Analysis

Category Package Started Completed Duration Options Log(s)
FILE exe 2025-06-12 12:48:07 2025-06-12 13:18:53 1846 seconds
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1
2024-11-25 13:37:14,991 [root] INFO: Date set to: 20250611T17:23:40, timeout set to: 1800
2025-06-11 18:23:40,190 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8
2025-06-11 18:23:40,190 [root] DEBUG: Storing results at: C:\iDarMfdE
2025-06-11 18:23:40,190 [root] DEBUG: Pipe server name: \\.\PIPE\IMPWOAOm
2025-06-11 18:23:40,190 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-11 18:23:40,190 [root] INFO: analysis running as an admin
2025-06-11 18:23:40,190 [root] INFO: analysis package specified: "exe"
2025-06-11 18:23:40,190 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-11 18:23:41,112 [root] DEBUG: imported analysis package "exe"
2025-06-11 18:23:41,112 [root] DEBUG: initializing analysis package "exe"...
2025-06-11 18:23:41,112 [lib.common.common] INFO: wrapping
2025-06-11 18:23:41,112 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-11 18:23:41,128 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\wksprt.exe
2025-06-11 18:23:41,128 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-11 18:23:41,128 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-11 18:23:41,128 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-11 18:23:41,128 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-11 18:23:41,362 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-11 18:23:41,393 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-11 18:23:41,440 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-11 18:23:41,440 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-11 18:23:41,456 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-11 18:23:41,456 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-11 18:23:41,456 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-11 18:23:41,456 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-11 18:23:41,456 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-11 18:23:41,456 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-11 18:23:41,456 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-11 18:23:41,456 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-11 18:23:41,456 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-11 18:23:41,472 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-11 18:23:41,472 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-11 18:23:41,472 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-11 18:23:41,472 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-11 18:23:41,472 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-11 18:23:41,644 [modules.auxiliary.digisig] DEBUG: File is not signed
2025-06-11 18:23:41,644 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-11 18:23:41,644 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-11 18:23:41,644 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-11 18:23:41,644 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-11 18:23:41,644 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-11 18:23:41,644 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-11 18:23:41,644 [modules.auxiliary.disguise] INFO: Disguising GUID to 88063f41-cb09-49fe-8433-82e8a31757b9
2025-06-11 18:23:41,644 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-11 18:23:41,644 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-11 18:23:41,644 [root] DEBUG: attempting to configure 'Human' from data
2025-06-11 18:23:41,644 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-11 18:23:41,644 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-11 18:23:41,644 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-11 18:23:41,644 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-11 18:23:41,644 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-11 18:23:41,644 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-11 18:23:41,644 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-11 18:23:41,644 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-11 18:23:41,644 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-11 18:23:41,644 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-11 18:23:41,644 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-11 18:23:41,644 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-11 18:23:41,644 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-11 18:23:41,644 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-11 18:23:41,659 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini
2025-06-11 18:23:41,659 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-11 18:23:41,659 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-11 18:23:41,659 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-11 18:23:41,659 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-11 18:23:41,659 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-11 18:23:41,659 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-11 18:23:41,675 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\NmhMelLB.dll, loader C:\tmp_gell1p8\bin\TfDuBatI.exe
2025-06-11 18:23:41,753 [root] DEBUG: Loader: IAT patching disabled.
2025-06-11 18:23:41,753 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\NmhMelLB.dll.
2025-06-11 18:23:41,768 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-11 18:23:41,768 [root] INFO: Disabling sleep skipping.
2025-06-11 18:23:41,768 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-11 18:23:41,768 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-11 18:23:41,768 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-11 18:23:41,768 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-11 18:23:41,768 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-11 18:23:41,784 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-11 18:23:41,800 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-11 18:23:41,800 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-11 18:23:41,800 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 2208, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000
2025-06-11 18:23:41,800 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-11 18:23:41,815 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-11 18:23:41,815 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-11 18:23:41,815 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\NmhMelLB.dll.
2025-06-11 18:23:41,815 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-11 18:23:41,815 [root <truncated>
Machine

Name Label Manager Started On Shutdown On Route
win10-2 win10-2 KVM 2025-06-12 12:48:07 2025-06-12 13:18:33 none

File Details

File Name
wksprt.exe
File Type PE32+ executable (GUI) x86-64, for MS Windows
File Size 438784 bytes
MD5 0f80290560a291996f7a65ab899a4a4b
SHA1 3f763d9abe39685da4c86bef8402e9589f102cd1
SHA256 4cfbcc35f1403584cf932b48f1fbd9506f43874443412b35681fc66392c9b64a
SHA3-384 c215c0f413ce9a2e309f4812070640cfef52dacdf2b594ef41bc54998de7aa145b0c7e3e3795f4845f9b0e63f6a4e6cc
CRC32 65289578
TLSH T11C948E55E7A814E5E476C13889978A09F7727C5D1F919FCB2274860E3F3BAD09D38B02
Ssdeep 12288:WzNhO8ZDfRHm7ITO8D//MbXIB7GjFMvT3lxR:Wx0sDfRVDHMbimI

