File VMMapPortable_3.25_English_online.paf.exe

Size 928.7KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 fff50e3dd909ac8864d4508ee05293ce
SHA1 1bb6996c67fcf6f52347a327170e556b134a856b
SHA256 b110175f31297ce5845811c5c89efb326206b64e4094e874c0807ea32d17fb4f
SHA512
1bd2e627c7c367b97996a2a09de1de308fb42d5121ce97e9b5648f4bfa5aeea25b8ac482e7489bfc61d6a9b68914c3b7379c6f50b5ee0530c4f026e29bd9b837
CRC32 FEC95C06
ssdeep 24576:HS9DyXW4i14gvUyM/8zELK0T6P8oFZZq73k4:y98W4iWgUyM/8zGo/Z2F
Yara
  • IsPE32 -
  • IsWindowsGUI -
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasDigitalSignature - DigitalSignature Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • escalate_priv - Escalate privileges
  • screenshot - Take screenshot
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds base64 strings
  • Big_Numbers1 - Looks for big numbers 32:sized
  • CRC32_poly_Constant - Look for CRC32 [poly]
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -

Note on these matches: the PEiD-derived rules (dUP v2.x patcher, Petite v2.2, StarForce V3.X) are short byte-pattern signatures that fire spuriously on unrelated code, and nothing in the execution trace below shows packer or copy-protection behaviour. The HasOverlay hit, the .ndata section flagged under Signatures and the plugins dropped into nsm3.tmp (System.dll, nsDialogs.dll, INetC.dll, FindProcDLL.dll, w7tbp.dll) identify the file as an NSIS installer, which is the format PortableApps.com uses for its .paf.exe packages.

Score

This file shows numerous signs of malicious behavior.

The score of this file is 3.0 out of 10.

Please note: the scoring system is still in development and should be considered an alpha feature.

Information on Execution

Category: FILE
Started: Jan. 9, 2019, 11:16 a.m.
Completed: Jan. 9, 2019, 11:20 a.m.
Duration: 252 seconds

Machine

Name: winxpsp3pro32
Label: winxpsp3pro32
Started On: 2019-01-09 11:16:37
Shutdown On: 2019-01-09 11:20:49

Analyzer Log

2019-01-09 03:11:58,015 [analyzer] DEBUG: Starting analyzer from: C:\vgzrgmygnr
2019-01-09 03:11:58,030 [analyzer] DEBUG: Pipe server name: \\.\PIPE\jpUPPmBXhMVrmvKtgzZRbvo
2019-01-09 03:11:58,030 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\QvzaAmitUfGVLQuM
2019-01-09 03:11:58,030 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2019-01-09 03:11:58,030 [analyzer] INFO: Automatically selected analysis package "exe"
2019-01-09 03:11:59,467 [analyzer] DEBUG: Started auxiliary module Disguise
2019-01-09 03:11:59,640 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:11:59,640 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:11:59,703 [analyzer] DEBUG: Loaded monitor into process with pid 692
2019-01-09 03:11:59,703 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2019-01-09 03:11:59,703 [analyzer] DEBUG: Started auxiliary module Human
2019-01-09 03:11:59,703 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2019-01-09 03:11:59,703 [analyzer] DEBUG: Started auxiliary module Reboot
2019-01-09 03:12:00,000 [analyzer] DEBUG: Started auxiliary module RecentFiles
2019-01-09 03:12:00,000 [analyzer] DEBUG: Started auxiliary module Screenshots
2019-01-09 03:12:00,125 [lib.api.process] INFO: Successfully executed process from path u'C:\\DOCUME~1\\zamen\\LOCALS~1\\Temp\\VMMapPortable_3.25_English_online.paf.exe' with arguments '' and pid 400
2019-01-09 03:12:00,217 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:12:00,217 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:12:00,342 [analyzer] DEBUG: Loaded monitor into process with pid 400
2019-01-09 03:12:00,375 [analyzer] DEBUG: Received request to inject pid=400, but we are already injected there.
2019-01-09 03:12:00,500 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsh2.tmp
2019-01-09 03:12:00,592 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\System.dll
2019-01-09 03:12:00,750 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\FindProcDLL.dll
2019-01-09 03:12:00,890 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\modern-header.bmp
2019-01-09 03:12:00,921 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\modern-wizard.bmp
2019-01-09 03:12:01,171 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\nsDialogs.dll
2019-01-09 03:12:01,937 [modules.auxiliary.human] INFO: Found button "&Next >", clicking it
2019-01-09 03:12:04,046 [modules.auxiliary.human] INFO: Found button "I &Agree", clicking it
2019-01-09 03:12:06,155 [modules.auxiliary.human] INFO: Found button "&Install", clicking it
2019-01-09 03:12:07,203 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\w7tbp.dll
2019-01-09 03:12:07,265 [analyzer] INFO: Added new file to list with pid 400 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\INetC.dll
2019-01-09 03:12:08,280 [modules.auxiliary.human] INFO: Found button "&Next >", clicking it
[... 14 further "&Next >" clicks by modules.auxiliary.human at 2.06 s intervals, 03:12:10,342 through 03:12:37,155, omitted here ...]
2019-01-09 03:12:39,217 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-09 03:12:40,217 [modules.auxiliary.human] INFO: Found button "&Next >", clicking it
[... 96 further "&Next >" clicks by modules.auxiliary.human at 2.06 s intervals, 03:12:42,280 through 03:15:58,250, omitted here; the module kept finding the same button until the analysis timeout below ...]
2019-01-09 03:15:59,250 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2019-01-09 03:15:59,250 [analyzer] INFO: Terminating remaining processes before shutdown.
2019-01-09 03:15:59,250 [lib.api.process] INFO: Successfully terminated process with pid 400.
2019-01-09 03:15:59,296 [analyzer] WARNING: File at path "u'c:\\documents and settings\\zamen\\local settings\\temp\\nsh2.tmp'" does not exist, skip.
2019-01-09 03:15:59,328 [analyzer] INFO: Analysis completed.

Cuckoo Log

2019-01-09 11:16:37,395 [lib.cuckoo.core.scheduler] INFO: Task #634: acquired machine winxpsp3pro32 (label=winxpsp3pro32)
2019-01-09 11:16:37,545 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 9018 (interface=eth2, host=192.168.128.102, pcap=/opt/cuckoo/storage/analyses/634/dump.pcap)
2019-01-09 11:16:40,607 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=winxpsp3pro32, ip=192.168.128.102)
2019-01-09 11:20:48,161 [lib.cuckoo.core.guest] INFO: winxpsp3pro32: analysis completed successfully
2019-01-09 11:21:16,252 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2019-01-09 11:21:23,157 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f9b52f5df50>: Failed to establish a new connection: [Errno 111] Connection refused
[The same "HEAD http://127.0.0.1:9200/_template/cuckoo_template" warning and NewConnectionError traceback is logged three more times at 11:21:23,158-159 (connection objects 0x7f9b52f5d050, 0x7f9b52f5da10 and 0x7f9b52f5d610), one per retried connection. Together with the missing Suricata binary above, these are host-side reporting failures of this sandbox instance (nothing was listening on 127.0.0.1:9200); they say nothing about the sample, but they do mean no IDS alerts were produced for it.]
2019-01-09 11:21:23,160 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f9b52f5d610>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f9b52f5d610>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

This executable is signed
The executable has PE anomalies (could be a false positive) (1 event)
section .ndata (the NSIS installer's uninitialized-data section, which has a large virtual size and no raw data; a well-known false positive of this check rather than evidence of tampering)
Allocates read-write-execute memory (usually to unpack itself) (2 events)
Both events set the same single page (0x10004000, 4096 bytes) to PAGE_EXECUTE_READWRITE in the installer's own process (process_handle 0xffffffff is the current-process pseudo-handle). The address lies in the 0x10000000 range where DLLs built with the default image base load, not in the installer's own image, so this is consistent with one of the dropped plugin DLLs changing the protection of a page of itself rather than with the main executable unpacking.
Time & API Arguments Status Return Repeated
Jan. 9, 2019, 12:12 a.m.
NtProtectVirtualMemory
base_address: 0x10004000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 400
process_handle: 0xffffffff
success 0 0
Jan. 9, 2019, 12:12 a.m.
NtProtectVirtualMemory
base_address: 0x10004000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 400
process_handle: 0xffffffff
success 0 0
Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (7 events)
This signature fires on any GetDiskFreeSpaceExW call. The two calls marked "failed" target the install directory (...\Temp\VMMapPortable), a path the installer had not yet created; a failed call leaves its output buffers unwritten, so the huge byte counts logged for them are stack garbage, not disk sizes. The successful calls all report one 31453437952-byte (about 29 GiB) volume and are made against the Temp directory (the NSIS directory page's "space available" figure) and the Temporary Internet Files, Cookies and History folders, which is WinINet's cache manager checking space when the INetC download plugin initialises (the index.dat opens under Summary corroborate this). This is ordinary installer activity rather than a VM check.
Time & API Arguments Status Return Repeated
Jan. 9, 2019, 12:12 a.m.
GetDiskFreeSpaceExW
total_number_of_free_bytes: 18093906991513604
free_bytes_available: 203787883138515721
root_path: C:\Documents and Settings\zamen\Local Settings\Temp\VMMapPortable
total_number_of_bytes: 563877666357248
failed 0 0
Jan. 9, 2019, 12:12 a.m.
GetDiskFreeSpaceExW
total_number_of_free_bytes: 24103485440
free_bytes_available: 24103485440
root_path: C:\Documents and Settings\zamen\Local Settings\Temp\
total_number_of_bytes: 31453437952
success 1 0
Jan. 9, 2019, 12:12 a.m.
GetDiskFreeSpaceExW
total_number_of_free_bytes: 5333112431056983
free_bytes_available: 1126906453255584
root_path: C:\Documents and Settings\zamen\Local Settings\Temp\VMMapPortable
total_number_of_bytes: 5334452460847104
failed 0 0
Jan. 9, 2019, 12:12 a.m.
GetDiskFreeSpaceExW
total_number_of_free_bytes: 24103485440
free_bytes_available: 24103485440
root_path: C:\Documents and Settings\zamen\Local Settings\Temp\
total_number_of_bytes: 31453437952
success 1 0
Jan. 9, 2019, 12:12 a.m.
GetDiskFreeSpaceExW
total_number_of_free_bytes: 0
free_bytes_available: 24103432192
root_path: C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.IE5\
total_number_of_bytes: 31453437952
success 1 0
Jan. 9, 2019, 12:12 a.m.
GetDiskFreeSpaceExW
total_number_of_free_bytes: 0
free_bytes_available: 24103432192
root_path: C:\Documents and Settings\zamen\Cookies\
total_number_of_bytes: 31453437952
success 1 0
Jan. 9, 2019, 12:12 a.m.
GetDiskFreeSpaceExW
total_number_of_free_bytes: 0
free_bytes_available: 24103432192
root_path: C:\Documents and Settings\zamen\Local Settings\History\History.IE5\
total_number_of_bytes: 31453437952
success 1 0
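As an added example, not part of this report or of Cuckoo's own signature code: the detection logic a triage script would apply to the two event tables above, run over a constructed sample written in the report's own "time / API / arguments / status" layout (the three records are copied from this report). It parses the records, reports RWX protection changes only from successful NtProtectVirtualMemory calls, and, for the disk-size check, discards failed GetDiskFreeSpaceExW calls (whose logged output values are uninitialised) before comparing the remaining volume sizes against an assumed 40 GiB threshold; the threshold and the helper names are my assumptions.

```python
import re
from typing import Dict, List, Tuple

PAGE_EXECUTE_READWRITE = 0x40

# Constructed sample in the layout of this report's signature tables. The three records are
# copied from the report: one RWX protection change, one failed and one successful disk query.
SAMPLE_EVENTS = r"""
Jan. 9, 2019, 12:12 a.m.
NtProtectVirtualMemory
base_address: 0x10004000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 400
process_handle: 0xffffffff
success 0 0
Jan. 9, 2019, 12:12 a.m.
GetDiskFreeSpaceExW
total_number_of_free_bytes: 18093906991513604
free_bytes_available: 203787883138515721
root_path: C:\Documents and Settings\zamen\Local Settings\Temp\VMMapPortable
total_number_of_bytes: 563877666357248
failed 0 0
Jan. 9, 2019, 12:12 a.m.
GetDiskFreeSpaceExW
total_number_of_free_bytes: 24103485440
free_bytes_available: 24103485440
root_path: C:\Documents and Settings\zamen\Local Settings\Temp\
total_number_of_bytes: 31453437952
success 1 0
"""

DATE_RE = re.compile(r"^[A-Z][a-z]+\.? \d{1,2}, \d{4}, \d{1,2}(?::\d{2})? [ap]\.m\.$")
STATUS_RE = re.compile(r"^(success|failed) (\S+) (\d+)$")
ARG_RE = re.compile(r"^([a-z_]+): (.*)$")


def parse_events(text: str) -> List[Dict]:
    """Split the report's event blocks into one dict per API call (time, api, args, status, return, repeated)."""
    events: List[Dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if DATE_RE.match(line):            # a date line opens a new record
            current = {"time": line, "api": None, "args": {}}
            continue
        if current is None:
            continue
        status = STATUS_RE.match(line)     # "success 1 0" / "failed 0 0" closes the record
        if status:
            current["status"] = status.group(1)
            current["return"] = status.group(2)
            current["repeated"] = int(status.group(3))
            events.append(current)
            current = None
            continue
        arg = ARG_RE.match(line)
        if arg:
            current["args"][arg.group(1)] = arg.group(2)
        elif current["api"] is None:       # the only bare line in a record is the API name
            current["api"] = line
    return events


def parse_int(value: str) -> int:
    """First token of an argument value as decimal or 0x-hex, e.g. "64 (PAGE_EXECUTE_READWRITE)" -> 64."""
    token = value.split()[0]
    return int(token, 16) if token.lower().startswith("0x") else int(token)


def rwx_pages(events: List[Dict]) -> List[Tuple[int, int]]:
    """(base, length) of every successful NtProtectVirtualMemory call that made a region RWX."""
    hits = []
    for ev in events:
        if ev["api"] != "NtProtectVirtualMemory" or ev["status"] != "success":
            continue
        if (parse_int(ev["args"]["protection"]) & 0xFF) == PAGE_EXECUTE_READWRITE:
            hits.append((parse_int(ev["args"]["base_address"]), parse_int(ev["args"]["length"])))
    return hits


def disk_sizes(events: List[Dict]) -> Tuple[Dict[str, int], int]:
    """root_path -> total_number_of_bytes from successful GetDiskFreeSpaceExW calls only.

    A failed call never writes its output buffers, so the numbers logged for it are whatever
    was on the stack (the report shows ~512 TB); they are skipped and counted instead.
    """
    sizes: Dict[str, int] = {}
    skipped = 0
    for ev in events:
        if ev["api"] != "GetDiskFreeSpaceExW":
            continue
        if ev["status"] != "success":
            skipped += 1
            continue
        sizes[ev["args"]["root_path"]] = parse_int(ev["args"]["total_number_of_bytes"])
    return sizes, skipped


def small_disk(events: List[Dict], threshold: int = 40 * 1024 ** 3) -> bool:
    """True when a successfully queried volume is below the threshold (40 GiB is an assumption; tune to your fleet)."""
    sizes, _ = disk_sizes(events)
    return any(total < threshold for total in sizes.values())


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("RWX pages:", [(hex(base), length) for base, length in rwx_pages(evs)])
    volumes, skipped = disk_sizes(evs)
    print("volumes:", volumes, "skipped failed calls:", skipped)
    print("small disk:", small_disk(evs))
```

Run against the constructed sample this yields one RWX page at 0x10004000, one skipped garbage record, and a single 31453437952-byte volume, which a 40 GiB threshold would call small; the point is that the same data, taken without the status filter, would report a 512 TB disk for the failed call.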
Creates executable files on the filesystem (5 events)
file C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\w7tbp.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\INetC.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\System.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\nsDialogs.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\FindProcDLL.dll
File has been identified by one AntiVirus engine on VirusTotal as malicious (1 event)
Yandex Trojan.Agent!VTVt3VEVH3I (a single generic heuristic detection with no other engine agreeing; on its own this is a weak signal)
The binary likely contains encrypted or compressed data. (2 events)
section .rsrc: virtual_address 0x00201000, virtual_size 0x00019ca0, size_of_data 0x00019e00, entropy 7.506167155696262. A section with a high entropy has been found.
entropy 0.763837638376. Overall entropy of this PE file is high.
Note: the second figure is not a Shannon entropy. In Cuckoo's packer_entropy signature it is the share of section data lying in sections whose entropy exceeds 6.8 bits per byte, here 0x19e00 / 0x21e00 = 207/271, i.e. .rsrc's share of the roughly 139 KB of section data. The check only covers the section table; the remaining roughly 790 KB of this 928.7 KB file is the overlay flagged by the HasOverlay rule, which is where NSIS stores its compressed payload. A high-entropy .rsrc plus a large overlay is the normal shape of an NSIS installer, so this signature adds nothing beyond the packer identification.
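To make the two figures above concrete, here is an added example (my code, not Cuckoo's signature or anything from this report) that re-implements the signature's per-section and overall check using its thresholds of 6.8 bits per byte and a 0.2 share (both taken as assumptions about the signature source), computes Shannon entropy for arbitrary bytes, and measures the overlay that the check never examines. The .rsrc descriptor is copied from this report; the other sections are lumped into one constructed 0x8000-byte low-entropy entry so that the totals reproduce the 0.7638 figure, and the header size, raw layout and the 950989-byte file size are approximations, not values taken from the file.

```python
import math
from typing import Dict, List, Tuple

# Thresholds of Cuckoo's packer_entropy signature (assumed from its source, not read from this report).
HIGH_ENTROPY_BITS = 6.8   # per-section Shannon entropy, bits per byte
HIGH_SHARE = 0.2          # share of section data that must sit in such sections

# Section descriptors: (name, size_of_data, entropy). .rsrc is copied from this report; the
# remaining sections are a constructed lumped entry chosen so the totals match the report.
REPORT_SECTIONS: List[Tuple[str, int, float]] = [
    ("other", 0x8000, 5.9),
    (".rsrc", 0x19e00, 7.506167155696262),
]

# Constructed raw layout (pointer_to_raw_data, size_of_raw_data): 0x400-byte headers, sections back to back.
REPORT_LAYOUT: List[Tuple[int, int]] = [(0x400, 0x8000), (0x8400, 0x19e00)]
APPROX_FILE_SIZE = 950_989   # the report's 928.7 KB taken as bytes; an approximation


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def packer_entropy(sections: List[Tuple[str, int, float]]) -> Tuple[List[str], float, bool]:
    """Re-implementation of the signature's logic.

    Returns the names of the high-entropy sections, the share of section data they hold (this is
    the number the report labels "Overall entropy") and whether that share trips the 0.2 threshold.
    """
    total = sum(size for _, size, _ in sections)
    high = [(name, size) for name, size, entropy in sections if entropy > HIGH_ENTROPY_BITS]
    share = sum(size for _, size in high) / total if total else 0.0
    return [name for name, _ in high], share, share > HIGH_SHARE


def overlay_size(file_size: int, raw_layout: List[Tuple[int, int]]) -> int:
    """Bytes past the end of the last section's raw data: the overlay that the entropy check ignores."""
    end_of_sections = max((offset + size for offset, size in raw_layout), default=0)
    return max(file_size - end_of_sections, 0)


def summarize(file_size: int, sections: List[Tuple[str, int, float]],
              raw_layout: List[Tuple[int, int]]) -> Dict[str, object]:
    """Everything a triage note would want: which sections fired, the share, and how much data sits outside them."""
    names, share, overall = packer_entropy(sections)
    return {
        "high_entropy_sections": names,
        "high_entropy_share": round(share, 6),
        "overall_flagged": overall,
        "section_bytes": sum(size for _, size, _ in sections),
        "overlay_bytes": overlay_size(file_size, raw_layout),
    }


if __name__ == "__main__":
    print(summarize(APPROX_FILE_SIZE, REPORT_SECTIONS, REPORT_LAYOUT))
    # Sanity checks on the entropy function with constructed data.
    print(shannon_entropy(b"\x00" * 4096), shannon_entropy(bytes(range(256)) * 16))
```

With the constructed layout the summary shows that the overlay is several times larger than all section data combined, which is why a section-table entropy check says little about an installer whose payload lives past the last section.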
Attempts to disable browser security warnings (1 event)
registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonZoneCrossing

Network

DNS

Name Response Post-Analysis Lookup
download.sysinternals.com 152.199.19.160

Hosts

No hosts contacted. Only the DNS lookup for download.sysinternals.com is recorded, with no TCP connection to it in the capture, so the online installer's download step (handled by the dropped NSIS INetC.dll plugin) never completed. That is consistent with the analyzer log above, where the Human module kept clicking "&Next >" every two seconds until the timeout: the wizard had nothing further to install.

Summary

Process VMMapPortable_3.25_English_online.paf.exe (400)

  • Opened files

    • C:\WINDOWS\system32\oleaccrc.dll
    • C:\WINDOWS\win.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\modern-wizard.bmp
    • C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
    • C:\Documents and Settings\zamen\Local Settings\Temp\VMMapPortable
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\modern-header.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\VMMapPortable_3.25_English_online.paf.exe
    • C:\Documents and Settings\zamen\Cookies\index.dat
    • C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    • C:\Documents and Settings\zamen\Local Settings\History\History.IE5\index.dat
  • Written files

    • C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\INetC.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\nsDialogs.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\modern-wizard.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\w7tbp.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsh2.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\modern-header.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\FindProcDLL.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\System.dll
  • Files Read

    • C:\Documents and Settings\zamen\Local Settings\Temp\nsh2.tmp
    • C:\WINDOWS\win.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\VMMapPortable_3.25_English_online.paf.exe

Process VMMapPortable_3.25_English_online.paf.exe (400)

  • Registry keys opened

    • HKEY_CLASSES_ROOT\Directory
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_TEMPORARYFILES_FOR_NOCACHE_840386
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_TEMPORARYFILES_FOR_NOCACHE_840387
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289
    • HKEY_CLASSES_ROOT\Folder
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530a-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\RETRY_HEADERONLYPOST_ONCONNECTIONRESET
    • HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
    • HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WPAD_STORE_URL_AS_FQDN_KB903926
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530b-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\VMMapPortable_3.25_English_online.paf.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ProductOptions
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\AppLogLevels
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\LangBarAddIn\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\Explorer\AutoComplete
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HKEY_CLASSES_ROOT\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32
    • HKEY_LOCAL_MACHINE\System\Setup
    • HKEY_LOCAL_MACHINE\Software\Microsoft\COM3\Debug
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2
    • HKEY_CLASSES_ROOT\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4
    • HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\CurVer
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BUFFERBREAKING_818408
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CERT_TRUST_VERIFIED_KB936882
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530e-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\IconHandler
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNT
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\00000004
    • HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274
    • HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149
    • HKEY_LOCAL_MACHINE\System\WPA\PnP
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530d-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF\LangBarAddIn\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Clsid
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CHUNK_TIMEOUT_KB914453
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Special Paths
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_DISABLE_NTLM_PREAUTH_IF_ABORTED_KB902409
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT\UserEra
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENSURE_FQDN_FOR_NEGOTIATE_KB899417
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
    • HKEY_CURRENT_USER\Control Panel\Desktop
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_KEEP_CACHE_INDEX_OPEN_KB899342
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019010920190110
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AUTOPROXY_CACHE_ANAME_KB921400
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Explorer\AutoComplete
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WAIT_TIME_THREAD_TERMINATE_KB886801
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\00000006
  • Registry keys written

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530e-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CacheLimit
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CachePath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CachePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530a-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530b-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Paths
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonZoneCrossing
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CachePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530d-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CacheLimit
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CacheLimit
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CachePath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CacheLimit
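The "Written files" and "Registry keys written" lists above are the footprint of an NSIS installer (PortableApps .paf.exe packages are built with NSIS): plugin DLLs are extracted into a %TEMP%\ns&lt;random&gt;.tmp directory and loaded from there. The triage helper below is an added example, not part of the sandbox report or of the PortableApps project; it parses those two bullet lists (copied here as constructed input) and pulls out what a reviewer actually cares about: which NSIS plugins were dropped (INetC.dll gives the script HTTP/FTP download, System.dll lets it call arbitrary DLL exports), which writes landed under HKLM, and which WinINet "Internet Settings" values with security meaning (SecureProtocols, WarnonZoneCrossing) were written. The plugin descriptions and the list of security-relevant values are the example author's own, not taken from the report.

```python
"""Triage helper for Cuckoo-style sandbox reports (added example, not the
sandbox's own code)."""
import re
from collections import defaultdict

# Constructed input: lines copied from the report's "Written files" and
# "Registry keys written" bullet lists for the VMMapPortable process.
SAMPLE_REPORT = r"""
  • Written files

    • C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\INetC.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\nsDialogs.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\modern-wizard.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\w7tbp.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsh2.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\modern-header.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\FindProcDLL.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\System.dll
  • Registry keys written

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530e-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CacheLimit
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Paths
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonZoneCrossing
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CacheLimit
"""

BULLET = re.compile(r"^(\s*)•\s+(.*\S)\s*$")
# NSIS extracts plugin DLLs into %TEMP%\ns<random>.tmp\ and loads them from there.
NSIS_TMP_DIR = re.compile(r"\\Temp\\(ns[a-z0-9]{1,4}\.tmp)\\", re.IGNORECASE)
# Well-known NSIS plugin DLLs and the capability each gives the installer script
# (descriptions are the example author's, not from the report).
NSIS_PLUGINS = {
    "system.dll": "call arbitrary Win32/DLL exports from the script",
    "nsdialogs.dll": "custom wizard pages",
    "inetc.dll": "HTTP/FTP download and upload",
    "findprocdll.dll": "find running processes by name",
    "w7tbp.dll": "Windows 7 taskbar progress",
}
# WinINet "Internet Settings" values whose modification weakens TLS or zone checks.
INET_SECURITY_VALUES = {"secureprotocols", "warnonzonecrossing", "certificaterevocation",
                        "warnonbadcertrecving", "disablecachingofsslpages"}


def parse_report(text):
    """Map each 2-space-indented bullet header to the 4-space-indented bullets under it."""
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = BULLET.match(line)
        if not m:
            continue
        indent, body = len(m.group(1)), m.group(2)
        if indent <= 2:
            current = body
        elif current is not None:
            sections[current].append(body)
    return dict(sections)


def triage(report_text):
    """Return the findings a reviewer wants from the written-file and registry-write lists."""
    sections = parse_report(report_text)
    result = {"nsis_tmp_dirs": set(), "nsis_plugins": {},
              "hklm_writes": [], "inet_security_writes": []}
    for path in sections.get("Written files", []):
        m = NSIS_TMP_DIR.search(path)
        if m:
            result["nsis_tmp_dirs"].add(m.group(1).lower())
        name = path.rsplit("\\", 1)[-1].lower()
        if name in NSIS_PLUGINS:
            result["nsis_plugins"][name] = NSIS_PLUGINS[name]
    for key in sections.get("Registry keys written", []):
        if key.upper().startswith("HKEY_LOCAL_MACHINE\\"):
            result["hklm_writes"].append(key)   # machine-wide change; worth a look
        value = key.rsplit("\\", 1)[-1].lower()
        if "\\internet settings\\" in key.lower() and value in INET_SECURITY_VALUES:
            result["inet_security_writes"].append(key)
    result["looks_like_nsis"] = bool(result["nsis_tmp_dirs"]) and "system.dll" in result["nsis_plugins"]
    result["network_capable"] = "inetc.dll" in result["nsis_plugins"]
    return result


if __name__ == "__main__":
    for k, v in triage(SAMPLE_REPORT).items():
        print(f"{k}: {v}")
```

One caveat when reading the output: WinINet itself populates the Cache\Paths keys and several Internet Settings values (SecureProtocols among them) the first time it is initialised in a fresh profile, and the INetC plugin uses WinINet, so those writes are a prompt to compare the stored values against the machine's defaults rather than evidence of tampering on their own. The durable signal here is the plugin set: a network-capable installer that can also call arbitrary DLL exports, which is exactly what an "online" PortableApps installer needs and also exactly what a trojanised one would need.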
  • Registry keys read

    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AlwaysDrainOnRedirect
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\LibraryPath
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\WinSock_Registry_Version
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CacheLimit
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ReleaseSocketDuringAuth
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\BadProxyExpiresTime
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLifeTime
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CertificateRevocation
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\TruncateFileName
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019010920190110\CachePath
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Enabled
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ShareCredsWithWinHttp
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\DisableWorkerThreadHibernation
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SocketSendBufferLength
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\PackedCatalogItem
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ServicePackSourcePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewWatermark
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLimit
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\RsopLogging
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\PackedCatalogItem
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Hostname
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\ProviderId
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutodial
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions\ProductType
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Cache
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Serial_Access_Num
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\ProviderId
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\HttpDefaultExpiryTimeSecs
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019010920190110\CacheOptions
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\DisplayString
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\ScavengeCacheFileLimit
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\DisplayString
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\NonBlockingClient32
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager\Compositing
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\PackedCatalogItem
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Num_Catalog_Entries
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Next_Catalog_Entry_ID
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\SessionStartTimeDefaultDeltaSecs
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Num_Catalog_Entries
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\AddressFamily
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\PerUserItem
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableGopher
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CertCacheNoValidate
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SendExtraCRLF
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Enabled
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\NoCheckAutodialOverRide
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\PackedCatalogItem
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\History
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisablePassport
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\OsLoaderPath
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\AddressFamily
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Serial_Access_Num
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\BypassHTTPNoCacheCheck
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\LibraryPath
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Version
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\FtpDefaultExpiryTimeSecs
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SyncMode5
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\DisplayString
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttpTrace
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\PackedCatalogItem
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\LeashLegacyCookies
    • HKEY_LOCAL_MACHINE\SYSTEM\WPA\PnP\seed
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableNT4RasCheck
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttpTrace
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogLevel
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\DialupUseLanSettings
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableNTLMPreAuth
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CacheLimit
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MimeExclusionListForCache
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\PerUserItem
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\FromCacheTimeout
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ScavengeCacheLowerBound
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableKeepAlive
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ReleaseSocketDuring401Auth
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Signature
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\SupportedNameSpace
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ReceiveTimeOut
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\DontUseDNSLoadBalancing
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableBasicOverClearChannel
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewScrollOver
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\Feature_ClientAuthCertFilter
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\StoresServiceClassInfo
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DevicePath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ReleaseSocketDuring401Auth
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\NoCheckAutodialOverRide
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\PerUserCookies
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\PerUserItem
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableWorkerThreadHibernation
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\PackedCatalogItem
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019010920190110\CachePrefix
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\BypassFtpTimeCheck
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WpadSearchAllDomains
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\PackedCatalogItem
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\PerUserItem
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CacheMode
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogPath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DialupUseLanSettings
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MinimumFreeMemPercentageToCreateProcess
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DontUseDNSLoadBalancing
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\KeepAliveTimeout
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Ws2_32NumHandleBuckets
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Personal
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\SupportedNameSpace
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ServerInfoTimeout
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnAlwaysOnPost
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxHttpRedirects
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\StoresServiceClassInfo
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\FixupKey
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019010920190110\CacheRepair
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\AddressFamily
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local Settings
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ChkAccDebugLevel
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserEnvDebugLevel
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DnsCacheTimeout
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\PerUserItem
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Enabled
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DnsCacheEnabled
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\ProviderId
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonZoneCrossing
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CacheLimit
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewScrollOver
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\PackedCatalogItem
    • HKEY_CURRENT_USER\Control Panel\Desktop\LameButtonText
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\DriverCachePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Cookies
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\RsopDebugLevel
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableLegacyPreAuthAsServer
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnBadCertRecving
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableCachingOfSSLPages
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\BypassSSLNoCacheCheck
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Version
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\BypassSSLNoCacheCheck
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019010920190110\CacheLimit
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GopherDefaultExpiryTimeSecs
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\DisableLegacyPreAuthAsServer
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemPartition
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Ws2_32SpinCount
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnZoneCrossing
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPost
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ServicePackCachePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DnsCacheEntries
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\LibraryPath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnBadCertSending
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\HeaderExclusionListForCache
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Version
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SocketReceiveBufferLength
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\PerUserItem
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Domain
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\StoresServiceClassInfo
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MinimumFreeMemPercentageToCreateObject
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableReadRange
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\UrlEncoding
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\SupportedNameSpace
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\BypassHTTPNoCacheCheck

Process VMMapPortable_3.25_English_online.paf.exe (400)

  • Mutexes accessed

    • oleacc-msaa-loaded
    • MSCTF.Shared.MUTEX.EFG
    • WininetConnectionMutex

Process VMMapPortable_3.25_English_online.paf.exe (400)

  • Directories created

    • C:\Documents and Settings
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\VMMapPortable
    • C:\Documents and Settings\zamen\Local Settings\Temp\
    • C:\Documents and Settings\zamen\Local Settings\Temp
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\Downloaded
    • C:\Documents and Settings\zamen\Local Settings
    • C:\Documents and Settings\zamen

  • Directories enumerated

    • C:\Documents and Settings
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\Downloaded\VMMap.zip
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\Downloaded\VMMap
    • C:\Program Files\Microsoft Office\Office12
    • C:\WINDOWS\system32\ctfmon.exe
    • C:\WINDOWS\explorer.exe
    • C:\Python27\pythonw.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\Downloaded
    • C:\Documents and Settings\zamen\Local Settings\Temp\VMMapPortable\Data\PortableApps.comInstaller\license.ini
    • C:\WINDOWS\system32\lsass.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\VMMapPortable\*.*
    • C:\Program Files\Java\jre7\bin\jqs.exe
    • C:\Program Files\Java\jre7
    • C:\WINDOWS
    • C:\PortableApps
    • C:\WINDOWS\system32\svchost.exe
    • C:\Documents and Settings\zamen\Local Settings
    • C:\Documents and Settings\zamen\PortableApps\*.*
    • C:\WINDOWS\system32
    • C:\Documents and Settings\zamen\Local Settings\Temp\VMMap.zip
    • C:\Python27
    • C:\Program Files\Common Files\Java
    • C:\WINDOWS\system32\services.exe
    • C:\Program Files\Java
    • E:\PortableApps
    • C:\Documents and Settings\zamen
    • C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\VMMap.zip
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temp
    • C:\Program Files\Java\jre7\bin
    • C:\WINDOWS\system32\spoolsv.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\VMMapPortable
    • C:\WINDOWS\system32\alg.exe
    • C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files
    • C:\Program Files\Common Files\Java\Java Update\jusched.exe

Process VMMapPortable_3.25_English_online.paf.exe (400)

  • DLLs Loaded

    • C:\WINDOWS\system32\APPHELP.dll
    • C:\WINDOWS\system32\USERENV.dll
    • C:\WINDOWS\system32\SHELL32.dll
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsm3.tmp\INetC.dll
    • kernel32.dll
    • UxTheme.dll
    • ws2_32
    • C:\WINDOWS\system32\OLEACC.dll
    • wsock32
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsm3.tmp\w7tbp.dll
    • C:\WINDOWS\system32\CRYPTBASE.dll
    • C:\WINDOWS\system32\browseui.dll
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsm3.tmp\System.dll
    • ole32.dll
    • WININET
    • C:\WINDOWS\system32\UXTHEME.dll
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsm3.tmp\FindProcDLL.dll
    • C:\WINDOWS\system32\DWMAPI.dll
    • C:\WINDOWS\system32\RichEd20.dll
    • C:\WINDOWS\system32\PROPSYS.dll
    • C:\WINDOWS\system32\SETUPAPI.dll
    • C:\WINDOWS\system32\SHFOLDER.dll
    • SHELL32.dll
    • PSAPI.DLL
    • C:\WINDOWS\system32\CLBCATQ.dll
    • browseui.dll
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsm3.tmp\nsDialogs.dll
    • shell32.dll
    • SETUPAPI.dll

PE Compile Time

2018-01-29 22:58:43

Signing Certificate

MD5 da26be9659b0132c12c0fc4d24f038c5
SHA1 c0a448b9101f48309a8e5a67c11db09da14b54bb
Serial Number f0e150c304de35f2e9086185581f4053
Common Name Rare Ideas, LLC
Country US
Locality Astoria

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x00006409 0x00006600 6.40783079431
.rdata 0x00008000 0x0000138e 0x00001400 5.14383173215
.data 0x0000a000 0x00066358 0x00000600 4.00056108793
.ndata 0x00071000 0x00190000 0x00000000 0.0
.rsrc 0x00201000 0x00019ca0 0x00019e00 7.5061671557

Imports

Library KERNEL32.dll:
0x408070 ExitProcess
0x408074 SetFileAttributesW
0x408078 Sleep
0x40807c GetTickCount
0x408080 CreateFileW
0x408084 GetFileSize
0x408088 GetModuleFileNameW
0x40808c GetCurrentProcess
0x408094 GetFileAttributesW
0x4080a0 GetTempPathW
0x4080a4 GetCommandLineW
0x4080a8 GetVersion
0x4080ac SetErrorMode
0x4080b0 lstrlenW
0x4080b4 lstrcpynW
0x4080b8 CopyFileW
0x4080bc GetShortPathNameW
0x4080c0 GlobalLock
0x4080c4 CreateThread
0x4080c8 GetLastError
0x4080cc CreateDirectoryW
0x4080d0 CreateProcessW
0x4080d4 RemoveDirectoryW
0x4080d8 lstrcmpiA
0x4080dc GetTempFileNameW
0x4080e0 WriteFile
0x4080e4 lstrcpyA
0x4080e8 MoveFileExW
0x4080ec lstrcatW
0x4080f0 GetSystemDirectoryW
0x4080f4 GetProcAddress
0x4080f8 GetModuleHandleA
0x4080fc GetExitCodeProcess
0x408100 WaitForSingleObject
0x408104 lstrcmpiW
0x408108 MoveFileW
0x40810c GetFullPathNameW
0x408110 SetFileTime
0x408114 SearchPathW
0x408118 CompareFileTime
0x40811c lstrcmpW
0x408120 CloseHandle
0x408128 GlobalFree
0x40812c GlobalUnlock
0x408130 GetDiskFreeSpaceW
0x408134 GlobalAlloc
0x408138 FindFirstFileW
0x40813c FindNextFileW
0x408140 DeleteFileW
0x408144 SetFilePointer
0x408148 ReadFile
0x40814c FindClose
0x408150 lstrlenA
0x408154 MulDiv
0x408158 MultiByteToWideChar
0x40815c WideCharToMultiByte
0x408168 FreeLibrary
0x40816c LoadLibraryExW
0x408170 GetModuleHandleW
Library USER32.dll:
0x408194 GetSystemMenu
0x408198 SetClassLongW
0x40819c EnableMenuItem
0x4081a0 IsWindowEnabled
0x4081a4 SetWindowPos
0x4081a8 GetSysColor
0x4081ac GetWindowLongW
0x4081b0 SetCursor
0x4081b4 LoadCursorW
0x4081b8 CheckDlgButton
0x4081bc GetMessagePos
0x4081c0 LoadBitmapW
0x4081c4 CallWindowProcW
0x4081c8 IsWindowVisible
0x4081cc CloseClipboard
0x4081d0 SetClipboardData
0x4081d4 EmptyClipboard
0x4081d8 OpenClipboard
0x4081dc ScreenToClient
0x4081e0 GetWindowRect
0x4081e4 GetDlgItem
0x4081e8 GetSystemMetrics
0x4081ec SetDlgItemTextW
0x4081f0 GetDlgItemTextW
0x4081f4 MessageBoxIndirectW
0x4081f8 CharPrevW
0x4081fc CharNextA
0x408200 wsprintfA
0x408204 DispatchMessageW
0x408208 PeekMessageW
0x40820c ReleaseDC
0x408210 EnableWindow
0x408214 InvalidateRect
0x408218 SendMessageW
0x40821c DefWindowProcW
0x408220 BeginPaint
0x408224 GetClientRect
0x408228 FillRect
0x40822c DrawTextW
0x408230 EndDialog
0x408234 RegisterClassW
0x40823c CreateWindowExW
0x408240 GetClassInfoW
0x408244 DialogBoxParamW
0x408248 CharNextW
0x40824c ExitWindowsEx
0x408250 DestroyWindow
0x408254 GetDC
0x408258 SetTimer
0x40825c SetWindowTextW
0x408260 LoadImageW
0x408264 SetForegroundWindow
0x408268 ShowWindow
0x40826c IsWindow
0x408270 SetWindowLongW
0x408274 FindWindowExW
0x408278 TrackPopupMenu
0x40827c AppendMenuW
0x408280 CreatePopupMenu
0x408284 EndPaint
0x408288 CreateDialogParamW
0x40828c SendMessageTimeoutW
0x408290 wsprintfW
0x408294 PostQuitMessage
Library GDI32.dll:
0x40804c SelectObject
0x408050 SetBkMode
0x408054 CreateFontIndirectW
0x408058 SetTextColor
0x40805c DeleteObject
0x408060 GetDeviceCaps
0x408064 CreateBrushIndirect
0x408068 SetBkColor
Library SHELL32.dll:
0x40817c ShellExecuteExW
0x408184 SHBrowseForFolderW
0x408188 SHGetFileInfoW
0x40818c SHFileOperationW
Library ADVAPI32.dll:
0x408004 RegCreateKeyExW
0x408008 RegOpenKeyExW
0x40800c SetFileSecurityW
0x408010 OpenProcessToken
0x408018 RegEnumValueW
0x40801c RegDeleteKeyW
0x408020 RegDeleteValueW
0x408024 RegCloseKey
0x408028 RegSetValueExW
0x40802c RegQueryValueExW
0x408030 RegEnumKeyW
Library COMCTL32.dll:
0x408038 ImageList_Create
0x40803c ImageList_AddMasked
0x408040 ImageList_Destroy
0x408044 None
Library ole32.dll:
0x40829c OleUninitialize
0x4082a0 OleInitialize
0x4082a4 CoTaskMemFree
0x4082a8 CoCreateInstance

!This program cannot be run in DOS mode.
`.rdata
@.data
.ndata
UXTHEME
USERENV
SETUPAPI
APPHELP
PROPSYS
DWMAPI
CRYPTBASE
OLEACC
CLBCATQ
RichEd32
RichEd20
MulDiv
DeleteFileW
FindFirstFileW
FindNextFileW
FindClose
SetFilePointer
ReadFile
MultiByteToWideChar
lstrlenA
WideCharToMultiByte
GetPrivateProfileStringW
WritePrivateProfileStringW
FreeLibrary
LoadLibraryExW
GetModuleHandleW
GlobalAlloc
GlobalFree
ExpandEnvironmentStringsW
lstrcmpW
lstrcmpiW
CloseHandle
SetFileTime
CompareFileTime
SearchPathW
GetShortPathNameW
GetFullPathNameW
MoveFileW
SetCurrentDirectoryW
GetFileAttributesW
SetFileAttributesW
GetTickCount
CreateFileW
GetFileSize
GetModuleFileNameW
GetCurrentProcess
CopyFileW
ExitProcess
SetEnvironmentVariableW
GetWindowsDirectoryW
GetTempPathW
GetCommandLineW
GetVersion
SetErrorMode
lstrlenW
lstrcpynW
GetDiskFreeSpaceW
GlobalUnlock
GlobalLock
CreateThread
GetLastError
CreateDirectoryW
CreateProcessW
RemoveDirectoryW
lstrcmpiA
GetTempFileNameW
WriteFile
lstrcpyA
MoveFileExW
lstrcatW
GetSystemDirectoryW
GetProcAddress
GetModuleHandleA
GetExitCodeProcess
WaitForSingleObject
KERNEL32.dll
EndPaint
DrawTextW
FillRect
GetClientRect
BeginPaint
DefWindowProcW
SendMessageW
InvalidateRect
EnableWindow
ReleaseDC
LoadImageW
SetWindowLongW
GetDlgItem
IsWindow
FindWindowExW
SendMessageTimeoutW
wsprintfW
ShowWindow
SetForegroundWindow
PostQuitMessage
SetWindowTextW
SetTimer
CreateDialogParamW
DestroyWindow
ExitWindowsEx
CharNextW
DialogBoxParamW
GetClassInfoW
CreateWindowExW
SystemParametersInfoW
RegisterClassW
EndDialog
ScreenToClient
GetWindowRect
EnableMenuItem
GetSystemMenu
SetClassLongW
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongW
SetCursor
LoadCursorW
CheckDlgButton
GetMessagePos
LoadBitmapW
CallWindowProcW
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
TrackPopupMenu
AppendMenuW
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextW
GetDlgItemTextW
MessageBoxIndirectW
CharPrevW
CharNextA
wsprintfA
DispatchMessageW
PeekMessageW
USER32.dll
SelectObject
SetTextColor
SetBkMode
CreateFontIndirectW
CreateBrushIndirect
DeleteObject
GetDeviceCaps
SetBkColor
GDI32.dll
SHFileOperationW
SHGetFileInfoW
SHBrowseForFolderW
SHGetPathFromIDListW
ShellExecuteExW
SHGetSpecialFolderLocation
SHELL32.dll
RegEnumValueW
RegEnumKeyW
RegQueryValueExW
RegSetValueExW
RegCloseKey
RegDeleteValueW
RegDeleteKeyW
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
SetFileSecurityW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
ImageList_Destroy
ImageList_AddMasked
ImageList_Create
COMCTL32.dll
CoCreateInstance
OleUninitialize
OleInitialize
CoTaskMemFree
ole32.dll
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
VERSION
SHGetFolderPathW
SHFOLDER
SHAutoComplete
SHLWAPI
SHELL32
InitiateShutdownW
RegDeleteKeyExW
ADVAPI32
GetUserDefaultUILanguage
GetDiskFreeSpaceExW
SetDefaultDllDirectories
KERNEL32
[Rename]
%ls=%ls
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.03</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
NullsoftInstJ
Western Cape1
Durbanville1
Thawte1
Thawte Certification10
Thawte Timestamping CA0
121221000000Z
201230235959Z0^1
Symantec Corporation100.
'Symantec Time Stamping Services CA - G20
http://ocsp.thawte.com0
.http://crl.thawte.com/ThawteTimestampingCA.crl0
TimeStamp-2048-10
Symantec Corporation100.
'Symantec Time Stamping Services CA - G20
121018000000Z
201229235959Z0b1
Symantec Corporation1402
+Symantec Time Stamping Services Signer - G40
http://ts-ocsp.ws.symantec.com07
+http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
+http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
TimeStamp-2048-20
Greater Manchester1
Salford1
COMODO CA Limited1#0!
COMODO RSA Code Signing CA0
180220000000Z
190220235959Z0
111081
New York1
Astoria1!0
350 Fifth Ave Suite 52091
Rare Ideas, LLC1
Rare Ideas, LLC0
https://secure.comodo.net/CPS0C
2http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
2http://crt.comodoca.com/COMODORSACodeSigningCA.crt0$
http://ocsp.comodoca.com0
contact@rareideas.com0
Greater Manchester1
Salford1
COMODO CA Limited1+0)
"COMODO RSA Certification Authority0
130509000000Z
280508235959Z0}1
Greater Manchester1
Salford1
COMODO CA Limited1#0!
COMODO RSA Code Signing CA0
;http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
/http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$
http://ocsp.comodoca.com0
SN20s
Greater Manchester1
Salford1
COMODO CA Limited1#0!
COMODO RSA Code Signing CA
Symantec Corporation100.
'Symantec Time Stamping Services CA - G2
181213172305Z0#
Greater Manchester1
Salford1
COMODO CA Limited1#0!
COMODO RSA Code Signing CA0
180220000000Z
190220235959Z0
111081
New York1
Astoria1!0
350 Fifth Ave Suite 52091
Rare Ideas, LLC1
Rare Ideas, LLC0
https://secure.comodo.net/CPS0C
2http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
2http://crt.comodoca.com/COMODORSACodeSigningCA.crt0$
http://ocsp.comodoca.com0
contact@rareideas.com0
Greater Manchester1
Salford1
COMODO CA Limited1+0)
"COMODO RSA Certification Authority0
130509000000Z
280508235959Z0}1
Greater Manchester1
Salford1
COMODO CA Limited1#0!
COMODO RSA Code Signing CA0
;http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
/http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$
http://ocsp.comodoca.com0
SN20s
Greater Manchester1
Salford1
COMODO CA Limited1#0!
COMODO RSA Code Signing CA
20181213172305Z
-0+1)0'
GlobalSign TSA for Advanced - G2
GlobalSign nv-sa110/
(GlobalSign Timestamping CA - SHA256 - G20
180219000000Z
290318100000Z0+1)0'
GlobalSign TSA for Advanced - G20
&https://www.globalsign.com/repository/0
5http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
<http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0<
0http://ocsp2.globalsign.com/gstimestampingsha2g20
<W"=0
GlobalSign Root CA - R31
GlobalSign1
GlobalSign0
110802100000Z
290329100000Z0[1
GlobalSign nv-sa110/
(GlobalSign Timestamping CA - SHA256 - G20
x"6kwy
&https://www.globalsign.com/repository/06
%http://crl.globalsign.net/root-r3.crl0
=dj;^NF
GlobalSign nv-sa110/
(GlobalSign Timestamping CA - SHA256 - G2
181213172305Z0/
GlobalSign nv-sa110/
(GlobalSign Timestamping CA - SHA256 - G2
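The validity windows above decide whether this signature still verifies once the Rare Ideas, LLC certificate lapses on 2019-02-20: with a trusted countersignature, Authenticode only requires the signing chain to have been valid at the timestamp and the TSA chain to have been valid when it issued the token. The Python below is an added example, not code from this report, from Cuckoo or from PortableApps.com. It decodes the ASN.1 UTCTime and GeneralizedTime strings in the form they appear in the dump and applies that rule; the subjects and dates are transcribed from the certificate strings above, and revocation checking is deliberately left out (it must be done against the listed CRL/OCSP endpoints).

```python
"""Authenticode validity-window check (added example; not part of the Cuckoo
report). Certificate subjects and dates are transcribed from the strings above."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Sequence, Tuple


def parse_asn1_time(value: str) -> datetime:
    """Decode an ASN.1 UTCTime (YYMMDDhhmmssZ) or GeneralizedTime
    (YYYYMMDDhhmmssZ) exactly as it appears in a strings dump."""
    if not value.endswith("Z"):
        raise ValueError(f"expected a Zulu (UTC) time, got {value!r}")
    digits = value[:-1]
    if len(digits) == 12:
        # UTCTime carries a two-digit year; RFC 5280 pivots at 50.
        yy = int(digits[:2])
        digits = f"{1900 + yy if yy >= 50 else 2000 + yy:04d}" + digits[2:]
    elif len(digits) != 14:
        raise ValueError(f"unsupported ASN.1 time {value!r}")
    return datetime.strptime(digits, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Cert:
    subject: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, when: datetime) -> bool:
        return self.not_before <= when <= self.not_after


def chain_valid_at(chain: Sequence[Cert], when: datetime) -> bool:
    """Every certificate in the chain must be inside its own window at `when`."""
    return all(cert.valid_at(when) for cert in chain)


def signature_status(sign_chain: Sequence[Cert], ts_chain: Optional[Sequence[Cert]],
                     signing_time: datetime, check_time: datetime) -> Tuple[bool, str]:
    """Authenticode rule: a countersigned signature survives the signing
    certificate's expiry as long as the signing chain was valid at the trusted
    timestamp and the TSA chain was valid when it issued the token.
    Revocation is not modelled here and must be checked separately."""
    if not chain_valid_at(sign_chain, signing_time):
        return False, "signing chain was not valid at the signing time"
    if chain_valid_at(sign_chain, check_time):
        return True, "signing chain is still within its validity window"
    if ts_chain is None:
        return False, "signing chain has expired and there is no timestamp countersignature"
    if not chain_valid_at(ts_chain, signing_time):
        return False, "timestamp chain was not valid when the token was issued"
    return True, "signing chain has expired but the timestamp countersignature covers it"


# Transcribed from the COMODO and GlobalSign certificate strings in this report.
RARE_IDEAS = Cert("Rare Ideas, LLC",
                  parse_asn1_time("180220000000Z"), parse_asn1_time("190220235959Z"))
COMODO_CS_CA = Cert("COMODO RSA Code Signing CA",
                    parse_asn1_time("130509000000Z"), parse_asn1_time("280508235959Z"))
GS_TSA = Cert("GlobalSign TSA for Advanced - G2",
              parse_asn1_time("180219000000Z"), parse_asn1_time("290318100000Z"))
GS_TS_CA = Cert("GlobalSign Timestamping CA - SHA256 - G2",
                parse_asn1_time("110802100000Z"), parse_asn1_time("290329100000Z"))
SIGN_CHAIN = (RARE_IDEAS, COMODO_CS_CA)
TS_CHAIN = (GS_TSA, GS_TS_CA)
SIGNING_TIME = parse_asn1_time("20181213172305Z")  # genTime of the GlobalSign token


def status_at(check_time: datetime, with_timestamp: bool = True) -> Tuple[bool, str]:
    """Evaluate this report's signature at an arbitrary verification time."""
    return signature_status(SIGN_CHAIN, TS_CHAIN if with_timestamp else None,
                            SIGNING_TIME, check_time)


if __name__ == "__main__":
    for when in (datetime(2019, 1, 9, tzinfo=timezone.utc),
                 datetime(2020, 6, 1, tzinfo=timezone.utc)):
        ok, why = status_at(when)
        print(f"{when:%Y-%m-%d}: {'VALID' if ok else 'INVALID'} ({why})")
```

Run as-is it reports the signature as valid on the analysis date (the signer certificate is still in its window) and still valid in mid-2020, when only the GlobalSign countersignature keeps it alive; pass `with_timestamp=False` to see what the verdict would be without the token.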
RichEdit
RichEdit20W
.DEFAULT\Control Panel\International
Control Panel\Desktop\ResourceLocale
Software\Microsoft\Windows\CurrentVersion
\Microsoft\Internet Explorer\Quick Launch
verifying installer: %d%%
unpacking data: %d%%
... %d%%
Installer integrity check has failed. Common causes include
incomplete download and damaged media. Contact the
installer's author to obtain a new copy.
More information at:
http://nsis.sf.net/NSIS_Error
Error writing temporary file. Make sure your temp folder is valid.
Error launching installer
SeShutdownPrivilege
NSIS Error
%u.%u%s%s
*?|<>/":
%s%S.dll
MS Shell Dlg
RichEdit20W
MS Shell Dlg
MS Shell Dlg
MS Shell Dlg
msctls_progress32
SysListView32
MS Shell Dlg
Please wait while Setup is loading...
VS_VERSION_INFO, StringFileInfo block 040904b0 (language 0x0409 en-US, code page 0x04B0 Unicode):
Comments For additional details, visit PortableApps.com
CompanyName PortableApps.com
FileDescription VMMap Portable
FileVersion 3.25.0.0
InternalName VMMap Portable
LegalCopyright 2007-2017 PortableApps.com, PortableApps.com Installer 3.5.11.0
LegalTrademarks PortableApps.com is a registered trademark of Rare Ideas, LLC.
OriginalFilename VMMapPortable_3.25_English_online.paf.exe
PortableApps.comAppID VMMapPortable
PortableApps.comDownloadFileName VMMap.zip
PortableApps.comDownloadKnockURL ${DownloadKnockURL}
PortableApps.comDownloadMD5 987e8749630864b86697b5f99ed424f2
PortableApps.comDownloadName (no value in the dump)
PortableApps.comDownloadURL http://download.sysinternals.com/files/VMMap.zip
PortableApps.comFormatVersion 3.5.11
PortableApps.comInstallerVersion 3.5.11.0
ProductName VMMap Portable
ProductVersion 3.25.0.0
VarFileInfo Translation
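The version resource shows how this "online" installer works: it fetches VMMap.zip from download.sysinternals.com over plain HTTP and checks the download against the MD5 pinned in PortableApps.comDownloadMD5. The Python below is an added example, not code from the report or from PortableApps.com, showing the two checks an analyst would run on that metadata: flag the transport and pin algorithm, and compare an archive against the pin. The URL and digest are transcribed from the resource above; the sample archive bytes are constructed for the demo and are not the real VMMap.zip, so they do not match the pin.

```python
"""Triage of an online installer's download metadata (added example; not part
of the Cuckoo report). URL and digest are transcribed from the version resource
above; SAMPLE_ZIP is constructed for the demo."""
import hashlib
from typing import List, Tuple
from urllib.parse import urlparse

DOWNLOAD_URL = "http://download.sysinternals.com/files/VMMap.zip"
DOWNLOAD_MD5 = "987e8749630864b86697b5f99ed424f2"

# Infer the pin algorithm from the hex digest length.
_DIGEST_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def assess_download_spec(url: str, pinned_digest: str) -> List[str]:
    """Return the transport and pinning weaknesses an analyst should record."""
    findings = []
    scheme = urlparse(url).scheme.lower()
    if scheme != "https":
        findings.append(f"payload is fetched over {scheme or 'an unknown scheme'}; "
                        "the pin is the only integrity control on the wire")
    algo = _DIGEST_BY_LEN.get(len(pinned_digest))
    if algo is None or any(c not in "0123456789abcdef" for c in pinned_digest.lower()):
        findings.append("pinned digest is not a hex MD5, SHA-1 or SHA-256 value")
    elif algo != "sha256":
        findings.append(f"pin uses {algo}; a second preimage is not practical, but the "
                        "algorithm is deprecated and the pin is only as trustworthy "
                        "as the installer carrying it")
    return findings


def verify_payload(data: bytes, pinned_digest: str) -> Tuple[bool, str, str]:
    """Compare a downloaded archive with the pin; also return its SHA-256 so the
    analyst has a modern hash to record alongside the installer's MD5."""
    algo = _DIGEST_BY_LEN[len(pinned_digest)]
    actual = hashlib.new(algo, data).hexdigest()
    return actual == pinned_digest.lower(), actual, hashlib.sha256(data).hexdigest()


# Constructed sample: an empty ZIP (end-of-central-directory record only).
SAMPLE_ZIP = b"PK\x05\x06" + b"\x00" * 18


if __name__ == "__main__":
    for finding in assess_download_spec(DOWNLOAD_URL, DOWNLOAD_MD5):
        print("finding:", finding)
    ok, md5_hex, sha256_hex = verify_payload(SAMPLE_ZIP, DOWNLOAD_MD5)
    print(f"pin match: {ok}  md5={md5_hex}  sha256={sha256_hex}")
```

Against a real capture of the download, replace SAMPLE_ZIP with the archive bytes; a mismatch means the sandbox or the mirror served something other than what the installer expects, which is exactly the case the pin exists to catch.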
Antivirus Signature
Bkav Clean
MicroWorld-eScan Clean
CMC Clean
CAT-QuickHeal Clean
ALYac Clean
Cylance Clean
VIPRE Clean
AegisLab Clean
TheHacker Clean
BitDefender Clean
K7GW Clean
K7AntiVirus Clean
Invincea Clean
Baidu Clean
NANO-Antivirus Clean
Cyren Clean
Symantec Clean
ESET-NOD32 Clean
TrendMicro-HouseCall Clean
Avast Clean
ClamAV Clean
GData Clean
Kaspersky Clean
Alibaba Clean
Babable Clean
ViRobot Clean
Tencent Clean
Ad-Aware Clean
Trustlook Clean
Emsisoft Clean
Comodo Clean
F-Secure Clean
DrWeb Clean
Zillya Clean
TrendMicro Clean
McAfee-GW-Edition Clean
Trapmine Clean
Sophos Clean
Ikarus Clean
F-Prot Clean
Jiangmin Clean
Webroot Clean
Avira Clean
Antiy-AVL Clean
Kingsoft Clean
Endgame Clean
Arcabit Clean
SUPERAntiSpyware Clean
ZoneAlarm Clean
Avast-Mobile Clean
Microsoft Clean
TACHYON Clean
AhnLab-V3 Clean
Acronis Clean
McAfee Clean
MAX Clean
VBA32 Clean
Malwarebytes Clean
Panda Clean
Zoner Clean
Rising Clean
Yandex Trojan.Agent!VTVt3VEVH3I
SentinelOne Clean
eGambit Clean
Fortinet Clean
AVG Clean
Cybereason Clean
Paloalto Clean
CrowdStrike Clean
Qihoo-360 Clean

Process Tree


VMMapPortable_3.25_English_online.paf.exe, PID: 400, Parent PID: 196


Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (i.e., pip install httpreplay) will allow Cuckoo to do more proper PCAP analysis including but not limited to showing full HTTP and HTTPS (!) requests and responses. It is recommended that you install this library and possibly reprocess any interesting analysis tasks.

Hosts

No hosts contacted.

DNS

Name Response Post-Analysis Lookup
download.sysinternals.com 152.199.19.160

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.128.102 1025 192.168.128.111 53
192.168.128.102 137 192.168.128.255 137
192.168.128.102 138 192.168.128.255 138

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name feb6364375d0ab08_nsdialogs.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\nsDialogs.dll
Size 9.5KB
Processes 400 (VMMapPortable_3.25_English_online.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 ca95c9da8cef7062813b989ab9486201
SHA1 c555af25df3de51aa18d487d47408d5245dba2d1
SHA256 feb6364375d0ab081e9cdf11271c40cb966af295c600903383b0730f0821c0be
CRC32 9D200B7A
ssdeep 192:oF8cSzvTyl4tgi8pPjQM0PuAg0YNy8IFtSP:EBSzm+t18pZ0WAg0R8IFg
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_function_prolog_signature -
Name 3c48e17d7c174d71_modern-header.bmp
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\modern-header.bmp
Size 100.2KB
Processes 400 (VMMapPortable_3.25_English_online.paf.exe)
Type PC bitmap, Windows 3.x format, 300 x 114 x 24
MD5 df97bdc3f3286f663d90352ef0eda52e
SHA1 a11ca6a59a23d20ef0b2a05d5ddadc19cb626803
SHA256 3c48e17d7c174d71a2ca46f63ca744b3900c8f7ef770e5618f74fd954c4298b0
CRC32 36AE6867
ssdeep 24:F+lm11111111111111111111111111111111111111111111111111111111111E:4R
Yara None matched
Name a632d74332b3f08f_system.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\System.dll
Size 11.5KB
Processes 400 (VMMapPortable_3.25_English_online.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 75ed96254fbf894e42058062b4b4f0d1
SHA1 996503f1383b49021eb3427bc28d13b5bbd11977
SHA256 a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
CRC32 BFE90AC5
ssdeep 192:X24sihno0bW+l97H4GB7QDs91kMtwtobTr4u+QHbazMNHT7dmNIEr:m8vJl97JeoxtN/r3z7YV
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01070_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -
Name 2ffe1ac2555e822b_findprocdll.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\FindProcDLL.dll
Size 4.0KB
Processes 400 (VMMapPortable_3.25_English_online.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 ba4c1dfe226d573d516c0529f263011e
SHA1 d726e947633ea75c09bba1cb6a14a79ce953be24
SHA256 2ffe1ac2555e822b4a383996168031e456f09f9cf3bb763fccee35be178cf58a
CRC32 B076F3F7
ssdeep 48:qv1AJiDhU8UsnL0C8EA4G1zkxU5NMsH7pWIa1B3yx3s2mRUyNi7ftUgwQagqlNt/:uJnQChA4nsNMg0I8GiR+Uget
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_suspicious_strings -
Name ee13539f3d66cc05_modern-wizard.bmp
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\modern-wizard.bmp
Size 603.5KB
Processes 400 (VMMapPortable_3.25_English_online.paf.exe)
Type PC bitmap, Windows 3.x format, 328 x 628 x 24
MD5 4df53efcaa2c52f39618b2aad77bb552
SHA1 542de62a8a48a3ff57cf7845737803078062e95b
SHA256 ee13539f3d66cc0592942ea1a4c35d8fd9af67b1a7f272d0d791931e6e9ce4eb
CRC32 1CDF967B
ssdeep 1536:9Bn13fmACap7r33OCINrac3aKumetKPKqDjoo+1q7C3DNgbgNgLg7gRgeHRVAVVi:90aZr33XW1
Yara
  • contentis_base64 - This rule finds for base64 strings
Name c1e568e25ec11118_inetc.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\INetC.dll
Size 24.5KB
Processes 400 (VMMapPortable_3.25_English_online.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 640bff73a5f8e37b202d911e4749b2e9
SHA1 9588dd7561ab7de3bca392b084bec91f3521c879
SHA256 c1e568e25ec111184deb1b87cfda4bfec529b1abeab39b66539d998012f33502
CRC32 D07E1399
ssdeep 384:wv1j9e9dEs+rN+qFLAjNXT37vYnOrvFhSL+ZwcSyekzANZBJ:w1AvEs3HBLzYn29vYh
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • network_http - Communications over HTTP
  • network_ftp - Communications over FTP
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -
  • Str_Win32_Wininet_Library - Match Windows Inet API library declaration
  • Str_Win32_Internet_API - Match Windows Inet API call
  • Str_Win32_Http_API - Match Windows Http API call
Name 53bb519e32931649_w7tbp.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsm3.tmp\w7tbp.dll
Size 2.5KB
Processes 400 (VMMapPortable_3.25_English_online.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 9a3031cc4cef0dba236a28eecdf0afb5
SHA1 708a76aa56f77f1b0ebc62b023163c2e0426f3ac
SHA256 53bb519e3293164947ac7cbd7e612f637d77a7b863e3534ba1a7e39b350d3c00
CRC32 FF2B5710
ssdeep 24:etGS4R/39doyOzHaikQ7I9lYFxu3GUY1Bk5L2:64RVdojLJGWnWMi5L2
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
Name e3b0c44298fc1c14_nsw1.tmp
Size 0.0B
Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
ssdeep 3::
Yara None matched
Sorry! No dropped buffers.
Task ID 634
Mongo ID 5c361f8511d3080d16cde6cc
Cuckoo release 2.0-dev