Analysis

Category FILE
Package nsis
Started 2020-06-22 15:30:09
Completed 2020-06-22 15:33:00
Duration 171 seconds
procdump = yes
2020-05-13 09:26:03,180 [root] INFO: Date set to: 20200622T13:39:43, timeout set to: 200
2020-06-22 13:39:43,093 [root] DEBUG: Starting analyzer from: C:\tmp2ssujfce
2020-06-22 13:39:43,093 [root] DEBUG: Storing results at: C:\xQbENKGLB
2020-06-22 13:39:43,093 [root] DEBUG: Pipe server name: \\.\PIPE\nbrhGfO
2020-06-22 13:39:43,093 [root] DEBUG: Python path: C:\Users\Louise\AppData\Local\Programs\Python\Python38-32
2020-06-22 13:39:43,093 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-06-22 13:39:43,093 [root] INFO: Automatically selected analysis package "nsis"
2020-06-22 13:39:43,093 [root] DEBUG: Trying to import analysis package "nsis"...
2020-06-22 13:39:43,328 [root] DEBUG: Imported analysis package "nsis".
2020-06-22 13:39:43,328 [root] DEBUG: Trying to initialize analysis package "nsis"...
2020-06-22 13:39:43,328 [root] DEBUG: Initialized analysis package "nsis".
2020-06-22 13:39:43,843 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-06-22 13:39:43,843 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-06-22 13:39:43,843 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-06-22 13:39:44,031 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-06-22 13:39:44,031 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-06-22 13:39:44,046 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-06-22 13:39:44,046 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-06-22 13:39:44,140 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-06-22 13:39:44,140 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-06-22 13:39:44,234 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-06-22 13:39:44,234 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-06-22 13:39:44,296 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-06-22 13:39:44,296 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-06-22 13:39:44,296 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-06-22 13:39:44,296 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-06-22 13:39:44,296 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-06-22 13:39:44,296 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-06-22 13:39:44,296 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-06-22 13:39:44,296 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-06-22 13:39:44,343 [lib.api.screenshot] DEBUG: Importing 'math'
2020-06-22 13:39:44,343 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-06-22 13:39:46,625 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-06-22 13:39:46,859 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-06-22 13:39:46,875 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-06-22 13:39:46,875 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-06-22 13:39:46,875 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-06-22 13:39:46,890 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-06-22 13:39:46,890 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-06-22 13:39:46,906 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-06-22 13:39:46,906 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-06-22 13:39:46,906 [root] DEBUG: Initialized auxiliary module "Browser".
2020-06-22 13:39:46,906 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-06-22 13:39:46,921 [root] DEBUG: Started auxiliary module Browser
2020-06-22 13:39:46,921 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-06-22 13:39:46,921 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-06-22 13:39:46,921 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-06-22 13:39:46,921 [root] DEBUG: Started auxiliary module Curtain
2020-06-22 13:39:46,921 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-06-22 13:39:46,921 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-06-22 13:39:46,921 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-06-22 13:39:46,937 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-06-22 13:39:47,906 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-06-22 13:39:47,906 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-06-22 13:39:47,937 [root] DEBUG: Started auxiliary module DigiSig
2020-06-22 13:39:47,937 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-06-22 13:39:47,937 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-06-22 13:39:47,937 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-06-22 13:39:47,953 [root] DEBUG: Started auxiliary module Disguise
2020-06-22 13:39:47,953 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-06-22 13:39:47,953 [root] DEBUG: Initialized auxiliary module "Human".
2020-06-22 13:39:47,953 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-06-22 13:39:47,968 [root] DEBUG: Started auxiliary module Human
2020-06-22 13:39:47,968 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-06-22 13:39:47,968 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-06-22 13:39:47,968 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-06-22 13:39:47,968 [root] DEBUG: Started auxiliary module Procmon
2020-06-22 13:39:47,968 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-06-22 13:39:47,968 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-06-22 13:39:47,968 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-06-22 13:39:47,968 [root] DEBUG: Started auxiliary module Screenshots
2020-06-22 13:39:47,968 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-06-22 13:39:47,984 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-06-22 13:39:47,984 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-06-22 13:39:47,984 [root] DEBUG: Started auxiliary module Sysmon
2020-06-22 13:39:47,984 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-06-22 13:39:47,984 [root] DEBUG: Initialized auxiliary module "Usage".
2020-06-22 13:39:47,984 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-06-22 13:39:47,984 [root] DEBUG: Started auxiliary module Usage
2020-06-22 13:39:47,984 [root] INFO: Analyzer: Package modules.packages.nsis does not specify a DLL option
2020-06-22 13:39:47,984 [root] INFO: Analyzer: Package modules.packages.nsis does not specify a DLL_64 option
2020-06-22 13:39:47,984 [root] INFO: Analyzer: Package modules.packages.nsis does not specify a loader option
2020-06-22 13:39:47,984 [root] INFO: Analyzer: Package modules.packages.nsis does not specify a loader_64 option
2020-06-22 13:39:48,031 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\cmd.exe" with arguments "/c start /wait "" "C:\Users\Louise\AppData\Local\Temp\SGQ-200875.exe" /NCRC" with pid 840
2020-06-22 13:39:48,031 [lib.api.process] INFO: Monitor config for process 840: C:\tmp2ssujfce\dll\840.ini
2020-06-22 13:39:48,031 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-22 13:39:48,031 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\xsHrMf.dll, loader C:\tmp2ssujfce\bin\grzPWtK.exe
2020-06-22 13:39:48,593 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nbrhGfO.
2020-06-22 13:39:48,625 [root] DEBUG: Loader: Injecting process 840 (thread 2568) with C:\tmp2ssujfce\dll\xsHrMf.dll.
2020-06-22 13:39:48,640 [root] DEBUG: Process image base: 0x4ABE0000
2020-06-22 13:39:48,656 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ssujfce\dll\xsHrMf.dll.
2020-06-22 13:39:48,718 [root] DEBUG: InjectDllViaIAT: Failed to allocate region in target process for new import table.
2020-06-22 13:39:48,734 [root] DEBUG: InjectDll: IAT patching failed, falling back to thread injection.
2020-06-22 13:39:49,875 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-22 13:39:49,890 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 840 at 0x6fb40000, image base 0x4abe0000, stack from 0x333000-0x430000
2020-06-22 13:39:49,890 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Windows\system32\cmd.exe" \c start \wait "" "C:\Users\Louise\AppData\Local\Temp\SGQ-200875.exe" \NCRC.
2020-06-22 13:39:49,953 [root] INFO: Loaded monitor into process with pid 840
2020-06-22 13:39:49,968 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2020-06-22 13:39:49,968 [root] DEBUG: InjectDll: Successfully injected DLL via thread.
2020-06-22 13:39:49,968 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\xsHrMf.dll.
2020-06-22 13:39:52,296 [lib.api.process] INFO: Successfully resumed process with pid 840
2020-06-22 13:39:52,328 [root] INFO: Announced 32-bit process name: SGQ-200875.exe pid: 2056
2020-06-22 13:39:52,328 [lib.api.process] INFO: Monitor config for process 2056: C:\tmp2ssujfce\dll\2056.ini
2020-06-22 13:39:52,343 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-22 13:39:52,343 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\xsHrMf.dll, loader C:\tmp2ssujfce\bin\grzPWtK.exe
2020-06-22 13:39:52,375 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nbrhGfO.
2020-06-22 13:39:52,375 [root] DEBUG: Loader: Injecting process 2056 (thread 4804) with C:\tmp2ssujfce\dll\xsHrMf.dll.
2020-06-22 13:39:52,375 [root] DEBUG: Process image base: 0x00400000
2020-06-22 13:39:52,375 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ssujfce\dll\xsHrMf.dll.
2020-06-22 13:39:52,375 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-22 13:39:52,375 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\xsHrMf.dll.
2020-06-22 13:39:52,390 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2056
2020-06-22 13:39:52,390 [root] INFO: Disabling sleep skipping.
2020-06-22 13:39:52,390 [root] DEBUG: DLL loaded at 0x74CD0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2020-06-22 13:39:52,421 [root] DEBUG: CreateProcessHandler: Injection info set for new process 2056, ImageBase: 0x00400000
2020-06-22 13:39:52,421 [root] INFO: Announced 32-bit process name: SGQ-200875.exe pid: 2056
2020-06-22 13:39:52,421 [lib.api.process] INFO: Monitor config for process 2056: C:\tmp2ssujfce\dll\2056.ini
2020-06-22 13:39:52,421 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-22 13:39:52,421 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\xsHrMf.dll, loader C:\tmp2ssujfce\bin\grzPWtK.exe
2020-06-22 13:39:52,453 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nbrhGfO.
2020-06-22 13:39:52,453 [root] DEBUG: Loader: Injecting process 2056 (thread 4804) with C:\tmp2ssujfce\dll\xsHrMf.dll.
2020-06-22 13:39:52,453 [root] DEBUG: Process image base: 0x00400000
2020-06-22 13:39:52,453 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ssujfce\dll\xsHrMf.dll.
2020-06-22 13:39:52,453 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-22 13:39:52,453 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\xsHrMf.dll.
2020-06-22 13:39:52,468 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2056
2020-06-22 13:39:52,468 [root] DEBUG: ResumeThreadHandler: Dumping section view for process 2056.
2020-06-22 13:39:52,484 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-22 13:39:52,484 [root] DEBUG: Process dumps disabled.
2020-06-22 13:39:52,500 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-22 13:39:52,500 [root] INFO: Disabling sleep skipping.
2020-06-22 13:39:52,500 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-22 13:39:52,500 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 2056 at 0x6fb40000, image base 0x400000, stack from 0x186000-0x190000
2020-06-22 13:39:52,500 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Users\Louise\AppData\Local\Temp\SGQ-200875.exe"  \NCRC.
2020-06-22 13:39:52,546 [root] INFO: Loaded monitor into process with pid 2056
2020-06-22 13:39:52,546 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xe8 amd local view 0x00340000 to global list.
