Analysis
| Category | Package | Started | Completed | Duration | Options | Log(s) |
|---|---|---|---|---|---|---|
| FILE | exe | 2025-06-12 14:52:24 | 2025-06-12 15:23:11 | 1847 seconds | Show Options | Show Analysis Log |
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1
2024-11-25 13:37:15,053 [root] INFO: Date set to: 20250611T17:29:10, timeout set to: 1800 2025-06-11 18:29:10,762 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8 2025-06-11 18:29:10,762 [root] DEBUG: Storing results at: C:\SLtSxJVgsX 2025-06-11 18:29:10,762 [root] DEBUG: Pipe server name: \\.\PIPE\TCjHsIkvb 2025-06-11 18:29:10,762 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32 2025-06-11 18:29:10,762 [root] INFO: analysis running as an admin 2025-06-11 18:29:10,762 [root] INFO: analysis package specified: "exe" 2025-06-11 18:29:10,762 [root] DEBUG: importing analysis package module: "modules.packages.exe"... 2025-06-11 18:29:11,168 [root] DEBUG: imported analysis package "exe" 2025-06-11 18:29:11,168 [root] DEBUG: initializing analysis package "exe"... 2025-06-11 18:29:11,168 [lib.common.common] INFO: wrapping 2025-06-11 18:29:11,168 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation 2025-06-11 18:29:11,168 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\ApproveChildRequest.exe 2025-06-11 18:29:11,168 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option 2025-06-11 18:29:11,168 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option 2025-06-11 18:29:11,168 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option 2025-06-11 18:29:11,168 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option 2025-06-11 18:29:11,481 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser" 2025-06-11 18:29:11,512 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig" 2025-06-11 18:29:11,543 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise" 2025-06-11 18:29:11,559 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human" 2025-06-11 18:29:11,574 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops' 2025-06-11 18:29:11,574 [lib.api.screenshot] ERROR: No module named 'PIL' 2025-06-11 18:29:11,574 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots" 2025-06-11 18:29:11,574 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump" 2025-06-11 18:29:11,574 [root] DEBUG: Initialized auxiliary module "Browser" 2025-06-11 18:29:11,574 [root] DEBUG: attempting to configure 'Browser' from data 2025-06-11 18:29:11,574 [root] DEBUG: module Browser does not support data configuration, ignoring 2025-06-11 18:29:11,574 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"... 2025-06-11 18:29:11,574 [root] DEBUG: Started auxiliary module modules.auxiliary.browser 2025-06-11 18:29:11,574 [root] DEBUG: Initialized auxiliary module "DigiSig" 2025-06-11 18:29:11,574 [root] DEBUG: attempting to configure 'DigiSig' from data 2025-06-11 18:29:11,574 [root] DEBUG: module DigiSig does not support data configuration, ignoring 2025-06-11 18:29:11,574 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"... 2025-06-11 18:29:11,590 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature 2025-06-11 18:29:11,715 [modules.auxiliary.digisig] DEBUG: File is not signed 2025-06-11 18:29:11,715 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json 2025-06-11 18:29:11,731 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig 2025-06-11 18:29:11,731 [root] DEBUG: Initialized auxiliary module "Disguise" 2025-06-11 18:29:11,731 [root] DEBUG: attempting to configure 'Disguise' from data 2025-06-11 18:29:11,731 [root] DEBUG: module Disguise does not support data configuration, ignoring 2025-06-11 18:29:11,731 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"... 2025-06-11 18:29:11,731 [modules.auxiliary.disguise] INFO: Disguising GUID to 1b621a55-cfac-4e69-8e86-c2b86ccae11e 2025-06-11 18:29:11,731 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise 2025-06-11 18:29:11,731 [root] DEBUG: Initialized auxiliary module "Human" 2025-06-11 18:29:11,731 [root] DEBUG: attempting to configure 'Human' from data 2025-06-11 18:29:11,731 [root] DEBUG: module Human does not support data configuration, ignoring 2025-06-11 18:29:11,731 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"... 2025-06-11 18:29:11,731 [root] DEBUG: Started auxiliary module modules.auxiliary.human 2025-06-11 18:29:11,731 [root] DEBUG: Initialized auxiliary module "Screenshots" 2025-06-11 18:29:11,731 [root] DEBUG: attempting to configure 'Screenshots' from data 2025-06-11 18:29:11,731 [root] DEBUG: module Screenshots does not support data configuration, ignoring 2025-06-11 18:29:11,731 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"... 