File QuickCribbagePortable_3.5.15.1_English.paf.exe

Size 1.4MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 ee76ade0850c16d1dafd126354e27ee1
SHA1 69aad9e617f155c8590bc6e03832b5f6fdcdbc9d
SHA256 23b494bee046fc467cb19820b911510ab7dca0babf80397182235ef88330f7d9
SHA512 f368958d553da3dd3b23fef9718566e066bdf9d0abc74e40a6e4bbe5c6e877a08dbfe694d22ad27b354675318fd33941ccc244aab0d98540a10ceab1afffe17b
CRC32 288A14ED
ssdeep 24576:a9DQyn4TKkRetAG6dQH6h7/Fkwf6/B4tLsZ0a9U4u/zeP4KZUeoDCO3ZqDt:a91ZAetyKH6hxkwf6/qNM0w8/yP48UeT
Yara
  • IsPE32 -
  • IsWindowsGUI -
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01400_Obsidium_v1_0_0_61_ - [Obsidium v1.0.0.61]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • CRC32_poly_Constant - Look for CRC32 [poly]
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -

Score

This file shows some signs of potential malicious behavior.

The score of this file is 1.8 out of 10.

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Information on Execution

Category Started Completed Duration Logs
FILE Jan. 9, 2019, 9:40 a.m. Jan. 9, 2019, 9:44 a.m. 261 seconds

Machine

Name Label Started On Shutdown On
winxpsp3pro32 winxpsp3pro32 2019-01-09 09:40:07 2019-01-09 09:44:24

Analyzer Log

2019-01-09 03:11:53,015 [analyzer] DEBUG: Starting analyzer from: C:\eehbs
2019-01-09 03:11:53,030 [analyzer] DEBUG: Pipe server name: \\.\PIPE\aLBymguObezAmYBXwsIR
2019-01-09 03:11:53,030 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\pbBjbjlzUxncWyRpokfRVFERJFdzJIC
2019-01-09 03:11:53,030 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2019-01-09 03:11:53,030 [analyzer] INFO: Automatically selected analysis package "exe"
2019-01-09 03:11:55,265 [analyzer] DEBUG: Started auxiliary module Disguise
2019-01-09 03:11:55,390 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:11:55,453 [analyzer] DEBUG: Loaded monitor into process with pid 692
2019-01-09 03:11:55,453 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2019-01-09 03:11:55,453 [analyzer] DEBUG: Started auxiliary module Human
2019-01-09 03:11:55,453 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2019-01-09 03:11:55,453 [analyzer] DEBUG: Started auxiliary module Reboot
2019-01-09 03:11:55,703 [analyzer] DEBUG: Started auxiliary module RecentFiles
2019-01-09 03:11:55,703 [analyzer] DEBUG: Started auxiliary module Screenshots
2019-01-09 03:11:55,828 [lib.api.process] INFO: Successfully executed process from path u'C:\\DOCUME~1\\zamen\\LOCALS~1\\Temp\\QuickCribbagePortable_3.5.15.1_English.paf.exe' with arguments '' and pid 400
2019-01-09 03:11:55,921 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:11:56,046 [analyzer] DEBUG: Loaded monitor into process with pid 400
2019-01-09 03:11:56,217 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsr2.tmp
2019-01-09 03:11:56,280 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsw3.tmp\System.dll
2019-01-09 03:11:56,437 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsw3.tmp\FindProcDLL.dll
2019-01-09 03:11:56,578 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsw3.tmp\modern-header.bmp
2019-01-09 03:11:56,592 [analyzer] DEBUG: Received request to inject pid=400, but we are already injected there.
2019-01-09 03:11:56,608 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsw3.tmp\modern-wizard.bmp
2019-01-09 03:11:56,953 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsw3.tmp\nsDialogs.dll
2019-01-09 03:11:57,717 [modules.auxiliary.human] INFO: Found button "&Next >", clicking it
2019-01-09 03:11:59,828 [modules.auxiliary.human] INFO: Found button "&Install", clicking it
2019-01-09 03:12:00,875 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsw3.tmp\w7tbp.dll
2019-01-09 03:12:00,953 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\QuickCribbagePortable.exe
2019-01-09 03:12:00,967 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\help.html
2019-01-09 03:12:00,983 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\readme.txt
2019-01-09 03:12:01,000 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\AppInfo\appicon.ico
2019-01-09 03:12:01,000 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\AppInfo\appicon_128.png
2019-01-09 03:12:01,015 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\AppInfo\appicon_16.png
2019-01-09 03:12:01,015 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\AppInfo\appicon_32.png
2019-01-09 03:12:01,015 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\AppInfo\appicon_75.png
2019-01-09 03:12:01,030 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\AppInfo\appinfo.ini
2019-01-09 03:12:01,046 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\AppInfo\Launcher\QuickCribbagePortable.ini
2019-01-09 03:12:01,405 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\Quick Cribbage\QuickCribbage.exe
2019-01-09 03:12:01,592 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Other\Help\images\donation_button.png
2019-01-09 03:12:01,592 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Other\Help\images\favicon.ico
2019-01-09 03:12:01,608 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Other\Help\images\help_background_footer.png
2019-01-09 03:12:01,608 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Other\Help\images\help_background_header.png
2019-01-09 03:12:01,625 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Other\Help\images\help_logo_top.png
2019-01-09 03:12:01,625 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Other\Source\AppNamePortable.ini
2019-01-09 03:12:01,640 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Other\Source\License.txt
2019-01-09 03:12:01,640 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Other\Source\Readme.txt
2019-01-09 03:12:01,967 [modules.auxiliary.human] INFO: Found button "&Run Quick Cribbage Portable", clicking it
2019-01-09 03:15:59,265 [modules.auxiliary.human] INFO: Found button "&Run Quick Cribbage Portable", clicking it
2019-01-09 03:15:59,858 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2019-01-09 03:15:59,858 [analyzer] INFO: Terminating remaining processes before shutdown.
2019-01-09 03:15:59,858 [lib.api.process] INFO: Successfully terminated process with pid 400.
2019-01-09 03:15:59,875 [analyzer] WARNING: File at path "u'c:\\documents and settings\\zamen\\local settings\\temp\\nsr2.tmp'" does not exist, skip.
2019-01-09 03:16:00,108 [analyzer] INFO: Analysis completed.

