Analysis

Category Package Started Completed Duration
FILE exe 2025-06-13 22:10:20 2025-06-13 22:41:03 1843 seconds
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1
2024-11-25 13:37:15,084 [root] INFO: Date set to: 20250613T10:48:10, timeout set to: 1800
2025-06-13 11:48:10,805 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8
2025-06-13 11:48:10,805 [root] DEBUG: Storing results at: C:\aHAFZHloeD
2025-06-13 11:48:10,821 [root] DEBUG: Pipe server name: \\.\PIPE\oRAVqRH
2025-06-13 11:48:10,821 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-13 11:48:10,821 [root] INFO: analysis running as an admin
2025-06-13 11:48:10,821 [root] INFO: analysis package specified: "exe"
2025-06-13 11:48:10,821 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-13 11:48:11,259 [root] DEBUG: imported analysis package "exe"
2025-06-13 11:48:11,259 [root] DEBUG: initializing analysis package "exe"...
2025-06-13 11:48:11,259 [lib.common.common] INFO: wrapping
2025-06-13 11:48:11,259 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-13 11:48:11,259 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\regedit.exe
2025-06-13 11:48:11,259 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-13 11:48:11,259 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-13 11:48:11,259 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-13 11:48:11,259 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-13 11:48:11,430 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-13 11:48:11,446 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-13 11:48:11,477 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-13 11:48:11,493 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-13 11:48:11,509 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-13 11:48:11,509 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-13 11:48:11,509 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-13 11:48:11,509 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-13 11:48:11,509 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-13 11:48:11,509 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-13 11:48:11,509 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-13 11:48:11,509 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-13 11:48:11,509 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-13 11:48:11,509 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-13 11:48:11,509 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-13 11:48:11,509 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-13 11:48:11,509 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-13 11:48:11,509 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-13 11:48:11,790 [modules.auxiliary.digisig] DEBUG: File is not signed
2025-06-13 11:48:11,790 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-13 11:48:11,790 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-13 11:48:11,790 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-13 11:48:11,790 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-13 11:48:11,790 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-13 11:48:11,790 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-13 11:48:11,790 [modules.auxiliary.disguise] INFO: Disguising GUID to 37278e2c-fe95-4e0c-8251-55b5a7563e38
2025-06-13 11:48:11,790 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-13 11:48:11,790 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-13 11:48:11,790 [root] DEBUG: attempting to configure 'Human' from data
2025-06-13 11:48:11,790 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-13 11:48:11,790 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-13 11:48:11,790 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-13 11:48:11,790 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-13 11:48:11,790 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-13 11:48:11,790 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-13 11:48:11,790 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-13 11:48:11,790 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-13 11:48:11,790 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-13 11:48:11,790 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-13 11:48:11,790 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-13 11:48:11,790 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-13 11:48:11,790 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-13 11:48:11,806 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-13 11:48:11,821 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini
2025-06-13 11:48:11,837 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-13 11:48:11,837 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-13 11:48:11,837 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-13 11:48:11,837 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-13 11:48:11,837 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-13 11:48:11,837 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-13 11:48:11,837 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\HlDAOuyZ.dll, loader C:\tmp_gell1p8\bin\FUhIHDOo.exe
2025-06-13 11:48:11,883 [root] DEBUG: Loader: IAT patching disabled.
2025-06-13 11:48:11,883 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\HlDAOuyZ.dll.
2025-06-13 11:48:11,915 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-13 11:48:11,915 [root] INFO: Disabling sleep skipping.
2025-06-13 11:48:11,915 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-13 11:48:11,915 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-13 11:48:11,915 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-13 11:48:11,915 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-13 11:48:11,915 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-13 11:48:11,930 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-13 11:48:11,930 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-13 11:48:11,930 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-13 11:48:11,930 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 1568, image base 0x00007FF60D500000, stack from 0x0000008EFACF4000-0x0000008EFAD00000
2025-06-13 11:48:11,930 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-13 11:48:11,946 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-13 11:48:11,946 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-13 11:48:11,946 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\HlDAOuyZ.dll.
2025-06-13 11:48:11,962 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-13 11:48:11,962 [ro <truncated>

Machine

Name Label Manager Started On Shutdown On Route
win10-2 win10-2 KVM 2025-06-13 22:10:20 2025-06-13 22:40:43 none

