Analysis
| Category | Package | Started | Completed | Duration | Options | Log(s) |
|---|---|---|---|---|---|---|
| FILE | exe | 2025-06-11 09:28:47 | 2025-06-11 09:46:45 | 1078 seconds | Show Options | Show Analysis Log |
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1
2024-11-25 13:37:15,256 [root] INFO: Date set to: 20250611T07:23:22, timeout set to: 1000 2025-06-11 08:23:22,824 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8 2025-06-11 08:23:22,824 [root] DEBUG: Storing results at: C:\uyHCokWh 2025-06-11 08:23:22,824 [root] DEBUG: Pipe server name: \\.\PIPE\IpEgLKC 2025-06-11 08:23:22,824 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32 2025-06-11 08:23:22,824 [root] INFO: analysis running as an admin 2025-06-11 08:23:22,824 [root] INFO: analysis package specified: "exe" 2025-06-11 08:23:22,824 [root] DEBUG: importing analysis package module: "modules.packages.exe"... 2025-06-11 08:23:23,183 [root] DEBUG: imported analysis package "exe" 2025-06-11 08:23:23,183 [root] DEBUG: initializing analysis package "exe"... 2025-06-11 08:23:23,183 [lib.common.common] INFO: wrapping 2025-06-11 08:23:23,183 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation 2025-06-11 08:23:23,183 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\PaulStretchPortable_.exe 2025-06-11 08:23:23,183 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option 2025-06-11 08:23:23,183 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option 2025-06-11 08:23:23,183 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option 2025-06-11 08:23:23,183 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option 2025-06-11 08:23:23,433 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser" 2025-06-11 08:23:23,480 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig" 2025-06-11 08:23:23,527 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise" 2025-06-11 08:23:23,527 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human" 2025-06-11 08:23:23,543 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops' 2025-06-11 08:23:23,543 [lib.api.screenshot] ERROR: No module named 'PIL' 2025-06-11 08:23:23,543 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots" 2025-06-11 08:23:23,558 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump" 2025-06-11 08:23:23,558 [root] DEBUG: Initialized auxiliary module "Browser" 2025-06-11 08:23:23,558 [root] DEBUG: attempting to configure 'Browser' from data 2025-06-11 08:23:23,558 [root] DEBUG: module Browser does not support data configuration, ignoring 2025-06-11 08:23:23,558 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"... 2025-06-11 08:23:23,558 [root] DEBUG: Started auxiliary module modules.auxiliary.browser 2025-06-11 08:23:23,558 [root] DEBUG: Initialized auxiliary module "DigiSig" 2025-06-11 08:23:23,558 [root] DEBUG: attempting to configure 'DigiSig' from data 2025-06-11 08:23:23,558 [root] DEBUG: module DigiSig does not support data configuration, ignoring 2025-06-11 08:23:23,558 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"... 2025-06-11 08:23:23,558 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature 2025-06-11 08:23:45,965 [modules.auxiliary.digisig] DEBUG: File has a valid signature 2025-06-11 08:23:45,965 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json 2025-06-11 08:23:45,980 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig 2025-06-11 08:23:45,980 [root] DEBUG: Initialized auxiliary module "Disguise" 2025-06-11 08:23:45,980 [root] DEBUG: attempting to configure 'Disguise' from data 2025-06-11 08:23:45,980 [root] DEBUG: module Disguise does not support data configuration, ignoring 2025-06-11 08:23:45,980 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"... 2025-06-11 08:23:45,980 [modules.auxiliary.disguise] INFO: Disguising GUID to 88063f41-cb09-49fe-8433-82e8a31757b9 2025-06-11 08:23:45,980 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise 2025-06-11 08:23:45,980 [root] DEBUG: Initialized auxiliary module "Human" 2025-06-11 08:23:45,980 [root] DEBUG: attempting to configure 'Human' from data 2025-06-11 08:23:45,980 [root] DEBUG: module Human does not support data configuration, ignoring 2025-06-11 08:23:45,980 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"... 2025-06-11 08:23:45,980 [root] DEBUG: Started auxiliary module modules.auxiliary.human 2025-06-11 08:23:45,980 [root] DEBUG: Initialized auxiliary module "Screenshots" 2025-06-11 08:23:45,980 [root] DEBUG: attempting to configure 'Screenshots' from data 2025-06-11 08:23:45,980 [root] DEBUG: module Screenshots does not support data configuration, ignoring 2025-06-11 08:23:45,980 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"... 2025-06-11 08:23:45,980 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled 2025-06-11 08:23:45,980 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots 2025-06-11 08:23:45,980 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets" 2025-06-11 08:23:45,980 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data 2025-06-11 08:23:45,980 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring 2025-06-11 08:23:45,980 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"... 2025-06-11 08:23:45,980 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696 2025-06-11 08:23:46,011 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini 2025-06-11 08:23:46,011 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor 2025-06-11 08:23:46,011 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor 2025-06-11 08:23:46,011 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor 2025-06-11 08:23:46,011 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor 2025-06-11 08:23:46,011 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor 2025-06-11 08:23:46,011 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor 2025-06-11 08:23:46,011 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\pQxbIz.dll, loader C:\tmp_gell1p8\bin\EPCPTrhb.exe 2025-06-11 08:23:46,058 [root] DEBUG: Loader: IAT patching disabled. 2025-06-11 08:23:46,058 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\pQxbIz.dll. 2025-06-11 08:23:46,074 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'. 2025-06-11 08:23:46,074 [root] INFO: Disabling sleep skipping. 2025-06-11 08:23:46,074 [root] DEBUG: 696: Full process memory dumps enabled. 2025-06-11 08:23:46,074 [root] DEBUG: 696: Import reconstruction of process dumps enabled. 2025-06-11 08:23:46,074 [root] DEBUG: 696: Active unpacking of payloads enabled 2025-06-11 08:23:46,074 [root] DEBUG: 696: CAPE debug - unrecognised key norefer. 2025-06-11 08:23:46,074 [root] DEBUG: 696: TLS secret dump mode enabled. 2025-06-11 08:23:46,074 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542 2025-06-11 08:23:46,089 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable 2025-06-11 08:23:46,089 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0 2025-06-11 08:23:46,089 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF822E30000, thread 1564, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000 2025-06-11 08:23:46,089 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe 2025-06-11 08:23:46,105 [root] DEBUG: 696: Hooked 5 out of 5 functions 2025-06-11 08:23:46,105 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread. 2025-06-11 08:23:46,105 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\pQxbIz.dll. 2025-06-11 08:23:46,105 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe> 2025-06-11 08: <truncated>
Machine
| Name | Label | Manager | Started On | Shutdown On | Route |
|---|---|---|---|---|---|
| win10-2 | win10-2 | KVM | 2025-06-11 09:28:47 | 2025-06-11 09:46:24 | none |
File Details
| File Name |
PaulStretchPortable_.exe
|
|---|---|
| File Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| File Size | 887816 bytes |
| MD5 | 2c57a93a1c6d7d7377500b8d15edc803 |
| SHA1 | 664e6b5b09f170fd80a760c11eb0a1e7320fefac |
| SHA256 | dc70e4001b3995f60d4e4d7ad5ecec534159673b1886ae79c2445374ad74811b [VT] [MWDB] [Bazaar] |
| SHA3-384 | b2dfdaf32355067a6ab0a1d9ad09be528818f09a3c6e02b2f143c6ce5c2d900a6d5b7461f2d59ab88bb0c66ecb84562c |
| CRC32 | 7DF9E2FE |
| TLSH | T105152305DEB4D0BAE2B30DF1A4722767AA74FE200970861B5311FEAE7D71999C904F93 |
| Ssdeep | 12288:PENr5nOE4wrMId9B71Q3HSLSMuvxn0z18CZyeDciWWT6QHQ1ZWMteZNZ63Prntcx:PI9DIIdH71Q32JJ8cDlQZ8J6xiVx |
| PE | File Strings BinGraph Vba2Graph VirusTotal |
gV"u>
Lv^::R
*t=TR
x[M)+
@.data
Rare Ideas, LLC1
kxb@7
1!"5wD
SelectObject
>^c]3
!|!w;;
Thawte Certification1
IsDlgButtonChecked
Wy"g(
jLYiIn
-nZG&
/.Ka6
AgXLz
3.0.15
4WD4S
lkAX4i
l*G!l
G<U}Z
4$O,M
7'M=F
5VqXZ
m>ga2
,@3gk
Iqn|rhe$n
YtP)\
F< U(
;jKoo0
gphB#
<\o-P
/b6oV
D{{9~
y-*ZD
m[aYW;dr9
9 KEC
N=,dTx<
3V_{)
p_b6(
SUVWj 3
v}H*Z
3\L#pV
.0UR&
4@o7A
mMn`tF
2bc\=
.8q+KF
%#RB%
d(*}Hh
AavdH
\+&|b
:R=$h
nQleg
bIxo>
E-($tj
Wk(P
!U}#G
Ix'hB@
4%'A,;
d']BgA
- %=IV
Yj(;g
5"DX_5
&q~)1
\wr\O
`(#17
/^P0j
[0RN:iV{&{uj
CreateWindowExW
)No#{j
FYP:v
WritePrivateProfileStringW
~3hLh
#Obx|
EndDialog
*sZ&-0
mO5D#
mj-Sc
SetCursor
RegSetValueExW
ZL$&a
7#1V.
GLSAkH
B5^a\
RL[pKc
7L#i:F
*,Va37o
`l{jz'
Version
_`K/o
5(>]&25
~',ik
AwQo:
0!e3#
8'lOf
P+%-fBD
?>7IW
.3<kh{
Ep4fB
7W.7zkP
-,O<k
GetTTFNameString
(W`HEg1
@K"o>
CreateBrushIndirect
t\!w2
IW'gh
I8hc-y
<e.t`
3&W.Z
,.bg.
=[&pQj[
New York1
xe3J\Lr
7AHY)
9"mbN
VBQ+~
NC&jg
Og:}(
Da5V} #
57h54
Z>Wi(
gi-zL
*]n}#<
A,qV}b
B-o@mm=
D#uL(
^KALkq(?
F_<Ip
icU34:s
d]+u3
T?@$e
/>~0"$
aq4j"K`
FdV,0
q`g/@D
UDAAU2
B&f*pZ}
f-*!z
k&t=L
+>-O%B
p='C%
Error registering DLL: Could not initialize OLE
OL$(tQOO
LoadLibraryExW
File: error, user abort
PhNF}
=0=f=w=
vg{%&
LoCST
:7?o
<b@=M`|R
c%"bb
2lGL/
|;0.?
R,@]slW~
aEDCq
#cRB?4
0R1;.(]A
puz+X
ax!Y\1
$03C5
EGAR$
P eza
100091
QQ[BMu6
%OzUh
-nZ[$
h2(bS
D$4+D$,P
,X?i0
|r*|1
^`)u_
jPOPLXmjVKKWMEA'n
d|~O%
O(8u<M]
nfBF`
Vyh:dfS
1l+2>
%i<I<
42NfX
4_8kxu
SysListView32
MroT>
(fN1)
|@pFq
G@aIs
Qoc:9hb
}^k[v
3x!895
|,;:"
$R<ts
4T!dbW0
X?2/Ysj
WCk@@
UF[AG
gk5>JI/
D*I{x
+P7ag
Q_kRQ4
F;#=4c
?<WipF
1#101>1J1P1U1[1f1l1
F6]`:
VQ`WVHd
4<@>O
'.rgS
Gr1D>
n?n%d
%(Nz"
4tYMNCig
T<CJ-
9Klwgi
invalid registry key
%u.%u%s%s
"mK%h
r:4w:
X@eqC
LoadLibraryW
=seYn
(-wE]
{X7.C/
/Gz!KX
]2](L
\tLvX
Mjdtr4
rAVuZ@
Oa*pO
6L3kZ
U[V\E
m#d$m
4E+XL~d
USPK.