Cuckoo Log

2019-01-09 09:40:06,763 [lib.cuckoo.core.scheduler] INFO: Task #607: acquired machine winxpsp3pro32 (label=winxpsp3pro32)
2019-01-09 09:40:06,959 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 2273 (interface=eth2, host=192.168.128.102, pcap=/opt/cuckoo/storage/analyses/607/dump.pcap)
2019-01-09 09:40:10,856 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=winxpsp3pro32, ip=192.168.128.102)
2019-01-09 09:44:23,787 [lib.cuckoo.core.guest] INFO: winxpsp3pro32: analysis completed successfully
2019-01-09 09:45:45,194 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2019-01-09 09:45:55,646 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.001s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f9b51aa63d0>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-09 09:45:55,671 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f9b51aa66d0>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f9b51aa66d0>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

The executable has PE anomalies (could be a false positive) (1 event)
section .ndata
Allocates read-write-execute memory (usually to unpack itself) (2 events)
Time & API Arguments Status Return Repeated
Jan. 9, 2019, 12:11 a.m.
NtProtectVirtualMemory
base_address: 0x10004000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 400
process_handle: 0xffffffff
success 0 0
Jan. 9, 2019, 12:11 a.m.
NtProtectVirtualMemory
base_address: 0x10004000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 400
process_handle: 0xffffffff
success 0 0
Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (4 events)
Time & API Arguments Status Return Repeated
Jan. 9, 2019, 12:11 a.m.
GetDiskFreeSpaceExW
total_number_of_free_bytes: 18092335030992900
free_bytes_available: 193091834023510793
root_path: C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable
total_number_of_bytes: 563886256291840
failed 0 0
Jan. 9, 2019, 12:11 a.m.
GetDiskFreeSpaceExW
total_number_of_free_bytes: 24103673856
free_bytes_available: 24103673856
root_path: C:\Documents and Settings\zamen\Local Settings\Temp\
total_number_of_bytes: 31453437952
success 1 0
Jan. 9, 2019, 12:11 a.m.
GetDiskFreeSpaceExW
total_number_of_free_bytes: 5339348723570775
free_bytes_available: 845431476544928
root_path: C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable
total_number_of_bytes: 5340688753360896
failed 0 0
Jan. 9, 2019, 12:11 a.m.
GetDiskFreeSpaceExW
total_number_of_free_bytes: 24103673856
free_bytes_available: 24103673856
root_path: C:\Documents and Settings\zamen\Local Settings\Temp\
total_number_of_bytes: 31453437952
success 1 0
Creates executable files on the filesystem (6 events)
file C:\Documents and Settings\zamen\Local Settings\Temp\nsw3.tmp\w7tbp.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\QuickCribbagePortable.exe
file C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\Quick Cribbage\QuickCribbage.exe
file C:\Documents and Settings\zamen\Local Settings\Temp\nsw3.tmp\nsDialogs.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\nsw3.tmp\FindProcDLL.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\nsw3.tmp\System.dll
The binary likely contains encrypted or compressed data. (2 events)
section {u'size_of_data': u'0x00019a00', u'virtual_address': u'0x00056000', u'entropy': 7.534537436359846, u'name': u'.rsrc', u'virtual_size': u'0x000199b8'} entropy 7.53453743636 description A section with a high entropy has been found
entropy 0.767790262172 description Overall entropy of this PE file is high

Network

DNS

No domains contacted.

Hosts

No hosts contacted.

Summary

Process QuickCribbagePortable_3.5.15.1_English.paf.exe (400)

  • Opened files

    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\AppInfo\appinfo.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\Quick Cribbage
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Other\Source
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsw3.tmp\modern-wizard.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable_3.5.15.1_English.paf.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\AppInfo\Launcher
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Other\Help
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\AppInfo
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsw3.tmp\modern-header.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Other\Help\images
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Other
  • Written files

    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Other\Help\images\help_background_header.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Other\Help\images\help_background_footer.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\help.html
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsw3.tmp\modern-header.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsw3.tmp\FindProcDLL.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Other\Source\License.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Other\Help\images\help_logo_top.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\AppInfo\appicon.ico
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\readme.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\AppInfo\appicon_75.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsw3.tmp\System.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\AppInfo\appicon_32.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsw3.tmp\w7tbp.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsr2.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\AppInfo\appicon_128.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsw3.tmp\modern-wizard.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\AppInfo\appicon_16.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Other\Help\images\favicon.ico
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Other\Source\AppNamePortable.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\AppInfo\appinfo.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\AppInfo\Launcher\QuickCribbagePortable.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\QuickCribbagePortable.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\Quick Cribbage\QuickCribbage.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Other\Source\Readme.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsw3.tmp\nsDialogs.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Other\Help\images\donation_button.png
  • Files Read

    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\AppInfo\appinfo.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsr2.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable_3.5.15.1_English.paf.exe

Process QuickCribbagePortable_3.5.15.1_English.paf.exe (400)

  • Registry keys opened

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ProductOptions
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF\LangBarAddIn\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\AppLogLevels
    • HKEY_CLASSES_ROOT\Directory
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530e-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\IconHandler
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNT
    • HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
    • HKEY_CURRENT_USER\Control Panel\Desktop
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\QuickCribbagePortable_3.5.15.1_English.paf.exe
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\Explorer\AutoComplete
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HKEY_CLASSES_ROOT\Folder
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530a-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\LangBarAddIn\
    • HKEY_CLASSES_ROOT\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32
    • HKEY_LOCAL_MACHINE\System\Setup
    • HKEY_LOCAL_MACHINE\System\WPA\PnP
    • HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Explorer\AutoComplete
    • HKEY_CLASSES_ROOT\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Clsid
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle
    • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\CurVer
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530d-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530b-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\(Default)
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
  • Registry keys written

