFreeSpaceExW
total_number_of_free_bytes: 5333112431056983
free_bytes_available: 1126897863320992
root_path: C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable
total_number_of_bytes: 5334452460847104
failed 0 0
Jan. 9, 2019, 12:12 a.m.
GetDiskFreeSpaceExW
total_number_of_free_bytes: 24103231488
free_bytes_available: 24103231488
root_path: C:\Documents and Settings\zamen\Local Settings\Temp\
total_number_of_bytes: 31453437952
success 1 0
Creates executable files on the filesystem (8 events)
file C:\Documents and Settings\zamen\Local Settings\Temp\nsl3.tmp\LangDLL.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Q-DirPortable.exe
file C:\Documents and Settings\zamen\Local Settings\Temp\nsl3.tmp\w7tbp.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\nsl3.tmp\System.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\nsl3.tmp\FindProcDLL.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\nsl3.tmp\nsDialogs.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\Q-Dir\Q-Dir.exe
file C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\Q-Dir\Q-Dir_x64.exe
File has been identified by 2 AntiVirus engines on VirusTotal as malicious (2 events)
Bkav HW32.Packed.
Trapmine malicious.moderate.ml.score
The binary likely contains encrypted or compressed data. (2 events)
section {u'size_of_data': u'0x0001d000', u'virtual_address': u'0x001e1000', u'entropy': 7.185653724856848, u'name': u'.rsrc', u'virtual_size': u'0x0001ce98'} entropy 7.18565372486 description A section with a high entropy has been found
entropy 0.783783783784 description Overall entropy of this PE file is high

Network

DNS

No domains contacted.

Hosts

No hosts contacted.

Summary

Process Q-DirPortable_7.22.paf.exe (1584)

  • Opened files

    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo
    • C:\WINDOWS\system32\oleaccrc.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Other\Source
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\Q-Dir
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsl3.tmp\modern-wizard.bmp
    • C:\WINDOWS\win.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Other
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\DefaultData
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsl3.tmp\modern-header.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Other\Help\images
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable_7.22.paf.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\DefaultData\Favoriten\Quick-Link
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo\pac_installer_log.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\DefaultData\Favoriten
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo\Launcher
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Other\Help
  • Written files

    • C:\Documents and Settings\zamen\Local Settings\Temp\nsl3.tmp\modern-wizard.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo\appicon_75.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo\installer.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsl3.tmp\System.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Other\Source\LauncherLicense.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo\EULA.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Data\PortableApps.comInstaller\license.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo\appicon_128.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsl3.tmp\modern-header.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Other\Help\images\Favicon.ico
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\help.html
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Other\Help\images\Help_Background_Footer.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Other\Help\images\Help_Logo_Top.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Other\Help\images\Donation_Button.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\Q-Dir\Q-Dir.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo\appicon_32.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsb2.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo\Launcher\Q-DirPortable.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\Q-Dir\Q-Dir_x64.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo\pac_installer_log.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo\appicon.ico
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Q-DirPortable.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Other\Help\images\Help_Background_Header.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo\appinfo.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsl3.tmp\LangDLL.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsl3.tmp\w7tbp.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Other\Source\Readme.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Other\Source\AppNamePortable.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsl3.tmp\FindProcDLL.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsl3.tmp\nsDialogs.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\DefaultData\Q-Dir.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo\appicon_16.png
  • Files Read

    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Data\PortableApps.comInstaller\license.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo\pac_installer_log.ini
    • C:\WINDOWS\win.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsb2.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable_7.22.paf.exe

Process Q-DirPortable_7.22.paf.exe (1584)

  • Registry keys opened

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ProductOptions
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\AppLogLevels
    • HKEY_CLASSES_ROOT\Directory
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530e-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\IconHandler
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNT
    • HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
    • HKEY_CURRENT_USER\Control Panel\Desktop
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\LangBarAddIn\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\Explorer\AutoComplete
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    • HKEY_CLASSES_ROOT\Folder
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530a-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CLASSES_ROOT\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32
    • HKEY_LOCAL_MACHINE\System\Setup
    • HKEY_LOCAL_MACHINE\System\WPA\PnP
    • HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
    • HKEY_LOCAL_MACHINE\Software\Microsoft\COM3\Debug
    • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Explorer\AutoComplete
    • HKEY_CLASSES_ROOT\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Clsid
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF\LangBarAddIn\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\CurVer
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530d-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530b-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\Q-DirPortable_7.22.paf.exe
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\(Default)
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
  • Registry keys written

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530e-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530d-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530a-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530b-636a-11e6-ba0d-806d6172696f}\BaseClass
  • Registry keys read

    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ServicePackSourcePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewWatermark
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\RsopLogging
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Hostname
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions\ProductType
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager\Compositing
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\OsLoaderPath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
    • HKEY_LOCAL_MACHINE\SYSTEM\WPA\PnP\seed
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogLevel
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewScrollOver
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DevicePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogPath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MinimumFreeMemPercentageToCreateProcess
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Personal
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local Settings
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ChkAccDebugLevel
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserEnvDebugLevel
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewScrollOver
    • HKEY_CURRENT_USER\Control Panel\Desktop\LameButtonText
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\DriverCachePath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\RsopDebugLevel
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemPartition
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ServicePackCachePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Domain
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MinimumFreeMemPercentageToCreateObject

Process Q-DirPortable_7.22.paf.exe (1584)

  • Mutexes accessed

    • oleacc-msaa-loaded
    • MSCTF.Shared.MUTEX.EFG

Process Q-DirPortable_7.22.paf.exe (1584)

  • Directories created

    • C:\Documents and Settings
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\DefaultData\Favoriten
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Data
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\Q-Dir
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Other
    • C:\Documents and Settings\zamen\Local Settings\Temp\
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\DefaultData
    • C:\Documents and Settings\zamen\Local Settings\Temp
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Other\Help\images
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsl3.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Other\Source
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\DefaultData\Favoriten\Quick-Link
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable
    • C:\Documents and Settings\zamen\Local Settings
    • C:\Documents and Settings\zamen
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Data\PortableApps.comInstaller
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo\Launcher
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Other\Help
  • Directories removed

    • C:\Documents and Settings\zamen\Local Settings\Temp\nsl3.tmp\
  • Directories enumerated

    • C:\Documents and Settings
    • C:\WINDOWS\system32\wuauclt.exe
    • C:\Program Files\Microsoft Office\Office12
    • C:\WINDOWS\system32\ctfmon.exe
    • C:\WINDOWS\explorer.exe
    • C:\Python27\pythonw.exe
    • C:\WINDOWS\system32\lsass.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Data\PortableApps.comInstaller\license.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable
    • C:\Program Files\Java\jre7\bin\jqs.exe
    • C:\Program Files\Java\jre7
    • C:\Documents and Settings\zamen\Local Settings\Temp\PortableApps.com\PortableAppsPlatform.exe
    • C:\WINDOWS
    • C:\PortableApps
    • C:\WINDOWS\system32\svchost.exe
    • C:\Documents and Settings\zamen\Local Settings
    • C:\Documents and Settings\zamen\PortableApps\*.*
    • C:\WINDOWS\system32
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsl3.tmp\*.*
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\*.*
    • C:\Python27
    • C:\Documents and Settings\zamen\Local Settings\Temp
    • C:\WINDOWS\system32\services.exe
    • C:\Program Files\Java
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsl3.tmp
    • E:\PortableApps
    • C:\Documents and Settings\zamen
    • C:\Program Files\Common Files\Java
    • C:\Program Files\Java\jre7\bin
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Other
    • C:\WINDOWS\system32\spoolsv.exe
    • C:\WINDOWS\system32\alg.exe
    • C:\Program Files\Common Files\Java\Java Update\jusched.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Other\*.*

Process Q-DirPortable_7.22.paf.exe (1584)

  • DLLs Loaded

    • C:\WINDOWS\system32\APPHELP.dll
    • C:\WINDOWS\system32\USERENV.dll
    • C:\WINDOWS\system32\SHELL32.dll
    • kernel32.dll
    • UxTheme.dll
    • C:\WINDOWS\system32\OLEACC.dll
    • C:\WINDOWS\system32\CRYPTBASE.dll
    • C:\WINDOWS\system32\browseui.dll
    • ole32.dll
    • C:\WINDOWS\system32\UXTHEME.dll
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsl3.tmp\System.dll
    • C:\WINDOWS\system32\DWMAPI.dll
    • C:\WINDOWS\system32\RichEd20.dll
    • C:\WINDOWS\system32\PROPSYS.dll
    • C:\WINDOWS\system32\SETUPAPI.dll
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsl3.tmp\FindProcDLL.dll
    • C:\WINDOWS\system32\SHFOLDER.dll
    • SHELL32.dll
    • PSAPI.DLL
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsl3.tmp\w7tbp.dll
    • C:\WINDOWS\system32\CLBCATQ.dll
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsl3.tmp\nsDialogs.dll
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsl3.tmp\LangDLL.dll
    • browseui.dll
    • shell32.dll
    • SETUPAPI.dll

