Analysis

Category Package Started Completed Duration Options Log(s)
FILE exe 2025-06-14 13:13:31 2025-06-14 13:44:34 1863 seconds
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1
2024-11-25 13:37:18,147 [root] INFO: Date set to: 20250614T06:54:08, timeout set to: 1800
2025-06-14 07:54:08,486 [root] DEBUG: Starting analyzer from: C:\tmpjeo7jmad
2025-06-14 07:54:08,486 [root] DEBUG: Storing results at: C:\uyHCokWh
2025-06-14 07:54:08,486 [root] DEBUG: Pipe server name: \\.\PIPE\IpEgLKC
2025-06-14 07:54:08,486 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-14 07:54:08,486 [root] INFO: analysis running as an admin
2025-06-14 07:54:08,486 [root] INFO: analysis package specified: "exe"
2025-06-14 07:54:08,486 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-14 07:54:09,111 [root] DEBUG: imported analysis package "exe"
2025-06-14 07:54:09,111 [root] DEBUG: initializing analysis package "exe"...
2025-06-14 07:54:09,111 [lib.common.common] INFO: wrapping
2025-06-14 07:54:09,111 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-14 07:54:09,111 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\TinyTaskPortable_1.7.exe
2025-06-14 07:54:09,111 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-14 07:54:09,111 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-14 07:54:09,111 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-14 07:54:09,111 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-14 07:54:09,329 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-14 07:54:09,376 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-14 07:54:09,408 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-14 07:54:09,408 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-14 07:54:09,423 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-14 07:54:09,423 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-14 07:54:09,423 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-14 07:54:09,439 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-14 07:54:09,439 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-14 07:54:09,439 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-14 07:54:09,439 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-14 07:54:09,439 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-14 07:54:09,439 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-14 07:54:09,439 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-14 07:54:09,439 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-14 07:54:09,439 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-14 07:54:09,439 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-14 07:54:09,439 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-14 07:54:09,579 [modules.auxiliary.digisig] DEBUG: File is not signed
2025-06-14 07:54:09,579 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-14 07:54:09,579 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-14 07:54:09,579 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-14 07:54:09,579 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-14 07:54:09,579 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-14 07:54:09,579 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-14 07:54:09,579 [modules.auxiliary.disguise] INFO: Disguising GUID to 88063f41-cb09-49fe-8433-82e8a31757b9
2025-06-14 07:54:09,579 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-14 07:54:09,579 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-14 07:54:09,579 [root] DEBUG: attempting to configure 'Human' from data
2025-06-14 07:54:09,595 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-14 07:54:09,595 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-14 07:54:09,595 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-14 07:54:09,595 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-14 07:54:09,595 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-14 07:54:09,595 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-14 07:54:09,595 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-14 07:54:09,595 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-14 07:54:09,595 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-14 07:54:09,595 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-14 07:54:09,595 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-14 07:54:09,595 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-14 07:54:09,595 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-14 07:54:09,595 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-14 07:54:09,611 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmpjeo7jmad\dll\696.ini
2025-06-14 07:54:09,611 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-14 07:54:09,611 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-14 07:54:09,611 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-14 07:54:09,611 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-14 07:54:09,611 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-14 07:54:09,611 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-14 07:54:09,626 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpjeo7jmad\dll\pQxbIz.dll, loader C:\tmpjeo7jmad\bin\EPCPTrhb.exe
2025-06-14 07:54:09,705 [root] DEBUG: Loader: IAT patching disabled.
2025-06-14 07:54:09,705 [root] DEBUG: Loader: Injecting process 696 with C:\tmpjeo7jmad\dll\pQxbIz.dll.
2025-06-14 07:54:09,767 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-14 07:54:09,767 [root] INFO: Disabling sleep skipping.
2025-06-14 07:54:09,767 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-14 07:54:09,767 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-14 07:54:09,767 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-14 07:54:09,767 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-14 07:54:09,767 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-14 07:54:09,767 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-14 07:54:09,798 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-14 07:54:09,798 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-14 07:54:09,798 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 668, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000
2025-06-14 07:54:09,798 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-14 07:54:09,814 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-14 07:54:09,814 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-14 07:54:09,814 [root] DEBUG: Successfully injected DLL C:\tmpjeo7jmad\dll\pQxbIz.dll.
2025-06-14 07:54:09,814 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-14 07:54:09,814 <truncated>
Machine

