Analysis Report · CAPE Sandbox

Analysis

Category	Package	Started	Completed	Duration	Options	Log(s)
FILE	exe	2025-06-14 07:03:40	2025-06-14 07:34:51	1871 seconds	Show Options	Show Analysis Log

procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1

2024-11-25 13:37:14,991 [root] INFO: Date set to: 20250614T06:34:07, timeout set to: 1800
2025-06-14 07:34:07,174 [root] DEBUG: Starting analyzer from: C:\tmpjeo7jmad
2025-06-14 07:34:07,174 [root] DEBUG: Storing results at: C:\MHrAwAXL
2025-06-14 07:34:07,174 [root] DEBUG: Pipe server name: \\.\PIPE\MpmIoKE
2025-06-14 07:34:07,174 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-14 07:34:07,174 [root] INFO: analysis running as an admin
2025-06-14 07:34:07,174 [root] INFO: analysis package specified: "exe"
2025-06-14 07:34:07,174 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-14 07:34:08,126 [root] DEBUG: imported analysis package "exe"
2025-06-14 07:34:08,126 [root] DEBUG: initializing analysis package "exe"...
2025-06-14 07:34:08,126 [lib.common.common] INFO: wrapping
2025-06-14 07:34:08,126 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-14 07:34:08,126 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\SearchMyFiles.exe
2025-06-14 07:34:08,126 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-14 07:34:08,126 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-14 07:34:08,126 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-14 07:34:08,126 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-14 07:34:08,314 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-14 07:34:08,329 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-14 07:34:08,439 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-14 07:34:08,455 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-14 07:34:08,455 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-14 07:34:08,455 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-14 07:34:08,455 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-14 07:34:08,470 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-14 07:34:08,470 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-14 07:34:08,470 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-14 07:34:08,470 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-14 07:34:08,470 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-14 07:34:08,470 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-14 07:34:08,470 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-14 07:34:08,470 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-14 07:34:08,470 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-14 07:34:08,470 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-14 07:34:08,470 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-14 07:34:29,876 [modules.auxiliary.digisig] DEBUG: File has a valid signature
2025-06-14 07:34:29,876 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-14 07:34:29,876 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-14 07:34:29,876 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-14 07:34:29,876 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-14 07:34:29,892 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-14 07:34:29,892 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-14 07:34:29,892 [modules.auxiliary.disguise] INFO: Disguising GUID to 298c152b-468f-4f9f-8d56-8f8f0435a43c
2025-06-14 07:34:29,892 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-14 07:34:29,892 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-14 07:34:29,892 [root] DEBUG: attempting to configure 'Human' from data
2025-06-14 07:34:29,892 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-14 07:34:29,892 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-14 07:34:29,892 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-14 07:34:29,892 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-14 07:34:29,892 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-14 07:34:29,892 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-14 07:34:29,923 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-14 07:34:29,923 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-14 07:34:29,923 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-14 07:34:29,923 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-14 07:34:29,923 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-14 07:34:29,923 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-14 07:34:29,923 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-14 07:34:29,923 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-14 07:34:29,970 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmpjeo7jmad\dll\696.ini
2025-06-14 07:34:29,970 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-14 07:34:29,970 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-14 07:34:29,970 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-14 07:34:29,970 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-14 07:34:29,970 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-14 07:34:29,970 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-14 07:34:29,970 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpjeo7jmad\dll\sWipaW.dll, loader C:\tmpjeo7jmad\bin\GLBRSGED.exe
2025-06-14 07:34:30,048 [root] DEBUG: Loader: IAT patching disabled.
2025-06-14 07:34:30,048 [root] DEBUG: Loader: Injecting process 696 with C:\tmpjeo7jmad\dll\sWipaW.dll.
2025-06-14 07:34:30,048 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-14 07:34:30,048 [root] INFO: Disabling sleep skipping.
2025-06-14 07:34:30,048 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-14 07:34:30,048 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-14 07:34:30,048 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-14 07:34:30,064 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-14 07:34:30,064 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-14 07:34:30,064 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-14 07:34:30,079 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-14 07:34:30,079 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-14 07:34:30,079 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF822E30000, thread 4916, image base 0x00007FF60D500000, stack from 0x0000008EFABF4000-0x0000008EFAC00000
2025-06-14 07:34:30,079 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-14 07:34:30,095 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-14 07:34:30,095 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-14 07:34:30,095 [root] DEBUG: Successfully injected DLL C:\tmpjeo7jmad\dll\sWipaW.dll.
2025-06-14 07:34:30,095 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-14 07:34:30,0 <truncated>

