Analysis

Category FILE
Package exe
Started 2025-06-12 19:31:14
Completed 2025-06-12 20:02:09
Duration 1855 seconds
Options
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1
Analysis Log
2024-11-25 13:37:15,366 [root] INFO: Date set to: 20250611T19:37:08, timeout set to: 1800
2025-06-11 20:37:08,806 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8
2025-06-11 20:37:08,806 [root] DEBUG: Storing results at: C:\pvZafqQC
2025-06-11 20:37:08,806 [root] DEBUG: Pipe server name: \\.\PIPE\xVrVnxQMgC
2025-06-11 20:37:08,806 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-11 20:37:08,806 [root] INFO: analysis running as an admin
2025-06-11 20:37:08,806 [root] INFO: analysis package specified: "exe"
2025-06-11 20:37:08,806 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-11 20:37:09,150 [root] DEBUG: imported analysis package "exe"
2025-06-11 20:37:09,150 [root] DEBUG: initializing analysis package "exe"...
2025-06-11 20:37:09,150 [lib.common.common] INFO: wrapping
2025-06-11 20:37:09,150 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-11 20:37:09,197 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\CHXSmartScreen.exe
2025-06-11 20:37:09,197 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-11 20:37:09,197 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-11 20:37:09,197 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-11 20:37:09,197 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-11 20:37:09,462 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-11 20:37:09,493 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-11 20:37:09,540 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-11 20:37:09,540 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-11 20:37:09,556 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-11 20:37:09,556 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-11 20:37:09,556 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-11 20:37:09,571 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-11 20:37:09,571 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-11 20:37:09,571 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-11 20:37:09,571 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-11 20:37:09,571 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-11 20:37:09,571 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-11 20:37:09,571 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-11 20:37:09,571 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-11 20:37:09,571 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-11 20:37:09,571 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-11 20:37:09,571 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-11 20:37:20,837 [modules.auxiliary.digisig] DEBUG: File has a valid signature
2025-06-11 20:37:20,837 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-11 20:37:20,837 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-11 20:37:20,837 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-11 20:37:20,837 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-11 20:37:20,837 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-11 20:37:20,837 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-11 20:37:20,837 [modules.auxiliary.disguise] INFO: Disguising GUID to d174c01b-2927-46cb-bfdb-c843affbea4a
2025-06-11 20:37:20,853 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-11 20:37:20,853 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-11 20:37:20,853 [root] DEBUG: attempting to configure 'Human' from data
2025-06-11 20:37:20,853 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-11 20:37:20,853 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-11 20:37:20,853 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-11 20:37:20,853 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-11 20:37:20,853 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-11 20:37:20,853 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-11 20:37:20,853 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-11 20:37:20,853 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-11 20:37:20,853 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-11 20:37:20,853 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-11 20:37:20,853 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-11 20:37:20,853 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-11 20:37:20,853 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-11 20:37:20,853 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-11 20:37:20,884 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini
2025-06-11 20:37:20,884 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-11 20:37:20,884 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-11 20:37:20,884 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-11 20:37:20,884 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-11 20:37:20,884 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-11 20:37:20,884 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-11 20:37:20,900 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\lTUiRm.dll, loader C:\tmp_gell1p8\bin\uQchymxO.exe
2025-06-11 20:37:20,978 [root] DEBUG: Loader: IAT patching disabled.
2025-06-11 20:37:20,978 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\lTUiRm.dll.
2025-06-11 20:37:21,025 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-11 20:37:21,025 [root] INFO: Disabling sleep skipping.
2025-06-11 20:37:21,025 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-11 20:37:21,025 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-11 20:37:21,025 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-11 20:37:21,025 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-11 20:37:21,025 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-11 20:37:21,040 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-11 20:37:21,056 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-11 20:37:21,056 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-11 20:37:21,056 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 6212, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000
2025-06-11 20:37:21,056 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-11 20:37:21,087 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-11 20:37:21,087 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-11 20:37:21,087 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\lTUiRm.dll.
2025-06-11 20:37:21,087 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-11 20:37: <truncated>

Machine

Name win10-2
Label win10-2
Manager KVM
Started On 2025-06-12 19:31:14
Shutdown On 2025-06-12 20:01:49
Route none

File Details

File Name CHXSmartScreen.exe
File Type PE32+ executable (GUI) x86-64, for MS Windows
File Size 369168 bytes
MD5 6ea385782f523a0625857b70e537009b
SHA1 e0f513e46dd195a42c22ffcda565d1cf9423c826
SHA256 5361e075552716e77cfabd48dbf31e661221e4589937b1d65bc3eecac0685b0a
SHA3-384 a167ac8725f98ca5d27057d8c8727a40a2d10241f955dc5f467b2af90cfab7c6e63c3d22493e2eeb6b3a13b494151e97
CRC32 E6F94E91
TLSH T14074396A5F9C58E2E63661794892C345F772B4210B6187CB4171432F7F7B1F8AC3A2B2
Ssdeep 6144:DLVHcjQvwEp8XCh3PN6jK2pFvV34+LrbWwjaOfHuQ+:DLVHxbaJrphVDFff+