Failed to terminate timer list lock
Created
l$ VWATAVAWH
@.data
fA9tM
en-SG
SVWATAVAWH
HclaimCookieW
de-DE
Initialize failed
GetStartupInfoW
H VWAVH
EventLogUploadAddress
APPID
x ATAUAWH
D8XHuTE
AutomaticLogUploadServiceAddress
SizeTAdd(cchArgString + cchRdpFileContents) failed
en-TT
m@)!@
t"fD9
zh-HK
ne-NP
l$ VATAUAVAWH
SOGetClaimsToken2W
\stq^
CRdpSettingsStore::VerifySenstitiveSettings failed
bs-Latn
u*9Q<|%
ta-LK
sma-NO
mi`;>n
?|E7EE
af-ZA
correlationIdWWW
Negotiate Security Layer
Failed to close file stream!
CreateWindowExW
mn-MN
%d %s %d
GetResourceDisplayNameWW
EndDialog
ff-Latn
t0D8`
RegSetValueExW
mn-Mong
!sCC/
@8pIu
t(9}Xu
L$HE3
@8pYu
AXH9YPu
list<T> too long
</security>
method OnConnected
S$Puzqk
WsGetErrorString
IWorkspaceScriptable3WWW
0A_A^A]A\_^[
DeleteTimerQueueTimer
ku-Arab-IQ
VWAVH
L$@H+
_wcslwr
api-ms-win-shcore-scaling-l1-1-0.dll
L$xH3
sl-SI
Microsoft Corporation
LoadLibraryExW
memcmp
CRdpSettingsStore::CalculateSignScopeLength failed
type="win32"
OutputDebugStringA
_XcptFilter
RWyH1
_lock
AtlThunk_DataToCode
@8oIt
`A^_^][
ta-IN
t$ 8P9H
USVWATAUAVAWH
X6*EaL$
method GetProcessIdWWW
@SUVWAVH
UnmapViewOfFile
bstrRdpFileContents
AutoReconnection Enabled
t$PI;
method RemoveResourceW!
SECURITY
@SUVWATAUAWH
REMOTEAPPLICATION
L9t$P
o)-)=
AppID
_initterm
tt-RU
.?AVlogic_error@std@@
stdole2.tlbWWW
fD9,Bu
tlH9QXu
kr-NG
~RemoveResourceWW
.idata$5
dwCookieConnectionWW
D$`D9x
LoadLibraryW
lklxxtrE
D!e@H
saPwdCreds.Create failed!
TYPELIB
qlfE9.uMH
sms-FI
1.3.6.1.5.5.7.3.3
Content-Type: application/octet-stream
es-AR
CertDuplicateCertificateChain
.pdata
GetResourceIdWWW
[0HA=
de-AT
Microsoft
fil-PH
GetInterface for ITSRdpSignature failed
AreDpiAwarenessContextsEqual
]%6Xx
gn-PY
ar-TN
pTbl->SetPublisherCerts failed!
.?AVCAtlException@ATL@@
D8hat
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
K-4Y&
zu-ZA
sd-Arab-PK
.data$r$brc
3D`^A
en-029
CurVer = s 'WorkspaceRuntime.Workspace.1'
@8iau*H
@8sIuCH
syr-SY
M;n r
sk-SK
GetMessageW
GetModuleHandleExA
rightWWW
LoadLibraryA
@SUVWATAUAVH
!|$8M
lTimeout
towlower
http://schemas.microsoft.com/ts/2010/09/rdweb/GetRDPFiles
1#G&2
SetEvent
SleepConditionVariableSRW
_exit
ky-KG
bstrClaimsHintWW
8A_A^A\_^[
9StartWorkspaceEx
=;D|A
2.5.29.37
0A^_^
UVWATAUAVAW
~/~O~o
VMREMOTEDESKTOP
RemoteApplicationMode
H9A`t!H9Aht
@8kIu
bs-Cyrl
H!x(H!x0!x8H
H9sHvsH
szBlob
da-DK
bs-BA-Latn
D$8L!l$0L!l$(L!l$
0A_A^A\_^
SHCreateItemInKnownFolder
UnregServer
H)Uq$
V8p-"0I
HKEY_PERFORMANCE_DATA
D8x9u
InternetCrackUrlW
Mscoree.dll
$_tZ!
.\%s.mui
t$HHc
D9apt
SignScope field not found in store
pa-Arab
E8+E0
D8aIt
.tls$ZZZ
CoCreateInstance
ATL-SafeArrayCreate failed!
GetCommandLineW
D8X`uTE
RemoteApplicationExpandWorkingdir
GetSystemMetricsForDpi
H0b).^
GetMenuItemCount
sr-Latn-ME
GetFileAttributesW
ne-IN
XA_A^A]A\^[
D8aau-H
ybCountUnauthenticatedCredentials
RecordToString failed
IWorkspace2 InterfaceW
gq=sQN
.CRT$XIA
Failed to get RdpClientUtils
LocalServer32 = s '%MODULE%'
lFlagsWW
val AppID = s '%APPID%'
|$(E3
DispatchMessageW
wcstombs_s
es-PA
>sHfn
sa-IN
ResetEvent
x UAVAWH
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
CreatePopupMenu
CRdpSettingsStore::GenerateSecureSettingsBlob failed
FileDescription
BuildImmersiveClientArgString failed
GetAppContainerRegistryLocation
\$ UVWH
~.22B
too few bytes in signature
CryptProtectData
dz-BT
\$ VWAVH
UWATAVAWH
</asmv3:application>
A_A^A]A\_[
{"y7>
Advapi32.dll
bstrWorkspaceParamsW
Failed to unregister the thread window class
ntdll.dll
method IsWorkspaceCredentialSpecifiedW
}
$>>^b
}xJZv>']
10.0.17763.1
I+I H
zh-CHT
InitializeCriticalSection
WakeAllConditionVariable
A_A^A\_^
UVAVH
HKEY_DYN_DATA
uHf9C
SetWindowLongPtrW
L$hE3
@8hIu
J7I5r
lkl8lklxlkl
D8x9t
sr-SP-Cyrl
WsCloseServiceProxy
StringCchLength(strRdpFileContentsWithCreds) failed
version="6.0.0.0"
TsOpenFileSettingsStore failed
D$l+D$pA
@8iIu*H
szBuf
N0I!~(
D$(E3
RegQueryValueEx failed
bstrMessageWL
CLSID
@8pIt
fA9<Hu
xh-ZA
xg;\$@
System\CurrentControlSet\Services\TScPubRPC
it-CH
0R.>=
ar-DZ
es-HN
en-GB
ml-IN
fi-FI
memmove_s
1{$zA
method GetWorkspaceNamesWW
UVWAVAWH
StartRemoteApplicationEx failed
L$0E3
L$8H3
H;(u$A
D$ H+
ka-GE
ts-ZA
tJ@8x
GetDpiForMonitor
Unable to initialize file name from moniker!
R43:z
A_A^A\_]
L;d$@
StringCchCopy failed
pCertArray
RdpSignCertChainRevocationCheck
NvnOr
@8hIt
ConstructCertificateChain failed!
pbSignedBlob
MKV>a
uRich
TerminateProcess
r%M@j )B
F ~71
CEtwEventProvHelper
zero-length signature field
en-BZ
StringCbLength failed!
SerializeStore failed
\$ A;
DevicesToRedirect
^Cv3b
method RegisterErrorLogMessage
ar-AE
CompareStringW
PathRemoveFileSpecW
tg-Cyrl-TJ
_2dTo
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
L$$E3
fr-MA
t+H!x
D$`H+
$tN(Z
@A_A^A]A\_^[
quc-Latn-GT
ko-KR
fF94Bu
RedirectPOSDevices
.text$x
wo-SN
DU]wJ
ConnectionCorrelationId
.\%s\%s.mui
method GetResourceIdWW
RemoteApplicationFile
wk$6v
.xdata$x
L$HH3
%s\%s\%s.mui
ar-YE
H!l$0M
A^_^
GetModuleHandleW
GetTimeFormatW
sd-Arab
pulProcessId,
6~}e^
.CRT$XLZ
SHGetIDListFromObject failed
.giats
t9@8h
fr-SN
t;!t$8M
bs-Latn-BA
SystemTimeToFileTime
method GetResourceDisplayNameW
<GetCertificate failed
ru-RU
{
ig-NG
H9l$Ht$H
C$H;A$t
0A_A^_
E8x9t
pa-IN
OriginalFilename
CertCloseStore
D8X8uTE
SizeTAdd(cchArgString + cchRdpFileContentsWithCreds) failed
Software\Microsoft\Workspaces\Feeds
en-JM
7aL8Aj
StringCchPrintf failed
AdjustWindowRectExForDpi
> !KfK
.ASPXAUTH=
pt-PT
WsCreateError
es-DO
chr-Cher
D9|$`u
az-Cyrl
D8pat
\<LANG_NAME>\
D$,9G
\$8E3
IssueDisconnectWX
bstrAppContainer
_resetstkoflw
11Q"p
SizeTAdd(cchArgString + 1 for null char) failed
D8sau&H
!|$0L
tj!l$8M
WsGetErrorProperty
DisconnectWorkspaceByFriendlyName failed
es-ES_tradnl
H9{Xv?H
CRdpSettingsStore::VerifySignature failed
UVWATAUAVAWH
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
IWorkspaceWW
t'D8a
zh-Hant
CloseHandle
Unable to construct cert chain for signing
0>[E
closing settings store failed
@.reloc
t-D8h
D9|$<t
swscanf
tzm-Latn-DZ
D8y9u*H
E0+EHH
StartRemoteApplication failed!
HA_A^A]A\_^[]
Failed to move pointer to the beginning of the file!
LoadResource
_purecall
WININET.dll
la-001
GetSystemTimeAsFileTime
f90toH
RegEnumValueW
IdnToUnicode
AtlThunk_InitData
bstrWorkspaceFriendlyNameWWW
e A_A^A]A\]
@8sIuFH
ar-LB
twH91t
GetInterface for ITSRdpCertSignature failed
RemoteApplicationIcon
LD@fD
attempt to sign with missing certificate/data
yo-NG
GetWorkspaceNameFromMenuId failed
WsCall
iu-Cans-CA
|$HE3
??0exception@@QEAA@AEBQEBDH@Z
RegisterWindowMessageW
CharNextW
%s (%d)
WsFreeHeap
D!l$h3
f9<Hu
SetUnhandledExceptionFilter
D8gIt
[RyJQ
R~fny
fB9,ru
StringCchPrintfW failed
pap-029
\$hE3
L!l$PL
&)(%`+
D$ E3
.text
@UATAUAVAWH
InsertErrorInfo failed
t[0T@
{pw+F^
TaskbarCreated
phKey
iOnAuthenticatedW
/9Tj6
.rdata$brc
GetScaleFactorForMonitor
TerminateThread
H!t$ H
pt-BR
fo-FO
IWorkspace3W
L$`E3
tp!\$8
Win32DpiApi::CreateInstance failed!
bo-CN
id-ID
CertChainContextToArray failed
A_A^A]A\_[]
D$(L;
fA9\}
LocalAlloc
@8p8u
M!/D8nD