2025-06-11 18:29:11,731 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled 2025-06-11 18:29:11,731 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots 2025-06-11 18:29:11,731 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets" 2025-06-11 18:29:11,731 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data 2025-06-11 18:29:11,731 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring 2025-06-11 18:29:11,731 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"... 2025-06-11 18:29:11,731 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696 2025-06-11 18:29:11,762 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini 2025-06-11 18:29:11,762 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor 2025-06-11 18:29:11,762 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor 2025-06-11 18:29:11,762 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor 2025-06-11 18:29:11,762 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor 2025-06-11 18:29:11,762 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor 2025-06-11 18:29:11,762 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor 2025-06-11 18:29:11,762 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\KhePLP.dll, loader C:\tmp_gell1p8\bin\ktypyZOY.exe 2025-06-11 18:29:11,996 [root] DEBUG: Loader: IAT patching disabled. 2025-06-11 18:29:11,996 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\KhePLP.dll. 2025-06-11 18:29:12,059 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'. 2025-06-11 18:29:12,059 [root] INFO: Disabling sleep skipping. 2025-06-11 18:29:12,059 [root] DEBUG: 696: Full process memory dumps enabled. 2025-06-11 18:29:12,059 [root] DEBUG: 696: Import reconstruction of process dumps enabled. 2025-06-11 18:29:12,074 [root] DEBUG: 696: Active unpacking of payloads enabled 2025-06-11 18:29:12,074 [root] DEBUG: 696: CAPE debug - unrecognised key norefer. 2025-06-11 18:29:12,074 [root] DEBUG: 696: TLS secret dump mode enabled. 2025-06-11 18:29:12,074 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542 2025-06-11 18:29:12,090 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable 2025-06-11 18:29:12,090 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0 2025-06-11 18:29:12,090 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 3632, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000 2025-06-11 18:29:12,090 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe 2025-06-11 18:29:12,106 [root] DEBUG: 696: Hooked 5 out of 5 functions 2025-06-11 18:29:12,106 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread. 2025-06-11 18:29:12,106 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\KhePLP.dll. 2025-06-11 18:29:12,106 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe> 2025-06-11 18:29:12 <truncated>
Machine
| Name | Label | Manager | Started On | Shutdown On | Route |
|---|---|---|---|---|---|
| win10-2 | win10-2 | KVM | 2025-06-12 14:52:24 | 2025-06-12 15:22:52 | none |
File Details
| File Name |
ApproveChildRequest.exe
|
|---|---|
| File Type | PE32+ executable (GUI) x86-64, for MS Windows |
| File Size | 238592 bytes |
| MD5 | 1b30285c8ee44822c327e3a452f9f149 |
| SHA1 | 00afbc2944f06e6a1a70f58f42deedfabd38e41b |
| SHA256 | 6ad4c8709495483139f91f2fdc27294650d56eb94a01c8ac45ff15aa51a89c6f [VT] [MWDB] [Bazaar] |
| SHA3-384 | 724e1db17d7e73c598f8f5664c942ad72403a03c479ecdc8039f3ee0e47ad7ee72352bce23c4540fdb8f6d53129ca4c7 |
| CRC32 | 4E9E7EEF |
| TLSH | T135348D1B779841E6D036923DCD968B56F3B3F8A50B2287CF02A0531E1F7BAE46D39251 |
| Ssdeep | 6144:bbRRDFOlneBetbvAqGQga2nfRGKdDPDvV:6uet8qGccnjDt |
| PE | File Strings BinGraph Vba2Graph VirusTotal |
M<QzB
.?AU_Crt_new_delete@std@@
srrpB
2,'2h
ar-sy
@.data
internal\sdk\inc\wil\result.h
noBBBnBBBBB<n
.idata$6
44DDUU1
?id@?$collate@G@std@@2V0locale@2@A
=U}$p
FTKCI
n~WUU
.idata$4
#7cnaGp
??1_Locinfo@std@@QEAA@XZ
fa-af
L$pL;
Global\ShellCreateObjectTaskReadyEvent
ReleaseMutex
GetStartupInfoW
TGWWVLg
_Wcscoll
ActivityIntermediateStop
L$ SUVWH
9SbL~
_initterm_e
ar-ae
_o___stdio_common_vswprintf
Gj#RMH
Y&]?:
D$HE3
_o__cexit
CreateSemaphoreExW
W^^^^^
H;8u/H
$DDDD
PzzzKzzz(
.?AV<lambda_c704725d65217970f518ae4a3ea67ca6>@@
``___G
9\uJH
api-ms-win-core-com-l1-1-0.dll
d[@?6
?_Xlength_error@std@@YAXPEBD@Z
CHD1p
wEB%w
_o_malloc
'444334353
smF>ws
t$ UWAVH
ApproveChildRequest.pdb
_o__initialize_onexit_table
SA-qE6C
(|_XX
X3O_mGk
_o_free
FileVersion
_o__purecall
jponB87ux^^^Y
!$+,-5
.?AV?$_Func_base@XAEAV?$Optional@V?$LockBox@V?$unordered_map@_KPEAUThreadInfo@Private@@U?$hash@_K@std@@U?$equal_to@_K@4@V?$allocator@U?$pair@$$CB_KPEAUThreadInfo@Private@@@std@@@4@@std@@$0PPPPPPPP@@@@@@std@@
