Analysis

Category Package Started Completed Duration
FILE exe 2025-06-12 10:13:18 2025-06-12 10:44:09 1851 seconds

Options
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1

Log(s)
2024-11-25 13:37:15,194 [root] INFO: Date set to: 20250611T17:20:29, timeout set to: 1800
2025-06-11 18:20:29,582 [root] DEBUG: Starting analyzer from: C:\tmpjeo7jmad
2025-06-11 18:20:29,582 [root] DEBUG: Storing results at: C:\edknEHS
2025-06-11 18:20:29,582 [root] DEBUG: Pipe server name: \\.\PIPE\QWjaLaT
2025-06-11 18:20:29,582 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-11 18:20:29,582 [root] INFO: analysis running as an admin
2025-06-11 18:20:29,582 [root] INFO: analysis package specified: "exe"
2025-06-11 18:20:29,582 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-11 18:20:30,097 [root] DEBUG: imported analysis package "exe"
2025-06-11 18:20:30,097 [root] DEBUG: initializing analysis package "exe"...
2025-06-11 18:20:30,097 [lib.common.common] INFO: wrapping
2025-06-11 18:20:30,097 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-11 18:20:30,097 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\WindowsErrorLookupTo.exe
2025-06-11 18:20:30,097 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-11 18:20:30,097 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-11 18:20:30,097 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-11 18:20:30,097 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-11 18:20:30,394 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-11 18:20:30,441 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-11 18:20:30,472 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-11 18:20:30,472 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-11 18:20:30,488 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-11 18:20:30,488 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-11 18:20:30,488 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-11 18:20:30,504 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-11 18:20:30,504 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-11 18:20:30,504 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-11 18:20:30,504 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-11 18:20:30,504 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-11 18:20:30,504 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-11 18:20:30,504 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-11 18:20:30,504 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-11 18:20:30,504 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-11 18:20:30,504 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-11 18:20:30,504 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-11 18:20:30,644 [modules.auxiliary.digisig] DEBUG: File is not signed
2025-06-11 18:20:30,644 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-11 18:20:31,097 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-11 18:20:31,097 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-11 18:20:31,097 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-11 18:20:31,097 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-11 18:20:31,097 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-11 18:20:31,097 [modules.auxiliary.disguise] INFO: Disguising GUID to c59a3e67-dd86-490e-8d0c-57bd409269e1
2025-06-11 18:20:31,097 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-11 18:20:31,097 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-11 18:20:31,097 [root] DEBUG: attempting to configure 'Human' from data
2025-06-11 18:20:31,097 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-11 18:20:31,097 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-11 18:20:31,097 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-11 18:20:31,097 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-11 18:20:31,097 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-11 18:20:31,097 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-11 18:20:31,097 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-11 18:20:31,097 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-11 18:20:31,097 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-11 18:20:31,097 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-11 18:20:31,097 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-11 18:20:31,097 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-11 18:20:31,097 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-11 18:20:31,097 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-11 18:20:31,113 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmpjeo7jmad\dll\696.ini
2025-06-11 18:20:31,113 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-11 18:20:31,113 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-11 18:20:31,113 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-11 18:20:31,113 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-11 18:20:31,113 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-11 18:20:31,113 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-11 18:20:31,129 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpjeo7jmad\dll\PHaQKJO.dll, loader C:\tmpjeo7jmad\bin\twifUZhO.exe
2025-06-11 18:20:31,191 [root] DEBUG: Loader: IAT patching disabled.
2025-06-11 18:20:31,191 [root] DEBUG: Loader: Injecting process 696 with C:\tmpjeo7jmad\dll\PHaQKJO.dll.
2025-06-11 18:20:31,222 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-11 18:20:31,222 [root] INFO: Disabling sleep skipping.
2025-06-11 18:20:31,222 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-11 18:20:31,222 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-11 18:20:31,222 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-11 18:20:31,222 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-11 18:20:31,222 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-11 18:20:31,238 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-11 18:20:31,238 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-11 18:20:31,254 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-11 18:20:31,254 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF824DE0000, thread 1480, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000
2025-06-11 18:20:31,254 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-11 18:20:31,254 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-11 18:20:31,254 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-11 18:20:31,254 [root] DEBUG: Successfully injected DLL C:\tmpjeo7jmad\dll\PHaQKJO.dll.
2025-06-11 18:20:31,269 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-11 18:20:31, <truncated>

