File RegshotPortable_1.9.0.paf.exe

Size 552.7KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 0c05cb7bfa2a9572b8d9bf3f52233315
SHA1 0afedfad85070975a40484d03d1197edbee747ee
SHA256 1c209b731ecb4c76bdac01ec789c8c8fce59bb7aa145c4791c8d4a4932bfdf74
SHA512 0094ef34fc68b959481c8b0b6d05e00a53959824c1c7cafa11e64861fdec07609042fad73f1fc5baa0c777bd048ec8154a94a22b29394df1a338d6d4a6ba87b1
CRC32 7351772D
ssdeep 12288:LEPr5nOE4wrXv2qNQ9vI5NCjtQAdL26hLr9KgCszAliz3/4reeGG:Li9Dz0I5NCjCAx26hLr0gCgAl83/4rvn
Yara
  • IsPE32 -
  • IsWindowsGUI -
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasDigitalSignature - DigitalSignature Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00055_Alias_PIX_Vivid_IMG_Graphics_format_ - [Alias PIX/Vivid IMG Graphics format]
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • escalate_priv - Escalate privileges
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule looks for base64 strings
  • Nullsoft_PiMP_Stub_SFX -
  • CRC32_poly_Constant - Look for CRC32 [poly]
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -

Score

This file shows numerous signs of malicious behavior.

The score of this file is 2.0 out of 10.

Please note: The scoring system is currently still in development and should be considered an alpha feature.

Information on Execution

Category FILE
Started Jan. 9, 2019, 10:06 a.m.
Completed Jan. 9, 2019, 10:10 a.m.
Duration 253 seconds

Machine

Name winxpsp3pro32
Label winxpsp3pro32
Started On 2019-01-09 10:06:26
Shutdown On 2019-01-09 10:10:36

Analyzer Log

2019-01-09 03:11:53,000 [analyzer] DEBUG: Starting analyzer from: C:\bjkyyipne
2019-01-09 03:11:53,015 [analyzer] DEBUG: Pipe server name: \\.\PIPE\AcwhibmIFqAKbBDmIQN
2019-01-09 03:11:53,015 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\djtBbpuwmPSRAAmShbudBqQgAY
2019-01-09 03:11:53,015 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2019-01-09 03:11:53,015 [analyzer] INFO: Automatically selected analysis package "exe"
2019-01-09 03:11:54,625 [analyzer] DEBUG: Started auxiliary module Disguise
2019-01-09 03:11:54,780 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:11:54,780 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:11:54,842 [analyzer] DEBUG: Loaded monitor into process with pid 692
2019-01-09 03:11:54,842 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2019-01-09 03:11:54,842 [analyzer] DEBUG: Started auxiliary module Human
2019-01-09 03:11:54,842 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2019-01-09 03:11:54,842 [analyzer] DEBUG: Started auxiliary module Reboot
2019-01-09 03:11:55,155 [analyzer] DEBUG: Started auxiliary module RecentFiles
2019-01-09 03:11:55,155 [analyzer] DEBUG: Started auxiliary module Screenshots
2019-01-09 03:11:55,265 [lib.api.process] INFO: Successfully executed process from path u'C:\\DOCUME~1\\zamen\\LOCALS~1\\Temp\\RegshotPortable_1.9.0.paf.exe' with arguments '' and pid 196
2019-01-09 03:11:55,375 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:11:55,375 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:11:55,500 [analyzer] DEBUG: Loaded monitor into process with pid 196
2019-01-09 03:11:55,671 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsj2.tmp
2019-01-09 03:11:55,828 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp\LangDLL.dll
2019-01-09 03:11:55,983 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-09 03:11:55,983 [analyzer] DEBUG: Received request to inject pid=196, but we are already injected there.
2019-01-09 03:11:57,015 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp\System.dll
2019-01-09 03:11:57,125 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp\FindProcDLL.dll
2019-01-09 03:11:57,265 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp\ioSpecial.ini
2019-01-09 03:11:57,280 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp\modern-wizard.bmp
2019-01-09 03:11:57,312 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp\modern-header.bmp
2019-01-09 03:11:57,437 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp\InstallOptions.dll
2019-01-09 03:11:58,046 [modules.auxiliary.human] INFO: Found button "&Next >", clicking it
2019-01-09 03:12:00,155 [modules.auxiliary.human] INFO: Found button "&Install", clicking it
2019-01-09 03:12:01,187 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp\w7tbp.dll
2019-01-09 03:12:01,265 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\RegshotPortable.exe
2019-01-09 03:12:01,280 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\help.html
2019-01-09 03:12:01,296 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\ReadMe.txt
2019-01-09 03:12:01,312 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\AppInfo\appicon.ico
2019-01-09 03:12:01,328 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\AppInfo\appicon_128.png
2019-01-09 03:12:01,328 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\AppInfo\appicon_16.png
2019-01-09 03:12:01,342 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\AppInfo\appicon_32.png
2019-01-09 03:12:01,342 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\AppInfo\appinfo.ini
2019-01-09 03:12:01,358 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\AppInfo\Launcher\RegshotPortable.ini
2019-01-09 03:12:01,375 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\AppInfo\Launcher\splash.jpg
2019-01-09 03:12:01,390 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\DefaultData\settings\RegShotPortableSettings.ini
2019-01-09 03:12:01,405 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\DefaultData\settings\regshot.ini
2019-01-09 03:12:01,405 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\regshot\License.txt
2019-01-09 03:12:01,421 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\regshot\history.txt
2019-01-09 03:12:01,437 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\regshot\language.ini
2019-01-09 03:12:01,437 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\regshot\readme.txt
2019-01-09 03:12:01,467 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\regshot\regshot.exe
2019-01-09 03:12:01,483 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\regshot\regshot_x64.exe
2019-01-09 03:12:01,530 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Help\images\donation_button.png
2019-01-09 03:12:01,546 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Help\images\favicon.ico
2019-01-09 03:12:01,546 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Help\images\help_background_footer.png
2019-01-09 03:12:01,546 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Help\images\help_background_header.png
2019-01-09 03:12:01,562 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Help\images\help_logo_top.png
2019-01-09 03:12:01,578 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Source\License.txt
2019-01-09 03:12:01,578 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Source\PortableApps.comLauncherLANG_ENGLISH.nsh
2019-01-09 03:12:01,592 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Source\Readme.txt
2019-01-09 03:12:01,592 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Source\RegshotPortable.ini
2019-01-09 03:12:01,592 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Source\RegshotPortableU.nsi
2019-01-09 03:12:01,608 [analyzer] INFO: Added new file to list with pid 196 and path C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Source\x64.nsh
2019-01-09 03:12:02,280 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:12:04,342 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:12:06,405 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:12:08,467 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:12:10,530 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:12:12,592 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:12:14,655 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:12:16,717 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:12:18,780 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:12:20,842 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:12:22,905 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:12:24,967 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:12:27,030 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:12:29,092 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:12:31,155 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:12:33,217 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:12:35,280 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:12:37,342 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:12:39,405 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:12:41,467 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:12:43,530 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:12:45,592 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:12:47,655 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:12:49,717 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:12:51,780 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:12:53,842 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:12:55,905 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:12:57,967 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:13:00,030 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:13:02,092 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:13:04,155 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:13:06,217 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:13:08,280 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:13:10,342 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:13:12,405 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:13:14,467 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:13:16,530 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:13:18,592 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:13:20,655 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:13:22,717 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:13:24,780 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:13:26,842 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:13:28,905 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:13:30,967 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:13:33,030 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:13:35,092 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:13:37,155 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:13:39,217 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:13:41,280 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:13:43,342 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:13:45,405 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:13:47,467 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:13:49,530 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:13:51,608 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:13:53,671 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:13:55,733 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:13:57,796 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:13:59,858 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:14:01,921 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:14:04,015 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:14:06,078 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:14:08,155 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:14:10,233 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:14:12,296 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:14:14,358 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:14:16,421 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:14:18,483 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:14:20,546 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:14:22,608 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:14:24,671 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:14:26,733 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:14:28,796 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:14:30,858 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:14:32,921 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:14:34,983 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:14:37,062 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:14:39,125 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:14:41,203 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:14:43,265 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:14:45,328 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:14:47,390 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:14:49,453 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:14:51,515 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:14:53,578 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:14:55,640 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:14:57,703 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:14:59,765 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:15:01,828 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:15:03,890 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:15:05,953 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:15:08,046 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:15:10,108 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:15:12,171 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:15:14,233 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:15:16,296 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:15:18,358 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:15:20,421 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:15:22,500 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:15:24,562 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:15:26,625 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:15:28,687 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:15:30,750 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:15:32,812 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:15:34,875 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:15:36,937 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:15:39,000 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:15:41,062 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:15:43,125 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:15:45,187 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:15:47,250 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:15:49,328 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:15:51,390 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:15:53,453 [modules.auxiliary.human] INFO: Found button "&Run Regshot Portable", clicking it
2019-01-09 03:15:54,296 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2019-01-09 03:15:54,296 [analyzer] INFO: Terminating remaining processes before shutdown.
2019-01-09 03:15:54,296 [lib.api.process] INFO: Successfully terminated process with pid 196.
2019-01-09 03:15:54,500 [analyzer] WARNING: File at path "u'c:\\documents and settings\\zamen\\local settings\\temp\\nsj2.tmp'" does not exist, skip.
2019-01-09 03:15:54,655 [analyzer] INFO: Analysis completed.