Machine

Name	Label	Manager	Started On	Shutdown On	Route
win10-2	win10-2	KVM	2025-06-14 07:03:40	2025-06-14 07:34:32	none

File Details

File Name	SearchMyFiles.exe
File Type	PE32+ executable (GUI) x86-64, for MS Windows
File Size	236408 bytes
MD5	24b8d600ecddab04a9280a4baff141de
SHA1	2c39aef4a9e82171765d3fef03e725aeac614829
SHA256	5e814bebf59998e85eb0e5aebca1487acebec63277d1b0a451308b599cd48df9 [VT] [MWDB] [Bazaar]
SHA3-384	f3f19d29ca5fbce3f90815711e27f2c48415ed852a89b0f985f329e8443ebb1f57e9c27690421b49c9dd9089d4f4a50b
CRC32	350A8354
TLSH	T161345B15A3F804A8E4B7DA75CE638627EBB2B8554730C31F536099AA1F23760FD25327
Ssdeep	6144:LPWNfOVuJ2yrSzLyzHAX9moZ2TBztvGGAulyfk:LPWZOV+2yriLyzHacA2TpFpAulyfk
PE	File Strings BinGraph Vba2Graph

VirusTotal (0/76)

Full Results

Engine	Result	Engine	Result	Engine	Result

L$8E+M

@.data

HideEmptySummaryFolders

<$ ug

SelectObject

%USERTrust RSA Certification Authority

SetMenuItemInfoW

L$8t@

GetMenuStringW

K 9s

GetStartupInfoW

&Rename

x ATAUAWH

c:\Projects\VS2005\SearchMyFiles\x64\Release\SearchMyFiles.pdb

WATAUH

A;@(}

,Show all duplicate names (Files and Folders)1Show all duplicate names - only files, no folders0Show only duplicate names with identical content4Show only duplicate names with non-identical content

fD9=6

Time Range (GMT)

Use Windows search handlers to find text inside Microsoft Office documents and other file types

SHGetDesktopFolder

fD9=k

L$2f!\$03

L$xE3

CreateWindowExW

WritePrivateProfileStringW

(%d) %s

Preferred DropEffect

Shlwapi.dll

EndDialog

A]A\^

SetCursor

RegSetValueExW

&Copy Files Information

8"u8fff

SummarySort

MaxMRU

FileTimeCreated2

DuplicateNamesMode

comdlg32.dll

_wcslwr

A8I;@8

040904b0

WATAU

190909000000Z

181102000000Z

|g~}.

LoadLibraryExW

SysDateTimePick32

Auto Size Columns On Search End

memcmp

_XcptFilter

Mark D&uplicate Files

zzzzzz

D9ktt

wwwwwx

D;fh}

STATIC

Recent Config Files

Minimize/Restore Both Windows At Once

A]A\_

D$8Lc

No Action

SysListView32

wwwwww~fww

/deleteregkey

%s %s

D9fh~WL

_initterm

/stabular

#bML"

LoadLibraryW

{098f2470-bae0-11cd-b579-08002b30bfeb}

L9s H

FileSizeAtMost

OpenFileOnDoubleClick

Wasted Space

unknown compression method

SearchMyFiles Config File

.pdata

wcschr

OH;H(s

GetModuleFileNameExW

wwwwww

Sectigo RSA Time Stamping CA0

Error: Cannot load the common control classes.

Directory\Background

Copy Exception

L$ Lc

H9sPuAH

/nosaveload

SetMenu

IncludeOnlyFoldersMRU

A^A\_

DrawTextExW

_ui64tow

&Explorer Copy

DDDGGG

file error

8A_A^A]A\_^][

Process32Next

header crc mismatch

wwwwwwwwwwwp

GetMessageW

+t$TH

<font

sprintf

D9c@A

invalid literal/lengths set

Properties

_exit

RegisterClipboardFormatW

mt^Ju~

tvf9}

SHFileOperationW

fwrite

UVWATAUAVAW

MPR.dll

^.o 3

NJ2"v

Last XX hours

|$@Hc

D$0fA

incompatible version

9\$PA

%s\shell\%s\command

7Be aware that completely empty folders will be deleted.

shell32.dll

H WATAUAVAW

FileContainsText

towupper

Include Subfolders in Summary Totals

Shift+Del

Hc^PH

u#9\$P

_memicmp

Base Folders:

/SingleBaseFolder

GetPrivateProfileIntW

CoCreateInstance

EAX=%16.16I64X EBX=%16.16I64X ECX=%16.16I64X EDX=%16.16I64X

wwwwwwp

301231235959Z0|1

ewh/?y

report.html

GetMenuItemCount

GetLogicalDrives

GetFileAttributesW

t$ WATAU

CompareFileTime

\$(uDM

I0G0E

http://ocsp.usertrust.com0

DispatchMessageW

L9|$Pu

hA_A^A]A\_^][

Created:

EIP=%16.16I64X

201023000000Z

TranslatorURL

Duplicate Group

DestroyIcon

D;G@|

WAVAW

LoadMenuW

L$0A;

CreatePopupMenu

XA_A^A]A\_^][

\$t+\$l3

FileDescription

HTML File - Horizontal

D$(Hc

\$ UVWH

l6qnk

https://sectigo.com/CPS0C

File Contains...