File Details

File Name
regedit.exe
File Type PE32 executable (GUI) Intel 80386, for MS Windows
File Size 329216 bytes
MD5 092d4e7fa32499f18b879080aa994c46
SHA1 4375b47a094f329d75d36233098ce20f9883dde0
SHA256 a9bfe5633ced879d8a94b66a06a294bc6d6ef466eaee46ae4d25cb0e3a1d79a5
SHA3-384 30d4c849c18250a58b93f933d35c3b09965e3bd912672bbd6c4019d5521d86fae060f9598886dbd0c2854a32fb5333f5
CRC32 3334A9DC
TLSH T1E664B487E90874F8F451B2FE9BABD57D0EE66C2015F40C9F27C8F21F6430D82652A666
Ssdeep 6144:6qoAOc6qKhTsywE2KBiBQRZ66z+n4VZbd8g79pgrXNgRnVLjyzhbkidNN2:6qvOFhg5KIQRZ66z24VZbdrpgrXN2LWr

Full Results

Engine Result
Cynet Malicious (score: 100)

PE Information

Image Base 0x00400000
Entry Point 0x0001c810
Reported Checksum 0x000558d6
Actual Checksum 0x000558d6
Minimum OS Version 10.0
PDB Path regedit.pdb
Compile Time 2066-02-17 13:41:57
Import Hash c6e1b8202aded47b7c2380a87886d20c
Icon Exact Hash f901816b70161996bd4fe110b651f900
Icon Similarity Hash a5a4cab5c571a1536dfbd294a85cd033
Icon DHash 64e0b4a4dadcf810

Version Infos

CompanyName Microsoft Corporation
FileDescription Registry Editor
FileVersion 10.0.17763.168 (WinBuild.160101.0800)
InternalName REGEDIT
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename REGEDIT.EXE
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.17763.168
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x0001c534 0x0001c600 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.37
.data 0x0001ca00 0x0001e000 0x00042288 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 1.73
.idata 0x0001cc00 0x00061000 0x000026a8 0x00002800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.64
.didat 0x0001f400 0x00064000 0x00000008 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.06
.rsrc 0x0001f600 0x00065000 0x0002ea88 0x0002ec00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.94
.reloc 0x0004e200 0x00094000 0x00002298 0x00002400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 6.73

Resources

Name Offset Size Language Sub-language Entropy File type
MUI 0x00093988 0x00000100 LANG_ENGLISH SUBLANG_ENGLISH_US 2.73 None
REGINST 0x00066200 0x0000033d LANG_ENGLISH SUBLANG_ENGLISH_US 5.21 None
RT_CURSOR 0x00091720 0x00000134 LANG_ENGLISH SUBLANG_ENGLISH_US 2.74 None
RT_CURSOR 0x00091858 0x00000334 LANG_ENGLISH SUBLANG_ENGLISH_US 1.90 None
RT_CURSOR 0x00091b90 0x00000434 LANG_ENGLISH SUBLANG_ENGLISH_US 2.23 None
RT_CURSOR 0x00091fc8 0x00000934 LANG_ENGLISH SUBLANG_ENGLISH_US 1.98 None
RT_CURSOR 0x00092900 0x00001034 LANG_ENGLISH SUBLANG_ENGLISH_US 1.67 None
RT_ICON 0x00066540 0x00001c9c LANG_ENGLISH SUBLANG_ENGLISH_US 7.84 None
RT_ICON 0x000681e0 0x00004228 LANG_ENGLISH SUBLANG_ENGLISH_US 2.69 None
RT_ICON 0x0006c408 0x000025a8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.76 None
RT_ICON 0x0006e9b0 0x00001a68 LANG_ENGLISH SUBLANG_ENGLISH_US 2.97 None
