File WindowsErrorLookupToolPortable_3.0.7_English.paf.exe

Size 706.6KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 8c90db0373c5927b76764f5a42a49d59
SHA1 3ee9948f3c40addeb46e9109ded4f6def932d610
SHA256 6b02d1305936151043755bc23a178ffc0f25fcc00b63abe3eb399e9511827f81
SHA512 371393c5799d227bbd75834681ce6f42a74dee5778052c4099e8745a7a180bcbf27ced2729fe655b1ecbf06790d051c6253c7b343dc0288f170c491ca4e50214
CRC32 AA9DFDCC
ssdeep 12288:fEjr5nOE4wrLei8Gvl/xiPGPqV2P/IYgEJAFMHtjf79sglGX1uhQCVfQb3K5:fi9D/eiH5ieigSuXVJsqG6QCS65
Yara
  • IsPE32 -
  • IsWindowsGUI -
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Nullsoft_PiMP_Stub_SFX -
  • CRC32_poly_Constant - Look for CRC32 [poly]
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -

Score

This file shows some signs of potential malicious behavior.

The score of this file is 1.8 out of 10.

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Information on Execution

Category Started Completed Duration Logs
FILE Jan. 9, 2019, 11:29 a.m. Jan. 9, 2019, 11:33 a.m. 253 seconds

Machine

Name Label Started On Shutdown On
winxpsp3pro32 winxpsp3pro32 2019-01-09 11:29:13 2019-01-09 11:33:24

Analyzer Log

2019-01-09 03:11:58,015 [analyzer] DEBUG: Starting analyzer from: C:\dhgyyhkpum
2019-01-09 03:11:58,015 [analyzer] DEBUG: Pipe server name: \\.\PIPE\fXrpQCnjdmkSkMApvls
2019-01-09 03:11:58,015 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\UzwHqKweZwUSKKIkOVYApgSxI
2019-01-09 03:11:58,015 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2019-01-09 03:11:58,015 [analyzer] INFO: Automatically selected analysis package "exe"
2019-01-09 03:11:59,421 [analyzer] DEBUG: Started auxiliary module Disguise
2019-01-09 03:11:59,592 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:11:59,592 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:11:59,655 [analyzer] DEBUG: Loaded monitor into process with pid 692
2019-01-09 03:11:59,655 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2019-01-09 03:11:59,655 [analyzer] DEBUG: Started auxiliary module Human
2019-01-09 03:11:59,655 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2019-01-09 03:11:59,655 [analyzer] DEBUG: Started auxiliary module Reboot
2019-01-09 03:11:59,983 [analyzer] DEBUG: Started auxiliary module RecentFiles
2019-01-09 03:11:59,983 [analyzer] DEBUG: Started auxiliary module Screenshots
2019-01-09 03:12:00,092 [lib.api.process] INFO: Successfully executed process from path u'C:\\DOCUME~1\\zamen\\LOCALS~1\\Temp\\WindowsErrorLookupToolPortable_3.0.7_English.paf.exe' with arguments '' and pid 1440
2019-01-09 03:12:00,203 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:12:00,203 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:12:00,328 [analyzer] DEBUG: Loaded monitor into process with pid 1440
2019-01-09 03:12:00,437 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsu2.tmp
2019-01-09 03:12:00,483 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsk3.tmp\System.dll
2019-01-09 03:12:00,608 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsk3.tmp\FindProcDLL.dll
2019-01-09 03:12:00,750 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsk3.tmp\ioSpecial.ini
2019-01-09 03:12:00,750 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsk3.tmp\modern-wizard.bmp
2019-01-09 03:12:00,780 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsk3.tmp\modern-header.bmp
2019-01-09 03:12:00,780 [analyzer] DEBUG: Received request to inject pid=1440, but we are already injected there.
2019-01-09 03:12:00,812 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsk3.tmp\InstallOptions.dll
2019-01-09 03:12:01,858 [modules.auxiliary.human] INFO: Found button "&Next >", clicking it
2019-01-09 03:12:03,983 [modules.auxiliary.human] INFO: Found button "&Install", clicking it
2019-01-09 03:12:05,015 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsk3.tmp\w7tbp.dll
2019-01-09 03:12:05,092 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\WindowsErrorLookupToolPortable.exe
2019-01-09 03:12:05,108 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\help.html
2019-01-09 03:12:05,125 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\Readme.txt
2019-01-09 03:12:05,140 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\AppInfo\appicon.ico
2019-01-09 03:12:05,155 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\AppInfo\appicon_128.png
2019-01-09 03:12:05,155 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\AppInfo\appicon_16.png
2019-01-09 03:12:05,171 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\AppInfo\appicon_32.png
2019-01-09 03:12:05,171 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\AppInfo\appinfo.ini
2019-01-09 03:12:05,187 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\AppInfo\Launcher\WindowsErrorLookupToolPortable.ini
2019-01-09 03:12:05,203 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\WELT\Windows Error Lookup Tool.exe
2019-01-09 03:12:05,233 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\WELT\defines.db3
2019-01-09 03:12:05,328 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\WELT\sqlite3.dll
2019-01-09 03:12:05,375 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\WELT\versions.txt
2019-01-09 03:12:05,421 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Help\images\donation_button.png
2019-01-09 03:12:05,421 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Help\images\favicon.ico
2019-01-09 03:12:05,421 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Help\images\help_background_footer.png
2019-01-09 03:12:05,437 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Help\images\help_background_header.png
2019-01-09 03:12:05,437 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Help\images\help_logo_top.png
2019-01-09 03:12:05,453 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Source\AppNamePortable.ini
2019-01-09 03:12:05,453 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Source\IconReadme.txt
2019-01-09 03:12:05,467 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Source\LauncherLicense.txt
2019-01-09 03:12:05,467 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Source\PortableApps.comLauncher.ini
2019-01-09 03:12:05,483 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Source\Readme.txt
2019-01-09 03:12:06,108 [modules.auxiliary.human] INFO: Found button "&Run Windows Error Lookup Tool Portable", clicking it
2019-01-09 03:15:59,217 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2019-01-09 03:15:59,217 [analyzer] INFO: Terminating remaining processes before shutdown.
2019-01-09 03:15:59,217 [lib.api.process] INFO: Successfully terminated process with pid 1440.
2019-01-09 03:15:59,437 [analyzer] WARNING: File at path "u'c:\\documents and settings\\zamen\\local settings\\temp\\nsu2.tmp'" does not exist, skip.
2019-01-09 03:15:59,467 [analyzer] INFO: Analysis completed.
2019-01-09 03:16:00,171 [modules.auxiliary.human] INFO: Found button "&Run Windows Error Lookup Tool Portable", clicking it

