File ZSoftUninstallerPortable_2.5_Rev_3.paf.exe

Size 1.4MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 f6ebc62443a256ded868e5e1fbdf23cb
SHA1 cf3142a5d3ee2f34adf52e51894b074130383e23
SHA256 b36ab0c62f6bd1c124a67c00ecb392359517d1558136b72ab6fca034ce93712f
SHA512 ba43aa262fea178b44f6783368803c019dcb2c73861bb39aefc735e26277abad60680362701db0b6a90204e66e9fb379dd8c88e6f88d7de70635a347fd692c25
CRC32 5A3927AC
ssdeep 24576:O09D2K2Qfw64bnTM5XtOICoR7NU8oVY6qqzIBn6FOzTzK0DVCYk/XCcpJGONAFb8:H9zfAnodONoRvoaAzIx6A/z9ioFPEzB
Yara
  • IsPE32 -
  • IsWindowsGUI -
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Nullsoft_PiMP_Stub_SFX -
  • CRC32_poly_Constant - Look for CRC32 [poly]
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -

Score

This file shows numerous signs of malicious behavior.

The score of this file is 2.2 out of 10.

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Information on Execution

Category Started Completed Duration Logs
FILE Jan. 9, 2019, 11:42 a.m. Jan. 9, 2019, 11:46 a.m. 255 seconds

Machine

Name Label Started On Shutdown On
winxpsp3pro32 winxpsp3pro32 2019-01-09 11:42:12 2019-01-09 11:46:23

Analyzer Log

2019-01-09 03:11:59,030 [analyzer] DEBUG: Starting analyzer from: C:\njnba
2019-01-09 03:11:59,030 [analyzer] DEBUG: Pipe server name: \\.\PIPE\PHOYAleXQmghUlQZL
2019-01-09 03:11:59,030 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\wrVdtROlBwRsfcUZxLJf
2019-01-09 03:11:59,030 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2019-01-09 03:11:59,030 [analyzer] INFO: Automatically selected analysis package "exe"
2019-01-09 03:12:00,750 [analyzer] DEBUG: Started auxiliary module Disguise
2019-01-09 03:12:00,921 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:12:00,921 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:12:00,983 [analyzer] DEBUG: Loaded monitor into process with pid 692
2019-01-09 03:12:00,983 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2019-01-09 03:12:00,983 [analyzer] DEBUG: Started auxiliary module Human
2019-01-09 03:12:00,983 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2019-01-09 03:12:00,983 [analyzer] DEBUG: Started auxiliary module Reboot
2019-01-09 03:12:01,390 [analyzer] DEBUG: Started auxiliary module RecentFiles
2019-01-09 03:12:01,390 [analyzer] DEBUG: Started auxiliary module Screenshots
2019-01-09 03:12:01,500 [lib.api.process] INFO: Successfully executed process from path u'C:\\DOCUME~1\\zamen\\LOCALS~1\\Temp\\ZSoftUninstallerPortable_2.5_Rev_3.paf.exe' with arguments '' and pid 1440
2019-01-09 03:12:01,592 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:12:01,592 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-09 03:12:01,717 [analyzer] DEBUG: Loaded monitor into process with pid 1440
2019-01-09 03:12:01,842 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsx2.tmp
2019-01-09 03:12:01,905 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp\LangDLL.dll
2019-01-09 03:12:01,967 [analyzer] DEBUG: Received request to inject pid=1440, but we are already injected there.
2019-01-09 03:12:02,155 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-09 03:12:03,187 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp\System.dll
2019-01-09 03:12:03,312 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp\FindProcDLL.dll
2019-01-09 03:12:03,421 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp\ioSpecial.ini
2019-01-09 03:12:03,421 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp\modern-wizard.bmp
2019-01-09 03:12:03,453 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp\modern-header.bmp
2019-01-09 03:12:03,483 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp\InstallOptions.dll
2019-01-09 03:12:04,217 [modules.auxiliary.human] INFO: Found button "&Next >", clicking it
2019-01-09 03:12:06,312 [modules.auxiliary.human] INFO: Found button "I &Agree", clicking it
2019-01-09 03:12:08,421 [modules.auxiliary.human] INFO: Found button "&Install", clicking it
2019-01-09 03:12:09,453 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp\w7tbp.dll
2019-01-09 03:12:09,530 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\ZSoftUninstallerPortable.exe
2019-01-09 03:12:09,546 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\help.html
2019-01-09 03:12:09,562 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\readme.txt
2019-01-09 03:12:09,578 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\AppInfo\EULA.txt
2019-01-09 03:12:09,578 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\AppInfo\appicon.ico
2019-01-09 03:12:09,578 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\AppInfo\appicon_128.png
2019-01-09 03:12:09,592 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\AppInfo\appicon_16.png
2019-01-09 03:12:09,592 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\AppInfo\appicon_32.png
2019-01-09 03:12:09,592 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\AppInfo\appinfo.ini
2019-01-09 03:12:09,608 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\AppInfo\installer.ini
2019-01-09 03:12:09,625 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\AppInfo\Launcher\ZSoftUninstallerPortable.ini
2019-01-09 03:12:09,625 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\DefaultData\badwareFiles.dat
2019-01-09 03:12:09,640 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\DefaultData\badwareFolders.dat
2019-01-09 03:12:09,640 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\DefaultData\badwareKeys.dat
2019-01-09 03:12:09,640 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\DefaultData\badwareSearch.dat
2019-01-09 03:12:09,640 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\DefaultData\badwareValues.dat
2019-01-09 03:12:09,655 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\DefaultData\settings.ini
2019-01-09 03:12:09,765 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\Uninstaller.exe
2019-01-09 03:12:09,905 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\UninstallerHelp.chm
2019-01-09 03:12:09,937 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Chinese (Simplified).lng
2019-01-09 03:12:09,953 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Chinese (Traditional).lng
2019-01-09 03:12:09,953 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Danish.lng
2019-01-09 03:12:09,953 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Dutch.lng
2019-01-09 03:12:09,967 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\English.lng
2019-01-09 03:12:09,967 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Francais.lng
2019-01-09 03:12:09,983 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\German.lng
2019-01-09 03:12:09,983 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Hungarian.lng
2019-01-09 03:12:09,983 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Italian.lng
2019-01-09 03:12:10,000 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Polish.lng
2019-01-09 03:12:10,000 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Portuguese.lng
2019-01-09 03:12:10,015 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Russian.lng
2019-01-09 03:12:10,015 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Spanish.lng
2019-01-09 03:12:10,015 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Swedish.lng
2019-01-09 03:12:10,062 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Valencian.lng
2019-01-09 03:12:10,092 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other\Help\images\donation_button.png
2019-01-09 03:12:10,108 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other\Help\images\favicon.ico
2019-01-09 03:12:10,108 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other\Help\images\help_background_footer.png
2019-01-09 03:12:10,125 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other\Help\images\help_background_header.png
2019-01-09 03:12:10,125 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other\Help\images\help_logo_top.png
2019-01-09 03:12:10,140 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other\Source\AppNamePortable.ini
2019-01-09 03:12:10,140 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other\Source\License.txt
2019-01-09 03:12:10,155 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other\Source\Readme.txt
2019-01-09 03:12:10,187 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other\Source\PortableApps.comInstallerCustom.nsh
2019-01-09 03:12:10,217 [analyzer] INFO: Added new file to list with pid 1440 and path C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Data\PortableApps.comInstaller\license.ini
2019-01-09 03:12:10,546 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:11,546 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:12,546 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:14,608 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:15,608 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:16,608 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:18,687 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:19,687 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:20,687 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:22,750 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:23,750 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:24,750 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:26,812 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:27,812 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:28,812 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:30,875 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:31,875 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:32,875 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:34,937 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:35,937 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:36,937 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:39,046 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:40,062 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:41,062 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:43,125 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:44,125 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:45,125 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:47,187 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:48,187 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:49,187 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:51,250 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:52,250 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:53,250 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:55,312 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:56,312 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:57,312 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:12:59,375 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:00,375 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:01,375 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:03,437 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:04,437 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:05,437 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:07,515 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:08,515 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:09,515 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:11,578 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:12,578 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:13,578 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:15,640 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:16,640 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:17,640 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:19,703 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:20,703 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:21,703 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:23,765 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:24,765 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:25,765 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:27,828 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:28,828 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:29,828 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:31,890 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:32,890 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:33,890 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:35,953 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:36,953 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:37,953 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:40,030 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:41,030 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:42,030 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:44,092 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:45,092 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:46,092 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:48,155 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:49,155 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:50,155 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:52,217 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:53,217 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:54,217 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:56,280 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:57,280 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:13:58,280 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:00,342 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:01,342 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:02,342 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:04,405 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:05,405 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:06,405 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:08,467 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:09,467 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:10,467 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:12,530 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:13,530 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:14,530 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:16,592 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:17,592 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:18,592 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:20,655 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:21,655 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:22,655 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:24,717 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:25,717 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:26,717 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:28,780 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:29,780 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:30,780 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:32,842 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:33,842 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:34,842 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:36,905 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:37,905 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:38,905 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:40,967 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:41,967 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:42,967 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:45,030 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:46,062 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:47,062 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:49,125 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:50,125 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:51,125 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:53,187 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:54,187 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:55,187 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:57,250 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:58,250 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:14:59,250 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:15:01,312 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:15:02,312 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:15:03,312 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:15:05,375 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:15:06,375 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:15:07,375 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:15:09,437 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:16:00,233 [modules.auxiliary.human] INFO: Found button "&Run ZSoft Uninstaller Portable", clicking it
2019-01-09 03:16:00,592 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2019-01-09 03:16:00,592 [analyzer] INFO: Terminating remaining processes before shutdown.
2019-01-09 03:16:00,592 [lib.api.process] INFO: Successfully terminated process with pid 1440.
2019-01-09 03:16:00,592 [analyzer] INFO: Error dumping file from path "c:\documents and settings\zamen\local settings\temp\nsx2.tmp": [Errno 13] Permission denied: u'c:\\documents and settings\\zamen\\local settings\\temp\\nsx2.tmp'
2019-01-09 03:16:01,046 [analyzer] INFO: Analysis completed.

