Analysis

Category: FILE
Package: exe
Started: 2025-06-12 18:29:06
Completed: 2025-06-12 19:00:14
Duration: 1868 seconds
Options:
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1
Analysis Log:
2024-11-25 13:37:15,678 [root] INFO: Date set to: 20250611T17:34:19, timeout set to: 1800
2025-06-11 18:34:19,177 [root] DEBUG: Starting analyzer from: C:\tmpjeo7jmad
2025-06-11 18:34:19,177 [root] DEBUG: Storing results at: C:\uyHCokWh
2025-06-11 18:34:19,177 [root] DEBUG: Pipe server name: \\.\PIPE\IpEgLKC
2025-06-11 18:34:19,192 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-11 18:34:19,192 [root] INFO: analysis running as an admin
2025-06-11 18:34:19,192 [root] INFO: analysis package specified: "exe"
2025-06-11 18:34:19,192 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-11 18:34:20,067 [root] DEBUG: imported analysis package "exe"
2025-06-11 18:34:20,067 [root] DEBUG: initializing analysis package "exe"...
2025-06-11 18:34:20,067 [lib.common.common] INFO: wrapping
2025-06-11 18:34:20,067 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-11 18:34:20,067 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\BluetoothLogView.exe
2025-06-11 18:34:20,067 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-11 18:34:20,067 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-11 18:34:20,067 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-11 18:34:20,067 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-11 18:34:20,223 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-11 18:34:20,317 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-11 18:34:20,349 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-11 18:34:20,364 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-11 18:34:20,380 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-11 18:34:20,380 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-11 18:34:20,380 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-11 18:34:20,396 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-11 18:34:20,396 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-11 18:34:20,396 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-11 18:34:20,396 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-11 18:34:20,396 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-11 18:34:20,396 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-11 18:34:20,396 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-11 18:34:20,396 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-11 18:34:20,396 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-11 18:34:20,396 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-11 18:34:20,396 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-11 18:34:42,770 [modules.auxiliary.digisig] DEBUG: File has a valid signature
2025-06-11 18:34:42,770 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-11 18:34:42,770 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-11 18:34:42,770 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-11 18:34:42,770 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-11 18:34:42,770 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-11 18:34:42,786 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-11 18:34:42,786 [modules.auxiliary.disguise] INFO: Disguising GUID to 88063f41-cb09-49fe-8433-82e8a31757b9
2025-06-11 18:34:42,786 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-11 18:34:42,786 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-11 18:34:42,786 [root] DEBUG: attempting to configure 'Human' from data
2025-06-11 18:34:42,786 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-11 18:34:42,786 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-11 18:34:42,786 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-11 18:34:42,786 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-11 18:34:42,786 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-11 18:34:42,786 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-11 18:34:42,786 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-11 18:34:42,786 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-11 18:34:42,786 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-11 18:34:42,786 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-11 18:34:42,786 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-11 18:34:42,786 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-11 18:34:42,786 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-11 18:34:42,786 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-11 18:34:42,817 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmpjeo7jmad\dll\696.ini
2025-06-11 18:34:42,817 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-11 18:34:42,817 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-11 18:34:42,817 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-11 18:34:42,817 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-11 18:34:42,817 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-11 18:34:42,817 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-11 18:34:42,817 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpjeo7jmad\dll\pQxbIz.dll, loader C:\tmpjeo7jmad\bin\EPCPTrhb.exe
2025-06-11 18:34:42,880 [root] DEBUG: Loader: IAT patching disabled.
2025-06-11 18:34:42,880 [root] DEBUG: Loader: Injecting process 696 with C:\tmpjeo7jmad\dll\pQxbIz.dll.
2025-06-11 18:34:42,880 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-11 18:34:42,880 [root] INFO: Disabling sleep skipping.
2025-06-11 18:34:42,880 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-11 18:34:42,880 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-11 18:34:42,880 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-11 18:34:42,880 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-11 18:34:42,880 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-11 18:34:42,880 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-11 18:34:42,895 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-11 18:34:42,895 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-11 18:34:42,895 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF822E30000, thread 3612, image base 0x00007FF60D500000, stack from 0x0000008EFABF4000-0x0000008EFAC00000
2025-06-11 18:34:42,895 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-11 18:34:42,911 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-11 18:34:42,911 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-11 18:34:42,911 [root] DEBUG: Successfully injected DLL C:\tmpjeo7jmad\dll\pQxbIz.dll.
2025-06-11 18:34:42,911 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-11 18:34:4 <truncated>

