Analysis

Category: FILE
Package: exe
Started: 2025-06-13 15:59:00
Completed: 2025-06-13 16:30:08
Duration: 1868 seconds
Options:
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1
Analysis log:
2024-11-25 13:37:15,131 [root] INFO: Date set to: 20250613T10:27:48, timeout set to: 1800
2025-06-13 11:27:48,384 [root] DEBUG: Starting analyzer from: C:\tmpjeo7jmad
2025-06-13 11:27:48,384 [root] DEBUG: Storing results at: C:\mZmWgxH
2025-06-13 11:27:48,384 [root] DEBUG: Pipe server name: \\.\PIPE\gxpNJC
2025-06-13 11:27:48,384 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-13 11:27:48,399 [root] INFO: analysis running as an admin
2025-06-13 11:27:48,399 [root] INFO: analysis package specified: "exe"
2025-06-13 11:27:48,399 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-13 11:27:49,103 [root] DEBUG: imported analysis package "exe"
2025-06-13 11:27:49,103 [root] DEBUG: initializing analysis package "exe"...
2025-06-13 11:27:49,103 [lib.common.common] INFO: wrapping
2025-06-13 11:27:49,103 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-13 11:27:49,103 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\mweather.exe
2025-06-13 11:27:49,103 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-13 11:27:49,103 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-13 11:27:49,103 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-13 11:27:49,103 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-13 11:27:49,431 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-13 11:27:49,462 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-13 11:27:49,525 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-13 11:27:49,540 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-13 11:27:49,556 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-13 11:27:49,556 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-13 11:27:49,556 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-13 11:27:49,556 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-13 11:27:49,556 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-13 11:27:49,556 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-13 11:27:49,556 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-13 11:27:49,556 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-13 11:27:49,556 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-13 11:27:49,556 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-13 11:27:49,556 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-13 11:27:49,556 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-13 11:27:49,556 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-13 11:27:49,556 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-13 11:28:12,009 [modules.auxiliary.digisig] DEBUG: File has a valid signature
2025-06-13 11:28:12,009 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-13 11:28:12,009 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-13 11:28:12,009 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-13 11:28:12,009 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-13 11:28:12,009 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-13 11:28:12,009 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-13 11:28:12,009 [modules.auxiliary.disguise] INFO: Disguising GUID to cb6d534e-00ef-4727-a10a-526343788069
2025-06-13 11:28:12,009 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-13 11:28:12,009 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-13 11:28:12,009 [root] DEBUG: attempting to configure 'Human' from data
2025-06-13 11:28:12,009 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-13 11:28:12,009 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-13 11:28:12,009 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-13 11:28:12,009 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-13 11:28:12,009 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-13 11:28:12,009 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-13 11:28:12,009 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-13 11:28:12,009 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-13 11:28:12,009 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-13 11:28:12,025 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-13 11:28:12,025 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-13 11:28:12,025 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-13 11:28:12,025 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-13 11:28:12,025 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-13 11:28:12,040 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmpjeo7jmad\dll\696.ini
2025-06-13 11:28:12,040 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-13 11:28:12,040 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-13 11:28:12,040 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-13 11:28:12,040 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-13 11:28:12,040 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-13 11:28:12,040 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-13 11:28:12,056 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpjeo7jmad\dll\yLKHDT.dll, loader C:\tmpjeo7jmad\bin\wBsGnKoA.exe
2025-06-13 11:28:12,103 [root] DEBUG: Loader: IAT patching disabled.
2025-06-13 11:28:12,103 [root] DEBUG: Loader: Injecting process 696 with C:\tmpjeo7jmad\dll\yLKHDT.dll.
2025-06-13 11:28:12,103 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-13 11:28:12,103 [root] INFO: Disabling sleep skipping.
2025-06-13 11:28:12,103 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-13 11:28:12,103 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-13 11:28:12,103 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-13 11:28:12,103 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-13 11:28:12,118 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-13 11:28:12,118 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-13 11:28:12,118 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-13 11:28:12,118 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-13 11:28:12,118 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF822E30000, thread 4512, image base 0x00007FF60D500000, stack from 0x0000008EFACF4000-0x0000008EFAD00000
2025-06-13 11:28:12,118 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-13 11:28:12,134 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-13 11:28:12,134 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-13 11:28:12,134 [root] DEBUG: Successfully injected DLL C:\tmpjeo7jmad\dll\yLKHDT.dll.
2025-06-13 11:28:12,134 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-13 11:28:12,134 [roo <truncated>

