Analysis

Category: FILE
Package: exe
Started: 2025-06-13 06:39:10
Completed: 2025-06-13 07:10:20
Duration: 1870 seconds
Options: procmemdump=1, import_reconstruction=1, unpacker=2, norefer=1, no-iat=1

Analysis Log
2024-11-25 13:37:15,053 [root] INFO: Date set to: 20250612T19:20:09, timeout set to: 1800
2025-06-12 20:20:09,198 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8
2025-06-12 20:20:09,198 [root] DEBUG: Storing results at: C:\fjXeEoN
2025-06-12 20:20:09,198 [root] DEBUG: Pipe server name: \\.\PIPE\OOOCeV
2025-06-12 20:20:09,198 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-12 20:20:09,198 [root] INFO: analysis running as an admin
2025-06-12 20:20:09,198 [root] INFO: analysis package specified: "exe"
2025-06-12 20:20:09,198 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-12 20:20:10,198 [root] DEBUG: imported analysis package "exe"
2025-06-12 20:20:10,276 [root] DEBUG: initializing analysis package "exe"...
2025-06-12 20:20:10,292 [lib.common.common] INFO: wrapping
2025-06-12 20:20:10,292 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-12 20:20:10,292 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\JavaPortableLauncher.exe
2025-06-12 20:20:10,292 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-12 20:20:10,292 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-12 20:20:10,292 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-12 20:20:10,292 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-12 20:20:10,557 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-12 20:20:10,589 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-12 20:20:10,620 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-12 20:20:10,636 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-12 20:20:10,651 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-12 20:20:10,651 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-12 20:20:10,651 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-12 20:20:10,651 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-12 20:20:10,651 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-12 20:20:10,651 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-12 20:20:10,651 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-12 20:20:10,651 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-12 20:20:10,651 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-12 20:20:10,651 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-12 20:20:10,651 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-12 20:20:10,651 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-12 20:20:10,651 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-12 20:20:10,651 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-12 20:20:32,042 [modules.auxiliary.digisig] DEBUG: File has a valid signature
2025-06-12 20:20:32,042 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-12 20:20:32,042 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-12 20:20:32,042 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-12 20:20:32,042 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-12 20:20:32,042 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-12 20:20:32,042 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-12 20:20:32,042 [modules.auxiliary.disguise] INFO: Disguising GUID to cc17bb19-36d5-4bb7-8ca8-ceb2ec530a08
2025-06-12 20:20:32,042 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-12 20:20:32,042 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-12 20:20:32,042 [root] DEBUG: attempting to configure 'Human' from data
2025-06-12 20:20:32,042 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-12 20:20:32,042 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-12 20:20:32,042 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-12 20:20:32,042 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-12 20:20:32,042 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-12 20:20:32,042 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-12 20:20:32,042 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-12 20:20:32,042 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-12 20:20:32,042 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-12 20:20:32,042 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-12 20:20:32,042 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-12 20:20:32,042 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-12 20:20:32,042 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-12 20:20:32,042 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-12 20:20:32,089 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini
2025-06-12 20:20:32,089 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-12 20:20:32,089 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-12 20:20:32,089 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-12 20:20:32,089 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-12 20:20:32,089 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-12 20:20:32,089 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-12 20:20:32,089 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\asYlzPM.dll, loader C:\tmp_gell1p8\bin\UYYnOhpx.exe
2025-06-12 20:20:32,167 [root] DEBUG: Loader: IAT patching disabled.
2025-06-12 20:20:32,182 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\asYlzPM.dll.
2025-06-12 20:20:32,182 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-12 20:20:32,198 [root] INFO: Disabling sleep skipping.
2025-06-12 20:20:32,198 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-12 20:20:32,198 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-12 20:20:32,198 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-12 20:20:32,198 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-12 20:20:32,198 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-12 20:20:32,198 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-12 20:20:32,214 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-12 20:20:32,214 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-12 20:20:32,214 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF822E30000, thread 4660, image base 0x00007FF60D500000, stack from 0x0000008EFABF4000-0x0000008EFAC00000
2025-06-12 20:20:32,214 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-12 20:20:32,229 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-12 20:20:32,229 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-12 20:20:32,229 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\asYlzPM.dll.
2025-06-12 20:20:32,229 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-12 20 <truncated>