?9t/<
&gXt9=
'wz(v]U
OCqhh
I|gW*
\mDCU[
T0/~Aw
fJ"HL
,kK$%
:2NL1
o4MFpKo5
dql[GtP
mU{#A
?;A>#
#<t?h
:JuN:p
RgQi/i
verifying installer: %d%%
[ye5
2(aX;
,?oa=n
'X+(^
9*p5f
;n7#5
<]+Nf`
Q3uIk
PdsA^90
FillRect
?ouv@
%PC|J
+^04"
nF~'J
BM.2{
4#464G4g4~4
oWDWh
cmm]gav
0REo]
?.b1E
(02ST
=7X*}
|S(^'8
unpacking data: %d%%
(kZ_-
H%Zf$
{1f^d
Ugu1F^
v$YVbl
kss8^
j@;>2
{sacU
FCx`>
m\X(D!
1=5^1m
r*3c0
i`-y'
Dh~d=
@1WtV`.
9306:
Buclj
Jw7|]
6.646B6H6Q6d6
\5/z(
U4D;?Nh
LoadLibraryA
]8mnu
d-e.8
^Gf.b-
J1DD"
]0 ]3
q?Kun&
rC_n%
r$A2q
yq|H=
C'%63
SetFileAttributes failed.
"Q|M'
QMYVi|B
G]hoA
B,=Pr
fVm9jI
H)Kfz
=bi*^
323V3j3
V,bmT
WezZk
"PviQ
WGqCV
A0##&&
U/,N?
DPL;X
BVc?U`
nk$'5;x
I/Dva
@/Q+7s
._3qh
SHFileOperationW
N(*xv
%CJ@ak
7OhWh
iZC|(
)TbRP
s%KB-J
7-1`^
eu=~m02
MoveFileExW
-QGSi
+http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
:GuH79
a%@=@
zCR_4bF
<61W:=l
xb)IL
.&KP8
qkLtF
?NxO#
s3,G\
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
),8L-&
+X^)B^
9v3I4
(h$*?
Ovz@r
vR*yw
l!`S`
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
0GtKt
A{.)K
r)o[`
K\k@C
^$Xoer
+F"p,
m(m`~
;EyNS
WGvTD
=](tx
9og|{
d= :2{
%(Q3{
X)Sl/
E.=:q
[d|L^/
ais#r
o\|KZ
? ?K?
yY}+Dl
YM8]5(L-
cut-}
pD?>A="
HKEY_PERFORMANCE_DATA
BgLV|d
`\CS:/
SXjs{
WriteRegStr: "%s\%s" "%s"="%s"
I;6t;
G02[;
IQ<nD
t$(WW
6'"cM
ysrt<
2"Mi{
|?H2:
C^"Tb+
2k5`w,
V5v.)
#>bZ#
IhF@5
cz;XA{r
4A52[
-b3SJ
n |viA
;L;V;b;w;|;
iwZQx
I*VBS
c d,'
SO!sa
sN.h+
z1yP8#
CoCreateInstance
ZGSK;
%s=%s
GetCommandLineW
SmB7G
J'R18X
7\IE,)
Rename: %s
'!;"00
>2W)J
a j[I
k4s}J6
t[q~bq@
+aSW;
kqz$ah
auwo1!
s<MsZf/
B|v6!
\bvv]zz`
ItxD~^a
WOv!XX
t$,VW
GetFileAttributesW
\Temp
pb#gW
$#Q)s
pGW2J
IL eJ
x$.lyo
;Oc"A.FzZ
Z#{\~
x)CQA
oj#[:
=!5eX?!G
4%444@4I4X4
licOn
.d\]t
Ed+EL;E
CompareFileTime
iHY<y,
]DF]a
{1x^"
RMMRIB6
@AY$U
Z]#bh`
=>yP}
Rename on reboot: %s
Er>X-vNH'
#g@Zz*u
fUwsJ
%)hoD'm
<RdI>
0(Wlr
f<><x
go+:jD
V9KD4
dmi"&:z
.Gs=`
cM{4Q
&JA?R
fX&uj
ei2@H4M
F&qF5
http://ocsp.usertrust.com0
%02x%c
1Nb\G
mk3Az
cL(/y
@CI2n
kqd@i
RMDir: RemoveDirectory failed("%s")
ci(t\?"
?#?F?Y?n?z?
=TmnP
DispatchMessageW
_7OD>
1!1*1
UxfQU,
[ICDL
gm uB
(e!s7V
1N8jeM[
aL79:;
YWV9]
jf(fh
&gw%wA
%tuTe`
p:&<)7s
4!hBJ
5WT%7f
%X!zy
CreatePopupMenu
WriteRegBin: "%s\%s" "%s"="%s"
5ie#/
!SYZ{aE
FileDescription
dV\z<A
D|%'=
.by!}B)j
RYG6X
t58;g
TimeStamp-2048-20
Ex{e!
SKM,nYF
Hw#fw%
bpR)I
x{Z&Jv
L8`JW
)0@] &<
0FHfK
`5XYe
/">9_
hT(/H
^wO$!%
fL]GQ
R$rQ-
D<zu
U>~/-%
o71-/x:7h+_
;i2#W2
>1iT=TkD~
j'_FtYDk
?$a::\
m6~gi
U2ReWG
H ?i.
x]r&u
Kbb-q
BeginPaint
s ,"!)~
PWSVh@
r7nc@
+m4TAt
r#D.?
%a`kO
)ly>S
t(_YL
mGe1!
e|k]`m
R#_|`
qHlC`
3l`Bl
+83}%
P8Olmy
Q<fms
}.9f@
aXY,Q+
>PuyZ|:
Z+meK
TJ/J8J
7MEfI
kbv<@
"nx[5
S|C;M5Z
VHX&K
f:{6M!
{"$N:U
%*x;9#
PPDby74
HKEY_DYN_DATA
;zZM\s
\<)A%l<
_'P*u-h6
3NcQ*Va?x
#`c={
lstrcpyA
yMe'D>
j4~Z]
J?L,K
C7abJP
g4-<FE
`a~9%e
SetWindowLongW
&9\r%FM
b zr
logging set to %d
AdjustTokenPrivileges
)8+\"D;
*u{tK
iePg!
!8by.
q5$]$
1ZN3c
Mo'<6
?djJA
GetFileVersionInfoSizeW
UTN-USERFirst-Object0
k ECk
"M"t3;
X6Dg=SWzw
OXY,f4p
#^O\r
.mZ0"
MG>BJI]
^,%3X
W)8qa
j/HzS6
O2S(5
_E*x8*
$Ty4SD8
Section: "%s"
*?|<>/":
{B(avnC{3<
;0907
[+|;w
5Z]-K
${)*p
IBO>;
3'B}&
2|B]/
@(UmrU
5!UTX
1&F:|dD
60wbH
0p"[W5
rd6={1
pq$Vu
zD~Mz
QQEo`
j<D:b
Ed`!z
874]O
ho;Dg
z-{}+
Q1D6/
B!<@p
wnfVG
Aborting: "%s"
d&".d
w9~H6
olw'z
ZmhAe
9!B`Q
.8WS#
MI XUq
gx7+JG0
6j";_
MQt|<
GetSysColor
5XAP|
CharPrevW
;+<P<w<
m;Von&j
K%1|M
2EqE09
vek o
j1P3hu
DuN;]k
Greater Manchester1
/h+2.
]N(&\
@zf3^c
JL5]B
OmmtL
O7dFo
=\i{;6
8,888J8e8y8
!{%af
oGYDT-
pXp7.9
xC#*/
9=R}D4C
I`\$*
R'hoA
ia!NM
Pqq]^
XR^%
STp_"
["A$m
^+qf#
1Y2DL
yKwg9k
r.=pC
<SGm8
VSM-vk
2g+0S
#`n U
WriteReg: error creating key "%s\%s"
biqwx
C*UM5
p!dJS
M1rj&
`cgnNv\L2
G~fqs
dqo-=M
cj-G}4+
Rd<P[
?*(\_
LRe,|
kf>2q<}
@'7_g
>a;dn
dGO$*"
horKt=2
19 AG
?u iz
, '-c&
3dP62
FDaW4
5)+2b
x;rR2H"l
}M5Qhh
,LC$g
Ia0dx
89r$D
D/!w@
eNeKL
u'ukl
wyT*K1
=QX(Om
nnq+K
[gLxR
6P3CR
IfFileExists: file "%s" exists, jumping %d
BBL#%9
)73FrKk
I',CQ
-CMRZ
GGg]OQ{
}Hkt-
Salt Lake City1
{>r^M
<8Xw[Z
IytHh
{AdE_^J
1`wcl
La:gH
3gf/@
tcsgx?
n")$
C`[MD
a$2f3Su
JlJ3A
Ez@:r`
j<&t,
!B&Ah
Western Cape1
,pZU}o
oo90%
}7jl,
TnkG]
_CKe;
aGdEH
)H"D<
N.QpX
AYQt3
GetModuleHandleA
k.;nM
RMDir: "%s"
/J+Eb<
.Vu?O
MQhOD/
W@p@r
t*oCPJ
{ZbOZ
SetFileAttributesW
xZ^{*
xw[-#
~DX_}
SetDlgItemTextW
K@vFY
)tYV4M
ylyT
f}z,Y
^9NG
8it}o
gf}V|S
bd-MG
-)Uh)Ul3
^__mZ
Ic]JPr}w
GetModuleHandleW
~@EJ9a
?DP32
s-7SO
d1{FJm
MqydS
I5wd<
8oK40
OpB9H
{\6wD
HJIlQ$
R\PhE
https://secure.comodo.net/CPS0A
k20u5M
Rf\Hg
:Zi})2JMC
veh(z
v`V5m
XgWOm,
Sv 1aG
3SXQP
\TdVD
o"l{Kp"'
.rsrc
Db-6f
tC3{-
'Symantec Time Stamping Services CA - G20
QG`Iu
6t%4b
8A(mk[
"'f/EH
<3<S<X<c<k<w<~<
> 44E
z|KH(
b"HPi
:kq~+
#6!Wa
=<IB>
l.9SA
y;YDu
}i@l
1i}x}
E+YU3b
]*ni(
Q'\='
@9}9;qy
O3g0>{
WKTG_
stG~6
,B*Jv.
E?L&;
8'> +
!?2 I3D
pA&}$
+Piji
OriginalFilename
5On6C
z ~}S
BNW^XM5
mr;}(v
a/4gL
*:/$J
p?5+U-sD
4A_d#c
U`R=#
kki?=
x3Gt?
UH8Fg
h'hDm
.whRF
$1iLJ
oHZ1?)
x)?`vMcw
i3q#qF
MqT~x^^c
g&V=v^
:(:.:@:F:L:R:Y:_:g:r:x:
0B>i#R
!3*w;{
z5IeE
dOA:7
QHSS}
A.q'8
EeTj]
3!L>,
4(515
p\cOdK!1
nCOJlx_
yO(wY
3($HF*
:%'(\
$S@Ok
+8z=V%
IDBD $DQ47
H'^gI\
%k.0w
V5x!4R
@pc!<
^PSk(
f%g3`ZkS]
$OdVm
$ma^bUj
h>tv/
2Gqaf
GetFullPathNameW
*MZW6M
/fs]Q
QG{zJ+
rx,nUl
4j<&3
.c1kf
l9W^E
iWsC=
A(R<m4k9
EnableWindow
0]:UXeU
.eED!
"M5=T
b=U>>7!z
p.aQB
co9[3/e
n(K%,!L
e7M^E{
he9DW
qO3'rD?
cb?CNl'3
;]F<`
<uIC*<
[rSi)
^vYNN
Pop: stack empty
AK~< "
;:ihd
!U<3t
}T*Z`
q^p`w
CloseHandle
oQ2vL
L6w1/@
D"QA2
!;p,M
kJm{F
}$?-IiZ
@.reloc
!:5<~35\
K&(u<
^ef~C
?lrz70
Oq7NM
/o(?1
"iqE/
i'7N7
FB1gm
%1Kg{%%\&<>
qJ2X
$^gm~
5"5/5
gNo<\
Z}TQi
]i`V=
d*2-z\F
'vPG6
a0^$Ta
,EWN1c/n
C}6R0
1Y_%?
@9xBd
RegEnumValueW
w^}CB>
O"ool/
EbUdL
SeShutdownPrivilege
6r:2L0&
,Oo<F-
%^[gk
&f3qa
sazM)t
e>4'a
,m.{~
<:;t54]
r$$fP7
D`?^h
_Vbj8
^n|)N
\]dw&B
3-3:3G3T3a3n3y3
!;pW<
zuD.b
h zqjRt8U v@\P=
p1>p{{
g#l|C
g+Vo3g
*[UFj
y.Q&:
P68,=
y&*B7
)|xFr
{gIU9
^Uw"f\P
\j"N9
CB>F^
`zqW\-
NSIS Error
TU]USQY
".cZS
CharNextW
Cn%Vuh
whR1JU
=f7\c
lg9o%
141115183952Z0#
Op.dk
Afmh(#
9E9V9
&0$0"
f0d0<
]OL/x
CreateDirectory: can't create "%s" - a file already exists
eoJAck
The USERTRUST Network1!0
\&Elc
}>G$e*/I!