Cuckoo Log

2019-01-09 10:06:26,515 [lib.cuckoo.core.scheduler] INFO: Task #614: acquired machine winxpsp3pro32 (label=winxpsp3pro32)
2019-01-09 10:06:26,620 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 2916 (interface=eth2, host=192.168.128.102, pcap=/opt/cuckoo/storage/analyses/614/dump.pcap)
2019-01-09 10:06:29,499 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=winxpsp3pro32, ip=192.168.128.102)
2019-01-09 10:10:35,665 [lib.cuckoo.core.guest] INFO: winxpsp3pro32: analysis completed successfully
2019-01-09 10:12:38,797 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2019-01-09 10:12:47,291 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f9b528cc590>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-09 10:12:47,292 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f9b528ccd10>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-09 10:12:47,293 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f9b528cc4d0>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-09 10:12:47,293 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f9b528cce50>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-09 10:12:47,294 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f9b528cce50>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f9b528cce50>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

This executable is signed
The executable has PE anomalies (could be a false positive) (1 event)
section .ndata
Allocates read-write-execute memory (usually to unpack itself) (2 events)
Time & API | Arguments | Status | Return | Repeated
Jan. 9, 2019, 12:11 a.m.  NtProtectVirtualMemory
    base_address: 0x10004000
    length: 4096
    protection: 64 (PAGE_EXECUTE_READWRITE)
    process_identifier: 196
    process_handle: 0xffffffff
    status: success, return: 0, repeated: 0
Jan. 9, 2019, 12:11 a.m.  NtProtectVirtualMemory
    base_address: 0x10004000
    length: 4096
    protection: 64 (PAGE_EXECUTE_READWRITE)
    process_identifier: 196
    process_handle: 0xffffffff
    status: success, return: 0, repeated: 0
Queries the disk size, which could be used to detect a virtual machine with a small fixed-size or dynamically allocated disk (4 events)
Time & API | Arguments | Status | Return | Repeated
Jan. 9, 2019, 12:11 a.m.  GetDiskFreeSpaceExW
    total_number_of_free_bytes: 5333524798242820
    free_bytes_available: 213920999529775104
    root_path: C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable
    total_number_of_bytes: 216172800966947938
    status: failed, return: 0, repeated: 0
Jan. 9, 2019, 12:11 a.m.  GetDiskFreeSpaceExW
    total_number_of_free_bytes: 24104820736
    free_bytes_available: 24104820736
    root_path: C:\Documents and Settings\zamen\Local Settings\Temp\
    total_number_of_bytes: 31453437952
    status: success, return: 1, repeated: 0
Jan. 9, 2019, 12:11 a.m.  GetDiskFreeSpaceExW
    total_number_of_free_bytes: 0
    free_bytes_available: 26761941418218
    root_path: C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable
    total_number_of_bytes: 4296210764
    status: failed, return: 0, repeated: 0
Jan. 9, 2019, 12:11 a.m.  GetDiskFreeSpaceExW
    total_number_of_free_bytes: 24104820736
    free_bytes_available: 24104820736
    root_path: C:\Documents and Settings\zamen\Local Settings\Temp\
    total_number_of_bytes: 31453437952
    status: success, return: 1, repeated: 0
Creates executable files on the filesystem (8 events)
file C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\RegshotPortable.exe
file C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp\System.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\regshot\regshot_x64.exe
file C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp\w7tbp.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp\LangDLL.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp\FindProcDLL.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp\InstallOptions.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\regshot\regshot.exe
The binary likely contains encrypted or compressed data. (3 events)
section .rsrc (virtual_address 0x00130000, virtual_size 0x0001b608, size_of_data 0x0001b800) entropy 7.28787232694 description A section with a high entropy has been found
section .reloc (virtual_address 0x0014c000, virtual_size 0x00000f8a, size_of_data 0x00001000) entropy 7.8664751443 description A section with a high entropy has been found
entropy 0.742671009772 description Overall entropy of this PE file is high

Network

DNS

No domains contacted.

Hosts

No hosts contacted.

Summary

Process RegshotPortable_1.9.0.paf.exe (196)

  • Opened files

    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Help\images
    • C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp\modern-wizard.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Source
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\AppInfo
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Help
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\regshot
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable_1.9.0.paf.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\AppInfo\Launcher
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\DefaultData
    • C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp\modern-header.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp\ioSpecial.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\DefaultData\settings
  • Written files

    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\AppInfo\appicon_32.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\regshot\language.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\help.html
    • C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp\w7tbp.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Help\images\help_background_footer.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp\ioSpecial.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsj2.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp\modern-wizard.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\AppInfo\appicon.ico
    • C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp\LangDLL.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\AppInfo\Launcher\RegshotPortable.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Source\License.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Help\images\favicon.ico
    • C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp\InstallOptions.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Source\PortableApps.comLauncherLANG_ENGLISH.nsh
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\DefaultData\settings\regshot.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Source\RegshotPortableU.nsi
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Help\images\help_background_header.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\AppInfo\Launcher\splash.jpg
    • C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp\System.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Help\images\help_logo_top.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Source\RegshotPortable.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Source\x64.nsh
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\regshot\regshot.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp\modern-header.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\AppInfo\appinfo.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\AppInfo\appicon_16.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\RegshotPortable.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\AppInfo\appicon_128.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\ReadMe.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Help\images\donation_button.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\regshot\License.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp\FindProcDLL.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Source\Readme.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\regshot\regshot_x64.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\regshot\history.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\regshot\readme.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\DefaultData\settings\RegShotPortableSettings.ini
  • Files Read

    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable_1.9.0.paf.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp\ioSpecial.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsj2.tmp

Process RegshotPortable_1.9.0.paf.exe (196)

  • Registry keys opened

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\AppLogLevels
    • HKEY_CLASSES_ROOT\Directory
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530e-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\IconHandler
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNT
    • HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\LangBarAddIn\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\Explorer\AutoComplete
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HKEY_CLASSES_ROOT\Folder
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530a-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CLASSES_ROOT\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32
    • HKEY_LOCAL_MACHINE\System\Setup
    • HKEY_LOCAL_MACHINE\System\WPA\PnP
    • HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530d-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Explorer\AutoComplete
    • HKEY_CLASSES_ROOT\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Clsid
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF\LangBarAddIn\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\CurVer
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530b-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\(Default)
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
  • Registry keys written

