Analysis

Category Package Started Completed Duration Options Log(s)
FILE exe 2025-06-11 12:08:30 2025-06-11 12:26:18 1068 seconds
nohuman=yes
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1
2024-11-25 13:37:15,100 [root] INFO: Date set to: 20250611T07:35:26, timeout set to: 1000
2025-06-11 08:35:26,290 [root] DEBUG: Starting analyzer from: C:\tmpjeo7jmad
2025-06-11 08:35:26,384 [root] DEBUG: Storing results at: C:\boUvofCgHL
2025-06-11 08:35:26,415 [root] DEBUG: Pipe server name: \\.\PIPE\aQBjYU
2025-06-11 08:35:26,415 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-11 08:35:26,415 [root] INFO: analysis running as an admin
2025-06-11 08:35:26,415 [root] INFO: analysis package specified: "exe"
2025-06-11 08:35:26,415 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-11 08:35:27,118 [root] DEBUG: imported analysis package "exe"
2025-06-11 08:35:27,118 [root] DEBUG: initializing analysis package "exe"...
2025-06-11 08:35:27,118 [lib.common.common] INFO: wrapping
2025-06-11 08:35:27,118 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-11 08:35:27,118 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\RAMMapPortable_1.60_.exe
2025-06-11 08:35:27,118 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-11 08:35:27,118 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-11 08:35:27,134 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-11 08:35:27,134 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-11 08:35:27,321 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-11 08:35:27,337 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-11 08:35:27,384 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-11 08:35:27,415 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-11 08:35:27,478 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-11 08:35:27,478 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-11 08:35:27,478 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-11 08:35:27,478 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-11 08:35:27,478 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-11 08:35:27,478 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-11 08:35:27,478 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-11 08:35:27,478 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-11 08:35:27,493 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-11 08:35:27,493 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-11 08:35:27,493 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-11 08:35:27,493 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-11 08:35:27,493 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-11 08:35:27,493 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-11 08:35:49,978 [modules.auxiliary.digisig] DEBUG: File has a valid signature
2025-06-11 08:35:49,978 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-11 08:35:50,212 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-11 08:35:50,212 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-11 08:35:50,212 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-11 08:35:50,212 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-11 08:35:50,212 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-11 08:35:50,212 [modules.auxiliary.disguise] INFO: Disguising GUID to c06db7d9-b0ac-435c-9ba2-302bf5f31f7e
2025-06-11 08:35:50,212 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-11 08:35:50,212 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-11 08:35:50,212 [root] DEBUG: attempting to configure 'Human' from data
2025-06-11 08:35:50,212 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-11 08:35:50,212 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-11 08:35:50,212 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-11 08:35:50,212 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-11 08:35:50,212 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-11 08:35:50,212 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-11 08:35:50,212 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-11 08:35:50,212 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-11 08:35:50,212 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-11 08:35:50,212 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-11 08:35:50,212 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-11 08:35:50,212 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-11 08:35:50,212 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-11 08:35:50,228 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-11 08:35:50,243 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmpjeo7jmad\dll\696.ini
2025-06-11 08:35:50,243 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-11 08:35:50,259 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-11 08:35:50,259 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-11 08:35:50,259 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-11 08:35:50,259 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-11 08:35:50,259 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-11 08:35:50,259 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpjeo7jmad\dll\JHPnZzBU.dll, loader C:\tmpjeo7jmad\bin\gzGeTvzK.exe
2025-06-11 08:35:50,306 [root] DEBUG: Loader: IAT patching disabled.
2025-06-11 08:35:50,306 [root] DEBUG: Loader: Injecting process 696 with C:\tmpjeo7jmad\dll\JHPnZzBU.dll.
2025-06-11 08:35:50,321 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-11 08:35:50,321 [root] INFO: Disabling sleep skipping.
2025-06-11 08:35:50,321 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-11 08:35:50,321 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-11 08:35:50,321 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-11 08:35:50,321 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-11 08:35:50,321 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-11 08:35:50,321 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-11 08:35:50,337 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-11 08:35:50,337 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-11 08:35:50,337 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF822E30000, thread 568, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000
2025-06-11 08:35:50,337 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-11 08:35:50,353 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-11 08:35:50,353 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-11 08:35:50,353 [root] DEBUG: Successfully injected DLL C:\tmpjeo7jmad\dll\JHPnZzBU.dll.
2025-06-11 08:35:50,353 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06- <truncated>

