Analysis

Category FILE
Package exe
Started 2025-06-11 07:41:21
Completed 2025-06-11 07:59:08
Duration 1067 seconds
Options
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1
Log(s)
2024-11-25 13:37:14,991 [root] INFO: Date set to: 20250611T05:55:32, timeout set to: 1000
2025-06-11 06:55:32,121 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8
2025-06-11 06:55:32,121 [root] DEBUG: Storing results at: C:\qDdlkFnGz
2025-06-11 06:55:32,121 [root] DEBUG: Pipe server name: \\.\PIPE\wXevDSJXBA
2025-06-11 06:55:32,121 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-11 06:55:32,121 [root] INFO: analysis running as an admin
2025-06-11 06:55:32,121 [root] INFO: analysis package specified: "exe"
2025-06-11 06:55:32,121 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-11 06:55:33,137 [root] DEBUG: imported analysis package "exe"
2025-06-11 06:55:33,137 [root] DEBUG: initializing analysis package "exe"...
2025-06-11 06:55:33,137 [lib.common.common] INFO: wrapping
2025-06-11 06:55:33,137 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-11 06:55:33,137 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\JkDefragPortable_3.3.exe
2025-06-11 06:55:33,137 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-11 06:55:33,137 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-11 06:55:33,137 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-11 06:55:33,137 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-11 06:55:33,340 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-11 06:55:33,355 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-11 06:55:33,387 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-11 06:55:33,402 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-11 06:55:33,480 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-11 06:55:33,480 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-11 06:55:33,480 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-11 06:55:33,480 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-11 06:55:33,480 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-11 06:55:33,480 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-11 06:55:33,480 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-11 06:55:33,480 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-11 06:55:33,480 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-11 06:55:33,480 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-11 06:55:33,480 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-11 06:55:33,480 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-11 06:55:33,480 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-11 06:55:33,480 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-11 06:55:55,949 [modules.auxiliary.digisig] DEBUG: File has a valid signature
2025-06-11 06:55:55,965 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-11 06:55:55,965 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-11 06:55:55,965 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-11 06:55:55,965 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-11 06:55:55,965 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-11 06:55:55,965 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-11 06:55:55,965 [modules.auxiliary.disguise] INFO: Disguising GUID to eebf7374-c733-4252-9a71-d3c91b91d619
2025-06-11 06:55:55,965 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-11 06:55:55,965 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-11 06:55:55,965 [root] DEBUG: attempting to configure 'Human' from data
2025-06-11 06:55:55,965 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-11 06:55:55,965 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-11 06:55:55,965 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-11 06:55:55,965 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-11 06:55:55,965 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-11 06:55:55,965 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-11 06:55:55,965 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-11 06:55:55,965 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-11 06:55:55,965 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-11 06:55:55,965 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-11 06:55:55,965 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-11 06:55:55,965 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-11 06:55:55,965 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-11 06:55:55,965 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-11 06:55:55,996 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini
2025-06-11 06:55:55,996 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-11 06:55:55,996 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-11 06:55:55,996 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-11 06:55:55,996 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-11 06:55:55,996 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-11 06:55:55,996 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-11 06:55:55,996 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\EeGlvdpK.dll, loader C:\tmp_gell1p8\bin\PoaYJsgW.exe
2025-06-11 06:55:56,043 [root] DEBUG: Loader: IAT patching disabled.
2025-06-11 06:55:56,043 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\EeGlvdpK.dll.
2025-06-11 06:55:56,074 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-11 06:55:56,074 [root] INFO: Disabling sleep skipping.
2025-06-11 06:55:56,074 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-11 06:55:56,074 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-11 06:55:56,074 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-11 06:55:56,074 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-11 06:55:56,074 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-11 06:55:56,074 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-11 06:55:56,090 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-11 06:55:56,090 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-11 06:55:56,090 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF822E30000, thread 4320, image base 0x00007FF60D500000, stack from 0x0000008EFABF4000-0x0000008EFAC00000
2025-06-11 06:55:56,090 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-11 06:55:56,090 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-11 06:55:56,090 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-11 06:55:56,106 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\EeGlvdpK.dll.
2025-06-11 06:55:56,106 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025 <truncated>

Machine

Name win10-2
Label win10-2
Manager KVM
Started On 2025-06-11 07:41:21
Shutdown On 2025-06-11 07:58:48
Route none

File Details

File Name JkDefragPortable_3.3.exe
File Type PE32 executable (GUI) Intel 80386, for MS Windows
File Size 935312 bytes
MD5 e2ad2f59cd2c259cc684a0f873820e8b
SHA1 b427a317a1eb469b1f4c7d561f9b88862c5649f5
SHA256 bc14dead89d55e50e5f4828f84b654a1a4b16a1badf0b000fac45fd2cbb6a1e8
SHA3-384 f8825d70c772651f4c166f944264b1cf29c7a6c3cf5b9f4b2892a5b246eca51d0fcc07dc9193f2ee735204f74cec619b
CRC32 41BC4AF4
TLSH T1FC1523069AD5D862F5A10F7290F315720E3BFC312E35A99F7F45EA8E7429A40EE18707
Ssdeep 24576:By9D3li9Su1//RDz1VD5Mm+ikOtNnFXasXkYM8Y0:o9JASWBDzBTNBFXkM

