Analysis

Category FILE
Package exe
Started 2025-06-12 00:23:49
Completed 2025-06-12 00:55:08
Duration 1879 seconds

Options
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1

Analysis Log
2024-11-25 13:37:14,897 [root] INFO: Date set to: 20250611T16:47:32, timeout set to: 1800
2025-06-11 17:47:32,024 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8
2025-06-11 17:47:32,024 [root] DEBUG: Storing results at: C:\boUvofCgHL
2025-06-11 17:47:32,024 [root] DEBUG: Pipe server name: \\.\PIPE\aQBjYU
2025-06-11 17:47:32,024 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-11 17:47:32,024 [root] INFO: analysis running as an admin
2025-06-11 17:47:32,024 [root] INFO: analysis package specified: "exe"
2025-06-11 17:47:32,024 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-11 17:47:33,196 [root] DEBUG: imported analysis package "exe"
2025-06-11 17:47:33,196 [root] DEBUG: initializing analysis package "exe"...
2025-06-11 17:47:33,196 [lib.common.common] INFO: wrapping
2025-06-11 17:47:33,196 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-11 17:47:33,196 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\VirtuaWinPortable_4..exe
2025-06-11 17:47:33,196 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-11 17:47:33,196 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-11 17:47:33,196 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-11 17:47:33,196 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-11 17:47:33,368 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-11 17:47:33,383 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-11 17:47:33,415 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-11 17:47:33,430 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-11 17:47:33,446 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-11 17:47:33,462 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-11 17:47:33,462 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-11 17:47:33,462 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-11 17:47:33,462 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-11 17:47:33,462 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-11 17:47:33,462 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-11 17:47:33,462 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-11 17:47:33,462 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-11 17:47:33,462 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-11 17:47:33,462 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-11 17:47:33,462 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-11 17:47:33,462 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-11 17:47:33,462 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-11 17:47:55,962 [modules.auxiliary.digisig] DEBUG: File has a valid signature
2025-06-11 17:47:55,977 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-11 17:47:55,977 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-11 17:47:55,977 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-11 17:47:55,977 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-11 17:47:55,977 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-11 17:47:55,977 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-11 17:47:55,977 [modules.auxiliary.disguise] INFO: Disguising GUID to c06db7d9-b0ac-435c-9ba2-302bf5f31f7e
2025-06-11 17:47:55,977 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-11 17:47:55,977 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-11 17:47:55,977 [root] DEBUG: attempting to configure 'Human' from data
2025-06-11 17:47:55,977 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-11 17:47:55,977 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-11 17:47:55,977 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-11 17:47:55,977 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-11 17:47:55,977 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-11 17:47:55,977 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-11 17:47:55,977 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-11 17:47:55,977 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-11 17:47:55,977 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-11 17:47:55,977 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-11 17:47:55,977 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-11 17:47:55,977 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-11 17:47:55,977 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-11 17:47:55,977 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-11 17:47:55,993 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini
2025-06-11 17:47:55,993 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-11 17:47:55,993 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-11 17:47:55,993 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-11 17:47:56,008 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-11 17:47:56,008 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-11 17:47:56,008 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-11 17:47:56,008 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\JHPnZzBU.dll, loader C:\tmp_gell1p8\bin\gzGeTvzK.exe
2025-06-11 17:47:56,055 [root] DEBUG: Loader: IAT patching disabled.
2025-06-11 17:47:56,055 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\JHPnZzBU.dll.
2025-06-11 17:47:56,055 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-11 17:47:56,055 [root] INFO: Disabling sleep skipping.
2025-06-11 17:47:56,055 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-11 17:47:56,055 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-11 17:47:56,055 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-11 17:47:56,055 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-11 17:47:56,055 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-11 17:47:56,071 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-11 17:47:56,071 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-11 17:47:56,071 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-11 17:47:56,071 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF822E30000, thread 4484, image base 0x00007FF60D500000, stack from 0x0000008EFABF4000-0x0000008EFAC00000
2025-06-11 17:47:56,071 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-11 17:47:56,087 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-11 17:47:56,087 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-11 17:47:56,087 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\JHPnZzBU.dll.
2025-06-11 17:47:56,087 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06 <truncated>

Machine

Name win10-2
Label win10-2
Manager KVM
Started On 2025-06-12 00:23:49
Shutdown On 2025-06-12 00:54:48
Route none

File Details

File Name VirtuaWinPortable_4..exe
File Type PE32 executable (GUI) Intel 80386, for MS Windows
File Size 466512 bytes
MD5 5a4cadc0993bec09acf0c075be65b0dc
SHA1 c68f6c580b2aae8429b618c17212a29ca1ac1034
SHA256 8a81904787f6cf011c1ade068a1e8783620a47e34b3010c7a739de6bdd81a20a
SHA3-384 3a302af38a3df3f8c0bca1c78605420fdeb115441c8a123f6d8c2c4e3f4103240509b3796627af109a4730be7918be38
CRC32 DFD22ADC
TLSH T170A413907F909061D9B30A7026BBCF67AD34791508904A4B6760762F7F35381EB1FBAB
Ssdeep 12288:4L4fr5nOE4wD7gUuJT3ePaJwTbxyloqHyjqCcb0P:4L4f9DXWbnqCnyjTS0P
Strings