Cuckoo Log

2019-01-09 11:42:11,025 [lib.cuckoo.core.scheduler] INFO: Task #641: acquired machine winxpsp3pro32 (label=winxpsp3pro32)
2019-01-09 11:42:11,993 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 9944 (interface=eth2, host=192.168.128.102, pcap=/opt/cuckoo/storage/analyses/641/dump.pcap)
2019-01-09 11:42:14,817 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=winxpsp3pro32, ip=192.168.128.102)
2019-01-09 11:46:22,597 [lib.cuckoo.core.guest] INFO: winxpsp3pro32: analysis completed successfully
2019-01-09 11:52:41,425 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2019-01-09 11:52:50,460 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f9b50c37a50>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-09 11:52:50,463 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f9b50c37410>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f9b50c37410>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

The executable has PE anomalies (could be a false positive) (1 event)
section .ndata
Allocates read-write-execute memory (usually to unpack itself) (2 events)
Time & API Arguments Status Return Repeated
Jan. 9, 2019, 12:12 a.m.
NtProtectVirtualMemory
base_address: 0x10004000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1440
process_handle: 0xffffffff
success 0 0
Jan. 9, 2019, 12:12 a.m.
NtProtectVirtualMemory
base_address: 0x10004000
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_identifier: 1440
process_handle: 0xffffffff
success 0 0
Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (4 events)
Time & API Arguments Status Return Repeated
Jan. 9, 2019, 12:12 a.m.
GetDiskFreeSpaceExW
total_number_of_free_bytes: 5327288503566340
free_bytes_available: 204632325296160768
root_path: C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable
total_number_of_bytes: 206884126735496290
failed 0 0
Jan. 9, 2019, 12:12 a.m.
GetDiskFreeSpaceExW
total_number_of_free_bytes: 24102051840
free_bytes_available: 24102051840
root_path: C:\Documents and Settings\zamen\Local Settings\Temp\
total_number_of_bytes: 31453437952
success 1 0
Jan. 9, 2019, 12:12 a.m.
GetDiskFreeSpaceExW
total_number_of_free_bytes: 0
free_bytes_available: 26761941483754
root_path: C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable
total_number_of_bytes: 4296209312
failed 0 0
Jan. 9, 2019, 12:12 a.m.
GetDiskFreeSpaceExW
total_number_of_free_bytes: 24102051840
free_bytes_available: 24102051840
root_path: C:\Documents and Settings\zamen\Local Settings\Temp\
total_number_of_bytes: 31453437952
success 1 0
Creates executable files on the filesystem (7 events)
file C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\ZSoftUninstallerPortable.exe
file C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp\System.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp\FindProcDLL.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp\w7tbp.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp\InstallOptions.dll
file C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\Uninstaller.exe
file C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp\LangDLL.dll
File has been identified by one AntiVirus engine on VirusTotal as malicious (1 event)
Sophos ZSoft Uninstaller (PUA)
The binary likely contains encrypted or compressed data. (3 events)
section {u'size_of_data': u'0x00019e00', u'virtual_address': u'0x00134000', u'entropy': 7.457905467865529, u'name': u'.rsrc', u'virtual_size': u'0x00019c80'} entropy 7.45790546787 description A section with a high entropy has been found
section {u'size_of_data': u'0x00001000', u'virtual_address': u'0x0014e000', u'entropy': 7.875653834843685, u'name': u'.reloc', u'virtual_size': u'0x00000f8a'} entropy 7.87565383484 description A section with a high entropy has been found
entropy 0.731292517007 description Overall entropy of this PE file is high

Network

DNS

No domains contacted.

Hosts

No hosts contacted.

Summary

Process ZSoftUninstallerPortable_2.5_Rev_3.paf.exe (1440)

  • Opened files

    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\DefaultData
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\AppInfo
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable_2.5_Rev_3.paf.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other\Source
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other\Help\images
    • C:\WINDOWS\win.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp\ioSpecial.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp\modern-wizard.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other\Help
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp\modern-header.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\AppInfo\Launcher
  • Written files

    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\German.lng
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Italian.lng
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\DefaultData\badwareSearch.dat
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\help.html
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\DefaultData\badwareFiles.dat
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other\Help\images\donation_button.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other\Help\images\help_background_footer.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Francais.lng
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other\Help\images\favicon.ico
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other\Source\Readme.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other\Source\AppNamePortable.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Chinese (Traditional).lng
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Spanish.lng
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\AppInfo\appicon_32.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\ZSoftUninstallerPortable.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\AppInfo\Launcher\ZSoftUninstallerPortable.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\AppInfo\appinfo.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Polish.lng
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp\System.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\AppInfo\appicon_128.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp\w7tbp.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp\modern-wizard.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp\InstallOptions.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other\Help\images\help_background_header.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Valencian.lng
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsx2.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\DefaultData\badwareKeys.dat
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Dutch.lng
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\DefaultData\badwareFolders.dat
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Data\PortableApps.comInstaller\license.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Swedish.lng
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\AppInfo\installer.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Danish.lng
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\AppInfo\EULA.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Hungarian.lng
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other\Source\PortableApps.comInstallerCustom.nsh
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\Uninstaller.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\DefaultData\badwareValues.dat
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other\Source\License.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\DefaultData\settings.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other\Help\images\help_logo_top.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp\LangDLL.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\AppInfo\appicon.ico
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\readme.txt
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp\ioSpecial.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Chinese (Simplified).lng
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Russian.lng
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\English.lng
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp\modern-header.bmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Portuguese.lng
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\AppInfo\appicon_16.png
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\UninstallerHelp.chm
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp\FindProcDLL.dll
  • Files Read

    • C:\Documents and Settings\zamen\Local Settings\Temp\nsx2.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Data\PortableApps.comInstaller\license.ini
    • C:\WINDOWS\win.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable_2.5_Rev_3.paf.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp\ioSpecial.ini

Process ZSoftUninstallerPortable_2.5_Rev_3.paf.exe (1440)

  • Registry keys opened

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\AppLogLevels
    • HKEY_CLASSES_ROOT\Directory
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530e-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\IconHandler
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNT
    • HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\LangBarAddIn\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\Explorer\AutoComplete
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HKEY_CLASSES_ROOT\Folder
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530a-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CLASSES_ROOT\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32
    • HKEY_LOCAL_MACHINE\System\Setup
    • HKEY_LOCAL_MACHINE\System\WPA\PnP
    • HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530d-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Explorer\AutoComplete
    • HKEY_CLASSES_ROOT\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Clsid
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF\LangBarAddIn\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\CurVer
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530b-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\(Default)
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
  • Registry keys written

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530e-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530d-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530a-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530b-636a-11e6-ba0d-806d6172696f}\BaseClass
  • Registry keys read

    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewScrollOver
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DevicePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\DriverCachePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\OsLoaderPath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemPartition
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogPath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ServicePackSourcePath
    • HKEY_LOCAL_MACHINE\SYSTEM\WPA\PnP\seed
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ServicePackCachePath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogLevel
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Hostname
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewScrollOver
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Domain
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewWatermark
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling

Process ZSoftUninstallerPortable_2.5_Rev_3.paf.exe (1440)

  • Mutexes accessed

    • MSCTF.Shared.MUTEX.EFG

Process ZSoftUninstallerPortable_2.5_Rev_3.paf.exe (1440)

  • Directories created

    • C:\Documents and Settings
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\DefaultData
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\AppInfo
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other\Source
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other\Help\images
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Data
    • C:\Documents and Settings\zamen\Local Settings\Temp\
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\AppInfo\Launcher
    • C:\Documents and Settings\zamen\Local Settings\Temp
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other\Help
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Data\PortableApps.comInstaller
    • C:\Documents and Settings\zamen\Local Settings
    • C:\Documents and Settings\zamen
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp
  • Directories enumerated

    • C:\Documents and Settings
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\*.*
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\7zTemp
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\*.dat
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\7zTemp\7z.exe
    • C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable
    • C:\Documents and Settings\zamen\Local Settings\Temp\PortableApps.com\PortableAppsPlatform.exe
    • C:\PortableApps
    • E:\PortableApps
    • C:\Documents and Settings\zamen\Local Settings
    • C:\Documents and Settings\zamen\PortableApps\*.*
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Data\PortableApps.comInstaller\license.ini
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\7zTemp\7z.dll
    • C:\Documents and Settings\zamen
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\*.*
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\ZSoft_Uninstaller_2.5_Portable.zip
    • C:\Documents and Settings\zamen\Local Settings\Temp
    • C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other\*.*

Process ZSoftUninstallerPortable_2.5_Rev_3.paf.exe (1440)

  • DLLs Loaded

    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsc3.tmp\LangDLL.dll
    • C:\WINDOWS\system32\SHELL32.dll
    • SHFOLDER
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsc3.tmp\InstallOptions.dll
    • C:\WINDOWS\system32\browseui.dll
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsc3.tmp\System.dll
    • browseui.dll
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsc3.tmp\FindProcDLL.dll
    • shell32.dll
    • UxTheme.dll
    • RichEd20
    • SHELL32.dll
    • C:\DOCUME~1\zamen\LOCALS~1\Temp\nsc3.tmp\w7tbp.dll
    • ole32.dll
    • SETUPAPI.dll
    • PSAPI.DLL