m4,RK
GetAsyncKeyState
6q7v7
4+W4
KERNEL32.dll
OleInitialize
c'zA/X
RichEd32
)'"Fu
$GsoB
><+E;
_e iP
ls8`G
?-?I?\?o?w?
W\*|k(
=(e9Em
)joLZu
mUu5%)K!
N`Q{>
!hni`a
6#616i6n6
9eiO5
)#O>u
L*_O
s[WBS
H@:w#)
"Wf>Z
Kn]-(
9UgK&
[)W$[O
Delete: DeleteFile on Reboot("%s")
H1Vfgh
New install of "%s" to "%s"
2YfZu
K^zs/
v89?Wk
]'j1f
BX#,n+_
Ww!.N
:m7[X
*}^S|
j\\aUi
h0f0=
9!9N9u9
W"0j.
GetWindowsDirectoryW
-+-V,+O
DefWindowProcW
=F\uk^
fAb5l$
5gyS(8
`?Q:o|
9miQQ
= =1=
^phU_
LGGNMKg
"D?2j
+flmI
=ub:m
4zp@.
GetVersionExW
LF=%x
Vv'qc
g)0M,
0WZHBMko:.2
9::T:e:
ArfRJ
Z2/n0v3
}?2u~
Zn|N{
w#*OY
5ZH_js
#7WWQ0|
r+&VV
toumEP
[G&Rd
R"}hI
GetSystemDirectoryW
>&>P>^>e>}>
I=Oct
FbxTSc
e\;a'
VS_VERSION_INFO
GetDiskFreeSpaceW
C=1V;6+
pRVg4
B]'5V
4\x$N2
D)22F
\@4)B_
baP`g|
2&rPCy
~ko|7
`}q::
,q45>
fuS\DLc*
ZLhOc@~
c\DfG
g(LUm
DuBBS
ngl|a
Sleep(%d)
lT.I)
kx_4X0
VL!x0'
Bh_#)
Z?_|1f
COMODO Code Signing CA 20
M5i5$
kS!+9
PostQuitMessage
:7U2)u
nXALp
T_'@/
r0?(I
4dbvJ
%FFee
AeW7h
Mz{A(
)]6z\
NZ?d6
?DZu
;q+!B
,iP<F
PQ[Aa{?
}",RX
CgxjN
*73`w
SendMessageW
"%K"CL
L_:A,
|=y2d}
kUQ93
{49=Ii
. M52
t7@bp}
J1qq-
0v)#$
?G:S"9]9
O/)f:
MSAWv
XR$m%
0&%L"1`
k/BfC7
HideWindow
\Sd/`g
6C!s&D{|A
OpenClipboard
^3d?(I
Js%m$<
CSCR~N
ko4j5
k/&YLb
Xk^w<
}{I1g
_~}Sa
@O%4p!B8
"VeriSign Time Stamping Services CA
9krT?
979D9L9w9
ClZRG
;L.eA
)0'0%
yT6Vi
'b.(:
I9n\T
_jlvzyxb^
5E-Wk
] BlCc
:hWqD
j&ihW
SdV0D
{1dEe
SMALHB7
OP{&;
?1J,U
mCE,G
`[R6df
+7wS:\
EnxH/
58|~
j:U~G"
<C'ke
GetProcAddress
s ic9z
Exec: failed createprocess ("%s")
\FmT69K!
zuqYq
0&DiYlB
E/@d.TGG
IsWindowEnabled
ProductName
;4F?>@6.,
XM:d$
=&x09
(W ICr
1http://crt.usertrust.com/UTNAddTrustObject_CA.crt0%
?5VI,
94**wma
/sNx,u
HKZgY
X>m'9
q%`a:L_
oRJZd~
F.U*(\q
>,>1>6>;>D>I>O>S>Y>_>v>
IlL.
[# K:
S+[dU
Retvo
-rtJ8
^tx36
T]HTz
2/M}_
9g\"|
}kX|H
`3:U>
0/|P<
E[@OI3u
9yGo*
ExitProcess
sVxq;
="_HZ
~P.U]
L-0,&1L
7h.68ee
P<8}|sr
;!;2;A;T;
H6*YUP
v`pr:R
<d!:;(
tql(`k
@6E2p
T'_H
Lkz7p
5<#U.
q<=sa
Iqs.H
42{ZF
)!P]+
=T@CMw
wx>TO
r#/nG
7rT>8#K
\Mx*v
4tDes
YiW~d
OU7v,
lstrcpynA
D$8PUh
0U36.<
GFeO@
lQl6b'nE5f]G?
MoveFileW
<Xzq4
Le:un
FileVersion
http://nsis.sf.net/NSIS_Error
:b(45
Please wait while Setup is loading...
kZulvxs
7Hz^S
<MXgD
^Um]3
TSA1-30
.Wj$B
2 2$2(2,2024282<2@2D2H2N2S2c2
hbXM(
Qgu8Lo
?48/#
#mH{5XHm
~gy)h
(M43G
a.K_=
CreateDialogParamW
QNSfef
G%01$
g] e00
+x^RmO-
8e`S6
B.ssQ
9KD)6U
n:7[s
+%O(t
nS@|r
c@G0Ln9'
GetExitCodeProcess
^I<M6
1w0-T
IEFNlD89A4/k
[l|ev
=j6\+
ZQs:]
LGLtPPp
$M.ja8
[Rename]
SetFilePointer
f:G-L
~''GOc
0bN=XP
zrvD\
QU';X
|[B]J`
p,[m$F=
nU=/9%
dA/%(
Gx7!P
D$$+D$
mJPuu.z
.H)1V(
+=4&g0]
_7GA9
';09k
?ZcfA
XHL`e
RegisterClassW
ZJMdC.
gA^}"
%hK2RG
X}^G%
ZO58L
DF@nO
c#@M+
\EnK;#@{
=lEy/
QkC7
S_*X)
)]@$2c`%
QG= 5
xGRA{
l/(Sl
R#_z^
kt[6g
H#9Gw
H0`+QGp
(/iTG3CJWf,+*
ZA,fj
GBQc[g@
y:ImO
c'|b]
0)-c
\u!f9O
mu~<y
5&ir*
ki#6A
Delete: "%s"
S~lS7
6Us4o
Mp{|d
ZwE_)Z
0?2A@
VerQueryValueW
S1*Uo
jYM|"
CheckDlgButton
t7[SMcg
UaK5w
2 }'\
`<#qC
IG]oN&
mV?O$
%CKXf
6_0aZ
h r;my
1-RZ
?cTe{Q>
(VyhS
u6a@a
(=zy)-
9nM603CIf9
4({?/
d_4Vu
u$Go}V
F6@0+
K,$h6
f=-IP
K;XS(
R(%=a
vp~djj
hM)}a"
GlobalLock
SHLWAPI
R;at(
2a]{3
l7d!$
l'-Z\
fxU3r
CP){t
"j#Lc
i>fs{q
,cFpk
<pviG
DeleteFileW
lstrcatW
&Tox nH\
K&A'/
koJA\
GetPrivateProfileStringW
GDI32.dll
(//t?
r1qIH
}O|F~
EnumProcessModules
lBAIL
xHJ;UoQ3l
b3C+=
`<u5qZ
h"<Oge
.;\Q3Z
&uS=.
//r,7
InvalidateRect
$=Kq_k.
a#PHZ
~*Jt@