k6Y"t
3I?1;
`cujo
s$Nd!_
@.data
_+GCJ
SelectObject
%USERTrust RSA Certification Authority
5X$ng
QQoMhi
%X19m
rL#Kn
k8Huqt
/.Ka6
qXR@y
e~Ni>
paAATrB
~>KI|
36p6:>y
!+**+
7'M=F
5VqXZ
wR*#r
CLBCATQ
;jKoo0
oo`T&]X
D{{9~
m[aYW;dr9
0=7Qa
++hG:z
q^ny<
<^/<D
3.5.19.0
4|I`A
4]g[<m<
pW%wQ
|mBsz-
>cp_F}
O0_CW
jk!Hd
Z=Mh!_J
"fD0A0`
hCdtdngA
CreateWindowExW
WritePrivateProfileStringW
a#Y12M
&hY.tWT
EndDialog
3w*Kw[
SetCursor
RegSetValueExW
ZL$&a
52sf<
7L#i:F
*,Va37o
(bnKci
~',ik
AwQo:
J<Y f=
4j]-|
USERENV
{_]s2
CreateBrushIndirect
jQg#w<
IW'gh
<'P1w
k\TLLv
New York1
T.S}F~
R'IMj
PecM}A
Da5V} #
j`sy;DE
B-o@mm=
;i^&d
dH={V
DiQzy:
!j7<W>
aq4j"K`
040904b0
SetDefaultDllDirectories
181102000000Z
|g~}.
\:PUz
L-TeR{
LoadLibraryExW
B?I;@;0
#sZu#j
:7?o
22Il*+X
%ls=%ls
m@dDM2$u
zn`m|b
$03C5
wP]F\
Mmd\n
>\1qDFny
{xk_8{@__
CpS4gK+
IzP$P
72z3iE
Sw[s:d
&buZt
a$jI&
sPYzU
1SdN$_
jPOPLXmjVKKWMEA'n
g B<;
d|~O%
Awn^k
7=fBL
IgKvU
[Uot`V(
SysListView32
O40xV
3|&#4:
'9VO`
Ftx?m
K~|Ra
%u.%u%s%s
rM PYQ
{X7.C/
>I{)/
]2](L
9^Ua4f
jandj
vMNh:[
W3jlKY
os9]H
USPK.
uh|yc
GJ^D]
T0/~Aw
0nq1NR
:2NL1
l'S:v}L
?;A>#
P+XFR
:JuN:p
verifying installer: %d%%
Sectigo RSA Time Stamping CA0
|z@w-
KW)`y
contact@rareideas.com0
8@3m9\
w)]n=
\'X(eDv
FillRect
5IhuG
"DuFU
%S1%-X|
unpacking data: %d%%
W*"xC
\&89k
\GKmH
R-$>w
?`}Oy
\g.lw
m2YW~$M
gpJs)
Uk8:c
`noV4-[K
W!6FL
yw4v]\}
b[E8m
l7$PIn
rh^a\o
)._s[Jb
}ubsQ
?GG&V\
i?l'cB~>
nk$'5;x
mt^Ju~
,L*6'
SHFileOperationW
(9p^r
)>X3T~rw
)TbRP
c+L^g
d&2\wIa
d@!oe4rP
MoveFileExW
{k+?o@
O'W_#
<61W:=l
n'.|0
i|!6h
_!LE}
$(d-+
h R1*
m(m`~
;EyNS
?TvZ,
pD?>A="
{F*G,
~Ik9h
-W+yg
BnAfKE(
yL:MH
4yx!$'Y
Jub&Y@.;p
38a_mv
AVy3a
4A52[
NullsoftInstb_
0#~Dqe6
}:1(n
)a{OR
Y'kQ8
$-A~F
T]m3.
c d,'
ER=Sy
CoCreateInstance
S)"I*
SM_5Li
GetCommandLineW
wM*3!
7\IE,)
301231235959Z0|1
x!oUG
'!;"00
|V9w -
T ^&G
k4s}J6
+aSW;
BUWT}
\bvv]zz`
t$,VW
GetFileAttributesW
>0a)h
\Temp
PortableApps.com
y6#J{
CompareFileTime
.;]DB1
RMMRIB6
('7Y+
^"'Jb
I0G0E
`'pB?:
nY2|Y
r,5u]
%WYV);
F4BAhF`
http://ocsp.usertrust.com0
w|L.^:
)k(5bE
^HB2=
cL(/y
@-qBhp
DispatchMessageW
iC`Kzyp
wvZ]~
201023000000Z
1Uh%N
'h^S !}[
#Vh+/@
&1/>@
LGB:!J
KLumhj
4KF{W
glGlJ!
'S{)<
L-w}9qX
4!hBJ
++Xk.#
CreatePopupMenu
FileDescription
fs?r2d;
&LD1P
VyRtP/
IpG:?J
https://sectigo.com/CPS0C
{"w4
dJ43J0
"p3kN+
AHi9tMo
8>vGm
/8%of4
>1iT=TkD~
j'_FtYDk
zi~u8
<E,/#
HIj9c
i;I"!
(7_@G Y
je_?F
BeginPaint
z*PIy
`[FJt
~|u%qzQ
en/kL
h2vo%
awQh%
S==p^
mGe1!
wSIM!@9hm
$Sm{Pc
CA$#'
k$`.hs
@}\6uf_
f3y+E
"ejt[v
sThq~
]HcT\gp
``%K5
H=.f*
(;.7mJ
#`c={
lstrcpyA
Y`8TQ(
SetWindowLongW
]Jq}~
AdjustTokenPrivileges
h?y8"
PhwV@
GetFileVersionInfoSizeW
^O"ZN$C
Kkjeo
~ =o}
%MFQhqE
MG>BJI]
S^-yi
]4uBvdY
grzXz
*?|<>/":
:<R3k
5Z]-K
eW0Ev
${)*p
sfN>:e
EBH&?
\[i_}$
*=hf!@
zD~Mz
eAH{@
Ed`!z
$2/7BW
p{{t9P
w!v*}30
olw'z
FWkeq
OSup:
wut-d
>Yzi3
sWOxC
xA0znN
v5g E
gx7+JG0
GetSysColor
CharPrevW
Q,fhW
Greater Manchester1
g>u6:
Rare Ideas LLC0
4.5.0.2
)_Z`i
nbd*L<C
{(\%/
gcY#K
1y,-W|
a4=G@
InitiateShutdownW
xqpyF
OHYN>
ul0_a
&~%qe
)CVXaH
hg=1izG
n'$i?G[
+B%dZ
}E'OK82
2'\I~
.5X/ b
, '-c&
Q5X!y
g(|Y$
,LC$g
Cfj$40
D/!w@
oeDO^O
BBL#%9
($;pC
I',CQ
GGg]OQ{
=!zX(
x%mM^2
Rd^Pt
tcsgx?
WO>GPR
C`[MD
a$2f3Su
0(HIS
SHELL32
l^3fg
,fmb\
GetModuleHandleA
b"b}"
WvPn{
{0Zrp
gF9AKS9
]N<'3
8Gz`K
|^-nTk=
VirtuaWinPortable
SetFileAttributesW
SetDlgItemTextW
*l/dh
2Gaa=m
.g:Kbw
13nL05n
e~V7B
ENqlc
XVA7K@
GetModuleHandleW
#Knbj
?F*l<~
[C]e=P
VZvRb
8oK40
Rf\Hg
Q.=iZ
E6B)D
?_pb$==
'm]d$
Aa&1^y
Nn;rF>|0sA-
.rsrc
|{y82%
:Q4ho
"'f/EH
Sp(<?
}`RRN
z2,*|
H%cDi
lC;"D
8'> +
#nD2T
OriginalFilename
5On6C
k?\tL
]`3KZm
;Zfat+0~
pIBHc
Jx&R0l
h'hDm
MqT~x^^c
{11PK
Fga^.
-1_73
*l;4m
0B>i#R
220220235959Z0
>&f8@E
p&z*y
QHSS}
7J.=eh
S}AvG?
p\cOdK!1
?%|uE. 4
nI}!1
szIC!
eYxs'
P,{Le^
IDBD $DQ47
'jQcQ
V5x!4R
Z#P^`
s|&>A
h>tv/
QARlU
GetFullPathNameW
?n}:)
Zpn%1
)s*hp
iWsC=
EnableWindow
'0oTe
0XvPl
7r_un
\Microsoft\Internet Explorer\Quick Launch
BD|LRS
03}iEG
DRnF^'z
;:ihd
W9p'Bz#
CloseHandle
oQ2vL
D"QA2
!;p,M
E%-eU\t
#Sectigo RSA Time Stamping Signer #20
!:5<~35\
W(MyS
"iqE/
yBE5g
3http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%
X]DAw
t#SSS
C}6R0
RegEnumValueW
w^}CB>
:<]G<b
f~uPQ
R;Q7n
SeShutdownPrivilege
yx?\M
=FI@0
<:;t54]
=TI^m
*~-%<
G]{t+
g#l|C
+7^.o9
0]K$S
P68,=
odbNo
Y}}T|
a|c)p
NSIS Error
TU]USQY
".cZS
CharNextW
yI'g5
j0h0?
]OL/x
or}e5
tvs{k
;!g7W
KP~S%
.text
K7OB7|
QI+ {
TlAhZ
lstrcpynW
9I}0N
^ )Fd~
x{jA$k!
L-j\oS
2bLI{bpE
P{nlmP
V86Cf
]?Em9
SetWindowPos
GetDlgItemTextW
aYNde^RgHB6
WmYE8
ZyZd`B
;?~LIK
Uf>);U
=0;09
Vn~[Y
'AE![!
@1fa&
de|:R0
*KS`+
h%s$v
1kCLB
yAsL.W
v\G n
S{7`v
o5$wf
DlE@B
ib8.1
(^;]4
0[Z;$J
xfA#p
Bm^m>
"=GLX
^j\PN
@_^[]
m+Bgh
M-iOO
2`E2{4
v'f"D
0B<nV
*ksr