#(fN&;
J,hIN7
S5Ssu
oDItd
4JXe4|e
,ftqW
@&sey
Tx/(e
#.-Lg
nH%X"$
j}wE)H
EKAtL
{rt!J
YZG@B
4#4*484C4O4f4m4x4
O;<}k
.text
Tn3SO
TlAhZ
lstrcpynW
-}i*N
'un9f
zqrf!R
L1Q9MC
bi`=8
{yaj{
YE'^.
vXNRG]
k@}Qa{w(
9{Ezm
=!THLx
P{nlmP
V86Cf
DeleteRegValue: "%s\%s" "%s"
[qSd{[
T*zn8
l)2D
CreateDirectory: can't create "%s" (err=%d)
fOI_<
"N4S2
zNWnf
=V1R2
SetWindowPos
PjkM[\
*\4#z~
=@u`p(
|*TCO
RichEdit20A
3^?A@V
=cc}D
3uL@\
s7N1\[
ls,9'
JM?AH
G'0{H
GetDlgItemTextW
s!Jff+'
aYNde^RgHB6
0^ty3
eIdyJ
2.2.2.2
|\9x*
>"hcS
E9n1^)}U
<=fNo
0Piv0
#.un-j
|7]=A4Y
V]k?'
*KS`+
YqE6j
/e@+k2
Mq7q#O
f%e5R
LRoN h
d&Z1!
K6@s/
s?G@!Z
9XJSj
*BX y9Q
V&;fD
oH<|j,
$tE=:
iD?Eu
>E~~3
l.+qQ
a#*"t(/
l@iGmJ_
0[Z;$J
xfA#p
5&5,5b5k5p5v5
M0Ao@
jvmlL
OTvAh
-48 |bT
+0m{z
!pqZ'd
Thawte Timestamping CA0
}j9&F
t<rP/|
^j\PN
WriteReg: error writing into "%s\%s" "%s"
m+Bgh
M-iOO
i@&N\
jUpBw
:q<nl
)-3B^
v'f"D
b1V`]
4a?TyT
u(U(x;
:0806
&W~bc
Wy\Ik
VERSION.dll
sJ4S.
m0\'x
J yh>-O
%^<fZ
n#i?$
=<!=kAe]
lstrcmpA
P}9\YuR4yd
s}J77
)VxUJ5
\'iob
8Re2g
e&hr<o
ZigC(
/eFW%^#
0%60Q
+Symantec Time Stamping Services Signer - G40
2yd8+r<OIJ
created uninstaller: %d, "%s"
bHs7(`
Ja;*Z
_9,`h/n
Ro4)dL
D?<JSRj
<:sgv
(*^cCCk
'$XZI
COMCTL32.dll
rjhduB
;!;';-;N;W;n;
;&mx'
"k{%!
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
v0MU<
niM48KWREBm
'35bd_~
AFIKP
PortableApps.comInstallerVersion
U@gAJ
:MR>V
+>@U9
c0}yNW8x
L"oT&,
oZvoy
MessageBoxIndirectW
?:.O[TH
MXOd%u2
Z52DiT
Hk#Fzp
(j-7p
AwhO,m
]3\L4
vna6J]
R]-$q
e+aIw
C5)6+V
n-+qB
u_`B1
Rq-0#dV[A4fh
.nuf"g
_hTW7
pB2<F
nDML(
">jtE|
?s!jShaY
h{z$s!{
=>S:;xtd
?p~lp
^h)@k
b^vr+p
|_`L&
95MR[!B}
I2&L1
BUS,-
Thawte1
YN.[4
I_x??
}MY5v
More information at:
TAb*}
_S=2z
+|tW})
o46eP/
RemoveDirectoryW
Ep{'_
$ 6@`
C=+YX
Ui6ZX
DeleteObject
T+(#L
'*nrm
pe>[Z
q}=j,i\
JmPvi
/:("S2
0 0$0(0,0`0d0h0l0p0t0x0|0
i]$(*
dY3"R
[ahb7
EmptyClipboard
dMCf&
P)K)~C
6j;4F#
kLH9G
o1s"{
tT1DwGgP
Abi7r$(Mr/
lhwOV
=*=9=C=M=
p/_SzC]+"
m?*ox
zzOY^
iAdBx
MgbIaDRz:B
=QRj(
DAQf8
,V}l0
aGa!$
<^;/VXf
RegDeleteValueW
<`VCL
:Q\I4@
WKP+x
,:Hn{
J{W.]
.h;}Q
:-;[;c;l;
}.FkgCG
YHM2m
GQ|=a
T^x*T$
MN{]@>i
qU%#!
tGggn@z:
+M<@$XY:F
P<jU4
:p:::
H;{UiB:
RG !/E
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46.5-Unicode</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
wQ!1q
abbab]\
R<@jy
&Q}6]
\kI Hs
9zMQC
^{tDs
6>6J6[6z6
E~PIp
;k'c~
,4@n?aC
|;Cf`r
ti9%)
>cQ2f
\UTMM
=>Y;$
T8rp
LuTqw
((]sc-
RegEnumKeyW
wU&?$U
qM,Ru
b#0lV
$a-pPc!
i1Q'pXb
vQ|NN
GetWindowRect
1@m={=
JMAD.
r|9Ob
4"4(4-42484I4]4c4i4o4w4~4
=/qmbv
i-$jk
$>IF$
t)iPo
617AK]P
:P)[J
+O=AC
Symantec Corporation100.
Kq>:1
<A6VrSI
F/R`)
,N<<2B
S5#93
EndPaint
Pgv>a
zXIicM
1H#XL.
BX8{0=UwK
IsWindow
PG-R<28r
80604
Error registering DLL: Could not load %s
(I(TQ
,/KPip
f\-@T
uA:cl
Hqqft
@R&n`
z)3D9
b\CM\
Bhqeh
Wp$N}<
R=*yl
`KVYC
f{2rt
Z$5RG_qQX6
|Uodz,
[lM*G
Jaoyf
GOi^m,
m6/<EG
A%r-]
C[[>g
XT?N
-*[5*
ocGX@
Rl2Pz
GetModuleBaseNameW
^g6XZ|
AQn^BM
Y#f9U
DvRpa
SetClipboardData
73TJo
)) $%W
/Fcx)
j'c9w*Y
XW\&Y5
PO Box 2271
Symantec Corporation1402
7d9lo
Cyt9.
6 S<p
[S,.Y
[%/LG@
Aq9wb
@Ys:;
HX}uv
1rp#3z
z#*I|Z
'_VUt"
:B)qy
T($r2
j [f;
#/aMk
qp|7)
)F9:`
hf/,!
/(bq9
5[>_>c>g>k>o>s>w>{>
J#=H(
FL{3(
Hyob5
IsWindowVisible
\,%YQ
&,-?v
jrih:
cHv#)s
2007-2014 PortableApps.com, PortableApps.com Installer 3.0.15.0
=p`jR
q&6*@
[pZ8#
nYU(!
CreateDirectoryW
#$@fE
j}QBC
&%3crd)
T5GmZN*
bi3r5
&;DKO
.http://crl.thawte.com/ThawteTimestampingCA.crl0
Z~H9=
8>t`NP
[j0Xjxf
s.klr
A7@8c
(%mmj
)t2L
KT94H
p]0ob
UqMMY?
Bm2VV`
dc5l9
Inf\Q
U>b4=D
#~gO[
@Gk3o#
m'QQhF
@jnfi[
O[CbW
GHpKf
oEXq]g
|NT`4
:;#MP
^} Q6
mljh{
6.6T6c6
80858A8i8n8x8
Q~v?=
chC) a(
j@VQFO
a;P <
dEv[]v
&Gz#5t
z)H8ow
"$u:
f]{s{
S{GXT"
CdE=^P
C&X$c
P:4Ft
ehY7HD
W"oms
=z6n4
Yi0V_Nk
r>\3?
TtrT"\
:}q,y
x)m5zp
IAk$e
,/+B#
c=#&k>
140219000000Z
kC6G[L
W_oI8J
-njA@
jvGPE
yQMN_
YjNtC9
E&`^v
9VFJs~
3J{v`
67#E9r
P8t;,
LegalCopyright
g4AZ
;4]Yu
8dcS?
YAHRqE
8$_^\
Q>[S_
SendMessageTimeoutW
CallWindowProcW
zV$fiya
Ne"G1
Exch: stack < %d elements
P<)ekM5w
zTt{#
e WENl
;ymhf
ePp<%
e5@B},
k{ztZ-_rP
i*-\k
:a)b\
8DHL`
SetCurrentDirectoryW
+biQhw
?k2=`u
DW{e8u
}",38
Nu#>5e
"vhWN
&_-{8m
\xebz
2bJ%=5
6h5s}y)
a!N9/?
nq~9W
^k?<f
I9j,["
w)kJK
?MlJ0
e^K:eh
s9^ 1
eW+aW*TH
5^:[_
q&E5o
XeAS!
O}!&z
lLywr
7*757@7
T]0|f
d-^zq
Sghv~^
[2nHT>
_u;|+Ko
ux{oF
dj359AGVWd
i8UVZ&x
<q<d#K
&"3}E^
sb:{m
ThL/)
VEb-&e
WriteRegExpandStr: "%s\%s" "%s"="%s"
P!Y>I
D^+x3x~
9b9L/F
R7O._
sLKA -
V78hj
)&6*z+
M4^.0}k
4bF0(
File: wrote %d to "%s"
GetMessagePos
J*U*t
]# *O`So
^|D.Ne7
`)>my
Ya+8%
|@ZT5!63C
4=YMe(
RMDir: RemoveDirectory("%s")
\yH]5
r^R:6
FFY>Wb
+Sm=pp}s
TFCkt
@m8Q,
G\=y_
oEy$=]
El>k((
ar'S*so
0>f>s
JO_*EI
Process32NextW
RegDeleteKeyW
N0TR${
~p7b7Y673
17(UG
i*u2*
LD`i$
sP>E\7
J3(^I
909>9c9o9
http://ocsp.thawte.com0
GFk6#
]!+<s
s{0h)3
}lIF>
w,$0HK
c|EHO
PPPPPP
O&'&C+
>~}7G
fF$[2
T1Prc
k`;PX
@5Fb(
5w|jA
iZ;qR
Dn})N
5"5:5]5m5s5
0Ng#%0
ImageList_Create
0g/iS
pBJ5<
uM3:pI Uso-
i|y0g
u}9-$.G
H%Tb4h@r
QYom)
<{OHt
)QCWv
M(P*X
#a_|WR!
HNL_4&
sJHg+m{.g
.2i7:
!x]=l<
J18"
r Ap]
U}.!_
?"foo
kh'(N/
.DEFAULT\Control Panel\International
WaitForSingleObject
kM4M"
6nh[15
wqj"Q
<64.$
Srqee,
97(?86I
gi4blk
wd-8:@
lstrlenW
0FDKG
~FS?(
kg'&~
oV:0-GD
g0e0*
oOIrO
OpenProcessToken
YY?"B,
LNRV)
%&E/=
4ncQq
8@l`9
n;1r}
D{6>T
cQw[w
Comments
+'9pi
pAH+w
[E=@h
,]:!W
+*f9,~(
SystemParametersInfoW
B^ci4HG3
*[j@(;_
fsxb%
&AIAn
4kkA6
!y*tm
s/H`M
aR[e_
_j,#a
odFH|1
>pLE[
)RN S
QKW:I
Bj 9;
T"JNo
y,A`n
-bC=6NM
a|B:K
SetForegroundWindow
l{\=/qW
;!, f!
fsv&?