"n86K
D'Hl^
^qJ9&
FG"e9
_^][Y
ls&_~
0VJ%V
2_,nKQ
CL`##DZ
tu(&Y~
i'4&1
I|/54
23Qe:?|
Gpo/U,
hqi{D
LARd;
%QygP
'=B!A
-!iYL
MTf2g
1>oet
2ljlh
VsK2+f
r>0<huEs
l0~c~
$3?U,d
I3l#D
!{6,i
tyW9u
1http://crl.usertrust.com/UTN-USERFirst-Object.crl0t
Q!(QG0
fBMJau
#.ClD
%2;cK
'\\*`9
InternalName
UP,d)
OF$~+@
(q!\}
L]*j)j]
sQ\G\J
HKEY_CURRENT_CONFIG
BringToFront
A.4h&
JYspE
!_VOA
3,-gM@
&U& Y
}'/eo
XZw(*L
?Z\hR
COMODO CA Limited1!0
O,<;q
D|)gK
tk]_i
Q22cC!M
-+`ARDc
q:e #!
Software\Microsoft\Windows\CurrentVersion
imaF~
d?<bp
4Bm&NX
?wz@y
Wu|i<l
u:FeV
}c~v$3Q)
Fh]cT
qR15`
<+Mw7
6y2ac
#kXR!R
c^^YCB
GetDC
SetTextColor
WI^PZ_
+Symantec Time Stamping Services Signer - G30
XU_^RL;
rIS"F
HCIs&%
xe"G67
zh_Zs
oCD[3
R=0vK
K@fam
FindNextFileW
]E.58
;8*wEZ
0-1R1r1~1
E?kv~
rn B
<NgV}
uHqtg
uvfHY
OHFyP
FindClose
$-]Vg$@
l}!kb
NU@0/
[UISaYNd|sg
Fd)*>
vQj%D
2%uZ>
SXjDE
VR&1{yR
bIi^z
%C^ZiB
KB6p
9GWgoR.
]]{>I
q?&b
<kw`+nR
MulDiv
iE$a0
%Z!\-
.jJvR
c.5S1
GetTempPathW
N5dW:
0XrW`j
=yK0{G
I~*-W
m1T/3
((NxF
7xU!y
KV4kd
jnxloE
P(]*k
%9'#~
o4M1>
EJeBA
rEWPQ
RegCreateKeyExW
incomplete download and damaged media. Contact the
"O~:%g
|\]H3
!,eYej-
BiNqf
2"m*o
4eT<lC*
j0cQvw
Gu6:Zs@;
QxDO']-S5*
&''|/R
/&%uG
~g2%(7
)vPtO
B<0crj]
;z*M0K
bOa_J
fpM>N
D9xqH
wa]=
Am3:5r
Ds"/b
5En(X
yI$-zT
W<*A@
!.Xf5
g/^u-y
/~hj{M
TDC>}$
f")TW
np:Q%p$
V*Q!K
vSH@al6
A:[bf<"R
TK9oa
(0Z}r7|n
pI}>%XX]gY
vpw/}
V,3LE
(jG1,>
(}.v:
WGtcB
(|E%L
UD&C~
~x4:SR
\+W_{
2g~7T
k5]/:
)W#hT$
cWEnl!
t@0Mo"
a>*P3
?fz(<"
GetSystemMetrics
OA]]5w
N1B"[
b|zz'
noq o
x5}0E
#q3-<
Uu,Bn
a};z"fN
=7+1JD7cRL@
;6;;;Q;Y;^;d;j;p;~;
P"]QA7
u:gI"g
'oXsB
CharUpperW
Z7$\-
<Yfwb
\)@EL5
WwtC'
Z;z8}h
*%4r84Cp,#
7PL`g
5#kusrp
Psc=2
RLQ=4}
E*R23=
Mx-K5
Kdpy
O2) /Q
0http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
t$(VV
Ji{3e
eUKx\
j%^)=a
A2[fE
cpi6ho
-3wdT
%Bm:,
>G]G6
PortableApps.com is a registered trademark of Rare Ideas, LLC.
Lza<7
5r_h%
djdih
J^ }S
CoTaskMemFree
GetDlgItem
CloseClipboard
zdLkw
#W1`U
A"BD4
MS Shell Dlg
rm;O[
/=dct
G h0
$.<,?
q:27G
oJl<i
'^nm.
2-{Y1
E5p0O
I$5~X.
yvXVJ(
~JbW~r
l.G##
UIgo EP>
=qgkP~
1>VP7
m*JpH
z]lB`s
z]5vV~cf
m4q?4q
KZIt9
8+|Y_M
9<\#?
4~l'w
]]U?"
<4*F:5L
"Su?n4
GM=1L
GetShortPathNameW
!This program cannot be run in DOS mode.
PGCTl~aD
R|Xh1
;Q\nh*
{>ze=a
<a~^I
9+9L9Z9
riY\.C
OvA<k
OmLDcb
\.3m@
S)l:I
@CV5)
U[~L>
UBfGC
kVBb_
<'<3<=<G<L<W<[<a<f<l<
H}:0i/aw]Y
@;>n3&
8CG9*
9-SVj
<*^?\_
"o:e1
Em`Om
DO=7`
?B|>a
}Aydp
'G=c?
rPbDM
CYcts
0 0lK
Ue=89!
Tl`]g
@@(e)Q
$zW .5~c
4"4/4C4_4i4
)*#cC
fY4A8h
$.VIp
?s-%n
USER32.dll
vKx`JG
qnVP6RY_b
qLGg<
YKe3[[U
+(iQ\
fK^md
3"3(30383I3P3e3n3t3|3
0P[Vm
^G.ZV
+bbk&
jnyZA
hc`P,
EkO}=*
'Jl=gM
5w*w@
8!808D8X8
B,6&zv
z4uy@
"Rr^R
JZJ!5[
HZXs40o
&ijh4Y
-x4:)G
+*=|DLpK
iH~bqp
}"!Nck
dH}x$
w$TK9
k0~!#
JHOF7
-xm*JF
L*5@r\
rSLq6`
*OH-A
Durbanville1
Exec: success ("%s")
1@4Od
FDz{U&
CreateFontIndirectW
A8zx?
wel<Y
`'4rD
wLZK7(
Bvgys
^|O4-
'S40d&5|sJ
{R3Hz
PJ1-H
lLL#O$
"e]|/"+
RegDeleteKeyExW
d})H5
5LgmC
DFfu>
I09JF
-]/m
=vdqH!HZ
$9j?!
Dd_mC
P$8x+X
trT=k
LoadImageW
qoEyaMtwr!n
wv,f\
{H;a,<>1
SS=tN
=HG^!
McH/y
.)Bf
s9_<'
\KP3S
#A?L
o!*{&
B|$q!
Q-oue
a2f1r=:V
\d:no!
{gb'4
'fA|\V
lE0@XqM
<>l=8
wE~d0H
,/LTk
lstrcmpiA
P"/XP
HA/31
ViXDrW
8Rich
MsYA!K
6m)+K
{aUb=
VL(6M
CopyFiles "%s"->"%s"
-_jNC
IfFileExists: file "%s" does not exist, jumping %d
HKEY_CURRENT_USER
PortableApps.com Installer Copyright 2007-2012 PortableApps.com.