    

    

    

Machine

Name Label Manager Started On Shutdown On Route
win10-2 win10-2 KVM 2025-06-11 12:08:30 2025-06-11 12:25:57 none

File Details

File Name RAMMapPortable_1.60_.exe
File Type PE32 executable (GUI) Intel 80386, for MS Windows
File Size 942888 bytes
MD5 3356214c8e933229f434b6890ed91549
SHA1 07872465b4de999b08512741f0fa1250438c4d5e
SHA256 e31e2c01f113e60e8abba26c11eb8792d93f8965dfbac70c7ed784ba82e3bae3
SHA3-384 46140f2ffa7fe7f34cdb3afd968f97f4b15af630e3035e497831d01a2175edeb41b9fc6e50183f8849ec40f790e29e0d
CRC32 246447BB
TLSH T1981523817FB061C2FC63473049BB15BEBAB969A008616B1737D83157BC3A3429D6DE9C
Ssdeep 24576:ILp9Df4kghIp/Uct1O5qf7tvCq4gyQ4F8kf9AxA+g:ILp9v14qJ3yLJf9x

Full Results

Engine Result
Malwarebytes Malware.Heuristic.1006

D$$+D$
_7GA9
CWj;i
,91"Z
RegisterClassW
;))~j
jRu4 }
u!>!w
n1,R%
I*'%h
Czjd$
|j}EH
A3EPD
\EnK;#@{
uyWG1e
RichEdit20W
$<v:A
-+mtf
)]@$2c`%
wy}p@W
mo<yJ
+j%K-
(/iTG3CJWf,+*
a[?L@
}kJ3<i
F?P<!S
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.06.1</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
1`WSqD
w"9Yh
9-HgE
'Kg|+
na6W%_
%>QgQU
fwHnRLS
3Z;_c
&EyME
xeHXO
^,BZ)cH
+^j>{
G"lZIT.V
7}a@j6W"\
?OKAvl
|mQ-F
88{;3
|#)Tq-
VerQueryValueW
bhS-@/
pW\Qp1:B
CheckDlgButton
Dno;r
E]##c:
1-RZ
}7W/Jv,
|,c>Kk
54]gn%
Zx/-i'r'h
nFgl-
p0AHv
-?Z@N
.}QvH
9nM603CIf9
1hwPE)U
d_4Vu
WYXD}
l%q:0[
U2=;O0
:/[wFz
R8CUL
{cb4nI
9=8gD
PortableApps.comDownloadMD5
GlobalLock
SHLWAPI
Z^i8!Ae
&;S,T
&3bTfoED)1
ruxFr?K[
/EG5$
w+G?
?!qr;
f5] !K
DeleteFileW
yUb<>
lstrcatW
RAb1l
GetPrivateProfileStringW
ZzB"@
GDI32.dll
`Y9u4
ZOEDS
v8pN.?y
Hg'f;
NTMARTA
kU4ZNbf
%Sbsx
OW~Zc
]0e-V
Be)FvU0BO*z
\km*k
eN@46
c`u?b
InvalidateRect
{Coi
a#PHZ
Po}xF
`v%e<i
RAMMap
CoJ#P
0CJTL
LZP%@
toNIL
Rc}O7
&A{^w
=ZzeRG
23Qe:?|
Gpo/U,
+vMHe
QP\9m
u@V?&
$B-eL
> cxE
L~bYe
90=dFd)F
\1gyy
M@oH)r
qJi:y@d
T"~a.
N^J4]
uvJ8`
e a)%
m:}kR
(/4<;#
@mfP\
ZViKJ
{wuk\Ov
$3?U,d
{NVH"y
!{6,i
<gnbd
,DGr`)I7Fi
*9.%^Y
2http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
\P!J_
n'l29
w;}CP1o`
r|R(P-