Cuckoo Log

2019-01-09 11:29:13,083 [lib.cuckoo.core.scheduler] INFO: Task #637: acquired machine winxpsp3pro32 (label=winxpsp3pro32)
2019-01-09 11:29:13,321 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 9321 (interface=eth2, host=192.168.128.102, pcap=/opt/cuckoo/storage/analyses/637/dump.pcap)
2019-01-09 11:29:16,200 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=winxpsp3pro32, ip=192.168.128.102)
2019-01-09 11:33:23,408 [lib.cuckoo.core.guest] INFO: winxpsp3pro32: analysis completed successfully
2019-01-09 11:40:45,274 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2019-01-09 11:40:53,439 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f9b50302410>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-09 11:40:53,442 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f9b50302510>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f9b50302510>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

The executable has PE anomalies (could be a false positive) (1 event)
section .ndata
Allocates read-write-execute memory (usually to unpack itself) (2 events)
Time & API | Arguments | Status | Return | Repeated
Jan. 9, 2019, 12:12 a.m. NtProtectVirtualMemory | base_address: 0x10004000; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); process_identifier: 1440; process_handle: 0xffffffff | success | 0 | 0
Jan. 9, 2019, 12:12 a.m. NtProtectVirtualMemory | base_address: 0x10004000; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); process_identifier: 1440; process_handle: 0xffffffff | success | 0 | 0
Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (4 events)
Time & API | Arguments | Status | Return | Repeated
Jan. 9, 2019, 12:12 a.m. GetDiskFreeSpaceExW | total_number_of_free_bytes: 5333524794310660; free_bytes_available: 197032500923203584; root_path: C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable; total_number_of_bytes: 199284302364308578 | failed | 0 | 0
Jan. 9, 2019, 12:12 a.m. GetDiskFreeSpaceExW | total_number_of_free_bytes: 24104562688; free_bytes_available: 24104562688; root_path: C:\Documents and Settings\zamen\Local Settings\Temp\; total_number_of_bytes: 31453437952 | success | 1 | 0
Jan. 9, 2019, 12:12 a.m. GetDiskFreeSpaceExW | total_number_of_free_bytes: 0; free_bytes_available: 26761941418218; root_path: C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable; total_number_of_bytes: 4296210764 | failed | 0 | 0
Jan. 9, 2019, 12:12 a.m. GetDiskFreeSpaceExW | total_number_of_free_bytes: 24104562688; free_bytes_available: 24104562688; root_path: C:\Documents and Settings\zamen\Local Settings\Temp\; total_number_of_bytes: 31453437952 | success | 1 | 0
Creates executable files on the filesystem (7 events)
file C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\WELT\Windows Error Lookup Tool.exe
file C:\Documents and Settings\zamen\Local Settings\Temp\nsk3.tmp\System.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\nsk3.tmp\FindProcDLL.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\WELT\sqlite3.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\WindowsErrorLookupToolPortable.exe
file C:\Documents and Settings\zamen\Local Settings\Temp\nsk3.tmp\w7tbp.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\nsk3.tmp\InstallOptions.dll
The binary likely contains encrypted or compressed data. (3 events)
section {u'size_of_data': u'0x00019000', u'virtual_address': u'0x00130000', u'entropy': 7.558282034374395, u'name': u'.rsrc', u'virtual_size': u'0x00018f30'} entropy 7.55828203437 description A section with a high entropy has been found
section {u'size_of_data': u'0x00001000', u'virtual_address': u'0x00149000', u'entropy': 7.876285501028333, u'name': u'.reloc', u'virtual_size': u'0x00000f8a'} entropy 7.87628550103 description A section with a high entropy has been found
entropy 0.724738675958 description Overall entropy of this PE file is high

Network

DNS

No domains contacted.

Hosts

No hosts contacted.

Summary

Process WindowsErrorLookupToolPortable_3.0.7_English.paf.exe (1440)

  • Opened files

    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\AppInfo
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable_3.0.7_English.paf.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsk3.tmp\modern-header.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Help\images
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Source
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsk3.tmp\ioSpecial.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsk3.tmp\modern-wizard.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\WELT
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Help
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\AppInfo\Launcher
  • Written files

    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Source\AppNamePortable.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\AppInfo\appicon_32.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\AppInfo\appinfo.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsk3.tmp\w7tbp.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Help\images\help_background_footer.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Help\images\donation_button.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Source\LauncherLicense.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsu2.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsk3.tmp\InstallOptions.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\AppInfo\appicon_16.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\AppInfo\appicon_128.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsk3.tmp\System.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsk3.tmp\FindProcDLL.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\WELT\defines.db3
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\WELT\sqlite3.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\WELT\versions.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\help.html
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Help\images\help_logo_top.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Help\images\help_background_header.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Source\IconReadme.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\WindowsErrorLookupToolPortable.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsk3.tmp\ioSpecial.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\AppInfo\appicon.ico
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsk3.tmp\modern-wizard.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\WELT\Windows Error Lookup Tool.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Source\Readme.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Source\PortableApps.comLauncher.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\Readme.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsk3.tmp\modern-header.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Help\images\favicon.ico
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\AppInfo\Launcher\WindowsErrorLookupToolPortable.ini
  • Files Read

    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable_3.0.7_English.paf.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsu2.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsk3.tmp\ioSpecial.ini

  • Registry keys opened

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF\LangBarAddIn\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\AppLogLevels
    • HKEY_CLASSES_ROOT\Directory
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530e-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\IconHandler
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNT
    • HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\LangBarAddIn\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\Explorer\AutoComplete
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HKEY_CLASSES_ROOT\Folder
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530a-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CLASSES_ROOT\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32
    • HKEY_LOCAL_MACHINE\System\Setup
    • HKEY_LOCAL_MACHINE\System\WPA\PnP
    • HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530d-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Explorer\AutoComplete
    • HKEY_CLASSES_ROOT\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Clsid
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle
    • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\CurVer
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530b-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\(Default)
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
  • Registry keys written

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530e-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530d-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530a-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530b-636a-11e6-ba0d-806d6172696f}\BaseClass
  • Registry keys read

    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewScrollOver
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DevicePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\DriverCachePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\OsLoaderPath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewWatermark
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemPartition
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogPath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ServicePackSourcePath
    • HKEY_LOCAL_MACHINE\SYSTEM\WPA\PnP\seed
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ServicePackCachePath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogLevel
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Hostname
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Domain
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewScrollOver
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling

  • Mutexes accessed

    • MSCTF.Shared.MUTEX.EFG

  • Directories created

    • C:\Documents and Settings
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\AppInfo
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Data
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other
    • C:\Documents and Settings\zamen\Local Settings\Temp\
    • C:\Documents and Settings\zamen\Local Settings\Temp
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Help\images
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsk3.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Source
    • C:\Documents and Settings\zamen\Local Settings
    • C:\Documents and Settings\zamen
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\WELT
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Help
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\AppInfo\Launcher
  • Directories enumerated

    • C:\Documents and Settings
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\7zTemp
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other
    • C:\Documents and Settings\zamen\PortableApps\*.*
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\*.*
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\*.*
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\7zTemp\7z.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsk3.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\PortableApps.com\PortableAppsPlatform.exe
    • C:\PortableApps
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\*.*
    • E:\PortableApps
    • C:\Documents and Settings\zamen\Local Settings
    • C:\Documents and Settings\zamen
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable
    • C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\7zTemp\7z.exe