Machine

Name Label Manager Started On Shutdown On Route
win10-2 win10-2 KVM 2025-06-12 10:13:18 2025-06-12 10:43:49 none

File Details

File Name
WindowsErrorLookupTo.exe
File Type PE32 executable (GUI) Intel 80386, for MS Windows
File Size 723537 bytes
MD5 8c90db0373c5927b76764f5a42a49d59
SHA1 3ee9948f3c40addeb46e9109ded4f6def932d610
SHA256 6b02d1305936151043755bc23a178ffc0f25fcc00b63abe3eb399e9511827f81
SHA3-384 0cb9979e068fa09a141242bb64b93ce220df8f55830df9c359ce3336293d61a1b0848d41717e82bedc687af9268d941d
CRC32 AA9DFDCC
TLSH T1B0F4231AE3C05AB7F6B60EB160BB4D255AB2BD1004B5CE5FB7087A8F3E315129614F63
Ssdeep 12288:fEjr5nOE4wrLei8Gvl/xiPGPqV2P/IYgEJAFMHtjf79sglGX1uhQCVfQb3K5:fi9D/eiH5ieigSuXVJsqG6QCS65
Kr~k$YH<
S*\J8
EOk$wR
<'<3<=<G<L<W<[<a<f<l<
@;>n3&
8CG9*
6<n>_
9-SVj
uiAo@,
\qJpIT
O?+qz<N
oG>-h
10qab;
XL){Q
DYVZr1
Y9o?`
x$l_j
4"4/4C4_4i4
v,C0l
+q{UW
USER32.dll
[4mng
0n])h
YX@[|
3"3(30383I3P3e3n3t3|3
0P[Vm
t`<8q
vNo5=bVy~
JMmz!
0S1Sx\
8!808D8X8
GySa:
z4uy@
"Rr^R
JZJ!5[
_+9v{R
olB5T
fN;+Yj
,[fjj"
HiJJ}
J9q?f#[
`0R2?
,=%\5
\NQ&^u
ITJ$L
4ebLJ
Exec: success ("%s")
M0~dw9
~Jy4K-
CreateFontIndirectW
A8zx?
V3$"A;6
>8nlgp
H)5{-v'
RegDeleteKeyExW
=vdqH!HZ
NY,+B
$9j?!
LoadImageW
,Zzj"
n~~HD|
F"V8e1
}$,5\
*9t]5
sB6J/
"^3SF
E}h;h
jn/w(
+1.<N
wE~d0H
lstrcmpiA
K7kor
B%=pZ
^.{s<
8Rich
SH,/g
\uuXX
*iK3|k
F>a7?
CopyFiles "%s"->"%s"
ZJwpu
jhKeId
IfFileExists: file "%s" does not exist, jumping %d
TakVV}
HKEY_CURRENT_USER
GetCurrentProcess
}$Omd
PortableApps.com Installer Copyright 2007-2012 PortableApps.com.
v~yme
^YfVj
3ETmY9
D$,PU
L-:vFA84
i.(b&
3.0.6
pFOOHSNNSMFB&%
dKSYt
SHGetFileInfoW
1&Miz
mQ;HA
H!%q!
?+~7,
.ndata
4a5r5z5
O<-#`!
=/!,L
6=Im>
^ >G vK,C
GetClassInfoW
vsqL9
_j4SvL
<C{nb
4FR-b
NU~WW
u$9Mls
K\&N~
MSs34lw
?2?B?_?j?
GA=;KJf
111;1D1Z1a1y1
/n<&@
ScreenToClient
Translation
vhmlF
S36B@
]wD-~Xl
P.+mn
!f~{+
33/,l
:S{W?
k^C;z
|_9#|
o0O%(
%/oZr
h[2_J
OleUninitialize
t<V2X
-dusOY&B
C.m`4
$]"Sq
FE69Mf
xv8<b
m'Mc"+1
eb]c6
WQ^7q
=TL>l
O[vQA'
^a[Us
;]M$mz
r{|q*
v~Z27
CWVWin|
FCK{YY~
!SA_3
TK*Jj.
NB\)5
iz4;+,
2'2B2d2v2
q][gO