CreateReconnectMenuEntry failed
.idata$4
yi-001
ForceRemove {4F1DFCA6-3AAD-48E1-8406-4BC21A501D7C} = s 'Workspace Class'
GetACP
@s9HZ
E8Y`u
LoadBalanceInfo
L9|$0u`L
mk-MK
.rdata$T$brc
D8aIu
se-FI
`A_A^A]A\_^[
GetCurrentPackageFamilyName
rrrtccc
__dllonexit
m{TNA
Component Categories
sr-Latn-RS
fclose
H!t$
RegEnumKeyExW
>^;$i
E8iat
userenv.dll
COMCTL32.dll
Failed to get module specific class name
t(@8p
Failed to get Iunknown interface
method DisconnectWorkspaceByFriendlyNameWW
__C_specific_handler
f9<Au
InternetConnectW
TraceMessage
Failed to initialize timer list lock
@8qIu-H
Failed to create settings store!
0A_A^A]A\_^]
~vStartRemoteApplicationEx
CertFreeCertificateContext
tDfD93t>H
fD90t
en-IE
%s\%s
co-FR
1.3.6.1.5.5.7.3.1
CreateEventW
<Br]z5
|$ AVH
LoadLibraryExA
bad allocation
pRdpSig
Y"d(@U
^x~`7
.text$mn$00
t$ WH
hH0 e
SetLastError
.rsrc$01
t#fD9
Unable to get AppContainer registry location.
USVWAWH
9;t@A
`'nDM
ar-OM
Y@H9;u%L
D$DE3
A_A^A]A\_^[]
RegDeleteValueW
moh-CA
D$pE3
H!|$0M
]xH;]pt`L
en-ZW
@8jau
sr-Latn-CS
A_A^A]
Failed to load file contents!
uO9T$`vIL
insufficient number of signature verification parameters
\$@fA
az-Latn-AZ
6\d@b0@2
CRdpSettingsStore::GetSignature failed
@O)Qv
CoTaskMemRealloc
QDAE
VirtualAlloc
u,D9J
GetSystemWindowsDirectory failed
GetTraceEnableLevel
my-MM
CERT_HASH
chr-Cher-US
Failed to get the file contents as a string!
_CxxThrowException
pWkspMenuItem
GetSystemWindowsDirectoryW
A;_xs
fF94@u
LeaveCriticalSection
yzz{m
H!t$0
A8hau
NoRemove AppID
en-ZA
StringCchCopy for login cookie failed
sr-SP-Latn
GetTraceLoggerHandle
am-ET
fC94Ku
Microsoft Corporation. All rights reserved.
SOFTWARE\Microsoft\Terminal Server Client\%s
sq-AL
.?AVexception@@
L$PH3
gsw-FR
GetDateFormatW
?{uSH
eu-ES
,o~Alu
RemoteApplicationGuid
pTscRemoteSessionsManager->StartRemoteApplication failed!
.text$yd
fD9{l
GetWindowLongPtrW
O`D8q(t
OverwriteByteBlob failed
fr-HT
fWorkspaceSSOEnabled
Z)T+Q*
SetCookie failed
ar-SA
PublisherNameSuffix
D$xH;
fF9$Bu
e?KF$
PA_A^_^]
LcA<E3
M@L;F
CRdpSettingsStore::ApplyCertSignature failed
Wadvapi32.dll
fr-BE
AllowSetForegroundWindow
IWorkspaceRegistration InterfaceW
szSignature
HttpOpenRequestW
H WATAUAVAWH
@.rsrc
RegisterErrorLogMessageW
AcquireSRWLockExclusive
CertFreeCertificateChain
l$ E3
ErrorMap_InsertInfo failed
Shell Working Directory
LegalCopyright
GetProviderInstanceHelper failed
nl-BE
CallWindowProcW
e!6v)2
ATL$__a
IWorkspaceScriptable2WWW
fr-MC
method AddResourceExWW
StringCchCopy failed!
@USWATAUAVAWH
GetSystemTime
bstrWorkspace
tJfA;
val AccessPermission = b '010004803000000040000000000000001400000002001c0001000000000014000300000001010000000000050a0000000102000000000005200000002002000001020000000000052000000020020000'
<dependentAssembly>
fA9<$
vlL9nX
http://schemas.microsoft.com/ts/2010/09/rdweb
Rld6)6:
arn-CL
RdpX_CreateObject CertSignature failed!
spRdpSettingsStore->GetSignatureType failed
PTSTR
CTsRdpSignature
SHGetIDListFromObject
is-IS
fD9|U
D8gauCH
webservices.dll
@A_A^A]A\_^]
dsb-DE
L$0H3
sw-KE
SVATAUAVAWH
FlushInstructionCache
0]>m9T*
GetCertificateChainContext failed
bstrRequestingAppFamilyNameW
U$@"
%?KF%
fD9<Bu
NoRemove CLSID
*ppThumbprint
.rdata$zzzdbg
8_N7-
LoadStringW
WAVAWH
A__^
WsCreateServiceProxy failed
fr-LU
realloc
AtlThunk_FreeData
CRdpSettingsStore
|$XE3
_pAnsiLineBuf
.rdata
Ix}~O
method RegisterErrorEventW
??1type_info@@UEAA@XZ
:/tDf
H!|$HH
RegDeleteKeyW
WsAddMappedHeader
`-f%:)9
szSignScope
ur-PK
FUIsWorkspaceSSOEnabledWWW
ar-SY
val LaunchPermission = b '010004805c0000006c00000000000000140000000200480003000000000014000b000000010100000000000512000000000018000b00000001020000000000052000000020020000000014000b0000000101000000000005040000000102000000000005200000002002000001020000000000052000000020020000'
RemoteApplicationCmdLine
ti-ER
D8{9t
ba-RU
L$ WH
D$$I;
fF9<Bu
<assemblyIdentity
L9{Pt
x AWH
t<@8i
m_cs.Init failed!
CertDuplicateCertificateContext
_c:@`
WaitForSingleObject
I8b*9
method IsErrorMessageRegisteredWWW
en-ID
name="Microsoft.Windows.TerminalServices.Wksprt"
ReconnectContents
GetClassInfoExW
Cookie
Full Address
PA_A^A\_^[]
t1D8`
SVWATAUAVAWH
0A_A^A\
FindResourceExW
fr-FR
@)\9D
PAL_SYS_WIN32_TIMER_WNDCLASS
memcpy
f!cv
SetForegroundWindow
D8fDA
.idata$3
CreateTimerQueue failed
method StartWorkspaceExWWW
D9&u%
!D9{hH
l$ VWATAVAW
mn-Mong-MN
D;AxuMH
L$`L;G
method SetClaimsTokenW!
lklxlkl8
+-&&Vy
az-Cyrl-AZ
u%A8hat
AQ:3C
string too long
@8p`u
DeleteTimerQueueEx
L$PL!d$@H
k VWAVH
L$ fD
'sC#e
ExpandEnvironmentStringsW
Close on the memory stream failed!
SearchPathW
f9,Fu
this->ConvertToBinary failed
(_^][
__setusermatherr
D8I9t
UATAUAVAWH
SignScope
<description>Workspace Runtime</description>
HeapFree
GetRDPFilesResponse
invalid string position
c0fJy>
ff-Latn-SN
es-CR
GetTickCount
L$@E3
InternalSign failed
Failed to capture error message
wcstombs_s failed
user32.dll
.CRT$XIY
9|$pu
A^A]A\_^
=U@2&
lkl=lkl
IWorkspace3 InterfaceW
L$@H3
PostMessageW
wcstok_s
ITsRdpSignature::SetUnsignedBlob failed
SetClaimsTokenWW
H!~PH!~XH
Failed to initialize the MUI resource loader!
t2@8h
GatewayHostname
/>
CopySecureSettings failed
GetThreadDpiAwarenessContext
iu-Latn
ValidateCertificate failed
reconnect content is corrupt
?U@5(
UWAVH
IWorkspaceScriptable3 InterfaceWWW
u(8Y`t
D8hYu
MultiByteToWideChar
ATL$__m
CreateEvent failed!
zh-MO
es-CL
L9aht
hA_A^A]A\_[
/fD;e
DisableConnectionSharing
cannot serialize empty signature
D$(9G
uz-Latn-UZ
hr-HR
Failed to create memory settings stream!
fputws
pWorkspace.CoCreateInstance failed
H!L$0
8Q9u+H
UnregisterTraceGuids
qps-ploc
@SVWAVAWH
{4FCDA643-B15B-41C6-84F8-5E447F6F6D25}
SHELL32.dll
en-CA
ha-Latn-NG
tn-ZA
UUUUUUU
W\~y/
RRsF)
tufE9xl
Publisher
AddResourceW
pTbl->SetCredential failed!
CopyTo failed!
TrackPopupMenuEx
CryptMsgOpenToDecode
WATAUAVAWH
VWATAUAVH
pbSSOEnabled
ro-RO
)D$@H
\@vxk&
V>DM$
ShellExecuteW
WsFreeServiceProxy
L$ UH
D$(H;D$0s
D9}Hu>A
SerializeStore(2nd call) failed
D8z8uUD
VerifySignature failed
val AuthenticationLevel = d 6
quz-PE
tn-BW
A_A^A]A\_
|$ E3
D8bIu-H
.CRT$XCAA
CreateThread failed!
t=D8h
Require pre-authentication
fD98u
sr-Cyrl-ME
\$ UH
iu-Latn-CA
lv-LV
qlfD96uJH
ADVAPI32.dll
method StartWorkspaceW%
'TypeLib' = s '{1B8D8AE1-A595-4687-A7AD-9E3828E09B79}'
qbstrUserHint
LoginCookie
CreateThread
CoRevokeClassObject
aPijZ\%
.00cfg
\$XH;
D$@H;G
_wcsicmp
failed to clear error log
AudioMode
DialogBoxParamW
FreeLibrary
yEeX|/
H;KXr
CryptAcquireContextW
Failed to copy event message
qps-plocm
IWorkspaceReportMessageWL
es-CU
T$0E3
Failed to get string length
UVWATAVH
ks-Deva-IN
ATAVAWH
2~} )
E8x9u
H!T$8H
CompanyName
invalid map/set<T> iterator
EL$0L
Signature verification failed
GetCurrentThreadId
@A_A^_
nso-ZA
D8z9t
InternetOpenW
9ullAccessTokenExpiration
u HcA<H
@SVWATAUAVAWH
TsCryptBinaryToString failed!
REMOTEDESKTOP
}
@8wIt
calloc
CoRegisterClassObject
GetProcessHeap
fy-NL
Sleep
Shell_NotifyIconW
D$8L!d$0L!d$(L!d$
es-EC
HKEY_CLASSES_ROOT
D8`at
uz-Cyrl
F;#Ld
CreateProviderInstanceHelper failed.
t$ UWATAVAWH