=VX,'
-|_][
T_^Vb
InternalName
s4l}N
:cZ]6^
JAc.
xqe%O;
KV`XP<
EoM7@
s=6`q2
L8ZnYB
Q`{xd
~d9J!
1Wh%.
N1!S0a
V@oj!+
1WAMp
TMs`V
2qv-,]
~,Sqv
e]uZIT1
JYspE
k)fwf
]49F]
5+>Cg1
@;njs
=JM0Pb
fCXsK
qo,K K
?Z\hR
a+dXsW
1P%=i
Vx0RT
b+VRO<]=z
HRq$/r
Software\Microsoft\Windows\CurrentVersion
imaF~
3 VZ%
w$$>|
u:FeV
{E&cX
]IP>:
;<n3")
xpM+,
wtWv.N
qR15`
SA'fT
y]T$H*
Ku!O%B`
GetDC
FDv&0`
SetTextColor
XU_^RL;
o]S>E
2lpc<>
5GS$[
m7l?>k
HCIs&%
7<ty9
Nb[4&
oCD[3
K@fam
r *G8
FindNextFileW
lO)tW
R8jd7
;8*wEZ
`voxz
,$5q>
w[HFZ#
v[|[}
o24KZ
;mQ.nt
v^H=I
FindClose
P% =#
&""BX-
O\y2mS0
LN^PjH
[UISaYNd|sg
j>sXa
'F`=a
`083L
wqw7,
_6gTi
*F@+[TH
=i[{"'
;R't.9
KB6p
9GWgoR.
YV1E*!
2w%Zn
D$ Ph
MulDiv
(z7TG.
K!@3|
=vWn8
GetTempPathW
1qE+
8@<G<
zM^-i
tYQx*'2x
9iA\&
m,yZR:
w:M2D
2U$M7
K/2P4
X[Vjt4
o4M1>
@HY0A
=5My7
RegCreateKeyExW
incomplete download and damaged media. Contact the
^{ka)
%z'qu
|&N.H
+QjSJ
>S\A]
vX95h
?Q-8\
Gu6:Zs@;
yrS={:@
?luTd\
RJAJ<
I)in[&
9K)5q
%\2m{7
z2jgw
kW,No
B<0crj]
S&)t0
j{G[n
TN[3^
eRXYk
F,D l
s495
Lz;`2
*bG?5
reD*Cw
E=Y0/j
dsP5{
P|$jf:
$mYy0
h0Lk{X
H#zJ=&
Fy6rw
<)2{r
%++SN
3esp
*Ak9O%
`a=BI+
eJ )!
*$uHM)
jt!`i
6` ";:
SETUPAPI
H^mBUhM
vSH@al6
A:[bf<"R
0,it:
&^q)b
vpw/}
\'Ci5
)eaagJ(
|x23CB
VSj/|
1BLkC2Jw
'BE9l}
-UvW8
Uta&)
GY`?|xR
r8=vu~
}x=1T5d
cWEnl!
H*I|&
GetSystemMetrics
OA]]5w
~@wFaa
`I#I_
qB6-$
D$$SPS
x5}0E
$T?qK
<0:08
/{w0hO
Dpkhk
}'6`t
=7+1JD7cRL@
<FPdM
j_(uM
NlcV}
WwtC'
Z;z8}h
*%4r84Cp,#
C763y
#IKFmFT
Psc=2
l-dwOO?;^
vlNY
`>D{v
Kdpy
j}`W{T
v8 DR
LtEs#
M(xz4qp
Z\1,)
(A/Ip.
[`n_C
O%|_&bN
p05$$
Pz G>
PortableApps.com is a registered trademark of Rare Ideas, LLC.
CTfVZdM
$(D.V
5r_h%
djdih
A(U8`
CoTaskMemFree
/ZXc{
GetDlgItem
CloseClipboard
7bT%(
$z'P8ZG
f&V^-B
{FY@:
m;5Oq
)NF{R
^9)\[
/*7gS?
vIiP1
MS Shell Dlg
=vbXF
{h%Q<
;Z*mX
.N{fwh
pe-Ox
q:27G
HV,`}=
%q;dC
'^nm.
2-{Y1
1$LR{
Pt%Qh`
l.G##
GF4<n<|Mj
aE?!L
m*JpH
zhz%A?{
XG6P(
279[)e
,f^ v+c
)!Zkq
r>@U9
8 `IwC)
xY5N.:
$er,3
<4*F:5L
u5r!F
-8xLt
lsUYl
`aN[6p
GetShortPathNameW
C9HOb
pQ#r
` ]<N
[=B";
!This program cannot be run in DOS mode.