2020-06-22 13:39:52,562 [root] DEBUG: DLL loaded at 0x736C0000: C:\Windows\system32\UXTHEME (0x80000 bytes).
2020-06-22 13:39:52,562 [root] DEBUG: DLL loaded at 0x74450000: C:\Windows\system32\USERENV (0x17000 bytes).
2020-06-22 13:39:52,562 [root] DEBUG: DLL loaded at 0x74440000: C:\Windows\system32\profapi (0xb000 bytes).
2020-06-22 13:39:52,578 [root] DEBUG: DLL loaded at 0x76800000: C:\Windows\system32\SETUPAPI (0x19d000 bytes).
2020-06-22 13:39:52,578 [root] DEBUG: DLL loaded at 0x76200000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2020-06-22 13:39:52,578 [root] DEBUG: DLL loaded at 0x76430000: C:\Windows\syswow64\OLEAUT32 (0x91000 bytes).
2020-06-22 13:39:52,609 [root] DEBUG: DLL loaded at 0x76EC0000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2020-06-22 13:39:52,609 [root] DEBUG: DLL loaded at 0x74CD0000: C:\Windows\system32\APPHELP (0x4c000 bytes).
2020-06-22 13:39:52,609 [root] DEBUG: DLL loaded at 0x6FA00000: C:\Windows\system32\PROPSYS (0xf5000 bytes).
2020-06-22 13:39:52,625 [root] DEBUG: DLL loaded at 0x702F0000: C:\Windows\system32\DWMAPI (0x13000 bytes).
2020-06-22 13:39:52,625 [root] DEBUG: DLL loaded at 0x6F9C0000: C:\Windows\system32\OLEACC (0x3c000 bytes).
2020-06-22 13:39:52,625 [root] DEBUG: DLL loaded at 0x76170000: C:\Windows\system32\CLBCATQ (0x83000 bytes).
2020-06-22 13:39:52,625 [root] DEBUG: DLL loaded at 0x74380000: C:\Windows\system32\NTMARTA (0x21000 bytes).
2020-06-22 13:39:52,625 [root] DEBUG: DLL loaded at 0x76E50000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2020-06-22 13:39:52,640 [root] DEBUG: DLL loaded at 0x73590000: C:\Windows\system32\VERSION (0x9000 bytes).
2020-06-22 13:39:52,812 [root] DEBUG: DLL loaded at 0x70380000: C:\Windows\system32\SHFOLDER (0x5000 bytes).
2020-06-22 13:39:53,031 [root] DEBUG: DLL unloaded from 0x74F40000.
2020-06-22 13:39:53,078 [root] DEBUG: DLL loaded at 0x6F900000: C:\Windows\System32\shdocvw (0x2f000 bytes).
2020-06-22 13:39:53,343 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Local\Temp\ship\formcontrols.xml
2020-06-22 13:39:53,359 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Local\Temp\ship\sbscmp10.dll
2020-06-22 13:39:53,359 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Local\Temp\ship\18.opends60.dll
2020-06-22 13:39:53,437 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Local\Temp\ship\SmartDevHowDoI80.xml
2020-06-22 13:39:53,500 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Local\Temp\ship\s390-linux.xml
2020-06-22 13:39:53,546 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Local\Temp\ship\prs.sid.xml
2020-06-22 13:39:53,562 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Local\Temp\ship\unresolvedaddress.xml
2020-06-22 13:39:53,578 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Local\Temp\ship\27.opends60.dll
2020-06-22 13:39:53,593 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Local\Temp\ship\MicrosoftWindowsCEForms.dll
2020-06-22 13:39:53,625 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Local\Temp\ship\x-icns.xml
2020-06-22 13:39:53,640 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Local\Temp\ship\conmanui.dll
2020-06-22 13:39:53,656 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Local\Temp\ship\com.ubuntu.notifications.settings.gschema.xml
2020-06-22 13:39:53,671 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Local\Temp\ship\model122.xml
2020-06-22 13:39:53,703 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Roaming\can\x-s3m.xml
2020-06-22 13:39:53,718 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Roaming\can\iso6395.xml
2020-06-22 13:39:53,750 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Roaming\can\roletemplateprivileges.xml
2020-06-22 13:39:53,796 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Roaming\can\MicrosoftVisualStudioVSHelp.dll
2020-06-22 13:39:53,859 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Roaming\can\resgen.exe
2020-06-22 13:39:53,859 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Roaming\can\org.gnome.Logs.enums.xml
2020-06-22 13:39:53,875 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Roaming\can\intro.xml
2020-06-22 13:39:53,921 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Roaming\rct\webservices\genasm.exe
2020-06-22 13:39:53,921 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Roaming\rct\webservices\10.opends60.dll
2020-06-22 13:39:53,953 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Roaming\rct\webservices\SamplesTable.xml
2020-06-22 13:39:53,968 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Roaming\rct\webservices\org.gnome.desktop.datetime.gschema.xml
2020-06-22 13:39:54,000 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Local\Temp\dan\wsdl\paypal\mc.exe
2020-06-22 13:39:54,015 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Local\Temp\dan\wsdl\paypal\msats10ui.dll
2020-06-22 13:39:54,046 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Local\Temp\dan\wsdl\paypal\83.opends60.dll
2020-06-22 13:39:54,109 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Local\Temp\Cogency
2020-06-22 13:39:54,140 [root] INFO: Added new file to list with pid None and path C:\Users\Louise\AppData\Local\Temp\SwatVelamen.dll
2020-06-22 13:39:54,218 [root] INFO: Announced 32-bit process name: rundll32.exe pid: 5052
2020-06-22 13:39:54,218 [lib.api.process] INFO: Monitor config for process 5052: C:\tmp2ssujfce\dll\5052.ini
2020-06-22 13:39:54,296 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-22 13:39:54,296 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\xsHrMf.dll, loader C:\tmp2ssujfce\bin\grzPWtK.exe
2020-06-22 13:39:54,328 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nbrhGfO.
2020-06-22 13:39:54,328 [root] DEBUG: Loader: Injecting process 5052 (thread 2972) with C:\tmp2ssujfce\dll\xsHrMf.dll.
2020-06-22 13:39:54,328 [root] DEBUG: Process image base: 0x00270000
2020-06-22 13:39:54,328 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ssujfce\dll\xsHrMf.dll.
2020-06-22 13:39:54,328 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-06-22 13:39:54,328 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\xsHrMf.dll.
2020-06-22 13:39:54,359 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 5052
2020-06-22 13:39:54,453 [root] DEBUG: CreateProcessHandler: using lpCommandLine: C:\Windows\system32\rundll32.exe SwatVelamen,Pretor.
2020-06-22 13:39:54,453 [root] DEBUG: CreateProcessHandler: Injection info set for new process 5052, ImageBase: 0x00270000
2020-06-22 13:39:54,453 [root] INFO: Announced 32-bit process name: rundll32.exe pid: 5052
2020-06-22 13:39:54,468 [lib.api.process] INFO: Monitor config for process 5052: C:\tmp2ssujfce\dll\5052.ini
2020-06-22 13:39:54,468 [lib.api.process] INFO: Option 'procdump' with value 'yes' sent to monitor
2020-06-22 13:39:54,468 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp2ssujfce\dll\xsHrMf.dll, loader C:\tmp2ssujfce\bin\grzPWtK.exe
2020-06-22 13:39:54,484 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nbrhGfO.
2020-06-22 13:39:54,484 [root] DEBUG: Loader: Injecting process 5052 (thread 2972) with C:\tmp2ssujfce\dll\xsHrMf.dll.
2020-06-22 13:39:54,484 [root] DEBUG: Process image base: 0x00270000
2020-06-22 13:39:54,484 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp2ssujfce\dll\xsHrMf.dll.
2020-06-22 13:39:54,484 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2020-06-22 13:39:54,484 [root] DEBUG: Successfully injected DLL C:\tmp2ssujfce\dll\xsHrMf.dll.
2020-06-22 13:39:54,500 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 5052
2020-06-22 13:39:55,546 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-06-22 13:39:55,546 [root] DEBUG: Process dumps disabled.
2020-06-22 13:39:55,546 [root] DEBUG: Dropped file limit defaulting to 100.
2020-06-22 13:39:55,546 [root] INFO: Disabling sleep skipping.
2020-06-22 13:39:55,562 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-06-22 13:39:55,562 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 5052 at 0x6fb40000, image base 0x270000, stack from 0x2c4000-0x2d0000
2020-06-22 13:39:55,562 [root] DEBUG: Commandline: C:\Windows\System32\rundll32.exe SwatVelamen,Pretor.
2020-06-22 13:39:55,609 [root] INFO: Loaded monitor into process with pid 5052
2020-06-22 13:39:55,718 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x10c amd local view 0x10000000 to global list.
2020-06-22 13:39:55,734 [root] DEBUG: DLL loaded at 0x10000000: C:\Users\Louise\AppData\Local\Temp\SwatVelamen (0x11000 bytes).
2020-06-22 13:39:55,750 [root] DEBUG: set_caller_info: Adding region at 0x00140000 to caller regions list (ntdll::LdrGetDllHandle).
2020-06-22 13:39:55,781 [root] DEBUG: set_caller_info: Adding region at 0x02580000 to caller regions list (kernel32::GetSystemTime).
2020-06-22 13:39:55,812 [root] DEBUG: DumpMemory: Exception occured reading memory address 0x2580000
2020-06-22 13:39:55,859 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\xQbENKGLB\CAPE\5052_17169961655192022162020 (size 0xffe)
2020-06-22 13:39:55,859 [root] DEBUG: DumpRegion: Dumped stack region from 0x02580000, size 0x1000.
2020-06-22 13:39:55,906 [root] DEBUG: DumpMemory: CAPE output file successfully created: C:\xQbENKGLB\CAPE\5052_80084645755192022162020 (size 0x7bc)
2020-06-22 13:39:55,906 [root] DEBUG: DumpRegion: Dumped stack region from 0x00140000, size 0x2000.
2020-06-22 13:39:55,921 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x114 amd local view 0x763F0000 to global list.
2020-06-22 13:39:55,921 [root] DEBUG: DLL loaded at 0x763F0000: C:\Windows\syswow64\ws2_32 (0x35000 bytes).
2020-06-22 13:39:55,921 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x760B0000 for section view with handle 0x114.
2020-06-22 13:39:55,921 [root] DEBUG: DLL loaded at 0x760B0000: C:\Windows\syswow64\NSI (0x6000 bytes).
2020-06-22 13:39:55,937 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x118 amd local view 0x6EA70000 to global list.
2020-06-22 13:39:55,937 [root] DEBUG: DLL loaded at 0x6EA70000: C:\Windows\SysWOW64\winhttp (0x58000 bytes).
2020-06-22 13:39:55,937 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x6EA20000 for section view with handle 0x118.
2020-06-22 13:39:55,937 [root] DEBUG: DLL loaded at 0x6EA20000: C:\Windows\SysWOW64\webio (0x50000 bytes).
2020-06-22 13:39:55,953 [root] DEBUG: MapSectionViewHandler: Updated local view to 0x00150000 for section view with handle 0x118.
2020-06-22 13:40:13,531 [root] INFO: Process with pid 5052 has terminated
2020-06-22 13:40:13,578 [root] DEBUG: DLL unloaded from 0x6F900000.
2020-06-22 13:40:13,609 [root] DEBUG: DLL unloaded from 0x6FA00000.
2020-06-22 13:40:13,671 [root] DEBUG: DLL unloaded from 0x76680000.
2020-06-22 13:40:13,671 [root] DEBUG: DLL unloaded from 0x74380000.
2020-06-22 13:40:13,687 [root] INFO: Process with pid 2056 has terminated
2020-06-22 13:40:13,718 [root] DEBUG: DLL unloaded from 0x76680000.
2020-06-22 13:40:13,734 [root] INFO: Process with pid 840 has terminated
2020-06-22 13:40:19,296 [root] INFO: Process list is empty, terminating analysis.
2020-06-22 13:40:20,312 [root] INFO: Created shutdown mutex.
2020-06-22 13:40:21,312 [root] INFO: Shutting down package.
2020-06-22 13:40:21,312 [root] INFO: Stopping auxiliary modules.
2020-06-22 13:40:21,500 [lib.common.results] WARNING: File C:\xQbENKGLB\bin\procmon.xml doesn't exist anymore
2020-06-22 13:40:21,500 [root] INFO: Finishing auxiliary modules.
2020-06-22 13:40:21,500 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-06-22 13:40:22,812 [root] WARNING: Folder at path "C:\xQbENKGLB\debugger" does not exist, skip.
2020-06-22 13:40:22,812 [root] INFO: Analysis completed.

