Author Name
Matt Nelson
Artifact or Program Version
AxCrypt 1.7.2976.0
Artifact Description
From the AxCrypt website: (http://www.axantum.com/axcrypt/)
AxCrypt is the leading open source file encryption software for Windows. It integrates seamlessly with Windows to compress, encrypt, decrypt, store, send and work with individual files.
Features:
Password Protect any number of files using strong encryption.
Right-click integration with Windows Explorer makes AxCrypt the easiest way to encrypt individual files in Windows.
Double-click integration makes it as easy to open, edit and save protected files as it is to work with unprotected files.
Many additional features, but no configuration required. Just install it and use it.
AxCrypt encrypts files that are safely and easily sent to other users via e-mail or any other means. Self-decrypting files are also supported, removing the need to install AxCrypt to decrypt.
Registry Keys
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\axcrypt.File
HKLM\SOFTWARE\Classes\CLSID\{C3DFC144-30F8-4138-81F9-578DBEB9324A}
HKLM\SOFTWARE\Classes\CLSID\{C3DFC144-30F8-4138-81F9-578DBEB9324A}\InprocServer32
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\axcrypt.File
HKLM\SOFTWARE\Classes\Installer\UpgradeCodes\87A9C44140AFC0B46B4FF660E3C886D5
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\87A9C44140AFC0B46B4FF660E3C886D5
HKLM\SOFTWARE\Classes\.axx
HKLM\SOFTWARE\Classes\axcrypt.File
HKLM\SOFTWARE\Classes\axcrypt.File\CLSID
HKLM\SOFTWARE\Classes\axcrypt.File\DefaultIcon
HKLM\SOFTWARE\Classes\axcrypt.File\shell
HKLM\SOFTWARE\Classes\axcrypt.File\shell\open
HKLM\SOFTWARE\Classes\axcrypt.File\shell\open\command
HKLM\SOFTWARE\Classes\axcrypt.File\shellex
HKLM\SOFTWARE\Classes\axcrypt.File\shellex\PropertySheetHandlers
HKLM\SOFTWARE\Classes\axcrypt.File\shellex\PropertySheetHandlers\{C3DFC144-30F8-4138-81F9-578DBEB9324A}
HKLM\SOFTWARE\Axantum
HKLM\SOFTWARE\Axantum\AxCrypt
HKU\[USERSID]\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Axantum AxCrypt
HKU\[USERSID]\Software\Axantum
HKU\[USERSID]\Software\Axantum\AxCrypt
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{38350E9E-D50E-454A-BAFC-58BBDDBE08C4}\DisplayName: "AxCrypt 1.7.2976.0"
HKLM\SOFTWARE\Axantum\AxCrypt\FileExtension: ".axx"
HKLM\SOFTWARE\Axantum\AxCrypt\ProductName: "AxCrypt"
HKLM\SOFTWARE\Axantum\AxCrypt\CLSID: "{C3DFC144-30F8-4138-81F9-578DBEB9324A}"
HKLM\SOFTWARE\Axantum\AxCrypt\ShowActivationMenu: 0x00000000
HKLM\SOFTWARE\Axantum\AxCrypt\KeyWrapIterations: 0x00003A98
HKLM\SOFTWARE\Axantum\AxCrypt\AllowPrograms: 0x00000000
HKLM\SOFTWARE\Axantum\AxCrypt\DisableSaveEncryptionKey: 0x00000000
HKLM\SOFTWARE\Axantum\AxCrypt\DisableSaveDecryptionKey: 0x00000000
HKU\[USERSID]\Software\Axantum\AxCrypt\installed: 0x00000001
HKU\[USERSID]\Software\Axantum\AxCrypt\CompressThreshold: 0x00000014
HKU\[USERSID]\Software\Axantum\AxCrypt\ServerMode: 0x00000000
HKU\[USERSID]\Software\Axantum\AxCrypt\ServerErrorShellCmd: ""
HKU\[USERSID]\Software\Axantum\AxCrypt\EventLogLevel: 0x00000000
HKU\[USERSID]\Software\Axantum\AxCrypt\NoShowUnsafeWipeWarn: 0x00000000
HKU\[USERSID]\Software\Axantum\AxCrypt\SaveEncKey: 0x00000001
HKU\[USERSID]\Software\Axantum\AxCrypt\SaveDecKey: 0x00000001
HKU\[USERSID]\Software\Axantum\AxCrypt\NoDecryptMenu: 0x00000000
HKU\[USERSID]\Software\Axantum\AxCrypt\DisableRenameMenu: 0x00000000
HKU\[USERSID]\Software\Axantum\AxCrypt\TryBrokenFile: 0x00000000
HKU\[USERSID]\Software\Axantum\AxCrypt\AllowAnyExtension: 0x00000000
HKU\[USERSID]\Software\Axantum\AxCrypt\FastModeDefault: 0x00000000
HKU\[USERSID]\Software\Axantum\AxCrypt\KeepTimeStamp: 0x00000000
HKU\[USERSID]\Software\Axantum\AxCrypt\AllowPrograms: 0x00000000
File Locations
C:\Program Files\Axantum\AxCrypt
Research Links
http://www.axantum.com/axcrypt/
Forensic Programs of Use
Regshot – http://regshot.sourceforge.net/
MiTeC HEX Editor – http://www.mitec.cz/hex.html
wxHexEditor – http://www.wxhexeditor.org/
Other Information
First 21 bytes for AxCrypt encrypted file(s):
C0 B9 07 2E 4F 93 F1 46 A0 15 79 2C A1 D9 E8 21 15 00 00 00 02
Raw:
0000000 C0 B9 07 2E 4F 93 F1 46 A0 15 ....O..F..
0000010 79 2C A1 D9 E8 21 15 00 00 00 y,...!....
0000020 02 .
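Because the file-type association (.axx) lives in the registry and a user can rename an encrypted file freely, a triage script should key on the file content rather than the extension. The following Python example is added to these notes and is not AxCrypt's own code nor the author's tool: it takes the 21 bytes listed above, treats the first 16 as a fixed signature, and reads the remaining 5 bytes as a 4-byte little-endian header length (0x15 = 21) followed by a 1-byte header type (0x02). That reading of bytes 16-20 is an assumption that the page itself does not state; the sample files it scans are constructed in a temporary directory and the 16 zero bytes appended after the signature are placeholder padding, not real file data.

```python
"""Identify AxCrypt encrypted files by their fixed file header, ignoring extension."""
import struct
import tempfile
from pathlib import Path
from typing import List, Optional

# 16-byte signature: the first 16 of the "First 21 bytes" listed in the notes.
AXCRYPT_GUID = bytes.fromhex("C0 B9 07 2E 4F 93 F1 46 A0 15 79 2C A1 D9 E8 21")

# Assumed layout of the 5 bytes after the GUID (an assumption, not stated in the notes):
#   4 bytes  little-endian length of the first header block (0x15 = 21)
#   1 byte   header type (0x02)
FIRST_HEADER = struct.Struct("<IB")
SIGNATURE_LEN = len(AXCRYPT_GUID) + FIRST_HEADER.size  # 21

# Constructed sample: the 21 bytes from the notes plus 16 zero bytes of placeholder
# padding so the first header block is "complete" under the assumed length field.
SAMPLE_AXCRYPT = bytes.fromhex("C0 B9 07 2E 4F 93 F1 46 A0 15 79 2C A1 D9 E8 21 15 00 00 00 02") + b"\x00" * 16


def is_axcrypt(data: bytes) -> bool:
    """True if the buffer starts with the AxCrypt GUID signature."""
    return data[:len(AXCRYPT_GUID)] == AXCRYPT_GUID


def parse_axcrypt_header(data: bytes) -> Optional[dict]:
    """Return the first header block's length/type, or None if not AxCrypt or too short.

    'truncated' flags a file that carries the signature but ends before the
    first header block is complete (e.g. a partial copy or carved fragment).
    """
    if not is_axcrypt(data) or len(data) < SIGNATURE_LEN:
        return None
    length, htype = FIRST_HEADER.unpack_from(data, len(AXCRYPT_GUID))
    return {
        "first_header_length": length,
        "first_header_type": htype,
        "truncated": len(data) < len(AXCRYPT_GUID) + length,
    }


def find_axcrypt_files(root: Path) -> List[Path]:
    """Walk `root` and return every regular file carrying the signature, whatever its name."""
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            with path.open("rb") as fh:
                head = fh.read(SIGNATURE_LEN)  # only the header is needed
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        if is_axcrypt(head):
            hits.append(path)
    return sorted(hits)


def demo_scan() -> List[str]:
    """Write constructed sample files to a temp dir and return the names flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "report.axx").write_bytes(SAMPLE_AXCRYPT)            # normal extension
        (root / "notes.txt").write_bytes(SAMPLE_AXCRYPT)             # renamed, still detected
        (root / "archive.zip").write_bytes(b"PK\x03\x04" + b"\x00" * 30)  # unrelated format
        (root / "empty.bin").write_bytes(b"")                        # zero-length file
        return [p.name for p in find_axcrypt_files(root)]


if __name__ == "__main__":
    print("flagged:", demo_scan())
    print("header:", parse_axcrypt_header(SAMPLE_AXCRYPT))
```

Reading only the first 21 bytes of each file keeps a sweep over a large volume cheap, and the `truncated` flag separates complete files from fragments that still begin with the signature.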