PE Compile Time

2012-02-24 14:19:59

Sections

Name    Virtual Address  Virtual Size  Size of Raw Data  Entropy
.text   0x00001000       0x00006f10    0x00007000        6.49788465186
.rdata  0x00008000       0x00002a92    0x00002c00        4.39389365097
.data   0x0000b000       0x00067ebc    0x00000200        1.472782261
.ndata  0x00073000       0x000c1000    0x00000000        0.0
.rsrc   0x00134000       0x00019c80    0x00019e00        7.45790546787
.reloc  0x0014e000       0x00000f8a    0x00001000        7.87565383484

Imports

Library KERNEL32.dll:
0x408060 SetFileTime
0x408064 CompareFileTime
0x408068 SearchPathW
0x40806c GetShortPathNameW
0x408070 GetFullPathNameW
0x408074 MoveFileW
0x40807c GetFileAttributesW
0x408080 GetLastError
0x408084 CreateDirectoryW
0x408088 SetFileAttributesW
0x40808c Sleep
0x408090 GetTickCount
0x408094 CreateFileW
0x408098 GetFileSize
0x40809c GetModuleFileNameW
0x4080a0 GetCurrentProcess
0x4080a4 CopyFileW
0x4080a8 ExitProcess
0x4080b0 GetTempPathW
0x4080b4 GetCommandLineW
0x4080b8 SetErrorMode
0x4080bc CloseHandle
0x4080c0 lstrlenW
0x4080c4 lstrcpynW
0x4080c8 GetDiskFreeSpaceW
0x4080cc GlobalUnlock
0x4080d0 GlobalLock
0x4080d4 CreateThread
0x4080d8 LoadLibraryW
0x4080dc CreateProcessW
0x4080e0 lstrcmpiA
0x4080e4 GetTempFileNameW
0x4080e8 lstrcatW
0x4080ec GetProcAddress
0x4080f0 LoadLibraryA
0x4080f4 GetModuleHandleA
0x4080f8 OpenProcess
0x4080fc lstrcpyW
0x408100 GetVersionExW
0x408104 GetSystemDirectoryW
0x408108 GetVersion
0x40810c lstrcpyA
0x408110 RemoveDirectoryW
0x408114 lstrcmpA
0x408118 lstrcmpiW
0x40811c lstrcmpW
0x408124 GlobalAlloc
0x408128 WaitForSingleObject
0x40812c GetExitCodeProcess
0x408130 GlobalFree
0x408134 GetModuleHandleW
0x408138 LoadLibraryExW
0x40813c FreeLibrary
0x408148 WideCharToMultiByte
0x40814c lstrlenA
0x408150 MulDiv
0x408154 WriteFile
0x408158 ReadFile
0x40815c MultiByteToWideChar
0x408160 SetFilePointer
0x408164 FindClose
0x408168 FindNextFileW
0x40816c FindFirstFileW
0x408170 DeleteFileW
0x408174 lstrcpynA
Library USER32.dll:
0x408198 GetAsyncKeyState
0x40819c IsDlgButtonChecked
0x4081a0 ScreenToClient
0x4081a4 GetMessagePos
0x4081a8 CallWindowProcW
0x4081ac IsWindowVisible
0x4081b0 LoadBitmapW
0x4081b4 CloseClipboard
0x4081b8 SetClipboardData
0x4081bc EmptyClipboard
0x4081c0 OpenClipboard
0x4081c4 TrackPopupMenu
0x4081c8 GetWindowRect
0x4081cc AppendMenuW
0x4081d0 CreatePopupMenu
0x4081d4 GetSystemMetrics
0x4081d8 EndDialog
0x4081dc EnableMenuItem
0x4081e0 GetSystemMenu
0x4081e4 SetClassLongW
0x4081e8 IsWindowEnabled
0x4081ec SetWindowPos
0x4081f0 DialogBoxParamW
0x4081f4 CheckDlgButton
0x4081f8 CreateWindowExW
0x408200 RegisterClassW
0x408204 SetDlgItemTextW
0x408208 GetDlgItemTextW
0x40820c MessageBoxIndirectW
0x408210 CharNextA
0x408214 CharUpperW
0x408218 CharPrevW
0x40821c wvsprintfW
0x408220 DispatchMessageW
0x408224 PeekMessageW
0x408228 wsprintfA
0x40822c DestroyWindow
0x408230 CreateDialogParamW
0x408234 SetTimer
0x408238 SetWindowTextW
0x40823c PostQuitMessage
0x408240 SetForegroundWindow
0x408244 ShowWindow
0x408248 wsprintfW
0x40824c SendMessageTimeoutW
0x408250 LoadCursorW
0x408254 SetCursor
0x408258 GetWindowLongW
0x40825c GetSysColor
0x408260 CharNextW
0x408264 GetClassInfoW
0x408268 ExitWindowsEx
0x40826c IsWindow
0x408270 GetDlgItem
0x408274 SetWindowLongW
0x408278 LoadImageW
0x40827c GetDC
0x408280 EnableWindow
0x408284 InvalidateRect
0x408288 SendMessageW
0x40828c DefWindowProcW
0x408290 BeginPaint
0x408294 GetClientRect
0x408298 FillRect
0x40829c DrawTextW
0x4082a0 EndPaint
0x4082a4 FindWindowExW
Library GDI32.dll:
0x40803c SetBkColor
0x408040 GetDeviceCaps
0x408044 DeleteObject
0x408048 CreateBrushIndirect
0x40804c CreateFontIndirectW
0x408050 SetBkMode
0x408054 SetTextColor
0x408058 SelectObject
Library SHELL32.dll:
0x40817c SHBrowseForFolderW
0x408184 SHGetFileInfoW
0x408188 ShellExecuteW
0x40818c SHFileOperationW
Library ADVAPI32.dll:
0x408000 RegEnumKeyW
0x408004 RegOpenKeyExW
0x408008 RegCloseKey
0x40800c RegDeleteKeyW
0x408010 RegDeleteValueW
0x408014 RegCreateKeyExW
0x408018 RegSetValueExW
0x40801c RegQueryValueExW
0x408020 RegEnumValueW
Library COMCTL32.dll:
0x408028 ImageList_AddMasked
0x40802c ImageList_Destroy
0x408030 None
0x408034 ImageList_Create
Library ole32.dll:
0x4082bc CoTaskMemFree
0x4082c0 OleInitialize
0x4082c4 OleUninitialize
0x4082c8 CoCreateInstance
Library VERSION.dll:
0x4082b0 GetFileVersionInfoW
0x4082b4 VerQueryValueW

