Password-protected-malware
Some malware can be password protected:
One technique consists in dumping the memory of the infected system and looking for strings together with their surrounding context (here we know that the malware is named "lab1.exe"):
$ strings /media/cdrom/lab1.img | grep -C5 -i "lab1\.exe"
[SNIP]
--
N4QP3
1) Insert USB drive
2) Autoruns should execute run.cmd. If autoruns is turned off then open USB drive in windows explorer, and manually execute run.cmd
3) When prompted for password, copy & paste the following pwd: Thiswilltakealongtimetobruteforce
4) close help and unmount & remove usb drive
5) lab1.exe will now be running
w_^[
QQSV
w_^]
[SNIP]
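The same strings-plus-context search, written here as an added example (not code from the original page) in Python so that it also picks up UTF-16LE strings, which Windows memory images commonly contain and which plain `strings` skips unless run with `-el`. The sample image bytes are constructed for the example, not taken from lab1.img; the function names are the example's own.

```python
import re

# Printable ASCII runs and UTF-16LE runs of at least four characters.
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

def extract_strings(data):
    """Return (offset, text) pairs for ASCII and UTF-16LE strings, by offset."""
    found = []
    for m in ASCII_RE.finditer(data):
        found.append((m.start(), m.group().decode("ascii")))
    for m in UTF16_RE.finditer(data):
        found.append((m.start(), m.group().decode("utf-16-le")))
    return sorted(found)

def grep_context(strings, pattern, context=5):
    """Like `grep -C`: the strings around each case-insensitive match."""
    rx = re.compile(pattern, re.IGNORECASE)
    hits = []
    for i, (_, text) in enumerate(strings):
        if rx.search(text):
            lo, hi = max(0, i - context), min(len(strings), i + context + 1)
            hits.append([t for _, t in strings[lo:hi]])
    return hits

def find_password_context(image, name=r"lab1\.exe", context=5):
    """Strings near the malware name in a raw memory image."""
    return grep_context(extract_strings(image), name, context)

# Constructed stand-in for a memory image: binary filler around a help text
# like the one on this page, with the password stored as a wide string.
SAMPLE_IMAGE = (
    b"\x00\x13\x8a" * 5
    + b"1) Insert USB drive\r\n\x00"
    + b"\xff\x01"
    + b"3) When prompted for password, copy & paste the following pwd:\r\n\x00"
    + "Thiswilltakealongtimetobruteforce".encode("utf-16-le") + b"\x00\x00"
    + b"5) lab1.exe will now be running\r\n\x00"
    + b"w_^[\x00QQSV\x00"
    + b"\x90" * 8
)

if __name__ == "__main__":
    for block in find_password_context(SAMPLE_IMAGE):
        print("\n".join(block))
        print("--")
```

Run it against a real dump with `find_password_context(open(path, "rb").read())`; on large images, read in chunks with overlap rather than slurping the whole file.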
Keywords: anti-reverse