GetCurrentProcess
kfpc4
i|@8w
v~yme
[8"NB
[Qoiny
Szw@_
3ko{o
%X$|-q
D$,PU
iKz;~
Id/r4/
<w%ep
vvRS+k
pFOOHSNNSMFB&%
dKSYt
SHGetFileInfoW
[n(Sy
e>WHg
gIhlK
H!%q!
V%xG9P=
/M$#V
URp?P
iD^h+
j.s;H
'Q1fr'
.ndata
4a5r5z5
gvJv0F.5
zW>0ok(
pWS\N^
6=Im>
fJ;Z4
rVs nR
0s%8cEk}wI
j80[k
GetClassInfoW
tX2NgJ
=Zu;.
9vL'b &>D
!L[Z]
BVH,g)
R)a;#
%]vR{
f&'),
$ !_v
~EcueR
u$9Mls
>OEp;)
3bAZaQ4F
wYkL
gVoN
<U|O`j
{U'c(Q]7
A+7+0
{fI)I
MSs34lw
?2?B?_?j?
'ch"~
^3FZG
GA=;KJf
8R>9IV4
111;1D1Z1a1y1
/WsWc
ScreenToClient
~.hP)lC
n)eJ-
y=|*@l
Translation
p\o!qG
Kc}?ZK
http://ocsp.comodoca.com0
vhmlF
L{Bp!7
[`VWh
I5YBS:rA
%tVt_
lsMCD
gE<Y-Nx
200530104838Z0{1
8\:xm
Q'mV"<
OleUninitialize
uK_#nPSt
nk*JeS
lb0Ku
,^7ui_
[)h>)z9i
~o04|
;z+MN[
=F,Q6
8zA4l
Mu/bKY
NW??9
CWVWin|
FCK{YY~
!SA_3
_`:?4
mbs}n
J<t?:
Us+k$\A
k*#p&\M
@cK@y
2'2B2d2v2
xo6Gk
wUC)d
98k+Vy
X[M$:
c~wkM
k" t?
GetTempFileNameW
1d+#+
|-*t%
CG5H_
^Cy@5
ProductVersion
&6d<u
XM[kEI
\y;Gh9
7.V7e
h!`jp
K6#hqHx
#Vhh2@
Instu`
'/\b&
050607080910Z
V[PXQ;
:(,/P
av.-{
+-]q8<t
r#&^q
Q$!,k
uT$j8
ShowWindow
Ht@h@
%<8#P
=)a&n
oL%Ai
XI+k|!
RichEdit
)L>%l&
<au<t
>6zTg
m>&X%
Q_]Lo(~_
RZdBD PS
x!4Dj
:.)1ku
)SYxL
z3{Vp
*dn*@
0*"?%%B
^8?6+
u{U:t
K iI&*
@z3{+'#
{[?Bj
!]Y{^{
)>oc#
dG]rzB
aUGjS
`_Y]T
u&mutw#
Jump: %d
GYpm1r
ozo&=N
lnF's
IaD)Gj!S}
File: error, user retry
)@~EN
-~*}=
iu.5|S
File: error creating "%s"
f4f&i
D>Fz/*
6Ek/q
I)+Rb
\OHvY
GkcPUU
U_z]k
Pt+4t
bNu}z
yJQSa
_)=(e
by/1YZ
ikN/"
KQ{;B
~p*0)<
m%k@'
vhq2J
hWtXbe
D4q#D
o$53Bv
p~o#z
A4h/N
_.#>O
J^j?T
!l|]R~!
;ne+JP
:GnO(5
snGjv
&sVL>
x80_v=g
Iq"ds
mtE$O
dY>lC=DJ
t6mU
85HO\^
nv,gQ
;KFo7Z
MjWOV
x.9aS
DeleteRegKey: "%s\%s"
RvbcoY
y:8M?
HKEY_USERS
]VgW97
tnyU6E
`+k6V
_=Ev'
fYF~m
:"S!p
LookupPrivilegeValueW
@g 58
v#3 U
\u2+8
D-^$DmSl
PcWF&
mJ|.L*
x<_9(
~nsu.tmp
CharNextA
&39#/
;#;A;H;`;u;
#0k?T@
H2|h_
8aBD;j
m(nx\
|X @4
"1?2,1$
&/;\D
/2QYy
KNa.3An"
Z}>VX
qJvly
gtpWx?+
u$9Uls
\wrHKS
eA2^h
o4^e]
-2%<C
LgEWs
"Rh-g
.-~4Z~
pTED4
5IqE:2C
Hj\("
d i0b
,ma!b/
}90<w
A.g+N
gB_*8
o4!$n
HT44nI
fA P|
Xwf(-
MG@.USd
NCqV!
bQG+@O
>|Bm,GU
OU>6`
4tIN_
,cv.B
6ebpV
2sY+F
lacv|q
u9[~8
FwIMa`
vbqhw
c)444
7.7q7v7
W/F_`)!
0`kZE5h
kT@=L
;-*<f"
f58ksIN
LWMB+
x\^9M
3z60:?
@NXWp
*4'f`N
8 MAI
:f.,~
,PufeP$
e><#]F
0http://crt.comodoca.com/COMODOCodeSigningCA2.crt0$
nHr@/0
d:g\,
Q0qP[ID
}C~wj
/#Qy5
VBc4M
2^cPe
settings logging to %d
GetLastError
[l"-V
v`XpV:0#
S,d c
_|F|-
$NA=R
*0SKw@
O{75'
}}6x[
qw:L2
4GC0:
&sf`P\:T
pc}4=
1H-|w
H[V82
[r0s8
(~lbya
7\4RC
IeT<)
ZBBkI
AT}])
f6@Ke]x
d"{j `
0:XZi
abQZM
s4R-T
)v`V\oMG|"
http://ocsp.verisign.com0
O+g(l:
2cN?d
|aX`/
I0[0`0
10%|a
H&:^:Q
576@6^6k6
j})JU
<)}[s
>y@2T
<~\xe
l/Tv,*
8t0&%
F(N(/
vf[-W
pdq$]
Skipping section: "%s"
~9PaT
ApF](
\hM2&L
$Fh*s
Unknown
+&/d,-U
81q^Z
G0v~f
6sbZe;
1uGdD
IZ]:>
DV[PRdD
8<Qt\q
+_uo:
_eNk3
-CZnO
P*4$I`
LOcX)
4\9p?
o-JqJ
*Ujrj
G^L4u
zgl3K/
99:f:{:
wS|:Hm
a zVc
O@ntBz.
_Mlso
`aL$v
oBxwU
h?ZfQ
wS9]F8
-t8\GIb`WS
w[LFf
h\{T~@I
Lwc_I
ONsj]
`=wfR:W
MPh_6
'BrhG
hu@^*
OP4hT
kV;Uz
.0u]Z2
,A&Y>
~Q,Us
i,]eF
olM54
dvT d6\
]<MSU
884B=
?_`0)
120216000000Z
{:}g-
K'!rR
]a]a]]
`.rdata
N)`q|
s+WiyU
%Sp#c~8O
"PLX\l
^:X_.
@FT-ce
|wp)#
`k+>+
-B@BdB
08&M M
(L:7<
IM=OC
mGn(@
tOCBi!
\c^vP
RegCloseKey
GetSystemMenu
*tWa|
6xpuT
l"i_*
,k+!-qaP
cua8~
install.log
z-if4#
;/@3~
ql,P^sv
G8_[e
&cGM|J
J01)L
TNx|O-
oehEk
i=2!
8I%>M,.w
02T`P
dvaP0
2S*~w
<A2;q2
>72"^
SRkzv
h]mj%