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530e-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530d-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530a-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530b-636a-11e6-ba0d-806d6172696f}\BaseClass
  • Registry keys read

    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewScrollOver
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DevicePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\DriverCachePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\OsLoaderPath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewWatermark
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemPartition
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogPath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ServicePackSourcePath
    • HKEY_LOCAL_MACHINE\SYSTEM\WPA\PnP\seed
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ServicePackCachePath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogLevel
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Hostname
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Domain
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewScrollOver
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling

Process RegshotPortable_1.9.0.paf.exe (196)

  • Mutexes accessed

    • MSCTF.Shared.MUTEX.EFG

Process RegshotPortable_1.9.0.paf.exe (196)

  • Directories created

    • C:\Documents and Settings
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\regshot
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Source
    • C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\AppInfo
    • C:\Documents and Settings\zamen\Local Settings\Temp\
    • C:\Documents and Settings\zamen\Local Settings\Temp
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\DefaultData
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Help
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Help\images
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\AppInfo\Launcher
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Data
    • C:\Documents and Settings\zamen\Local Settings
    • C:\Documents and Settings\zamen
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\DefaultData\settings
  • Directories enumerated

    • C:\Documents and Settings
    • C:\Documents and Settings\zamen\PortableApps\*.*
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\7zTemp\7z.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\*.*
    • C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App
    • C:\Documents and Settings\zamen\Local Settings\Temp
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\*.*
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\7zTemp
    • C:\Documents and Settings\zamen\Local Settings\Temp\PortableApps.com\PortableAppsPlatform.exe
    • C:\PortableApps
    • E:\PortableApps
    • C:\Documents and Settings\zamen\Local Settings
    • C:\Documents and Settings\zamen
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\*.*
    • C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\7zTemp\7z.exe

Process RegshotPortable_1.9.0.paf.exe (196)

  • DLLs Loaded

    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nse3.tmp\w7tbp.dll
    • C:\WINDOWS\system32\SHELL32.dll
    • SHFOLDER
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nse3.tmp\System.dll
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nse3.tmp\LangDLL.dll
    • C:\WINDOWS\system32\browseui.dll
    • RichEd20
    • browseui.dll
    • shell32.dll
    • UxTheme.dll
    • PSAPI.DLL
    • SHELL32.dll
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nse3.tmp\InstallOptions.dll
    • ole32.dll
    • SETUPAPI.dll
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nse3.tmp\FindProcDLL.dll

PE Compile Time

2012-02-24 14:19:59

Signing Certificate

MD5 b00ca38f2601ac9a96aff38e64bc1cb7
SHA1 1a0a4873e1d74a9560fcb917e60536843b7cc2cb
Serial Number 932fc9af0efa79d8a3f771681fe20334
Common Name Rare Ideas, LLC
Country US
Locality New York

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x00006f10 0x00007000 6.49788465186
.rdata 0x00008000 0x00002a92 0x00002c00 4.39389365097
.data 0x0000b000 0x00067ebc 0x00000200 1.472782261
.ndata 0x00073000 0x000bd000 0x00000000 0.0
.rsrc 0x00130000 0x0001b608 0x0001b800 7.28787232694
.reloc 0x0014c000 0x00000f8a 0x00001000 7.8664751443

Imports

Library KERNEL32.dll:
0x408060 SetFileTime
0x408064 CompareFileTime
0x408068 SearchPathW
0x40806c GetShortPathNameW
0x408070 GetFullPathNameW
0x408074 MoveFileW
0x40807c GetFileAttributesW
0x408080 GetLastError
0x408084 CreateDirectoryW
0x408088 SetFileAttributesW
0x40808c Sleep
0x408090 GetTickCount
0x408094 CreateFileW
0x408098 GetFileSize
0x40809c GetModuleFileNameW
0x4080a0 GetCurrentProcess
0x4080a4 CopyFileW
0x4080a8 ExitProcess
0x4080b0 GetTempPathW
0x4080b4 GetCommandLineW
0x4080b8 SetErrorMode
0x4080bc CloseHandle
0x4080c0 lstrlenW
0x4080c4 lstrcpynW
0x4080c8 GetDiskFreeSpaceW
0x4080cc GlobalUnlock
0x4080d0 GlobalLock
0x4080d4 CreateThread
0x4080d8 LoadLibraryW
0x4080dc CreateProcessW
0x4080e0 lstrcmpiA
0x4080e4 GetTempFileNameW
0x4080e8 lstrcatW
0x4080ec GetProcAddress
0x4080f0 LoadLibraryA
0x4080f4 GetModuleHandleA
0x4080f8 OpenProcess
0x4080fc lstrcpyW
0x408100 GetVersionExW
0x408104 GetSystemDirectoryW
0x408108 GetVersion
0x40810c lstrcpyA
0x408110 RemoveDirectoryW
0x408114 lstrcmpA
0x408118 lstrcmpiW
0x40811c lstrcmpW
0x408124 GlobalAlloc
0x408128 WaitForSingleObject
0x40812c GetExitCodeProcess
0x408130 GlobalFree
0x408134 GetModuleHandleW
0x408138 LoadLibraryExW
0x40813c FreeLibrary
0x408148 WideCharToMultiByte
0x40814c lstrlenA
0x408150 MulDiv
0x408154 WriteFile
0x408158 ReadFile
0x40815c MultiByteToWideChar
0x408160 SetFilePointer
0x408164 FindClose
0x408168 FindNextFileW
0x40816c FindFirstFileW
0x408170 DeleteFileW
0x408174 lstrcpynA
Library USER32.dll:
0x408198 GetAsyncKeyState
0x40819c IsDlgButtonChecked
0x4081a0 ScreenToClient
0x4081a4 GetMessagePos
0x4081a8 CallWindowProcW
0x4081ac IsWindowVisible
0x4081b0 LoadBitmapW
0x4081b4 CloseClipboard
0x4081b8 SetClipboardData
0x4081bc EmptyClipboard
0x4081c0 OpenClipboard
0x4081c4 TrackPopupMenu
0x4081c8 GetWindowRect
0x4081cc AppendMenuW
0x4081d0 CreatePopupMenu
0x4081d4 GetSystemMetrics
0x4081d8 EndDialog
0x4081dc EnableMenuItem
0x4081e0 GetSystemMenu
0x4081e4 SetClassLongW
0x4081e8 IsWindowEnabled
0x4081ec SetWindowPos
0x4081f0 DialogBoxParamW
0x4081f4 CheckDlgButton
0x4081f8 CreateWindowExW
0x408200 RegisterClassW
0x408204 SetDlgItemTextW
0x408208 GetDlgItemTextW
0x40820c MessageBoxIndirectW
0x408210 CharNextA
0x408214 CharUpperW
0x408218 CharPrevW
0x40821c wvsprintfW
0x408220 DispatchMessageW
0x408224 PeekMessageW
0x408228 wsprintfA
0x40822c DestroyWindow
0x408230 CreateDialogParamW
0x408234 SetTimer
0x408238 SetWindowTextW
0x40823c PostQuitMessage
0x408240 SetForegroundWindow
0x408244 ShowWindow
0x408248 wsprintfW
0x40824c SendMessageTimeoutW
0x408250 LoadCursorW
0x408254 SetCursor
0x408258 GetWindowLongW
0x40825c GetSysColor
0x408260 CharNextW
0x408264 GetClassInfoW
0x408268 ExitWindowsEx
0x40826c IsWindow
0x408270 GetDlgItem
0x408274 SetWindowLongW
0x408278 LoadImageW
0x40827c GetDC
0x408280 EnableWindow
0x408284 InvalidateRect
0x408288 SendMessageW
0x40828c DefWindowProcW
0x408290 BeginPaint
0x408294 GetClientRect
0x408298 FillRect
0x40829c DrawTextW
0x4082a0 EndPaint
0x4082a4 FindWindowExW
Library GDI32.dll:
0x40803c SetBkColor
0x408040 GetDeviceCaps
0x408044 DeleteObject
0x408048 CreateBrushIndirect
0x40804c CreateFontIndirectW
0x408050 SetBkMode
0x408054 SetTextColor
0x408058 SelectObject
Library SHELL32.dll:
0x40817c SHBrowseForFolderW
0x408184 SHGetFileInfoW
0x408188 ShellExecuteW
0x40818c SHFileOperationW
Library ADVAPI32.dll:
0x408000 RegEnumKeyW
0x408004 RegOpenKeyExW
0x408008 RegCloseKey
0x40800c RegDeleteKeyW
0x408010 RegDeleteValueW
0x408014 RegCreateKeyExW
0x408018 RegSetValueExW
0x40801c RegQueryValueExW
0x408020 RegEnumValueW
Library COMCTL32.dll:
0x408028 ImageList_AddMasked
0x40802c ImageList_Destroy
0x408030 (unnamed import, resolved by ordinal)
0x408034 ImageList_Create
Library ole32.dll:
0x4082bc CoTaskMemFree
0x4082c0 OleInitialize
0x4082c4 OleUninitialize
0x4082c8 CoCreateInstance
Library VERSION.dll:
0x4082b0 GetFileVersionInfoW
0x4082b4 VerQueryValueW

