Analysis

Category: FILE
Package: exe
Started: 2025-06-12 00:55:08
Completed: 2025-06-12 01:26:19
Duration: 1871 seconds
Options:
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1
Log(s):
2024-11-25 13:37:15,366 [root] INFO: Date set to: 20250611T16:49:08, timeout set to: 1800
2025-06-11 17:49:08,332 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8
2025-06-11 17:49:08,332 [root] DEBUG: Storing results at: C:\uyHCokWh
2025-06-11 17:49:08,332 [root] DEBUG: Pipe server name: \\.\PIPE\IpEgLKC
2025-06-11 17:49:08,332 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-11 17:49:08,332 [root] INFO: analysis running as an admin
2025-06-11 17:49:08,332 [root] INFO: analysis package specified: "exe"
2025-06-11 17:49:08,332 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-11 17:49:09,129 [root] DEBUG: imported analysis package "exe"
2025-06-11 17:49:09,129 [root] DEBUG: initializing analysis package "exe"...
2025-06-11 17:49:09,129 [lib.common.common] INFO: wrapping
2025-06-11 17:49:09,129 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-11 17:49:09,144 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\VMMapPortable_3.31_E.exe
2025-06-11 17:49:09,144 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-11 17:49:09,144 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-11 17:49:09,144 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-11 17:49:09,144 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-11 17:49:09,332 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-11 17:49:09,347 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-11 17:49:09,426 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-11 17:49:09,488 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-11 17:49:09,504 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-11 17:49:09,504 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-11 17:49:09,504 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-11 17:49:09,504 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-11 17:49:09,504 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-11 17:49:09,504 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-11 17:49:09,504 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-11 17:49:09,520 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-11 17:49:09,520 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-11 17:49:09,520 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-11 17:49:09,520 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-11 17:49:09,520 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-11 17:49:09,520 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-11 17:49:09,520 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-11 17:49:31,942 [modules.auxiliary.digisig] DEBUG: File has a valid signature
2025-06-11 17:49:31,957 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-11 17:49:32,410 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-11 17:49:32,410 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-11 17:49:32,410 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-11 17:49:32,410 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-11 17:49:32,410 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-11 17:49:32,410 [modules.auxiliary.disguise] INFO: Disguising GUID to 9b7cdcea-e4d9-4c24-8a0c-bc615bd315ed
2025-06-11 17:49:32,410 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-11 17:49:32,410 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-11 17:49:32,410 [root] DEBUG: attempting to configure 'Human' from data
2025-06-11 17:49:32,410 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-11 17:49:32,410 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-11 17:49:32,410 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-11 17:49:32,410 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-11 17:49:32,410 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-11 17:49:32,410 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-11 17:49:32,410 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-11 17:49:32,410 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-11 17:49:32,410 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-11 17:49:32,410 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-11 17:49:32,410 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-11 17:49:32,410 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-11 17:49:32,410 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-11 17:49:32,426 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-11 17:49:32,441 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini
2025-06-11 17:49:32,441 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-11 17:49:32,441 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-11 17:49:32,441 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-11 17:49:32,457 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-11 17:49:32,457 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-11 17:49:32,457 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-11 17:49:32,457 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\pQxbIz.dll, loader C:\tmp_gell1p8\bin\EPCPTrhb.exe
2025-06-11 17:49:32,520 [root] DEBUG: Loader: IAT patching disabled.
2025-06-11 17:49:32,520 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\pQxbIz.dll.
2025-06-11 17:49:32,520 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-11 17:49:32,520 [root] INFO: Disabling sleep skipping.
2025-06-11 17:49:32,520 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-11 17:49:32,520 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-11 17:49:32,520 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-11 17:49:32,520 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-11 17:49:32,520 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-11 17:49:32,535 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-11 17:49:32,535 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-11 17:49:32,535 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-11 17:49:32,551 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF822E30000, thread 4996, image base 0x00007FF60D500000, stack from 0x0000008EFACF4000-0x0000008EFAD00000
2025-06-11 17:49:32,551 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-11 17:49:32,566 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-11 17:49:32,566 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-11 17:49:32,566 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\pQxbIz.dll.
2025-06-11 17:49:32,566 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-11 17: <truncated>

Machine

Name: win10-2
Label: win10-2
Manager: KVM
Started On: 2025-06-12 00:55:08
Shutdown On: 2025-06-12 01:25:59
Route: none