_/Gz,
tWf="
qo+|U
TB6SD^
s}J77
fxbd=
aap|_2}
kGlT}
3http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
vpBtl
D?<JSRj
(*^cCCk
COMCTL32.dll
>FFf;
NcLBk;>
"k{%!
V1-+s
niM48KWREBm
PortableApps.comInstallerVersion
Q_DO#
\"+bOf%
#siy1
?Wlr~0m
aD2/Us
MessageBoxIndirectW
?:.O[TH
m1y&Gi
qJIurb
^t38rw
e+aIw
if1]9
2&-jWp
$n&X'
`0H!{
nZ~I=Q
More information at:
EC+~Eb;
RemoveDirectoryW
$ 6@`
DeleteObject
o=[p@f
>"GM_V
,WKj(
TI$og~
Y>Sqn
EmptyClipboard
Q1-rPW
SX-_0G
6j;4F#
gu5'^j
?R89+
b4q'#
9uL`_
DAQf8
J4q@pb
aGa!$
\yn8Q
RegDeleteValueW
p[u.S
e'Ih)
+^/l+9
Xy`23
A352a
}MXGx.
n|hV12
MN{]@>i
u$5'E
I(m'4>g(
RG !/E
?_=UM
abbab]\
|ItFJ
X[nT6c
U;+J9
%USERTrust RSA Certification Authority0
$ Fe+
\XQZjZ
=>Y;$
VnzQT\Z%]
lv|GH
RegEnumKeyW
W`&78
GetWindowRect
CRYPTBASE
<Tei(
EndPaint
x"GVJ
Qm?q`
IsWindow
kGH4JE
W*MvP
(I(TQ
,/KPip
X`JJw0K
VwiIYT
jK$y9
>I4bN^
33#rU
@U"(N
Y-<Bh{r=J
$d0e^
UghwZ`E
-WC;'
,jm,G
C[[>g
-*[5*
5%uAB?
FJ{l~
b?K'2
SetClipboardData
Wnl?fm
j [f;
R]&RF@
y-uRl
vv-F(
/(bq9
GM-86OV
IsWindowVisible
k#)Ac
%{ CV
*cSG~
RBmY]
4')#Oy}
5c%)&3~1
VirtuaWin Portable
>L/Sq
CreateDirectoryW
tC2{iN
8>t`NP
[Vqet
%9A1R
ZkC/H
]+tdY
#~gO[
@Gk3o#
m'QQhF
>5S}do
Ls|<"A/^
"-${v
vJ,H
K'G5l
-8(COt
>]6iQ
S]hoP*
j-g!Cy
:)n;k
}K_sLls#{
`"WY/
,/+B#
g^nhd
210413130832Z0?
E&`^v
LegalCopyright
MT+30~
f!>_^
YAHRqE
8$_^\
p>Yy'uz
SendMessageTimeoutW
CallWindowProcW
a\NCWf
TFt1b
e5@B},
gDZJ'
[r3nn(
8DHL`
SetCurrentDirectoryW
cJgXCJ
fxUIyu
\xebz
0~9J]j
tI[`}
&}rz\
HO`Fo
Bq|Kh
qwUFm|<
Sghv~^
dj359AGVWd
z~$Ia
iJ?[_]
r.O1N
D^+x3x~
(+3 b
@na'>
GetMessagePos
101181
WPWj0
^|D.Ne7
0X@JG
Dzx|(s
huWM"
@m8Q,
Q^vBzM
`<}v}
jgs74
a:@tI
HWr;{%<
RegDeleteKeyW
F$Khr
qV!F`
Ci,zwU0
Sectigo RSA Code Signing CA
~p7b7Y673
xDf`uN
&&Y9$W
g_mWkB
pUjK]
BN()Y
=}3$6
_c>^Jm
@O1-d
4yySR
O&'&C+
>~}7G
.mgrs
iZ;qR
ImageList_Create
q,<Eh
o6"y,
.DEFAULT\Control Panel\International
i>!qmj
?J:*C
Cq50;
2k=kT'
WaitForSingleObject
^y'Z`zl
6nh[15
97(?86I
Vs>|wQ
gi4blk
wd-8:@
O3hVA
New Jersey1
;\*36
lstrlenW
U-tlK5Ut
3jq+n
OpenProcessToken
LNRV)
!AufgA
Comments
^UWZP
SystemParametersInfoW
y?bQl
~2Krr
]w_lcD
Nk~t!
K:SB=
320122235959Z0
SHGetKnownFolderPath
Bj 9;
20210413130835Z
!Pgi@a
Bm{*@Da
SetForegroundWindow
]0e,$
/k)5;
uDWWh
_O'sgY#
i}W]0
nCSV]
#Yprn)|
'UW*n;
i223-
#HbwE]
x^"eS
}Xb~M
HDGPC<&
3{%x`G
SetErrorMode
(K#^i[
t^!$c
4#!yx
Bq8,5
190502000000Z
fjC_k
_mNy8
c{hdt
&0YG1
z[WLG
_A>VS*
|zK-q
PtH!h
{SW1,Vt
SHGetFolderPathW
iPgW8
6YW?7g
z/] c
D5wKd
e*2I2F
o7\*%vN
y=uDa
Ec (/
E[(a[
R^pUg57
ExpandEnvironmentStringsW
6&f=nRm
2oACO
bSJq
HVHQN
D*aiMR
@ ah"5
544S$
SearchPathW
wBUYn
SetFileTime
]fV0Y
G7!Cn
]i\X>T
IKylM
KiT*t|a^
hqrT0v
ao35H
p7!J.
rXW&fJ
GetTickCount
:FD|m
>x[N`
l=Dbx
j6vDm
S;eO<
gXJ{)5
6B[Ld\
@c"Yc
&J%ZE
9OhF;
{_sy^\XyT
s]go`Q
A#V!'
5\Kv'R
B;cqMJ
6NYSA<
_]5fBvx`
H<Gfr_
ufcmi
Xc1hR
SLC '
<b<L2ZG
KZ[yz
MultiByteToWideChar
For additional details, visit PortableApps.com
NQ3T[]
:hW2e+S
softuW
q0Jx;
{D6Ium
J`o+l
6}zs)
"_` `
http://ocsp.sectigo.com0
VERSION
0EdN|
7QL~vVd
7E-@X
&`!vb
4ocOY)
aT_GM
[Y?IDV
]+Th3
q^V8f:
N*|@g
hriHbc
coJ'5
G*:u$
B5-Wfe
>[<?^
msctls_progress32
JE8g>9,3
SHELL32.dll
buuu(
6Uqb8
mXC!>
k#o?0
-:&tfE
]0-y|
;FO6-
jh.b)*S}
u@mkA
g[>DW_
aeX/!J
sb~+oG
\r,JH
e{&"]
`^^^sS
6NrL!
r@.dje
CreateProcessW
ev4aB
KABhp
2007-2020 PortableApps.com, PortableApps.com Installer 3.5.19.0
.4B^t
PczF~
cGam/
J@6.Ms(J
(Zrcy
-&\G%>
wp?0u
40%.qh\
%wXxo
;5<w%&E
f^/Q'Vk
installer's author to obtain a new copy.
YnLG~
tzK.x
f@>SR`i
q2RC(
<N]:Gv'
... %d%%
O2mV2
x&3j9
~htV^
,|wE\
/n,DJ
p\tWek
ADVAPI32.dll
WQSPV
i;b~Z
"i8F>
o&(MnW
X?m7w
HCQDG
+CDJa$
UUUUW
/ P6pL
CreateThread
(Wwb9|
SetBkMode
Z|_|q
)eT;@
9BAu3
90705
TrackPopupMenu
DialogBoxParamW
FreeLibrary
F"C?N
wp2]b
KnBF{
6}X?Z
K<#;bh
lstrlenA
XBJ(6
a9G1<h(
w12,2
CPxjz
EbS0$Vv
-.%6w9
"(b'&
.~"bNi
CompanyName
mpjAX
B<1Y44V
k[%/8(
Rare Ideas LLC1
y%#g]U
^x^d8/
B.I'NktV
0NDqx
=J5_zo
73& #
XNKt2
B/&nJ
o~M"4
#h^!_
-BU]&
p]Dm6M
{00?h
Fr`Wo
md*p
Q*@W?
a>8);
f>feg
Sleep
90u'AAf
E]`P/
fd7Ag
r;3H>
eZ7e
~7-Gs?
Zt;b3@
*47YD
S[|b&
E8Iax
GlobalFree
MsRYlY\|
cMb|h
rc quC
GetUserDefaultUILanguage
Aj"A[f
GetDiskFreeSpaceExW
:27Q6,4N
ShellExecuteExW
l)45x
6\mUi
By@Aw
M1pt1
gu-b7q7
WWWWjn
https://sectigo.com/CPS0D
JpSmP
vgt`2.
RegOpenKeyExW
}0p1[
WUpKN
/-P?pR
Ea(zq
f.:N\
SetBkColor
tBgOQ^
|>|Xr
U{U=<
http://ocsp.sectigo.com0
PortableApps.comAppID
FindFirstFileW
=0R1u
YZjo7'
6l($H
7yP!k
wKLet5
wsprintfW
E-:+X
New York1!0
D$,+D$$P
`ZOIKF:
1C#J4
% D3t
OKgNKC
iJWnTM
476m~!7"
|#>$T
h!:c{t
wL0 X/]O
bx1;w0
"@1'0
8S1]t
M~riC
tw-ezo
8r&!o
y#v`[=
1]lBK/`
`nia
rF0Wt
0ZuP4^
%t wLk
ejE",+
rc{k2hY
P%w?_
U`8K/6W
4()E10N
[DdCA
5^^^[
D/{|h
]I*5^
((L0,/d
SHGetPathFromIDListW
w/Xxo