ITsRdpSignature::Serialize failed
fD9t}
Username and Password can't be NULL if no existing credentials.
GetUserDefaultUILanguage
ShellExecuteExW
en-HK
@SUVWAVAWH
sd-Deva-IN
atlthunk.dll
UXH9Q
?D8wIt
mi-NZ
tzm-Tfng-MA
method RemoveResourceExWWW
RegOpenKeyExW
@8jIu
VWATAUAVAWH
wcsncpy_s
E8iYu
D8hau
t=D8`
GetWorkspaceNames failed
_wcsnicmp
1#b-6
sxRs9
I9:u)A8hat
kn-IN
PA_A^A]A\_^]
could not allocate bHashAlgorithm
fB94@u
fA94Iu
l$ VWAVH
tk-TM
`A_A^A\_^[]
E8Y8u
InternetSetStatusCallbackW
?what@exception@@UEBAPEBDXZ
USVWAVH
.5`O R
method StartWorkspaceEx2WW
zh-CN
A^_^][
jpbCredExistW
es-BO
RemoveResourceEx
t<@8y
[^bstrWorkspaceDisplayName
L$ SUVWH
IWorkspace2W,
th-TH
en-NZ
SerializeStore failed!
si-LK
en-IN
Failed StringCchPrintf
RegisterClassExW
CWorkspaceCredential
ha-Latn
es-419
@8~8t
\Required Categories
??0exception@@QEAA@AEBQEBD@Z
%s\%s.mui
RoV%8
H!t$8L
spRdpSettingsStore->VerifySignature failed
KxL\$.]A
sr-Cyrl-RS
% ?O@
gl-ES
ug-CN
WaitForMultipleObjects
fr-CA
bs-BA-Cyrl
v]Od$
D$PE3
tzm-Tfng
StringCchLength failed
fr-ML
hy-AM
E|$pE3
%s-%s
memmove
BeginWorkspaceReconnect failed
uiAccess="false"
t/D8h
eWorkspaceRuntimeLibW
9p><
CTsRdpSignature::Initialize failed
_callnewh
f94Bu
StringFromGUID2
l$HD!t$8L
__set_app_type
A_A^A]A\^
mn-Cyrl
GatewayUsageMethod
ar-MA
*1&IM
LoadIconW
mni-IN
Alternate Full Address
040904B0
6H;t$h
VP)0|
w=N2r"
SizeofResource
wcstol
CreateFileMappingW
*U2sFr
#Rs^!
`A_A]A\_^][
@8pau
en-PH
lstrcmpiW
swprintf_s
;9C8u
HcA<H
.?AVbad_alloc@std@@
A_A^A]A\_^]
2~Oe>g
~H~go?
HashAlgorithm registry type is incorrect
A_A^]
could not allocate bHashAlgorithmA
D8I9u
CRdpSettingsStore::GetSignatureType failed
SHLWAPI.dll
TranslateMessage
H!\$8H!\$0H!\$(H!\$ 3
AllowSetForegroundWindow failed!
ms-MY
@SUWATAUAVAWH
fA9<Yu
sah-RU
t*@8y
GetClientRect
IsDialogMessageW
PromptCredentialOnce
H!t$0M
CreateTimerQueueTimer
wcscat_s
)Xd V
RDP file signature has a wrong type.
st-ZA
L$ +D$XE3
ForceRemove
cy-GB
Authentication Level
ReadFile
@8jIt
J)@z2
Pre-authentication server address
8NMIWorkspaceRegistrationWW
br-FR
pCertSig->GetCertificateThumbPrint failed
WideCharToMultiByte
RegQueryValueExW
A_A^_^[
@SVWH
+Vjy#
VarFileInfo
R}F!y
D8kauRL
_fmode
@8jHuUD
wkspRC
ve-ZA
val AppID = s '%APPID%'
f9\$luY
t$`fD9t$`t2H
Failed to set memory stream contents!
method AddResource
StringCchCopy for WebService URL failed
CoSuspendClassObjects
TUUUUUU
VWAWH
oc-FR
IWorkspace InterfaceWW
_vsnwprintf
smn-FI
;QhuPH
E8pau<I
Pu<Hc
RegDeleteTreeW
CreateFileW
smj-NO
zh-TW
X-/5]c
t.D8`
method IssueDisconnect
IdnToNameprepUnicode
ca-ES
E8YHu
|$`+|$h
0H;]`u
Signature is zero-length
RegGetValueW
)lynA
A8Q9u
YvbstrErrorMessageType
SUVWAVH
L$PE3
WsAddMappedHeader failed
2f:A2 N
_ITSWkspEventsWW
nl-NL
FormatMessageW
version="5.1.0.0"
processorArchitecture="amd64"
et-EE
1.3.6.1.4.1.311.54.1.1
InitializeCriticalSectionAndSpinCount
@WAVAWH
LD"i?z
<security>
CreateTimerQueueTimer failed
CoUninitialize
VersionIndependentProgID = s 'WorkspaceRuntime.Workspace'
<!-- Copyright (c) Microsoft Corporation -->
<requestedExecutionLevel
{ UAVAWH
Q2+O0>7
prs-AF
@8j`uUD
WorkspaceRuntime.Workspace.1 = s 'Workspace Class'
A_A^A]A\_
Mx~9J
t$PfD
10.0.17763.1 (WinBuild.160101.0800)
NoRemove
H9S(u
CLSID\
Initialize failed.
DeleteCriticalSection
RaiseException
fD9!t
Failed to terminate timer globals
RtlCaptureContext
6bstrWorkspaceIdW
EA[`/
pTbl->set_RedirectorName failed!
bg-BG
D$@H9
bstrPassword
x ATAVAWH
rw-RW
.CRT$XLA
GetFileSize
uz-Latn
GetCursorPos
dwErrorCodeW
RemoveConnectionInfoFromTable failed
method OnDisconnectedW
RedirectSmartCards
qps-Latn-x-sh
method ResourceDisconnectedWWW!
DestroyMenu
version
5^^&5m
uz-Cyrl-UZ
CoResumeClassObjects
tzm-Latn
'%APPID%' = s 'WkspRT'
FindAndRemoveMenuItem failed
fr-029
HKEY_LOCAL_MACHINE
publicKeyToken="6595b64144ccf1df"
GetRDPFiles
A_A^_
bs-Cyrl-BA
quc-Latn
E`+EXA
<NULL>
bstrImmersiveClientActivationContext
t^H+Y 3
UnregisterClassW
ITsRdpSignature::Sign failed
CryptDecodeObject
WriteFile
StartRemoteApplicationWW
spRemoteDesktopClient->GetProcessId failed!
he-IL
CreateWebService failed
%p-%s
VirtualFree
A_A^A\
SetProcessDpiAwareness
az-Latn
L!f8H
DestroyWindow
d$PH;
VvDisconnectWorkspaceByFriendlyNameWWW
9YRb"
D$0H;
InsertMenuItemW
@(J1l
bstrWorkspaceId
x AUAVAWH
RedirectPrinters
qps-ploca
be-BY
lt-LT
@USVWATAVAWH
hwndCredUiParent
pPZMA
InterlockedPopEntrySList
Failed signature type check on signature
CertFindExtension
dY,OY
GenerateMenu failed
CRdpSettingsMemoryStream
7fD;>u
SetWindowTextW
T$(E3
nb-NO
E H9K@t'H
ja-JP
Opened
&@m ?
8Q9u0H
A8hIt
WorkspaceId
CRdpSettingsStore::InitializeSignature failed.
SZH13
method GetClaimsToken2
@8hat
A8hat
tWfA;
Workspace ClassWWW
PathIsContentTypeW
__wgetmainargs
ReleaseSRWLockExclusive
gd-GB
{
9t$PtVH;
EnableMenuItem
LoadCursorW
ru-MD
AddResourceExWWW
RtlLookupFunctionEntry
M@8P9
u$L97t
fD9$~u
\IDATx^
GetTraceEnableFlags
de-CH
QueryPerformanceCounter
RDGIsKDCProxy
||NXA
InitializeFromMoniker failed!
effffff
!l$8M
t$0E3
8S9u?H
LaunchImmersiveClient failed
msvcrt.dll
StringFileInfo
RegNotifyChangeKeyValue
ar-EG
t$ WAVAWH
Software
0A_A^A]A\_
ole32.dll
?=StartWorkspaceWW
GetSystemDefaultUILanguage
es-ES
anonymous
.aspx
.text$mn
RegSetKeyValueW
D$XE3
*~(o-B7
+/`&
./RDWebService.asmx
fr-CI
method ClearWorkspaceCredentialWWW
kok-IN
Interface
fC9\E
yeR0y
CryptHashData
D;|$0
fE9,Fu
t$@fD
uk-UA
d$hE3
CryptBinaryToStringW
DecodePointer
InitCommonControlsEx
Alternate Shell
H{bottomWW
szTempScope
zh-Hans
sr-Cyrl-BA
tg-Cyrl
D$D9t$@tX
L$`H3
ITsRdpSignature::SetCertificate failed
D$@E3
</asmv3:windowsSettings>
|$`fD
ArrayOfReconnectContent
fr-CD
ATL:%p
&tAI!8
fD94^u
RegisterErrorEventWW
OnDisconnectedWWd
H9~8tPH
ar-LY
xzqPv
ppwszSettingsStore
L!|$8I
RDP Client
ks-Arab
6Failed to create file settings stream!
4~*$&
StartRemoteApplicationEx: saPwdCreds.Attach failed!
8A^_^[
!|$hH
SuppressReconnect
EventActivityIdControl
D$xH9D$pt
H!]HH
ObfuscateUserName: CreatePrintableHash failed!
Settings in signscope and file do not match up
hu-HU
EndMenu
??1exception@@UEAA@XZ
@A_A^A\
JSbstrRedirectorNameWW
Module_Raw
CoCreateGuid
ur-IN
RtlVirtualUnwind
_wcmdln
O$@5@
\dwErrorTypeW
sr-BA-Cyrl
tzm-Arab-MA
d$PI;
9l$4t
@SVWATAUAVAW
GetModuleFileNameW
USVWAUAVAWH
??3@YAXPEAX@Z
fD;8ugH
IWorkspaceScriptable Interface
E8iYt
pfErrorExistL
CRdpSettingsFileStream
wksprt.pdb
Rf\N)
D$xL9
StringCchCat failed
.CRT$XCA
CryptReleaseContext
D9|$0t
KERNEL32.dll
{left
Server Port
es-SV
@8kat
@A_A^_H
f;D$@
8S9uIL
UnhandledExceptionFilter
TsCryptEncryptString failed!
fD9 t
DefWindowProcW
EventUnregister
6~}eo
wcscpy_s
this->StartTimer failed
GetVersionExW
D$X+V@
@SUVWATAUAVAWH
invalid signature version
+SdAt
IWorkspaceScriptable2 InterfaceWWW
MapViewOfFile
invalid length of signature field
RemoteApplicationName
D$0L;
VS_VERSION_INFO
?=u$L
'WkspRT.exe'
SWATAUAVAWH
4$$Xr
SetProcessDpiAwarenessContext
x UATAUAVAWH
</dependency>
ff-NG
A_A^_^]
fB9<Bu
IsErrorMessageRegistered
as-IN
.CRT$XCZ
bsearch
,Hb/H"
RDP file settings and signature handling