6\)wz
\,9@ID
x"#Vnhd FO
_VCt9l
GetTempFileNameW
db6}1
^O3Mn
8fhxi;2
ProductVersion
Ar6B4Z
5FlK>
@'H@:y
zM=S4
vzo"x
K6#hqHx
#Vhh2@
Instu`
2C>A5Gy
V1sTu_
2y|ay
r_Y!1
jcG-K
H3Uk%
av.-{
aY(.T
+-]q8<t
@k t$
O:Y(9
iL"`y
ShowWindow
Ht@h@
+P}Cr
8|[Te>
xiit/
=)a&n
P>_NN
g6[=\
byAf~
"%}v$S
wnyS{
;L2(Rf
RichEdit
RZdBD PS
-xi6M
f ?{z
`g51U
vv\gz
}|%Z$
>a`3>-
T2o %
iV[aXX&
[z$$a
%/p;8
0*"?%%B
/c*CiK+
.`\'m
u{U:t
^'5iZ!Z
\v;4C
2y'{eWa
WIZP`
Jump: %d
4Dm^.*
%[vm\
File: error, user retry
)@~EN
File: error creating "%s"
!|@#H
\>y[F
69t\9
kioe6^
D>Fz/*
XSS44/3
`WXZ$2
GkcPUU
FtdNkw
4.ACz
F.Y2C
ct#:G
$S{jq&
zKu';v
_)=(e
by/1YZ
G(n9My
|Mdj#U
,/:cl
UA]nd
AO\*8C
!l|]R~!
|YZvV
-W6[X2i
]c~}/
UOSEB
-7B>d
,Y19=
,5H$w{
7G0Lx
I::}[
85HO\^
t]<TW
,aVm?
Y4Rm!d?
DeleteRegKey: "%s\%s"
E1HTd#3p
HKEY_USERS
tnyU6E
|YO y
>MeJbe-
zT;>^
Hs2"wW
LookupPrivilegeValueW
@g 58
R1<=&
s)aU7
PUD>c
lhE<:
Yy8h#
~nsu.tmp
QnpSs
A68@[jmt4*l
CharNextA
g?[Gc
;#;A;H;`;u;
0:I-q
"1?2,1$
AG';6H
uX;'q?
qJvly
u$9Uls
U1q&7
^3p?:x
-2%<C
j=n{w
^u:_C
E@{j/
Delete: "%s"
Hj\("
hbUM8o?E
],j0oI
iUc:F
fA P|
U` 7~"i
MG@.USd
~.X;j
K{6iv
&)-nV6
+DnYk
-sp&/
'To!Ci
2sY+F
ZX.x3g
/./:#
ZWF@x
EHMh6f
GXoTp'
c)444
7.7q7v7
^p9DVYxS
y`u0Xh,e
rbD\G
kT@=L
;-*<f"
1? "&i
1hb!t2o
f58ksIN
k)Di}
xV^\0W
H)ul}UZ
9HFHt
;u{!b
*4'f`N
Q~ ia
&BQ'f]
cnU&wzv0
KC|k?h
RLqc6X
OBt!6@)
0u6TF
settings logging to %d
GetLastError
O*Js:
|>'Sx
:Kq+>
[r0s8
#}kJG
RWJ*(
;K`ya-
av;av
_9$F>
s4R-T
Tnc%O
5},:s
ZsTvvXh
e*UUY
$V?Zdy>
(W(5'
(gp6\
I0[0`0
576@6^6k6
Cd6h%
kDHv!
Skipping section: "%s"
~2>eZ*
y>+B'
EZIoQ
]S^T`
`noO~VM
b!q: qdABf
|:}i]
Unknown
+&/d,-U
._IF7
g%?$@
kX;3-
p}|gP
QZpvy
weCm;N]g
=B ^A
74)F#
*Ujrj
99:f:{:
jNK+r
O@ntBz.
a]l_&N
`*nx\
m.GB~
Ww7RY
GlD"O
B1EgieOx
B}B##
qo_"?o
L'GaQ
Tq5HD
%g#61
_A#fI-
pR;V,'
![1]?VQ3h
x,Zav
884B=
FZ:AN&
"&H:@
@#o\'
W?z.!
]a]a]]
`.rdata
3A#~F
h)rc]
wctEb
nVFOT@
~2n$r
,njy2
r"<C_(
DJ=\|
}\fS'
bGot?
`BBgG
;{AjMs
RegCloseKey
8w)xlc
GetSystemMenu
j52E4
v5l=,
e*}1Of
g ?>X
Q[yP%
RMDir: RemoveDirectory failed("%s")
0mD[~
install.log
yJ:\X
7T4Q|
+cKa`x
{(3\Ih
0PeZm
Y*0G_
9@ Dxa
.q[`O