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530e-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530d-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530a-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530b-636a-11e6-ba0d-806d6172696f}\BaseClass
  • Registry keys read

    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewScrollOver
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DevicePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Domain
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\DriverCachePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\RsopDebugLevel
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\OsLoaderPath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewWatermark
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemPartition
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogPath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserEnvDebugLevel
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ServicePackSourcePath
    • HKEY_LOCAL_MACHINE\SYSTEM\WPA\PnP\seed
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ServicePackCachePath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\RsopLogging
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogLevel
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Hostname
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Personal
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions\ProductType
    • HKEY_CURRENT_USER\Control Panel\Desktop\LameButtonText
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewScrollOver
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local Settings
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ChkAccDebugLevel
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager\Compositing
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt

Process QuickCribbagePortable_3.5.15.1_English.paf.exe (400)

  • Mutexes accessed

    • MSCTF.Shared.MUTEX.EFG

Process QuickCribbagePortable_3.5.15.1_English.paf.exe (400)

  • Directories created

    • C:\Documents and Settings
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\Quick Cribbage
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Other\Source
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Other\Help\images
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Data
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\AppInfo\Launcher
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Other\Help
    • C:\Documents and Settings\zamen\Local Settings\Temp\
    • C:\Documents and Settings\zamen\Local Settings\Temp
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\AppInfo
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsw3.tmp
    • C:\Documents and Settings\zamen\Local Settings
    • C:\Documents and Settings\zamen
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Other
  • Directories enumerated

    • C:\Documents and Settings
    • C:\Program Files\Microsoft Office\Office12
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Other\*.*
    • C:\WINDOWS\system32\ctfmon.exe
    • C:\WINDOWS\explorer.exe
    • C:\Python27\pythonw.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsw3.tmp
    • C:\WINDOWS\system32\lsass.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\*.*
    • C:\Program Files\Java\jre7\bin\jqs.exe
    • C:\Program Files\Java\jre7
    • C:\Documents and Settings\zamen\Local Settings\Temp\PortableApps.com\PortableAppsPlatform.exe
    • C:\WINDOWS
    • C:\PortableApps
    • C:\WINDOWS\system32\svchost.exe
    • C:\Documents and Settings\zamen\Local Settings
    • C:\Documents and Settings\zamen\PortableApps\*.*
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\*.*
    • C:\WINDOWS\system32
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\7zTemp\7z.exe
    • C:\Python27
    • C:\Documents and Settings\zamen\Local Settings\Temp
    • C:\WINDOWS\system32\services.exe
    • C:\Program Files\Java
    • E:\PortableApps
    • C:\Documents and Settings\zamen
    • C:\Program Files\Common Files\Java
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App
    • C:\Program Files\Java\jre7\bin
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable
    • C:\WINDOWS\system32\spoolsv.exe
    • C:\WINDOWS\system32\alg.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\7zTemp
    • C:\Program Files\Common Files\Java\Java Update\jusched.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\7zTemp\7z.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Other

Process QuickCribbagePortable_3.5.15.1_English.paf.exe (400)

  • DLLs Loaded

    • C:\WINDOWS\system32\USERENV.dll
    • C:\WINDOWS\system32\SHELL32.dll
    • C:\WINDOWS\system32\RichEd20.dll
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsw3.tmp\System.dll
    • C:\WINDOWS\system32\browseui.dll
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsw3.tmp\nsDialogs.dll
    • browseui.dll
    • C:\WINDOWS\system32\SETUPAPI.dll
    • shell32.dll
    • kernel32.dll
    • UxTheme.dll
    • C:\WINDOWS\system32\VERSION.dll
    • C:\WINDOWS\system32\SHFOLDER.dll
    • SHELL32.dll
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsw3.tmp\FindProcDLL.dll
    • ole32.dll
    • SETUPAPI.dll
    • PSAPI.DLL
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsw3.tmp\w7tbp.dll
    • C:\WINDOWS\system32\UXTHEME.dll

PE Compile Time

2015-12-27 01:26:01

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x0000615e 0x00006200 6.45573741094
.rdata 0x00008000 0x00001370 0x00001400 5.10214878839
.data 0x0000a000 0x00020358 0x00000600 4.0948532877
.ndata 0x0002b000 0x0002b000 0x00000000 0.0
.rsrc 0x00056000 0x000199b8 0x00019a00 7.53453743636