PGCTl~aD
5+O03
C]KX]@
QhDTL<
.kh&\G
WR?QX
oZ%pb
|{"[%
W0B?
_AhyvNH
XsSSx;
mklSA;h|Kr
~DHuw
0TbD:f
y97`wC
^6FO}
@u@x8m
@Af]WY
g.u@y
5;.]]
:%IP`]|L
[2n0F
`wuzU
=`S^_.
pM>OT
OKi.N[
@;>n3&
8CG9*
FPaOh
$ 8]N
3x?S4
H)onVz
s8IWH
+"g\SY
u(.[A
xa],3
+@rQv
Bp'~l
z%u+r
C2ni;
R5?Bm
)w4bZ
@2jR@4
|A(cI?
(hsdiM
oIg@/K
i6JZJ)&
USER32.dll
5&{7o
+mlqc
'(P3#V
_hi]z
0P[Vm
Ez\::Q
JIw*'
x_lrg
50ofIB
(#2m}
j2w"U
z4uy@
"Rr^R
JZJ!5[
caWpz)
!ebQ7e(n
alM*_O
VwE6m
7WUNN
APPHELP
VrqHF
t9Ize
|Gp><#
6uZ)r
X9?pj}
ak{vZ
746!%%A
-ndL,
SVWj"
9'>mL
pT;js
5UbU(P
ogZO*
CreateFontIndirectW
C1-XU
A8zx?
*8W R
(<b/0
A[e1J
,.S?a
350 Fifth Ave Suite 52091
<x/f9a'
y5'E+-
RegDeleteKeyExW
2!f_3
Umq])-Sy~"
*2/DN
qkCm7
*61s_=
=vdqH!HZ
X(vq+
$9j?!
cd|Qdq
UAV{PL[
OeQ;^}
awP7N
LoadImageW
BFvG_
yrv,,
L:Dm8I
R1V,$H
.EbN0v
{FQDp$q
c"90%*
r><Zm
zS]VD
|0^CO
;C%P0
Usq+H:
Q_).E
wE~d0H
n3t/M
][rXIr
lstrcmpiA
o=*``
+Bds`
'\>e+
ph}aa
u[zz/y}
-r*#J
b~SJq
5&oR%
GetCurrentProcess
K| &O
pf&{!,
v~yme
'mDbIZ
~3Hv`
iTGe+
cw[\1rA
v ?R]5
BY`a\(
FPWS&
<5DKl
#}Na=7<
JoH=b
n;Q"
pFOOHSNNSMFB&%
A@OFkEL
lqvx?
dKSYt
SHGetFileInfoW
1KVYt-~C7
}oSjfq
s\,7}
x<u-W
H!%q!
)I.8FN
0XBF&
dY4xcU
.ndata
#z7s/
p6,oK
6=Im>
7N*fj
9q[~.
GetClassInfoW
Gq04^[
i1auE
]J'K3
|BPm0
#G3N2G
AY&*&
.mkm$D
6~S~p
dC$Oi`
MSs34lw
"|>CYr
GA=;KJf
Translation
bV;2.&
ScreenToClient
dVk:X^y
P\[acF
Fe' q
,7qa!s
vhmlF
;4B9x
@YKme
2Gx[y*
Q%Ey-
i%9S&
w9_G|
<!Ko&v
%s%S.dll
RAMMap Portable
OleUninitialize
_'9a5*
T5#'/2
E\XS9
a_GE.
pAw-S
2Bi6Z*
_4Hr~1
B`H7"q
201110193226Z0?
?$;_\
pH (`
[ntzC`
]sA*ywO
>0,PqSo
hz||RG
CWVWin|
FCK{YY~
!SA_3
Z4ebQ
UO,"%
Nh<g@
:{?Rage0W
Wf,U|
r'o~+
rfL/?
M:}K\+
5xI,Kc
+KSZ"
bJO79
`[M2RP
*d:Am07P
f%O};
z<Sb#]
+}DpP
GetTempFileNameW
e;9B`
h_KZ9+
Mjl]c
QrsiY
z-e%8
g0e0>
ProductVersion
+^GLPZ
~oH&v
}P*2!
~XHM(
a$c))
+PiP`G
7RAy4?BH
OF}tB'
8u+j!
K6#hqHx
Instu`
9K}TK
rRj;B7|
f(qA,
jo;K1
av.-{
_UiGi
+-]q8<t
eR6NTZ
NRE*0)
?:yhl
Z.5b?vs
htGZ{
ShowWindow
-bCKY
The USERTRUST Network1.0,
=)a&n
sA},k
+35Rm
CSHn_
B54+)
Xc*):n
RichEdit
Q RAl@
&kNYw
RZdBD PS
c<I"!
Tbq*)
t)zApl