PE Compile Time

2018-01-29 22:58:43

Sections

Name    Virtual Address  Virtual Size  Size of Raw Data  Entropy
.text   0x00001000       0x00006409    0x00006600        6.40783079431
.rdata  0x00008000       0x0000138e    0x00001400        5.14383173215
.data   0x0000a000       0x00066358    0x00000600        4.00056108793
.ndata  0x00071000       0x00170000    0x00000000        0.0
.rsrc   0x001e1000       0x0001ce98    0x0001d000        7.18565372486

Imports

Library KERNEL32.dll:
0x408070 ExitProcess
0x408074 SetFileAttributesW
0x408078 Sleep
0x40807c GetTickCount
0x408080 CreateFileW
0x408084 GetFileSize
0x408088 GetModuleFileNameW
0x40808c GetCurrentProcess
0x408094 GetFileAttributesW
0x4080a0 GetTempPathW
0x4080a4 GetCommandLineW
0x4080a8 GetVersion
0x4080ac SetErrorMode
0x4080b0 lstrlenW
0x4080b4 lstrcpynW
0x4080b8 CopyFileW
0x4080bc GetShortPathNameW
0x4080c0 GlobalLock
0x4080c4 CreateThread
0x4080c8 GetLastError
0x4080cc CreateDirectoryW
0x4080d0 CreateProcessW
0x4080d4 RemoveDirectoryW
0x4080d8 lstrcmpiA
0x4080dc GetTempFileNameW
0x4080e0 WriteFile
0x4080e4 lstrcpyA
0x4080e8 MoveFileExW
0x4080ec lstrcatW
0x4080f0 GetSystemDirectoryW
0x4080f4 GetProcAddress
0x4080f8 GetModuleHandleA
0x4080fc GetExitCodeProcess
0x408100 WaitForSingleObject
0x408104 lstrcmpiW
0x408108 MoveFileW
0x40810c GetFullPathNameW
0x408110 SetFileTime
0x408114 SearchPathW
0x408118 CompareFileTime
0x40811c lstrcmpW
0x408120 CloseHandle
0x408128 GlobalFree
0x40812c GlobalUnlock
0x408130 GetDiskFreeSpaceW
0x408134 GlobalAlloc
0x408138 FindFirstFileW
0x40813c FindNextFileW
0x408140 DeleteFileW
0x408144 SetFilePointer
0x408148 ReadFile
0x40814c FindClose
0x408150 lstrlenA
0x408154 MulDiv
0x408158 MultiByteToWideChar
0x40815c WideCharToMultiByte
0x408168 FreeLibrary
0x40816c LoadLibraryExW
0x408170 GetModuleHandleW
Library USER32.dll:
0x408194 GetSystemMenu
0x408198 SetClassLongW
0x40819c EnableMenuItem
0x4081a0 IsWindowEnabled
0x4081a4 SetWindowPos
0x4081a8 GetSysColor
0x4081ac GetWindowLongW
0x4081b0 SetCursor
0x4081b4 LoadCursorW
0x4081b8 CheckDlgButton
0x4081bc GetMessagePos
0x4081c0 LoadBitmapW
0x4081c4 CallWindowProcW
0x4081c8 IsWindowVisible
0x4081cc CloseClipboard
0x4081d0 SetClipboardData
0x4081d4 EmptyClipboard
0x4081d8 OpenClipboard
0x4081dc ScreenToClient
0x4081e0 GetWindowRect
0x4081e4 GetDlgItem
0x4081e8 GetSystemMetrics
0x4081ec SetDlgItemTextW
0x4081f0 GetDlgItemTextW
0x4081f4 MessageBoxIndirectW
0x4081f8 CharPrevW
0x4081fc CharNextA
0x408200 wsprintfA
0x408204 DispatchMessageW
0x408208 PeekMessageW
0x40820c ReleaseDC
0x408210 EnableWindow
0x408214 InvalidateRect
0x408218 SendMessageW
0x40821c DefWindowProcW
0x408220 BeginPaint
0x408224 GetClientRect
0x408228 FillRect
0x40822c DrawTextW
0x408230 EndDialog
0x408234 RegisterClassW
0x40823c CreateWindowExW
0x408240 GetClassInfoW
0x408244 DialogBoxParamW
0x408248 CharNextW
0x40824c ExitWindowsEx
0x408250 DestroyWindow
0x408254 GetDC
0x408258 SetTimer
0x40825c SetWindowTextW
0x408260 LoadImageW
0x408264 SetForegroundWindow
0x408268 ShowWindow
0x40826c IsWindow
0x408270 SetWindowLongW
0x408274 FindWindowExW
0x408278 TrackPopupMenu
0x40827c AppendMenuW
0x408280 CreatePopupMenu
0x408284 EndPaint
0x408288 CreateDialogParamW
0x40828c SendMessageTimeoutW
0x408290 wsprintfW
0x408294 PostQuitMessage
Library GDI32.dll:
0x40804c SelectObject
0x408050 SetBkMode
0x408054 CreateFontIndirectW
0x408058 SetTextColor
0x40805c DeleteObject
0x408060 GetDeviceCaps
0x408064 CreateBrushIndirect
0x408068 SetBkColor
Library SHELL32.dll:
0x40817c ShellExecuteExW
0x408184 SHBrowseForFolderW
0x408188 SHGetFileInfoW
0x40818c SHFileOperationW
Library ADVAPI32.dll:
0x408004 RegCreateKeyExW
0x408008 RegOpenKeyExW
0x40800c SetFileSecurityW
0x408010 OpenProcessToken
0x408018 RegEnumValueW
0x40801c RegDeleteKeyW
0x408020 RegDeleteValueW
0x408024 RegCloseKey
0x408028 RegSetValueExW
0x40802c RegQueryValueExW
0x408030 RegEnumKeyW
Library COMCTL32.dll:
0x408038 ImageList_Create
0x40803c ImageList_AddMasked
0x408040 ImageList_Destroy
0x408044 None
Library ole32.dll:
0x40829c OleUninitialize
0x4082a0 OleInitialize
0x4082a4 CoTaskMemFree
0x4082a8 CoCreateInstance