Machine

Name win7x64_1
Label win7x64_5
Manager KVM
Started On 2020-06-22 15:30:09
Shutdown On 2020-06-22 15:33:00

File Details

File Name SGQ-200875.exe
File Size 449953 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
PE timestamp 2019-12-16 00:51:03
MD5 9895f8fe3df4c3309b81cd5cf08c0e24
SHA1 1006644a248bc248d1c1db6909ae886afa7d3478
SHA256 315992fe86f3bc95dc19312739fe9e89ee80a85f94c02bbebb420919bfaec5d6
SHA512 09920434094c9b9e96497d3ba942535b0734e02be084a14ac41985fa1debcac69b43b57ca19a447af80bd29090e2c916e18bad292119a7e92e1945cc46e0c9a3
CRC32 31275587
Ssdeep 6144:3PCganNX6s0RvwftukfjX8MpWiOPYr+NZDDsDB/oWzuI0n0WsY2OAl9p/556Nf0u:NandZ0qVzIMVOPR5DKdpZWglj5OupV6

Signatures

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction - unpacking
Yara rule detections observed from a process memory dump/dropped files/CAPE
Hit: PID 0 trigged the Yara rule 'embedded_pe'
Hit: PID 5052 trigged the Yara rule 'shellcode_patterns'
Hit: PID 5052 trigged the Yara rule 'shellcode_stack_strings'
Dynamic (imported) function loading detected
DynamicLoader: VERSION.dll/GetFileVersionInfoA
DynamicLoader: SHFOLDER.dll/SHGetFolderPathA
DynamicLoader: SHLWAPI.dll/
DynamicLoader: CRYPTBASE.dll/SystemFunction036
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_Size_ExW
DynamicLoader: SETUPAPI.dll/CM_Get_Device_Interface_List_ExW
DynamicLoader: COMCTL32.dll/
DynamicLoader: kernel32.dll/GetUserDefaultUILanguage
DynamicLoader: ole32.dll/CoRevokeInitializeSpy
DynamicLoader: COMCTL32.dll/
DynamicLoader: ole32.dll/NdrOleInitializeExtension
DynamicLoader: ole32.dll/CoGetClassObject
DynamicLoader: ole32.dll/CoGetMarshalSizeMax
DynamicLoader: ole32.dll/CoMarshalInterface
DynamicLoader: ole32.dll/CoUnmarshalInterface
DynamicLoader: ole32.dll/StringFromIID
DynamicLoader: ole32.dll/CoGetPSClsid
DynamicLoader: ole32.dll/CoTaskMemAlloc
DynamicLoader: ole32.dll/CoTaskMemFree
DynamicLoader: ole32.dll/CoCreateInstance
DynamicLoader: ole32.dll/CoReleaseMarshalData
DynamicLoader: ole32.dll/DcomChannelSetHResult
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: COMCTL32.dll/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetDefaultPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverPackagePathW
DynamicLoader: WINSPOOL.DRV/CorePrinterDriverInstalledW
DynamicLoader: WINSPOOL.DRV/GetCorePrinterDriversW
DynamicLoader: WINSPOOL.DRV/UploadPrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/InstallPrinterDriverFromPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/AddPrinterConnection2W
DynamicLoader: WINSPOOL.DRV/OpenPrinter2W
DynamicLoader: WINSPOOL.DRV/DeletePrinterKeyW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataExW
DynamicLoader: WINSPOOL.DRV/EnumPrinterKeyW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataExW
DynamicLoader: WINSPOOL.DRV/GetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataExW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDataW
DynamicLoader: WINSPOOL.DRV/EnumPrinterDataW
DynamicLoader: WINSPOOL.DRV/SpoolerPrinterEvent
DynamicLoader: WINSPOOL.DRV/SetPortW
DynamicLoader: WINSPOOL.DRV/DocumentPropertySheets
DynamicLoader: WINSPOOL.DRV/DevicePropertySheets
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeW
DynamicLoader: WINSPOOL.DRV/IsValidDevmodeA
DynamicLoader: WINSPOOL.DRV/AddPortExW
DynamicLoader: WINSPOOL.DRV/DeletePrintProvidorW
DynamicLoader: WINSPOOL.DRV/AddPrintProvidorW
DynamicLoader: WINSPOOL.DRV/DeletePrintProcessorW
DynamicLoader: WINSPOOL.DRV/DeleteMonitorW
DynamicLoader: WINSPOOL.DRV/AddMonitorW
DynamicLoader: WINSPOOL.DRV/StartDocDlgW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/AdvancedDocumentPropertiesA
DynamicLoader: WINSPOOL.DRV/DocumentPropertiesW
DynamicLoader: WINSPOOL.DRV/DeviceCapabilitiesW
DynamicLoader: WINSPOOL.DRV/DeletePrinterIC
DynamicLoader: WINSPOOL.DRV/PlayGdiScriptOnPrinterIC
DynamicLoader: WINSPOOL.DRV/CreatePrinterIC
DynamicLoader: WINSPOOL.DRV/SetJobW
DynamicLoader: WINSPOOL.DRV/GetJobW
DynamicLoader: WINSPOOL.DRV/EnumJobsW
DynamicLoader: WINSPOOL.DRV/AddPrinterW
DynamicLoader: WINSPOOL.DRV/SetPrinterW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverW
DynamicLoader: WINSPOOL.DRV/GetPrinterDriverDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintersW
DynamicLoader: WINSPOOL.DRV/AddPrinterConnectionW
DynamicLoader: WINSPOOL.DRV/DeletePrinterConnectionW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrinterDriverExA
DynamicLoader: WINSPOOL.DRV/EnumPrinterDriversW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverExW
DynamicLoader: WINSPOOL.DRV/AddPrintProcessorW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorsW
DynamicLoader: WINSPOOL.DRV/GetPrintProcessorDirectoryW
DynamicLoader: WINSPOOL.DRV/EnumPrintProcessorDatatypesW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/SplDriverUnloadComplete
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: WINSPOOL.DRV/OpenPrinterW
DynamicLoader: WINSPOOL.DRV/OpenPrinterA
DynamicLoader: WINSPOOL.DRV/ResetPrinterW
DynamicLoader: WINSPOOL.DRV/StartDocPrinterW
DynamicLoader: WINSPOOL.DRV/FlushPrinter
DynamicLoader: WINSPOOL.DRV/GetPrinterDataW
DynamicLoader: WINSPOOL.DRV/SetPrinterDataW
DynamicLoader: WINSPOOL.DRV/AddJobW
DynamicLoader: WINSPOOL.DRV/ScheduleJob
DynamicLoader: WINSPOOL.DRV/WaitForPrinterChange
DynamicLoader: WINSPOOL.DRV/FindNextPrinterChangeNotification
DynamicLoader: WINSPOOL.DRV/PrinterMessageBoxW
DynamicLoader: WINSPOOL.DRV/ClosePrinter
DynamicLoader: WINSPOOL.DRV/AddFormW
DynamicLoader: WINSPOOL.DRV/DeleteFormW
DynamicLoader: WINSPOOL.DRV/GetFormW
DynamicLoader: WINSPOOL.DRV/SetFormW
DynamicLoader: WINSPOOL.DRV/EnumFormsW
DynamicLoader: WINSPOOL.DRV/EnumPortsW
DynamicLoader: WINSPOOL.DRV/EnumMonitorsW
DynamicLoader: WINSPOOL.DRV/AddPortW
DynamicLoader: WINSPOOL.DRV/ConfigurePortW
DynamicLoader: WINSPOOL.DRV/DeletePortW
DynamicLoader: WINSPOOL.DRV/GetPrinterW
DynamicLoader: WINSPOOL.DRV/DeletePrinterDriverPackageW
DynamicLoader: WINSPOOL.DRV/
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: SwatVelamen.DLL/PretorW
DynamicLoader: SwatVelamen.DLL/PretorA
DynamicLoader: SwatVelamen.DLL/Pretor
DynamicLoader: kernel32.dll/VirtualAlloc
DynamicLoader: kernel32.dll/CloseHandle
DynamicLoader: kernel32.dll/GetFileSize
DynamicLoader: kernel32.dll/GlobalAlloc
DynamicLoader: kernel32.dll/ReadFile
DynamicLoader: kernel32.dll/CreateFileA
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: kernel32.dll/VirtualProtect
DynamicLoader: kernel32.dll/LoadLibraryA
DynamicLoader: USER32.dll/MessageBoxA
DynamicLoader: ADVAPI32.dll/MakeSelfRelativeSD
Reads data out of its own binary image
self_read: process: SGQ-200875.exe, pid: 2056, offset: 0x00000000, length: 0x0000e000
self_read: process: SGQ-200875.exe, pid: 2056, offset: 0x00011e1c, length: 0x00008000
self_read: process: SGQ-200875.exe, pid: 2056, offset: 0x00021e1c, length: 0x00008000
self_read: process: SGQ-200875.exe, pid: 2056, offset: 0x009ec31c, length: 0x00004000
self_read: process: SGQ-200875.exe, pid: 2056, offset: 0x019ec21c, length: 0x00004000
self_read: process: SGQ-200875.exe, pid: 2056, offset: 0x019ec31c, length: 0x00004000
self_read: process: SGQ-200875.exe, pid: 2056, offset: 0x029ec21c, length: 0x00040000
self_read: process: SGQ-200875.exe, pid: 2056, offset: 0x069ec21c, length: 0x00003f81
CAPE extracted potentially suspicious content
rundll32.exe: Unpacked Shellcode
rundll32.exe: Unpacked Shellcode
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Louise\AppData\Local\Temp\SGQ-200875.exe
Tries to unhook or modify Windows functions monitored by Cuckoo
unhook: function_name: WinHttpSendRequest, type: modification
unhook: function_name: WinHttpSetOption, type: modification
unhook: function_name: WinHttpOpenRequest, type: modification
Network activity detected but not expressed in API logs
File has been identified by 12 Antiviruses on VirusTotal as malicious
Bkav: HW32.Packed.
Qihoo-360: HEUR/QVM20.1.11B9.Malware.Gen
Symantec: ML.Attribute.HighConfidence
APEX: Malicious
Kaspersky: UDS:DangerousObject.Multi.Generic
McAfee-GW-Edition: BehavesLike.Win32.ObfusRansom.gc
Jiangmin: TrojanDropper.Scrop.ake
Webroot: W32.Trojan.Gen
ZoneAlarm: HEUR:Trojan.Win32.Injuke.gen
Microsoft: Trojan:Win32/Wacatac.C!ml
Ikarus: Trojan.Win32.Injector
MaxSecure: Trojan.Malware.300983.susgen

Hosts

Direct  IP       Country Name
Y       8.8.8.8  [VT] United States
Y       1.1.1.1  [VT] Australia

DNS

No domains contacted.