t$@I+
D$PE3
L$hH3
qZ4oV
}#ZK7#
@tI;H
__C_specific_handler
G/a?YV
V-!\>
TlsAlloc
YJjjJ
TraceMessage
.?AV_Root_node@std@@
:!$+,-/
o*AAg
!"$+.M
fF;M1
memmove
.?AV<lambda_6cb0875dbd498b753205169807926f30>@@
0A_A^A]A\_^]
std::exception: %hs
?_Xbad_function_call@std@@YAXXZ
t$ E3
(caller: %p)
fa-iq
list<T> too long
e`fh_{
'O=~]
jiggeVXa
wilResult
strchr
<:iY{
8=Yqr
a<>PU
.?AV<lambda_2ac3edc49f8b8483bd44c4a6e550a1a0>@@
!R<wR#M
sVGDDL
NamedCallContextActivity
lower
RoInitialize
::::::::>g
yLIJx
8($T>
hfdUO
$}9IR
ApproveChildRequest.exe
LocalScreenTimeExtensionGranted
.rtc$TAA
UAVAWH
A_A^_
|$ AVH
_o_exit
bad allocation
Microsoft.Windows.FamilySafety.Reliability
Microsoft.Windows.Shell.CoCreateInstanceAsSystem
.?AV_Node_assert@std@@
-B@GS8
`R%_@
.text$mn$00
t$ WH
L$@H+
VWAVH
SetLastError
.?AV?$_Func_impl_no_alloc@V<lambda_44698917a729147103f13ca46b9ff343>@@XAEAPEBU_TlgProvider_t@@@std@@
w1qs5dD
?id@?$ctype@G@std@@2V0locale@2@A
.rsrc$01
ucH;{ u]
IDATx
fD9,Yu
.?AV?$_Func_base@X$$V@std@@
.?AV_Node_endif@std@@
DebugBreak
/8FfP
K PcqxH}
!@1jr
ar-dz
!\3"S)
[;+h'
u{w5L|lx
tIfD9
Unknown exception
040904B0
Microsoft Corporation
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
Z%7Z>
.CRT$XIC
api-ms-win-crt-runtime-l1-1-0.dll
fD9,Qu
D9w tJH
w3s!3
_o___std_type_info_name
Y6c6(M
kkjP_^]
.rdata$zETW2
M H1E
####$3
1FVceJ
ar-iq
.u$H;3
{|]uxH
Yz9N
__std_terminate
__TlgCV__
AcquireSRWLockShared
.?AV?$_Func_impl_no_alloc@V<lambda_087c2220fdc14446cdcfc41ecca1f282>@@XAEAPEBU_TlgProvider_t@@@std@@
rrrrrrrpoo
ntelD
.?AV?$_Func_base@XAEAPEBU_TlgProvider_t@@@std@@
tlLD~
r8xv_
{]~\4
D9qL|
.?AVbad_alloc@std@@
A_A^A]A\_^]
Microsoft.FamilySafety
tIwFr
#'1>@
.?AV<lambda_44698917a729147103f13ca46b9ff343>@@
p@:*E
CreateMutexExW
.rtc$IZZ
>[c"U}
7ss1x
L$XL+
_o__invalid_parameter_noinfo
A_A^]
EventRegister
%$'c^
??1facet@locale@std@@MEAA@XZ
InitializeSListHead
HHDHI
GetTraceEnableLevel
;"rr~~
_initterm
CoInitializeEx
J+s=:mll
deque<T> too long
_CxxThrowException
IDAT/$
M!E=$
.?AV_Node_rep@std@@
.idata$5
RSDSw3
@+J!5r/H
Nb]=2
?_Incref@facet@locale@std@@UEAAXXZ
InitializeSRWLock
zsx88
P3GDM
LeaveCriticalSection
_o__set_fmode
sww7r78
HeapAlloc
jh7avQ
InitOnceComplete
|LlLl
b<cF:
4/ AV
nT`XT0Q#
PPPzQRRx
f9)uBH
.rtc$IAA
.?AU?$ILockableT@V?$unordered_map@_KPEAUThreadInfo@Private@@U?$hash@_K@std@@U?$equal_to@_K@4@V?$allocator@U?$pair@$$CB_KPEAUThreadInfo@Private@@@std@@@4@@std@@@@
p"zXC
L$ SVWH
.pdata
internal\sdk\inc\wil\Resource.h
GetTraceLoggerHandle
|$ UATAVH
.?AV<lambda_4c57ad977a2abee826ad43ae1e8a0797>@@
.?AV?$_Func_base@XAEAV?$Optional@V?$map@V?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@VDay@@ULessNoCase@StringAlgo@@V?$allocator@U?$pair@$$CBV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@VDay@@@std@@@2@@std@@@@@std@@
;K9<&9
@SVWH
()) "&22344=
VWAUAVAWH
t>y#I
CP_s#
*3o:m
Y4;M#
!nJ+c
Microsoft
lvZIW
Microsoft Corporation. All rights reserved.
.data$brc
callContext
L$PH3
_o__itoa_s
Fu@`Jf
tMfD91u@H
TVaTj
EA N8
h30Pe
H3E H3E
InternalName
.?AVErrorCodeException@@
.text$yd
.?AV?$_Node_class@GV?$regex_traits@G@std@@@std@@
9\u<H
.PEBVGlobals@@
()$^.*+?[]|\-{},:=!
.data$r$brc
bad cast
IsProcessorFeaturePresent
``NN_
fF9,Au
api-ms-win-core-profile-l1-1-0.dll
'11112333*
9\uNH
,4vAt
ar-om
_o__initialize_wide_environment
.rsrc$02
ActivityFailure
?_Xbad_alloc@std@@YAXXZ
!x-sys-default-locale
.?AV?$_Func_impl_no_alloc@V<lambda_9139b00e51d47a9efaa659cf401ab3fc>@@X$$V@std@@
pnnnnononnAs
PXyF.&
.?AVThreadCancelledException@@
rV:D@
T$ H;
SleepConditionVariableSRW
_um{6
t^@8=4
_o__configthreadlocale
fD9,Zu
.?AV?$_Func_impl_no_alloc@V<lambda_6f3db37b64316ef4e298bc0608939a64>@@X$$V@std@@
shell\lib\comtaskserverutil.cpp
.?AVNamedCallContextActivity@Reliability@Providers@TraceLog@@
Local\SM0:%d:%d:%hs
api-ms-win-core-winrt-l1-1-0.dll
en-US
T!HL>
ar-bh
@.rsrc
T$@H;
TlsSetValue
qAu%]
OLEAUT32.dll
EIM`P
rpnB86uYYIHH
^|H;N
sw3x1s01ww
wtMCt
##%&$3
AcquireSRWLockExclusive
^LCo=4`
##%$$$
.text$di
api-ms-win-crt-private-l1-1-0.dll
FormatMessageW
.?AV<lambda_896c2242833e9f179c27a55a2c01d926>@@
ssqLllv
originatingContextMessage
module
ConvertFiberToThread
.?AV_Facet_base@std@@
%hs!%p:
<<n99
L$@fD
F11.0
K SVWH
VWATAVAWH
LegalCopyright
C$9C w(H
_o___p__commode
CoUninitialize
0A_A^A\_^
R\u\u
3vfKn
ar-ly
function
A_A^A]A\_
.?AVGlobals@@
.?AV_Node_back@std@@
.rtc$TZZ
E'C\H
xdigit
10.0.17763.1 (WinBuild.160101.0800)
GetCurrentProcessId
" '
## )4E
L$XH3
p WAVAWH
f/TUe
DeleteCriticalSection
9\uCH
.rdata$zETW0
ActivityStoppedAutomatically
api-ms-win-shcore-obsolete-l1-1-0.dll
he-il
:nnnABBB<=A=
_Wcsxfrm
!!"'>>????