PE Information

Image Base 0x00400000
Entry Point 0x000039e3
Reported Checksum 0x000eca3b
Actual Checksum 0x000eca3b
Minimum OS Version 5.0
Compile Time 2012-02-24 19:19:59
Import Hash 32f3282581436269b3a75b6675fe3e08
Icon Exact Hash 2c09465cc979677d65781d9403176c31
Icon Similarity Hash 5c00f471cce984e3b873ef9ade242aed
Icon DHash 71e0e4b8cccccce0

Version Infos

Comments For additional details, visit PortableApps.com
CompanyName PortableApps.com
FileDescription JkDefrag Portable
FileVersion 3.36.0.2
InternalName JkDefrag Portable
LegalCopyright PortableApps.com Installer Copyright 2007-2012 PortableApps.com.
LegalTrademarks PortableApps.com is a registered trademark of Rare Ideas, LLC.
OriginalFilename JkDefragPortable_3.36_Rev_2.paf.exe
PortableApps.comAppID JkDefragPortable
PortableApps.comFormatVersion 3.0.3
PortableApps.comInstallerVersion 3.0.3.0
ProductName JkDefrag Portable
ProductVersion 3.36.0.2
Translation 0x0000 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x00006f10 0x00007000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.50
.rdata 0x00007400 0x00008000 0x00002a92 0x00002c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.39
.data 0x0000a000 0x0000b000 0x00067ebc 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 1.47
.ndata 0x00000000 0x00073000 0x000bd000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rsrc 0x0000a200 0x00130000 0x0001b620 0x0001b800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.29
.reloc 0x0000b400 0x0014c000 0x00000f8a 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 7.87