<o^>W7
8!828j8t8
#7\/9r
uDWWh
c~F8/
1~2l'P
dKTZ
/E|l-
nCSV]
@\/~gD
f%Y/l
g`;eu5f
:d=!8BG
O-.xX
[g:c<
;`=)OQ
i223-
3F?kU
{Bk=+
&l+;2
Rename failed: %s
v.KU;
File: skipped: "%s" (overwriteflag=%d)
%s: failed opening file "%s"
o^bA7R
HDGPC<&
HZEf4
_<3eaR
txzSR
oFQSU
SetErrorMode
8|kM:
t^!$c
R0vPs
4#!yx
`~<VmD
2^r'R
000004b0
}}lN%g
Bq8,5
BKqNIknv
l %<s#U
TimeStamp-2048-10
]aC!]t
7EPA%
(ZCEv
?1?<?X?t?
y3+.{
c{hdt
&e}/&P
/NjIn
_A>VS*
?TjVg
W73?&
\Zq{kB
9:gw0
?7VH]U
SHGetFolderPathW
UdS8X
euiyB
Fgy3|d
31\1'
DBTV5
<KLbP#U8{L
mg-p0h1
jK~tK
:Nj;I>U(
0t`|?
W`6Rf
OEyTp
SI2LJ
@L*/j
+f`Wn
S)BzAf
Ad;L8t
=%=/=5=:=@=N=T=x=
D$,9-
k[BeJC
ExpandEnvironmentStringsW
'q336
<E~3aua
3H)bAZ
|P8Lr|
@ ah"5
544S$
SearchPathW
C?x1P
SetFileTime
n^x/|
@,b0mttIp
dVtU\
r)4p=
bi6V]v
G-$9"
KiT*t|a^
SetFileAttributes: "%s":%08X
cn}<SVA
)xpWjX
2\a?1
p7!J.
\Q ^Q
iU*Zj^
r\$ZbH
GetTickCount
r+1eVU
q\oFXQ
AP|%q
qxASx
-n?F_
y2;_t
tiWzz
$N-+(
Zz|z}
'_Lm<
4KBV,
~yH($y}3.
A^Fy;
,l33D
J.xd]
Mp9z+
9%&L#zgW
3.0.15.0
&qgMA}
BctzY
mc)XG
:7/]I
nubdg
7:.}`
:1|I:
S3nV3s
Kn_sBo
5aD3Q
0Y0i0n0
^&8s!v
|HEQNGb
Aw<!Cd
5-{i'
\;!/3[
=5o3[
gD~hhQ
w(\b<
w;wqo
s]go`Q
=A\])
aJ]#*5x#
QLop<
D_$)B:
5\Kv'R
n@)v}
)'i??
t749@
M~P=FcM
YJbly&m
SADn)
UP$Bsh
i{H-3HI
w~V>E0
xH.O,
"rtkV
F|5@m
me}ZV
3NIr{P
uqXjW$
SLC '
{`ix)B
fD4HZ~!
gF.`;
CF{BF}
HM1E<
W!p$"
tHTI^!
KZ[yz
MultiByteToWideChar
uvI~+W'A
3yB1&
+0\ZU&V
p|[.2
For additional details, visit PortableApps.com
=g@Vk/
%2XZa
NQ3T[]
/72]+
5_MWn
x*x~>s
P3UcV
0.0;0I0]0j0
@4PMQ
:hW2e+S
|56,4
File: error, user cancel
softuW
P#M\`
{D6Ium
l;o"Q
?eHhcN
-Ai_~P
,Bcv7
'`e_"
.G<ZY
tO&mo'
"_` `
J#U[ "aYvD
Q|li^x
#5CU
7E-@X
&`!vb
9R`66
4ocOY)
G:~&?
CLsna
&R?0X
[a:n}
]+Th3
MTZuO
3EZOf
I;@8LJI(F
n{9CL
zo#,nxO
j[:/\E
myn6C\G
*0}!w
+P/Vc
]_lH"7
msctls_progress32
}a@PI@vJ5l
JE8g>9,3
SHELL32.dll
mDWe1
R%'B$n
fJiBG
buuu(
"l0_$Q
~*1*S
(aqs[
xv3AX
`yBL^p
b=pWN%
XtP=
mXC!>
shqkJ
tb#Rp*{V
ZtDsp
S'e$V
)zTbmEx
}#G #'
#31#$
wUx]>
,lQBI
\YTm+
jh.b)*S}
`[qzf
.U=W+
v0d\n
34w4sB
[Q/TU
fxxmL
[5d2I
>Ro;i
y\s&^
^uX:G
202t2
vKW5H
Rjs+l
w'al&
6q@eF
!T5:R
\L1u(4`%
SpoQh
rA5se
2?2P2b2q2{2
te`O-
%FVaA+.
`^^^sS
0aH|Dd
RMDir: RemoveDirectory invalid input("%s")
CreateProcessW
wY<X;!
HU<8%
|Z=qW
PczF~
H*#o*
J@6.Ms(J
ax@2t
XE<x)
oV<X&eu{C
lAG8h
/*mc-
40%.qh\
67^/i
;5<w%&E
t]K8/
installer's author to obtain a new copy.
ShellExecuteW
td'm%
t&+Pu
223@3I3
tzK.x
n[[JN
... %d%%
hd/o{
xr]<V
d BEB
6wV;H
(]D0A
8yk=V
Pfem<
+ony]
9E8um
Xm-t7
/W$&=y
)}\0s
SX'\f
<82+B-
9G(W&
z%3t0
"6V+1
@8=N>
_R7{<
PSAPI.DLL
6g++i
KPxM*
ADVAPI32.dll
<Si3s
"i8F>
P_,x[^
`JfH~$(}P]
smVm
fu/SI
,63[(
2]O*?
VsA.4q
o2NVfD&
4)eYX8
VP't#
GE4]oL
D1`}#j
7@vD`!L
%Z.Bs
UUUUW
50301
/ P6pL
CreateThread
MessageBox: %d,"%s"
SetBkMode
Z|_|q
>"?@?Q?
Th-+CX
.Fgec
TrackPopupMenu
@]e44
z>=cx
_(PDJ8
`ve93t
DialogBoxParamW
FreeLibrary
Nzlt%Z
HNeOh
F"C?N
~X6^m
oV8=;
Bc'}u
LeRN6
lHVaL
&lU~y
L'n.0
D$$Ph
lstrlenA
;I|r'
a9G1<h(
?0=0;
7y`g?I%9
w12,2
nM-a;
~YO\>
S^=s9N
z6j$:4\
TwQ/F
5G6Z6
%*aUlAD
`pGOr
BH8=<
E-T}=
z7~^)#
Ku.TT\
B%8wGO~
(|8hL:/
O{btu
P@1PM
_% s,3
YCVF6n]
CompanyName
5+5;5I5W5i5x5
Kernel32.DLL
[kM|o
Kf45L*
B<1Y44V
["Xvj
X((MIn
_G8>2N
~r -LH8
q5!iX
IzC>>
|2d|T
'4+Ma
2.Xi]
0NDqx
'8z(m
g~ABqDI
j2#Im\C#(
=][/|
3xIIq
-iolo
'kaP6
lo_#{
(B9>"
o~M"4
wFU/B+
9>"|X
6z-Mr[6
p]Dm6M
w7XL8
EnumProcesses
+#$zeI
ET&R+Gw
r5o<x
md*p
Q*@W?
\K"go
~9;NA
a>8);
*5SL%oz
udmdW
?S25dQ
ExecShell: success ("%s": file:"%s" params:"%s")
Sleep
:S+Km
]F-kQ"
M,0I8
:Jw>f
HKEY_CLASSES_ROOT
`_FUlhP
HW.^M
A5DMPN
N&tL8g
qZF9@}
|zgpqL1
,_DR$k
U389[
tLp&Q
Rh)\v
A\(q<
hIbfh
r]k696
R)VfFa%
Y0#Gm
8A%^^
GlobalFree
hFst(
uNn8;
_dk@Jg
qn5IZ
atsUs>
|+Ad)
GetUserDefaultUILanguage
f!|&2?x
|f(:3
>R}ak
GetDiskFreeSpaceExW
:27Q6,4N
ptH-)
-8*7v
k"3}Z
]y{7*
hMSBn5^C~k
']I,',
-,%m!D
&ZMD~
ttnyat
D(TvH(
\KIT/
http://www.usertrust.com1
~mBwS
aSQ;V
w!f'yr8Y
&[=-.
DuKqH_'
pu\Y!
8^/|#c
RegOpenKeyExW
LoadBitmapW
/-P?pR
SetBkColor
T|#=Dh
`%HPLULd
GetTTFVersionString(%s) returned %s
[ctqC
IOpHM
$CEkI
rVl0\
CzE</
};}hU-w
z\Qp]u7.&
mL0H.Yg
XZsyH
k|y!9
PortableApps.comAppID
|u)6_
N}lKe
a1X I
FindFirstFileW
y;Sd^A
utb$l
yW42q
?+%9|]i
020T0y0
wsprintfW
s"YQ%
F2jE[!
979=9
TlikC>
!fyK.a
8"JIY
xZI<lb
PaulStretchPortable_2.2-2_Rev_2_English.paf.exe
+9ukjT9
yP,4qu
t,?"vW@,
,|_$A
oIMKm
sWeI{
H1u^aH
% D3t
\i,,0
OKgNKC
iJWnTM
aSZ6%V
\n6!E*g^
_mlO)
:hvjJN
nA$&'
.a2]'w
aW_*
-=SGC
D)j!$
[`~!hT
`om%[
1&2U2a2g2s2
p&K&4
Y6-6|[1
07&vJ
#qx2Ep
ZHF&P
)Mh)Mlf
M~riC
tw-ezo
V2N;2W
y#v`[=
1]lBK/`
Ypu[j
G.h{z
[[>e]
0;+97
*]9+0x
xQM>m
[1TY,
4=H5.
}1<#2
3B@-I
ejE",+
=?%y`
n8lkF
WSMKm
(|Rt\
tV~dp.
4()E10N
"rkBHo
D/{|h
*Bqv*
(1^M;
((L0,/d
SHGetPathFromIDListW
?x11%
w/Xxo
Exec: command="%s"
PV\WI
,)=T1#~
'N^B:
bfhit
niGx''
j8WUHBYs
<+<4<J<U<m<v<
lTCs1P
6:jaO
s-)M)
63yeeQ
*cV a
c~"9"
S%LEI
n1t`E
#@tG6
iY@Ki
z@<vv
,@P+3Cn
4:iSG
u1+Ww
ImageList_AddMasked
rO>3M
=2L0,R
#Y@w{
@R6=i
AppendMenuW
#SK><G
-a2 BzZNK
W+qB$
OBhW1
Igd!2#
m.qCG
4/4o4t4y4
\UQnYb
k/bg+D
3U,C0
a=s]M\
gAs=K
ydWS'B
OpenProcess
RD`*U
[1Hgn
:QpD>
Hgv^'
9l<x@j
=<jZn
NuRPW+-5/
AK$g\K
21R[W
JtE?i
Ux;E|
ce>=H
/.G[0
?K5F~
mZnR_
~7|nL`
u1JSY!
IDATx
Garjl2
F>/y`L
Rare Ideas, LLC0
NC`3Y2
CornD
O4U-qh
/iQkw
BP{vG
]buxyubO
Xt-8|
dO"N:
{#})b
P'#.T
`9LLDi
UWUm.
'cChr
XR1$+L
AHp\TC
H2nL"
^1~7[
7}D]|
k2"o7
"rD#?
CreateDirectory: "%s" (%d)
R9,py
xkDB\/
<x"F$
!KI+OF
jEURGC
G" 4r
ncw|u
FindWindowExW
>[SK"
lstrcmpiW
IGOi
!;_O4
$?\CH
mxK:B
~X;Vgv
(*3#:
VH#A%
\WKGsz
fpT2t
bM1#v6yc
hcg a)
ADVAPI32
yE-&P
zV@uM5'
vO-7-
R'Z>I
14%m&J%U
PeekMessageW
&'r{j
-qPG!C
NH=!$&`DQS
9(gtLq
;cf&C
2'D}M\<
lE=kt No
yub% d
LegalTrademarks
=>zS]
Lq(FJo
E~7Y1
.XBs,
fUn#t
a=2U*
/8Sn,
3,{%5
Im/8G
_VEz1
~du~f
(zu\&!