SHGetFolderPathW
SHFOLDER
SHAutoComplete
SHLWAPI
GetUserDefaultUILanguage
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
RegDeleteKeyExW
ADVAPI32
MoveFileExW
GetDiskFreeSpaceExW
KERNEL32
[Rename]
Module32NextW
Module32FirstW
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
Kernel32.DLL
GetModuleBaseNameW
EnumProcessModules
EnumProcesses
PSAPI.DLL
MulDiv
DeleteFileW
FindFirstFileW
FindNextFileW
FindClose
SetFilePointer
MultiByteToWideChar
ReadFile
WriteFile
lstrlenA
WideCharToMultiByte
GetPrivateProfileStringW
WritePrivateProfileStringW
FreeLibrary
LoadLibraryExW
GetModuleHandleW
GlobalFree
GetExitCodeProcess
WaitForSingleObject
GlobalAlloc
ExpandEnvironmentStringsW
lstrcmpW
lstrcmpiW
CloseHandle
SetFileTime
CompareFileTime
SearchPathW
GetShortPathNameW
GetFullPathNameW
MoveFileW
SetCurrentDirectoryW
GetFileAttributesW
GetLastError
CreateDirectoryW
SetFileAttributesW
GetTickCount
CreateFileW
GetFileSize
GetModuleFileNameW
GetCurrentProcess
CopyFileW
ExitProcess
GetWindowsDirectoryW
GetTempPathW
GetCommandLineW
SetErrorMode
lstrcpynA
lstrlenW
lstrcpynW
GetDiskFreeSpaceW
GlobalUnlock
GlobalLock
CreateThread
LoadLibraryW
CreateProcessW
lstrcmpiA
GetTempFileNameW
lstrcatW
GetProcAddress
LoadLibraryA
GetModuleHandleA
OpenProcess
lstrcpyW
GetVersionExW
GetSystemDirectoryW
GetVersion
lstrcpyA
RemoveDirectoryW
lstrcmpA
KERNEL32.dll
EndPaint
DrawTextW
FillRect
GetClientRect
BeginPaint
DefWindowProcW
SendMessageW
InvalidateRect
EnableWindow
LoadImageW
SetWindowLongW
GetDlgItem
IsWindow
FindWindowExW
SendMessageTimeoutW
wsprintfW
ShowWindow
SetForegroundWindow
PostQuitMessage
SetWindowTextW
SetTimer
CreateDialogParamW
DestroyWindow
ExitWindowsEx
CharNextW
GetSysColor
GetWindowLongW
SetCursor
LoadCursorW
CheckDlgButton
GetAsyncKeyState
IsDlgButtonChecked
ScreenToClient
GetMessagePos
CallWindowProcW
IsWindowVisible
LoadBitmapW
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
TrackPopupMenu
GetWindowRect
AppendMenuW
CreatePopupMenu
GetSystemMetrics
EndDialog
EnableMenuItem
GetSystemMenu
SetClassLongW
IsWindowEnabled
SetWindowPos
DialogBoxParamW
GetClassInfoW
CreateWindowExW
SystemParametersInfoW
RegisterClassW
SetDlgItemTextW
GetDlgItemTextW
MessageBoxIndirectW
CharNextA
CharUpperW
CharPrevW
wvsprintfW
DispatchMessageW
PeekMessageW
wsprintfA
USER32.dll
SelectObject
SetTextColor
SetBkMode
CreateFontIndirectW
CreateBrushIndirect
DeleteObject
GetDeviceCaps
SetBkColor
GDI32.dll
SHFileOperationW
ShellExecuteW
SHGetFileInfoW
SHGetPathFromIDListW
SHBrowseForFolderW
SHGetSpecialFolderLocation
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegEnumValueW
RegQueryValueExW
RegSetValueExW
RegCreateKeyExW
RegDeleteValueW
ADVAPI32.dll
ImageList_Destroy
ImageList_AddMasked
ImageList_Create
COMCTL32.dll
CoCreateInstance
OleUninitialize
OleInitialize
CoTaskMemFree
ole32.dll
VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW
VERSION.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46.5-Unicode</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
NullsoftInst
mdX/u
BbF\S
v732Uv
=7D\wc
ALid&L
Uz2@1q
31i^rm*
eHrvb=]w,
U}|vJ7V
Oyp'*[
7]{@i+$X
8th~T;
26i@,q
QM61PO,
V7<]^`
<{&~&z
+o5p ija
_BW.]y
sq\IEV
(yIZs+
Ofu2@|
XI^#lI
OIuh8#
3m;R}t
m/1y=\c?|V
m=)xp5
_}#~j!
T*l;pp".q
$"_}"N
b#+{n[
I23@fb
\~>.y>
O9FNi2#~O^V
gtEy?TD
Z}SOxd!b
k(k$Y7
1L:m>x
"8%j#q
?Krm`;
7rjv_$
tqN<L{+
LN8M[k
ObtA`x
S-[GX;
jD(KLKv
eWhoRQ
(cO kD
/WD[(P
%w/!6^
ZwNHIB
%7 II(
V5j56>Y
#4bz&z
zzj?u:
6q:B.]b
&Nh e/
I^C\|t
MtEAAX
pH`^^Bxm
4:XYG2YU
8VaEYM9
93o?Uh
k?wVYm
*9na&%*P
D7@CT2U
D{{ZFRX
3875HC0X
h:tlf18p,
7-j%bc
R)hz\,
I)VetK
hlsVk~
v[/Z0/
(`<V[t%
=<;(0&d.Rg
M!W_yF
8u20@{
uCRZ%
MGX;]k
5RybAj*
+j0,uu
nQ"@c~P
l2j'\Rb
/wQ,2%
snEj$O{
e(pnYz
op6Dq#
e.G*(@1
I1sNhe
3L>f<s
DNAW]V
tMv@7H<7M
<_r{Au
;"m_dh{G
_|-A)V
L}m>SO
&YO]01
g3~V(c
V\8E=I
A:eHZ+
l9<)xz
:p`gj.
BXIvP6
/lxmw-p
'RJ>ul
f/{$+
=rz:\Od
{&D9Y?
du{8._
viV7&/14
sptE$E
V[qW79
_~E.1MV
\Vf0Y)PMs
OgrbOePd
FM:rwI2
+8;v&v
[+-=8^
:)yOM-
:C_?='
Ak"Y~]{B
inR?Jq
Oi[<6s v{
g=e-n3
z-Cf]+A
7E.yv!
p:Ry9(
U,N3Z^!
~.akFs
Mb 0(
wq9EjSY
mbW:'}
09Q^W
&N=Z;Z
uT@wXd
Z;yz1!
YniS1#
1CpPZ9
*{xiZ+
3[_tB{gH
^6#rOD1
JY75Ux&
}WY,w)
>M%r4op
-me`g<y
l"#Vpb
nS4W%
Wgmnuw
3,sqx*D
"keg11
^&C?sT@
RG:(o%1
[^_5=v!
l@"e&Y
,jHl5v
9vOBU_
e:ky"d
j+C"lja1lK
'?gJc/
s,F$uy
rZ+=5O<H'
74< Uc
\Tgw4z
!Hz0U9C
yCl$G=d
?s32<|
.fW4Y3D
3F8+f8nI*
p0_dl-
K}uwTdD2>
?!tF3p(
^*.<S8
uG{L$I
1}i~]Qa
=0YHGj
(=+Lwj
nd-Xk<
6eEknF@
vj|Mm>ev
kh;u.fb
gGlhDK
uobKk%
A=&qXG
\qvn`z
GDqO(W
}Ce?PE
/#ctyu
KiBsMo
7I&g_}
yzYt%%
=yN8tG
BiapY6[2
21<k?xO
Q>fdU
EtG/Yw1?
U}7+?^
(+KxAy9
}3Sf^k
\4ogI
!QZyyehhg
{XO]k7
dK*WNx
X91uz+
1%4/1cSF
t/Jf00
k;Q^5O
V^kYVQ
logging set to %d
settings logging to %d
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0x%08x"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not initialize OLE
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
GetTTFFontName(%s) returned %s
GetTTFVersionString(%s) returned %s
Exec: failed createprocess ("%s")
Exec: success ("%s")
Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
HideWindow
Pop: stack empty
Exch: stack < %d elements
RMDir: "%s"
MessageBox: %d,"%s"
Delete: "%s"
File: wrote %d to "%s"
File: error, user cancel
File: skipped: "%s" (overwriteflag=%d)
File: error, user abort
File: error, user retry
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename on reboot: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
SetFileAttributes failed.
SetFileAttributes: "%s":%08X
BringToFront
Sleep(%d)
detailprint: %s
Call: %d
Aborting: "%s"
Jump: %d
verifying installer: %d%%
unpacking data: %d%%
... %d%%
Installer integrity check has failed. Common causes include
incomplete download and damaged media. Contact the
installer's author to obtain a new copy.
More information at:
http://nsis.sf.net/NSIS_Error
Error writing temporary file. Make sure your temp folder is valid.
Error launching installer
SeShutdownPrivilege
~nsu.tmp
NSIS Error
install.log
%u.%u%s%s
Skipping section: "%s"
Section: "%s"
New install of "%s" to "%s"
RichEdit
RichEdit20A
RichEd32
RichEd20
.DEFAULT\Control Panel\International
Control Panel\Desktop\ResourceLocale
Software\Microsoft\Windows\CurrentVersion
\Microsoft\Internet Explorer\Quick Launch
*?|<>/":
invalid registry key
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
%02x%c
Unknown
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory invalid input("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile("%s")
%s: failed opening file "%s"
GetTTFNameString
Version
MS Shell Dlg
RichEdit20W
msctls_progress32
SysListView32
Please wait while Setup is loading...
VS_VERSION_INFO
StringFileInfo
000004b0
Comments
For additional details, visit PortableApps.com
CompanyName
PortableApps.com
FileDescription
ZSoft Uninstaller Portable
FileVersion
2.5.0.2
InternalName
ZSoft Uninstaller Portable
LegalCopyright
PortableApps.com Installer Copyright 2007-2012 PortableApps.com.
LegalTrademarks
PortableApps.com is a registered trademark of Rare Ideas, LLC.
OriginalFilename
ZSoftUninstallerPortable_2.5_Rev_3.paf.exe
PortableApps.comAppID
ZSoftUninstallerPortable
PortableApps.comFormatVersion
PortableApps.comInstallerVersion
3.0.6.0
ProductName
ZSoft Uninstaller Portable
ProductVersion
2.5.0.2
VarFileInfo
Translation
Antivirus Signature
Bkav Clean
MicroWorld-eScan Clean
CMC Clean
CAT-QuickHeal Clean
McAfee Clean
Cylance Clean
AegisLab Clean
TheHacker Clean
Alibaba Clean
K7GW Clean
K7AntiVirus Clean
Arcabit Clean
TrendMicro Clean
Baidu Clean
NANO-Antivirus Clean
F-Prot Clean
Symantec Clean
ESET-NOD32 Clean
TrendMicro-HouseCall Clean
Paloalto Clean
ClamAV Clean
Kaspersky Clean
BitDefender Clean
Babable Clean
ViRobot Clean
Tencent Clean
Endgame Clean
Trustlook Clean
Emsisoft Clean
Comodo Clean
F-Secure Clean
DrWeb Clean
Zillya Clean
Invincea Clean
McAfee-GW-Edition Clean
Trapmine Clean
Sophos ZSoft Uninstaller (PUA)
Ikarus Clean
Cyren Clean
Jiangmin Clean
Webroot Clean
Avira Clean
MAX Clean
Antiy-AVL Clean
Kingsoft Clean
Microsoft Clean
SUPERAntiSpyware Clean
ZoneAlarm Clean
Avast-Mobile Clean
GData Clean
AhnLab-V3 Clean
VBA32 Clean
ALYac Clean
TACHYON Clean
Ad-Aware Clean
Malwarebytes Clean
Panda Clean
Zoner Clean
Rising Clean
Yandex Clean
SentinelOne Clean
eGambit Clean
Fortinet Clean
AVG Clean
Cybereason Clean
Avast Clean
CrowdStrike Clean
Qihoo-360 Clean

Process Tree


ZSoftUninstallerPortable_2.5_Rev_3.paf.exe, PID: 1440, Parent PID: 1312


Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (i.e., pip install httpreplay) will allow Cuckoo to do more proper PCAP analysis including but not limited to showing full HTTP and HTTPS (!) requests and responses. It is recommended that you install this library and possibly reprocess any interesting analysis tasks.

Hosts

No hosts contacted.