%Zv l
'N^B:
bfhit
j8WUHBYs
cnCwN
A[tVI
ULmy>
*cV a
7u\w2
4:iSG
U_X5jXz
ImageList_AddMasked
2,57V
AppendMenuW
T;u5+
190221000000Z
,g@`d
ovfwz#
f1YF[
sN; kZR@
ITt2~
RE<@Iy
|?B`W
:QpD>
9l<x@j
r<D&k
o 7%]
xjc6O
gvR''
#f(Mw
>%^fc
IDATx
Garjl2
o|.xG
f-YA(
CornD
[ $OT
bMB-}M
]buxyubO
4m~&];
2_CcY,
m62,R
PiMj&
gA6c)
XWwq5{zHM
/-2B$
!3@,QZ
AQxV(
_m >7
C:}6?
":K1K
!KI+OF
EpW<@
IfEZ.
G" 4r
s{:qa
FindWindowExW
lstrcmpiW
ReleaseDC
8R]]*M
`CL.]*
Qz|GS
29gM{\$
^l+LzXW
qOI\SU*
>tvm!
ADVAPI32
zV@uM5'
|aa2S
k_(>D
PeekMessageW
3~}<S
NH=!$&`DQS
{2)Ip
46EXQM
pX<g'N
E[;i+
,q0r@
LegalTrademarks
a=2U*
3,{%5
hC==Z
}^"32
D=,'7:e
SHAutoComplete
a9u5h
GetClientRect
&EFPd
rJ%11
GccZAbdq1
6jTyp
;61#,#
5YHNE
SetEnvironmentVariableW
FFC;]
/c/;y
mK~lf
ReadFile
FE``U
WideCharToMultiByte
RegQueryValueExW
S&M7wd
8b{kw~
VarFileInfo
<?\W/
$SmrH
wsprintfA
j(H#
NulluN
st*Pr<9/
9ZqS+
iX1z<
ImageList_Destroy
DrawTextW
rdVL^
a`)wr5fs$
fen*D
&hjrB
CiSMB<
+xeKQp
a&76D
_)~ssK
%|5AT
oB"0r
+_&q=
a[g~o
GetFileVersionInfoW
?_UF{
P,0G0 ^
gO@7@
sEgO.
hGDj.
Mp2YQ?
83('[TH
Qhe#)
CreateFileW
99x&~
J@iYu
{CCpD|
ExitWindowsEx
:;coAD
ed\uU#D
GlobalAlloc
&gr54Xqh
b#cS\r
PROPSYS
Installer integrity check has failed. Common causes include
{GS(w.;
=<^[_a
2?*e{
VirtuaWinPortable_4.5_Rev_2_English.paf.exe
p^vH[
:utb
?Da[+/
ICCc+454
w9#:(
CopyFileW
n__zf<U
GJ(A""
Jersey City1
/Db'V
N-DW#
1-rjYU
p|Tx|
@YzAk
V&'i{w
$RZo^
Control Panel\Desktop\ResourceLocale
J_Z^O
Error writing temporary file. Make sure your temp folder is valid.
.NWmB;
FMQ6;p_
i+2L-
SHFOLDER
E,}TO
m7f=fL
i:6?)@
\ZQ"\]
"fz^w
NXH?f
>/zBl
VSX\il
mdm]E
wO_7{
|Zqqo
GetWindowLongW
E@z{O&
bQ<a);
;11mS
k[R!%j
xZGU>
F68Hj5
%:ehwU:
Na60DDl
AVpa\$Nj
m.Bz.~
wD_lM
|k*hCsPl#
GetFileSize
Ep^8>
w^ZH=b#^"
xfkC
=;Y)$
Fv.*a
ii+Qz
wo<S
C%I>\
U)$r+-.
3http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
{055M
1TW*
MEe5%
XX\oG]0
&Fxzqq
X,wT{
GetDeviceCaps
bT`d&
T~md|
Wx K&
aH\'e9
=d1T[7E
>N{=D
:tc o4h
uj8pb
t]Mcp
7hiuU
380118235959Z0}1
}LBH_
Error launching installer
vk[%
d[.bE-
@+3Oqv
r(t'PN
?2<H#
PrbRM
FyhMYco
'-=H d
{s|,BW
SB=5+@
:r)ZA
|^n(aG
9=p 0S"1
U5VC(
QowAw
~e`o0
Ef-SS
[fuU-
ut,Rg
TXmA,
Q#`Zh
kxXB`
gGB;lY
WriteFile
|k0$-R
r[~@{.
Y%/_;
KERNEL32
8R 7a6YU
tA(Ug
RPjSP
5wp3h
DestroyWindow
"7FId'0b
Sectigo RSA Time Stamping CA
<p?{q
4 oUmC
i3]UN
e)5*-
B~Yk(
*w0~K
GetVersion
N[)b3
AFs 9
*q'/I
lY^\-
SetWindowTextW
Sectigo RSA Code Signing CA0
'MEMp
g76j4>3I
y?@P|
-V4$M(
l)(wU^
?&qDu
A~2[78j
I{=#}
VSUbOI:
9?9Gu
\u f9O
dc@\b5
]xf~C]
HO@DFFDD'!"
SQWPV
~#a!\7
EnableMenuItem
LoadCursorW
SHGetSpecialFolderLocation
:#E++
cKn\7=
M@Ci>
hTA N1A
ddqQ/
OYzk:
oeT`-
p2CN;
}[`5Sk
`aT!1
UWvxv
DxsRR_
%e6:E
9k}Ad
]0m2N
W^3Y:V]w
7Hrhls
RichEd20
s*7eg9
ZMI*o
StringFileInfo
YwGEKaV
jHjZV
0oQ}{
ole32.dll
SHBrowseForFolderW
}R<r}
bNrVPQ
PortableApps.comFormatVersion
f<Bcl
Ks"/5
df:?3
b.[c+*
xOhY[
L$Li2
w_9cb
BrIeB
GlobalUnlock
Pk`;W
9jJ,X
248\t
@#qA%
3-o09
|~co%
1@aZ/
`\yud
9AbTP
!SpNRT
nDS {
|{MexKK
!e}|c
;'j{@
k!b`4&
hRcJ"
ojI4($3C6f,
~<WuC
]c#olt
OLEACC
!%r@C6
E){7F
QY#6-
33~2T
k_.^u
483`kby
N2WUIBIikK.28
`vC:Kp5
f9=HgD
olj}xyGK
Z\rMM!%
MX)Od-
h0f0?
Y7{>6
`Qr![
, #"z
b@]We
%4J)3
:LvEc
+h~x_-
U^0E
i(4hL
g%p|G
,9>hFum
:cf!zK
Salford1
qT]qq#fZxSJUj
^@m3(
QK?I^YM
%0zFP
9&%hz
210413130835Z0?
}E_m_
9Dr%wq,r
2Ug^%
Zlp)p$
LJ'VqWe
X_?m<
1ur\9j
X.9_]
X!gg[
`^$BzT
k'Wq4
HjWRL
P?'j>
3;<0A
A>Ocq
<oqC
x4tV`_
`!>|dK
5P3E9
GetModuleFileNameW
"%SG,.V
42?D%'L
W*yoZ
9&9-R
20n2EB|6"
]jdB>
B=#$@9
AWO#Pm.
3LxA)vg
SetTimer
sFA!R
#)kq@
P: e_
k7RYYn(m
SetClassLongW
8W,9+p
=[tC2
B|0Sr
lstrcmpW
Fq\#&H
KERNEL32.dll
RichEd32
OleInitialize
KVmj\
>l8+/
k)!$fp
d?*/q~
TSw''d"V2
QUbWn'<
qc>pn
!hni`a
1JtcW
SQT0H
D:&m@
\I}32
H1Vfgh
z2"Ip
m$9RIP
K^zs/
:{-h&L
G:Lchb
,s;|V
GetWindowsDirectoryW
-+-V,+O
DefWindowProcW
~UPA0
LGGNMKg
N}'+z
"D?2j
E?kVE
g)0M,
0WZHBMko:.2
wO#]1
A_X9o
j:F~>=?
GetSystemDirectoryW
e/I|O:K
e\;a'
VS_VERSION_INFO
IHa}?<<
GetDiskFreeSpaceW
C=1V;6+
4\x$N2
baP`g|
YVWD- J
zL7_n
;`#.A
#Sectigo RSA Time Stamping Signer #2
sHYpX>
c\DfG
Vei?S-%
tYtLz
`}}xY
b@3!A
~D#JdZ/.
|O$h,
PostQuitMessage
1[UdEQ%
Vj%SSS
@Toa#$
dK3Y{A
YV\oI
SendMessageW
@zbG8
v'2R9
JBzGT
{49=Ii
7wXB%
Nk@b]>
sKLj{6>
9>Bi<^ct
-h-)O
SVWj _3
TBP7\
XR$m%
SvFb/
:b}~$
tZj\V
?http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v
OpenClipboard
}{I1g
+<G=au
iwry"
_jlvzyxb^
pLu+I
SdV0D
SMALHB7
OP{&;
?1J,U
6XQU'B
Sectigo Limited1%0#
Ce #a
cf6Y>
[W8yZ\+{}Q
maa>1
~"rm\
-9v4/3
GetProcAddress
\FmT69K!
zuqYq
0&DiYlB
z6G}^9
du@!-y
IsWindowEnabled
,iRYOq
;4F?>@6.,
Z:22p
VZ$]6
[v,qux
ProductName
94**wma
m6QUo
/sNx,u
RytN8
vx5=w
]8!*
S+[dU
OQB8D5
%!*V#
G#tAS
SetFileSecurityW
ExitProcess
DBTb>91
DEv]I[
0iG7G4"
}K~"!
9=4gD