Strings

!This program cannot be run in DOS mode.
`.rdata
@.data
.ndata
UXTHEME
USERENV
SETUPAPI
APPHELP
PROPSYS
DWMAPI
CRYPTBASE
OLEACC
CLBCATQ
RichEd32
RichEd20
MulDiv
DeleteFileW
FindFirstFileW
FindNextFileW
FindClose
SetFilePointer
ReadFile
MultiByteToWideChar
lstrlenA
WideCharToMultiByte
GetPrivateProfileStringW
WritePrivateProfileStringW
FreeLibrary
LoadLibraryExW
GetModuleHandleW
GlobalAlloc
GlobalFree
ExpandEnvironmentStringsW
lstrcmpW
lstrcmpiW
CloseHandle
SetFileTime
CompareFileTime
SearchPathW
GetShortPathNameW
GetFullPathNameW
MoveFileW
SetCurrentDirectoryW
GetFileAttributesW
SetFileAttributesW
GetTickCount
CreateFileW
GetFileSize
GetModuleFileNameW
GetCurrentProcess
CopyFileW
ExitProcess
SetEnvironmentVariableW
GetWindowsDirectoryW
GetTempPathW
GetCommandLineW
GetVersion
SetErrorMode
lstrlenW
lstrcpynW
GetDiskFreeSpaceW
GlobalUnlock
GlobalLock
CreateThread
GetLastError
CreateDirectoryW
CreateProcessW
RemoveDirectoryW
lstrcmpiA
GetTempFileNameW
WriteFile
lstrcpyA
MoveFileExW
lstrcatW
GetSystemDirectoryW
GetProcAddress
GetModuleHandleA
GetExitCodeProcess
WaitForSingleObject
KERNEL32.dll
EndPaint
DrawTextW
FillRect
GetClientRect
BeginPaint
DefWindowProcW
SendMessageW
InvalidateRect
EnableWindow
ReleaseDC
LoadImageW
SetWindowLongW
GetDlgItem
IsWindow
FindWindowExW
SendMessageTimeoutW
wsprintfW
ShowWindow
SetForegroundWindow
PostQuitMessage
SetWindowTextW
SetTimer
CreateDialogParamW
DestroyWindow
ExitWindowsEx
CharNextW
DialogBoxParamW
GetClassInfoW
CreateWindowExW
SystemParametersInfoW
RegisterClassW
EndDialog
ScreenToClient
GetWindowRect
EnableMenuItem
GetSystemMenu
SetClassLongW
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongW
SetCursor
LoadCursorW
CheckDlgButton
GetMessagePos
LoadBitmapW
CallWindowProcW
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
TrackPopupMenu
AppendMenuW
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextW
GetDlgItemTextW
MessageBoxIndirectW
CharPrevW
CharNextA
wsprintfA
DispatchMessageW
PeekMessageW
USER32.dll
SelectObject
SetTextColor
SetBkMode
CreateFontIndirectW
CreateBrushIndirect
DeleteObject
GetDeviceCaps
SetBkColor
GDI32.dll
SHFileOperationW
SHGetFileInfoW
SHBrowseForFolderW
SHGetPathFromIDListW
ShellExecuteExW
SHGetSpecialFolderLocation
SHELL32.dll
RegEnumValueW
RegEnumKeyW
RegQueryValueExW
RegSetValueExW
RegCloseKey
RegDeleteValueW
RegDeleteKeyW
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
SetFileSecurityW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
ImageList_Destroy
ImageList_AddMasked
ImageList_Create
COMCTL32.dll
CoCreateInstance
OleUninitialize
OleInitialize
CoTaskMemFree
ole32.dll
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
VERSION
SHGetFolderPathW
SHFOLDER
SHAutoComplete
SHLWAPI
SHELL32
InitiateShutdownW
RegDeleteKeyExW
ADVAPI32
GetUserDefaultUILanguage
GetDiskFreeSpaceExW
SetDefaultDllDirectories
KERNEL32
[Rename]
%ls=%ls
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.03</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
NullsoftInst\
pk>$/M
SvS4[Z1
0piM.$
aHpE@!
j@/R2)
5XQ:z*
jwh#%|
j-,~HC%uv
l^ene!
D1sI,I:
=BxPda
dD,_dG
$h]C6[
-pm/d'
$eF:]qI
7hJ?c]
i|g8Y;z
^De8-d
^E/qcC
rm4^YW
b!+Dg1C
] "yhb
fq%*@E
/~60"?F
X9NVQR
7R]9C<OI,eY
Sb?BN)
7>r'w)
&FKzZ][\
. 6^36
E!["^Z
Ramyr%
"t{CPn
Z#+@a3
i\K7_c
7W(rI-
Y@PNm[
~!T<&\',
k?L{I
vk6V/X
:_KQ{{
.B^^[X
Ky}oPsAH{
Q7_op6+-
\=tCW,
Eb|o#$
uH0(K4g
dp)>!F
dt.VFO
u,~M"E,-
Jyt0z8
#n7'/`
0\aJpez*[
-0Yl6v
8ReA[&
vK-F\f
cV9}?h@
m6ZGs]
$Szhct
YZ:]wS
:4R/\3
?Rbz4O
FS`{ET
xC"(yr
]#m|z
CEp[rJ
%OZ:^oyp
-ok,Ib0
o~@o PU
g0@ewF
QXJ^p`h
"BrSkG
#<:fn6
%Pu64+D
2~1(;{
4&.Z;1
KL|`p.^yB
KY quT
?vuoZ8
0n9q"f:s*
#g{u0Y
C~&*4|
=s:nxP
p\M7zonK*
l$"Tpi
ipf]@/2
]N@mVo
]6]&cX:
Ls|lK5k
p+&{a5
*idWz8?`
s~whce
Yv`|'1Z
(vZcUW
IjKrMx
'?l}wf
f73iY3
D,$p$~
L}JRdX
FAJ +=Y
P:XuvR
eK9]v`
=JA2mZ
a;}s}wk
KS.1"QQ
z\J\&G
{W4T#Q:
Q B4[AD
<wLfkXPE
'$kESu
1yYgCG
K&<OfI: @
qz jMPb
JlOtNG
j6YvJQ
gi)yPQM
h?(70
guf?ad
4c;+Ew
r{`+J(
cn77I#%
5d]KO`
9@ `e<
(Gs]<D#
^6n|jr
YEX$O#S
Ra_{a&
aT:;q#
$3b'>/
vagxwNa
]ThHW5
$'($}y
r|Z+eH
IV2p+C
){hlBd}
`ZbA+1O
pnv=0[
n$s0y6
1%TZ}
7 &9EE
2|tF2}
Y*K>{/
kKpXL~!
A|~z<h[
R%b91e
CGDOki
CasVS]
tifgjCm\
A!f Nkg
vz#04h
q\;jV-LH
Q^"pRD6
v>dWgS
Ase_l
,\uZ9.+d
SZ+V&u
q1(zZ+
x*CA^]
yxLbE[$
s'[J+-
t"Y\nE>
?u{gd/
c7%]80
(!Lu&8
SebUCJ
SXo&5#
6@Hyd{.Eg
h^)Y4fs
3EBzU,
-c Sbe
I~T&I6
,{TL9t
"z-m+~
;w6&-l
~j7~\x
Thu,+=
vvQ&uk
xhXK}
]C}p_w
tO5?0;v)
<NufC
!6uA,$K
k;!/
[8XS"P
{szV*:
rp>_ZT2
nA`{61
J$V{L*vZ
*\ "WO
>MU\n/
AFLc~b
6r:Q[{B
~UR9FED
pJx5=${
QQa5W[S
%Glz$"
uDZ{~U
&/<Z4.S
|7yRnp
^}5xa2
ZX&HX%
aW@^@#
a!j|^0
YX"cyi
~XHVm3
D7ZJA[
^18IKDX
Q)t~D?
y*1~>%
gK)vbX+?
fi0"GLw
"nP)Ga
m{`[K;
r@PWd9
6)6|5R.
^i[;1$#E
gV=S?P
[e5F^w7
4<R(`J
")`X_K