RtlCaptureContext
K x0"8
ponoooooonA
CoCreateInstance
sssBm
/w4t*
.?AV_Node_capture@std@@
&H[3X
f]}yS
u]c{{
x ATAVAWH
ar-kw
t{HcL$ HcD$$H
WaitForSingleObjectEx
_o___std_exception_copy
ar-xa
|'4r6
>1zde`/@
L$0H3
.?AV?$Global@V?$map@V?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@VDay@@ULessNoCase@StringAlgo@@V?$allocator@U?$pair@$$CBV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@VDay@@@std@@@2@@std@@@@
pNKw+
??0_Lockit@std@@QEAA@H@Z
fa-ru
.?AU?$ILockableT@PEAX@@
9\u=H
alpha
EXH!E`H
riW6Lk
api-ms-win-crt-string-l1-1-0.dll
_o__configure_wide_argv
nj% I
wilActivity
Main Thread
yp*8/
fD9<Bu
?tolower@?$ctype@G@std@@QEBAPEBGPEAGPEBG@Z
.rdata$zzzdbg
.rdata$r
f9,Ku
EtwTraceMessage
.?AUIFailureCallback@details@wil@@
f94Au
.?AV<lambda_8d09d1e622c439c6b510b57ff56d9177>@@
'"""*'*''
###%%&+
ChildSID
.?AVModule@Com@@
Y.RT/T
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
lRHQ!g
$@E)a
WAVAWH
VVuZ|
:\u:L
#'''11<
.CRT$XIA
.rdata
?is@?$ctype@G@std@@QEBA_NFG@Z
1"%<v
_o_iswascii
api-ms-win-core-errorhandling-l1-1-0.dll
??0_Locinfo@std@@QEAA@PEBD@Z
' |L$
PostThreadMessageW
dUG[{
.?AV?$_Func_impl_no_alloc@V<lambda_cca712188da15066abcb6c401651c71d>@@X$$V@std@@
.?AV?$collate@G@std@@
9{tu"
5]=3w
-/amP
api-ms-win-core-rtlsupport-l1-1-0.dll
hA_A^A]A\_^][
{xbuY
|$@H+
GetErrorMode
tLt|lv
wX1Q.
A_A^_
OpenEventW
.CRT$XIZ
jKT72
tGf9)u;H
ar-jo
.?AV?$_Func_impl_no_alloc@V<lambda_6cb0875dbd498b753205169807926f30>@@X$$V@std@@
fa-tj
~t!4I
ActivityError
/`P2n
_o_wcscpy_s
x UAVAWH
P(?:([0-9]+)D)?(?:T(?:([0-9]+)H)?(?:([0-9]+)M)?(?:([0-9]+)(?:\.([0-9]+))?S)?)?
_o__invalid_parameter_noinfo_noreturn
msvcp_win.dll
??0facet@locale@std@@IEAA@_K@Z
fa-bh
FileDescription
!This program cannot be run in DOS mode.
bmEUU
.?AUIModule@Com@@
Msg:[%ws]
A_A^A\
WaitForSingleObject
u*0Y(
@A^_^
;v\~y.