Imports

Library KERNEL32.dll:
0x408074 GetFileAttributesW
0x408078 GetFullPathNameW
0x40807c Sleep
0x408080 GetTickCount
0x408084 CreateFileW
0x408088 GetFileSize
0x40808c MoveFileW
0x408090 SetFileAttributesW
0x408094 GetModuleFileNameW
0x408098 CopyFileW
0x40809c ExitProcess
0x4080a8 GetTempPathW
0x4080ac GetCommandLineW
0x4080b0 GetVersion
0x4080b4 SetErrorMode
0x4080b8 lstrlenW
0x4080bc GetCurrentProcess
0x4080c0 CompareFileTime
0x4080c4 GlobalUnlock
0x4080c8 GlobalLock
0x4080cc CreateThread
0x4080d0 GetLastError
0x4080d4 CreateDirectoryW
0x4080d8 CreateProcessW
0x4080dc RemoveDirectoryW
0x4080e0 lstrcmpiA
0x4080e4 GetTempFileNameW
0x4080e8 WriteFile
0x4080ec lstrcpyA
0x4080f0 lstrcpyW
0x4080f4 MoveFileExW
0x4080f8 lstrcatW
0x4080fc GetSystemDirectoryW
0x408100 LoadLibraryW
0x408104 GetProcAddress
0x408108 GetModuleHandleA
0x408110 GetShortPathNameW
0x408114 SearchPathW
0x408118 lstrcmpiW
0x40811c SetFileTime
0x408120 CloseHandle
0x408124 GlobalFree
0x408128 lstrcmpW
0x40812c GlobalAlloc
0x408130 WaitForSingleObject
0x408134 GetDiskFreeSpaceW
0x408138 lstrcpynW
0x40813c GetExitCodeProcess
0x408140 FindFirstFileW
0x408144 FindNextFileW
0x408148 DeleteFileW
0x40814c SetFilePointer
0x408150 ReadFile
0x408154 FindClose
0x408158 MulDiv
0x40815c MultiByteToWideChar
0x408160 lstrlenA
0x408164 WideCharToMultiByte
0x408170 FreeLibrary
0x408174 LoadLibraryExW
0x408178 GetModuleHandleW
Library USER32.dll:
0x40819c GetSystemMenu
0x4081a0 SetClassLongW
0x4081a4 IsWindowEnabled
0x4081a8 EnableMenuItem
0x4081ac SetWindowPos
0x4081b0 GetSysColor
0x4081b4 GetWindowLongW
0x4081b8 SetCursor
0x4081bc LoadCursorW
0x4081c0 CheckDlgButton
0x4081c4 GetMessagePos
0x4081c8 LoadBitmapW
0x4081cc CallWindowProcW
0x4081d0 IsWindowVisible
0x4081d4 CloseClipboard
0x4081d8 SetClipboardData
0x4081dc EmptyClipboard
0x4081e0 OpenClipboard
0x4081e4 wsprintfW
0x4081e8 ScreenToClient
0x4081ec GetWindowRect
0x4081f0 GetSystemMetrics
0x4081f4 SetDlgItemTextW
0x4081f8 GetDlgItemTextW
0x4081fc MessageBoxIndirectW
0x408200 CharPrevW
0x408204 CharNextA
0x408208 wsprintfA
0x40820c DispatchMessageW
0x408210 PeekMessageW
0x408214 ReleaseDC
0x408218 EnableWindow
0x40821c InvalidateRect
0x408220 SendMessageW
0x408224 DefWindowProcW
0x408228 BeginPaint
0x40822c GetClientRect
0x408230 FillRect
0x408234 DrawTextW
0x408238 EndDialog
0x40823c RegisterClassW
0x408244 CreateWindowExW
0x408248 GetClassInfoW
0x40824c DialogBoxParamW
0x408250 CharNextW
0x408254 ExitWindowsEx
0x408258 DestroyWindow
0x40825c CreateDialogParamW
0x408260 GetDC
0x408264 SetWindowTextW
0x408268 PostQuitMessage
0x40826c ShowWindow
0x408270 GetDlgItem
0x408274 IsWindow
0x408278 LoadImageW
0x40827c SetWindowLongW
0x408280 TrackPopupMenu
0x408284 AppendMenuW
0x408288 CreatePopupMenu
0x40828c EndPaint
0x408290 SetTimer
0x408294 FindWindowExW
0x408298 SendMessageTimeoutW
0x40829c SetForegroundWindow
Library GDI32.dll:
0x40804c SelectObject
0x408050 SetBkMode
0x408054 CreateFontIndirectW
0x408058 SetTextColor
0x40805c DeleteObject
0x408060 GetDeviceCaps
0x408064 CreateBrushIndirect
0x408068 SetBkColor
Library SHELL32.dll:
0x408188 SHBrowseForFolderW
0x40818c SHGetFileInfoW
0x408190 ShellExecuteW
0x408194 SHFileOperationW
Library ADVAPI32.dll:
0x408000 RegDeleteKeyW
0x408004 SetFileSecurityW
0x408008 OpenProcessToken
0x408014 RegOpenKeyExW
0x408018 RegEnumValueW
0x40801c RegDeleteValueW
0x408020 RegCloseKey
0x408024 RegCreateKeyExW
0x408028 RegSetValueExW
0x40802c RegQueryValueExW
0x408030 RegEnumKeyW
Library COMCTL32.dll:
0x408038 ImageList_Create
0x40803c ImageList_AddMasked
0x408040 ImageList_Destroy
0x408044 None
Library ole32.dll:
0x4082a4 OleUninitialize
0x4082a8 OleInitialize
0x4082ac CoTaskMemFree
0x4082b0 CoCreateInstance