File Details

File Name: VMMapPortable_3.31_E.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
File Size: 956360 bytes
MD5: 361bf7ba27dd01e6ef3bf551b79e79dc
SHA1: 4e395c919417c731a2de4945c20121e4368cb1d7
SHA256: ba52a2907835a2da38496f8570453bd2acbdecdcb5e3c0879344ca7a3e938c5e
SHA3-384: dfc7c6dcfa61e58fbc4275744872626f66f69e36041a5a034633360e0adb00d982f563ba19d4fac15bd7564ca5234510
CRC32: 2D13EBEA
TLSH: T1811523C4B7B1A0A3C4D31FB019BE7B17DAB1291185618F4F6B1A3D9CBE7A0105D5B28B
Ssdeep: 24576:fLt9Dshi193rYoHGOHcvfl29uRQ0HH5lUb/YI1P:fLt9YibrYQG4cvflJR3H0bl
uSk9l
m_{%JGz
T;F^`
zuqYq
0/JY5
UWIIja
0&DiYlB
Z,{Cl2
A7ob@dbC
IsWindowEnabled
ProductName
;4F?>@6.,
aJc`gl
\,6\:
ba7M>
LdAdX
94**wma
isF0OK0
8Y].W[Nh
1Z|u2
/sNx,u
}o@p01
SCIae[
\r%>^
YUH+l
|/_8)
0X!!E#
![M:&
<S[^eJ
E]cO8xsd
S+[dU
K,x@]
0$VxVK
SetFileSecurityW
~|TkQ
BJ"6z
4y$//
r`d$D
yt.+M
@lB2T
%p>|~
ExitProcess
DBTb>91
%sMn>
bK3m`
<yifr
-oaq*
9=4gD
o"[RV
"M)Hb
r0joI
t8AyU
%m90E
TPwwf
c164g
9v ?9
g/RLv&
o/}=eV
OPOT_t
rbRYn
<5[IT
w1?en T
Z{dmWs$d
\3c%8
R$g*-
b~XkD
@dd(tPD
#`e+>
GG*U$
1E*Tv
pe,Xc
u2dvd
Tsym*
mbh{N
7R{Pq]
ri{ct
2_JnW
5*|(cm?
9o$*$
Bu)7yj
k/w$]
`7MWz
]7L/J3
HciD4.
GFeO@
P53aF
]IMrV
om=^\
9Cx$74-D
QE7hz
<dgAVUs
e%Jr9
MoveFileW
|yV5md
Bd9(~
FileVersion
{jV/W
t7er$
$r+rP
http://nsis.sf.net/NSIS_Error
-Ox4H
Please wait while Setup is loading...
+JYmD#"
14XlB
h2,Ka
D:D$/
%* )^
9HlG!3
.UE#Y
C#@tZ
h^\5~|w
1E'?A4
8{P'[)
cfju!LN+
@fvhg
1PK`(e
zUTp{
^f$o/
{3"+r
r,B{q
&OdV`
<R)z?
iw`?u
d*Xl`Y;
CreateDialogParamW
5'`_3It
QNSfef
G%01$
,J-7A{
7E>Tn
d#(9Acy
(J9M&
VjbB^Sq+
}=Gi%
nS@|r
c@G0Ln9'
UP2SX
PDPSo
GetExitCodeProcess
vxG/Bra
V|>~ol
1Kj}U&
RU{eO
AAb!?fF
^l&qzY
4-fiR
$^:a.#
IEFNlD89A4/k
VMMapPortable_3.31_English_online.paf.exe
]]!W:V
%RM(pcA
LGLtPPp
GYjFf
B5#G)
?0QcJP?"
[Rename]
SetFilePointer
4MJ][
C&m:Hi
Wlo"q
3CS#G
&:3+_
A586K
`X<cU
"--^k
<6ld;
!6m!Z
Y6rJ!
]v?iA
D$$+D$
;~x[[
Ln:R
_7GA9
=CFs]I
RegisterClassW
pe3.@+G"
4Wlc,Av
\EnK;#@{
G'5q-$(N
RichEdit20W
)]@$2c`%
MAgv7
uq{=)
{/{6j
%@|dr
42Bn5Q
|G2^o
(/iTG3CJWf,+*
`"S&f
k*#V/
z :vq
&k\\=
GYfF]
LbEhA
]OG6X
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.06.1</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
XyTT4J,?*"
Cl}${
9-HgE
qV#4o