Overlay

Offset 0x00025a00
Size 0x000beb90

Name Offset Size Language Sub-language Entropy File type
RT_ICON 0x00130868 0x00012524 LANG_ENGLISH SUBLANG_ENGLISH_US 7.98 None
RT_ICON 0x00142d90 0x000025a8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.18 None
RT_ICON 0x00145338 0x000010a8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.51 None
RT_ICON 0x001463e0 0x00000ea8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.70 None
RT_ICON 0x00147288 0x000008a8 LANG_ENGLISH SUBLANG_ENGLISH_US 6.02 None
RT_ICON 0x00147b30 0x00000568 LANG_ENGLISH SUBLANG_ENGLISH_US 5.67 None
RT_ICON 0x00148098 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.84 None
RT_DIALOG 0x00148500 0x00000120 LANG_ENGLISH SUBLANG_ENGLISH_US 2.56 None
RT_DIALOG 0x00148620 0x00000200 LANG_ENGLISH SUBLANG_ENGLISH_US 2.68 None
RT_DIALOG 0x00148820 0x000000f8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.91 None
RT_DIALOG 0x00148918 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 2.93 None
RT_DIALOG 0x00148a08 0x00000120 LANG_ENGLISH SUBLANG_ENGLISH_US 2.84 None
RT_DIALOG 0x00148b28 0x00000200 LANG_ENGLISH SUBLANG_ENGLISH_US 2.96 None
RT_DIALOG 0x00148d28 0x000000f8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.11 None
RT_DIALOG 0x00148e20 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 3.07 None
RT_DIALOG 0x00148f10 0x00000120 LANG_ENGLISH SUBLANG_ENGLISH_US 2.84 None
RT_DIALOG 0x00149030 0x00000200 LANG_ENGLISH SUBLANG_ENGLISH_US 2.96 None
RT_DIALOG 0x00149230 0x000000f8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.11 None
RT_DIALOG 0x00149328 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 3.07 None
RT_DIALOG 0x00149418 0x00000120 LANG_ENGLISH SUBLANG_ENGLISH_US 2.84 None
RT_DIALOG 0x00149538 0x00000200 LANG_ENGLISH SUBLANG_ENGLISH_US 2.96 None
RT_DIALOG 0x00149738 0x000000f8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.11 None
RT_DIALOG 0x00149830 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 3.07 None
RT_DIALOG 0x00149920 0x00000118 LANG_ENGLISH SUBLANG_ENGLISH_US 2.65 None
RT_DIALOG 0x00149a38 0x000001f8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.73 None
RT_DIALOG 0x00149c30 0x000000f0 LANG_ENGLISH SUBLANG_ENGLISH_US 3.05 None
RT_DIALOG 0x00149d20 0x000000e6 LANG_ENGLISH SUBLANG_ENGLISH_US 3.10 None
RT_DIALOG 0x00149e08 0x0000010c LANG_ENGLISH SUBLANG_ENGLISH_US 2.48 None
RT_DIALOG 0x00149f18 0x000001ec LANG_ENGLISH SUBLANG_ENGLISH_US 2.62 None
RT_DIALOG 0x0014a108 0x000000e4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.86 None
RT_DIALOG 0x0014a1f0 0x000000da LANG_ENGLISH SUBLANG_ENGLISH_US 2.93 None
RT_DIALOG 0x0014a2d0 0x0000010c LANG_ENGLISH SUBLANG_ENGLISH_US 2.48 None
RT_DIALOG 0x0014a3e0 0x000001ec LANG_ENGLISH SUBLANG_ENGLISH_US 2.63 None
RT_DIALOG 0x0014a5d0 0x000000e4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.87 None
RT_DIALOG 0x0014a6b8 0x000000da LANG_ENGLISH SUBLANG_ENGLISH_US 2.93 None
RT_DIALOG 0x0014a798 0x00000110 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 None
RT_DIALOG 0x0014a8a8 0x000001f0 LANG_ENGLISH SUBLANG_ENGLISH_US 2.68 None
RT_DIALOG 0x0014aa98 0x000000e8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.97 None
RT_DIALOG 0x0014ab80 0x000000de LANG_ENGLISH SUBLANG_ENGLISH_US 3.04 None
RT_GROUP_ICON 0x0014ac60 0x00000068 LANG_ENGLISH SUBLANG_ENGLISH_US 2.72 None
RT_VERSION 0x0014acc8 0x00000598 LANG_NEUTRAL SUBLANG_NEUTRAL 3.39 None
RT_MANIFEST 0x0014b260 0x000003bd LANG_ENGLISH SUBLANG_ENGLISH_US 5.23 None