/yboKF
xa-$:7
}4H>v>
<I.~;eL
C*N_,W
/F;^Wh
%\ZeRc
0:S)Ak
KmlF@F
_Ov[%R)Is6
lw8/x
^b.}hg~
HV5{E5
b1kMYm
y SY*K
3UY*o$;
9xl#kW[
oAG3RD
:g_z+O2
;OgsqKd
D<k4;FO
z=:8"\
xO9sHy
:xrM+X
eS"ye{
/$*mpjq
q/%$D7
[)5n$
AJ5)&38
u.*;LN)]d#
CvSYC>
"~vh`7
wx#>_
{Ke!'%
8p;ZK=$
jdM<Pxu
^2l+z\jc
#<e&SW
"B{CI2l
*Is %#
9+mS/_
J"gfOt2
jPV,E
'</sv:G
yF'|M<
EH]AGy
+1o]KF
\e#L*'
ewnkx!
O4?]@@
mZX"fP
Y5?`Q#:z
/Ikqx6<
uwYF@
hqqGNgh
`4*bjS
O: `C!0b
J)HdZ^&
z9fE&i
r[qKB*5
z*x6"7
KQ/m{Nf
-?K:9q
2^vO"i&
G"rQ'|
0Gp~o7
N3F.7m
C5M*NFi
W.)0s/&
6*oI;,u
[z+$ f
|&"R!t
3a-e A
^%o@JFM
xdjC\W
@ ik2G
`6JGL3
U\LhxB
>kP't
W|&9)|~1
eg02h,~
&},Smi
D>&=V2
gQXlN]
HXlMq:
M*sg4z
jH,W2W4hUv
e)2}099
bfhL2U
eiKM@
G\f}q
/na+-
#M32fG
AaQ_G<^
os*<Ej
;YJ[1"
0O\*?G
1V]\0y
<kc{}H
!_1 3r
^g^hA>
uG(`8d
qNn@fS
%6:5xm[
q E#F^
>5IrcE
4d"M>8,
pAX /z
e1#p,6
i4A$:O
od{65d
N{yD9i~
 2SMj
8lWTAh
U.7A[R
r-5W[<i1td<3w
2q*8Q
==.5#i
kYR>ou
lP|*8lh
CN",Fm
|Nol7wY14P
T8Xr0K
Mw)<X1J
bNU1BC
:jm|'mcm
Lt\t{mI
:QZl_.
+LP%2>"y
PT|D^V
HJgm98
tP6Aiw
Z\o']V
iFU{&u
<FAA=
<.sN[>Ov
aI$?;E
>bB*Yb
CE[Zcg8t
;ci7J$
=l;Etz
CL_@2f
-hI1c$n
)~OE"( 7
eVn;>*'
CvH,nU
<&*:*o
6JX,$6
99&Kg`4
GYHh %^<
~<Xk!Qq
gXSjNI
KC3"zKe
{cl=s-,
>U#F\
a`o9DZ1
z(A[Ds
Olp=S_
B$EbU'
"nzXm>Y
N+0/@J
Y=HT^u
~B7lpP
: C!!7
PyGo8>D
)W1":]
m/p!}u
fj5QK[>
nLp9&WJ
v5 HM$M
@dSpZe;i
KAn=x`
1CQH!)]U
*!=XR.
;b-riZ
{MsC0p
:r)+v]
XHCCHi
gp>2c
Cw4h>%Rn
r|ap8}
wf5LwEZZ
prTa38
N8?(uACf0
_e q6N
oAy)Zn
]BV%~
3x;Mh*Y
rn.0{\
^<U%^o
K^5xqt
GB>*Os
!v hp4
8hPyy&
]kvY--
[D|DY$
Z#|8R~
_x{F,A
zyQBI2&
&yy6q,
u+4c0l
aWk?y:?
tN\EkR2bz
%8+qxYr.
#/?ed6Z
Fcr]E
9qP -F
i,![(E
BLG`rV
~!41=6$:
rSS/4?kH
7-S/17
Q^%6&E
xtM{h1uJTD4/
GAm(4JA{
-gJL/&
!IoDfJ
!3\Hb{
(O,zRf
Z}qvj[
+Di6#PV
`EWPiP
{H/WB&
9]?R&$f
W_lv6W
fnR>0KCrKe
>PU0v!
=Xs>g/;
Xyj6j;K
R>QeJ $
^y6;]B
q\:p$'O
[ ZV>r
IPr?xZ
`:-lV
C-)>YO
BXW*2>d._
C>)S><P
Qj`I`H
FdTz?b
6[hyu[
`6CQ{
s`n=4y
yxz+//
S2De>if.
7M/-t3
Y:HV'S
%tsH`\
,WGhf1)
Sm:q0/i
=i9Rt
HGbCL@c*~
S~7,J@
yJq>tc
MV!YG#
jaMrcm
E$7$<0
=#T2MLIfv
}f%D}[
hxpJP*
Hd$PE
\33\}'
"3:{H\!
ctfLsX
9Z!vOuDoy9
&pT_`m
v3]6WS
MH4 w
?v(x-U)
#P9)|u
avbTkd
Oy&C3
}\'jyS
i.C{*I3
5Hg]e{0
?^[yp
G{E%=bl
dSa^iXr+
&C:j*N(v
mgU7!m
*S!%yS
L6Rq25
_W5HrK[
Z%=qmH
&r\%82
"7(*Im
>7p1>V{
rOSz-75
^vkrVh
ig42yJ
S;0TJy
}Ut.6<>
t'O?Ah
`&}.j_
%l<'ES
oL3KmI
`}G(t`
F/n%,vH
5D-_nj
pV(RWp
^kT6E"
erFU,f
|DR&{
uKlJ1WT
7Xs;Och
r\o,*0
qA:8x]
RI#Vik
00pZMn
aPemk=.2
N<T)@!
2';I__
ve0(TA
2+1Hge
AHy*TS
mx"h-b
A*+>Mk
eKmz'#
nX;\v]u
%5>n28
TYZ6;.I
xyxnRr
.ZY!8`?x
Atu-m$.E
I|RI8"
n<kv(HBP
e;E"nc|
U[U|-
;Q_%B*P
RDq}/
T13q8ac
4/6fE{
Hs09cL
7Rk0;i
t&Z!c
+}(k1b
xQhF]r9
pZAww2~
wOeacn
*_J=kd:
r>b;x`
#_d[J!5
$SVmW#dE}s
N}!&:
'vUvHPf
7'a-<S
_Y>[p5
7CyzW,4
np*u3^
WAHMu!
f{8RfY
.w'I^wGS
W\Y'$O
Ah[G0G
QMms\Zt.G
sK?N^8
tQgPGtt
u1{:,")
X"n[;5
BdNoM7!
N'>[[{
3G60IX:Z
|,24'p
2=Qo:=Bo
fCPB(9
rM=W|]
YDuO3J
:@13g U6`
L1nf&s
?JRw".
UfuFP
edD4]5
["WdP\
6}\70b
/Vpp77
Q.zJVM
o2lQ.4
BEB@/L/
=;'wCj^
DgJ$fN
'2ZDZz
o$I&YA
HKYGJq>z
K0;U[@n
'(m%26
Z-@6`1V
TMgCx;
/{A!{u
:y[Uj]y
EpTz7(
QGC~/$
Djf^l4o}?j3
+@I"&c
G"h{mC
hymL,-
XGyAAsTNr
t9)lyc%
<jApZ.
5K`tS1
VMW]f_
lu'GXn3
KZOM :g
GE<.j4
fGe2Tb
$iXg{JY
r(z;G!#%
_JFQRk#
QyD,X
Co5HD7
&>[)S
3(z#z=}<c
0f1~km{
m,4Sz"
hQ<8(Jlq
lfu8^xdr
-9i?A~)
1{EW\J
)s>"E0
*'BWJS=n
+3?jW(
k7CMy4VeVO
a ZVEI
'aZg=l
}f\%]P
2lc-x!\;h
8Jj>S)
ndIA5O1
"G=9|mE
K)mpzX
c+5vwl
1_$0\%Hx
^ILE{i
}_9tB;
$B>S:@N
j9;B:`
5VU46.g*
kGX<n"r
$H;tsS
@?|Qg$
$t[r+DilX
}/g5J]Hi
Lk >IM
k(@P;z
MsdZFh9\
m(@MXp
&.Ag\B!+>
$hRHH0
sKMuk]5
Ew}Q:B
j<,oo\
:hJ,4k
i?~RrN
9M>sh>
]nrXR,`s
")I<-8
9}o/3p
aka5,i
8x~20
uPYFj@
oM>,!-
Q.5}}
BJnfIg_
,0OJ6
sJ~D!
_>QwjB
PQ-JB]
)Qi&}i
5*P_x*DVa
YqgXQA
bV<1OC
CK(.&
SRG+}!
bw1U-9\
23G!98
CJ|xfU
#sc_L!
=M(XES
LwgI<'
^c9_lB
h.wo"(y
}0\:z^
g*]j\~
#[XcL5
kSGdJM
QWBVH@f
.y<6w|^
u3!'Se^
*"r@{<
gIGhF
~6j&e[
t$ue]]
x]y_|~
q>thnL
x3&8a
0r=ex!
azpDD,}A{Y
a)skIw@
~C_d)L
D9kbrd}
pMIdDiC
Xs1*&0
,I8Kyf
I\S0B@
Ks[c`8N
]Ou ;pq
)Ay*X^
k7HCzl
6mG@*Vn
YME5Qd<
EUt+Z!468
'|SA1>
+(k0MM/W=
>_%DlI
{`yMUE3zE
6_mW?V
E[Ljq|V0
R&GZhR
SB<SkM2
/pjrg]g
^~HQ]^pA
&QV>D?q
CIu7|VHE$
FQ)P-Y
c'8h{ql
OvUFO(
8(y=m
g]BB$&
~o$FiJIzx
H.Zc]4H
5']?V__
&Jx\X:
>q^6{Cg
'7B/>!
v^-]JBw
[i,Ko5
VRP4'6\
9T4;`,'
"9#>,%
=/)=_$
H7r%~.Q
N>t|'2
C.?/7|8
uXXRA/S
.OhBWY
[un]/d96
Q\CBlA
Qkl;YP
`u!0e&aO7
0,sl}|
xr5\.t
t@`^ru
sbN:~$
U0e@=5
efNKzx
sRFDpoT:,6
fj+H;~
B6uj62t
`(LE{D9
U9Yaik-u
r>3=%./
Ui@wzV>o
VS5hc`w^u
_u_.df@
WT\`$B
8yc:pR
Eo~[9z
:(~EOY1
:*S~|ao
?0Uh@3
kx&.=]
"X/zvQ
.<ouNI
8F;dvH]
qm'74pV
E?zZ!G
*B|B?wu[
y|>@z6
+v|/kU$
M-p4c5
Xv3N0 w
Y`HQE$
(q#/l{
w\;^=o
YxU=(4U
: fgde
V!I(Dz
Yb/=:)
|&tJqb\Y
|D%X#xuVD*5
W%um)n
Jd<C^9
jLD,4Y
sJm]Y
tL4mGL.
eod3t+X
<|"}D!
~B=p.]
H6IV\=HM
a9ON<?m
VGffT(|
^_e`0N
ipc 7d
:{G%s'&6
PwhC,+6
:?T+uV
.Ph0HU
C0_MQw
{xF,^ XQ
cXhh<
CXYR9
r:8ew6G
Q%D82v
4bUw}+
<T0nE+
L)|.^-_p
1ry&-5@