FnMLW
%X:E1
Eer)n
"S1kM
*(=Te
owHJ{
["1)M2
kqwUR
),zY`X
@jYbR
VerQueryValueW
W6uX&
[i&yw
CheckDlgButton
.Rw|G
F_&%m
c~~!u
4u[(O
yig8b:
h{JP}
1-RZ
"s#V4
!~Gki\t
jl|xm
Xj_>.
]KK`F8
PEMy?
!=<M@0e
@CqV1
$bzx"
$bq;3X
9nM603CIf9
K]HW'
d_4Vu
)M5<3
5\Q|:
5&4GVX
boU,
v`1GiZ
[?hxu
9=8gD
2|F6,X
GlobalLock
SHLWAPI
>gyQ.
PortableApps.comDownloadMD5
7l>oL
xLx#>
$n|U}
h;a2L
\gPpJ
K<s\ g
JuZ?s\
DeleteFileW
(Wi~)pOI
lstrcatW
!%j;f
CpUZ_
GetPrivateProfileStringW
Rh+U+
GDI32.dll
3ql54
z1F)6vj^
~Oq('
Q:co8o
NTMARTA
R$N6R
vvGh@
pXS~Uv
/mnAH]
InvalidateRect
a#PHZ
%fW$]jQ
3%rwh
ZJcZB[1}'
cDaBb
zKG)j
'0+H8,
9BG1>\
_jXN{5U
ySS<g^
<yC##F
QN,,Il
XMWO7
wHP@OT
\f9Dk
.gZgl
>{fwG
=A^V.
23Qe:?|
Gpo/U,
1/M i
n%>[M
kQYdg
Wg%38
Q:=]Jf
J41V'
Ankf~c
$3?U,d
WzYG7
!{6,i
-QGMSO
mYi?o^
]7,\^0
2http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
*bnDp
LK>Gf;
ZRtTM
InternalName
^zlkx=
ch(H)
cs8e&
>XPJY
i;w!N
O^M:j
78Wh}
k#_Wu
Csh$9
6},,'
Ln:i[z
JYspE
{hZ!8k3{t
}g(;
lo_[sw
+JXvG
]H\uF
WJ$K0hR
w:>xA
?Z\hR
RO@F;
mNBS&
#a<;i
n3:8n
PdY+N
ch;}_T
H?1fK
L6ls3
r<)'j
mFQxC
gzHd[i
8RV^
imaF~
Software\Microsoft\Windows\CurrentVersion
YBA\)
Htlj[~
*:tc=T
V\r=\{PZ
u:FeV
s(D"pkm
ekAHI
qR15`
<NnmL,V
-1PS.
z43J%`
z8e2iV
GetDC
wA@Qxz
5g%7~g
OoKJa{-f
SetTextColor
V&6"}
@K@Be2
XU_^RL;
s;)mYY
$`YAh
*yiw{*
}/[ks
HCIs&%
X`+#%
_4=~w
oCD[3
k/IKh
K@fam
}{:.M
@CF(sP:
FindNextFileW
qgwTh
^Q.Hc7s
x`?[("
;8*wEZ
BA-+)
J9A@tN}
Mqk#a
hN$fF
FindClose
W/)y7
w;(%(
[UISaYNd|sg
]};jugs
u<"`'
-?JzwKc
JJ-C6
$dHr$
KB6p
WGDJT
oru?:
9GWgoR.
z^4d6n
tu->p
[v = *
'N5wQ.
D$ Ph
MulDiv
TtF4C
o'n~t
I^C-:
GetTempPathW
3W\CF
zofCKG7
y6mw[
"Q0|f
p'b;y
BGar$j7y
+M]`_DZ
OQ#,E
}/FVn
nzaRX
A:YB4
o4M1>
8;ejHT
RegCreateKeyExW
-rm%9*
g$RE.
PJY?+
incomplete download and damaged media. Contact the
isGpN
]zWm?
uRf9P
jV/f_
lb+qGF
vCF--
vX95h
txJD=
Gu6:Zs@;
A2I,lt
5/p/m
e3(ft.
sj[3b
?| jEo~
7~~Z^$I3
zw)|H
B<0crj]
SM+;\
c~i?F
s495
Khj&)`
(RY%'}
DspLN
z-or;l
IF.o5
] C0R
3.rIE
u*o:c
|Y:>i
+LAQtf
WTD#P|v
SETUPAPI
7yP2&
{FP~#
vSH@al6
A:[bf<"R
$VR!"8
Wnlyd
vpw/}
%zLeX
/ZBc ^
xMP/[
-Rj[_
*&$e+X
nyqvZX
cWEnl!
q=tQs
GetSystemMetrics
OA]]5w
yxYtEZ
dT.Lb
<0:08
D$$SPS
x5}0E
eW5d`PQ
o-JUu
FYgZ"xf&
'QN p9
2I]4t
=7+1JD7cRL@
o83ZK]z
;DZ_d
WwtC'
Z;z8}h
*%4r84Cp,#
T8zk(E