Strings

!This program cannot be run in DOS mode.
`.rdata
@.data
.ndata
@.reloc
SHGetFolderPathW
SHFOLDER
SHAutoComplete
SHLWAPI
GetUserDefaultUILanguage
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
RegDeleteKeyExW
ADVAPI32
MoveFileExW
GetDiskFreeSpaceExW
KERNEL32
[Rename]
Module32NextW
Module32FirstW
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
Kernel32.DLL
GetModuleBaseNameW
EnumProcessModules
EnumProcesses
PSAPI.DLL
MulDiv
DeleteFileW
FindFirstFileW
FindNextFileW
FindClose
SetFilePointer
MultiByteToWideChar
ReadFile
WriteFile
lstrlenA
WideCharToMultiByte
GetPrivateProfileStringW
WritePrivateProfileStringW
FreeLibrary
LoadLibraryExW
GetModuleHandleW
GlobalFree
GetExitCodeProcess
WaitForSingleObject
GlobalAlloc
ExpandEnvironmentStringsW
lstrcmpW
lstrcmpiW
CloseHandle
SetFileTime
CompareFileTime
SearchPathW
GetShortPathNameW
GetFullPathNameW
MoveFileW
SetCurrentDirectoryW
GetFileAttributesW
GetLastError
CreateDirectoryW
SetFileAttributesW
GetTickCount
CreateFileW
GetFileSize
GetModuleFileNameW
GetCurrentProcess
CopyFileW
ExitProcess
GetWindowsDirectoryW
GetTempPathW
GetCommandLineW
SetErrorMode
lstrcpynA
lstrlenW
lstrcpynW
GetDiskFreeSpaceW
GlobalUnlock
GlobalLock
CreateThread
LoadLibraryW
CreateProcessW
lstrcmpiA
GetTempFileNameW
lstrcatW
GetProcAddress
LoadLibraryA
GetModuleHandleA
OpenProcess
lstrcpyW
GetVersionExW
GetSystemDirectoryW
GetVersion
lstrcpyA
RemoveDirectoryW
lstrcmpA
KERNEL32.dll
EndPaint
DrawTextW
FillRect
GetClientRect
BeginPaint
DefWindowProcW
SendMessageW
InvalidateRect
EnableWindow
LoadImageW
SetWindowLongW
GetDlgItem
IsWindow
FindWindowExW
SendMessageTimeoutW
wsprintfW
ShowWindow
SetForegroundWindow
PostQuitMessage
SetWindowTextW
SetTimer
CreateDialogParamW
DestroyWindow
ExitWindowsEx
CharNextW
GetSysColor
GetWindowLongW
SetCursor
LoadCursorW
CheckDlgButton
GetAsyncKeyState
IsDlgButtonChecked
ScreenToClient
GetMessagePos
CallWindowProcW
IsWindowVisible
LoadBitmapW
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
TrackPopupMenu
GetWindowRect
AppendMenuW
CreatePopupMenu
GetSystemMetrics
EndDialog
EnableMenuItem
GetSystemMenu
SetClassLongW
IsWindowEnabled
SetWindowPos
DialogBoxParamW
GetClassInfoW
CreateWindowExW
SystemParametersInfoW
RegisterClassW
SetDlgItemTextW
GetDlgItemTextW
MessageBoxIndirectW
CharNextA
CharUpperW
CharPrevW
wvsprintfW
DispatchMessageW
PeekMessageW
wsprintfA
USER32.dll
SelectObject
SetTextColor
SetBkMode
CreateFontIndirectW
CreateBrushIndirect
DeleteObject
GetDeviceCaps
SetBkColor
GDI32.dll
SHFileOperationW
ShellExecuteW
SHGetFileInfoW
SHGetPathFromIDListW
SHBrowseForFolderW
SHGetSpecialFolderLocation
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegEnumValueW
RegQueryValueExW
RegSetValueExW
RegCreateKeyExW
RegDeleteValueW
ADVAPI32.dll
ImageList_Destroy
ImageList_AddMasked
ImageList_Create
COMCTL32.dll
CoCreateInstance
OleUninitialize
OleInitialize
CoTaskMemFree
ole32.dll
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
VERSION.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46.5-Unicode</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
NullsoftInst
Western Cape1
Durbanville1
Thawte1
Thawte Certification10
Thawte Timestamping CA0
121221000000Z
201230235959Z0^1
Symantec Corporation100.
'Symantec Time Stamping Services CA - G20
http://ocsp.thawte.com0
.http://crl.thawte.com/ThawteTimestampingCA.crl0
TimeStamp-2048-10
AddTrust AB1&0$
AddTrust External TTP Network1"0
AddTrust External CA Root0
050607080910Z
200530104838Z0
Salt Lake City1
The USERTRUST Network1!0
http://www.usertrust.com1
UTN-USERFirst-Object0
3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
http://ocsp.usertrust.com0
Symantec Corporation100.
'Symantec Time Stamping Services CA - G20
121018000000Z
201229235959Z0b1
Symantec Corporation1402
+Symantec Time Stamping Services Signer - G40
http://ts-ocsp.ws.symantec.com07
+http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
+http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
TimeStamp-2048-20
Salt Lake City1
The USERTRUST Network1!0
http://www.usertrust.com1
UTN-USERFirst-Object0
110824000000Z
200530104838Z0{1
Greater Manchester1
Salford1
COMODO CA Limited1!0
COMODO Code Signing CA 20
1http://crl.usertrust.com/UTN-USERFirst-Object.crl0t
1http://crt.usertrust.com/UTNAddTrustObject_CA.crt0%
http://ocsp.usertrust.com0
Greater Manchester1
Salford1
COMODO CA Limited1!0
COMODO Code Signing CA 20
120216000000Z
130215235959Z0
100091
New York1
PO Box 2271
Rare Ideas, LLC1
Rare Ideas, LLC0
https://secure.comodo.net/CPS0A
0http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
0http://crt.comodoca.com/COMODOCodeSigningCA2.crt0$
http://ocsp.comodoca.com0
Greater Manchester1
Salford1
COMODO CA Limited1!0
COMODO Code Signing CA 2
Symantec Corporation100.
'Symantec Time Stamping Services CA - G2
130207010402Z0#
logging set to %d
settings logging to %d
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0x%08x"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not initialize OLE
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
GetTTFFontName(%s) returned %s
GetTTFVersionString(%s) returned %s
Exec: failed createprocess ("%s")
Exec: success ("%s")
Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
HideWindow
Pop: stack empty
Exch: stack < %d elements
RMDir: "%s"
MessageBox: %d,"%s"
Delete: "%s"
File: wrote %d to "%s"
File: error, user cancel
File: skipped: "%s" (overwriteflag=%d)
File: error, user abort
File: error, user retry
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename on reboot: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
SetFileAttributes failed.
SetFileAttributes: "%s":%08X
BringToFront
Sleep(%d)
detailprint: %s
Call: %d
Aborting: "%s"
Jump: %d
verifying installer: %d%%
unpacking data: %d%%
... %d%%
Installer integrity check has failed. Common causes include
incomplete download and damaged media. Contact the
installer's author to obtain a new copy.
More information at:
http://nsis.sf.net/NSIS_Error
Error writing temporary file. Make sure your temp folder is valid.
Error launching installer
SeShutdownPrivilege
~nsu.tmp
NSIS Error
install.log
%u.%u%s%s
Skipping section: "%s"
Section: "%s"
New install of "%s" to "%s"
RichEdit
RichEdit20A
RichEd32
RichEd20
.DEFAULT\Control Panel\International
Control Panel\Desktop\ResourceLocale
Software\Microsoft\Windows\CurrentVersion
\Microsoft\Internet Explorer\Quick Launch
*?|<>/":
invalid registry key
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
%02x%c
Unknown
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory invalid input("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile("%s")
%s: failed opening file "%s"
GetTTFNameString
Version
MS Shell Dlg
msctls_progress32
SysListView32
Please wait while Setup is loading...
VS_VERSION_INFO
StringFileInfo
000004b0
Comments
For additional details, visit PortableApps.com
CompanyName
PortableApps.com
FileDescription
Regshot Portable
FileVersion
1.9.0.0
InternalName
Regshot Portable
LegalCopyright
PortableApps.com Installer Copyright 2007-2012 PortableApps.com.
LegalTrademarks
PortableApps.com is a registered trademark of Rare Ideas, LLC.
OriginalFilename
RegshotPortable_1.9.0.paf.exe
PortableApps.comAppID
RegshotPortable
PortableApps.comFormatVersion
PortableApps.comInstallerVersion
3.0.5.0
ProductName
Regshot Portable
ProductVersion
1.9.0.0
VarFileInfo
Translation
<<<Obsolete>>
Antivirus Signature
Bkav Clean
MicroWorld-eScan Clean
CMC Clean
CAT-QuickHeal Clean
McAfee Clean
Cylance Clean
VIPRE Clean
AegisLab Clean
TheHacker Clean
Alibaba Clean
K7GW Clean
K7AntiVirus Clean
Invincea Clean
Baidu Clean
NANO-Antivirus Clean
F-Prot Clean
Symantec Clean
ESET-NOD32 Clean
TrendMicro-HouseCall Clean
Paloalto Clean
ClamAV Clean
Kaspersky Clean
BitDefender Clean
Babable Clean
SUPERAntiSpyware Clean
Tencent Clean
Ad-Aware Clean
Trustlook Clean
Sophos Clean
Comodo Clean
F-Secure Clean
DrWeb Clean
Zillya Clean
TrendMicro Clean
McAfee-GW-Edition Clean
Trapmine Clean
Emsisoft Clean
Ikarus Clean
Cyren Clean
Jiangmin Clean
Webroot Clean
Avira Clean
MAX Clean
Antiy-AVL Clean
Kingsoft Clean
Microsoft Clean
Endgame Clean
Arcabit Clean
ViRobot Clean
ZoneAlarm Clean
Avast-Mobile Clean
GData Clean
AhnLab-V3 Clean
Acronis Clean
VBA32 Clean
ALYac Clean
TACHYON Clean
Malwarebytes Clean
Panda Clean
Zoner Clean
Rising Clean
Yandex Clean
SentinelOne Clean
eGambit Clean
Fortinet Clean
AVG Clean
Cybereason Clean
Avast Clean
CrowdStrike Clean
Qihoo-360 Clean