  • DLLs Loaded

    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsk3.tmp\w7tbp.dll
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsk3.tmp\InstallOptions.dll
    • C:\WINDOWS\system32\SHELL32.dll
    • SHFOLDER
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsk3.tmp\FindProcDLL.dll
    • C:\WINDOWS\system32\browseui.dll
    • browseui.dll
    • shell32.dll
    • UxTheme.dll
    • RichEd20
    • SHELL32.dll
    • ole32.dll
    • SETUPAPI.dll
    • PSAPI.DLL
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsk3.tmp\System.dll

PE Compile Time

2012-02-24 14:19:59

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x00001000 0x00006f10 0x00007000 6.49788465186
.rdata 0x00008000 0x00002a92 0x00002c00 4.39389365097
.data 0x0000b000 0x00067ebc 0x00000200 1.472782261
.ndata 0x00073000 0x000bd000 0x00000000 0.0
.rsrc 0x00130000 0x00018f30 0x00019000 7.55828203437
.reloc 0x00149000 0x00000f8a 0x00001000 7.87628550103

Imports

Library KERNEL32.dll:
0x408060 SetFileTime
0x408064 CompareFileTime
0x408068 SearchPathW
0x40806c GetShortPathNameW
0x408070 GetFullPathNameW
0x408074 MoveFileW
0x40807c GetFileAttributesW
0x408080 GetLastError
0x408084 CreateDirectoryW
0x408088 SetFileAttributesW
0x40808c Sleep
0x408090 GetTickCount
0x408094 CreateFileW
0x408098 GetFileSize
0x40809c GetModuleFileNameW
0x4080a0 GetCurrentProcess
0x4080a4 CopyFileW
0x4080a8 ExitProcess
0x4080b0 GetTempPathW
0x4080b4 GetCommandLineW
0x4080b8 SetErrorMode
0x4080bc CloseHandle
0x4080c0 lstrlenW
0x4080c4 lstrcpynW
0x4080c8 GetDiskFreeSpaceW
0x4080cc GlobalUnlock
0x4080d0 GlobalLock
0x4080d4 CreateThread
0x4080d8 LoadLibraryW
0x4080dc CreateProcessW
0x4080e0 lstrcmpiA
0x4080e4 GetTempFileNameW
0x4080e8 lstrcatW
0x4080ec GetProcAddress
0x4080f0 LoadLibraryA
0x4080f4 GetModuleHandleA
0x4080f8 OpenProcess
0x4080fc lstrcpyW
0x408100 GetVersionExW
0x408104 GetSystemDirectoryW
0x408108 GetVersion
0x40810c lstrcpyA
0x408110 RemoveDirectoryW
0x408114 lstrcmpA
0x408118 lstrcmpiW
0x40811c lstrcmpW
0x408124 GlobalAlloc
0x408128 WaitForSingleObject
0x40812c GetExitCodeProcess
0x408130 GlobalFree
0x408134 GetModuleHandleW
0x408138 LoadLibraryExW
0x40813c FreeLibrary
0x408148 WideCharToMultiByte
0x40814c lstrlenA
0x408150 MulDiv
0x408154 WriteFile
0x408158 ReadFile
0x40815c MultiByteToWideChar
0x408160 SetFilePointer
0x408164 FindClose
0x408168 FindNextFileW
0x40816c FindFirstFileW
0x408170 DeleteFileW
0x408174 lstrcpynA
Library USER32.dll:
0x408198 GetAsyncKeyState
0x40819c IsDlgButtonChecked
0x4081a0 ScreenToClient
0x4081a4 GetMessagePos
0x4081a8 CallWindowProcW
0x4081ac IsWindowVisible
0x4081b0 LoadBitmapW
0x4081b4 CloseClipboard
0x4081b8 SetClipboardData
0x4081bc EmptyClipboard
0x4081c0 OpenClipboard
0x4081c4 TrackPopupMenu
0x4081c8 GetWindowRect
0x4081cc AppendMenuW
0x4081d0 CreatePopupMenu
0x4081d4 GetSystemMetrics
0x4081d8 EndDialog
0x4081dc EnableMenuItem
0x4081e0 GetSystemMenu
0x4081e4 SetClassLongW
0x4081e8 IsWindowEnabled
0x4081ec SetWindowPos
0x4081f0 DialogBoxParamW
0x4081f4 CheckDlgButton
0x4081f8 CreateWindowExW
0x408200 RegisterClassW
0x408204 SetDlgItemTextW
0x408208 GetDlgItemTextW
0x40820c MessageBoxIndirectW
0x408210 CharNextA
0x408214 CharUpperW
0x408218 CharPrevW
0x40821c wvsprintfW
0x408220 DispatchMessageW
0x408224 PeekMessageW
0x408228 wsprintfA
0x40822c DestroyWindow
0x408230 CreateDialogParamW
0x408234 SetTimer
0x408238 SetWindowTextW
0x40823c PostQuitMessage
0x408240 SetForegroundWindow
0x408244 ShowWindow
0x408248 wsprintfW
0x40824c SendMessageTimeoutW
0x408250 LoadCursorW
0x408254 SetCursor
0x408258 GetWindowLongW
0x40825c GetSysColor
0x408260 CharNextW
0x408264 GetClassInfoW
0x408268 ExitWindowsEx
0x40826c IsWindow
0x408270 GetDlgItem
0x408274 SetWindowLongW
0x408278 LoadImageW
0x40827c GetDC
0x408280 EnableWindow
0x408284 InvalidateRect
0x408288 SendMessageW
0x40828c DefWindowProcW
0x408290 BeginPaint
0x408294 GetClientRect
0x408298 FillRect
0x40829c DrawTextW
0x4082a0 EndPaint
0x4082a4 FindWindowExW
Library GDI32.dll:
0x40803c SetBkColor
0x408040 GetDeviceCaps
0x408044 DeleteObject
0x408048 CreateBrushIndirect
0x40804c CreateFontIndirectW
0x408050 SetBkMode
0x408054 SetTextColor
0x408058 SelectObject
Library SHELL32.dll:
0x40817c SHBrowseForFolderW
0x408184 SHGetFileInfoW
0x408188 ShellExecuteW
0x40818c SHFileOperationW
Library ADVAPI32.dll:
0x408000 RegEnumKeyW
0x408004 RegOpenKeyExW
0x408008 RegCloseKey
0x40800c RegDeleteKeyW
0x408010 RegDeleteValueW
0x408014 RegCreateKeyExW
0x408018 RegSetValueExW
0x40801c RegQueryValueExW
0x408020 RegEnumValueW
Library COMCTL32.dll:
0x408028 ImageList_AddMasked
0x40802c ImageList_Destroy
0x408030 None
0x408034 ImageList_Create
Library ole32.dll:
0x4082bc CoTaskMemFree
0x4082c0 OleInitialize
0x4082c4 OleUninitialize
0x4082c8 CoCreateInstance
Library VERSION.dll:
0x4082b0 GetFileVersionInfoW
0x4082b4 VerQueryValueW