>Dckb;l{xi
0=[U)vv`
v,BYQ
8C4WdC
;MNgD}
Fg! `~0
sr\BD/
&2glME
wHY}""z
*R]l')9
6zgp9MG
t489/fM$s
^mZ#Vj
wS'ppN
*p)k0x
/-#Sp~
9Ize*6
"Naf7V
e&rZZ<
=\>}Hn
'dxUdt
ax5@,w
m;NL.i
OCFXHKpGf%
S-%s&#Y
'<cZ-z
;PF}AvFD
.1ncyiBOF
(yc83F
:zX{0[+JcU
O@-uTHH
nugT/ZE
/k*UW{d
bb+B@(:
8H%[Z_
@bjc_G
eh+AMX
K]"IY?
JE/4B
rAI1U1d
D7-zGt
[ScQ,j"
^_Y8a}
W?JVh4
s:[([xc
J*:tA5
uyT6;kJ
?x=PAa
L[buLY[q@|
,j>C0azD
?&fW1J
hy5{`M0
I-,%!S
begW4
!*MY2n(
yP#3{
-|wCTK
{"w]Y1
d4E@t=K
B .TK/9
^zYGI
ZrTrgR
v5HY#{wv
IX-h23i
&C_+|U
'"V_ZE
jV=8tS5
CH\sa=#3D8
#T-aMm
!ojnZL
R$,jHA
d#]|JI
QnJL:\
ZF[5(c
n|*6#t
8B4+5k
?Dy7u.#
SCdH^67a
2+(0_F7H
y7_++8
bAb]f
TtbBzR
V1YE3#
Qoqbe6U
aI&lW>
j0|`>W
F*auYd[
= B:,z2a;
YNghE:m
oG$eWgf
B_mE.#XG
XE_(8o
askY>]
!1M37A
2<)'@fC
b)^OSHa
9Z:~f)
1147{v
aM.:Bee
a2"[-L
k{\j q
WWs]g2
0K!W?
M>5,m{H/
RQcOG
j==3"A
B=ahT[R
,?I)~d
*(nu8K
vtDtbJ
Cw("}_
eIc}!!
1xmXlQ
%/s'x5
!k |@TX(H
[`2VOf
}\PGc&Y
RQ:qe@
;<52a-
=u$i=Z
buG`v8-
nTEHf*z
q\u=t&k?
Lb~s%a
YkA<"]
7?KpIuQ
.Q]h5b
e)I_j9TT,
|]+4=+o
UyMNmk
{6tjPi
xpmSp9
/2BXYu
|FRoBK)
)V{ 8A
maGko|T(
IJ.[]~=
)-oUr`
<j{HW+s-
EsZa90eC
BHAy2{
F$Y|D`
W=,xng57-
GxG91v)
.&FRsn}k8s"
RmE3{0'x
K'?<{;
n##$1X_
,vW 70
f~2\#E
F;P*3*
]Xv>ZD
h"v`O}(
\'tf<*
+-^;dQ
aVSgp999
]D-7AW
&3Q|'[
K9T`%?=~
.!b;[*
]M0w*
=X,z?t
7j(B9E
]ez5Gz
=j.RBG
k8ATSY 'Q
,"hqcO]
RichEdit
RichEdit20W
.DEFAULT\Control Panel\International
Control Panel\Desktop\ResourceLocale
Software\Microsoft\Windows\CurrentVersion
\Microsoft\Internet Explorer\Quick Launch
verifying installer: %d%%
unpacking data: %d%%
... %d%%
Installer integrity check has failed. Common causes include
incomplete download and damaged media. Contact the
installer's author to obtain a new copy.
More information at:
http://nsis.sf.net/NSIS_Error
Error writing temporary file. Make sure your temp folder is valid.
Error launching installer
SeShutdownPrivilege
NSIS Error
%u.%u%s%s
*?|<>/":
%s%S.dll
MS Shell Dlg
RichEdit20W
MS Shell Dlg
MS Shell Dlg
MS Shell Dlg
msctls_progress32
SysListView32
MS Shell Dlg
Please wait while Setup is loading...
MS Shell Dlg
RichEdit20W
MS Shell Dlg
MS Shell Dlg
MS Shell Dlg
msctls_progress32
SysListView32
MS Shell Dlg
Please wait while Setup is loading...
MS Shell Dlg
RichEdit20W
MS Shell Dlg
MS Shell Dlg
MS Shell Dlg
msctls_progress32
SysListView32
MS Shell Dlg
Please wait while Setup is loading...
MS Shell Dlg
RichEdit20W
MS Shell Dlg
MS Shell Dlg
MS Shell Dlg
msctls_progress32
SysListView32
MS Shell Dlg
Please wait while Setup is loading...
RichEdit20W
msctls_progress32
SysListView32
Please wait while Setup is loading...
RichEdit20W
msctls_progress32
SysListView32
Please wait while Setup is loading...
MS Shell Dlg
RichEdit20W
MS Shell Dlg
MS Shell Dlg
MS Shell Dlg
msctls_progress32
SysListView32
MS Shell Dlg
Please wait while Setup is loading...
RichEdit20W
msctls_progress32
SysListView32
Please wait while Setup is loading...
RichEdit20W
msctls_progress32
SysListView32
Please wait while Setup is loading...
VS_VERSION_INFO
StringFileInfo
040904b0
Comments
For additional details, visit PortableApps.com
CompanyName
PortableApps.com
FileDescription
Q-Dir Portable
FileVersion
7.22.0.0
InternalName
Q-Dir Portable
LegalCopyright
2007-2017 PortableApps.com, PortableApps.com Installer 3.5.11.0
LegalTrademarks
PortableApps.com is a registered trademark of Rare Ideas, LLC.
OriginalFilename
Q-DirPortable_7.22.paf.exe
PortableApps.comAppID
Q-DirPortable
PortableApps.comFormatVersion
3.5.11
PortableApps.comInstallerVersion
3.5.11.0
ProductName
Q-Dir Portable
ProductVersion
7.22.0.0
VarFileInfo
Translation
Antivirus Signature
Bkav HW32.Packed.
MicroWorld-eScan Clean
CMC Clean
CAT-QuickHeal Clean
McAfee Clean
Cylance Clean
AegisLab Clean
Trustlook Clean
BitDefender Clean
K7GW Clean
K7AntiVirus Clean
Invincea Clean
Baidu Clean
Babable Clean
F-Prot Clean
Symantec Clean
TotalDefense Clean
TrendMicro-HouseCall Clean
Avast Clean
ClamAV Clean
Kaspersky Clean
Alibaba Clean
NANO-Antivirus Clean
ViRobot Clean
Rising Clean
Ad-Aware Clean
Emsisoft Clean
Comodo Clean
F-Secure Clean
DrWeb Clean
Zillya Clean
TrendMicro Clean
McAfee-GW-Edition Clean
Fortinet Clean
Trapmine malicious.moderate.ml.score
TheHacker Clean
Ikarus Clean
Cyren Clean
Jiangmin Clean
Webroot Clean
Avira Clean
MAX Clean
Antiy-AVL Clean
Kingsoft Clean
Endgame Clean
Arcabit Clean
SUPERAntiSpyware Clean
ZoneAlarm Clean
Avast-Mobile Clean
Microsoft Clean
Sophos Clean
AhnLab-V3 Clean
Acronis Clean
VBA32 Clean
ALYac Clean
TACHYON Clean
Malwarebytes Clean
Panda Clean
Zoner Clean
ESET-NOD32 Clean
Tencent Clean
Yandex Clean
SentinelOne Clean
eGambit Clean
GData Clean
AVG Clean
Cybereason Clean
Paloalto Clean
CrowdStrike Clean
Qihoo-360 Clean