Process Tree


RegshotPortable_1.9.0.paf.exe, PID: 196, Parent PID: 152


Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (i.e., pip install httpreplay) will allow Cuckoo to do more proper PCAP analysis including but not limited to showing full HTTP and HTTPS (!) requests and responses. It is recommended that you install this library and possibly reprocess any interesting analysis tasks.

Hosts

No hosts contacted.

DNS

No domains contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.128.102 137 192.168.128.255 137
192.168.128.102 138 192.168.128.255 138

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name b7e2c0fdcc0b9e4f_regshotportable.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\AppInfo\Launcher\RegshotPortable.ini
Size 691.0B
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 3b6a958daccfc0212af6bd07b44396fc
SHA1 dfd55daf570af8c5c020fc90b6b34b47349d9594
SHA256 b7e2c0fdcc0b9e4fda2ae7bc8b1baeb679ece2fc87239e90595e8b98c6ea2ca1
CRC32 EBBFFB93
ssdeep 12:M8tG9+tNodfghyYt12t8v+bevk2t8v+Bbm/bmm2t8v++2:JC+cKz1g8vXvkg8vsbybZg8vO
Yara
  • contentis_base64 - This rule finds for base64 strings
Name eae2b033f0b08229_license.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Source\License.txt
Size 17.9KB
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type Pascal source, ASCII text, with CRLF line terminators
MD5 dfb340fbcd40576fcc15069591f30a92
SHA1 358f72786c97f5a0c5b1e591230c592c55b4ca13
SHA256 eae2b033f0b0822913c076f36d498e51450c712b3229c1c83c7d12198fa097ee
CRC32 FA343E8A
ssdeep 384:lq2PmwERb6k/iAVX/dUY2ZpEGMOZ77o6LDMj:lzun1iYWrTXo6LDMj
Yara
  • contentis_base64 - This rule finds for base64 strings
  • embedded_pe - Contains an embedded PE32 file
Name 8247f57eb6c30b59_modern-header.bmp
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp\modern-header.bmp
Size 25.2KB
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type PC bitmap, Windows 3.x format, 150 x 57 x 24
MD5 b617a4b2c35c2a1f89a30a10bb02df6f
SHA1 f45ef6fefdaffde81d99806e71a624b4d46fab8e
SHA256 8247f57eb6c30b59f803a3a3a461d68bb870504f1b90d871f1ab81d948b8edc5
CRC32 9D26A10C
ssdeep 96:1++k59H0U84SfupRR27l5mxF9uYVTN7ms:SER4SCQl5mxFT1H
Yara None matched
Name d4cba517118ff995_regshot.exe
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\regshot\regshot.exe
Size 120.0KB
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 b663e3ff65fff422545278a1dd17ebc5
SHA1 add2ee66037798f5f1ac03b1831f8f65064f3f4e
SHA256 d4cba517118ff995bcafa3538fbdaee99212fe1fbc2147c0c6dc440e991b6ec9
CRC32 DBF65425
ssdeep 3072:9fqJFPiHqQwkdyrY80cLBoEuMbtJhQV1ovFATUx:hqJFqqrkdS0cLqEiSvFA
Yara
  • IsPE32 -
  • IsWindowsGUI -
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01070_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01086_Microsoft_Visual_C___8_0__MFC__ - [Microsoft Visual C++ 8.0 (MFC)]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01272_Neolite_v2_0_ - [Neolite v2.0]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_02161_Stranik_1_3_Modula_C_Pascal_ - [Stranik 1.3 Modula/C/Pascal]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • anti_dbg - Checks if being debugged
  • win_registry - Affect system registries
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • VC8_Microsoft_Corporation -
  • Microsoft_Visual_Cpp_8 -
  • maldoc_function_prolog_signature -
  • maldoc_structured_exception_handling -
  • maldoc_suspicious_strings -
Name e3a881502590bb5a_appinfo.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\AppInfo\appinfo.ini
Size 489.0B
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 2cf2470ff8cf6522a55cd0fda9226ae3
SHA1 61aca5ca832cc9276f7c8dddac8909d36d96745b
SHA256 e3a881502590bb5a89f438c489238c6f0b210a814a6ddd0594d62f49bd38b7a9
CRC32 AB78E22F
ssdeep 12:kihD2ZUCfmulKK0yhKkVO+y42WcAUvMrHQ3DyVzB:kIMeulzv9py4k0rw3w
Yara
  • contentis_base64 - This rule finds for base64 strings
Name ba5eebcb5a599fa6_readme.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\regshot\readme.txt
Size 6.2KB
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type ISO-8859 text, with CRLF line terminators
MD5 b0e9a8f2d415d73ce0551cb2f7d1052d
SHA1 4a33f69fd78b1c24a88bfcacb645aabb6aa2f7cb
SHA256 ba5eebcb5a599fa68b001f0bfa03440c1ae353d55c7b1b2e6aecde96f71d8a25
CRC32 A6E7F058
ssdeep 96:YMBUWp/RCZZ380DLAZp7hFhbNPf1eyIpmOprWm:j5NR0ZsH7hFhbNYyI4urWm
Yara
  • contentis_base64 - This rule finds for base64 strings
Name e1a2e73a72152b19_appicon_16.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\AppInfo\appicon_16.png
Size 832.0B
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
MD5 d3e3cba856ae3b9b619969e146e86a9b
SHA1 5c461512409d7a202f3b6df3d9ee5b85e91743d1
SHA256 e1a2e73a72152b1958d465ead6903539ff06eae4f86d45c4c71a2a218d39ee46
CRC32 5D57D55C
ssdeep 24:GV9bu8oDOU02WEIcPVJnZ4r3m/34yZJhTbNI20qN:MKCU02nV8WthHNI2x
Yara None matched
Name 299702f56210ab18_regshot_x64.exe
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\regshot\regshot_x64.exe
Size 133.5KB
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 c48a906a47d7e66366435b6d9d3d0be1
SHA1 a9ead0de5d5648695932f2f415b82076d16189b7
SHA256 299702f56210ab1860ad4b6ad7611e22abcb048114a52f15a04c896bd33cd2d9
CRC32 8F2BF538
ssdeep 3072:ao9jbiWCo52DOI3Jnr0Nd07GbYmdCsXmfwNTfuocbtmm2S5TovFAX:NMYdkstmkTdm2vFA
Yara
  • IsPE64 -
  • IsWindowsGUI -
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01086_Microsoft_Visual_C___8_0__MFC__ - [Microsoft Visual C++ 8.0 (MFC)]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_02161_Stranik_1_3_Modula_C_Pascal_ - [Stranik 1.3 Modula/C/Pascal]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • anti_dbg - Checks if being debugged
  • win_registry - Affect system registries