}H"$t
)yWvW
vgiQ`x
5tDqB
k0p_fTi
a'I}SX
7%^7h
0*"?%%B
OrtqU
"Kx7<.
u54/a
u{U:t
8yOFur
m|7Xv
2hfJpU#k^
eD]>r
{0pL@I
F]$:7
WgQb#
YWL`.
;*+at$
)@~EN
].Sd{[m
bS1.Y
rf1Q4
D>Fz/*
Bd!M.c#
GydkZ&
ih^ '!
^:vkoDl
GkcPUU
|KWi"
:K#90[n1z
1_KAp
p\-pd
87oY6&s
X)W9cyU7
_)=(e
by/1YZ
pe,!O
s0XT=
~K {
gZVW%
`i8@Z
3=\!K]
[O?,QY
.#YY2
_qU^5
!l|]R~!
+Ay6H
IT}1_
UXTHEME
3n'Cp
b-^'N
T6woA
)tV&1+
H4:&-SK
Z'0>oJ
85HO\^
K25ab$
_A~/6>
i&^@K
6@?~7
fa7:ncs
oT4/4s
5B>lZ5+
DWMAPI
tnyU6E
Mo7R)NK
"p!u/
Q|pf[
bL}x<
VvJoo
V\>:Y
9L~!v
LWiFX
LookupPrivilegeValueW
aR=ki
@g 58
#FVSEA
}&%mA}
e|C_`
\FZB:
%@W,R
q*d/8
S~Cw7
th! uZP
fsc+D
Y-~P,h
a:/ja
jdp<W8
{j.7v
O66a6
CharNextA
j=Q;a2Kx5
Y>6AC
8aX9,g
dr0&G
oz6O,
+s 3a
"1?2,1$
au:_*
+TM@<
:>t(5
kt #
qJvly
|P2oI
6]VFx
N;?%R&
S,!e3
-2%<C
7UbVh
V3n4?Y
pFKe_uW
Hj\("
Jd[gM
0yJcko
2:v`L86s
H>h]%
M.:5DVe
#p[=7
b~)LC^
S`};-~#
:.$7k
JO%--
Z5'eY<
n,v-t
fA P|
|:9KPx
flnsb
MG@.USd
Iq{LA
%.${%
#3./b
IIDFromString
\az=>
U7RkD
q.##}
?ocpjT
!X6(e
9T/6c
2sY+F
q'SB|
h_uhX
}D$5Z
'xc#/dG
+8?>`
FE@l4;
8P]>[
}JZH,
F0^]1V
c)444
HB)[!
U@W2/K
TWl t
NLvqn
kT@=L
;-*<f"
|1J_p
"c2Ve
f58ksIN
f]7at
=#.c6P
fU/%;
Nz>iR
N/R{W"
r[jyT'3
963U*)
*4'f`N
I['cE4?
{xcJ,
u*etj
7o7(3
gh%26
e)G*1
N\%30
x>9M3
gg3"1_
d?\8Y
GetLastError
U^m5g~y
W~rM:
5NILA
SEzQRQ
=^C%~
Sectigo Limited1,0*
K]YxQ
R-`GR
[r0s8
|MAuL
s$u4bu7D
\EZi3Z
F4hz>
`SoIs5
s#VVp
uk3EC
Q:6]4 j
f{Qgn[
|28j;H|
s4R-T
.QlYPw
_p[pK#"
3/[C_e
3ZCB^IduV
u!%eM
Bc,R|
w'g;~r
\Gr\@
e{%MG
"H[lv$
S]u'wO
r8)Pfn
FU~`l
wQ+1:{Y"m
GQfpg
Rr@)m
<*6\M
hL?!b
XLjJX
+&/d,-U
ES(h D
|AK_9j,
61-)}
J[,BB<
.ydj>a
eqn{v
/-4hd
*Ujrj
$O$[b
*6o\r1
!C\v@
O@ntBz.
.ll&x6)
MU(aE
*"36q
Ji:SI
^@MK=|
to^?|
KQnf
7EtKH
<#3'v
^TJ4i
C'f<"6/
rD|gd
/8CI.
62S;}
@:Ijx
>Qv0N
gw\Q~A
JD~2C
2)3J4
yhcBwC
kjY<)
884B=
'O5Hm
}.qX<
p>:U
.gobV
N4 =l
o<0.5
]a]a]]
`.rdata
b,P=)
2http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
(Gd1t
3E`T<Z
'9,hq6cw
#jYhRB_
u%p-56
5:xL<A|
wH9a4
Z~cHN7
RegCloseKey
ui([C
GetSystemMenu
3.5.18
k o"<
VNA?g
_4 2?
6fmqn
a9fYq
]Ew*~!A4
5L-z9
)fm+Q0
478wJ
VHx"#
"|VU'Df_
tO)PK