!This program cannot be run in DOS mode.
`.rdata
@.data
.ndata
RichEd32
RichEd20
MulDiv
DeleteFileW
FindFirstFileW
FindNextFileW
FindClose
SetFilePointer
ReadFile
MultiByteToWideChar
lstrlenA
WideCharToMultiByte
GetPrivateProfileStringW
WritePrivateProfileStringW
FreeLibrary
LoadLibraryExW
GetModuleHandleW
GetExitCodeProcess
WaitForSingleObject
GlobalAlloc
GlobalFree
ExpandEnvironmentStringsW
lstrcmpW
lstrcmpiW
CloseHandle
SetFileTime
CompareFileTime
SearchPathW
GetShortPathNameW
GetFullPathNameW
MoveFileW
SetCurrentDirectoryW
GetFileAttributesW
SetFileAttributesW
GetTickCount
CreateFileW
GetFileSize
GetModuleFileNameW
GetCurrentProcess
CopyFileW
ExitProcess
SetEnvironmentVariableW
GetWindowsDirectoryW
GetTempPathW
GetCommandLineW
GetVersion
SetErrorMode
lstrlenW
lstrcpynW
GetDiskFreeSpaceW
GlobalUnlock
GlobalLock
CreateThread
GetLastError
CreateDirectoryW
CreateProcessW
RemoveDirectoryW
lstrcmpiA
GetTempFileNameW
WriteFile
lstrcpyA
lstrcpyW
MoveFileExW
lstrcatW
GetSystemDirectoryW
LoadLibraryW
GetProcAddress
GetModuleHandleA
KERNEL32.dll
EndPaint
DrawTextW
FillRect
GetClientRect
BeginPaint
DefWindowProcW
SendMessageW
InvalidateRect
EnableWindow
ReleaseDC
LoadImageW
SetWindowLongW
GetDlgItem
IsWindow
FindWindowExW
SendMessageTimeoutW
wsprintfW
ShowWindow
SetForegroundWindow
PostQuitMessage
SetWindowTextW
SetTimer
CreateDialogParamW
DestroyWindow
ExitWindowsEx
CharNextW
DialogBoxParamW
GetClassInfoW
CreateWindowExW
SystemParametersInfoW
RegisterClassW
EndDialog
ScreenToClient
GetWindowRect
EnableMenuItem
GetSystemMenu
SetClassLongW
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongW
SetCursor
LoadCursorW
CheckDlgButton
GetMessagePos
LoadBitmapW
CallWindowProcW
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
TrackPopupMenu
AppendMenuW
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextW
GetDlgItemTextW
MessageBoxIndirectW
CharPrevW
CharNextA
wsprintfA
DispatchMessageW
PeekMessageW
USER32.dll
SelectObject
SetTextColor
SetBkMode
CreateFontIndirectW
CreateBrushIndirect
DeleteObject
GetDeviceCaps
SetBkColor
GDI32.dll
SHFileOperationW
ShellExecuteW
SHGetFileInfoW
SHBrowseForFolderW
SHGetPathFromIDListW
SHGetSpecialFolderLocation
SHELL32.dll
RegEnumValueW
RegEnumKeyW
RegQueryValueExW
RegSetValueExW
RegCreateKeyExW
RegCloseKey
RegDeleteValueW
RegDeleteKeyW
RegOpenKeyExW
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
SetFileSecurityW
ADVAPI32.dll
ImageList_Destroy
ImageList_AddMasked
ImageList_Create
COMCTL32.dll
CoCreateInstance
OleUninitialize
OleInitialize
CoTaskMemFree
ole32.dll
SETUPAPI
USERENV
UXTHEME
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
VERSION
SHGetFolderPathW
SHFOLDER
SHAutoComplete
SHLWAPI
SHELL32
InitiateShutdownW
RegDeleteKeyExW
ADVAPI32
GetUserDefaultUILanguage
GetDiskFreeSpaceExW
SetDefaultDllDirectories
KERNEL32
[Rename]
%ls=%ls
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.0b3</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
NullsoftInst
RichEdit
RichEdit20W
.DEFAULT\Control Panel\International
Control Panel\Desktop\ResourceLocale
Software\Microsoft\Windows\CurrentVersion
\Microsoft\Internet Explorer\Quick Launch
verifying installer: %d%%
unpacking data: %d%%
... %d%%
Installer integrity check has failed. Common causes include
incomplete download and damaged media. Contact the
installer's author to obtain a new copy.
More information at:
http://nsis.sf.net/NSIS_Error
Error writing temporary file. Make sure your temp folder is valid.
Error launching installer
SeShutdownPrivilege
NSIS Error
%u.%u%s%s
*?|<>/":
%s%S.dll
MS Shell Dlg
MS Shell Dlg
MS Shell Dlg
msctls_progress32
SysListView32
MS Shell Dlg
Please wait while Setup is loading...
VS_VERSION_INFO
StringFileInfo
040904b0
Comments
For additional details, visit PortableApps.com
CompanyName
PortableApps.com
FileDescription
Quick Cribbage Portable
FileVersion
3.5.15.1
InternalName
Quick Cribbage Portable
LegalCopyright
2007-2015 PortableApps.com, PortableApps.com Installer 3.1.0.0
LegalTrademarks
PortableApps.com is a registered trademark of Rare Ideas, LLC.
OriginalFilename
QuickCribbagePortable_3.5.15.1_English.paf.exe
PortableApps.comAppID
QuickCribbagePortable
PortableApps.comFormatVersion
PortableApps.comInstallerVersion
3.1.0.0
ProductName
Quick Cribbage Portable
ProductVersion
3.5.15.1
VarFileInfo
Translation
No antivirus signatures available.

Process Tree


QuickCribbagePortable_3.5.15.1_English.paf.exe, PID: 400, Parent PID: 196


Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (i.e., pip install httpreplay) will allow Cuckoo to do more proper PCAP analysis including but not limited to showing full HTTP and HTTPS (!) requests and responses. It is recommended that you install this library and possibly reprocess any interesting analysis tasks.

Hosts

No hosts contacted.

DNS

No domains contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.128.102 137 192.168.128.255 137
192.168.128.102 138 192.168.128.255 138

