Analysis

Category FILE
Package nsis
Started 2020-06-30 06:03:39
Completed 2020-06-30 06:08:33
Duration 294 seconds
Options route = tor
2020-05-13 09:13:37,282 [root] INFO: Date set to: 20200630T06:03:38, timeout set to: 200
2020-06-30 06:03:38,046 [root] DEBUG: Starting analyzer from: C:\tmpq_mrpfl7
2020-06-30 06:03:38,046 [root] DEBUG: Storing results at: C:\IWAAQLuUV
2020-06-30 06:03:38,046 [root] DEBUG: Pipe server name: \\.\PIPE\dvyKnMW
2020-06-30 06:03:38,046 [root] DEBUG: Python path: C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32
2020-06-30 06:03:38,046 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-06-30 06:03:38,062 [root] INFO: Automatically selected analysis package "nsis"
2020-06-30 06:03:38,062 [root] DEBUG: Trying to import analysis package "nsis"...
2020-06-30 06:03:38,078 [root] DEBUG: Imported analysis package "nsis".
2020-06-30 06:03:38,078 [root] DEBUG: Trying to initialize analysis package "nsis"...
2020-06-30 06:03:38,078 [root] DEBUG: Initialized analysis package "nsis".
2020-06-30 06:03:38,125 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-06-30 06:03:38,140 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-06-30 06:03:38,140 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-06-30 06:03:38,171 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-06-30 06:03:38,171 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-06-30 06:03:38,187 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-06-30 06:03:38,187 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-06-30 06:03:38,203 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-06-30 06:03:38,218 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-06-30 06:03:38,234 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-06-30 06:03:38,234 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-06-30 06:03:38,234 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-06-30 06:03:38,234 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-06-30 06:03:38,234 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-06-30 06:03:38,234 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-06-30 06:03:38,234 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-06-30 06:03:38,249 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-06-30 06:03:38,249 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-06-30 06:03:38,249 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-06-30 06:03:38,249 [lib.api.screenshot] DEBUG: Importing 'math'
2020-06-30 06:03:38,249 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-06-30 06:03:39,500 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-06-30 06:03:39,609 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-06-30 06:03:39,656 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-06-30 06:03:39,656 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-06-30 06:03:39,656 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-06-30 06:03:39,656 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-06-30 06:03:39,656 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-06-30 06:03:39,671 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-06-30 06:03:39,671 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-06-30 06:03:39,671 [root] DEBUG: Initialized auxiliary module "Browser".
2020-06-30 06:03:39,671 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-06-30 06:03:39,671 [root] DEBUG: Started auxiliary module Browser
2020-06-30 06:03:39,687 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-06-30 06:03:39,687 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-06-30 06:03:39,687 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-06-30 06:03:39,687 [root] DEBUG: Started auxiliary module Curtain
2020-06-30 06:03:39,687 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-06-30 06:03:39,687 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-06-30 06:03:39,687 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-06-30 06:03:39,687 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-06-30 06:03:40,031 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-06-30 06:03:40,031 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-06-30 06:03:40,046 [root] DEBUG: Started auxiliary module DigiSig
2020-06-30 06:03:40,046 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-06-30 06:03:40,046 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-06-30 06:03:40,046 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-06-30 06:03:40,062 [root] DEBUG: Started auxiliary module Disguise
2020-06-30 06:03:40,078 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-06-30 06:03:40,078 [root] DEBUG: Initialized auxiliary module "Human".
2020-06-30 06:03:40,078 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-06-30 06:03:40,078 [root] DEBUG: Started auxiliary module Human
2020-06-30 06:03:40,078 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-06-30 06:03:40,078 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-06-30 06:03:40,078 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-06-30 06:03:40,078 [root] DEBUG: Started auxiliary module Procmon
2020-06-30 06:03:40,078 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-06-30 06:03:40,078 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-06-30 06:03:40,078 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-06-30 06:03:40,093 [root] DEBUG: Started auxiliary module Screenshots
2020-06-30 06:03:40,093 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-06-30 06:03:40,093 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-06-30 06:03:40,093 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-06-30 06:03:40,093 [root] DEBUG: Started auxiliary module Sysmon
2020-06-30 06:03:40,093 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-06-30 06:03:40,093 [root] DEBUG: Initialized auxiliary module "Usage".
2020-06-30 06:03:40,093 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-06-30 06:03:40,093 [root] DEBUG: Started auxiliary module Usage
2020-06-30 06:03:40,093 [root] INFO: Analyzer: Package modules.packages.nsis does not specify a DLL option
2020-06-30 06:03:40,093 [root] INFO: Analyzer: Package modules.packages.nsis does not specify a DLL_64 option
2020-06-30 06:03:40,093 [root] INFO: Analyzer: Package modules.packages.nsis does not specify a loader option
2020-06-30 06:03:40,093 [root] INFO: Analyzer: Package modules.packages.nsis does not specify a loader_64 option
2020-06-30 06:03:40,125 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\cmd.exe" with arguments "/c start /wait "" "C:\Users\Rebecca\AppData\Local\Temp\XY4k2fzQ3.exe" /NCRC" with pid 2552
2020-06-30 06:03:40,125 [lib.api.process] INFO: Monitor config for process 2552: C:\tmpq_mrpfl7\dll\2552.ini
2020-06-30 06:03:40,140 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpq_mrpfl7\dll\WRMKbgAp.dll, loader C:\tmpq_mrpfl7\bin\nfbPmPb.exe
2020-06-30 06:03:40,249 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\dvyKnMW.
2020-06-30 06:03:40,249 [root] DEBUG: Loader: Injecting process 2552 (thread 3968) with C:\tmpq_mrpfl7\dll\WRMKbgAp.dll.
2020-06-30 06:03:40,249 [root] DEBUG: Process image base: 0x4A1D0000
2020-06-30 06:03:40,249 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpq_mrpfl7\dll\WRMKbgAp.dll.
2020-06-30 06:03:40,249 [root] DEBUG: InjectDllViaIAT: Failed to allocate region in target process for new import table.
2020-06-30 06:03:40,249 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-06-30 06:03:40,640 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 06:03:40,656 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 06:03:40,656 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 2552 at 0x6b650000, image base 0x4a1d0000, stack from 0x83000-0x180000
2020-06-30 06:03:40,671 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Windows\system32\cmd.exe" \c start \wait "" "C:\Users\Rebecca\AppData\Local\Temp\XY4k2fzQ3.exe" \NCRC.
2020-06-30 06:03:40,671 [root] INFO: Loaded monitor into process with pid 2552
2020-06-30 06:03:40,687 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-30 06:03:40,687 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-30 06:03:40,687 [root] DEBUG: Successfully injected DLL C:\tmpq_mrpfl7\dll\WRMKbgAp.dll.
2020-06-30 06:03:42,703 [lib.api.process] INFO: Successfully resumed process with pid 2552
2020-06-30 06:03:43,046 [root] INFO: Announced 32-bit process name: XY4k2fzQ3.exe pid: 3272
2020-06-30 06:03:43,046 [lib.api.process] INFO: Monitor config for process 3272: C:\tmpq_mrpfl7\dll\3272.ini
2020-06-30 06:03:43,062 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpq_mrpfl7\dll\WRMKbgAp.dll, loader C:\tmpq_mrpfl7\bin\nfbPmPb.exe
2020-06-30 06:03:43,078 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\dvyKnMW.
2020-06-30 06:03:43,078 [root] DEBUG: Loader: Injecting process 3272 (thread 2324) with C:\tmpq_mrpfl7\dll\WRMKbgAp.dll.
2020-06-30 06:03:43,078 [root] DEBUG: Process image base: 0x00400000
2020-06-30 06:03:43,093 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpq_mrpfl7\dll\WRMKbgAp.dll.
2020-06-30 06:03:43,093 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-30 06:03:43,093 [root] DEBUG: Successfully injected DLL C:\tmpq_mrpfl7\dll\WRMKbgAp.dll.
2020-06-30 06:03:43,093 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3272
2020-06-30 06:03:43,093 [root] INFO: Disabling sleep skipping.
2020-06-30 06:03:43,093 [root] DEBUG: DLL loaded at 0x75AE0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-06-30 06:03:43,234 [root] DEBUG: CreateProcessHandler: Injection info set for new process 3272, ImageBase: 0x00400000
2020-06-30 06:03:43,249 [root] INFO: Announced 32-bit process name: XY4k2fzQ3.exe pid: 3272
2020-06-30 06:03:43,249 [lib.api.process] INFO: Monitor config for process 3272: C:\tmpq_mrpfl7\dll\3272.ini
2020-06-30 06:03:43,249 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpq_mrpfl7\dll\WRMKbgAp.dll, loader C:\tmpq_mrpfl7\bin\nfbPmPb.exe
2020-06-30 06:03:43,265 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\dvyKnMW.
2020-06-30 06:03:43,281 [root] DEBUG: Loader: Injecting process 3272 (thread 2324) with C:\tmpq_mrpfl7\dll\WRMKbgAp.dll.
2020-06-30 06:03:43,281 [root] DEBUG: Process image base: 0x00400000
2020-06-30 06:03:43,281 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpq_mrpfl7\dll\WRMKbgAp.dll.
2020-06-30 06:03:43,281 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-30 06:03:43,281 [root] DEBUG: Successfully injected DLL C:\tmpq_mrpfl7\dll\WRMKbgAp.dll.
2020-06-30 06:03:43,281 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3272
2020-06-30 06:03:43,281 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 3272.
2020-06-30 06:03:43,296 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 06:03:43,296 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 06:03:43,312 [root] INFO: Disabling sleep skipping.
2020-06-30 06:03:43,312 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-30 06:03:43,328 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3272 at 0x6b650000, image base 0x400000, stack from 0x126000-0x130000
2020-06-30 06:03:43,328 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Users\Rebecca\AppData\Local\Temp\XY4k2fzQ3.exe"  \NCRC.
2020-06-30 06:03:43,343 [root] INFO: Loaded monitor into process with pid 3272
2020-06-30 06:03:43,343 [root] DEBUG: OpenProcessHandler: Injection info created for Pid 3272, handle 0xc4.
2020-06-30 06:03:43,343 [root] DEBUG: DLL loaded at 0x74790000: C:\Windows\system32\UXTHEME (0x40000 bytes).
2020-06-30 06:03:43,343 [root] DEBUG: DLL loaded at 0x75210000: C:\Windows\system32\USERENV (0x17000 bytes).
2020-06-30 06:03:43,359 [root] DEBUG: DLL loaded at 0x75BE0000: C:\Windows\system32\profapi (0xb000 bytes).
2020-06-30 06:03:43,453 [root] DEBUG: DLL loaded at 0x77830000: C:\Windows\system32\SETUPAPI (0x19d000 bytes).
2020-06-30 06:03:43,453 [root] DEBUG: DLL loaded at 0x75C90000: C:\Windows\system32\CFGMGR32 (0x27000 bytes).
2020-06-30 06:03:43,453 [root] DEBUG: DLL loaded at 0x76500000: C:\Windows\system32\OLEAUT32 (0x91000 bytes).
2020-06-30 06:03:43,468 [root] DEBUG: DLL loaded at 0x75CF0000: C:\Windows\system32\DEVOBJ (0x12000 bytes).
2020-06-30 06:03:43,468 [root] DEBUG: DLL loaded at 0x75AE0000: C:\Windows\system32\APPHELP (0x4c000 bytes).
2020-06-30 06:03:43,468 [root] DEBUG: DLL loaded at 0x747E0000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2020-06-30 06:03:43,484 [root] DEBUG: DLL loaded at 0x74140000: C:\Windows\system32\DWMAPI (0x13000 bytes).
2020-06-30 06:03:43,484 [root] DEBUG: DLL loaded at 0x75B30000: C:\Windows\system32\CRYPTBASE (0xc000 bytes).
2020-06-30 06:03:43,484 [root] DEBUG: DLL loaded at 0x735F0000: C:\Windows\system32\OLEACC (0x3c000 bytes).
2020-06-30 06:03:43,500 [root] DEBUG: DLL loaded at 0x76010000: C:\Windows\system32\CLBCATQ (0x83000 bytes).
2020-06-30 06:03:43,500 [root] DEBUG: DLL loaded at 0x74900000: C:\Windows\system32\NTMARTA (0x21000 bytes).
2020-06-30 06:03:43,500 [root] DEBUG: DLL loaded at 0x761A0000: C:\Windows\system32\WLDAP32 (0x45000 bytes).
2020-06-30 06:03:43,500 [root] DEBUG: DLL loaded at 0x750B0000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-30 06:03:43,765 [root] DEBUG: DLL loaded at 0x73550000: C:\Windows\system32\SHFOLDER (0x5000 bytes).
2020-06-30 06:03:43,843 [root] DEBUG: DLL loaded at 0x74AC0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32 (0x19e000 bytes).
2020-06-30 06:03:43,875 [root] DEBUG: DLL unloaded from 0x76AE0000.
2020-06-30 06:03:43,890 [root] DEBUG: DLL loaded at 0x6ED80000: C:\Windows\System32\shdocvw (0x2f000 bytes).
2020-06-30 06:03:44,109 [root] INFO: Added new file to list with pid None and path C:\Users\Rebecca\AppData\Local\Temp\_template\stdole.dll
2020-06-30 06:03:44,109 [root] INFO: Added new file to list with pid None and path C:\Users\Rebecca\AppData\Local\Temp\_template\39.opends60.dll
2020-06-30 06:03:44,125 [root] INFO: Added new file to list with pid None and path C:\Users\Rebecca\AppData\Local\Temp\_template\cutterrollfeed.xml
2020-06-30 06:03:44,218 [root] INFO: Added new file to list with pid None and path C:\Users\Rebecca\AppData\Local\Temp\_template\x-scala.xml
2020-06-30 06:03:44,234 [root] INFO: Added new file to list with pid None and path C:\Users\Rebecca\AppData\Local\Temp\_template\org.gnome.libgnomekbd.gschema.xml
2020-06-30 06:03:44,234 [root] INFO: Added new file to list with pid None and path C:\Users\Rebecca\AppData\Local\Temp\_template\WebDevWebServer.exe
2020-06-30 06:03:44,249 [root] INFO: Added new file to list with pid None and path C:\Users\Rebecca\AppData\Local\Temp\_template\evince-comicsdocument.metainfo.xml
2020-06-30 06:03:44,249 [root] INFO: Added new file to list with pid None and path C:\Users\Rebecca\AppData\Local\Temp\_template\related.xml
2020-06-30 06:03:44,390 [root] INFO: Added new file to list with pid None and path C:\Users\Rebecca\AppData\Local\Temp\Mantel
2020-06-30 06:03:44,406 [root] INFO: Added new file to list with pid None and path C:\Users\Rebecca\AppData\Local\Temp\Fireside.dll
2020-06-30 06:03:44,421 [root] INFO: Announced 32-bit process name: rundll32.exe pid: 5304
2020-06-30 06:03:44,421 [lib.api.process] INFO: Monitor config for process 5304: C:\tmpq_mrpfl7\dll\5304.ini
2020-06-30 06:03:44,421 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpq_mrpfl7\dll\WRMKbgAp.dll, loader C:\tmpq_mrpfl7\bin\nfbPmPb.exe
2020-06-30 06:03:44,437 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\dvyKnMW.
2020-06-30 06:03:44,437 [root] DEBUG: Loader: Injecting process 5304 (thread 1516) with C:\tmpq_mrpfl7\dll\WRMKbgAp.dll.
2020-06-30 06:03:44,437 [root] DEBUG: Process image base: 0x009B0000
2020-06-30 06:03:44,453 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpq_mrpfl7\dll\WRMKbgAp.dll.
2020-06-30 06:03:44,453 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-30 06:03:44,453 [root] DEBUG: Successfully injected DLL C:\tmpq_mrpfl7\dll\WRMKbgAp.dll.
2020-06-30 06:03:44,453 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 5304
2020-06-30 06:03:44,453 [root] DEBUG: CreateProcessHandler: using lpCommandLine: C:\Windows\system32\rundll32.exe Fireside,Pretor.
2020-06-30 06:03:44,453 [root] DEBUG: CreateProcessHandler: Injection info set for new process 5304, ImageBase: 0x009B0000
2020-06-30 06:03:44,468 [root] INFO: Announced 32-bit process name: rundll32.exe pid: 5304
2020-06-30 06:03:44,468 [lib.api.process] INFO: Monitor config for process 5304: C:\tmpq_mrpfl7\dll\5304.ini
2020-06-30 06:03:44,468 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmpq_mrpfl7\dll\WRMKbgAp.dll, loader C:\tmpq_mrpfl7\bin\nfbPmPb.exe
2020-06-30 06:03:44,484 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\dvyKnMW.
2020-06-30 06:03:44,484 [root] DEBUG: Loader: Injecting process 5304 (thread 1516) with C:\tmpq_mrpfl7\dll\WRMKbgAp.dll.
2020-06-30 06:03:44,484 [root] DEBUG: Process image base: 0x009B0000
2020-06-30 06:03:44,484 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmpq_mrpfl7\dll\WRMKbgAp.dll.
2020-06-30 06:03:44,484 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-30 06:03:44,484 [root] DEBUG: Successfully injected DLL C:\tmpq_mrpfl7\dll\WRMKbgAp.dll.
2020-06-30 06:03:44,484 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 5304
2020-06-30 06:03:44,515 [root] DEBUG: Python path set to 'C:\Users\Rebecca\AppData\Local\Programs\Python\Python38-32'.
2020-06-30 06:03:44,515 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-30 06:03:44,515 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-30 06:03:44,515 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 5304 at 0x6b650000, image base 0x9b0000, stack from 0x84000-0x90000
2020-06-30 06:03:44,531 [root] DEBUG: Commandline: C:\Windows\System32\rundll32.exe Fireside,Pretor.
2020-06-30 06:03:44,531 [root] INFO: Loaded monitor into process with pid 5304
2020-06-30 06:07:02,796 [root] INFO: Analysis timeout hit, terminating analysis.
2020-06-30 06:07:02,796 [lib.api.process] INFO: Terminate event set for process 2552
2020-06-30 06:07:02,796 [root] DEBUG: Terminate Event: Attempting to dump process 2552
2020-06-30 06:07:02,796 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x4A1D0000.
2020-06-30 06:07:02,796 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-30 06:07:02,812 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x4A1D0000.
2020-06-30 06:07:02,812 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000829A.
2020-06-30 06:07:02,875 [root] DEBUG: DLL loaded at 0x75B30000: C:\Windows\system32\cryptbase (0xc000 bytes).
2020-06-30 06:07:02,906 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x49e00.
2020-06-30 06:07:02,921 [lib.api.process] INFO: Termination confirmed for process 2552
2020-06-30 06:07:02,921 [root] INFO: Terminate event set for process 2552.
2020-06-30 06:07:02,921 [lib.api.process] INFO: Terminate event set for process 3272
2020-06-30 06:07:02,921 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 2552
2020-06-30 06:07:02,921 [root] DEBUG: Terminate Event: Attempting to dump process 3272
2020-06-30 06:07:02,921 [root] DEBUG: DoProcessDump: Dumping Imagebase at 0x00400000.
2020-06-30 06:07:02,937 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-06-30 06:07:02,937 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00400000.
2020-06-30 06:07:02,937 [root] DEBUG: DumpProcess: Module entry point VA is 0x000033A9.
2020-06-30 06:07:02,968 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x36000.
2020-06-30 06:07:02,968 [lib.api.process] INFO: Termination confirmed for process 3272
2020-06-30 06:07:02,968 [root] INFO: Terminate event set for process 3272.
2020-06-30 06:07:02,968 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 3272
2020-06-30 06:07:02,968 [lib.api.process] INFO: Terminate event set for process 5304
2020-06-30 06:07:02,968 [lib.api.process] INFO: Termination confirmed for process 5304
2020-06-30 06:07:02,968 [root] INFO: Terminate event set for process 5304.
2020-06-30 06:07:02,968 [root] INFO: Created shutdown mutex.
2020-06-30 06:07:03,968 [root] INFO: Shutting down package.
2020-06-30 06:07:03,968 [root] INFO: Stopping auxiliary modules.
2020-06-30 06:07:04,046 [lib.common.results] WARNING: File C:\IWAAQLuUV\bin\procmon.xml doesn't exist anymore
2020-06-30 06:07:04,046 [root] INFO: Finishing auxiliary modules.
2020-06-30 06:07:04,046 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-06-30 06:07:04,203 [root] WARNING: Folder at path "C:\IWAAQLuUV\debugger" does not exist, skip.
2020-06-30 06:07:04,203 [root] INFO: Analysis completed.
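The analyzer log above records three monitored processes (cmd.exe 2552, the installer 3272 and rundll32.exe 5304), the files the installer wrote under %TEMP%, and a rundll32 command line that names its module as the bare word Fireside rather than a path, which the loader resolves through the DLL search order to the dropped Fireside.dll. The Python below is an added example, not part of this report or of CAPE's own code: it parses log lines of the shapes shown above into processes, dropped files and command lines, de-duplicates the repeated "Announced" lines per pid, and flags a rundll32 invocation whose module argument matches a dropped file by basename. The sample lines are copied from the log above; the rule, the function names and the bare-name heuristic are the author's assumptions.

```python
"""Parse a CAPE analyzer log for process creations, dropped files and command
lines, then flag rundll32 loading a dropped DLL by bare module name.

Added example, not part of the CAPE report or of CAPE itself.  SAMPLE_LOG is
copied from the analysis log above; the rule and the function names are the
author's assumptions.
"""

import re
from pathlib import PureWindowsPath

# Lines copied from the analyzer log above; pid 3272 is announced twice, as in the log.
SAMPLE_LOG = r"""
2020-06-30 06:03:43,046 [root] INFO: Announced 32-bit process name: XY4k2fzQ3.exe pid: 3272
2020-06-30 06:03:43,249 [root] INFO: Announced 32-bit process name: XY4k2fzQ3.exe pid: 3272
2020-06-30 06:03:44,109 [root] INFO: Added new file to list with pid None and path C:\Users\Rebecca\AppData\Local\Temp\_template\stdole.dll
2020-06-30 06:03:44,390 [root] INFO: Added new file to list with pid None and path C:\Users\Rebecca\AppData\Local\Temp\Mantel
2020-06-30 06:03:44,406 [root] INFO: Added new file to list with pid None and path C:\Users\Rebecca\AppData\Local\Temp\Fireside.dll
2020-06-30 06:03:44,421 [root] INFO: Announced 32-bit process name: rundll32.exe pid: 5304
2020-06-30 06:03:44,453 [root] DEBUG: CreateProcessHandler: using lpCommandLine: C:\Windows\system32\rundll32.exe Fireside,Pretor.
""".strip()

ANNOUNCE = re.compile(r"Announced (\d+)-bit process name: (\S+) pid: (\d+)")
DROPPED = re.compile(r"Added new file to list with pid \S+ and path (.+)$")
# The log terminates the command line with a period; (.+?) stops before it.
CMDLINE = re.compile(r"CreateProcessHandler: using lpCommandLine: (.+?)\.?$")


def parse_log(text):
    """Return {"processes": [...], "dropped": [...], "cmdlines": [...]}.

    CAPE announces the same pid more than once (once per injection attempt),
    so processes are de-duplicated by pid while keeping first-seen order.
    """
    processes, dropped, cmdlines = {}, [], []
    for line in text.splitlines():
        if m := ANNOUNCE.search(line):
            pid = int(m.group(3))
            processes.setdefault(pid, {"pid": pid, "name": m.group(2), "bits": int(m.group(1))})
        elif m := DROPPED.search(line):
            dropped.append(m.group(1).strip())
        elif m := CMDLINE.search(line):
            cmdlines.append(m.group(1))
    return {"processes": list(processes.values()), "dropped": dropped, "cmdlines": cmdlines}


def rundll32_module(cmdline):
    """Return the module argument of a rundll32 command line, else None.

    Assumes the "rundll32.exe <module>,<export> [args]" form; a quoted
    module path containing spaces is not handled here (author's simplification).
    """
    parts = cmdline.split(None, 1)
    if len(parts) != 2 or PureWindowsPath(parts[0]).name.lower() != "rundll32.exe":
        return None
    return parts[1].split(",", 1)[0].strip().strip('"')


def flag_rundll32_dropped(parsed):
    """Findings for rundll32 command lines whose module is a dropped file.

    A bare module name (no path separator) is resolved through the DLL search
    order, so it is matched against dropped files by basename with or without
    the .dll extension ("Fireside" -> Fireside.dll).
    """
    by_name = {}
    for path in parsed["dropped"]:
        p = PureWindowsPath(path)
        by_name[p.name.lower()] = path
        by_name[p.stem.lower()] = path
    findings = []
    for cmd in parsed["cmdlines"]:
        module = rundll32_module(cmd)
        if module is None:
            continue
        key = PureWindowsPath(module).name.lower()
        if key in by_name:
            findings.append({
                "cmdline": cmd,
                "module": module,
                "dropped_path": by_name[key],
                "bare_name": "\\" not in module and "/" not in module,
            })
    return findings


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for proc in parsed["processes"]:
        print(f"pid {proc['pid']:>5}  {proc['name']} ({proc['bits']}-bit)")
    for f in flag_rundll32_dropped(parsed):
        print("rundll32 loads dropped file:", f["dropped_path"], "via", f["cmdline"])
```

Run against a full analysis.log the same three patterns recover the whole process list and drop list; the rule deliberately keys on the basename rather than the directory, because the Temp path in the command line is absent here and only appears in the loader's search order.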

Machine

Name win7_4
Label win7_4
Manager KVM
Started On 2020-06-30 06:03:39
Shutdown On 2020-06-30 06:08:33

File Details

File Name XY4k2fzQ3
File Size 312081 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
PE timestamp 2019-12-16 00:51:03
MD5 724b0343f5f55aab914f610c1164cdcd
SHA1 b451c5667a1491a99e7c54e549fa89049beba10f
SHA256 8f4bb4bd0cff9da6a0aee3e0204732840f045fab3ae23020385646fc47aae9f4
SHA512 3e8898305f745fcf12735af7be23e780474377e6e16c1b401e783439ce1ecd10602da2f5eae8672d9d9ebe0d66215eeebe8eb46e1103fc6771d936c18ae81e47
CRC32 4F4D0C49
Ssdeep 6144:VPCganNRStrVpXem5+ZbEcfqyR0IhuNyMDhSj02FfE/3TscQolEJ8:7anatrVpXZANF08MDhSRKDsc0i

Signatures

Dynamic (imported) function loading detected
DynamicLoader: IMM32.DLL/ImmCreateContext
DynamicLoader: IMM32.DLL/ImmDestroyContext
DynamicLoader: IMM32.DLL/ImmNotifyIME
DynamicLoader: IMM32.DLL/ImmAssociateContext
DynamicLoader: IMM32.DLL/ImmReleaseContext
DynamicLoader: IMM32.DLL/ImmGetContext
DynamicLoader: IMM32.DLL/ImmGetCompositionStringA
DynamicLoader: IMM32.DLL/ImmSetCompositionStringA
DynamicLoader: IMM32.DLL/ImmGetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCompositionStringW
DynamicLoader: IMM32.DLL/ImmSetCandidateWindow
DynamicLoader: kernel32.dll/SetDefaultDllDirectories
DynamicLoader: VERSION.dll/GetFileVersionInfoA
DynamicLoader: SHFOLDER.dll/SHGetFolderPathA
DynamicLoader: SHLWAPI.dll/
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: comctl32.dll/
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 0 triggered the Yara rule 'embedded_pe'
Reads data out of its own binary image
self_read: process: XY4k2fzQ3.exe, pid: 3272, offset: 0x00000000, length: 0x0000a000
self_read: process: XY4k2fzQ3.exe, pid: 3272, offset: 0x00011e1c, length: 0x0003a4f1
self_read: process: XY4k2fzQ3.exe, pid: 3272, offset: 0x009ec21c, length: 0x00004000
self_read: process: XY4k2fzQ3.exe, pid: 3272, offset: 0x009ec31c, length: 0x00004000
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Rebecca\AppData\Local\Temp\XY4k2fzQ3
Network activity detected but not expressed in API logs
File has been identified by 12 Antiviruses on VirusTotal as malicious
Bkav: HW32.Packed.
Cybereason: malicious.67a149
Invincea: heuristic
Symantec: ML.Attribute.HighConfidence
APEX: Malicious
Paloalto: generic.ml
Endgame: malicious (high confidence)
Jiangmin: TrojanDropper.Scrop.ake
Ikarus: Trojan.Win32.Injector
Webroot: W32.Trojan.Gen
CrowdStrike: win/malicious_confidence_60% (D)
Qihoo-360: HEUR/QVM20.1.3DD0.Malware.Gen

Hosts

Direct IP Country
Y 8.8.8.8 United States
Y 1.1.1.1 Australia

DNS

No domains contacted.


Summary

\Device\KsecDD
\??\MountPointManager
C:\Users\Rebecca\AppData\Local\Temp\
C:\Users\Rebecca\AppData\Local\Temp
C:\Users\Rebecca\AppData\Local\Temp\nsyD986.tmp
C:\Users\Rebecca\AppData\Local\Temp\XY4k2fzQ3.exe
C:\Users\Rebecca\AppData\Local\Temp\nsdDA42.tmp
C:\Users
C:\Users\Rebecca
C:\Users\Rebecca\AppData
C:\Users\Rebecca\AppData\Local
C:\Users\Rebecca\AppData\Local\Temp\_template
C:\Users\Rebecca\AppData\Local\Temp\_template\stdole.dll
C:\Users\Rebecca\AppData\Local\Temp\_template\39.opends60.dll
C:\Users\Rebecca\AppData\Local\Temp\_template\cutterrollfeed.xml
C:\Users\Rebecca\AppData\Local\Temp\_template\x-scala.xml
C:\Users\Rebecca\AppData\Local\Temp\_template\org.gnome.libgnomekbd.gschema.xml
C:\Users\Rebecca\AppData\Local\Temp\_template\WebDevWebServer.exe
C:\Users\Rebecca\AppData\Local\Temp\_template\evince-comicsdocument.metainfo.xml
C:\Users\Rebecca\AppData\Local\Temp\_template\related.xml
C:\Users\Rebecca\AppData\Local\Temp\Mantel
C:\Users\Rebecca\AppData\Local\Temp\Fireside.dll
\Device\KsecDD
C:\Users\Rebecca\AppData\Local\Temp\nsyD986.tmp
C:\Users\Rebecca\AppData\Local\Temp\XY4k2fzQ3.exe
C:\Users\Rebecca\AppData\Local\Temp\nsdDA42.tmp
C:\Users\Rebecca\AppData\Local\Temp\nsdDA42.tmp
C:\Users\Rebecca\AppData\Local\Temp\_template\stdole.dll
C:\Users\Rebecca\AppData\Local\Temp\_template\39.opends60.dll
C:\Users\Rebecca\AppData\Local\Temp\_template\cutterrollfeed.xml
C:\Users\Rebecca\AppData\Local\Temp\_template\x-scala.xml
C:\Users\Rebecca\AppData\Local\Temp\_template\org.gnome.libgnomekbd.gschema.xml
C:\Users\Rebecca\AppData\Local\Temp\_template\WebDevWebServer.exe
C:\Users\Rebecca\AppData\Local\Temp\_template\evince-comicsdocument.metainfo.xml
C:\Users\Rebecca\AppData\Local\Temp\_template\related.xml
C:\Users\Rebecca\AppData\Local\Temp\Mantel
C:\Users\Rebecca\AppData\Local\Temp\Fireside.dll
C:\Users\Rebecca\AppData\Local\Temp\nsyD986.tmp
HKEY_CURRENT_USER
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{4c2e3c01-5984-11ea-a9cb-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{4c2e3c01-5984-11ea-a9cb-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{4c2e3c01-5984-11ea-a9cb-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb57-272f-11e9-8326-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb57-272f-11e9-8326-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb57-272f-11e9-8326-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb58-272f-11e9-8326-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb58-272f-11e9-8326-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb58-272f-11e9-8326-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{4c2e3c01-5984-11ea-a9cb-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{4c2e3c01-5984-11ea-a9cb-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb57-272f-11e9-8326-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb57-272f-11e9-8326-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb58-272f-11e9-8326-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{210acb58-272f-11e9-8326-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernelbase.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.ProcessIdToSessionId
imm32.dll.ImmCreateContext
imm32.dll.ImmDestroyContext
imm32.dll.ImmNotifyIME
imm32.dll.ImmAssociateContext
imm32.dll.ImmReleaseContext
imm32.dll.ImmGetContext
imm32.dll.ImmGetCompositionStringA
imm32.dll.ImmSetCompositionStringA
imm32.dll.ImmGetCompositionStringW
imm32.dll.ImmSetCompositionStringW
imm32.dll.ImmSetCandidateWindow
kernel32.dll.SetDefaultDllDirectories
version.dll.GetFileVersionInfoA
shfolder.dll.SHGetFolderPathA
shlwapi.dll.#437
cryptbase.dll.SystemFunction036
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#386
kernel32.dll.GetUserDefaultUILanguage
C:\Windows\system32\rundll32.exe Fireside,Pretor

PE Information

Image Base 0x00400000
Entry Point 0x004033a9
Reported Checksum 0x00000000
Actual Checksum 0x0005aebc
Minimum OS Version 4.0
Compile Time 2019-12-16 00:51:03
Import Hash 7c2c71dfce9a27650634dc8b1ca03bf0
Icon Exact Hash 394de8a65c892fbb2b2f911abb879c90
Icon Similarity Hash 55ccb45671409552fd44cbf7d91907d9

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x00006455 0x00006600 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.44
.rdata 0x00006a00 0x00008000 0x0000134a 0x00001400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.24
.data 0x00007e00 0x0000a000 0x00025538 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.13
.ndata 0x00000000 0x00030000 0x00009000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rsrc 0x00008400 0x00039000 0x00001858 0x00001a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.24

Overlay

Offset 0x00009e00
Size 0x00042511
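The overlay offset above is not an independent measurement: it is where the last section's raw data ends (.rsrc at 0x8400 + 0x1a00 = 0x9e00), and its size is the file size minus that offset. An NSIS stub keeps its compressed payload in exactly this overlay and reads it back out of its own file, which is what the "Reads data out of its own binary image" hits in the Signatures section record. The Python below is an added example, not part of this report: it derives the overlay bounds from the section table and file size, and classifies each reported self_read range as headers/sections, overlay, straddling the boundary, or beyond end of file (two of the reported offsets, 0x9ec21c and 0x9ec31c, lie far past the 312081-byte file). The section values, file size and read offsets are copied from the report; the function names are the author's.

```python
"""Locate the PE overlay from the section table and classify the self-read
ranges a sandbox reports against it.

Added example, not part of the CAPE report.  The section table, file size
and self_read offsets below are copied from the report above.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Section:
    name: str
    raw_address: int   # "RAW Address" column (PointerToRawData)
    raw_size: int      # "Size of Raw Data" column (SizeOfRawData)


# Section table as reported.
SECTIONS = [
    Section(".text", 0x400, 0x6600),
    Section(".rdata", 0x6A00, 0x1400),
    Section(".data", 0x7E00, 0x600),
    Section(".ndata", 0x0, 0x0),      # uninitialised data: no bytes on disk
    Section(".rsrc", 0x8400, 0x1A00),
]
FILE_SIZE = 312081  # "File Size" from the report

# (offset, length) pairs from the "Reads data out of its own binary image" hits.
SELF_READS = [
    (0x00000000, 0x0000A000),
    (0x00011E1C, 0x0003A4F1),
    (0x009EC21C, 0x00004000),
    (0x009EC31C, 0x00004000),
]


def overlay_bounds(sections, file_size):
    """Return (offset, size) of the overlay; size is 0 when there is none.

    The overlay starts where the highest section's raw data ends.  Sections
    with zero raw size (.ndata here) occupy no file bytes and do not count.
    """
    end_of_sections = max(s.raw_address + s.raw_size for s in sections)
    if end_of_sections >= file_size:
        return end_of_sections, 0
    return end_of_sections, file_size - end_of_sections


def classify_read(offset, length, overlay_offset, file_size):
    """Name the part of the file that a (offset, length) read touches."""
    end = offset + length
    if offset >= file_size:
        return "beyond EOF"            # ReadFile at this offset returns 0 bytes
    if end <= overlay_offset:
        return "headers+sections"
    if offset >= overlay_offset:
        return "overlay" if end <= file_size else "overlay (truncated at EOF)"
    return "straddles sections/overlay"


def classify_self_reads(reads, sections, file_size):
    """Classify every reported self-read against the computed overlay."""
    overlay_offset, _ = overlay_bounds(sections, file_size)
    return [(o, n, classify_read(o, n, overlay_offset, file_size)) for o, n in reads]


if __name__ == "__main__":
    off, size = overlay_bounds(SECTIONS, FILE_SIZE)
    print(f"overlay at 0x{off:x}, 0x{size:x} bytes")
    for o, n, kind in classify_self_reads(SELF_READS, SECTIONS, FILE_SIZE):
        print(f"read 0x{o:08x}+0x{n:06x}: {kind}")
```

The first read (0x0 for 0xa000 bytes) covers the whole image plus the start of the overlay, consistent with a stub scanning for its own data header; the second (0x11e1c for 0x3a4f1 bytes) ends at 0x4c30d, just inside the overlay, which is the payload being pulled out. The two offsets past end of file cannot return data from this sample and should be treated as bookkeeping from the monitor rather than as evidence of a larger payload.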

Resources

Name Offset Size Language Sub-language Entropy File type
RT_BITMAP 0x00039238 0x00000368 LANG_ENGLISH SUBLANG_ENGLISH_US 3.22 None
RT_ICON 0x00039e48 0x000002e8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.67 None
RT_ICON 0x00039e48 0x000002e8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.67 None
RT_DIALOG 0x0003a490 0x00000060 LANG_ENGLISH SUBLANG_ENGLISH_US 2.49 None
RT_DIALOG 0x0003a490 0x00000060 LANG_ENGLISH SUBLANG_ENGLISH_US 2.49 None
RT_DIALOG 0x0003a490 0x00000060 LANG_ENGLISH SUBLANG_ENGLISH_US 2.49 None
RT_DIALOG 0x0003a490 0x00000060 LANG_ENGLISH SUBLANG_ENGLISH_US 2.49 None
RT_GROUP_ICON 0x0003a4f0 0x00000022 LANG_ENGLISH SUBLANG_ENGLISH_US 1.94 None
RT_MANIFEST 0x0003a518 0x0000033e LANG_ENGLISH SUBLANG_ENGLISH_US 5.30 None

Imports

0x408074 CreateFileA
0x408078 GetFileSize
0x40807c GetModuleFileNameA
0x408080 ReadFile
0x408084 GetCurrentProcess
0x408088 CopyFileA
0x40808c Sleep
0x408090 GetTickCount
0x408098 GetTempPathA
0x40809c GetCommandLineA
0x4080a0 lstrlenA
0x4080a4 GetVersion
0x4080a8 SetErrorMode
0x4080ac lstrcpynA
0x4080b0 ExitProcess
0x4080b4 SetFileAttributesA
0x4080b8 GlobalLock
0x4080bc CreateThread
0x4080c0 GetLastError
0x4080c4 CreateDirectoryA
0x4080c8 CreateProcessA
0x4080cc RemoveDirectoryA
0x4080d0 GetTempFileNameA
0x4080d4 WriteFile
0x4080d8 lstrcpyA
0x4080dc MoveFileExA
0x4080e0 lstrcatA
0x4080e4 GetSystemDirectoryA
0x4080e8 GetProcAddress
0x4080ec GetExitCodeProcess
0x4080f0 WaitForSingleObject
0x4080f4 CompareFileTime
0x4080f8 SetFileTime
0x4080fc GetFileAttributesA
0x408104 MoveFileA
0x408108 GetFullPathNameA
0x40810c GetShortPathNameA
0x408110 SearchPathA
0x408114 CloseHandle
0x408118 lstrcmpiA
0x40811c GlobalUnlock
0x408120 GetDiskFreeSpaceA
0x408124 lstrcmpA
0x408128 DeleteFileA
0x40812c FindFirstFileA
0x408130 FindNextFileA
0x408134 FindClose
0x408138 SetFilePointer
0x408144 MulDiv
0x408148 MultiByteToWideChar
0x40814c FreeLibrary
0x408150 LoadLibraryExA
0x408154 GetModuleHandleA
0x408158 GlobalAlloc
0x40815c GlobalFree
0x408184 GetSystemMenu
0x408188 SetClassLongA
0x40818c EnableMenuItem
0x408190 IsWindowEnabled
0x408194 SetWindowPos
0x408198 GetSysColor
0x40819c GetWindowLongA
0x4081a0 SetCursor
0x4081a4 LoadCursorA
0x4081a8 CheckDlgButton
0x4081ac GetMessagePos
0x4081b0 CallWindowProcA
0x4081b4 IsWindowVisible
0x4081b8 CloseClipboard
0x4081bc SetClipboardData
0x4081c0 EmptyClipboard
0x4081c4 OpenClipboard
0x4081c8 ScreenToClient
0x4081cc GetWindowRect
0x4081d0 GetDlgItem
0x4081d4 GetSystemMetrics
0x4081d8 SetDlgItemTextA
0x4081dc GetDlgItemTextA
0x4081e0 MessageBoxIndirectA
0x4081e4 CharPrevA
0x4081e8 DispatchMessageA
0x4081ec PeekMessageA
0x4081f0 GetDC
0x4081f4 ReleaseDC
0x4081f8 EnableWindow
0x4081fc InvalidateRect
0x408200 SendMessageA
0x408204 DefWindowProcA
0x408208 BeginPaint
0x40820c GetClientRect
0x408210 FillRect
0x408214 EndDialog
0x408218 RegisterClassA
0x408220 CreateWindowExA
0x408224 GetClassInfoA
0x408228 DialogBoxParamA
0x40822c CharNextA
0x408230 ExitWindowsEx
0x408234 LoadImageA
0x408238 CreateDialogParamA
0x40823c SetTimer
0x408240 SetWindowTextA
0x408244 SetForegroundWindow
0x408248 ShowWindow
0x40824c SetWindowLongA
0x408250 SendMessageTimeoutA
0x408254 FindWindowExA
0x408258 IsWindow
0x40825c AppendMenuA
0x408260 TrackPopupMenu
0x408264 CreatePopupMenu
0x408268 DrawTextA
0x40826c EndPaint
0x408270 DestroyWindow
0x408274 wsprintfA
0x408278 PostQuitMessage
0x40804c SelectObject
0x408050 SetTextColor
0x408054 SetBkMode
0x408058 CreateFontIndirectA
0x40805c CreateBrushIndirect
0x408060 DeleteObject
0x408064 GetDeviceCaps
0x408068 SetBkColor
0x40816c ShellExecuteExA
0x408174 SHBrowseForFolderA
0x408178 SHGetFileInfoA
0x40817c SHFileOperationA
0x408004 RegCreateKeyExA
0x408008 RegOpenKeyExA
0x40800c SetFileSecurityA
0x408010 OpenProcessToken
0x408018 RegEnumValueA
0x40801c RegDeleteKeyA
0x408020 RegDeleteValueA
0x408024 RegCloseKey
0x408028 RegSetValueExA
0x40802c RegQueryValueExA
0x408030 RegEnumKeyA
0x408038 ImageList_Create
0x40803c ImageList_AddMasked
0x408040 None
0x408044 ImageList_Destroy
0x408280 OleUninitialize
0x408284 OleInitialize
0x408288 CoTaskMemFree
0x40828c CoCreateInstance

!This program cannot be run in DOS mode.
.text
`.rdata
@.data
.ndata
.rsrc
UXTHEME
USERENV
SETUPAPI
APPHELP
PROPSYS
DWMAPI
CRYPTBASE
OLEACC
CLBCATQ
NTMARTA
RichEdit
RichEdit20A
RichEd32
RichEd20
.DEFAULT\Control Panel\International
Control Panel\Desktop\ResourceLocale
Software\Microsoft\Windows\CurrentVersion
\Microsoft\Internet Explorer\Quick Launch
MulDiv
DeleteFileA
FindFirstFileA
FindNextFileA
FindClose
SetFilePointer
GetPrivateProfileStringA
WritePrivateProfileStringA
MultiByteToWideChar
FreeLibrary
LoadLibraryExA
GetModuleHandleA
GlobalAlloc
GlobalFree
ExpandEnvironmentStringsA
lstrcmpA
lstrcmpiA
CloseHandle
SetFileTime
CompareFileTime
SearchPathA
GetShortPathNameA
GetFullPathNameA
MoveFileA
SetCurrentDirectoryA
GetFileAttributesA
SetFileAttributesA
Sleep
GetTickCount
CreateFileA
GetFileSize
GetModuleFileNameA
ReadFile
GetCurrentProcess
CopyFileA
ExitProcess
SetEnvironmentVariableA
GetWindowsDirectoryA
GetTempPathA
GetCommandLineA
lstrlenA
GetVersion
SetErrorMode
lstrcpynA
GetDiskFreeSpaceA
GlobalUnlock
GlobalLock
CreateThread
GetLastError
CreateDirectoryA
CreateProcessA
RemoveDirectoryA
GetTempFileNameA
WriteFile
lstrcpyA
MoveFileExA
lstrcatA
GetSystemDirectoryA
GetProcAddress
GetExitCodeProcess
WaitForSingleObject
KERNEL32.dll
EndPaint
DrawTextA
FillRect
GetClientRect
BeginPaint
DefWindowProcA
SendMessageA
InvalidateRect
EnableWindow
ReleaseDC
GetDC
LoadImageA
SetWindowLongA
GetDlgItem
IsWindow
FindWindowExA
SendMessageTimeoutA
wsprintfA
ShowWindow
SetForegroundWindow
PostQuitMessage
SetWindowTextA
SetTimer
CreateDialogParamA
DestroyWindow
ExitWindowsEx
CharNextA
DialogBoxParamA
GetClassInfoA
CreateWindowExA
SystemParametersInfoA
RegisterClassA
EndDialog
ScreenToClient
GetWindowRect
EnableMenuItem
GetSystemMenu
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
TrackPopupMenu
AppendMenuA
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
USER32.dll
SelectObject
SetTextColor
SetBkMode
CreateFontIndirectA
CreateBrushIndirect
DeleteObject
GetDeviceCaps
SetBkColor
GDI32.dll
SHFileOperationA
SHGetFileInfoA
SHBrowseForFolderA
SHGetPathFromIDListA
ShellExecuteExA
SHGetSpecialFolderLocation
SHELL32.dll
RegEnumValueA
RegEnumKeyA
RegQueryValueExA
RegSetValueExA
RegCloseKey
RegDeleteValueA
RegDeleteKeyA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
SetFileSecurityA
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
ImageList_Destroy
ImageList_AddMasked
ImageList_Create
COMCTL32.dll
CoCreateInstance
OleUninitialize
OleInitialize
CoTaskMemFree
ole32.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
Installer integrity check has failed. Common causes include
incomplete download and damaged media. Contact the
installer's author to obtain a new copy.
More information at:
http://nsis.sf.net/NSIS_Error
Error writing temporary file. Make sure your temp folder is valid.
Error launching installer
SeShutdownPrivilege
\Temp
NSIS Error
%u.%u%s%s
VerQueryValueA
GetFileVersionInfoA
GetFileVersionInfoSizeA
VERSION
SHGetFolderPathA
SHFOLDER
SHAutoComplete
SHLWAPI
SHELL32
InitiateShutdownA
RegDeleteKeyExA
ADVAPI32
GetUserDefaultUILanguage
GetDiskFreeSpaceExA
SetDefaultDllDirectories
KERNEL32
[Rename]
%s=%s
*?|<>/":
%s%s.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.05</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility></assembly>
NullsoftInst
MS Shell Dlg
SysTreeView32
MS Shell Dlg
MS Shell Dlg
msctls_progress32
SysListView32
MS Shell Dlg

Full Results

Engine Signature
Bkav HW32.Packed.
MicroWorld-eScan Clean
CMC Clean
CAT-QuickHeal Clean
McAfee Clean
Cylance Clean
Zillya Clean
SUPERAntiSpyware Clean
Sangfor Clean
K7AntiVirus Clean
Alibaba Clean
K7GW Clean
Cybereason malicious.67a149
Invincea heuristic
BitDefenderTheta Clean
F-Prot Clean
Symantec ML.Attribute.HighConfidence
TotalDefense Clean
Baidu Clean
APEX Malicious
Avast Clean
ClamAV Clean
Kaspersky Clean
BitDefender Clean
NANO-Antivirus Clean
Paloalto generic.ml
ViRobot Clean
Rising Clean
Endgame malicious (high confidence)
TACHYON Clean
Sophos Clean
Comodo Clean
F-Secure Clean
DrWeb Clean
VIPRE Clean
TrendMicro Clean
Trapmine Clean
FireEye Clean
Emsisoft Clean
SentinelOne Clean
Cyren Clean
Jiangmin TrojanDropper.Scrop.ake
eGambit Clean
Avira Clean
Fortinet Clean
Antiy-AVL Clean
Kingsoft Clean
Arcabit Clean
AegisLab Clean
ZoneAlarm Clean
Avast-Mobile Clean
Cynet Clean
AhnLab-V3 Clean
Acronis Clean
VBA32 Clean
ALYac Clean
MAX Clean
Ad-Aware Clean
Malwarebytes Clean
Zoner Clean
ESET-NOD32 Clean
TrendMicro-HouseCall Clean
Tencent Clean
Yandex Clean
Ikarus Trojan.Win32.Injector
MaxSecure Clean
GData Clean
Webroot W32.Trojan.Gen
AVG Clean
Panda Clean
CrowdStrike win/malicious_confidence_60% (D)
Qihoo-360 HEUR/QVM20.1.3DD0.Malware.Gen
Sorry! No behavior.

Hosts

Direct IP Country Name
Y 8.8.8.8 United States
Y 1.1.1.1 Australia

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.1.5 54312 1.1.1.1 53
192.168.1.5 54312 8.8.8.8 53

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Process Name XY4k2fzQ3.exe
PID 3272
Dump Size 221184 bytes
Module Path C:\Users\Rebecca\AppData\Local\Temp\XY4k2fzQ3.exe
Type PE image: 32-bit executable
PE timestamp 2019-12-16 00:51:03
MD5 61e29de1e4f8c4c92db18be718a40b03
SHA1 bd65b5bb6756162fe7f66d02f0ec689788acd6bd
SHA256 466728ff78b7bf790b24c07dedddb64c11712f7c05f0866535bfc5a217ca66ec
CRC32 7A2DEC57
Ssdeep 3072:tPqRxga51PDJvcYNUcudHg7fRjrz55v5udHg7fRjrz55GZnvSWu1UIRg7fRjrz5D:tPCgan9RuEufZvjgUIRtSt
Dump Filename 466728ff78b7bf790b24c07dedddb64c11712f7c05f0866535bfc5a217ca66ec
Process Name cmd.exe
PID 2552
Dump Size 302592 bytes
Module Path C:\Windows\System32\cmd.exe
Type PE image: 32-bit executable
PE timestamp 2010-11-20 09:00:27
MD5 81a598d43e92d66546288e8bc04edfb5
SHA1 7b2f054a0704bede91fe016259572e692d103e6b
SHA256 277db2b8ce7f03c690a5fcf74b6bf735c8b95cfbaf1279f094e5577ff1eb32f2
CRC32 D9F2B260
Ssdeep 3072:fS1ZeRWHt5Fiu1RFPdpOlSNi9dkwk6jyGez1c:fmZdHtHjFzGSUdkwk6mt+
Dump Filename 277db2b8ce7f03c690a5fcf74b6bf735c8b95cfbaf1279f094e5577ff1eb32f2
Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature

    Processing ( 7.4 seconds )

    • 5.347 Suricata
    • 0.552 BehaviorAnalysis
    • 0.346 Static
    • 0.287 VirusTotal
    • 0.237 CAPE
    • 0.141 Deduplicate
    • 0.133 Dropped
    • 0.115 AnalysisInfo
    • 0.099 NetworkAnalysis
    • 0.078 ProcDump
    • 0.035 TargetInfo
    • 0.015 peid
    • 0.009 Strings
    • 0.006 Debug

    Signatures ( 0.21000000000000005 seconds )

    • 0.027 api_spamming
    • 0.018 stealth_timeout
    • 0.018 ransomware_files
    • 0.016 decoy_document
    • 0.016 antiav_detectreg
    • 0.011 NewtWire Behavior
    • 0.01 ransomware_extensions
    • 0.008 antiav_detectfile
    • 0.008 infostealer_ftp
    • 0.007 territorial_disputes_sigs
    • 0.006 masquerade_process_name
    • 0.005 antianalysis_detectfile
    • 0.005 infostealer_bitcoin
    • 0.005 infostealer_im
    • 0.003 infostealer_browser
    • 0.003 persistence_autorun
    • 0.003 antianalysis_detectreg
    • 0.003 antivm_vbox_files
    • 0.003 infostealer_mail
    • 0.002 guloader_apis
    • 0.002 ransomware_message
    • 0.002 sets_autoconfig_url
    • 0.002 antivm_vbox_keys
    • 0.002 geodo_banking_trojan
    • 0.001 Doppelganging
    • 0.001 antidbg_windows
    • 0.001 antivm_generic_disk
    • 0.001 betabot_behavior
    • 0.001 bootkit
    • 0.001 kibex_behavior
    • 0.001 mimics_filetime
    • 0.001 network_tor
    • 0.001 rat_nanocore
    • 0.001 reads_self
    • 0.001 stealth_file
    • 0.001 tinba_behavior
    • 0.001 virus
    • 0.001 antidbg_devices
    • 0.001 antivm_parallels_keys
    • 0.001 antivm_vmware_files
    • 0.001 antivm_vmware_keys
    • 0.001 browser_security
    • 0.001 disables_browser_warn
    • 0.001 azorult_mutexes
    • 0.001 masslogger_files
    • 0.001 predatorthethief_files
    • 0.001 qulab_files
    • 0.001 revil_mutexes
    • 0.001 modirat_bheavior

    Reporting ( 12.185999999999998 seconds )

    • 10.408 BinGraph
    • 1.181 JsonDump
    • 0.597 MITRE_TTPS