Imports

Name Address
SetFileTime 0x408060
CompareFileTime 0x408064
SearchPathW 0x408068
GetShortPathNameW 0x40806c
GetFullPathNameW 0x408070
MoveFileW 0x408074
SetCurrentDirectoryW 0x408078
GetFileAttributesW 0x40807c
GetLastError 0x408080
CreateDirectoryW 0x408084
SetFileAttributesW 0x408088
Sleep 0x40808c
GetTickCount 0x408090
CreateFileW 0x408094
GetFileSize 0x408098
GetModuleFileNameW 0x40809c
GetCurrentProcess 0x4080a0
CopyFileW 0x4080a4
ExitProcess 0x4080a8
GetWindowsDirectoryW 0x4080ac
GetTempPathW 0x4080b0
GetCommandLineW 0x4080b4
SetErrorMode 0x4080b8
CloseHandle 0x4080bc
lstrlenW 0x4080c0
lstrcpynW 0x4080c4
GetDiskFreeSpaceW 0x4080c8
GlobalUnlock 0x4080cc
GlobalLock 0x4080d0
CreateThread 0x4080d4
LoadLibraryW 0x4080d8
CreateProcessW 0x4080dc
lstrcmpiA 0x4080e0
GetTempFileNameW 0x4080e4
lstrcatW 0x4080e8
GetProcAddress 0x4080ec
LoadLibraryA 0x4080f0
GetModuleHandleA 0x4080f4
OpenProcess 0x4080f8
lstrcpyW 0x4080fc
GetVersionExW 0x408100
GetSystemDirectoryW 0x408104
GetVersion 0x408108
lstrcpyA 0x40810c
RemoveDirectoryW 0x408110
lstrcmpA 0x408114
lstrcmpiW 0x408118
lstrcmpW 0x40811c
ExpandEnvironmentStringsW 0x408120
GlobalAlloc 0x408124
WaitForSingleObject 0x408128
GetExitCodeProcess 0x40812c
GlobalFree 0x408130
GetModuleHandleW 0x408134
LoadLibraryExW 0x408138
FreeLibrary 0x40813c
WritePrivateProfileStringW 0x408140
GetPrivateProfileStringW 0x408144
WideCharToMultiByte 0x408148
lstrlenA 0x40814c
MulDiv 0x408150
WriteFile 0x408154
ReadFile 0x408158
MultiByteToWideChar 0x40815c
SetFilePointer 0x408160
FindClose 0x408164
FindNextFileW 0x408168
FindFirstFileW 0x40816c
DeleteFileW 0x408170
lstrcpynA 0x408174
Name Address
GetAsyncKeyState 0x408198
IsDlgButtonChecked 0x40819c
ScreenToClient 0x4081a0
GetMessagePos 0x4081a4
CallWindowProcW 0x4081a8
IsWindowVisible 0x4081ac
LoadBitmapW 0x4081b0
CloseClipboard 0x4081b4
SetClipboardData 0x4081b8
EmptyClipboard 0x4081bc
OpenClipboard 0x4081c0
TrackPopupMenu 0x4081c4
GetWindowRect 0x4081c8
AppendMenuW 0x4081cc
CreatePopupMenu 0x4081d0
GetSystemMetrics 0x4081d4
EndDialog 0x4081d8
EnableMenuItem 0x4081dc
GetSystemMenu 0x4081e0
SetClassLongW 0x4081e4
IsWindowEnabled 0x4081e8
SetWindowPos 0x4081ec
DialogBoxParamW 0x4081f0
CheckDlgButton 0x4081f4
CreateWindowExW 0x4081f8
SystemParametersInfoW 0x4081fc
RegisterClassW 0x408200
SetDlgItemTextW 0x408204
GetDlgItemTextW 0x408208
MessageBoxIndirectW 0x40820c
CharNextA 0x408210
CharUpperW 0x408214
CharPrevW 0x408218
wvsprintfW 0x40821c
DispatchMessageW 0x408220
PeekMessageW 0x408224
wsprintfA 0x408228
DestroyWindow 0x40822c
CreateDialogParamW 0x408230
SetTimer 0x408234
SetWindowTextW 0x408238
PostQuitMessage 0x40823c
SetForegroundWindow 0x408240
ShowWindow 0x408244
wsprintfW 0x408248
SendMessageTimeoutW 0x40824c
LoadCursorW 0x408250
SetCursor 0x408254
GetWindowLongW 0x408258
GetSysColor 0x40825c
CharNextW 0x408260
GetClassInfoW 0x408264
ExitWindowsEx 0x408268
IsWindow 0x40826c
GetDlgItem 0x408270
SetWindowLongW 0x408274
LoadImageW 0x408278
GetDC 0x40827c
EnableWindow 0x408280
InvalidateRect 0x408284
SendMessageW 0x408288
DefWindowProcW 0x40828c
BeginPaint 0x408290
GetClientRect 0x408294
FillRect 0x408298
DrawTextW 0x40829c
EndPaint 0x4082a0
FindWindowExW 0x4082a4
Name Address
SetBkColor 0x40803c
GetDeviceCaps 0x408040
DeleteObject 0x408044
CreateBrushIndirect 0x408048
CreateFontIndirectW 0x40804c
SetBkMode 0x408050
SetTextColor 0x408054
SelectObject 0x408058
Name Address
SHBrowseForFolderW 0x40817c
SHGetPathFromIDListW 0x408180
SHGetFileInfoW 0x408184
ShellExecuteW 0x408188
SHFileOperationW 0x40818c
SHGetSpecialFolderLocation 0x408190
Name Address
RegEnumKeyW 0x408000
RegOpenKeyExW 0x408004
RegCloseKey 0x408008
RegDeleteKeyW 0x40800c
RegDeleteValueW 0x408010
RegCreateKeyExW 0x408014
RegSetValueExW 0x408018
RegQueryValueExW 0x40801c
RegEnumValueW 0x408020
Name Address
ImageList_AddMasked 0x408028
ImageList_Destroy 0x40802c
ImageList_Create 0x408034
Name Address
CoTaskMemFree 0x4082bc
OleInitialize 0x4082c0
OleUninitialize 0x4082c4
CoCreateInstance 0x4082c8
Name Address
GetFileVersionInfoSizeW 0x4082ac
GetFileVersionInfoW 0x4082b0
VerQueryValueW 0x4082b4



Usage


Processing ( 51.10 seconds )

  • 32.533 ProcessMemory
  • 18.286 CAPE
  • 0.267 BehaviorAnalysis
  • 0.009 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.08 seconds )

  • 0.01 ransomware_files
  • 0.008 antiav_detectreg
  • 0.007 ransomware_extensions
  • 0.006 antianalysis_detectfile
  • 0.004 antiav_detectfile
  • 0.004 infostealer_ftp
  • 0.004 masquerade_process_name
  • 0.003 infostealer_bitcoin
  • 0.003 territorial_disputes_sigs
  • 0.003 ursnif_behavior
  • 0.002 antianalysis_detectreg
  • 0.002 antivm_vbox_files
  • 0.002 infostealer_im
  • 0.002 infostealer_mail
  • 0.002 poullight_files
  • 0.001 bot_drive
  • 0.001 antidebug_devices
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_files
  • 0.001 antivm_vmware_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 qulab_files
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior
  • 0.001 lokibot_mutexes

Reporting ( 0.15 seconds )