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name eae2b033f0b08229_license.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Other\Source\License.txt
Size 17.9KB
Processes 400 (QuickCribbagePortable_3.5.15.1_English.paf.exe)
Type Pascal source, ASCII text, with CRLF line terminators
MD5 dfb340fbcd40576fcc15069591f30a92
SHA1 358f72786c97f5a0c5b1e591230c592c55b4ca13
SHA256 eae2b033f0b0822913c076f36d498e51450c712b3229c1c83c7d12198fa097ee
CRC32 FA343E8A
ssdeep 384:lq2PmwERb6k/iAVX/dUY2ZpEGMOZ77o6LDMj:lzun1iYWrTXo6LDMj
Yara
  • contentis_base64 - This rule finds for base64 strings
  • embedded_pe - Contains an embedded PE32 file
VirusTotal Search for analysis
Name 01b4b8b0b1617047_quickcribbageportable.exe
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\QuickCribbagePortable.exe
Size 159.5KB
Processes 400 (QuickCribbagePortable_3.5.15.1_English.paf.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 6bdd4422e63f637b2d5e255cc4c1aa2b
SHA1 83bd3864c45c7d8a81c24986d52de720d26dc475
SHA256 01b4b8b0b1617047d09752b8097c887dd347135569ed638968dc9fadcf415704
CRC32 B7939E07
ssdeep 3072:pweqOYEUXPn48KHr+MdZ3i5/+gKbYaFLM/YmO5GwT2F:OEUXqL+Mzi5/+gKbBjyF
Yara
  • IsPE32 -
  • IsWindowsGUI -
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasDigitalSignature - DigitalSignature Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Nullsoft_PiMP_Stub_SFX -
  • CRC32_poly_Constant - Look for CRC32 [poly]
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -
VirusTotal Search for analysis
Name 215813036afecc15_quickcribbageportable.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\AppInfo\Launcher\QuickCribbagePortable.ini
Size 353.0B
Processes 400 (QuickCribbagePortable_3.5.15.1_English.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 404e74bd6c69dd7b0a14bab980ac6e2d
SHA1 147ced73493afa11dcd4599f94a9bf3033ef2df2
SHA256 215813036afecc15706f2a9df0b8e1a2354c1b2d5256e53fe7c7bb829ed4bc71
CRC32 57297EC2
ssdeep 6:MgZXtJZi5nDkn5czr0unXro9HqikNg83onZm5owAMokug83onZm5oMyg83oHr:M8tT+I5E061BwZXqgwZXM8M
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 8ac754b981f295ec_readme.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Other\Source\Readme.txt
Size 2.2KB
Processes 400 (QuickCribbagePortable_3.5.15.1_English.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 3fe05586f4960954f4afc98804ec4881
SHA1 0c08abd4c39904ea0b1a8d0de1e0e7f8279736f7
SHA256 8ac754b981f295ec9443049ec652671b0a5979ac9033fdddfbc4088064e29087
CRC32 16356406
ssdeep 48:pofWahjhG4NjHLGQxMTC+F2bpbGTY/ZzywG2lMI:mOahtn9HaQxoCV1GTYZzywG4MI
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name fb037c43521cb198_appicon_75.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\AppInfo\appicon_75.png
Size 7.0KB
Processes 400 (QuickCribbagePortable_3.5.15.1_English.paf.exe)
Type PNG image data, 75 x 75, 8-bit/color RGBA, non-interlaced
MD5 25f63eff8cf4b83ccfef5cd46b1b3536
SHA1 897b4c2e30d73b5387a4d77f8175dec5095a719e
SHA256 fb037c43521cb198b2644955b2604aca0f7c474d5dd0a7396e6cdbca86a636ef
CRC32 9C41F8B4
ssdeep 192:zDwEavnKIusFeBsM8mDyhjr05uZBMM3AUndT:vwEavNzsBsM8mOWgZ9z
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 895853f79e8f7358_quickcribbage.exe
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\Quick Cribbage\QuickCribbage.exe
Size 2.0MB
Processes 400 (QuickCribbagePortable_3.5.15.1_English.paf.exe)
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5 fa75a7ec6354d9836133bfbe31efd6f2
SHA1 470e8cbece75db9ff1645cede7e677823aa9e51c
SHA256 895853f79e8f7358da497bfafa6b4d95d5e2149fcb1b8c2e1a941bb520ee9c68
CRC32 AA7DBCF0
ssdeep 49152:dmIC7TC9y0+5NHNDPXlzxg9AQMEQgHsyThTz2:dhxy0APVC9AQMEQMtTx2
Yara
  • IsPE32 -
  • IsWindowsGUI -
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_00810_FSG_v1_10__Eng_____dulek_xt_____Microsoft_Visual_C___6_0___7_0__ - [FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)]
  • PEiD_01086_Microsoft_Visual_C___8_0__MFC__ - [Microsoft Visual C++ 8.0 (MFC)]
  • PEiD_01129_Microsoft_WAV_Audio_file_ - [Microsoft WAV Audio file]
  • PEiD_01140_MinGW_GCC_DLL_v2xx_ - [MinGW GCC DLL v2xx]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_02161_Stranik_1_3_Modula_C_Pascal_ - [Stranik 1.3 Modula/C/Pascal]
  • PEiD_02498_Video_Lan_Client_ - [Video-Lan-Client]
  • PEiD_03512_Xtreme_Protector_v1_05_ - [Xtreme-Protector v1.05]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • screenshot - Take screenshot
  • win_registry - Affect system registries
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_suspicious_strings -
VirusTotal Search for analysis
Name 464a0e8068e8fad8_appicon_32.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\AppInfo\appicon_32.png
Size 1.1KB
Processes 400 (QuickCribbagePortable_3.5.15.1_English.paf.exe)
Type PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
MD5 acc77b8065f100396fedb66374207379
SHA1 50be7a583535b538e4a1c4e6535e0680947bceba
SHA256 464a0e8068e8fad848a4d79c8fe68b28ac251e0ef6d39fa34331ea84f84b176f
CRC32 3132377D