PE Information

Image Base 0x140000000
Entry Point 0x0002e880
Reported Checksum 0x0005bd7d
Actual Checksum 0x0005bd7d
Minimum OS Version 6.0
PDB Path CHXSmartScreen.pdb
Compile Time 2018-09-15 04:38:31
Import Hash d07f339917a9f6afac8eaaba678a78a7
Exported DLL Name CHXSmartScreen.exe

Version Infos

CompanyName Microsoft Corporation
FileDescription CHXSmartScreen.exe
FileVersion 10.0.17763.1 (WinBuild.160101.0800)
InternalName CHXSmartScreen.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename CHXSmartScreen.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.17763.1
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x000325c6 0x00032600 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.20
.rdata 0x00032a00 0x00034000 0x0001ba20 0x0001bc00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.51
.data 0x0004e600 0x00050000 0x00005170 0x00004800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 3.95
.pdata 0x00052e00 0x00056000 0x00003810 0x00003a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.42
.rsrc 0x00056800 0x0005a000 0x00000418 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 2.45
.reloc 0x00056e00 0x0005b000 0x00001150 0x00001200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.41

Overlay

Offset 0x00058000
Size 0x00002210

Name Offset Size Language Sub-language Entropy File type
RT_VERSION 0x0005a060 0x000003b4 LANG_ENGLISH SUBLANG_ENGLISH_US 3.43 None