|Ayp<a
xyoS.UX
0={3@
(*lIB
$C2k|!
FHs\(
1^eQP]
60XiZ
(0LFR
Tq<Rr}
iVKvx[
m9O1%
GFeO@
e'?{p
iLQ`^
]IMrV
zu~[r
['YDKgo
MoveFileW
Fc2qv6
FileVersion
http://nsis.sf.net/NSIS_Error
cQa]5
IBw-0v
Please wait while Setup is loading...
|SZ<[W]
r.U=Dh
CaOF_K
yQo5P
Qad!$
7[(}r
vbj}R
5qcSL
'RZiT
7ab,C
`>d)#'
G>v1>
u\d=8
CreateDialogParamW
$9S%N
QNSfef
G%01$
2S%Z1
AlK_c
9`GuS
nS@|r
mYz-5
c@G0Ln9'
GetExitCodeProcess
2AAm^
IEFNlD89A4/k
9cFls
LGLtPPp
[Rename]
SetFilePointer
D$$+D$
$rp,G*
_7GA9
{}ElN
RegisterClassW
\EnK;#@{
RichEdit20W
)]@$2c`%
-n-kS
T6Sv6
dntSw
(/iTG3CJWf,+*
nOBWv]i
sH8]rU
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.06.1</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
9-HgE
UA(e=
9KR!{
@'Wa
so.17
ElXbP
z,|S%,
rq$WZ
VerQueryValueW
CheckDlgButton
~iR1X
BAA+r
w+;s`
!M|7S
1-RZ
_o^d
-?~gJ;
s,1<q
z`DY]
9nM603CIf9
d_4Vu
sLx,T
9=8gD
* $=nH
GlobalLock
SHLWAPI
$02tN
dlAFW
<v@K1a2
UUj/;
DeleteFileW
lstrcatW
:$#_'
GetPrivateProfileStringW
GDI32.dll
{oNe(
NTMARTA
E9q!P\
VQ*qR
=FlTeJz
dv_tU
InvalidateRect
d_dI/
a#PHZ
1q-zG
G+0J0M%i
l#S89
"<$AC
23Qe:?|
Gpo/U,
IQvMxi
e|QmD'y
}yDV!
Z5>3(Q
rHL77
+23pi
$3?U,d
w<%E.
!{6,i
2http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
>P[$F|
tAm3,
~$[Os,
InternalName
NFg"k
BslWU
IT\W;
H9mb}{
JYspE
lupib
?Z\hR
pRX]i
]^>DT
F#6]*
Software\Microsoft\Windows\CurrentVersion
JeadD
imaF~
u:FeV
H< |W
s%-/&
aCV)o=
qR15`
GetDC
U9f>5
SetTextColor
XU_^RL;
HCIs&%
zh0\&
oCD[3
K@fam
D.yX8
-Fo'=
FindNextFileW
;8*wEZ
*Yt0~b
FindClose
X?T(=
[UISaYNd|sg
ME^0O
KI433
KB6p
]1>nuh
9GWgoR.
.1i6MB
oD+TD
D$ Ph
MulDiv
ObselZ
~Sgt{
H!`zz
GetTempPathW
Xqi#^7
Dh{E*
(qap^t
6]Okb
V"D2?e
3')tY%
o4M1>
e.Rb*
RegCreateKeyExW
3Ia1{
|-$ts
Z>9oK(
incomplete download and damaged media. Contact the
;OR}f^
_p3(l
?;3Pd)
vX95h
Gu6:Zs@;
B<0crj]
S,`|T
m}gpN
s495
`~|Wd48
MlTfT
>T(eaOEy
SETUPAPI
2Zw=a
vSH@al6
A:[bf<"R
[+Mg@L1
vpw/}
{wcq`
r4~2i
cWEnl!
GetSystemMetrics
OA]]5w
<0:08
D$$SPS
x5}0E
"v}<E
?T9xH;-
=7+1JD7cRL@
WwtC'
Z;z8}h
*%4r84Cp,#
R.d(H
Psc=2
Kdpy
IZb&z
c)`-.
U[_U8RZ
PortableApps.com is a registered trademark of Rare Ideas, LLC.
1_?-I
5r_h%
djdih
CoTaskMemFree
GetDlgItem
CloseClipboard
,}!uh
t~TYGY
MS Shell Dlg
Cvz&0X
6DDpS
ahuZ(
q:27G
b:#oU
'^nm.
2-{Y1
b+!er5c
l.G##
m*JpH
)<w60/
B-N(<
>Zo<&
D*}td
KcE+{
<4*F:5L
GetShortPathNameW
g!'UOo
>@T^T
Sectigo Limited1$0"
!This program cannot be run in DOS mode.
PGCTl~aD
GVh6i3
b)JbCD
oZ%pb
8M:dk
fPs*-
@Af]WY
syW*_ux
@;>n3&
8CG9*
l\d4@E
(-YF=^
H_t)S
Rz_M8
2c^#~y
8mh]]!O
mK8N4
X&~&J
USER32.dll
(q93;
Nm%A:
?$MvR%
4Hzv;l
0P[Vm
da W1]^
G9HW~$
x5[!>m
^$|t<nK
y}@kd
;a~He
3.5.19
ia)HT}
s;-'NP
z4uy@
"Rr^R
JZJ!5[
/m1Ud
I(i4d(
U,-{ws
APPHELP
746!%%A
SVWj"
h,D'x
CreateFontIndirectW
t^29?
A8zx?
l2CjoN4:
350 Fifth Ave Suite 52091
3TZcX
xb3/(1
^=F^\
@%AiDu
P]F\wl
RegDeleteKeyExW
hv*}#3#\
Ui)N3
=vdqH!HZ
)GRZDv
$9j?!
LoadImageW
Z08W~w&'
"iE(e
t0^n}
wE~d0H
lstrcmpiA
fO3-}[
K>?LJ
*:v6u;
3HA5(Vk!U
\t'O4
0IY4w
8tfm!
sT4M"A
Y$@x"KM
W\/fo
GetCurrentProcess
v~yme
w0u}Wc
nD~$=V
81Da<
fk8ct
&9Zye
s(+[2pQ
pFOOHSNNSMFB&%
*$Cyv
m+c<r,qHMJ
dKSYt
SHGetFileInfoW
H!%q!
i(uf$RE
.ndata
`Lq.W/
S8:\x
6=Im>
IBBe)f
_0leR
GetClassInfoW
!:2%[
EQM_Y
44#P2
j368r
Tb{CdUAf
k;G8_?d2
gH0L>
3M)C{O
R#6'B
MSs34lw
AF=?';
If{q|
GA=;KJf
Translation
ScreenToClient
M-]Kx
vhmlF
BVd3+
CVP);
D@Huv
.cf0H
my{wU
%s%S.dll
OleUninitialize
^^p#9
2R5EY
irvl`
L/A,#
E\0 p
n3x>D
Y9`,@
^aD9|
MuUKW
[tfkh
&"z=a
H9:u*
,VI>#
=1@}=
CWVWin|
FCK{YY~
=mlKH
!SA_3
G.wRy
tZV7!
X>PCK0km^
M>|#To
=*DbG
<S8fO
PdFIHc
GetTempFileNameW
Fl35J
ProductVersion
g0e0>
)}&=
Hqye.AN
8u+j!
K6#hqHx
Instu`
> QeH
rRj;B7|
av.-{
f7xQq
+-]q8<t
}g>U_
ShowWindow
The USERTRUST Network1.0,
=)a&n
RichEdit
RZdBD PS
G)i5p
0*"?%%B
F|TO_
se?^e
25%v5
u{U:t
Q7*'}
H/$5e
0'\,Y
``'RO
<}wP+r
/=00/
"+|G&R
m~Q}0U
)@~EN
D>Fz/*
Xvwpc
~I*r0K5
GkcPUU
0HSo_=
@,W8K
,pN 9
r'kANU
_)=(e
by/1YZ
KkSLL
!l|]R~!
UXTHEME
.QC-k
Bm="p
`8@ tr
85HO\^
DWMAPI
Y ~l8
tnyU6E
ZtQjdI[
E;HF4
LookupPrivilegeValueW
@g 58
n80aj
IZhQZ&
CharNextA
"1?2,1$
y>:E'2
54N4O<6
oU]b>_
g.tEa
qJvly
-2%<C
n9H7'lK
Hj\("
E-G"'
fA P|
m;=0?
MG@.USd
NwrChM
/T_3s
6G?yX
IIDFromString
@BX+8J
68alF
2sY+F
=L^Zj
c)444
bgp\m
p\9 s7
kT@=L
;-*<f"
n+LC0
f58ksIN
\E7@D
#32}N8
*4'f`N
n~+Ud
GetLastError
YWhTg
Gbp2P#>
/U)C1`7
@Iy:7
XE PY
r?}=`
Sectigo Limited1,0*
xSGT=
[r0s8
4^<o~ds/
s4R-T
|Y>_j
n`s[
!eK\S
lws4i
5}i*s
b_>q"J
(? `)~
fbX]d
3l{>WO
+&/d,-U
?"?}P
y>h(W
*Ujrj
bD,f;
O@ntBz.
)}ikj
:?W}z
:`9]e9
YdcYe-'"
p0k]<
s2/XT
>Oe+O
884B=
@J4~w
s4?#\
]a]a]]
`.rdata
q*o9r
2http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
I>5@>
#jYhRB_
5:xL<A|
U^ v27
<s_6d
RegCloseKey
GetSystemMenu
c} eh
34XjC
I2,1<'
Fp,`w
VOa#^
A(I\F
,rI\F
XL=g.pa
Gd h_ZP