</table>

L$0A+@

H;Aht

BeginPaint

E&xit

FilesWildcard

Non-Duplicates Search

ntdll.dll

At least:

"%s" /SingleBaseFolder "%%1"

Binary

SetWindowLongPtrW

<td bgcolor=#%s nowrap>%s

Last XX days

GetForegroundWindow

ExcludeExtensions

UVWATAWH

SetWindowLongW

/savelangfile

/sort

Search multiple values (comma delimited)

GetFileVersionInfoSizeW

Width of selected column (in pixels):

u-H9p8t

"%s" /SingleBaseFolder "%%V"

EnumChildWindows

Attributes

&Delete Selected Files

Failed to rename this file.

strings

Sort By+Do you want to delete the seleced folders ?

UVWAVAWH

GetSysColor

L$0E3

0A]A\_

&Save Files Information

Compressed Count

Greater Manchester1

Open Properties Window

!\$P9

MainFont

D$@A+

220322142005Z0?

Exception !

D$DfB

wn>Jj

Wshlwapi.dll

StretchBlt

D9G@H

%2.2X

Folder Depth

Ctrl+F11

incorrect length check

1111111

Exclude Extensions List

Modified:

D;r(}

z1111

Extension

T$ E3

_wtoi

</compatibility></assembly>PPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADx!

KillTimer

SetDlgItemTextW

<item>

wcstoul

WATAWH

GetModuleHandleW

GetTimeFormatW

d$HHc

[C]e=P

EnterKeyAction

D;S(}

L$ E3

&Edit

Choose Colum&ns

&Show

%I64d

SystemTimeToFileTime

FileTimeModifiedLastXX

%-18s: %s

D9l$ t

T$`Hc

A^A]A\_^

OriginalFilename

IncludeOnlyFolders

d$0E3

9D$Pt

FileTimeToSystemTime

D$JfD

FileAttrEncrypted

L$0fD

T$@E+

&File

uTf!T$ H

Total Files Size

VWATH

CreateCompatibleBitmap

x ATH

MS Sans Serif

t]f=*

ImageList_Add

wwwwp

EnableWindow

D9!t[A

width="%s"

UVWATAUAVAWH

CloseHandle

#Sectigo RSA Time Stamping Signer #20

L$"t-3

8"u!I

Checking Duplicates... %s

3http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%

CHHcx

LoadResource

_purecall

Hidden Count

GetSystemTimeAsFileTime

fD9(u

invalid code lengths set

&Hide

File Content

tqf9}

LD@fD

DuplicateNamesCompareMode

UseFileSizeAtMost

</application>

{{{{{

Use Default Font

RegisterWindowMessageW

&Run As Administrator

j0h0?

wcscmp

DoubleClickAction

t{f=*

.text

Version

/StartSearch

FAT32

L$2tD

SetWindowPos

+D$|I

invalid distance too far back

Case Sensitive

Short Filename

GetDlgItemTextW

ftell

=0;09

w+OQvr

Time Range (Local Time)

ExecludedFoldersMRU

{Unknown}

Open Selected File

CreateStatusWindowW

%2.2X

GHLch

Open &Folder

A]A\_

Retrieve File Owner

|$pPK

L$DA+

A0I;@0

__dllonexit

fclose

VERSION.dll

FileContains

3http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#

wwwwpw~fhw

SHGetMalloc

COMCTL32.dll

&Properties

A_A\_^]

Files

p WATAUH

D99ti

Bytes

NirSoft

%d Folders@Warning !!! Deleted files cannot be recovered by SearchMyFiles.9Are you sure that you want to delete all selected files ?

__C_specific_handler

AddExportHeaderLine

vQO+t

T$8fD

0A_A^A]A\_^]

GetSysColorBrush

2&-jWp

MoveWindow

LoadAcceleratorsW

f!|$0A

%s\%s

040904E4

Ctrl+R

D9g0~]H

RemoveDirectoryW

DeleteObject

t$ WH

-TLYZ5

EmptyClipboard

The following application error has occurred:

DontSaveSearchOptions

Folders Count

A_A^A]

Full Report+Only folders with zero files and subfolders

%USERTrust RSA Certification Authority0

FileTimeModified1

data error

d$0I;

GetWindowRect

"%s\rundll32.exe" %s\shell32.dll,OpenAs_RunDLL %s

D9)teA

Find Files

<?xml version="1.0" ?>

` AUH

EndPaint

Don't Save Search Options Window

f!D$0H

&Find

Loading... %d7Do you want to move the selected files to Recycle Bin ?

