Analysis

Category Package Started Completed Duration
FILE exe 2025-06-13 12:21:45 2025-06-13 12:52:33 1848 seconds

Options:
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1
2024-11-25 13:37:15,256 [root] INFO: Date set to: 20250613T09:54:26, timeout set to: 1800
2025-06-13 10:54:26,198 [root] DEBUG: Starting analyzer from: C:\tmpjeo7jmad
2025-06-13 10:54:26,198 [root] DEBUG: Storing results at: C:\uyHCokWh
2025-06-13 10:54:26,198 [root] DEBUG: Pipe server name: \\.\PIPE\IpEgLKC
2025-06-13 10:54:26,198 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-13 10:54:26,198 [root] INFO: analysis running as an admin
2025-06-13 10:54:26,198 [root] INFO: analysis package specified: "exe"
2025-06-13 10:54:26,198 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-13 10:54:27,104 [root] DEBUG: imported analysis package "exe"
2025-06-13 10:54:27,104 [root] DEBUG: initializing analysis package "exe"...
2025-06-13 10:54:27,104 [lib.common.common] INFO: wrapping
2025-06-13 10:54:27,104 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-13 10:54:27,104 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\ExtPassword.exe
2025-06-13 10:54:27,104 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-13 10:54:27,104 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-13 10:54:27,104 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-13 10:54:27,104 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-13 10:54:27,292 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-13 10:54:27,308 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-13 10:54:27,339 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-13 10:54:27,417 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-13 10:54:27,417 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-13 10:54:27,417 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-13 10:54:27,417 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-13 10:54:27,432 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-13 10:54:27,432 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-13 10:54:27,432 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-13 10:54:27,432 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-13 10:54:27,432 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-13 10:54:27,432 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-13 10:54:27,432 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-13 10:54:27,432 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-13 10:54:27,432 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-13 10:54:27,432 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-13 10:54:27,432 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-13 10:54:27,620 [modules.auxiliary.digisig] DEBUG: File is not signed
2025-06-13 10:54:27,620 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-13 10:54:27,620 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-13 10:54:27,620 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-13 10:54:27,620 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-13 10:54:27,620 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-13 10:54:27,620 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-13 10:54:27,620 [modules.auxiliary.disguise] INFO: Disguising GUID to 88063f41-cb09-49fe-8433-82e8a31757b9
2025-06-13 10:54:27,620 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-13 10:54:27,620 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-13 10:54:27,620 [root] DEBUG: attempting to configure 'Human' from data
2025-06-13 10:54:27,620 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-13 10:54:27,620 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-13 10:54:27,620 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-13 10:54:27,620 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-13 10:54:27,620 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-13 10:54:27,620 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-13 10:54:27,620 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-13 10:54:27,636 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-13 10:54:27,636 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-13 10:54:27,636 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-13 10:54:27,636 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-13 10:54:27,636 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-13 10:54:27,636 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-13 10:54:27,636 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-13 10:54:27,667 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmpjeo7jmad\dll\696.ini
2025-06-13 10:54:27,667 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-13 10:54:27,667 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-13 10:54:27,667 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-13 10:54:27,667 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-13 10:54:27,667 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-13 10:54:27,667 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-13 10:54:27,667 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpjeo7jmad\dll\pQxbIz.dll, loader C:\tmpjeo7jmad\bin\EPCPTrhb.exe
2025-06-13 10:54:27,761 [root] DEBUG: Loader: IAT patching disabled.
2025-06-13 10:54:27,761 [root] DEBUG: Loader: Injecting process 696 with C:\tmpjeo7jmad\dll\pQxbIz.dll.
2025-06-13 10:54:27,808 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-13 10:54:27,823 [root] INFO: Disabling sleep skipping.
2025-06-13 10:54:27,823 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-13 10:54:27,823 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-13 10:54:27,823 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-13 10:54:27,823 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-13 10:54:27,823 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-13 10:54:27,823 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-13 10:54:27,839 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-13 10:54:27,839 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-13 10:54:27,839 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 6136, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000
2025-06-13 10:54:27,839 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-13 10:54:27,854 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-13 10:54:27,854 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-13 10:54:27,854 [root] DEBUG: Successfully injected DLL C:\tmpjeo7jmad\dll\pQxbIz.dll.
2025-06-13 10:54:27,870 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-13 10:54:27,870 [root]  <truncated>

Machine

Name Label Manager Started On Shutdown On Route
win10-2 win10-2 KVM 2025-06-13 12:21:45 2025-06-13 12:52:13 none

File Details

File Name
ExtPassword.exe
File Type PE32 executable (GUI) Intel 80386, for MS Windows
File Size 287232 bytes
MD5 105b0f5799d0b0675cd52a967b2418e1
SHA1 34f1ce12a91648e0acfe725a5459a53df571bd7e
SHA256 ae679fcf67055042c852bee4695b480549a1e15f24e5fb98e82d02ad8093faae
SHA3-384 68e95ed11fd9922f984d36fe51b0eaf5cce0937cc1cf8d4c30d703ba48aacd0b5968684e1349cb70cf2b4c6bfb13b148
CRC32 716CCB0A
TLSH T13654230A6B6903B4CAE75B7E8173577907168F46A171001BCCC2D26EF6E56C82E3E53D
Ssdeep 6144:+EVvaObm0dGsL50fml5JFpxlnIG1KrPDQymvxQPpj18VjjOmNOrj:/3bm0csLhFNUrrQDvsIPNO3

Full Results

Engine Result
Skyhigh BehavesLike.Win32.Generic.dc
McAfee HTool-PassView
CrowdStrike win/grayware_confidence_60% (W)
APEX Malicious
McAfeeD ti!AE679FCF6705
Trapmine malicious.moderate.ml.score
Sophos NirPassView (PUA)
Webroot W32.Adware.Gen
Antiy-AVL GrayWare/Win32.Wacapew
Kingsoft malware.kb.b.793
Gridinsoft Trojan.Win32.Gen.cl
Cylance Unsafe
MaxSecure Trojan.Malware.219731199.susgen
DeepInstinct MALICIOUS

Strings

Readable strings recovered from the strings dump, in order of appearance (the remainder of the dump is UPX-compressed data with no printable content; truncated entries are marked as fragments):
comdlg32.dll
040904b0
KERNEL32.DLL
LoadLibraryA
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
ExtPassword!
FileDescription
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3"><dependency><dependentAssembly><assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><asmv3:application>
2019 - 2022 Nir Sofer
.rsrc
OriginalFilename
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS>
VirtualProtect
</application>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
VERSION.dll
COMCTL32.dll
NirSoft
ExtPassword.exe
</asmv3:application><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
LegalCopyright
formSubmit
SHELL32.dll
ShellExecuteW
ADVAPI32.dll
Copyright
lhelp32Snapsho (fragment)
FindTextW
<application>
CompanyName
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS>
AES-256
CryptAcqui (fragment)
<dpiAware>true</dpiAware>
VarFileInfo
SELECT origin_ (fragment)
msvcrt.dll
StringFileInfo
</asmv3:windowsSettings>
FROM moz_ (fragment)
VS_VERSION_INFO
GetPixel
GetProcAddress
ProductName
ExitProcess
FileVersion
<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS>
VerQueryValueW
GDI32.dll
InternalName
GetDC
!This program cannot be run in DOS mode.
USER32.dll
External Drive Password Recovery
Translation
</compatibility></assembly>
ProductVersion
DPAPI (fragment)
password (fragment)
RegCloseKey

PE Information

Image Base Entry Point Reported Checksum Actual Checksum Minimum OS Version Compile Time Import Hash Icon Icon Exact Hash Icon Similarity Hash Icon DHash
0x00400000 0x00097280 0x00000000 0x0005370f 4.0 2022-03-30 11:08:51 054ed5669824fa18897ef0884269086d e6997c1696c31f6fcfc1cbf05163a928 cdf1421c5d57caafaaa5bcaba76ebab1 804c42dcf088e870

Version Infos

CompanyName NirSoft
FileDescription External Drive Password Recovery
FileVersion 1.00
InternalName ExtPassword!
LegalCopyright Copyright © 2019 - 2022 Nir Sofer
OriginalFilename ExtPassword.exe
ProductName ExtPassword!
ProductVersion 1.00
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
UPX0 0x00000400 0x00001000 0x00053000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
UPX1 0x00000400 0x00054000 0x00044000 0x00043600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.91
.rsrc 0x00043a00 0x00098000 0x00003000 0x00002800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.33

Name Offset Size Language Sub-language Entropy File type
RT_CURSOR 0x0008f808 0x00000134 LANG_ENGLISH SUBLANG_ENGLISH_US 7.11 None
RT_BITMAP 0x0008f93c 0x00001528 LANG_HEBREW SUBLANG_DEFAULT 7.88 None
RT_BITMAP 0x00090e64 0x000000d8 LANG_ENGLISH SUBLANG_ENGLISH_US 6.16 None
RT_BITMAP 0x00090f3c 0x000000d8 LANG_ENGLISH SUBLANG_ENGLISH_US 6.70 None
RT_ICON 0x0009880c 0x000010a8 LANG_HEBREW SUBLANG_DEFAULT 5.48 None
RT_ICON 0x000998b8 0x00000468 LANG_HEBREW SUBLANG_DEFAULT 6.08 None
RT_ICON 0x00099d24 0x00000128 LANG_HEBREW SUBLANG_DEFAULT 2.30 None
RT_MENU 0x0009264c 0x00000466 LANG_ENGLISH SUBLANG_ENGLISH_US 7.72 None
RT_MENU 0x00092ab4 0x000001c4 LANG_ENGLISH SUBLANG_ENGLISH_US 7.29 None
RT_MENU 0x00092c78 0x00000012 LANG_HEBREW SUBLANG_DEFAULT 3.79 None
RT_DIALOG 0x00092c8c 0x000000a2 LANG_HEBREW SUBLANG_DEFAULT 6.15 None
RT_DIALOG 0x00092d30 0x00000296 LANG_HEBREW SUBLANG_DEFAULT 6.98 None
RT_DIALOG 0x00092fc8 0x000002ec LANG_HEBREW SUBLANG_DEFAULT 7.03 None
RT_DIALOG 0x000932b4 0x000000fa LANG_HEBREW SUBLANG_DEFAULT 6.53 None
RT_DIALOG 0x000933b0 0x000000f8 LANG_HEBREW SUBLANG_DEFAULT 6.68 None
RT_DIALOG 0x000934a8 0x00000336 LANG_ENGLISH SUBLANG_ENGLISH_US 7.40 None
RT_STRING 0x000937e0 0x000000d6 LANG_ENGLISH SUBLANG_ENGLISH_US 6.48 None
RT_STRING 0x000938b8 0x00000108 LANG_ENGLISH SUBLANG_ENGLISH_US 5.99 None
RT_STRING 0x000939c0 0x00000044 LANG_ENGLISH SUBLANG_ENGLISH_US 4.99 None
RT_STRING 0x00093a04 0x000001ec LANG_ENGLISH SUBLANG_ENGLISH_US 6.34 None
RT_STRING 0x00093bf0 0x000000a0 LANG_ENGLISH SUBLANG_ENGLISH_US 5.95 None
RT_STRING 0x00093c90 0x000000a6 LANG_ENGLISH SUBLANG_ENGLISH_US 6.28 None
RT_STRING 0x00093d38 0x000000a4 LANG_ENGLISH SUBLANG_ENGLISH_US 5.70 None
RT_STRING 0x00093ddc 0x00000124 LANG_ENGLISH SUBLANG_ENGLISH_US 6.44 None
RT_STRING 0x00093f00 0x0000003a LANG_ENGLISH SUBLANG_ENGLISH_US 5.02 None
RT_STRING 0x00093f3c 0x00000038 LANG_ENGLISH SUBLANG_ENGLISH_US 5.20 None
RT_STRING 0x00093f74 0x00000042 LANG_ENGLISH SUBLANG_ENGLISH_US 5.14 None
RT_STRING 0x00093fb8 0x000000e4 LANG_ENGLISH SUBLANG_ENGLISH_US 6.22 None
RT_STRING 0x0009409c 0x00000062 LANG_ENGLISH SUBLANG_ENGLISH_US 5.84 None
RT_STRING 0x00094100 0x00000066 LANG_ENGLISH SUBLANG_ENGLISH_US 5.82 None
RT_STRING 0x00094168 0x00000036 LANG_ENGLISH SUBLANG_ENGLISH_US 5.37 None
RT_ACCELERATOR 0x000941a0 0x00000070 LANG_HEBREW SUBLANG_DEFAULT 6.17 None
RT_GROUP_CURSOR 0x00094210 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 4.12 None
RT_GROUP_ICON 0x00099e50 0x00000022 LANG_HEBREW SUBLANG_DEFAULT 2.31 None
RT_GROUP_ICON 0x00099e78 0x00000014 LANG_HEBREW SUBLANG_DEFAULT 1.92 None
RT_VERSION 0x00099e90 0x000002fc LANG_HEBREW SUBLANG_DEFAULT 3.37 None
RT_MANIFEST 0x0009a190 0x00000445 LANG_ENGLISH SUBLANG_ENGLISH_US 5.40 None

Imports

Name Address
RegCloseKey 0x49a6a0
Name Address
Name Address
FindTextW 0x49a6b0
Name Address
GetPixel 0x49a6b8
Name Address
LoadLibraryA 0x49a6c0
ExitProcess 0x49a6c4
GetProcAddress 0x49a6c8
VirtualProtect 0x49a6cc
Name Address
free 0x49a6d4
Name Address
ShellExecuteW 0x49a6dc
Name Address
GetDC 0x49a6e4
Name Address
VerQueryValueW 0x49a6ec

Usage

Processing ( 33.58 seconds )

  • 31.184 ProcessMemory
  • 2.315 CAPE
  • 0.074 BehaviorAnalysis
  • 0.004 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.07 seconds )

  • 0.008 antiav_detectreg
  • 0.008 ransomware_files
  • 0.006 antianalysis_detectfile
  • 0.005 ransomware_extensions
  • 0.003 antiav_detectfile
  • 0.003 infostealer_ftp
  • 0.003 territorial_disputes_sigs
  • 0.003 ursnif_behavior
  • 0.002 antianalysis_detectreg
  • 0.002 antivm_vbox_files
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 infostealer_mail
  • 0.002 poullight_files
  • 0.002 masquerade_process_name
  • 0.001 bot_drive
  • 0.001 antidebug_devices
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 qulab_files
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior
  • 0.001 lokibot_mutexes

Reporting ( 0.03 seconds )

  • 0.022 CAPASummary
  • 0.005 JsonDump

Signatures

Queries the keyboard layout
The binary contains an unknown PE section name indicative of packing
unknown section: {'name': 'UPX0', 'raw_address': '0x00000400', 'virtual_address': '0x00001000', 'virtual_size': '0x00053000', 'size_of_data': '0x00000000', 'characteristics': 'IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xe0000080', 'entropy': '0.00'}
unknown section: {'name': 'UPX1', 'raw_address': '0x00000400', 'virtual_address': '0x00054000', 'virtual_size': '0x00044000', 'size_of_data': '0x00043600', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xe0000040', 'entropy': '7.91'}
The binary likely contains encrypted or compressed data
section: {'name': 'UPX1', 'raw_address': '0x00000400', 'virtual_address': '0x00054000', 'virtual_size': '0x00044000', 'size_of_data': '0x00043600', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xe0000040', 'entropy': '7.91'}
Binary file triggered YARA rule
Binary triggered YARA rule: INDICATOR_TOOL_ExtPassword
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 188 triggered the Yara rule 'INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore' with data '['SELECT ', 'S\x00e\x00l\x00e\x00c\x00t\x00 \x00', 's\x00e\x00l\x00e\x00c\x00t\x00 \x00', ' from logins', ' FROM moz_logins', 'name', 'N\x00a\x00m\x00e\x00', 'n\x00a\x00m\x00e\x00', 'Name', 'NAME', 'password_value']'
Hit: PID 188 triggered the Yara rule 'INDICATOR_TOOL_ExtPassword' with data '['E\x00x\x00t\x00P\x00a\x00s\x00s\x00w\x00o\x00r\x00d\x00!\x00', 'G\x00R\x00e\x00a\x00d\x00i\x00n\x00g\x00 \x00C\x00h\x00r\x00o\x00m\x00e\x00 \x00p\x00a\x00s\x00s\x00w\x00o\x00r\x00d\x00 \x00f\x00i\x00l\x00e\x00:\x00 \x00%\x00s\x00', '\\\x00\\\x00?\x00\\\x00G\x00L\x00O\x00B\x00A\x00L\x00R\x00O\x00O\x00T\x00\\\x00D\x00e\x00v\x00i\x00c\x00e\x00\\\x00H\x00a\x00r\x00d\x00d\x00i\x00s\x00k\x00V\x00o\x00l\x00u\x00m\x00e\x00S\x00h\x00a\x00d\x00o\x00w\x00C\x00o\x00p\x00y\x00%\x00d\x00', '2015-07-27 13:49:41 b8e92227a469de677a66da62e4361f099c0b79d0', "metadata WHERE id = 'password'", 'S\x00c\x00a\x00n\x00n\x00i\x00n\x00g\x00 \x00C\x00r\x00e\x00d\x00e\x00n\x00t\x00i\x00a\x00l\x00s\x00 \x00f\x00o\x00l\x00d\x00e\x00r\x00', 'S\x00c\x00a\x00n\x00n\x00i\x00n\x00g\x00 \x00F\x00i\x00r\x00e\x00f\x00o\x00x\x00 \x00a\x00n\x00d\x00 \x00o\x00t\x00h\x00e\x00r\x00 \x00M\x00o\x00z\x00i\x00l\x00l\x00a\x00 \x00W\x00e\x00b\x00 \x00b\x00r\x00o\x00w\x00s\x00e\x00r\x00s\x00', 'S\x00c\x00a\x00n\x00n\x00i\x00n\x00g\x00 \x00O\x00u\x00t\x00l\x00o\x00o\x00k\x00 \x00a\x00c\x00c\x00o\x00u\x00n\x00t\x00s\x00', 'S\x00c\x00a\x00n\x00n\x00i\x00n\x00g\x00 \x00W\x00i\x00n\x00d\x00o\x00w\x00s\x00 \x00V\x00a\x00u\x00l\x00t\x00', 'S\x00c\x00a\x00n\x00n\x00i\x00n\x00g\x00 \x00d\x00i\x00a\x00l\x00u\x00p\x00/\x00V\x00P\x00N\x00 \x00i\x00t\x00e\x00m\x00s\x00', 'S\x00c\x00a\x00n\x00n\x00i\x00n\x00g\x00 \x00w\x00i\x00r\x00e\x00l\x00e\x00s\x00s\x00 \x00k\x00e\x00y\x00s\x00', 'S\x00c\x00a\x00n\x00n\x00i\x00n\x00g\x00 \x00W\x00i\x00n\x00d\x00o\x00w\x00s\x00 \x00s\x00e\x00c\x00u\x00r\x00i\x00t\x00y\x00 \x00q\x00u\x00e\x00s\x00t\x00i\x00o\x00n\x00s\x00', 'S\x00c\x00a\x00n\x00n\x00i\x00n\x00g\x00 \x00v\x00a\x00u\x00l\x00t\x00 \x00p\x00a\x00s\x00s\x00w\x00o\x00r\x00d\x00s\x00']'
Hit: PID 188 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 59 }', '{ E8 00 00 00 00 58 }']' (E8 00000000 is a `call` to the next instruction, followed by `pop ecx` / `pop eax`: the classic position-independent GetPC idiom. The same byte sequence is also emitted by ordinary compilers and packers, so on its own this is a weak indicator and should be read together with the tool-specific rule above.)
Accessed credential storage files
file: C:\Users\Packager\AppData\Local\Temp\Windows\System32\Config\SAM
Note the path: the SAM hive is opened under the sample's own directory (C:\Users\Packager\AppData\Local\Temp), not under C:\Windows. ExtPassword! is built to recover passwords from an external or offline Windows installation, and the Summary file list below shows the same Windows\, ProgramData\ and Documents And Settings\ tree rooted in that Temp directory, together with a probe of \Device\HarddiskVolumeShadowCopy0 through 31. No access to the live C:\Windows\System32\Config hives appears in the list.
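The two INDICATOR rules above list most strings twice because the tool stores them as UTF-16LE, which is why the raw report shows them with interleaved NUL bytes. The following Python is an added example, not code from CAPE, from the Yara rules or from the ExtPassword tool: it searches a buffer for the same indicator strings in both encodings (the effect of Yara's `ascii wide nocase` modifiers) and includes a helper that turns the report's NUL-interleaved match bytes back into readable text. The indicator list is copied from the match data above; the sample buffer is constructed here and is not the analysed binary.

```python
"""Search a byte buffer for credential-store indicator strings in both ASCII
and UTF-16LE ("wide") form.  Added example for this report; not CAPE's, the
Yara rules' or ExtPassword's own code.  INDICATORS is copied from the Yara
match data in the report; SAMPLE is a constructed buffer, not the sample."""
from typing import Dict, List, Tuple

INDICATORS: List[str] = [
    "SELECT ",
    " from logins",
    " FROM moz_logins",
    "password_value",
    "metadata WHERE id = 'password'",
    r"\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%d",
    "Scanning Windows Vault",
    "Scanning wireless keys",
]


def encodings(s: str) -> Dict[str, bytes]:
    """The two byte forms a Yara 'ascii wide' string modifier would match."""
    return {"ascii": s.encode("ascii"), "wide": s.encode("utf-16-le")}


def find_indicators(blob: bytes, indicators: List[str] = INDICATORS,
                    case_insensitive: bool = True) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, indicator) for every occurrence, sorted by offset.

    bytes.lower() only folds ASCII letters, so it is safe on UTF-16LE too (the
    NUL high bytes are untouched); this gives the effect of Yara's 'nocase'."""
    hay = blob.lower() if case_insensitive else blob
    hits: List[Tuple[int, str, str]] = []
    for ind in indicators:
        for enc, needle in encodings(ind).items():
            if case_insensitive:
                needle = needle.lower()
            start = 0
            while (pos := hay.find(needle, start)) != -1:
                hits.append((pos, enc, ind))
                start = pos + 1
    return sorted(hits)


def classify_match(raw: bytes) -> Tuple[str, str]:
    """Turn raw matched bytes into ("wide" | "ascii", readable text).

    A wide match is an even-length buffer whose odd bytes are all NUL and whose
    even bytes are printable ASCII, exactly the NUL-interleaved shape the
    report prints for UTF-16LE matches."""
    if (len(raw) >= 2 and len(raw) % 2 == 0
            and all(b == 0 for b in raw[1::2])
            and all(0x20 <= b < 0x7F for b in raw[0::2])):
        return "wide", raw.decode("utf-16-le")
    return "ascii", raw.decode("latin-1")


# Constructed test buffer: a wide Firefox query, an ASCII Chromium query,
# a wide status string and the 6-byte GetPC stub flagged by shellcode_get_eip.
SAMPLE: bytes = (
    b"\x00" * 16
    + "Select * FROM moz_logins".encode("utf-16-le")
    + b"\x90" * 8
    + b"SELECT origin_url, username_value, password_value FROM logins"
    + b"\x00" * 4
    + "Scanning Windows Vault".encode("utf-16-le")
    + b"\xe8\x00\x00\x00\x00\x59"  # call $+5 ; pop ecx
)

if __name__ == "__main__":
    for off, enc, ind in find_indicators(SAMPLE):
        print(f"{off:#08x} {enc:5s} {ind!r}")
    print(classify_match(b"S\x00e\x00l\x00e\x00c\x00t\x00 \x00"))
```

Run against a dumped process image (procmemdump=1 was set for this run) rather than the packed file on disk: the rules fired on PID 188's memory, and strings that are visible there may not be visible in the original executable.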

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

Files

C:\Users\Packager\AppData\Local\SystemResources\ExtPassword.exe.mun
C:\Users\Packager\AppData\Local\Temp\ExtPassword_lng.ini
C:\Windows\Fonts\staticcache.dat
C:\Users\Packager\AppData\Local\Temp\TextShaping.dll
C:\Windows\System32\TextShaping.dll
C:\Windows\System32\uxtheme.dll.Config
C:\Windows\System32\uxtheme.dll
C:\Users\Packager\AppData\Local\Temp\ExtPassword.exe.Local\
C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984
C:\Windows\win.ini
C:\Users\Packager\AppData\Local\Temp\ExtPassword.cfg
C:\Windows\System32\kernel.appcore.dll
\Device\CNG
C:\Windows\System32\textinputframework.dll
C:\Windows\System32\CoreUIComponents.dll
C:\Windows\System32\CoreMessaging.dll
C:\Windows\System32\ntmarta.dll
C:\Windows\System32\WinTypes.dll
C:\Windows\SystemResources\USER32.dll.mun
C:\Users\Packager\AppData\Local\Temp
C:\Windows\System32\en-US\USER32.dll.mui
\Device\HarddiskVolumeShadowCopy0\*
\Device\HarddiskVolumeShadowCopy1\*
\Device\HarddiskVolumeShadowCopy2\*
\Device\HarddiskVolumeShadowCopy3\*
\Device\HarddiskVolumeShadowCopy4\*
\Device\HarddiskVolumeShadowCopy5\*
\Device\HarddiskVolumeShadowCopy6\*
\Device\HarddiskVolumeShadowCopy7\*
\Device\HarddiskVolumeShadowCopy8\*
\Device\HarddiskVolumeShadowCopy9\*
\Device\HarddiskVolumeShadowCopy10\*
\Device\HarddiskVolumeShadowCopy11\*
\Device\HarddiskVolumeShadowCopy12\*
\Device\HarddiskVolumeShadowCopy13\*
\Device\HarddiskVolumeShadowCopy14\*
\Device\HarddiskVolumeShadowCopy15\*
\Device\HarddiskVolumeShadowCopy16\*
\Device\HarddiskVolumeShadowCopy17\*
\Device\HarddiskVolumeShadowCopy18\*
\Device\HarddiskVolumeShadowCopy19\*
\Device\HarddiskVolumeShadowCopy20\*
\Device\HarddiskVolumeShadowCopy21\*
\Device\HarddiskVolumeShadowCopy22\*
\Device\HarddiskVolumeShadowCopy23\*
\Device\HarddiskVolumeShadowCopy24\*
\Device\HarddiskVolumeShadowCopy25\*
\Device\HarddiskVolumeShadowCopy26\*
\Device\HarddiskVolumeShadowCopy27\*
\Device\HarddiskVolumeShadowCopy28\*
\Device\HarddiskVolumeShadowCopy29\*
\Device\HarddiskVolumeShadowCopy30\*
\Device\HarddiskVolumeShadowCopy31\*
C:\Windows\System32\shell32.dll
C:\Users\Packager\AppData\Local\Temp\Users
C:\Users\Packager\AppData\Local\Temp\Documents And Settings\*
C:\Users\Packager\AppData\Local\Temp\Windows\System32\Config\*
C:\Windows\System32\en-US\KERNELBASE.dll.mui
C:\Windows\sysnative\en-US\KERNELBASE.dll.mui
C:\Users\Packager\AppData\Local\Temp\Windows\System32\Config\system
C:\Users\Packager\AppData\Local\Temp\Windows\System32\Config\systemprofile\AppData\Local\Microsoft\Windows\CloudAPCache\MicrosoftAccount\*
C:\Users\Packager\AppData\Local\Temp\Windows\System32\Config\systemprofile\AppData\Local\Microsoft\Credentials
C:\Users\Packager\AppData\Local\Temp\Documents And Settings\*.pbk
C:\Users\Packager\AppData\Local\Temp\Documents And Settings\AppData\Roaming\Microsoft\Network\Connections\Pbk
C:\Users\Packager\AppData\Local\Temp\Documents And Settings\Application Data\Microsoft\Network\Connections\Pbk
C:\Users\Packager\AppData\Local\Temp\Documents And Settings\*.*
C:\Users\Packager\AppData\Local\Temp\Windows\System32\ras\rasphone.pbk
C:\Users\Packager\AppData\Local\Temp\ProgramData\Microsoft\Wlansvc\Profiles\*.*
C:\Users\Packager\AppData\Local\Temp\Windows\System32\Config\SAM
C:\Users\Packager\AppData\Local\Temp\ProgramData\Microsoft\Vault
C:\Users\Packager\AppData\Local\Temp\Windows\System32\Config\systemprofile\AppData\Local\Microsoft\Vault
C:\Users\Packager\AppData\Local\Temp\Windows\System32\Config\Software
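The file list above is the most useful part of this report for triage: it shows which credential stores the sample reached for (offline registry hives, DPAPI Credentials, the Vault, WLAN profiles, RAS phonebooks, the cloud account cache, and every shadow-copy device from 0 to 31) and whether it read them from the live system or from a tree under its own directory. The following Python is an added example, not CAPE's summary or signature logic: it groups paths by credential-store type, records the shadow-copy indices probed, and classifies each hit as under the sample's directory, a shadow-copy device, or the live file system. The category patterns are my own choice, and the sample path list is a constructed subset of the Summary above.

```python
"""Triage a sandbox file-access summary for credential-store access.
Added example for this report; not CAPE's summary or signature logic.
SAMPLE_PATHS is a constructed subset of the Summary list in the report,
and the category regexes are my own choice."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# (category, regex over the full path).  A path may land in several categories.
CATEGORIES: List[Tuple[str, re.Pattern]] = [
    ("registry hives", re.compile(r"\\Windows\\System32\\Config\\(SAM|SYSTEM|SOFTWARE|SECURITY)$", re.I)),
    ("DPAPI credentials", re.compile(r"\\Microsoft\\Credentials$", re.I)),
    ("Windows Vault", re.compile(r"\\Microsoft\\Vault$", re.I)),
    ("WLAN profiles", re.compile(r"\\Microsoft\\Wlansvc\\Profiles\\", re.I)),
    ("RAS phonebooks", re.compile(r"\.pbk$|\\Connections\\Pbk$", re.I)),
    ("cloud account cache", re.compile(r"\\CloudAPCache\\", re.I)),
    ("shadow copies", re.compile(r"^\\Device\\HarddiskVolumeShadowCopy(\d+)\\", re.I)),
]


@dataclass
class Triage:
    by_category: Dict[str, List[str]] = field(default_factory=lambda: defaultdict(list))
    scope_counts: Counter = field(default_factory=Counter)  # live / sample_dir / shadow_copy
    shadow_copy_indices: List[int] = field(default_factory=list)
    other: List[str] = field(default_factory=list)


def scope_of(path: str, sample_dir: Optional[str]) -> str:
    """Where a path points: the sample's own directory (an offline copy scanned
    as an external drive), a shadow-copy device, or the live file system."""
    p = path.lower()
    if sample_dir and p.startswith(sample_dir.lower().rstrip("\\") + "\\"):
        return "sample_dir"
    if p.startswith(r"\device\harddiskvolumeshadowcopy"):
        return "shadow_copy"
    return "live"


def triage(paths: List[str], sample_dir: Optional[str] = None) -> Triage:
    """Group credential-store paths by category and count where they point."""
    t = Triage()
    for path in paths:
        matched = [(name, m) for name, rx in CATEGORIES if (m := rx.search(path))]
        if not matched:
            t.other.append(path)
            continue
        t.scope_counts[scope_of(path, sample_dir)] += 1  # once per path
        for name, m in matched:
            t.by_category[name].append(path)
            if name == "shadow copies":
                t.shadow_copy_indices.append(int(m.group(1)))
    t.shadow_copy_indices.sort()
    return t


def report(t: Triage) -> List[str]:
    """Human-readable lines; the live/sample_dir split is the key triage fact."""
    lines = [f"{name}: {len(paths)} path(s)" for name, paths in t.by_category.items()]
    if t.shadow_copy_indices:
        lines.append(f"shadow copies probed: {t.shadow_copy_indices[0]}..{t.shadow_copy_indices[-1]} "
                     f"({len(t.shadow_copy_indices)} devices)")
    lines.append("scope of credential-store hits: "
                 + ", ".join(f"{k}={v}" for k, v in sorted(t.scope_counts.items())))
    return lines


# Constructed subset of the report's Summary file list.
SAMPLE_DIR = r"C:\Users\Packager\AppData\Local\Temp"
SAMPLE_PATHS = [
    r"C:\Windows\System32\uxtheme.dll",
    r"\Device\HarddiskVolumeShadowCopy0\*",
    r"\Device\HarddiskVolumeShadowCopy1\*",
    r"\Device\HarddiskVolumeShadowCopy31\*",
    SAMPLE_DIR + r"\Windows\System32\Config\system",
    SAMPLE_DIR + r"\Windows\System32\Config\systemprofile\AppData\Local\Microsoft\Windows\CloudAPCache\MicrosoftAccount\*",
    SAMPLE_DIR + r"\Windows\System32\Config\systemprofile\AppData\Local\Microsoft\Credentials",
    SAMPLE_DIR + r"\Documents And Settings\*.pbk",
    SAMPLE_DIR + r"\Documents And Settings\AppData\Roaming\Microsoft\Network\Connections\Pbk",
    SAMPLE_DIR + r"\Windows\System32\ras\rasphone.pbk",
    SAMPLE_DIR + r"\ProgramData\Microsoft\Wlansvc\Profiles\*.*",
    SAMPLE_DIR + r"\Windows\System32\Config\SAM",
    SAMPLE_DIR + r"\ProgramData\Microsoft\Vault",
    SAMPLE_DIR + r"\Windows\System32\Config\systemprofile\AppData\Local\Microsoft\Vault",
    SAMPLE_DIR + r"\Windows\System32\Config\Software",
]

if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_PATHS, SAMPLE_DIR))))
```

On this report every credential-store hit is either a shadow-copy device or rooted in the sample's Temp directory, which is the distinction the "Accessed credential storage files" signature does not make on its own; the same code run against a summary where the hits fall under C:\Windows or C:\ProgramData would report them as `live`.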

Registry keys

HKEY_CURRENT_USER
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\ExtPassword.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Arial
HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\OverlayPackages\en-US
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software
HKEY_LOCAL_MACHINE\Software
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\AutoSuggest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Always Use Tab
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Client\
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Client\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Shell Dlg 2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03b5835f-f03c-411b-9ce2-aa23e1171e36}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531fdebf-9b4c-4a43-a2aa-960e8fcdc732}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{6a498709-e00b-4c45-a018-8f9e4081ae40}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{7C472071-36A7-4709-88CC-859513E583A9}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81d4e9c9-1d3b-41bc-9e6c-4b40bf79e35e}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81EA0A17-AA39-455B-BA20-EA79A8F98966}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{a028ae76-01b1-46c2-99c4-acd9858ae02f}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{a1e2b86b-924a-4d43-80f6-8a820df7190f}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{B115690A-EA02-48D5-A231-E3578D2FDF80}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C2CB2CF0-AF47-413E-9780-8BC3A3C16068}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\AppCompatClassName
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\IsVailContainer
HKEY_LOCAL_MACHINE\Software\Microsoft\Input
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\ResyncResetTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\MaxResyncAttempts

Registry keys read

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\AutoSuggest
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Always Use Tab
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Client\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\IsVailContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\ResyncResetTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\MaxResyncAttempts

Mutexes

Local\SM0:188:168:WilStaging_02
Local\SM0:188:64:WilError_03
Local\MSCTF.Asm.MutexDefault3
CicLoadWinStaWinSta0
Local\MSCTF.CtfMonitorInstMutexDefault3
DefaultTabtip-MainUI
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No TCP connections recorded.

No UDP connections recorded.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.