Machine

Name: win10-2
Label: win10-2
Manager: KVM
Started On: 2025-06-12 18:29:06
Shutdown On: 2025-06-12 18:59:54
Route: none

File Details

File Name
BluetoothLogView.exe
File Type PE32 executable (GUI) Intel 80386, for MS Windows
File Size 266448 bytes
MD5 0dd1ede1018e0b309bbf7aaab0703b59
SHA1 3899b3b8aa5b70775d09c111c8985e2dbeb147c7
SHA256 ef93532a598416507c92e4512bc61ef2f3b83f368c2fa102d8593c6efcdb2de1
SHA3-384 a9b10f99521f25ddcfc564e9deffe8866fd6f7bb384847faf8afe87bd3e96ae3791be17a62e68cf59c811eb1931bf35b
CRC32 7B2E6622
TLSH T17A4412574126A648E65394B8F6BB4D399321A7827CF8616F10B4869BBCFC3A1FD0113F
Ssdeep 6144:rZwM9ghtkdLdUjmn3Uby9Do6aIIhBqkRYL7IloSm:rWP8JdUjmn3TDoLthB/8IloSm

Full Results

Engine Result
MaxSecure Trojan.Malware.74307679.susgen


PE Information

Image Base: 0x00400000
Entry Point: 0x000c38e0
Reported Checksum: 0x00049905
Actual Checksum: 0x00049905
Minimum OS Version: 4.0
Compile Time: 2016-10-20 18:44:21
Import Hash: 2a37c4ac423f1eeadf124485462e7165
Icon Exact Hash: 6434cf519068026ab80eadb8ec63a8a6
Icon Similarity Hash: cc2c8a4983610f883f05e2bd877cc372
Icon DHash: d8dad0d878f0ca6c

Version Infos

CompanyName NirSoft
FileDescription BluetoothLogView
FileVersion 1.12
InternalName BluetoothLogView
LegalCopyright Copyright © 2012 - 2016 Nir Sofer
OriginalFilename BluetoothLogView.exe
ProductName BluetoothLogView
ProductVersion 1.12
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
UPX0 0x00000400 0x00001000 0x00088000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
UPX1 0x00000400 0x00089000 0x0003c000 0x0003b600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 8.00
.rsrc 0x0003ba00 0x000c5000 0x00003000 0x00002800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.59