Tq;SHM/
D$0H;
l^pcR
.?AV?$ActivityBase@VReliability@Providers@TraceLog@@$00$0A@$04U_TlgReflectorTag_Param0IsProviderType@@@wil@@
api-ms-win-eventing-provider-l1-1-0.dll
b`_MN
Dx{EQ
bHz7S
##%%$&
\$ VWAVH
api-ms-win-core-processthreads-l1-1-0.dll
UWATAVAWH
*rME.#L
7B"i~
.?AV?$LockBox@V?$unordered_map@_KPEAUThreadInfo@Private@@U?$hash@_K@std@@U?$equal_to@_K@4@V?$allocator@U?$pair@$$CB_KPEAUThreadInfo@Private@@@std@@@4@@std@@$0PPPPPPPP@@@
GetModuleFileNameA
ED$`H
0vBegT
jD}oK
ntdll.dll
_o__set_app_type
0A_A^A\
_register_thread_local_exe_atexit_callback
Q^aqi
USER32.dll
print
api-ms-win-core-sysinfo-l1-1-0.dll
10.0.17763.1
InitializeCriticalSection
t"D8=
WakeAllConditionVariable
.?AV<lambda_cca712188da15066abcb6c401651c71d>@@
ar-eg
A_A^A\_^
4z;X0
{{w7sx8
b_\\t
api-ms-win-core-synch-l1-1-0.dll
memcpy
.idata$3
D$ fD
_o_terminate
kJ %%
}}}}{x
H SWH
L9{@u
OpenSemaphoreW
.?AV?$LockBox@PEAX$0PPPPPPPP@@@
ReleaseSRWLockExclusive
;u sLM
.?AV?$_Func_impl_no_alloc@V<lambda_821a0f12845a14b96db5f2eb03f35e4b>@@X$$V@std@@
e !#f
.?AV?$HrException@$0?HPPPLPPM@@@
:N+Rq&
#@MwT
,gm`wC_ro
*5555F5F53
FallbackError
HeapSetInformation
t>y&H
RtlLookupFunctionEntry
SetErrorMode
`w7.W
EnterCriticalSection
7ssxxs
.CRT$XCU
}% Z*
?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ
internal\sdk\inc\wil\resource.h
?_0cT
RtlDllShutdownInProgress
GetTraceEnableFlags
Microsoft.FamilySafety.Monitor
[%hs(%hs)]
punct
.?AV?$_Func_impl_no_alloc@V<lambda_c704725d65217970f518ae4a3ea67ca6>@@X$$V@std@@
fA9,Qu
.?AVNonCopyable@@
QueryPerformanceCounter
message
_o__get_wide_winmain_command_line
,%`kPR>F
originatingContextName
9d1&(>
b84X]
.?AVTraceLoggingProvider@wil@@
threadId
:Bs~=
2:Ff-*
string too long
upper
.?AV?$_Node_str@G@std@@
fa-uz
A^Y+0
graph
|}xxy{{J{
$us~dY
xwJwwIJI
StringFileInfo
mZWeedv
%hs(%d) tid(%x) %08X %ws
##%%&&
s`[[_
t$ WAVAWH
.rdata$zETW9
.?AV?$_Func_impl_no_alloc@V<lambda_36229ff2afe94a26310aa614b46db198>@@X$$V@std@@
.?AU?$ILockableT@V?$Optional@V?$stack@PEAVGlobals@@V?$deque@PEAVGlobals@@V?$allocator@PEAVGlobals@@@std@@@std@@@std@@@@@@
ole32.dll
GetCurrentProcess
8IN2Kgr\Ru}|Ms{
UVWAVAWH
(_^][
L$0E3
[&|z3
9JS@S
HeapFree
|Y"/mQ
cc`_NN
ssssssop
currentContextId
GetTickCount
`c5 E)
j!M3(
CtfD;
A_A^A\_]
fileName
.?AV<lambda_1045e2cc1ea707392ed7811b31122c1c>@@
uWL95
.?AV?$_Func_impl_no_alloc@V<lambda_4c57ad977a2abee826ad43ae1e8a0797>@@XAEAV?$Optional@PEBU_TlgProvider_t@@@@@std@@
6~9H`
R4#Gz
9cfffzZ
L$@E3
:\u5L
.text$mn
~VC88
vector<bool> too long
LocalFree
L$ SH
.?AV<lambda_701992cd54336967b334c5b58053aba8>@@
D$8E3
L9o@t
.?AVResultException@wil@@
[u[VX
failureId
_"( !
9\u?L
sssssp
TerminateProcess
H@$~Y
G0E8p
&x"Yv
/Ud>W
-Q[Or
p$A4JIw"
[7.cwo
f9,Au
}wFCcb]]
hhdUQ
.?AVReliability@Providers@TraceLog@@
{wx{ss
BK{o6
3WEph
Translation
o`PUhg3E
HHHHH
A_A^A]A\_^]
.?AV?$_Func_base@XAEAV?$Optional@PEBU_TlgProvider_t@@@@@std@@
.?AVbad_array_new_length@std@@
.?AV_Node_end_group@std@@
}}u^^^
_o__seh_filter_exe
ar-qa
dDWLl||
*A#EY
A^h:C6
TlsFree
alnum
%(q3ah
RoUninitialize
.?AV<lambda_36229ff2afe94a26310aa614b46db198>@@
.?AV<lambda_176ec4311a926f8daada8c21c07d14ba>@@
.?AV?$_Func_impl_no_alloc@V<lambda_d491092b0b42a92e3410d6e14a433b1e>@@XAEAPEBU_TlgProvider_t@@@std@@
UWAVH
WilError_02
EventWriteTransfer
ssssss
_o__callnewh
RegisterTraceGuidsW
sEy@B
fa-lb
49fa6
.?AUILockable@@
9X<01
OpenThread
EventSetInformation
jrnBn
??Bid@locale@std@@QEAA_KXZ
T$@E3
.CRT$XPZ
~}]YIH
rn7e}x[^[
5OI&~
{[ZWL
.CRT$XIAC
L$`H3
ProductVersion
_c_exit
.?AV_Node_base@std@@
D$@E3
.text$x
Gut||
<CQXs
)L;t}
OutputDebugStringW
CtH;K
b_OKX
&#%d;
lXPIY
UnregisterTraceGuids
.?AV<lambda_087c2220fdc14446cdcfc41ecca1f282>@@
tHfD91u;H
oN$>y
}/|s0
__CxxFrameHandler3
ReturnHr
_o__set_new_mode
blank
.xdata$x
L$HH3
j"MB
A^_^
.CRT$XIAA
*??@@
#%%$F
GetModuleHandleW
fD9<Au
}^bB\
7#$++--B
>Pl@U}
@`u"2l
.?AV?$_Func_impl_no_alloc@V<lambda_176ec4311a926f8daada8c21c07d14ba>@@XAEAV?$Optional@PEBU_TlgProvider_t@@@@@std@@
{v/bi
ar-sa
G3E-IE/
failureType
` AVH
Windows
t?y&I
WUi}G
HekD*
IsDebuggerPresent
space
_o__register_onexit_function
EventActivityIdControl
A^A\]
o5bc\`^
.CRT$XTA
hresult
KO)!J.