DNS

No domains contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.128.102 137 192.168.128.255 137
192.168.128.102 138 192.168.128.255 138

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name eae2b033f0b08229_license.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other\Source\License.txt
Size 17.9KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type Pascal source, ASCII text, with CRLF line terminators
MD5 dfb340fbcd40576fcc15069591f30a92
SHA1 358f72786c97f5a0c5b1e591230c592c55b4ca13
SHA256 eae2b033f0b0822913c076f36d498e51450c712b3229c1c83c7d12198fa097ee
CRC32 FA343E8A
ssdeep 384:lq2PmwERb6k/iAVX/dUY2ZpEGMOZ77o6LDMj:lzun1iYWrTXo6LDMj
Yara
  • contentis_base64 - This rule finds for base64 strings
  • embedded_pe - Contains an embedded PE32 file
VirusTotal Search for analysis
Name 5d418245822795ac_appinfo.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\AppInfo\appinfo.ini
Size 533.0B
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 ef6ff64b3df7a4cadacab89dc0d91e80
SHA1 5ee36d907f3e33dc7485168ad88bcd3a6ddc8d55
SHA256 5d418245822795ac7134aeef91debc2b0d104fa3cc2dbcafcf50d6573050f9bb
CRC32 A033B6AD
ssdeep 12:kihSDXF1uiXC9cfmunXCP0yh1XFinTyq3y42WvAU9xrHis3rgIVgXCo:kI0DgceuXKv/qTv3y4r9xrlkTB
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 8ac754b981f295ec_readme.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other\Source\Readme.txt
Size 2.2KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 3fe05586f4960954f4afc98804ec4881
SHA1 0c08abd4c39904ea0b1a8d0de1e0e7f8279736f7
SHA256 8ac754b981f295ec9443049ec652671b0a5979ac9033fdddfbc4088064e29087
CRC32 16356406
ssdeep 48:pofWahjhG4NjHLGQxMTC+F2bpbGTY/ZzywG2lMI:mOahtn9HaQxoCV1GTYZzywG4MI
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 90b91fd92a365158_appicon_128.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\AppInfo\appicon_128.png
Size 6.3KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
MD5 031de8aca41dda19b105cc0fea0bda51
SHA1 83e9e6b12b6928462b6ea1b4bfcaa4ffe8988e43
SHA256 90b91fd92a365158ea3415e497c225f9b4cd3229658ef06726394b2928941bed
CRC32 C9B81CEF
ssdeep 96:VMiEefZPeSUnifvaO5i+L4ZOK5cm7C+wfHszaWE7OzR1UO4dCfJe:V1EWx+QA3ZOK5sfHswSzrU/i8
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name d00abb68b82f4daf_francais.lng
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Francais.lng
Size 11.0KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
MD5 4c0711b9eee74ba05bd0b8058d5c44fc
SHA1 ac4f9adfd7c74f1610d3ea88d2bfb6216cbf4395
SHA256 d00abb68b82f4daf5c169c86732ebca85be565ac0debe7755da91cdc8c6411a2
CRC32 E33B8FB6
ssdeep 192:BV9VS9GWhsToAi+DaEBoU7IGgYN/cRpvH7IDCAHuU8ll/VEytCupsuE1fbQz:BV9VS9GWhuEU7IGgYNCpbIDCkZ8VE0Cc
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 1052bda69dda0c4a_license.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Data\PortableApps.comInstaller\license.ini
Size 44.0B
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 db36c1ead29ba787daa9ea7a98bc27f7
SHA1 8c8fd1a6b0e38c71a048924e4ebac51d60b8740c
SHA256 1052bda69dda0c4a04ef3ef9465007026ca5737a2296e7539529871029024f42
CRC32 77606081
ssdeep 3:WB/WyJXLpkzGUov:WppXLKwv
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 0a9a711b205dc87b_modern-wizard.bmp
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp\modern-wizard.bmp
Size 150.9KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type PC bitmap, Windows 3.x format, 164 x 314 x 24
MD5 55204d08cff24975e88885403f13fd59
SHA1 1aad4f3ceb1c8bdd348385228ea3043f1f0b2427
SHA256 0a9a711b205dc87b6b0fe491253bc1ddb4a46a02f26ab622c209b1311125dd20
CRC32 95D95148
ssdeep 1536:BUPy+RPMI0gVQC6AKEbOOukOtYzpz400XveEDSrP1:2Py+RPMcQCDKzuJ
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 47b9e251c9c90f43_langdll.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp\LangDLL.dll
Size 5.0KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 a1cd3f159ef78d9ace162f067b544fd9
SHA1 72671fdf4bfeeb99b392685bf01081b4a0b3ae66
SHA256 47b9e251c9c90f43e3524965aecc07bd53c8e09c5b9f9862b44c306667e2b0b6
CRC32 A7504246
ssdeep 48:apTVWFeApYx2lxaKe3yfeEIWCGWNpBWLGGrx3pMt4z8mtJ7HofYZVSLa:RFG0xaKkyfjIWTW7BYrhSbmtJ7/V
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_03512_Xtreme_Protector_v1_05_ - [Xtreme-Protector v1.05]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • screenshot - Take screenshot
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name ef3107063b21579b_dutch.lng
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Dutch.lng
Size 11.3KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
MD5 001897b5a31fc9f14394172c93803a09
SHA1 2d96e6a409e4937853bc1103046cf2d0eb9a5c43
SHA256 ef3107063b21579b761113f4d44dd0d88fd7edc8926682fb4aeeb72ea0661c11
CRC32 2BB5F330
ssdeep 192:Kj5xb8PVzqEuaXTbYtfRKtP6tlsGeqPpKySi/sDYoT0J3pJRxIXq40dL313B35ab:KV5RaXMpPo5QXRx0ALACiHElbQz
Yara
  • contentis_base64 - This rule finds for base64 strings
  • embedded_pe - Contains an embedded PE32 file
VirusTotal Search for analysis
Name 26d24f5cf604f940_chinese (simplified).lng
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Chinese (Simplified).lng
Size 7.6KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
MD5 6fcb1bf480bc385618d22b82b63afa41
SHA1 c12695b5b8df09062b90e0daa4acdeeed8f21484
SHA256 26d24f5cf604f9408afe5413ce6d35f7195c5a6e295535e33893f1ba43d91a1c
CRC32 1B2F11F3
ssdeep 96:ZFLNENpp6zX/AI3scq8itPtPJZyb90pev0OxemVJ8yuChHCp27ZpsuEHQu1tbObz:ZJN8MroksctuVhEseqytCupsuE1fbQz
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 46a1d50a869dc7e2_help_logo_top.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other\Help\images\help_logo_top.png
Size 2.5KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type PNG image data, 229 x 47, 8-bit/color RGBA, non-interlaced
MD5 0f024e316973b9d87f3f4c3a1f33c448
SHA1 8ccaf998d7b14731829c0d1104d6fa7a1adc7247
SHA256 46a1d50a869dc7e2c0511cfbc77a15f0092ad9fba0b068736f1e512683a47ee4
CRC32 8F37D7F3
ssdeep 48:NaRbpMYHmHcRu3nh77X9/aoy/b1MUOgmLFu2J:YRbqHSI7TZ/RgSuI
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 88c0749cc9ca14cc_help_background_footer.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other\Help\images\help_background_footer.png
Size 168.0B
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type PNG image data, 10 x 16, 8-bit/color RGB, non-interlaced
MD5 6af4a82693a403b0d0afde16972466f5
SHA1 1ab8a3d0cf22cde23173b6b41521377c0fdbeea8
SHA256 88c0749cc9ca14ccea1af39dffaccf7b7c35e5b5603b1e451fe7fce508252480
CRC32 8468EBFD
ssdeep 3:yionv//thPlHvtntCZRthwkBDsTBZtv9L//gbxCRQe1e//VHgNqUMwF/2g1p:6v/lhPo/nDspvmb8RQe1IgN1MwFdp
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 3828285f446db313_valencian.lng
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Valencian.lng
Size 10.6KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
MD5 dc6b7252ef64dcbe019ac2f1bbea389f
SHA1 700b98f17421c46681a6c22ecedfca984e95978a
SHA256 3828285f446db31306cb1fa41d9c8ce248b53afa27abab54123bc379ef14bcf8
CRC32 8F234082
ssdeep 192:x2iSjYEf4AS9z1alRix9Iixxg1t865iln+W8k1qmV4mCZeqUre1alEnG6ytCupso:xSjYTz1alRm9I+xOKtzFVbCTUre1ayGd
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 3674c2385187449a_badwarevalues.dat
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\DefaultData\badwareValues.dat
Size 1.3KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 5c885e482c581e372c847280545561d2
SHA1 95d4083ffc3cd247edc6badcde6226ebac70b929
SHA256 3674c2385187449af557da48cf264c189af7e5d772287ac5bbc15379db04e6c0
CRC32 5E5C14FE
ssdeep 24:3jc0KGVNVV3V9DM3v7M3qMj20KqMV1V1ri1uSV1r+5V1rnVgVs:3jwGpFs3vY3bj6bffri1vfrMfrnqu
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 15dd9bec2d528168_portableapps.cominstallercustom.nsh
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other\Source\PortableApps.comInstallerCustom.nsh