RT_ICON 0x00070418 0x000010a8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.99 None
RT_ICON 0x000714c0 0x00000988 LANG_ENGLISH SUBLANG_ENGLISH_US 3.25 None
RT_ICON 0x00071e48 0x000006b8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.45 None
RT_ICON 0x00072500 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 2.96 None
RT_ICON 0x000729e0 0x00002661 LANG_ENGLISH SUBLANG_ENGLISH_US 7.92 None
RT_ICON 0x00075048 0x00004228 LANG_ENGLISH SUBLANG_ENGLISH_US 3.79 None
RT_ICON 0x00079270 0x000025a8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.98 None
RT_ICON 0x0007b818 0x00001a68 LANG_ENGLISH SUBLANG_ENGLISH_US 4.18 None
RT_ICON 0x0007d280 0x000010a8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.13 None
RT_ICON 0x0007e328 0x00000988 LANG_ENGLISH SUBLANG_ENGLISH_US 4.53 None
RT_ICON 0x0007ecb0 0x000006b8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.86 None
RT_ICON 0x0007f368 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 4.42 None
RT_ICON 0x0007f848 0x00004f15 LANG_ENGLISH SUBLANG_ENGLISH_US 7.96 None
RT_ICON 0x00084760 0x00004228 LANG_ENGLISH SUBLANG_ENGLISH_US 3.39 None
RT_ICON 0x00088988 0x000025a8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.54 None
RT_ICON 0x0008af30 0x00001a68 LANG_ENGLISH SUBLANG_ENGLISH_US 3.67 None
RT_ICON 0x0008c998 0x000010a8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.74 None
RT_ICON 0x0008da40 0x00000988 LANG_ENGLISH SUBLANG_ENGLISH_US 4.05 None
RT_ICON 0x0008e3c8 0x000006b8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.09 None
RT_ICON 0x0008ea80 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 3.08 None
RT_ICON 0x0008ef60 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US 3.01 None
RT_ICON 0x0008f088 0x00000568 LANG_ENGLISH SUBLANG_ENGLISH_US 1.44 None
RT_ICON 0x0008f5f0 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 3.62 None
RT_ICON 0x0008fa58 0x000008a8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.59 None
RT_ICON 0x00090340 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US 2.98 None
RT_ICON 0x00090468 0x00000568 LANG_ENGLISH SUBLANG_ENGLISH_US 1.45 None
RT_ICON 0x000909d0 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 3.74 None
RT_ICON 0x00090e38 0x000008a8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.34 None
RT_GROUP_CURSOR 0x00093938 0x0000004c LANG_ENGLISH SUBLANG_ENGLISH_US 2.74 None
RT_GROUP_ICON 0x00072968 0x00000076 LANG_ENGLISH SUBLANG_ENGLISH_US 2.96 None
RT_GROUP_ICON 0x0007f7d0 0x00000076 LANG_ENGLISH SUBLANG_ENGLISH_US 3.00 None
RT_GROUP_ICON 0x0008eee8 0x00000076 LANG_ENGLISH SUBLANG_ENGLISH_US 2.98 None
RT_GROUP_ICON 0x00090300 0x0000003e LANG_ENGLISH SUBLANG_ENGLISH_US 2.65 None
RT_GROUP_ICON 0x000916e0 0x0000003e LANG_ENGLISH SUBLANG_ENGLISH_US 2.60 None
RT_VERSION 0x00065e78 0x00000384 LANG_ENGLISH SUBLANG_ENGLISH_US 3.52 None
RT_MANIFEST 0x000659c0 0x000004b2 LANG_ENGLISH SUBLANG_ENGLISH_US 4.95 None