D99t`

9\$HD

fE9.I

D;c@|

*.xml

GetModuleBaseNameW

SetClipboardData

sheet%d.xml

S&earch Options

D9)tZ

incorrect header check

0A_A]A\

SHCreateStreamOnFileW

%2.2X%2.2X%2.2X

AssignProcessToJobObject

L$PI;

GetDateFormatW

SHGetSpecialFolderPathW

IsWindowVisible

*.cfg

DDDDDD

</asmv3:application><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">

stream end

D$5u=A

WATAVH

comctl32.dll

Clear Recent Files List,Do you want to clear the recent files list ?#Cannot find the following folders:

SubFolderDepth

EndDeferWindowPos

E;`H}"D;

fD!l$pH

sysdatetimepick32

@.rsrc

L$0t$

|!A;@(}

GetDiskFreeSpaceExA

</table><p>

Wildcard

Last XX minutes

Folder

Arial

Summary Mode

LegalCopyright

MaxNumOfFiles

CallWindowProcW

@SUVWAU

TFt1b

GetSaveFileNameW

D$rfD

MonitorFromWindow

A3D$$A

Select &All

D9|$du8H

@A]A\_^]

Color Set 1

@A_A^A]A\_^]

SearchMyFiles.exe

PA\_^][

Retrieve Entry Modified Time (NTFS Only)

fread

Columns

fD9=(

LoadStringW

l$XE3

GetDriveTypeW

realloc

/nosort

wcsncpy

RegDeleteKeyW

Add Header Line To CSV/Tab-Delimited File

Gp9G|r

Sectigo RSA Code Signing CA

D$ffD

t$xE3

invalid window size

Include Only Folders:

Delete Selected Empty Folders

&Start Search

Ctrl+X

strlen

"%s",0

D;rH}"L;

ImageList_Create

FileTimeModified2

OriginalFileName

T$ D;

BaseFolder

PE Information

Image Base	Entry Point	Reported Checksum	Actual Checksum	Minimum OS Version	PDB Path	Compile Time	Import Hash	Icon	Icon Exact Hash	Icon Similarity Hash	Icon DHash
0x140000000	0x00026880	0x00041be1	0x00041be1	4.0	c:\Projects\VS2005\SearchMyFiles\x64\Release\SearchMyFiles.pdb	2022-03-22 14:16:11	dc643b919f71d9fa4de72b92cd95e3b8		f6f926abffc697493d8118c9fe0a3750	c40854515b73d91df2ddba62cdc7a677	66bee2c2caeab205

Version Infos

CompanyName	NirSoft
FileDescription	SearchMyFiles
FileVersion	3.17
InternalName	SearchMyFiles
LegalCopyright	Copyright Â© 2009 - 2022 Nir Sofer
OriginalFilename	SearchMyFiles.exe
ProductName	SearchMyFiles
ProductVersion	3.17
Translation	0x0409 0x04b0

Sections

Name	RAW Address	Virtual Address	Virtual Size	Size of Raw Data	Characteristics	Entropy
.text	0x00000400	0x00001000	0x00025dab	0x00025e00	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.31
.rdata	0x00026200	0x00027000	0x00009462	0x00009600	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.77
.data	0x0002f800	0x00031000	0x00001ee8	0x00000800	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	2.33
.pdata	0x00030000	0x00033000	0x000013d4	0x00001400	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.23
.rsrc	0x00031400	0x00035000	0x00006564	0x00006600	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	4.38