RedirectClipboard
RedirectDrives
DrivesToRedirect
RedirectDirectX
RedirectCOMPorts
EnableCredSspSupport
GatewayProfileUsageMethod
GatewayCredentialsSource
KDCProxyName
Use Redirection Server Name
Prompt For Credentials
Support URL
RemoteApplicationProgram
RemoteApplicationExpandCmdLine
RemoteApplicationFileExtensions
EnableWorkspaceReconnect
ReconnectContent
Signature
HashAlgorithm
EncryptedPassword
UserName
CorrelationId
2.16.840.1.101.3.4.2.1
Microsoft Enhanced RSA and AES Cryptographic Provider
%s%s#%d.rdp
d <RdpClientParameters> <RdpFileContents><![CDATA[%s]]></RdpFileContents> <Context><![CDATA[%s]]></Context> </RdpClientParameters>
rdpStream
w,ccs=UNICODE
text/html
0123456789ABCDEF

Diagnostic messages

Failed GenerateSignScope
SysAllocString(szEventLogUploadAddress) failed
Could not create copy of RDP file contents (TsOpenMemorySettingsStore failed)
SHCreateItemInKnownFolder failed
pWorkspaceCredential->Init failed!
Field in SignScope not found in store
saPwdCreds.SetAt failed!
CombineUrl failed
QueryInterface for IID_ITaskHandlerStatus failed
no signature field
pWorkspace.GetWorkspaceNames failed
StringCchCatCRLF failed
InsertMenuItem failed
attempt to sign with invalid signer certificate
GetCertificateThumbPrint failed
OpenStore failed!
pWkspScript.CoCreateInstance failed
SizeTAdd(cchArgString + cchImmersiveClientActivationContext) failed
StringCchCopy for WorkspaceId Name failed
Empty signscope field
this->NextToken failed
Mandatory sensitive setting empty
Failed version check on signature
RDP file signature is missing.
ObfuscateUserName: StringCchLength failed!
StringCchCopy for Publisher Name failed
CNotifyWnd.InsertMenuItem failed
pWorkspace.QueryInterface failed
pNewWorkspaceCredential->Init failed!
Mandatory sensitive setting missing from file
BinaryToBase64String failed
StringCchLength(XML template) failed
RebuildDisconnectWorkspaceMenuItems failed
InitializeReconnectConfiguration failed
WsOpenServiceProxy failed
PAL_System_CondReset failed
insufficient buffer is ok
PAL_System_CondSignal failed
_CreateDialogInitEvent failed
TsCryptEncryptAndEncodeString failed!
Mandatory sensitive setting not present
DeleteTimerQueueTimer failed
Failed to initialize timer globals
RDWebServiceSoap_GetRDPFiles failed
CRdpSettingsStore::SetUnsignedBlob failed
this->GetFullFileName failed!
Base64StringToBinary failed
Close failed on stream!
StartWorkspaceNotificationThread failed!
invalid signature type
this->IsWorkspaceSSOEnabled failed!
CalculateSecureSettingsLength failed
CreateTempRDPFile failed!
Failed to unregister the timer window class
CoCreateInstance failed!
m_cs.Init failed
CWorkspaceCredential::CreateTimerQueue failed
SetCertificate failed