Psc=2
Kdpy
eX`kf
+s5uQ
m*Y10
_!G/1
Tf/^@)/
4g0#dK@
b)Yu9
R<OYL
PortableApps.com is a registered trademark of Rare Ideas, LLC.
5r_h%
djdih
`<r6t?
CoTaskMemFree
1n`-A0xWF
GetDlgItem
CloseClipboard
Rf>7I^
z^^Ha
/Dw+!
MS Shell Dlg
,\X;5
B*tX^T
ZX|R;
+*sj2K
&Y,}y
1K%1$[
3E>4`
6FN7;
hV?rO
q:27G
,FLXPD
'^nm.
2-{Y1
No.g]x
Oc_6x[sF
-&7)%aab
Ue*O>
l.G##
%c^nO
c<5FHf
m*JpH
B4izo
D`'q3FFv
8:yk_
r:H'Q
0wPW~
<4*F:5L
oi{Vj
u'SWit
@9uc!
GetShortPathNameW
7RxHS
Sectigo Limited1$0"
XTt%q
C_n:%
!This program cannot be run in DOS mode.
PGCTl~aD
=WSA(m
()8lRxiFW
oZ%pb
>kjE)aX
TJk%S
_V}87[
q$]G|t
bQVe\
@Af]WY
iy9[a
U.jN9!
%DN@?
6Fc^f)
PGBc<
XN'Fo~t*
MU7!x%
}X+ ;
-s3D0j
@;>n3&
8CG9*
uF%Nz
R=:\cM
f5!0`$A
ZpX&H;
x&J(s
gx*zi
MWWFU
vxrkB
lbPU0
KE! x
`yE:=
U\SK\
N/MDi
i%Vwo
nfSad
USER32.dll
o]?;z
DUr_l
uyz<+
hM5/7
KJJ)'!
41!BP
^5b^q4
<HCe@
sv6FM
0P[Vm
xK>8W
Q\2|v
Xh#-_y\s
h3}U=YB
20201110192932Z
JwUcY
z4uy@
"Rr^R
JZJ!5[
v1@go
oO_-9
_XWRh
IH3#fK~`@
a|b-:
']Ng,
=fl!{
APPHELP
9N+Gk
Snr[%
746!%%A
$qTQ[
tEIt-{!
v/uiE
SVWj"
Hm5PX8
#5@>h
uB3.+A+9
CreateFontIndirectW
d\w<,
A8zx?
(di##
350 Fifth Ave Suite 52091
Ys@YB
f*P@K
RegDeleteKeyExW
jm^oTU#O
6e'yQ
$[Zoa
`p.`k
=vdqH!HZ
<zuL<
1aPLl
$9j?!
Z([O
Op$]NT
c)@T%T
Sb^L\
LoadImageW
F/(9'
9pGy,
W-L {
NX-,Km
Q69*p
_?Wz7
,/v6yw
/ 9=}
;D>Hj,
rlde*
FMzCh
wE~d0H
lstrcmpiA
jSCiw
0)1A>
[dV+(n
"{t9v!
"<v;K+
=~;h>giN
B+5<Jt*
!Av:Ce
xGw<R
GetCurrentProcess
;We2qb;PL(
tbBg|
Qob+m
Z?C/J
v~yme
Rg%aq
`&~A>OAB
mFkn4
~}\fJ=p
*wM`9
;S:.Q
ub6o-
:+<KI3
sZes`
4>Etj
_O~2j1
p,KQk
|Rm)`
pFOOHSNNSMFB&%
S?YOc
Q!qma
XI<oh
dKSYt
SHGetFileInfoW
jsh&{
"P0s*
H!%q!
"F/;2
g2Q"Y
,M+z1
B&i{v4
S(_skR6
k-5DP
sg+"4th
.ndata
@%gk)
5XINPS
3;@4 3g5
6=Im>
GetClassInfoW
2tw29
@vr(
4di2-
~sO~m4
WwV)S^Z
a`]i9
+_(\L
`.p?H,
Ue|a{
?sKYj
f>C+#
#7[O*6]
^JF<V=
myjo <
Y?Q_|
MSs34lw
@a?Jb
>K7bE
l&Jxz
`|}}0[z
GA=;KJf
y.Y}U
kv]E't
Translation
ScreenToClient
wnEdI[:
L?/-vv95
ar518
E$sz@
8g8dfe
vhmlF
*)XKg
RX%+@H
q,Frq
@2-A#
9dOY};
FZGjf
3g^sR$TA
/x*l.2
@R@ync
eKE]r7b
%s%S.dll
OleUninitialize
u1g>V?
/'B-hR
D %BMgu`
k)t:L
&-6Q?
x9on>
kc_bmD5
EAUc"
|*:kmy
j<\)L
2 b~HA
Z#sI(
I6PGFU
*qJ#.B3+
CWVWin|
FCK{YY~
~N{%Dh
!SA_3
2&[=0(
A&`-p
{$$.f
6VJ*@
gO1_@
ge+F)
WdEkS}h
"Tsr+
Y^K>
V?;{qz>
GetTempFileNameW