D=,'7:e
%C1V\-
SHAutoComplete
lfW@"
GetClientRect
H^TU'YKK
1QQXlT
&EFPd
_{$1m
8 P4+8
$'|'"VN
~J9pG
>>nS57
UP71A
2X1k2
cA8*PpAA
X%Q{e9l
V)F3j H
pxj3.NT
`y"bP
*{[AI
CreateToolhelp32Snapshot
ReadFile
F~p%!+
FE``U
42/Azr
WideCharToMultiByte
RegQueryValueExW
S&M7wd
%Kbq#
w+d4S
8b{kw~
')l?UEl1K
$(/9rn
VarFileInfo
3Ak/60
wsprintfA
aX$$:
272q2}2
NulluN
:5*>T
J)^.ta
}T"@%
COMODO Code Signing CA 2
jg%P#[
N7'%.rFp
\MO7O
ImageList_Destroy
DrawTextW
byYcS,G
rdVL^
jxZLQ
}&e3RE(F
.o0GfO$
yIQmn
!L!#s
(v[E
4kv"L
&hjrB
t$$VV
1e/"DL
{{qV($
T}%<5
:-:8:>:C:H:S:Y:f:m:s:
a[g~o
hmI@$Y
GetFileVersionInfoW
Ep\->
Qe6I|
iIJn1
Delete: DeleteFile("%s")
@@'87
<4/:|
;L[!k
2<Ugz<1s
}$dIC
L-.)d
v}e:I
detailprint: %s
WJbVR,
83('[TH
CreateFileW
99x&~
DXj88gj
ExitWindowsEx
$vH4T
~W]>lX
GlobalAlloc
Delete: DeleteFile failed("%s")
!AMD,
pgI <
\=>D`
LiVR8
dZIqo
Installer integrity check has failed. Common causes include
=<^[_a
<"Fc(
rJ&yD=T5
p^vH[
=1_+[
?Da[+/
$-uVL
ICCc+454
N&bz@9
z:f<Ms
ECpWPk<
CopyFileW
6}N.?
<?rO5
o#4uh
JHJC&
6A[!q
d\bmU
C7OA]
7 P9q
6^JzAc
Module32FirstW
A'"!9
l02x*
7OzXPx
`x)A*
W.vP`
R*N^v
D\7{!
]Z<-=
Am/ce<
(+phz
GetTTFFontName(%s) returned %s
$MQ2)
.4@h#
V&'i{w
Bxg`g+)
zvz]<
,LIS,,
2q">7
<NDM3
G2XBQ
Control Panel\Desktop\ResourceLocale
\vnO^
xowG
yOR&<s
Error writing temporary file. Make sure your temp folder is valid.
rltE>s
D.TFZ3rh
LLVT,D
P9j;x8
R=RjQ
s695
k33]c)
SHFOLDER
SjeM`F6
iHK`~
dfjmyN[
eZH=k
o[%,.Aa
~N\UC!$oos
oY-p{
7Rd=_X
|mnVL
L8)Z;
t0q<n
J[xY?
so F54
%3@w@
=2y,p
^ZYHWq-P
i:6?)@
p`}\3!
1gb=Fg
C2*v#
0'0D0M0o0
JTOCP
<F}=`#W
En:T@3h
>/zBl
VSX\il
wO_7{
HO}~=%
W?%4\
GetWindowLongW
B#"n!k
[_+7z
}}Q]q~
L-XnY
vge"B('&=
LoepP
3?YH}0y
7#N>r
Module32NextW
LW8PR
U'PGu
pA0|v
/Y8XY
-V^/2
*t:s%
QuC2}
]A$%.
qO(N=
^8DU!
yvRea
*oUZ5
[g9[7
@yW>M
d?|{y
Call: %d
?G_VS
$jD}bV
H'#o+
GetFileSize
bLv$B1
C/O$F
5TQg:
(n)(m
w^ZH=b#^"
m!>A
FgcNB
5]r`,-
xPcA#
PsViN
Dy[4X
)q[uF
ii+Qz
&!Qp_2O[P
wo<S
gf++cb
{055M
kP9(r[
GetDeviceCaps
y(abXyL_
lstrcpyW
a_BPU!
aa 2A
djFkfK,J
4z{(0<
R!<#4-
4yp 'M!
CMytr
vc,hR
3uS ]
=k1gI^h+r&
7hiuU
-Ne_h
ZO^aJ
s^0Ws
etGHQ6j
Error launching installer
-W~Jty
HKEY_LOCAL_MACHINE
vJ=|<
n/#6+
CCKhfq
CGb`"
110824000000Z
r(t'PN
?2<H#
o(8dI
KS}Kb
797C7I7Y7|7
|w*R<
UaL!c
xyjb\
)hzw$M
rI\l
U5VC(
vu4l?
Fp2r5
(<n$T
/i'&Z+c
vJG=9
S]W/`
Glyma
PX\zH
.jlY4s
E89E0}s
TXmA,
rW{?7
+K4>X"
WriteFile
rHI\^
D?{H-
AO+,8+
S=L@iu
KERNEL32
][(Q?
~ubO}
8uxIN
Ne4-0qV
E [sY
3~Yfz
c[UI2
#}k#b
<Iys^
DestroyWindow
>N>_>i>
qhdQYFs
IVS1?j
?Q2%.
A>J%J2
D)&Kj
]qkf"
<p?{q
9T0Q%
U}}*6O
WD929jg<3
0;1A1Z1
.IW*q
2L>X5OG
=.G}g
HS)62
_Xs%*
{i3w*
!W|m3
z:v_'_
0;f8i
GetVersion
KVq#Q
m2Jvw
8flcL)
WriteINIStr: wrote [%s] %s=%s in %s
FI34.
SetWindowTextW
tj;t$
Y6@13
O1[P!
dPgYV}:
g76j4>3I
rpj6yQGk
y?@P|
?[0ZU$
CreateDirectory: "%s" created
!4h;~
fEi8p
<K] T
&PExr
o|7Z4~DJCGR7
~2)<j$
E89E0
VSUbOI:
fu"_iU
3aOGQF
8:8C8U8\8h8
veGoys<]
\h;{]
h(k[D
HO@DFFDD'!"
M/,QG
'Symantec Time Stamping Services CA - G2
',7Ui
o^$d9
EnableMenuItem
LoadCursorW
SHGetSpecialFolderLocation
*9_V|-
\Z-|Z~
04q\G<o
0{^h!
$'4DJ:
wvsprintfW
;|z8M
sD^ *
;:{`)
<D\bG$
a$E@z
3\ep\
zgx>-
pUjC4t
p2CN;
^SYi
$|<w}
dUU'u;d
ZPE.d#
UWvxv
3\nmI
0q-p>
~%Hn9v
4t!MR/
D{b_%
]u99^
r/#*$z
Error registering DLL: %s not found in %s
<jJYL
M0m}2
~f%RV
c_472:
_A<rU
4/OY/H
APaBu
D]},k
!|Oe2
7Hrhls
+`C7c
.xmE~
RichEd20
StringFileInfo
@t*KT
UaZyP
'%%"b
{X$Cp
=#q>9f
9W)pX
/d3mU
zfwrv
U,'HA
+http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
fp#l*
l[Q9`
ole32.dll
d]NX=
.?aX^Y
SHBrowseForFolderW
;U&%[JY
z=NZoo
CBppE
OhHW{q
a{)Wx
Yhy*r
iqpU_Z
PortableApps.comFormatVersion
v[X%%
ShDi`
~_GAb
``;24
jcQ.\
{"\=T/g
3~a+[
9WuUI
%2Ttx
"^@|qr
"f5c!
iV(ZW.$
LAio
g-yGQ
jj@5@
tdB%>
(',5D
;f6X[)l
\Microsoft\Internet Explorer\Quick Launch
?k>cg
s,-s#
LSVW3
Process32FirstW
BrIeB
h@cHf5
TU#=)Q
aP~0\Q0
w)FS+R
S_l@,/
GlobalUnlock
WriteRegDWORD: "%s\%s" "%s"="0x%08x"
'l+GSw}
pR;--
vf==GoE
&%Jhm
<`cCW4
xG2EwS
D_}:_
k{WLAx
1@aZ/
"WH%-
py2\(
KgVkQ
>:aX.
201229235959Z0b1
C0f]o!B
1 1$1(1,1014181<1@1D1H1L1P1T1X1\1`1d1h1l1p1t1x1|1
s,T}%
)wB}B]
gBmME
nDS {
|b}Aw`
4uRG&
_Zd|n
/Jf#@r
:vz%_
MU4n}B\
RMDir: RemoveDirectory on Reboot("%s")
OF?{)
Zgm;{
ZO<@'C
nC5+2
y5Vs>\
7|Vy[H
m &KA
UoHwb
ojI4($3C6f,
b]##]
dhjqdZ
U;AQ
GFa^7J
767@7I7S7_7j7s7
R<1zeN2f
!%r@C6
2a0pS
h;)v?}
Y"E~#
~19ld;
v+CnXZ
483`kby
;{$3`
NullsoftInstBD
4|bpY,K_
|'tbz
a47kn)x
hR2jv
S-[bWv
WIY~{M
203Y3
z7gQTa?I
pKXJ}
$ObFc:
),vt)o
^]e-0
3=yE,:Kb
N2WUIBIikK.28
KqR@G
S8ZRu
XH2!;
)V&0^
+2aLdL
; Cr7
olj}xyGK
E:{q@El
Z\rMM!%
JX`j9f
bMw')
"boy(2
`Qr![
KSP5x;
qY\AA
"QKyp
SOghF_i{ydj
,&g.O
,(!U=q
%4J)3
U?O3N
qN)Tf
b<Kc[
Z^^$VE
]XaAH
h0\Xk
XNlEu
T/NTC
%1U!7
Salford1
BvY61y
_kh_?
QK?I^YM
\J>::
Ne~R2
E%Y=HL
@dL9pc
1<IIL
Cf^t]gA
2Ug^%
:csVQW
+{+,Q
VVVVj
@ouCB
Zlp)p$
Y/xt8Y[e
LJ'VqWe
=j8q>
GW"%k
Q#)Ac#f
1,PN3
_aVbB2
tkvq&
MdRHRL
AH7F&
5[`SX
p{;DO
QSUVWh
:<(}(Qi
P?'j>
3;<0A
A<W5<
jzi,u
8&!(|
4pr(F]^
6(DZc*9
W hSm
9t,'q2
:mwu<Xw
`s]ZP>
[W\4p
hlSZ~
GetModuleFileNameW
"%SG,.V
YFlp'_
A|K:kBhxm
~W3TN
20n2EB|6"
<Pe4}
]jdB>
B=#$@9
'7iIb
[Z;m[/
SetTimer
9}pKt
P: e_
SetClassLongW
K>2'1
bnHoff)
5e@*#
,[FeK
h"!Bp
]4;Mhr
;etTdG
<a/\$
150219235959Z0
?G?[;Rr
c{E&I
FvqcB
6dx61g
*qDgB
8W,9+p
gcKLF6
J|3J_}P
ywBGL
|^o{Hb
_zKpO
|{As[
lstrcmpW
OsX,{ex$
GetAsyncKeyState
6q7v7
-#{Dw^
q}DWAy
4 ep-
WQCO;
~?-rJ
|ZJ.z4
9t#gK
KERNEL32.dll
7tvfaj
OleInitialize
rB511
?1kg2
RichEd32
fS[h
F[]mM
?-?I?\?o?w?
h&Uf7
VST}5
2\CLF
!hni`a
6#616i6n6
g(A2o
$hnv:
.R\@v
W!cp
tvF7&`R
N a58
Delete: DeleteFile on Reboot("%s")
H1Vfgh
%[7pt
New install of "%s" to "%s"
K^zs/
#Nl|0A
[%v's
F2)~^
TO=&(
by0,0
V~!6z
h0f0=
9!9N9u9
wi*%$
GetWindowsDirectoryW
-+-V,+O
DefWindowProcW
K|~:?
74NV`
= =1=
-\MO*K
LGGNMKg
"D?2j
F/:o[U
uTb-vk/>S
%E#>"J
):(_M
GetVersionExW
g)0M,
0WZHBMko:.2
9::T:e:
hvV!D
eVnc!
4WimFe\
w#*OY
nT4KD
]wYD*
GetSystemDirectoryW
>&>P>^>e>}>
sBY>g
}*i^O
e\;a'
hO.Ej
VS_VERSION_INFO
GetDiskFreeSpaceW
C=1V;6+
4\x$N2
/Go (Mk
baP`g|
P8]1i
.P{#;
[hig)ZZ=Z
*TGI6
ng:9Z
+d 6\]
5iihc
c\DfG
*b$i9
i'K4#
*rg_&N
g/K?1R
%x9GK
1~_X{?