Imports

Name Address
EventWriteTransfer 0x1400341f8
EventUnregister 0x140034200
EventSetInformation 0x140034208
EventRegister 0x140034210
Name Address
WaitForSingleObjectEx 0x1400340d0
ReleaseSRWLockExclusive 0x1400340d8
InitializeCriticalSectionEx 0x1400340e0
SetEvent 0x1400340e8
ResetEvent 0x1400340f0
AcquireSRWLockShared 0x1400340f8
AcquireSRWLockExclusive 0x140034100
InitializeCriticalSection 0x140034108
DeleteCriticalSection 0x140034110
ReleaseSRWLockShared 0x140034118
LeaveCriticalSection 0x140034120
CreateEventExA 0x140034128
EnterCriticalSection 0x140034130
Name Address
CoGetObjectContext 0x140034000
CoGetApartmentType 0x140034008
Name Address
TerminateProcess 0x140034050
GetCurrentProcessId 0x140034058
GetCurrentProcess 0x140034060
GetCurrentThreadId 0x140034068
GetStartupInfoW 0x140034070
Name Address
CloseHandle 0x140034030
Name Address
?InitializeData@Details@Platform@@YAJH@Z 0x140034448
?ReCreateFromException@Details@Platform@@YAJPE$AAVException@2@@Z 0x140034450
?GetIidsFn@@YAJHPEAKPEBU__s_GUID@@PEAPEAVGuid@Platform@@@Z 0x140034458
?GetActivationFactoryByPCWSTR@@YAJPEAXAEAVGuid@Platform@@PEAPEAX@Z 0x140034460
?UninitializeData@Details@Platform@@YAXH@Z 0x140034468
?__abi_FailFast@@YAXXZ 0x140034470
?EventSourceGetTargetArrayEvent@Details@Platform@@YAPEAXPEAXIPEBXPEA_J@Z 0x140034478
?EventSourceGetTargetArraySize@Details@Platform@@YAIPEAX@Z 0x140034480
?EventSourceGetTargetArray@Details@Platform@@YAPEAXPEAXPEAUEventLock@12@@Z 0x140034488
??0ChangedStateException@Platform@@QE$AAA@XZ 0x140034490
?EventSourceInitialize@Details@Platform@@YAXPEAPEAX@Z 0x140034498
??0OutOfBoundsException@Platform@@QE$AAA@XZ 0x1400344a0
??0FailureException@Platform@@QE$AAA@XZ 0x1400344a8
??0OutOfMemoryException@Platform@@QE$AAA@XZ 0x1400344b0
?EventSourceAdd@Details@Platform@@YA?AVEventRegistrationToken@Foundation@Windows@@PEAPEAXPEAUEventLock@12@PE$AAVDelegate@2@@Z 0x1400344b8
?EventSourceRemove@Details@Platform@@YAXPEAPEAXPEAUEventLock@12@VEventRegistrationToken@Foundation@Windows@@@Z 0x1400344c0
?EventSourceUninitialize@Details@Platform@@YAXPEAPEAX@Z 0x1400344c8
?ResolveWeakReference@Details@Platform@@YAPE$AAVObject@2@AEBU_GUID@@PEAPEAU__abi_IUnknown@@@Z 0x1400344d0
??0NotImplementedException@Platform@@QE$AAA@XZ 0x1400344d8
?GetWeakReference@Details@Platform@@YAPEAU__abi_IUnknown@@QE$ADVObject@2@@Z 0x1400344e0
?ReCreateException@Exception@Platform@@SAPE$AAV12@H@Z 0x1400344e8
?__abi_ObjectToString@__abi_details@@YAPE$AAVString@Platform@@PE$AAVObject@3@_N@Z 0x1400344f0
?get@FullName@Type@Platform@@QE$AAAPE$AAVString@3@XZ 0x1400344f8
?GetTypeCode@Type@Platform@@SA?AW4TypeCode@2@PE$AAV12@@Z 0x140034500
?GetIBoxVtable@Details@Platform@@YAPEAXPEAX@Z 0x140034508
?CreateValue@Details@Platform@@YAPE$AAVObject@2@W4TypeCode@2@PEBX@Z 0x140034510
?CreateException@Exception@Platform@@SAPE$AAV12@H@Z 0x140034518
?__abi_cast_Object_to_String@__abi_details@@YAPE$AAVString@Platform@@_NPE$AAVObject@3@@Z 0x140034520
?ToString@Enum@Platform@@QE$AAAPE$AAVString@2@XZ 0x140034528
?get@Message@Exception@Platform@@QE$AAAPE$AAVString@3@XZ 0x140034530
?GetIBoxArrayVtable@Details@Platform@@YAPEAXPEAX@Z 0x140034538
??0Delegate@Platform@@QE$AAA@XZ 0x140034540
??0DisconnectedException@Platform@@QE$AAA@XZ 0x140034548
??0FailureException@Platform@@QE$AAA@PE$AAVString@1@@Z 0x140034550
?AllocateException@Heap@Details@Platform@@SAPEAX_K0@Z 0x140034558
?__abi_cast_String_to_Object@__abi_details@@YAPE$AAVObject@Platform@@PE$AAVString@3@@Z 0x140034560
?__abi_make_type_id@@YAPE$AAVType@Platform@@AEBU__abi_type_descriptor@@@Z 0x140034568
??BType@Platform@@SA?AVTypeName@Interop@Xaml@UI@Windows@@PE$AAV01@@Z 0x140034570
?Allocate@Heap@Details@Platform@@SAPEAX_K0@Z 0x140034578
?ReleaseTarget@ControlBlock@Details@Platform@@AEAAXXZ 0x140034580
?AlignedFree@Heap@Details@Platform@@SAXPEAX@Z 0x140034588
?Free@Heap@Details@Platform@@SAXPEAX@Z 0x140034590
??0Object@Platform@@QE$AAA@XZ 0x140034598
?__abi_WinRTraiseNotImplementedException@@YAXXZ 0x1400345a0
?__abi_WinRTraiseInvalidCastException@@YAXXZ 0x1400345a8
?__abi_WinRTraiseNullReferenceException@@YAXXZ 0x1400345b0
?__abi_WinRTraiseOperationCanceledException@@YAXXZ 0x1400345b8
?__abi_WinRTraiseFailureException@@YAXXZ 0x1400345c0
?__abi_WinRTraiseAccessDeniedException@@YAXXZ 0x1400345c8
?__abi_WinRTraiseOutOfMemoryException@@YAXXZ 0x1400345d0
?__abi_WinRTraiseInvalidArgumentException@@YAXXZ 0x1400345d8
?__abi_WinRTraiseOutOfBoundsException@@YAXXZ 0x1400345e0
?__abi_WinRTraiseChangedStateException@@YAXXZ 0x1400345e8
?__abi_WinRTraiseClassNotRegisteredException@@YAXXZ 0x1400345f0
?__abi_WinRTraiseWrongThreadException@@YAXXZ 0x1400345f8
?__abi_WinRTraiseDisconnectedException@@YAXXZ 0x140034600
?__abi_WinRTraiseObjectDisposedException@@YAXXZ 0x140034608
?__abi_WinRTraiseCOMException@@YAXJ@Z 0x140034610
?GetCmdArguments@Details@Platform@@YAPEAPEA_WPEAH@Z 0x140034618
?GetActivationFactory@Details@Platform@@YAJPEAVModuleBase@1WRL@Microsoft@@PEAUHSTRING__@@PEAPEAUIActivationFactory@@@Z 0x140034620
?TerminateModule@Details@Platform@@YA_NPEAVModuleBase@1WRL@Microsoft@@@Z 0x140034628
Name Address
_commode 0x140034220
_fmode 0x140034228
_acmdln 0x140034230
__setusermatherr 0x140034238
_cexit 0x140034240
_exit 0x140034248
exit 0x140034250
__set_app_type 0x140034258
__CxxFrameHandler3 0x140034260
_purecall 0x140034268
??3@YAXPEAX@Z 0x140034270
??0exception@@QEAA@AEBV0@@Z 0x140034278
?what@exception@@UEBAPEBDXZ 0x140034280
??1exception@@UEAA@XZ 0x140034288
??0exception@@QEAA@AEBQEBD@Z 0x140034290
sprintf_s 0x140034298
??0bad_cast@@QEAA@AEBV0@@Z 0x1400342a0
??1bad_cast@@UEAA@XZ 0x1400342a8
??0bad_cast@@QEAA@PEBD@Z 0x1400342b0
free 0x1400342b8
??_V@YAXPEAX@Z 0x1400342c0
localeconv 0x1400342c8
strcspn 0x1400342d0
??0exception@@QEAA@XZ 0x1400342d8
__ExceptionPtrDestroy 0x1400342e0
__ExceptionPtrCopy 0x1400342e8
__ExceptionPtrRethrow 0x1400342f0
__ExceptionPtrCurrentException 0x1400342f8
__ExceptionPtrCreate 0x140034300
?terminate@@YAXXZ 0x140034308
wcsrchr 0x140034310
_errno 0x140034318
_CxxThrowException 0x140034320
memcpy 0x140034328
memmove 0x140034330
??0exception@@QEAA@AEBQEBDH@Z 0x140034338
malloc 0x140034340
_callnewh 0x140034348
__uncaught_exception 0x140034350
setlocale 0x140034358
_lock 0x140034360
_unlock 0x140034368
___mb_cur_max_func 0x140034370
___lc_handle_func 0x140034378
___lc_codepage_func 0x140034380
_ismbblead 0x140034388
memset 0x140034390
__pctype_func 0x140034398
calloc 0x1400343a0
abort 0x1400343a8
_wcsdup 0x1400343b0
__crtLCMapStringW 0x1400343b8
_get_current_locale 0x1400343c0
_free_locale 0x1400343c8
wcslen 0x1400343d0
??1type_info@@UEAA@XZ 0x1400343d8
__dllonexit 0x1400343e0
__C_specific_handler 0x1400343e8
_onexit 0x1400343f0
_XcptFilter 0x1400343f8
_amsg_exit 0x140034400
_initterm 0x140034408
__getmainargs 0x140034410
pow 0x140034418
Name Address
CoCreateFreeThreadedMarshaler 0x140034428
CoTaskMemAlloc 0x140034430
CoTaskMemFree 0x140034438
Name Address
RoOriginateError 0x140034180
SetRestrictedErrorInfo 0x140034188
RoFailFastWithErrorContext 0x140034190
Name Address
RoReportUnhandledError 0x1400341a0
Name Address
MultiByteToWideChar 0x1400340b0
WideCharToMultiByte 0x1400340b8
GetStringTypeW 0x1400340c0
Name Address
DecodePointer 0x140034168
EncodePointer 0x140034170
Name Address
Sleep 0x140034140
Name Address
RtlCaptureContext 0x140034090
RtlVirtualUnwind 0x140034098
RtlLookupFunctionEntry 0x1400340a0
Name Address
SetUnhandledExceptionFilter 0x140034018
UnhandledExceptionFilter 0x140034020
Name Address
QueryPerformanceCounter 0x140034080
Name Address
GetTickCount 0x140034150
GetSystemTimeAsFileTime 0x140034158
Name Address
GetModuleHandleW 0x140034040

