Analysis

Category Package Started Completed Duration
FILE exe 2025-06-12 20:02:09 2025-06-12 20:33:27 1878 seconds

Options

procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1

Analysis Log

2024-11-25 13:37:15,006 [root] INFO: Date set to: 20250611T19:38:09, timeout set to: 1800
2025-06-11 20:38:09,700 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8
2025-06-11 20:38:09,700 [root] DEBUG: Storing results at: C:\SLtSxJVgsX
2025-06-11 20:38:09,700 [root] DEBUG: Pipe server name: \\.\PIPE\TCjHsIkvb
2025-06-11 20:38:09,700 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-11 20:38:09,700 [root] INFO: analysis running as an admin
2025-06-11 20:38:09,716 [root] INFO: analysis package specified: "exe"
2025-06-11 20:38:09,716 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-11 20:38:10,185 [root] DEBUG: imported analysis package "exe"
2025-06-11 20:38:10,185 [root] DEBUG: initializing analysis package "exe"...
2025-06-11 20:38:10,185 [lib.common.common] INFO: wrapping
2025-06-11 20:38:10,185 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-11 20:38:10,185 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\CommandPromptPortabl.exe
2025-06-11 20:38:10,185 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-11 20:38:10,185 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-11 20:38:10,185 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-11 20:38:10,185 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-11 20:38:10,419 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-11 20:38:10,450 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-11 20:38:10,497 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-11 20:38:10,497 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-11 20:38:10,529 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-11 20:38:10,529 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-11 20:38:10,529 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-11 20:38:10,529 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-11 20:38:10,529 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-11 20:38:10,529 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-11 20:38:10,529 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-11 20:38:10,529 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-11 20:38:10,529 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-11 20:38:10,529 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-11 20:38:10,529 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-11 20:38:10,529 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-11 20:38:10,529 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-11 20:38:10,529 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-11 20:38:31,872 [modules.auxiliary.digisig] DEBUG: File has a valid signature
2025-06-11 20:38:31,872 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-11 20:38:31,872 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-11 20:38:31,872 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-11 20:38:31,872 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-11 20:38:31,872 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-11 20:38:31,872 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-11 20:38:31,888 [modules.auxiliary.disguise] INFO: Disguising GUID to 1b621a55-cfac-4e69-8e86-c2b86ccae11e
2025-06-11 20:38:31,888 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-11 20:38:31,888 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-11 20:38:31,888 [root] DEBUG: attempting to configure 'Human' from data
2025-06-11 20:38:31,888 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-11 20:38:31,888 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-11 20:38:31,888 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-11 20:38:31,888 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-11 20:38:31,888 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-11 20:38:31,888 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-11 20:38:31,888 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-11 20:38:31,888 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-11 20:38:31,888 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-11 20:38:31,888 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-11 20:38:31,888 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-11 20:38:31,888 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-11 20:38:31,888 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-11 20:38:31,888 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-11 20:38:31,919 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini
2025-06-11 20:38:31,919 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-11 20:38:31,919 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-11 20:38:31,919 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-11 20:38:31,919 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-11 20:38:31,919 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-11 20:38:31,919 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-11 20:38:31,919 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\KhePLP.dll, loader C:\tmp_gell1p8\bin\ktypyZOY.exe
2025-06-11 20:38:31,966 [root] DEBUG: Loader: IAT patching disabled.
2025-06-11 20:38:31,966 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\KhePLP.dll.
2025-06-11 20:38:32,028 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-11 20:38:32,028 [root] INFO: Disabling sleep skipping.
2025-06-11 20:38:32,028 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-11 20:38:32,028 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-11 20:38:32,028 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-11 20:38:32,028 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-11 20:38:32,028 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-11 20:38:32,107 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-11 20:38:32,122 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-11 20:38:32,122 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-11 20:38:32,122 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 4916, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000
2025-06-11 20:38:32,138 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-11 20:38:32,138 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-11 20:38:32,138 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-11 20:38:32,138 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\KhePLP.dll.
2025-06-11 20:38:32,154 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-11 <truncated>
Machine

Name Label Manager Started On Shutdown On Route
win10-2 win10-2 KVM 2025-06-12 20:02:09 2025-06-12 20:33:06 none

File Details

File Name
CommandPromptPortabl.exe
File Type PE32 executable (GUI) Intel 80386, for MS Windows
File Size 362472 bytes
MD5 89eb95b4c1f3a811e4ca77418e58a70f
SHA1 21bc1df9b1746bc65975e719a484a2b6753ae449
SHA256 cfa1818bbca8013c8ea41d920314b591d8bf7300c6b3f9a2c02b0a9288e79f6a
SHA3-384 6e8858844c868b92cc2f623a545fcddf89f1580b2caee99a4debd6ec42aa2d7c6a727272e77f2ff545e381d89707ddb4
CRC32 C786FC9A
TLSH T109740282BB90D022D1630E3147FAD7A37A72FC2958204A4BBB44775F7E35741EE1AA47
Ssdeep 6144:FLDjol4jXI65nOKJ4wDfDYntXdEuAZdjC+xYyA7fxu7Q69+kLWVadiqxFzAgKuj:FLJr5nOE4wDbY5dEFZZyyAzxu7Q68Gdx

Strings

diBsp
r&AOc'
:Ma&F
@.data
SelectObject
%USERTrust RSA Certification Authority
QQoMhi
3.5.20
/.Ka6
In'^W
Pu(^(
36p6:>y
7'M=F
5VqXZ
TK^B2VM
CLBCATQ
48_U%
;jKoo0
D{{9~
m[aYW;dr9
roa'(c
2.6.0.0
W|zSoA
Ag<Ey~
"0rA_
?lT:,
7H+d(
71LCu
&,=tF
RP0Um(
CreateWindowExW
LlLQX
%fnYw
WritePrivateProfileStringW
A1`L4F^
EndDialog
A8]IP
20210617150815Z
SetCursor
RegSetValueExW
ZL$&a
|<ke~
7L#i:F
*,Va37o
QzpZf
& IQN
~',ik
AwQo:
^4@Yl
USERENV
CreateBrushIndirect
PEB0"
IW'gh
Nf`9I
New York1
^1pE(
)vu;1
Da5V} #
B-o@mm=
040904b0
aq4j"K`
SetDefaultDllDirectories
Dm`iO
_}gGm
181102000000Z
|g~}.
]+^s]
h\^}g
LoadLibraryExW
.:fIx
@9900
B?I;@;0
3.5.20.0
:7?o
22Il*+X
%ls=%ls
sKMNQ
$03C5
22|d@
|G^<K?
jPOPLXmjVKKWMEA'n
d|~O%
PhwEQ?
K:2g#
^%jd/T?n
SysListView32
u-JEj<
W4A']a-;
e7j|;
W=%<[
4{~Zf
zOVf.
%u.%u%s%s
$y5Iq
{X7.C/
]2](L
:D![_
e= lB
USPK.
&&C(tv
T0/~Aw
:2NL1
?;A>#
0Tco;Gj
:JuN:p
H=pw0
verifying installer: %d%%
lk/!op
Sectigo RSA Time Stamping CA0
&A3<[
contact@rareideas.com0
x3bTJ
IN%Ye
FillRect
uEQ%i
unpacking data: %d%%
_fHW?
F,e#{
KjCUP
3"Fz*!
(NZ44V(
bq:kZ
[af?Y
PNk33z
W9&%BQ+
*Pf$8{gw
cGgg^.
3%w1r
w[4XX
nk$'5;x
d[<.B
mt^Ju~
SHFileOperationW
)TbRP
uX20l
MoveFileExW
<61W:=l
#E%ET
S@nX:%
g:HN)_
xiL{hS
m(m`~
;EyNS
J9()
Wm3:FE
YRa6}
pD?>A="
`;=''
KWFGf:
4A52[
.A=Yi&=f
|-?/^r
chti=
c d,'
CoCreateInstance
GetCommandLineW
7\IE,)
301231235959Z0|1
'!;"00
k4s}J6
+aSW;
NullsoftInst
m9d/L
\bvv]zz`
t$,VW
GetFileAttributesW
\Temp
PortableApps.com
h0]Y~
o}"p`
CompareFileTime
7Db44c^
A?u07
RMMRIB6
I0G0E
t|Q`n
zOA;(
$!9mx
YMV?XS
http://ocsp.usertrust.com0
P:=[6
>r7MEy3mO
{3%o+&
cL(/y
|sOPs
DispatchMessageW
201023000000Z
#Vh+/@
KLumhj
>a=&Jmvv
;3e^xg
4!hBJ
j;xsm
Ig~U|a
CreatePopupMenu
].O4
FileDescription
U:H{8
C;d/[
https://sectigo.com/CPS0C
]r#Yh
>1iT=TkD~
j'_FtYDk
+u+4-@
BeginPaint
mGe1!
{e\(0
m6iYO
mez]-
=.=4yX
#`c={
lstrcpyA
SetWindowLongW
AdjustTokenPrivileges
PhwV@
GetFileVersionInfoSizeW
s6$!D87
la8D3PY
MG>BJI]
z6fC%r
[j 9g
vh`#g~zh
*?|<>/":
9Ty_*tR
5Z]-K
"S=}K6bW
%EIe5
${)*p
AyHzopw
^gTO)
-32{N
t;H|<
zD~Mz
Ed`!z
3O}0H
%];mhR=-
olw'z
0G#K8
o$pv?
gx7+JG0
GetSysColor
CharPrevW
#^bsV
9\\:%
Greater Manchester1
Rare Ideas LLC0
f?ZH]l
InitiateShutdownW
h G%8
, '-c&
,LC$g
D/!w@
{V"].
uCJ_A9
BBL#%9
I',CQ
obK*A
GGg]OQ{
njFln
yr/JI
mZ0!Z
)gBC*
R0';&
tcsgx?
C`[MD
a$2f3Su
SHELL32
D\QJY?fw
sv\c3
GetModuleHandleA
|x`+OB=q
SetFileAttributesW
SetDlgItemTextW
IH})T
13nL05n
%^u-p.
GetModuleHandleW
eF$T`
[C]e=P
!ov4#W
sU9/g
8oK40
N-9qb
Rf\Hg
sf0]AkwI
.rsrc
"'f/EH
HQY|S
AEb.zK
!g:{!*m)bl
s>!3i
8'> +
,e/pn
OriginalFilename
5On6C
zHUPNhj
_lF%J
e;6`HU
Y`O)(
UCu|,d
h'hDm
MqT~x^^c
bm&qk
0B>i#R
$J(W^
220220235959Z0
`XIWDj
QHSS}
XeitY
p\cOdK!1
xUSG3
IDBD $DQ47
I|J(Bf[
V5x!4R
B~3i
ofoaU
h>tv/
Ibl4%o
GetFullPathNameW
4:_Y}!E
8UH=b~
iWsC=
EnableWindow
#W)'(
NoD!P@RF:
\Microsoft\Internet Explorer\Quick Launch
8S{O[
v^v7
BD|LRS
;:ihd
j5blb
CloseHandle
oQ2vL
D"QA2
!;p,M
#Sectigo RSA Time Stamping Signer #20
!:5<~35\
"iqE/
c>J4E
lw-HB
DfFaM1
3http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%
@B@(H
`3O}~
ibT@t
UHGq?
t#SSS
C}6R0
bpF$o
:)q5y
RegEnumValueW
w^}CB>
bB7o6W
SeShutdownPrivilege
&" Ugc\6T
~qG1$g
ie\&V
rCPe$
<:;t54]
14]If
m`gOL
W&{!i&
t&\6J
p;q*#
g#l|C
P68,=
4DDW.
22UFV
/Ux&E
@m)sS
2W{2k
TU]USQY
NSIS Error
".cZS
CharNextW
C(yLZ
4KoTM
j0h0?
]OL/x
hCmM*
7#i:3
CCjjM/
Bg{p}
.text
(obfC=
TlAhZ
mZF"65
lstrcpynW
@OSf:
P{nlmP
V86Cf
rrV78_
SetWindowPos
# ,@S
GetDlgItemTextW
aYNde^RgHB6
+[/U{`
;?~LIK
=0;09
v?x={}
E5x;X
*KS`+
pK^mGy
'1m.P/
)%CYe
'CY,y
bL6ry
0[Z;$J
xfA#p
Z$`/Ku
^j\PN
@_^[]
`9[Wj
m+Bgh
M-iOO
v'f"D
~2Ewh
|-IQ~
tWf="
s}J77
L+s-Q
.VH6a
V/5P;`
ZH5;L3(n
;&;RX
3http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
D?<JSRj
_!Wl+
(*^cCCk
COMCTL32.dll
>FFf;
"k{%!
$zo7{
niM48KWREBm
PortableApps.comInstallerVersion
hvdr+
_3RjX
MessageBoxIndirectW
?:.O[TH
8'/pY
lb)3:
R7KU,
e+aIw
b*5ir
Rj]>q
#a:gi?
i -ZA
2&-jWp
Zei1|
More information at:
RemoveDirectoryW
$ 6@`
DeleteObject
$$zm1
Gn*(>N
E@\"1
EmptyClipboard
)#afi
04aAO.
6j;4F#
Command Prompt Portable
Tod9;
IVUwM
pi2xM
b68hR
DAQf8
aGa!$
RegDeleteValueW
qAgL-
MN{]@>i
RG !/E
abbab]\
dRi'VC
%USERTrust RSA Certification Authority0
jD^*
:8w'%
=>Y;$
L0e7Y
RegEnumKeyW
0Nf)o
GetWindowRect
g<my[
CRYPTBASE
Mc*w_o#q-
X/P4?
6%x;J
h]v^f
)w&WA
EndPaint
WfD:O
Qj=rEh
IsWindow
GmXr^
(I(TQ
tVs|w
xw smc
,/KPip
B//sU
%_YnaS
C[[>g
-*[5*
SetClipboardData
|_[J9l
|`_d^
5rw+k
j [f;
NzLT;
/(bq9
$uwWR8
IsWindowVisible
~ahT,JB
;>p%e
>V5]|t
{+GGD
b>tZU
CreateDirectoryW
)kp<j
BpfUlo
JQ_qp
8>t`NP
[Vqet
#~gO[
@Gk3o#
m'QQhF
/6J]N(^
7`{Y>
MUv|M&x
{d&H7C{
8;vi(I6
v^o\d
6@Fw[
,/+B#
B#J@=
":Sc3
ftXYj
h 5
E&`^v
LegalCopyright
hG "]w .|
eQaL
f!>_^
YAHRqE
8$_^\
SendMessageTimeoutW
CallWindowProcW
TFt1b
{HLvG
e5@B},
8DHL`
SetCurrentDirectoryW
R6, C
ZERCwH
C;{01
+Tq7c
\xebz
e_[ep&S
i,yF$-
>SEJJ-
{FC&g
Sghv~^
F3br/E
dj359AGVWd
:$R4ST
hRE?dH|
D^+x3x~
{Yir7
cs0%;
GetMessagePos
101181
WPWj0
^|D.Ne7
;F3H/;)(
@m8Q,
RZI$7hN"
g:iRa>T
RegDeleteKeyW
GEg8P
iJ~y_A
Sectigo RSA Code Signing CA
~p7b7Y673
kB6ip
OG=;Y
O&'&C+
>~}7G
wQJ=#xC
gY|H.
iZ;qR
r+u?|
ImageList_Create
W\uCy
.DEFAULT\Control Panel\International
WaitForSingleObject
6nh[15
@D_Sw
97(?86I
gi4blk
wd-8:@
t9U])
New Jersey1
lstrlenW
h97VR
D|%HoyD
EJ#tS"
OpenProcessToken
LNRV)
/eA]zZ
PQql8
Comments
Ou=Ye
SystemParametersInfoW
|NQ3w
cO.EOHx
320122235959Z0
eB9x2
SHGetKnownFolderPath
Bj 9;
W)$a{9#
~Zb{
vmO$g
iK>?].
SetForegroundWindow
yt7@q
og[SV
uDWWh
nCSV]
i223-
tIKtO
en_}i
-Mfw(
HDGPC<&
L{hsu$
Y<[;U
SetErrorMode
t^!$c
4#!yx
O:/9h
sP*L!
Bq8,5
190502000000Z
c{hdt
{>|R^.f$i
_A>VS*
/8:3_
dnGui/
SHGetFolderPathW
>#KBH
?-Oo1
7kjbka5
ExpandEnvironmentStringsW
@ ah"5
544S$
SearchPathW
]LbtwX
SetFileTime
{?y.
KiT*t|a^
.,:d#
p7!J.
fgkGR86t~8
GetTickCount
]=Y1h
;]!G3
H-0'OE)9
-C}c8
-do^>X9&}
#/85,
&t<rT
69JPS
X="gI
s]go`Q
5Y&5w
H<+5M
5\Kv'R
_n-%\
+4>Ex
QR_'H
M]OQ$D
EZ0&f4<
SLC '
R k$`w
)TdE%
jWQAi?e
t+Q<Z
M!"P.
]]Rm9
]Mw.NW
I3PuI
KZ[yz
MultiByteToWideChar
For additional details, visit PortableApps.com
I`@8i`
NQ3T[]
d%Kly
:hW2e+S
bHscV
softuW
{D6Ium
To^~b
"_` `
3G$wJ
http://ocsp.sectigo.com0
VERSION
7E-@X
&`!vb
$wJO>R
4ocOY)
|prpL
]+Th3
}SA=T(
*A*/u
msctls_progress32
JE8g>9,3
SHELL32.dll
buuu(
f_5CFx
mXC!>
jh.b)*S}
Du4x.
$g:&<S;#K
BjsQ|
U`)B+7
]fBH.?
1p/FL
`^^^sS
CreateProcessW
jebz>
PczF~
J@6.Ms(J
40%.qh\
;5<w%&E
{"8;N
installer's author to obtain a new copy.
A'pA,6NH
tzK.x
4}7{p
... %d%%
WibtY
*1FhDa
Vwi^@
S61,~f
)0]{.
ADVAPI32.dll
WQSPV
"i8F>
b1]R9
ec%f4
$'zDG
UUUUW
\,F \
CreateThread
/ P6pL
SetBkMode
Z|_|q
90705
\p|O"
W6?R6
TrackPopupMenu
DialogBoxParamW
FreeLibrary
%2L]g
F"C?N
v5loi
lstrlenA
a9G1<h(
.=IgLL
w12,2
1j=v\
yeVBiY
"'CWi}
o]~~'m9
CompanyName
jRv3v
B<1Y44V
Rare Ideas LLC1
+#:X[
EpX.=
#r_0Jo
($thk
0NDqx
73& #
(RcrF
E59IuW7
o~M"4
h2{Ib
p]Dm6M
wK&N'D1
X[Vu?3
md*p
Q*@W?
rdw ^
qi<mG'@u
210617150815Z0?
a>8);
VRhH~
Sleep
#FsMB
90u'AAf
]<Po{X
rZSPnh
kR7Uu
GlobalFree
,+^@&u
<U!Ly
GetUserDefaultUILanguage
Aj"A[f
GetDiskFreeSpaceExW
:27Q6,4N
ShellExecuteExW
0:"?0
z%pzH]
v$jF?
] A[V
s^2v9
WWWWjn
OL/Mu
u&e[)
https://sectigo.com/CPS0D
RegOpenKeyExW
HtijIa
WUpKN
(ZwWG
/-P?pR
SetBkColor
http://ocsp.sectigo.com0
PortableApps.comAppID
ziY4=
FindFirstFileW
bMu'`;k3T
Y>GY-d
-"N($
wsprintfW
o,T(k
#J-r{
New York1!0
CommandPromptPortable_2.6.paf.exe
D$,+D$$P
`ZOIKF:
^y4:Fv
V!!2E
%5Ud1
% D3t
OKgNKC
iJWnTM
i?7t7
M~riC
tw-ezo
O~yBq<T-?
y#v`[=
1]lBK/`
E5_zb
ejE",+
q-RQW
k%Jh[R
4()E10N
D/{|h
((L0,/d
SHGetPathFromIDListW
IFE6\Ys
w/Xxo
0b{yR.3c
'N^B:
bfhit
j8WUHBYs
F) ]8
tSY_1
*cV a
ZSE?13
4:iSG
ImageList_AddMasked
AppendMenuW
g^oBmH
p}/Ln
190221000000Z
ROb_n
t~>%Lc
3|VV<k
+Z'%vb
;Z=1i$
:QpD>
5N^Oo2C
9l<x@j
%ab4<
m|Kkq
?Vpjb
]v8yU
8s$FS
4BR'Tkj
IDATx
Garjl2
MHY&w
fK5nv}.
mHa$k-
gT#O}
CornD
;`@0s
]buxyubO
_T00'
!KI+OF
G" 4r
FindWindowExW
lstrcmpiW
ReleaseDC
'mFD%C
ADVAPI32
0;OFL)
zV@uM5'
PeekMessageW
vBC)s
sabDK7
NH=!$&`DQS
LegalTrademarks
zwdt)
a=2U*
3,{%5
`G*:v
D=,'7:e
SHAutoComplete
h$u&l3
GetClientRect
&EFPd
!wNo__>
SetEnvironmentVariableW
FFC;]
ReadFile
FE``U
{ts(?v
WideCharToMultiByte
RegQueryValueExW
S&M7wd
8b{kw~
VarFileInfo
wsprintfA
NulluN
rsUvB
la$4U
ImageList_Destroy
DrawTextW
$\#^^E#a$
rdVL^
e5}W(Gw
n5;3p
&hjrB
w3nh:
xJEA/
a[g~o
GetFileVersionInfoW
X,4ti
FtI:`
;OV$nb
83('[TH
CreateFileW
99x&~
ExitWindowsEx
:;coAD
GlobalAlloc
#rMAz
81>/VIr+*{0J
PROPSYS
aF^VbE
Installer integrity check has failed. Common causes include
=<^[_a
p^vH[
?Da[+/
ICCc+454
CopyFileW
Ig>"AyY{
m`B"i
Jersey City1
<<kjoa
sU4Q6
V&'i{w
Control Panel\Desktop\ResourceLocale
Error writing temporary file. Make sure your temp folder is valid.
chFat
{afpx$
`)h)o
8^fEO
SHFOLDER
R_dbU
ISLb~
i:6?)@
Jo^R?
>/zBl
VSX\il
^pXKy
wO_7{
GetWindowLongW
s)RB8;'u
f3HI(
*w>st
bt:@t?
F68Hj5
mb %M/
ugj=C
Il)=|
~w9+5LiL
2Q{l0
GetFileSize
w^ZH=b#^"
ii+Qz
;pewN8
wo<S
3http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
{055M
GetDeviceCaps
m5skS
)gGq^
RGkwv
k8!)] @I
}"wRF
_>#\W"
diUn'
7hiuU
380118235959Z0}1
Error launching installer
a0L_rNc
r(t'PN
?2<H#
U5VC(
E${O>r
n}{P:k7
TXmA,
WriteFile
FT6dVk
k;e"M
KERNEL32
o%>}?=
b_@BA
DestroyWindow
6P}DK6
Sectigo RSA Time Stamping CA
<p?{q
e)5*-
K_u}J
cd9eg
GetVersion
O&7<W
ycDPU
haWhKF
epKxWsTT
g!BnN}
SetWindowTextW
9VYp^
Sectigo RSA Code Signing CA0
g76j4>3I
y?@P|
|dZcy
?Y^wH'
VSUbOI:
\u f9O
HO@DFFDD'!"
SQWPV
qW. G
EnableMenuItem
LoadCursorW
SHGetSpecialFolderLocation
n~y$Z
-DdZ:
k8EZD
p2CN;
G\w~B
UWvxv
,TG21
@p(Y4
P"~({
RM)Y+
=.}v)
~"gFB
7Hrhls
)hgnF
RichEd20
StringFileInfo
he=wS%7
jHjZV
ole32.dll
=BBZ#
oLY/-"
SHBrowseForFolderW
qtTq~
PortableApps.comFormatVersion
G9jX[H
W3\&Z
]0}(%k8
UE=8E
zEBzP
#TrMUGe
iimLgq+
`JX{A
UuQwm
u g V
BrIeB
R0hWSF
vo2<C
GlobalUnlock
-z8_$
1@aZ/
&c\j1
nDS {
@c0_~
qw*BW
1]A;E
kd6!%
2007-2020 PortableApps.com, PortableApps.com Installer 3.5.20.0
>$9&%~
ojI4($3C6f,
OLEACC
b#huJ
!%r@C6
mnOtH
483`kby
"0NA9
c#bM`X
9tbjN
n0N+'
N2WUIBIikK.28
b2|I6N
=R7|O
f9=HgD
olj}xyGK
^Z+KOPg
Z\rMM!%
h0f0?
`Qr![
%4J)3
#M9/YI
Salford1
QK?I^YM
,U7?aH
<Q1,~
O2Vep4
2Ug^%
Zlp)p$
`"Bu[
LJ'VqWe
`Rb"k
/|9*v
J3=#S
P?'j>
3;<0A
g7it7
I!rzI
hL>AcS>tW
nRC"7
GetModuleFileNameW
"%SG,.V
42?D%'L
20n2EB|6"
C/n>i
]jdB>
B=#$@9
SetTimer
P: e_
SetClassLongW
8W,9+p
/Ol}0-
;W1i'
4h@N)
lstrcmpW
a6i5w
KERNEL32.dll
RichEd32
OleInitialize
z"{5m
9nk8=\'
!hni`a
W|7=,
=m+M$a
H1Vfgh
K^zs/
GetWindowsDirectoryW
-+-V,+O
DefWindowProcW
kyh!'
"ElS27
LGGNMKg
"D?2j
g)0M,
0WZHBMko:.2
-<Wb{
),Jxe2a
GetSystemDirectoryW
e\;a'
VS_VERSION_INFO
IHa}?<<
GetDiskFreeSpaceW
C=1V;6+
4\x$N2
baP`g|
#Sectigo RSA Time Stamping Signer #2
c\DfG
[+byL
!s?n
k>Ilc
KV6L4
E~:@!
PostQuitMessage
=^'&+uD
)VGS.,W
ecCL6+
Vj%SSS
]5\ j
SendMessageW
m{JK]
{49=Ii
#qqA.
SVWj _3
Iywf|
XR$m%
EIV^)
tZj\V
RS55!
?http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v
OpenClipboard
(M.tiw$
^V0e6
<L_4u
}{I1g
|hcA<_
%S]8A<kOz`u!
_jlvzyxb^
SdV0D
SMALHB7
OP{&;
?1J,U
Sectigo Limited1%0#
?qVOA
GetProcAddress
\FmT69K!
Kq~[o
zuqYq
0&DiYlB
vDUVD
IsWindowEnabled
ProductName
;4F?>@6.,
{h]HB
94**wma
/sNx,u
= @%T
([?`CO
S+[dU
SetFileSecurityW
)Dcat~
Y[hEC
CiuL(
Q.pG>
ExitProcess
DBTb>91
9=4gD
czvT@M
yR||x
wc.5Tyx
YkQmph
u[,&H
$n9U,-*_?wo
@erSD
OiOJJ'
GFeO@
]IMrV
}nQsa
MoveFileW
FileVersion
#+j9k
e@B$y%)
http://nsis.sf.net/NSIS_Error
Please wait while Setup is loading...
{aNI"
QuSKM
~MY[}y
a5Y)I
sz#bw
|sx~j2
E#YMe
^EK/Q
CreateDialogParamW
X~]m=
QNSfef
G%01$
OZ&U"
_}W;94'R>`
}j(l~w8m
nS@|r
c@G0Ln9'
GetExitCodeProcess
cc:LM&Q{
RW :;g
IEFNlD89A4/k
LGLtPPp
[Rename]
SetFilePointer
3MQ:p
vr{uL
rTra&
)"EQ"
D$$+D$
Bl2qd}A
_7GA9
vS(IH5
RegisterClassW
_YhW^
\EnK;#@{
RichEdit20W
qwS8V`
)]@$2c`%
(/iTG3CJWf,+*
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.06.1</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
9-HgE
qISr0
TR31zS
54b4K
* ALZ
VerQueryValueW
CheckDlgButton
1-RZ
h?mHOY`OW
9nM603CIf9
7pYXJ!
d_4Vu
rrxx.
9=8gD
GlobalLock
SHLWAPI
(]MbM
DeleteFileW
lstrcatW
GetPrivateProfileStringW
Qy{/?
GDI32.dll
U]Yg^6
EAm##
NTMARTA
0=4v3
D.K#$
de}se
InvalidateRect
R(|c5
a#PHZ
j!gz L-
DH3uK7
Gpo/U,
23Qe:?|
~d$c}
jBr246
RoNB<z
.'8-&0
$3?U,d
2http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
!{6,i
'~7fa.
26aK/
TgXDT<
InternalName
{^<JB
.+$}E
JYspE
?Z\hR
Software\Microsoft\Windows\CurrentVersion
*pZ_/
imaF~
-<TiI
u:FeV
"[_5K*
qR15`
GetDC
SetTextColor
XU_^RL;
j;5;8
HCIs&%
oCD[3
$Omy}
K@fam
l;53P
FindNextFileW
5HkI4
2,Vat
;8*wEZ
FindClose
[UISaYNd|sg
cu`i=
q`^g9
KB6p
9GWgoR.
"zZTv}"
D$ Ph
MulDiv
<\rh4
GetTempPathW
HH$L0
KpmSv
/3sj|
o4M1>
RegCreateKeyExW
incomplete download and damaged media. Contact the
|Q&9q
vX95h
7jdec
Gu6:Zs@;
B<0crj]
U?=4z~
TLUH)/"
X$}7~
s495
8,5-A#Wf
9BCK?U|
%E^jz<
SETUPAPI
Nye[<
vSH@al6
A:[bf<"R
9A7Zm
vpw/}
d>zEr
dZ->R
T'+j~
cWEnl!
GetSystemMetrics
OA]]5w
<0:08
vCI3f
D$$SPS
x5}0E
Z+l]S
=7+1JD7cRL@
WwtC'
Z;z8}h
*%4r84Cp,#
68a{!q
Psc=2
c;GNT{
p[A^4yq5O
gyQl=
Kdpy
b$sZT
]1_TA
c~BW_
*:sEUJ
PortableApps.com is a registered trademark of Rare Ideas, LLC.
=UH_L
/AFp!
5r_h%
djdih
CoTaskMemFree
GetDlgItem
CloseClipboard
)L+5K
YcvP}9
ZD;b"b1
MS Shell Dlg
G`N-n
q:27G
'^nm.
2-{Y1
l.G##
m*JpH
K?i4tP
Tl`?%
tzo*c;
<4*F:5L
GetShortPathNameW
Sectigo Limited1$0"
!This program cannot be run in DOS mode.
PGCTl~aD
?ufFM
oZ%pb
NL+v?
W`Zw7
TCk5~
@Af]WY
;9e_t
@;>n3&
8CG9*
7^^1(U
z3DLdR
]E,$-KYI
USER32.dll
7$OV`
<u6Kat&}|a
0P[Vm
c>uB*B
iDd`!\
Rx`:|
7\Hkj
ojK.K;
4s;tv!
z4uy@
"Rr^R
JZJ!5[
!CYi!
`|HN>
APPHELP
746!%%A
z4s02*
SVWj"
CreateFontIndirectW
A8zx?
350 Fifth Ave Suite 52091
W[b&nY
<7Y&\C
RegDeleteKeyExW
-@uO'w5?
=vdqH!HZ
$9j?!
EU'%?
LoadImageW
+Nbej
P{dFt
wE~d0H
lstrcmpiA
g+JfrMr
w@"sr
GetCurrentProcess
v~yme
P6cn8
{=ww1x
"'dLF|
uff)j(
yy@+T
)2(6d
pFOOHSNNSMFB&%
%t^lx
dKSYt
SHGetFileInfoW
Z,Fr5
jCBzB
H!%q!
.ndata
KiY<\
6=Im>
GetClassInfoW
0q^hp
zS\EJ
N{xh(
v#.Mp
MSs34lw
C 1CRP@.
GA=;KJf
Translation
,dOmiBK{7P
ScreenToClient
Z3vJ,
rf#I1
vhmlF
7OW0`
nv_HV
%s%S.dll
OleUninitialize
kng2Qu
CWVWin|
FCK{YY~
!SA_3
i9#9P/os
6hltp
"$0Qn
RxOdj
GetTempFileNameW
ProductVersion
R~(LCX
g0e0>
$ xBo
.?5O\
8u+j!
K6#hqHx
Instu`
'_^2y:
rRj;B7|
av.-{
A4xI;'8\
+-]q8<t
ShowWindow
The USERTRUST Network1.0,
=)a&n
RichEdit
qyxxx
RZdBD PS
Uweg%
**LE0
0*"?%%B
u{U:t
ZMLt|[
)@~EN
RR-rj
o!KX+
{V,M#K
N@v~Wt+
D>Fz/*
cSH}#
CommandPromptPortable
GkcPUU
TU<W5
_)=(e
by/1YZ
XDVmd
A?|ht
Zh@^uB.
&p\Rs
9NZd^
!l|]R~!
UXTHEME
U|tG[~I`#
85HO\^
@TmJM
DWMAPI
bbe??niU1
Ef_j9
tnyU6E
6J&ev
>r|2P
*-X@F
LookupPrivilegeValueW
@g 58
P4YTb
CharNextA
XjJ1wd;i7
"1?2,1$
EBlP^&
qJvly
-2%<C
Hj\("
Ry` +;
fA P|
E?wVu
qFFQe&V-
MG@.USd
IIDFromString
^p)"ID^
KRbO]
2sY+F
<ENoIDJ
\ P8D
c)444
kT@=L
;-*<f"
f58ksIN
*4'f`N
`O|)h
4?U~_-
ep\ll+
gc8g+?
"ii\o
GetLastError
rg[CD
Sectigo Limited1,0*
ua%g}L
[r0s8
cohca
.X=4F
o9!Z!
3EqZh
s4R-T
0M;ff~
\UZqj4
gz`;p
'La$`7
%lN\U
1'I{Us
+&/d,-U
eI%0M
F5l%f
R2X!~ `
*Ujrj
?!*r=1
I<]t?%
bx~A_
O@ntBz.
V'{ENJ9
+S7la
884B=
yn0wK
]a]a]]
`.rdata
2B^m!
2http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
#jYhRB_
:=E$q
TP]Sc
5:xL<A|
}FugP
RegCloseKey
GetSystemMenu
u]}3b
P{[ae.s/z
Y|AP:G
4|TnV

PE Information

Image Base 0x00400000
Entry Point 0x000035d8
Reported Checksum 0x000679f9
Actual Checksum 0x000679f9
Minimum OS Version 4.0
Compile Time 2020-08-01 02:52:49
Import Hash c05041e01f84e1ccca9c4451f3b6a383
Icon Exact Hash 2c09465cc979677d65781d9403176c31
Icon Similarity Hash 5c00f471cce984e3b873ef9ade242aed
Icon DHash 71e0e4b8cccccce0

Version Infos

Comments For additional details, visit PortableApps.com
CompanyName PortableApps.com
FileDescription Command Prompt Portable
FileVersion 2.6.0.0
InternalName Command Prompt Portable
LegalCopyright 2007-2020 PortableApps.com, PortableApps.com Installer 3.5.20.0
LegalTrademarks PortableApps.com is a registered trademark of Rare Ideas, LLC.
OriginalFilename CommandPromptPortable_2.6.paf.exe
PortableApps.comAppID CommandPromptPortable
PortableApps.comFormatVersion 3.5.20
PortableApps.comInstallerVersion 3.5.20.0
ProductName Command Prompt Portable
ProductVersion 2.6.0.0
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x00006572 0x00006600 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.45
.rdata 0x00006a00 0x00008000 0x00001398 0x00001400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.14
.data 0x00007e00 0x0000a000 0x00066378 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.09
.ndata 0x00000000 0x00071000 0x0015c000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rsrc 0x00008400 0x001cd000 0x0001c700 0x0001c800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.24

Overlay

Offset 0x00024c00
Size 0x00033be8
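The PE Information, Sections and Overlay tables above come from a static pass over the file before it is run, and the numbers are worth cross-checking rather than read in isolation: Reported and Actual Checksum agree (0x000679f9); the .rsrc entropy of 7.24 is driven by the 0x12524-byte RT_ICON at 7.98, not by packing; and the overlay is simply everything past the last section's raw data, 0x8400 + 0x1c800 = 0x24c00, which leaves 0x587e8 - 0x24c00 = 0x33be8 bytes for the NSIS payload, consistent with the 362472-byte file size. The script below is an added example, my own code rather than CAPE's, that reproduces each of those values from raw bytes with nothing beyond the standard library. build_sample_pe is a constructed stub used only for the self-test and is not this binary; run the script with a file path to triage a real sample.

```python
"""PE triage in pure Python: header fields, per-section entropy, overlay bounds and the
optional-header checksum. Added example, not CAPE's code. Usage: pe_triage.py [file]"""
import math
import struct
import sys

SECTION_FMT = "<8sIIIIIIHHI"                                 # IMAGE_SECTION_HEADER, 40 bytes

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; empty input gives 0.0 (why .ndata, which has no raw data, reads 0.00)."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """CheckSum as Windows computes it: one's-complement sum of 16-bit words, with the
    4-byte CheckSum field itself skipped, plus the file length."""
    total = 0
    for off in range(0, len(data) - 1, 2):
        if off in (checksum_offset, checksum_offset + 2):
            continue
        total += struct.unpack_from("<H", data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)             # end-around carry
    if len(data) % 2:                                        # odd trailing byte
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    return total + len(data)

def overlay_bounds(file_size: int, sections) -> tuple:
    """(offset, size) of bytes past the last section's raw data, or (None, 0) if none.
    NSIS keeps its compressed payload there, which is why the overlay dominates this file."""
    end = max((s["raw_ptr"] + s["raw_size"] for s in sections), default=0)
    return (end, file_size - end) if file_size > end else (None, 0)

def triage(pe: bytes) -> dict:
    """Parse the DOS/NT headers and section table of a PE32 or PE32+ image held in memory."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                      # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                                       # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:                                     # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_FMT, pe, opt + size_opt + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": f[2], "vsize": f[1], "raw_ptr": f[4], "raw_size": f[3],
                         "entropy": round(shannon_entropy(pe[f[4]:f[4] + f[3]]), 2)})
    return {"image_base": image_base,
            "entry_point": struct.unpack_from("<I", pe, opt + 16)[0],
            "min_os_version": "%d.%d" % struct.unpack_from("<HH", pe, opt + 40),
            "reported_checksum": struct.unpack_from("<I", pe, opt + 64)[0],
            "actual_checksum": pe_checksum(pe, opt + 64),
            "sections": sections, "overlay": overlay_bounds(len(pe), sections)}

def fix_checksum(pe: bytes) -> bytes:
    """Copy of the image with the CheckSum field rewritten to the computed value."""
    off = struct.unpack_from("<I", pe, 0x3C)[0] + 24 + 64
    out = bytearray(pe)
    struct.pack_into("<I", out, off, pe_checksum(pe, off))
    return bytes(out)

def build_sample_pe() -> bytes:
    """Constructed PE32 stub for the self-test, not this or any real binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, 0x35D8)                  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                # ImageBase
    struct.pack_into("<HH", opt, 40, 4, 0)                   # OS version 4.0
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)              # deliberately stale CheckSum
    text = struct.pack(SECTION_FMT, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    rsrc = struct.pack(SECTION_FMT, b".rsrc", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040)
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + text + rsrc).ljust(0x200, b"\0")
    return (headers + bytes(range(256)) * 2                  # .text: every byte value twice, entropy 8.0
            + bytes(0x200)                                   # .rsrc: all zero, entropy 0.0
            + b"NullsoftInst" + bytes(100))                  # overlay, where an NSIS payload lives

if __name__ == "__main__":
    info = triage(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe())
    for s in info.pop("sections"):
        print("%-8s raw 0x%08x size 0x%08x entropy %.2f" % (s["name"], s["raw_ptr"], s["raw_size"], s["entropy"]))
    print(info)
```

A checksum mismatch on its own is a weak signal, since many unsigned builds ship with the field zeroed, but a body that has been patched after signing changes the Actual value unless the attacker also rewrites the field, and it breaks the Authenticode signature that the DigiSig module reported as valid here. For an NSIS file the section table only describes the stub; the overlay is where the installer's actual contents live.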

Resources

Name Offset Size Language Sub-language Entropy File type
RT_ICON 0x001cd958 0x00012524 LANG_ENGLISH SUBLANG_ENGLISH_US 7.98 None
RT_ICON 0x001dfe80 0x000025a8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.17 None
RT_ICON 0x001e2428 0x000010a8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.51 None
RT_ICON 0x001e34d0 0x00000ea8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.70 None
RT_ICON 0x001e4378 0x00000988 LANG_ENGLISH SUBLANG_ENGLISH_US 5.65 None
RT_ICON 0x001e4d00 0x000008a8 LANG_ENGLISH SUBLANG_ENGLISH_US 6.02 None
RT_ICON 0x001e55a8 0x00000568 LANG_ENGLISH SUBLANG_ENGLISH_US 5.67 None
RT_ICON 0x001e5b10 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.84 None
RT_DIALOG 0x001e5f78 0x00000120 LANG_ENGLISH SUBLANG_ENGLISH_US 2.56 None
RT_DIALOG 0x001e6098 0x00000200 LANG_ENGLISH SUBLANG_ENGLISH_US 2.68 None
RT_DIALOG 0x001e6298 0x000000f8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.91 None
RT_DIALOG 0x001e6390 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 2.90 None
RT_DIALOG 0x001e6480 0x00000120 LANG_ENGLISH SUBLANG_ENGLISH_US 2.84 None
RT_DIALOG 0x001e65a0 0x00000200 LANG_ENGLISH SUBLANG_ENGLISH_US 2.96 None
RT_DIALOG 0x001e67a0 0x000000f8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.11 None
RT_DIALOG 0x001e6898 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 3.07 None
RT_DIALOG 0x001e6988 0x00000120 LANG_ENGLISH SUBLANG_ENGLISH_US 2.84 None
RT_DIALOG 0x001e6aa8 0x00000200 LANG_ENGLISH SUBLANG_ENGLISH_US 2.96 None
RT_DIALOG 0x001e6ca8 0x000000f8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.11 None
RT_DIALOG 0x001e6da0 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 3.07 None
RT_DIALOG 0x001e6e90 0x00000120 LANG_ENGLISH SUBLANG_ENGLISH_US 2.84 None
RT_DIALOG 0x001e6fb0 0x00000200 LANG_ENGLISH SUBLANG_ENGLISH_US 2.96 None
RT_DIALOG 0x001e71b0 0x000000f8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.11 None
RT_DIALOG 0x001e72a8 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 3.07 None
RT_DIALOG 0x001e7398 0x00000118 LANG_ENGLISH SUBLANG_ENGLISH_US 2.65 None
RT_DIALOG 0x001e74b0 0x000001f8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.73 None
RT_DIALOG 0x001e76a8 0x000000f0 LANG_ENGLISH SUBLANG_ENGLISH_US 3.05 None
RT_DIALOG 0x001e7798 0x000000e6 LANG_ENGLISH SUBLANG_ENGLISH_US 3.10 None
RT_DIALOG 0x001e7880 0x0000010c LANG_ENGLISH SUBLANG_ENGLISH_US 2.48 None
RT_DIALOG 0x001e7990 0x000001ec LANG_ENGLISH SUBLANG_ENGLISH_US 2.62 None
RT_DIALOG 0x001e7b80 0x000000e4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.86 None
RT_DIALOG 0x001e7c68 0x000000da LANG_ENGLISH SUBLANG_ENGLISH_US 2.93 None
RT_DIALOG 0x001e7d48 0x00000120 LANG_ENGLISH SUBLANG_ENGLISH_US 2.84 None
RT_DIALOG 0x001e7e68 0x00000200 LANG_ENGLISH SUBLANG_ENGLISH_US 2.96 None
RT_DIALOG 0x001e8068 0x000000f8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.11 None
RT_DIALOG 0x001e8160 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 3.07 None
RT_DIALOG 0x001e8250 0x0000010c LANG_ENGLISH SUBLANG_ENGLISH_US 2.48 None
RT_DIALOG 0x001e8360 0x000001ec LANG_ENGLISH SUBLANG_ENGLISH_US 2.63 None
RT_DIALOG 0x001e8550 0x000000e4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.87 None
RT_DIALOG 0x001e8638 0x000000da LANG_ENGLISH SUBLANG_ENGLISH_US 2.93 None
RT_DIALOG 0x001e8718 0x00000110 LANG_ENGLISH SUBLANG_ENGLISH_US 2.58 None
RT_DIALOG 0x001e8828 0x000001f0 LANG_ENGLISH SUBLANG_ENGLISH_US 2.68 None
RT_DIALOG 0x001e8a18 0x000000e8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.97 None
RT_DIALOG 0x001e8b00 0x000000de LANG_ENGLISH SUBLANG_ENGLISH_US 3.04 None
RT_GROUP_ICON 0x001e8be0 0x00000076 LANG_ENGLISH SUBLANG_ENGLISH_US 2.80 None
RT_VERSION 0x001e8c58 0x000005bc LANG_ENGLISH SUBLANG_ENGLISH_US 3.37 None
RT_MANIFEST 0x001e9218 0x000004e3 LANG_ENGLISH SUBLANG_ENGLISH_US 5.29 None

Imports

ADVAPI32.dll
Name Address
RegCreateKeyExW 0x408000
RegEnumKeyW 0x408004
RegQueryValueExW 0x408008
RegSetValueExW 0x40800c
RegCloseKey 0x408010
RegDeleteValueW 0x408014
RegDeleteKeyW 0x408018
AdjustTokenPrivileges 0x40801c
LookupPrivilegeValueW 0x408020
OpenProcessToken 0x408024
SetFileSecurityW 0x408028
RegOpenKeyExW 0x40802c
RegEnumValueW 0x408030

SHELL32.dll
Name Address
SHGetSpecialFolderLocation 0x408178
SHFileOperationW 0x40817c
SHBrowseForFolderW 0x408180
SHGetPathFromIDListW 0x408184
ShellExecuteExW 0x408188
SHGetFileInfoW 0x40818c

ole32.dll
Name Address
OleInitialize 0x408298
OleUninitialize 0x40829c
CoCreateInstance 0x4082a0
IIDFromString 0x4082a4
CoTaskMemFree 0x4082a8

COMCTL32.dll
Name Address
ImageList_Create 0x40803c
ImageList_Destroy 0x408040
ImageList_AddMasked 0x408044

USER32.dll
Name Address
GetClientRect 0x408194
EndPaint 0x408198
DrawTextW 0x40819c
IsWindowEnabled 0x4081a0
DispatchMessageW 0x4081a4
wsprintfA 0x4081a8
CharNextA 0x4081ac
CharPrevW 0x4081b0
MessageBoxIndirectW 0x4081b4
GetDlgItemTextW 0x4081b8
SetDlgItemTextW 0x4081bc
GetSystemMetrics 0x4081c0
FillRect 0x4081c4
AppendMenuW 0x4081c8
TrackPopupMenu 0x4081cc
OpenClipboard 0x4081d0
SetClipboardData 0x4081d4
CloseClipboard 0x4081d8
IsWindowVisible 0x4081dc
CallWindowProcW 0x4081e0
GetMessagePos 0x4081e4
CheckDlgButton 0x4081e8
LoadCursorW 0x4081ec
SetCursor 0x4081f0
GetWindowLongW 0x4081f4
GetSysColor 0x4081f8
SetWindowPos 0x4081fc
PeekMessageW 0x408200
SetClassLongW 0x408204
GetSystemMenu 0x408208
EnableMenuItem 0x40820c
GetWindowRect 0x408210
ScreenToClient 0x408214
EndDialog 0x408218
RegisterClassW 0x40821c
SystemParametersInfoW 0x408220
CreateWindowExW 0x408224
GetClassInfoW 0x408228
DialogBoxParamW 0x40822c
CharNextW 0x408230
ExitWindowsEx 0x408234
DestroyWindow 0x408238
CreateDialogParamW 0x40823c
SetTimer 0x408240
SetWindowTextW 0x408244
PostQuitMessage 0x408248
SetForegroundWindow 0x40824c
ShowWindow 0x408250
wsprintfW 0x408254
SendMessageTimeoutW 0x408258
FindWindowExW 0x40825c
IsWindow 0x408260
GetDlgItem 0x408264
SetWindowLongW 0x408268
LoadImageW 0x40826c
GetDC 0x408270
ReleaseDC 0x408274
EnableWindow 0x408278
InvalidateRect 0x40827c
SendMessageW 0x408280
DefWindowProcW 0x408284
BeginPaint 0x408288
EmptyClipboard 0x40828c
CreatePopupMenu 0x408290
Name Address
SetBkMode 0x40804c
SetBkColor 0x408050
GetDeviceCaps 0x408054
CreateFontIndirectW 0x408058
CreateBrushIndirect 0x40805c
DeleteObject 0x408060
SetTextColor 0x408064
SelectObject 0x408068
Name Address
GetExitCodeProcess 0x408070
WaitForSingleObject 0x408074
GetModuleHandleA 0x408078
GetProcAddress 0x40807c
GetSystemDirectoryW 0x408080
lstrcatW 0x408084
Sleep 0x408088
lstrcpyA 0x40808c
WriteFile 0x408090
GetTempFileNameW 0x408094
lstrcmpiA 0x408098
RemoveDirectoryW 0x40809c
CreateProcessW 0x4080a0
CreateDirectoryW 0x4080a4
GetLastError 0x4080a8
CreateThread 0x4080ac
GlobalLock 0x4080b0
GlobalUnlock 0x4080b4
GetDiskFreeSpaceW 0x4080b8
WideCharToMultiByte 0x4080bc
lstrcpynW 0x4080c0
lstrlenW 0x4080c4
SetErrorMode 0x4080c8
GetVersion 0x4080cc
GetCommandLineW 0x4080d0
GetTempPathW 0x4080d4
GetWindowsDirectoryW 0x4080d8
SetEnvironmentVariableW 0x4080dc
ExitProcess 0x4080e0
CopyFileW 0x4080e4
GetCurrentProcess 0x4080e8
GetModuleFileNameW 0x4080ec
GetFileSize 0x4080f0
CreateFileW 0x4080f4
GetTickCount 0x4080f8
MulDiv 0x4080fc
SetFileAttributesW 0x408100
GetFileAttributesW 0x408104
SetCurrentDirectoryW 0x408108
MoveFileW 0x40810c
GetFullPathNameW 0x408110
GetShortPathNameW 0x408114
SearchPathW 0x408118
CompareFileTime 0x40811c
SetFileTime 0x408120
CloseHandle 0x408124
lstrcmpiW 0x408128
lstrcmpW 0x40812c
ExpandEnvironmentStringsW 0x408130
GlobalFree 0x408134
GlobalAlloc 0x408138
GetModuleHandleW 0x40813c
LoadLibraryExW 0x408140
MoveFileExW 0x408144
FreeLibrary 0x408148
WritePrivateProfileStringW 0x40814c
GetPrivateProfileStringW 0x408150
lstrlenA 0x408154
MultiByteToWideChar 0x408158
ReadFile 0x40815c
SetFilePointer 0x408160
FindClose 0x408164
FindNextFileW 0x408168
FindFirstFileW 0x40816c
DeleteFileW 0x408170


Reports: JSON

Usage


Processing ( 34.54 seconds )

  • 31.905 ProcessMemory
  • 2.451 CAPE
  • 0.171 BehaviorAnalysis
  • 0.007 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.06 seconds )

  • 0.008 ransomware_files
  • 0.007 antiav_detectreg
  • 0.005 antianalysis_detectfile
  • 0.005 ransomware_extensions
  • 0.003 antiav_detectfile
  • 0.003 infostealer_ftp
  • 0.003 territorial_disputes_sigs
  • 0.003 ursnif_behavior
  • 0.002 antianalysis_detectreg
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 infostealer_mail
  • 0.002 poullight_files
  • 0.002 masquerade_process_name
  • 0.001 antidebug_devices
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior

Reporting ( 0.12 seconds )

  • 0.115 CAPASummary
  • 0.007 JsonDump

Signatures

Queries the keyboard layout
Enumerates running processes
process: System with pid 4
process: Registry with pid 92
process: smss.exe with pid 384
process: csrss.exe with pid 476
process: wininit.exe with pid 552
process: services.exe with pid 656
process: lsass.exe with pid 696
process: fontdrvhost.exe with pid 784
process: svchost.exe with pid 808
process: svchost.exe with pid 924
process: svchost.exe with pid 976
process: svchost.exe with pid 1036
process: svchost.exe with pid 1108
process: svchost.exe with pid 1116
process: svchost.exe with pid 1204
process: svchost.exe with pid 1240
process: svchost.exe with pid 1296
process: svchost.exe with pid 1348
process: svchost.exe with pid 1392
process: svchost.exe with pid 1428
process: svchost.exe with pid 1452
process: svchost.exe with pid 1544
process: svchost.exe with pid 1552
process: svchost.exe with pid 1676
process: svchost.exe with pid 1756
process: svchost.exe with pid 1772
process: svchost.exe with pid 1788
process: Memory Compression with pid 1844
process: svchost.exe with pid 1864
process: svchost.exe with pid 1940
process: svchost.exe with pid 1964
process: svchost.exe with pid 1976
process: svchost.exe with pid 1364
process: svchost.exe with pid 2024
process: svchost.exe with pid 1692
process: svchost.exe with pid 2116
process: svchost.exe with pid 2128
process: svchost.exe with pid 2136
process: svchost.exe with pid 2144
process: svchost.exe with pid 2252
process: spoolsv.exe with pid 2340
process: svchost.exe with pid 2384
process: svchost.exe with pid 2416
process: svchost.exe with pid 2568
process: svchost.exe with pid 2580
process: svchost.exe with pid 2596
process: svchost.exe with pid 2608
process: svchost.exe with pid 2640
process: svchost.exe with pid 2736
process: svchost.exe with pid 2756
process: svchost.exe with pid 2764
process: MsMpEng.exe with pid 2772
process: svchost.exe with pid 2800
process: svchost.exe with pid 2852
process: svchost.exe with pid 3136
process: svchost.exe with pid 3772
process: svchost.exe with pid 3912
process: MicrosoftEdgeUpdate.exe with pid 3080
process: svchost.exe with pid 64
process: svchost.exe with pid 820
process: svchost.exe with pid 3692
process: SearchIndexer.exe with pid 5088
process: svchost.exe with pid 5940
process: svchost.exe with pid 6084
process: svchost.exe with pid 6092
process: svchost.exe with pid 5208
process: svchost.exe with pid 3440
process: dasHost.exe with pid 4544
process: svchost.exe with pid 4576
process: SecurityHealthService.exe with pid 4392
process: NisSrv.exe with pid 5416
process: svchost.exe with pid 6748
process: svchost.exe with pid 7040
process: svchost.exe with pid 6580
process: SgrmBroker.exe with pid 1796
process: svchost.exe with pid 6248
process: svchost.exe with pid 572
process: svchost.exe with pid 3184
process: svchost.exe with pid 3180
process: svchost.exe with pid 5236
process: svchost.exe with pid 1572
process: svchost.exe with pid 5020
process: csrss.exe with pid 6676
process: winlogon.exe with pid 780
process: fontdrvhost.exe with pid 4680
process: dwm.exe with pid 3860
process: sihost.exe with pid 2360
process: svchost.exe with pid 2216
process: svchost.exe with pid 6832
process: svchost.exe with pid 5524
process: taskhostw.exe with pid 7156
process: explorer.exe with pid 640
process: svchost.exe with pid 4968
process: StartMenuExperienceHost.exe with pid 4628
process: RuntimeBroker.exe with pid 6224
process: SearchApp.exe with pid 2060
process: RuntimeBroker.exe with pid 2732
process: SearchApp.exe with pid 952
process: ctfmon.exe with pid 5664
process: SkypeBackgroundHost.exe with pid 648
process: TextInputHost.exe with pid 676
process: smartscreen.exe with pid 5572
process: RuntimeBroker.exe with pid 6932
process: SecurityHealthSystray.exe with pid 5404
process: OneDrive.exe with pid 4508
process: SystemSettings.exe with pid 5096
process: ApplicationFrameHost.exe with pid 4160
process: UserOOBEBroker.exe with pid 5852
process: audiodg.exe with pid 5596
process: dllhost.exe with pid 1856
process: svchost.exe with pid 1632
process: ShellExperienceHost.exe with pid 5964
process: RuntimeBroker.exe with pid 6872
process: conhost.exe with pid 2892
process: upfc.exe with pid 824
process: svchost.exe with pid 6844
process: backgroundTaskHost.exe with pid 4932
process: CompatTelRunner.exe with pid 5868
process: TrustedInstaller.exe with pid 1988
process: TiWorker.exe with pid 6564
process: MoUsoCoreWorker.exe with pid 3976
process: conhost.exe with pid 6628
process: svchost.exe with pid 2924
process: sppsvc.exe with pid 5768
process: SppExtComObj.Exe with pid 4272
process: RuntimeBroker.exe with pid 1532
process: RuntimeBroker.exe with pid 3696
process: svchost.exe with pid 5028
process: svchost.exe with pid 7000
process: CommandPromptPortabl.exe with pid 4164
Reads data out of its own binary image
self_read: process: CommandPromptPortabl.exe, pid: 4164, offset: 0x00000000, length: 0x00056642
self_read: process: CommandPromptPortabl.exe, pid: 4164, offset: 0x30785c4c6331785c, length: 0x00004000
self_read: process: CommandPromptPortabl.exe, pid: 4164, offset: 0x6338785c6331785c, length: 0x00010000
self_read: process: CommandPromptPortabl.exe, pid: 4164, offset: 0x785c3530785c6642, length: 0x00000004
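Only the first of the four self_read records is credible: it reads 0x56642 bytes from offset 0, i.e. the whole file, so the image is about 354 KB. The other three carry 64-bit "offsets" far beyond that size (and beyond the 32-bit address space of this image), and their little-endian bytes spell out fragments of escaped text, which suggests the hook logged a string argument that the report parser then read as an integer. That is an inference about the logging, not something the report states. The following is an added triage helper, not CAPE code, that parses these lines, infers the file size from the whole-file read, and separates plausible reads from impossible ones.

```python
import re

# The four signature lines from this report, copied verbatim.
SELF_READ_LINES = """\
self_read: process: CommandPromptPortabl.exe, pid: 4164, offset: 0x00000000, length: 0x00056642
self_read: process: CommandPromptPortabl.exe, pid: 4164, offset: 0x30785c4c6331785c, length: 0x00004000
self_read: process: CommandPromptPortabl.exe, pid: 4164, offset: 0x6338785c6331785c, length: 0x00010000
self_read: process: CommandPromptPortabl.exe, pid: 4164, offset: 0x785c3530785c6642, length: 0x00000004
""".splitlines()

LINE_RE = re.compile(
    r"self_read: process: (?P<proc>\S+), pid: (?P<pid>\d+), "
    r"offset: 0x(?P<off>[0-9a-fA-F]+), length: 0x(?P<len>[0-9a-fA-F]+)"
)


def parse_self_reads(lines):
    """Turn report lines into dicts with integer offset/length; lines that do not match are skipped."""
    reads = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            reads.append({"proc": m["proc"], "pid": int(m["pid"]),
                          "offset": int(m["off"], 16), "length": int(m["len"], 16)})
    return reads


def infer_file_size(reads):
    """Largest read that starts at offset 0 is taken to be the whole-file read (an assumption)."""
    return max((r["length"] for r in reads if r["offset"] == 0), default=None)


def classify(reads, file_size):
    """Split reads into (plausible, bogus). A read is bogus when its offset does not fit a
    32-bit image (the IAT above lives at 0x408xxx) or when offset+length runs past EOF."""
    plausible, bogus = [], []
    for r in reads:
        if r["offset"] > 0xFFFFFFFF or r["offset"] + r["length"] > file_size:
            bogus.append(r)
        else:
            plausible.append(r)
    return plausible, bogus


def offset_as_ascii(offset):
    """Render the eight little-endian bytes of a suspicious 'offset' as printable text."""
    raw = offset.to_bytes(8, "little")
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)


if __name__ == "__main__":
    reads = parse_self_reads(SELF_READ_LINES)
    size = infer_file_size(reads)
    ok, bad = classify(reads, size)
    print(f"inferred file size 0x{size:x}; {len(ok)} plausible, {len(bad)} bogus read(s)")
    for r in bad:
        print(f"  offset 0x{r['offset']:016x} decodes to {offset_as_ascii(r['offset'])!r}")
```

Run on the lines above, the three oversized offsets decode to the text fragments "\x1cL\x0", "\x1c\x8c" and "Bf\x05\x", which is why they should not be read as evidence of the sample scanning itself at odd offsets.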
The binary likely contains encrypted or compressed data
section: {'name': '.rsrc', 'raw_address': '0x00008400', 'virtual_address': '0x001cd000', 'virtual_size': '0x0001c700', 'size_of_data': '0x0001c800', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x40000040', 'entropy': '7.24'}
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 4164 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
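The matched bytes decode as x86 `call` with a zero rel32 (E8 00 00 00 00, a call to the very next instruction, which pushes its own return address) followed by `pop eax` (58), leaving eax holding the address of the pop. Position-independent shellcode uses this idiom to locate itself, hence the rule name, but the same six bytes can also appear in ordinary compiler output or in data, so a single hit in a process dump is weak evidence on its own. The scanner below is an added example, not the YARA rule or CAPE code; SAMPLE is a constructed byte string. Its strict mode reproduces the report's rule exactly, and the relaxed mode is my extension to the other `pop r32` encodings (59 to 5F, skipping 5C, pop esp).

```python
# Opcode byte -> register for the one-byte "pop r32" encodings (0x5C, pop esp, deliberately omitted).
POP_R32 = {0x58: "eax", 0x59: "ecx", 0x5A: "edx", 0x5B: "ebx", 0x5D: "ebp", 0x5E: "esi", 0x5F: "edi"}

GET_EIP_CALL = b"\xE8\x00\x00\x00\x00"   # call rel32=0 : pushes the address of the next instruction


def find_get_eip(buf: bytes, strict: bool = True):
    """Return [(offset, register), ...] for every 'call $+5 ; pop r32' in buf.
    strict=True matches only 'pop eax' (the report's rule, E8 00 00 00 00 58);
    strict=False also accepts the other pop r32 opcodes."""
    hits = []
    start = 0
    while True:
        i = buf.find(GET_EIP_CALL, start)
        if i < 0 or i + 5 >= len(buf):        # no match, or call is the last thing in the buffer
            break
        nxt = buf[i + 5]
        if (strict and nxt == 0x58) or (not strict and nxt in POP_R32):
            hits.append((i, POP_R32[nxt]))
        start = i + 1
    return hits


# Constructed sample: a prologue, the eax form of the idiom at offset 3, a normal call with a
# non-zero displacement (must not match), the ebx form at offset 14, and a ret.
SAMPLE = (
    b"\x55\x8B\xEC"                  # push ebp ; mov ebp, esp
    + b"\xE8\x00\x00\x00\x00\x58"    # call $+5 ; pop eax   -> eax = address of this pop
    + b"\xE8\x10\x00\x00\x00"        # call +0x10  (ordinary call, rel32 != 0)
    + b"\xE8\x00\x00\x00\x00\x5B"    # call $+5 ; pop ebx   -> only the relaxed scan sees this
    + b"\xC3"                        # ret
)

if __name__ == "__main__":
    for mode in (True, False):
        for off, reg in find_get_eip(SAMPLE, strict=mode):
            print(f"strict={mode}: get-EIP idiom at offset {off}, result lands in {reg}")
```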
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections
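Both static findings are cheap to reproduce and worth re-checking by hand before drawing conclusions. The entropy flag is an observation rather than a verdict: the ns*.tmp plugin drop pattern in the Summary below (System.dll, nsDialogs.dll, LangDLL.dll) is characteristic of an NSIS installer, and installers carry compressed payloads and image resources that push a section's entropy up. The entrypoint anomaly is a different kind of signal, since a loader-valid AddressOfEntryPoint normally falls inside a section. The following is an added example, not CAPE's code: a stdlib-only PE header walk that computes each section's Shannon entropy from its raw data and tests whether the entrypoint RVA lies inside any section's [VirtualAddress, VirtualAddress+VirtualSize) range. The 7.0 threshold is an assumption (the report does not show CAPE's cut-off), and build_toy_pe fabricates a two-section PE32 skeleton purely so the code can run offline.

```python
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Minimal PE walk: (AddressOfEntryPoint, [(name, va, vsize, raw_ptr, raw_size), ...]).
    AddressOfEntryPoint sits at +16 of the optional header in both PE32 and PE32+."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    first_sec = opt + opt_size
    sections = []
    for i in range(num_sections):
        off = first_sec + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, va, vsize, raw_ptr, raw_size))
    return entry_rva, sections


def section_for_rva(sections, rva):
    """Name of the section whose virtual range holds rva, or None (the entrypoint anomaly)."""
    for name, va, vsize, _raw_ptr, _raw_size in sections:
        if va <= rva < va + vsize:
            return name
    return None


def analyse(pe: bytes, entropy_threshold: float = 7.0):
    """Per-section entropy plus entrypoint containment; returns (entry_rva, sections, findings)."""
    entry_rva, sections = parse_sections(pe)
    findings = []
    for name, va, vsize, raw_ptr, raw_size in sections:
        ent = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
        if ent >= entropy_threshold:
            findings.append(f"section {name} at RVA 0x{va:x}: entropy {ent:.2f}, likely compressed or encrypted")
    if section_for_rva(sections, entry_rva) is None:
        findings.append(f"entrypoint RVA 0x{entry_rva:x} lies outside every section")
    return entry_rva, sections, findings


def build_toy_pe(entry_rva: int, text: bytes, rsrc: bytes) -> bytes:
    """Constructed two-section PE32 skeleton (.text at 0x1000, .rsrc at 0x2000) for exercising the
    parser. It is not a real or runnable binary; ImageBase 0x400000 mirrors the 0x408xxx IAT above."""
    falign, hdr_size = 0x200, 0x200

    def pad(b: bytes, n: int) -> bytes:
        return b + b"\0" * (-len(b) % n)

    text_raw, rsrc_raw = pad(text, falign), pad(rsrc, falign)
    secs = [  # (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData, Characteristics)
        (b".text", 0x1000, len(text), hdr_size, len(text_raw), 0x60000020),
        (b".rsrc", 0x2000, len(rsrc), hdr_size + len(text_raw), len(rsrc_raw), 0x40000040),
    ]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x0102)  # i386, 224-byte opt header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                    # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                               # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                                # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, falign)                         # Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, hdr_size)                       # SizeOfImage, SizeOfHeaders
    sec_hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                        for n, va, vs, rp, rs, ch in secs)
    return pad(bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_hdrs, hdr_size) + text_raw + rsrc_raw


if __name__ == "__main__":
    # Low-entropy code, maximum-entropy resource, entrypoint inside .text: only the entropy finding.
    _, _, findings = analyse(build_toy_pe(0x1000, b"\x90" * 100, bytes(range(256)) * 4))
    print("\n".join(findings))
    # Same image but an entrypoint RVA no section covers: reproduces the anomaly above.
    _, _, findings = analyse(build_toy_pe(0x5000, b"\x90" * 100, b"\x00" * 16))
    print("\n".join(findings))
```

To apply it to a real file, replace build_toy_pe with open(path, "rb").read(); the entropy of the report's .rsrc (7.24 over 0x1c800 raw bytes) would then be reproduced from the same Shannon formula.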

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Windows\System32\kernel.appcore.dll
\Device\CNG
\??\MountPointManager
C:\Users\Packager\AppData\Local\Temp\
C:\Users\Packager\AppData\Local\Temp
C:\Users\Packager\AppData\Local\Temp\nsl422D.tmp
C:\Users\Packager\AppData\Local\Temp\CommandPromptPortabl.exe
C:\Users\Packager\AppData\Local\Temp\nsv42BA.tmp
C:\Users\Packager\AppData\Local\Temp\nsq4338.tmp
C:\Users
C:\Users\Packager
C:\Users\Packager\AppData
C:\Users\Packager\AppData\Local
C:\Users\Packager\AppData\Local\Temp\nsq4338.tmp\LangDLL.dll
C:\Users\Packager\AppData\Local\Temp\CommandPromptPortabl.exe.Local\
C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984
C:\Windows\System32\UXTHEME.dll.Config
C:\Windows\System32\uxtheme.dll
C:\Windows\System32\textinputframework.dll
C:\Windows\System32\CoreUIComponents.dll
C:\Windows\System32\CoreMessaging.dll
C:\Windows\System32\WinTypes.dll
C:\Windows\SystemResources\USER32.dll.mun
C:\Windows\Fonts\staticcache.dat
C:\Windows\System32\TextShaping.dll
C:\Users\Packager\PortableApps\*.*
C:\Users\Packager\AppData\Local\Temp\nsq4338.tmp\System.dll
C:\PortableApps
C:\Windows\System32\en-US\USER32.dll.mui
C:\Users\Packager\AppData\Local\Temp\nsq4338.tmp\modern-header.bmp
C:\Users\Packager\AppData\Local\Temp\nsq4338.tmp\modern-wizard.bmp
C:\Users\Packager\AppData\Local\Temp\nsq4338.tmp\nsDialogs.dll
C:\Windows\System32\shell32.dll
C:\Windows\System32\imageres.dll
C:\Windows\SystemResources\imageres.dll.mun
C:\Users\Packager\AppData\Local\Temp\nsv42BA.tmp
C:\Users\Packager\AppData\Local\Temp\nsq4338.tmp\LangDLL.dll
C:\Users\Packager\AppData\Local\Temp\nsq4338.tmp\System.dll
C:\Users\Packager\AppData\Local\Temp\nsq4338.tmp\modern-header.bmp
C:\Users\Packager\AppData\Local\Temp\nsq4338.tmp\modern-wizard.bmp
C:\Users\Packager\AppData\Local\Temp\nsq4338.tmp\nsDialogs.dll
C:\Users\Packager\AppData\Local\Temp\nsl422D.tmp
C:\Users\Packager\AppData\Local\Temp\nsq4338.tmp
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_CURRENT_USER
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\Generation
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\CommandPromptPortabl.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\AppCompatClassName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\IsVailContainer
HKEY_LOCAL_MACHINE\Software\Microsoft\Input
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\ResyncResetTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\MaxResyncAttempts
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Shell Dlg 2
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StateSeparation\RedirectionMap\Keys
HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\OverlayPackages\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Shell Dlg
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software
HKEY_LOCAL_MACHINE\Software
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\AutoSuggest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Always Use Tab
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Client\
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Client\(Default)
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\Generation
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\IsVailContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\ResyncResetTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\MaxResyncAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\AutoSuggest
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Always Use Tab
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Client\(Default)
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
Local\SM0:4164:168:WilStaging_02
Local\MSCTF.Asm.MutexDefault3
CicLoadWinStaWinSta0
Local\MSCTF.CtfMonitorInstMutexDefault3
DefaultTabtip-MainUI
Local\SM0:4164:64:WilError_03
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.