Imports

Name Address
GetModuleHandleExW 0x4611a0
FreeLibrary 0x4611a4
GetTimeFormatW 0x4611a8
FileTimeToLocalFileTime 0x4611ac
LoadLibraryW 0x4611b0
FileTimeToSystemTime 0x4611b4
lstrcmpW 0x4611b8
WideCharToMultiByte 0x4611bc
GetFileSize 0x4611c0
DeleteFileW 0x4611c4
MultiByteToWideChar 0x4611c8
CreateFileW 0x4611cc
SetFilePointer 0x4611d0
WriteFile 0x4611d4
SearchPathW 0x4611d8
ReadFile 0x4611dc
GetCurrentProcess 0x4611e0
ExitProcess 0x4611e4
HeapSetInformation 0x4611e8
GetLongPathNameW 0x4611ec
GetCommandLineW 0x4611f0
lstrcmpiW 0x4611f4
LocalAlloc 0x4611f8
IsDebuggerPresent 0x4611fc
RegisterApplicationRestart 0x461200
GetDateFormatW 0x461204
GlobalAlloc 0x461208
GetProcAddress 0x46120c
GlobalLock 0x461210
GetModuleHandleW 0x461214
LocalReAlloc 0x461218
DebugBreak 0x46121c
GlobalUnlock 0x461220
CreateSemaphoreExW 0x461224
HeapFree 0x461228
SetLastError 0x46122c
ReleaseSemaphore 0x461230
CompareStringOrdinal 0x461234
WaitForSingleObject 0x461238
MulDiv 0x46123c
GetProcessHeap 0x461240
GetCurrentProcessId 0x461244
GetComputerNameW 0x461248
LocalFree 0x46124c
CreateMutexExW 0x461250
GetCurrentThreadId 0x461254
ReleaseMutex 0x461258
FormatMessageW 0x46125c
GetLastError 0x461260
HeapAlloc 0x461264
OutputDebugStringW 0x461268
WaitForSingleObjectEx 0x46126c
OpenSemaphoreW 0x461270
CloseHandle 0x461274
Sleep 0x461278
GetStartupInfoW 0x46127c
UnhandledExceptionFilter 0x461280
SetUnhandledExceptionFilter 0x461284
TerminateProcess 0x461288
QueryPerformanceCounter 0x46128c
GetSystemTimeAsFileTime 0x461290
GetTickCount 0x461294
ResolveDelayLoadedAPI 0x461298
DelayLoadFailureHook 0x46129c
GetModuleFileNameA 0x4612a0
Name Address
GetStockObject 0x46113c
GetTextExtentPoint32W 0x461140
StartPage 0x461144
AbortDoc 0x461148
EndDoc 0x46114c
DeleteDC 0x461150
SetViewportOrgEx 0x461154
SetAbortProc 0x461158
StartDocW 0x46115c
EndPage 0x461160
CreatePatternBrush 0x461164
CreateBitmap 0x461168
PatBlt 0x46116c
SelectClipRgn 0x461170
GetObjectW 0x461174
ExcludeClipRect 0x461178
SelectObject 0x46117c
GetDeviceCaps 0x461180
GetTextMetricsW 0x461184
SetTextColor 0x461188
SetBkColor 0x46118c
DeleteObject 0x461190
CreateFontIndirectW 0x461194
ExtTextOutW 0x461198
Name Address
IsIconic 0x4612e0
GetDpiForSystem 0x4612e4
LoadMenuW 0x4612e8
LoadImageW 0x4612ec
UpdateWindow 0x4612f0
DialogBoxParamW 0x4612f4
PostQuitMessage 0x4612f8
CheckMenuItem 0x4612fc
GetSystemMetricsForDpi 0x461300
SetCursor 0x461304
InsertMenuW 0x461308
EndDeferWindowPos 0x46130c
DrawMenuBar 0x461310
GetProcessDefaultLayout 0x461314
LoadIconW 0x461318
TranslateMessage 0x46131c
TranslateAcceleratorW 0x461320
GetSysColor 0x461324
SetThreadDpiAwarenessContext 0x461328
SetMenuDefaultItem 0x46132c
SetWindowPlacement 0x461330
SetMenuItemInfoW 0x461334
ClientToScreen 0x461338
DestroyIcon 0x46133c
DispatchMessageW 0x461340
BeginDeferWindowPos 0x461344
ShowWindow 0x461348
LoadStringW 0x46134c
LoadAcceleratorsW 0x461350
GetWindowPlacement 0x461354
RegisterClassExW 0x461358
SetWindowTextW 0x46135c
ScreenToClient 0x461360
DeleteMenu 0x461364
CreateWindowExW 0x461368
GetDpiForWindow 0x46136c
InsertMenuItemW 0x461370
GetMenu 0x461374
GetMenuItemID 0x461378
PostMessageW 0x46137c
GetMenuItemInfoW 0x461380
DeferWindowPos 0x461384
GetMessageW 0x461388
GetClientRect 0x46138c
CharNextW 0x461390
SetCursorPos 0x461394
CreateDialogParamW 0x461398
CheckDlgButton 0x46139c
IntersectRect 0x4613a0
GetMessagePos 0x4613a4
ModifyMenuW 0x4613a8
DrawAnimatedRects 0x4613ac
SetForegroundWindow 0x4613b0
FindWindowW 0x4613b4
BringWindowToTop 0x4613b8
GetLastActivePopup 0x4613bc
PeekMessageW 0x4613c0
IsDialogMessageW 0x4613c4
GetWindow 0x4613c8
CharUpperBuffW 0x4613cc
IsCharAlphaNumericW 0x4613d0
CharUpperW 0x4613d4
GetWindowRect 0x4613d8
GetDC 0x4613dc
SetWindowPos 0x4613e0
HideCaret 0x4613e4
EndDialog 0x4613e8
GetSystemMetrics 0x4613ec
MessageBeep 0x4613f0
SetCaretPos 0x4613f4
GetSubMenu 0x4613f8
OpenClipboard 0x4613fc
SetTimer 0x461400
CloseClipboard 0x461404
EmptyClipboard 0x461408
CreateCaret 0x46140c
SetDlgItemTextW 0x461410
MapWindowPoints 0x461414
SendDlgItemMessageW 0x461418