Exports

Name Address Ordinal
DllCanUnloadNow 0x14002f410 1
DllGetActivationFactory 0x14002f430 2
VSDesignerDllMain 0x1400236f0 3

Usage

Processing ( 0.84 seconds )

  • 0.826 CAPE
  • 0.011 BehaviorAnalysis
  • 0.007 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.06 seconds )

  • 0.008 ransomware_files
  • 0.006 antiav_detectreg
  • 0.005 antianalysis_detectfile
  • 0.005 ransomware_extensions
  • 0.003 infostealer_ftp
  • 0.003 territorial_disputes_sigs
  • 0.003 ursnif_behavior
  • 0.002 antiav_detectfile
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.001 banker_zeus_p2p
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 infostealer_bitcoin
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior

Reporting ( 0.00 seconds )

  • 0.003 CAPASummary
  • 0.001 JsonDump

Signatures

  • The PE file contains a PDB path
      pdbpath: CHXSmartScreen.pdb
  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Anomalous binary characteristics
      anomaly: Entrypoint of binary is located outside of any mapped sections

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Windows\System32\kernel.appcore.dll
\Device\CNG
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsRuntime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\CustomAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\Diagnosis
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
Local\SM0:3796:304:WilStaging_02
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No TCP connections recorded.

No UDP connections recorded.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.