Machine

Name: win10-2
Label: win10-2
Manager: KVM
Started On: 2025-06-13 06:39:10
Shutdown On: 2025-06-13 07:10:01
Route: none

File Details

File Name JavaPortableLauncher.exe
File Type PE32 executable (GUI) Intel 80386, for MS Windows
File Size 398736 bytes
MD5 d1ae3480b4ccf2948a89e36628806a22
SHA1 a28bcd82678225ac15321eb3c86c4c784a06bd19
SHA256 7d23eb4f5b2cd52d69a5113c78a6f64da6106cc96a1dda42cacbe426b1217584
SHA3-384 e33f1a3d6909f5e595e3a3ce086c4e8019000460274c4b034df55aa00edaea7dda69df7f2485f748da5de6d6673326c3
CRC32 D068DE17
TLSH T158841296BBD0E062D1630A315AB29BF379B5FC1419154F4377D47A0B3B36280EE1A39E
Ssdeep 12288:BLpr5nOE4wDNS85VMIm5A2pUnUIbXoNei8KMdEN:BLp9DRXVLm55ijbXWCBdEN


PE Information

Image Base 0x00400000
Entry Point 0x000035d8
Reported Checksum 0x0006bae1
Actual Checksum 0x0006bae1
Minimum OS Version 4.0
Compile Time 2021-07-24 22:31:33
Import Hash c05041e01f84e1ccca9c4451f3b6a383
Icon Exact Hash 2c09465cc979677d65781d9403176c31
Icon Similarity Hash 5c00f471cce984e3b873ef9ade242aed
Icon DHash 71e0e4b8cccccce0

Version Infos

Comments For additional details, visit PortableApps.com
CompanyName PortableApps.com
FileDescription jPortable Launcher
FileVersion 6.0.0.0
InternalName jPortable Launcher
LegalCopyright 2007-2021 PortableApps.com, PortableApps.com Installer 3.5.22.0
LegalTrademarks PortableApps.com is a registered trademark of Rare Ideas, LLC.
OriginalFilename JavaPortableLauncher_6.0.paf.exe
PortableApps.comAppID JavaPortableLauncher
PortableApps.comFormatVersion 3.5.22
PortableApps.comInstallerVersion 3.5.22.0
ProductName jPortable Launcher
ProductVersion 6.0.0.0
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x00006572 0x00006600 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.45
.rdata 0x00006a00 0x00008000 0x00001398 0x00001400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.14
.data 0x00007e00 0x0000a000 0x00066378 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.09
.ndata 0x00000000 0x00071000 0x0015c000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rsrc 0x00008400 0x001cd000 0x0001c6e8 0x0001c800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.24