Overlay

Offset 0x0003e200
Size 0x00002ed0

Name Offset Size Language Sub-language Entropy File type
BIN 0x00011828 0x000ac70a LANG_ENGLISH SUBLANG_ENGLISH_US 0.00 None
RT_CURSOR 0x000bdf34 0x00000134 LANG_ENGLISH SUBLANG_ENGLISH_US 7.34 None
RT_BITMAP 0x000be068 0x000003e8 LANG_HEBREW SUBLANG_DEFAULT 7.82 None
RT_BITMAP 0x000be450 0x000000d8 LANG_ENGLISH SUBLANG_ENGLISH_US 7.11 None
RT_BITMAP 0x000be528 0x000000d8 LANG_ENGLISH SUBLANG_ENGLISH_US 7.01 None
RT_ICON 0x000c582c 0x000010a8 LANG_HEBREW SUBLANG_DEFAULT 4.55 None
RT_ICON 0x000c68d8 0x00000468 LANG_HEBREW SUBLANG_DEFAULT 5.63 None
RT_ICON 0x000c6d44 0x00000128 LANG_HEBREW SUBLANG_DEFAULT 2.80 None
RT_ICON 0x000c6e70 0x00000128 LANG_HEBREW SUBLANG_DEFAULT 2.64 None
RT_MENU 0x000bfd60 0x00000460 LANG_ENGLISH SUBLANG_ENGLISH_US 7.82 None
RT_MENU 0x000c01c0 0x000001c4 LANG_ENGLISH SUBLANG_ENGLISH_US 7.47 None
RT_MENU 0x000c0384 0x0000005e LANG_HEBREW SUBLANG_DEFAULT 6.21 None
RT_DIALOG 0x000c03e4 0x000000ea LANG_HEBREW SUBLANG_DEFAULT 7.04 None
RT_DIALOG 0x000c04d0 0x00000296 LANG_HEBREW SUBLANG_DEFAULT 7.73 None
RT_DIALOG 0x000c0768 0x000000fa LANG_HEBREW SUBLANG_DEFAULT 7.12 None
RT_DIALOG 0x000c0864 0x00000336 LANG_ENGLISH SUBLANG_ENGLISH_US 7.75 None
RT_STRING 0x000c0b9c 0x0000011e LANG_ENGLISH SUBLANG_ENGLISH_US 7.27 None
RT_STRING 0x000c0cbc 0x00000118 LANG_ENGLISH SUBLANG_ENGLISH_US 7.22 None
RT_STRING 0x000c0dd4 0x00000052 LANG_ENGLISH SUBLANG_ENGLISH_US 6.19 None
RT_STRING 0x000c0e28 0x000000bc LANG_ENGLISH SUBLANG_ENGLISH_US 6.88 None
RT_STRING 0x000c0ee4 0x0000003c LANG_ENGLISH SUBLANG_ENGLISH_US 5.66 None
RT_STRING 0x000c0f20 0x00000068 LANG_ENGLISH SUBLANG_ENGLISH_US 6.33 None
RT_STRING 0x000c0f88 0x0000004c LANG_ENGLISH SUBLANG_ENGLISH_US 6.06 None
RT_STRING 0x000c0fd4 0x00000038 LANG_ENGLISH SUBLANG_ENGLISH_US 5.65 None
RT_STRING 0x000c100c 0x00000086 LANG_ENGLISH SUBLANG_ENGLISH_US 6.65 None
RT_STRING 0x000c1094 0x00000078 LANG_ENGLISH SUBLANG_ENGLISH_US 6.58 None
RT_STRING 0x000c110c 0x000000d8 LANG_ENGLISH SUBLANG_ENGLISH_US 6.94 None
RT_STRING 0x000c11e4 0x00000112 LANG_ENGLISH SUBLANG_ENGLISH_US 7.24 None
RT_STRING 0x000c12f8 0x00000072 LANG_ENGLISH SUBLANG_ENGLISH_US 6.46 None
RT_STRING 0x000c136c 0x0000002e LANG_ENGLISH SUBLANG_ENGLISH_US 5.44 None
RT_ACCELERATOR 0x000c139c 0x00000048 LANG_HEBREW SUBLANG_DEFAULT 6.06 None
RT_GROUP_CURSOR 0x000c13e4 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 4.22 None
RT_GROUP_ICON 0x000c6f9c 0x00000022 LANG_HEBREW SUBLANG_DEFAULT 2.31 None
RT_GROUP_ICON 0x000c6fc4 0x00000014 LANG_HEBREW SUBLANG_DEFAULT 1.92 None
RT_GROUP_ICON 0x000c6fdc 0x00000014 LANG_HEBREW SUBLANG_DEFAULT 2.02 None
RT_VERSION 0x000c6ff4 0x000002f8 LANG_HEBREW SUBLANG_DEFAULT 3.34 None
RT_MANIFEST 0x000c72f0 0x0000016a LANG_ENGLISH SUBLANG_ENGLISH_US 5.07 None

Imports

Name Address
LoadLibraryA 0x4c7510
GetProcAddress 0x4c7514
VirtualProtect 0x4c7518
VirtualAlloc 0x4c751c
VirtualFree 0x4c7520
ExitProcess 0x4c7524
Name Address
Name Address
FindTextW 0x4c7534
Name Address
SetBkMode 0x4c753c
Name Address
exit 0x4c7544
Name Address
ShellExecuteW 0x4c754c
Name Address
GetDC 0x4c7554
Name Address
VerQueryValueW 0x4c755c

Usage

Processing ( 35.22 seconds )

  • 30.936 ProcessMemory
  • 2.474 CAPE
  • 1.801 BehaviorAnalysis
  • 0.008 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.06 seconds )