PE Information

Image Base 0x00400000
Entry Point 0x000039e3
Reported Checksum 0x00000000
Actual Checksum 0x000b8d60
Minimum OS Version 5.0
Compile Time 2012-02-24 19:19:59
Import Hash 32f3282581436269b3a75b6675fe3e08
Icon Exact Hash 2c09465cc979677d65781d9403176c31
Icon Similarity Hash 5c00f471cce984e3b873ef9ade242aed
Icon DHash 71e0e4b8cccccce0

Version Infos

Comments For additional details, visit PortableApps.com
CompanyName PortableApps.com
FileDescription Windows Error Lookup Tool Portable
FileVersion 3.0.7.0
InternalName Windows Error Lookup Tool Portable
LegalCopyright PortableApps.com Installer Copyright 2007-2012 PortableApps.com.
LegalTrademarks PortableApps.com is a registered trademark of Rare Ideas, LLC.
OriginalFilename WindowsErrorLookupToolPortable_3.0.7_English.paf.exe
PortableApps.comAppID WindowsErrorLookupToolPortable
PortableApps.comFormatVersion 3.0.6
PortableApps.comInstallerVersion 3.0.6.0
ProductName Windows Error Lookup Tool Portable
ProductVersion 3.0.7.0
Translation 0x0000 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x00006f10 0x00007000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.50
.rdata 0x00007400 0x00008000 0x00002a92 0x00002c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.39
.data 0x0000a000 0x0000b000 0x00067ebc 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 1.47
.ndata 0x00000000 0x00073000 0x000bd000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rsrc 0x0000a200 0x00130000 0x00018f30 0x00019000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.56
.reloc 0x0000b400 0x00149000 0x00000f8a 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 7.88

Overlay

Offset 0x00023200
Size 0x0008d851

Name Offset Size Language Sub-language Entropy File type
RT_ICON 0x00130328 0x00012524 LANG_ENGLISH SUBLANG_ENGLISH_US 7.98 None
RT_ICON 0x00142850 0x000025a8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.18 None
RT_ICON 0x00144df8 0x000010a8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.51 None
RT_ICON 0x00145ea0 0x00000ea8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.70 None
RT_ICON 0x00146d48 0x000008a8 LANG_ENGLISH SUBLANG_ENGLISH_US 6.02 None
RT_ICON 0x001475f0 0x00000568 LANG_ENGLISH SUBLANG_ENGLISH_US 5.67 None
RT_ICON 0x00147b58 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.84 None
RT_DIALOG 0x00147fc0 0x00000120 LANG_ENGLISH SUBLANG_ENGLISH_US 2.56 None
RT_DIALOG 0x001480e0 0x00000200 LANG_ENGLISH SUBLANG_ENGLISH_US 2.68 None
RT_DIALOG 0x001482e0 0x000000f8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.91 None
RT_DIALOG 0x001483d8 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 2.93 None
RT_GROUP_ICON 0x001484c8 0x00000068 LANG_ENGLISH SUBLANG_ENGLISH_US 2.72 None
RT_VERSION 0x00148530 0x0000063c LANG_NEUTRAL SUBLANG_NEUTRAL 3.38 None
RT_MANIFEST 0x00148b70 0x000003bd LANG_ENGLISH SUBLANG_ENGLISH_US 5.23 None