.rdata$zETW1
kernelbase.dll
s_Wgb
Vk&vIeWX
D$0E3
HsY/
@A_A^A\
IX1eaw
k'Fu2
F{.RY_{
?_Getcat@?$ctype@G@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
RtlVirtualUnwind
.idata$2
rpprrrrponB
LdEe6
@8,1u
_o__crt_atexit
x AVH
l<6KNA
l6?-p
oKlT=
.CRT$XCL
0A_A^_
OriginalFilename
WATAUAVAWH
RaiseFailFastException
api-ms-win-core-processthreads-l1-1-1.dll
.?AV<lambda_d491092b0b42a92e3410d6e14a433b1e>@@
T`zx&
A_A^A]_^
ovector<T> too long
.?AV<lambda_821a0f12845a14b96db5f2eb03f35e4b>@@
##+,0
.?AV?$_Func_impl_no_alloc@V<lambda_2ac3edc49f8b8483bd44c4a6e550a1a0>@@XAEAV?$Optional@PEBU_TlgProvider_t@@@@@std@@
Fgv5T
VarFileInfo
fD9t]
api-ms-win-core-interlocked-l1-1-0.dll
)1E3k
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
>^8K{\e[-]
Z>?5I
]SS-2"
fD94Cu
PPOisrq
@VWATAVAWH
.CRT$XCA
.CRT$XCAA
L$0fD
.xdata
cE&V9.
poB:6W^^YYH
.gfids
.?AV?$Global@V?$LockBox@V?$unordered_map@_KPEAUThreadInfo@Private@@U?$hash@_K@std@@U?$equal_to@_K@4@V?$allocator@U?$pair@$$CB_KPEAUThreadInfo@Private@@@std@@@4@@std@@$0PPPPPPPP@@@@@
D9w u=H
phkkhk
KERNEL32.dll
ReleaseSRWLockShared
\$ UH
fD94Au
M6X;w
ADVAPI32.dll
.CRT$XTZ
^9# 0
\$8E3
$+,-/
%hs(%d)\%hs!%p:
Grant more screen time
Operating System
D9yL|
L9{0t#H
.00cfg
V~{`:
.?AV_Node_end_rep@std@@
,,..,!
T$8H!\$8
UnhandledExceptionFilter
|?9=nB:{
|Ajs-
GetModuleHandleExW
9\u5H
CGJ'%
8fwG9
FailFast
9;hg;;
UVWATAUAVAWH
EventUnregister
_o_realloc
ar-ye
.?AVbad_cast@std@@
"#$+?
CloseHandle
L$8E3
&0031?
zGV-8
CoCreateCOMTaskServerObject
6d[P'id
t>y#H
currentContextName
.?AVexception@std@@
lkTRRa`bk
p\Microsoft\Windows\Shell\CreateObjectTask
@.reloc
@SUVWATAUAVAWH
d$4I;
bad array new length
Microsoft.FamilySafety.Dev
ATAVAWH
sso=}~}}x
.?AV_Node_if@std@@
{|?uXH
iG&[#A+'
_o___std_exception_destroy
CloseThreadpool
Jua:7
)**1**1**
.?AVfacet@locale@std@@
??1_Lockit@std@@QEAA@XZ
CompanyName
VS_VERSION_INFO
t$ WATAUAVAWH
zssys
GetLastError
GetCurrentThreadId
@A_A^_
fa-ae
9\uBH
D9K(t
failureCount
GetSystemTimeAsFileTime
""$4AAALLL
CoCreateInstanceAsSystem
ApproveChildRequestExe
A_A^_^]
AuthD
LogHr
ipF ?
^'x'Ik1
fD9$Gu
.CRT$XCZ
9\uFH
.?AV?$_Func_impl_no_alloc@V<lambda_701992cd54336967b334c5b58053aba8>@@X$$V@std@@
###%&$F
~o0`)
%B5v>pj
a7E-F
;Zk9??
_o_towlower
!LAbZjl[
digit
~}u^K
.?AV<lambda_9139b00e51d47a9efaa659cf401ab3fc>@@
D$8H!t$8H
{xbu_
{z{XV
.?AV?$_Func_impl_no_alloc@V<lambda_1045e2cc1ea707392ed7811b31122c1c>@@XAEAV?$Optional@V?$map@V?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@VDay@@ULessNoCase@StringAlgo@@V?$allocator@U?$pair@$$CBV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@VDay@@@std@@@2@@std@@@@@std@@
~x]KH
~8GES
((*)>
map/set<T> too long
currentContextMessage
CommandLineToArgvW
_o__exit
Exception
GetProcessHeap
{]Ubc
OLOcI
7X]aXa
.?AV?$LockBox@V?$Optional@V?$stack@PEAVGlobals@@V?$deque@PEAVGlobals@@V?$allocator@PEAVGlobals@@@std@@@std@@@std@@@@$0PPPPPPPP@@@
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
Y"x"D
Sleep
+y7ee
.?AV?$_Func_impl_no_alloc@V<lambda_896c2242833e9f179c27a55a2c01d926>@@XAEAV?$Optional@V?$LockBox@V?$unordered_map@_KPEAUThreadInfo@Private@@U?$hash@_K@std@@U?$equal_to@_K@4@V?$allocator@U?$pair@$$CB_KPEAUThreadInfo@Private@@@std@@@4@@std@@$0PPPPPPPP@@@@@@std@@
ADX[[
HIDAT
nml[__^
.CRT$XPA
^Bb'1
ssw7w
Uvvu],
SetUnhandledExceptionFilter
cwoG'VBj
h+SK[
USSRRSaa__M
57wxx
EhL~.