PE Information

Image Base 0x00400000
Entry Point 0x000035d8
Reported Checksum 0x00077e16
Actual Checksum 0x00077e16
Minimum OS Version 4.0
Compile Time 2020-08-01 02:52:49
Import Hash c05041e01f84e1ccca9c4451f3b6a383
Icon Exact Hash 2c09465cc979677d65781d9403176c31
Icon Similarity Hash 5c00f471cce984e3b873ef9ade242aed
Icon DHash 71e0e4b8cccccce0

Version Infos

Comments For additional details, visit PortableApps.com
CompanyName PortableApps.com
FileDescription VirtuaWin Portable
FileVersion 4.5.0.2
InternalName VirtuaWin Portable
LegalCopyright 2007-2020 PortableApps.com, PortableApps.com Installer 3.5.19.0
LegalTrademarks PortableApps.com is a registered trademark of Rare Ideas, LLC.
OriginalFilename VirtuaWinPortable_4.5_Rev_2_English.paf.exe
PortableApps.comAppID VirtuaWinPortable
PortableApps.comFormatVersion 3.5.19
PortableApps.comInstallerVersion 3.5.19.0
ProductName VirtuaWin Portable
ProductVersion 4.5.0.2
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x00006572 0x00006600 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.45
.rdata 0x00006a00 0x00008000 0x00001398 0x00001400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.14
.data 0x00007e00 0x0000a000 0x00066378 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.09
.ndata 0x00000000 0x00071000 0x0015c000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rsrc 0x00008400 0x001cd000 0x00019990 0x00019a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.53

Overlay

Offset 0x00021e00
Size 0x00050050

Resources

Name Offset Size Language Sub-language Entropy File type
RT_ICON 0x001cd358 0x00012524 LANG_ENGLISH SUBLANG_ENGLISH_US 7.98 None
RT_ICON 0x001df880 0x000025a8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.17 None
RT_ICON 0x001e1e28 0x000010a8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.51 None
RT_ICON 0x001e2ed0 0x00000ea8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.70 None
RT_ICON 0x001e3d78 0x00000988 LANG_ENGLISH SUBLANG_ENGLISH_US 5.65 None
RT_ICON 0x001e4700 0x000008a8 LANG_ENGLISH SUBLANG_ENGLISH_US 6.02 None
RT_ICON 0x001e4fa8 0x00000568 LANG_ENGLISH SUBLANG_ENGLISH_US 5.67 None
RT_ICON 0x001e5510 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.84 None
RT_DIALOG 0x001e5978 0x00000120 LANG_ENGLISH SUBLANG_ENGLISH_US 2.56 None
RT_DIALOG 0x001e5a98 0x00000200 LANG_ENGLISH SUBLANG_ENGLISH_US 2.68 None
RT_DIALOG 0x001e5c98 0x000000f8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.91 None
RT_DIALOG 0x001e5d90 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 2.90 None
RT_GROUP_ICON 0x001e5e80 0x00000076 LANG_ENGLISH SUBLANG_ENGLISH_US 2.80 None
RT_VERSION 0x001e5ef8 0x000005b0 LANG_ENGLISH SUBLANG_ENGLISH_US 3.41 None
RT_MANIFEST 0x001e64a8 0x000004e3 LANG_ENGLISH SUBLANG_ENGLISH_US 5.29 None