Summary

C:\Windows\WindowsShell.Manifest
\Device\KsecDD
\??\MountPointManager
C:\Users\Louise\AppData\Local\Temp\
C:\Users\Louise\AppData\Local\Temp
C:\Users\Louise\AppData\Local\Temp\nsr8575.tmp
C:\Users\Louise\AppData\Local\Temp\SGQ-200875.exe
C:\Users\Louise\AppData\Local\Temp\nsn8651.tmp
C:\Users
C:\Users\Louise
C:\Users\Louise\AppData
C:\Users\Louise\AppData\Local
C:\Users\Louise\AppData\Local\Temp\ship
C:\Users\Louise\AppData\Local\Temp\ship\formcontrols.xml
C:\Users\Louise\AppData\Local\Temp\ship\sbscmp10.dll
C:\Users\Louise\AppData\Local\Temp\ship\18.opends60.dll
C:\Users\Louise\AppData\Local\Temp\ship\SmartDevHowDoI80.xml
C:\Users\Louise\AppData\Local\Temp\ship\s390-linux.xml
C:\Users\Louise\AppData\Local\Temp\ship\prs.sid.xml
C:\Users\Louise\AppData\Local\Temp\ship\unresolvedaddress.xml
C:\Users\Louise\AppData\Local\Temp\ship\27.opends60.dll
C:\Users\Louise\AppData\Local\Temp\ship\MicrosoftWindowsCEForms.dll
C:\Users\Louise\AppData\Local\Temp\ship\x-icns.xml
C:\Users\Louise\AppData\Local\Temp\ship\conmanui.dll
C:\Users\Louise\AppData\Local\Temp\ship\com.ubuntu.notifications.settings.gschema.xml
C:\Users\Louise\AppData\Local\Temp\ship\model122.xml
C:\Users\Louise\AppData\Roaming
C:\Users\Louise\AppData\Roaming\can
C:\Users\Louise\AppData\Roaming\can\x-s3m.xml
C:\Users\Louise\AppData\Roaming\can\iso6395.xml
C:\Users\Louise\AppData\Roaming\can\roletemplateprivileges.xml
C:\Users\Louise\AppData\Roaming\can\MicrosoftVisualStudioVSHelp.dll
C:\Users\Louise\AppData\Roaming\can\resgen.exe
C:\Users\Louise\AppData\Roaming\can\org.gnome.Logs.enums.xml
C:\Users\Louise\AppData\Roaming\can\intro.xml
C:\Users\Louise\AppData\Roaming\rct
C:\Users\Louise\AppData\Roaming\rct\webservices
C:\Users\Louise\AppData\Roaming\rct\webservices\genasm.exe
C:\Users\Louise\AppData\Roaming\rct\webservices\10.opends60.dll
C:\Users\Louise\AppData\Roaming\rct\webservices\SamplesTable.xml
C:\Users\Louise\AppData\Roaming\rct\webservices\org.gnome.desktop.datetime.gschema.xml
C:\Users\Louise\AppData\Local\Temp\dan
C:\Users\Louise\AppData\Local\Temp\dan\wsdl
C:\Users\Louise\AppData\Local\Temp\dan\wsdl\paypal
C:\Users\Louise\AppData\Local\Temp\dan\wsdl\paypal\mc.exe
C:\Users\Louise\AppData\Local\Temp\dan\wsdl\paypal\msats10ui.dll
C:\Users\Louise\AppData\Local\Temp\dan\wsdl\paypal\83.opends60.dll
C:\Users\Louise\AppData\Local\Temp\Cogency
C:\Users\Louise\AppData\Local\Temp\SwatVelamen.dll
C:\Windows\SysWOW64\SwatVelamen
C:\Windows\System32\SwatVelamen
C:\Windows\system\SwatVelamen
C:\Windows\SwatVelamen
C:\Users\Louise\AppData\Local\Temp\SwatVelamen
C:\Python27\SwatVelamen
C:\Python27\Scripts\SwatVelamen
C:\Windows\System32\wbem\SwatVelamen
C:\Windows\System32\WindowsPowerShell\v1.0\SwatVelamen
C:\ProgramData\chocolatey\bin\SwatVelamen
C:\Users\Louise\AppData\Local\Programs\Python\Python38-32\Scripts\SwatVelamen
C:\Users\Louise\AppData\Local\Programs\Python\Python38-32\SwatVelamen
C:\Users\Louise\AppData\Roaming\Python\Scripts\SwatVelamen
C:\Windows\SysWOW64\SwatVelamen.DLL
C:\Windows\System32\SwatVelamen.DLL
C:\Windows\system\SwatVelamen.DLL
C:\Windows\SwatVelamen.DLL
C:\Users\Louise\AppData\Local\Temp\SwatVelamen.DLL
C:\Windows\SysWOW64\winhttp.dll
C:\Windows\SysWOW64\webio.dll
C:\Windows\WindowsShell.Manifest
\Device\KsecDD
C:\Users\Louise\AppData\Local\Temp\nsr8575.tmp
C:\Users\Louise\AppData\Local\Temp\SGQ-200875.exe
C:\Users\Louise\AppData\Local\Temp\nsn8651.tmp
C:\Users\Louise\AppData\Local\Temp\SwatVelamen.DLL
C:\Users\Louise\AppData\Local\Temp\Cogency
C:\Windows\SysWOW64\winhttp.dll
C:\Windows\SysWOW64\webio.dll
C:\Users\Louise\AppData\Local\Temp\nsn8651.tmp
C:\Users\Louise\AppData\Local\Temp\ship\formcontrols.xml
C:\Users\Louise\AppData\Local\Temp\ship\sbscmp10.dll
C:\Users\Louise\AppData\Local\Temp\ship\18.opends60.dll
C:\Users\Louise\AppData\Local\Temp\ship\SmartDevHowDoI80.xml
C:\Users\Louise\AppData\Local\Temp\ship\s390-linux.xml
C:\Users\Louise\AppData\Local\Temp\ship\prs.sid.xml
C:\Users\Louise\AppData\Local\Temp\ship\unresolvedaddress.xml
C:\Users\Louise\AppData\Local\Temp\ship\27.opends60.dll
C:\Users\Louise\AppData\Local\Temp\ship\MicrosoftWindowsCEForms.dll
C:\Users\Louise\AppData\Local\Temp\ship\x-icns.xml
C:\Users\Louise\AppData\Local\Temp\ship\conmanui.dll
C:\Users\Louise\AppData\Local\Temp\ship\com.ubuntu.notifications.settings.gschema.xml
C:\Users\Louise\AppData\Local\Temp\ship\model122.xml
C:\Users\Louise\AppData\Roaming\can\x-s3m.xml
C:\Users\Louise\AppData\Roaming\can\iso6395.xml
C:\Users\Louise\AppData\Roaming\can\roletemplateprivileges.xml
C:\Users\Louise\AppData\Roaming\can\MicrosoftVisualStudioVSHelp.dll
C:\Users\Louise\AppData\Roaming\can\resgen.exe
C:\Users\Louise\AppData\Roaming\can\org.gnome.Logs.enums.xml
C:\Users\Louise\AppData\Roaming\can\intro.xml
C:\Users\Louise\AppData\Roaming\rct\webservices\genasm.exe
C:\Users\Louise\AppData\Roaming\rct\webservices\10.opends60.dll
C:\Users\Louise\AppData\Roaming\rct\webservices\SamplesTable.xml
C:\Users\Louise\AppData\Roaming\rct\webservices\org.gnome.desktop.datetime.gschema.xml
C:\Users\Louise\AppData\Local\Temp\dan\wsdl\paypal\mc.exe