Overlay

Offset	0x00037a00
Size	0x00002178

Name	Offset	Size	Language	Sub-language	Entropy	File type
RT_CURSOR	0x00035838	0x00000134	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.78	None
RT_BITMAP	0x0003596c	0x00000468	LANG_HEBREW	SUBLANG_DEFAULT	4.05	None
RT_BITMAP	0x00035dd4	0x000000d8	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.41	None
RT_BITMAP	0x00035eac	0x000000d8	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.45	None
RT_ICON	0x00035f84	0x000008a8	LANG_HEBREW	SUBLANG_DEFAULT	4.38	None
RT_ICON	0x0003682c	0x00000568	LANG_HEBREW	SUBLANG_DEFAULT	3.91	None
RT_MENU	0x00036d94	0x00000ef0	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.48	None
RT_MENU	0x00037c84	0x00000352	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.30	None
RT_MENU	0x00037fd8	0x00000014	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.17	None
RT_DIALOG	0x00037fec	0x000000bc	LANG_HEBREW	SUBLANG_DEFAULT	2.87	None
RT_DIALOG	0x000380a8	0x00000296	LANG_HEBREW	SUBLANG_DEFAULT	3.38	None
RT_DIALOG	0x00038340	0x000010a4	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.54	None
RT_DIALOG	0x000393e4	0x000000fa	LANG_HEBREW	SUBLANG_DEFAULT	3.09	None
RT_DIALOG	0x000394e0	0x00000336	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.55	None
RT_STRING	0x00039818	0x000002fa	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.20	None
RT_STRING	0x00039b14	0x0000053e	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.25	None
RT_STRING	0x0003a054	0x000000c4	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.68	None
RT_STRING	0x0003a118	0x0000003e	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.01	None
RT_STRING	0x0003a158	0x00000056	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.65	None
RT_STRING	0x0003a1b0	0x000001b0	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.33	None
RT_STRING	0x0003a360	0x000000c0	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.66	None
RT_STRING	0x0003a420	0x00000118	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.04	None
RT_STRING	0x0003a538	0x00000052	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.20	None
RT_STRING	0x0003a58c	0x00000084	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.74	None
RT_STRING	0x0003a610	0x000000c4	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.82	None
RT_STRING	0x0003a6d4	0x0000008a	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.68	None
RT_STRING	0x0003a760	0x00000064	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.47	None
RT_STRING	0x0003a7c4	0x00000078	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.51	None
RT_STRING	0x0003a83c	0x000001b0	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.03	None
RT_STRING	0x0003a9ec	0x000000ae	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.98	None
RT_STRING	0x0003aa9c	0x00000110	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.25	None
RT_STRING	0x0003abac	0x0000006e	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.60	None
RT_STRING	0x0003ac1c	0x00000156	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.25	None
RT_ACCELERATOR	0x0003ad74	0x00000098	LANG_HEBREW	SUBLANG_DEFAULT	3.22	None
RT_GROUP_CURSOR	0x0003ae0c	0x00000014	LANG_ENGLISH	SUBLANG_ENGLISH_US	1.84	None
RT_GROUP_ICON	0x0003ae20	0x00000022	LANG_HEBREW	SUBLANG_DEFAULT	2.42	None
RT_VERSION	0x0003ae44	0x000002d8	LANG_HEBREW	SUBLANG_DEFAULT	3.40	None
RT_MANIFEST	0x0003b11c	0x00000447	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.40	None

Imports

Name	Address
__wgetmainargs	0x140027730
_wcmdln	0x140027738
exit	0x140027740
_cexit	0x140027748
_exit	0x140027750
_c_exit	0x140027758
_XcptFilter	0x140027760
__C_specific_handler	0x140027768
_onexit	0x140027770
_initterm	0x140027778
_msize	0x140027780
calloc	0x140027788
realloc	0x140027790
strchr	0x140027798
strrchr	0x1400277a0
sprintf	0x1400277a8
_stricmp	0x1400277b0
qsort	0x1400277b8
_wcslwr	0x1400277c0
strlen	0x1400277c8
wcsrchr	0x1400277d0
wcsncpy	0x1400277d8
towupper	0x1400277e0
__setusermatherr	0x1400277e8
_commode	0x1400277f0
_fmode	0x1400277f8
__set_app_type	0x140027800
__dllonexit	0x140027808
malloc	0x140027810
_memicmp	0x140027818
free	0x140027820
modf	0x140027828
memcmp	0x140027830
wcstoul	0x140027838
_wcsicmp	0x140027840
wcschr	0x140027848
_wcsnicmp	0x140027850
??3@YAXPEAX@Z	0x140027858
??2@YAPEAX_K@Z	0x140027860
wcslen	0x140027868
_itow	0x140027870
_purecall	0x140027878
_wtoi	0x140027880
wcscpy	0x140027888
_ui64tow	0x140027890
_wtoi64	0x140027898
memset	0x1400278a0
wcscmp	0x1400278a8
memcpy	0x1400278b0
wcscat	0x1400278b8
_snwprintf	0x1400278c0
wcsncat	0x1400278c8
fseek	0x1400278d0
ftell	0x1400278d8
fwrite	0x1400278e0
ferror	0x1400278e8
fread	0x1400278f0
_wfopen	0x1400278f8
fclose	0x140027900

Name	Address
CreateToolbarEx	0x140027040
ImageList_Add	0x140027048
CreateStatusWindowW	0x140027050
ImageList_AddMasked	0x140027060
ImageList_Create	0x140027068
ImageList_SetImageCount	0x140027070