Imports

Name Address
RegCreateKeyExW 0x408000
RegEnumKeyW 0x408004
RegQueryValueExW 0x408008
RegSetValueExW 0x40800c
RegCloseKey 0x408010
RegDeleteValueW 0x408014
RegDeleteKeyW 0x408018
AdjustTokenPrivileges 0x40801c
LookupPrivilegeValueW 0x408020
OpenProcessToken 0x408024
SetFileSecurityW 0x408028
RegOpenKeyExW 0x40802c
RegEnumValueW 0x408030
Name Address
SHGetSpecialFolderLocation 0x408178
SHFileOperationW 0x40817c
SHBrowseForFolderW 0x408180
SHGetPathFromIDListW 0x408184
ShellExecuteExW 0x408188
SHGetFileInfoW 0x40818c
Name Address
OleInitialize 0x408298
OleUninitialize 0x40829c
CoCreateInstance 0x4082a0
IIDFromString 0x4082a4
CoTaskMemFree 0x4082a8
Name Address
ImageList_Create 0x40803c
ImageList_Destroy 0x408040
ImageList_AddMasked 0x408044
Name Address
GetClientRect 0x408194
EndPaint 0x408198
DrawTextW 0x40819c
IsWindowEnabled 0x4081a0
DispatchMessageW 0x4081a4
wsprintfA 0x4081a8
CharNextA 0x4081ac
CharPrevW 0x4081b0
MessageBoxIndirectW 0x4081b4
GetDlgItemTextW 0x4081b8
SetDlgItemTextW 0x4081bc
GetSystemMetrics 0x4081c0
FillRect 0x4081c4
AppendMenuW 0x4081c8
TrackPopupMenu 0x4081cc
OpenClipboard 0x4081d0
SetClipboardData 0x4081d4
CloseClipboard 0x4081d8
IsWindowVisible 0x4081dc
CallWindowProcW 0x4081e0
GetMessagePos 0x4081e4
CheckDlgButton 0x4081e8
LoadCursorW 0x4081ec
SetCursor 0x4081f0
GetWindowLongW 0x4081f4
GetSysColor 0x4081f8
SetWindowPos 0x4081fc
PeekMessageW 0x408200
SetClassLongW 0x408204
GetSystemMenu 0x408208
EnableMenuItem 0x40820c
GetWindowRect 0x408210
ScreenToClient 0x408214
EndDialog 0x408218
RegisterClassW 0x40821c
SystemParametersInfoW 0x408220
CreateWindowExW 0x408224
GetClassInfoW 0x408228
DialogBoxParamW 0x40822c
CharNextW 0x408230
ExitWindowsEx 0x408234
DestroyWindow 0x408238
CreateDialogParamW 0x40823c
SetTimer 0x408240
SetWindowTextW 0x408244
PostQuitMessage 0x408248
SetForegroundWindow 0x40824c
ShowWindow 0x408250
wsprintfW 0x408254
SendMessageTimeoutW 0x408258
FindWindowExW 0x40825c
IsWindow 0x408260
GetDlgItem 0x408264
SetWindowLongW 0x408268
LoadImageW 0x40826c
GetDC 0x408270
ReleaseDC 0x408274
EnableWindow 0x408278
InvalidateRect 0x40827c
SendMessageW 0x408280
DefWindowProcW 0x408284
BeginPaint 0x408288
EmptyClipboard 0x40828c
CreatePopupMenu 0x408290
Name Address
SetBkMode 0x40804c
SetBkColor 0x408050
GetDeviceCaps 0x408054
CreateFontIndirectW 0x408058
CreateBrushIndirect 0x40805c
DeleteObject 0x408060
SetTextColor 0x408064
SelectObject 0x408068
Name Address
GetExitCodeProcess 0x408070
WaitForSingleObject 0x408074
GetModuleHandleA 0x408078
GetProcAddress 0x40807c
GetSystemDirectoryW 0x408080
lstrcatW 0x408084
Sleep 0x408088
lstrcpyA 0x40808c
WriteFile 0x408090
GetTempFileNameW 0x408094
lstrcmpiA 0x408098
RemoveDirectoryW 0x40809c
CreateProcessW 0x4080a0
CreateDirectoryW 0x4080a4
GetLastError 0x4080a8
CreateThread 0x4080ac
GlobalLock 0x4080b0
GlobalUnlock 0x4080b4
GetDiskFreeSpaceW 0x4080b8
WideCharToMultiByte 0x4080bc
lstrcpynW 0x4080c0
lstrlenW 0x4080c4
SetErrorMode 0x4080c8
GetVersion 0x4080cc
GetCommandLineW 0x4080d0
GetTempPathW 0x4080d4
GetWindowsDirectoryW 0x4080d8
SetEnvironmentVariableW 0x4080dc
ExitProcess 0x4080e0
CopyFileW 0x4080e4
GetCurrentProcess 0x4080e8
GetModuleFileNameW 0x4080ec
GetFileSize 0x4080f0
CreateFileW 0x4080f4
GetTickCount 0x4080f8
MulDiv 0x4080fc
SetFileAttributesW 0x408100
GetFileAttributesW 0x408104
SetCurrentDirectoryW 0x408108
MoveFileW 0x40810c
GetFullPathNameW 0x408110
GetShortPathNameW 0x408114
SearchPathW 0x408118
CompareFileTime 0x40811c
SetFileTime 0x408120
CloseHandle 0x408124
lstrcmpiW 0x408128
lstrcmpW 0x40812c
ExpandEnvironmentStringsW 0x408130
GlobalFree 0x408134
GlobalAlloc 0x408138
GetModuleHandleW 0x40813c
LoadLibraryExW 0x408140
MoveFileExW 0x408144
FreeLibrary 0x408148
WritePrivateProfileStringW 0x40814c
GetPrivateProfileStringW 0x408150
lstrlenA 0x408154
MultiByteToWideChar 0x408158
ReadFile 0x40815c
SetFilePointer 0x408160
FindClose 0x408164
FindNextFileW 0x408168
FindFirstFileW 0x40816c
DeleteFileW 0x408170

Usage

Processing ( 34.49 seconds )

  • 32.603 ProcessMemory
  • 1.718 CAPE
  • 0.159 BehaviorAnalysis
  • 0.007 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.07 seconds )

  • 0.009 ransomware_files
  • 0.008 antiav_detectreg
  • 0.006 antianalysis_detectfile
  • 0.005 ransomware_extensions
  • 0.003 antiav_detectfile
  • 0.003 infostealer_ftp
  • 0.003 territorial_disputes_sigs
  • 0.003 ursnif_behavior
  • 0.002 antianalysis_detectreg
  • 0.002 antivm_vbox_files
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 infostealer_mail
  • 0.002 poullight_files
  • 0.002 masquerade_process_name
  • 0.001 bot_drive
  • 0.001 antidebug_devices
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 uac_bypass_cmstpcom
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 qulab_files
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior
  • 0.001 lokibot_mutexes

Reporting ( 0.12 seconds )