C:\Users\Louise\AppData\Local\Temp\dan\wsdl\paypal\msats10ui.dll
C:\Users\Louise\AppData\Local\Temp\dan\wsdl\paypal\83.opends60.dll
C:\Users\Louise\AppData\Local\Temp\Cogency
C:\Users\Louise\AppData\Local\Temp\SwatVelamen.dll
C:\Users\Louise\AppData\Local\Temp\nsr8575.tmp
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VBoxGuest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VBoxGuest\LoggingEnabled
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\system\CurrentControlSet\control\NetworkProvider\HwOrder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\SwatVelamen.DLL
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
DisableUserModeCallbackFilter
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{9a0b8d7d-300f-11ea-b342-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a657-2730-11e9-8620-806e6f6e6963}\Generation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{80b5a658-2730-11e9-8620-806e6f6e6963}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\SwatVelamen.DLL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VBoxGuest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VBoxGuest\LoggingEnabled
lpk.dll.LpkEditControl
kernel32.dll.SetDefaultDllDirectories
version.dll.GetFileVersionInfoA
shfolder.dll.SHGetFolderPathA
shlwapi.dll.#437
cryptbase.dll.SystemFunction036
setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
setupapi.dll.CM_Get_Device_Interface_List_ExW
comctl32.dll.#386
kernel32.dll.GetUserDefaultUILanguage
ole32.dll.CoRevokeInitializeSpy
comctl32.dll.#388
ole32.dll.NdrOleInitializeExtension
ole32.dll.CoGetClassObject
ole32.dll.CoGetMarshalSizeMax
ole32.dll.CoMarshalInterface
ole32.dll.CoUnmarshalInterface
ole32.dll.StringFromIID
ole32.dll.CoGetPSClsid
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
ole32.dll.CoCreateInstance
ole32.dll.CoReleaseMarshalData
ole32.dll.DcomChannelSetHResult
oleaut32.dll.#500
advapi32.dll.UnregisterTraceGuids
comctl32.dll.#321
winspool.drv.#218
winspool.drv.#217
winspool.drv.SetDefaultPrinterW
winspool.drv.GetDefaultPrinterW
winspool.drv.GetPrinterDriverPackagePathW
winspool.drv.CorePrinterDriverInstalledW
winspool.drv.GetCorePrinterDriversW
winspool.drv.UploadPrinterDriverPackageW
winspool.drv.InstallPrinterDriverFromPackageW
winspool.drv.#251
winspool.drv.AddPrinterConnection2W
winspool.drv.OpenPrinter2W
winspool.drv.DeletePrinterKeyW
winspool.drv.DeletePrinterDataExW
winspool.drv.EnumPrinterKeyW
winspool.drv.EnumPrinterDataExW
winspool.drv.GetPrinterDataExW
winspool.drv.SetPrinterDataExW
winspool.drv.DeletePrinterDataW
winspool.drv.EnumPrinterDataW
winspool.drv.SpoolerPrinterEvent
winspool.drv.SetPortW
winspool.drv.DocumentPropertySheets
winspool.drv.DevicePropertySheets
winspool.drv.IsValidDevmodeW
winspool.drv.IsValidDevmodeA
winspool.drv.AddPortExW
winspool.drv.DeletePrintProvidorW
winspool.drv.AddPrintProvidorW
winspool.drv.DeletePrintProcessorW
winspool.drv.DeleteMonitorW
winspool.drv.AddMonitorW
winspool.drv.StartDocDlgW
winspool.drv.AdvancedDocumentPropertiesW
winspool.drv.AdvancedDocumentPropertiesA
winspool.drv.DocumentPropertiesW
winspool.drv.DeviceCapabilitiesW
winspool.drv.DeletePrinterIC
winspool.drv.PlayGdiScriptOnPrinterIC
winspool.drv.CreatePrinterIC
winspool.drv.SetJobW
winspool.drv.GetJobW
winspool.drv.EnumJobsW
winspool.drv.AddPrinterW
winspool.drv.SetPrinterW
winspool.drv.GetPrinterDriverW
winspool.drv.GetPrinterDriverDirectoryW
winspool.drv.EnumPrintersW
winspool.drv.AddPrinterConnectionW
winspool.drv.DeletePrinterConnectionW
winspool.drv.AddPrinterDriverExW
winspool.drv.AddPrinterDriverExA
winspool.drv.EnumPrinterDriversW
winspool.drv.DeletePrinterDriverW
winspool.drv.DeletePrinterDriverExW
winspool.drv.AddPrintProcessorW
winspool.drv.EnumPrintProcessorsW
winspool.drv.GetPrintProcessorDirectoryW
winspool.drv.EnumPrintProcessorDatatypesW
winspool.drv.#207
winspool.drv.#209
winspool.drv.#211
winspool.drv.#212
winspool.drv.SplDriverUnloadComplete
winspool.drv.#213
winspool.drv.#214
winspool.drv.OpenPrinterW
winspool.drv.OpenPrinterA
winspool.drv.ResetPrinterW
winspool.drv.StartDocPrinterW
winspool.drv.FlushPrinter
winspool.drv.GetPrinterDataW
winspool.drv.SetPrinterDataW
winspool.drv.AddJobW
winspool.drv.ScheduleJob
winspool.drv.WaitForPrinterChange
winspool.drv.FindNextPrinterChangeNotification
winspool.drv.PrinterMessageBoxW
winspool.drv.ClosePrinter
winspool.drv.AddFormW
winspool.drv.DeleteFormW
winspool.drv.GetFormW
winspool.drv.SetFormW
winspool.drv.EnumFormsW
winspool.drv.EnumPortsW
winspool.drv.EnumMonitorsW
winspool.drv.AddPortW
winspool.drv.ConfigurePortW
winspool.drv.DeletePortW
winspool.drv.GetPrinterW
winspool.drv.DeletePrinterDriverPackageW
winspool.drv.#234
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
swatvelamen.dll.Pretor
kernel32.dll.VirtualAlloc
kernel32.dll.CloseHandle
kernel32.dll.GetFileSize
kernel32.dll.GlobalAlloc
kernel32.dll.ReadFile
kernel32.dll.CreateFileA
kernel32.dll.LoadLibraryA
kernel32.dll.VirtualProtect
user32.dll.MessageBoxA
advapi32.dll.MakeSelfRelativeSD
C:\Windows\system32\rundll32.exe SwatVelamen,Pretor