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Microsoft_Visual_Cpp_80_DLL -
  • maldoc_suspicious_strings -
Name 141ffbd6943d5002_regshot.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\DefaultData\settings\regshot.ini
Size 146.0B
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 817c7ae330bf2d8b033d7e522271f414
SHA1 7a264fdfcb0748c673b02705f33d1cb382fa5bb0
SHA256 141ffbd6943d50023eb5c45c3b4ea676afbca8a321d3f4982d5443acfb2a3bf4
CRC32 E5D4494D
ssdeep 3:TFYvIWkrRpRfB/WpWNKRCGc2oJALpY5l8VwBa1y1Vv:xsGR3pIW8CGc2oJALS5aV30Vv
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 0a9a711b205dc87b_modern-wizard.bmp
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp\modern-wizard.bmp
Size 150.9KB
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type PC bitmap, Windows 3.x format, 164 x 314 x 24
MD5 55204d08cff24975e88885403f13fd59
SHA1 1aad4f3ceb1c8bdd348385228ea3043f1f0b2427
SHA256 0a9a711b205dc87b6b0fe491253bc1ddb4a46a02f26ab622c209b1311125dd20
CRC32 95D95148
ssdeep 1536:BUPy+RPMI0gVQC6AKEbOOukOtYzpz400XveEDSrP1:2Py+RPMcQCDKzuJ
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 47b9e251c9c90f43_langdll.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp\LangDLL.dll
Size 5.0KB
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 a1cd3f159ef78d9ace162f067b544fd9
SHA1 72671fdf4bfeeb99b392685bf01081b4a0b3ae66
SHA256 47b9e251c9c90f43e3524965aecc07bd53c8e09c5b9f9862b44c306667e2b0b6
CRC32 A7504246
ssdeep 48:apTVWFeApYx2lxaKe3yfeEIWCGWNpBWLGGrx3pMt4z8mtJ7HofYZVSLa:RFG0xaKkyfjIWTW7BYrhSbmtJ7/V
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_03512_Xtreme_Protector_v1_05_ - [Xtreme-Protector v1.05]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • screenshot - Take screenshot
  • contentis_base64 - This rule finds for base64 strings
Name a32778185b14ab29_language.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\regshot\language.ini
Size 27.1KB
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type Non-ISO extended-ASCII text, with CRLF, NEL line terminators
MD5 2d65330dcc9b0924139bc5ffd7793abc
SHA1 12ed209af10d60ac10971f2620968dbcb2923c37
SHA256 a32778185b14ab299fe0fb946327fb2a7b35a5012290cd7396d0b72af809b580
CRC32 8753D7F6
ssdeep 384:WzDHZy4SjitTn8sR7DoHfuef8JUeRlOy8jstSFDLslGybzVsu+oDF7RA3fyjlflf:cj8k7DleUJdlQ6SxwB+QdA3fwca
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 1e7e6bae5a5bde32_license.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\regshot\License.txt
Size 26.4KB
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type Pascal source, ASCII text, with CRLF line terminators
MD5 b0d181292c99cf9bb2ae9166dd3a0239
SHA1 972ec154b19bb6fb9298453a7b7b57472ad8ceae
SHA256 1e7e6bae5a5bde32f1ae5a7c37a082d1ab03cf89354f7f936ac40be9e39a6531
CRC32 61855588
ssdeep 384:4jJBIk+x/vIqk018X6sT6AATeINgKP+nHQ41fgcmmItyOQeM9YfWEJZBfuoQ:41BJs/8OTeDnLqFXTflJZBfuoQ
Yara
  • contentis_base64 - This rule finds for base64 strings
Name bb307c2b64da02e7_regshotportable.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Source\RegshotPortable.ini
Size 329.0B
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 c37e6ababfd9c66d4f0cb687ee2d578d
SHA1 8677196c1e70b57426af09bdcddb145624be9f73
SHA256 bb307c2b64da02e784c119e041651662a7d871bc19ed81aa8f5fd355aa80209d
CRC32 A6FEFAD6
ssdeep 6:ACGun3AdLh6ywK+KV78yE7Em2VPVJSy+OUJJQ/qJevknqMwIjAIMLyJQBAf:AU3eL0s+JL2hfrv/qJujI8IMee2f
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 46a1d50a869dc7e2_help_logo_top.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Help\images\help_logo_top.png
Size 2.5KB
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type PNG image data, 229 x 47, 8-bit/color RGBA, non-interlaced
MD5 0f024e316973b9d87f3f4c3a1f33c448
SHA1 8ccaf998d7b14731829c0d1104d6fa7a1adc7247
SHA256 46a1d50a869dc7e2c0511cfbc77a15f0092ad9fba0b068736f1e512683a47ee4
CRC32 8F37D7F3
ssdeep 48:NaRbpMYHmHcRu3nh77X9/aoy/b1MUOgmLFu2J:YRbqHSI7TZ/RgSuI
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 88c0749cc9ca14cc_help_background_footer.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Help\images\help_background_footer.png
Size 168.0B
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type PNG image data, 10 x 16, 8-bit/color RGB, non-interlaced
MD5 6af4a82693a403b0d0afde16972466f5
SHA1 1ab8a3d0cf22cde23173b6b41521377c0fdbeea8
SHA256 88c0749cc9ca14ccea1af39dffaccf7b7c35e5b5603b1e451fe7fce508252480
CRC32 8468EBFD
ssdeep 3:yionv//thPlHvtntCZRthwkBDsTBZtv9L//gbxCRQe1e//VHgNqUMwF/2g1p:6v/lhPo/nDspvmb8RQe1IgN1MwFdp
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 7ae1dc86354e00a0_appicon_32.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\AppInfo\appicon_32.png
Size 2.3KB
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
MD5 849042d12bef7c7a1d3dcb209563358f
SHA1 378e5ee6ba9872366f6687f87ff827a5c82874b0
SHA256 7ae1dc86354e00a0db099aaadf44001456f01b133aa16cc85e8a388df2a348a6
CRC32 9FE20F69
ssdeep 48:Nse8sJrP8lczM2MEM3x594NtJPHC/07GQLzswH5NisawSxC/bSiK1dsjzGKxd5IN:7V9IwMB3mHfCcBLIwHX0wQC/A12zBdyN
Yara None matched
Name f530069ef87a1c16_installoptions.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp\InstallOptions.dll
Size 15.0KB
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 89351a0a6a89519c86c5531e20dab9ea
SHA1 9e801aaaae9e70d8f7fc52f6f12cedc55e4c8a00
SHA256 f530069ef87a1c163c4fd63a3d5b053420ce3d7a98739c70211b4a99f90d6277
CRC32 7FB8A1B8
ssdeep 384:/MnT0MKT/Xwr2izZQ86mpAT8F9lN8Ov0J:EQMKzwTFnVX8i0
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -
Name af40c95ddcee74f6_regshotportableu.nsi
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Source\RegshotPortableU.nsi
Size 7.4KB
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type UTF-8 Unicode (with BOM) text, with CRLF line terminators
