That's actually the funny and at the same time very difficult part of encoding.
the euro sign € can be also represented by just one byte in other encodings for instance ISO8859-15 has 0xa4 as a currency sign, see https://en.wikipedia.org/wiki/Currency_s...ypography), https://en.wikipedia.org/wiki/ISO/IEC_88...EC_8859-15.
That's probably why you see the euro sign in the maskprocessor output. but of course 1 byte passwords (euro sign ISO8859-15 encoded) are not the same as 3 bytes (UTF8) passwords.
so yeah, undeath pretty much explained it perfectly... your hash was generated with more than 1 bytes (for utf16le, as used by NTLM, it's actually 2 bytes 0xac20 !)
so now we know 0xa4 (ISO8859-15), 0xe282ac (UTF8) and 0xac20 (UTF16LE) all represent the "same" euro sign. This just shows how confusing encoding is
the euro sign € can be also represented by just one byte in other encodings for instance ISO8859-15 has 0xa4 as a currency sign, see https://en.wikipedia.org/wiki/Currency_s...ypography), https://en.wikipedia.org/wiki/ISO/IEC_88...EC_8859-15.
That's probably why you see the euro sign in the maskprocessor output. but of course 1 byte passwords (euro sign ISO8859-15 encoded) are not the same as 3 bytes (UTF8) passwords.
so yeah, undeath pretty much explained it perfectly... your hash was generated with more than 1 bytes (for utf16le, as used by NTLM, it's actually 2 bytes 0xac20 !)
so now we know 0xa4 (ISO8859-15), 0xe282ac (UTF8) and 0xac20 (UTF16LE) all represent the "same" euro sign. This just shows how confusing encoding is