Machine

Name: win10-2
Label: win10-2
Manager: KVM
Started On: 2025-06-13 15:59:00
Shutdown On: 2025-06-13 16:29:49
Route: none

File Details

File Name
mweather.exe
File Type PE32 executable (GUI) Intel 80386, for MS Windows
File Size 226512 bytes
MD5 2658cdfbda1bc05deb286ddc3aeb42ca
SHA1 76529f1ff08627d44b55eea9bf10cae0914f74db
SHA256 59fa9085953abde6f22d4aaa5b4c4a2708de275aec2f27c41f59213bbe6a7a90
SHA3-384 b2ebf9bf363988735554168be0b9665133f1898b890164eb6119750f00ee3154054120129982511aeea3345238242175
CRC32 88A3DEEC
TLSH T17A24DF67CA241C84EAD8CC3585DF9CB61930F817C0997ABA53D08C6F6E23EF5EA5510E
Ssdeep 3072:GrRcQHL5SvCHT0a1j/4AA8qiCYGk4ccjlGXy5SnMhEO2ZwS4ZRP39sp55/c:QccES04jVAo/4F2nET2l41sp3c

PE Information

Image Base: 0x00400000
Entry Point: 0x000653d0
Reported Checksum: 0x00046bf7
Actual Checksum: 0x00046bf7
Minimum OS Version: 4.0
Compile Time: 2018-10-23 11:12:51
Import Hash: c77fae7ab0a13d4992821c97f618554d
Icon Exact Hash: ac65814eaab16eb19552374ced998c29
Icon Similarity Hash: 3144598160f707aed320a1220d2303a3
Icon DHash: b269ccf4f0325a08

Version Infos

CompanyName NirSoft
FileDescription MetarWeather
FileVersion 1.76
InternalName MetarWeather
LegalCopyright Copyright © 2003 - 2018 Nir Sofer
OriginalFilename mweather.exe
ProductName MetarWeather
ProductVersion 1.76
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
UPX0 0x00000400 0x00001000 0x00037000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
UPX1 0x00000400 0x00038000 0x0002e000 0x0002d600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.91
.rsrc 0x0002da00 0x00066000 0x00007000 0x00006c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.02