MD5 b3be84c85501b05a43c4f1ec3c04e7f6
SHA1 67aa8d217981c0fe8d81d2797f5156c1f9e6e854
SHA256 af40c95ddcee74f6579884f0f7b6f5db3396bf779a6b6ef57c2eb9509af3db80
CRC32 92578053
ssdeep 192:ekgEj0Bn/GRpUnqnBw7EnbnlKKtXfWn/npndnOBaK:bg//GRpukE+zlLtXQPpV07
Yara
  • win_mutex - Create or check mutex
  • contentis_base64 - This rule finds for base64 strings
  • embedded_pe - Contains an embedded PE32 file
Name da5edfaceb62f3ff_x64.nsh
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Source\x64.nsh
Size 1.3KB
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type UTF-8 Unicode (with BOM) text, with CRLF line terminators
MD5 4cc224ea0f3d5d26c888548abf56febe
SHA1 c520efd2779a0f563beb7cf8116111ee11c82e6a
SHA256 da5edfaceb62f3ff4b8c82f9533a8a331ab927ec63854b3e6896741922c72bbb
CRC32 4A140F3A
ssdeep 24:uD3OXc0Els3bQPCykRMV/qwuxdwr/iv2Zr2tZosro/XCO20Zl+MVZlLQO9:urOBEurQ8RMViLxdE/ivir2flro/ColR
Yara
  • IsSuspicious - Might be PE Virus
  • contentis_base64 - This rule finds for base64 strings
Name e25a4a2cf1ad1af9_portableapps.comlauncherlang_english.nsh
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Source\PortableApps.comLauncherLANG_ENGLISH.nsh
Size 1.2KB
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type ASCII text, with very long lines, with CRLF line terminators
MD5 95d32ff1f72a2b9401151b233ef23d63
SHA1 2472117817c40489ee3b6d4a2bcceadb00b7fc3d
SHA256 e25a4a2cf1ad1af9ebfca693ec05f12551793279dba80de999c106863dfd1305
CRC32 4FC3B7D4
ssdeep 24:95TSL8pioLIGP9xGaFzPSxmuKfikMYjZBQm/mLZezbRSNRhTwXIYtE:DTSLjokGPGaRSsMYvhVSdwXI0E
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 9037342330c2754a_regshotportablesettings.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\DefaultData\settings\RegShotPortableSettings.ini
Size 86.0B
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 e4471786e6eefe7148a7ac3a51a44336
SHA1 fa6325b6d5e47be6820619b020ee10c5a8d47d95
SHA256 9037342330c2754acc798a5bba0a2b9ae9ee2120c5558e8b23eaeb0997dfb471
CRC32 3B682B0D
ssdeep 3:hKABGToMLV4yt309XWsXA/IAB/WpWNKRCGNv:hKABGEMxb309wpIW8CG9
Yara
  • contentis_base64 - This rule finds for base64 strings
Name eebb107124f6e96a_help.html
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\help.html
Size 4.6KB
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type HTML document, ASCII text, with CRLF, LF line terminators
MD5 0f439a3c402132c0a1d46b3b8864193b
SHA1 eb0269b0628cf19286002c59ddb5290453565786
SHA256 eebb107124f6e96a0058f05acfe221b4f43a8ab358a3cb2ec87d2e6c8966385f
CRC32 6DC4F26A
ssdeep 96:igpvcz2xym30bysMywr6T7XF+XyE7lBo/4nPR+I:iykC3Y+XP
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 161df7935496f020_splash.jpg
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\AppInfo\Launcher\splash.jpg
Size 35.6KB
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type JPEG image data, JFIF standard 1.02
MD5 a355c12b1d14b4a25292f0eefbd6c24a
SHA1 48e6707d67650f9bbc45f981f26e0e775e8b408e
SHA256 161df7935496f0204d7ae60c4becbd00b4c8d643836eb1d1f3dc15ad9e1d579d
CRC32 4D2E63A7
ssdeep 768:CUoUoUcj5B6uqIlHXMdlEDE400rAM3aeYRLlMyx//UngF+LDFd5THC:CDD3Vc1IlHcdlif8M33Yzl+n5C
Yara None matched
Name 53bb519e32931649_w7tbp.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp\w7tbp.dll
Size 2.5KB
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 9a3031cc4cef0dba236a28eecdf0afb5
SHA1 708a76aa56f77f1b0ebc62b023163c2e0426f3ac
SHA256 53bb519e3293164947ac7cbd7e612f637d77a7b863e3534ba1a7e39b350d3c00
CRC32 FF2B5710
ssdeep 24:etGS4R/39doyOzHaikQ7I9lYFxu3GUY1Bk5L2:64RVdojLJGWnWMi5L2
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
Name 9abc52858ae4ddda_donation_button.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Help\images\donation_button.png
Size 1.7KB
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type PNG image data, 110 x 23, 8-bit/color RGBA, non-interlaced
MD5 bab4268c0bc3b3051ff38b21dbe35a44
SHA1 ea7adbbd731bb1747afc9da72340a0444b29abbe
SHA256 9abc52858ae4ddda224ee9d229cb38d252ae9ba46633da4ac14fada25dd489c6
CRC32 F486C53D
ssdeep 24:aoPfexW3T0UjeA2fijjxMhDnUcO7QLgYNw69rFbyQCwbozK8yxkxuE3u5F3pKXTP:aw3T0GeA2yMhocrVN5uXwNF0FGpU
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 7851cb12fa4131f1_system.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp\System.dll
Size 11.0KB
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 bf712f32249029466fa86756f5546950
SHA1 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
SHA256 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
CRC32 81CA71BF
ssdeep 192:0N2gQuUwXzioj4KALV2upWzVd7q1QDXEbBZ8KxHdGzyS/Kx:rJoiO8V2upW7vQjS/
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01070_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -
Name 3959381aab454359_help_background_header.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Help\images\help_background_header.png
Size 269.0B
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type PNG image data, 10 x 42, 8-bit/color RGB, non-interlaced
MD5 a1eaee3ccb8169b680415d713720a2fa
SHA1 8cf2eff4faa05a34bfb0b641b8765773c7ac2ed6
SHA256 3959381aab4543593fa69fa7980946dbf0b0bab25924c8b38f6e88f7f69b9c19
CRC32 D14F00B1
ssdeep 6:6v/lhPTnDspO68hvS6IBe0ZZUngZlq+2dp:6v/7Uk68FS6c3UngZlq+2z
Yara
  • contentis_base64 - This rule finds for base64 strings
Name b06b53681ea0ba09_favicon.ico
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Help\images\favicon.ico
Size 1.1KB
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type MS Windows icon resource - 1 icon
MD5 049a352aabb8ced245ceecb94c0a0b2d
SHA1 775b5b199e8312e18f0655daa7b25844fd768602
SHA256 b06b53681ea0ba09ddaa8f8066c990cf5a7c01e65a1910e687a993ac375d1781
CRC32 CE59ADD9