Process Tree

Q-DirPortable_7.22.paf.exe, PID: 1584, Parent PID: 1392

Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (i.e., pip install httpreplay) will allow Cuckoo to do more proper PCAP analysis including but not limited to showing full HTTP and HTTPS (!) requests and responses. It is recommended that you install this library and possibly reprocess any interesting analysis tasks.

Hosts

No hosts contacted.

DNS

No domains contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name 189b1af95d661151_launcherlicense.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Other\Source\LauncherLicense.txt
Size 18.0KB
Processes 1584 (Q-DirPortable_7.22.paf.exe)
Type Pascal source, ASCII text, with CRLF line terminators
MD5 ffa10f40b98be2c2bc9608f56827ed23
SHA1 dc8f2e570bf431427dbc3bab9d4d551b53a60208
SHA256 189b1af95d661151e054cea10c91b3d754e4de4d3fecfb074c1fb29476f7167b
CRC32 A6D3A2F5
ssdeep 384:H4j2PmwE3b6k/iAVX/dUY2ZpEGMOZ77oPpDqHZ:H46uh1iYWrTXoPpDqHZ
Yara
  • contentis_base64 - This rule finds for base64 strings
  • embedded_pe - Contains an embedded PE32 file
VirusTotal Search for analysis
Name 5907b111b4bf77e2_q-dirportable.exe
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Q-DirPortable.exe
Size 161.4KB
Processes 1584 (Q-DirPortable_7.22.paf.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 06a77b9fdc5880622560deed33056c0d
SHA1 41a634e0cfd8daf5c41a789503e93dab890adfc7
SHA256 5907b111b4bf77e231a7324c989b74a268e8b829ad15f19726c8d245b4fa1c0e
CRC32 509657FA
ssdeep 3072:yweqOYEUXPnhK1GaLACoGHe5+7kjmazLLl9aRev0e:PEUXY1GaLAC+GkfLlI5e
Yara
  • IsPE32 -
  • IsWindowsGUI -
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasDigitalSignature - DigitalSignature Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Nullsoft_PiMP_Stub_SFX -
  • CRC32_poly_Constant - Look for CRC32 [poly]
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -
VirusTotal Search for analysis
Name ada3c3e8a81a022b_q-dir_x64.exe
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\Q-Dir\Q-Dir_x64.exe
Size 1.8MB
Processes 1584 (Q-DirPortable_7.22.paf.exe)
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 ccab95352d9ce9f7bf761fe9d804c865
SHA1 090336bddbf41eef0734a9f939f501bfff03497c
SHA256 ada3c3e8a81a022b50dd540053df6e22da7b5dfd98fc6ffb5eccd2ec87be424d
CRC32 3A731AD1
ssdeep 24576:LpOrBqGWQe+HxPR2X0exotBCDQ3YlfeNOyndU9HTHxT1Use08PoWs0:LSBLDe+HxPR2kemtcDQvZUraze0
Yara
  • IsPE64 -
  • IsWindowsGUI -
  • HasOverlay - Overlay Check
  • HasDigitalSignature - DigitalSignature Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00055_Alias_PIX_Vivid_IMG_Graphics_format_ - [Alias PIX/Vivid IMG Graphics format]
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_00810_FSG_v1_10__Eng_____dulek_xt_____Microsoft_Visual_C___6_0___7_0__ - [FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01129_Microsoft_WAV_Audio_file_ - [Microsoft WAV Audio file]
  • PEiD_01130_Microsoft_Windows_Shortcut_file_ - [Microsoft Windows Shortcut file]
  • PEiD_01272_Neolite_v2_0_ - [Neolite v2.0]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_01693_pex_V0_99____params_ - [pex V0.99 -> params]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_02161_Stranik_1_3_Modula_C_Pascal_ - [Stranik 1.3 Modula/C/Pascal]
  • PEiD_03512_Xtreme_Protector_v1_05_ - [Xtreme-Protector v1.05]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • DebuggerCheck__QueryInfo -
  • anti_dbg - Checks if being debugged
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_mutex - Create or check mutex
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • win_hook - Affect hook table
  • contentis_base64 - This rule finds for base64 strings
  • Microsoft_Visual_Cpp_80_DLL -
  • maldoc_suspicious_strings -
VirusTotal Search for analysis
Name 45707a596c0c4491_appinfo.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo\appinfo.ini
Size 626.0B
Processes 1584 (Q-DirPortable_7.22.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 30f205072b0c9aa4fedf443c0cbb20b1
SHA1 19ed08fe086bd05c7a82fdddd3c386c8513f8202
SHA256 45707a596c0c449183aeec314f1e5878b295243eac5dadd5db5654ff555bdf25
CRC32 1CBD12CB
ssdeep 12:kiQPJNdYlfb8P/xyhKK6n9y42WvAUvMrHehKFHXVcqBIIu8cqBI48bo:kHPdIz8PQd69y4r0rsKTc6IQc6I46o
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 1052bda69dda0c4a_license.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Data\PortableApps.comInstaller\license.ini
Size 44.0B
Processes 1584 (Q-DirPortable_7.22.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 db36c1ead29ba787daa9ea7a98bc27f7
SHA1 8c8fd1a6b0e38c71a048924e4ebac51d60b8740c
SHA256 1052bda69dda0c4a04ef3ef9465007026ca5737a2296e7539529871029024f42
CRC32 77606081
ssdeep 3:WB/WyJXLpkzGUov:WppXLKwv
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name ced685b3e709cc09_help.html
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\help.html
Size 5.7KB
Processes 1584 (Q-DirPortable_7.22.paf.exe)
Type HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5 25fdf7c4c6962b9e79fc3586425c9e43
SHA1 0cbe78640f66aaddab671e748bc802c6d3466202
SHA256 ced685b3e709cc09a3c3d437b5893161fcab3ce7135e0ab129a4f698f29a13df
CRC32 9CE0953A
ssdeep 96:M53KeLV12hKyQCABwwduWipBcZEHFCAMyxyzvhcxB:M53Pf2hKHCuwfxCFcj
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 46a1d50a869dc7e2_help_logo_top.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Other\Help\images\Help_Logo_Top.png
Size 2.5KB
Processes 1584 (Q-DirPortable_7.22.paf.exe)
Type PNG image data, 229 x 47, 8-bit/color RGBA, non-interlaced
MD5 0f024e316973b9d87f3f4c3a1f33c448
SHA1 8ccaf998d7b14731829c0d1104d6fa7a1adc7247
SHA256 46a1d50a869dc7e2c0511cfbc77a15f0092ad9fba0b068736f1e512683a47ee4
CRC32 8F37D7F3
ssdeep 48:NaRbpMYHmHcRu3nh77X9/aoy/b1MUOgmLFu2J:YRbqHSI7TZ/RgSuI
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 88c0749cc9ca14cc_help_background_footer.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Other\Help\images\Help_Background_Footer.png
Size 168.0B
Processes 1584 (Q-DirPortable_7.22.paf.exe)
Type PNG image data, 10 x 16, 8-bit/color RGB, non-interlaced
MD5 6af4a82693a403b0d0afde16972466f5
SHA1 1ab8a3d0cf22cde23173b6b41521377c0fdbeea8
SHA256 88c0749cc9ca14ccea1af39dffaccf7b7c35e5b5603b1e451fe7fce508252480
CRC32 8468EBFD
ssdeep 3:yionv//thPlHvtntCZRthwkBDsTBZtv9L//gbxCRQe1e//VHgNqUMwF/2g1p:6v/lhPo/nDspvmb8RQe1IgN1MwFdp
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 5e0263c2e8321e8c_eula.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo\EULA.txt
Size 1.1KB
Processes 1584 (Q-DirPortable_7.22.paf.exe)
Type ASCII text, with very long lines, with CRLF line terminators
MD5 6fb3ee2c6fdd6a99361877926baaa102
SHA1 26e3fa7d3707396ed8534466ade08d99530b9107
SHA256 5e0263c2e8321e8c75b78e885794cca0e188d9e37d3eda71d8bda16a44d4d682
CRC32 AD72B680
ssdeep 24:FdezwwXcU3EPxu+D8P8F6PHuasAyhOk5KHTVObDZCmfTHOQtiJl8:FdQwwXpUP4Q8P8UPHuasTf4HT4D0YHTj
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name ee13539f3d66cc05_modern-wizard.bmp
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsl3.tmp\modern-wizard.bmp