Overlay

Offset 0x00034600
Size 0x00002ed0

Name Offset Size Language Sub-language Entropy File type
RT_CURSOR 0x0005bb08 0x00000134 LANG_ENGLISH SUBLANG_ENGLISH_US 7.08 None
RT_BITMAP 0x0005bc3c 0x00000568 LANG_HEBREW SUBLANG_DEFAULT 7.64 None
RT_ICON 0x00066b0c 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US 2.00 None
RT_ICON 0x00066c38 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US 2.01 None
RT_ICON 0x00066d64 0x00000568 LANG_HEBREW SUBLANG_DEFAULT 3.79 None
RT_ICON 0x000672d0 0x000008a8 LANG_HEBREW SUBLANG_DEFAULT 3.48 None
RT_ICON 0x00067b7c 0x00000568 LANG_HEBREW SUBLANG_DEFAULT 3.96 None
RT_ICON 0x000680e8 0x00000568 LANG_HEBREW SUBLANG_DEFAULT 3.54 None
RT_ICON 0x00068654 0x00000568 LANG_HEBREW SUBLANG_DEFAULT 3.59 None
RT_ICON 0x00068bc0 0x00000568 LANG_HEBREW SUBLANG_DEFAULT 3.65 None
RT_ICON 0x0006912c 0x00000568 LANG_HEBREW SUBLANG_DEFAULT 3.82 None
RT_ICON 0x00069698 0x00000568 LANG_HEBREW SUBLANG_DEFAULT 3.77 None
RT_ICON 0x00069c04 0x00000568 LANG_HEBREW SUBLANG_DEFAULT 3.46 None
RT_ICON 0x0006a170 0x00000568 LANG_HEBREW SUBLANG_DEFAULT 3.64 None
RT_ICON 0x0006a6dc 0x00000568 LANG_HEBREW SUBLANG_DEFAULT 3.68 None
RT_ICON 0x0006ac48 0x00000568 LANG_HEBREW SUBLANG_DEFAULT 3.72 None
RT_ICON 0x0006b1b4 0x00000568 LANG_HEBREW SUBLANG_DEFAULT 3.66 None
RT_ICON 0x0006b720 0x00000568 LANG_HEBREW SUBLANG_DEFAULT 3.86 None
RT_ICON 0x0006bc8c 0x00000568 LANG_HEBREW SUBLANG_DEFAULT 3.86 None
RT_ICON 0x0006c1f8 0x00000128 LANG_HEBREW SUBLANG_DEFAULT 1.82 None
RT_ICON 0x0006c324 0x00000128 LANG_HEBREW SUBLANG_DEFAULT 1.37 None
RT_MENU 0x00061a9c 0x00000a36 LANG_HEBREW SUBLANG_DEFAULT 7.72 None
RT_MENU 0x000624d4 0x00000246 LANG_HEBREW SUBLANG_DEFAULT 7.44 None
RT_MENU 0x0006271c 0x00000012 LANG_HEBREW SUBLANG_DEFAULT 4.06 None
RT_DIALOG 0x00062730 0x000000b2 LANG_HEBREW SUBLANG_DEFAULT 6.70 None
RT_DIALOG 0x000627e4 0x00000158 LANG_HEBREW SUBLANG_DEFAULT 7.13 None
RT_DIALOG 0x0006293c 0x00000548 LANG_HEBREW SUBLANG_DEFAULT 7.58 None
RT_DIALOG 0x00062e84 0x000000b6 LANG_HEBREW SUBLANG_DEFAULT 6.73 None
RT_DIALOG 0x00062f3c 0x00000296 LANG_HEBREW SUBLANG_DEFAULT 7.50 None
RT_DIALOG 0x000631d4 0x0000033e LANG_ENGLISH SUBLANG_ENGLISH_US 7.53 None
RT_ACCELERATOR 0x00063514 0x00000068 LANG_HEBREW SUBLANG_DEFAULT 6.17 None
RT_GROUP_CURSOR 0x0006357c 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 4.12 None
RT_GROUP_ICON 0x0006c450 0x00000022 LANG_HEBREW SUBLANG_DEFAULT 2.42 None
RT_GROUP_ICON 0x0006c478 0x00000014 LANG_HEBREW SUBLANG_DEFAULT 2.08 None
RT_GROUP_ICON 0x0006c490 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 1.84 None
RT_GROUP_ICON 0x0006c4a8 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None
RT_GROUP_ICON 0x0006c4c0 0x00000014 LANG_HEBREW SUBLANG_DEFAULT 2.08 None
RT_GROUP_ICON 0x0006c4d8 0x00000014 LANG_HEBREW SUBLANG_DEFAULT 1.98 None
RT_GROUP_ICON 0x0006c4f0 0x00000014 LANG_HEBREW SUBLANG_DEFAULT 2.08 None
RT_GROUP_ICON 0x0006c508 0x00000014 LANG_HEBREW SUBLANG_DEFAULT 2.08 None
RT_GROUP_ICON 0x0006c520 0x00000014 LANG_HEBREW SUBLANG_DEFAULT 2.08 None
RT_GROUP_ICON 0x0006c538 0x00000014 LANG_HEBREW SUBLANG_DEFAULT 2.08 None
RT_GROUP_ICON 0x0006c550 0x00000014 LANG_HEBREW SUBLANG_DEFAULT 2.08 None
RT_GROUP_ICON 0x0006c568 0x00000014 LANG_HEBREW SUBLANG_DEFAULT 2.08 None
RT_GROUP_ICON 0x0006c580 0x00000014 LANG_HEBREW SUBLANG_DEFAULT 2.08 None
RT_GROUP_ICON 0x0006c598 0x00000014 LANG_HEBREW SUBLANG_DEFAULT 1.94 None
RT_GROUP_ICON 0x0006c5b0 0x00000014 LANG_HEBREW SUBLANG_DEFAULT 2.08 None
RT_GROUP_ICON 0x0006c5c8 0x00000014 LANG_HEBREW SUBLANG_DEFAULT 2.08 None
RT_GROUP_ICON 0x0006c5e0 0x00000014 LANG_HEBREW SUBLANG_DEFAULT 2.02 None
RT_GROUP_ICON 0x0006c5f8 0x00000014 LANG_HEBREW SUBLANG_DEFAULT 2.02 None
RT_VERSION 0x0006c610 0x000002d0 LANG_HEBREW SUBLANG_DEFAULT 3.38 None
RT_MANIFEST 0x0006c8e4 0x00000056 LANG_ENGLISH SUBLANG_ENGLISH_US 4.66 None
None 0x00063a30 0x0000002e LANG_HEBREW SUBLANG_DEFAULT 5.19 None