Size 1.2KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 cb14142bbf359676cad15c2a86724dfe
SHA1 652dbe749be096d6e908a012058fbd4a6d679843
SHA256 15dd9bec2d52816854d0dac88cd8db247805bd4aa00adb5f0e515dde50abf484
CRC32 47D9E679
ssdeep 24:qf3bUTxzbh4JbpoGQzbz4JRrWGOzbur4JuJuDueGu2zbu/4JuFuGYuiGuq:oUlHhg+GQHzCiGOHurVJuaeGu2Hu/VFT
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 4dc1dc9523164b3c_installer.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\AppInfo\installer.ini
Size 302.0B
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 a5051c9bbd865cfbb779e7145818acff
SHA1 950850d0552271e2446111bd008e5970eb89bb94
SHA256 4dc1dc9523164b3cd7a693e1c0ecdf9e055fb4681ef2e07ba65e2d841064f79a
CRC32 F867174F
ssdeep 6:SBDKH47tGQsXvixjnnYW6BeliRX1KGQlxQi3VYIHqlK1RWEgX76gXbzGr:SBWHSsQwKZnnH67X8GQjQ4wK1R8X77X4
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name fc8c58645344c259_italian.lng
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Italian.lng
Size 11.5KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
MD5 07e6bfe751dd509df0a7caa2fb29aa47
SHA1 bfcc00d44d06572031818a2db167c6edb21857af
SHA256 fc8c58645344c259c2e8f1f307e24171731ac74e6cff20f3043e4941a007cd3f
CRC32 1A142C44
ssdeep 192:hksHp3B/hUrJrKGb0BrPS6tn5OvnUZAFk/XeqXCmytCupsuE1fbQz:hkop3BOJrKGQtLPZAFk/XeqF0CiHElbk
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name d227f06d42cc9d1f_swedish.lng
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Swedish.lng
Size 10.0KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
MD5 099381b09729fcf3b46cf5a17a88c3d8
SHA1 7bb9fa3d26c94e7fb32fb5ef7e8ab6a5e0ea35b4
SHA256 d227f06d42cc9d1f4a64a21285038ea33072da545420e5c4cbe6a58639c91a2d
CRC32 E5C89C0E
ssdeep 192:gVoTeCtz1XFZU+X+0+JaXhPEIs8zOSqgJ7/fL018NFyJFAzOiNf7l3G9VqkEzLkc:8YAJaXhXzOUJFyS7lGMhFSxbQz
Yara
  • contentis_base64 - This rule finds for base64 strings
  • embedded_pe - Contains an embedded PE32 file
VirusTotal Search for analysis
Name 58053a49f7c9d07f_appnameportable.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other\Source\AppNamePortable.ini
Size 244.0B
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 8634c50b01d5ea4adc0d9eca692cbb5b
SHA1 ce39ebe17200463b7625a07288bae88c688f0ab8
SHA256 58053a49f7c9d07faceb35c298022d31da5b00b8840e611074475b41ceb9b7e9
CRC32 0A3AE46A
ssdeep 6:IQE7Em2VPVJSgBYlyGqMwIjAIMLyJQBABCXh5XMWJk/71NLyJQBAK:It2hrY8fjI8IMee2cXhX28e2K
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name f530069ef87a1c16_installoptions.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp\InstallOptions.dll
Size 15.0KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 89351a0a6a89519c86c5531e20dab9ea
SHA1 9e801aaaae9e70d8f7fc52f6f12cedc55e4c8a00
SHA256 f530069ef87a1c163c4fd63a3d5b053420ce3d7a98739c70211b4a99f90d6277
CRC32 7FB8A1B8
ssdeep 384:/MnT0MKT/Xwr2izZQ86mpAT8F9lN8Ov0J:EQMKzwTFnVX8i0
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -
VirusTotal Search for analysis
Name fd7396073b8b9a96_polish.lng
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Polish.lng
Size 10.1KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
MD5 50a8fcae1c548879eb46b50a2f3023ec
SHA1 60e753a63fbfebe2accf2338c9783258e2f66c0b
SHA256 fd7396073b8b9a96a9ed9ffd464565d11d2274e2a62f419a8c52847a0362256e
CRC32 B7801549
ssdeep 192:1ZCr3B4JkiV9ZU2LhsfhsHQwpFXKBAFtakF4U4mPXwr8Cuy/Ct6kcmGHjvsSat1w:XCrB4JvRLyfyHQw/XKHzIPAr8Cuy/6cb
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name eeda8a874541d7d1_zsoftuninstallerportable.exe
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\ZSoftUninstallerPortable.exe
Size 152.6KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 1d0d753a3f8c28a7e98545a82e9d2598
SHA1 41d0b65267d55ec67300c77bb3d79169b7f94ac0
SHA256 eeda8a874541d7d18b8db5e1465911a53b3204283970828886332f83680dea5f
CRC32 3E47AD40
ssdeep 3072:xweqOYEUXPn4ZEvqdtX9+kzr2PuTrBh9CiOV2LNHEzwrdCEvRofVC:GEUX6pN+GCmHBnCfCFdCEqfVC
Yara
  • IsPE32 -
  • IsWindowsGUI -
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasDigitalSignature - DigitalSignature Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • escalate_priv - Escalade priviledges
  • screenshot - Take screenshot
  • keylogger - Run a keylogger
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Nullsoft_PiMP_Stub_SFX -
  • CRC32_poly_Constant - Look for CRC32 [poly]
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -
VirusTotal Search for analysis
Name 669022f4c8633dc3_badwarefolders.dat
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\DefaultData\badwareFolders.dat
Size 762.0B
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 76b1d006bace171860123cc05404c6b6
SHA1 725748603810520bf09242e724a3a8662f8e1c31
SHA256 669022f4c8633dc3c15eeaeac5f5d5ca405b9bb0cb8ffe28d8ed4c3c94688509
CRC32 08F8E55C
ssdeep 12:z0UbMEzrzlb4FVqGbYj79X+Rbjbjk6c5jk6cbKjFi+j5jFi+jbKjCm0E41ZAp/jt:z0UbMEznlbAVqGb01unypi2iA3EKE+36
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name cdd6549d79df3834_chinese (traditional).lng
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Chinese (Traditional).lng
Size 7.6KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
MD5 00129d3710bcc6a28aa9d96b6c2f5960
SHA1 1eb2bac372e5ce5713436b86ab62ce7b88961247
SHA256 cdd6549d79df38348419daa5015d24f29fc025d7efcbc48ee83eea183e990b2e
CRC32 AC909318
ssdeep 192:e+WbSj5d4NSNZ26ujL6y7hNi9sOLTw7nytCupsuE1fbQz:e+WKL5NyL64imYTw7n0CiHElbQz
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name e3b0c44298fc1c14_nsm1.tmp
Size 0.0B
Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
ssdeep 3::
Yara None matched
VirusTotal Search for analysis
Name 3ea5bd73c58c39a9_appicon.ico
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\AppInfo\appicon.ico
Size 22.0KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type MS Windows icon resource - 6 icons, 16x16, 256-colors
MD5 96591f00312a73a20e85349fe244efe4
SHA1 3728ce32185032f92aa02ea8822f5e706ac71956
SHA256 3ea5bd73c58c39a998f1b53244e352526579bd2da6882ea1deb261a3c09a6d1e
CRC32 62A1FF85
ssdeep 384:hnlit7ahXPpgZej02X/bWda65e3Y5ZbfqULmhbJaa:9liiXP2ZwbX/qdpyY50r
Yara
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 53bb519e32931649_w7tbp.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp\w7tbp.dll
Size 2.5KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 9a3031cc4cef0dba236a28eecdf0afb5
SHA1 708a76aa56f77f1b0ebc62b023163c2e0426f3ac
SHA256 53bb519e3293164947ac7cbd7e612f637d77a7b863e3534ba1a7e39b350d3c00
CRC32 FF2B5710
ssdeep 24:etGS4R/39doyOzHaikQ7I9lYFxu3GUY1Bk5L2:64RVdojLJGWnWMi5L2
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 373a7b810e8559f1_english.lng
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\English.lng
Size 10.1KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
MD5 889b313fb7e5752b7db3b8e2cb7fd5ca
SHA1 ed6b08b58ed21dcfd95f8c73d1274b1e42d55688
SHA256 373a7b810e8559f1e155049f6b3b98284cd6f9c3ecb961e1b31b130058aa6dd3
CRC32 742C02A3
ssdeep 192:f+fhbSZWUI+JaX7BfXCVTElb4ZPoot9NXEL8ll/VsytCupsuE1fbQz:uCJaX7BKKwQq9NXEL8Vs0CiHElbQz
Yara
  • contentis_base64 - This rule finds for base64 strings
  • embedded_pe - Contains an embedded PE32 file
VirusTotal Search for analysis
Name 9abc52858ae4ddda_donation_button.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other\Help\images\donation_button.png
Size 1.7KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type PNG image data, 110 x 23, 8-bit/color RGBA, non-interlaced
MD5 bab4268c0bc3b3051ff38b21dbe35a44
SHA1 ea7adbbd731bb1747afc9da72340a0444b29abbe
SHA256 9abc52858ae4ddda224ee9d229cb38d252ae9ba46633da4ac14fada25dd489c6
CRC32 F486C53D
ssdeep 24:aoPfexW3T0UjeA2fijjxMhDnUcO7QLgYNw69rFbyQCwbozK8yxkxuE3u5F3pKXTP:aw3T0GeA2yMhocrVN5uXwNF0FGpU
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 7851cb12fa4131f1_system.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp\System.dll