Overlay

Offset 0x00024c00
Size 0x0003c990

Resources

Name Offset Size Language Sub-language Entropy File type
RT_ICON 0x001cd958 0x00012524 LANG_ENGLISH SUBLANG_ENGLISH_US 7.98 None
RT_ICON 0x001dfe80 0x000025a8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.17 None
RT_ICON 0x001e2428 0x000010a8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.51 None
RT_ICON 0x001e34d0 0x00000ea8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.70 None
RT_ICON 0x001e4378 0x00000988 LANG_ENGLISH SUBLANG_ENGLISH_US 5.65 None
RT_ICON 0x001e4d00 0x000008a8 LANG_ENGLISH SUBLANG_ENGLISH_US 6.02 None
RT_ICON 0x001e55a8 0x00000568 LANG_ENGLISH SUBLANG_ENGLISH_US 5.67 None
RT_ICON 0x001e5b10 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.84 None
RT_DIALOG 0x001e5f78 0x00000120 LANG_ENGLISH SUBLANG_ENGLISH_US 2.56 None
RT_DIALOG 0x001e6098 0x00000200 LANG_ENGLISH SUBLANG_ENGLISH_US 2.68 None
RT_DIALOG 0x001e6298 0x000000f8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.91 None
RT_DIALOG 0x001e6390 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 2.93 None
RT_DIALOG 0x001e6480 0x00000120 LANG_ENGLISH SUBLANG_ENGLISH_US 2.84 None
RT_DIALOG 0x001e65a0 0x00000200 LANG_ENGLISH SUBLANG_ENGLISH_US 2.96 None
RT_DIALOG 0x001e67a0 0x000000f8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.11 None
RT_DIALOG 0x001e6898 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 3.09 None
RT_DIALOG 0x001e6988 0x00000120 LANG_ENGLISH SUBLANG_ENGLISH_US 2.84 None
RT_DIALOG 0x001e6aa8 0x00000200 LANG_ENGLISH SUBLANG_ENGLISH_US 2.96 None
RT_DIALOG 0x001e6ca8 0x000000f8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.11 None
RT_DIALOG 0x001e6da0 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 3.09 None
RT_DIALOG 0x001e6e90 0x00000120 LANG_ENGLISH SUBLANG_ENGLISH_US 2.84 None
RT_DIALOG 0x001e6fb0 0x00000200 LANG_ENGLISH SUBLANG_ENGLISH_US 2.96 None
RT_DIALOG 0x001e71b0 0x000000f8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.11 None
RT_DIALOG 0x001e72a8 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 3.09 None
RT_DIALOG 0x001e7398 0x00000118 LANG_ENGLISH SUBLANG_ENGLISH_US 2.65 None
RT_DIALOG 0x001e74b0 0x000001f8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.73 None
RT_DIALOG 0x001e76a8 0x000000f0 LANG_ENGLISH SUBLANG_ENGLISH_US 3.05 None
RT_DIALOG 0x001e7798 0x000000e6 LANG_ENGLISH SUBLANG_ENGLISH_US 3.13 None
RT_DIALOG 0x001e7880 0x0000010c LANG_ENGLISH SUBLANG_ENGLISH_US 2.48 None
RT_DIALOG 0x001e7990 0x000001ec LANG_ENGLISH SUBLANG_ENGLISH_US 2.62 None
RT_DIALOG 0x001e7b80 0x000000e4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.86 None
RT_DIALOG 0x001e7c68 0x000000da LANG_ENGLISH SUBLANG_ENGLISH_US 2.96 None
RT_DIALOG 0x001e7d48 0x00000120 LANG_ENGLISH SUBLANG_ENGLISH_US 2.84 None
RT_DIALOG 0x001e7e68 0x00000200 LANG_ENGLISH SUBLANG_ENGLISH_US 2.96 None
RT_DIALOG 0x001e8068 0x000000f8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.11 None
RT_DIALOG 0x001e8160 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 3.09 None
RT_DIALOG 0x001e8250 0x0000010c LANG_ENGLISH SUBLANG_ENGLISH_US 2.48 None
RT_DIALOG 0x001e8360 0x000001ec LANG_ENGLISH SUBLANG_ENGLISH_US 2.63 None
RT_DIALOG 0x001e8550 0x000000e4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.87 None
RT_DIALOG 0x001e8638 0x000000da LANG_ENGLISH SUBLANG_ENGLISH_US 2.96 None
RT_DIALOG 0x001e8718 0x00000110 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 None
RT_DIALOG 0x001e8828 0x000001f0 LANG_ENGLISH SUBLANG_ENGLISH_US 2.68 None
RT_DIALOG 0x001e8a18 0x000000e8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.97 None
RT_DIALOG 0x001e8b00 0x000000de LANG_ENGLISH SUBLANG_ENGLISH_US 3.07 None
RT_GROUP_ICON 0x001e8be0 0x00000076 LANG_ENGLISH SUBLANG_ENGLISH_US 2.80 None
RT_VERSION 0x001e8c58 0x000005a4 LANG_ENGLISH SUBLANG_ENGLISH_US 3.38 None
RT_MANIFEST 0x001e9200 0x000004e3 LANG_ENGLISH SUBLANG_ENGLISH_US 5.29 None