!This program cannot be run in DOS mode.
SHGetFolderPathW
SHFOLDER
SHAutoComplete
SHLWAPI
GetUserDefaultUILanguage
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
RegDeleteKeyExW
ADVAPI32
MoveFileExW
GetDiskFreeSpaceExW
KERNEL32
[Rename]
Module32NextW
Module32FirstW
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
Kernel32.DLL
GetModuleBaseNameW
EnumProcessModules
EnumProcesses
PSAPI.DLL
MulDiv
DeleteFileW
FindFirstFileW
FindNextFileW
FindClose
SetFilePointer
MultiByteToWideChar
ReadFile
WriteFile
lstrlenA
WideCharToMultiByte
GetPrivateProfileStringW
WritePrivateProfileStringW
FreeLibrary
LoadLibraryExW
GetModuleHandleW
GlobalFree
GetExitCodeProcess
WaitForSingleObject
GlobalAlloc
ExpandEnvironmentStringsW
lstrcmpW
lstrcmpiW
CloseHandle
SetFileTime
CompareFileTime
SearchPathW
GetShortPathNameW
GetFullPathNameW
MoveFileW
SetCurrentDirectoryW
GetFileAttributesW
GetLastError
CreateDirectoryW
SetFileAttributesW
GetTickCount
CreateFileW
GetFileSize
GetModuleFileNameW
GetCurrentProcess
CopyFileW
ExitProcess
GetWindowsDirectoryW
GetTempPathW
GetCommandLineW
SetErrorMode
lstrcpynA
lstrlenW
lstrcpynW
GetDiskFreeSpaceW
GlobalUnlock
GlobalLock
CreateThread
LoadLibraryW
CreateProcessW
lstrcmpiA
GetTempFileNameW
lstrcatW
GetProcAddress
LoadLibraryA
GetModuleHandleA
OpenProcess
lstrcpyW
GetVersionExW
GetSystemDirectoryW
GetVersion
lstrcpyA
RemoveDirectoryW
lstrcmpA
KERNEL32.dll
EndPaint
DrawTextW
FillRect
GetClientRect
BeginPaint
DefWindowProcW
SendMessageW
InvalidateRect
EnableWindow
LoadImageW
SetWindowLongW
GetDlgItem
IsWindow
FindWindowExW
SendMessageTimeoutW
wsprintfW
ShowWindow
SetForegroundWindow
PostQuitMessage
SetWindowTextW
SetTimer
CreateDialogParamW
DestroyWindow
ExitWindowsEx
CharNextW
GetSysColor
GetWindowLongW
SetCursor
LoadCursorW
CheckDlgButton
GetAsyncKeyState
IsDlgButtonChecked
ScreenToClient
GetMessagePos
CallWindowProcW
IsWindowVisible
LoadBitmapW
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
TrackPopupMenu
GetWindowRect
AppendMenuW
CreatePopupMenu
GetSystemMetrics
EndDialog
EnableMenuItem
GetSystemMenu
SetClassLongW
IsWindowEnabled
SetWindowPos
DialogBoxParamW
GetClassInfoW
CreateWindowExW
SystemParametersInfoW
RegisterClassW
SetDlgItemTextW
GetDlgItemTextW
MessageBoxIndirectW
CharNextA
CharUpperW
CharPrevW
wvsprintfW
DispatchMessageW
PeekMessageW
wsprintfA
USER32.dll
SelectObject
SetTextColor
SetBkMode
CreateFontIndirectW
CreateBrushIndirect
DeleteObject
GetDeviceCaps
SetBkColor
GDI32.dll
SHFileOperationW
ShellExecuteW
SHGetFileInfoW
SHGetPathFromIDListW
SHBrowseForFolderW
SHGetSpecialFolderLocation
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegEnumValueW
RegQueryValueExW
RegSetValueExW
RegCreateKeyExW
RegDeleteValueW
ADVAPI32.dll
ImageList_Destroy
ImageList_AddMasked
ImageList_Create
COMCTL32.dll
CoCreateInstance
OleUninitialize
OleInitialize
CoTaskMemFree
ole32.dll
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
VERSION.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46.5-Unicode</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
NullsoftInst0
logging set to %d
settings logging to %d
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0x%08x"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not initialize OLE
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
GetTTFFontName(%s) returned %s
GetTTFVersionString(%s) returned %s
Exec: failed createprocess ("%s")
Exec: success ("%s")
Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
HideWindow
Pop: stack empty
Exch: stack < %d elements
RMDir: "%s"
MessageBox: %d,"%s"
Delete: "%s"
File: wrote %d to "%s"
File: error, user cancel
File: skipped: "%s" (overwriteflag=%d)
File: error, user abort
File: error, user retry
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename on reboot: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
SetFileAttributes failed.
SetFileAttributes: "%s":%08X
BringToFront
Sleep(%d)
detailprint: %s
Call: %d
Aborting: "%s"
Jump: %d
verifying installer: %d%%
unpacking data: %d%%
... %d%%
Installer integrity check has failed. Common causes include
incomplete download and damaged media. Contact the
installer's author to obtain a new copy.
More information at:
http://nsis.sf.net/NSIS_Error
Error writing temporary file. Make sure your temp folder is valid.
Error launching installer
SeShutdownPrivilege
~nsu.tmp
NSIS Error
install.log
%u.%u%s%s
Skipping section: "%s"
Section: "%s"
New install of "%s" to "%s"
RichEdit
RichEdit20A
RichEd32
RichEd20
.DEFAULT\Control Panel\International
Control Panel\Desktop\ResourceLocale
Software\Microsoft\Windows\CurrentVersion
\Microsoft\Internet Explorer\Quick Launch
*?|<>/":
invalid registry key
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
%02x%c
Unknown
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory invalid input("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile("%s")
%s: failed opening file "%s"
GetTTFNameString
Version
MS Shell Dlg
MS Shell Dlg
MS Shell Dlg
msctls_progress32
SysListView32
MS Shell Dlg
Please wait while Setup is loading...
VS_VERSION_INFO
StringFileInfo
000004b0
Comments
For additional details, visit PortableApps.com
CompanyName
PortableApps.com
FileDescription
Windows Error Lookup Tool Portable
FileVersion
3.0.7.0
InternalName
Windows Error Lookup Tool Portable
LegalCopyright
PortableApps.com Installer Copyright 2007-2012 PortableApps.com.
LegalTrademarks
PortableApps.com is a registered trademark of Rare Ideas, LLC.
OriginalFilename
WindowsErrorLookupToolPortable_3.0.7_English.paf.exe
PortableApps.comAppID
WindowsErrorLookupToolPortable
PortableApps.comFormatVersion
PortableApps.comInstallerVersion
3.0.6.0
ProductName
Windows Error Lookup Tool Portable
ProductVersion
3.0.7.0
VarFileInfo
Translation
Antivirus Signature
Bkav Clean
MicroWorld-eScan Clean
CMC Clean
CAT-QuickHeal Clean
ALYac Clean
Cylance Clean
VIPRE Clean
AegisLab Clean
TheHacker Clean
BitDefender Clean
K7GW Clean
K7AntiVirus Clean
Invincea Clean
Baidu Clean
NANO-Antivirus Clean
Cyren Clean
Symantec Clean
TotalDefense Clean
TrendMicro-HouseCall Clean
Avast Clean
ClamAV Clean
Kaspersky Clean
Alibaba Clean
Babable Clean
ViRobot Clean
Rising Clean
Ad-Aware Clean
Trustlook Clean
Sophos Clean
Comodo Clean
F-Secure Clean
DrWeb Clean
Zillya Clean
TrendMicro Clean
McAfee-GW-Edition Clean
Fortinet Clean
Trapmine Clean
Emsisoft Clean
Ikarus Clean
F-Prot Clean
Jiangmin Clean
Webroot Clean
Avira Clean
MAX Clean
Antiy-AVL Clean
Kingsoft Clean
Endgame Clean
Arcabit Clean
SUPERAntiSpyware Clean
ZoneAlarm Clean
Avast-Mobile Clean
Microsoft Clean
AhnLab-V3 Clean
Acronis Clean
McAfee Clean
AVware Clean
TACHYON Clean
VBA32 Clean
Malwarebytes Clean
Panda Clean
Zoner Clean
ESET-NOD32 Clean
Tencent Clean
Yandex Clean
SentinelOne Clean
eGambit Clean
GData Clean
AVG Clean
Cybereason Clean
Paloalto Clean
CrowdStrike Clean
Qihoo-360 Clean