Name Label Manager Started On Shutdown On Route
win10-2 win10-2 KVM 2025-06-14 13:13:31 2025-06-14 13:44:16 none

File Details

File Name
TinyTaskPortable_1.7.exe
File Type PE32 executable (GUI) Intel 80386, for MS Windows
File Size 352349 bytes
MD5 ac850015c9bcc969b233ed430ef41866
SHA1 4dcf88c3a4eaf3ae019df56a8258030e06fc64bd
SHA256 efa29a2024460f1df66adb96968f0515a910ed91429059101c0285bb1bed86bc
SHA3-384 6c09bc818bdbaf82df05c2da9ee43fde99c2f7f2e1ee026af2082160c5ef2065b341f289a9ceb9971257f04fe7539ed6
CRC32 7DF60F5A
TLSH T1CA74128177F1D1A3EA3343311AF11DB2A6BD2D1C4862CF0F1B85790839781A0EA5E7E2
Ssdeep 6144:O7BfU1jXI65nOKJ4wDfPImPeBzbFvU65d1SmMnDue9hwfVsf+y9b:YQr5nOE4wDnImP0FD3zwR9hwOfDZ

Full Results

Engine Result
Bkav W32.AIDetectMalware
NANO-Antivirus Trojan.Win32.KeyLogger.hjzhwr
Zillya Trojan.Keylogger.Win32.65786
Varist W32/Injector.SHQJ-1469
Xcitium Malware@#23pshffcwmhdz
Google Detected
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/PossibleThreat


PE Information

Image Base 0x00400000
Entry Point 0x000034a5
Reported Checksum 0x00000000
Actual Checksum 0x0005c5b0
Minimum OS Version 4.0
Compile Time 2018-12-15 22:26:01
Import Hash 1f23f452093b5c1ff091a2f9fb4fa3e9
Icon Exact Hash 2c09465cc979677d65781d9403176c31
Icon Similarity Hash 5c00f471cce984e3b873ef9ade242aed
Icon DHash 71e0e4b8cccccce0

Version Infos

Comments For additional details, visit PortableApps.com
CompanyName PortableApps.com
FileDescription TinyTask Portable
FileVersion 1.77.0.0
InternalName TinyTask Portable
LegalCopyright 2007-2019 PortableApps.com, PortableApps.com Installer 3.5.14.0
LegalTrademarks PortableApps.com is a registered trademark of Rare Ideas, LLC.
OriginalFilename TinyTaskPortable_1.77_English.paf.exe
PortableApps.comAppID TinyTaskPortable
PortableApps.comFormatVersion 3.5.14
PortableApps.comInstallerVersion 3.5.14.0
ProductName TinyTask Portable
ProductVersion 1.77.0.0
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x00006409 0x00006600 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.41
.rdata 0x00006a00 0x00008000 0x00001396 0x00001400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.15
.data 0x00007e00 0x0000a000 0x00066358 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.00
.ndata 0x00000000 0x00071000 0x00174000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rsrc 0x00008400 0x001e5000 0x00019a68 0x00019c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.52

Overlay

Offset 0x00022000
Size 0x0003405d

Resources

Name Offset Size Language Sub-language Entropy File type
RT_ICON 0x001e5388 0x00012524 LANG_ENGLISH SUBLANG_ENGLISH_US 7.98 None
RT_ICON 0x001f78b0 0x000025a8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.17 None
RT_ICON 0x001f9e58 0x000010a8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.51 None
RT_ICON 0x001faf00 0x00000ea8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.70 None
RT_ICON 0x001fbda8 0x00000988 LANG_ENGLISH SUBLANG_ENGLISH_US 5.65 None
RT_ICON 0x001fc730 0x000008a8 LANG_ENGLISH SUBLANG_ENGLISH_US 6.02 None
RT_ICON 0x001fcfd8 0x00000568 LANG_ENGLISH SUBLANG_ENGLISH_US 5.67 None
RT_ICON 0x001fd540 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.84 None
RT_DIALOG 0x001fd9a8 0x000000b4 LANG_ENGLISH SUBLANG_ENGLISH_US 2.72 None
RT_DIALOG 0x001fda60 0x00000120 LANG_ENGLISH SUBLANG_ENGLISH_US 2.56 None
RT_DIALOG 0x001fdb80 0x00000200 LANG_ENGLISH SUBLANG_ENGLISH_US 2.68 None
RT_DIALOG 0x001fdd80 0x000000f8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.91 None
RT_DIALOG 0x001fde78 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 2.90 None
RT_GROUP_ICON 0x001fdf68 0x00000076 LANG_ENGLISH SUBLANG_ENGLISH_US 2.80 None
RT_VERSION 0x001fdfe0 0x000005a0 LANG_ENGLISH SUBLANG_ENGLISH_US 3.40 None
RT_MANIFEST 0x001fe580 0x000004e1 LANG_ENGLISH SUBLANG_ENGLISH_US 5.29 None