Imports

ADVAPI32.dll

Name Address
RegCreateKeyExW 0x408000
RegEnumKeyW 0x408004
RegQueryValueExW 0x408008
RegSetValueExW 0x40800c
RegCloseKey 0x408010
RegDeleteValueW 0x408014
RegDeleteKeyW 0x408018
AdjustTokenPrivileges 0x40801c
LookupPrivilegeValueW 0x408020
OpenProcessToken 0x408024
SetFileSecurityW 0x408028
RegOpenKeyExW 0x40802c
RegEnumValueW 0x408030
Name Address
SHGetSpecialFolderLocation 0x408178
SHFileOperationW 0x40817c
SHBrowseForFolderW 0x408180
SHGetPathFromIDListW 0x408184
ShellExecuteExW 0x408188
SHGetFileInfoW 0x40818c
Name Address
OleInitialize 0x408298
OleUninitialize 0x40829c
CoCreateInstance 0x4082a0
IIDFromString 0x4082a4
CoTaskMemFree 0x4082a8
Name Address
ImageList_Create 0x40803c
ImageList_Destroy 0x408040
ImageList_AddMasked 0x408044
Name Address
GetClientRect 0x408194
EndPaint 0x408198
DrawTextW 0x40819c
IsWindowEnabled 0x4081a0
DispatchMessageW 0x4081a4
wsprintfA 0x4081a8
CharNextA 0x4081ac
CharPrevW 0x4081b0
MessageBoxIndirectW 0x4081b4
GetDlgItemTextW 0x4081b8
SetDlgItemTextW 0x4081bc
GetSystemMetrics 0x4081c0
FillRect 0x4081c4
AppendMenuW 0x4081c8
TrackPopupMenu 0x4081cc
OpenClipboard 0x4081d0
SetClipboardData 0x4081d4
CloseClipboard 0x4081d8
IsWindowVisible 0x4081dc
CallWindowProcW 0x4081e0
GetMessagePos 0x4081e4
CheckDlgButton 0x4081e8
LoadCursorW 0x4081ec
SetCursor 0x4081f0
GetWindowLongW 0x4081f4
GetSysColor 0x4081f8
SetWindowPos 0x4081fc
PeekMessageW 0x408200
SetClassLongW 0x408204
GetSystemMenu 0x408208
EnableMenuItem 0x40820c
GetWindowRect 0x408210
ScreenToClient 0x408214
EndDialog 0x408218
RegisterClassW 0x40821c
SystemParametersInfoW 0x408220
CreateWindowExW 0x408224
GetClassInfoW 0x408228
DialogBoxParamW 0x40822c
CharNextW 0x408230
ExitWindowsEx 0x408234
DestroyWindow 0x408238
CreateDialogParamW 0x40823c
SetTimer 0x408240
SetWindowTextW 0x408244
PostQuitMessage 0x408248
SetForegroundWindow 0x40824c
ShowWindow 0x408250
wsprintfW 0x408254
SendMessageTimeoutW 0x408258
FindWindowExW 0x40825c
IsWindow 0x408260
GetDlgItem 0x408264