Process Tree


WindowsErrorLookupToolPortable_3.0.7_English.paf.exe, PID: 1440, Parent PID: 1312


Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (i.e., pip install httpreplay) will allow Cuckoo to do more proper PCAP analysis including but not limited to showing full HTTP and HTTPS (!) requests and responses. It is recommended that you install this library and possibly reprocess any interesting analysis tasks.

Hosts

No hosts contacted.

DNS

No domains contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.128.102 137 192.168.128.255 137
192.168.128.102 138 192.168.128.255 138

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name 189b1af95d661151_launcherlicense.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Source\LauncherLicense.txt
Size 18.0KB
Processes 1440 (WindowsErrorLookupToolPortable_3.0.7_English.paf.exe)
Type Pascal source, ASCII text, with CRLF line terminators
MD5 ffa10f40b98be2c2bc9608f56827ed23
SHA1 dc8f2e570bf431427dbc3bab9d4d551b53a60208
SHA256 189b1af95d661151e054cea10c91b3d754e4de4d3fecfb074c1fb29476f7167b
CRC32 A6D3A2F5
ssdeep 384:H4j2PmwE3b6k/iAVX/dUY2ZpEGMOZ77oPpDqHZ:H46uh1iYWrTXoPpDqHZ
Yara
  • contentis_base64 - This rule finds for base64 strings
  • embedded_pe - Contains an embedded PE32 file
VirusTotal Search for analysis
Name 4908c164f5952428_portableapps.comlauncher.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Source\PortableApps.comLauncher.ini
Size 272.0B
Processes 1440 (WindowsErrorLookupToolPortable_3.0.7_English.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 02b82ea3f0ac163db0e0d265787da974
SHA1 aa8693fecc07026b8e89b7a73259a34b459cb092
SHA256 4908c164f5952428b417cb4ecad2912437f9cae551f02531142ecb101108e835
CRC32 07024378
ssdeep 6:Wpe3yE7Em2VPVJSgBYlyGqMwIjAIMLyJQBABCXh5XMWJk/71NLyJQBAK:EeL2hrY8fjI8IMee2cXhX28e2K
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 0a9a711b205dc87b_modern-wizard.bmp
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsk3.tmp\modern-wizard.bmp
Size 150.9KB
Processes 1440 (WindowsErrorLookupToolPortable_3.0.7_English.paf.exe)
Type PC bitmap, Windows 3.x format, 164 x 314 x 24
MD5 55204d08cff24975e88885403f13fd59
SHA1 1aad4f3ceb1c8bdd348385228ea3043f1f0b2427
SHA256 0a9a711b205dc87b6b0fe491253bc1ddb4a46a02f26ab622c209b1311125dd20
CRC32 95D95148
ssdeep 1536:BUPy+RPMI0gVQC6AKEbOOukOtYzpz400XveEDSrP1:2Py+RPMcQCDKzuJ
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name c633bce09c9d4af1_appinfo.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\AppInfo\appinfo.ini
Size 632.0B
Processes 1440 (WindowsErrorLookupToolPortable_3.0.7_English.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 10b1a71daf0ee2203de81d4bf883e75d
SHA1 cc615cb98e9f7109637bf9f924ba6e58bb3ba823
SHA256 c633bce09c9d4af12a5a3c7759e3687d829aaf4d699252c736657b72c8c5b204
CRC32 6C3B5B63
ssdeep 12:kihMTN01ifmug0yhfKDTNXFtdcrU+oM6eEqZ2WvAUvMrHqeV2:kIWeugvApe1Zr0rKN
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name e3b0c44298fc1c14_nsa1.tmp
Size 0.0B
Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
ssdeep 3::
Yara None matched
VirusTotal Search for analysis
Name 46a1d50a869dc7e2_help_logo_top.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Help\images\help_logo_top.png
Size 2.5KB
Processes 1440 (WindowsErrorLookupToolPortable_3.0.7_English.paf.exe)
Type PNG image data, 229 x 47, 8-bit/color RGBA, non-interlaced
MD5 0f024e316973b9d87f3f4c3a1f33c448
SHA1 8ccaf998d7b14731829c0d1104d6fa7a1adc7247
SHA256 46a1d50a869dc7e2c0511cfbc77a15f0092ad9fba0b068736f1e512683a47ee4
CRC32 8F37D7F3
ssdeep 48:NaRbpMYHmHcRu3nh77X9/aoy/b1MUOgmLFu2J:YRbqHSI7TZ/RgSuI
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 88c0749cc9ca14cc_help_background_footer.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Help\images\help_background_footer.png
Size 168.0B
Processes 1440 (WindowsErrorLookupToolPortable_3.0.7_English.paf.exe)
Type PNG image data, 10 x 16, 8-bit/color RGB, non-interlaced
MD5 6af4a82693a403b0d0afde16972466f5
SHA1 1ab8a3d0cf22cde23173b6b41521377c0fdbeea8
SHA256 88c0749cc9ca14ccea1af39dffaccf7b7c35e5b5603b1e451fe7fce508252480
CRC32 8468EBFD
ssdeep 3:yionv//thPlHvtntCZRthwkBDsTBZtv9L//gbxCRQe1e//VHgNqUMwF/2g1p:6v/lhPo/nDspvmb8RQe1IgN1MwFdp
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 4de7b4eedcab4c21_appicon_32.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\AppInfo\appicon_32.png
Size 2.2KB
Processes 1440 (WindowsErrorLookupToolPortable_3.0.7_English.paf.exe)
Type PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
MD5 4d1d916415c26405637aeb299a67647b
SHA1 d196e1918d32589b8e6daee193a38e6b323bd296
SHA256 4de7b4eedcab4c21e858a5079f95b1f16a209c5c12dcf6e8e5efcb8ec2e74af5
CRC32 03F52C67
ssdeep 48:33H+WtrVSJ/KRZ1F+X3LUnq0R2wLKFBDop1KDKhPZcnrQkcsMLU7VgytJZS+x:n+Chjr+XB0Nyds1aKRZcnPoytJLx
Yara None matched
VirusTotal Search for analysis
Name 8af54a6dd1bfc3ea_windowserrorlookuptoolportable.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\AppInfo\Launcher\WindowsErrorLookupToolPortable.ini
Size 183.0B
Processes 1440 (WindowsErrorLookupToolPortable_3.0.7_English.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 26418c6034c73bcbe130931f94ec5ce4