Name	Address
GetFileVersionInfoW	0x1400276e8
GetFileVersionInfoSizeW	0x1400276f0
VerQueryValueW	0x1400276f8

Name	Address
WNetGetUniversalNameW	0x140027348

Name	Address
ReadProcessMemory	0x140027110
GetCurrentProcess	0x140027118
GetCurrentProcessId	0x140027120
ExitProcess	0x140027128
RemoveDirectoryW	0x140027130
DeleteFileW	0x140027138
CreateProcessW	0x140027140
OpenProcess	0x140027148
EnumResourceTypesW	0x140027150
GetDiskFreeSpaceW	0x140027158
GetLocalTime	0x140027160
SetFilePointerEx	0x140027168
GetTickCount	0x140027170
GetVolumeInformationW	0x140027178
GetStartupInfoW	0x140027180
MultiByteToWideChar	0x140027188
SetErrorMode	0x140027190
GlobalFree	0x140027198
GetStdHandle	0x1400271a0
GetPrivateProfileStringW	0x1400271a8
EnumResourceNamesW	0x1400271b0
GetPrivateProfileIntW	0x1400271b8
GetModuleHandleW	0x1400271c0
CreateFileW	0x1400271c8
GetProcAddress	0x1400271d0
CloseHandle	0x1400271d8
CompareFileTime	0x1400271e0
GetLastError	0x1400271e8
GetSystemTimeAsFileTime	0x1400271f0
MoveFileW	0x1400271f8
FileTimeToLocalFileTime	0x140027200
LoadLibraryW	0x140027208
FileTimeToSystemTime	0x140027210
FreeLibrary	0x140027218
SystemTimeToFileTime	0x140027220
GetDriveTypeW	0x140027228
GetLogicalDrives	0x140027230
ExpandEnvironmentStringsW	0x140027238
GlobalUnlock	0x140027240
GlobalLock	0x140027248
GlobalAlloc	0x140027250
FindResourceW	0x140027258
LocalFree	0x140027260
LoadResource	0x140027268
GetNumberFormatW	0x140027270
GetSystemDirectoryW	0x140027278
lstrlenW	0x140027280
LockResource	0x140027288
lstrcpyW	0x140027290
LoadLibraryExW	0x140027298
WideCharToMultiByte	0x1400272a0
LocalFileTimeToFileTime	0x1400272a8
GetTempPathW	0x1400272b0
GetLocaleInfoW	0x1400272b8
SizeofResource	0x1400272c0
GetDateFormatW	0x1400272c8
GetTempFileNameW	0x1400272d0
FormatMessageW	0x1400272d8
GetFileSize	0x1400272e0
GetVersionExW	0x1400272e8
FindNextFileW	0x1400272f0
FindFirstFileW	0x1400272f8
FindClose	0x140027300
GetTimeFormatW	0x140027308
GetFileAttributesW	0x140027310
WriteFile	0x140027318
ReadFile	0x140027320
GetModuleFileNameW	0x140027328
GetWindowsDirectoryW	0x140027330
WritePrivateProfileStringW	0x140027338