Sleep(%d)
3$N^w=
Tnote
>`[,|_
COMODO Code Signing CA 20
]jxdE
s:|{1K
rve,`
PostQuitMessage
2%&=&
J!dp4
;Ruh
tJ-DQ*
vOu)2
kEef1
7Bzpz
lhgH+
`]mgm
acOfi
iGQ1=T
<Fp|Ld
:BUe7P
1ue0fC
H>p=j
pbUk
SendMessageW
PortableApps.com
|{KK#%yk3U
Kax{Vu
{49=Ii
6G&+A
~v-2|
pJ&[-9
ktZ>x+b
'pBG-
3V<2Y6
8F-`35
Yz}s-A+
h(.]$
@{w*c
XR$m%
;bv#>j
ZjO{,
Jit+8
HideWindow
OpenClipboard
*6`C[
r6/%k
r(kh=a
S~}N(
}{I1g
['|1-;8
wgVz`
zvlL[
#"u.#+
FL!C(
h$#m6
?VV<<
umxY0
(26)f:
NWR]8
n.-_@s
>R0j1
979D9L9w9
K-Y`,
1Tu@,[V
_jlvzyxb^
XbpmW
aQBZE
)g'yzQQ9vz
2BKqp
SdV0D
dzf.3
?oY}c
9Vp-o
UYg#@
SMALHB7
OP{&;
?1J,U
|V\Zx
S+</>
P^Qx]
G028GM
gs!38
O/*5>4
pM?_xW]
^3JqR|
Y%t;FK
oVLNl
GetProcAddress
Exec: failed createprocess ("%s")
\FmT69K!
lkfb`u
=df)tpyB
zuqYq
0&DiYlB
.)8'{
IsWindowEnabled
mfT>_ZGvp1C
;4F?>@6.,
ProductName
zcDl9
1http://crt.usertrust.com/UTNAddTrustObject_CA.crt0%
CU?!0
94**wma
rvJh#
!~j0T
/sNx,u
5UKWL9"
Lt.U7e
[yZ02{
)AWV>
Y#-`-
>,>1>6>;>D>I>O>S>Y>_>v>
g~[AbT
x7=[^mf
|QEn>
}/ x4
S+[dU
`HKZ*
3XeS=
2A.7O
@bq:}
}~(nK[W
|zv@z2
Uc<#)
DcrR-%
ExitProcess
U)E|`
R$o~R
PaulStretchPortable
}M:xl
;!;2;A;T;
LIu16
GtDZ7
:m^%IO
/i,A9
jO/V.
pyt7_
,mrvGyk
=;n%n)P
kh8L)ZE
./I-x
63V:x
p>QBry
fIm&I
{|xRL
Jg9j^
R,&?1*}U
t~f]c
lstrcpynA
D$8PUh
1nMY_
GFeO@
+>96u:
X=?KJ
[g `;y+i
{TP@n_
w~EMX
@'gYh
M){C*
B.H%i
l]8fH
F,-,n
MoveFileW
V"2]5
FileVersion
8kx#:
http://nsis.sf.net/NSIS_Error
)Mk78
Please wait while Setup is loading...
dNje1
"pp'}|$
A(c&=
3WxzEr
C> 'W
:2/*}
2 2$2(2,2024282<2@2D2H2N2S2c2
vMFMUs
`Qqd)
(~Vw"
0wS xu?
CreateDialogParamW
0H&Q;*
QNSfef
G%01$
Cg@Cy
Q+fm@!
!}Erqc
PZu0
z7iO`|
y1:kv
_Vi:;
tp:6-
ed sd
-lI\A
nS@|r
c@G0Ln9'
6I]Rt
GetExitCodeProcess
FLHh^
O`;[oDm]K
:.md%
e|_iK2
IEFNlD89A4/k
!B<y.
~cVvG0
?0nTa<}l
LGLtPPp
m6xBu-LGB
{xhv6
D7S?>
[Rename]
SetFilePointer
6E.dJ
#9`0F{
1K>q/]
>uKty
K:K=V
lb+E<
n81cc
d30(e
:d8y<m
lwm"r/>u3N
X&;=-f
&"6H7w
8/Dl,%}
D$$+D$
`b4!qk
CJ-Oxk
'GB!g?j
wIBzZp
_7GA9
RegisterClassW
|UBJ:t
L% ;n@
-m<^V
\EnK;#@{
p=<j,
)]@$2c`%
9!6i>P
!Jz$T
(/iTG3CJWf,+*
(,=al
ISxRT
l^)Fk
oR:|l
[6HUcJ
\u!f9O
*ObqK"
1JM\^
<Az2W}Fo
kzM:x
>m&If
*Ed8C
AZd?{
^i0$}
jSVlS
`m;,$
Xm!gG
wq\7' x"
VerQueryValueW
c)p&[
CheckDlgButton
CWQ/H
a|5Zl
Qb zg+
d&"79/
]Yy*-m
1-RZ
xEM@X
N~r}l%Ma`
A[#&M@
uD5!X
n{q^UiS
[3[$~f?H4
9nM603CIf9
L,$]d
d_4Vu
VCdAf
fP-u4
%n;.3
GlobalLock
SHLWAPI
Iy3e0I2&
3D/xV
VLteT
E(RvJ
%C"QG
-zz.<
\|;+HU
(s/<z:
DeleteFileW
xq<K m
lstrcatW
:sn3IV}-,~o
?> ~>S
GetPrivateProfileStringW
GDI32.dll
"=[%@
n'yu^
[d:7q
p3u`1'
Z>K`"
Eh'lV
EnumProcessModules
y3P4-
4>'%q
]N}js
6C1$>
ltq)r
c _2WI
InvalidateRect
O*5{:
a#PHZ
8<S1J
SnH<x
Y`kA+
j_}^]_
0z*FM
pDVY&
=9>L~
_^][Y
S8) h'
5wbH4
Y+k~}
oKdk$
ENcG@
M28kk!R=
.SwtS
>\_|,Fa
GU+6;O@;(
-L,xQ
cv"d%2
UXX`f6
23Qe:?|
Gpo/U,
V`ep1W
Oj7xT
{rp5~
0r0^1
n^Jo'?K(
wUzBt
C;q)I
nkzwF
Sd$q>
J?_lj7
3]EWL
$3?U,d
1k;dX3
!{6,i
tyW9u
1http://crl.usertrust.com/UTN-USERFirst-Object.crl0t
o)!\F
]>\4T
Y$|$U#;
K h0*MK
8|9%@i(].
d#F9n]
InternalName
p<d%9
]_~"r
l0=EB
\b2jf:
&m6$<
#[yW`
8]0"G
L@~P)
{$/.XtM
!K{Mq
Xm}6{
http://ts-ocsp.ws.symantec.com07
HKEY_CURRENT_CONFIG
E8gwF
mo|Pr
drKxl
O5kb3
BringToFront
;RY>d
zgsQ#
JYspE
5#9r\
PtCG9
HX>Ozj
?Z\hR
0fId%Tm
COMODO CA Limited1!0
^z>@@;
YO,>ue<
Software\Microsoft\Windows\CurrentVersion
imaF~
J,ns{_
KtBu;<t
T&cl"
u:FeV
201230235959Z0^1
KN0.~
C')61f
qR15`
*Dq$=
,LvmG
GetDC
'yrz|
MsNP*
SetTextColor
`j,cG
XU_^RL;
ZalP@.~l/A
v%+H^
Z7V"Fg
+A{6'
Hra&!
Lm-!.
-Lr^o
dK(,A
HCIs&%
^C*"A
KNF+yU1
w-zJ2
oCD[3
Vc(A2->}
K@fam
kgj1V!4
RXede6"
<1{p]
Fj]e4B
FindNextFileW
tnWp{#
nSiL'
aw;EU
!j6^H+l
;8*wEZ
0-1R1r1~1
f~Dz(,
F0Up(
UWTsH^W
9Je&`
RE[mk;y
M8LB9/
FindClose
55]Sw
[UISaYNd|sg
;{D]0="
$4k4S
ijM%/
JfMm&O2
{HhnO"4M;
~v$IZ~O
US^SK
yX]~zm
KB6p
(*r&@iJ(p
9GWgoR.
*%HDF
cxnzj
_FWX}
sd+cB
3WJ$Mc
MulDiv
pd(ax
@ %dvz
l AT3W
GetTempPathW
sQdip
:n\LM
y=/A!,?
:xI+&
.Tq1m
Jzdc>
[zXSZbb
;dhKQ
57jXR
o4M1>
ONGU,x
RegCreateKeyExW
incomplete download and damaged media. Contact the
e=_T>?
VNUiH
^f(uRW
! aKR
[=ygFWT
i#!)c
Gu6:Zs@;
P4Q#8j
yS-&i
%PKrz)B
B<0crj]
@_(iUTp5
B/hn`
jZ(k_
vSH@al6
A:[bf<"R
+3CWd
;|txV
z$t5B
vpw/}
iz5Au
4a_xaY,
) ^II?
O+o,7fe+O
HW-9~
>dB[E
YX07&
cWEnl!
N};/[
V^=Pb+1
GetSystemMetrics
OA]]5w
r$18R
jwA}w
U6`|cW
x5}0E
Y?[d:
=7+1JD7cRL@
;6;;;Q;Y;^;d;j;p;~;
|#o#f
P?0}6
CharUpperW
w~92,90
l2U,L
p*`>h
WwtC'
Z;z8}h
*%4r84Cp,#
nnb">
zSwrw
Psc=2
<htS'
Kdpy
}X4#L
0http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
#@H2o0
t$(VV
H}_[+
P?gEO
*Z5kq
@%<'<
J=ymQ
PortableApps.com is a registered trademark of Rare Ideas, LLC.
k@3,/
5r_h%
djdih
zC 59h
CoTaskMemFree
T,}ieG
GetDlgItem
CloseClipboard
i#({l
|Po|&
7#|YD
`mEHL
*jt_DE#
wXFvY
G"ehyM
MS Shell Dlg
q5jl9;
593l8K
WwNPe
hh:;R(
huuIe!b
ZGI8b
6$7TAU
v-SKX
\LEMx
q:27G
M9}9_
'^nm.
2-{Y1
a$Qy:
zZK(>
=6*IM(
l.G##
wy9,oH
I=vln
-qg6{3
m*JpH
RFl>$e
[1Z}9
UdKOf
,.Qur
8^a{Z
RoU-F'%G
<4*F:5L
FQn('
Om]UPb
b akP
GetShortPathNameW
-Q;RD
T%,L.
!This program cannot be run in DOS mode.
PGCTl~aD
L~jp#
U\vd`Kkj
7RR+d
/90$T
<a~^I
9+9L9Z9
FG %h:
`|}%y8z
g-T%
@#bON
L4t'rp
U0~A%
F]v-vB[
,A:.x1
KfN=)
/QyQY
<'<3<=<G<L<W<[<a<f<l<
@;>n3&
8CG9*
9-SVj
]Fpe'
<_6+~
=.1sl
B3+*w
oe6>q68
7g~M!I
Wo1!jW*
pzz_}
viM(w
94L]]gD
}Q'j8^
nP38-
,=C_b
4"4/4C4_4i4
aQQZz
Lbw)Z
"@)iK
n[;Oh
USER32.dll
'G&3:
ScrWl
$#FO3
D:'Iy
1:|qB
3"3(30383I3P3e3n3t3|3
0P[Vm
SCHgoG
}gAkt
/0cOj
D)TBf7
m<sisQ
BV<<*P
UTXbzXkE
):E]H
W)S4-
.Ffm-
8!808D8X8
A1[RJ
F$OJ,
JLU&YQe
z4uy@
"Rr^R
JZJ!5[
62n.W
%oY74D
"~+:dm
]26X(
XOa>['
b.V|/
$__k9O{
rOl5w
]TycN
SOY9X\
QH|ctd
(H|J5[.Hx
&3;0:
6Hb^k]
1~:oK
JAz3S
{,vCY
GTl"\
Durbanville1
Exec: success ("%s")
vf/M6r_
&V=ty
K96'p
CreateFontIndirectW
A8zx?
RegDeleteKeyExW
f5?S!