SHA1 54f13af86fce79b0970cc1354182da39e11c0e73
SHA256 8af54a6dd1bfc3ea06572d51e02674280b60e4c31dabc86ffb25ffe7c4b6b19b
CRC32 4A03E59C
ssdeep 3:MotXKCXEoGEEXysya9HKXToQvMS0dAoxXjLwQkpfkVgslMquYxfDwLczoacIzX5l:MgZXtPOdKXTNVmxTzgfkVgsU5czrcICM
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name cf7718e82afa1af0_readme.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\Readme.txt
Size 185.0B
Processes 1440 (WindowsErrorLookupToolPortable_3.0.7_English.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 9d3d2c85756ff419cec6da38bd89a37b
SHA1 2f722064cefd0d48c5f5d03956a7040900d7f8b1
SHA256 cf7718e82afa1af00882af5a9b80cb1640fbfadad56d218a78371b9bcb649170
CRC32 A50CC39C
ssdeep 3:SMbKyPXtH+XR5WOpH/VVJYMQr3MeMQxF+YEJRi6Xt2vGARFKGRjZUovQ3OSbmSWe:DdH+XR5WKo8zQDuJRPt6zKGRjjRumA
Yara None matched
VirusTotal Search for analysis
Name 58053a49f7c9d07f_appnameportable.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Source\AppNamePortable.ini
Size 244.0B
Processes 1440 (WindowsErrorLookupToolPortable_3.0.7_English.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 8634c50b01d5ea4adc0d9eca692cbb5b
SHA1 ce39ebe17200463b7625a07288bae88c688f0ab8
SHA256 58053a49f7c9d07faceb35c298022d31da5b00b8840e611074475b41ceb9b7e9
CRC32 0A3AE46A
ssdeep 6:IQE7Em2VPVJSgBYlyGqMwIjAIMLyJQBABCXh5XMWJk/71NLyJQBAK:It2hrY8fjI8IMee2cXhX28e2K
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name f530069ef87a1c16_installoptions.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsk3.tmp\InstallOptions.dll
Size 15.0KB
Processes 1440 (WindowsErrorLookupToolPortable_3.0.7_English.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 89351a0a6a89519c86c5531e20dab9ea
SHA1 9e801aaaae9e70d8f7fc52f6f12cedc55e4c8a00
SHA256 f530069ef87a1c163c4fd63a3d5b053420ce3d7a98739c70211b4a99f90d6277
CRC32 7FB8A1B8
ssdeep 384:/MnT0MKT/Xwr2izZQ86mpAT8F9lN8Ov0J:EQMKzwTFnVX8i0
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -
VirusTotal Search for analysis
Name 9c73f6d0b8d851b5_appicon.ico
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\AppInfo\appicon.ico
Size 60.4KB
Processes 1440 (WindowsErrorLookupToolPortable_3.0.7_English.paf.exe)
Type MS Windows icon resource - 7 icons, 48x48, 256-colors
MD5 0494b2ad97729d28fa66287c50d06051
SHA1 cd1d113e72435f5fa6b0ced4332b2eacf4354818
SHA256 9c73f6d0b8d851b56cc0abbb4bca7292de0201f230015c4aa2bc13a73bf3c945
CRC32 7203FBA0
ssdeep 1536:zJRRs+NfK8TUf3mHz3MgnqowaxzhWR0C3D:raYK8TkyTMgqMzhWRX
Yara None matched
VirusTotal Search for analysis
Name 30b0d0e1bfe1dde7_windowserrorlookuptoolportable.exe
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\WindowsErrorLookupToolPortable.exe
Size 190.6KB
Processes 1440 (WindowsErrorLookupToolPortable_3.0.7_English.paf.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 232c9d2bd83cb2ea5c55a3fdc67c4e17
SHA1 9e32dd06fc778a2dcde1f6dbfc1c38a24e65fa10
SHA256 30b0d0e1bfe1dde730ce5edb6fa7868fa2ae4c57d0cc3822588c26e8eae50df8
CRC32 F8583471
ssdeep 3072:iweqOYEUXPnkYK8TkyTMgqMzhuRESTKwewvrUp87/qIf6QNcLuA77u:fEUXMyTMvKpcrU6SIf6jVy
Yara
  • IsPE32 -
  • IsWindowsGUI -
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasDigitalSignature - DigitalSignature Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Nullsoft_PiMP_Stub_SFX -
  • CRC32_poly_Constant - Look for CRC32 [poly]
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -
Name 53bb519e32931649_w7tbp.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsk3.tmp\w7tbp.dll
Size 2.5KB
Processes 1440 (WindowsErrorLookupToolPortable_3.0.7_English.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 9a3031cc4cef0dba236a28eecdf0afb5
SHA1 708a76aa56f77f1b0ebc62b023163c2e0426f3ac
SHA256 53bb519e3293164947ac7cbd7e612f637d77a7b863e3534ba1a7e39b350d3c00
CRC32 FF2B5710
ssdeep 24:etGS4R/39doyOzHaikQ7I9lYFxu3GUY1Bk5L2:64RVdojLJGWnWMi5L2
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
Name 9abc52858ae4ddda_donation_button.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Help\images\donation_button.png
Size 1.7KB
Processes 1440 (WindowsErrorLookupToolPortable_3.0.7_English.paf.exe)
Type PNG image data, 110 x 23, 8-bit/color RGBA, non-interlaced
MD5 bab4268c0bc3b3051ff38b21dbe35a44
SHA1 ea7adbbd731bb1747afc9da72340a0444b29abbe
SHA256 9abc52858ae4ddda224ee9d229cb38d252ae9ba46633da4ac14fada25dd489c6
CRC32 F486C53D
ssdeep 24:aoPfexW3T0UjeA2fijjxMhDnUcO7QLgYNw69rFbyQCwbozK8yxkxuE3u5F3pKXTP:aw3T0GeA2yMhocrVN5uXwNF0FGpU
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 6830a4756719649d_windows error lookup tool.exe
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\WELT\Windows Error Lookup Tool.exe
Size 41.0KB
Processes 1440 (WindowsErrorLookupToolPortable_3.0.7_English.paf.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 cd261071eca30e16c34d919234044590
SHA1 4640d83999bc19144409ed156d65f318a5f2c633
SHA256 6830a4756719649d4d61fa23f85b7544a468455f5427fc29cc74c653f9611e7c
CRC32 65ADAC20
ssdeep 384:lVdiB19ig3EngA0tY2rz3GQGwS65uQy/VCtvRjEOpXMbWUw937vHKzQNBw2PmjTB:Y1HBAuP5847Mav937vzNe2P5g4+S9Kh
Yara
  • IsPE32 -
  • IsWindowsGUI -
  • HasOverlay - Overlay Check
