Analysis

Category FILE
Package exe
Started 2025-06-13 16:30:08
Completed 2025-06-13 17:01:18
Duration 1870 seconds
Options
  procmemdump=1
  import_reconstruction=1
  unpacker=2
  norefer=1
  no-iat=1

Analysis Log
2024-11-25 13:37:15,709 [root] INFO: Date set to: 20250613T10:29:10, timeout set to: 1800
2025-06-13 11:29:10,120 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8
2025-06-13 11:29:10,136 [root] DEBUG: Storing results at: C:\mZmWgxH
2025-06-13 11:29:10,136 [root] DEBUG: Pipe server name: \\.\PIPE\gxpNJC
2025-06-13 11:29:10,136 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-13 11:29:10,136 [root] INFO: analysis running as an admin
2025-06-13 11:29:10,136 [root] INFO: analysis package specified: "exe"
2025-06-13 11:29:10,136 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-13 11:29:11,042 [root] DEBUG: imported analysis package "exe"
2025-06-13 11:29:11,042 [root] DEBUG: initializing analysis package "exe"...
2025-06-13 11:29:11,042 [lib.common.common] INFO: wrapping
2025-06-13 11:29:11,042 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-13 11:29:11,042 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\MZCacheView.exe
2025-06-13 11:29:11,042 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-13 11:29:11,042 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-13 11:29:11,042 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-13 11:29:11,042 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-13 11:29:11,245 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-13 11:29:11,324 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-13 11:29:11,355 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-13 11:29:11,370 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-13 11:29:11,386 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-13 11:29:11,386 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-13 11:29:11,386 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-13 11:29:11,386 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-13 11:29:11,386 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-13 11:29:11,386 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-13 11:29:11,386 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-13 11:29:11,386 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-13 11:29:11,386 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-13 11:29:11,386 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-13 11:29:11,386 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-13 11:29:11,386 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-13 11:29:11,386 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-13 11:29:11,386 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-13 11:29:32,824 [modules.auxiliary.digisig] DEBUG: File has a valid signature
2025-06-13 11:29:32,824 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-13 11:29:32,824 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-13 11:29:32,824 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-13 11:29:32,824 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-13 11:29:32,824 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-13 11:29:32,824 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-13 11:29:32,824 [modules.auxiliary.disguise] INFO: Disguising GUID to cb6d534e-00ef-4727-a10a-526343788069
2025-06-13 11:29:32,824 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-13 11:29:32,824 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-13 11:29:32,824 [root] DEBUG: attempting to configure 'Human' from data
2025-06-13 11:29:32,824 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-13 11:29:32,824 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-13 11:29:32,824 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-13 11:29:32,824 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-13 11:29:32,824 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-13 11:29:32,824 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-13 11:29:32,824 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-13 11:29:32,839 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-13 11:29:32,839 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-13 11:29:32,839 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-13 11:29:32,839 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-13 11:29:32,839 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-13 11:29:32,839 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-13 11:29:32,839 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-13 11:29:32,933 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini
2025-06-13 11:29:32,933 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-13 11:29:32,933 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-13 11:29:32,933 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-13 11:29:32,933 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-13 11:29:32,933 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-13 11:29:32,933 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-13 11:29:32,948 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\yLKHDT.dll, loader C:\tmp_gell1p8\bin\wBsGnKoA.exe
2025-06-13 11:29:33,027 [root] DEBUG: Loader: IAT patching disabled.
2025-06-13 11:29:33,027 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\yLKHDT.dll.
2025-06-13 11:29:33,042 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-13 11:29:33,042 [root] INFO: Disabling sleep skipping.
2025-06-13 11:29:33,042 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-13 11:29:33,042 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-13 11:29:33,042 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-13 11:29:33,042 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-13 11:29:33,042 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-13 11:29:33,058 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-13 11:29:33,074 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-13 11:29:33,074 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-13 11:29:33,074 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF822E30000, thread 1488, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000
2025-06-13 11:29:33,074 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-13 11:29:33,089 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-13 11:29:33,089 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-13 11:29:33,089 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\yLKHDT.dll.
2025-06-13 11:29:33,089 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-13 11:29:33,089 [ <truncated>

    

    

    

Machine

Name win10-2
Label win10-2
Manager KVM
Started On 2025-06-13 16:30:08
Shutdown On 2025-06-13 17:00:57
Route none

File Details

File Name MZCacheView.exe
File Type PE32 executable (GUI) Intel 80386, for MS Windows
File Size 258936 bytes
MD5 7acc0c3098525fb5f3767fbf9b4279cc
SHA1 5dc148160b8818b05e791b1d8d720dbc2188c338
SHA256 8957e20bc03029fa59c648649024e0cba2cf50fb9100213ed3d43cf3633b8a64
SHA3-384 67a0f80b8b8765f6bc42cec425cb85094733019a612011366609a36f3d3dc147bb2e1ebfa1dafc1ae84ad824026f62a2
CRC32 0F112F5B
TLSH T14A4423ABE6D97C83E111553E10CB527A943CFD1036A44A61BFEAB87E30357B43A1760E
Ssdeep 6144:BCkGEVN81kWYJ7X2nkYU5iF8NdvLJWzPwgWxNeDqszTeW6p:Bu+jWY5QkYU5k+vAzM/e9zTeW6p

Strings

$("0@}
d2222
lRVYv
%USERTrust RSA Certification Authority
Fe8rk
3.\Qa
&66:-
A%W%V
xn'9.
55555
[s'Wed
oRS@s
cWw$1~
e\JCD
z|u\n
+.ujF\
'0UA<5X
i,048
>9^lW|
u/J5h
!Y:Tb
9N$=F
Z)~40
n[if\
7hypot
Zxp(e
S|H^X#{
J|mK)
L#~S}
VerQueryValueA
9[he.
csv_~6
0@P`
j/%Tj
&pPK
KWYY3
bC@GA
'.%jO
K!0q/3
<"#ch@O
48Z<v-
comdlg32.dll
l/mV
:EmpiS
-%\}^
(QI26
0#1i!3(
P>1S-
ALPHOK
x0Ysqx
z5Wsw.
040904b0
CdBWp
190909000000Z
t!x<t7+
181102000000Z
|g~}.
E;G+5`5
8RzdP
U.S.wnm^
FG2<U
~.4^6
hV //Xu!
tdaQO
a4jyLt
KERNEL32.DLL
OyK:*
#1tz+RKT</^XA(
_0{CQ
M,4_8
STATIC
sflM<
"""",
\h)(<-
YrQc"*
ahPyh
isI,"
|?h(A-,
4:v1>8
9>=6%3A
c':lUn
0v;GpR
Y>Qvb
]+us)F
kt9'1
X`1Qt1
2NpBC
NGVZS
SBcPDf
BrY60
0.h=+v
5 Pgk
!h+W2X
"b"no k
pHONZ,
A5hMJ
Sectigo RSA Time Stamping CA0
20220301123254Z
u,JGP
W45x.
t*WSU
cF:"g
BbNNNNbbbb
2`Z}j
J<MYO
@?7ZsZ;
p6+Zr9R
<u>_L
RX,&tyhj
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="NirSoft" type="win32"></assemblyIdentity><description>NirSoft</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency></assembly>PAD
`a AGVp^b
TUFYJ
X$(0y*]
~~~~~~v
948_(
Q?KTr
xapiza
.t0 F7
4JK)L!
LoadLibraryA
;Q{Ti
,6xlP
'PRa]Mt
j?hpS
Mytl*
AIsu|Fe
ss(0'
g!&ao
vG~(3
Tpw][
ogQ #
mt^Ju~
r<x9<s1L
u(X?]_
,%h(Tyv
zysW)v
ARuNih
UJ~0%{
888887y
QaqZ7
QG2THP
LE'NICOD
^.o 3
G/Pt&
U^~V+
s2]<h
"i1d}(
21l8.
*r#O4
Xm9)\
plhd`^\y
>m_b=
kPizVl
GLUp^
090#L
@fZxs0
pn:se
p>D0LINE
-KO{/3
8I#LP,i
s0xF_
_US'
]-S6Y
V)-Mc
| bg^l
@ZF<)
yK W@D
PK}')+
0 c@W
#8(Q,$
CPgR/S
FindTextA
301231235959Z0|1
?tK%pD8
CVbU+!V
pip<TP:ny
1&LE\
9?o|&
wLn@)
+oKg$
9NT0&m
vDpup'
tl`XP
.JPGrz
Jh-.,
/`:02
K<5}r
ve%!_
S@T&iw
{fr$O
ZepZn4
N;ENq}O
FhGEDITwG
"@D&kc~
I0G0E
>oSO|
Y`Gvb
T"/<e
@0&.N
H);V#
rTh07
^Rmpa,\
`NJFB
http://ocsp.usertrust.com0
\4_M(-
Qoh:A(v
Zi{t;Pj
3];k_
=St;>rSM
vAm}?
Dw_>0
Eyih<A8\
Y8MEMV
201023000000Z
h@X p7A
-H0ZL#=
##EE`
'vZNK
OW_ofy
8^tR?W7
FileDescription
gO(j]
^[S!?ip
$F,jdX
@Q`a
5I\-e
!<FC.
Lh=P@N
https://sectigo.com/CPS0C
yoQ15
n~zzc
`/si\g
cU`;R
"-j j
1F"Ya
K4pro4>
0_^]K
a5I'g
FXrlw
]s||t
i>2B&x
8xJ_qV7
]bDV"
d%`-\
lOx!f
lIt]&
?/ixr
[#sp:3
Z-t$``
6BB;;
<M^ed)
DXx2@>k
v[SVP
<"ukO
DnJ<GdW
uyobA
w`A+,
TC-_j [C
fXeJ'
SFI#]
aX[vXXY
C;T<Y@
fZj/6
DC-b/
H.^[X
QknH8
!m0"p
T^uK^L~
e %1"
18^i a/
SCF*h
xd6E*
XL?C$
Eu}6@
%gaL?m
KX89G<t
B+:7Q
D<|K9^
`*HdX
;&RX^)8
N88888
MJXY:Bv
8F&yU
^<8h'
(!/_^d
N7Luc
CP<>e
azdh1
\FlD8
zM#`v">
\@.hv
y77777
m:_*?
w<0|m
.""cT
rOxTB
tp|hS
'IHmy
1rE\' %d:
'?;%;
n!mcf
,E3UM
46SIN
Greater Manchester1
yj Rj
t=nMZu3
W/R,f
,.?AV
O. -_H-H
"yFj)
8sTu_%N
hnajax
@ :NA
c]apc
]d?28
])2u>
s$mQwTZ
b!g.l:r
0y)h7
0x2$J=
/U-sxm
pou $Q
Ct`0s
m $FpJ
~48N$
e2;.i
~w,;F8}
8BgD.
$%s'>~
#RPP,B%
ha=<j
5"Rc0
!@g^0
D/7T0QYj
k 7xtU
A,D,B
h2f^G
(FFKYu
T)f|$
$(@4m
|>'O`
=9Gw(
G`.u@
9YqXF
|myffk
2If"L
)lmk3
[C]e=P
tNIt?
(xt0m
i<e#n
^(d^6>
w~5*V
tO.dm"?
/(TYfY
IArFy''
^^@gI
m8zdt5}t"
.rsrc
~jFlZ
r.KERNEL32.DLL
08rd5
}EIO&x60s{JR
Nxsp~BA|
/\:@!
1\[Dn
`vPb&:B
9~\t N
D&GEu
~~~~v
x~#,^
&;KEh
VQP.W
\(0)/
+p}>h}d
OriginalFilename
q0-YS@D
btvip
P&GMT
B>std5puH
%vFfPg
2:ISBN
`\TD
~?.HS
ALTER +l
zOVdC[M
l(iEz
&2\kb0<S
`%be6v
-BG4_
5vfP:8
rsGHA
33333
l'F:G
[1FL@
MxT n'2`
%hm$vO
orlq0
H;er 8^d
usSJ4a
y_2}^
r0hmW4hu
@a$CL
LV3qeY
,.t'a
~-~e~
$V7uA
k(nIPAh
=h,C~
#Sectigo RSA Time Stamping Signer #20
nB~C3
aC ] R
9EXIMb)\#
3http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%
>.`$Rr
<~ful
VirtualProtect
'd nw
o#X?F
UK)quh6
~-ht1
Pg+ncl
%->*;
fedcba`
VEy<R
U[C }8j0s
!Dw hT
UC,.0B
YWOt
<<(T,
.qFWpa
GJ&*(
zykVn
L|5$T
t<N6I47
d4tZ0
\[Oo6
78.:$NI
iTtM-$
~l^hnFk
j0h0?
Xxos>al
B44B@~b
^esFolr
U}k(o
Z# 79Q[
S^j`t
nx9el
NNNbbb
ntelu
,zyJz
/jcZy:
:.s5(A
Z`-[t
;1Of("
k6VdsY
XAow%
^P4S%WK
'UA-4{
AVJ*X
]4Q4p
=0;09
sT0#TW<]
dhb9]
6Ll"X
`Th6H
tD.0?
x)}PN
&&^ZO(xx[!
y DK(
PwTUV
'XTw@
x<U8iMM
hGBCL
N_U9203
C4cDC
nguchU^m2
]2WDJ//w
ghijklmnopqrstuvwxyz{|}~
VbH4h@I
R~^qo
z?aUY
"k zOm
URyF:
6^ i-t
I/O% l
).j()i
|@p#'B
m%k=1
xx;)tBt`4
x?i4H
VERSION.dll
a9{8t(
Mr&G76
V;aT?
`O_AC$
3http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
SHGetMalloc
COMCTL32.dll
i(08@P
GXe7u
&L"vWN
Th\yO
P]jd8
NirSoft
(0rVh
Sae >uz
43, X
?LQBG
!ddd84
S8]H=nD
_N&lU,
t4T84
"){"0'
*c}q"
Neg$by
H'"p
X NOT
d0DK
GtIr'7
2&-jWp
h" Rod
&Xu,Ij
[Op4?
MZCacheView.exe
t@#Pc
U@q7q
t^xqfq&
A2^uvh
-TLYZ5
!Ds,+i
<<Ye=
*)C;=|
regkey
BX@@Gl
56789
5;FJ$,XEK4<
XI+"~
XpRM&q9.
B3Y?
S4)UO
#qe=J6
@;C8}2
'v{j,`.`@
iz;Aj
]5R&S'
%USERTrust RSA Certification Authority0
CoInitialize
PneG"
EAX=I79
cA0~10
//'jd
$" }G
M0[%NlE!P*
=PZPt#
@wl.8
0#.-l_[7
(3TVXY,
7654|10/.-,+*)('&%$#"!
Pi{)U
'bCF&
Waf4M
<hjp0
GWr!W
N{eLS
a*SeqL
Jx-iN
k, C#
\h7@<
SJr6.M
b83PP
fiWk+
.tjNYcPhn
d}S,;
R'-J
a$\<O
R_T5Y
lej"r
b"j(1"n\
$0x@p
M}RO*
>AQ&l+
ta http-`iv='
0#/)&9d
4vCFF,@
tJSWU
pze g
UJ*x1
E<G&Iw
),p"*D
`38hx<h
kRrHN
nf&"^QT@
`u/'\
Oa+2L
-64OS
\.PTLXi
dbrary if
\Ci>O{F<
?.Ipi
tux*Dp&
DV(+_
qvQt^<
K*zAMx
a" KlB
wCsnC
hXiBcA
4 $$(
nyp`j
6 {B5
D|N,'
MvA1AC
4<5,A
\`fd0]
A8P<TVP
EH]K4
(<-t$
*_V8(0,B
{XAB5
<,s! 5
ht8lt
NVV@%.eE
LegalCopyright
H[E0$So
Kad$P
WBr~h<
TFt1b
yx<|&
C-i]o
txm<&@
|5@'^
\trWHZ
k-7Uw5q
dbbbb
jP,b'
jf*Vi
<,||Qp"Vx
_JRj`3{
hO'G6i
F?Z,;KoA
C&uc4
V8DYWX'
P#Ex@
`[m/T
DVDs7]
XCJ'~
l^FPT
B0_F4
#"Ah4x
\nV Rf
LL$n,L(
dW&,gs
dKW>soDFGXK
d996%t_f
x'hR,
kStrW
j _$\r2
!"#$%&
1|Bxp
c3Vax
*nKUp0Gr
RppliU has mz
bt=6Bf
Hz/|
_XA*l
i)|!(
SWu9x
Sectigo RSA Code Signing CA
\ `$d
bb''''bbbb
z;H s
Kcf0F
T^&d%er bug
z'HuC]
t(htDV"D
ftwde\N
,j\j/
!y'4,
WDe?FlsFree
J<HYF
6l\XVU
dlBNvz!/u{1?cmR^
V r;vS+
sOG?F!P
M](Prtjb0\Q"
/MIME\
New Jersey1
$bGC*
o-QAvSpinCou!
Nu5"4'
O<89`L
s`6,T
H0;'t1
"|Xl)`
Zhlw0y<
.M\IiD
W{ ZA
v>1&/<
teN/yG
p=.>Y
?w*lCr
-rZI#n
xJr^U7
320122235959Z0
]O%(L
@vNlC
/eaQQ
'{2;8
ISO-8859-
ELH3(
>h NSU
fj".T\CMek2>x
&& t
DATA[ *N
ykxQa!
'#TC;
:U< 0
n5z#/fO@
h|aH]
J>@Px
ahUnes
190502000000Z
l@gbtE
@0QQk
I8N`Bh
>`; w
s+@,B<0
J@AQF
<2x8d
~=LX|
6B?Qc'M
tDQ#<
ZFb[z
ohfhR'
<~n\F6y
bq)l7
m\lMm
a[w0?c<
x<t:l
Oa0Z,C
KYF>$
;}n4
9IExd
/QS0y
KW0."
fqrM+
CRP2(
5TK9a
^eT s
J >:62t
l>6NM
b[u&ch
t`/\n
Ns<b=
"""""""""""
E{(M{
c^S6:
{w"2?
4%S{#6365
TD" h#
lNPE,
@Eb|J
=8(%O
@bFCX
d20G-
NS6sf
D.C.
~44>:L
7=MtQ
Zw(E!
aR#lZO
A=0`z
NadfE
q(Yxx+
Ku{H"
`pZ=~
UQPXY]Y
gyaN,
e$l(s
X#H@z
>y%d@
$qZ v
+NrSw8
sd#j$
\[ZYX+hc
k,;+Fl
KVi]|*g
g|cdF
4gBcv
7S(o 2
n lix
S~YU2
SHELL32.dll
VTRPJ
/E|"WS
i*|T&9fZ
Tzv26>
=9!9a
s~_so
Q-9rn
:;|Jt
M]Bg+
zhvT%
y01234
IP/}Y
`PDF4
HpjbFke
`V_tWb
DTD13
u:g@a
E^<(J
3HAmp1
Boypn
n1axoZ
:*6'a
c[mu+
o}VnO
v-18s1
?++5p=lf
f$#R600
#ke]$
o MUK}:
DBM&(
&c2"=A
|@!DS
Hw)p
espcLm[d~q
CI'Lf
'Pd0X
y009876
UGTy2
S 2GS
<rt,@5
^b/gb
~@/v@
uc&:W
E.pdb
5n#y D
ADVAPI32.dll
8N ;\
&|SJab
<}-Y!
LSl@?
Copyright
@>"Hd
90705
?{<Yv8
!WK[*
hmTlrCr
F7xNE
zxtsDT
lr(jV
T PF*
aJbXV`:
fFHf&g` X
tJVUP
oPA`(
orSqD\
<G.aMj
"POSTf
u -Y|
`mlswpN
WilI5>faq
8"3hrf
%gjQX
3snA\
M*`:P+
sXD)UPiQS
CompanyName
5u*Fvr
6hHP~a
AbshZ
\Cs1\
BiH'd
n]G@_p
w!NULL
f*f/a
NBKl\3
/}W{n
gn"ntac
qFuomi
Z-<OLf<
__]^(:
Y5(>d P
a|/~<p
+r,WP
*(VW2
",Dq~`
*@r9S
|7,h-
V~ZUm
+8,AuDfv4
WqS6cc
("![
y^ss+D
.XPl```
q:Ddf2
Nln[0];
Q~Zs7a
toD,y#
QtR1YY
NF )F
S?Cwc
); }p:V/
, <Xw
&xr(*
https://sectigo.com/CPS0D
]F}~m
9<?xm
pBab}j
WUpKN
H/ p+
o.kIo<
yt<tWv
http://ocsp.sectigo.com0
XJSi:
^I2-;I
bad alloca&
2{br^D
TLOSS
JJuda_
{#p8R
#Addv
/$V.Q
K\?V8!
.)pw>L#
#Op42n
&yGET"
%&'()
^]\#]0;]4tWB
Ghse.x[Hp0\
^PDHxpj
sc`xT7<
|]5!K
EncoXPoi
WR06YD
P`p1v
(NL29.
t/P%`+
&Cp$d
,_![S
@hT9ht2h
[:n7n
<^kt&
lfGUY
skcdU
[u-F?
}n+}>]
|a#:S
Id(T'
%8.8Xnc
~~AxQJ3
xzN"k
7&F|If
y66655
`C32X
F_ce_
2gv)n
-,gA!
X7x!--
FPA$0
L9 u&
:VSP(k
x?PwY
9Vht9Ua
""""(
Mbj[c
jUS<+F
5ZAg<
2rHG1
JQCDa
<]EQ h(B
u&I"`
FJFFFF)4T
L"*,@L/
ed,S?
ms4vl
|"ph]
%C3%n4ZjtfEXPIc
.vpGF
7qh#}
~""'x
!|,M"
h_LKF
"t^9(uZ
f5!Ud
u,Zr,
RX! Z@
n<1]#&
u>@ry
F',x[
aP fh
_A xg
e%.@1
x!0,b
VP8X Ld
1\lK_
`_$hh3(hl
J uzWh
-pG\G
) 8 l2
sGw&N
F\Pjp
^rt;FG
eWr9q
!.<(c
`D"N>r;h
d.Pv,
<T@T)]z
.JP%)
jAhD}
Z#-DLU[3=h
?!?wK
>"ZP#
z;xhx&V
VarFileInfo
bu{Y5 <dJ'
-El,M9
3xVVhiU*
1#QNAN
FE~Fp-`%
tXI((
p$W|[92
6t9@u40m
!42@
230909235959Z0q1
<9C``ub
W?.4_
~~~~~`
srrCDL
lJ]Ay
"b}b*XhUu
xcP/F
~~~~~p
XGyeP`
Rh6~(
xU's<
)Fh<h
&`~JF
g&#824
TL5M{$
~.{{!
\)UHhi
?Qy0[
Bt9HHt.
BH`1&
T#$NY
hLpC7kR
]P<1ZD
<v@AB
I.B/=
Cf9vWr>
Jersey City1
}jvq4
JYD8'c
RWF?;dobte
^P;?`
>KO;0
~6&jV
fUFLH
FiL74
Gf95)1&!
Vxe@@
I.$k,
i048s
$L`i#
7Ix9(
END x
':l9rt
N22222
b($ekiCs
=*t`d`-
_%<bI
"DPI,
tW8*gug
DB,pV3
)QR{@
~BN@:
Zy7(M
!#-ha
BPQSP
RA mHKl
Dor0$,
>{6GR
h'h(,
mG.[?xSp33- A
)<fMM
2"QTn0|
idna\
HH:mm:
/P}uYp
J $s
3http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
3U$.s
\u6Ca!
T*bLHD=
nV2@h
Genuu
L$@5SZ
th,C
J8>Et!<
ipro+
Iz"LUP
380118235959Z0}1
sPurr
DTvh!*
0%C+D
D%28|
^Ycke
<#o`1V
_X BH
dhLPXE'
"""""""""""""
@4S-`
;,\@f
)$d<--
fX$O;
MZCacheView
Hgcour
OhXE;
[LC:2
S@kja
3G.^8<
DNdw?7
|&<<=
. 3%.
D8%C<|*
B"jlos
&g8&\b
Sectigo RSA Time Stamping CA
\^wLJHF
e)5*-
YNJy)t*
}W|ZC
9 0F8
%e/VL$D$
u!)1;
71351171
~(@gmR
XPy!W1
>\H3o
GHIJKLMNO
yotW. I
Y@|s9
1,|Xj
Sectigo RSA Code Signing CA0
$!:4|`*
qO@.($
220301123254Z0?
{LCMV
TN?Xl
%aXR/p
<xL<X%
(e.g.
&HH9b
sIQ.g
54N00
AKK8RW
WWK7P
nBL@L
f=G%"5
kUc`X
zSQ\?
r2{.9
[WUY%8\i
=Cf2z
LX73l
BitBlt
W"LrU
PV<wd
|6E,0
9op<G
^a.tjmpt to &
.vrdb
\s9PkPs_C6
8f$[tN
;7.a#i
: WcF, ?
StringFileInfo
Po3|a
!-0:.4
l?,g8BN#B
/cW7_
ole32.dll
n`p]4!3
T0Pt4Ll
|t2<4
r!=8O0
Vo$e!
P['B0.
#,N0K
Q 8PX.
Gnq2^*
6!.w(;+
Sj.V7
M;<s@
LY"X8
mw~GV
Wx{4P
S SaB
iNlo0
n(6;(V
J^u4]~
Xjx|F
8u\gi
c^u] t#
c#9uB
W008O
}?8Y@
/1.E5PH
~[8[tS
+dNaj
- 9} 7}
Rl=~m
qCR}C.
C'ClslPa
CfW`5
#CfU7
3z2H8
DW(FT
`abcdef
o=%2F @S
4$v)J|a
E4SQCQDp
"$,dj
KF0}#A
O d f
TIhM
x)J4P;
7J3mM
sgxgFREEGmd
(Catn
V5.$T*
9csm<*
h0f0?
;RIFF
sy aB~xR
ls/moz
j0n<WPv}
4'''',$
Jf#[,
y !"#$
Salford1
<SLE=
SF+``
%1.1X\
!(c*`8G Ee1
]&c7]
iIQPPb(X
%CXbP
rKph+
n.?'N
p[k&+
t@hpRX
vZsC/[
87frePxa
-}I*h7l0
*cN` v
4MYKYYW
VxHS-
1F0A@z
H06Jr&
*+,-./y
y$D$D
fj#@8a
bn0s}Q_@r~aoPq
i++)ws
Vs6bV
77776
PQWVX
U+(US)
BA'Je
7=4Pj
(ds+
', S61:
#\P,$
.mixcrt
CNNv`{
hsEPl
6N0'N
!x` 8
F+U#2
h2m:_RC
7'u($
W'w8b
J~JS7
:;<=>?E
W[+k#
E@&9@
kjihg
~IO,z
UadqMjX
=}G0G4w
L$;S=@
4T23:h
PWonW
support@nirsoft.net0
,l,`$$:
DAl]tR
MxING
W[Xp!
VS_VERSION_INFO
L@q %
51hn(
n+mR&~
E4jPY
9i4z(u
lhpCm
o#p{*
gCO@h^)1
\2Nm fpmA
#Sectigo RSA Time Stamping Signer #2
Gx=2U
3m3drG
!Xc1c
g7sO7
xheSj
nX_x6
e:do;B
!|JO-
QeBsX
QHlQ H
HY.CA
<SCRIPTR
)u#JO
QR0a<
Nir Sofer0
,ZG_43
. ;NX}3
(DK(d
^q{+<
I4!G5
76#3Ii
ajPOj
FPFQk"
?http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v
7J\[TzI
K#<yP
2IpLl*
I40uQ
((0|/
(_P.
RJq8@
jNV>6:d
@)0S|Tj0^
B.:4g
fkC|.
+F.F?
?taU3I3
DS/%2.2X"S
Sectigo Limited1%0#
"MmWi
>4BjS7
)$Y@,
. Iz6VF2
GetProcAddress
^\W0uy
Lh EP 4
F\<wt
*E;*Q
zh-c0
ProductName
66"PR
h4>X <V
i;5(g
AgLaP
V8``w
;vOt>NMt
x3Rb0x
-F%7noS?q
|87uK
"`pFw
X++//
txhTH
%UX#S0
CCG\R
ExitProcess
<H#SPp
_CACHE_
tqJtE
Ah8^NusSW
+T"";
M4L\J-
4"H^,U3
be 1,
W=WbS
3<352eM
3PfrP
;HJSp
(wLL7
]IMrV
JYYu4
h/M;E
FileVersion
wvcs=UTF-8
q,<i[
H%}!p
hME*>|
q0 J'H
@rPPPr
P~6-U~/W
}c8sSs
\.d""
cT"
Q;H,^
M9@Urn
MPN`
O<jO8
,JEDbC
h08;8s
:BSPM?
ob4Y9
[_'7ll Hi
f;9t+FAA"v
`"hdv
u*DaS
By6U6
A~)2D@
e?H7~m
3g,*$
OW`(m7HS
gW<?
NS*1N
he h
#D#D$DPI
)4C x
ZOuzo
Zpy9{
t%n2>
H*9Ux
HLLPPT
<,|Li
&+S(y
}[8Tr
tAHt7
x !>V
AudiO&
FLP|A/
+htC
hU_l"
'g>O!'K
K7.l
TYPE HTML
<xyth"
td-DtCH
O>how
.Us*Obj
9s82
f'_aaJ
GDI32.dll
maytAN
C"!CS
prgC7
^JY@Dh
>2kTw
I#W2bB
SSuwa
|TV|G>x
&.5NPh.Dmy
u,f|X
!SPa5
f2E8N
A^Bht
>9~(~n
-YDTT0
eEM!Z,\
YS3Bc*
Cjo%uXg
^L~XT
.`'z8UV
.*Cd(
1/^\s+|
,XYZ[\
p!=[3
9AzRM,
8V^-$
lQLQV
2http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
i,h |
Dakar 21, Unit 821
Nir Sofer1
InternalName
}hj$WS0
h5P31Ff
Wxw?u
Far[Y
ofW"q
g`ha`
(~8r|
<p\g(m
#6+!2
W/tA+
ageBoxbUSERVs
w(mHY
P$6!>
A,+D>
%{Vs?
666666y
GetDC
THm[^
@z>nQ
VY ZVVI
`-J)-S
"""""
BODYd
zv3eR
~;06(
17^}$
\ById("x
..R|2y>Tr
\/:*>"<>
g<nNa80
8<4h"
tFV"Vy
*~ ;#
,_j4LJ
\5u,k
2LxXB.)
aDS.fLO!
z*04h
al7/$
;''bb
_[F$c
CzLciK
wjF6hp$
/" t_
qi<LM
/i,Pk
L5xCxW
0"xAY
n>c=t3
"vakd<r
-o:"-^H
r[1e
Y:@4V
s#VOA
xYt{S
0Xx3Z
zhAHnS
F:F:9H
yz0"K
i2OXn
A'-'' F47o'1"
",toZ
;`eh T
81t|u
e 1?v
<0:08
K`a44i
f8t8tJ
VF7Cs
STY[U
D]]==
';?h"
Xo5:.
(/CH#
L>E@%&A
L`LL\
s?Ow0
wsHFZ-
D&px
oZXo+?
!5!d;
Ri5Lr
*Bosd[;d0B
?GHM(M
a"~A9E`b
4M,08<
p@dD&aXe
&$" n
lX~4L
l$,)|
Sectigo Limited1$0"
giVe6jep
!This program cannot be run in DOS mode.
oZ%pb
CAx|p
4u4H8Tl
V|Ms KNJp
\blA{
E&y8T0
L~;4$>
:V>Vj
l-k.b
"l0[@[\
)\[1];P
K?:W8
$pQiQ
4nnEv>
!de3e
USER32.dll
vz8[(2
rOvIt'o
VC20XC00
s.!g$
@ZkU<
HPXlDm
`]IlT
;U([M
PGWhi
[Ee,T
CF,HV9d
zc%C1
!BE`C
>pch_jj^^"
'()*+,-./0123456789:;<=>?@ABCDEF
{n;4i
.V1na~
nprtvz|~
Te-p3
~}|{zyxwv
m%A)g
bbbbJsk
EtZf@
S$B_0~Ed
A8nRPj
' 8t`
BXQKh+
8Rich
H,)$>
'8PWF
700WP
W;{Hv
|+ `Hk
6:%+H
<*"D!D
_Xuhl
'pm`9x
k>s/)
Hh31L
hdVS%tv;
`E2;p.x
$.po2
/(tRP
xT6.@
Xzf>'
EprViEdH|
ghJSONdnl
.tfVU
V-oSi[
dm$Cw
Translation
54321
$p)&#
S@JfK
,:f+4Q
ShXP`
1;Ph4Q
N(/clr)<
,GFj?!
>@(A~hp-
!=$ng$
H}?HI
D@<0$
Y%gSX;
s:02Yg
=^wnL
SmJ97
N@;:X
2007 - 2022 Nir Sofer
ProductVersion
g0e0>
U"LOU$
-+*Gl>wO|&
]3iT.
K8Os;rZ8
&8W4W]
]VCA\
6kc3C_
rRj;B7|
tyaL|
The USERTRUST Network1.0,
InLcx@
-<n}l
u4C6N
MnZ/rs
@Ml8|
`{vy8
|Tag?A
mD +JnC
}\3<4
HRNAx
H.EIa]B
L29$j
V>dP?
oTymR
Gt!0x
VAFxJl~("$8D
9 P\\
J8F;5
@'3bk
gG2jU
uArxo
iv\,:m`YqsG
W*d`\/a
"|Wr}&
-bQP+@
UdZ1ho
gKz0|
rrrWX`dN
09>H@
8U$`g$
BZ{GuX
Or{ox s
cF8i!
7><(uML
xui!7
f0jQu
nPv`~p@g(M
DUSmw
jCqdIX,
<Ttv`m
*#(Um
s'dT_
;PH_ta
x1wps
HjtB`
[X}#y.
(8HL8aa
pYX+.,\
l~Ph-nD
48`x?2+
mElG}
*t9jR%t
Sectigo Limited1,0*
%=V@l0
ONOUT$
PhdR^_
z[Cyo
6`bH,
BCT]$
u+}y@i
HTTP-.1
2<\%t
wo_(%
3`nph
~~~~f
d, M
ut/Tg
L@fRP
_cL!h
d]#dg
A| r,
eFAQs
z cRD
(&t D>
CmW' .
y.GK=
K=fs,
.5.5x
4~(0~
9D8tr,
f!70y
XPTPSW
""""""
F8^|W
([ WRB
)<P*C
-4/(#dAq{
FAD\t
K3+=j
vxSQii(
C;7>:
1I#,!C
2http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
\#06
5`;As'
#jYhRB_
W z/Z
RegCloseKey
;fuFk
wCorExitPr
;x!bl
8wZ)7
]},$&i
m$q7J
E(KJIBFEDCBA@?>=<;:98
="8l"> r

PE Information

Image Base 0x00400000
Entry Point 0x0008a0b0
Reported Checksum 0x0004e325
Actual Checksum 0x0004e325
Minimum OS Version 4.0
Compile Time 2022-03-01 12:29:17
Import Hash 7c2755b900ae1587aee680d82dfba487
Icon Exact Hash d79d3df00b7d19c68624c5f18f7e0597
Icon Similarity Hash cd59d1263c367d5e6b856bebe5a90acc
Icon DHash c6f0f4e6ececcaf2

Version Infos

CompanyName NirSoft
FileDescription MZCacheView
FileVersion 2.15
InternalName MZCacheView
LegalCopyright Copyright © 2007 - 2022 Nir Sofer
OriginalFilename MZCacheView.exe
ProductName MZCacheView
ProductVersion 2.15
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
UPX0 0x00000400 0x00001000 0x0004e000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
UPX1 0x00000400 0x0004f000 0x0003c000 0x0003b400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 7.94
.rsrc 0x0003b800 0x0008b000 0x00002000 0x00001a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 3.61
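The two UPX sections in this table are exactly what the packing signatures further down key on: a section name outside the set a stock linker emits, a section with zero bytes on disk but a large executable virtual range (UPX0, where the stub decompresses the original image), a section whose entropy sits near the 8-bit ceiling (UPX1, 7.94), and sections that are writable and executable at the same time. The Python below is an added example, not CAPE's own signature code: it runs those checks over the three section rows above (constructed inline from the table's values) and shows how the per-section entropy figure is derived. The known-section list, the 7.0 entropy threshold and the 0x1000 virtual-size floor are the example's own assumptions.

```python
"""Packer heuristics over PE section headers (added example, not CAPE code)."""
import math
from dataclasses import dataclass

# Section names a stock MSVC/MinGW/.NET linker emits. Assumption of this
# example; CAPE keeps its own list for the "unknown PE section name" check.
KNOWN_SECTIONS = {
    ".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata",
    ".pdata", ".tls", ".bss", ".CRT", ".gfids", ".00cfg", ".textbss",
}
# Names that identify a specific packer outright.
PACKER_SECTIONS = {"UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX", ".upx": "UPX"}

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
HIGH_ENTROPY = 7.0          # bits per byte; compressed/encrypted data sits near 8


@dataclass
class Section:
    name: str
    virtual_size: int
    raw_size: int
    characteristics: int     # raw IMAGE_SCN_* flags
    entropy: float           # as reported per section


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), the figure CAPE reports per section."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def section_findings(sec: Section) -> list[str]:
    """Return the heuristics this section trips, as short tags, in a fixed order."""
    findings = []
    if sec.name in PACKER_SECTIONS:
        findings.append(f"packer_section:{PACKER_SECTIONS[sec.name]}")
    elif sec.name not in KNOWN_SECTIONS:
        findings.append("unknown_section_name")
    if sec.entropy >= HIGH_ENTROPY and sec.raw_size > 0:
        findings.append("high_entropy")
    # Writable and executable at once: something intends to write code here at run time.
    if sec.characteristics & IMAGE_SCN_MEM_EXECUTE and sec.characteristics & IMAGE_SCN_MEM_WRITE:
        findings.append("rwx")
    # Nothing on disk but a large executable virtual range: the unpacked image
    # is materialised into this section after load (the UPX0 pattern).
    if (sec.raw_size == 0 and sec.virtual_size >= 0x1000
            and sec.characteristics & IMAGE_SCN_MEM_EXECUTE):
        findings.append("empty_executable_section")
    return findings


def looks_packed(sections: list[Section]) -> bool:
    """Overall verdict: a known packer section, an empty executable section,
    or high entropy together with RWX code anywhere in the image."""
    tags = {t for s in sections for t in section_findings(s)}
    if any(t.startswith("packer_section:") for t in tags):
        return True
    return "empty_executable_section" in tags or {"high_entropy", "rwx"} <= tags


# Constructed input: the three rows of the Sections table above.
REPORT_SECTIONS = [
    Section("UPX0", 0x0004E000, 0x00000000, 0xE0000080, 0.00),
    Section("UPX1", 0x0003C000, 0x0003B400, 0xE0000040, 7.94),
    Section(".rsrc", 0x00002000, 0x00001A00, 0xC0000040, 3.61),
]

if __name__ == "__main__":
    for s in REPORT_SECTIONS:
        print(f"{s.name:6} {section_findings(s)}")
    print("packed:", looks_packed(REPORT_SECTIONS))
```

The zero-entropy, zero-raw-size UPX0 section is not an anomaly in the entropy figure but the tell itself: nothing is stored there, so the 0x4e000 bytes of executable address space have to be filled by the stub in UPX1 before the original entry point can run. That is why the analyzer was given unpacker=2 and procmemdump=1: the useful image only exists in memory.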

Overlay

Offset 0x0003d200
Size 0x00002178

Resources

Name Offset Size Language Sub-language Entropy File type
RT_CURSOR 0x00083808 0x00000134 LANG_ENGLISH SUBLANG_ENGLISH_US 7.05 None
RT_CURSOR 0x0008393c 0x00000134 LANG_ENGLISH SUBLANG_ENGLISH_US 7.03 None
RT_BITMAP 0x00083a70 0x00000668 LANG_HEBREW SUBLANG_DEFAULT 7.79 None
RT_BITMAP 0x000840d8 0x000000d8 LANG_ENGLISH SUBLANG_ENGLISH_US 6.91 None
RT_BITMAP 0x000841b0 0x000000d8 LANG_ENGLISH SUBLANG_ENGLISH_US 6.88 None
RT_ICON 0x0008b80c 0x000002e8 LANG_HEBREW SUBLANG_DEFAULT 3.17 None
RT_ICON 0x0008baf8 0x00000128 LANG_HEBREW SUBLANG_DEFAULT 3.15 None
RT_ICON 0x0008bc24 0x00000128 LANG_HEBREW SUBLANG_DEFAULT 2.30 None
RT_ICON 0x0008bd50 0x000002e8 LANG_HEBREW SUBLANG_DEFAULT 0.96 None
RT_ICON 0x0008c03c 0x00000128 LANG_HEBREW SUBLANG_DEFAULT 2.98 None
RT_MENU 0x00084bd0 0x00000b62 LANG_ENGLISH SUBLANG_ENGLISH_US 7.80 None
RT_MENU 0x00085734 0x000002ac LANG_ENGLISH SUBLANG_ENGLISH_US 7.58 None
RT_MENU 0x000859e0 0x00000014 LANG_HEBREW SUBLANG_DEFAULT 4.22 None
RT_DIALOG 0x000859f4 0x000000bc LANG_HEBREW SUBLANG_DEFAULT 6.92 None
RT_DIALOG 0x00085ab0 0x00000296 LANG_HEBREW SUBLANG_DEFAULT 7.48 None
RT_DIALOG 0x00085d48 0x00000300 LANG_HEBREW SUBLANG_DEFAULT 7.64 None
RT_DIALOG 0x00086048 0x0000058a LANG_HEBREW SUBLANG_DEFAULT 7.74 None
RT_DIALOG 0x000865d4 0x00000124 LANG_HEBREW SUBLANG_DEFAULT 7.04 None
RT_DIALOG 0x000866f8 0x000000f8 LANG_ENGLISH SUBLANG_ENGLISH_US 6.95 None
RT_DIALOG 0x000867f0 0x0000014c LANG_HEBREW SUBLANG_DEFAULT 7.25 None
RT_DIALOG 0x0008693c 0x00000336 LANG_ENGLISH SUBLANG_ENGLISH_US 7.63 None
RT_STRING 0x00086c74 0x00000210 LANG_ENGLISH SUBLANG_ENGLISH_US 7.29 None
RT_STRING 0x00086e84 0x00000032 LANG_ENGLISH SUBLANG_ENGLISH_US 5.48 None
RT_STRING 0x00086eb8 0x00000118 LANG_ENGLISH SUBLANG_ENGLISH_US 6.19 None
RT_STRING 0x00086fd0 0x00000044 LANG_ENGLISH SUBLANG_ENGLISH_US 5.42 None
RT_STRING 0x00087014 0x000001ec LANG_ENGLISH SUBLANG_ENGLISH_US 5.81 None
RT_STRING 0x00087200 0x000000a0 LANG_ENGLISH SUBLANG_ENGLISH_US 1.00 None
RT_STRING 0x000872a0 0x000000aa LANG_ENGLISH SUBLANG_ENGLISH_US 4.49 None
RT_STRING 0x0008734c 0x00000178 LANG_ENGLISH SUBLANG_ENGLISH_US 5.41 None
RT_ACCELERATOR 0x000874c4 0x000000a0 LANG_HEBREW SUBLANG_DEFAULT 5.39 None
RT_GROUP_CURSOR 0x00087564 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 3.98 None
RT_GROUP_CURSOR 0x00087578 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.20 None
RT_GROUP_ICON 0x0008c168 0x00000022 LANG_HEBREW SUBLANG_DEFAULT 2.48 None
RT_GROUP_ICON 0x0008c190 0x00000014 LANG_HEBREW SUBLANG_DEFAULT 2.02 None
RT_GROUP_ICON 0x0008c1a8 0x00000022 LANG_HEBREW SUBLANG_DEFAULT 2.56 None
RT_VERSION 0x0008c1d0 0x000002c8 LANG_HEBREW SUBLANG_DEFAULT 3.41 None
RT_MANIFEST 0x0008c49c 0x000001dd LANG_ENGLISH SUBLANG_ENGLISH_US 5.03 None

Imports

Name Address
ADVAPI32.dll
  RegCloseKey 0x48c744
COMCTL32.dll
  (no named imports listed)
comdlg32.dll
  FindTextA 0x48c754
GDI32.dll
  BitBlt 0x48c75c
KERNEL32.DLL
  LoadLibraryA 0x48c764
  ExitProcess 0x48c768
  GetProcAddress 0x48c76c
  VirtualProtect 0x48c770
ole32.dll
  CoInitialize 0x48c778
SHELL32.dll
  SHGetMalloc 0x48c780
USER32.dll
  GetDC 0x48c788
VERSION.dll
  VerQueryValueA 0x48c790
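This is the minimal import table a UPX stub leaves behind: the four KERNEL32 functions the stub itself needs to rebuild the real imports (LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess) plus one function from each DLL the original image used, so the loader still maps every DLL. The Import Hash shown under PE Information is derived from exactly this table, which is why a UPX-packed file's imphash identifies the packer stub rather than the program inside. The Python below is an added example, not CAPE's or pefile's code; it follows the pefile convention CAPE uses: each import becomes "dll.function" with the DLL lowercased and its .dll/.ocx/.sys extension stripped, imports by ordinal become "ordN", the strings are joined with commas in import-table order, and the MD5 of that string is the hash. The DLL attribution in the sample input is the example's own, taken from the DLL names in the strings dump and the standard home of each API. One import group in the table above lists no function name, so its ordinal is not on this page; without that entry the value computed here is not expected to equal the report's 7c2755b900ae1587aee680d82dfba487, and supplying it as a third tuple element would complete the input.

```python
"""Import hash (imphash) over an import table, pefile-style (added example)."""
import hashlib
from typing import Optional

# (dll, function name or None, ordinal or None) per import, in table order.
ImportEntry = tuple[str, Optional[str], Optional[int]]


def normalize_dll(dll: str) -> str:
    """Lowercase the DLL name and strip a .dll/.ocx/.sys extension, as pefile does."""
    name = dll.lower()
    base, sep, ext = name.rpartition(".")
    if sep and ext in ("dll", "ocx", "sys"):
        return base
    return name


def import_string(imports: list[ImportEntry]) -> str:
    """Build the comma-joined string that gets hashed.

    Order matters: the same functions in a different order give a different
    hash, which is what makes the value a fingerprint of a particular linker
    or packer layout rather than of the API set."""
    parts = []
    for dll, func, ordinal in imports:
        if func is None:
            if ordinal is None:
                raise ValueError(f"{dll}: import has neither a name nor an ordinal")
            func = f"ord{ordinal}"     # pefile's fallback for DLLs it has no ordinal table for
        parts.append(f"{normalize_dll(dll)}.{func.lower()}")
    return ",".join(parts)


def imphash(imports: list[ImportEntry]) -> str:
    return hashlib.md5(import_string(imports).encode()).hexdigest()


# Constructed input: the named imports from the table above, in table order.
# DLL attribution is this example's assumption, not part of the report.
REPORT_IMPORTS: list[ImportEntry] = [
    ("ADVAPI32.dll", "RegCloseKey", None),
    ("comdlg32.dll", "FindTextA", None),
    ("GDI32.dll", "BitBlt", None),
    ("KERNEL32.DLL", "LoadLibraryA", None),
    ("KERNEL32.DLL", "ExitProcess", None),
    ("KERNEL32.DLL", "GetProcAddress", None),
    ("KERNEL32.DLL", "VirtualProtect", None),
    ("ole32.dll", "CoInitialize", None),
    ("SHELL32.dll", "SHGetMalloc", None),
    ("USER32.dll", "GetDC", None),
    ("VERSION.dll", "VerQueryValueA", None),
]

if __name__ == "__main__":
    print(import_string(REPORT_IMPORTS))
    print(imphash(REPORT_IMPORTS))
```

For a packed sample the practical consequence is that pivoting on this imphash in a threat-intel platform will return every 32-bit UPX stub with the same DLL set, not other builds of MZCacheView; the imphash worth pivoting on is the one of the unpacked image CAPE dumps with import reconstruction enabled.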


Usage

Processing ( 32.46 seconds )

  • 30.651 ProcessMemory
  • 1.578 CAPE
  • 0.226 BehaviorAnalysis
  • 0.004 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.07 seconds )

  • 0.009 antiav_detectreg
  • 0.008 ransomware_files
  • 0.006 antianalysis_detectfile
  • 0.005 ransomware_extensions
  • 0.004 infostealer_ftp
  • 0.004 territorial_disputes_sigs
  • 0.003 antiav_detectfile
  • 0.003 ursnif_behavior
  • 0.002 antianalysis_detectreg
  • 0.002 antivm_vbox_files
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 infostealer_mail
  • 0.002 poullight_files
  • 0.002 masquerade_process_name
  • 0.001 antidebug_devices
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 qulab_files
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior
  • 0.001 recon_fingerprint

Reporting ( 0.15 seconds )

  • 0.14 CAPASummary
  • 0.012 JsonDump

Signatures

Queries the keyboard layout
SetUnhandledExceptionFilter detected (possible anti-debug)
The binary contains an unknown PE section name indicative of packing
unknown section: {'name': 'UPX0', 'raw_address': '0x00000400', 'virtual_address': '0x00001000', 'virtual_size': '0x0004e000', 'size_of_data': '0x00000000', 'characteristics': 'IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xe0000080', 'entropy': '0.00'}
unknown section: {'name': 'UPX1', 'raw_address': '0x00000400', 'virtual_address': '0x0004f000', 'virtual_size': '0x0003c000', 'size_of_data': '0x0003b400', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xe0000040', 'entropy': '7.94'}
The binary likely contains encrypted or compressed data
section: {'name': 'UPX1', 'raw_address': '0x00000400', 'virtual_address': '0x0004f000', 'virtual_size': '0x0003c000', 'size_of_data': '0x0003b400', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xe0000040', 'entropy': '7.94'}
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 728 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
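The bytes the shellcode_get_eip rule matched in the PID 728 dump, E8 00 00 00 00 58, are a five-byte CALL with a zero displacement followed by POP EAX: the CALL pushes the address of the next instruction and immediately transfers to it, and the POP moves that address into a register, so position-independent code learns where it was loaded. The Python below is an added example, not CAPE's or the Yara rule's code; it generalises the six-byte pattern to any POP r32 (opcodes 58 to 5F), reports the offset and register for each hit, and ignores CALLs with a real displacement. The sample buffer is constructed for the example and is not bytes from the analysed file.

```python
"""Locate the call $+5 / pop r32 get-EIP idiom in a byte buffer (added example)."""

POP_R32 = {0x58: "eax", 0x59: "ecx", 0x5A: "edx", 0x5B: "ebx",
           0x5C: "esp", 0x5D: "ebp", 0x5E: "esi", 0x5F: "edi"}

CALL_NEXT = b"\xE8\x00\x00\x00\x00"     # call rel32 with displacement 0


def find_get_eip(buf: bytes, base: int = 0) -> list[dict]:
    """Return every CALL rel32=0 that is immediately followed by a POP r32.

    Each hit records the offset of the CALL, the register that receives the
    address, and the value that register holds afterwards: base + offset + 5,
    i.e. the address of the POP itself."""
    hits = []
    i = 0
    while (i := buf.find(CALL_NEXT, i)) != -1:
        nxt = i + len(CALL_NEXT)
        if nxt < len(buf) and buf[nxt] in POP_R32:
            hits.append({"offset": i, "reg": POP_R32[buf[nxt]], "eip": base + nxt})
        i += 1
    return hits


# Constructed sample (not from the analysed binary): the idiom, a real CALL
# that must not match, a stray POP, and the idiom again with a different register.
SAMPLE = (
    b"\x90\x90"                  # nop; nop
    b"\xE8\x00\x00\x00\x00\x58"  # call $+5; pop eax      <- the idiom (offset 2)
    b"\xE8\x40\x00\x00\x00"      # call +0x40: non-zero displacement, a normal call
    b"\x5B"                      # pop ebx: no zero-displacement call in front of it
    b"\xE8\x00\x00\x00\x00\x5B"  # call $+5; pop ebx      <- the idiom (offset 14)
    b"\xC3"                      # ret
)

if __name__ == "__main__":
    for h in find_get_eip(SAMPLE, base=0x00401000):
        print(f"call at +{h['offset']:#x}: pop {h['reg']} -> {h['reg']} = {h['eip']:#010x}")
```

A hit on this rule is a prompt to look, not a verdict: the same six bytes occur in any hand-written position-independent code, including unpacking stubs and the self-locating code compilers emit, and in this run the hit came from a process dump of a file the DigiSig module had already reported as carrying a valid signature. The useful follow-up is to disassemble forward from the matched offset in the dump and see what the recovered address is used for.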

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Windows\System32\kernel.appcore.dll
C:\Windows\System32\bcryptPrimitives.dll
\Device\CNG
C:\Users\Packager\AppData\Local\SystemResources\MZCacheView.exe.mun
C:\Users\Packager\AppData\Local\Temp\MZCacheView_lng.ini
C:\Windows\System32\oleaut32.dll
C:\Windows\System32\msctf.dll
C:\Windows\Fonts\staticcache.dat
C:\Users\Packager\AppData\Local\Temp\TextShaping.dll
C:\Windows\System32\TextShaping.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\System32\uxtheme.dll.Config
C:\Windows\System32\uxtheme.dll
C:\Users\Packager\AppData\Local\Temp\MZCacheView.exe.Local\
C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984
C:\Users\Packager\AppData\Local\Temp\MZCacheView.cfg
C:\Windows\System32\textinputframework.dll
C:\Windows\System32\CoreUIComponents.dll
C:\Windows\System32\CoreMessaging.dll
C:\Windows\System32\ntmarta.dll
C:\Windows\System32\WinTypes.dll
C:\Windows\SystemResources\USER32.dll.mun
C:\Users\Packager\AppData\Local\Temp
C:\Windows\System32\windows.storage.dll
C:\Users\Packager\AppData\Local\Temp\Wldp.dll
C:\Windows\System32\wldp.dll
C:\Users\Packager\AppData\Roaming
C:\Users\Packager\AppData\Roaming\Mozilla\Profiles\*.*
C:\Users\Packager\AppData\Roaming\Mozilla\Firefox\Profiles\*.*
C:\Users\Packager\AppData\Local
C:\Users\Packager\AppData\Local\Mozilla\Profiles\*.*
C:\Users\Packager\AppData\Local\Mozilla\Firefox\Profiles\*.*
C:\Users\Packager\AppData\Local\Temp\_CACHE_MAP_
C:\Users\Packager\AppData\Local\Temp\entries
C:\Users\Packager\AppData\Local\Temp\*.*
C:\Users\Packager\AppData\Local\Temp\57e5473f-0a5e-47f8-945c-b2162ad59cbe.tmp
C:\Users\Packager\AppData\Local\Temp\69cc8f54-5cbf-4e75-af39-d6eca6b63a46.tmp
C:\Users\Packager\AppData\Local\Temp\6b2d0a9a-00ac-4922-a419-2dc3527c991a.tmp
C:\Windows\System32\en-US\USER32.dll.mui
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_CURRENT_USER
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\000603xx
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Sorting\Ids
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids\en
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\MZCacheView.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\AppCompatClassName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\IsVailContainer
HKEY_LOCAL_MACHINE\Software\Microsoft\Input
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\ResyncResetTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\MaxResyncAttempts
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\DefinitionFlags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PropertyBag
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\3
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\3\KnownFolders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\KnownFolderSettings
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\DefinitionFlags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\PropertyBag
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Arial
HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\OverlayPackages\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Shell Dlg 2
Local\SM0:728:168:WilStaging_02
Local\SM0:728:64:WilError_03
Local\MSCTF.Asm.MutexDefault3
CicLoadWinStaWinSta0
Local\MSCTF.CtfMonitorInstMutexDefault3
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.