SetWindowLongW 0x408268
LoadImageW 0x40826c
GetDC 0x408270
ReleaseDC 0x408274
EnableWindow 0x408278
InvalidateRect 0x40827c
SendMessageW 0x408280
DefWindowProcW 0x408284
BeginPaint 0x408288
EmptyClipboard 0x40828c
CreatePopupMenu 0x408290
Name Address
SetBkMode 0x40804c
SetBkColor 0x408050
GetDeviceCaps 0x408054
CreateFontIndirectW 0x408058
CreateBrushIndirect 0x40805c
DeleteObject 0x408060
SetTextColor 0x408064
SelectObject 0x408068
Name Address
GetExitCodeProcess 0x408070
WaitForSingleObject 0x408074
GetModuleHandleA 0x408078
GetProcAddress 0x40807c
GetSystemDirectoryW 0x408080
lstrcatW 0x408084
Sleep 0x408088
lstrcpyA 0x40808c
WriteFile 0x408090
GetTempFileNameW 0x408094
lstrcmpiA 0x408098
RemoveDirectoryW 0x40809c
CreateProcessW 0x4080a0
CreateDirectoryW 0x4080a4
GetLastError 0x4080a8
CreateThread 0x4080ac
GlobalLock 0x4080b0
GlobalUnlock 0x4080b4
GetDiskFreeSpaceW 0x4080b8
WideCharToMultiByte 0x4080bc
lstrcpynW 0x4080c0
lstrlenW 0x4080c4
SetErrorMode 0x4080c8
GetVersion 0x4080cc
GetCommandLineW 0x4080d0
GetTempPathW 0x4080d4
GetWindowsDirectoryW 0x4080d8
SetEnvironmentVariableW 0x4080dc
ExitProcess 0x4080e0
CopyFileW 0x4080e4
GetCurrentProcess 0x4080e8
GetModuleFileNameW 0x4080ec
GetFileSize 0x4080f0
CreateFileW 0x4080f4
GetTickCount 0x4080f8
MulDiv 0x4080fc
SetFileAttributesW 0x408100
GetFileAttributesW 0x408104
SetCurrentDirectoryW 0x408108
MoveFileW 0x40810c
GetFullPathNameW 0x408110
GetShortPathNameW 0x408114
SearchPathW 0x408118
CompareFileTime 0x40811c
SetFileTime 0x408120
CloseHandle 0x408124
lstrcmpiW 0x408128
lstrcmpW 0x40812c
ExpandEnvironmentStringsW 0x408130
GlobalFree 0x408134
GlobalAlloc 0x408138
GetModuleHandleW 0x40813c
LoadLibraryExW 0x408140
MoveFileExW 0x408144
FreeLibrary 0x408148
WritePrivateProfileStringW 0x40814c
GetPrivateProfileStringW 0x408150
lstrlenA 0x408154
MultiByteToWideChar 0x408158
ReadFile 0x40815c
SetFilePointer 0x408160
FindClose 0x408164
FindNextFileW 0x408168
FindFirstFileW 0x40816c
DeleteFileW 0x408170