Wf"kfrY
57"d7
_0|yv
XpO"nb
g0e0>
ProductVersion
I#y&[
45 S|
k'i!j`C
kN0bX
8u+j!
2:k|3<
K6#hqHx
CVtHv
Instu`
P'gu/
@?$*o
vAI~a
rRj;B7|
yrH)K
av.-{
GcC_WE
sT1~c
+-]q8<t
.PCni
w,.!k
n1#i,T
t:3O"-
6_5r4
ShowWindow
iwRss
=)a&n
&^Up2
$G) Ff
n;vUim!
The USERTRUST Network1.0,
q$Ku:
RichEdit
}zJ*u
Ton0D
RZdBD PS
t<c$}-{
G(-K<9
B\=yU
M\A(,
Lpf\O
zMY=t
0*"?%%B
)|U(~k
& X3dr9
u{U:t
+>]oI=S
.Ol{[G)
I%Q?}>g
s9EDT
?\|bT
u>)Ix7
H|_$~i
3-3a|Z
RV #8
mg)4Ve
)@~EN
_ZorZ
(~@!:
iw-rIM
D>Fz/*
@T2Eg@}
2.<B%
GkcPUU
Fzunu3
U@pYZ
u}Na#
:s\-S
(F>*
L%sfv
uN$74
_)=(e
by/1YZ
_[*pp1
VNldT
c)3Fn~
]8tCB
~qLv?)
2?_2
!l|]R~!
n@TV&
UXTHEME
&8WJ?
EXffJ
5W"JN
aP|7?
nTnZ~$~
wb5xk
.TLGH#
4R~=3
KS";E
q69"m
hsC,M!
|e5mL
85HO\^
$)&RL
]c1?
|8"1~7vpv
^^,jRA_M
[5bTa
cJT~cr
q5qkVr
DWMAPI
tnyU6E
,tkZcoH
xUTt]n-j
rrzYQ
EH2MD
#{Gq.N
;],p{
2PNSr
LookupPrivilegeValueW
wQ|?h
@g 58
a%Kg3
B;^de
*od15R
o:D$5
`2(6t
G<DV9h
M/],7
CWf2(f
CharNextA
x4 jm
HZe|Exo
;pl!r
_D4;T
"1?2,1$
Ih)EGIw
dwa@^
[C,TGl
r4,Vk
qJvly
sRGkV
k)CB/&
~E6/0
zP(%I
-2%<C
or3nfo
VmqNlC
Hj\("
-i}!H
&NRCh
)U$u|{Q
{)Lv`
k^el2D
|xK'r
$D&MV
fA P|
Zx;/Dd4
MG@.USd
) $VY
k~GfJ
IIDFromString
|aZyU
2sY+F
j(WU$X
s?^R9j
O4.K@~S
U/6iV
-c@t1$
|9ymd
{@_Ty^
;T/Cr}
gbojT
c)444
!x+Nm
kT@=L
;-*<f"
G$b$W
/{$ghe
f58ksIN
37<rS
1fbV1
D0v r
vKNJ~0l2
*4'f`N
u;HW_
[zN[Q
_l\VQc
.?$zt
l,YAlj
\xdyY
>Lzk3};
;**;/b\}
oo~]G|
u@W$J
%]"ST
L+kT_
GetLastError
)M7;&
:Pa1:
g0R@n
)v|\7
]yv)+
a87?}
>0H~_
LbnY\
Sectigo Limited1,0*
`[@zD
[r0s8
-GNyoN
`H+wF(
;X1lve
bQ,/]
_>=<.!
IuvJ=
scmQC&
zx^1$YV
$I"[H
s4R-T
T4oau
HKeo^Q4
oI*NI
~\\8Zu
0@Ip1u
.Q(Gu
F8K5h
q0Hl+
eImVx
#b^iv\
FFC{6h
Eh]3>
.- L`
,%,p!
g>ysM{
!h;kU>
Yr,z(
+&/d,-U
k99_4
7@hy,
Z!w"$t
MUki<
{`s=~
7rkLd
*Ujrj
*n498
O@ntBz.
8`I[\]
I.$%;
Pd@hY
sJBib
@<nq$3u
+X{U1K
|6Ezid
<DHVqD
4jtA*j4
&U/;j@
0&R|&w
m+J1wX?
EGo)6k
"O%-]p
a9X%e
kX[n{
,Qnv&
!/cHZ
#Mt<g
GRUo!U
bv8xF
}ZAL4b
*&q]Et
884B=
/A)MA
J+D'
PI|i^{
]a]a]]
`.rdata
2http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
5F^bc
~]4*o
x&@s07
,C=Si
#jYhRB_
Gx}zO
)-=ip
%;|\f
5:xL<A|
$i{Ts
\m}w4
uU-U%
RegCloseKey
3.5.18
GetSystemMenu
G!n4-w
r_qu[
)@C=0
/74EkJ
n32.(
@+5]Ndp
58oko
jr"3f
-&|:k
O}RhH
]dDwU
>./.t
<8YZ8
q@"Uz
,#&14}s
7.p35
{4+P{
"iqC-0
e58Wt
^ixz;0
3^IWD
sB7Mks
3.31.0.0