PE Information

Image Base 0x00400000
Entry Point 0x000035d8
Reported Checksum 0x000e97aa
Actual Checksum 0x000e97aa
Minimum OS Version 4.0
Compile Time 2020-08-01 02:52:49
Import Hash c05041e01f84e1ccca9c4451f3b6a383
Icon Exact Hash 2c09465cc979677d65781d9403176c31
Icon Similarity Hash 5c00f471cce984e3b873ef9ade242aed
Icon DHash 71e0e4b8cccccce0

Version Infos

Comments For additional details, visit PortableApps.com
CompanyName PortableApps.com
FileDescription RAMMap Portable
FileVersion 1.6.0.0
InternalName RAMMap Portable
LegalCopyright 2007-2020 PortableApps.com, PortableApps.com Installer 3.5.18.0
LegalTrademarks PortableApps.com is a registered trademark of Rare Ideas, LLC.
OriginalFilename RAMMapPortable_1.60_English_online.paf.exe
PortableApps.comAppID RAMMapPortable
PortableApps.comDownloadFileName RAMMap.zip
PortableApps.comDownloadKnockURL ${DownloadKnockURL}
PortableApps.comDownloadMD5 7edcbf0ffa80d0b10b7c54a2352f612e
PortableApps.comDownloadName RAMMap
PortableApps.comDownloadURL https://download.sysinternals.com/files/RAMMap.zip
PortableApps.comFormatVersion 3.5.18
PortableApps.comInstallerVersion 3.5.18.0
ProductName RAMMap Portable
ProductVersion 1.6.0.0
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x00006572 0x00006600 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.45
.rdata 0x00006a00 0x00008000 0x00001398 0x00001400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.14
.data 0x00007e00 0x0000a000 0x00066378 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.09
.ndata 0x00000000 0x00071000 0x00194000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rsrc 0x00008400 0x00205000 0x00019ca8 0x00019e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.51

Overlay

Offset 0x00022200
Size 0x000c4128

Resources

Name Offset Size Language Sub-language Entropy File type
RT_ICON 0x00205388 0x00012524 LANG_ENGLISH SUBLANG_ENGLISH_US 7.98 None
RT_ICON 0x002178b0 0x000025a8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.17 None
RT_ICON 0x00219e58 0x000010a8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.51 None
RT_ICON 0x0021af00 0x00000ea8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.70 None
RT_ICON 0x0021bda8 0x00000988 LANG_ENGLISH SUBLANG_ENGLISH_US 5.65 None
RT_ICON 0x0021c730 0x000008a8 LANG_ENGLISH SUBLANG_ENGLISH_US 6.02 None
RT_ICON 0x0021cfd8 0x00000568 LANG_ENGLISH SUBLANG_ENGLISH_US 5.67 None
RT_ICON 0x0021d540 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.84 None
RT_DIALOG 0x0021d9a8 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.72 None
RT_DIALOG 0x0021da60 0x00000120 LANG_ENGLISH SUBLANG_ENGLISH_US 2.56 None
RT_DIALOG 0x0021db80 0x00000200 LANG_ENGLISH SUBLANG_ENGLISH_US 2.68 None
RT_DIALOG 0x0021dd80 0x000000f8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.91 None
RT_DIALOG 0x0021de78 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 2.90 None
RT_GROUP_ICON 0x0021df68 0x00000076 LANG_ENGLISH SUBLANG_ENGLISH_US 2.80 None
RT_VERSION 0x0021dfe0 0x000007e0 LANG_ENGLISH SUBLANG_ENGLISH_US 3.48 None
RT_MANIFEST 0x0021e7c0 0x000004e3 LANG_ENGLISH SUBLANG_ENGLISH_US 5.29 None