PE Information

Image Base: 0x00400000
Entry Point: 0x004033a9
Reported Checksum: 0x00000000
Actual Checksum: 0x00073b4c
Minimum OS Version: 4.0
Compile Time: 2019-12-16 00:51:03
Import Hash: 7c2c71dfce9a27650634dc8b1ca03bf0
Icon: (image, not in text extraction)
Icon Exact Hash: 31eb0addbcb1fed351c395b934dbb62a
Icon Similarity Hash: fdafe005c1c4392b977b58162f3ce3e3

Sections

Name    RAW Address  Virtual Address  Virtual Size  Size of Raw Data  Characteristics                                                          Entropy
.text   0x00000400   0x00001000       0x00006455    0x00006600        IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ              6.44
.rdata  0x00006a00   0x00008000       0x0000134a    0x00001400        IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                        5.24
.data   0x00007e00   0x0000a000       0x00025538    0x00000600        IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE    4.13
.ndata  0x00000000   0x00030000       0x00010000    0x00000000        IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE  0.00
.rsrc   0x00008400   0x00040000       0x00005958    0x00005a00        IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ                        4.07

Overlay

Offset: 0x0000de00
Size: 0x0005ffa1

Resources

Name Offset Size Language Sub-language Entropy File type
RT_ICON 0x00044e90 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_ICON 0x00044e90 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_ICON 0x00044e90 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_ICON 0x00044e90 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_ICON 0x00044e90 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_ICON 0x00044e90 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_ICON 0x00044e90 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_DIALOG 0x000453d8 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 2.90 None
RT_DIALOG 0x000453d8 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 2.90 None
RT_DIALOG 0x000453d8 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 2.90 None
RT_DIALOG 0x000453d8 0x000000ee LANG_ENGLISH SUBLANG_ENGLISH_US 2.90 None
RT_GROUP_ICON 0x000454c8 0x00000068 LANG_ENGLISH SUBLANG_ENGLISH_US 1.44 None
RT_MANIFEST 0x00045530 0x00000423 LANG_ENGLISH SUBLANG_ENGLISH_US 5.30 None

Imports

0x408074 CreateFileA
0x408078 GetFileSize
0x40807c GetModuleFileNameA
0x408080 ReadFile
0x408084 GetCurrentProcess
0x408088 CopyFileA
0x40808c Sleep
0x408090 GetTickCount
0x408098 GetTempPathA
0x40809c GetCommandLineA
0x4080a0 lstrlenA
0x4080a4 GetVersion
0x4080a8 SetErrorMode
0x4080ac lstrcpynA
0x4080b0 ExitProcess
0x4080b4 SetFileAttributesA
0x4080b8 GlobalLock
0x4080bc CreateThread
0x4080c0 GetLastError
0x4080c4 CreateDirectoryA
0x4080c8 CreateProcessA
0x4080cc RemoveDirectoryA
0x4080d0 GetTempFileNameA
0x4080d4 WriteFile
0x4080d8 lstrcpyA
0x4080dc MoveFileExA
0x4080e0 lstrcatA
0x4080e4 GetSystemDirectoryA
0x4080e8 GetProcAddress
0x4080ec GetExitCodeProcess
0x4080f0 WaitForSingleObject
0x4080f4 CompareFileTime
0x4080f8 SetFileTime
0x4080fc GetFileAttributesA
0x408104 MoveFileA
0x408108 GetFullPathNameA
0x40810c GetShortPathNameA
0x408110 SearchPathA
0x408114 CloseHandle
0x408118 lstrcmpiA
0x40811c GlobalUnlock
0x408120 GetDiskFreeSpaceA
0x408124 lstrcmpA
0x408128 DeleteFileA
0x40812c FindFirstFileA
0x408130 FindNextFileA
0x408134 FindClose
0x408138 SetFilePointer
0x408144 MulDiv
0x408148 MultiByteToWideChar
0x40814c FreeLibrary
0x408150 LoadLibraryExA
0x408154 GetModuleHandleA
0x408158 GlobalAlloc
0x40815c GlobalFree
0x408184 GetSystemMenu
0x408188 SetClassLongA
0x40818c EnableMenuItem
0x408190 IsWindowEnabled
0x408194 SetWindowPos
0x408198 GetSysColor
0x40819c GetWindowLongA
0x4081a0 SetCursor
0x4081a4 LoadCursorA
0x4081a8 CheckDlgButton
0x4081ac GetMessagePos
0x4081b0 CallWindowProcA
0x4081b4 IsWindowVisible
0x4081b8 CloseClipboard
0x4081bc SetClipboardData
0x4081c0 EmptyClipboard
0x4081c4 OpenClipboard
0x4081c8 ScreenToClient
0x4081cc GetWindowRect
0x4081d0 GetDlgItem
0x4081d4 GetSystemMetrics
0x4081d8 SetDlgItemTextA
0x4081dc GetDlgItemTextA
0x4081e0 MessageBoxIndirectA
0x4081e4 CharPrevA
0x4081e8 DispatchMessageA
0x4081ec PeekMessageA
0x4081f0 GetDC
0x4081f4 ReleaseDC
0x4081f8 EnableWindow
0x4081fc InvalidateRect
0x408200 SendMessageA
0x408204 DefWindowProcA
0x408208 BeginPaint
0x40820c GetClientRect
0x408210 FillRect
0x408214 EndDialog
0x408218 RegisterClassA
0x408220 CreateWindowExA
0x408224 GetClassInfoA
0x408228 DialogBoxParamA
0x40822c CharNextA
0x408230 ExitWindowsEx
0x408234 LoadImageA
0x408238 CreateDialogParamA
0x40823c SetTimer
0x408240 SetWindowTextA
0x408244 SetForegroundWindow
0x408248 ShowWindow
0x40824c SetWindowLongA
0x408250 SendMessageTimeoutA
0x408254 FindWindowExA
0x408258 IsWindow
0x40825c AppendMenuA
0x408260 TrackPopupMenu
0x408264 CreatePopupMenu
0x408268 DrawTextA
0x40826c EndPaint
0x408270 DestroyWindow
0x408274 wsprintfA
0x408278 PostQuitMessage
0x40804c SelectObject
0x408050 SetTextColor
0x408054 SetBkMode
0x408058 CreateFontIndirectA
0x40805c CreateBrushIndirect
0x408060 DeleteObject
0x408064 GetDeviceCaps
0x408068 SetBkColor
0x40816c ShellExecuteExA
0x408174 SHBrowseForFolderA
0x408178 SHGetFileInfoA
0x40817c SHFileOperationA
0x408004 RegCreateKeyExA
0x408008 RegOpenKeyExA
0x40800c SetFileSecurityA
0x408010 OpenProcessToken
0x408018 RegEnumValueA
0x40801c RegDeleteKeyA
0x408020 RegDeleteValueA
0x408024 RegCloseKey
0x408028 RegSetValueExA
0x40802c RegQueryValueExA
0x408030 RegEnumKeyA
0x408038 ImageList_Create
0x40803c ImageList_AddMasked
0x408040 None
0x408044 ImageList_Destroy
0x408280 OleUninitialize
0x408284 OleInitialize
0x408288 CoTaskMemFree
0x40828c CoCreateInstance