Usage


Processing ( 36.53 seconds )

  • 32.374 ProcessMemory
  • 2.554 BehaviorAnalysis
  • 1.573 CAPE
  • 0.027 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.06 seconds )

  • 0.008 ransomware_files
  • 0.007 antiav_detectreg
  • 0.005 antianalysis_detectfile
  • 0.005 ransomware_extensions
  • 0.003 antiav_detectfile
  • 0.003 infostealer_ftp
  • 0.003 territorial_disputes_sigs
  • 0.003 ursnif_behavior
  • 0.002 antianalysis_detectreg
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.002 masquerade_process_name
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 uac_bypass_cmstpcom
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior

Reporting ( 1.80 seconds )

  • 1.667 CAPASummary
  • 0.133 JsonDump

Signatures

Queries the keyboard layout
Enumerates running processes
process: System with pid 4
process: Registry with pid 92
process: smss.exe with pid 384
process: csrss.exe with pid 476
process: wininit.exe with pid 552
process: services.exe with pid 656
process: lsass.exe with pid 696
process: fontdrvhost.exe with pid 784
process: svchost.exe with pid 808
process: svchost.exe with pid 924
process: svchost.exe with pid 976
process: svchost.exe with pid 1036
process: svchost.exe with pid 1108
process: svchost.exe with pid 1116
process: svchost.exe with pid 1204
process: svchost.exe with pid 1240
process: svchost.exe with pid 1296
process: svchost.exe with pid 1348
process: svchost.exe with pid 1392
process: svchost.exe with pid 1428
process: svchost.exe with pid 1452
process: svchost.exe with pid 1544
process: svchost.exe with pid 1552
process: svchost.exe with pid 1676
process: svchost.exe with pid 1756
process: svchost.exe with pid 1772
process: svchost.exe with pid 1788
process: Memory Compression with pid 1844
process: svchost.exe with pid 1864
process: svchost.exe with pid 1940
process: svchost.exe with pid 1964
process: svchost.exe with pid 1976
process: svchost.exe with pid 1364
process: svchost.exe with pid 2024
process: svchost.exe with pid 1692
process: svchost.exe with pid 2116
process: svchost.exe with pid 2128
process: svchost.exe with pid 2136
process: svchost.exe with pid 2144
process: svchost.exe with pid 2252
process: spoolsv.exe with pid 2340
process: svchost.exe with pid 2384
process: svchost.exe with pid 2416
process: svchost.exe with pid 2568
process: svchost.exe with pid 2580
process: svchost.exe with pid 2596
process: svchost.exe with pid 2608
process: svchost.exe with pid 2640
process: svchost.exe with pid 2736
process: svchost.exe with pid 2756
process: svchost.exe with pid 2764
process: MsMpEng.exe with pid 2772
process: svchost.exe with pid 2800
process: svchost.exe with pid 2852
process: svchost.exe with pid 3136
process: svchost.exe with pid 3772
process: svchost.exe with pid 3912
process: MicrosoftEdgeUpdate.exe with pid 3080
process: svchost.exe with pid 64
process: svchost.exe with pid 820
process: svchost.exe with pid 3692
process: SearchIndexer.exe with pid 5088
process: svchost.exe with pid 5940
process: svchost.exe with pid 6084
process: svchost.exe with pid 6092
process: svchost.exe with pid 5208
process: svchost.exe with pid 3440
process: dasHost.exe with pid 4544
process: svchost.exe with pid 4576
process: SecurityHealthService.exe with pid 4392
process: NisSrv.exe with pid 5416
process: svchost.exe with pid 6748
process: svchost.exe with pid 7040
process: svchost.exe with pid 6580
process: SgrmBroker.exe with pid 1796
process: svchost.exe with pid 6248
process: svchost.exe with pid 572
process: svchost.exe with pid 3184
process: svchost.exe with pid 3180
process: svchost.exe with pid 5236
process: svchost.exe with pid 1572
process: svchost.exe with pid 5020
process: csrss.exe with pid 6676
process: winlogon.exe with pid 780
process: fontdrvhost.exe with pid 4680
process: dwm.exe with pid 3860
process: sihost.exe with pid 2360
process: svchost.exe with pid 2216
process: svchost.exe with pid 6832
process: svchost.exe with pid 5524
process: taskhostw.exe with pid 7156
process: explorer.exe with pid 640
process: svchost.exe with pid 4968
process: StartMenuExperienceHost.exe with pid 4628
process: RuntimeBroker.exe with pid 6224
process: SearchApp.exe with pid 2060
process: RuntimeBroker.exe with pid 2732
process: SearchApp.exe with pid 952
process: ctfmon.exe with pid 5664
process: SkypeBackgroundHost.exe with pid 648
process: TextInputHost.exe with pid 676
process: smartscreen.exe with pid 5572
process: RuntimeBroker.exe with pid 6932
process: SecurityHealthSystray.exe with pid 5404
process: OneDrive.exe with pid 4508