Imports

Name Address
SetFileTime 0x408060
CompareFileTime 0x408064
SearchPathW 0x408068
GetShortPathNameW 0x40806c
GetFullPathNameW 0x408070
MoveFileW 0x408074
SetCurrentDirectoryW 0x408078
GetFileAttributesW 0x40807c
GetLastError 0x408080
CreateDirectoryW 0x408084
SetFileAttributesW 0x408088
Sleep 0x40808c
GetTickCount 0x408090
CreateFileW 0x408094
GetFileSize 0x408098
GetModuleFileNameW 0x40809c
GetCurrentProcess 0x4080a0
CopyFileW 0x4080a4
ExitProcess 0x4080a8
GetWindowsDirectoryW 0x4080ac
GetTempPathW 0x4080b0
GetCommandLineW 0x4080b4
SetErrorMode 0x4080b8
CloseHandle 0x4080bc
lstrlenW 0x4080c0
lstrcpynW 0x4080c4
GetDiskFreeSpaceW 0x4080c8
GlobalUnlock 0x4080cc
GlobalLock 0x4080d0
CreateThread 0x4080d4
LoadLibraryW 0x4080d8
CreateProcessW 0x4080dc
lstrcmpiA 0x4080e0
GetTempFileNameW 0x4080e4
lstrcatW 0x4080e8
GetProcAddress 0x4080ec
LoadLibraryA 0x4080f0
GetModuleHandleA 0x4080f4
OpenProcess 0x4080f8
lstrcpyW 0x4080fc
GetVersionExW 0x408100
GetSystemDirectoryW 0x408104
GetVersion 0x408108
lstrcpyA 0x40810c
RemoveDirectoryW 0x408110
lstrcmpA 0x408114
lstrcmpiW 0x408118
lstrcmpW 0x40811c
ExpandEnvironmentStringsW 0x408120
GlobalAlloc 0x408124
WaitForSingleObject 0x408128
GetExitCodeProcess 0x40812c
GlobalFree 0x408130
GetModuleHandleW 0x408134
LoadLibraryExW 0x408138
FreeLibrary 0x40813c
WritePrivateProfileStringW 0x408140
GetPrivateProfileStringW 0x408144
WideCharToMultiByte 0x408148
lstrlenA 0x40814c
MulDiv 0x408150
WriteFile 0x408154
ReadFile 0x408158
MultiByteToWideChar 0x40815c
SetFilePointer 0x408160
FindClose 0x408164
FindNextFileW 0x408168
FindFirstFileW 0x40816c
DeleteFileW 0x408170
lstrcpynA 0x408174
Name Address
GetAsyncKeyState 0x408198
IsDlgButtonChecked 0x40819c
ScreenToClient 0x4081a0
GetMessagePos 0x4081a4
CallWindowProcW 0x4081a8
IsWindowVisible 0x4081ac
LoadBitmapW 0x4081b0
CloseClipboard 0x4081b4
SetClipboardData 0x4081b8
EmptyClipboard 0x4081bc
OpenClipboard 0x4081c0
TrackPopupMenu 0x4081c4
GetWindowRect 0x4081c8
AppendMenuW 0x4081cc
CreatePopupMenu 0x4081d0
GetSystemMetrics 0x4081d4
EndDialog 0x4081d8
EnableMenuItem 0x4081dc
GetSystemMenu 0x4081e0
SetClassLongW 0x4081e4
IsWindowEnabled 0x4081e8
SetWindowPos 0x4081ec
DialogBoxParamW 0x4081f0
CheckDlgButton 0x4081f4
CreateWindowExW 0x4081f8
SystemParametersInfoW 0x4081fc
RegisterClassW 0x408200
SetDlgItemTextW 0x408204
GetDlgItemTextW 0x408208
MessageBoxIndirectW 0x40820c
CharNextA 0x408210
CharUpperW 0x408214
CharPrevW 0x408218
wvsprintfW 0x40821c
DispatchMessageW 0x408220
PeekMessageW 0x408224
wsprintfA 0x408228
DestroyWindow 0x40822c
CreateDialogParamW 0x408230
SetTimer 0x408234
SetWindowTextW 0x408238
PostQuitMessage 0x40823c
SetForegroundWindow 0x408240
ShowWindow 0x408244
wsprintfW 0x408248
SendMessageTimeoutW 0x40824c
LoadCursorW 0x408250
SetCursor 0x408254
GetWindowLongW 0x408258
GetSysColor 0x40825c
CharNextW 0x408260
GetClassInfoW 0x408264
ExitWindowsEx 0x408268
IsWindow 0x40826c
GetDlgItem 0x408270
SetWindowLongW 0x408274
LoadImageW 0x408278
GetDC 0x40827c
EnableWindow 0x408280
InvalidateRect 0x408284
SendMessageW 0x408288
DefWindowProcW 0x40828c
BeginPaint 0x408290
GetClientRect 0x408294
FillRect 0x408298
DrawTextW 0x40829c
EndPaint 0x4082a0
FindWindowExW 0x4082a4
Name Address
SetBkColor 0x40803c
GetDeviceCaps 0x408040
DeleteObject 0x408044
CreateBrushIndirect 0x408048
CreateFontIndirectW 0x40804c
SetBkMode 0x408050
SetTextColor 0x408054
SelectObject 0x408058
Name Address
SHBrowseForFolderW 0x40817c
SHGetPathFromIDListW 0x408180
SHGetFileInfoW 0x408184
ShellExecuteW 0x408188
SHFileOperationW 0x40818c
SHGetSpecialFolderLocation 0x408190
Name Address
RegEnumKeyW 0x408000
RegOpenKeyExW 0x408004
RegCloseKey 0x408008
RegDeleteKeyW 0x40800c
RegDeleteValueW 0x408010
RegCreateKeyExW 0x408014
RegSetValueExW 0x408018
RegQueryValueExW 0x40801c
RegEnumValueW 0x408020
Name Address
ImageList_AddMasked 0x408028
ImageList_Destroy 0x40802c
ImageList_Create 0x408034
Name Address
CoTaskMemFree 0x4082bc
OleInitialize 0x4082c0
OleUninitialize 0x4082c4
CoCreateInstance 0x4082c8
Name Address
GetFileVersionInfoSizeW 0x4082ac
GetFileVersionInfoW 0x4082b0
VerQueryValueW 0x4082b4