Imports

KERNEL32.dll

Name Address
ExitProcess 0x408070
SetFileAttributesW 0x408074
Sleep 0x408078
GetTickCount 0x40807c
CreateFileW 0x408080
GetFileSize 0x408084
GetModuleFileNameW 0x408088
GetCurrentProcess 0x40808c
SetCurrentDirectoryW 0x408090
GetFileAttributesW 0x408094
SetEnvironmentVariableW 0x408098
GetWindowsDirectoryW 0x40809c
GetTempPathW 0x4080a0
GetCommandLineW 0x4080a4
GetVersion 0x4080a8
SetErrorMode 0x4080ac
lstrlenW 0x4080b0
lstrcpynW 0x4080b4
CopyFileW 0x4080b8
GetShortPathNameW 0x4080bc
GlobalLock 0x4080c0
CreateThread 0x4080c4
GetLastError 0x4080c8
CreateDirectoryW 0x4080cc
CreateProcessW 0x4080d0
RemoveDirectoryW 0x4080d4
lstrcmpiA 0x4080d8
GetTempFileNameW 0x4080dc
WriteFile 0x4080e0
lstrcpyA 0x4080e4
MoveFileExW 0x4080e8
lstrcatW 0x4080ec
GetSystemDirectoryW 0x4080f0
GetProcAddress 0x4080f4
GetModuleHandleA 0x4080f8
GetExitCodeProcess 0x4080fc
WaitForSingleObject 0x408100
lstrcmpiW 0x408104
MoveFileW 0x408108
GetFullPathNameW 0x40810c
SetFileTime 0x408110
SearchPathW 0x408114
CompareFileTime 0x408118
lstrcmpW 0x40811c
CloseHandle 0x408120
ExpandEnvironmentStringsW 0x408124
GlobalFree 0x408128
GlobalUnlock 0x40812c
GetDiskFreeSpaceW 0x408130
GlobalAlloc 0x408134
FindFirstFileW 0x408138
FindNextFileW 0x40813c
DeleteFileW 0x408140
SetFilePointer 0x408144
ReadFile 0x408148
FindClose 0x40814c
lstrlenA 0x408150
MulDiv 0x408154
MultiByteToWideChar 0x408158
WideCharToMultiByte 0x40815c
GetPrivateProfileStringW 0x408160
WritePrivateProfileStringW 0x408164
FreeLibrary 0x408168
LoadLibraryExW 0x40816c
GetModuleHandleW 0x408170

USER32.dll

Name Address
GetSystemMenu 0x408194
SetClassLongW 0x408198
EnableMenuItem 0x40819c
IsWindowEnabled 0x4081a0
SetWindowPos 0x4081a4
GetSysColor 0x4081a8
GetWindowLongW 0x4081ac
SetCursor 0x4081b0
LoadCursorW 0x4081b4
CheckDlgButton 0x4081b8
GetMessagePos 0x4081bc
LoadBitmapW 0x4081c0
CallWindowProcW 0x4081c4
IsWindowVisible 0x4081c8
CloseClipboard 0x4081cc
SetClipboardData 0x4081d0
EmptyClipboard 0x4081d4
OpenClipboard 0x4081d8
ScreenToClient 0x4081dc
GetWindowRect 0x4081e0
GetDlgItem 0x4081e4
GetSystemMetrics 0x4081e8
SetDlgItemTextW 0x4081ec
GetDlgItemTextW 0x4081f0
MessageBoxIndirectW 0x4081f4
CharPrevW 0x4081f8
CharNextA 0x4081fc
wsprintfA 0x408200
DispatchMessageW 0x408204
PeekMessageW 0x408208
ReleaseDC 0x40820c
EnableWindow 0x408210
InvalidateRect 0x408214
SendMessageW 0x408218
DefWindowProcW 0x40821c
BeginPaint 0x408220
GetClientRect 0x408224
FillRect 0x408228
DrawTextW 0x40822c
EndDialog 0x408230
RegisterClassW 0x408234
SystemParametersInfoW 0x408238
CreateWindowExW 0x40823c
GetClassInfoW 0x408240
DialogBoxParamW 0x408244
CharNextW 0x408248
ExitWindowsEx 0x40824c
DestroyWindow 0x408250
GetDC 0x408254
SetTimer 0x408258
SetWindowTextW 0x40825c
LoadImageW 0x408260
SetForegroundWindow 0x408264
ShowWindow 0x408268
IsWindow 0x40826c
SetWindowLongW 0x408270
FindWindowExW 0x408274
TrackPopupMenu 0x408278
AppendMenuW 0x40827c
CreatePopupMenu 0x408280
EndPaint 0x408284
CreateDialogParamW 0x408288
SendMessageTimeoutW 0x40828c
wsprintfW 0x408290
PostQuitMessage 0x408294