Size 11.0KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 bf712f32249029466fa86756f5546950
SHA1 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
SHA256 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
CRC32 81CA71BF
ssdeep 192:0N2gQuUwXzioj4KALV2upWzVd7q1QDXEbBZ8KxHdGzyS/Kx:rJoiO8V2upW7vQjS/
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01070_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_function_prolog_signature -
  • maldoc_suspicious_strings -
VirusTotal Search for analysis
Name 7616e38bb3b8cc29_zsoftuninstallerportable.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\AppInfo\Launcher\ZSoftUninstallerPortable.ini
Size 928.0B
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 f96163ea0056077f1e56f0f22277dc05
SHA1 36ad45c716059c9827d3ece774c91a0f59e881ae
SHA256 7616e38bb3b8cc298d234f3d13d08f53eca220654eb22b7379d91b59a161121a
CRC32 6836324B
ssdeep 24:JPEwCye7nQ4PI2igTuPKPuF12VEvUi6Mgfbye7n:JPEw7hgIngTuPKPuz4CU6U
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 3959381aab454359_help_background_header.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other\Help\images\help_background_header.png
Size 269.0B
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type PNG image data, 10 x 42, 8-bit/color RGB, non-interlaced
MD5 a1eaee3ccb8169b680415d713720a2fa
SHA1 8cf2eff4faa05a34bfb0b641b8765773c7ac2ed6
SHA256 3959381aab4543593fa69fa7980946dbf0b0bab25924c8b38f6e88f7f69b9c19
CRC32 D14F00B1
ssdeep 6:6v/lhPTnDspO68hvS6IBe0ZZUngZlq+2dp:6v/7Uk68FS6c3UngZlq+2z
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 934e183e6db42c52_settings.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\DefaultData\settings.ini
Size 612.0B
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 527a4e15f8e9f62be0e673ffd286e3ec
SHA1 ad0d54700bcc5d1f35d331c17393b18c26ec4044
SHA256 934e183e6db42c52efbef5c67074d5ec23219bd51fa8283fb62b85f0c9bb78b8
CRC32 42A7BEDF
ssdeep 12:lqeyL++m5KmN3QhQ8y536kAq84CVCntdjkdP3IWQnwQ0Qd0GSNYIp:keYlcDN3QhQ8rkR84oCJnFhd0GlIp
Yara
  • contentis_base64 - This rule finds for base64 strings
Name b06b53681ea0ba09_favicon.ico
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\Other\Help\images\favicon.ico
Size 1.1KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type MS Windows icon resource - 1 icon
MD5 049a352aabb8ced245ceecb94c0a0b2d
SHA1 775b5b199e8312e18f0655daa7b25844fd768602
SHA256 b06b53681ea0ba09ddaa8f8066c990cf5a7c01e65a1910e687a993ac375d1781
CRC32 CE59ADD9
ssdeep 12:GxtRygJlM7LVtY7YMCQrCE+4hoJbmLbJk:ARvl0VaoQr8ntGJk
Yara None matched
Name 784e27da0625ec7c_appicon_16.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\AppInfo\appicon_16.png
Size 735.0B
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
MD5 4895e7ba20da51d050b0cb4ebb4f0880
SHA1 d245b0ab90a038c71405a25fa640b6e6b8b364a2
SHA256 784e27da0625ec7c283040f766588c50cbbd5d542517d6c081f89fafd29b06a5
CRC32 A737EC0A
ssdeep 12:6v/76vzudfY8y5I8SSY3ySb/bOUjrOBKmKrLsXzLhedZdt+b3FtSxiseEXtQp:XudA8YI8Spb/bOGJRIUQnSTNXtS
Yara None matched
Name 12bead1a4e25c8ed_eula.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\AppInfo\EULA.txt
Size 379.0B
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 d93329e6818edc2ec381232895d3586d
SHA1 d009e8c9ea0f900be00bf429f890e3d17f7beaab
SHA256 12bead1a4e25c8ede8d2e58284fec9a2d2bddf10789f8e938d6d673d86ad8d48
CRC32 D3429F91
ssdeep 6:yGXGDjH9SFJgQ5QmYKugvKFW1WMrub1Xy3FO5rmRBPVFtACCW7FPQGQPXM+j:FXGYJgU5eSWsEJy3FOWfpV7FP9QPX/j
Yara None matched
Name 19b4b098b8b3aa27_spanish.lng
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Spanish.lng
Size 10.9KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
MD5 0b0fdf2f87d4e421def42c39235d48b7
SHA1 991b43d6bb3fbc1bf144563256107f137da403ba
SHA256 19b4b098b8b3aa27451aeaaa9b658433e966d4d0153d6094ae9777ce4e583370
CRC32 BD706D81
ssdeep 192:bLku7cbDDcnxOAmRuabk+Uu8zP+g8ll/VEytCupsuE1fbQz:vNi2xFmRu+Gu8z+g8VE0CiHElbQz
Yara
  • contentis_base64 - This rule finds for base64 strings
Name e312456137523ded_russian.lng
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Russian.lng
Size 10.4KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
MD5 a3638fd71a7e0bdb58c39dfe6b3ebfd7
SHA1 19fe2b936fa4b5cfdd7703e1a476d94d9dc61cb6
SHA256 e312456137523ded6d1bb00d36889726e31fa8f5d6eec693d5939e02095a0369
CRC32 58F5A75C
ssdeep 192:nBO/CNDoRfru2DgsNU2LlaFp/XYll/VEytCupsuE1fbQz:nsZuQATp/oVE0CiHElbQz
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 38ccb14f95c41d67_german.lng
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\German.lng
Size 11.2KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
MD5 042e533cac0a0ec9372558e00650c013
SHA1 f1f299bc6f5cd6941aae50a1e6dce9ad69046456
SHA256 38ccb14f95c41d671982a7847ebe1b67c0be0f147001133c938ca40f96f16a32
CRC32 D8739982
ssdeep 192:loWRC4ZRNFaWB+hY07j20RNW4nR2dOH0ytCupsuE1fbQz:D/RVB+hYDdOH00CiHElbQz
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 9f490c6ac7594fad_badwarefiles.dat
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\DefaultData\badwareFiles.dat
Size 268.0B
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 8c6846d470f8b2c5c21eb48f94893d57
SHA1 272a969b546e5663141ab247208ee8b307b07233
SHA256 9f490c6ac7594fad90c7c3763f3184e55d87edff41e20bb8d72d2408f7c23547
CRC32 B85928E8
ssdeep 6:zfxP3tsEFER5p6fxP3tsEFmLsQX2lkRO6oyXdBuO6oBk7R6on6VO6oBWRO6oCVoO:zzssG6zssv56RjfXDujKqsFjKWRjbWO
Yara None matched
Name 1af847e6fc956ffb_iospecial.ini
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp\ioSpecial.ini
Size 1.3KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
MD5 b669b2130cc420e43352f841155159e0
SHA1 a18d5a46884ee0d6df13230a8b6f3256c4912aff
SHA256 1af847e6fc956ffb8466e9da4f206c4c0a1356e5d161ed672c05e19f5bac9ac9
CRC32 BDF6452C
ssdeep 24:Q+sxvtSSAD5ylSXgqWCs7y6Gua9ni/6k8lDdn7CsGNC54u6Gdnx3HTCaH65Oodne:rsx9AQSwqQkuTN8lDFnSEFxeaNoFe
Yara None matched
Name cb7ac7fe148e8021_modern-header.bmp
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp\modern-header.bmp
Size 25.2KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type PC bitmap, Windows 3.x format, 150 x 57 x 24
MD5 a719a35dd5b13986f681985656984e01
SHA1 f9382e2dbdbc59cdfccbbf8c93d7b9f8bd440b59
SHA256 cb7ac7fe148e80214a5aabd7264d01a8102e73d5c4e49dcd831daedf3bade1ab
CRC32 D0AC74DF
ssdeep 48:YeatvImQ3jSW08RhQ3qCtP/Ah5p6N8eAjD5xhSc0Ny2QvRhQuDCI0I:YuTpKrAPp6NCD5/d2MhQu/B
Yara None matched
Name 9b5cd67685397aa9_readme.txt
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\readme.txt
Size 182.0B
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type ASCII text
MD5 194d2c44058761b9b0e5b6add7eee271
SHA1 b08d45917e2f9a0a1db15094d0bdade408198b30
SHA256 9b5cd67685397aa998d9f1cc483444588725d99f789a224c5d40311fd812b8c4
CRC32 2622745F
ssdeep 3:SMbKyPXtH+XR5WOpH/VVJYMQr6eGRMeMQxF+YEJRi6Xt2vGARFKGRjZUvxW9OSbe:DdH+XR5WKoPbzQDuJRPt6zKGRjUQwumJ
Yara None matched
Name 0bfcc093880b7b73_danish.lng
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Danish.lng
Size 10.6KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type ISO-8859 text, with very long lines, with CRLF line terminators
MD5 6578557b71e1f7357811a54d4049f635
SHA1 541ad0ce1453cc3499daeeb3c4f360a2aa1a5bbd
SHA256 0bfcc093880b7b73721668a9371d089d7d59742cd62f6b772c521d2faf2c788c
CRC32 19AD83AC
ssdeep 192:GlGfTSh3RjKrUt6CAETCk5uaS3C/9piFFSELVw3A7TwCnivEDxmmokbzBTWovuAQ:G/pAsCWuaS3c9pCrFwtvEDxXoDJ3BbOS
Yara
  • contentis_base64 - This rule finds for base64 strings
Name a367d20b43096dfb_badwaresearch.dat
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\DefaultData\badwareSearch.dat
Size 326.0B
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 f3014e0a25aeaee85ccde8bab837a7fc
SHA1 791705a24984ec1c7010bec8f35ce2f40bdf9f0f
SHA256 a367d20b43096dfb8596ceebbefc18795552fa5262d676300ee40f3cb0feeb26