.data
^9# 9
fa-ir
I#!"?
?tolower@?$ctype@G@std@@QEBAGG@Z
u0HcH<H
t$ UWATAVAWH
.?AVtype_info@@
.?AV?$Global@PEBU_TlgProvider_t@@@@
44K5)R
.text
~}u^YZ
InitOnceBeginInitialize
fcXmbbP
M#\UI
#&##$<
hfdTv
_o__errno
T$0H+
memset
.?AV?$_Func_impl_no_alloc@V<lambda_8d09d1e622c439c6b510b57ff56d9177>@@X$$V@std@@
.?AV_Ref_count_base@std@@
_o___stdio_common_vsnprintf_s
tzD9uHttH
35k*V
`.rdata
*3ws-
'#y.K`
CallContext:[%hs]
[%hs]
.?AV?$_Ref_count_obj@VModule@Com@@@std@@
7]Joy
~NWI9
v:;;o
{xuux
.rdata$brc
jsN%K
f9Axu`
H9_Hs<
ReleaseSemaphore
EFFIIFFz
_c]\>9
<P69C
.?AV<lambda_6f3db37b64316ef4e298bc0608939a64>@@
originatingContextId
\$ UVWAVAWH
GetProcAddress
CreateEventExW
fa-pk
9S|ucH
WAUAVH
D$0H;8u
lineNumber
ProductName
cntrl
A^A]_
fa-kw
QueueUserAPC
TlsGetValue
8x{{w
PE Information
| Image Base | Entry Point | Reported Checksum | Actual Checksum | Minimum OS Version | PDB Path | Compile Time | Import Hash | Icon | Icon Exact Hash | Icon Similarity Hash | Icon DHash |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 0x140000000 | 0x00013b60 | 0x0004277d | 0x0004277d | 10.0 | ApproveChildRequest.pdb | 2100-07-01 19:58:57 | 9d738a87bb08c56551e21d25473b01d6 |  |
3deb17843c93cbafadcaa88b6cf864b4 | 8d981ae729edefd0a4ffeaf901546a26 | c8cc8c9cd4fe7870 |
Version Infos
| CompanyName | Microsoft Corporation |
|---|---|
| FileDescription | Grant more screen time |
| FileVersion | 10.0.17763.1 (WinBuild.160101.0800) |
| InternalName | ApproveChildRequest.exe |
| LegalCopyright | รยฉ Microsoft Corporation. All rights reserved. |
| OriginalFilename | ApproveChildRequest.exe |
| ProductName | Microsoftรยฎ Windowsรยฎ Operating System |
| ProductVersion | 10.0.17763.1 |
| Translation | 0x0409 0x04b0 |
Sections
| Name | RAW Address | Virtual Address | Virtual Size | Size of Raw Data | Characteristics | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x00000400 | 0x00001000 | 0x00015285 | 0x00015400 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.16 |
| .rdata | 0x00015800 | 0x00017000 | 0x00009828 | 0x00009a00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.37 |
| .data | 0x0001f200 | 0x00021000 | 0x00002d20 | 0x00002400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 4.35 |
| .pdata | 0x00021600 | 0x00024000 | 0x000013ec | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.00 |
| .rsrc | 0x00022a00 | 0x00026000 | 0x000174d8 | 0x00017600 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 7.41 |
| .reloc | 0x0003a000 | 0x0003e000 | 0x0000037c | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 4.93 |
| Name | Offset | Size | Language | Sub-language | Entropy | File type |
|---|---|---|---|---|---|---|
| MUI | 0x0003d408 | 0x000000d0 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.68 | None |
| RT_ICON | 0x00026750 | 0x00000668 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.09 | None |
| RT_ICON | 0x00026db8 | 0x000002e8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.24 | None |
| RT_ICON | 0x000270a0 | 0x000001e8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.98 | None |
| RT_ICON | 0x00027288 | 0x00000128 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.47 | None |
| RT_ICON | 0x000273b0 | 0x00000ea8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.77 | None |
| RT_ICON | 0x00028258 | 0x000008a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 6.15 | None |
| RT_ICON | 0x00028b00 | 0x000006c8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 6.29 | None |
| RT_ICON | 0x000291c8 | 0x00000568 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.04 | None |
| RT_ICON | 0x00029730 | 0x0000f7d5 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 7.98 | None |
| RT_ICON | 0x00038f08 | 0x000025a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.26 | None |
| RT_ICON | 0x0003b4b0 | 0x000010a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.65 | None |
| RT_ICON | 0x0003c558 | 0x00000988 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.97 | None |
| RT_ICON | 0x0003cee0 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.89 | None |
| RT_GROUP_ICON | 0x0003d348 | 0x000000bc | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.07 | None |
| RT_VERSION | 0x00026380 | 0x000003cc | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.46 | None |
Imports
| Name | Address |
|---|---|
| UnregisterTraceGuids | 0x140017a58 |
| RegisterTraceGuidsW | 0x140017a60 |