GDI32.dll

Name Address
SelectObject 0x40804c
SetBkMode 0x408050
CreateFontIndirectW 0x408054
SetTextColor 0x408058
DeleteObject 0x40805c
GetDeviceCaps 0x408060
CreateBrushIndirect 0x408064
SetBkColor 0x408068

SHELL32.dll

Name Address
SHGetSpecialFolderLocation 0x408178
ShellExecuteExW 0x40817c
SHGetPathFromIDListW 0x408180
SHBrowseForFolderW 0x408184
SHGetFileInfoW 0x408188
SHFileOperationW 0x40818c

ADVAPI32.dll

Name Address
AdjustTokenPrivileges 0x408000
RegCreateKeyExW 0x408004
RegOpenKeyExW 0x408008
SetFileSecurityW 0x40800c
OpenProcessToken 0x408010
LookupPrivilegeValueW 0x408014
RegEnumValueW 0x408018
RegDeleteKeyW 0x40801c
RegDeleteValueW 0x408020
RegCloseKey 0x408024
RegSetValueExW 0x408028
RegQueryValueExW 0x40802c
RegEnumKeyW 0x408030

COMCTL32.dll

Name Address
ImageList_Create 0x408038
ImageList_AddMasked 0x40803c
ImageList_Destroy 0x408040

ole32.dll

Name Address
OleUninitialize 0x40829c
OleInitialize 0x4082a0
CoTaskMemFree 0x4082a4
CoCreateInstance 0x4082a8

Usage

Processing ( 2.26 seconds )

  • 2.075 CAPE
  • 0.171 BehaviorAnalysis
  • 0.01 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.06 seconds )

  • 0.008 ransomware_files
  • 0.007 antiav_detectreg
  • 0.005 antianalysis_detectfile
  • 0.005 ransomware_extensions
  • 0.003 antiav_detectfile
  • 0.003 infostealer_ftp
  • 0.003 territorial_disputes_sigs
  • 0.003 ursnif_behavior
  • 0.002 antianalysis_detectreg
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 infostealer_mail
  • 0.002 poullight_files
  • 0.002 masquerade_process_name
  • 0.001 antidebug_devices
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 persistence_shim_database
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior

Reporting ( 0.05 seconds )