Processing ( 43.71 seconds )

  • 32.087 ProcessMemory
  • 11.401 CAPE
  • 0.216 BehaviorAnalysis
  • 0.006 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.07 seconds )

  • 0.01 ransomware_files
  • 0.007 antiav_detectreg
  • 0.006 antianalysis_detectfile
  • 0.006 ransomware_extensions
  • 0.004 antiav_detectfile
  • 0.004 infostealer_ftp
  • 0.003 masquerade_process_name
  • 0.003 territorial_disputes_sigs
  • 0.003 ursnif_behavior
  • 0.002 antianalysis_detectreg
  • 0.002 antivm_vbox_files
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 infostealer_mail
  • 0.002 poullight_files
  • 0.001 antidebug_devices
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_files
  • 0.001 antivm_vmware_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 qulab_files
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior

Reporting ( 0.15 seconds )

  • 0.135 CAPASummary
  • 0.011 JsonDump

Signatures

Queries the keyboard layout
Reads data out of its own binary image
self_read: process: WindowsErrorLookupTo.exe, pid: 3732, offset: 0x00000000, length: 0x000b0a4d
self_read: process: WindowsErrorLookupTo.exe, pid: 3732, offset: 0x30785c426331785c, length: 0x0003c000
self_read: process: WindowsErrorLookupTo.exe, pid: 3732, offset: 0x3230785c6331785c, length: 0x00000831
self_read: process: WindowsErrorLookupTo.exe, pid: 3732, offset: 0x3230785c6331785c, length: 0x00014000
self_read: process: WindowsErrorLookupTo.exe, pid: 3732, offset: 0x3238785c6331785c, length: 0x00008000
self_read: process: WindowsErrorLookupTo.exe, pid: 3732, offset: 0x3263785c6331785c, length: 0x00004000
self_read: process: WindowsErrorLookupTo.exe, pid: 3732, offset: 0x785c6230785c0a4d, length: 0x00000004
The binary likely contains encrypted or compressed data
section: {'name': '.rsrc', 'raw_address': '0x0000a200', 'virtual_address': '0x00130000', 'virtual_size': '0x00018f30', 'size_of_data': '0x00019000', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x40000040', 'entropy': '7.56'}
section: {'name': '.reloc', 'raw_address': '0x0000b400', 'virtual_address': '0x00149000', 'virtual_size': '0x00000f8a', 'size_of_data': '0x00001000', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x42000040', 'entropy': '7.88'}
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 3732 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\Generation
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\IsVailContainer
Local\SM0:3732:168:WilStaging_02
Local\MSCTF.Asm.MutexDefault3
CicLoadWinStaWinSta0
Local\MSCTF.CtfMonitorInstMutexDefault3
DefaultTabtip-MainUI
Local\SM0:3732:64:WilError_03
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.