  • 0.008 ransomware_files
  • 0.007 antiav_detectreg
  • 0.006 ransomware_extensions
  • 0.005 antianalysis_detectfile
  • 0.003 antiav_detectfile
  • 0.003 infostealer_ftp
  • 0.003 territorial_disputes_sigs
  • 0.003 ursnif_behavior
  • 0.002 antianalysis_detectreg
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.001 bot_drive
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 qulab_files
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior
  • 0.001 lokibot_mutexes

Reporting ( 1.18 seconds )

  • 1.086 CAPASummary
  • 0.095 JsonDump

Signatures

Queries the keyboard layout
A file with an unusual extension was attempted to be loaded as a DLL.
Possible date expiration check, exits too soon after checking local time
process: BluetoothLogView.exe, PID 6928
The binary contains an unknown PE section name indicative of packing
unknown section: {'name': 'UPX0', 'raw_address': '0x00000400', 'virtual_address': '0x00001000', 'virtual_size': '0x00088000', 'size_of_data': '0x00000000', 'characteristics': 'IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xe0000080', 'entropy': '0.00'}
unknown section: {'name': 'UPX1', 'raw_address': '0x00000400', 'virtual_address': '0x00089000', 'virtual_size': '0x0003c000', 'size_of_data': '0x0003b600', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xe0000040', 'entropy': '8.00'}
The binary likely contains encrypted or compressed data
section: {'name': 'UPX1', 'raw_address': '0x00000400', 'virtual_address': '0x00089000', 'virtual_size': '0x0003c000', 'size_of_data': '0x0003b600', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xe0000040', 'entropy': '8.00'}
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 6928 triggered the Yara rule 'vmdetect' with data '['VMware', '00-05-69', '00-50-56', '00-0C-29', '00-1C-14', '08-00-27']'
Hit: PID 6928 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Hit: PID 6928 triggered the Yara rule 'vmdetect' with data '['VMware', '00-05-69', '00-50-56', '00-0C-29', '00-1C-14', '08-00-27']'

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Users\Packager\AppData\Local\Temp\oui.txt
C:\Users\Packager\AppData\Local\SystemResources\BluetoothLogView.exe.mun
C:\Users\Packager\AppData\Local\Temp\BluetoothLogView_lng.ini
C:\Windows\System32\oleaut32.dll
C:\Windows\System32\msctf.dll
C:\Windows\Fonts\staticcache.dat
C:\Users\Packager\AppData\Local\Temp\TextShaping.dll
C:\Windows\System32\TextShaping.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\System32\uxtheme.dll.Config
C:\Windows\System32\uxtheme.dll
C:\Users\Packager\AppData\Local\Temp\BluetoothLogView.exe.Local\
C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984
C:\Users\Packager\AppData\Local\Temp\BluetoothLogView.cfg
C:\Windows\System32\kernel.appcore.dll
C:\Windows\System32\bcryptPrimitives.dll
\Device\CNG
C:\Windows\System32\textinputframework.dll
C:\Windows\System32\CoreUIComponents.dll
C:\Windows\System32\CoreMessaging.dll
C:\Windows\System32\ntmarta.dll
C:\Windows\System32\WinTypes.dll
C:\Windows\SystemResources\USER32.dll.mun
C:\Users\Packager\AppData\Local\Temp
C:\Users\Packager\AppData\Local\Temp\report.html
C:\Users\Packager\AppData\Local\Temp\BluetoothLogView.cfg
C:\Users\Packager\AppData\Local\Temp\report.html
HKEY_CURRENT_USER
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\000603xx
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Sorting\Ids
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids\en
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\BluetoothLogView.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Arial
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\AppCompatClassName
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\IsVailContainer
HKEY_LOCAL_MACHINE\Software\Microsoft\Input
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\ResyncResetTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\MaxResyncAttempts
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\000603xx
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids\en
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\IsVailContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\ResyncResetTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\MaxResyncAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
Local\SM0:6928:168:WilStaging_02
Local\SM0:6928:64:WilError_03
Local\MSCTF.Asm.MutexDefault3
CicLoadWinStaWinSta0
Local\MSCTF.CtfMonitorInstMutexDefault3
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.