process: SystemSettings.exe with pid 5096
process: ApplicationFrameHost.exe with pid 4160
process: UserOOBEBroker.exe with pid 5852
process: audiodg.exe with pid 5596
process: dllhost.exe with pid 1856
process: svchost.exe with pid 1632
process: ShellExperienceHost.exe with pid 5964
process: RuntimeBroker.exe with pid 6872
process: conhost.exe with pid 2892
process: upfc.exe with pid 2652
process: svchost.exe with pid 6844
process: backgroundTaskHost.exe with pid 6980
process: CompatTelRunner.exe with pid 3432
process: TrustedInstaller.exe with pid 1988
process: TiWorker.exe with pid 6564
process: conhost.exe with pid 6628
process: MoUsoCoreWorker.exe with pid 4744
process: sppsvc.exe with pid 2456
process: svchost.exe with pid 1664
process: RuntimeBroker.exe with pid 4344
process: SppExtComObj.Exe with pid 6516
process: RuntimeBroker.exe with pid 2976
process: svchost.exe with pid 4556
process: svchost.exe with pid 3800
process: JavaPortableLauncher.exe with pid 4888
Expresses interest in specific running processes
process: JavaPortableLauncher.exe
process: svchost.exe
Reads data out of its own binary image
self_read: process: JavaPortableLauncher.exe, pid: 4888, offset: 0x00000000, length: 0x0005f3ea
self_read: process: JavaPortableLauncher.exe, pid: 4888, offset: 0x30785c4c6331785c, length: 0x00004000
self_read: process: JavaPortableLauncher.exe, pid: 4888, offset: 0x3366785c6165785c, length: 0x00000004
self_read: process: JavaPortableLauncher.exe, pid: 4888, offset: 0x6338785c6331785c, length: 0x00010000
The binary likely contains encrypted or compressed data
section: {'name': '.rsrc', 'raw_address': '0x00008400', 'virtual_address': '0x001cd000', 'virtual_size': '0x0001c6e8', 'size_of_data': '0x0001c800', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x40000040', 'entropy': '7.24'}
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 4888 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Windows\System32\SHCore.dll
C:\Windows\System32\kernel.appcore.dll
C:\Windows\System32\bcryptPrimitives.dll
\Device\CNG
\??\MountPointManager
C:\Users\Packager\AppData\Local\Temp\
C:\Users\Packager\AppData\Local\Temp
C:\Users\Packager\AppData\Local\Temp\nsw428A.tmp
C:\Users\Packager\AppData\Local\Temp\JavaPortableLauncher.exe
C:\Users\Packager\AppData\Local\Temp\nsc42F9.tmp
C:\Users\Packager\AppData\Local\Temp\nsh4367.tmp
C:\Users
C:\Users\Packager
C:\Users\Packager\AppData
C:\Users\Packager\AppData\Local
C:\Users\Packager\AppData\Local\Temp\nsh4367.tmp\LangDLL.dll
C:\Windows\System32\msctf.dll
C:\Users\Packager\AppData\Local\Temp\JavaPortableLauncher.exe.Local\
C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984
C:\Windows\System32\UXTHEME.dll.Config
C:\Windows\System32\uxtheme.dll
C:\Windows\System32\textinputframework.dll
C:\Windows\System32\CoreUIComponents.dll
C:\Windows\System32\CoreMessaging.dll
C:\Windows\System32\WinTypes.dll
C:\Windows\SystemResources\USER32.dll.mun
C:\Windows\Fonts\staticcache.dat
C:\Windows\System32\TextShaping.dll
C:\Users\Packager\PortableApps\*.*
C:\Users\Packager\AppData\Local\Temp\nsh4367.tmp\System.dll
C:\PortableApps
C:\Windows\System32\imageres.dll
C:\Windows\SystemResources\imageres.dll.mun
C:\Users\Packager\AppData\Local\Temp\nsc42F9.tmp
C:\Users\Packager\AppData\Local\Temp\nsh4367.tmp\LangDLL.dll
C:\Users\Packager\AppData\Local\Temp\nsh4367.tmp\System.dll
C:\Users\Packager\AppData\Local\Temp\nsw428A.tmp
C:\Users\Packager\AppData\Local\Temp\nsh4367.tmp
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_CURRENT_USER
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\Generation
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\JavaPortableLauncher.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\AppCompatClassName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\IsVailContainer
HKEY_LOCAL_MACHINE\Software\Microsoft\Input
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\ResyncResetTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\MaxResyncAttempts
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Shell Dlg 2
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\Generation
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\IsVailContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\ResyncResetTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\MaxResyncAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
Local\SM0:4888:168:WilStaging_02
Local\MSCTF.Asm.MutexDefault3
CicLoadWinStaWinSta0
Local\MSCTF.CtfMonitorInstMutexDefault3
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.