!This program cannot be run in DOS mode.
.text
`.rdata
@.data
.ndata
.rsrc
s495l
tTj\V
jHjZW
VQSPW
SQVPW
vX95(
Instu_
softuV
NulluM
D$8h`
D$$Ph
D$(SPS
Vj%SSS
SWShD
tT<"u
SPSj0
D$$+D$
D$,+D$$P
UUUUW
t$,VW
PWVh$
SSSSjn
uDSSh
tc<.u
^j\PN
@PWQh
HtVHtHH
UXTHEME
USERENV
SETUPAPI
APPHELP
PROPSYS
DWMAPI
CRYPTBASE
OLEACC
CLBCATQ
NTMARTA
RichEdit
RichEdit20A
RichEd32
RichEd20
.DEFAULT\Control Panel\International
Control Panel\Desktop\ResourceLocale
Software\Microsoft\Windows\CurrentVersion
\Microsoft\Internet Explorer\Quick Launch
MulDiv
DeleteFileA
FindFirstFileA
FindNextFileA
FindClose
SetFilePointer
GetPrivateProfileStringA
WritePrivateProfileStringA
MultiByteToWideChar
FreeLibrary
LoadLibraryExA
GetModuleHandleA
GlobalAlloc
GlobalFree
ExpandEnvironmentStringsA
lstrcmpA
lstrcmpiA
CloseHandle
SetFileTime
CompareFileTime
SearchPathA
GetShortPathNameA
GetFullPathNameA
MoveFileA
SetCurrentDirectoryA
GetFileAttributesA
SetFileAttributesA
Sleep
GetTickCount
CreateFileA
GetFileSize
GetModuleFileNameA
ReadFile
GetCurrentProcess
CopyFileA
ExitProcess
SetEnvironmentVariableA
GetWindowsDirectoryA
GetTempPathA
GetCommandLineA
lstrlenA
GetVersion
SetErrorMode
lstrcpynA
GetDiskFreeSpaceA
GlobalUnlock
GlobalLock
CreateThread
GetLastError
CreateDirectoryA
CreateProcessA
RemoveDirectoryA
GetTempFileNameA
WriteFile
lstrcpyA
MoveFileExA
lstrcatA
GetSystemDirectoryA
GetProcAddress
GetExitCodeProcess
WaitForSingleObject
KERNEL32.dll
EndPaint
DrawTextA
FillRect
GetClientRect
BeginPaint
DefWindowProcA
SendMessageA
InvalidateRect
EnableWindow
ReleaseDC
GetDC
LoadImageA
SetWindowLongA
GetDlgItem
IsWindow
FindWindowExA
SendMessageTimeoutA
wsprintfA
ShowWindow
SetForegroundWindow
PostQuitMessage
SetWindowTextA
SetTimer
CreateDialogParamA
DestroyWindow
ExitWindowsEx
CharNextA
DialogBoxParamA
GetClassInfoA
CreateWindowExA
SystemParametersInfoA
RegisterClassA
EndDialog
ScreenToClient
GetWindowRect
EnableMenuItem
GetSystemMenu
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
TrackPopupMenu
AppendMenuA
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
USER32.dll
SelectObject
SetTextColor
SetBkMode
CreateFontIndirectA
CreateBrushIndirect
DeleteObject
GetDeviceCaps
SetBkColor
GDI32.dll
SHFileOperationA
SHGetFileInfoA
SHBrowseForFolderA
SHGetPathFromIDListA
ShellExecuteExA
SHGetSpecialFolderLocation
SHELL32.dll
RegEnumValueA
RegEnumKeyA
RegQueryValueExA
RegSetValueExA
RegCloseKey
RegDeleteValueA
RegDeleteKeyA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
SetFileSecurityA
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
ImageList_Destroy
ImageList_AddMasked
ImageList_Create
COMCTL32.dll
CoCreateInstance
OleUninitialize
OleInitialize
CoTaskMemFree
ole32.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
Installer integrity check has failed. Common causes include
incomplete download and damaged media. Contact the
installer's author to obtain a new copy.
More information at:
http://nsis.sf.net/NSIS_Error
Error writing temporary file. Make sure your temp folder is valid.
Error launching installer
SeShutdownPrivilege
\Temp
NSIS Error
%u.%u%s%s
VerQueryValueA
GetFileVersionInfoA
GetFileVersionInfoSizeA
VERSION
SHGetFolderPathA
SHFOLDER
SHAutoComplete
SHLWAPI
SHELL32
InitiateShutdownA
RegDeleteKeyExA
ADVAPI32
GetUserDefaultUILanguage
GetDiskFreeSpaceExA
SetDefaultDllDirectories
KERNEL32
[Rename]
%s=%s
*?|<>/":
%s%s.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.05</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility></assembly>
NullsoftInst
+XDpPq
~hG8e
4Io^#
mhQG3
J '|]+
hQYQaI!M
O[ki"
4*Sdj"Y
v1)lf
JBa3g
z:#.f
K!%ZF[
: 6jhP
f_:Cb
wGh dJ
Ni?mS
$8:C[?
OgA`:O
6(wDz
?.>Gg
5p)qq1
GGl-HL
#*-w'
*\.|h]
>m]n.
leHng
`o+|`
%':cy
;&o{8
fcUx{I
ZAreJwF6V
w'VhO
H+xI)
*uP[")
.gaty
(nT[W4W
v*cmD
cgkO,
mcYh~
2JoSO(
R0z0u`
#}ez[
&;'{N
9y9+r,9\
?jbY.
?T0QJ
KQ:GR
Mu6/r-
k?Y5t
\~y+C
*leME
5#5~#6
V7q&l
[O%s1Bc
p\q^x$
^-<M[Sc
J7_+!
sSi4zeE
/uQG/
A0N8.
5~Ktn
!u#;c
J5yDHd
iH3 m
IgFk&
2i19b
V0qF)8
n(-`]
c]n-~
m6tIpc
U{CW[aW4
AkuF8
Q'?<y
_v`v0
wY6VQ
"miZc
g(223
${PvB
8'&k|
<2\d^
?o~Yq~!O
-P)-=
1)5x0
!R?WW
SGQd&
Zx{U:
3n)&1H[^
o|(<L
Oh7ML
O+_)mg]nG
8teX-
f<ym(
be+q"
Lie-]~`SU
P#:aQ*
Aq*B^
y^,J7
8}K/P
k0.e[
S7LNi^
hUlS\
o+>U|
*^=R=A
h5K5:M
~qAvR%
k-M"I
1+-(fA_B
fEu##-`
[J/Nk
C0~5z
ipTyu
OAT=nX
WTzosP
0TbpE
!0T!F
UVzi'e
XU66T
8gohM
:"vhLCf'
zKSKh
dUFFUr
U2}U2
*EFrZ
&lJ\\
H*.|<|
w4x1z,
tQ;,,
OR[2x>
W2KZ.
uDp%GD
zp}M]{$-
$I!Sx
= ) U
"=8,l
z_BmNd
An&5`
$ }jx_
w<:q/
n')4;
Igcg98
FK=Kp
_ZQEA
3Ykuy
{wE=q}|
Z+TtZ
9ZF_y
>XJ$>T
BH"#*0
;uaya
'^6)\B
yqrt*
H9k3j
I1ZOZ
C2Ud4
871+~
|6d=!
'oM|)
o<~<v
$'JpXA
^Y|w7,B
%%Wlx
/JxLz}
I/~|[
^N|`=Sy
[N%d^
/-;\6
1U\o1
=OV0W4
(q"ui76
7ZD`B
Q:M>)
(%&!?
6zp{8
W><mMO
MXKq2
}{+1$;
U6\Uh7
dX#62
GTk-V
GTQ\V4
jZf6\
Wu3(g
;{pjY
5B_&G
C}BCR
3hT>XB
rd)r<
&OQ(T
g5YNLT
l:}=pU
"=U7T
o/XS]
{<gx
}(T!u3
NKVVWW
5\mrU
[Og.|c
xqdN\|=
2=C%g
Ki[!dtr
pYxwv
F,% -
riw|)V
E3x)-S
{D7OGP~j
vVBYf
bRBn!D
9k;{^
3#._2
GY){Dw
10}>{
[3ak&l
@S^Cp#
B^VVC9
s 7=H
5aT-]N
Q-Ac S=
9CrRk
e`nYqSm
+?YUG1
glnQ>n
rcQeEiUa
,c%:V8
:V<u*
II`KR
J2Z!"
o":*O
(s|fB
|}JlM
}@Kg+
=JXs~
_:?11
D2u"p
1#J~)
@%Qv9
<XgX2
8"ec*
DLy}"
BSEV2;
!k)kX
nv!{~
sNNMN}
}9Gs^
)+N;{|
Hnlr{
qC (q
U`U#R
tt0te;
>T::4
zE< X9
w{k]E
Um,Q`
Aj8Xz1
l%UB)
xz)'<
oQFl||yI
jl)[H>
4'ps"
23^Js
db:{.B
YIyO~G
mt={D
657PXL
zZ{N_
iu]MS
dD3(2
!;x!&
\D?$_3
<O5)>k
O[A(3-
|Ha>O!k
T'@#1[
!Ep<x*
)[<sT
z3ucy
%=3-#
Jz0hb
??Y&(o_
&M9:6
%QIfZ)M
(B1RD
)#;{V
LqNGfH
6/3m>`4
yf{~$
m3JE1/
g~T],0
k^>&l
wxS ~!
XX?)QJ
G.\Zt9
vqwzi
g+\G1
F4/4!,3a
=rw$ <
`cO'
g%}5!
_3{=)
5x)@3
VB^ix
Q`kWr
H<d~Ewc
IK,NfO~
+-[YA
si^k1q
dc-Te
%;l[`
2 LbV
$<A^j
rG<[%
jFkuJ
7i(DmR
yeogtBJ
F}lDS
M GE>ay
7:e1z
`u>'0
<hW jj
q}Fl1
[-$YT
iYb7m
`^VO-
>9vA#
UvlPo
%)IoN
1DqjqR
Ub1AI
wPv_1
C<BY<
D.%EE
-jE)"
HBXVo
ON':@
rGqp
te(u OV
)>;B\
,]5-*V
!VN(l
uN[<F-WF
F-`>5
OoJzrR
02Cc]
^ 3R[
_X+ O!
,=C]A
(ikdi
zqMN'
&<ea~H
ghgxsDqv{
:K+>X
q"_Tp
w9}83
?#_=~TIv
!f]Uu}Ck;
#(DU#
DgPt;lJ
6>/5]y
1q qrK
w*:tQ
]>gwl
=xYnz
i7;~#
CO>r\
YK(e8a
m;JGw
*%Z5RBp
<onHH
MH>x.
]wh)L
Ei<)-
-/ax/W
1GS6v(
84>Qg
IA%5^u
{LT1=W
]xtk[
1|+HO
v-~gt
8QD-<
OpqwA
?LamC
~vh4\
VOzuJm
?l:@_k
_;\;0X
X'PcM
rlo?:$
z?gi%
.c?JR
t# H)
`iAKi
@yv}S
CV<Zv6p
1)h6j
KS8B5
>Lzl`
%9L#F
Xq?H("G
A#z`.
wv:x&
A;dom
N7?6W
\^w9G
?[s8j
vbs(`q
z!rLz
DR#!|
5sFstO
1?=Oj
~tSDO
18O]6
2sov7
8Gvns
%sxrI
ov>yP
#fV=n
yjC3b
zqXt}
1HZB26Fnc
{|ND2%
os[T8
ZkV>G#
_WnY[
LL)ds
.*/,(TJ
6)}/6O
W%4Qy^
/?5I;
;fx<9][0L
$cy:5
\DfZC
wWeV[
/b./04g
1">1v
-Ysp~
=A`Yoa
)$N`Y/
o*,bT
(R&[Euoo
^Gd5{
DRkh:
gnBYn
jX+Az
^=76:[G>5D
wN:VIQ
#no-f
M<.Ho
|yaMk
2xW[t
3|FzL
{}Q*7
Y[uP}
tQv]$
O?\U/%!
%E:r:
m<T'Jpg
]_u*5
@S'm~
^!r'K^
7ut;7
Si"i1
"\jL%
wb,TO&
v\Ydl.N
c7CKH~2
t$D^/
Lw$]d2
9Zt4?#
+F'op
yn-yj
C!ISy
Fy:^l
SV`{^
:98{#
^Sror~^<
xqsv<V
%d]^<
&X7R*$d
XXH1O2W
Gc0OH
"_nE.
bE&c#
<UMZ2:
_Q<7Q
PDwv7
DIwa}
.\rsu
U'ns!
iX\z2O+
N*"L-
5LHD
G^_?<
|H2Gc
'6vqX2
OB[i8d
).Me*
T>o7w
%uNi08
GDrF*
?.c0/4Z
n;<E3
: qm3
[KJz]
Er".G
j=Ckyn^
Z7n$*
.:"<TQ
y2!`G"
Hp_[B
7g+<.
;-iUA
N&`G5
vti9C
;fR2[}
uz52`G>
DgaF>C
B"`GjB>
=>^l#
MS Shell Dlg
MS Shell Dlg
MS Shell Dlg
msctls_progress32
SysListView32
MS Shell Dlg
Please wait while Setup is loading...