  • 0.041 CAPASummary
  • 0.009 JsonDump

Signatures

Queries the keyboard layout
Enumerates running processes
process: System with pid 4
process: Registry with pid 92
process: smss.exe with pid 384
process: csrss.exe with pid 476
process: wininit.exe with pid 552
process: services.exe with pid 656
process: lsass.exe with pid 696
process: fontdrvhost.exe with pid 784
process: svchost.exe with pid 808
process: svchost.exe with pid 924
process: svchost.exe with pid 976
process: svchost.exe with pid 1036
process: svchost.exe with pid 1108
process: svchost.exe with pid 1116
process: svchost.exe with pid 1204
process: svchost.exe with pid 1240
process: svchost.exe with pid 1296
process: svchost.exe with pid 1348
process: svchost.exe with pid 1392
process: svchost.exe with pid 1428
process: svchost.exe with pid 1452
process: svchost.exe with pid 1544
process: svchost.exe with pid 1552
process: svchost.exe with pid 1676
process: svchost.exe with pid 1756
process: svchost.exe with pid 1772
process: svchost.exe with pid 1788
process: Memory Compression with pid 1844
process: svchost.exe with pid 1864
process: svchost.exe with pid 1940
process: svchost.exe with pid 1964
process: svchost.exe with pid 1976
process: svchost.exe with pid 1364
process: svchost.exe with pid 2024
process: svchost.exe with pid 1692
process: svchost.exe with pid 2116
process: svchost.exe with pid 2128
process: svchost.exe with pid 2136
process: svchost.exe with pid 2144
process: svchost.exe with pid 2252
process: spoolsv.exe with pid 2340
process: svchost.exe with pid 2384
process: svchost.exe with pid 2416
process: svchost.exe with pid 2568
process: svchost.exe with pid 2580
process: svchost.exe with pid 2596
process: svchost.exe with pid 2608
process: svchost.exe with pid 2640
process: svchost.exe with pid 2736
process: svchost.exe with pid 2756
process: svchost.exe with pid 2764
process: MsMpEng.exe with pid 2772
process: svchost.exe with pid 2800
process: svchost.exe with pid 2852
process: svchost.exe with pid 3136
process: svchost.exe with pid 3772
process: svchost.exe with pid 3912
process: MicrosoftEdgeUpdate.exe with pid 3080
process: svchost.exe with pid 64
process: svchost.exe with pid 820
process: svchost.exe with pid 3692
process: SearchIndexer.exe with pid 5088
process: svchost.exe with pid 5940
process: svchost.exe with pid 6084
process: svchost.exe with pid 6092
process: svchost.exe with pid 5208
process: svchost.exe with pid 3440
process: dasHost.exe with pid 4544
process: svchost.exe with pid 4576
process: SecurityHealthService.exe with pid 4392
process: NisSrv.exe with pid 5416
process: svchost.exe with pid 6748
process: svchost.exe with pid 7040
process: svchost.exe with pid 6580
process: SgrmBroker.exe with pid 1796
process: svchost.exe with pid 6248
process: svchost.exe with pid 572
process: svchost.exe with pid 3184
process: svchost.exe with pid 3180
process: svchost.exe with pid 5236
process: svchost.exe with pid 1572
process: svchost.exe with pid 5020
process: csrss.exe with pid 6676
process: winlogon.exe with pid 780
process: fontdrvhost.exe with pid 4680
process: dwm.exe with pid 3860
process: sihost.exe with pid 2360
process: svchost.exe with pid 2216
process: svchost.exe with pid 6832
process: svchost.exe with pid 5524
process: taskhostw.exe with pid 7156
process: explorer.exe with pid 640
process: svchost.exe with pid 4968
process: StartMenuExperienceHost.exe with pid 4628
process: RuntimeBroker.exe with pid 6224
process: SearchApp.exe with pid 2060
process: RuntimeBroker.exe with pid 2732
process: SearchApp.exe with pid 952
process: ctfmon.exe with pid 5664
process: SkypeBackgroundHost.exe with pid 648
process: TextInputHost.exe with pid 676
process: smartscreen.exe with pid 5572
process: RuntimeBroker.exe with pid 6932
process: SecurityHealthSystray.exe with pid 5404
process: OneDrive.exe with pid 4508
process: SystemSettings.exe with pid 5096
process: ApplicationFrameHost.exe with pid 4160
process: UserOOBEBroker.exe with pid 5852
process: audiodg.exe with pid 5596
process: dllhost.exe with pid 1856
process: svchost.exe with pid 1632
process: ShellExperienceHost.exe with pid 5964
process: RuntimeBroker.exe with pid 6872
process: conhost.exe with pid 2892
process: upfc.exe with pid 1216
process: svchost.exe with pid 5864
process: backgroundTaskHost.exe with pid 5536
process: CompatTelRunner.exe with pid 816
process: TrustedInstaller.exe with pid 1376
process: MoUsoCoreWorker.exe with pid 5176
process: TiWorker.exe with pid 580
process: conhost.exe with pid 1492
process: svchost.exe with pid 2036
process: sppsvc.exe with pid 1404
process: SppExtComObj.Exe with pid 1660
process: RuntimeBroker.exe with pid 2516