  • HasDigitalSignature - DigitalSignature Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01004_MASM_TASM___sig1_h__ - [MASM/TASM - sig1(h)]
  • PEiD_01007_MASM_TASM___sig4__h__ - [MASM/TASM - sig4 (h)]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_02185_TASM___MASM_ - [TASM / MASM]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • win_private_profile - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Microsoft_Visual_Basic_v50 -
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -
Name 7851cb12fa4131f1_system.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsk3.tmp\System.dll
Size 11.0KB
Processes 1440 (WindowsErrorLookupToolPortable_3.0.7_English.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 bf712f32249029466fa86756f5546950
SHA1 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
SHA256 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
CRC32 81CA71BF
ssdeep 192:0N2gQuUwXzioj4KALV2upWzVd7q1QDXEbBZ8KxHdGzyS/Kx:rJoiO8V2upW7vQjS/
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01070_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -
Name 3959381aab454359_help_background_header.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Help\images\help_background_header.png
Size 269.0B
Processes 1440 (WindowsErrorLookupToolPortable_3.0.7_English.paf.exe)
Type PNG image data, 10 x 42, 8-bit/color RGB, non-interlaced
MD5 a1eaee3ccb8169b680415d713720a2fa
SHA1 8cf2eff4faa05a34bfb0b641b8765773c7ac2ed6
SHA256 3959381aab4543593fa69fa7980946dbf0b0bab25924c8b38f6e88f7f69b9c19
CRC32 D14F00B1
ssdeep 6:6v/lhPTnDspO68hvS6IBe0ZZUngZlq+2dp:6v/7Uk68FS6c3UngZlq+2z
Yara
  • contentis_base64 - This rule finds for base64 strings
Name a86a39236bbac16e_versions.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\WELT\versions.txt
Size 380.0B
Processes 1440 (WindowsErrorLookupToolPortable_3.0.7_English.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 b1a554f1054c242c2d80f8be883b385f
SHA1 12637483ddcb7de3aaf9ce2879a648b9f36fffae
SHA256 a86a39236bbac16ecdad88c0f8181008f7139ed2dfdf7565d37ea50186b809d3
CRC32 FA827071
ssdeep 6:MEovPvm5j3Po1E8QANNykAP9jxElEsQaXMFrQ6ut5SfG7HBgajQ7VERPefFROlF:MEof8j3PGx7tcBxU5M2rtEfQ6ilRaFRy
Yara
  • contentis_base64 - This rule finds for base64 strings
Name bef2d256a0c4b7d9_defines.db3
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\WELT\defines.db3
Size 296.0KB
Processes 1440 (WindowsErrorLookupToolPortable_3.0.7_English.paf.exe)
Type SQLite 3.x database
MD5 3517a9269d78dde7e0b1ac52a1778359
SHA1 62b727da11289dbe0826135353edf1ee70b9414e
SHA256 bef2d256a0c4b7d9a36a917a20183e907b03c4b94c42312c51a996b65ea78767
CRC32 9B8CC3A2
ssdeep 3072:C5J0vR9HJ0v6Ux+6ypAfv27HYXYoaFHUHJ/SgoaVnPasxWKWSFzOsrv4xz5utG:Cy3US6yyvoHYX1lHRaspzfv46G
Yara
  • PEiD_00810_FSG_v1_10__Eng_____dulek_xt_____Microsoft_Visual_C___6_0___7_0__ - [FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)]
  • contentis_base64 - This rule finds for base64 strings
  • with_sqlite - Rule to detect the presence of SQLite data in raw image
Name b06b53681ea0ba09_favicon.ico
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Help\images\favicon.ico
Size 1.1KB
Processes 1440 (WindowsErrorLookupToolPortable_3.0.7_English.paf.exe)
Type MS Windows icon resource - 1 icon
MD5 049a352aabb8ced245ceecb94c0a0b2d
SHA1 775b5b199e8312e18f0655daa7b25844fd768602
SHA256 b06b53681ea0ba09ddaa8f8066c990cf5a7c01e65a1910e687a993ac375d1781
CRC32 CE59ADD9
ssdeep 12:GxtRygJlM7LVtY7YMCQrCE+4hoJbmLbJk:ARvl0VaoQr8ntGJk
Yara None matched
Name 18ae4ca24f69c768_appicon_128.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\AppInfo\appicon_128.png
Size 15.1KB
Processes 1440 (WindowsErrorLookupToolPortable_3.0.7_English.paf.exe)
Type PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
MD5 7ea1aaaca833dac20be85c308c587cd8
SHA1 e6b8ff1ad252ba472cbfb8bf123ebb71f048106d
SHA256 18ae4ca24f69c7687228573255d72389d3dd2dd7c4f7db3c86dda200b83bf255
CRC32 4CD2443A
ssdeep 384:hnuVoDCoYYYwkCK2zkZTnh7p9GpaUyL0xVXmUY:hnOcCzYBkCBkNhDGpaUywxVXY
Yara None matched
Name 7ac2582c2bc91753_modern-header.bmp
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsk3.tmp\modern-header.bmp
Size 25.2KB
Processes 1440 (WindowsErrorLookupToolPortable_3.0.7_English.paf.exe)
Type PC bitmap, Windows 3.x format, 150 x 57 x 24
MD5 2916c1894626a9aaca1f0d98c1625637
SHA1 e17362b4a027662bd46d7cafae0b9402fed98cd7
SHA256 7ac2582c2bc91753c8da7cfa801b32eb7361c742db541087aba7aa75f79348a4
CRC32 4E434530
ssdeep 48:SaPImvz4J1L5vQxGR+RU/5647TvHKatEYZgLTXzravMh1S:jbApQOvVEYZg/PaUS
Yara None matched
Name 7c522f997edb0eb2_iospecial.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsk3.tmp\ioSpecial.ini
Size 1.4KB
Processes 1440 (WindowsErrorLookupToolPortable_3.0.7_English.paf.exe)
Type Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
MD5 f0e94c7b41c46ae4b49784f2b7583635
SHA1 7984fdca65d419438745d4079d4d5c36b2bcf540
SHA256 7c522f997edb0eb25eb20ff5ef85dc2d153be4771c9e0640a5d076765b04d45e
CRC32 CCBC8D72
ssdeep 24:Q+sxvtSSAD5ylSXgqWCs7y6Guy9ni/6k8lJEg9n7CsGNC54u6CEg9nx3HTCaH65c:rsx9AQSwqQku7N8llnS4xeaNse
Yara None matched
Name de6e8fa954dae725_sqlite3.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\WELT\sqlite3.dll
