File WinDirStatPortable_1.1.2.80_Rev_3.paf.exe

Size 947.8KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 884ae0063ec1ba535a3a3f7209032ec8
SHA1 05023799b9b9115c9b387c7a69d464ca4fe57919
SHA256 384d45d78fe1c75b3392d10025b713c77907517a45e7100eda88d05e1b087efa
SHA512
ee8e2746e375af5c283a1f51bed65ef956db680a84c8c4fe599612e1a57f2d9683f4ed95b4c7537a21e8a1f1407fa7c9944e10ea0cb669749222b5e2f64ae6bd
CRC32 DE2E8C07
ssdeep 24576:r29DAKs77mRkDQ64In4OP2VYoDsx6DlxECaJ1M89S:S9qPokDtHCIOm1JpS
Yara
  • IsPE32 -
  • IsWindowsGUI -
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasDigitalSignature - DigitalSignature Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00055_Alias_PIX_Vivid_IMG_Graphics_format_ - [Alias PIX/Vivid IMG Graphics format]
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • escalate_priv - Escalate privileges
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • contentis_base64 - Finds base64-encoded strings
  • Nullsoft_PiMP_Stub_SFX -
  • CRC32_poly_Constant - Look for CRC32 [poly]
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -
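
Three of the generic rules above (IsPacked - Entropy Check, HasOverlay - Overlay Check and Contains_PE_File) are worth understanding before reading anything into them, because a Nullsoft (NSIS) installer such as the one matched by Nullsoft_PiMP_Stub_SFX keeps its compressed payload appended after the PE image, so a benign installer trips the overlay and entropy checks just as a packed dropper does. The following is an added example written for this page, not code from the report's Yara rule set or from Cuckoo: it walks the PE section table, measures per-section Shannon entropy, computes the overlay size and scans for an embedded MZ/PE header. The 7.0 bits-per-byte threshold, the 512-byte file alignment and the constructed sample image are assumptions for the demo; the real rules' thresholds may differ.

```python
import math
import struct
from collections import Counter

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER layout, 40 bytes
FILE_ALIGN = 512               # assumed file alignment for the constructed sample


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, 8.0 for a uniform byte distribution."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def pe_sections(data: bytes, base: int = 0):
    """Yield (name, absolute_raw_offset, raw_size) for the PE image that starts at `base`.
    Raises ValueError (or struct.error on truncated input) when there is no PE image there."""
    if data[base:base + 2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew, = struct.unpack_from("<I", data, base + 0x3C)
    if not 0x40 <= e_lfanew < 0x1000:
        raise ValueError("implausible e_lfanew")
    nt = base + e_lfanew
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    n_sections, = struct.unpack_from("<H", data, nt + 6)   # IMAGE_FILE_HEADER.NumberOfSections
    opt_size, = struct.unpack_from("<H", data, nt + 20)    # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    first = nt + 24 + opt_size                               # section table follows the optional header
    for i in range(n_sections):
        name, _vsize, _va, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_HDR, data, first + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), base + raw_ptr, raw_size


def find_embedded_pe(data: bytes) -> list:
    """Offsets after 0 at which an MZ stub is followed by a valid PE header (the Contains_PE_File idea)."""
    hits, pos = [], data.find(b"MZ", 1)
    while pos != -1:
        try:
            list(pe_sections(data, pos))   # parse fully; any failure means it was a false 'MZ'
            hits.append(pos)
        except (ValueError, struct.error):
            pass
        pos = data.find(b"MZ", pos + 1)
    return hits


def analyze(data: bytes, packed_threshold: float = 7.0) -> dict:
    """Approximate the IsPacked, HasOverlay and Contains_PE_File checks on one PE file."""
    sections, end_of_image, packed = {}, 0, False
    for name, off, size in pe_sections(data):
        ent = shannon_entropy(data[off:off + size])
        sections[name] = round(ent, 2)
        packed = packed or (size > 0 and ent >= packed_threshold)
        end_of_image = max(end_of_image, off + size)
    return {
        "sections": sections,
        "packed": packed,                                   # any section at or above the threshold
        "overlay_size": max(0, len(data) - end_of_image),   # bytes past the last section's raw data
        "embedded_pe_offsets": find_embedded_pe(data),
    }


def build_pe(sections, overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 (demo input, not the report's sample): DOS header, NT headers,
    section table, each section's bytes at a 512-byte-aligned offset, then `overlay` appended."""
    round_up = lambda n: -(-n // FILE_ALIGN) * FILE_ALIGN
    first = round_up(0x40 + 4 + 20 + 224 + 40 * len(sections))
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)  # i386, PE32 optional hdr
    opt_hdr = struct.pack("<H", 0x10B).ljust(224, b"\0")                              # PE32 magic, rest zeroed
    table, body, offset = b"", b"", first
    for name, content in sections:
        size = round_up(len(content))
        table += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"),
                             len(content), offset, size, offset, 0, 0, 0, 0, 0x60000020)
        body += content.ljust(size, b"\0")
        offset += size
    headers = (dos + b"PE\0\0" + file_hdr + opt_hdr + table).ljust(first, b"\0")
    return headers + body + overlay


def build_sample() -> bytes:
    """Constructed stand-in for a self-extracting stub: a low-entropy code section, a section of
    uniformly distributed bytes (what compressed or encrypted data looks like), and a second, tiny
    PE appended as overlay, which is where self-extractors such as NSIS keep their payload."""
    text = b"Hello from a plain .text section. " * 8
    high_entropy = bytes(range(256)) * 2                  # every byte value twice: entropy exactly 8.0
    inner = build_pe([(".rsrc", b"\0" * 64)])             # 1024-byte inner PE with one zeroed section
    return build_pe([(".text", text), (".data", high_entropy)], overlay=inner)


if __name__ == "__main__":
    print(analyze(build_sample()))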

Score

Several of the generic Yara rules listed above matched (PEiD packer signatures, Nullsoft_PiMP_Stub_SFX, keylogger, screenshot, escalate_priv and others). These are static string and byte-pattern heuristics rather than observed behavior, and the overall score of this file is 2.0 out of 10.

The host-side Cuckoo log further down shows that the Suricata binary could not be located and that the ElasticSearch reporting module failed, so no IDS alerts contributed to this result.

Please note: the scoring system is still in development and should be considered an alpha feature.

Information on Execution

Category: FILE
Started: Jan. 9, 2019, 11:25 a.m.
Completed: Jan. 9, 2019, 11:29 a.m.
Duration: 251 seconds

Machine

Name: winxpsp3pro32
Label: winxpsp3pro32
Started On: 2019-01-09 11:25:01
Shutdown On: 2019-01-09 11:29:12

Analyzer Log

2019-01-09 03:11:58,015 [analyzer] DEBUG: Starting analyzer from: C:\dzpxcde
2019-01-09 03:11:58,015 [analyzer] DEBUG: Pipe server name: \\.\PIPE\xLdiAvJbYxTPMbRlBUxhManF
2019-01-09 03:11:58,015 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\cctEWrSkxsYbHKrx
2019-01-09 03:11:58,015 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2019-01-09 03:11:58,015 [analyzer] INFO: Automatically selected analysis package "exe"
2019-01-09 03:11:59,467 [analyzer] DEBUG: Started auxiliary module Disguise
2019-01-09 03:11:59,625 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:11:59,625 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:11:59,687 [analyzer] DEBUG: Loaded monitor into process with pid 692
2019-01-09 03:11:59,687 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2019-01-09 03:11:59,687 [analyzer] DEBUG: Started auxiliary module Human
2019-01-09 03:11:59,687 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2019-01-09 03:11:59,687 [analyzer] DEBUG: Started auxiliary module Reboot
2019-01-09 03:12:00,030 [analyzer] DEBUG: Started auxiliary module RecentFiles
2019-01-09 03:12:00,030 [analyzer] DEBUG: Started auxiliary module Screenshots
2019-01-09 03:12:00,140 [lib.api.process] INFO: Successfully executed process from path u'C:\\DOCUME~1\\zamen\\LOCALS~1\\Temp\\WinDirStatPortable_1.1.2.80_Rev_3.paf.exe' with arguments '' and pid 1312
2019-01-09 03:12:00,233 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:12:00,233 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:12:00,358 [analyzer] DEBUG: Loaded monitor into process with pid 1312
2019-01-09 03:12:00,483 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\nso2.tmp
2019-01-09 03:12:00,546 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\LangDLL.dll
2019-01-09 03:12:00,671 [analyzer] DEBUG: Received request to inject pid=1312, but we are already injected there.
2019-01-09 03:12:00,828 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-09 03:12:01,858 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\System.dll
2019-01-09 03:12:01,967 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\FindProcDLL.dll
2019-01-09 03:12:02,155 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\ioSpecial.ini
2019-01-09 03:12:02,171 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\modern-wizard.bmp
2019-01-09 03:12:02,203 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\modern-header.bmp
2019-01-09 03:12:02,312 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\InstallOptions.dll
2019-01-09 03:12:02,890 [modules.auxiliary.human] INFO: Found button "&Next >", clicking it
2019-01-09 03:12:05,000 [modules.auxiliary.human] INFO: Found button "&Install", clicking it
2019-01-09 03:12:06,030 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\w7tbp.dll
2019-01-09 03:12:06,108 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\WinDirStatPortable.exe
2019-01-09 03:12:06,140 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\help.html
2019-01-09 03:12:06,140 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\ReadMe.txt
2019-01-09 03:12:06,155 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\AppInfo\appicon.ico
2019-01-09 03:12:06,171 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\AppInfo\appicon_128.png
2019-01-09 03:12:06,171 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\AppInfo\appicon_16.png
2019-01-09 03:12:06,187 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\AppInfo\appicon_32.png
2019-01-09 03:12:06,187 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\AppInfo\appinfo.ini
2019-01-09 03:12:06,203 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\AppInfo\Launcher\WinDirStatPortable.ini
2019-01-09 03:12:06,217 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\AppInfo\Launcher\splash.jpg
2019-01-09 03:12:06,233 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\DefaultData\settings\WinDirStat.reg
2019-01-09 03:12:06,250 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\DefaultData\settings\WinDirStat_old.reg
2019-01-09 03:12:06,265 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsh0407.chm
2019-01-09 03:12:06,296 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsh040e.chm
2019-01-09 03:12:06,312 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsh0415.chm
2019-01-09 03:12:06,328 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr0405.dll
2019-01-09 03:12:06,358 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr0407.dll
2019-01-09 03:12:06,375 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr040a.dll
2019-01-09 03:12:06,390 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr040b.dll
2019-01-09 03:12:06,390 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr040c.dll
2019-01-09 03:12:06,405 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr040e.dll
2019-01-09 03:12:06,437 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr0410.dll
2019-01-09 03:12:06,453 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr0413.dll
2019-01-09 03:12:06,453 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr0415.dll
2019-01-09 03:12:06,467 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr0419.dll
2019-01-09 03:12:06,483 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr0425.dll
2019-01-09 03:12:06,500 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\windirstat.chm
2019-01-09 03:12:06,578 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\windirstat.exe
2019-01-09 03:12:06,703 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Other\Help\images\donation_button.png
2019-01-09 03:12:06,733 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Other\Help\images\favicon.ico
2019-01-09 03:12:06,750 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Other\Help\images\help_background_footer.png
2019-01-09 03:12:06,750 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Other\Help\images\help_background_header.png
2019-01-09 03:12:06,765 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Other\Help\images\help_logo_top.png
2019-01-09 03:12:06,780 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Other\Source\AppNamePortable.ini
2019-01-09 03:12:06,780 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Other\Source\LauncherLicense.txt
2019-01-09 03:12:06,796 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Other\Source\Readme.txt
2019-01-09 03:12:07,125 [modules.auxiliary.human] INFO: Found button "&Run WinDirStat Portable", clicking it
[... this identical line is logged every ~2 seconds, 113 times in all, from 03:12:07,125 to 03:15:58,217; no further "Loaded monitor into process" entry appears in between, so the analyzer hooked no process beyond pids 692 and 1312 ...]
2019-01-09 03:15:58,217 [modules.auxiliary.human] INFO: Found button "&Run WinDirStat Portable", clicking it
2019-01-09 03:15:59,328 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2019-01-09 03:15:59,342 [analyzer] INFO: Terminating remaining processes before shutdown.
2019-01-09 03:15:59,342 [lib.api.process] INFO: Successfully terminated process with pid 1312.
2019-01-09 03:15:59,500 [analyzer] WARNING: File at path "u'c:\\documents and settings\\zamen\\local settings\\temp\\nso2.tmp'" does not exist, skip.
2019-01-09 03:15:59,703 [analyzer] INFO: Analysis completed.
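
The analyzer log above is the most informative part of this report: it lists every file the installer wrote, which processes the monitor was loaded into, and what the Human module clicked. The following is an added example for this page, not code from Cuckoo, that parses those three message types into an inventory and flags two things a reviewer would want to know: files written into the NSIS plugin scratch directory (the ns??.tmp folder, a pattern assumed from the paths above) and a button clicked so often that the UI was evidently stuck. The sample lines are copied from the log above with the click loop shortened to three entries; the "stuck" threshold of three clicks is arbitrary. Run against the full log, the same parser reports 113 clicks on "&Run WinDirStat Portable" and no new monitored process after "&Install", which means the report covers the NSIS installer only and WinDirStatPortable.exe itself was never executed under the monitor.

```python
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<src>[^\]]+)\] (?P<level>\w+): (?P<msg>.*)$")
DROPPED_RE = re.compile(r"Added new file to list with pid (?P<pid>\d+) and path (?P<path>.+)$")
MONITOR_RE = re.compile(r"Loaded monitor into process with pid (?P<pid>\d+)")
BUTTON_RE = re.compile(r'Found button "(?P<label>.+?)", clicking it')
NSIS_TMP_RE = re.compile(r"\\ns[a-z0-9]+\.tmp\\", re.IGNORECASE)  # NSIS plugin scratch dir, e.g. \nsj3.tmp\
EXEC_EXT = (".exe", ".dll", ".scr", ".sys")

# Lines copied from the analyzer log above; the "&Run WinDirStat Portable" loop is cut to three entries.
SAMPLE_LOG = r"""
2019-01-09 03:11:59,687 [analyzer] DEBUG: Loaded monitor into process with pid 692
2019-01-09 03:12:00,358 [analyzer] DEBUG: Loaded monitor into process with pid 1312
2019-01-09 03:12:00,483 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\nso2.tmp
2019-01-09 03:12:00,546 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\LangDLL.dll
2019-01-09 03:12:00,828 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-09 03:12:01,858 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\System.dll
2019-01-09 03:12:02,890 [modules.auxiliary.human] INFO: Found button "&Next >", clicking it
2019-01-09 03:12:05,000 [modules.auxiliary.human] INFO: Found button "&Install", clicking it
2019-01-09 03:12:06,108 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\WinDirStatPortable.exe
2019-01-09 03:12:06,578 [analyzer] INFO: Added new file to list with pid 1312 and path C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\windirstat.exe
2019-01-09 03:12:07,125 [modules.auxiliary.human] INFO: Found button "&Run WinDirStat Portable", clicking it
2019-01-09 03:12:09,187 [modules.auxiliary.human] INFO: Found button "&Run WinDirStat Portable", clicking it
2019-01-09 03:12:11,250 [modules.auxiliary.human] INFO: Found button "&Run WinDirStat Portable", clicking it
2019-01-09 03:15:59,328 [analyzer] INFO: Analysis timeout hit, terminating analysis.
"""


def basename(path: str) -> str:
    """Last component of a Windows path as logged by the analyzer."""
    return path.rsplit("\\", 1)[-1]


def summarize(log_text: str, stuck_threshold: int = 3) -> dict:
    """Inventory of an analyzer log: dropped files per pid, plugin DLLs written to the NSIS scratch
    directory, how often each button was clicked, and whether any process was hooked after Install."""
    dropped, monitored, clicks = defaultdict(list), [], Counter()
    install_clicked, monitors_after_install = False, 0
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                       # not an analyzer log line (blank, traceback, etc.)
        msg = m["msg"]
        if (d := DROPPED_RE.search(msg)):
            dropped[int(d["pid"])].append(d["path"])
        elif (p := MONITOR_RE.search(msg)):
            monitored.append(int(p["pid"]))
            if install_clicked:
                monitors_after_install += 1
        elif (b := BUTTON_RE.search(msg)):
            label = b["label"]
            clicks[label] += 1
            if label.lstrip("&").lower() == "install":
                install_clicked = True
    paths = [p for pid in dropped for p in dropped[pid]]
    return {
        "monitored_pids": monitored,
        "dropped_by_pid": {pid: len(v) for pid, v in dropped.items()},
        "dropped_executables": [basename(p) for p in paths if p.lower().endswith(EXEC_EXT)],
        "nsis_plugins": [basename(p) for p in paths if NSIS_TMP_RE.search(p)],
        "button_clicks": dict(clicks),
        "stuck_buttons": [label for label, n in clicks.items() if n >= stuck_threshold],
        "new_processes_after_install": monitors_after_install,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the complete analyzer log (for example `summarize(open("analysis.log").read())`) rather than the shortened sample to get the figures for this report; the dropped-file list is also the natural starting point for hashing and scanning the extracted WinDirStatPortable.exe and windirstat.exe separately, since this run never executed them.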

Cuckoo Log

2019-01-09 11:25:01,564 [lib.cuckoo.core.scheduler] INFO: Task #636: acquired machine winxpsp3pro32 (label=winxpsp3pro32)
2019-01-09 11:25:01,817 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 9187 (interface=eth2, host=192.168.128.102, pcap=/opt/cuckoo/storage/analyses/636/dump.pcap)
2019-01-09 11:25:04,999 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=winxpsp3pro32, ip=192.168.128.102)
2019-01-09 11:29:11,176 [lib.cuckoo.core.guest] INFO: winxpsp3pro32: analysis completed successfully
2019-01-09 11:30:38,343 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2019-01-09 11:30:55,466 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f9b501f3bd0>: Failed to establish a new connection: [Errno 111] Connection refused
[... the same HEAD http://127.0.0.1:9200/_template/cuckoo_template warning and NewConnectionError traceback are logged three more times, at 11:30:55,467, 11:30:55,468 and 11:30:55,469, differing only in the HTTPConnection object address ...]
2019-01-09 11:30:55,469 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f9b501f37d0>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f9b501f37d0>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

This executable is signed
The executable has PE anomalies (could be a false positive) (1 event)
section .ndata
Allocates read-write-execute memory (usually to unpack itself) (2 events)
Time & API | Arguments | Status | Return | Repeated
Jan. 9, 2019, 12:12 a.m. NtProtectVirtualMemory | base_address: 0x10004000, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), process_identifier: 1312, process_handle: 0xffffffff | success | 0 | 0
Jan. 9, 2019, 12:12 a.m. NtProtectVirtualMemory | base_address: 0x10004000, length: 4096, protection: 64 (PAGE_EXECUTE_READWRITE), process_identifier: 1312, process_handle: 0xffffffff | success | 0 | 0
Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (4 events)
Time & API | Arguments | Status | Return | Repeated
Jan. 9, 2019, 12:12 a.m. GetDiskFreeSpaceExW | total_number_of_free_bytes: 5333524798242820, free_bytes_available: 213920999529775104, root_path: C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable, total_number_of_bytes: 216172800966947938 | failed | 0 | 0
Jan. 9, 2019, 12:12 a.m. GetDiskFreeSpaceExW | total_number_of_free_bytes: 24103403520, free_bytes_available: 24103403520, root_path: C:\Documents and Settings\zamen\Local Settings\Temp\, total_number_of_bytes: 31453437952 | success | 1 | 0
Jan. 9, 2019, 12:12 a.m. GetDiskFreeSpaceExW | total_number_of_free_bytes: 0, free_bytes_available: 26761941418218, root_path: C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable, total_number_of_bytes: 4296210764 | failed | 0 | 0
Jan. 9, 2019, 12:12 a.m. GetDiskFreeSpaceExW | total_number_of_free_bytes: 24103403520, free_bytes_available: 24103403520, root_path: C:\Documents and Settings\zamen\Local Settings\Temp\, total_number_of_bytes: 31453437952 | success | 1 | 0
Creates executable files on the filesystem (20 events)
file C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr0415.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\LangDLL.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\FindProcDLL.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\System.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr0419.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\DefaultData\settings\WinDirStat_old.reg
file C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\InstallOptions.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr0405.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr040c.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\windirstat.exe
file C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr0410.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\WinDirStatPortable.exe
file C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr0413.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr040b.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr0407.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\DefaultData\settings\WinDirStat.reg
file C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr040e.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr0425.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\w7tbp.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr040a.dll
The binary likely contains encrypted or compressed data. (3 events)
section .rsrc (virtual_address 0x00130000, virtual_size 0x0001b640, size_of_data 0x0001b800, entropy 7.289335287444081) entropy 7.28933528744 description A section with a high entropy has been found
section .reloc (virtual_address 0x0014c000, virtual_size 0x00000f8a, size_of_data 0x00001000, entropy 7.866475144296683) entropy 7.8664751443 description A section with a high entropy has been found
entropy 0.742671009772 description Overall entropy of this PE file is high

Network

DNS

No domains contacted.

Hosts

No hosts contacted.

Summary

Process WinDirStatPortable_1.1.2.80_Rev_3.paf.exe (1312)

  • Opened files

    • C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\ioSpecial.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\AppInfo\Launcher
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Other
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Other\Help
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\modern-header.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\DefaultData\settings
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable_1.1.2.80_Rev_3.paf.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Other\Source
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\modern-wizard.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\AppInfo
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Other\Help\images
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\DefaultData
  • Written files

    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr0415.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\LangDLL.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr0419.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\AppInfo\appicon_32.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr0405.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Other\Help\images\help_logo_top.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr0410.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\AppInfo\Launcher\splash.jpg
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr040e.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr0425.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsh0407.chm
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\ioSpecial.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\AppInfo\appinfo.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Other\Help\images\help_background_footer.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\modern-wizard.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr040a.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Other\Help\images\help_background_header.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\ReadMe.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Other\Source\LauncherLicense.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\AppInfo\Launcher\WinDirStatPortable.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\System.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsh040e.chm
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsh0415.chm
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\WinDirStatPortable.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr0407.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\DefaultData\settings\WinDirStat.reg
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\AppInfo\appicon.ico
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\w7tbp.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\DefaultData\settings\WinDirStat_old.reg
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\AppInfo\appicon_128.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Other\Source\AppNamePortable.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\AppInfo\appicon_16.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\InstallOptions.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Other\Help\images\donation_button.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\help.html
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr040c.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\modern-header.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Other\Help\images\favicon.ico
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\windirstat.chm
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr0413.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr040b.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\nso2.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\FindProcDLL.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Other\Source\Readme.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\windirstat.exe
  • Files Read

    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable_1.1.2.80_Rev_3.paf.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\ioSpecial.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\nso2.tmp

Process WinDirStatPortable_1.1.2.80_Rev_3.paf.exe (1312)

  • Registry keys opened

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\AppLogLevels
    • HKEY_CLASSES_ROOT\Directory
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530e-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\IconHandler
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNT
    • HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\LangBarAddIn\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\Explorer\AutoComplete
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HKEY_CLASSES_ROOT\Folder
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530a-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CLASSES_ROOT\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32
    • HKEY_LOCAL_MACHINE\System\Setup
    • HKEY_LOCAL_MACHINE\System\WPA\PnP
    • HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530d-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Explorer\AutoComplete
    • HKEY_CLASSES_ROOT\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Clsid
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF\LangBarAddIn\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\CurVer
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530b-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\(Default)
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
  • Registry keys written

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530e-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530d-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530a-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530b-636a-11e6-ba0d-806d6172696f}\BaseClass
  • Registry keys read

    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewScrollOver
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DevicePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\DriverCachePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\OsLoaderPath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewWatermark
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemPartition
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogPath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ServicePackSourcePath
    • HKEY_LOCAL_MACHINE\SYSTEM\WPA\PnP\seed
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ServicePackCachePath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogLevel
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Hostname
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Domain
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewScrollOver
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling

Process WinDirStatPortable_1.1.2.80_Rev_3.paf.exe (1312)

  • Mutexes accessed

    • MSCTF.Shared.MUTEX.EFG

Process WinDirStatPortable_1.1.2.80_Rev_3.paf.exe (1312)

  • Directories created

    • C:\Documents and Settings
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\DefaultData\settings
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\AppInfo\Launcher
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Other\Help
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Data
    • C:\Documents and Settings\zamen\Local Settings\Temp\
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Other
    • C:\Documents and Settings\zamen\Local Settings\Temp
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Other\Source
    • C:\Documents and Settings\zamen\Local Settings
    • C:\Documents and Settings\zamen
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\AppInfo
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Other\Help\images
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\DefaultData
  • Directories enumerated

    • C:\Documents and Settings
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\*.*
    • C:\Documents and Settings\zamen\PortableApps\*.*
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\7zTemp\7z.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\7zTemp
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\7zTemp\7z.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp
    • C:\Documents and Settings\zamen\Local Settings\Temp\PortableApps.com\PortableAppsPlatform.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Other\*.*
    • C:\PortableApps
    • E:\PortableApps
    • C:\Documents and Settings\zamen\Local Settings
    • C:\Documents and Settings\zamen
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Other
    • C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\*.*

Process WinDirStatPortable_1.1.2.80_Rev_3.paf.exe (1312)

  • DLLs Loaded

    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsj3.tmp\w7tbp.dll
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsj3.tmp\FindProcDLL.dll
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsj3.tmp\LangDLL.dll
    • SHFOLDER
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsj3.tmp\InstallOptions.dll
    • C:\WINDOWS\system32\browseui.dll
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsj3.tmp\System.dll
    • browseui.dll
    • shell32.dll
    • UxTheme.dll
    • OLEAUT32.DLL
    • RichEd20
    • SHELL32.dll
    • C:\WINDOWS\system32\SHELL32.dll
    • ole32.dll
    • SETUPAPI.dll
    • PSAPI.DLL
    • oleaut32.dll

PE Compile Time

2012-02-24 14:19:59

Signing Certificate

MD5 b00ca38f2601ac9a96aff38e64bc1cb7
SHA1 1a0a4873e1d74a9560fcb917e60536843b7cc2cb
Serial Number 932fc9af0efa79d8a3f771681fe20334
Common Name Rare Ideas, LLC
Country US
Locality New York

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x00006f10 0x00007000 6.49788465186
.rdata 0x00008000 0x00002a92 0x00002c00 4.39389365097
.data 0x0000b000 0x00067ebc 0x00000200 1.472782261
.ndata 0x00073000 0x000bd000 0x00000000 0.0
.rsrc 0x00130000 0x0001b640 0x0001b800 7.28933528744
.reloc 0x0014c000 0x00000f8a 0x00001000 7.8664751443

Imports

Library KERNEL32.dll:
0x408060 SetFileTime
0x408064 CompareFileTime
0x408068 SearchPathW
0x40806c GetShortPathNameW
0x408070 GetFullPathNameW
0x408074 MoveFileW
0x40807c GetFileAttributesW
0x408080 GetLastError
0x408084 CreateDirectoryW
0x408088 SetFileAttributesW
0x40808c Sleep
0x408090 GetTickCount
0x408094 CreateFileW
0x408098 GetFileSize
0x40809c GetModuleFileNameW
0x4080a0 GetCurrentProcess
0x4080a4 CopyFileW
0x4080a8 ExitProcess
0x4080b0 GetTempPathW
0x4080b4 GetCommandLineW
0x4080b8 SetErrorMode
0x4080bc CloseHandle
0x4080c0 lstrlenW
0x4080c4 lstrcpynW
0x4080c8 GetDiskFreeSpaceW
0x4080cc GlobalUnlock
0x4080d0 GlobalLock
0x4080d4 CreateThread
0x4080d8 LoadLibraryW
0x4080dc CreateProcessW
0x4080e0 lstrcmpiA
0x4080e4 GetTempFileNameW
0x4080e8 lstrcatW
0x4080ec GetProcAddress
0x4080f0 LoadLibraryA
0x4080f4 GetModuleHandleA
0x4080f8 OpenProcess
0x4080fc lstrcpyW
0x408100 GetVersionExW
0x408104 GetSystemDirectoryW
0x408108 GetVersion
0x40810c lstrcpyA
0x408110 RemoveDirectoryW
0x408114 lstrcmpA
0x408118 lstrcmpiW
0x40811c lstrcmpW
0x408124 GlobalAlloc
0x408128 WaitForSingleObject
0x40812c GetExitCodeProcess
0x408130 GlobalFree
0x408134 GetModuleHandleW
0x408138 LoadLibraryExW
0x40813c FreeLibrary
0x408148 WideCharToMultiByte
0x40814c lstrlenA
0x408150 MulDiv
0x408154 WriteFile
0x408158 ReadFile
0x40815c MultiByteToWideChar
0x408160 SetFilePointer
0x408164 FindClose
0x408168 FindNextFileW
0x40816c FindFirstFileW
0x408170 DeleteFileW
0x408174 lstrcpynA
Library USER32.dll:
0x408198 GetAsyncKeyState
0x40819c IsDlgButtonChecked
0x4081a0 ScreenToClient
0x4081a4 GetMessagePos
0x4081a8 CallWindowProcW
0x4081ac IsWindowVisible
0x4081b0 LoadBitmapW
0x4081b4 CloseClipboard
0x4081b8 SetClipboardData
0x4081bc EmptyClipboard
0x4081c0 OpenClipboard
0x4081c4 TrackPopupMenu
0x4081c8 GetWindowRect
0x4081cc AppendMenuW
0x4081d0 CreatePopupMenu
0x4081d4 GetSystemMetrics
0x4081d8 EndDialog
0x4081dc EnableMenuItem
0x4081e0 GetSystemMenu
0x4081e4 SetClassLongW
0x4081e8 IsWindowEnabled
0x4081ec SetWindowPos
0x4081f0 DialogBoxParamW
0x4081f4 CheckDlgButton
0x4081f8 CreateWindowExW
0x408200 RegisterClassW
0x408204 SetDlgItemTextW
0x408208 GetDlgItemTextW
0x40820c MessageBoxIndirectW
0x408210 CharNextA
0x408214 CharUpperW
0x408218 CharPrevW
0x40821c wvsprintfW
0x408220 DispatchMessageW
0x408224 PeekMessageW
0x408228 wsprintfA
0x40822c DestroyWindow
0x408230 CreateDialogParamW
0x408234 SetTimer
0x408238 SetWindowTextW
0x40823c PostQuitMessage
0x408240 SetForegroundWindow
0x408244 ShowWindow
0x408248 wsprintfW
0x40824c SendMessageTimeoutW
0x408250 LoadCursorW
0x408254 SetCursor
0x408258 GetWindowLongW
0x40825c GetSysColor
0x408260 CharNextW
0x408264 GetClassInfoW
0x408268 ExitWindowsEx
0x40826c IsWindow
0x408270 GetDlgItem
0x408274 SetWindowLongW
0x408278 LoadImageW
0x40827c GetDC
0x408280 EnableWindow
0x408284 InvalidateRect
0x408288 SendMessageW
0x40828c DefWindowProcW
0x408290 BeginPaint
0x408294 GetClientRect
0x408298 FillRect
0x40829c DrawTextW
0x4082a0 EndPaint
0x4082a4 FindWindowExW
Library GDI32.dll:
0x40803c SetBkColor
0x408040 GetDeviceCaps
0x408044 DeleteObject
0x408048 CreateBrushIndirect
0x40804c CreateFontIndirectW
0x408050 SetBkMode
0x408054 SetTextColor
0x408058 SelectObject
Library SHELL32.dll:
0x40817c SHBrowseForFolderW
0x408184 SHGetFileInfoW
0x408188 ShellExecuteW
0x40818c SHFileOperationW
Library ADVAPI32.dll:
0x408000 RegEnumKeyW
0x408004 RegOpenKeyExW
0x408008 RegCloseKey
0x40800c RegDeleteKeyW
0x408010 RegDeleteValueW
0x408014 RegCreateKeyExW
0x408018 RegSetValueExW
0x40801c RegQueryValueExW
0x408020 RegEnumValueW
Library COMCTL32.dll:
0x408028 ImageList_AddMasked
0x40802c ImageList_Destroy
0x408030 None
0x408034 ImageList_Create
Library ole32.dll:
0x4082bc CoTaskMemFree
0x4082c0 OleInitialize
0x4082c4 OleUninitialize
0x4082c8 CoCreateInstance
Library VERSION.dll:
0x4082b0 GetFileVersionInfoW
0x4082b4 VerQueryValueW

!This program cannot be run in DOS mode.
`.rdata
@.data
.ndata
@.reloc
SHGetFolderPathW
SHFOLDER
SHAutoComplete
SHLWAPI
GetUserDefaultUILanguage
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
RegDeleteKeyExW
ADVAPI32
MoveFileExW
GetDiskFreeSpaceExW
KERNEL32
[Rename]
Module32NextW
Module32FirstW
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
Kernel32.DLL
GetModuleBaseNameW
EnumProcessModules
EnumProcesses
PSAPI.DLL
MulDiv
DeleteFileW
FindFirstFileW
FindNextFileW
FindClose
SetFilePointer
MultiByteToWideChar
ReadFile
WriteFile
lstrlenA
WideCharToMultiByte
GetPrivateProfileStringW
WritePrivateProfileStringW
FreeLibrary
LoadLibraryExW
GetModuleHandleW
GlobalFree
GetExitCodeProcess
WaitForSingleObject
GlobalAlloc
ExpandEnvironmentStringsW
lstrcmpW
lstrcmpiW
CloseHandle
SetFileTime
CompareFileTime
SearchPathW
GetShortPathNameW
GetFullPathNameW
MoveFileW
SetCurrentDirectoryW
GetFileAttributesW
GetLastError
CreateDirectoryW
SetFileAttributesW
GetTickCount
CreateFileW
GetFileSize
GetModuleFileNameW
GetCurrentProcess
CopyFileW
ExitProcess
GetWindowsDirectoryW
GetTempPathW
GetCommandLineW
SetErrorMode
lstrcpynA
lstrlenW
lstrcpynW
GetDiskFreeSpaceW
GlobalUnlock
GlobalLock
CreateThread
LoadLibraryW
CreateProcessW
lstrcmpiA
GetTempFileNameW
lstrcatW
GetProcAddress
LoadLibraryA
GetModuleHandleA
OpenProcess
lstrcpyW
GetVersionExW
GetSystemDirectoryW
GetVersion
lstrcpyA
RemoveDirectoryW
lstrcmpA
KERNEL32.dll
EndPaint
DrawTextW
FillRect
GetClientRect
BeginPaint
DefWindowProcW
SendMessageW
InvalidateRect
EnableWindow
LoadImageW
SetWindowLongW
GetDlgItem
IsWindow
FindWindowExW
SendMessageTimeoutW
wsprintfW
ShowWindow
SetForegroundWindow
PostQuitMessage
SetWindowTextW
SetTimer
CreateDialogParamW
DestroyWindow
ExitWindowsEx
CharNextW
GetSysColor
GetWindowLongW
SetCursor
LoadCursorW
CheckDlgButton
GetAsyncKeyState
IsDlgButtonChecked
ScreenToClient
GetMessagePos
CallWindowProcW
IsWindowVisible
LoadBitmapW
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
TrackPopupMenu
GetWindowRect
AppendMenuW
CreatePopupMenu
GetSystemMetrics
EndDialog
EnableMenuItem
GetSystemMenu
SetClassLongW
IsWindowEnabled
SetWindowPos
DialogBoxParamW
GetClassInfoW
CreateWindowExW
SystemParametersInfoW
RegisterClassW
SetDlgItemTextW
GetDlgItemTextW
MessageBoxIndirectW
CharNextA
CharUpperW
CharPrevW
wvsprintfW
DispatchMessageW
PeekMessageW
wsprintfA
USER32.dll
SelectObject
SetTextColor
SetBkMode
CreateFontIndirectW
CreateBrushIndirect
DeleteObject
GetDeviceCaps
SetBkColor
GDI32.dll
SHFileOperationW
ShellExecuteW
SHGetFileInfoW
SHGetPathFromIDListW
SHBrowseForFolderW
SHGetSpecialFolderLocation
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegEnumValueW
RegQueryValueExW
RegSetValueExW
RegCreateKeyExW
RegDeleteValueW
ADVAPI32.dll
ImageList_Destroy
ImageList_AddMasked
ImageList_Create
COMCTL32.dll
CoCreateInstance
OleUninitialize
OleInitialize
CoTaskMemFree
ole32.dll
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
VERSION.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46.4-Unicode</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
NullsoftInst
VeriSign, Inc.1+0)
"VeriSign Time Stamping Services CA0
120501000000Z
121231235959Z0b1
Symantec Corporation1402
+Symantec Time Stamping Services Signer - G30
"http://crl.verisign.com/tss-ca.crl0
http://ocsp.verisign.com0
TSA1-30
Western Cape1
Durbanville1
Thawte1
Thawte Certification10
Thawte Timestamping CA0
031204000000Z
131203235959Z0S1
VeriSign, Inc.1+0)
"VeriSign Time Stamping Services CA0
http://ocsp.verisign.com0
0http://crl.verisign.com/ThawteTimestampingCA.crl0
TSA2048-1-530
AddTrust AB1&0$
AddTrust External TTP Network1"0
AddTrust External CA Root0
050607080910Z
200530104838Z0
Salt Lake City1
The USERTRUST Network1!0
http://www.usertrust.com1
UTN-USERFirst-Object0
3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
http://ocsp.usertrust.com0
Salt Lake City1
The USERTRUST Network1!0
http://www.usertrust.com1
UTN-USERFirst-Object0
110824000000Z
200530104838Z0{1
Greater Manchester1
Salford1
COMODO CA Limited1!0
COMODO Code Signing CA 20
1http://crl.usertrust.com/UTN-USERFirst-Object.crl0t
1http://crt.usertrust.com/UTNAddTrustObject_CA.crt0%
http://ocsp.usertrust.com0
Greater Manchester1
Salford1
COMODO CA Limited1!0
COMODO Code Signing CA 20
120216000000Z
130215235959Z0
100091
New York1
PO Box 2271
Rare Ideas, LLC1
Rare Ideas, LLC0
https://secure.comodo.net/CPS0A
0http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
0http://crt.comodoca.com/COMODOCodeSigningCA2.crt0$
http://ocsp.comodoca.com0
Greater Manchester1
Salford1
COMODO CA Limited1!0
COMODO Code Signing CA 2
VeriSign, Inc.1+0)
"VeriSign Time Stamping Services CA
120724214606Z0#
logging set to %d
settings logging to %d
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0x%08x"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not initialize OLE
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
GetTTFFontName(%s) returned %s
GetTTFVersionString(%s) returned %s
Exec: failed createprocess ("%s")
Exec: success ("%s")
Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
HideWindow
Pop: stack empty
Exch: stack < %d elements
RMDir: "%s"
MessageBox: %d,"%s"
Delete: "%s"
File: wrote %d to "%s"
File: error, user cancel
File: skipped: "%s" (overwriteflag=%d)
File: error, user abort
File: error, user retry
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename on reboot: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
SetFileAttributes failed.
SetFileAttributes: "%s":%08X
BringToFront
Sleep(%d)
detailprint: %s
Call: %d
Aborting: "%s"
Jump: %d
verifying installer: %d%%
unpacking data: %d%%
... %d%%
Installer integrity check has failed. Common causes include
incomplete download and damaged media. Contact the
installer's author to obtain a new copy.
More information at:
http://nsis.sf.net/NSIS_Error
Error writing temporary file. Make sure your temp folder is valid.
Error launching installer
SeShutdownPrivilege
~nsu.tmp
NSIS Error
install.log
%u.%u%s%s
Skipping section: "%s"
Section: "%s"
New install of "%s" to "%s"
RichEdit
RichEdit20A
RichEd32
RichEd20
.DEFAULT\Control Panel\International
Control Panel\Desktop\ResourceLocale
Software\Microsoft\Windows\CurrentVersion
\Microsoft\Internet Explorer\Quick Launch
*?|<>/":
invalid registry key
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
%02x%c
Unknown
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory invalid input("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile("%s")
%s: failed opening file "%s"
GetTTFNameString
Version
MS Shell Dlg
MS Shell Dlg
MS Shell Dlg
msctls_progress32
SysListView32
MS Shell Dlg
Please wait while Setup is loading...
VS_VERSION_INFO
StringFileInfo
000004b0
Comments
For additional details, visit PortableApps.com
CompanyName
PortableApps.com
FileDescription
WinDirStat Portable
FileVersion
1.1.2.83
InternalName
WinDirStat Portable
LegalCopyright
PortableApps.com Installer Copyright 2007-2012 PortableApps.com.
LegalTrademarks
PortableApps.com is a registered trademark of Rare Ideas, LLC.
OriginalFilename
WinDirStatPortable_1.1.2.80_Rev_3.paf.exe
PortableApps.comAppID
WinDirStatPortable
PortableApps.comFormatVersion
PortableApps.comInstallerVersion
3.0.4.0
ProductName
WinDirStat Portable
ProductVersion
1.1.2.83
VarFileInfo
Translation
<<<Obsolete>>
Antivirus Signature
Bkav Clean
MicroWorld-eScan Clean
CMC Clean
CAT-QuickHeal Clean
McAfee Clean
Cylance Clean
AegisLab Clean
TheHacker Clean
BitDefender Clean
K7GW Clean
K7AntiVirus Clean
Arcabit Clean
Invincea Clean
Baidu Clean
NANO-Antivirus Clean
Cyren Clean
Symantec Clean
ESET-NOD32 Clean
TrendMicro-HouseCall Clean
Paloalto Clean
ClamAV Clean
Kaspersky Clean
Alibaba Clean
Babable Clean
SUPERAntiSpyware Clean
Tencent Clean
Ad-Aware Clean
Trustlook Clean
Emsisoft Clean
Comodo Clean
F-Secure Clean
DrWeb Clean
Zillya Clean
TrendMicro Clean
McAfee-GW-Edition Clean
Trapmine Clean
Sophos Clean
Ikarus Clean
F-Prot Clean
Jiangmin Clean
Webroot Clean
Avira Clean
Antiy-AVL Clean
Kingsoft Clean
Microsoft Clean
Endgame Clean
ViRobot Clean
ZoneAlarm Clean
Avast-Mobile Clean
GData Clean
TACHYON Clean
Acronis Clean
VBA32 Clean
ALYac Clean
MAX Clean
Malwarebytes Clean
Panda Clean
Zoner Clean
Rising Clean
Yandex Clean
SentinelOne Clean
eGambit Clean
Fortinet Clean
AVG Clean
Cybereason Clean
Avast Clean
CrowdStrike Clean
Qihoo-360 Clean

Process Tree


WinDirStatPortable_1.1.2.80_Rev_3.paf.exe, PID: 1312, Parent PID: 152


Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (i.e., pip install httpreplay) will allow Cuckoo to do more proper PCAP analysis including but not limited to showing full HTTP and HTTPS (!) requests and responses. It is recommended that you install this library and possibly reprocess any interesting analysis tasks.

Hosts

No hosts contacted.

DNS

No domains contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.128.102 137 192.168.128.255 137
192.168.128.102 138 192.168.128.255 138

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name 189b1af95d661151_launcherlicense.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Other\Source\LauncherLicense.txt
Size 18.0KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type Pascal source, ASCII text, with CRLF line terminators
MD5 ffa10f40b98be2c2bc9608f56827ed23
SHA1 dc8f2e570bf431427dbc3bab9d4d551b53a60208
SHA256 189b1af95d661151e054cea10c91b3d754e4de4d3fecfb074c1fb29476f7167b
CRC32 A6D3A2F5
ssdeep 384:H4j2PmwE3b6k/iAVX/dUY2ZpEGMOZ77oPpDqHZ:H46uh1iYWrTXoPpDqHZ
Yara
  • contentis_base64 - This rule finds for base64 strings
  • embedded_pe - Contains an embedded PE32 file
Name 5dc0f096bc0d4687_appicon_32.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\AppInfo\appicon_32.png
Size 2.3KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
MD5 08cccf6b9613cae39a3f754321fa2f0f
SHA1 8eca09a3a0052b5d670b5c90d7362a8cf58bb462
SHA256 5dc0f096bc0d4687225f15e4a36517a140651bf8a4a4a18feefb13e39c1d28f3
CRC32 350CCB4D
ssdeep 48:WjbXmXQSreW+iTMW8CvicqgVL5YcCPOvSlP1wayCewQl1jWj5a1y:WjbXmXXnrge6cqEFCPyG1waWMn
Yara
  • contentis_base64 - This rule finds for base64 strings
Name ef3fdae9692a7c56_windirstat.reg
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\DefaultData\settings\WinDirStat.reg
Size 15.3KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
MD5 f559fdd7c1643f8c490a8c909053aea2
SHA1 70950745d542e2234feb3316ec5138061df95507
SHA256 ef3fdae9692a7c56bb5b7379d7c673285a774584ca185625b61a0eae62951280
CRC32 57DC7B95
ssdeep 192:6EJz8IjQIjBIjGIj3Ij8IjtIjyIjzIj4IjlZK4tUcE1cVpVvlJU4y:BZK4tUcEcLvzU4y
Yara None matched
Name 09ffbd63fc1ce378_appicon_16.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\AppInfo\appicon_16.png
Size 914.0B
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
MD5 0457829f821fcc213c68ba91f34d9473
SHA1 229a71b65ee9781520e36cc5bd95b7d32fcce9b2
SHA256 09ffbd63fc1ce37890c35850fce7b1a251882f147ecdde9774e4e42e67254cfc
CRC32 21ADCE23
ssdeep 24:VX1+MG7V9gnxJ9DJOoO237lk4TPJXN8C2aKnK:h0Z9Kr9QvghkgPJ9TD
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 2d16bf996d7848d7_wdsr0407.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr0407.dll
Size 76.0KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 757eacac305f2f3e2bc175e8f2a593db
SHA1 253f090d9f7a7eaf76d9ee3426b455919c16e24c
SHA256 2d16bf996d7848d7e942a192ceae6437f5f5b1b6b2bb10a96f9846be325dce67
CRC32 0EE8DDBC
ssdeep 1536:X94uigceDu4yqhzIpMbtZr47kZBheYr58vrAH:X94ui/QV9IpMbtZr47kDheYr58TK
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • ImportTableIsBad - ImportTable Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_03512_Xtreme_Protector_v1_05_ - [Xtreme-Protector v1.05]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
Name b12a98c80aa2f7b5_wdsr040a.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr040a.dll
Size 80.0KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 e07dfb17582d76e5072adaca1557b48f
SHA1 8695f2483e2fe98bf1655b77eaa86319aed888a2
SHA256 b12a98c80aa2f7b509c19d0e8c52976b9a0850b1dbecb8354058bd478dbdaf5f
CRC32 B247239F
ssdeep 768:AJT4uz2gGQ2VjmnFDu4c/qhzcbbHgnCQOi2YZaKAqovr3wQ:AF4uigceDu4yqhzqeYifAqovrAQ
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • ImportTableIsBad - ImportTable Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_03512_Xtreme_Protector_v1_05_ - [Xtreme-Protector v1.05]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
Name 0a9a711b205dc87b_modern-wizard.bmp
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\modern-wizard.bmp
Size 150.9KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type PC bitmap, Windows 3.x format, 164 x 314 x 24
MD5 55204d08cff24975e88885403f13fd59
SHA1 1aad4f3ceb1c8bdd348385228ea3043f1f0b2427
SHA256 0a9a711b205dc87b6b0fe491253bc1ddb4a46a02f26ab622c209b1311125dd20
CRC32 95D95148
ssdeep 1536:BUPy+RPMI0gVQC6AKEbOOukOtYzpz400XveEDSrP1:2Py+RPMcQCDKzuJ
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 47b9e251c9c90f43_langdll.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\LangDLL.dll
Size 5.0KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 a1cd3f159ef78d9ace162f067b544fd9
SHA1 72671fdf4bfeeb99b392685bf01081b4a0b3ae66
SHA256 47b9e251c9c90f43e3524965aecc07bd53c8e09c5b9f9862b44c306667e2b0b6
CRC32 A7504246
ssdeep 48:apTVWFeApYx2lxaKe3yfeEIWCGWNpBWLGGrx3pMt4z8mtJ7HofYZVSLa:RFG0xaKkyfjIWTW7BYrhSbmtJ7/V
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_03512_Xtreme_Protector_v1_05_ - [Xtreme-Protector v1.05]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • screenshot - Take screenshot
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 5cc6660995b461f3_readme.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\ReadMe.txt
Size 105.0B
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type ASCII text, with no line terminators
MD5 7b5f08d6777c3dcd5c22857c99903337
SHA1 3569d85415e8bda0f24baf2110ade1a3ec041cf8
SHA256 5cc6660995b461f3ac89c9115eaa98e2986cad725db2f0b33832ba2664d72568
CRC32 5CD47A41
ssdeep 3:hBWtHdTiFD8DXNBVVuKXxS4KQ+nWYApZR4n:hBmHt08DdBzS4H+nETR4
Yara None matched
VirusTotal Search for analysis
Name b7cc55344528dbd3_wdsr0405.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr0405.dll
Size 76.0KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 e788bd8c909fec165474d80df70c8a51
SHA1 c9174384c640ef4f7a51111e3622aa04cf941cbb
SHA256 b7cc55344528dbd3d2b277af012b01e86ec68bf883fd6f1988e897383cd1dcc0
CRC32 69DE40F0
ssdeep 1536:4+D4uigceDu4yqhzbB9oCUiI2qirOfIvrAJ:4+D4ui/QV9bB9BUsqirOfITQ
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • ImportTableIsBad - ImportTable Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01526_PE_PACK_v1_0_by_ANAKiN_1998_______ - [PE-PACK v1.0 by ANAKiN 1998 (???)]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_03512_Xtreme_Protector_v1_05_ - [Xtreme-Protector v1.05]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 38c46b8a0baac625_wdsr0415.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr0415.dll
Size 76.0KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 96954cd1d3295fc94d50c9c32f96009b
SHA1 a64dfb422430bd3552e616a64dce54aff927fa00
SHA256 38c46b8a0baac62505581f8627aac2a5e6dcce2dfb51a85fe40d5dbccc8dc0f1
CRC32 8E4D2855
ssdeep 768:H+l4uz2gGQ2VjmnFDu4c/qhzcbHPnLQdtO4/BqCtZaKxv/zfvr3wP:Hq4uigceDu4yqhzk9M7VzfvrAP
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • ImportTableIsBad - ImportTable Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_03512_Xtreme_Protector_v1_05_ - [Xtreme-Protector v1.05]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name bab7db85927f846a_wdsh0415.chm
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsh0415.chm
Size 55.5KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type MS Windows HtmlHelp Data
MD5 de97a75cfa6d6cbf91ba68c0c90695c1
SHA1 5932fd0fadb6ef284605e2410b5045dcc131ac93
SHA256 bab7db85927f846a6ac584d5fc3fb522e812fc1e505e333728f85efd16b50238
CRC32 5C7D83C3
ssdeep 768:kb69pw0scpr+Mo4OiKvc7DqL1hjzZwAsGHJLg9KM9G/b0/P3eubAHOjDIhR7Iop/:kb6Xw07XXq9umATqMeWAHqvYnFHt
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name c83c05eb89faf7dc_appicon.ico
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\AppInfo\appicon.ico
Size 46.2KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type MS Windows icon resource - 7 icons, 48x48, 256-colors
MD5 e5b7c56fc0b4d781dc2c03730ce6e065
SHA1 5e74b40cadcb2514c965fc925a15943a58979815
SHA256 c83c05eb89faf7dc7d1ad890695ef0391453274a3555411c1e3259ec677c296d
CRC32 42C3A418
ssdeep 768:Y3WEoOfWkuUvdJJ2N/sgUugU1gi7nYHYVO4cH3PoejGp/ansXT7j:GHZ7FJslUup7eun+pQ3nj
Yara None matched
VirusTotal Search for analysis
Name 46a1d50a869dc7e2_help_logo_top.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Other\Help\images\help_logo_top.png
Size 2.5KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type PNG image data, 229 x 47, 8-bit/color RGBA, non-interlaced
MD5 0f024e316973b9d87f3f4c3a1f33c448
SHA1 8ccaf998d7b14731829c0d1104d6fa7a1adc7247
SHA256 46a1d50a869dc7e2c0511cfbc77a15f0092ad9fba0b068736f1e512683a47ee4
CRC32 8F37D7F3
ssdeep 48:NaRbpMYHmHcRu3nh77X9/aoy/b1MUOgmLFu2J:YRbqHSI7TZ/RgSuI
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 88c0749cc9ca14cc_help_background_footer.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Other\Help\images\help_background_footer.png
Size 168.0B
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type PNG image data, 10 x 16, 8-bit/color RGB, non-interlaced
MD5 6af4a82693a403b0d0afde16972466f5
SHA1 1ab8a3d0cf22cde23173b6b41521377c0fdbeea8
SHA256 88c0749cc9ca14ccea1af39dffaccf7b7c35e5b5603b1e451fe7fce508252480
CRC32 8468EBFD
ssdeep 3:yionv//thPlHvtntCZRthwkBDsTBZtv9L//gbxCRQe1e//VHgNqUMwF/2g1p:6v/lhPo/nDspvmb8RQe1IgN1MwFdp
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 3351c8da4e7328d3_appicon_128.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\AppInfo\appicon_128.png
Size 12.4KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
MD5 286897b12375622d3e3eee48c2effa4a
SHA1 8bb42b6119b700dae520f1d5f788acd3dbce7348
SHA256 3351c8da4e7328d30c999f5c837959547d6cfb7f3836e1dd429aaa75cfd4cc20
CRC32 01EC7BAF
ssdeep 192:tanDC2GMxC35m+WupWapaPKoyNc9GGu/qX9+ewvhju3qxgmlmucMVWzbyCB2Ko9L:sD5OLpWaUPKTc9ZuwcvvA3qZmBLbwnY+
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 567fbf1f9cc5b948_wdsr0419.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr0419.dll
Size 76.0KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 a9095b2f5bacc9b91c8f66490fff4b0c
SHA1 80173bd1c19322d9ce1ffac90eec1dd13f3c0b9b
SHA256 567fbf1f9cc5b948966eecdf9cf9cedbda715a22de2a85e162ca56557cc55a2b
CRC32 70C18B61
ssdeep 1536:I14uigceDu4yqhzOsdGdRjcv2Nm/UWbPd2gBYfivrAK:I14ui/QV9OsdGdRjcv2Nm/UWbl28YfiL
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • ImportTableIsBad - ImportTable Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_03512_Xtreme_Protector_v1_05_ - [Xtreme-Protector v1.05]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 62e81586af11f3bc_readme.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Other\Source\Readme.txt
Size 2.1KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 bdc4c737e121f91798d630b55cbf39de
SHA1 71d186fe2cf582792243042a402931ab46b7ad26
SHA256 62e81586af11f3bc93785304e766e7ade61835c1d2cf5840c9eef8a57cc22278
CRC32 BB630115
ssdeep 48:poqWahdxHxG2NlNKxGT9O72bpbGTY/ZzywG2lMI:m3ah3x5Tkxe9t1GTYZzywG4MI
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 5b43a1b4ea5f32fd_windirstat.exe
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\windirstat.exe
Size 680.0KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 c6ac1a2aeb8c89a599fbc30924e5f743
SHA1 9c95d4832ff7d67baca2c2530c277759e79719e4
SHA256 5b43a1b4ea5f32fd3da714bf116dccb8e50d13e32e086ff85b6f998ab4e8c82b
CRC32 ECC96F90
ssdeep 12288:o5UnhjOmG0fJO6egoEQFauJsfmhR5ju0phsQkPaUynbiljjQt6pgS/HuGmHqSuSk:qUnxUjJVhRZdpmQkYyjjQtSgKoq3
Yara
  • IsPE32 -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00003__EP_ExE_Pack__V1_4_lite_b2____6aHguT___g_l_u_k_ - [!EP(ExE Pack) V1.4 lite b2 -> 6aHguT & g-l-u-k]
  • PEiD_00035_ACProtect_UltraProtect_1_0X_2_0X____RiSco_ - [ACProtect/UltraProtect 1.0X-2.0X -> RiSco]
  • PEiD_00138_Armadillo_v1_71_ - [Armadillo v1.71]
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_00516_EmbedPE_V1_00_V1_24____cyclotron_ - [EmbedPE V1.00-V1.24 -> cyclotron]
  • PEiD_00810_FSG_v1_10__Eng_____dulek_xt_____Microsoft_Visual_C___6_0___7_0__ - [FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)]
  • PEiD_01065_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01067_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01068_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01070_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01076_Microsoft_Visual_C___7_0_MFC_ - [Microsoft Visual C++ 7.0 MFC]
  • PEiD_01079_Microsoft_Visual_C___7_1_ - [Microsoft Visual C++ 7.1]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01101_Microsoft_Visual_C___v5_0_v6_0__MFC__ - [Microsoft Visual C++ v5.0/v6.0 (MFC)]
  • PEiD_01108_Microsoft_Visual_C___v6_0_ - [Microsoft Visual C++ v6.0]
  • PEiD_01110_Microsoft_Visual_C___v6_0_ - [Microsoft Visual C++ v6.0]
  • PEiD_01116_Microsoft_Visual_C___v7_0_ - [Microsoft Visual C++ v7.0]
  • PEiD_01125_Microsoft_Visual_C___ - [Microsoft Visual C++]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_01693_pex_V0_99____params_ - [pex V0.99 -> params]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_02161_Stranik_1_3_Modula_C_Pascal_ - [Stranik 1.3 Modula/C/Pascal]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_registry - Affect system registries
  • win_files_operation - Affect private profile
  • win_hook - Affect hook table
  • contentis_base64 - This rule finds for base64 strings
  • Armadillo_v2xx_CopyMem_II_additional -
  • Microsoft_Visual_Cpp_70_MFC -
  • maldoc_function_prolog_signature -
  • maldoc_structured_exception_handling -
  • maldoc_suspicious_strings -
VirusTotal Search for analysis
Name 58053a49f7c9d07f_appnameportable.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Other\Source\AppNamePortable.ini
Size 244.0B
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 8634c50b01d5ea4adc0d9eca692cbb5b
SHA1 ce39ebe17200463b7625a07288bae88c688f0ab8
SHA256 58053a49f7c9d07faceb35c298022d31da5b00b8840e611074475b41ceb9b7e9
CRC32 0A3AE46A
ssdeep 6:IQE7Em2VPVJSgBYlyGqMwIjAIMLyJQBABCXh5XMWJk/71NLyJQBAK:It2hrY8fjI8IMee2cXhX28e2K
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name f530069ef87a1c16_installoptions.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\InstallOptions.dll
Size 15.0KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 89351a0a6a89519c86c5531e20dab9ea
SHA1 9e801aaaae9e70d8f7fc52f6f12cedc55e4c8a00
SHA256 f530069ef87a1c163c4fd63a3d5b053420ce3d7a98739c70211b4a99f90d6277
CRC32 7FB8A1B8
ssdeep 384:/MnT0MKT/Xwr2izZQ86mpAT8F9lN8Ov0J:EQMKzwTFnVX8i0
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -
VirusTotal Search for analysis
Name a6bd70faee9b17b9_wdsr0425.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr0425.dll
Size 76.0KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 e382d1f0b0b61f7915b3faa09c09a615
SHA1 bd898468554a4814ebb626bb34de0ff3f74c389f
SHA256 a6bd70faee9b17b9c3d30052f3531b1a733f78ad4ecffaf2491826aa4b618e7a
CRC32 E6E7C839
ssdeep 768:rH24M4uz2gGQ2VjmnFDu4c/qhzcbNSBZsTA+4vdUZaKF4cvr3wQ:L2h4uigceDu4yqhz3+4FizvrAQ
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • ImportTableIsBad - ImportTable Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_03512_Xtreme_Protector_v1_05_ - [Xtreme-Protector v1.05]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name e3b0c44298fc1c14_nst1.tmp
Size 0.0B
Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
ssdeep 3::
Yara None matched
VirusTotal Search for analysis
Name 53bb519e32931649_w7tbp.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\w7tbp.dll
Size 2.5KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 9a3031cc4cef0dba236a28eecdf0afb5
SHA1 708a76aa56f77f1b0ebc62b023163c2e0426f3ac
SHA256 53bb519e3293164947ac7cbd7e612f637d77a7b863e3534ba1a7e39b350d3c00
CRC32 FF2B5710
ssdeep 24:etGS4R/39doyOzHaikQ7I9lYFxu3GUY1Bk5L2:64RVdojLJGWnWMi5L2
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 9abc52858ae4ddda_donation_button.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Other\Help\images\donation_button.png
Size 1.7KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type PNG image data, 110 x 23, 8-bit/color RGBA, non-interlaced
MD5 bab4268c0bc3b3051ff38b21dbe35a44
SHA1 ea7adbbd731bb1747afc9da72340a0444b29abbe
SHA256 9abc52858ae4ddda224ee9d229cb38d252ae9ba46633da4ac14fada25dd489c6
CRC32 F486C53D
ssdeep 24:aoPfexW3T0UjeA2fijjxMhDnUcO7QLgYNw69rFbyQCwbozK8yxkxuE3u5F3pKXTP:aw3T0GeA2yMhocrVN5uXwNF0FGpU
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 364f29cdb2a4f87d_windirstatportable.exe
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\WinDirStatPortable.exe
Size 176.6KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 ed515d4626ba1f62d3ae94bc35924982
SHA1 70c36631b846566ecbbf765d308b1fff4d607e82
SHA256 364f29cdb2a4f87d18378dcfcbea2ef8092c0dad4ab77f198bc7d55860cd4886
CRC32 CFE44A21
ssdeep 3072:SweqOYEUXPniFJslUuREQ33lgXBeFZoFs8L0gqoczF:vEUXBSuREwlOkFaN02czF
Yara
  • IsPE32 -
  • IsWindowsGUI -
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasDigitalSignature - DigitalSignature Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Nullsoft_PiMP_Stub_SFX -
  • CRC32_poly_Constant - Look for CRC32 [poly]
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -
VirusTotal Search for analysis
Name 7851cb12fa4131f1_system.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\System.dll
Size 11.0KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 bf712f32249029466fa86756f5546950
SHA1 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
SHA256 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
CRC32 81CA71BF
ssdeep 192:0N2gQuUwXzioj4KALV2upWzVd7q1QDXEbBZ8KxHdGzyS/Kx:rJoiO8V2upW7vQjS/
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01070_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -
VirusTotal Search for analysis
Name c1a567f63c0734ac_wdsr040b.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr040b.dll
Size 76.0KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 542358126c3977e387b0999504ea6a6a
SHA1 4f06b7fd751e28e77d630606a56dfc0cb314d41b
SHA256 c1a567f63c0734acc361ec3590e9cdebc33e42cfe17ce3d8261ba7d952393a16
CRC32 610756B4
ssdeep 768:/MPH4uz2gGQ2VjmnFDu4c/qhzcby6t6n/vAJhNSjA30ZaKdNDvr3wI:/Mv4uigceDu4yqhzVQJBSDvrAI
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • ImportTableIsBad - ImportTable Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_03512_Xtreme_Protector_v1_05_ - [Xtreme-Protector v1.05]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 3959381aab454359_help_background_header.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Other\Help\images\help_background_header.png
Size 269.0B
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type PNG image data, 10 x 42, 8-bit/color RGB, non-interlaced
MD5 a1eaee3ccb8169b680415d713720a2fa
SHA1 8cf2eff4faa05a34bfb0b641b8765773c7ac2ed6
SHA256 3959381aab4543593fa69fa7980946dbf0b0bab25924c8b38f6e88f7f69b9c19
CRC32 D14F00B1
ssdeep 6:6v/lhPTnDspO68hvS6IBe0ZZUngZlq+2dp:6v/7Uk68FS6c3UngZlq+2z
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 9d1edf7d61291dce_wdsr040c.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr040c.dll
Size 80.0KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 1a1a22c52979cba261edf8585d462bb4
SHA1 1a6d8bf53daf5656f9d02468ca5a092439f42872
SHA256 9d1edf7d61291dce15ab3a7baeb6ca2c37e36f1b04e9e064906ef3e47a10e129
CRC32 B6D470E7
ssdeep 768:NrcGO4uz2gGQ2VjmnFDu4c/qhzcbBnbLnmnfPhckjT4twZaK5sIznTwvLvrMwO:Nrch4uigceDu4yqhzuI9PsvrZO
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • ImportTableIsBad - ImportTable Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01526_PE_PACK_v1_0_by_ANAKiN_1998_______ - [PE-PACK v1.0 by ANAKiN 1998 (???)]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_03512_Xtreme_Protector_v1_05_ - [Xtreme-Protector v1.05]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name b06b53681ea0ba09_favicon.ico
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\Other\Help\images\favicon.ico
Size 1.1KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type MS Windows icon resource - 1 icon
MD5 049a352aabb8ced245ceecb94c0a0b2d
SHA1 775b5b199e8312e18f0655daa7b25844fd768602
SHA256 b06b53681ea0ba09ddaa8f8066c990cf5a7c01e65a1910e687a993ac375d1781
CRC32 CE59ADD9
ssdeep 12:GxtRygJlM7LVtY7YMCQrCE+4hoJbmLbJk:ARvl0VaoQr8ntGJk
Yara None matched
VirusTotal Search for analysis
Name 181a23a56b7649d5_wdsh0407.chm
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsh0407.chm
Size 54.6KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type MS Windows HtmlHelp Data
MD5 64aa305e920630d0f813691f4187c496
SHA1 4bbc9397c16de7cd9869252632fe038b8f8ad384
SHA256 181a23a56b7649d5e1c882786de531fedfb9e80a58c96ad92871f72a626eac14
CRC32 7256A707
ssdeep 1536:EN2/oYDyp7DUWsbIxXXVP2sQoizOut88vS:O2wYDyuWsUxHVP2sQoizJ88q
Yara
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 7cb25ed057951ed0_wdsr040e.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr040e.dll
Size 76.0KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 92ee49a7f02d007e52be32913c4d348d
SHA1 0a70f5a56d7499b024b865f181bfb91fadd8b070
SHA256 7cb25ed057951ed086e29940f39f2381ff6db06451a29777b03ac6c68878d6b4
CRC32 7434E56F
ssdeep 1536:Tf4uigceDu4yqhz9uBnaYvH25c2GZC/+k8jQ+8xlVcvrAD:Tf4ui/QV99uBnaYvH25c2GZC/r8jQ+8H
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • ImportTableIsBad - ImportTable Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01526_PE_PACK_v1_0_by_ANAKiN_1998_______ - [PE-PACK v1.0 by ANAKiN 1998 (???)]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_03512_Xtreme_Protector_v1_05_ - [Xtreme-Protector v1.05]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name d38f4e54af78585f_modern-header.bmp
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\modern-header.bmp
Size 25.2KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type PC bitmap, Windows 3.x format, 150 x 57 x 24
MD5 406b095d3d7246a5ce9d4bdc04c94f74
SHA1 aef229a20f1b60e15b226d9e2981f2e9b53cdf4b
SHA256 d38f4e54af78585f9e80f4ccb84c1bdb1e970254a58fc687c6a20532a493738f
CRC32 C5158E95
ssdeep 48:FbTaCNN3K6rGz+v5XYJ/S3fiiNxBxkoq/SygNVaf:FbNFXKz+v5XUUtLkgygNC
Yara
  • PEiD_00055_Alias_PIX_Vivid_IMG_Graphics_format_ - [Alias PIX/Vivid IMG Graphics format]
VirusTotal Search for analysis
Name e51396890174f64b_help.html
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\help.html
Size 4.3KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type HTML document, ASCII text
MD5 d4f99833182599797f2a5381ca9cb8c6
SHA1 36eec74e32755cebffe26ec985a50b4d57a56dff
SHA256 e51396890174f64b6d7e947766fcf6d5fd9e2bd98ac2adb0c103c311aa7df788
CRC32 8AE7FDE7
ssdeep 48:izLaaXUNZlfCAYU0RCdGcLUpDiUSp8exlEDzmmhbzecrwiIKi1Zg862eSi0d0hPU:iafpwdNzexlEDFJzeowGeu8/d2H/K1ia
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 9daadd6bcafcba0e_wdsr0410.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr0410.dll
Size 76.0KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 14517b2a3a07b682322d0ef02c483268
SHA1 0974a2c5c3e3961a7bf1be97fdd7c8b6f7491e11
SHA256 9daadd6bcafcba0e8581bcca5a4c7cd943cba1991e1812f043588cea3156fbd8
CRC32 3D381202
ssdeep 768:L9L4uz2gGQ2VjmnFDu4c/qhzcbpw/nuTj1f30l6BVZZaK0Jvr3ww:LR4uigceDu4yqhzdunN30K0JvrAw
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • ImportTableIsBad - ImportTable Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_03512_Xtreme_Protector_v1_05_ - [Xtreme-Protector v1.05]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 1e87c07744054709_windirstat.chm
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\windirstat.chm
Size 50.3KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type MS Windows HtmlHelp Data
MD5 1bddb8a0e0f9cd90a5b3936ec2c2c4cf
SHA1 c8302168fb532fe03e76cb8a82aa53b49ee0bc44
SHA256 1e87c07744054709d271337d8ce06929429b334d70875605cb68ecc4c6610cd1
CRC32 FD34D90F
ssdeep 768:bGA4nw8h2r+N1m0WUrKI/vjf6NDxFfC/0L7qM+ZE+ox4nnW99vpuhzK10gim:bGAT62r+N1uUll/YQZFy4nQ/uxK1Gm
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 9fbd076e1b46d2fa_wdsr0413.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsr0413.dll
Size 76.0KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 a364f783cb659a79acb4f7195919829d
SHA1 243183bedf391bdf6c014ba32accc89505c0b112
SHA256 9fbd076e1b46d2faeb19e67267ba51c80f18d9607d8c1d0ea34980f79bc444bb
CRC32 4201F3D6
ssdeep 1536:Kv/o4uigceDu4yqhzvYuDEyPYHisPn6sKtAapk/vrAX:q/o4ui/QV9vYuomYHvPnStAapk/Ta
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • ImportTableIsBad - ImportTable Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_03512_Xtreme_Protector_v1_05_ - [Xtreme-Protector v1.05]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 17bc11d5247fd045_iospecial.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\ioSpecial.ini
Size 1.3KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
MD5 0b20fafab888b3c7584fc16d417d463c
SHA1 2c9402834bd7809d58e02f36055fde74e88ad93c
SHA256 17bc11d5247fd045eb21da739c987dae117cc58fecc22b4a7b0bbf257c58ebd3
CRC32 0723BBC3
ssdeep 24:Q+sxvtSSAD5ylSXgqWCs7y6GuP4e9ni/6k8l9n7CsGNC54u6Qnx3HTCaH65O+n5s:rsx9AQSwqQkuP4nN8llnSwxeaNke
Yara None matched
VirusTotal Search for analysis
Name 8e54bc2dd576d4bf_wdsh040e.chm
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\WinDirStat\wdsh040e.chm
Size 57.2KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type MS Windows HtmlHelp Data
MD5 bc90b966e06c5c20486815809606c77d
SHA1 12d7ba627d77187c1a41b552ab3c6556ba4a4823
SHA256 8e54bc2dd576d4bfe241e37305a525d80fd9839ed0de2e34abedf49c7f23f5cf
CRC32 3D429FF2
ssdeep 1536:V6iw3SziWVuxJ16cuZ4GMFtoEOq6YShAvLpAE/Q:IiJ2uux/6cuZVG/6lhOqYQ
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 215a2c4093b02170_windirstatportable.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\AppInfo\Launcher\WinDirStatPortable.ini
Size 1.2KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 a2f266408a86817aa0040d30c042fbea
SHA1 12efb867fdc677527790dcf4b439f75e28b74e73
SHA256 215a2c4093b02170065bbca7c17c198db6a3224718d2d5af907051b09e6d84b0
CRC32 74BDDACD
ssdeep 24:J9G0ezVvZt12VfM3kQOcL4MoRBQWmCAgmSWYpVSWVv0r:JktzVvZb4trMGshCDVv0r
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 6eb09ce25c7fc62e_findprocdll.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsj3.tmp\FindProcDLL.dll
Size 27.5KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 6f73b00aef6c49eac62128ef3eca677e
SHA1 1b6aff67d570e5ee61af2376247590eb49b728a1
SHA256 6eb09ce25c7fc62e44dc2f71761c6d60dd4b2d0c7d15e9651980525103aac0a9
CRC32 F238428A
ssdeep 384:DZoRF0XXUuJReQg0Tw67ADWBTgmldIogUD3GLgFmyaX/fVYcWJQCDmrinogRdBl:DZaF0HtTwuz9yu3KgwRX1nWJ1q+noI
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00138_Armadillo_v1_71_ - [Armadillo v1.71]
  • PEiD_00153_Armadillo_v1_xx___v2_xx_ - [Armadillo v1.xx - v2.xx]
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01071_Microsoft_Visual_C___6_0_DLL__Debug__ - [Microsoft Visual C++ 6.0 DLL (Debug)]
  • PEiD_01101_Microsoft_Visual_C___v5_0_v6_0__MFC__ - [Microsoft Visual C++ v5.0/v6.0 (MFC)]
  • PEiD_01103_Microsoft_Visual_C___v6_0_DLL_ - [Microsoft Visual C++ v6.0 DLL]
  • PEiD_01108_Microsoft_Visual_C___v6_0_ - [Microsoft Visual C++ v6.0]
  • PEiD_01125_Microsoft_Visual_C___ - [Microsoft Visual C++]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Armadillo_v1xx_v2xx_additional -
  • Microsoft_Visual_Cpp_v70_DLL -
  • Microsoft_Visual_Cpp_v50v60_MFC -
  • Microsoft_Visual_Cpp_60_DLL_Debug -
  • Armadillo_v1xx_v2xx -
  • Microsoft_Visual_Cpp_v60_DLL -
  • Microsoft_Visual_Cpp_60 -
  • Armadillov1xxv2xx -
  • maldoc_function_prolog_signature -
  • maldoc_structured_exception_handling -
  • maldoc_suspicious_strings -
Name bd90df3f8bd74466_splash.jpg
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\AppInfo\Launcher\splash.jpg
Size 39.6KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type JPEG image data, JFIF standard 1.02
MD5 ca3470144b796886f1c7d63065513353
SHA1 e10819e569f91e61ebfcc6fef7eaac00bc6bc953
SHA256 bd90df3f8bd74466afab9be48328ddbf65840ae1c59da2d7918a0371d52abde3
CRC32 331F1478
ssdeep 768:1cFS8XaUks4W26n76xcZUNMpXNSYJLQkRAAAADzQ9aF6Cj5iI:Ru/b4nagQnDTLQFk6Cf
Yara None matched
Name 7d98292df59461c7_appinfo.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\AppInfo\appinfo.ini
Size 562.0B
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 b03436249a09035a0b695ceb3628f1c8
SHA1 73a50bfeb869adf27b3e55a986e613746944f7e1
SHA256 7d98292df59461c7fc5bfd093d15bd2fd4334d3029a77b52af34a883afcb0282
CRC32 8B3A8540
ssdeep 12:kihic1Ffmum0yh/AKb+Hz0Ssy42WcAUvMrHbCV9:kIPeumvwnsy4k0r7u
Yara
  • contentis_base64 - This rule finds for base64 strings
Name dc208a353d5b55f6_windirstat_old.reg
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WinDirStatPortable\App\DefaultData\settings\WinDirStat_old.reg
Size 15.3KB
Processes 1312 (WinDirStatPortable_1.1.2.80_Rev_3.paf.exe)
Type Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
MD5 e0e608a1019a7b7fd059e9df76b09f19
SHA1 a2128563ca522c929b5ec1433602ebddd6c8e684
SHA256 dc208a353d5b55f6331a87cbdb8eb66c989a977c671136a6b65d8ae332671e27
CRC32 67548F17
ssdeep 192:6EJz8IjQIjBIjGIj3Ij8IjtIjyIjzIj4Ij9ZKbVmVltUcE1IlJU4g:ZZKp8ltUcEizU4g
Yara None matched
Dropped Buffers None
Task ID 636
Mongo ID 5c3621c311d3080d16cde83d
Cuckoo release 2.0-dev