COM registration, type library and interface names

ProgID = s 'WorkspaceRuntime.Workspace.1'
CLSID = s '{4F1DFCA6-3AAD-48E1-8406-4BC21A501D7C}'
WorkspaceRuntime.Workspace = s 'Workspace Class'
WorkspaceRuntime 1.0 Type LibraryW
TypeLib
RegServer
REGISTRY
\Implemented Categories
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_USERS
Software\Microsoft\Workspaces
Software\Microsoft\Workspaces\Cache\
/name Microsoft.RemoteAppAndDesktopConnections
qKDisconnectWorkspaceW
IWorkspaceRegistration2 InterfaceW
IWorkspaceRegistration2W
GetRDPFilesResult
tspsaParamsWWW
ClearWorkspaceCredential
_ITSWkspEvents InterfaceWW
70StartWorkspaceEx2WWW!
method StartRemoteApplicationW
method StartRemoteApplicationExWWW
method DisconnectWorkspace
method OnAuthenticated(
method IsWorkspaceSSOEnabledWW
TbstrEventLogUploadAddressWWW
IWorkspaceReportMessage InterfaceW
IWorkspaceClientExt InterfaceW
8o1IWorkspaceClientExtW
AIWorkspaceScriptable
WorkspaceWWW
>bLaunchIntoImmersiveClientWW
IsWorkspaceCredentialSpecifiedWW
GetWorkspaceNamesWWW
HResourceDismissedWWWL
DBOnConnectedW
9TpdwCookieWWWX
bstrWkspIdWW
bstrWorkspaceNameWWW
bstrUserName
bstrAccessTokenW
d+pbstrAccessToken
bstrRefreshTokenX
f7bstrRequestingAppIdW
psaWkspNames
ppInstance
pbBinary
*ppbOutBlob
szEncoded
rectCredUiParent
tagRECTW
PBYTE

Version resource and manifest

RemoteApp and Desktop Connection Runtime
wksprt.exe
wksprt
control.exe
ProductName
ProductVersion
FileVersion
InternalName
Translation
Operating System
Windows
Hardware
SYSTEM
Module
Locale
FileType
Delete
false
cHRM
<assemblyIdentity
type="win32"
processorArchitecture="amd64"
name="Microsoft.Windows.Common-Controls"
<dependency>
</dependentAssembly>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<requestedPrivileges>
level="asInvoker"
</requestedPrivileges>
</trustInfo>
<asmv3:application>
<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
<dpiAware>true</dpiAware>
/>
</assembly>

Libraries and API names

CRYPT32.dll
OLEAUT32.dll
kernel32.dll
USER32.dll
advapi32.dll
normaliz.dll
CryptVerifyDetachedMessageSignature
CertVerifyCertificateChainPolicy
CertOpenStore
CertGetCertificateContextProperty
CertGetCertificateChain
CryptMsgClose
CryptGetHashParam
CryptCreateHash
CryptStringToBinaryW
CryptSignMessage
CryptDestroyHash
CryptMsgUpdate
InternetCombineUrlW
InternetCanonicalizeUrlW
HttpSendRequestExW
InternetCloseHandle
WsFreeError
WsCreateHeap
WsCreateServiceProxy
WsOpenServiceProxy
RegCreateKeyExW
RegDeleteKeyExW
RegQueryInfoKeyW
RegCloseKey
EventRegister
EventWrite
EventEnabled
RegisterTraceGuidsW
PostQuitMessage
SendMessageW
RemoveMenu
GetActiveWindow
GetMenuItemInfoW
CreateDialogParamW
GetDlgItem
GetSystemMenu
ShowWindow
CharUpperW
UnregisterClassA
PostThreadMessageW
GetDpiForWindow
EnableNonClientDpiScaling
IsTextUnicode
GetProcAddress
TlsAlloc
TlsFree
SetFilePointer
DeleteFileW
GetTempPathW
GetProcessId
GetCurrentProcessId
GetCurrentProcess
HeapAlloc
LocalFree
CreateTimerQueue
InterlockedPushEntrySList
EncodePointer
EnterCriticalSection
GetLocaleInfoW
GetLastError
CoTaskMemAlloc
CoTaskMemFree
CoInitializeEx
AtlThunk_AllocateData

C runtime, section and class markers

!This program cannot be run in DOS mode.
Invalid parameter passed to C runtime function.
map/set<T> too long
vector<T> too long
.?AVlength_error@std@@
.?AVout_of_range@std@@
?terminate@@YAXXZ
??0exception@@QEAA@AEBV0@@Z
??_V@YAXPEAX@Z
__CxxFrameHandler3
_onexit
_cexit
_commode
_amsg_exit
_errno
_unlock
_wfopen_s
_stat
toupper
wcsncmp
memset
memcpy_s
malloc
PAL_SYS_WIN32_THREAD_WNDCLASS
Win32DpiApi
CClientUtils
`.rdata
.data
.data$brc
.idata$2
.idata$6
.rsrc$02
.text$di
.tls$
.xdata
.gfids
.CRT$XIAA
.CRT$XIZ
.CRT$XCL
.CRT$XCU
ATL$__z

Locale identifiers

sma-SE
lb-LU
sv-SE
nn-NO
mt-MT
dv-MV
ga-IE
el-GR
tr-TR
te-IN
ar-JO
sr-Cyrl
ar-KW
or-IN
quz-EC
om-ET
es-GT
es-PR
kk-KZ
de-LU
es-PY
ps-AF
ibb-NG
en-AU
km-KH
hr-BA
hi-IN
fr-RE
en-US
ku-Arab
ti-ET
ii-CN
ca-ES-valencia
haw-US
ro-MD
es-PE
pl-PL
vi-VN
ar-QA
lo-LA
ms-BN
fr-CM
es-NI
bn-BD
sr-Latn
cs-CZ
so-SO
fa-IR
smj-SE
mn-Mong-CN
en-MY
rm-CH
mr-IN
se-NO
it-IT
zh-SG
iu-CA-Latn
sv-FI
gu-IN
es-US
iu-Cans
quz-BO
hsb-DE
pa-Arab-PK
sr-Cyrl-CS
zh-CHS
fr-CH
es-UY
se-SE
es-CO
ar-IQ
es-VE
bin-NG
sr-Latn-BA
es-MX
bn-IN
sr-BA-Latn
ar-BH
de-LI
kl-GL

PE Information

Image Base 0x140000000
Entry Point 0x0003a620
Reported Checksum 0x0006ef4c
Actual Checksum 0x0006ef4c
Minimum OS Version 10.0
PDB Path wksprt.pdb
Compile Time 2083-11-19 22:19:30
Import Hash f60eaa8ac4165371e5ea639793bc771f
Icon Exact Hash abcfd68bdb08bd4a6b468d18429bcc0a
Icon Similarity Hash 59ec56db5f58348e30011e80777f94db
Icon DHash e4a68687ce6cb2c0

Version Infos

CompanyName Microsoft Corporation
FileDescription RemoteApp and Desktop Connection Runtime
FileVersion 10.0.17763.1 (WinBuild.160101.0800)
InternalName wksprt
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename wksprt.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.17763.1
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x0003c283 0x0003c400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.33
.rdata 0x0003c800 0x0003e000 0x000141ec 0x00014200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.76
.data 0x00050a00 0x00053000 0x00000c58 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.07
.pdata 0x00050e00 0x00054000 0x00002244 0x00002400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.41
.rsrc 0x00053200 0x00057000 0x00017038 0x00017200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.47
.reloc 0x0006a400 0x0006f000 0x00000d90 0x00000e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.37