Size 567.1KB
Processes 1440 (WindowsErrorLookupToolPortable_3.0.7_English.paf.exe)
Type PE32 executable (DLL) (console) Intel 80386, for MS Windows
MD5 47a89aaed60e9f7daa7206e6d09fe8ce
SHA1 9c19a3f83c368d87decb4622ab8f92a6a4149948
SHA256 de6e8fa954dae725c52001c55f213e5abb9937f16fdcad35b5d6f5d81e476660
CRC32 CA33D77D
ssdeep 12288:tyHhUc7ZFbin/xjTMtM4lrM7GJfPJFAvKqsJDL+nENwQ:tfeni/xj4tM4lrOwFmE+Q
Yara
  • IsPE32 -
  • IsDLL -
  • IsConsole -
  • HasOverlay - Overlay Check
  • MinGW_1 -
  • PEiD_00055_Alias_PIX_Vivid_IMG_Graphics_format_ - [Alias PIX/Vivid IMG Graphics format]
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_00810_FSG_v1_10__Eng_____dulek_xt_____Microsoft_Visual_C___6_0___7_0__ - [FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01140_MinGW_GCC_DLL_v2xx_ - [MinGW GCC DLL v2xx]
  • PEiD_01272_Neolite_v2_0_ - [Neolite v2.0]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_01693_pex_V0_99____params_ - [pex V0.99 -> params]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • win_mutex - Create or check mutex
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Big_Numbers1 - Looks for big numbers 32:sized
  • maldoc_suspicious_strings -
  • with_sqlite - Rule to detect the presence of SQLite data in raw image
  • spyeye - SpyEye X.Y memory
Name c88b6762a4492b7d_appicon_16.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\App\AppInfo\appicon_16.png
Size 812.0B
Processes 1440 (WindowsErrorLookupToolPortable_3.0.7_English.paf.exe)
Type PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
MD5 008a69e45dc1b9794f8f704d3da25330
SHA1 b2368464f2f9083359b0293c239ddd2ac5ae56f2
SHA256 c88b6762a4492b7d946d78447f7e30465607d5718f0c4d88caccf3b452300ab6
CRC32 D59CD41A
ssdeep 12:6v/7E2I90UR/ph11EqQvHCQCzHyNgkOPmlh9GIJKvlfPTopVAV8dIzJF/YUgWvl:LNZphzEvBOPmlrpEvRPy1GVxYUgWt
Yara None matched
Name d3b45137fa6a62e7_readme.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Source\Readme.txt
Size 2.2KB
Processes 1440 (WindowsErrorLookupToolPortable_3.0.7_English.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 197b0d5b9545bbb07f8e73d3e9982599
SHA1 52f2aec5f94381abee16db1b69b3a690ab378748
SHA256 d3b45137fa6a62e7021ff7055468f04f219fb017de36611d5eb71ef5a812666a
CRC32 04B88C41
ssdeep 48:poqWahdxHxG2NlNKx4Dm+THH72bpbGTY/ZzywG2lMI:m3ah3x5TkxB+THQ1GTYZzywG4MI
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 69f746d10e25e2f7_iconreadme.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\Other\Source\IconReadme.txt
Size 223.0B
Processes 1440 (WindowsErrorLookupToolPortable_3.0.7_English.paf.exe)
Type ASCII text, with no line terminators
MD5 d42a51865f0ebe36784966a00e1b79f4
SHA1 99636b5a89597c1487f290b2b9b6316c436be30f
SHA256 69f746d10e25e2f7a8e4f3c1571f10fd5da3f4d6b587384ea8488feec7fb58af
CRC32 A07637DF
ssdeep 6:daQBA3LM2utj5JFwQWIIjJL+R3MP3RKwNo:db2342wVwQtmCR3+6
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 9c32ed3abaf4ff86_help.html
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\WindowsErrorLookupToolPortable\help.html
Size 5.4KB
Processes 1440 (WindowsErrorLookupToolPortable_3.0.7_English.paf.exe)
Type HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5 4655cd5336181d14416ae39e7fac7327
SHA1 96b10eae0590915a1f112edd40b1cc7f52802ff5
SHA256 9c32ed3abaf4ff862f8c7704bf628311a61076f4123c8f9f8454da7e7a4cc1fd
CRC32 90166FCD
ssdeep 96:Mr3KeLV12hKyQCABwwduyFlzec58/2fMyxyzvhcxB:Mr3Pf2hKHCuPze1cj
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 6eb09ce25c7fc62e_findprocdll.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsk3.tmp\FindProcDLL.dll
Size 27.5KB
Processes 1440 (WindowsErrorLookupToolPortable_3.0.7_English.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 6f73b00aef6c49eac62128ef3eca677e
SHA1 1b6aff67d570e5ee61af2376247590eb49b728a1
SHA256 6eb09ce25c7fc62e44dc2f71761c6d60dd4b2d0c7d15e9651980525103aac0a9
CRC32 F238428A
ssdeep 384:DZoRF0XXUuJReQg0Tw67ADWBTgmldIogUD3GLgFmyaX/fVYcWJQCDmrinogRdBl:DZaF0HtTwuz9yu3KgwRX1nWJ1q+noI
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00138_Armadillo_v1_71_ - [Armadillo v1.71]
  • PEiD_00153_Armadillo_v1_xx___v2_xx_ - [Armadillo v1.xx - v2.xx]
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01071_Microsoft_Visual_C___6_0_DLL__Debug__ - [Microsoft Visual C++ 6.0 DLL (Debug)]
  • PEiD_01101_Microsoft_Visual_C___v5_0_v6_0__MFC__ - [Microsoft Visual C++ v5.0/v6.0 (MFC)]
  • PEiD_01103_Microsoft_Visual_C___v6_0_DLL_ - [Microsoft Visual C++ v6.0 DLL]
  • PEiD_01108_Microsoft_Visual_C___v6_0_ - [Microsoft Visual C++ v6.0]
  • PEiD_01125_Microsoft_Visual_C___ - [Microsoft Visual C++]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Armadillo_v1xx_v2xx_additional -
  • Microsoft_Visual_Cpp_v70_DLL -
  • Microsoft_Visual_Cpp_v50v60_MFC -
  • Microsoft_Visual_Cpp_60_DLL_Debug -
  • Armadillo_v1xx_v2xx -
  • Microsoft_Visual_Cpp_v60_DLL -
  • Microsoft_Visual_Cpp_60 -
  • Armadillov1xxv2xx -
  • maldoc_function_prolog_signature -
  • maldoc_structured_exception_handling -
  • maldoc_suspicious_strings -
Sorry! No dropped buffers.
Task ID 637
Mongo ID 5c36241911d3080d16cdea04
Cuckoo release 2.0-dev