Name	Address
SetWindowLongPtrW	0x1400273b0
CallWindowProcW	0x1400273b8
MonitorFromWindow	0x1400273c0
GetMonitorInfoW	0x1400273c8
ChildWindowFromPoint	0x1400273d0
ReleaseDC	0x1400273d8
GetDC	0x1400273e0
LoadCursorW	0x1400273e8
SetCursor	0x1400273f0
GetSysColorBrush	0x1400273f8
ShowWindow	0x140027400
UpdateWindow	0x140027408
SetDlgItemInt	0x140027410
SetDlgItemTextW	0x140027418
GetDlgItemTextW	0x140027420
BeginPaint	0x140027428
GetSystemMetrics	0x140027430
GetClientRect	0x140027438
DeferWindowPos	0x140027440
CreateWindowExW	0x140027448
KillTimer	0x140027450
SendDlgItemMessageW	0x140027458
EndDialog	0x140027460
GetDlgItem	0x140027468
GetWindowRect	0x140027470
GetDlgItemInt	0x140027478
InvalidateRect	0x140027480
GetWindow	0x140027488
DrawFrameControl	0x140027490
EndPaint	0x140027498
SetWindowTextW	0x1400274a0
GetWindowPlacement	0x1400274a8
MessageBoxW	0x1400274b0
PostMessageW	0x1400274b8
SetMenu	0x1400274c0
TranslateAcceleratorW	0x1400274c8
LoadAcceleratorsW	0x1400274d0
DefWindowProcW	0x1400274d8
SendMessageW	0x1400274e0
RegisterClassW	0x1400274e8
IsDialogMessageW	0x1400274f0
GetForegroundWindow	0x1400274f8
TranslateMessage	0x140027500
PeekMessageW	0x140027508
DispatchMessageW	0x140027510
LoadImageW	0x140027518
SetWindowLongW	0x140027520
GetWindowLongW	0x140027528
GetSysColor	0x140027530
SetFocus	0x140027538
EndDeferWindowPos	0x140027540
BeginDeferWindowPos	0x140027548
GetMenu	0x140027550
EmptyClipboard	0x140027558
EnableMenuItem	0x140027560
GetSubMenu	0x140027568
GetClassNameW	0x140027570
InsertMenuItemW	0x140027578
OpenClipboard	0x140027580
MoveWindow	0x140027588
GetMenuItemCount	0x140027590
CheckMenuItem	0x140027598
GetMenuStringW	0x1400275a0
CheckMenuRadioItem	0x1400275a8
GetCursorPos	0x1400275b0
SetClipboardData	0x1400275b8
EnableWindow	0x1400275c0
CloseClipboard	0x1400275c8
MapWindowPoints	0x1400275d0
GetParent	0x1400275d8
GetWindowTextW	0x1400275e0
LoadMenuW	0x1400275e8
ModifyMenuW	0x1400275f0
GetMenuItemInfoW	0x1400275f8
GetDlgCtrlID	0x140027600
DestroyMenu	0x140027608
DialogBoxParamW	0x140027610
CreateDialogParamW	0x140027618
EnumChildWindows	0x140027620
LoadStringW	0x140027628
DestroyWindow	0x140027630
CreatePopupMenu	0x140027638
GetKeyState	0x140027640
LoadIconW	0x140027648
SetMenuItemInfoW	0x140027650
DestroyIcon	0x140027658
RegisterWindowMessageW	0x140027660
DrawTextExW	0x140027668
TrackPopupMenu	0x140027670
PostQuitMessage	0x140027678
GetMessageW	0x140027680
SetClipboardViewer	0x140027688
SetTimer	0x140027690
ChangeClipboardChain	0x140027698
RegisterClipboardFormatW	0x1400276a0
IsWindowVisible	0x1400276a8
GetFocus	0x1400276b0
DeleteMenu	0x1400276b8
SetForegroundWindow	0x1400276c0
InsertMenuW	0x1400276c8
RemoveMenu	0x1400276d0
SetWindowPos	0x1400276d8

Name	Address
DeleteObject	0x140027080
SetBkMode	0x140027088
GetDeviceCaps	0x140027090
SetTextColor	0x140027098
SetBkColor	0x1400270a0
GetTextExtentPoint32W	0x1400270a8
GetStockObject	0x1400270b0
SetStretchBltMode	0x1400270b8
CreateCompatibleBitmap	0x1400270c0
StretchBlt	0x1400270c8
GetObjectW	0x1400270d0
DeleteDC	0x1400270d8
GetPixel	0x1400270e0
SetPixel	0x1400270e8
SelectObject	0x1400270f0
CreateCompatibleDC	0x1400270f8
CreateFontIndirectW	0x140027100

Name	Address
ChooseFontW	0x140027708
FindTextW	0x140027710
GetOpenFileNameW	0x140027718
GetSaveFileNameW	0x140027720

Name	Address
RegCloseKey	0x140027000
GetFileSecurityW	0x140027008
RegSetValueExW	0x140027010
RegCreateKeyExW	0x140027018
RegQueryValueExW	0x140027020
RegOpenKeyExW	0x140027028
RegDeleteKeyW	0x140027030

Name	Address
SHBindToParent	0x140027358
SHGetDesktopFolder	0x140027360
SHBrowseForFolderW	0x140027368
SHGetPathFromIDListW	0x140027370
SHGetMalloc	0x140027378
SHFileOperationW	0x140027388
SHGetFileInfoW	0x140027390
ShellExecuteW	0x140027398
ShellExecuteExW	0x1400273a0

Name	Address
OleInitialize	0x140027910
CoCreateInstance	0x140027918
OleUninitialize	0x140027920

Reports: JSON

Statistics (32.78)

Usage

Processing ( 32.58 seconds )

31.849 ProcessMemory
0.539 CAPE
0.185 BehaviorAnalysis
0.007 AnalysisInfo
0.001 Debug

Signatures ( 0.06 seconds )