PE Information

Image Base: 0x00400000
Entry Point: 0x000035d8
Reported Checksum: 0x000eceb4
Actual Checksum: 0x000eceb4
Minimum OS Version: 4.0
Compile Time: 2020-08-01 02:52:49
Import Hash: c05041e01f84e1ccca9c4451f3b6a383
Icon Exact Hash: 2c09465cc979677d65781d9403176c31
Icon Similarity Hash: 5c00f471cce984e3b873ef9ade242aed
Icon DHash: 71e0e4b8cccccce0

Version Infos

Comments For additional details, visit PortableApps.com
CompanyName PortableApps.com
FileDescription VMMap Portable
FileVersion 3.31.0.0
InternalName VMMap Portable
LegalCopyright 2007-2020 PortableApps.com, PortableApps.com Installer 3.5.18.0
LegalTrademarks PortableApps.com is a registered trademark of Rare Ideas, LLC.
OriginalFilename VMMapPortable_3.31_English_online.paf.exe
PortableApps.comAppID VMMapPortable
PortableApps.comDownloadFileName VMMap.zip
PortableApps.comDownloadKnockURL ${DownloadKnockURL}
PortableApps.comDownloadMD5 af273425b6b51956cd40dffeb71d802f
PortableApps.comDownloadName VMMap
PortableApps.comDownloadURL http://download.sysinternals.com/files/VMMap.zip
PortableApps.comFormatVersion 3.5.18
PortableApps.comInstallerVersion 3.5.18.0
ProductName VMMap Portable
ProductVersion 3.31.0.0
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x00006572 0x00006600 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.45
.rdata 0x00006a00 0x00008000 0x00001398 0x00001400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.14
.data 0x00007e00 0x0000a000 0x00066378 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.09
.ndata 0x00000000 0x00071000 0x00194000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rsrc 0x00008400 0x00205000 0x00019ca0 0x00019e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.51

Overlay

Offset 0x00022200
Size 0x000c75c8

Name Offset Size Language Sub-language Entropy File type
RT_ICON 0x00205388 0x00012524 LANG_ENGLISH SUBLANG_ENGLISH_US 7.98 None
RT_ICON 0x002178b0 0x000025a8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.17 None
RT_ICON 0x00219e58 0x000010a8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.51 None
RT_ICON 0x0021af00 0x00000ea8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.70 None
RT_ICON 0x0021bda8 0x00000988 LANG_ENGLISH SUBLANG_ENGLISH_US 5.65 None
RT_ICON 0x0021c730 0x000008a8 LANG_ENGLISH SUBLANG_ENGLISH_US 6.02 None
RT_ICON 0x0021cfd8 0x00000568 LANG_ENGLISH SUBLANG_ENGLISH_US 5.67 None
RT_ICON 0x0021d540 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.84 None
RT_DIALOG 0x0021d9a8 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.72 None
RT_DIALOG 0x0021da60 0x00000120 LANG_ENGLISH SUBLANG_ENGLISH_US 2.56 None
RT_DIALOG 0x0021db80 0x00000200 LANG_ENGLISH SUBLANG_ENGLISH_US 2.68 None
RT_DIALOG 0x0021dd80 0x000000f8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.91 None
RT_DIALOG 0x0021de78 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 2.90 None
RT_GROUP_ICON 0x0021df68 0x00000076 LANG_ENGLISH SUBLANG_ENGLISH_US 2.80 None
RT_VERSION 0x0021dfe0 0x000007d4 LANG_ENGLISH SUBLANG_ENGLISH_US 3.48 None
RT_MANIFEST 0x0021e7b8 0x000004e3 LANG_ENGLISH SUBLANG_ENGLISH_US 5.29 None