  • 0.115 CAPASummary
  • 0.008 JsonDump

Signatures

Queries the keyboard layout
Enumerates running processes
process: System with pid 4
process: Registry with pid 92
process: smss.exe with pid 384
process: csrss.exe with pid 476
process: wininit.exe with pid 552
process: services.exe with pid 656
process: lsass.exe with pid 696
process: fontdrvhost.exe with pid 784
process: svchost.exe with pid 808
process: svchost.exe with pid 924
process: svchost.exe with pid 976
process: svchost.exe with pid 1036
process: svchost.exe with pid 1108
process: svchost.exe with pid 1116
process: svchost.exe with pid 1204
process: svchost.exe with pid 1240
process: svchost.exe with pid 1296
process: svchost.exe with pid 1348
process: svchost.exe with pid 1392
process: svchost.exe with pid 1428
process: svchost.exe with pid 1452
process: svchost.exe with pid 1544
process: svchost.exe with pid 1552
process: svchost.exe with pid 1676
process: svchost.exe with pid 1756
process: svchost.exe with pid 1772
process: svchost.exe with pid 1788
process: Memory Compression with pid 1844
process: svchost.exe with pid 1864
process: svchost.exe with pid 1940
process: svchost.exe with pid 1964
process: svchost.exe with pid 1976
process: svchost.exe with pid 1364
process: svchost.exe with pid 2024
process: svchost.exe with pid 1692
process: svchost.exe with pid 2116
process: svchost.exe with pid 2128
process: svchost.exe with pid 2136
process: svchost.exe with pid 2144
process: svchost.exe with pid 2252
process: spoolsv.exe with pid 2340
process: svchost.exe with pid 2384
process: svchost.exe with pid 2416
process: svchost.exe with pid 2568
process: svchost.exe with pid 2580
process: svchost.exe with pid 2596
process: svchost.exe with pid 2608
process: svchost.exe with pid 2640
process: svchost.exe with pid 2736
process: svchost.exe with pid 2756
process: svchost.exe with pid 2764
process: MsMpEng.exe with pid 2772
process: svchost.exe with pid 2800
process: svchost.exe with pid 2852
process: svchost.exe with pid 3136
process: svchost.exe with pid 3772
process: svchost.exe with pid 3912
process: MicrosoftEdgeUpdate.exe with pid 3080
process: svchost.exe with pid 64
process: svchost.exe with pid 820
process: svchost.exe with pid 3692
process: SearchIndexer.exe with pid 5088
process: svchost.exe with pid 5940
process: svchost.exe with pid 6084
process: svchost.exe with pid 6092
process: svchost.exe with pid 5208
process: svchost.exe with pid 3440
process: dasHost.exe with pid 4544
process: svchost.exe with pid 4576
process: SecurityHealthService.exe with pid 4392
process: NisSrv.exe with pid 5416
process: svchost.exe with pid 6748
process: svchost.exe with pid 7040
process: svchost.exe with pid 6580
process: SgrmBroker.exe with pid 1796
process: svchost.exe with pid 6248
process: svchost.exe with pid 572
process: svchost.exe with pid 3184
process: svchost.exe with pid 3180
process: svchost.exe with pid 5236
process: svchost.exe with pid 1572
process: svchost.exe with pid 5020
process: csrss.exe with pid 6676
process: winlogon.exe with pid 780
process: fontdrvhost.exe with pid 4680
process: dwm.exe with pid 3860
process: sihost.exe with pid 2360
process: svchost.exe with pid 2216
process: svchost.exe with pid 6832
process: svchost.exe with pid 5524
process: taskhostw.exe with pid 7156
process: explorer.exe with pid 640
process: svchost.exe with pid 4968
process: StartMenuExperienceHost.exe with pid 4628
process: RuntimeBroker.exe with pid 6224
process: SearchApp.exe with pid 2060
process: RuntimeBroker.exe with pid 2732
process: SearchApp.exe with pid 952
process: ctfmon.exe with pid 5664
process: SkypeBackgroundHost.exe with pid 648
process: TextInputHost.exe with pid 676
process: smartscreen.exe with pid 5572
process: RuntimeBroker.exe with pid 6932
process: SecurityHealthSystray.exe with pid 5404
process: OneDrive.exe with pid 4508
process: SystemSettings.exe with pid 5096
process: ApplicationFrameHost.exe with pid 4160
process: UserOOBEBroker.exe with pid 5852
process: audiodg.exe with pid 5596
process: dllhost.exe with pid 1856
process: svchost.exe with pid 1632
process: ShellExperienceHost.exe with pid 5964
process: RuntimeBroker.exe with pid 6872
process: conhost.exe with pid 2892
process: upfc.exe with pid 2652
process: svchost.exe with pid 3784
process: backgroundTaskHost.exe with pid 5016
process: CompatTelRunner.exe with pid 4364
process: TrustedInstaller.exe with pid 3124
process: TiWorker.exe with pid 1560
process: MoUsoCoreWorker.exe with pid 612
process: conhost.exe with pid 4600
process: svchost.exe with pid 5820
process: sppsvc.exe with pid 4876
process: RuntimeBroker.exe with pid 3076
process: SppExtComObj.Exe with pid 6516
process: RuntimeBroker.exe with pid 1716
process: svchost.exe with pid 4504
process: svchost.exe with pid 6760
process: VirtuaWinPortable_4..exe with pid 6112
Reads data out of its own binary image
self_read: process: VirtuaWinPortable_4..exe, pid: 6112, offset: 0x00000000, length: 0x0006dd45
self_read: process: VirtuaWinPortable_4..exe, pid: 6112, offset: 0x30785c5e6331785c, length: 0x00008000
self_read: process: VirtuaWinPortable_4..exe, pid: 6112, offset: 0x30785c6464785c45, length: 0x00000004
self_read: process: VirtuaWinPortable_4..exe, pid: 6112, offset: 0x6531785c6331785c, length: 0x00004000
The binary likely contains encrypted or compressed data
section: {'name': '.rsrc', 'raw_address': '0x00008400', 'virtual_address': '0x001cd000', 'virtual_size': '0x00019990', 'size_of_data': '0x00019a00', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x40000040', 'entropy': '7.53'}
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 6112 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Windows\System32\kernel.appcore.dll
\Device\CNG
\??\MountPointManager
C:\Users\Packager\AppData\Local\Temp\
C:\Users\Packager\AppData\Local\Temp
C:\Users\Packager\AppData\Local\Temp\nsa4634.tmp
C:\Users\Packager\AppData\Local\Temp\VirtuaWinPortable_4..exe
C:\Users\Packager\AppData\Local\Temp\nsl46C2.tmp
C:\Users\Packager\AppData\Local\Temp\nsq46E2.tmp
C:\Users
C:\Users\Packager
C:\Users\Packager\AppData
C:\Users\Packager\AppData\Local
C:\Users\Packager\PortableApps\*.*
C:\Users\Packager\AppData\Local\Temp\nsq46E2.tmp\System.dll
C:\PortableApps
C:\Windows\System32\en-US\USER32.dll.mui
C:\Users\Packager\AppData\Local\Temp\nsq46E2.tmp\modern-header.bmp
C:\Users\Packager\AppData\Local\Temp\nsq46E2.tmp\modern-wizard.bmp
C:\Windows\System32\textinputframework.dll
C:\Windows\System32\CoreUIComponents.dll
C:\Windows\System32\CoreMessaging.dll
C:\Windows\System32\WinTypes.dll
C:\Windows\SystemResources\USER32.dll.mun
C:\Users\Packager\AppData\Local\Temp\nsq46E2.tmp\nsDialogs.dll
C:\Windows\Fonts\staticcache.dat
C:\Windows\System32\TextShaping.dll
C:\Windows\System32\shell32.dll
C:\Users\Packager\AppData\Local\Temp\VirtuaWinPortable_4..exe.Local\
C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984
C:\Windows\System32\imageres.dll
C:\Windows\SystemResources\imageres.dll.mun
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_CURRENT_USER
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\Generation
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StateSeparation\RedirectionMap\Keys
HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\OverlayPackages\en-US
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\VirtuaWinPortable_4..exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Shell Dlg 2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Shell Dlg
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software
HKEY_LOCAL_MACHINE\Software
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\AutoSuggest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Always Use Tab
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Client\
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Client\(Default)
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
Local\SM0:6112:168:WilStaging_02
Local\MSCTF.Asm.MutexDefault3
CicLoadWinStaWinSta0
Local\MSCTF.CtfMonitorInstMutexDefault3
DefaultTabtip-MainUI
Local\SM0:6112:64:WilError_03
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No TCP connections recorded.

No UDP connections recorded.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.