Imports

Name Address
RegCreateKeyExW 0x408000
RegEnumKeyW 0x408004
RegQueryValueExW 0x408008
RegSetValueExW 0x40800c
RegCloseKey 0x408010
RegDeleteValueW 0x408014
RegDeleteKeyW 0x408018
AdjustTokenPrivileges 0x40801c
LookupPrivilegeValueW 0x408020
OpenProcessToken 0x408024
SetFileSecurityW 0x408028
RegOpenKeyExW 0x40802c
RegEnumValueW 0x408030
Name Address
SHGetSpecialFolderLocation 0x408178
SHFileOperationW 0x40817c
SHBrowseForFolderW 0x408180
SHGetPathFromIDListW 0x408184
ShellExecuteExW 0x408188
SHGetFileInfoW 0x40818c
Name Address
OleInitialize 0x408298
OleUninitialize 0x40829c
CoCreateInstance 0x4082a0
IIDFromString 0x4082a4
CoTaskMemFree 0x4082a8
Name Address
ImageList_Create 0x40803c
ImageList_Destroy 0x408040
ImageList_AddMasked 0x408044
Name Address
GetClientRect 0x408194
EndPaint 0x408198
DrawTextW 0x40819c
IsWindowEnabled 0x4081a0
DispatchMessageW 0x4081a4
wsprintfA 0x4081a8
CharNextA 0x4081ac
CharPrevW 0x4081b0
MessageBoxIndirectW 0x4081b4
GetDlgItemTextW 0x4081b8
SetDlgItemTextW 0x4081bc
GetSystemMetrics 0x4081c0
FillRect 0x4081c4
AppendMenuW 0x4081c8
TrackPopupMenu 0x4081cc
OpenClipboard 0x4081d0
SetClipboardData 0x4081d4
CloseClipboard 0x4081d8
IsWindowVisible 0x4081dc
CallWindowProcW 0x4081e0
GetMessagePos 0x4081e4
CheckDlgButton 0x4081e8
LoadCursorW 0x4081ec
SetCursor 0x4081f0
GetWindowLongW 0x4081f4
GetSysColor 0x4081f8
SetWindowPos 0x4081fc
PeekMessageW 0x408200
SetClassLongW 0x408204
GetSystemMenu 0x408208
EnableMenuItem 0x40820c
GetWindowRect 0x408210
ScreenToClient 0x408214
EndDialog 0x408218
RegisterClassW 0x40821c
SystemParametersInfoW 0x408220
CreateWindowExW 0x408224
GetClassInfoW 0x408228
DialogBoxParamW 0x40822c
CharNextW 0x408230
ExitWindowsEx 0x408234
DestroyWindow 0x408238
CreateDialogParamW 0x40823c
SetTimer 0x408240
SetWindowTextW 0x408244
PostQuitMessage 0x408248
SetForegroundWindow 0x40824c
ShowWindow 0x408250
wsprintfW 0x408254
SendMessageTimeoutW 0x408258
FindWindowExW 0x40825c
IsWindow 0x408260
GetDlgItem 0x408264
SetWindowLongW 0x408268
LoadImageW 0x40826c
GetDC 0x408270
ReleaseDC 0x408274
EnableWindow 0x408278
InvalidateRect 0x40827c
SendMessageW 0x408280
DefWindowProcW 0x408284
BeginPaint 0x408288
EmptyClipboard 0x40828c
CreatePopupMenu 0x408290
Name Address
SetBkMode 0x40804c
SetBkColor 0x408050
GetDeviceCaps 0x408054
CreateFontIndirectW 0x408058
CreateBrushIndirect 0x40805c
DeleteObject 0x408060
SetTextColor 0x408064
SelectObject 0x408068
Name Address
GetExitCodeProcess 0x408070
WaitForSingleObject 0x408074
GetModuleHandleA 0x408078
GetProcAddress 0x40807c
GetSystemDirectoryW 0x408080
lstrcatW 0x408084
Sleep 0x408088
lstrcpyA 0x40808c
WriteFile 0x408090
GetTempFileNameW 0x408094
lstrcmpiA 0x408098
RemoveDirectoryW 0x40809c
CreateProcessW 0x4080a0
CreateDirectoryW 0x4080a4
GetLastError 0x4080a8
CreateThread 0x4080ac
GlobalLock 0x4080b0
GlobalUnlock 0x4080b4
GetDiskFreeSpaceW 0x4080b8
WideCharToMultiByte 0x4080bc
lstrcpynW 0x4080c0
lstrlenW 0x4080c4
SetErrorMode 0x4080c8
GetVersion 0x4080cc
GetCommandLineW 0x4080d0
GetTempPathW 0x4080d4
GetWindowsDirectoryW 0x4080d8
SetEnvironmentVariableW 0x4080dc
ExitProcess 0x4080e0
CopyFileW 0x4080e4
GetCurrentProcess 0x4080e8
GetModuleFileNameW 0x4080ec
GetFileSize 0x4080f0
CreateFileW 0x4080f4
GetTickCount 0x4080f8
MulDiv 0x4080fc
SetFileAttributesW 0x408100
GetFileAttributesW 0x408104
SetCurrentDirectoryW 0x408108
MoveFileW 0x40810c
GetFullPathNameW 0x408110
GetShortPathNameW 0x408114
SearchPathW 0x408118
CompareFileTime 0x40811c
SetFileTime 0x408120
CloseHandle 0x408124
lstrcmpiW 0x408128
lstrcmpW 0x40812c
ExpandEnvironmentStringsW 0x408130
GlobalFree 0x408134
GlobalAlloc 0x408138
GetModuleHandleW 0x40813c
LoadLibraryExW 0x408140
MoveFileExW 0x408144
FreeLibrary 0x408148
WritePrivateProfileStringW 0x40814c
GetPrivateProfileStringW 0x408150
lstrlenA 0x408154
MultiByteToWideChar 0x408158
ReadFile 0x40815c
SetFilePointer 0x408160
FindClose 0x408164
FindNextFileW 0x408168
FindFirstFileW 0x40816c
DeleteFileW 0x408170