Name Offset Size Language Sub-language Entropy File type
MUI 0x0006df40 0x000000f8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.86 None
REGISTRY 0x00057b68 0x000002ca LANG_ENGLISH SUBLANG_ENGLISH_US 3.30 None
REGISTRY 0x00057e38 0x00000270 LANG_ENGLISH SUBLANG_ENGLISH_US 5.40 None
TYPELIB 0x0006bb80 0x000023c0 LANG_ENGLISH SUBLANG_ENGLISH_US 4.67 None
RT_ICON 0x000580a8 0x0000ffde LANG_ENGLISH SUBLANG_ENGLISH_US 7.93 None
RT_ICON 0x00068088 0x000025a8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.55 None
RT_ICON 0x0006a630 0x000010a8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.56 None
RT_ICON 0x0006b6d8 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.62 None
RT_GROUP_ICON 0x0006bb40 0x0000003e LANG_ENGLISH SUBLANG_ENGLISH_US 2.45 None
RT_VERSION 0x000577b0 0x000003b8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.44 None
RT_MANIFEST 0x00057300 0x000004ae LANG_ENGLISH SUBLANG_ENGLISH_US 4.92 None

Imports

Name Address
RegCloseKey 0x140042c50
RegQueryInfoKeyW 0x140042c58
RegEnumKeyExW 0x140042c60
RegOpenKeyExW 0x140042c68
RegSetValueExW 0x140042c70
RegCreateKeyExW 0x140042c78
RegDeleteValueW 0x140042c80
EventActivityIdControl 0x140042c88
TraceMessage 0x140042c90
RegQueryValueExW 0x140042c98
RegNotifyChangeKeyValue 0x140042ca0
RegGetValueW 0x140042ca8
RegEnumValueW 0x140042cb0
RegDeleteTreeW 0x140042cb8
GetTraceLoggerHandle 0x140042cc0
GetTraceEnableLevel 0x140042cc8
GetTraceEnableFlags 0x140042cd0
RegisterTraceGuidsW 0x140042cd8
UnregisterTraceGuids 0x140042ce0
RegSetKeyValueW 0x140042ce8
CryptCreateHash 0x140042cf0
IsTextUnicode 0x140042cf8
CryptReleaseContext 0x140042d00
CryptGetHashParam 0x140042d08
CryptDestroyHash 0x140042d10
CryptHashData 0x140042d18
CryptAcquireContextW 0x140042d20
Name Address
GetLastError 0x140042de0
GetProcAddress 0x140042de8
LoadLibraryExW 0x140042df0
GetModuleHandleW 0x140042df8
InitializeCriticalSection 0x140042e00
RaiseException 0x140042e08
MultiByteToWideChar 0x140042e10
SizeofResource 0x140042e18
LoadResource 0x140042e20
FindResourceExW 0x140042e28
FreeLibrary 0x140042e30
LeaveCriticalSection 0x140042e38
EnterCriticalSection 0x140042e40
DeleteCriticalSection 0x140042e48
DeleteFileW 0x140042e50
GetTempPathW 0x140042e58
lstrcmpiW 0x140042e60
GetSystemWindowsDirectoryW 0x140042e68
GetVersionExW 0x140042e70
FormatMessageW 0x140042e78
ResetEvent 0x140042e80
TlsFree 0x140042e88
TlsAlloc 0x140042e90
LoadLibraryA 0x140042e98
GetSystemTime 0x140042ea0
SystemTimeToFileTime 0x140042ea8
LoadLibraryW 0x140042eb0
Sleep 0x140042eb8
LocalFree 0x140042ec0
LocalAlloc 0x140042ec8
ExpandEnvironmentStringsW 0x140042ed0
GetACP 0x140042ed8
ReadFile 0x140042ee0
GetFileSize 0x140042ee8
SetFilePointer 0x140042ef0
WriteFile 0x140042ef8
GetFileAttributesW 0x140042f00
CreateFileW 0x140042f08
OutputDebugStringA 0x140042f10
GetTickCount 0x140042f18
GetSystemTimeAsFileTime 0x140042f20
QueryPerformanceCounter 0x140042f28
SleepConditionVariableSRW 0x140042f30
WakeAllConditionVariable 0x140042f38
AcquireSRWLockExclusive 0x140042f40
ReleaseSRWLockExclusive 0x140042f48
TerminateProcess 0x140042f50
SetUnhandledExceptionFilter 0x140042f58
UnhandledExceptionFilter 0x140042f60
GetStartupInfoW 0x140042f68
InterlockedPopEntrySList 0x140042f70
InterlockedPushEntrySList 0x140042f78
FlushInstructionCache 0x140042f80
GetProcessHeap 0x140042f88
DecodePointer 0x140042f90
HeapAlloc 0x140042f98
EncodePointer 0x140042fa0
LoadLibraryExA 0x140042fa8
VirtualAlloc 0x140042fb0
GetCurrentProcess 0x140042fb8
VirtualFree 0x140042fc0
HeapFree 0x140042fc8
InitializeCriticalSectionAndSpinCount 0x140042fd0
MapViewOfFile 0x140042fd8
CreateFileMappingW 0x140042fe0
UnmapViewOfFile 0x140042fe8
GetLocaleInfoW 0x140042ff0
GetUserDefaultUILanguage 0x140042ff8
GetSystemDefaultUILanguage 0x140043000
WideCharToMultiByte 0x140043008
GetModuleFileNameW 0x140043010
WaitForSingleObject 0x140043018
GetModuleHandleExA 0x140043020
CreateTimerQueue 0x140043028
DeleteTimerQueueEx 0x140043030
CreateTimerQueueTimer 0x140043038
DeleteTimerQueueTimer 0x140043040
SetEvent 0x140043048
CompareStringW 0x140043050
GetCurrentProcessId 0x140043058
SearchPathW 0x140043060
CreateEventW 0x140043068
CreateThread 0x140043070
TerminateThread 0x140043078
GetCommandLineW 0x140043080
SetLastError 0x140043088
GetCurrentThreadId 0x140043090
GetDateFormatW 0x140043098
CloseHandle 0x1400430a0
WaitForMultipleObjects 0x1400430a8
GetTimeFormatW 0x1400430b0
Name Address
DispatchMessageW 0x1400431d0
DestroyWindow 0x1400431d8
RegisterClassExW 0x1400431e0
GetClassInfoExW 0x1400431e8
LoadCursorW 0x1400431f0
IsDialogMessageW 0x1400431f8
LoadStringW 0x140043200
GetMessageW 0x140043208
PostThreadMessageW 0x140043210
PostMessageW 0x140043218
AllowSetForegroundWindow 0x140043220
TranslateMessage 0x140043228
CreateWindowExW 0x140043230
UnregisterClassW 0x140043238
SendMessageW 0x140043240
UnregisterClassA 0x140043248
SetWindowLongPtrW 0x140043250
CharUpperW 0x140043258
DefWindowProcW 0x140043260
DestroyMenu 0x140043268
InsertMenuItemW 0x140043270
CreatePopupMenu 0x140043278
ShowWindow 0x140043280
LoadIconW 0x140043288
RegisterWindowMessageW 0x140043290
EnableMenuItem 0x140043298
GetMenuItemCount 0x1400432a0
GetMenuItemInfoW 0x1400432a8
RemoveMenu 0x1400432b0
EndMenu 0x1400432b8
PostQuitMessage 0x1400432c0
GetCursorPos 0x1400432c8
SetForegroundWindow 0x1400432d0
TrackPopupMenuEx 0x1400432d8
CreateDialogParamW 0x1400432e0
GetWindowLongPtrW 0x1400432e8
CallWindowProcW 0x1400432f0
GetDlgItem 0x1400432f8
GetSystemMenu 0x140043300
SetWindowTextW 0x140043308
GetActiveWindow 0x140043310
EndDialog 0x140043318
DialogBoxParamW 0x140043320
GetClientRect 0x140043328
CharNextW 0x140043330
Name Address
fputws 0x140043390
fclose 0x140043398
??0exception@@QEAA@AEBQEBDH@Z 0x1400433a0
_callnewh 0x1400433a8
_CxxThrowException 0x1400433b0
_XcptFilter 0x1400433b8
_amsg_exit 0x1400433c0
__wgetmainargs 0x1400433c8
__set_app_type 0x1400433d0
exit 0x1400433d8
_exit 0x1400433e0
_cexit 0x1400433e8
__setusermatherr 0x1400433f0
_initterm 0x1400433f8
_wcmdln 0x140043400
_fmode 0x140043408
_commode 0x140043410
?terminate@@YAXXZ 0x140043418
_wfopen_s 0x140043420
??0exception@@QEAA@AEBQEBD@Z 0x140043428
_lock 0x140043430
_unlock 0x140043438
__dllonexit 0x140043440
_onexit 0x140043448
memmove_s 0x140043450
memcpy 0x140043458
memcmp 0x140043460
bsearch 0x140043468
wcsncmp 0x140043470
swprintf_s 0x140043478
wcsncpy_s 0x140043480
malloc 0x140043488
free 0x140043490
memcpy_s 0x140043498
??0exception@@QEAA@AEBV0@@Z 0x1400434a0
_wcsicmp 0x1400434a8
_vsnwprintf 0x1400434b0
_errno 0x1400434b8
??1type_info@@UEAA@XZ 0x1400434c0
_wcslwr 0x1400434c8
towlower 0x1400434d0
wcstol 0x1400434d8
wcstok_s 0x1400434e0
wcstombs_s 0x1400434e8
_wcsnicmp 0x1400434f0
toupper 0x1400434f8
wcscpy_s 0x140043500
?what@exception@@UEBAPEBDXZ 0x140043508
wcscat_s 0x140043510
calloc 0x140043518
_resetstkoflw 0x140043520
__C_specific_handler 0x140043528
??3@YAXPEAX@Z 0x140043530
__CxxFrameHandler3 0x140043538
memmove 0x140043540
??_V@YAXPEAX@Z 0x140043548
realloc 0x140043550
swscanf 0x140043558
??1exception@@UEAA@XZ 0x140043560
memset 0x140043568
_purecall 0x140043570
Name Address
RtlLookupFunctionEntry 0x140043580
RtlVirtualUnwind 0x140043588
RtlCaptureContext 0x140043590
Name Address
CoTaskMemFree 0x1400435a0
CoTaskMemRealloc 0x1400435a8
CoTaskMemAlloc 0x1400435b0
CoCreateGuid 0x1400435b8
CoCreateInstance 0x1400435c0
CoUninitialize 0x1400435c8
CoInitializeEx 0x1400435d0
StringFromGUID2 0x1400435d8
CoResumeClassObjects 0x1400435e0
CoRegisterClassObject 0x1400435e8
CoSuspendClassObjects 0x1400435f0
CoRevokeClassObject 0x1400435f8
Name Address
RegisterTypeLib 0x1400430c0
SafeArrayRedim 0x1400430c8
LoadTypeLib 0x1400430d0
SysFreeString 0x1400430d8
VarUI4FromStr 0x1400430e0
SysAllocString 0x1400430e8
VarBstrCmp 0x1400430f0
SysStringByteLen 0x1400430f8
UnRegisterTypeLib 0x140043100
SafeArrayCreate 0x140043108
SysAllocStringByteLen 0x140043110
SysAllocStringLen 0x140043118
SysStringLen 0x140043120
SafeArrayGetUBound 0x140043128
SafeArrayDestroy 0x140043130
SafeArrayLock 0x140043138
SafeArrayUnlock 0x140043140
SafeArrayGetLBound 0x140043148
SafeArrayGetVartype 0x140043150
VariantInit 0x140043158
VariantClear 0x140043160
LoadRegTypeLib 0x140043168
Name Address
InitCommonControlsEx 0x140042d30
Name Address
SHCreateItemInKnownFolder 0x140043178
SHGetIDListFromObject 0x140043180
ShellExecuteExW 0x140043188
Shell_NotifyIconW 0x140043198
ShellExecuteW 0x1400431a0
Name Address
WsCall 0x140043608
WsFreeHeap 0x140043610
WsFreeServiceProxy 0x140043618
WsCreateHeap 0x140043620
WsCreateServiceProxy 0x140043628
WsFreeError 0x140043630
WsCloseServiceProxy 0x140043638
WsCreateError 0x140043640
WsGetErrorProperty 0x140043648
WsGetErrorString 0x140043650
WsAddMappedHeader 0x140043658
WsOpenServiceProxy 0x140043660
Name Address
PathRemoveFileSpecW 0x1400431b0
PathIsContentTypeW 0x1400431c0
Name Address
InternetCrackUrlW 0x140043340
InternetSetStatusCallbackW 0x140043348
InternetCloseHandle 0x140043350
InternetOpenW 0x140043358
InternetConnectW 0x140043360
HttpOpenRequestW 0x140043368
HttpSendRequestExW 0x140043370
InternetCombineUrlW 0x140043378
InternetCanonicalizeUrlW 0x140043380