Imports

Name Address
LoadLibraryA 0x46c9f0
GetProcAddress 0x46c9f4
VirtualProtect 0x46c9f8
VirtualAlloc 0x46c9fc
VirtualFree 0x46ca00
ExitProcess 0x46ca04
Name Address
RegCloseKey 0x46ca0c
Name Address
Name Address
ChooseFontA 0x46ca1c
Name Address
LineTo 0x46ca24
Name Address
ShellExecuteA 0x46ca2c
Name Address
GetDC 0x46ca34
Name Address
FtpOpenFileA 0x46ca3c

Usage

Processing ( 32.79 seconds )

  • 30.478 ProcessMemory
  • 2.184 CAPE
  • 0.116 BehaviorAnalysis
  • 0.007 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.06 seconds )

  • 0.008 ransomware_files
  • 0.007 antiav_detectreg
  • 0.005 antianalysis_detectfile
  • 0.005 ransomware_extensions
  • 0.003 antiav_detectfile
  • 0.003 infostealer_ftp
  • 0.003 territorial_disputes_sigs
  • 0.003 ursnif_behavior
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior

Reporting ( 0.03 seconds )

  • 0.024 CAPASummary
  • 0.006 JsonDump

Signatures

Queries the keyboard layout
SetUnhandledExceptionFilter detected (possible anti-debug)
Possible date expiration check, exits too soon after checking local time
process: mweather.exe, PID 2748
The binary contains an unknown PE section name indicative of packing
unknown section: {'name': 'UPX0', 'raw_address': '0x00000400', 'virtual_address': '0x00001000', 'virtual_size': '0x00037000', 'size_of_data': '0x00000000', 'characteristics': 'IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xe0000080', 'entropy': '0.00'}
unknown section: {'name': 'UPX1', 'raw_address': '0x00000400', 'virtual_address': '0x00038000', 'virtual_size': '0x0002e000', 'size_of_data': '0x0002d600', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xe0000040', 'entropy': '7.91'}
The binary likely contains encrypted or compressed data
section: {'name': 'UPX1', 'raw_address': '0x00000400', 'virtual_address': '0x00038000', 'virtual_size': '0x0002e000', 'size_of_data': '0x0002d600', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xe0000040', 'entropy': '7.91'}
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 2748 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Windows\System32\oleaut32.dll
C:\Windows\System32\msctf.dll
C:\Windows\System32\uxtheme.dll.Config
C:\Windows\System32\uxtheme.dll
C:\Users\Packager\AppData\Local\Temp\mweather.exe.Local\
C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984
C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\comctl32.dll
C:\Windows\WindowsShell.Manifest
C:\Windows\Fonts\staticcache.dat
C:\Users\Packager\AppData\Local\Temp\TextShaping.dll
C:\Windows\System32\TextShaping.dll
C:\Users\Packager\AppData\Local\Temp\mweather.cfg
C:\Windows\System32\kernel.appcore.dll
C:\Windows\System32\bcryptPrimitives.dll
\Device\CNG
C:\Windows\System32\textinputframework.dll
C:\Windows\System32\CoreUIComponents.dll
C:\Windows\System32\CoreMessaging.dll
C:\Windows\System32\ntmarta.dll
C:\Windows\System32\WinTypes.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\SystemResources\USER32.dll.mun
C:\Users\Packager\AppData\Local\Temp\mweather.chm
C:\Users\Packager\AppData\Local\Temp\mreport.html
C:\Users\Packager\AppData\Local\Temp\mweather.cfg
C:\Users\Packager\AppData\Local\Temp\mreport.html
HKEY_CURRENT_USER
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
HKEY_CURRENT_USER\Control Panel\International
HKEY_CURRENT_USER\Control Panel\International\sCountry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\mweather.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\000603xx
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Sorting\Ids
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\AppCompatClassName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\IsVailContainer
HKEY_LOCAL_MACHINE\Software\Microsoft\Input
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\ResyncResetTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\MaxResyncAttempts
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids\en
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_CURRENT_USER\Control Panel\International\sCountry
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\000603xx
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\IsVailContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\ResyncResetTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\MaxResyncAttempts
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids\en
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
Local\SM0:2748:168:WilStaging_02
Local\SM0:2748:64:WilError_03
Local\MSCTF.Asm.MutexDefault3
CicLoadWinStaWinSta0
Local\MSCTF.CtfMonitorInstMutexDefault3
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.