Imports

Name Address
RegCreateKeyExW 0x408000
RegEnumKeyW 0x408004
RegQueryValueExW 0x408008
RegSetValueExW 0x40800c
RegCloseKey 0x408010
RegDeleteValueW 0x408014
RegDeleteKeyW 0x408018
AdjustTokenPrivileges 0x40801c
LookupPrivilegeValueW 0x408020
OpenProcessToken 0x408024
SetFileSecurityW 0x408028
RegOpenKeyExW 0x40802c
RegEnumValueW 0x408030
Name Address
SHGetSpecialFolderLocation 0x408178
SHFileOperationW 0x40817c
SHBrowseForFolderW 0x408180
SHGetPathFromIDListW 0x408184
ShellExecuteExW 0x408188
SHGetFileInfoW 0x40818c
Name Address
OleInitialize 0x408298
OleUninitialize 0x40829c
CoCreateInstance 0x4082a0
IIDFromString 0x4082a4
CoTaskMemFree 0x4082a8
Name Address
ImageList_Create 0x40803c
ImageList_Destroy 0x408040
ImageList_AddMasked 0x408044
Name Address
GetClientRect 0x408194
EndPaint 0x408198
DrawTextW 0x40819c
IsWindowEnabled 0x4081a0
DispatchMessageW 0x4081a4
wsprintfA 0x4081a8
CharNextA 0x4081ac
CharPrevW 0x4081b0
MessageBoxIndirectW 0x4081b4
GetDlgItemTextW 0x4081b8
SetDlgItemTextW 0x4081bc
GetSystemMetrics 0x4081c0
FillRect 0x4081c4
AppendMenuW 0x4081c8
TrackPopupMenu 0x4081cc
OpenClipboard 0x4081d0
SetClipboardData 0x4081d4
CloseClipboard 0x4081d8
IsWindowVisible 0x4081dc
CallWindowProcW 0x4081e0
GetMessagePos 0x4081e4
CheckDlgButton 0x4081e8
LoadCursorW 0x4081ec
SetCursor 0x4081f0
GetWindowLongW 0x4081f4
GetSysColor 0x4081f8
SetWindowPos 0x4081fc
PeekMessageW 0x408200
SetClassLongW 0x408204
GetSystemMenu 0x408208
EnableMenuItem 0x40820c
GetWindowRect 0x408210
ScreenToClient 0x408214
EndDialog 0x408218
RegisterClassW 0x40821c
SystemParametersInfoW 0x408220
CreateWindowExW 0x408224
GetClassInfoW 0x408228
DialogBoxParamW 0x40822c
CharNextW 0x408230
ExitWindowsEx 0x408234
DestroyWindow 0x408238
CreateDialogParamW 0x40823c
SetTimer 0x408240
SetWindowTextW 0x408244
PostQuitMessage 0x408248
SetForegroundWindow 0x40824c
ShowWindow 0x408250
wsprintfW 0x408254
SendMessageTimeoutW 0x408258
FindWindowExW 0x40825c
IsWindow 0x408260
GetDlgItem 0x408264
SetWindowLongW 0x408268
LoadImageW 0x40826c
GetDC 0x408270
ReleaseDC 0x408274
EnableWindow 0x408278
InvalidateRect 0x40827c
SendMessageW 0x408280
DefWindowProcW 0x408284
BeginPaint 0x408288
EmptyClipboard 0x40828c
CreatePopupMenu 0x408290
Name Address
SetBkMode 0x40804c
SetBkColor 0x408050
GetDeviceCaps 0x408054
CreateFontIndirectW 0x408058
CreateBrushIndirect 0x40805c
DeleteObject 0x408060
SetTextColor 0x408064
SelectObject 0x408068
Name Address
GetExitCodeProcess 0x408070
WaitForSingleObject 0x408074
GetModuleHandleA 0x408078
GetProcAddress 0x40807c
GetSystemDirectoryW 0x408080
lstrcatW 0x408084
Sleep 0x408088
lstrcpyA 0x40808c
WriteFile 0x408090
GetTempFileNameW 0x408094
lstrcmpiA 0x408098
RemoveDirectoryW 0x40809c
CreateProcessW 0x4080a0
CreateDirectoryW 0x4080a4
GetLastError 0x4080a8
CreateThread 0x4080ac
GlobalLock 0x4080b0
GlobalUnlock 0x4080b4
GetDiskFreeSpaceW 0x4080b8
WideCharToMultiByte 0x4080bc
lstrcpynW 0x4080c0
lstrlenW 0x4080c4
SetErrorMode 0x4080c8
GetVersion 0x4080cc
GetCommandLineW 0x4080d0
GetTempPathW 0x4080d4
GetWindowsDirectoryW 0x4080d8
SetEnvironmentVariableW 0x4080dc
ExitProcess 0x4080e0
CopyFileW 0x4080e4
GetCurrentProcess 0x4080e8
GetModuleFileNameW 0x4080ec
GetFileSize 0x4080f0
CreateFileW 0x4080f4
GetTickCount 0x4080f8
MulDiv 0x4080fc
SetFileAttributesW 0x408100
GetFileAttributesW 0x408104
SetCurrentDirectoryW 0x408108
MoveFileW 0x40810c
GetFullPathNameW 0x408110
GetShortPathNameW 0x408114
SearchPathW 0x408118
CompareFileTime 0x40811c
SetFileTime 0x408120
CloseHandle 0x408124
lstrcmpiW 0x408128
lstrcmpW 0x40812c
ExpandEnvironmentStringsW 0x408130
GlobalFree 0x408134
GlobalAlloc 0x408138
GetModuleHandleW 0x40813c
LoadLibraryExW 0x408140
MoveFileExW 0x408144
FreeLibrary 0x408148
WritePrivateProfileStringW 0x40814c
GetPrivateProfileStringW 0x408150
lstrlenA 0x408154
MultiByteToWideChar 0x408158
ReadFile 0x40815c
SetFilePointer 0x408160
FindClose 0x408164
FindNextFileW 0x408168
FindFirstFileW 0x40816c
DeleteFileW 0x408170