ssdeep 24:MNPpMPCXllemJmNOOnXTcAGSzMsasVnHHdi2rsQ1HAQKYpUE49:ZCKmJm8OXTcA5TVnnYc9AQxP49
Yara None matched
VirusTotal Search for analysis
Name 2ffe1ac2555e822b_findprocdll.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsw3.tmp\FindProcDLL.dll
Size 4.0KB
Processes 400 (QuickCribbagePortable_3.5.15.1_English.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 ba4c1dfe226d573d516c0529f263011e
SHA1 d726e947633ea75c09bba1cb6a14a79ce953be24
SHA256 2ffe1ac2555e822b4a383996168031e456f09f9cf3bb763fccee35be178cf58a
CRC32 B076F3F7
ssdeep 48:qv1AJiDhU8UsnL0C8EA4G1zkxU5NMsH7pWIa1B3yx3s2mRUyNi7ftUgwQagqlNt/:uJnQChA4nsNMg0I8GiR+Uget
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_suspicious_strings -
VirusTotal Search for analysis
Name 46a1d50a869dc7e2_help_logo_top.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Other\Help\images\help_logo_top.png
Size 2.5KB
Processes 400 (QuickCribbagePortable_3.5.15.1_English.paf.exe)
Type PNG image data, 229 x 47, 8-bit/color RGBA, non-interlaced
MD5 0f024e316973b9d87f3f4c3a1f33c448
SHA1 8ccaf998d7b14731829c0d1104d6fa7a1adc7247
SHA256 46a1d50a869dc7e2c0511cfbc77a15f0092ad9fba0b068736f1e512683a47ee4
CRC32 8F37D7F3
ssdeep 48:NaRbpMYHmHcRu3nh77X9/aoy/b1MUOgmLFu2J:YRbqHSI7TZ/RgSuI
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 88c0749cc9ca14cc_help_background_footer.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Other\Help\images\help_background_footer.png
Size 168.0B
Processes 400 (QuickCribbagePortable_3.5.15.1_English.paf.exe)
Type PNG image data, 10 x 16, 8-bit/color RGB, non-interlaced
MD5 6af4a82693a403b0d0afde16972466f5
SHA1 1ab8a3d0cf22cde23173b6b41521377c0fdbeea8
SHA256 88c0749cc9ca14ccea1af39dffaccf7b7c35e5b5603b1e451fe7fce508252480
CRC32 8468EBFD
ssdeep 3:yionv//thPlHvtntCZRthwkBDsTBZtv9L//gbxCRQe1e//VHgNqUMwF/2g1p:6v/lhPo/nDspvmb8RQe1IgN1MwFdp
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name ee13539f3d66cc05_modern-wizard.bmp
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsw3.tmp\modern-wizard.bmp
Size 603.5KB
Processes 400 (QuickCribbagePortable_3.5.15.1_English.paf.exe)
Type PC bitmap, Windows 3.x format, 328 x 628 x 24
MD5 4df53efcaa2c52f39618b2aad77bb552
SHA1 542de62a8a48a3ff57cf7845737803078062e95b
SHA256 ee13539f3d66cc0592942ea1a4c35d8fd9af67b1a7f272d0d791931e6e9ce4eb
CRC32 1CDF967B
ssdeep 1536:9Bn13fmACap7r33OCINrac3aKumetKPKqDjoo+1q7C3DNgbgNgLg7gRgeHRVAVVi:90aZr33XW1
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 58053a49f7c9d07f_appnameportable.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Other\Source\AppNamePortable.ini
Size 244.0B
Processes 400 (QuickCribbagePortable_3.5.15.1_English.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 8634c50b01d5ea4adc0d9eca692cbb5b
SHA1 ce39ebe17200463b7625a07288bae88c688f0ab8
SHA256 58053a49f7c9d07faceb35c298022d31da5b00b8840e611074475b41ceb9b7e9
CRC32 0A3AE46A
ssdeep 6:IQE7Em2VPVJSgBYlyGqMwIjAIMLyJQBABCXh5XMWJk/71NLyJQBAK:It2hrY8fjI8IMee2cXhX28e2K
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 6de8cca93f7aeedd_appicon.ico
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\AppInfo\appicon.ico
Size 22.0KB
Processes 400 (QuickCribbagePortable_3.5.15.1_English.paf.exe)
Type MS Windows icon resource - 6 icons, 48x48, 256-colors
MD5 f11358aaa0ba9476b64e25256bebf8b7
SHA1 e3b0115ac287e072fe5b9e1937c1aa87311fe8ae
SHA256 6de8cca93f7aeeddfbf2f4b9dd44cc4065e58f37982fcb1ecc9a6ab6f384c06b
CRC32 0E38FEBD
ssdeep 192:05YnrtDINynT+v1bReuxfnT+vHhGdG+RX7rtDINynT+v9CqEstEf7T:UuCxi48Un
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 3981167b60f335bc_help.html
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\help.html
Size 4.8KB
Processes 400 (QuickCribbagePortable_3.5.15.1_English.paf.exe)
Type HTML document, ASCII text, with CRLF, LF line terminators
MD5 980b3339a65a36f3dd758dec145ecdf4
SHA1 de84ff30a6eda6223620bc130bba650236b8fc14
SHA256 3981167b60f335bc922d5b7b0b514621844243823986089dd5560fb14c70f48b
CRC32 BBA4D173
ssdeep 96:i7tLFGkz2/iQWnMn1rt6BxOXmHrZta0ZE0dcAurzvhcxqN:i7tL4biQWnMn1fOEg8h
Yara
  • contentis_base64 - This rule finds for base64 strings
Name e94a1f7bcd7e0d53_system.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsw3.tmp\System.dll
Size 11.5KB
Processes 400 (QuickCribbagePortable_3.5.15.1_English.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 ee260c45e97b62a5e42f17460d406068
SHA1 df35f6300a03c4d3d3bd69752574426296b78695
SHA256 e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27
CRC32 CEC99AA3
ssdeep 192:eF24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol9Sl:h8QIl975eXqlWBrz7YLOl9
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01070_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -
Name 53bb519e32931649_w7tbp.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsw3.tmp\w7tbp.dll
Size 2.5KB
Processes 400 (QuickCribbagePortable_3.5.15.1_English.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 9a3031cc4cef0dba236a28eecdf0afb5
SHA1 708a76aa56f77f1b0ebc62b023163c2e0426f3ac