CRC32 3872F972
ssdeep 6:AJhkDEXAcHm54tuvC4/JEjZJO802TcC1C/oYATWL8tEYBJ:AJhupECxJEH2/fLwBJ
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 163619fd954bc7a5_uninstallerhelp.chm
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\UninstallerHelp.chm
Size 503.0KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type MS Windows HtmlHelp Data
MD5 44123bceffda40b914bb6669d33d5b5f
SHA1 67e8220988998991e3f960b37577571c7b436f3f
SHA256 163619fd954bc7a58420198ee72488c2cc3ab5644555f05ae746ff8f4f3add90
CRC32 77F0FA24
ssdeep 12288:BeFGgntPwdNM07pi6U0yeQyes0Ki+UJuc/TI68Y:BWPtf0M9dtswuEmY
Yara
  • PEiD_03512_Xtreme_Protector_v1_05_ - [Xtreme-Protector v1.05]
  • contentis_base64 - This rule finds for base64 strings
Name 6289dcc4ea810f9a_portuguese.lng
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Portuguese.lng
Size 12.2KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type ISO-8859 text, with very long lines, with CRLF line terminators
MD5 0c82ff51bbeb0ba7c7319b62b71f7781
SHA1 0f2e1d0eb872cf5d771deb0242af6af1bff3db24
SHA256 6289dcc4ea810f9af3ce24266b3e0b9eb5af5fafa03016d6448c71f4afcdccd7
CRC32 25AB3E21
ssdeep 192:E/uJh2BrhwWQAyzJ9DTbSyVH3r3nMNC/WqAqng9APA80bchukPP1Cp:pMtkTv+mH3r3SuXg92A80/k1Cp
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 05d30b95ba2af7cb_appicon_32.png
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\AppInfo\appicon_32.png
Size 2.2KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
MD5 7d9dfb95872c6d83e947c1d084d2130e
SHA1 9d797a3e02c62f9ae39e834a080b3b5478018c82
SHA256 05d30b95ba2af7cb56ae9d5eb169bd959e50f3e37e563f31f35b09015e7af688
CRC32 7A9AC9D0
ssdeep 48:rs5HcurjAHZ3Ur1ZyzFNQeAKAkDYGwYKg0jIttGtcoccUq/YFIDpUc:41curjA53URZeg3KHvpaqt6cR2/iipUc
Yara None matched
Name c5e22c545161fcb2_badwarekeys.dat
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\DefaultData\badwareKeys.dat
Size 3.1KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type ASCII text, with CRLF line terminators
MD5 63033b6176cbb02418c6d2a9cff81f62
SHA1 38481ba25327fa36673d18b005b3751113a20f57
SHA256 c5e22c545161fcb249ff86107496d61ef2467d98b5efa108e76e5605c6e7fe98
CRC32 511B8120
ssdeep 96:WZXzgpHM0MhMGhZIvigZmYKvzk2dgcatdVuY:5AdY
Yara
  • contentis_base64 - This rule finds for base64 strings
  • Big_Numbers1 - Looks for big numbers 32:sized
Name 52bcc80558f664f0_help.html
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\help.html
Size 4.9KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type HTML document, ASCII text, with CRLF line terminators
MD5 739bfe1a670be73a3c5aa0fed393733d
SHA1 a231215c55649a0f3d5a522f9f2f6f0b4f81f59a
SHA256 52bcc80558f664f0b379441e231f1888113870c66441e7a61dd9754cf39e655e
CRC32 32D7D98D
ssdeep 96:7bspvcz2xym30bysMywr6T7XF+XyeBRzv4loYZHYokulY:7b2kC3Y+xwz+
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 6eb09ce25c7fc62e_findprocdll.dll
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\nsc3.tmp\FindProcDLL.dll
Size 27.5KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 6f73b00aef6c49eac62128ef3eca677e
SHA1 1b6aff67d570e5ee61af2376247590eb49b728a1
SHA256 6eb09ce25c7fc62e44dc2f71761c6d60dd4b2d0c7d15e9651980525103aac0a9
CRC32 F238428A
ssdeep 384:DZoRF0XXUuJReQg0Tw67ADWBTgmldIogUD3GLgFmyaX/fVYcWJQCDmrinogRdBl:DZaF0HtTwuz9yu3KgwRX1nWJ1q+noI
Yara
  • IsPE32 -
  • IsDLL -
  • IsWindowsGUI -
  • HasRichSignature - Rich Signature Check
  • PEiD_00138_Armadillo_v1_71_ - [Armadillo v1.71]
  • PEiD_00153_Armadillo_v1_xx___v2_xx_ - [Armadillo v1.xx - v2.xx]
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_01071_Microsoft_Visual_C___6_0_DLL__Debug__ - [Microsoft Visual C++ 6.0 DLL (Debug)]
  • PEiD_01101_Microsoft_Visual_C___v5_0_v6_0__MFC__ - [Microsoft Visual C++ v5.0/v6.0 (MFC)]
  • PEiD_01103_Microsoft_Visual_C___v6_0_DLL_ - [Microsoft Visual C++ v6.0 DLL]
  • PEiD_01108_Microsoft_Visual_C___v6_0_ - [Microsoft Visual C++ v6.0]
  • PEiD_01125_Microsoft_Visual_C___ - [Microsoft Visual C++]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds for base64 strings
  • Armadillo_v1xx_v2xx_additional -
  • Microsoft_Visual_Cpp_v70_DLL -
  • Microsoft_Visual_Cpp_v50v60_MFC -
  • Microsoft_Visual_Cpp_60_DLL_Debug -
  • Armadillo_v1xx_v2xx -
  • Microsoft_Visual_Cpp_v60_DLL -
  • Microsoft_Visual_Cpp_60 -
  • Armadillov1xxv2xx -
  • maldoc_function_prolog_signature -
  • maldoc_structured_exception_handling -
  • maldoc_suspicious_strings -
Name f1f778c98eb0b160_hungarian.lng
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\lang\Hungarian.lng
Size 10.1KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type Non-ISO extended-ASCII text, with very long lines, with CRLF line terminators
MD5 7fdbc25bb1cebbbde3b690a4ca2f1b6a
SHA1 cfa91605d7b48a2bb187f032f743bd887702854b
SHA256 f1f778c98eb0b160b69430e13c97325981e77ae1125b40ab147db6c76812ca86
CRC32 760BBB34
ssdeep 192:7hhMIGcMTeHCSjzcbjbjDD89eQWZWyBQ0FrW1sKAmH8j0iytCupsuE1fbQz:1ycS3PTee5U0FrXQi0CiHElbQz
Yara
  • contentis_base64 - This rule finds for base64 strings
Name c3a6164ddcbbb67c_uninstaller.exe
Filepath C:\Documents and Settings\zamen\Local Settings\Temp\ZSoftUninstallerPortable\App\ZSoftUninstaller\Uninstaller.exe
Size 589.5KB
Processes 1440 (ZSoftUninstallerPortable_2.5_Rev_3.paf.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 38ae94b4c8ada4d8111c97a201856d84
SHA1 f7ef64b56792a68f671a185b236808e22e337a27
SHA256 c3a6164ddcbbb67cf4c7b00e1fd938433649413729732d8cb76ee10e4f1ca0c4
CRC32 5A0E8CC7
ssdeep 12288:BK347H39MT0TZvHzI8L3tuUGkU5ziEppWDy38ziwr3:B+47H3KT0vHzIM3tj+7QDQ8F
Yara
  • UPX -
  • IsPE32 -
  • IsWindowsGUI -
  • IsPacked - Entropy Check
  • PEiD_00071_Anti007____NsPacK_Private_ - [Anti007 -> NsPacK Private]
  • PEiD_01086_Microsoft_Visual_C___8_0__MFC__ - [Microsoft Visual C++ 8.0 (MFC)]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_02401_UPolyX_0_x____Delikon_ - [UPolyX 0.x -> Delikon]
  • PEiD_02408_UPX____www_upx_sourceforge_net_ - [UPX -> www.upx.sourceforge.net]
  • PEiD_02411_UPX_2_00_3_0X____Markus_Oberhumer___Laszlo_Molnar___John_Reiser_ - [UPX 2.00-3.0X -> Markus Oberhumer & Laszlo Molnar & John Reiser]
  • PEiD_02412_UPX_2_00_3_0X____Markus_Oberhumer__amp__Laszlo_Molnar__amp__John_Reiser_ - [UPX 2.00-3.0X -> Markus Oberhumer &amp; Laszlo Molnar &amp; John Reiser]
  • PEiD_02428_UPX_Protector_v1_0x__2__ - [UPX Protector v1.0x (2)]
  • PEiD_02445_UPX_v0_89_6___v1_02___v1_05___v1_22_Modified_ - [UPX v0.89.6 - v1.02 / v1.05 - v1.22 Modified]
  • PEiD_02447_UPX_v0_89_6___v1_02___v1_05__v1_22__Delphi__stub_ - [UPX v0.89.6 - v1.02 / v1.05 -v1.22 (Delphi) stub]
  • PEiD_02452_UPX_v2_0____Markus__Laszlo___Reiser__h__ - [UPX v2.0 -> Markus, Laszlo & Reiser (h)]
  • PEiD_02453_UPX_v2_0____Markus__Laszlo___Reiser__h__ - [UPX v2.0 -> Markus, Laszlo & Reiser (h)]
  • PEiD_02454_UPX_V2_00_V2_90____Markus_Oberhumer__amp__Laszlo_Molnar__amp__John_Reiser_ - [UPX V2.00-V2.90 -> Markus Oberhumer &amp; Laszlo Molnar &amp; John Reiser]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • screenshot - Take screenshot
  • contentis_base64 - This rule finds for base64 strings
  • UPX_v0896_v102_v105_v122_Delphi_stub_additional -
  • UPX_v0896_v102_v105_v122_Delphi_stub_Laszlo_Markus -
  • UPX_wwwupxsourceforgenet_additional -
  • MSLRH_V031_emadicius -
  • yodas_Protector_v1033_dllocx_Ashkbiz_Danehkar_h -
  • UPX_v0896_v102_v105_v122_Delphi_stub -
  • UPX_wwwupxsourceforgenet -
  • CRC32_poly_Constant - Look for CRC32 [poly]
  • Borland -
  • UPXv20MarkusLaszloReiser -
  • UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser -
  • UPXProtectorv10x2 -
  • UPX20030XMarkusOberhumerLaszloMolnarJohnReiser -
  • maldoc_suspicious_strings -
Sorry! No dropped buffers.
Task ID 641
Mongo ID 5c3626e711d3080d16cdeb92
Cuckoo release 2.0-dev