  • 0.136 CAPASummary
  • 0.013 JsonDump

Signatures

Queries the keyboard layout
Reads data out of its own binary image
self_read: process: JkDefragPortable_3.3.exe, pid: 5432, offset: 0x00000000, length: 0x000e2b3f
self_read: process: JkDefragPortable_3.3.exe, pid: 5432, offset: 0x30785c2a6331785c, length: 0x00000123
self_read: process: JkDefragPortable_3.3.exe, pid: 5432, offset: 0x30785c2a6331785c, length: 0x0000c000
self_read: process: JkDefragPortable_3.3.exe, pid: 5432, offset: 0x30785c2a6331f85c, length: 0x00014000
self_read: process: JkDefragPortable_3.3.exe, pid: 5432, offset: 0x30785c2a6332385c, length: 0x0000c000
self_read: process: JkDefragPortable_3.3.exe, pid: 5432, offset: 0x30785c2a6333385c, length: 0x0003c000
self_read: process: JkDefragPortable_3.3.exe, pid: 5432, offset: 0x30785c6a6331785c, length: 0x00008000
self_read: process: JkDefragPortable_3.3.exe, pid: 5432, offset: 0x6161785c6331785c, length: 0x00004000
self_read: process: JkDefragPortable_3.3.exe, pid: 5432, offset: 0x6161785c6331785c, length: 0x00008000
self_read: process: JkDefragPortable_3.3.exe, pid: 5432, offset: 0x6161785c6331b85c, length: 0x00008000
self_read: process: JkDefragPortable_3.3.exe, pid: 5432, offset: 0x6165785c6331785c, length: 0x00014000
self_read: process: JkDefragPortable_3.3.exe, pid: 5432, offset: 0x785c6530785c2b3f, length: 0x00000004
The binary likely contains encrypted or compressed data
section: {'name': '.rsrc', 'raw_address': '0x0000a200', 'virtual_address': '0x00130000', 'virtual_size': '0x0001b620', 'size_of_data': '0x0001b800', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x40000040', 'entropy': '7.29'}
section: {'name': '.reloc', 'raw_address': '0x0000b400', 'virtual_address': '0x0014c000', 'virtual_size': '0x00000f8a', 'size_of_data': '0x00001000', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x42000040', 'entropy': '7.87'}
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 5432 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Windows\System32\kernel.appcore.dll
C:\Windows\System32\bcryptPrimitives.dll
\Device\CNG
C:\Users\Packager\AppData\Local\Temp\SHFOLDER.DLL
C:\Windows\System32\shfolder.dll
C:\Windows\System32\cfgmgr32.dll
\Device\DeviceApi\CMApi
\??\MountPointManager
C:\Users\Packager\AppData\Local\Temp\
C:\Users\Packager\AppData\Local\Temp
C:\Users\Packager\AppData\Local\Temp\nsy3FBC.tmp
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable_3.3.exe
C:\Users\Packager\AppData\Local\Temp\nsd402A.tmp
C:\Users\Packager\AppData\Local\Temp\nsi4098.tmp
C:\Users
C:\Users\Packager
C:\Users\Packager\AppData
C:\Users\Packager\AppData\Local
C:\Users\Packager\AppData\Local\Temp\nsi4098.tmp\LangDLL.dll
C:\Windows\System32\msctf.dll
C:\Windows\System32\uxtheme.dll.Config
C:\Windows\System32\uxtheme.dll
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable_3.3.exe.Local\
C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984
C:\Windows\System32\textinputframework.dll
C:\Windows\System32\CoreUIComponents.dll
C:\Windows\System32\CoreMessaging.dll
C:\Windows\System32\ntmarta.dll
C:\Windows\System32\WinTypes.dll
C:\Windows\SystemResources\USER32.dll.mun
C:\Windows\Fonts\staticcache.dat
C:\Users\Packager\AppData\Local\Temp\TextShaping.dll
C:\Windows\System32\TextShaping.dll
C:\Users\Packager\PortableApps\*.*
C:\Users\Packager\AppData\Local\Temp\nsi4098.tmp\System.dll
C:\PortableApps
C:\Users\Packager\AppData\Local\Temp\nsi4098.tmp\FindProcDLL.dll
C:\Users\Packager\AppData\Local\Temp\RichEd20.DLL
C:\Windows\System32\riched20.dll
C:\Users\Packager\AppData\Local\Temp\USP10.dll
C:\Windows\System32\usp10.dll
C:\Users\Packager\AppData\Local\Temp\msls31.dll
C:\Windows\System32\msls31.dll
C:\Windows\System32\en-US\USER32.dll.mui
C:\Users\Packager\AppData\Local\Temp\nsi4098.tmp\ioSpecial.ini
C:\Users\Packager\AppData\Local\Temp\nsi4098.tmp\modern-wizard.bmp
C:\Users\Packager\AppData\Local\Temp\nsi4098.tmp\modern-header.bmp
C:\Users\Packager\AppData\Local\Temp\nsi4098.tmp\InstallOptions.dll
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable
C:\
C:\Windows\System32\shell32.dll
C:\Users\Packager\AppData\Local\Temp\nsi4098.tmp\w7tbp.dll
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\*.*
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\App
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\App\*.*
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\Other
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\Other\*.*
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\JkDefragPortable.exe
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\help.html
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\App\ReadMe.txt
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\App\AppInfo
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\App\AppInfo\appicon.ico
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\App\AppInfo\appicon_128.png
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\App\AppInfo\appicon_16.png
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\App\AppInfo\appicon_32.png
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\App\AppInfo\appinfo.ini
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\App\JkDefrag
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\App\JkDefrag\JkDefrag.exe
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\App\JkDefrag\JkDefrag64.exe
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\App\JkDefrag\JkDefragGUI.exe
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\App\JkDefrag\languages
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\App\JkDefrag\languages\lang-cz-CZ.ini
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\App\JkDefrag\languages\lang-de-DE.ini
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\App\JkDefrag\languages\lang-en-US.ini
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\App\JkDefrag\languages\lang-es-ES.ini
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\App\JkDefrag\languages\lang-fi-FI.ini
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\App\JkDefrag\languages\lang-fr-FR.ini
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\App\JkDefrag\languages\lang-it-IT.ini
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\App\JkDefrag\languages\lang-ja-JA.ini
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\App\JkDefrag\languages\lang-pl-PL.ini
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\App\JkDefrag\languages\lang-pt-BR.ini
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\App\JkDefrag\languages\lang-pt-PT.ini
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\App\JkDefrag\languages\lang-zh-CN.ini
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\App\JkDefrag\languages\lang-zh-TW.ini
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\Other\Help
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\Other\Help\images
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\Other\Help\images\donation_button.png
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\Other\Help\images\favicon.ico
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\Other\Help\images\help_background_footer.png
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\Other\Help\images\help_background_header.png
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\Other\Help\images\help_logo_top.png
C:\Users\Packager\AppData\Local\Temp\JkDefragPortable\Other\Source
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.