Usage


Processing ( 0.74 seconds )

  • 0.676 CAPE
  • 0.059 BehaviorAnalysis
  • 0.007 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.06 seconds )

  • 0.008 ransomware_files
  • 0.006 antiav_detectreg
  • 0.005 antianalysis_detectfile
  • 0.005 ransomware_extensions
  • 0.003 antiav_detectfile
  • 0.003 infostealer_ftp
  • 0.003 territorial_disputes_sigs
  • 0.003 ursnif_behavior
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior

Reporting ( 0.01 seconds )

  • 0.009 CAPASummary
  • 0.002 JsonDump

Signatures

Queries the keyboard layout
Reads data out of its own binary image
self_read: process: RAMMapPortable_1.60_.exe, pid: 2456, offset: 0x00000000, length: 0x000e2222
self_read: process: RAMMapPortable_1.60_.exe, pid: 2456, offset: 0x30785c226331785c, length: 0x00004000
self_read: process: RAMMapPortable_1.60_.exe, pid: 2456, offset: 0x785c6530785c2222, length: 0x00000004
The binary likely contains encrypted or compressed data
section: {'name': '.rsrc', 'raw_address': '0x00008400', 'virtual_address': '0x00205000', 'virtual_size': '0x00019ca8', 'size_of_data': '0x00019e00', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x40000040', 'entropy': '7.51'}
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Windows\System32\kernel.appcore.dll
\Device\CNG
\??\MountPointManager
C:\Users\Packager\AppData\Local\Temp\
C:\Users\Packager\AppData\Local\Temp
C:\Users\Packager\AppData\Local\Temp\nst41CF.tmp
C:\Users\Packager\AppData\Local\Temp\RAMMapPortable_1.60_.exe
C:\Users\Packager\AppData\Local\Temp\nsj422E.tmp
C:\Windows\System32\TextShaping.dll
C:\Windows\Fonts\staticcache.dat
C:\Windows\SystemResources\USER32.dll.mun
C:\Windows\System32\imageres.dll
C:\Windows\SystemResources\imageres.dll.mun
C:\Windows\System32\textinputframework.dll
C:\Windows\System32\CoreUIComponents.dll
C:\Windows\System32\CoreMessaging.dll
C:\Windows\System32\WinTypes.dll
C:\Users\Packager\AppData\Local\Temp\nsj422E.tmp
C:\Users\Packager\AppData\Local\Temp\nst41CF.tmp
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_CURRENT_USER
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\RAMMapPortable_1.60_.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
Local\SM0:2456:168:WilStaging_02
Local\MSCTF.Asm.MutexDefault3
CicLoadWinStaWinSta0
Local\MSCTF.CtfMonitorInstMutexDefault3
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No TCP connections recorded.

No UDP connections recorded.


HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.