5?eP!Ft
!J1F~5
}O<BC
=vdqH!HZ
$9j?!
pS}XW
uSTy@N0y
%,@x1
LoadImageW
dn W+
(p$+}
9C)a,TS
44)(g'9
BacF
j5U.\
iNdnq
{rPcA
[A*[U&
0p<V)
uZZ"g
@_Z44
wE~d0H
xTo>[s
lstrcmpiA
8Rich
1}[i\#
qFMhg
4i`XOp
CopyFiles "%s"->"%s"
l@Pb|s
IfFileExists: file "%s" does not exist, jumping %d
HKEY_CURRENT_USER
Paul's Extreme Sound Stretch Portable
GetCurrentProcess
GdG*bC
121018000000Z
v~yme
e?YVL
s 4(p
<Xj&~o
@3M#p
rQoQ5
8FC=V
| }9g
*XFq<(i
."x"Si^
D$,PU
JE/Zb
XS((t
,_kwT
8\DJv
ub/J/
pFOOHSNNSMFB&%
7FsbR
^vG$&
\Vk&8T
dKSYt
SHGetFileInfoW
dp{j;=F
Z3Lf+
H!%q!
k$anI
t=-.,
2iu2Y->
2baX7
gaT/i\
j0s#h{
)?~g>
.ndata
4a5r5z5
`.N3'
<wmN(
o'2?$
@Lwf!
ZpU#0
6=Im>
'5w0r
`Ca1<
fZN5M
GetClassInfoW
e&mfJ
r![\p
e[5\V
_R!3p
Gug\X
<C3K.p
$\fdF)z
d'05-
u$9Mls
q,U"y$Q
d/N&p
1J{8l
"E7'G
MSs34lw
]!mEC
?2?B?_?j?
GA=;KJf
Af<OH
111;1D1Z1a1y1
6v%H;n
ScreenToClient
Translation
-s`(^
http://ocsp.comodoca.com0
fO}~(O
vhmlF
n_bAh
A[')&G
Xui'Z
W[le>
{DEzef
;;d2U@
200530104838Z0{1
7F;Mn0
OgI8Cg
Fcm}+
OleUninitialize
C#!5|:
rokSH
f@DFv{5h
2HvtP5"
.Y(RV
,g"h
_=[@-
u_WD,
X A\{
s\;gDG
`uZxy
,q:JHO
y!*3^r
.K=}PS/+
^}_ q
CWVWin|
FCK{YY~
G4{)XL
!SA_3
dmx&.
QAE6t
#?UD9
wP;H\
S;Fum
y_>[|
>8Dr7a
2'2B2d2v2
6%~=
h2=d(
r?0GCY
zdqfAm-F|
`?$Sa
4Htjmn
@"fHM
XmWe~
?]`.R
GetTempFileNameW
L3B{|"DCa
ProductVersion
E>BMu~
=~|8K*
,M%*%
['.g?
+)Bnz
K6#hqHx
#Vhh2@
Instu`
X~\J|
c0>FV
jk"c[
[]?"J
b|(%R
{25^t
xkHbqE
av.-{
iyCn%
+-]q8<t
!]6):
Q{3jk
ShowWindow
Ht@h@
)DS%R
6}f%^
OVYB*]
=)a&n
xQmNi
/GxY3
RichEdit
e\Fz:T
7cvs{
xU#MRS=
*u4[e
RZdBD PS
58<sT
9IVa#
FKo.kj
6Tb51
6jyE4
9d4)i!
eaf;J/e!
8bwU3'
^9`cb
&*dCS
b0Kbt
BZ\g3
0*"?%%B
F?3$H
u{U:t
/`6u!
(O:o(
+58%k
-kPz?|
> aY$h}eW<
32[|\v
=r<h0
Jump: %d
SOW*2"
3AI<-9
O.WzO
File: error, user retry
)@~EN
\Y}wk
FMN%}
1OpuJ
5i2Dyq
File: error creating "%s"
D>Fz/*
N!G&*
9af-&=
Lms=ojU
GkcPUU
z2q7x
*o@O(r
8aPGIp
cuyglB
vPH(j
_)=(e
by/1YZ
5Oq8W
:r9$w
+sOcY
]eWjQT-
\Bnro
:i[/c
3N3u=
s;y-
!l|]R~!
5)g^{
i.kJI
O~~6y
p=ys>
~wb'uK
1[{-:f
]DUS7
85HO\^
*#+QO"@/pT
p]mL!i5hQ
Qdw-I
TMEU$
DeleteRegKey: "%s\%s"
_]3mX
UA>x?6:
PIDBapCKB!
vjw|YwF
X[t1H
HKEY_USERS
MgsCf
tnyU6E
5#:Xm
cv0{d
3hw=y
O(_DG
v#~ll
S{x0SD
.dKz(^
|P` <(?
z4H9/
LookupPrivilegeValueW
@g 58
lbFZH
2$=u:A
b_8J]
I&ks|
t{^5\
J=O;M{
xf,E8Q[
~nsu.tmp
ey`HS
P|)Dac
CharNextA
62A VZ\
4fr'p
;#;A;H;`;u;
17:rj
121221000000Z
"1?2,1$
\cE>t
+wjRO1
}%(KIw
qJvly
#85=,[
a!<cGA
+r06c
tYcQIV
u$9Uls
-2%<C
Delete: "%s"
~!(HM
cfs(<
Hj\("
2H-bh
+Y-NQ
NE1;$
&VT:L
VG_*c
Tu5V+6L
fA P|
MG@.USd
}$a`.
y6A56
K*Y#$
N2|9v
2sY+F
tq<f]
uPP6&
jc)y#
c)444
7.7q7v7
H-2M2
kT@=L
;-*<f"
Ru*q<
%dDdv
f58ksIN
fszfu
Q,iSt
oe9`B
:5-SG
q{h[B
^fIIu
*4'f`N
R?N`V
/ob6K
#%NXS
T[KUVV
1yis_
%%2~Po
@:Ke\p!
!/ze#^kl
cLPngMu
0http://crt.comodoca.com/COMODOCodeSigningCA2.crt0$
settings logging to %d
/q*-)
GetLastError
O>Z|gD
6<.Md
PE96ol?
IidPO
fS*V6
a?9fN
ExP:t
WY)3ig
[r0s8
6P!"}
mnjMU
Q^xWz
n~k^Y
bo!nl
>(T@y
s4R-T
opN;k
J2~~Y;
lxPhMb
U)7D]
I0[0`0
H<pj2
576@6^6k6
inOP5
Skipping section: "%s"
wMnT1>
^:}L2
%$>]X2+tk
R'IsY
Fp?:p
Unknown
%2dh(
6~sqa
+&/d,-U
7!h::
?gVvZ
Ds)g21
`4nAu
|a[{B
qwso%
*Ujrj
99:f:{:
O@ntBz.
t4bN$
m10`b7
F>]C)
D<Cg3
SET>3::
I_Z&l
{C]k$1v
q]z;y
NM<G`
xD`wx
4R87ip
*]vrMQoi
d~4`f
}j7:9
/BK8@U
sn{[7
AKw*}
#NZ$/
7;cSy
`/q]X
(pv}v
%zX&!
_F1D1h
x-&h[
.k|8v
1%6/o
2YRi)
x[l36
NSn"`
>DS2|
#}!0r
884B=
`ZLff
vA5w>
^o 'Yo)
X0ls:O
O:2B)
]a]a]]
`.rdata
<]q2{
@P6@{
6F%g$
Ai;_n
nNShm
._0\O
8Q_C_
RegCloseKey
GetSystemMenu
&Z[P]
nAu1j
p4=d<|
^ksu4)
S<Mt[
"qQen
gTA,9
[XJf>SB
{0Usft1
=G+Em
s^0%%
install.log
^#ys=W
znv,i
HddqA
<NrA?
F}30J
{IDy*
&P"0E
\Bb%
C(SDI
^qM>&
lru.~
%CtVY
)( MR
J.^NF
EacOm
PE Information
| Image Base | Entry Point | Reported Checksum | Actual Checksum | Minimum OS Version | Compile Time | Import Hash | Icon | Icon Exact Hash | Icon Similarity Hash | Icon DHash |
|---|---|---|---|---|---|---|---|---|---|---|
| 0x00400000 | 0x000039e3 | 0x000e7444 | 0x000e7444 | 5.0 | 2012-02-24 19:19:59 | 32f3282581436269b3a75b6675fe3e08 |  |
2c09465cc979677d65781d9403176c31 | 5c00f471cce984e3b873ef9ade242aed | 71e0e4b8cccccce0 |
Version Infos
| Comments | For additional details, visit PortableApps.com |
|---|---|
| CompanyName | PortableApps.com |
| FileDescription | Paul's Extreme Sound Stretch Portable |
| FileVersion | 2.2.2.2 |
| InternalName | Paul's Extreme Sound Stretch Portable |
| LegalCopyright | 2007-2014 PortableApps.com, PortableApps.com Installer 3.0.15.0 |
| LegalTrademarks | PortableApps.com is a registered trademark of Rare Ideas, LLC. |
| OriginalFilename | PaulStretchPortable_2.2-2_Rev_2_English.paf.exe |
| PortableApps.comAppID | PaulStretchPortable |
| PortableApps.comFormatVersion | 3.0.15 |
| PortableApps.comInstallerVersion | 3.0.15.0 |
| ProductName | Paul's Extreme Sound Stretch Portable |
| ProductVersion | 2.2.2.2 |
| Translation | 0x0000 0x04b0 |
Sections
| Name | RAW Address | Virtual Address | Virtual Size | Size of Raw Data | Characteristics | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x00000400 | 0x00001000 | 0x00006f10 | 0x00007000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.50 |
| .rdata | 0x00007400 | 0x00008000 | 0x00002a92 | 0x00002c00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.39 |
| .data | 0x0000a000 | 0x0000b000 | 0x00067ebc | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 1.47 |
| .ndata | 0x00000000 | 0x00073000 | 0x00159000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| .rsrc | 0x0000a200 | 0x001cc000 | 0x00018f18 | 0x00019000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 7.56 |
| .reloc | 0x0000b400 | 0x001e5000 | 0x00000f8a | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 7.88 |
Overlay
| Offset | 0x00023200 |
| Size | 0x000b5a08 |
| Name | Offset | Size | Language | Sub-language | Entropy | File type |
|---|---|---|---|---|---|---|
| RT_ICON | 0x001cc328 | 0x00012524 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 7.98 | None |
| RT_ICON | 0x001de850 | 0x000025a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.18 | None |
| RT_ICON | 0x001e0df8 | 0x000010a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.51 | None |
| RT_ICON | 0x001e1ea0 | 0x00000ea8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.70 | None |
| RT_ICON | 0x001e2d48 | 0x000008a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 6.02 | None |
| RT_ICON | 0x001e35f0 | 0x00000568 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.67 | None |
| RT_ICON | 0x001e3b58 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.84 | None |
| RT_DIALOG | 0x001e3fc0 | 0x00000120 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.56 | None |
| RT_DIALOG | 0x001e40e0 | 0x00000200 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.68 | None |
| RT_DIALOG | 0x001e42e0 | 0x000000f8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.91 | None |
| RT_DIALOG | 0x001e43d8 | 0x000000ee | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.93 | None |
| RT_GROUP_ICON | 0x001e44c8 | 0x00000068 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.72 | None |
| RT_VERSION | 0x001e4530 | 0x00000628 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 3.43 | None |
| RT_MANIFEST | 0x001e4b58 | 0x000003bd | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.23 | None |
Imports
| Name | Address |
|---|---|
| SetBkColor | 0x40803c |
| GetDeviceCaps | 0x408040 |
| DeleteObject | 0x408044 |
| CreateBrushIndirect | 0x408048 |
| CreateFontIndirectW | 0x40804c |
| SetBkMode | 0x408050 |
| SetTextColor | 0x408054 |
| SelectObject | 0x408058 |
| Name | Address |
|---|---|
| SHBrowseForFolderW | 0x40817c |
| SHGetPathFromIDListW | 0x408180 |
| SHGetFileInfoW | 0x408184 |
| ShellExecuteW | 0x408188 |
| SHFileOperationW | 0x40818c |
| SHGetSpecialFolderLocation | 0x408190 |
| Name | Address |
|---|---|
| RegEnumKeyW | 0x408000 |
| RegOpenKeyExW | 0x408004 |
| RegCloseKey | 0x408008 |
| RegDeleteKeyW | 0x40800c |
| RegDeleteValueW | 0x408010 |
| RegCreateKeyExW | 0x408014 |
| RegSetValueExW | 0x408018 |
| RegQueryValueExW | 0x40801c |
| RegEnumValueW | 0x408020 |
| Name | Address |
|---|---|
| ImageList_AddMasked | 0x408028 |
| ImageList_Destroy | 0x40802c |
| ImageList_Create | 0x408034 |
| Name | Address |
|---|---|
| CoTaskMemFree | 0x4082bc |
| OleInitialize | 0x4082c0 |
| OleUninitialize | 0x4082c4 |
| CoCreateInstance | 0x4082c8 |
| Name | Address |
|---|---|
| GetFileVersionInfoSizeW | 0x4082ac |
| GetFileVersionInfoW | 0x4082b0 |
| VerQueryValueW | 0x4082b4 |
Usage
Processing ( 2.67 seconds )
- 2.53 CAPE
- 0.132 BehaviorAnalysis
- 0.008 AnalysisInfo
- 0.001 Debug
Signatures ( 0.07 seconds )
- 0.009 ransomware_files
- 0.007 antiav_detectreg
- 0.006 antianalysis_detectfile
- 0.005 ransomware_extensions
- 0.003 antiav_detectfile
- 0.003 infostealer_ftp
- 0.003 territorial_disputes_sigs
- 0.003 ursnif_behavior
- 0.002 antianalysis_detectreg
- 0.002 antivm_vbox_files
- 0.002 infostealer_bitcoin
- 0.002 infostealer_im
- 0.002 infostealer_mail
- 0.002 poullight_files
- 0.002 masquerade_process_name
- 0.001 bot_drive
- 0.001 antidebug_devices
- 0.001 antivm_parallels_keys
- 0.001 antivm_vbox_keys
- 0.001 antivm_vmware_keys
- 0.001 geodo_banking_trojan
- 0.001 browser_security
- 0.001 disables_backups
- 0.001 disables_browser_warn
- 0.001 disables_power_options
- 0.001 azorult_mutexes
- 0.001 cryptbot_files
- 0.001 echelon_files
- 0.001 qulab_files
- 0.001 changes_trust_center_settings
- 0.001 revil_mutexes
- 0.001 modirat_behavior
- 0.001 lokibot_mutexes
Reporting ( 0.04 seconds )
- 0.032 CAPASummary
- 0.006 JsonDump
Signatures
Queries the keyboard layout
Reads data out of its own binary image
self_read: process: PaulStretchPortable_.exe, pid: 4400, offset: 0x00000000, length: 0x000d74a4
self_read: process: PaulStretchPortable_.exe, pid: 4400, offset: 0x30785c426331785c, length: 0x00004000
self_read: process: PaulStretchPortable_.exe, pid: 4400, offset: 0x3238785c6331785c, length: 0x00008000
self_read: process: PaulStretchPortable_.exe, pid: 4400, offset: 0x785c0d743461785c, length: 0x00000004
The binary likely contains encrypted or compressed data
section: {'name': '.rsrc', 'raw_address': '0x0000a200', 'virtual_address': '0x001cc000', 'virtual_size': '0x00018f18', 'size_of_data': '0x00019000', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x40000040', 'entropy': '7.56'}
section: {'name': '.reloc', 'raw_address': '0x0000b400', 'virtual_address': '0x001e5000', 'virtual_size': '0x00000f8a', 'size_of_data': '0x00001000', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x42000040', 'entropy': '7.88'}
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections
Screenshots
No screenshots available.Hosts
No hosts contacted.