process: RuntimeBroker.exe with pid 5560
process: svchost.exe with pid 6212
process: WmiPrvSE.exe with pid 4368
process: WmiPrvSE.exe with pid 2068
process: svchost.exe with pid 6196
process: dllhost.exe with pid 6964
process: TinyTaskPortable_1.7.exe with pid 872
Reads data out of its own binary image
self_read: process: TinyTaskPortable_1.7.exe, pid: 872, offset: 0x00000000, length: 0x00056059
self_read: process: TinyTaskPortable_1.7.exe, pid: 872, offset: 0x30785c206331785c, length: 0x00004000
self_read: process: TinyTaskPortable_1.7.exe, pid: 872, offset: 0x30785c606331785c, length: 0x00008000
self_read: process: TinyTaskPortable_1.7.exe, pid: 872, offset: 0x785c3530785c6059, length: 0x00000004
The binary likely contains encrypted or compressed data
section: {'name': '.rsrc', 'raw_address': '0x00008400', 'virtual_address': '0x001e5000', 'virtual_size': '0x00019a68', 'size_of_data': '0x00019c00', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x40000040', 'entropy': '7.52'}
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Windows\System32\kernel.appcore.dll
\Device\CNG
\??\MountPointManager
C:\Users\Packager\AppData\Local\Temp\
C:\Users\Packager\AppData\Local\Temp
C:\Users\Packager\AppData\Local\Temp\nse6CA.tmp
C:\Users\Packager\AppData\Local\Temp\TinyTaskPortable_1.7.exe
C:\Users\Packager\AppData\Local\Temp\nsj738.tmp
C:\Users\Packager\AppData\Local\Temp\nso758.tmp
C:\Users
C:\Users\Packager
C:\Users\Packager\AppData
C:\Users\Packager\AppData\Local
C:\Users\Packager\PortableApps\*.*
C:\Users\Packager\AppData\Local\Temp\nso758.tmp\System.dll
C:\PortableApps
C:\Windows\System32\en-US\USER32.dll.mui
C:\Users\Packager\AppData\Local\Temp\nso758.tmp\modern-header.bmp
C:\Users\Packager\AppData\Local\Temp\nso758.tmp\modern-wizard.bmp
C:\Windows\System32\textinputframework.dll
C:\Windows\System32\CoreUIComponents.dll
C:\Windows\System32\CoreMessaging.dll
C:\Windows\System32\WinTypes.dll
C:\Windows\SystemResources\USER32.dll.mun
C:\Users\Packager\AppData\Local\Temp\nso758.tmp\nsDialogs.dll
C:\Windows\Fonts\staticcache.dat
C:\Windows\System32\TextShaping.dll
C:\Data\PortableApps.comInstaller\license.ini
C:\Windows\win.ini
C:\Windows\System32\UXTHEME.dll.Config
C:\Windows\System32\uxtheme.dll
C:\Users\Packager\AppData\Local\Temp\TinyTaskPortable_1.7.exe.Local\
C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984
C:\Windows\System32\shell32.dll
C:\Windows\System32\imageres.dll
C:\Windows\SystemResources\imageres.dll.mun
C:\Users\Packager\AppData\Local\Temp\nsj738.tmp
C:\Users\Packager\AppData\Local\Temp\nso758.tmp\System.dll
C:\Users\Packager\AppData\Local\Temp\nso758.tmp\modern-header.bmp
C:\Users\Packager\AppData\Local\Temp\nso758.tmp\modern-wizard.bmp
C:\Users\Packager\AppData\Local\Temp\nso758.tmp\nsDialogs.dll
C:\Users\Packager\AppData\Local\Temp\nse6CA.tmp
C:\Users\Packager\AppData\Local\Temp\nso758.tmp
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_CURRENT_USER
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\Generation
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StateSeparation\RedirectionMap\Keys
HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\OverlayPackages\en-US
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\TinyTaskPortable_1.7.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Shell Dlg 2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Shell Dlg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\AppCompatClassName
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\IsVailContainer
HKEY_LOCAL_MACHINE\Software\Microsoft\Input
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\ResyncResetTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\MaxResyncAttempts
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software
HKEY_LOCAL_MACHINE\Software
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\AutoSuggest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Always Use Tab
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Client\
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Client\(Default)
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\IsVailContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\ResyncResetTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\MaxResyncAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\AutoSuggest
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Always Use Tab
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Client\(Default)
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
Local\SM0:872:168:WilStaging_02
Local\MSCTF.Asm.MutexDefault3
CicLoadWinStaWinSta0
Local\MSCTF.CtfMonitorInstMutexDefault3
DefaultTabtip-MainUI
Local\SM0:872:64:WilError_03
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.