| GetTraceEnableLevel | 0x140017a68 |
| GetTraceEnableFlags | 0x140017a70 |
| GetTraceLoggerHandle | 0x140017a78 |
| TraceMessage | 0x140017a80 |
| EventWriteTransfer | 0x140017a88 |
| EventActivityIdControl | 0x140017a90 |
| Name | Address |
|---|---|
| _initterm | 0x140017e88 |
| _initterm_e | 0x140017e90 |
| _c_exit | 0x140017e98 |
| _register_thread_local_exe_atexit_callback | 0x140017ea0 |
| Name | Address |
|---|---|
| memset | 0x140017eb0 |
| Name | Address |
|---|---|
| SysAllocString | 0x140017c38 |
| SysFreeString | 0x140017c40 |
| VariantClear | 0x140017c48 |
| Name | Address |
|---|---|
| RtlLookupFunctionEntry | 0x140017ce0 |
| RtlCaptureContext | 0x140017ce8 |
| RtlVirtualUnwind | 0x140017cf0 |
| Name | Address |
|---|---|
| UnhandledExceptionFilter | 0x140017c78 |
| SetUnhandledExceptionFilter | 0x140017c80 |
| Name | Address |
|---|---|
| GetCurrentProcess | 0x140017ca0 |
| TerminateProcess | 0x140017ca8 |
| GetStartupInfoW | 0x140017cb0 |
| Name | Address |
|---|---|
| IsProcessorFeaturePresent | 0x140017cc0 |
| Name | Address |
|---|---|
| QueryPerformanceCounter | 0x140017cd0 |
| Name | Address |
|---|---|
| GetSystemTimeAsFileTime | 0x140017d18 |
| Name | Address |
|---|---|
| InitializeSListHead | 0x140017c90 |
| Name | Address |
|---|---|
| EventRegister | 0x140017ec0 |
| EventUnregister | 0x140017ec8 |
| EventSetInformation | 0x140017ed0 |
| Name | Address |
|---|---|
| EnterCriticalSection | 0x140017d00 |
| LeaveCriticalSection | 0x140017d08 |
| Name | Address |
|---|---|
| CommandLineToArgvW | 0x140017ee0 |
| Name | Address |
|---|---|
| CoUninitialize | 0x140017fc8 |
| CoInitializeEx | 0x140017fd0 |
| Name | Address |
|---|---|
| RoUninitialize | 0x140017d28 |
| RoInitialize | 0x140017d30 |
| Name | Address |
|---|---|
| PostThreadMessageW | 0x140017c58 |
| Name | Address |
|---|---|
| CoCreateInstance | 0x140017c68 |
| Name | Address |
|---|---|
| EtwTraceMessage | 0x140017fb8 |
Usage
Processing ( 10.88 seconds )
- 10.286 ProcessMemory
- 0.581 CAPE
- 0.006 BehaviorAnalysis
- 0.004 AnalysisInfo
- 0.001 Debug
Signatures ( 0.06 seconds )
- 0.009 antianalysis_detectfile
- 0.008 ransomware_files
- 0.006 antiav_detectreg
- 0.005 ransomware_extensions
- 0.004 antiav_detectfile
- 0.003 ursnif_behavior
- 0.002 antianalysis_detectreg
- 0.002 infostealer_bitcoin
- 0.002 infostealer_ftp
- 0.002 infostealer_im
- 0.002 poullight_files
- 0.002 territorial_disputes_sigs
- 0.001 banker_zeus_p2p
- 0.001 bot_drive
- 0.001 bot_drive2
- 0.001 antivm_vbox_files
- 0.001 antivm_vbox_keys
- 0.001 geodo_banking_trojan
- 0.001 browser_security
- 0.001 disables_backups
- 0.001 disables_browser_warn
- 0.001 disables_power_options
- 0.001 azorult_mutexes
- 0.001 cryptbot_files
- 0.001 echelon_files
- 0.001 infostealer_mail
- 0.001 masquerade_process_name
- 0.001 revil_mutexes
- 0.001 modirat_behavior
Reporting ( 0.01 seconds )
- 0.005 CAPASummary
- 0.001 JsonDump
Signatures
The PE file contains a PDB path
pdbpath: ApproveChildRequest.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
The binary likely contains encrypted or compressed data
section: {'name': '.rsrc', 'raw_address': '0x00022a00', 'virtual_address': '0x00026000', 'virtual_size': '0x000174d8', 'size_of_data': '0x00017600', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x40000040', 'entropy': '7.41'}
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 2448 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 59 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections
Binary compilation timestomping detected
anomaly: Compilation timestamp is in the future
Screenshots
No screenshots available.Hosts
No hosts contacted.
DNS
No domains contacted.
Summary
C:\Windows\System32\kernel.appcore.dll
\Device\CNG
\Device\CNG
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_CURRENT_USER
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_CURRENT_USER
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.
No hosts contacted.
No TCP connections recorded.
No UDP connections recorded.
No domains contacted.
HTTP Requests
No HTTP(s) requests performed.
SMTP traffic
No SMTP traffic performed.
IRC traffic
No IRC requests performed.
No ICMP traffic performed.
CIF Results
No CIF Results
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Suricata HTTP
No Suricata HTTP
Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.
Sorry! No process dumps.