0.008 antiav_detectreg
0.008 ransomware_files
0.005 antianalysis_detectfile
0.005 ransomware_extensions
0.003 antiav_detectfile
0.003 infostealer_ftp
0.003 territorial_disputes_sigs
0.003 ursnif_behavior
0.002 antianalysis_detectreg
0.002 infostealer_bitcoin
0.002 infostealer_im
0.002 infostealer_mail
0.002 poullight_files
0.001 bot_drive
0.001 antivm_parallels_keys
0.001 antivm_vbox_files
0.001 antivm_vbox_keys
0.001 antivm_vmware_keys
0.001 geodo_banking_trojan
0.001 browser_security
0.001 disables_backups
0.001 disables_browser_warn
0.001 disables_power_options
0.001 azorult_mutexes
0.001 cryptbot_files
0.001 echelon_files
0.001 masquerade_process_name
0.001 revil_mutexes
0.001 modirat_behavior

Reporting ( 0.13 seconds )

0.123 CAPASummary
0.009 JsonDump

Signatures

Queries the keyboard layout

The PE file contains a PDB path

pdbpath: c:\Projects\VS2005\SearchMyFiles\x64\Release\SearchMyFiles.pdb

Yara detections observed in process dumps, payloads or dropped files

Hit: PID 7108 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 59 }']'

Anomalous binary characteristics

anomaly: Entrypoint of binary is located outside of any mapped sections

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Windows\System32\kernel.appcore.dll
\Device\CNG
C:\Users\Packager\AppData\Local\SystemResources\SearchMyFiles.exe.mun
C:\Users\Packager\AppData\Local\Temp\SearchMyFiles_lng.ini
C:\Windows\Fonts\staticcache.dat
C:\Users\Packager\AppData\Local\Temp\TextShaping.dll
C:\Windows\System32\TextShaping.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\System32\uxtheme.dll.Config
C:\Windows\System32\uxtheme.dll
\Device\DeviceApi\CMApi
\??\MountPointManager
C:\Windows
C:\Users\Packager\AppData\Local\Temp\SearchMyFiles.cfg
C:\Windows\System32\textinputframework.dll
C:\Windows\System32\CoreUIComponents.dll
C:\Windows\System32\CoreMessaging.dll
C:\Windows\System32\ntmarta.dll
C:\Windows\System32\WinTypes.dll
C:\Users\Packager\AppData\Local\Temp
C:\Users\Packager\AppData\Local\Temp\SearchMyFiles.exe.Local\
C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-us_cb612d02732b0fd9
C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-us_cb612d02732b0fd9\COMCTL32.dll.mui

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_CURRENT_USER
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\000603xx
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Sorting\Ids
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids\en
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\SearchMyFiles.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\EnableAnchorContext
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\Directory\shell\SearchMyFiles
HKEY_CURRENT_USER\Software\Classes\Directory\Background\shell\SearchMyFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Arial
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\System
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Shell Dlg 2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software
HKEY_LOCAL_MACHINE\Software
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\AutoSuggest
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Always Use Tab
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Client\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Client\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03b5835f-f03c-411b-9ce2-aa23e1171e36}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531fdebf-9b4c-4a43-a2aa-960e8fcdc732}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{6a498709-e00b-4c45-a018-8f9e4081ae40}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{7C472071-36A7-4709-88CC-859513E583A9}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81d4e9c9-1d3b-41bc-9e6c-4b40bf79e35e}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81EA0A17-AA39-455B-BA20-EA79A8F98966}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{a028ae76-01b1-46c2-99c4-acd9858ae02f}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{a1e2b86b-924a-4d43-80f6-8a820df7190f}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{B115690A-EA02-48D5-A231-E3578D2FDF80}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C2CB2CF0-AF47-413E-9780-8BC3A3C16068}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\AppCompatClassName
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\IsVailContainer
HKEY_LOCAL_MACHINE\Software\Microsoft\Input
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\ResyncResetTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\MaxResyncAttempts

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\000603xx
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids\en
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-10e03f000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-100000000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{01989354-0000-0000-0000-300300000000}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\AutoSuggest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Always Use Tab
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Client\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\IsVailContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\ResyncResetTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\MaxResyncAttempts

Local\SM0:7108:304:WilStaging_02
Local\SM0:7108:120:WilError_03
Local\MSCTF.Asm.MutexDefault3
CicLoadWinStaWinSta0
Local\MSCTF.CtfMonitorInstMutexDefault3
DefaultTabtip-MainUI

No results

Sorry! No behavior.

Sorry! No strace.

Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.

Sorry! No dropped files.

Sorry! No process dumps.

Analysis

Machine

File Details

Full Results

PE Information

Version Infos

Sections

Overlay

Resources

Imports

msvcrt

COMCTL32

VERSION

MPR

KERNEL32

USER32

GDI32

comdlg32

ADVAPI32

SHELL32

ole32