File RapidCRCUnicodePortable_0.3.27_English.paf.exe

Size 661.8KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 01a44b9dfc9e65193b83091a7a98dd80
SHA1 b4fd814b116398d46a104bbe21a837d7853bf6f7
SHA256 ca065bf631a96d791351dfb02d9855fe79f60b30a3d334015378ad827a50b5ef
SHA512
fd0232e67c6d1d2a6ff500172898d75d8b679d4e7ef9e37f447ed209a154e8ca4c29218676b62b1d98023212b0a2de6b9336931dfac45eba2e109a0883412bea
CRC32 8E92834C
ssdeep 12288:h76r5nOE4wDMG3eReXOP5/U3H6taY6IA2mGmE3TtIpZZPWgcTc7:h769DwG3eaOxM3ateI1TtIpZ0gco7
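
Before relying on any line of this report, confirm that the file on disk is the one the sandbox ran. The Python below is added here as a worked example, not part of the report or of Cuckoo: it recomputes the five digests listed above (CRC32 via zlib, the rest via hashlib) over a file in one streamed pass and reports which ones disagree. ssdeep is left out because it needs a non-standard library. The comparison is case-insensitive because the report prints CRC32 in uppercase. A full match only establishes that you hold the same bytes the sandbox analyzed, nothing about whether they are benign.

```python
import hashlib
import zlib
from typing import Dict, List

# Digests printed in the report header (copied from the page). The sample itself is
# not part of this example; point digest_file() at your own copy to compare.
REPORT_DIGESTS = {
    "md5": "01a44b9dfc9e65193b83091a7a98dd80",
    "sha1": "b4fd814b116398d46a104bbe21a837d7853bf6f7",
    "sha256": "ca065bf631a96d791351dfb02d9855fe79f60b30a3d334015378ad827a50b5ef",
    "sha512": ("fd0232e67c6d1d2a6ff500172898d75d8b679d4e7ef9e37f447ed209a154e8ca"
               "4c29218676b62b1d98023212b0a2de6b9336931dfac45eba2e109a0883412bea"),
    "crc32": "8E92834C",   # the report prints CRC32 in uppercase
}

HASH_NAMES = ("md5", "sha1", "sha256", "sha512")


def _finish(hashes: Dict[str, object], crc: int) -> Dict[str, str]:
    """Collect hex digests; CRC32 is zero-padded to 8 hex digits like the report."""
    out = {name: h.hexdigest() for name, h in hashes.items()}
    out["crc32"] = "%08x" % (crc & 0xFFFFFFFF)   # zlib.crc32 is unsigned on Python 3; mask is defensive
    return out


def digest_bytes(data: bytes) -> Dict[str, str]:
    """Same digest set as the report header, for a buffer already in memory."""
    return _finish({n: hashlib.new(n, data) for n in HASH_NAMES}, zlib.crc32(data))


def digest_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream a file once through all five digests so large samples need no extra memory."""
    hashes = {n: hashlib.new(n) for n in HASH_NAMES}
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashes.values():
                h.update(chunk)
            crc = zlib.crc32(chunk, crc)
    return _finish(hashes, crc)


def compare(actual: Dict[str, str], expected: Dict[str, str]) -> List[str]:
    """Names of expected digests that do not match (case-insensitive).

    An empty list means every listed digest agrees, i.e. the bytes are identical.
    """
    return sorted(name for name, value in expected.items()
                  if actual.get(name, "").lower() != value.lower())


if __name__ == "__main__":
    import sys
    mismatches = compare(digest_file(sys.argv[1]), REPORT_DIGESTS)
    print("MATCH: same bytes the sandbox analyzed" if not mismatches
          else "MISMATCH in: " + ", ".join(mismatches))
```

Run it as `python verify.py RapidCRCUnicodePortable_0.3.27_English.paf.exe`. Any single mismatch means a different file (a later build, a tampered download, or a different resubmission), and the behavioural sections below do not apply to it.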
Yara
  • IsPE32 -
  • IsWindowsGUI -
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasDigitalSignature - DigitalSignature Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • escalate_priv - Escalate privileges
  • screenshot - Take screenshot
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • contentis_base64 - Finds base64 strings
  • CRC32_poly_Constant - Look for CRC32 [poly]
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -
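
IsPacked (entropy check), HasOverlay and the "section .ndata" PE anomaly reported under Signatures below are all statements about file layout, and for an installer they are expected rather than suspicious: an NSIS stub carries a .ndata section with no raw data, and the compressed archive is appended after the last section, which is exactly what an entropy or overlay check flags. The PEiD byte-pattern hits (dUP patcher, Petite, StarForce) are the kind of match that needs confirming against the layout before being repeated as a finding. The Python below is added here as a worked example and is not part of Cuckoo or of the Yara rule set: it walks the section table with only the standard library, computes per-section entropy and the overlay, and applies those checks. build_test_pe() constructs a minimal, non-loadable PE for demonstration; it is not the sample above.

```python
import math
import struct
from typing import Dict, List


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> Dict:
    """Walk the DOS header, COFF header and section table of a PE image held in memory.

    Returns each section with the entropy of its raw data, plus the size and entropy of
    any overlay (bytes past the end of the last section's raw data).
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size            # section table follows the optional header
    sections: List[Dict] = []
    end_of_sections = 0
    for i in range(nsections):
        off = table + i * 40                # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        flags = struct.unpack_from("<I", data, off + 36)[0]
        raw = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": raw_size,
            "raw_ptr": raw_ptr,
            "entropy": round(shannon_entropy(raw), 3),
            "characteristics": flags,
        })
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    overlay = data[end_of_sections:]        # empty when the file ends with the last section
    return {
        "machine": machine,
        "sections": sections,
        "overlay_size": len(overlay),
        "overlay_entropy": round(shannon_entropy(overlay), 3),
    }


def triage(pe: Dict, packed_threshold: float = 7.0, min_overlay: int = 1024) -> List[str]:
    """Turn the parsed layout into the observations the IsPacked/HasOverlay/.ndata checks encode."""
    findings = []
    for s in pe["sections"]:
        if s["raw_size"] and s["entropy"] >= packed_threshold:
            findings.append("high-entropy section %s (%.2f bits/byte): compressed or encrypted content"
                            % (s["name"], s["entropy"]))
        if s["name"] == ".ndata" and s["raw_size"] == 0 and s["virtual_size"]:
            findings.append(".ndata: uninitialized section with no raw data, the layout used by NSIS installer stubs")
    if pe["overlay_size"] >= min_overlay:
        findings.append("overlay of %d bytes after the last section (entropy %.2f): appended payload, e.g. an installer archive"
                        % (pe["overlay_size"], pe["overlay_entropy"]))
    return findings


def build_test_pe(overlay: bytes) -> bytes:
    """Constructed, non-loadable 32-bit PE: a .text section, an NSIS-style .ndata section
    without raw data, and the given bytes appended as an overlay. Demonstration input only."""
    opt_size = 0xE0                          # size of a PE32 optional header
    e_lfanew = 0x40
    headers_size = 0x200                     # first file-aligned block holds all headers
    text_raw = b"\x90" * 0x200               # a page of NOPs: deliberately low entropy

    def section(name, vsize, vaddr, raw_size, raw_ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, flags)

    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)   # i386, 2 sections, EXE | 32-bit
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)          # PE32 magic, rest zeroed
    table = (section(b".text", len(text_raw), 0x1000, len(text_raw), headers_size, 0x60000020)
             + section(b".ndata", 0x8000, 0x2000, 0, 0, 0xC0000080))
    headers = (dos + b"PE\0\0" + coff + optional + table).ljust(headers_size, b"\0")
    return headers + text_raw + overlay


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        parsed = parse_pe(fh.read())
    for s in parsed["sections"]:
        print("%-8s raw=%-8d entropy=%.3f" % (s["name"], s["raw_size"], s["entropy"]))
    print("overlay: %d bytes, entropy %.3f" % (parsed["overlay_size"], parsed["overlay_entropy"]))
    for f in triage(parsed):
        print(" -", f)
```

On a real NSIS installer the stub sections stay at ordinary code/data entropy while the overlay is large and close to 8 bits/byte; a genuinely packed executable shows the high entropy inside a mapped section, because the loader has to map the packed bytes for the unpacker to reach them. That distinction, not the PEiD names, is what separates "installer with an archive" from "packed binary".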

Score

This file shows numerous signs of malicious behavior.

The score of this file is 2.0 out of 10.

Please note: the scoring system is still in development and should be considered an alpha feature.

Information on Execution

Category  Started                  Completed                Duration
FILE      Jan. 9, 2019, 9:53 a.m.  Jan. 9, 2019, 9:57 a.m.  251 seconds

Machine

Name           Label          Started On           Shutdown On
winxpsp3pro32  winxpsp3pro32  2019-01-09 09:53:21  2019-01-09 09:57:32

Analyzer Log

2019-01-09 03:11:53,015 [analyzer] DEBUG: Starting analyzer from: C:\oyunm
2019-01-09 03:11:53,015 [analyzer] DEBUG: Pipe server name: \\.\PIPE\idlPscwCCKRYaGvQ
2019-01-09 03:11:53,015 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\pQSTKodBjYjRYwvNvSdxPZNGUNf
2019-01-09 03:11:53,015 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2019-01-09 03:11:53,015 [analyzer] INFO: Automatically selected analysis package "exe"
2019-01-09 03:11:54,765 [analyzer] DEBUG: Started auxiliary module Disguise
2019-01-09 03:11:54,937 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:11:54,937 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:11:55,000 [analyzer] DEBUG: Loaded monitor into process with pid 692
2019-01-09 03:11:55,000 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2019-01-09 03:11:55,000 [analyzer] DEBUG: Started auxiliary module Human
2019-01-09 03:11:55,000 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2019-01-09 03:11:55,000 [analyzer] DEBUG: Started auxiliary module Reboot
2019-01-09 03:11:55,187 [analyzer] DEBUG: Started auxiliary module RecentFiles
2019-01-09 03:11:55,187 [analyzer] DEBUG: Started auxiliary module Screenshots
2019-01-09 03:11:55,296 [lib.api.process] INFO: Successfully executed process from path u'C:\\DOCUME~1\\zamen\\LOCALS~1\\Temp\\RapidCRCUnicodePortable_0.3.27_English.paf.exe' with arguments '' and pid 1440
2019-01-09 03:11:55,390 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:11:55,390 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:11:55,515 [analyzer] DEBUG: Loaded monitor into process with pid 1440
2019-01-09 03:11:55,578 [analyzer] DEBUG: Received request to inject pid=1440, but we are already injected there.
2019-01-09 03:11:55,687 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsj2.tmp
2019-01-09 03:11:55,733 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nso3.tmp\System.dll
2019-01-09 03:11:55,890 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nso3.tmp\FindProcDLL.dll
2019-01-09 03:11:56,046 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nso3.tmp\modern-header.bmp
2019-01-09 03:11:56,062 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nso3.tmp\modern-wizard.bmp
2019-01-09 03:11:56,375 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nso3.tmp\nsDialogs.dll
2019-01-09 03:11:57,203 [modules.auxiliary.human] INFO: Found button "&Next >", clicking it
2019-01-09 03:11:59,312 [modules.auxiliary.human] INFO: Found button "&Install", clicking it
2019-01-09 03:12:00,342 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nso3.tmp\w7tbp.dll
2019-01-09 03:12:00,483 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\RapidCRCUnicodePortable.exe
2019-01-09 03:12:00,500 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\help.html
2019-01-09 03:12:00,515 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\readme.txt
2019-01-09 03:12:00,530 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo\appicon.ico
2019-01-09 03:12:00,530 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo\appicon_128.png
2019-01-09 03:12:00,530 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo\appicon_16.png
2019-01-09 03:12:00,546 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo\appicon_32.png
2019-01-09 03:12:00,562 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo\appicon_75.png
2019-01-09 03:12:00,562 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo\appinfo.ini
2019-01-09 03:12:00,562 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo\installer.ini
2019-01-09 03:12:00,562 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo\pac_installer_log.ini
2019-01-09 03:12:00,578 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo\Launcher\Custom.nsh
2019-01-09 03:12:00,592 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo\Launcher\RapidCRCUnicodePortable.ini
2019-01-09 03:12:00,608 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\DefaultData\settings\options_unicode.bin
2019-01-09 03:12:00,765 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\RapidCRC\RapidCRC.exe
2019-01-09 03:12:00,858 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\RapidCRC\rcrcshex.dll
2019-01-09 03:12:01,015 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\RapidCRC64\RapidCRC.exe
2019-01-09 03:12:01,155 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\RapidCRC64\rcrcshex64.dll
2019-01-09 03:12:01,217 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Other\Help\images\donation_button.png
2019-01-09 03:12:01,217 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Other\Help\images\favicon.ico
2019-01-09 03:12:01,233 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Other\Help\images\help_background_footer.png
2019-01-09 03:12:01,233 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Other\Help\images\help_background_header.png
2019-01-09 03:12:01,250 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Other\Help\images\help_logo_top.png
2019-01-09 03:12:01,250 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Other\Source\AppNamePortable.ini
2019-01-09 03:12:01,265 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Other\Source\LauncherLicense.txt
2019-01-09 03:12:01,265 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Other\Source\Readme.txt
2019-01-09 03:12:01,437 [modules.auxiliary.human] INFO: Found button "&Run Rapid CRC Unicode Portable", clicking it
[111 further identical "Found button "&Run Rapid CRC Unicode Portable", clicking it" entries from modules.auxiliary.human omitted here: the same button is found and clicked about every 2 seconds from 03:12:03,500 through 03:15:50,453]
2019-01-09 03:15:52,530 [modules.auxiliary.human] INFO: Found button "&Run Rapid CRC Unicode Portable", clicking it
2019-01-09 03:15:54,405 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2019-01-09 03:15:54,405 [analyzer] INFO: Terminating remaining processes before shutdown.
2019-01-09 03:15:54,405 [lib.api.process] INFO: Successfully terminated process with pid 1440.
2019-01-09 03:15:54,765 [analyzer] WARNING: File at path "u'c:\\documents and settings\\zamen\\local settings\\temp\\nsj2.tmp'" does not exist, skip.
2019-01-09 03:15:54,796 [analyzer] INFO: Analysis completed.
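
The "Added new file to list" lines are the useful part of this log. They give the drop order, and the directory names separate the NSIS machinery (plugins and scratch files under %TEMP%\ns<xx>.tmp: System.dll, FindProcDLL.dll, nsDialogs.dll, w7tbp.dll) from the content the installer actually writes out under RapidCRCUnicodePortable\. The Human module's repeated clicks on the finish-page button until the timeout are noise that hides both. The Python below is added here as a worked example and is not part of Cuckoo: it parses the analyzer's line format, lists dropped files by class, and collapses consecutive identical messages into a count and time span. The embedded excerpt is constructed from eleven lines of the log above, with pids, paths and timestamps as printed there.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed excerpt: eleven lines copied from the analyzer log above, embedded so the
# example runs offline. The first line is the process start, not a dropped file.
SAMPLE_LOG = r"""
2019-01-09 03:11:55,296 [lib.api.process] INFO: Successfully executed process from path u'C:\\DOCUME~1\\zamen\\LOCALS~1\\Temp\\RapidCRCUnicodePortable_0.3.27_English.paf.exe' with arguments '' and pid 1440
2019-01-09 03:11:55,687 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsj2.tmp
2019-01-09 03:11:55,733 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nso3.tmp\System.dll
2019-01-09 03:11:56,375 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nso3.tmp\nsDialogs.dll
2019-01-09 03:11:57,203 [modules.auxiliary.human] INFO: Found button "&Next >", clicking it
2019-01-09 03:12:00,483 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\RapidCRCUnicodePortable.exe
2019-01-09 03:12:00,765 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\RapidCRC\RapidCRC.exe
2019-01-09 03:12:01,437 [modules.auxiliary.human] INFO: Found button "&Run Rapid CRC Unicode Portable", clicking it
2019-01-09 03:12:03,500 [modules.auxiliary.human] INFO: Found button "&Run Rapid CRC Unicode Portable", clicking it
2019-01-09 03:12:05,562 [modules.auxiliary.human] INFO: Found button "&Run Rapid CRC Unicode Portable", clicking it
2019-01-09 03:15:54,405 [analyzer] INFO: Analysis timeout hit, terminating analysis.
"""

# "<timestamp> [<module>] <LEVEL>: <message>", the format every analyzer line above uses.
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \[([^\]]+)\] (\w+): (.*)$")
DROP_RE = re.compile(r"Added new file to list with pid (\d+) and path (.+)$")
# NSIS unpacks its plugin DLLs and scratch files into %TEMP%\ns<random>.tmp before the
# payload is written anywhere; anything else dropped is installer content.
NSIS_TEMP_RE = re.compile(r"\\temp\\ns[a-z0-9]+\.tmp(\\|$)", re.IGNORECASE)


def parse_line(line: str) -> Optional[Dict]:
    """One analyzer log line to a dict; None for blank lines, tracebacks and anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, module, level, message = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S,%f"),
            "module": module, "level": level, "message": message}


def dropped_files(entries: List[Dict]) -> List[Tuple[int, str]]:
    """(pid, path) for every 'Added new file to list' entry, in drop order."""
    out = []
    for e in entries:
        m = DROP_RE.search(e["message"])
        if m:
            out.append((int(m.group(1)), m.group(2)))
    return out


def classify_path(path: str) -> str:
    return "nsis-temp" if NSIS_TEMP_RE.search(path) else "extracted"


def collapse_repeats(entries: List[Dict]) -> List[Dict]:
    """Merge consecutive entries with the same module and message into one run with a count and span."""
    runs: List[Dict] = []
    for e in entries:
        last = runs[-1] if runs else None
        if last and last["module"] == e["module"] and last["message"] == e["message"]:
            last["count"] += 1
            last["last"] = e["ts"]
        else:
            runs.append({"module": e["module"], "message": e["message"],
                         "count": 1, "first": e["ts"], "last": e["ts"]})
    return runs


def summarize(log_text: str) -> Dict:
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    dropped = dropped_files(entries)
    return {
        "entries": len(entries),
        "dropped": dropped,
        "by_class": dict(Counter(classify_path(p) for _, p in dropped)),
        "repeats": [r for r in collapse_repeats(entries) if r["count"] > 1],
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for pid, path in s["dropped"]:
        print("%-10s pid=%d %s" % (classify_path(path), pid, path))
    for r in s["repeats"]:
        span = (r["last"] - r["first"]).total_seconds()
        print("%d x %r over %.1fs" % (r["count"], r["message"], span))
```

Applied to the full log, the collapse shows one run of button clicks from 03:12:01,437 to 03:15:52,530 ending only at the analysis timeout, and the injector never reports loading the monitor into any pid other than 692 and 1440. Whatever the finish page was meant to launch was therefore not monitored, so the behavioural sections below describe the installer, not RapidCRC.exe.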

Cuckoo Log

2019-01-09 09:53:21,579 [lib.cuckoo.core.scheduler] INFO: Task #610: acquired machine winxpsp3pro32 (label=winxpsp3pro32)
2019-01-09 09:53:21,772 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 2553 (interface=eth2, host=192.168.128.102, pcap=/opt/cuckoo/storage/analyses/610/dump.pcap)
2019-01-09 09:53:24,955 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=winxpsp3pro32, ip=192.168.128.102)
2019-01-09 09:57:31,750 [lib.cuckoo.core.guest] INFO: winxpsp3pro32: analysis completed successfully
2019-01-09 09:59:04,842 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2019-01-09 09:59:15,884 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f9b50208dd0>: Failed to establish a new connection: [Errno 111] Connection refused
[the same HEAD http://127.0.0.1:9200/_template/cuckoo_template warning and NewConnectionError traceback is logged three more times, at 09:59:15,885, 09:59:15,885 and 09:59:15,886, differing only in the HTTPConnection object address; omitted here]
2019-01-09 09:59:15,887 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f9b50208390>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f9b50208390>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

This executable is signed
The executable has PE anomalies (could be a false positive) (1 event)
section .ndata
Allocates read-write-execute memory (usually to unpack itself) (2 events)
Time & API Arguments Status Return Repeated
Jan. 9, 2019, 12:11 a.m.
NtProtectVirtualMemory
base_address: 0x10004000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1440
process_handle: 0xffffffff
success 0 0
Jan. 9, 2019, 12:11 a.m.
NtProtectVirtualMemory
base_address: 0x10004000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1440
process_handle: 0xffffffff
success 0 0
Queries the disk size, which could be used to detect a virtual machine with a small fixed size or dynamic allocation (4 events)
Time & API Arguments Status Return Repeated
Jan. 9, 2019, 12:11 a.m.
GetDiskFreeSpaceExW
total_number_of_free_bytes: 18093906989154308
free_bytes_available: 193654783976932105
root_path: C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable
total_number_of_bytes: 563886256291840
failed 0 0
Jan. 9, 2019, 12:11 a.m.
GetDiskFreeSpaceExW
total_number_of_free_bytes: 24105783296
free_bytes_available: 24105783296
root_path: C:\Documents and Settings\zamen\Local Settings\Temp\
total_number_of_bytes: 31453437952
success 1 0
Jan. 9, 2019, 12:11 a.m.
GetDiskFreeSpaceExW
total_number_of_free_bytes: 5339348723570775
free_bytes_available: 845431476544928
root_path: C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable
total_number_of_bytes: 5340688753360896
failed 0 0
Jan. 9, 2019, 12:11 a.m.
GetDiskFreeSpaceExW
total_number_of_free_bytes: 24105783296
free_bytes_available: 24105783296
root_path: C:\Documents and Settings\zamen\Local Settings\Temp\
total_number_of_bytes: 31453437952
success 1 0
Creates executable files on the filesystem (9 events)
file C:\Documents and Settings\zamen\Local Settings\Temp\nso3.tmp\nsDialogs.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\nso3.tmp\w7tbp.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\nso3.tmp\System.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\RapidCRC64\RapidCRC.exe
file C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\RapidCRC64\rcrcshex64.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\RapidCRCUnicodePortable.exe
file C:\Documents and Settings\zamen\Local Settings\Temp\nso3.tmp\FindProcDLL.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\RapidCRC\rcrcshex.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\RapidCRC\RapidCRC.exe
The binary likely contains encrypted or compressed data. (2 events)
section .rsrc (virtual_address 0x00056000, virtual_size 0x000199d8, size_of_data 0x00019a00, entropy 7.534852603803474) entropy 7.5348526038 description A section with a high entropy has been found
entropy 0.762081784387 description Overall entropy of this PE file is high

Network

DNS

No domains contacted.

Hosts

No hosts contacted.

Summary

Process RapidCRCUnicodePortable_0.3.27_English.paf.exe (1440)

  • Opened files

    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable
    • C:\WINDOWS\system32\oleaccrc.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo\pac_installer_log.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\RapidCRC64
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\RapidCRC
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\DefaultData\settings
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\DefaultData
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Other\Source
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Other\Help\images
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo\Launcher
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable_0.3.27_English.paf.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Other\Help
    • C:\Documents and Settings\zamen\Local Settings\Temp\nso3.tmp\modern-header.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Other
    • C:\Documents and Settings\zamen\Local Settings\Temp\nso3.tmp\modern-wizard.bmp
  • Written files

    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\RapidCRC64\RapidCRC.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo\Launcher\Custom.nsh
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo\appicon_32.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Other\Help\images\donation_button.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\nso3.tmp\modern-header.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsj2.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\nso3.tmp\w7tbp.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\nso3.tmp\System.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Other\Source\LauncherLicense.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo\appicon_75.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\DefaultData\settings\options_unicode.bin
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo\Launcher\RapidCRCUnicodePortable.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\RapidCRC\rcrcshex.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo\appicon_16.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Other\Help\images\favicon.ico
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo\appinfo.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo\installer.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Other\Source\Readme.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\help.html
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\RapidCRC64\rcrcshex64.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo\appicon.ico
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Other\Help\images\help_logo_top.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\RapidCRC\RapidCRC.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo\appicon_128.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\nso3.tmp\modern-wizard.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\nso3.tmp\nsDialogs.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Other\Help\images\help_background_header.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\readme.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\RapidCRCUnicodePortable.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\nso3.tmp\FindProcDLL.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Other\Source\AppNamePortable.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Other\Help\images\help_background_footer.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo\pac_installer_log.ini
  • Files Read

    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo\pac_installer_log.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsj2.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable_0.3.27_English.paf.exe

Process RapidCRCUnicodePortable_0.3.27_English.paf.exe (1440)

  • Registry keys opened

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ProductOptions
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF\LangBarAddIn\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\AppLogLevels
    • HKEY_CLASSES_ROOT\Directory
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530e-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\IconHandler
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNT
    • HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
    • HKEY_CURRENT_USER\Control Panel\Desktop
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\LangBarAddIn\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\Explorer\AutoComplete
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    • HKEY_CLASSES_ROOT\Folder
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\RapidCRCUnicodePortable_0.3.27_English.paf.exe
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530a-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CLASSES_ROOT\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32
    • HKEY_LOCAL_MACHINE\System\Setup
    • HKEY_LOCAL_MACHINE\System\WPA\PnP
    • HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
    • HKEY_LOCAL_MACHINE\Software\Microsoft\COM3\Debug
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Explorer\AutoComplete
    • HKEY_CLASSES_ROOT\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Clsid
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle
    • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\CurVer
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530d-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530b-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\(Default)
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
  • Registry keys written

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530e-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530d-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530a-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530b-636a-11e6-ba0d-806d6172696f}\BaseClass
  • Registry keys read

    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewScrollOver
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DevicePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Domain
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\DriverCachePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\RsopDebugLevel
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\OsLoaderPath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewWatermark
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemPartition
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogPath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserEnvDebugLevel
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MinimumFreeMemPercentageToCreateProcess
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ServicePackSourcePath
    • HKEY_LOCAL_MACHINE\SYSTEM\WPA\PnP\seed
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ServicePackCachePath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\RsopLogging
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogLevel
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Hostname
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Personal
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions\ProductType
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewScrollOver
    • HKEY_CURRENT_USER\Control Panel\Desktop\LameButtonText
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MinimumFreeMemPercentageToCreateObject
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local Settings
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ChkAccDebugLevel
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager\Compositing
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt

Process RapidCRCUnicodePortable_0.3.27_English.paf.exe (1440)

  • Mutexes accessed

    • oleacc-msaa-loaded
    • MSCTF.Shared.MUTEX.EFG

Process RapidCRCUnicodePortable_0.3.27_English.paf.exe (1440)

  • Directories created

    • C:\Documents and Settings
    • C:\Documents and Settings\zamen\Local Settings\Temp\nso3.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Other
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\RapidCRC
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Other\Help
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\DefaultData\settings
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\DefaultData
    • C:\Documents and Settings\zamen\Local Settings\Temp\
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\RapidCRC64
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App
    • C:\Documents and Settings\zamen\Local Settings\Temp
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Data
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Other\Help\images
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo\Launcher
    • C:\Documents and Settings\zamen\Local Settings
    • C:\Documents and Settings\zamen
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Other\Source
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\~PRESERVEFILE1
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\~PRESERVEFILE2
  • Directories removed

    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\~PRESERVEFILE1\
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\~PRESERVEFILE2\
  • Directories enumerated

    • C:\Documents and Settings
    • C:\Program Files\Microsoft Office\Office12
    • C:\WINDOWS\system32\ctfmon.exe
    • C:\WINDOWS\explorer.exe
    • C:\Python27\pythonw.exe
    • C:\WINDOWS\system32\lsass.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\~PRESERVEFILE2
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\~PRESERVEFILE1
    • C:\Program Files\Java\jre7\bin\jqs.exe
    • C:\Program Files\Java\jre7
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\~PRESERVEFILE2\options_unicode.bin
    • C:\WINDOWS
    • C:\PortableApps
    • C:\WINDOWS\system32\svchost.exe
    • C:\Documents and Settings\zamen\Local Settings
    • C:\Documents and Settings\zamen\PortableApps\*.*
    • C:\WINDOWS\system32
    • C:\Documents and Settings\zamen\Local Settings\Temp\nso3.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\~PRESERVEFILE1\options_unicode.bin
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\RapidCRC64\options_unicode.bin
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Other\*.*
    • C:\Python27
    • C:\Documents and Settings\zamen\Local Settings\Temp
    • C:\WINDOWS\system32\services.exe
    • C:\Program Files\Java
    • E:\PortableApps
    • C:\Documents and Settings\zamen
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Other
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\RapidCRC\options_unicode.bin
    • C:\Program Files\Common Files\Java
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\*.*
    • C:\Program Files\Java\jre7\bin
    • C:\Documents and Settings\zamen\Local Settings\Temp\PortableApps.com\PortableAppsPlatform.exe
    • C:\WINDOWS\system32\spoolsv.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App
    • C:\WINDOWS\system32\alg.exe
    • C:\Program Files\Common Files\Java\Java Update\jusched.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\*.*

Process RapidCRCUnicodePortable_0.3.27_English.paf.exe (1440)

  • DLLs Loaded

    • C:\WINDOWS\system32\APPHELP.dll
    • C:\WINDOWS\system32\USERENV.dll
    • C:\WINDOWS\system32\SHELL32.dll
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nso3.tmp\System.dll
    • kernel32.dll
    • UxTheme.dll
    • oleaut32.dll
    • C:\WINDOWS\system32\OLEACC.dll
    • C:\WINDOWS\system32\CRYPTBASE.dll
    • C:\WINDOWS\system32\browseui.dll
    • OLEAUT32.DLL
    • ole32.dll
    • C:\WINDOWS\system32\UXTHEME.dll
    • C:\WINDOWS\system32\DWMAPI.dll
    • C:\WINDOWS\system32\RichEd20.dll
    • C:\WINDOWS\system32\PROPSYS.dll
    • C:\WINDOWS\system32\SETUPAPI.dll
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nso3.tmp\nsDialogs.dll
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nso3.tmp\w7tbp.dll
    • C:\WINDOWS\system32\SHFOLDER.dll
    • SHELL32.dll
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nso3.tmp\FindProcDLL.dll
    • PSAPI.DLL
    • C:\WINDOWS\system32\CLBCATQ.dll
    • browseui.dll
    • shell32.dll
    • SETUPAPI.dll

PE Compile Time

2018-01-29 22:57:41

Signing Certificate

MD5 da26be9659b0132c12c0fc4d24f038c5
SHA1 c0a448b9101f48309a8e5a67c11db09da14b54bb
Serial Number f0e150c304de35f2e9086185581f4053
Common Name Rare Ideas, LLC
Country US
Locality Astoria

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x00006409 0x00006600 6.4162226664
.rdata 0x00008000 0x0000138e 0x00001400 5.14383173215
.data 0x0000a000 0x00020358 0x00000600 4.00440232134
.ndata 0x0002b000 0x0002b000 0x00000000 0.0
.rsrc 0x00056000 0x000199d8 0x00019a00 7.5348526038

Imports

Library KERNEL32.dll:
0x408070 ExitProcess
0x408074 SetFileAttributesW
0x408078 Sleep
0x40807c GetTickCount
0x408080 CreateFileW
0x408084 GetFileSize
0x408088 GetModuleFileNameW
0x40808c GetCurrentProcess
0x408094 GetFileAttributesW
0x4080a0 GetTempPathW
0x4080a4 GetCommandLineW
0x4080a8 GetVersion
0x4080ac SetErrorMode
0x4080b0 lstrlenW
0x4080b4 lstrcpynW
0x4080b8 CopyFileW
0x4080bc GetShortPathNameW
0x4080c0 GlobalLock
0x4080c4 CreateThread
0x4080c8 GetLastError
0x4080cc CreateDirectoryW
0x4080d0 CreateProcessW
0x4080d4 RemoveDirectoryW
0x4080d8 lstrcmpiA
0x4080dc GetTempFileNameW
0x4080e0 WriteFile
0x4080e4 lstrcpyA
0x4080e8 MoveFileExW
0x4080ec lstrcatW
0x4080f0 GetSystemDirectoryW
0x4080f4 GetProcAddress
0x4080f8 GetModuleHandleA
0x4080fc GetExitCodeProcess
0x408100 WaitForSingleObject
0x408104 lstrcmpiW
0x408108 MoveFileW
0x40810c GetFullPathNameW
0x408110 SetFileTime
0x408114 SearchPathW
0x408118 CompareFileTime
0x40811c lstrcmpW
0x408120 CloseHandle
0x408128 GlobalFree
0x40812c GlobalUnlock
0x408130 GetDiskFreeSpaceW
0x408134 GlobalAlloc
0x408138 FindFirstFileW
0x40813c FindNextFileW
0x408140 DeleteFileW
0x408144 SetFilePointer
0x408148 ReadFile
0x40814c FindClose
0x408150 lstrlenA
0x408154 MulDiv
0x408158 MultiByteToWideChar
0x40815c WideCharToMultiByte
0x408168 FreeLibrary
0x40816c LoadLibraryExW
0x408170 GetModuleHandleW
Library USER32.dll:
0x408194 GetSystemMenu
0x408198 SetClassLongW
0x40819c EnableMenuItem
0x4081a0 IsWindowEnabled
0x4081a4 SetWindowPos
0x4081a8 GetSysColor
0x4081ac GetWindowLongW
0x4081b0 SetCursor
0x4081b4 LoadCursorW
0x4081b8 CheckDlgButton
0x4081bc GetMessagePos
0x4081c0 LoadBitmapW
0x4081c4 CallWindowProcW
0x4081c8 IsWindowVisible
0x4081cc CloseClipboard
0x4081d0 SetClipboardData
0x4081d4 EmptyClipboard
0x4081d8 OpenClipboard
0x4081dc ScreenToClient
0x4081e0 GetWindowRect
0x4081e4 GetDlgItem
0x4081e8 GetSystemMetrics
0x4081ec SetDlgItemTextW
0x4081f0 GetDlgItemTextW
0x4081f4 MessageBoxIndirectW
0x4081f8 CharPrevW
0x4081fc CharNextA
0x408200 wsprintfA
0x408204 DispatchMessageW
0x408208 PeekMessageW
0x40820c ReleaseDC
0x408210 EnableWindow
0x408214 InvalidateRect
0x408218 SendMessageW
0x40821c DefWindowProcW
0x408220 BeginPaint
0x408224 GetClientRect
0x408228 FillRect
0x40822c DrawTextW
0x408230 EndDialog
0x408234 RegisterClassW
0x40823c CreateWindowExW
0x408240 GetClassInfoW
0x408244 DialogBoxParamW
0x408248 CharNextW
0x40824c ExitWindowsEx
0x408250 DestroyWindow
0x408254 GetDC
0x408258 SetTimer
0x40825c SetWindowTextW
0x408260 LoadImageW
0x408264 SetForegroundWindow
0x408268 ShowWindow
0x40826c IsWindow
0x408270 SetWindowLongW
0x408274 FindWindowExW
0x408278 TrackPopupMenu
0x40827c AppendMenuW
0x408280 CreatePopupMenu
0x408284 EndPaint
0x408288 CreateDialogParamW
0x40828c SendMessageTimeoutW
0x408290 wsprintfW
0x408294 PostQuitMessage
Library GDI32.dll:
0x40804c SelectObject
0x408050 SetBkMode
0x408054 CreateFontIndirectW
0x408058 SetTextColor
0x40805c DeleteObject
0x408060 GetDeviceCaps
0x408064 CreateBrushIndirect
0x408068 SetBkColor
Library SHELL32.dll:
0x40817c ShellExecuteExW
0x408184 SHBrowseForFolderW
0x408188 SHGetFileInfoW
0x40818c SHFileOperationW
Library ADVAPI32.dll:
0x408004 RegCreateKeyExW
0x408008 RegOpenKeyExW
0x40800c SetFileSecurityW
0x408010 OpenProcessToken
0x408018 RegEnumValueW
0x40801c RegDeleteKeyW
0x408020 RegDeleteValueW
0x408024 RegCloseKey
0x408028 RegSetValueExW
0x40802c RegQueryValueExW
0x408030 RegEnumKeyW
Library COMCTL32.dll:
0x408038 ImageList_Create
0x40803c ImageList_AddMasked
0x408040 ImageList_Destroy
0x408044 None
Library ole32.dll:
0x40829c OleUninitialize
0x4082a0 OleInitialize
0x4082a4 CoTaskMemFree
0x4082a8 CoCreateInstance

!This program cannot be run in DOS mode.
`.rdata
@.data
.ndata
UXTHEME
USERENV
SETUPAPI
APPHELP
PROPSYS
DWMAPI
CRYPTBASE
OLEACC
CLBCATQ
RichEd32
RichEd20
MulDiv
DeleteFileW
FindFirstFileW
FindNextFileW
FindClose
SetFilePointer
ReadFile
MultiByteToWideChar
lstrlenA
WideCharToMultiByte
GetPrivateProfileStringW
WritePrivateProfileStringW
FreeLibrary
LoadLibraryExW
GetModuleHandleW
GlobalAlloc
GlobalFree
ExpandEnvironmentStringsW
lstrcmpW
lstrcmpiW
CloseHandle
SetFileTime
CompareFileTime
SearchPathW
GetShortPathNameW
GetFullPathNameW
MoveFileW
SetCurrentDirectoryW
GetFileAttributesW
SetFileAttributesW
GetTickCount
CreateFileW
GetFileSize
GetModuleFileNameW
GetCurrentProcess
CopyFileW
ExitProcess
SetEnvironmentVariableW
GetWindowsDirectoryW
GetTempPathW
GetCommandLineW
GetVersion
SetErrorMode
lstrlenW
lstrcpynW
GetDiskFreeSpaceW
GlobalUnlock
GlobalLock
CreateThread
GetLastError
CreateDirectoryW
CreateProcessW
RemoveDirectoryW
lstrcmpiA
GetTempFileNameW
WriteFile
lstrcpyA
MoveFileExW
lstrcatW
GetSystemDirectoryW
GetProcAddress
GetModuleHandleA
GetExitCodeProcess
WaitForSingleObject
KERNEL32.dll
EndPaint
DrawTextW
FillRect
GetClientRect
BeginPaint
DefWindowProcW
SendMessageW
InvalidateRect
EnableWindow
ReleaseDC
LoadImageW
SetWindowLongW
GetDlgItem
IsWindow
FindWindowExW
SendMessageTimeoutW
wsprintfW
ShowWindow
SetForegroundWindow
PostQuitMessage
SetWindowTextW
SetTimer
CreateDialogParamW
DestroyWindow
ExitWindowsEx
CharNextW
DialogBoxParamW
GetClassInfoW
CreateWindowExW
SystemParametersInfoW
RegisterClassW
EndDialog
ScreenToClient
GetWindowRect
EnableMenuItem
GetSystemMenu
SetClassLongW
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongW
SetCursor
LoadCursorW
CheckDlgButton
GetMessagePos
LoadBitmapW
CallWindowProcW
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
TrackPopupMenu
AppendMenuW
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextW
GetDlgItemTextW
MessageBoxIndirectW
CharPrevW
CharNextA
wsprintfA
DispatchMessageW
PeekMessageW
USER32.dll
SelectObject
SetTextColor
SetBkMode
CreateFontIndirectW
CreateBrushIndirect
DeleteObject
GetDeviceCaps
SetBkColor
GDI32.dll
SHFileOperationW
SHGetFileInfoW
SHBrowseForFolderW
SHGetPathFromIDListW
ShellExecuteExW
SHGetSpecialFolderLocation
SHELL32.dll
RegEnumValueW
RegEnumKeyW
RegQueryValueExW
RegSetValueExW
RegCloseKey
RegDeleteValueW
RegDeleteKeyW
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
SetFileSecurityW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
ImageList_Destroy
ImageList_AddMasked
ImageList_Create
COMCTL32.dll
CoCreateInstance
OleUninitialize
OleInitialize
CoTaskMemFree
ole32.dll
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
VERSION
SHGetFolderPathW
SHFOLDER
SHAutoComplete
SHLWAPI
SHELL32
InitiateShutdownW
RegDeleteKeyExW
ADVAPI32
GetUserDefaultUILanguage
GetDiskFreeSpaceExW
SetDefaultDllDirectories
KERNEL32
[Rename]
%ls=%ls
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.03</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
NullsoftInst
Western Cape1
Durbanville1
Thawte1
Thawte Certification10
Thawte Timestamping CA0
121221000000Z
201230235959Z0^1
Symantec Corporation100.
'Symantec Time Stamping Services CA - G20
http://ocsp.thawte.com0
.http://crl.thawte.com/ThawteTimestampingCA.crl0
TimeStamp-2048-10
Symantec Corporation100.
'Symantec Time Stamping Services CA - G20
121018000000Z
201229235959Z0b1
Symantec Corporation1402
+Symantec Time Stamping Services Signer - G40
http://ts-ocsp.ws.symantec.com07
+http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
+http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
TimeStamp-2048-20
Greater Manchester1
Salford1
COMODO CA Limited1#0!
COMODO RSA Code Signing CA0
180220000000Z
190220235959Z0
111081
New York1
Astoria1!0
350 Fifth Ave Suite 52091
Rare Ideas, LLC1
Rare Ideas, LLC0
https://secure.comodo.net/CPS0C
2http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
2http://crt.comodoca.com/COMODORSACodeSigningCA.crt0$
http://ocsp.comodoca.com0
contact@rareideas.com0
Greater Manchester1
Salford1
COMODO CA Limited1+0)
"COMODO RSA Certification Authority0
130509000000Z
280508235959Z0}1
Greater Manchester1
Salford1
COMODO CA Limited1#0!
COMODO RSA Code Signing CA0
;http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
/http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$
http://ocsp.comodoca.com0
Greater Manchester1
Salford1
COMODO CA Limited1#0!
COMODO RSA Code Signing CA
Symantec Corporation100.
'Symantec Time Stamping Services CA - G2
180621163120Z0#
Greater Manchester1
Salford1
COMODO CA Limited1#0!
COMODO RSA Code Signing CA0
180220000000Z
190220235959Z0
111081
New York1
Astoria1!0
350 Fifth Ave Suite 52091
Rare Ideas, LLC1
Rare Ideas, LLC0
https://secure.comodo.net/CPS0C
2http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
2http://crt.comodoca.com/COMODORSACodeSigningCA.crt0$
http://ocsp.comodoca.com0
contact@rareideas.com0
Greater Manchester1
Salford1
COMODO CA Limited1+0)
"COMODO RSA Certification Authority0
130509000000Z
280508235959Z0}1
Greater Manchester1
Salford1
COMODO CA Limited1#0!
COMODO RSA Code Signing CA0
;http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
/http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$
http://ocsp.comodoca.com0
Greater Manchester1
Salford1
COMODO CA Limited1#0!
COMODO RSA Code Signing CA
20180621163121Z
GlobalSign TSA for Advanced - G2
GlobalSign nv-sa110/
(GlobalSign Timestamping CA - SHA256 - G20
180219000000Z
290318100000Z0+1)0'
GlobalSign TSA for Advanced - G20
&https://www.globalsign.com/repository/0
5http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
<http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0<
0http://ocsp2.globalsign.com/gstimestampingsha2g20
GlobalSign Root CA - R31
GlobalSign1
GlobalSign0
110802100000Z
290329100000Z0[1
GlobalSign nv-sa110/
(GlobalSign Timestamping CA - SHA256 - G20
&https://www.globalsign.com/repository/06
%http://crl.globalsign.net/root-r3.crl0
GlobalSign nv-sa110/
(GlobalSign Timestamping CA - SHA256 - G2
180621163121Z0/
GlobalSign nv-sa110/
(GlobalSign Timestamping CA - SHA256 - G2
RichEdit
RichEdit20W
.DEFAULT\Control Panel\International
Control Panel\Desktop\ResourceLocale
Software\Microsoft\Windows\CurrentVersion
\Microsoft\Internet Explorer\Quick Launch
verifying installer: %d%%
unpacking data: %d%%
... %d%%
Installer integrity check has failed. Common causes include
incomplete download and damaged media. Contact the
installer's author to obtain a new copy.
More information at:
http://nsis.sf.net/NSIS_Error
Error writing temporary file. Make sure your temp folder is valid.
Error launching installer
SeShutdownPrivilege
NSIS Error
%u.%u%s%s
*?|<>/":
%s%S.dll
MS Shell Dlg
MS Shell Dlg
MS Shell Dlg
msctls_progress32
SysListView32
MS Shell Dlg
Please wait while Setup is loading...
VS_VERSION_INFO
StringFileInfo
040904b0
Comments
For additional details, visit PortableApps.com
CompanyName
PortableApps.com
FileDescription
Rapid CRC Unicode Portable
FileVersion
0.3.27.0
InternalName
Rapid CRC Unicode Portable
LegalCopyright
2007-2017 PortableApps.com, PortableApps.com Installer 3.5.8.0
LegalTrademarks
PortableApps.com is a registered trademark of Rare Ideas, LLC.
OriginalFilename
RapidCRCUnicodePortable_0.3.27_English.paf.exe
PortableApps.comAppID
RapidCRCUnicodePortable
PortableApps.comFormatVersion
PortableApps.comInstallerVersion
3.5.8.0
ProductName
Rapid CRC Unicode Portable
ProductVersion
0.3.27.0
VarFileInfo
Translation
Antivirus Signature
Bkav Clean
MicroWorld-eScan Clean
CMC Clean
CAT-QuickHeal Clean
McAfee Clean
Cylance Clean
Zillya Clean
AegisLab Clean
TheHacker Clean
Alibaba Clean
K7GW Clean
K7AntiVirus Clean
Invincea Clean
Baidu Clean
NANO-Antivirus Clean
Cyren Clean
Symantec Clean
ESET-NOD32 Clean
TrendMicro-HouseCall Clean
Paloalto Clean
ClamAV Clean
Kaspersky Clean
BitDefender Clean
Babable Clean
SUPERAntiSpyware Clean
Avast Clean
Tencent Clean
Ad-Aware Clean
Trustlook Clean
Sophos Clean
Comodo Clean
F-Secure Clean
DrWeb Clean
VIPRE Clean
TrendMicro Clean
McAfee-GW-Edition Clean
Trapmine Clean
Emsisoft Clean
SentinelOne Clean
F-Prot Clean
Jiangmin Clean
Webroot Clean
Avira Clean
MAX Clean
Antiy-AVL Clean
Kingsoft Clean
Microsoft Clean
Endgame Clean
Arcabit Clean
ViRobot Clean
ZoneAlarm Clean
Avast-Mobile Clean
GData Clean
AhnLab-V3 Clean
Acronis Clean
VBA32 Clean
ALYac Clean
TACHYON Clean
Malwarebytes Clean
Zoner Clean
Rising Clean
Yandex Clean
Ikarus Clean
eGambit Clean
Fortinet Clean
AVG Clean
Cybereason Clean
Panda Clean
CrowdStrike Clean
Qihoo-360 Clean

Process Tree


RapidCRCUnicodePortable_0.3.27_English.paf.exe, PID: 1440, Parent PID: 1312


Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (i.e., pip install httpreplay) will allow Cuckoo to do more proper PCAP analysis including but not limited to showing full HTTP and HTTPS (!) requests and responses. It is recommended that you install this library and possibly reprocess any interesting analysis tasks.

Hosts

No hosts contacted.

DNS

No domains contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.128.102 137 192.168.128.255 137
192.168.128.102 138 192.168.128.255 138

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name 75a6a3a4c11e4068_pac_installer_log.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo\pac_installer_log.ini
Size 549.0B
Processes 1440 (RapidCRCUnicodePortable_0.3.27_English.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 014b0b6cd7bb28f8277add837c045902
SHA1 5a6202fd8a77957afaf69c7eb79d70e783b1c150
SHA256 75a6a3a4c11e4068e7d661e86dafc4edbe863314ed169f615377f6640bb42550
CRC32 4F609135
ssdeep 12:EpXSg0uU/DA5WV9ARjUR0PXFj02PXFxxBAh9jAqK6oILVKivyKyNBXZjyXHn:E5SZ+WoUuvR02vL+jLK61V3yfZ6
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 189b1af95d661151_launcherlicense.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Other\Source\LauncherLicense.txt
Size 18.0KB
Processes 1440 (RapidCRCUnicodePortable_0.3.27_English.paf.exe)
Type Pascal source, ASCII text, with CRLF line terminators
MD5 ffa10f40b98be2c2bc9608f56827ed23
SHA1 dc8f2e570bf431427dbc3bab9d4d551b53a60208
SHA256 189b1af95d661151e054cea10c91b3d754e4de4d3fecfb074c1fb29476f7167b
CRC32 A6D3A2F5
ssdeep 384:H4j2PmwE3b6k/iAVX/dUY2ZpEGMOZ77oPpDqHZ:H46uh1iYWrTXoPpDqHZ
Yara
  • contentis_base64 - This rule finds for base64 strings
  • embedded_pe - Contains an embedded PE32 file
Name f1945cd6c19e56b3_options_unicode.bin
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\DefaultData\settings\options_unicode.bin
Size 3.0B
Processes 1440 (RapidCRCUnicodePortable_0.3.27_English.paf.exe)
Type UTF-8 Unicode text, with no line terminators
MD5 ecaa88f7fa0bf610a5a26cf545dcd3aa
SHA1 57218c316b6921e2cd61027a2387edc31a2d9471
SHA256 f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5
CRC32 011097E1
ssdeep 3:g:g
Yara None matched
Name feb6364375d0ab08_nsdialogs.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nso3.tmp\nsDialogs.dll
Size 9.5KB
Processes 1440 (RapidCRCUnicodePortable_0.3.27_English.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 ca95c9da8cef7062813b989ab9486201
SHA1 c555af25df3de51aa18d487d47408d5245dba2d1
SHA256 feb6364375d0ab081e9cdf11271c40cb966af295c600903383b0730f0821c0be
CRC32 9D200B7A
ssdeep 192:oF8cSzvTyl4tgi8pPjQM0PuAg0YNy8IFtSP:EBSzm+t18pZ0WAg0R8IFg
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_function_prolog_signature -
Name 44fc27685e8607c0_appicon_32.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo\appicon_32.png
Size 3.1KB
Processes 1440 (RapidCRCUnicodePortable_0.3.27_English.paf.exe)
Type PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
MD5 09d2e3709fdcc45152b9b6559480a5b9
SHA1 f6621491f7ff3d9c0c14f1a846074e8784eb2b77
SHA256 44fc27685e8607c0c36f98f6fa0974c294c8d2b6c3b3745e3d0a2fa36e25f9b5
CRC32 4468397A
ssdeep 96:aY2ks0G1nkBouGnPN8KjE8+ztInw63VFhg1:aLdnHnPNb+YVbg1
Yara
  • contentis_base64 - This rule finds for base64 strings
  • Big_Numbers1 - Looks for big numbers 32:sized
Name 13466d6a3d72e47b_help.html
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\help.html
Size 4.6KB
Processes 1440 (RapidCRCUnicodePortable_0.3.27_English.paf.exe)
Type HTML document, ASCII text, with CRLF line terminators
MD5 629bac026fa00cefd8d2f15e3d7896cb
SHA1 f80b06f9c49a0e804284e166588b574a28df4750
SHA256 13466d6a3d72e47bf71460a204c715964e4bbe2d1eb962a08fe6f3746da0bd8f
CRC32 41738988
ssdeep 96:7bgLFGkz2/iQWnMn1rt6BxOXmHrZ6NtEzvhcxD:7bgL4biQWnMn1Z
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 33727567e8a9ffea_appicon_128.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo\appicon_128.png
Size 6.6KB
Processes 1440 (RapidCRCUnicodePortable_0.3.27_English.paf.exe)
Type PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
MD5 f05bf94b9f7a5fa5a1207f43235399c8
SHA1 ce0e74f7280277e5913f416a9ab3fb37e8f6a684
SHA256 33727567e8a9ffea46ddd4e10ebaad16882fa39dcc4ae54e56c3514cfa2d45dc
CRC32 B42B2358
ssdeep 96:0Y2DkhzturCHKw7RH0DKc2OGPabXJmKu4S3rF8T9Bjx20htBr78rkHF2RsI5oeBE:0Cz0mBOGYJafx85Jx20hbvl0X5NWfHR9
Yara
  • contentis_base64 - This rule finds for base64 strings
  • Big_Numbers1 - Looks for big numbers 32:sized
Name 7ede0d49d77e9041_appicon.ico
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo\appicon.ico
Size 38.2KB
Processes 1440 (RapidCRCUnicodePortable_0.3.27_English.paf.exe)
Type MS Windows icon resource - 7 icons, 48x48, 256-colors
MD5 bb358f2518534380c1aac703d8ddabb0
SHA1 c35375ac2e2a94d1a8a24a5e199bd0c017a77f4b
SHA256 7ede0d49d77e90418ab7eae16d66defcf99d6c480eaf59368a0b2efedc7dca7e
CRC32 D6C29497
ssdeep 768:ljyCsoUtuNRwrA2YdHXXDhqctTss/CxVSHDjHH2n4:4oU6wrA1Xy2jHx
Yara None matched
Name a632d74332b3f08f_system.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nso3.tmp\System.dll
Size 11.5KB
Processes 1440 (RapidCRCUnicodePortable_0.3.27_English.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 75ed96254fbf894e42058062b4b4f0d1
SHA1 996503f1383b49021eb3427bc28d13b5bbd11977
SHA256 a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
CRC32 BFE90AC5
ssdeep 192:X24sihno0bW+l97H4GB7QDs91kMtwtobTr4u+QHbazMNHT7dmNIEr:m8vJl97JeoxtN/r3z7YV
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01070_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -
Name e3b0c44298fc1c14_nso1.tmp
Size 0.0B
Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
ssdeep 3::
Yara None matched
Name 2ffe1ac2555e822b_findprocdll.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nso3.tmp\FindProcDLL.dll
Size 4.0KB
Processes 1440 (RapidCRCUnicodePortable_0.3.27_English.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 ba4c1dfe226d573d516c0529f263011e
SHA1 d726e947633ea75c09bba1cb6a14a79ce953be24
SHA256 2ffe1ac2555e822b4a383996168031e456f09f9cf3bb763fccee35be178cf58a
CRC32 B076F3F7
ssdeep 48:qv1AJiDhU8UsnL0C8EA4G1zkxU5NMsH7pWIa1B3yx3s2mRUyNi7ftUgwQagqlNt/:uJnQChA4nsNMg0I8GiR+Uget
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_suspicious_strings -
Name 46a1d50a869dc7e2_help_logo_top.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Other\Help\images\help_logo_top.png
Size 2.5KB
Processes 1440 (RapidCRCUnicodePortable_0.3.27_English.paf.exe)
Type PNG image data, 229 x 47, 8-bit/color RGBA, non-interlaced
MD5 0f024e316973b9d87f3f4c3a1f33c448
SHA1 8ccaf998d7b14731829c0d1104d6fa7a1adc7247
SHA256 46a1d50a869dc7e2c0511cfbc77a15f0092ad9fba0b068736f1e512683a47ee4
CRC32 8F37D7F3
ssdeep 48:NaRbpMYHmHcRu3nh77X9/aoy/b1MUOgmLFu2J:YRbqHSI7TZ/RgSuI
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 88c0749cc9ca14cc_help_background_footer.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Other\Help\images\help_background_footer.png
Size 168.0B
Processes 1440 (RapidCRCUnicodePortable_0.3.27_English.paf.exe)
Type PNG image data, 10 x 16, 8-bit/color RGB, non-interlaced
MD5 6af4a82693a403b0d0afde16972466f5
SHA1 1ab8a3d0cf22cde23173b6b41521377c0fdbeea8
SHA256 88c0749cc9ca14ccea1af39dffaccf7b7c35e5b5603b1e451fe7fce508252480
CRC32 8468EBFD
ssdeep 3:yionv//thPlHvtntCZRthwkBDsTBZtv9L//gbxCRQe1e//VHgNqUMwF/2g1p:6v/lhPo/nDspvmb8RQe1IgN1MwFdp
Yara
  • contentis_base64 - This rule finds for base64 strings
Name ee13539f3d66cc05_modern-wizard.bmp
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nso3.tmp\modern-wizard.bmp
Size 603.5KB
Processes 1440 (RapidCRCUnicodePortable_0.3.27_English.paf.exe)
Type PC bitmap, Windows 3.x format, 328 x 628 x 24
MD5 4df53efcaa2c52f39618b2aad77bb552
SHA1 542de62a8a48a3ff57cf7845737803078062e95b
SHA256 ee13539f3d66cc0592942ea1a4c35d8fd9af67b1a7f272d0d791931e6e9ce4eb
CRC32 1CDF967B
ssdeep 1536:9Bn13fmACap7r33OCINrac3aKumetKPKqDjoo+1q7C3DNgbgNgLg7gRgeHRVAVVi:90aZr33XW1
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 39c4f0b0c0aaa21a_appinfo.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo\appinfo.ini
Size 488.0B
Processes 1440 (RapidCRCUnicodePortable_0.3.27_English.paf.exe)
Type ASCII text
MD5 385dac8ddf87bcb9d12cf11c9337b93f
SHA1 1dc3ce626e53a9c8fa74850f85ac8992a44b36c6
SHA256 39c4f0b0c0aaa21a5ce4881039de51fc9f0b4079c8e13d688a2f7f2a176048f2
CRC32 797B38B7
ssdeep 12:mMiy5FZXM155JxMmuz5VH5/zRn7y8N0TDICGRaI0seHTLhhHuLyvy:rNXGOmuz5R5wBotenh9EQy
Yara
  • contentis_base64 - This rule finds for base64 strings
Name c93e2a059e2929cd_rcrcshex64.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\RapidCRC64\rcrcshex64.dll
Size 475.5KB
Processes 1440 (RapidCRCUnicodePortable_0.3.27_English.paf.exe)
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 f007daf7a1bb4375fa7c1e41884bd1d2
SHA1 fa7d88f59451489386418551c15ff8f6fa552d91
SHA256 c93e2a059e2929cdd5a4f7b4bf68c4ab2d126a22c1027f861271a61642ad0952
CRC32 191ABE31
ssdeep 12288:buBWqbsb/mMv+Jj0hd9Kkb3Xf4RVlavGB:b8WqE
Yara
  • IsPE64 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_02161_Stranik_1_3_Modula_C_Pascal_ - [Stranik 1.3 Modula/C/Pascal]
  • PEiD_02191_tElock_0_99___1_0_private____tE__ - [tElock 0.99 - 1.0 private -> tE!]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • anti_dbg - Checks if being debugged
  • screenshot - Take screenshot
  • win_registry - Affect system registries
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_suspicious_strings -
Name b664ac13ef77b57d_rapidcrc.exe
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\RapidCRC64\RapidCRC.exe
Size 1.3MB
Processes 1440 (RapidCRCUnicodePortable_0.3.27_English.paf.exe)
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 3fb9a356342997e0d82f82d92ea38e73
SHA1 3cf4123a224122a249350cb7dc3119aa681bf226
SHA256 b664ac13ef77b57d4f1fb3a990f6c5e42392cf91f2f5fcee42d4f61fac6b6312
CRC32 9C4BD1C2
ssdeep 12288:095OJmXA3gOzo9a+OmMv+Jj0hd9Kkb3Xf4RVlavGBe:095OJmXA3g2oHub
Yara
  • IsPE64 -
  • IsWindowsGUI -
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_00810_FSG_v1_10__Eng_____dulek_xt_____Microsoft_Visual_C___6_0___7_0__ - [FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_02161_Stranik_1_3_Modula_C_Pascal_ - [Stranik 1.3 Modula/C/Pascal]
  • PEiD_03512_Xtreme_Protector_v1_05_ - [Xtreme-Protector v1.05]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • anti_dbg - Checks if being debugged
  • keylogger - Run a keylogger
  • win_mutex - Create or check mutex
  • win_registry - Affect system registries
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Microsoft_Visual_Cpp_80_DLL -
  • Advapi_Hash_API - Looks for advapi API functions
  • CRC32c_poly_Constant - Look for CRC32c (Castagnoli) [poly]
  • CRC32_poly_Constant - Look for CRC32 [poly]
  • CRC32_table - Look for CRC32 table
  • MD5_Constants - Look for MD5 constants
  • RIPEMD160_Constants - Look for RIPEMD-160 constants
  • SHA1_Constants - Look for SHA1 constants
  • SHA512_Constants - Look for SHA384/SHA512 constants
  • maldoc_suspicious_strings -
  • Str_Win32_Wininet_Library - Match Windows Inet API library declaration
Name c3aaef73d55a2211_appicon_75.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo\appicon_75.png
Size 5.0KB
Processes 1440 (RapidCRCUnicodePortable_0.3.27_English.paf.exe)
Type PNG image data, 75 x 75, 8-bit/color RGBA, non-interlaced
MD5 844076041becefc8b10581cf9b204763
SHA1 fd062d976ca2e8aedc7852ee3faedbdad83479dc
SHA256 c3aaef73d55a22114e5bae2518e2b4508162c8ab56dae07dfbc12949ae4b4b69
CRC32 0D8256F2
ssdeep 96:PSC8f6vWaphBLnkz+BsbDZkFL2ARTsXJopgHHDcyeNcOluXi9Gv3Q:PSCYYprLnQ+BseZTs5lcrjWio3Q
Yara None matched
Name 58053a49f7c9d07f_appnameportable.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Other\Source\AppNamePortable.ini
Size 244.0B
Processes 1440 (RapidCRCUnicodePortable_0.3.27_English.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 8634c50b01d5ea4adc0d9eca692cbb5b
SHA1 ce39ebe17200463b7625a07288bae88c688f0ab8
SHA256 58053a49f7c9d07faceb35c298022d31da5b00b8840e611074475b41ceb9b7e9
CRC32 0A3AE46A
ssdeep 6:IQE7Em2VPVJSgBYlyGqMwIjAIMLyJQBABCXh5XMWJk/71NLyJQBAK:It2hrY8fjI8IMee2cXhX28e2K
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 3bd14a3555ad5eb5_installer.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo\installer.ini
Size 114.0B
Processes 1440 (RapidCRCUnicodePortable_0.3.27_English.paf.exe)
Type ASCII text
MD5 c38219a858e5d1b25a10431020019273
SHA1 f7233c56de4ef311bca8d2fd9047b5f077d07124
SHA256 3bd14a3555ad5eb5e77e04acb9075188478ce803901dcd1ca9b940a3fb1a2cb1
CRC32 BB3E25CE
ssdeep 3:PBv1X99BkxsOLHaAQXsS9Z/5sv3EHaAA:5tXX/OL6XnPsvU69
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 732c7fc99e92d6fa_custom.nsh
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo\Launcher\Custom.nsh
Size 554.0B
Processes 1440 (RapidCRCUnicodePortable_0.3.27_English.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 d1dd3e5ec0736f7d9c7d94193b3578de
SHA1 9ae20ce793257150d2b752b9efba480189a90d3d
SHA256 732c7fc99e92d6fa3ad1486ff40824debd0d4396b592032abb1919d920822088
CRC32 231EBABF
ssdeep 12:b3SaPEv6qoV1d2U+ZUe2jUZos692T89LEm6lcJCpzYllcJCLf1X:+aPECTRr+Zr2jUZos5qEmecvcE
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 53bb519e32931649_w7tbp.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nso3.tmp\w7tbp.dll
Size 2.5KB
Processes 1440 (RapidCRCUnicodePortable_0.3.27_English.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 9a3031cc4cef0dba236a28eecdf0afb5
SHA1 708a76aa56f77f1b0ebc62b023163c2e0426f3ac
SHA256 53bb519e3293164947ac7cbd7e612f637d77a7b863e3534ba1a7e39b350d3c00
CRC32 FF2B5710
ssdeep 24:etGS4R/39doyOzHaikQ7I9lYFxu3GUY1Bk5L2:64RVdojLJGWnWMi5L2
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
Name f342a7d21cc0a220_rapidcrc.exe
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\RapidCRC\RapidCRC.exe
Size 790.0KB
Processes 1440 (RapidCRCUnicodePortable_0.3.27_English.paf.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 fca0a6cc0c50972223f389c2fea13676
SHA1 6ff9dc2c1e84b3467c45abca5dd57b0d300cded3
SHA256 f342a7d21cc0a2201b5692902d8f0304d2fba4100dbabb3d2959131d1434b719
CRC32 2B02941D
ssdeep 12288:G3Pu113BkXVii+rLVyt/BnnpmMv+Jj0hd9Kkb3Xf4RVlavGBe:cPEzkIi+fVs/Bnnvb
Yara
  • IsPE32 -
  • IsWindowsGUI -
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01070_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01272_Neolite_v2_0_ - [Neolite v2.0]
  • PEiD_01400_Obsidium_v1_0_0_61_ - [Obsidium v1.0.0.61]
  • PEiD_01628_PEQuake_V0_06____forgat_ - [PEQuake V0.06 -> forgat]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • anti_dbg - Checks if being debugged
  • keylogger - Run a keylogger
  • win_mutex - Create or check mutex
  • win_registry - Affect system registries
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • VC8_Microsoft_Corporation -
  • Microsoft_Visual_Cpp_8 -
  • CRC32c_poly_Constant - Look for CRC32c (Castagnoli) [poly]
  • CRC32_poly_Constant - Look for CRC32 [poly]
  • CRC32_table - Look for CRC32 table
  • MD5_Constants - Look for MD5 constants
  • RIPEMD160_Constants - Look for RIPEMD-160 constants
  • SHA1_Constants - Look for SHA1 constants
  • SHA512_Constants - Look for SHA384/SHA512 constants
  • maldoc_function_prolog_signature -
  • maldoc_structured_exception_handling -
  • maldoc_suspicious_strings -
  • maldoc_getEIP_method_1 -
  • Str_Win32_Wininet_Library - Match Windows Inet API library declaration
Name 9abc52858ae4ddda_donation_button.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Other\Help\images\donation_button.png
Size 1.7KB
Processes 1440 (RapidCRCUnicodePortable_0.3.27_English.paf.exe)
Type PNG image data, 110 x 23, 8-bit/color RGBA, non-interlaced
MD5 bab4268c0bc3b3051ff38b21dbe35a44
SHA1 ea7adbbd731bb1747afc9da72340a0444b29abbe
SHA256 9abc52858ae4ddda224ee9d229cb38d252ae9ba46633da4ac14fada25dd489c6
CRC32 F486C53D
ssdeep 24:aoPfexW3T0UjeA2fijjxMhDnUcO7QLgYNw69rFbyQCwbozK8yxkxuE3u5F3pKXTP:aw3T0GeA2yMhocrVN5uXwNF0FGpU
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 6a1039b4cbfa217e_appicon_16.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo\appicon_16.png
Size 1.7KB
Processes 1440 (RapidCRCUnicodePortable_0.3.27_English.paf.exe)
Type PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
MD5 551fb474577e4ae15faca82c009ae138
SHA1 8e9705265ab57bc580b9336ae6960f54e429fe6f
SHA256 6a1039b4cbfa217e0442dab3bd59885c1240b5f336c64d3271246a880f9a86a8
CRC32 E797B430
ssdeep 48:JwqQNn2xnlPMGGJ3njpg8vHCciE/1+AhIPARmIO8aN5:nY2hlEGkjpg8vHCDENTnO9
Yara
  • contentis_base64 - This rule finds for base64 strings
  • Big_Numbers1 - Looks for big numbers 32:sized
Name 0d9a006e72244e3a_rcrcshex.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\RapidCRC\rcrcshex.dll
Size 464.5KB
Processes 1440 (RapidCRCUnicodePortable_0.3.27_English.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 04219d94b262dc8f53c7f059919f33c3
SHA1 41a21c450975c18c0c0bc296aa9bd6b017613f3e
SHA256 0d9a006e72244e3a70993cee8c0d2a9f616113611621c495654ec2a70329fa20
CRC32 A73CCE96
ssdeep 12288:5+GYu2tC/mMv+Jj0hd9Kkb3Xf4RVlavGB:Nt
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01070_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01272_Neolite_v2_0_ - [Neolite v2.0]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_02161_Stranik_1_3_Modula_C_Pascal_ - [Stranik 1.3 Modula/C/Pascal]
  • PEiD_02191_tElock_0_99___1_0_private____tE__ - [tElock 0.99 - 1.0 private -> tE!]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • anti_dbg - Checks if being debugged
  • screenshot - Take screenshot
  • win_registry - Affect system registries
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Visual_Cpp_2005_DLL_Microsoft -
  • Visual_Cpp_2003_DLL_Microsoft -
  • maldoc_function_prolog_signature -
  • maldoc_structured_exception_handling -
  • maldoc_suspicious_strings -
Name 3959381aab454359_help_background_header.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Other\Help\images\help_background_header.png
Size 269.0B
Processes 1440 (RapidCRCUnicodePortable_0.3.27_English.paf.exe)
Type PNG image data, 10 x 42, 8-bit/color RGB, non-interlaced
MD5 a1eaee3ccb8169b680415d713720a2fa
SHA1 8cf2eff4faa05a34bfb0b641b8765773c7ac2ed6
SHA256 3959381aab4543593fa69fa7980946dbf0b0bab25924c8b38f6e88f7f69b9c19
CRC32 D14F00B1
ssdeep 6:6v/lhPTnDspO68hvS6IBe0ZZUngZlq+2dp:6v/7Uk68FS6c3UngZlq+2z
Yara
  • contentis_base64 - This rule finds for base64 strings
Name b06b53681ea0ba09_favicon.ico
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Other\Help\images\favicon.ico
Size 1.1KB
Processes 1440 (RapidCRCUnicodePortable_0.3.27_English.paf.exe)
Type MS Windows icon resource - 1 icon
MD5 049a352aabb8ced245ceecb94c0a0b2d
SHA1 775b5b199e8312e18f0655daa7b25844fd768602
SHA256 b06b53681ea0ba09ddaa8f8066c990cf5a7c01e65a1910e687a993ac375d1781
CRC32 CE59ADD9
ssdeep 12:GxtRygJlM7LVtY7YMCQrCE+4hoJbmLbJk:ARvl0VaoQr8ntGJk
Yara None matched
Name 48cb9e08589fa8c1_modern-header.bmp
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nso3.tmp\modern-header.bmp
Size 100.2KB
Processes 1440 (RapidCRCUnicodePortable_0.3.27_English.paf.exe)
Type PC bitmap, Windows 3.x format, 300 x 114 x 24
MD5 9c418dbe055994aea0f328f34eb8f947
SHA1 32f95655c445eb6b9720e2f0e51c2aef1f1eebb8
SHA256 48cb9e08589fa8c1ab718a2686d342eb4c0e1bda895c8b5952f0c50c4b87e87f
CRC32 AF388022
ssdeep 192:MPMXI75kff9H0gKjw8oqxjrFk/nCeajOIRJBbYJzuXDT:8MYFkfpnqJKqv
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 9b5cd67685397aa9_readme.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\readme.txt
Size 182.0B
Processes 1440 (RapidCRCUnicodePortable_0.3.27_English.paf.exe)
Type ASCII text
MD5 194d2c44058761b9b0e5b6add7eee271
SHA1 b08d45917e2f9a0a1db15094d0bdade408198b30
SHA256 9b5cd67685397aa998d9f1cc483444588725d99f789a224c5d40311fd812b8c4
CRC32 2622745F
ssdeep 3:SMbKyPXtH+XR5WOpH/VVJYMQr6eGRMeMQxF+YEJRi6Xt2vGARFKGRjZUvxW9OSbe:DdH+XR5WKoPbzQDuJRPt6zKGRjUQwumJ
Yara None matched
Name 16dd88c8c4487b04_readme.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\Other\Source\Readme.txt
Size 2.2KB
Processes 1440 (RapidCRCUnicodePortable_0.3.27_English.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 43909ad9285f9a61b5826fbce305b1e5
SHA1 d7b0d784780c36840a64e4e868c8208c175b7bcb
SHA256 16dd88c8c4487b04de30a656eb466edc119136b73bf4a24b72534a3c68d9c8b6
CRC32 55D01CBA
ssdeep 48:poqWahdxHxG2NlNKxgM2T98Ai72bpbGTY/ZzywG2lMI:m3ah3x5TkxgMO98A51GTYZzywG4MI
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 7948078452daa4e0_rapidcrcunicodeportable.exe
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\RapidCRCUnicodePortable.exe
Size 174.9KB
Processes 1440 (RapidCRCUnicodePortable_0.3.27_English.paf.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 2c8ad55842f16f96e0c054cb108be1f9
SHA1 5b16c184a408ce88425bb0dacc0debc482623339
SHA256 7948078452daa4e0ca3a0ceef87b33da27fe305b2c7bde4b2bf6c0c8221450f5
CRC32 55D62262
ssdeep 3072:8weqOYEUXPnLywHUw0G+TTE1kU2Tf7bIaN2IABVyOPBHi+0C:9EUXDLOJTw32TT7UDVPGC
Yara
  • IsPE32 -
  • IsWindowsGUI -
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasDigitalSignature - DigitalSignature Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Nullsoft_PiMP_Stub_SFX -
  • CRC32_poly_Constant - Look for CRC32 [poly]
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -
Name 89cc4809a5e72e04_rapidcrcunicodeportable.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RapidCRCUnicodePortable\App\AppInfo\Launcher\RapidCRCUnicodePortable.ini
Size 192.0B
Processes 1440 (RapidCRCUnicodePortable_0.3.27_English.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 d15e2eb826f3b3402d13369f2c903326
SHA1 bcc486271f2b0d40c4fb911875528edaf6fb1021
SHA256 89cc4809a5e72e049b599f59401c66608c01f164bda1136131b4dac333d466a8
CRC32 29B3E0F4
ssdeep 3:MotXKCXEoGEEX365mKHKUEoGEEcRa8AmeE1QXMquYxfDwLczoacIzX5ov3Mx5vHL:MgZXtJ51HptDRaDmJn5czrcICg5v6xgn
Yara
  • contentis_base64 - This rule finds for base64 strings
Sorry! No dropped buffers.
Task ID 610
Mongo ID 5c360c4811d3080d16cdbbb2
Cuckoo release 2.0-dev