Usage


Processing ( 11.27 seconds )

  • 10.516 ProcessMemory
  • 0.695 CAPE
  • 0.046 BehaviorAnalysis
  • 0.008 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.06 seconds )

  • 0.012 ransomware_files
  • 0.006 antiav_detectreg
  • 0.005 antianalysis_detectfile
  • 0.005 ransomware_extensions
  • 0.003 infostealer_ftp
  • 0.003 territorial_disputes_sigs
  • 0.003 ursnif_behavior
  • 0.002 antiav_detectfile
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.001 bot_drive
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 infostealer_bitcoin
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior

Reporting ( 0.01 seconds )

  • 0.008 CAPASummary
  • 0.002 JsonDump

Signatures

The PE file contains a PDB path
pdbpath: wksprt.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
The import sits next to UnhandledExceptionFilter and the other CRT start-up imports in the kernel32 group above; the MSVC C runtime installs an unhandled-exception filter during initialization, so on its own this import is not evidence of anti-debugging.
The binary likely contains encrypted or compressed data
section: .rsrc, raw address 0x00053200, virtual address 0x00057000, virtual size 0x00017038, size of raw data 0x00017200, characteristics IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ (0x40000040), entropy 7.47
The .rsrc entropy is accounted for by the 0x0000ffde-byte RT_ICON resource (entropy 7.93) in the resource table above; the cHRM string in the strings dump is a PNG chunk name, consistent with a PNG-compressed icon rather than packed code. No section is both writable and executable.
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 6212 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 59 }']'
The pattern is a call to the next instruction followed by pop rcx, i.e. reading the current instruction pointer; it occurs in ordinary compiled code and position-independent stubs, so it is a weak indicator unless matched by behaviour, and no behaviour was recorded in this run.
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections
This contradicts the headers reported above: the entry point RVA 0x0003a620 lies inside .text (virtual address 0x00001000, virtual size 0x0003c283, so the range 0x00001000 to 0x0003d283), which is marked IMAGE_SCN_MEM_EXECUTE.
Binary compilation timestomping detected
anomaly: Compilation timestamp is in the future
Windows binaries produced with the linker's reproducible-build option store a hash of the build in the PE TimeDateStamp field rather than a build time, so a far-future date on a genuine Microsoft-signed file (this one reports FileVersion 10.0.17763.1 and PDB path wksprt.pdb) is expected. Verify the Authenticode signature before treating the field as evidence of tampering.

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

Files

C:\Windows\System32\kernel.appcore.dll
\Device\CNG
C:\Users\Packager\AppData\Local\Temp\wksprt.exe

Keys

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Terminal Server Client
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Terminal Server Client\AutomaticLogUploadServiceAddress
HKEY_CURRENT_USER
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F1DFCA6-3AAD-48E1-8406-4BC21A501D7C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F1DFCA6-3AAD-48E1-8406-4BC21A501D7C}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F1DFCA6-3AAD-48E1-8406-4BC21A501D7C}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F1DFCA6-3AAD-48E1-8406-4BC21A501D7C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F1DFCA6-3AAD-48E1-8406-4BC21A501D7C}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F1DFCA6-3AAD-48E1-8406-4BC21A501D7C}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F1DFCA6-3AAD-48E1-8406-4BC21A501D7C}\InprocHandler
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StateSeparation\RedirectionMap\Keys
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseActivationAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\wksprt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\WkspRT.exe\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{4FCDA643-B15B-41C6-84F8-5E447F6F6D25}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{4FCDA643-B15B-41C6-84F8-5E447F6F6D25}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{4FCDA643-B15B-41C6-84F8-5E447F6F6D25}\AccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount

Read Keys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Terminal Server Client\AutomaticLogUploadServiceAddress
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F1DFCA6-3AAD-48E1-8406-4BC21A501D7C}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F1DFCA6-3AAD-48E1-8406-4BC21A501D7C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseActivationAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\WkspRT.exe\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{4FCDA643-B15B-41C6-84F8-5E447F6F6D25}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{4FCDA643-B15B-41C6-84F8-5E447F6F6D25}\AccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount

Mutexes

Local\SM0:6212:304:WilStaging_02
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.