SHA256 53bb519e3293164947ac7cbd7e612f637d77a7b863e3534ba1a7e39b350d3c00
CRC32 FF2B5710
ssdeep 24:etGS4R/39doyOzHaikQ7I9lYFxu3GUY1Bk5L2:64RVdojLJGWnWMi5L2
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
Name 9abc52858ae4ddda_donation_button.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Other\Help\images\donation_button.png
Size 1.7KB
Processes 400 (QuickCribbagePortable_3.5.15.1_English.paf.exe)
Type PNG image data, 110 x 23, 8-bit/color RGBA, non-interlaced
MD5 bab4268c0bc3b3051ff38b21dbe35a44
SHA1 ea7adbbd731bb1747afc9da72340a0444b29abbe
SHA256 9abc52858ae4ddda224ee9d229cb38d252ae9ba46633da4ac14fada25dd489c6
CRC32 F486C53D
ssdeep 24:aoPfexW3T0UjeA2fijjxMhDnUcO7QLgYNw69rFbyQCwbozK8yxkxuE3u5F3pKXTP:aw3T0GeA2yMhocrVN5uXwNF0FGpU
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 3959381aab454359_help_background_header.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Other\Help\images\help_background_header.png
Size 269.0B
Processes 400 (QuickCribbagePortable_3.5.15.1_English.paf.exe)
Type PNG image data, 10 x 42, 8-bit/color RGB, non-interlaced
MD5 a1eaee3ccb8169b680415d713720a2fa
SHA1 8cf2eff4faa05a34bfb0b641b8765773c7ac2ed6
SHA256 3959381aab4543593fa69fa7980946dbf0b0bab25924c8b38f6e88f7f69b9c19
CRC32 D14F00B1
ssdeep 6:6v/lhPTnDspO68hvS6IBe0ZZUngZlq+2dp:6v/7Uk68FS6c3UngZlq+2z
Yara
  • contentis_base64 - This rule finds for base64 strings
Name b06b53681ea0ba09_favicon.ico
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\Other\Help\images\favicon.ico
Size 1.1KB
Processes 400 (QuickCribbagePortable_3.5.15.1_English.paf.exe)
Type MS Windows icon resource - 1 icon
MD5 049a352aabb8ced245ceecb94c0a0b2d
SHA1 775b5b199e8312e18f0655daa7b25844fd768602
SHA256 b06b53681ea0ba09ddaa8f8066c990cf5a7c01e65a1910e687a993ac375d1781
CRC32 CE59ADD9
ssdeep 12:GxtRygJlM7LVtY7YMCQrCE+4hoJbmLbJk:ARvl0VaoQr8ntGJk
Yara None matched
Name 80d84f6c405f4e7b_nsdialogs.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsw3.tmp\nsDialogs.dll
Size 9.5KB
Processes 400 (QuickCribbagePortable_3.5.15.1_English.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 477b78e5db22b4e651b6bec39d5c1acf
SHA1 418038f8d4db22471f55206aa8eb372f3f133d0d
SHA256 80d84f6c405f4e7b51d3e0c7c10b06ce60b28a43451bbe0e6e464d5e4783fc35
CRC32 9A20E416
ssdeep 192:oB8cxzvTyl4tgi8pPjQM0PuAg0YNyPIFtSP:oBxzm+t18pZ0WAg0RPIFg
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_function_prolog_signature -
Name 9b5cd67685397aa9_readme.txt
Size 0.0B
Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
ssdeep 3::
Yara None matched
Name ea388a42320caf77_appinfo.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\AppInfo\appinfo.ini
Size 488.0B
Processes 400 (QuickCribbagePortable_3.5.15.1_English.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 677f05f8e2e3640335a171a8e656666f
SHA1 04ba9dd5e0192bbc79075cab6f91acfb0bfbebb0
SHA256 ea388a42320caf77321bb0cd27f814650666f1e39e603981e8354910c1b58bfe
CRC32 746B51B5
ssdeep 12:kihtKN3biuonuaervqZ2WvAUvMrHpR1DVN9:kItQbiuonuaeor0rJR1X9
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 42e2b8afce1c12b4_appicon_128.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\AppInfo\appicon_128.png
Size 1.9KB
Processes 400 (QuickCribbagePortable_3.5.15.1_English.paf.exe)
Type PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
MD5 e3ec62ba66f4a84971de6c729ae7e7db
SHA1 cbc1eda4e7b9f087fca99122ce15a107d31650c8
SHA256 42e2b8afce1c12b4b96eb5b878e53ce0525f4139280994a909500fb9b3a39a5d
CRC32 6BB333FB
ssdeep 48:Yr4taTsAoyVznW7c5T0tVaN7DKD2V96HYo6WT7Fa7:s6aQARVi7sk8N7DKyD6HS+G
Yara
  • contentis_base64 - This rule finds for base64 strings
Name e3b0c44298fc1c14_nsw1.tmp
Size 0.0B
Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
ssdeep 3::
Yara None matched
Name 5fa8d055cf00ed9b_modern-header.bmp
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsw3.tmp\modern-header.bmp
Size 100.2KB
Processes 400 (QuickCribbagePortable_3.5.15.1_English.paf.exe)
Type PC bitmap, Windows 3.x format, 300 x 114 x 24
MD5 ef748c5f6a794977476e82611d9415f5
SHA1 7e56447750d36f26191ed802028b0a3c3a96466b
SHA256 5fa8d055cf00ed9b996fed8dac21297f978577d2593b308e36876534be2a66c6
CRC32 2D7237D3
ssdeep 192:pQHeI948c+A0TBVapexbPoHn7eZynf0kLhdLM:pbQg+rrjxbPoHn7eZkfJ3LM
Yara
  • contentis_base64 - This rule finds for base64 strings
  • Big_Numbers2 - Looks for big numbers 48:sized
  • Big_Numbers3 - Looks for big numbers 64:sized
Name 13fa124cd2246c5d_appicon_16.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\QuickCribbagePortable\App\AppInfo\appicon_16.png
Size 514.0B
Processes 400 (QuickCribbagePortable_3.5.15.1_English.paf.exe)
Type PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
MD5 6b4031cc846671ad3f0b7899ca3302a1
SHA1 534ffeca48b563394a06006c7ccfe51a85f61552
SHA256 13fa124cd2246c5d0b26cbb3b238c27b066f47b064ad543bbde558633cc96ed1
CRC32 AFDE8DC2
ssdeep 12:6v/7Td/TxRLhZAhd9alGXjeok4qKb9naO6XvwTn18WnQc:Wd/FRNlGSoLqRX818s5
Yara None matched
Sorry! No dropped buffers.
Task ID 607
Mongo ID 5c36092811d3080d16cdba02
Cuckoo release 2.0-dev