ssdeep 12:GxtRygJlM7LVtY7YMCQrCE+4hoJbmLbJk:ARvl0VaoQr8ntGJk
Yara None matched
Name 4ac2560bbda8ec83_history.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\regshot\history.txt
Size 7.3KB
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type ISO-8859 text, with CRLF line terminators
MD5 e53f54cdce34a25fefa7ad62389443d3
SHA1 415cd0766c2373eb71c919244e288b24592f4d79
SHA256 4ac2560bbda8ec833060d7a7c9eb81316f88083d25b9b43c4bd4eee83acb4999
CRC32 57E04654
ssdeep 192:bLNYTUQsnpONdEDMY3NE+Oj40WN/eIatDPy2550JDKwqPwvyD:RyuvNJc8eIaZKs501OD
Yara
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_suspicious_strings -
Name 57c2506cee54acf8_appicon_128.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\AppInfo\appicon_128.png
Size 21.2KB
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
MD5 bb711a91b83f70dc2f17733e112b9d88
SHA1 fc2fd1ef8e221c564a27008ad27ec2de83042808
SHA256 57c2506cee54acf88d20f821d305de63fa5aefeaa92e362c9e71b5f532e7d9b7
CRC32 7A255100
ssdeep 384:uZ1gNrK5beHSocEy6s7EXAKRm3EAvshnlgwrtgphBUla+6veidEJL+DIv/V8+UAq:uZmNm5Cyo66s7cAKY3EAve+wJgQ6veid
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 3cd16a06ee3202ba_readme.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\Other\Source\Readme.txt
Size 3.3KB
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type ASCII text, with very long lines, with CRLF line terminators
MD5 e66685421e41496d43097eec9e34cd14
SHA1 3995f693ce714a8b0f4842289eac2b53e9666db0
SHA256 3cd16a06ee3202badc3005d65c1bd4a19a166432cb89d3eaf4d31665fcf772a5
CRC32 088F9206
ssdeep 48:9rdPDoXNygHWTbr/4hSD/tN6pLVtkL65wCkC+u5GpsEbGTPfTj:jroXTWvr/4xLuNu5GOwGTPfP
Yara
  • contentis_base64 - This rule finds for base64 strings
  • embedded_pe - Contains an embedded PE32 file
Name e151b6757cbe46e0_readme.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\ReadMe.txt
Size 107.0B
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type ASCII text, with no line terminators
MD5 7f9699fa052c6fca5fbf1f49e282590c
SHA1 a066cb2dcf074da2f7f131592c116b3d3f5d0e77
SHA256 e151b6757cbe46e0fcef916750cf8947909e9b2472a6f47514dbe7109db8aa47
CRC32 A2167A05
ssdeep 3:hBWtHdTiFD8DXNQRH/VVL5DKQ+nWYApZR4n:hBmHt08DdsdH+nETR4
Yara None matched
Name 9d9dd44c508af2fe_regshotportable.exe
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\RegshotPortable.exe
Size 152.6KB
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 ddc559ab995e489f7ad9c37d3203f0cf
SHA1 9d32f3248bef553b666e6b3c7e382ab151a16837
SHA256 9d9dd44c508af2fe864a8264ba5833d7c47fd21fe1b4c72ff6e05f7da94c288f
CRC32 60AC5BCF
ssdeep 3072:HfweqOYEUXPn4tvFGRfIyZR2di/YB+KYzK3pCW6WG:oEUXWvF2fJZR6K+16K3e
Yara
  • IsPE32 -
  • IsWindowsGUI -
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasDigitalSignature - DigitalSignature Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Nullsoft_PiMP_Stub_SFX -
  • CRC32_poly_Constant - Look for CRC32 [poly]
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -
Name 78485e4529135643_appicon.ico
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\RegshotPortable\App\AppInfo\appicon.ico
Size 22.0KB
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type MS Windows icon resource - 6 icons, 48x48, 256-colors
MD5 45d07bf99367887bcc9a65bcaea00a2b
SHA1 b232175ce06b3fbc994d1d30543b7c8ae93a8190
SHA256 78485e452913564380d4a62ce71f83ea187f24d936ac64ab3ec529ebdefdf2a8
CRC32 07B5DA29
ssdeep 384:4K9OBg/UPWuv2MHV8LmcVNdWBLCtuJIHocX2:4gOBDV2qV8Sc7daLYIc2
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 6eb09ce25c7fc62e_findprocdll.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp\FindProcDLL.dll
Size 27.5KB
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 6f73b00aef6c49eac62128ef3eca677e
SHA1 1b6aff67d570e5ee61af2376247590eb49b728a1
SHA256 6eb09ce25c7fc62e44dc2f71761c6d60dd4b2d0c7d15e9651980525103aac0a9
CRC32 F238428A
ssdeep 384:DZoRF0XXUuJReQg0Tw67ADWBTgmldIogUD3GLgFmyaX/fVYcWJQCDmrinogRdBl:DZaF0HtTwuz9yu3KgwRX1nWJ1q+noI
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00138_Armadillo_v1_71_ - [Armadillo v1.71]
  • PEiD_00153_Armadillo_v1_xx___v2_xx_ - [Armadillo v1.xx - v2.xx]
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01071_Microsoft_Visual_C___6_0_DLL__Debug__ - [Microsoft Visual C++ 6.0 DLL (Debug)]
  • PEiD_01101_Microsoft_Visual_C___v5_0_v6_0__MFC__ - [Microsoft Visual C++ v5.0/v6.0 (MFC)]
  • PEiD_01103_Microsoft_Visual_C___v6_0_DLL_ - [Microsoft Visual C++ v6.0 DLL]
  • PEiD_01108_Microsoft_Visual_C___v6_0_ - [Microsoft Visual C++ v6.0]
  • PEiD_01125_Microsoft_Visual_C___ - [Microsoft Visual C++]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Armadillo_v1xx_v2xx_additional -
  • Microsoft_Visual_Cpp_v70_DLL -
  • Microsoft_Visual_Cpp_v50v60_MFC -
  • Microsoft_Visual_Cpp_60_DLL_Debug -
  • Armadillo_v1xx_v2xx -
  • Microsoft_Visual_Cpp_v60_DLL -
  • Microsoft_Visual_Cpp_60 -
  • Armadillov1xxv2xx -
  • maldoc_function_prolog_signature -
  • maldoc_structured_exception_handling -
  • maldoc_suspicious_strings -
Name e3b0c44298fc1c14_nse1.tmp
Size 0.0B
Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
ssdeep 3::
Yara None matched
Name 05934f54764a3482_iospecial.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nse3.tmp\ioSpecial.ini
Size 1.3KB
Processes 196 (RegshotPortable_1.9.0.paf.exe)
Type Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
MD5 60587c7936f0d65909c497e5d7d73780
SHA1 527f59b27aeabedc4e4eed82e2376e9ce941b44c
SHA256 05934f54764a34826fbdcbe19b3c1e180fe79acc4fc9ac425dd19d38218a9359
CRC32 BBE0E657
ssdeep 24:Q+sxvtSSAD5ylSXgqWCs7y6GuY9ni/6k8lROn7CsGNC54u6iOnx3HTCaH65OoOne:rsx9AQSwqQkulN8lenS/xeaNLe
Yara None matched
Sorry! No dropped buffers.
Task ID 614
Mongo ID 5c360f7311d3080d16cdbe33
Cuckoo release 2.0-dev