Size 603.5KB
Processes 1584 (Q-DirPortable_7.22.paf.exe)
Type PC bitmap, Windows 3.x format, 328 x 628 x 24
MD5 4df53efcaa2c52f39618b2aad77bb552
SHA1 542de62a8a48a3ff57cf7845737803078062e95b
SHA256 ee13539f3d66cc0592942ea1a4c35d8fd9af67b1a7f272d0d791931e6e9ce4eb
CRC32 1CDF967B
ssdeep 1536:9Bn13fmACap7r33OCINrac3aKumetKPKqDjoo+1q7C3DNgbgNgLg7gRgeHRVAVVi:90aZr33XW1
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 10fcba54442d33ac_readme.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Other\Source\Readme.txt
Size 2.1KB
Processes 1584 (Q-DirPortable_7.22.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 a42885c42905e847163ce511686463ed
SHA1 74e0c76047cde5e4d8c2dab2c6a7e12d91f14f83
SHA256 10fcba54442d33acc2b58f92ebcff3ce4910e13a0250f57bd11fc8a5e59e7598
CRC32 C6348B74
ssdeep 48:poqWahdxHxG2NlNKxYT9c72bpbGTY/ZzywG2lMI:m3ah3x5Tkxc9n1GTYZzywG4MI
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 58053a49f7c9d07f_appnameportable.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Other\Source\AppNamePortable.ini
Size 244.0B
Processes 1584 (Q-DirPortable_7.22.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 8634c50b01d5ea4adc0d9eca692cbb5b
SHA1 ce39ebe17200463b7625a07288bae88c688f0ab8
SHA256 58053a49f7c9d07faceb35c298022d31da5b00b8840e611074475b41ceb9b7e9
CRC32 0A3AE46A
ssdeep 6:IQE7Em2VPVJSgBYlyGqMwIjAIMLyJQBABCXh5XMWJk/71NLyJQBAK:It2hrY8fjI8IMee2cXhX28e2K
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name e3b0c44298fc1c14_nsq1.tmp
Size 0.0B
Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
ssdeep 3::
Yara None matched
VirusTotal Search for analysis
Name feb6364375d0ab08_nsDialogs.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsl3.tmp\nsDialogs.dll
Size 9.5KB
Processes 1584 (Q-DirPortable_7.22.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 ca95c9da8cef7062813b989ab9486201
SHA1 c555af25df3de51aa18d487d47408d5245dba2d1
SHA256 feb6364375d0ab081e9cdf11271c40cb966af295c600903383b0730f0821c0be
CRC32 9D200B7A
ssdeep 192:oF8cSzvTyl4tgi8pPjQM0PuAg0YNy8IFtSP:EBSzm+t18pZ0WAg0R8IFg
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_function_prolog_signature -
VirusTotal Search for analysis
Name fdd54e63ad0e3c4f_appicon_32.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo\appicon_32.png
Size 164.0B
Processes 1584 (Q-DirPortable_7.22.paf.exe)
Type PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
MD5 098caeda0533188c50fbb241cf3a61cb
SHA1 77d5fedf88d6ef2d1b049aa513343ce5644c9395
SHA256 fdd54e63ad0e3c4fc3fc28367178aeffe0c0b7aadef2ff7641c856d16c11b71e
CRC32 E0BDFB65
ssdeep 3:yionv//thPl3xWrq/Oou6/wl4ITVlM4DpFlLRimPXe5nAG6vllL5TRdEdp:6v/lhPK+91FIw4DpjRimfs56vzxRdsp
Yara None matched
VirusTotal Search for analysis
Name 53bb519e32931649_w7tbp.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsl3.tmp\w7tbp.dll
Size 2.5KB
Processes 1584 (Q-DirPortable_7.22.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 9a3031cc4cef0dba236a28eecdf0afb5
SHA1 708a76aa56f77f1b0ebc62b023163c2e0426f3ac
SHA256 53bb519e3293164947ac7cbd7e612f637d77a7b863e3534ba1a7e39b350d3c00
CRC32 FF2B5710
ssdeep 24:etGS4R/39doyOzHaikQ7I9lYFxu3GUY1Bk5L2:64RVdojLJGWnWMi5L2
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 67b916d1aae1417b_appicon_128.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo\appicon_128.png
Size 989.0B
Processes 1584 (Q-DirPortable_7.22.paf.exe)
Type PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
MD5 b037ff8fc71647969899305e44da0299
SHA1 bcdf48d78d20aecc5fbd76e5a59be74bdbf03bfd
SHA256 67b916d1aae1417b0ba784f0145c29f7fccbd801407e2dff0047f9280b3c4d4f
CRC32 F44D0B70
ssdeep 24:sPmfO35tfSVJm/L46D4IOPKSA3Tjv69WyUfvt+dYMv1:sPmfyt6M/LFDgtA3T+5Ufvtot
Yara None matched
VirusTotal Search for analysis
Name 9abc52858ae4ddda_donation_button.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Other\Help\images\Donation_Button.png
Size 1.7KB
Processes 1584 (Q-DirPortable_7.22.paf.exe)
Type PNG image data, 110 x 23, 8-bit/color RGBA, non-interlaced
MD5 bab4268c0bc3b3051ff38b21dbe35a44
SHA1 ea7adbbd731bb1747afc9da72340a0444b29abbe
SHA256 9abc52858ae4ddda224ee9d229cb38d252ae9ba46633da4ac14fada25dd489c6
CRC32 F486C53D
ssdeep 24:aoPfexW3T0UjeA2fijjxMhDnUcO7QLgYNw69rFbyQCwbozK8yxkxuE3u5F3pKXTP:aw3T0GeA2yMhocrVN5uXwNF0FGpU
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 37082026e1e73e62_appicon_75.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo\appicon_75.png
Size 5.2KB
Processes 1584 (Q-DirPortable_7.22.paf.exe)
Type PNG image data, 75 x 75, 8-bit/color RGBA, non-interlaced
MD5 c8b1c3b6973015c326811157deb2de2e
SHA1 a2fc1289b4eb63827b514b55a2748967d9e5edbd
SHA256 37082026e1e73e62937b0d46cc9ca72ae16c35a487eaef7fb266e0adeb1ed8f2
CRC32 E7DB35BF
ssdeep 96:LY22fhEkBAtzsU6Hv2gNvn3ghTqP1+2rbN+iI0WDt3/JY6clx/:LeEkjlv2gNv33PYmI0cthYFH/
Yara
  • contentis_base64 - This rule finds for base64 strings
  • Big_Numbers1 - Looks for big numbers 32:sized
VirusTotal Search for analysis
Name 86cff5eaca76c49f_LangDLL.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsl3.tmp\LangDLL.dll
Size 5.5KB
Processes 1584 (Q-DirPortable_7.22.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 3dd80dff583544514eeb3a5ed851a519
SHA1 56f7324d9d4230c96d1963e7b3e02b05a6cf5c24
SHA256 86cff5eaca76c49f924cb123d242fdcfd45ab99c4b638d3b8f4a8cfb1970ab5b
CRC32 8DDEA4F1
ssdeep 48:S46+/p2TKYKxbWsptIpBtWZ0iV8jAWiAJCvxft2O2B8mhofjLl:zf2uPbOBtWZBV8jAWiAJCdv2CmwL
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • screenshot - Take screenshot
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 3959381aab454359_help_background_header.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Other\Help\images\Help_Background_Header.png
Size 269.0B
Processes 1584 (Q-DirPortable_7.22.paf.exe)
Type PNG image data, 10 x 42, 8-bit/color RGB, non-interlaced
MD5 a1eaee3ccb8169b680415d713720a2fa
SHA1 8cf2eff4faa05a34bfb0b641b8765773c7ac2ed6
SHA256 3959381aab4543593fa69fa7980946dbf0b0bab25924c8b38f6e88f7f69b9c19
CRC32 D14F00B1
ssdeep 6:6v/lhPTnDspO68hvS6IBe0ZZUngZlq+2dp:6v/7Uk68FS6c3UngZlq+2z
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 42f45cb1e17fede2_modern-header.bmp
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsl3.tmp\modern-header.bmp
Size 100.2KB
Processes 1584 (Q-DirPortable_7.22.paf.exe)
Type PC bitmap, Windows 3.x format, 300 x 114 x 24
MD5 9b00859b987f539b9d48edcce6e30506
SHA1 a098d9bd79a6f557c27a50f7fa8c9edb31a932b1
SHA256 42f45cb1e17fede2dc040346b05553f738717f3dedc127c30f8cc53b0a23ed6e
CRC32 778222CB
ssdeep 1536:t5DrxHn5DrxHVALALAEr8UPLUPLUPJcUx+k+z+pf+z+z+oALA6O5KHhQKHh+KHhz:lw
Yara None matched
VirusTotal Search for analysis
Name 493c207d380e4056_pac_installer_log.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo\pac_installer_log.ini
Size 550.0B
Processes 1584 (Q-DirPortable_7.22.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 3813c6612fbd5f74ec64e795b1075467
SHA1 67ca37ba8312572faea612bccad00cfb430996e6
SHA256 493c207d380e40567bdae38184425a56068cc03a24338a112ef4b2e55b4352c8
CRC32 0805F07A