DNS
No domains contacted.
Summary
C:\Windows\System32\kernel.appcore.dll
C:\Windows\System32\bcryptPrimitives.dll
\Device\CNG
C:\Users\Packager\AppData\Local\Temp\SHFOLDER.DLL
C:\Windows\System32\shfolder.dll
C:\Windows\System32\cfgmgr32.dll
\Device\DeviceApi\CMApi
\??\MountPointManager
C:\Users\Packager\AppData\Local\Temp\
C:\Users\Packager\AppData\Local\Temp
C:\Users\Packager\AppData\Local\Temp\nsh40E5.tmp
C:\Users\Packager\AppData\Local\Temp\PaulStretchPortable_.exe
C:\Users\Packager\AppData\Local\Temp\nsh4182.tmp
C:\Users\Packager\AppData\Local\Temp\nsm41A2.tmp
C:\Users
C:\Users\Packager
C:\Users\Packager\AppData
C:\Users\Packager\AppData\Local
C:\Users\Packager\PortableApps\*.*
C:\Users\Packager\AppData\Local\Temp\nsm41A2.tmp\System.dll
C:\PortableApps
C:\Users\Packager\AppData\Local\Temp\nsm41A2.tmp\FindProcDLL.dll
C:\Users\Packager\AppData\Local\Temp\RichEd20.DLL
C:\Windows\System32\riched20.dll
C:\Users\Packager\AppData\Local\Temp\USP10.dll
C:\Windows\System32\usp10.dll
C:\Users\Packager\AppData\Local\Temp\msls31.dll
C:\Windows\System32\msls31.dll
C:\Windows\System32\msctf.dll
C:\Windows\System32\en-US\USER32.dll.mui
C:\Users\Packager\AppData\Local\Temp\nsm41A2.tmp\modern-header.bmp
C:\Users\Packager\AppData\Local\Temp\nsm41A2.tmp\modern-wizard.bmp
C:\Windows\System32\textinputframework.dll
C:\Windows\System32\CoreUIComponents.dll
C:\Windows\System32\CoreMessaging.dll
C:\Windows\System32\ntmarta.dll
C:\Windows\System32\WinTypes.dll
C:\Windows\SystemResources\USER32.dll.mun
C:\Users\Packager\AppData\Local\Temp\nsm41A2.tmp\nsDialogs.dll
C:\Windows\Fonts\staticcache.dat
C:\Users\Packager\AppData\Local\Temp\TextShaping.dll
C:\Windows\System32\TextShaping.dll
C:\Windows\System32\shell32.dll
C:\Users\Packager\AppData\Local\Temp\imageres.dll
C:\Windows\System32\imageres.dll
C:\Windows\SystemResources\imageres.dll.mun
C:\Windows\System32\bcryptPrimitives.dll
\Device\CNG
C:\Users\Packager\AppData\Local\Temp\SHFOLDER.DLL
C:\Windows\System32\shfolder.dll
C:\Windows\System32\cfgmgr32.dll
\Device\DeviceApi\CMApi
\??\MountPointManager
C:\Users\Packager\AppData\Local\Temp\
C:\Users\Packager\AppData\Local\Temp
C:\Users\Packager\AppData\Local\Temp\nsh40E5.tmp
C:\Users\Packager\AppData\Local\Temp\PaulStretchPortable_.exe
C:\Users\Packager\AppData\Local\Temp\nsh4182.tmp
C:\Users\Packager\AppData\Local\Temp\nsm41A2.tmp
C:\Users
C:\Users\Packager
C:\Users\Packager\AppData
C:\Users\Packager\AppData\Local
C:\Users\Packager\PortableApps\*.*
C:\Users\Packager\AppData\Local\Temp\nsm41A2.tmp\System.dll
C:\PortableApps
C:\Users\Packager\AppData\Local\Temp\nsm41A2.tmp\FindProcDLL.dll
C:\Users\Packager\AppData\Local\Temp\RichEd20.DLL
C:\Windows\System32\riched20.dll
C:\Users\Packager\AppData\Local\Temp\USP10.dll
C:\Windows\System32\usp10.dll
C:\Users\Packager\AppData\Local\Temp\msls31.dll
C:\Windows\System32\msls31.dll
C:\Windows\System32\msctf.dll
C:\Windows\System32\en-US\USER32.dll.mui
C:\Users\Packager\AppData\Local\Temp\nsm41A2.tmp\modern-header.bmp
C:\Users\Packager\AppData\Local\Temp\nsm41A2.tmp\modern-wizard.bmp
C:\Windows\System32\textinputframework.dll
C:\Windows\System32\CoreUIComponents.dll
C:\Windows\System32\CoreMessaging.dll
C:\Windows\System32\ntmarta.dll
C:\Windows\System32\WinTypes.dll
C:\Windows\SystemResources\USER32.dll.mun
C:\Users\Packager\AppData\Local\Temp\nsm41A2.tmp\nsDialogs.dll
C:\Windows\Fonts\staticcache.dat
C:\Users\Packager\AppData\Local\Temp\TextShaping.dll
C:\Windows\System32\TextShaping.dll
C:\Windows\System32\shell32.dll
C:\Users\Packager\AppData\Local\Temp\imageres.dll
C:\Windows\System32\imageres.dll
C:\Windows\SystemResources\imageres.dll.mun
C:\Users\Packager\AppData\Local\Temp\nsh4182.tmp
C:\Users\Packager\AppData\Local\Temp\nsm41A2.tmp\System.dll
C:\Users\Packager\AppData\Local\Temp\nsm41A2.tmp\FindProcDLL.dll
C:\Users\Packager\AppData\Local\Temp\nsm41A2.tmp\modern-header.bmp
C:\Users\Packager\AppData\Local\Temp\nsm41A2.tmp\modern-wizard.bmp
C:\Users\Packager\AppData\Local\Temp\nsm41A2.tmp\nsDialogs.dll
C:\Users\Packager\AppData\Local\Temp\nsm41A2.tmp\System.dll
C:\Users\Packager\AppData\Local\Temp\nsm41A2.tmp\FindProcDLL.dll
C:\Users\Packager\AppData\Local\Temp\nsm41A2.tmp\modern-header.bmp
C:\Users\Packager\AppData\Local\Temp\nsm41A2.tmp\modern-wizard.bmp
C:\Users\Packager\AppData\Local\Temp\nsm41A2.tmp\nsDialogs.dll
C:\Users\Packager\AppData\Local\Temp\nsh40E5.tmp
C:\Users\Packager\AppData\Local\Temp\nsm41A2.tmp
C:\Users\Packager\AppData\Local\Temp\nsm41A2.tmp
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_CURRENT_USER
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\Generation
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StateSeparation\RedirectionMap\Keys
HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\OverlayPackages\en-US
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\PaulStretchPortable_.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Shell Dlg 2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Shell Dlg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\AppCompatClassName
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\IsVailContainer
HKEY_LOCAL_MACHINE\Software\Microsoft\Input
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\ResyncResetTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\MaxResyncAttempts
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software
HKEY_LOCAL_MACHINE\Software
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\AutoSuggest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Always Use Tab
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Client\
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Client\(Default)
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_CURRENT_USER
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\Generation
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StateSeparation\RedirectionMap\Keys
HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\OverlayPackages\en-US
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\PaulStretchPortable_.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Shell Dlg 2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Shell Dlg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\AppCompatClassName
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\IsVailContainer
HKEY_LOCAL_MACHINE\Software\Microsoft\Input
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\ResyncResetTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\MaxResyncAttempts
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software
HKEY_LOCAL_MACHINE\Software
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\AutoSuggest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Always Use Tab
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Client\
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Client\(Default)
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\IsVailContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\ResyncResetTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\MaxResyncAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\AutoSuggest
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Always Use Tab
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Client\(Default)
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\IsVailContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\ResyncResetTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\MaxResyncAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\AutoSuggest
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Always Use Tab
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Client\(Default)
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
Local\SM0:4400:168:WilStaging_02
Local\MSCTF.Asm.MutexDefault3
CicLoadWinStaWinSta0
Local\MSCTF.CtfMonitorInstMutexDefault3
DefaultTabtip-MainUI
Local\SM0:4400:64:WilError_03
Local\MSCTF.Asm.MutexDefault3
CicLoadWinStaWinSta0
Local\MSCTF.CtfMonitorInstMutexDefault3
DefaultTabtip-MainUI
Local\SM0:4400:64:WilError_03
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.
No hosts contacted.
No TCP connections recorded.
No UDP connections recorded.
No domains contacted.
HTTP Requests
No HTTP(s) requests performed.
SMTP traffic
No SMTP traffic performed.
IRC traffic
No IRC requests performed.
No ICMP traffic performed.
CIF Results
No CIF Results
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Suricata HTTP
No Suricata HTTP
Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.