Full Results

Engine Signature
Bkav HW32.Packed.
MicroWorld-eScan Clean
FireEye Clean
CAT-QuickHeal Clean
Qihoo-360 HEUR/QVM20.1.11B9.Malware.Gen
McAfee Clean
Cylance Clean
Zillya Clean
SUPERAntiSpyware Clean
Sangfor Clean
K7AntiVirus Clean
Alibaba Clean
K7GW Clean
Cybereason Clean
TrendMicro Clean
Baidu Clean
F-Prot Clean
Symantec ML.Attribute.HighConfidence
TotalDefense Clean
APEX Malicious
Avast Clean
ClamAV Clean
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Clean
NANO-Antivirus Clean
Paloalto Clean
AegisLab Clean
Tencent Clean
Endgame Clean
TACHYON Clean
Sophos Clean
Comodo Clean
F-Secure Clean
DrWeb Clean
VIPRE Clean
Invincea Clean
McAfee-GW-Edition BehavesLike.Win32.ObfusRansom.gc
Trapmine Clean
CMC Clean
Emsisoft Clean
SentinelOne Clean
Cyren Clean
Jiangmin TrojanDropper.Scrop.ake
Webroot W32.Trojan.Gen
Avira Clean
Fortinet Clean
Antiy-AVL Clean
Kingsoft Clean
Arcabit Clean
ViRobot Clean
ZoneAlarm HEUR:Trojan.Win32.Injuke.gen
Avast-Mobile Clean
Microsoft Trojan:Win32/Wacatac.C!ml
Cynet Clean
AhnLab-V3 Clean
Acronis Clean
VBA32 Clean
ALYac Clean
MAX Clean
Ad-Aware Clean
Malwarebytes Clean
Zoner Clean
ESET-NOD32 Clean
TrendMicro-HouseCall Clean
Rising Clean
Yandex Clean
Ikarus Trojan.Win32.Injector
eGambit Clean
GData Clean
BitDefenderTheta Clean
AVG Clean
Panda Clean
CrowdStrike Clean
MaxSecure Trojan.Malware.300983.susgen
Sorry! No behavior.

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 1.1.1.1 [VT] Australia

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.1.6 50764 1.1.1.1 53
192.168.1.6 52555 1.1.1.1 53
192.168.1.6 56304 1.1.1.1 53
192.168.1.6 57593 1.1.1.1 53
192.168.1.6 58697 1.1.1.1 53
192.168.1.6 60016 1.1.1.1 53
192.168.1.6 63241 1.1.1.1 53
192.168.1.6 63713 1.1.1.1 53
192.168.1.6 64201 1.1.1.1 53
192.168.1.6 65048 1.1.1.1 53
192.168.1.6 137 192.168.1.255 137
192.168.1.6 50764 8.8.8.8 53
192.168.1.6 52555 8.8.8.8 53
192.168.1.6 56304 8.8.8.8 53
192.168.1.6 57593 8.8.8.8 53
192.168.1.6 58697 8.8.8.8 53
192.168.1.6 60016 8.8.8.8 53
192.168.1.6 63241 8.8.8.8 53
192.168.1.6 63713 8.8.8.8 53
192.168.1.6 64201 8.8.8.8 53
192.168.1.6 65048 8.8.8.8 53

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.
Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature
  • T1089 - Disabling Security Tools
    • Signature - antisandbox_unhook

    Processing ( 3.683 seconds )

    • 1.755 VirusTotal
    • 0.46 NetworkAnalysis
    • 0.357 Static
    • 0.35 CAPE
    • 0.312 BehaviorAnalysis
    • 0.277 Dropped
    • 0.081 Deduplicate
    • 0.037 TargetInfo
    • 0.029 AnalysisInfo
    • 0.012 Strings
    • 0.007 peid
    • 0.005 Debug
    • 0.001 Suricata

    Signatures ( 0.29500000000000015 seconds )

    • 0.034 ransomware_files
    • 0.027 antiav_detectreg
    • 0.017 masquerade_process_name
    • 0.017 ransomware_extensions
    • 0.016 antiav_detectfile
    • 0.012 territorial_disputes_sigs
    • 0.011 infostealer_ftp
    • 0.008 infostealer_bitcoin
    • 0.007 api_spamming
    • 0.007 stealth_timeout
    • 0.007 antianalysis_detectfile
    • 0.007 infostealer_im
    • 0.006 decoy_document
    • 0.006 infostealer_browser
    • 0.006 persistence_autorun
    • 0.005 NewtWire Behavior
    • 0.005 antivm_vbox_files
    • 0.004 Doppelganging
    • 0.004 mimics_filetime
    • 0.004 ransomware_message
    • 0.004 reads_self
    • 0.004 antianalysis_detectreg
    • 0.004 infostealer_mail
    • 0.003 antivm_generic_disk
    • 0.003 betabot_behavior
    • 0.003 bootkit
    • 0.003 kibex_behavior
    • 0.003 network_tor
    • 0.003 stealth_file
    • 0.003 virus
    • 0.003 antidbg_devices
    • 0.003 geodo_banking_trojan
    • 0.002 infostealer_browser_password
    • 0.002 sets_autoconfig_url
    • 0.002 tinba_behavior
    • 0.002 antivm_vbox_keys
    • 0.002 antivm_vmware_keys
    • 0.002 predatorthethief_files
    • 0.002 qulab_files
    • 0.001 antidbg_windows
    • 0.001 antiemu_wine_func
    • 0.001 cerber_behavior
    • 0.001 dynamic_function_loading
    • 0.001 exec_crash
    • 0.001 hancitor_behavior
    • 0.001 hawkeye_behavior
    • 0.001 Raccoon Behavior
    • 0.001 ipc_namedpipe
    • 0.001 kazybot_behavior
    • 0.001 kovter_behavior
    • 0.001 malicious_dynamic_function_loading
    • 0.001 persistence_autorun_tasks
    • 0.001 rat_nanocore
    • 0.001 securityxploded_modules
    • 0.001 shifu_behavior
    • 0.001 antivm_parallels_keys
    • 0.001 antivm_vbox_devices
    • 0.001 antivm_vmware_files
    • 0.001 antivm_xen_keys
    • 0.001 banker_zeus_mutex
    • 0.001 browser_security
    • 0.001 codelux_behavior
    • 0.001 darkcomet_regkeys
    • 0.001 disables_browser_warn
    • 0.001 revil_mutexes
    • 0.001 limerat_regkeys
    • 0.001 obliquerat_files
    • 0.001 rat_pcclient
    • 0.001 recon_fingerprint
    • 0.001 remcos_files
    • 0.001 sniffer_winpcap

    Reporting ( 31.536 seconds )

    • 31.464 BinGraph
    • 0.065 MITRE_TTPS
    • 0.007 PCAP2CERT