ssdeep 12:EpXSg0uU/DA5WV9ARjUR0PXFj02PXFxxBAh9jAqK6oILdKiL0KygHNXbjyhov:E5SZ+WoUuvR02vL+jLK61dj0IHFbWov
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name b06b53681ea0ba09_favicon.ico
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\Other\Help\images\Favicon.ico
Size 1.1KB
Processes 1584 (Q-DirPortable_7.22.paf.exe)
Type MS Windows icon resource - 1 icon
MD5 049a352aabb8ced245ceecb94c0a0b2d
SHA1 775b5b199e8312e18f0655daa7b25844fd768602
SHA256 b06b53681ea0ba09ddaa8f8066c990cf5a7c01e65a1910e687a993ac375d1781
CRC32 CE59ADD9
ssdeep 12:GxtRygJlM7LVtY7YMCQrCE+4hoJbmLbJk:ARvl0VaoQr8ntGJk
Yara None matched
VirusTotal Search for analysis
Name 6f1aff083665a024_q-dir.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\DefaultData\Q-Dir.ini
Size 274.0B
Processes 1584 (Q-DirPortable_7.22.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 8ccb8ebaed9fccebed89310462d98bf8
SHA1 e431f5e145c421dd1e46557e216774127bb96f3f
SHA256 6f1aff083665a024d44fc65efeda28c18ea0e1feedd59d8732123ffab30dd71a
CRC32 2542496B
ssdeep 6:fgor+xDj1hY31vcf4yg0IC2ownNrpMSomWvXaEaZTrZAQL9h1eD:Yoip1hGUf1gZowNGSomWvfaZTreQL7Y
Yara
  • contentis_base64 - This rule finds for base64 strings
Name e73fd7317c99328d_q-dir.exe
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\Q-Dir\Q-Dir.exe
Size 930.9KB
Processes 1584 (Q-DirPortable_7.22.paf.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 a31d9dd74b09be657225766fac62f499
SHA1 160f49a6a2dc9d93cda1708c5d721e89fb68b6eb
SHA256 e73fd7317c99328db3ef9d3e40fde86dc70cd6994025b0ddc60452876bdb7d12
CRC32 38056651
ssdeep 12288:JC8KiuSoykNHwyJFaNymWrZG8JKPXrguKxT1Use0/rYnQ+r2tWk9OW:JC12yFaNybrZ6PXMHxT1Use08PoWs
Yara
  • IsPE32 -
  • IsWindowsGUI -
  • HasOverlay - Overlay Check
  • HasDigitalSignature - DigitalSignature Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00055_Alias_PIX_Vivid_IMG_Graphics_format_ - [Alias PIX/Vivid IMG Graphics format]
  • PEiD_00138_Armadillo_v1_71_ - [Armadillo v1.71]
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_00810_FSG_v1_10__Eng_____dulek_xt_____Microsoft_Visual_C___6_0___7_0__ - [FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)]
  • PEiD_01004_MASM_TASM___sig1_h__ - [MASM/TASM - sig1(h)]
  • PEiD_01007_MASM_TASM___sig4__h__ - [MASM/TASM - sig4 (h)]
  • PEiD_01070_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01101_Microsoft_Visual_C___v5_0_v6_0__MFC__ - [Microsoft Visual C++ v5.0/v6.0 (MFC)]
  • PEiD_01108_Microsoft_Visual_C___v6_0_ - [Microsoft Visual C++ v6.0]
  • PEiD_01125_Microsoft_Visual_C___ - [Microsoft Visual C++]
  • PEiD_01129_Microsoft_WAV_Audio_file_ - [Microsoft WAV Audio file]
  • PEiD_01130_Microsoft_Windows_Shortcut_file_ - [Microsoft Windows Shortcut file]
  • PEiD_01272_Neolite_v2_0_ - [Neolite v2.0]
  • PEiD_01414_Obsidium_V1_3_0_4____Obsidium_Software_ - [Obsidium V1.3.0.4 -> Obsidium Software]
  • PEiD_01628_PEQuake_V0_06____forgat_ - [PEQuake V0.06 -> forgat]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_01693_pex_V0_99____params_ - [pex V0.99 -> params]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_03512_Xtreme_Protector_v1_05_ - [Xtreme-Protector v1.05]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • DebuggerCheck__QueryInfo -
  • anti_dbg - Checks if being debugged
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_mutex - Create or check mutex
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • win_hook - Affect hook table
  • contentis_base64 - This rule finds for base64 strings
  • Armadillo_v171 -
  • Microsoft_Visual_Cpp_v60 -
  • Microsoft_Visual_Cpp_v50v60_MFC_additional -
  • Microsoft_Visual_Cpp_50 -
  • Microsoft_Visual_Cpp_v50v60_MFC -
  • Armadillo_v171_additional -
  • Microsoft_Visual_Cpp -
  • maldoc_function_prolog_signature -
  • maldoc_structured_exception_handling -
  • maldoc_suspicious_strings -
Name 69635373974e84af_appicon_16.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo\appicon_16.png
Size 155.0B
Processes 1584 (Q-DirPortable_7.22.paf.exe)
Type PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
MD5 cd7e98fb89a9695876521eb4ee1225fa
SHA1 0fd865cea2bd667569b6f582ed50d71ff069098d
SHA256 69635373974e84af068fd1c28c623f7d5080b661f3c06312784de267c03f9e25
CRC32 D49A3507
ssdeep 3:yionv//thPl9vt3ldeabfGZlfImn1TCq3eGkpiEr8AT3jqEOJ/ljp:6v/lhPFqZOm5X3ur8m32nJ/Vp
Yara None matched
Name 2ffe1ac2555e822b_FindProcDLL.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsl3.tmp\FindProcDLL.dll
Size 4.0KB
Processes 1584 (Q-DirPortable_7.22.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 ba4c1dfe226d573d516c0529f263011e
SHA1 d726e947633ea75c09bba1cb6a14a79ce953be24
SHA256 2ffe1ac2555e822b4a383996168031e456f09f9cf3bb763fccee35be178cf58a
CRC32 B076F3F7
ssdeep 48:qv1AJiDhU8UsnL0C8EA4G1zkxU5NMsH7pWIa1B3yx3s2mRUyNi7ftUgwQagqlNt/:uJnQChA4nsNMg0I8GiR+Uget
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_suspicious_strings -
Name 1ce8d004513f0e99_installer.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo\installer.ini
Size 45.0B
Processes 1584 (Q-DirPortable_7.22.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 32612183ba9be71bbc20939976ac202e
SHA1 e81d8aca618d43acb86dffa6092992bfa7884313
SHA256 1ce8d004513f0e9952d2c3b08e319b63aaf7d3d02f9f13a1675832e5e0c084ef
CRC32 4A714F70
ssdeep 3:UTRSW9A3AQGRakW9n:WRM3TGRin
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 9aa6c2cc05908623_q-dirportable.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo\Launcher\Q-DirPortable.ini
Size 1.0KB
Processes 1584 (Q-DirPortable_7.22.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 e51c3d10873cd1de3c9430a217aca5f0
SHA1 ab540feec7d06d07cfd4ccabfceaa87bfee991b1
SHA256 9aa6c2cc05908623f588cd93968d7fd077318d9369012f8e3cd469d44d150d6e
CRC32 9C78126F
ssdeep 24:J9DnSNeVpVeFhMeQLe12VfqHywoSrbiBh5F2JbeV:J9D93ErQM4W36BhFV
Yara
  • contentis_base64 - This rule finds for base64 strings
Name a632d74332b3f08f_System.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsl3.tmp\System.dll
Size 11.5KB
Processes 1584 (Q-DirPortable_7.22.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 75ed96254fbf894e42058062b4b4f0d1
SHA1 996503f1383b49021eb3427bc28d13b5bbd11977
SHA256 a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
CRC32 BFE90AC5
ssdeep 192:X24sihno0bW+l97H4GB7QDs91kMtwtobTr4u+QHbazMNHT7dmNIEr:m8vJl97JeoxtN/r3z7YV
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01070_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -
Name 44870a98757f7950_appicon.ico
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\Q-DirPortable\App\AppInfo\appicon.ico
Size 24.9KB
Processes 1584 (Q-DirPortable_7.22.paf.exe)
Type MS Windows icon resource - 7 icons, 48x48, 256-colors
MD5 5d81a3b212b0748d2870fcbc60375588
SHA1 835acdbf8c3acf1087cf598c5c02676906d14d42
SHA256 44870a98757f7950ae3e49454469e4a5bcd7103b29a57f6dc27249867dd835cd
CRC32 C18D009E
ssdeep 192:MphYnrtDINynT+vohYnrtDINynT+viNhYnrtDINynT+vW2kk9amtkkkP4Cs44Gid:suBuruTsKbak0is
Yara None matched
Sorry! No dropped buffers.
Task ID 605
Mongo ID 5c3607db11d3080d16cdb323
Cuckoo release 2.0-dev