Usage


Processing ( 0.78 seconds )

  • 0.711 CAPE
  • 0.063 BehaviorAnalysis
  • 0.007 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.06 seconds )

  • 0.008 ransomware_files
  • 0.006 antiav_detectreg
  • 0.005 antianalysis_detectfile
  • 0.005 ransomware_extensions
  • 0.003 antiav_detectfile
  • 0.003 infostealer_ftp
  • 0.003 territorial_disputes_sigs
  • 0.003 ursnif_behavior
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior
  • 0.001 lokibot_mutexes

Reporting ( 0.01 seconds )

  • 0.01 CAPASummary
  • 0.002 JsonDump

Signatures

Queries the keyboard layout
Reads data out of its own binary image
self_read: process: VMMapPortable_3.31_E.exe, pid: 4088, offset: 0x00000000, length: 0x000e56c2
self_read: process: VMMapPortable_3.31_E.exe, pid: 4088, offset: 0x30785c226331785c, length: 0x00004000
self_read: process: VMMapPortable_3.31_E.exe, pid: 4088, offset: 0x30785c563263785c, length: 0x00000004
The binary likely contains encrypted or compressed data
section: {'name': '.rsrc', 'raw_address': '0x00008400', 'virtual_address': '0x00205000', 'virtual_size': '0x00019ca0', 'size_of_data': '0x00019e00', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x40000040', 'entropy': '7.51'}
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Windows\System32\kernel.appcore.dll
\Device\CNG
\??\MountPointManager
C:\Users\Packager\AppData\Local\Temp\
C:\Users\Packager\AppData\Local\Temp
C:\Users\Packager\AppData\Local\Temp\nsi4356.tmp
C:\Users\Packager\AppData\Local\Temp\VMMapPortable_3.31_E.exe
C:\Users\Packager\AppData\Local\Temp\nsd43D4.tmp
C:\Windows\System32\TextShaping.dll
C:\Windows\Fonts\staticcache.dat
C:\Windows\SystemResources\USER32.dll.mun
C:\Windows\System32\imageres.dll
C:\Windows\SystemResources\imageres.dll.mun
C:\Windows\System32\textinputframework.dll
C:\Windows\System32\CoreUIComponents.dll
C:\Windows\System32\CoreMessaging.dll
C:\Windows\System32\WinTypes.dll
C:\Users\Packager\AppData\Local\Temp\nsd43D4.tmp
C:\Users\Packager\AppData\Local\Temp\nsi4356.tmp
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_CURRENT_USER
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Data
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\VMMapPortable_3.31_E.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Data
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
Local\SM0:4088:168:WilStaging_02
Local\MSCTF.Asm.MutexDefault3
CicLoadWinStaWinSta0
Local\MSCTF.CtfMonitorInstMutexDefault3
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No TCP connections recorded.

No UDP connections recorded.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.