MoveWindow 0x46141c
DestroyMenu 0x461420
EnableWindow 0x461424
GetWindowTextLengthW 0x461428
CallWindowProcW 0x46142c
GetDlgItemInt 0x461430
CheckRadioButton 0x461434
SendMessageW 0x461438
GetDlgItemTextW 0x46143c
IsDlgButtonChecked 0x461440
SetFocus 0x461444
GetClipboardData 0x461448
ScrollWindowEx 0x46144c
LoadCursorW 0x461450
DestroyCaret 0x461454
SetCapture 0x461458
SetClipboardData 0x46145c
SetWindowLongW 0x461460
TrackPopupMenuEx 0x461464
GetDlgItem 0x461468
GetParent 0x46146c
GetWindowTextW 0x461470
GetWindowLongW 0x461474
SetScrollInfo 0x461478
RegisterClipboardFormatW 0x46147c
DefWindowProcW 0x461480
GetKeyState 0x461484
DestroyWindow 0x461488
IsClipboardFormatAvailable 0x46148c
ShowCaret 0x461490
KillTimer 0x461494
EnableMenuItem 0x461498
ReleaseCapture 0x46149c
InvalidateRect 0x4614a0
ReleaseDC 0x4614a4
BeginPaint 0x4614a8
EndPaint 0x4614ac
CharLowerW 0x4614b0
ShowCursor 0x4614b4
RegisterClassW 0x4614b8
Name Address
_unlock 0x4614e0
_lock 0x4614e4
__CxxFrameHandler3 0x4614e8
_acmdln 0x4614ec
_initterm 0x4614f0
__setusermatherr 0x4614f4
_ismbblead 0x4614f8
__p__fmode 0x4614fc
_cexit 0x461500
_exit 0x461504
exit 0x461508
__set_app_type 0x46150c
__getmainargs 0x461510
_onexit 0x461514
__p__commode 0x461518
_XcptFilter 0x46151c
iswprint 0x461520
memcpy 0x461524
_except_handler4_common 0x461528
_vsnwprintf 0x46152c
atoi 0x461530
memcpy_s 0x461534
_purecall 0x461538
wcschr 0x46153c
isspace 0x461540
_wcsnicmp 0x461544
wcsrchr 0x461548
wcsncmp 0x46154c
_resetstkoflw 0x461550
?terminate@@YAXXZ 0x461554
_controlfp 0x461558
memset 0x46155c
__dllonexit 0x461560
memmove 0x461564
_amsg_exit 0x461568
Name Address
PathCchAddBackslash 0x4614c8
PathCchCombine 0x4614cc
Name Address
StrChrW 0x4612c0
StrRChrW 0x4612c4
StrToIntW 0x4612d0
StrChrIW 0x4612d4
StrStrIW 0x4612d8
Name Address
ImageList_ReplaceIcon 0x4610e4
ImageList_SetBkColor 0x4610f0
InitCommonControlsEx 0x4610fc
ImageList_Create 0x461104
ImageList_Destroy 0x46110c
Name Address
GetOpenFileNameW 0x461128
GetSaveFileNameW 0x46112c
ChooseFontW 0x461130
PrintDlgExW 0x461134
Name Address
DragFinish 0x4612a8
DragQueryFileW 0x4612ac
SHGetStockIconInfo 0x4612b0
ShellAboutW 0x4612b8
Name Address
CoTaskMemFree 0x461590
CoInitializeEx 0x461594
ReleaseStgMedium 0x461598
CoUninitialize 0x46159c
CoCreateInstance 0x4615a0
CoTaskMemAlloc 0x4615a4
Name Address
ClbSetColumnWidths 0x4614d4
ClbAddData 0x4614d8
Name Address
SetWindowTheme 0x4614c0

Usage

Processing ( 10.06 seconds )

  • 9.485 ProcessMemory
  • 0.555 CAPE
  • 0.009 BehaviorAnalysis
  • 0.007 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.05 seconds )

  • 0.008 ransomware_files
  • 0.005 antianalysis_detectfile
  • 0.005 antiav_detectreg
  • 0.005 ransomware_extensions
  • 0.003 ursnif_behavior
  • 0.002 antiav_detectfile
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_ftp
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.002 territorial_disputes_sigs
  • 0.001 bot_drive
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior

Reporting ( 0.00 seconds )

  • 0.003 CAPASummary
  • 0.001 JsonDump

Signatures

The PE file contains a PDB path
pdbpath: regedit.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
The binary contains an unknown PE section name indicative of packing
unknown section: {'name': '.didat', 'raw_address': '0x0001f400', 'virtual_address': '0x00064000', 'virtual_size': '0x00000008', 'size_of_data': '0x00000200', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000040', 'entropy': '0.06'}
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 1896 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections
Binary compilation timestomping detected
anomaly: Compilation timestamp is in the future

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Users\Packager\AppData\Local\Temp\regedit.exe
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
Local\SM0:1896:64:WilError_02
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No TCP connections recorded.

No UDP connections recorded.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.