Analysis

Category: FILE
Package: exe
Started: 2025-06-12 23:25:31
Completed: 2025-06-12 23:56:16
Duration: 1845 seconds
Options:
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1

Analysis log:
2024-11-25 13:37:15,209 [root] INFO: Date set to: 20250612T08:47:16, timeout set to: 1800
2025-06-12 09:47:16,644 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8
2025-06-12 09:47:16,644 [root] DEBUG: Storing results at: C:\dyXKcUFom
2025-06-12 09:47:16,644 [root] DEBUG: Pipe server name: \\.\PIPE\qnnuDKbwZc
2025-06-12 09:47:16,644 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-12 09:47:16,644 [root] INFO: analysis running as an admin
2025-06-12 09:47:16,644 [root] INFO: analysis package specified: "exe"
2025-06-12 09:47:16,644 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-12 09:47:17,175 [root] DEBUG: imported analysis package "exe"
2025-06-12 09:47:17,175 [root] DEBUG: initializing analysis package "exe"...
2025-06-12 09:47:17,175 [lib.common.common] INFO: wrapping
2025-06-12 09:47:17,175 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-12 09:47:17,175 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\DeviceEnroller.exe
2025-06-12 09:47:17,175 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-12 09:47:17,175 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-12 09:47:17,175 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-12 09:47:17,191 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-12 09:47:17,347 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-12 09:47:17,456 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-12 09:47:17,487 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-12 09:47:17,503 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-12 09:47:17,503 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-12 09:47:17,503 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-12 09:47:17,503 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-12 09:47:17,519 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-12 09:47:17,519 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-12 09:47:17,519 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-12 09:47:17,519 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-12 09:47:17,519 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-12 09:47:17,519 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-12 09:47:17,519 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-12 09:47:17,519 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-12 09:47:17,519 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-12 09:47:17,519 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-12 09:47:17,519 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-12 09:47:17,675 [modules.auxiliary.digisig] DEBUG: File is not signed
2025-06-12 09:47:17,675 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-12 09:47:17,675 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-12 09:47:17,675 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-12 09:47:17,675 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-12 09:47:17,675 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-12 09:47:17,675 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-12 09:47:17,675 [modules.auxiliary.disguise] INFO: Disguising GUID to 13b9d14e-0f91-45a9-9fa7-caff17481462
2025-06-12 09:47:17,675 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-12 09:47:17,675 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-12 09:47:17,675 [root] DEBUG: attempting to configure 'Human' from data
2025-06-12 09:47:17,675 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-12 09:47:17,675 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-12 09:47:17,675 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-12 09:47:17,675 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-12 09:47:17,675 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-12 09:47:17,675 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-12 09:47:17,675 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-12 09:47:17,675 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-12 09:47:17,675 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-12 09:47:17,675 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-12 09:47:17,675 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-12 09:47:17,675 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-12 09:47:17,675 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-12 09:47:17,691 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-12 09:47:17,691 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini
2025-06-12 09:47:17,706 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-12 09:47:17,706 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-12 09:47:17,706 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-12 09:47:17,706 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-12 09:47:17,706 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-12 09:47:17,706 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-12 09:47:17,706 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\pBKYMxnw.dll, loader C:\tmp_gell1p8\bin\GqrJjEhH.exe
2025-06-12 09:47:17,785 [root] DEBUG: Loader: IAT patching disabled.
2025-06-12 09:47:17,785 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\pBKYMxnw.dll.
2025-06-12 09:47:17,847 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-12 09:47:17,847 [root] INFO: Disabling sleep skipping.
2025-06-12 09:47:17,847 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-12 09:47:17,847 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-12 09:47:17,847 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-12 09:47:17,847 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-12 09:47:17,847 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-12 09:47:17,862 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-12 09:47:17,878 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-12 09:47:17,878 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-12 09:47:17,878 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 2516, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000
2025-06-12 09:47:17,878 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-12 09:47:17,894 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-12 09:47:17,894 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-12 09:47:17,894 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\pBKYMxnw.dll.
2025-06-12 09:47:17,894 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-12 09:47:1 <truncated>
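
Before trusting the behaviour this log records, check that the run itself was sound. Three lines above deserve a caveat: the screenshot module could not import PIL, so the run has no screenshots; capemon reports `norefer` as an unrecognised key, so that header option did nothing; and DigiSig reports no embedded signature on a file whose version resource (see the strings section: `deviceenroller.pdb`, `10.0.17763.1`, `Microsoft Corporation`) claims to be a Windows OS binary. That last result is inconclusive on its own, because most files shipped in %SystemRoot%\System32 are signed through security catalogs rather than an embedded Authenticode signature, so the correct next step is a catalog check or a hash comparison against a known-good copy from the same build, not a tampering verdict.

The script below is an added example, not part of this report or of CAPE's own code. It parses analyzer log lines in the format shown above and compares the options declared in the header with what the monitor actually accepted. The sample input is a constructed excerpt of this log; the `DECLARED_OPTIONS` table, the `findings` rules and the exact message texts they key on are assumptions taken from this one log rather than from CAPE's source.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# One CAPE analyzer log line: "<date> <time>,<ms> [<logger>] <LEVEL>: <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} "
    r"\[(?P<logger>[^\]]+)\] (?P<level>[A-Z]+): (?P<msg>.*)$"
)
OPTION_RE = re.compile(r"Option '(?P<key>[^']+)' with value '(?P<val>[^']*)' sent to monitor")
UNRECOG_RE = re.compile(r"unrecognised key (?P<key>[^\s.]+)")
INJECT_RE = re.compile(r"Injected into (?:32|64)-bit <Process (?P<pid>\d+) (?P<image>[^>]+)>")

# Options declared in the report header above (assumption: copied by hand from it).
DECLARED_OPTIONS = {
    "procmemdump": "1",
    "import_reconstruction": "1",
    "unpacker": "2",
    "norefer": "1",
    "no-iat": "1",
}

# Constructed input: the lines from the log above that the checks key on.
SAMPLE_LOG = """\
2025-06-12 09:47:16,644 [root] INFO: analysis running as an admin
2025-06-12 09:47:17,503 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-12 09:47:17,675 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-12 09:47:17,675 [modules.auxiliary.digisig] DEBUG: File is not signed
2025-06-12 09:47:17,675 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-12 09:47:17,706 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-12 09:47:17,706 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-12 09:47:17,706 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-12 09:47:17,706 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-12 09:47:17,706 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-12 09:47:17,706 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-12 09:47:17,847 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-12 09:47:17,894 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
"""


@dataclass
class LogHealth:
    errors: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)
    options_sent: Dict[str, str] = field(default_factory=dict)
    unrecognised_options: List[str] = field(default_factory=list)
    injected: List[Tuple[int, str]] = field(default_factory=list)
    digisig: Optional[str] = None  # DigiSig's verdict line, kept verbatim


def check_log(text: str) -> LogHealth:
    """Walk the log once and collect the facts the findings are built from."""
    h = LogHealth()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # truncated or non-log lines are skipped, never guessed at
        logger, level, msg = m["logger"], m["level"], m["msg"]
        if level == "ERROR":
            h.errors.append(msg)
        elif level == "WARNING":
            h.warnings.append(msg)
        if logger == "modules.auxiliary.digisig" and level == "DEBUG" and not msg.startswith("Checking"):
            h.digisig = msg
        o = OPTION_RE.search(msg)
        if o:
            h.options_sent[o["key"]] = o["val"]
            continue
        u = UNRECOG_RE.search(msg)
        if u:
            h.unrecognised_options.append(u["key"])
            continue
        i = INJECT_RE.search(msg)
        if i:
            h.injected.append((int(i["pid"]), i["image"]))
    return h


def findings(h: LogHealth, declared: Dict[str, str]) -> List[str]:
    """Turn the collected facts into the caveats an analyst should attach to the report."""
    out = []
    for key, val in declared.items():
        if key not in h.options_sent:
            out.append(f"option {key}={val} declared in the header was never sent to the monitor")
    for key, val in h.options_sent.items():
        if key not in declared:
            out.append(f"option {key}={val} is not in the header (added at runtime, e.g. by the tlsdump module)")
    for key in h.unrecognised_options:
        out.append(f"option {key!r} was sent but capemon did not recognise it; it had no effect")
    if any("screenshots are disabled" in w for w in h.warnings):
        out.append("screenshots disabled (PIL missing in the guest); no visual record of the run")
    if not h.injected:
        out.append("no successful injection logged; the behaviour trace will be empty")
    if h.digisig == "File is not signed":
        out.append("no embedded Authenticode signature; for a claimed Windows OS binary check the "
                   "catalog signature or a known-good hash before treating this as tampering")
    return out


if __name__ == "__main__":
    health = check_log(SAMPLE_LOG)
    for f in findings(health, DECLARED_OPTIONS):
        print("-", f)
```

Run against the full analyzer log, the same checks also catch the common silent failures of a sandbox run: a header option the guest never received, an injection that did not happen, or a guest missing a Python dependency.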

Machine

Name: win10-2
Label: win10-2
Manager: KVM
Started On: 2025-06-12 23:25:31
Shutdown On: 2025-06-12 23:55:56
Route: none

File Details

File Name: DeviceEnroller.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
File Size: 358912 bytes
MD5: 7bebb2aa47c633e7333fc21e54e1f6a8
SHA1: f63ec6ec9ba9a85fab5d7cea3df6a4c625b8417c
SHA256: c92623725c8f960a88007e88e96026251be79d30b14454fefcf127cd83d8b26f
SHA3-384: f5798040a7d4546c22cf863f15c991d1160a48afb4b8468306ece5805a31382344c83dfdc170c2e415a072f5b447c782
CRC32: 636C9530
TLSH: T12F74281797ED0895E53AD23D9ABB8206F67338421731C6CF0655854E2FBBAF4AD38321
Ssdeep: 6144:n/BEdxjWqHFsC2KXh+MLfEyM/nXQOQ2YleOQuGjY:+/Waa/K8MLfENpu5

Strings

\$xf92u
api-ms-win-core-kernel32-legacy-l1-1-0.dll
@.data
fA9tM
D$hE3
AlertSourceUri
fD9<^u
SVWATAVAWH
WindowsCreateStringReference
ReleaseMutex
GetStartupInfoW
APPID
ChannelExpiryTime
Microsoft.Windows.EnterpriseManagement.ResourceManager
ActivationHandle
CreateSemaphoreExW
SOFTWARE\Microsoft\DynamicManagement
u*9Q<|%
Microsoft.Windows.DeviceManagement.ConfigManager2
??1?$basic_ostream@GU?$char_traits@G@std@@@std@@UEAA@XZ
tWH9t$xH
OmaDmRegistrySetDWORD
x:;\$0
/c /Dynamo
onecoreuap\admin\enterprisemgmt\enrollactivities\exe\comserverdetails.h
Revert
SetCursor
RegSetValueExW
CreateXmlReader
ServerInitiated
EnrollEngineInitialize
[MDM Client Certificate Renew End] HRESULT: %1
Successfully discovered server (%1).
LoginTask
?sputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAA_JPEBG_J@Z
api-ms-win-core-string-l1-1-0.dll
VWAVH
X_^[]
MDM Unenroll: Deletion of at least one virtual smartcard certificate failed with HRESULT: %1
system
f94Gu
o\$PH
combase.dll
Microsoft Corporation
</Principal>
LoadLibraryExW
fD9,Qu
|$8L;
OutputDebugStringA
_XcptFilter
_lock
L9l$@t
ForcedReboot
<Actions Context="LocalSystem">
?imbue@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAXAEBVlocale@2@@Z
Elevated
Microsoft.Windows.Kernel.Pdc
__TlgCV__
VarType
Alerts
DeviceEnrollment
{973CC073-B7F4-4B3B-ABF8-74DF3FCAE76F}
SECURITY
/o "%s" /c /PushUpgrade
Microsoft.Windows.DeviceManagement.SecurityPolicyCsp
api-ms-win-core-string-obsolete-l1-1-0.dll
AppID
_initterm
.idata$5
FunctionName
.pdata
D$XE9'u%H
Microsoft
SetRestrictedErrorInfo
_acmdln
NodeUri
Reboot
.didat$2
@UVWAVAWH
.?AVCAtlException@ATL@@
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
Leaving %1.
.data$r$brc
<RunOnlyIfIdle>false</RunOnlyIfIdle>
GetEnrollmentSID
Microsoft.Windows.EnterpriseManagement.Dynamo
L;d$P
ActivityFailure
Function
|$ 0t
SetEvent
SleepConditionVariableSRW
_exit
!\$`H
0A^_^
<MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>
<ExecutionTimeLimit>PT1H</ExecutionTimeLimit>
ext-ms-win-ntuser-message-l1-1-0.dll
PdcpProcessMessageInternal
NaRuleUnregister
%hs!%p:
AlertDataType
K SVWH
ext-ms-win-clouddomainjoin-usermanagement-l1-1-0
Clear
BootTask
f;D$ t H
??1?$basic_ios@GU?$char_traits@G@std@@@std@@UEAA@XZ
ActivationCount
HKEY_PERFORMANCE_DATA
A usable private key was not found in the default key container. Either a private key must be generated in that container or CryptAquireCertificatePRivateKey can be used to gain access to the needed private key.
89:u,9z
CoCreateFreeThreadedMarshaler
p WAVAWH
ActivityStoppedAutomatically
<Author>$(@%systemRoot%\system32\deviceenroller.exe,-101)</Author>
.tls$ZZZ
<Count>3</Count>
CoCreateInstance
GetCommandLineW
SubTask
\$(L!|$ A
D8l$\t
Windows.Networking.PushNotifications.PushNotificationChannelManager
HttpSendRequest failed with (%1).
f9,Ku
ActivationsUpCounter
.CRT$XIA
?_Add_vtordisp2@?$basic_ostream@GU?$char_traits@G@std@@@std@@UEAAXXZ
RtlNtStatusToDosError
DispatchMessageW
api-ms-win-core-rtlsupport-l1-1-0.dll
hA_A^A]A\_^][
OpenEventW
ReturnCode
generic
NetUserGetInfo
ResetEvent
x UAVAWH
CoRevertToSelf
FileDescription
\$ UVWH
OmDmRegistryAllocAndGetString
S-1-5-18
onecoreuap\admin\enterprisemgmt\dynamo\lib\stateenumerator.cpp
l$xfD9m
\$ VWAVH
UWATAVAWH
ntdll.dll
GetChannelObjectActivity
GetEnrollmentType
PDCt3
10.0.17763.1
win:Informational
InitializeCriticalSection
WakeAllConditionVariable
HKEY_DYN_DATA
.?AV_com_error@@
Message2
AdjustTokenPrivileges
<Description>$(@%systemRoot%\system32\deviceenroller.exe,-104)</Description>
OMADM::TargetedUserSID
DeleteTask
l$0E3
States
CoWaitForMultipleHandles
D$(E3
fD9<Hu
CLSID
message
Using the default certificate hash algorithm to enroll.
originatingContextName
0A_A^_^]
GetTickCount64
22CoCreateTaskScheduler2
UMgrQueryDefaultAccountToken
L$(E3
spRootFolder->GetFolder()
.rdata$zETW9
api-ms-win-core-delayload-l1-1-0.dll
ChannelURI
UVWAVAWH
L$0E3
A_A^A\_]
?_Add_vtordisp1@?$basic_ios@GU?$char_traits@G@std@@@std@@UEAAXXZ
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z
<Command>%windir%\system32\deviceenroller.exe</Command>
Failed to get minimal key length from response.
TerminateProcess
\$ UVWAVAW
D!}@H
f9,Au
<RestartOnFailure>
Run a Cmd as the User
DWORD2
?showmanyc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JXZ
?_Xout_of_range@std@@YAXPEBD@Z
Software\Microsoft\Enrollments\
H!D$@3
Using the default certificate private key algorithm to enroll.
Message4
PushStatus
L$<H;
?sync@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAHXZ
CoCreateTaskScheduler
.text$x
@8|$Qt
T$ E3
_wtoi
PushRenewal
api-ms-win-core-processenvironment-l1-1-0.dll
AlpcGetMessageAttribute
DmDeleteTask
fD9#t
.xdata$x
Return value from function = %1.
GetModuleHandleW
ContextTriggeredActivity
api-ms-win-core-registry-l1-1-0.dll
L$ E3
RebootHandlerActivity
.CRT$XLZ
DmGetCurrentUserSid
??0?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAA@XZ
.giats
kernelbase.dll
.rsrc
api-ms-win-core-shutdown-l1-1-0.dll
SystemTimeToFileTime
@H;]Pu
api-ms-win-core-winrt-error-l1-1-0.dll
RenewActivity
https://login.windows.net
0A_A^_
OriginalFilename
win:Start
UserNotificationStatus
9w(v#H
[MDM Enroll Start] state machine: %1
sprintf_s
[MDM Unenroll End] Success
FileTimeToSystemTime
H!\$xH
onecoreuap\admin\enterprisemgmt\dynamo\lib\contextentry.cpp
Push_NotificationReceivedErrorLaunchingSession
onecoreuap\admin\enterprisemgmt\dynamo\lib\datastore.cpp
fD94Au
\$8E3
D8|$0
D9yL|
UVWATAUAVAWH
ProcessId
CloseHandle
L$8E3
Failed to convert minimal key length to integer. Default will be used.
@.reloc
onecoreuap\admin\enterprisemgmt\enrollactivities\dmscheduleadminlib\utils.cpp
LoadResource
_purecall
D9K(t
failureCount
GetSystemTimeAsFileTime
SeShutdownPrivilege
samcli.dll
DisableContextActivity
CoGetMalloc
TTBLX
Unknown authentication mode (%1) is used.
fD9:u
PRVAh
Soap Response Message: %1
Writing to temporary file (%1) failed with (%2).
9PdcA
CharNextW
NaturalAuthClient.dll
SetUnhandledExceptionFilter
\$hE3
?_Syserror_map@std@@YAPEBDH@Z
D$ E3
RtlFreeHeap
.text
<UserId>S-1-5-18</UserId>
ext-ms-win-rtcore-ntuser-cursor-l1-1-0.dll
DMCmnUtils.dll
EnterpriseDeviceManagement.Enrollment.ReflectedEnroller
onecoreuap\admin\enterprisemgmt\mdmpush\lib\mdmpush.cpp
Software\Microsoft\Provisioning\ServerConfig\%s\CustomAlertConfiguration
.rdata$brc
ext-ms-win-security-chambers-l1-1-1
originatingContextId
EnrollmentID
Cx9D$Pu
ext-ms-win-devmgmt-dm-l1-1-0.dll
SOAP message (%1) created.
PdcpAlpcProcessMessage
s WAVAWH
/SID
Contexts
LocalAlloc
ExpiryTime
<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task" xmlns:auto-ns1="urn:schemas-microsoft-com:asm.v3">
.idata$4
H!E`H
MDMRegistration.DLL
DmRaiseToastNotification
.rdata$T$brc
`A_A^A]A\_^[
Component Categories
__dllonexit
RegEnumKeyExW
Push_PFNRegistrationFailure
Function %1 failed with result (%2).
api-ms-win-core-com-l1-1-0.dll
protocol
AlertData
__C_specific_handler
WEVTl
9PdcAu
std::exception: %hs
Start AutoEnrollMDM.
OmaDmRegistrySetBinary
EnrollmentId
[MDM Enroll End] Success
CreateEventW
StartWaitForUnenrollment
D9s u
.text$mn$00
win:Verbose
t$ WH
Accepted
OSData\SOFTWARE\Microsoft\DynamicManagement
SetLastError
.rsrc$01
CallContext:[%hs]
DebugBreak
?setstate@?$basic_ios@GU?$char_traits@G@std@@@std@@QEAAXH_N@Z
Y@H9;u%L
ShellChromeAPI.dll
Microsoft.Windows.DeviceManagement.DevInfo
A_A^A]A\_^[]
[MDM Schedule Enrollment Cert Expired Start] Cert Expiration: %1
RegDeleteValueW
HR of SessionInitiate
H;D$pr
PdcVersion
uO9T$`vIL
%s: Unexpected ALPC message type - %x
CoTaskMemRealloc
NetApiBufferFree
api-ms-win-core-registry-l2-1-0.dll
_CxxThrowException
com.microsoft:mdm.unenrollment.userrequest
InitializeSRWLock
contextId
LeaveCriticalSection
??0?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAA@PEAV?$basic_streambuf@GU?$char_traits@G@std@@@1@_N@Z
NaRuleRegister
%s_%llu
L$ SVWH
Microsoft Corporation. All rights reserved.
CopyString
.?AVexception@@
callContext
L$PH3
<Description>$(@%systemRoot%\system32\deviceenroller.exe,-103)</Description>
</Actions>
?{uSH
.text$yd
Microsoft Corporation"Schedule created for session retry
<Interval>PT5M</Interval>
NaRuleQuery
onecoreuap\admin\enterprisemgmt\enrollactivities\exe\main.cpp
<Exec>
Redirect server (%1) received from HTTP.
|$@L9y
WATAVH
api-ms-win-core-localization-l1-2-0.dll
PA_A^_^]
LcA<E3
@8t$0u
msvcp110_win.dll
HttpSendRequest() was asked to send (%1) bytes.
@USVWAUAVAWH
Wadvapi32.dll
ApplyContextActivity
api-ms-win-core-winrt-l1-1-0.dll
<RunLevel>HighestAvailable</RunLevel>
AcquireSRWLockExclusive
deviceenroller.pdb
Microsoft.Windows.EnterpriseManagement.PolicyManager
`A_A^A]A\_^]
l$ E3
L$@fD
%sSoftware\Microsoft\Enrollments\%s\Push
LegalCopyright
DismissToastActivity
[MDM Unenroll Start] serverid: %1; unenrollment type: %2.
function
Microsoft.Windows.DeviceManagement.DevDetailCsp
Microsoft.Windows.DeviceManagement.DmAccCsp
GetSystemTime
AutoEnrollMDM
Device Enroller
RtlIsMultiUsersInSessionSku
CreatePushRenewalScheduleActivity
OPCOx
[MDM DMScheduleAdmin Poll Values] Name: %1; Value: %2
D$HH;
L$0H3
?_Pninc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAPEAGXZ
wilActivity
fD9<Bu
.rdata$zzzdbg
_vsnprintf_s
ThreadId
ChannelChangeInitiatedAlertEvent
f94Au
OS Edition Upgrade alert to server after user logs on
LoadStringW
CreateTaskForUser
WAVAWH
com.microsoft:mdm.passportforworkcreated
realloc
.rdata
Apply
??1type_info@@UEAA@XZ
??0exception@@QEAA@XZ
api-ms-win-core-errorhandling-l1-1-0.dll
Gather
UnicodeToMB
RegDeleteKeyW
OnPremise authentication mode is used.
UnenrollSource
win:Error
L$ WH
D$$I;
fF9<Bu
ProvInitiatedSession
Pinging server (%1).
CoGetApartmentType
Sending empty discovery request to server (%1).
WaitForSingleObject
RtlInitUnicodeString
\Microsoft\Windows\EnterpriseMgmt
/s "%s" /c /OsEditionUpgradeAlert /SID "%s"
H;\$@u
Win10 S Mode alert to server after user logs on
NetLocalGroupGetMembers
OpenProcessToken
GetAlertDataActivity
deviceenroller.exe
@A_A^]
GetModuleFileNameA
<StartWhenAvailable>true</StartWhenAvailable>
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAAEAV01@J@Z
Using the default certificate key length to enroll.
SVWATAUAVAWH
Data transmission final status (%1).
FindResourceExW
t$8E3
api-ms-win-core-sysinfo-l1-1-0.dll
FederatedAuthenticationURL:%1
GMb=Lk
Microsoft.Windows.DeviceManagement.OmaDmApiProvider
D$0L!|$(L!|$ E
memcpy
.idata$3
|$XfD9>u
UMgrQueryUserContext
Entering %1.
TpWaitForAlpcCompletion
com.microsoft:mdm.pushchannelrenew
.didat$5
RtlDllShutdownInProgress
MigrationAlert
string too long
(_^][
fD9't
__setusermatherr
?setbuf@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAPEAV12@PEAG_J@Z
UATAUAVAWH
GetEnrollmentPartnerOpaqueID
HeapFree
invalid string position
NOT Running User Phase of unenroll
currentContextId
GetTickCount
%s: Error receiving message from PO %x
T$xL9
L$@E3
fD9=m
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/S
.CRT$XIY
L$@H3
OmaDmRegistryGetDWORD
onecoreuap\admin\enterprisemgmt\dynamo\lib\taskcreator.cpp
@8t$0tP
WEVT_TEMPLATE
SettingsPack
fF9,Bu
GetEndpointsFromResponse() uses authentication mode (%1).
RoUninitialize
;L9&t
%04d-%02d-%02dT%02d:%02d:%02d
UWAVH
MultiByteToWideChar
UserLoginHandlerActivity
/fD;e
PFWEvent
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
EventSetInformation
UWAUAVAWH
OutputDebugStringW
fB94zu
PDCV2_ClientCallback
SHCreateMemStream
ReturnHr
InitializeActivity
%windir%\system32\deviceenroller.exe
internal\sdk\inc\wil\resultmacros.h
NaRuleValidate
CoAddRefServerProcess
Microsoft.Windows.EnterpriseManagement.ConfigManagerHook
%s: ALPC message id=%x required continuation unexpectedly.Cancelling it.
H;L$PH
A^A\]
_ismbblead
IsPhoneOS
\$HH;
Opening a connection to server (%1).
ApiSetQueryApiSetPresence
ActivationDuration
@8,1u
f;D$ t
WATAUAVAWH
[MDM Unenroll End] Error HRESULT: %1
Device
NetLocalGroupAddMembers
fD9t]
0A^_^[]
?pbump@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXH@Z
ServerUnenrollAADUnjoinFailed
api-ms-win-security-base-l1-1-0.dll
A_A^A]A\_
|$ E3
.CRT$XCAA
S-1-5-32-545
9PdcAH
ReleaseSRWLockShared
\$ UH
H!\$pH!]
</Principals>
RtlGetDeviceFamilyInfoEnum
DynamicManagement
CoRevokeClassObject
Message3
L9{0t#H
.00cfg
\$XH;
_wcsicmp
RuleId
FreeLibrary
Error
</RegistrationInfo>
FailFast
lstrlenA
[MDM Unenroll Start Error] MDM Unenroll Start hit error trying to initiate the asynchronous start to unenrollment. HRESULT: %1
fD9<Cu
UVWATAVH
ATAVAWH
Enrollment succeeded with server (%1).
CompanyName
Push_ChannelURIFailedToBeClosed
RegisterDeviceWithManagementUsingAADCredentials
GetCurrentThreadId
@A_A^_
__getmainargs
WaitForThreadpoolTimerCallbacks
DmRevertToSelf
EnterpriseMgmt
UuidFromStringW
u HcA<H
@SVWATAUAVAWH
CoRegisterClassObject
DYNAMO::CONTEXTID
GetProcessHeap
SafeWideCharToMultiByte
Sleep
HKEY_CLASSES_ROOT
Result
LastRenewalTime
t$ UWATAVAWH
com.microsoft:mdm.osmode
API for MDM Enrollment
H!\$hH!]
Push_NoPFNSet
Policy service URL (%1) and enrollment service URL (%2) are used.
BitsEvent
Windows.Internal.Security.Authentication.Web.TokenBrokerInternal
T$0H+
fF9,@u
oT$@f
Windows.Internal.Management.dll
RegOpenKeyExW
H9_Hs<
ReleaseSemaphore
wcsncpy_s
CreateEventExW
HttpReadData() read (%1) bytes of data.
HttpOpenRequest failed with (%1).
ContextID
GetChannelObjectHelperActivity
fD94zu
FW|yOcYL
SignalDefinition
internal\sdk\inc\wil\result.h
`A_A^A\_^[]
USVWAVH
D$xH+D$pI9E
CloseThreadpoolTimer
Push_Success
L$ SUVWH
ResolveDelayLoadedAPI
Administrators
R$fA;Z*
Windows.Internal.Management.Provision.SessionManager
?_Xlength_error@std@@YAXPEBD@Z
Shell_LaunchSessionGeneric
First Login Schedule created by enrollment client
?_Osfx@?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAXXZ
fD9*u
UATAVH
ServerAlertStatus
D$PE3
PushUpgrade
CallbackReason
RetryEvent
.didat$7
memmove
RecordDiagnosticsError
(caller: %p)
strchr
_callnewh
RPCRT4.dll
<AllowStartOnDemand>false</AllowStartOnDemand>
OpenProcess
f94Bu
StringFromGUID2
fD92u
__set_app_type
Microsoft.Windows.EnterpriseManagement.MDMPush
NtDeleteWnfStateName
OSData\Software\Microsoft\Enrollments\
Data transmission attempt (%1) failed with (%2).
040904B0
D9w tJH
WindowsMDMPush
.rdata$zETW2
SizeofResource
D:P(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;LS)(A;;FA;;;
@USVWAVH
WindowsDeleteString
ext-ms-win-session-usermgr-l1-1-0.dll
lstrcmpiW
AcquireSRWLockShared
swprintf_s
HcA<H
ServerUnenrollTBRemoveAccountFailed
.?AVbad_alloc@std@@
A_A^A]A\_^]
Dynamo
omadmapi.dll
PeekMessageW
A_A^]
AlertTask
Warning
TranslateMessage
GetComputerNameW
[MDM Schedule Enrollment Cert Renew Session Start] Renew period: %1; Renew retry interval: %2; Robo mode: %3; Cert Expiration: %4
Soap Request Message: %1
Number of data transmission attempts (%1) exceeds max (%2).
Microsoft.Windows.DeviceManagement.OMADMPRC
The new enrollment certificate is expired compared to the device time. Thumbprint: %1 Cert: %2, Device: %3
L9Ihv'H
InitOnceComplete
@USVWAWH
ForceRemove
[MDM Schedule Enrollment Cert Renew Session End] Success
fF9<Gu
onecoreuap\admin\enterprisemgmt\dynamo\lib\defaultfactories.h
Global\SC_AutoStartComplete
D:(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)
<Principal id="LocalSystem">
RegQueryValueExW
@SVWH
VarFileInfo
onecoreuap\admin\enterprisemgmt\dynamo\lib\userstore.h
GetEnrollmentState
_fmode
Microsoft.Windows.EMPS.Enrollment
[MDM Schedule Enrollment Cert Expired End] Error: HRESULT: %1
PdcClientCallWatchdogFired
ClientID
VWAWH
_vsnwprintf
AlpcInitializeMessageAttribute
api-ms-win-core-libraryloader-l1-2-0.dll
PDCV2_Deactivate
d$pfD
RegDeleteTreeW
Sending request to server (%1).
WnfStateName
</Exec>
HRichV3
ZwClose
InternalRenewActivity
Local\SM0:%d:%d:%hs
RegGetValueW
Reversed-Domain-Name:com.microsoft.mdm.dynamicmanagement.failedtoapply
MhL9g
!D$4H
L$PE3
Windows.System.Threading.ThreadPoolTimer
onecoreuap\admin\dm\published\inc\dmraii.hxx
api-ms-win-core-winrt-string-l1-1-0.dll
FormatMessageW
module
<RegistrationInfo>
Push_NoChannelURI
MigrationAlertSendFail
CT$`L
Altitude
CoUninitialize
SettingsPackResponse
internal\sdk\inc\wil\winrt.h
??1?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAA@XZ
A_A^A]A\_
DataType
10.0.17763.1 (WinBuild.160101.0800)
NoRemove
D9e uNL
DeleteCriticalSection
Failed to run a schedule at the end of enrollment. HRESULT: %1
RaiseException
RtlCaptureContext
win:Info
onecoreuap\admin\enterprisemgmt\dynamo\lib\helpers.cpp
Mb=Lk
x ATAVAWH
t{HcL$ HcD$$H
.CRT$XLA
D$@I;
Windows.SystemToast.DeviceManagement
EVNT
A_A^A\_^[
[MDM Client Certificate Renew End] Success
AlertType
?_Unlock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
fD9$xu
` UAVAWH
Push_InvalidMSAAuthentication
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
dmenterprisediagnostics.dll
HKEY_LOCAL_MACHINE
WnfTrigger
A_A^_
OmaDmRegistryGetAllSubKeys
ActivityError
</Task>
A_A^A\
DMEnrollEngine Activity Succeed: %1
H;]Pu
onecoreuap\admin\enterprisemgmt\enrollactivities\exe\automdmnotificationcallback.cpp
D$0H;
api-ms-win-core-threadpool-l1-2-0.dll
api-ms-win-core-heap-l2-1-0.dll
api-ms-win-core-processthreads-l1-1-0.dll
L$ UATAVH
ProcessExeName
RaiseToastActivity
Information
@USVWATAVAWH
CoCreateTaskScheduler Retry
Status
7fD;>u
GH9t$xH
ReleaseSRWLockExclusive
LoadCursorW
RtlLookupFunctionEntry
MsgWaitForMultipleObjectsEx
DWORD3
internal\sdk\inc\wil\resource.h
[%hs(%hs)]
PdcPH
api-ms-win-core-delayload-l1-1-1.dll
fF94Ju
QueryPerformanceCounter
internal\onecoreuapbase\inc\createwpnsystemplatform.h
threadId
CreateThreadpool
f8V_G
msvcrt.dll
StringFileInfo
L9d$pr
oD$ f
t$ WAVAWH
srand
Software
0A_A^A]A\_
api-ms-win-core-handle-l1-1-0.dll
G0A8h
.text$mn
RegSetKeyValueW
OMADM::ServerID
D$XE3
failureId
LookupAccountSidW
vDbgPrintEx
DWORD1
TimeBombWarning
t$0H;
PushInitiatedSession
Microsoft.Windows.EnterpriseManagement.DeclaredConfiguration
onecoreuap\admin\enterprisemgmt\dynamo\lib\contextapplier.cpp
Timestamp
TestHookURI
Interface
Alert
Global\Dynamo-
Operation
EventWriteTransfer
oL$0f
T$@E3
ext-ms-win-security-chambers-l1-1-0
L$`H3
D$@E3
pTestHook
.didat$6
WindowsGetStringRawBuffer
fD9tE
onecoreuap\admin\enterprisemgmt\dynamo\lib\stateentry.cpp
8A^_^[
UuidCreate
IsDebuggerPresent
EventActivityIdControl
DMEnrollEngine Activity Failed: %1 HRESULT: %2
D$xH9D$pt
.rdata$zETW1
OSData\
A^A\_^]
??1exception@@UEAA@XZ
Description:
DmGetUserPermission
@A_A^A\
netutils.dll
Module_Raw
CreatePushUpgradeScheduleActivity
RtlVirtualUnwind
?_Lock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
DmGetActiveUserSid
GetModuleFileNameW
@SVWATAUAVAW
NtCreateWnfStateName
??3@YAXPEAX@Z
fD;8ugH
RaiseFailFastException
api-ms-win-core-processthreads-l1-1-1.dll
Login
DMAppsRes.dll
Message1
\EnterpriseMgmt
.CRT$XCA
</Settings>
RoGetActivationFactory
Win10SModeAlert
f;D$@
SetThreadpoolTimer
Processing successful response from discovery endpoint callback.
T$8H!\$8
UnhandledExceptionFilter
Login Schedule created by enrollment client
f9,Cu
fD9 t
EventUnregister
currentContextName
H;|$@t&L9c
RtlNtStatusToDosErrorNoTeb
@SUVWATAUAVAWH
D8l$Xt.H
Microsoft-Windows-DM-Enrollment-Provider
ySoftware\Microsoft\Enrollments
VS_VERSION_INFO
?=u$L
?uflow@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAGXZ
api-ms-win-core-synch-l1-2-0.dll
x UATAUAVAWH
A_A^_^]
.CRT$XCZ
[MDM Schedule Enrollment Cert Renew Session End] Error: HRESULT: %1
PostQuitMessage
ZwAlpcCancelMessage
OMADM::AccountID
D$@HcH
currentContextMessage
<Settings>
Exception
DMCSP_DevDetail_GetSwV
`A^_^[]
api-ms-win-core-string-l2-1-0.dll
RtlWakeAddressAll
USVWH
I!C H
api-ms-win-shcore-stream-l1-1-0.dll
L$pE3
WaitForMultipleObjectsEx
<Hidden>true</Hidden>
.data
L$pH;
ContextTask
memset
D8|$1
ZwAlpcQueryInformation
[%hs]
unknown error
|$hfD
[MDM Client Certificate Renew Start]
D$@D8
RoGetMatchingRestrictedErrorInfo
\$ UVWAVAWH
GetProcAddress
StatusPageTracking
ProductName
fD9<yu
fD; t
strrchr
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
_set_errno
D:(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)(A;OICI;GA;;;LS)(A;OICI;GA;;;
.idata$6
<UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
Provider Id is %1
D$`E3
D:P(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;LS)
api-ms-win-core-heap-l1-1-0.dll
t^@8=d
Invalid parameter passed to C runtime function.
ActivityIntermediateStop
?xsputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEBG_J@Z
Windows.SystemToast.DeviceEnrollmentActivity
@A_A^_^]
D$HE3
T$0L;
CT$xH
M8L9&t
(D$0H
DsrBeginDeviceUnjoin
t$ UWAVH
MDMPushTestHook
FileVersion
Push_ChannelURIExpired
L$hH3
OSData\Software\Microsoft\Enrollments
SVWAVH
<AllowHardTerminate>false</AllowHardTerminate>
CurrentEnrollmentId
Verbose
Source
Certificate authentication mode is used.
t$ E3
onecoreuap\admin\enterprisemgmt\dynamo\lib\statestore.cpp
fD94Xu
wilResult
RoInitialize
S-1-1-0
+\$HHc
PdcClientId
fA9Z*v$A
UAVAWH
memcpy_s
Delete
USVWATAVAWH
?uncaught_exception@std@@YA_NXZ
FileTimeToLocalFileTime
0A_A^_^[
CoInitializeSecurity
?flush@?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAAEAV12@XZ
L$(H;
[MDM Enroll Start Error] MDM Enroll Start hit error trying to initiate the asynchronous start to enrollment. HRESULT: %1
Request Type: %1. HRESULT: %2
com.microsoft:mdm.upgrade
TestHookSet
H3UfHW3
onecoreuap\admin\enterprisemgmt\dynamo\lib\statestorefactory.h
CoTaskMemAlloc
SetUserPermissions
CreateMutexExW
L$XL+
&D9t$@t
onecoreuap\admin\enterprisemgmt\dynamo\lib\contextenumerator.cpp
EventRegister
RenewalUpCounter
@8t$0
@UVWH
CoInitializeEx
DeviceChannel
?gbump@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXH@Z
[MDM Schedule Enrollment Cert Expired End] Success
HeapAlloc
A_A^A\_^
9ff451dc-a529-468f-a37d-e0aa6144a29f
SVWAVAWH
AppId
\PdcPort
Microsoft.Windows.EnterpriseManagement.Enrollment
.data$brc
ms-settings:workplace
L$pH3
DMP certificate (%1) thumbprint (%2).
H3E H3E
InternalName
RebootCSPScheduledRebootTriggered
strncpy_s
D$8H+
malloc
HKEY_CURRENT_CONFIG
api-ms-win-core-profile-l1-1-0.dll
We have been asked to redirect server.
PermissionToReboot
.rsrc$02
RtlWaitOnAddress
\$ UVWATAUAVAW
_unlock
?_Xbad_alloc@std@@YAXXZ
iostream
[MDM Enroll End] Error HRESULT: %1
TimeoutMs
onecoreuap\admin\enterprisemgmt\dynamo\lib\datastorefactory.h
<AllowStartOnDemand>true</AllowStartOnDemand>
OLEAUT32.dll
.text$di
OmaDmRegistrySetString
REGISTRY
23Connect
PA__^[]
OSData\Software\Microsoft\Provisioning\OMADM\Logger
originatingContextMessage
VWATAVAWH
onecoreuap\admin\enterprisemgmt\dynamo\lib\syncmlpackprocessor.cpp
GetCurrentProcessId
RetryCount
RegCreateKeyExW
ConvertStringSidToSidW
\Microsoft\Windows
.rdata$zETW0
Column:
CreateThreadpoolTimer
ext-ms-win-ntuser-synch-l1-1-0.dll
Hardware
api-ms-win-core-file-l1-1-0.dll
DelayLoadFailureHook
WaitForSingleObjectEx
iostream stream error
Module
Leaving %1 with result (%2).
C0E8p
StateName
dmEnrollEngine.DLL
Message
TpAllocAlpcCompletion
H;]Pu
win:Warning
@USWH
CoTaskMemFree
PhoneDeepLink
.CRT$XIZ
EnrollDMPollTaskSchedulerFail
Microsoft.Windows.DeviceManagement.OmaDmClient
EnrollmentSvc
CreateTask
9T$`A
!This program cannot be run in DOS mode.
H9Ahs
Msg:[%ws]
UpgradeActivity
ZwAlpcDisconnectPort
xT;\$H|9H
@A^_^
A_A^A]_^[]
/s "%s" /c /Win10SModeAlert /SID "%s"
UTF-16
api-ms-win-eventing-provider-l1-1-0.dll
StartServer
?_BADOFF@std@@3_JB
<Principals>
api-ms-win-core-synch-l1-1-0.dll
GetPolicyFromResponse() uses hash algorithm (%1).
api-ms-win-core-registry-l1-1-1.dll
OpenSemaphoreW
?xsgetn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEAG_J@Z
ModuleName
CreateXmlReaderInputWithEncodingName
V1_Unknown
FallbackError
EnterCriticalSection
[MDM Client Certificate Renew Start Error] MDM Client Certificate Renew Start hit error trying to initiate the asynchronous start to enrollment. HRESULT: %1
.CRT$XCU
RegDeleteKeyExW
ConvertStringSecurityDescriptorToSecurityDescriptorW
Line:
_errno
Software\Microsoft\Provisioning\OMADM\Logger
Function entry.
Target
Windows.Security.Authentication.Web.Core.WebAuthenticationCoreManager
Discovery enpoint callback failed with (%1).
%hs(%d) tid(%x) %08X %ws
HKEY_CURRENT_USER
GetCurrentProcess
win:Stop
ZwAlpcConnectPort
StopWaitForUnenrollment
fileName
./Device/Vendor/MSFT/DynamicManagement/Contexts/
Schedule created by enrollment client for automatically enrolling in MDM from AAD
LocalFree
.?AVResultException@wil@@
.didat$3
Translation
EventType
D:P(A;;GA;;;BA)(A;;GA;;;SY)
WilError_02
??_V@YAXPEAX@Z
RemoveAWA
TEMP,
app://5B04B775-356B-4AA0-AAF8-6491FFEA562A/_default
Push_NotAvailableOnSKU
Microsoft.Windows.EnterpriseManagement.ResourceManagerUnenrollHook
FileType
ProductVersion
dsreg.dll
-%s %s
OmaDmSession
<RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable>
.didat$4
?sputc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAAGG@Z
__CxxFrameHandler3
_onexit
.CRT$XIAA
</RestartOnFailure>
onecoreuap\admin\enterprisemgmt\dynamo\lib\wnfgenerator.cpp
Microsoft-Windows-DeviceManagement-W7NodeProcessor
onecoreuap\admin\enterprisemgmt\dynamo\lib\naturalauth.cpp
failureType
Windows
hresult
/o "%s" /c /y
api-ms-win-core-apiquery-l1-1-0.dll
.idata$2
DmImpersonate
api-ms-win-core-debug-l1-1-0.dll
.CRT$XCL
IsDeviceChannel
CoReleaseServerProcess
SYSTEM
InitiateSystemShutdownExW
.tls$
HKEY_USERS
LookupPrivilegeValueW
.xdata
.gfids
Microsoft.Windows.DeviceManagement.SessionManagement
XmlLite.dll
??0exception@@QEAA@AEBV0@@Z
%hs(%d)\%hs!%p:
Operating System
RoActivateInstance
TypeLib
vector<T> too long
@.didat
GetModuleHandleExW
GetPolicyFromResponse() uses private key algorithm (%1).
_cexit
EventData
com.microsoft:mdm.oseditionupgrade
CloseThreadpool
OsEditionUpgradeAlert
DmRemoveToastNotification
??0?$basic_ios@GU?$char_traits@G@std@@@std@@IEAA@XZ
Read group policy registry value PolicyValue: %1 HRESULT: %1
ZwAlpcSendWaitReceivePort
<SecurityDescriptor>D:(A;;FA;;;BA)(A;;FA;;;SY)</SecurityDescriptor>
onecoreuap\admin\enterprisemgmt\dynamo\lib\dynamicmanagement.cpp
RtlIsStateSeparationEnabled
Device is already enrolled.
_commode
GetLastError
Embedding
LogHr
_amsg_exit
onecoreuap\admin\enterprisemgmt\enrollactivities\exe\serverclassfactory.h
?terminate@@YAXXZ
?endl@std@@YAAEAV?$basic_ostream@GU?$char_traits@G@std@@@1@AEAV21@@Z
Start
api-ms-win-security-lsalookup-l2-1-0.dll
api-ms-win-security-sddl-l1-1-0.dll
Running User Phase of unenroll %1
SyncmlPackProcessor
api-ms-win-core-timezone-l1-1-0.dll
api-ms-win-core-winrt-error-l1-1-1.dll
InitOnceBeginInitialize
`.rdata
?_Winerror_map@std@@YAPEBDH@Z
RegQueryInfoKeyW
RegCloseKey
%s: Unable to cancel ALPC message id=%x
TpReleaseAlpcCompletion
strtol
lineNumber
RtlAllocateHeap
_vsnwprintf_s

PE Information

Image Base 0x140000000
Entry Point 0x00035db0
Reported Checksum 0x0005bbd4
Actual Checksum 0x0005bbd4
Minimum OS Version 10.0
PDB Path deviceenroller.pdb
Compile Time 2061-10-03 18:28:52
Import Hash 2ed7eadd460e2fcdf75f4c11011a4ebd

Version Infos

CompanyName Microsoft Corporation
FileDescription API for MDM Enrollment
FileVersion 10.0.17763.1 (WinBuild.160101.0800)
InternalName API for MDM Enrollment
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename deviceenroller.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.17763.1
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x00038fe6 0x00039000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.17
.rdata 0x00039400 0x0003a000 0x00016868 0x00016a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.92
.data 0x0004fe00 0x00051000 0x000011c4 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.13
.pdata 0x00050600 0x00053000 0x00002514 0x00002600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.41
.didat 0x00052c00 0x00056000 0x00000168 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.23
.rsrc 0x00052e00 0x00057000 0x00004570 0x00004600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.41
.reloc 0x00057400 0x0005c000 0x00000490 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 4.73

Name Offset Size Language Sub-language Entropy File type
WEVT_TEMPLATE 0x00059628 0x00001e92 LANG_ENGLISH SUBLANG_ENGLISH_US 2.96 None
RT_STRING 0x0005b4c0 0x000000ac LANG_ENGLISH SUBLANG_ENGLISH_US 2.77 None
RT_MESSAGETABLE 0x00057518 0x0000210c LANG_ENGLISH SUBLANG_ENGLISH_US 3.52 None
RT_VERSION 0x00057150 0x000003c4 LANG_ENGLISH SUBLANG_ENGLISH_US 3.44 None

Imports

Name Address
?imbue@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAXAEBVlocale@2@@Z 0x14003b5f0
??1?$basic_ostream@GU?$char_traits@G@std@@@std@@UEAA@XZ 0x14003b5f8
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z 0x14003b600
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAAEAV01@J@Z 0x14003b608
?endl@std@@YAAEAV?$basic_ostream@GU?$char_traits@G@std@@@1@AEAV21@@Z 0x14003b610
?_Xbad_alloc@std@@YAXXZ 0x14003b618
?_Add_vtordisp2@?$basic_ostream@GU?$char_traits@G@std@@@std@@UEAAXXZ 0x14003b620
?flush@?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAAEAV12@XZ 0x14003b628
?_Xout_of_range@std@@YAXPEBD@Z 0x14003b630
?_Winerror_map@std@@YAPEBDH@Z 0x14003b638
?_Xlength_error@std@@YAXPEBD@Z 0x14003b640
?_Syserror_map@std@@YAPEBDH@Z 0x14003b648
?uncaught_exception@std@@YA_NXZ 0x14003b650
?_BADOFF@std@@3_JB 0x14003b658
?sputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAA_JPEBG_J@Z 0x14003b660
??0?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAA@XZ 0x14003b668
??0?$basic_ios@GU?$char_traits@G@std@@@std@@IEAA@XZ 0x14003b670
?gbump@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXH@Z 0x14003b678
?pbump@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXH@Z 0x14003b680
?_Pninc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAPEAGXZ 0x14003b688
??0?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAA@PEAV?$basic_streambuf@GU?$char_traits@G@std@@@1@_N@Z 0x14003b690
?_Osfx@?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAXXZ 0x14003b698
??1?$basic_ios@GU?$char_traits@G@std@@@std@@UEAA@XZ 0x14003b6a0
?_Add_vtordisp1@?$basic_ios@GU?$char_traits@G@std@@@std@@UEAAXXZ 0x14003b6a8
?setstate@?$basic_ios@GU?$char_traits@G@std@@@std@@QEAAXH_N@Z 0x14003b6b0
??1?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAA@XZ 0x14003b6b8
?sputc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAAGG@Z 0x14003b6c0
?_Lock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ 0x14003b6c8
?_Unlock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ 0x14003b6d0
?showmanyc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JXZ 0x14003b6d8
?uflow@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAGXZ 0x14003b6e0
?xsgetn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEAG_J@Z 0x14003b6e8
?xsputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEBG_J@Z 0x14003b6f0
?setbuf@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAPEAV12@PEAG_J@Z 0x14003b6f8
?sync@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAHXZ 0x14003b700
Name Address
memcpy 0x14003b710
_CxxThrowException 0x14003b718
memmove 0x14003b720
exit 0x14003b728
??3@YAXPEAX@Z 0x14003b730
__CxxFrameHandler3 0x14003b738
??_V@YAXPEAX@Z 0x14003b740
_vsnwprintf 0x14003b748
memcpy_s 0x14003b750
_purecall 0x14003b758
??1exception@@UEAA@XZ 0x14003b760
srand 0x14003b768
rand 0x14003b770
_vsnwprintf_s 0x14003b778
strncpy_s 0x14003b780
_set_errno 0x14003b788
strtol 0x14003b790
strchr 0x14003b798
strrchr 0x14003b7a0
sprintf_s 0x14003b7a8
_wtoi 0x14003b7b0
swprintf_s 0x14003b7b8
??0exception@@QEAA@XZ 0x14003b7c0
??0exception@@QEAA@AEBV0@@Z 0x14003b7c8
_vsnprintf_s 0x14003b7d0
__C_specific_handler 0x14003b7d8
_wcsicmp 0x14003b7e0
free 0x14003b7e8
malloc 0x14003b7f0
wcsncpy_s 0x14003b7f8
realloc 0x14003b800
_errno 0x14003b808
??1type_info@@UEAA@XZ 0x14003b810
_onexit 0x14003b818
__dllonexit 0x14003b820
_unlock 0x14003b828
_lock 0x14003b830
?terminate@@YAXXZ 0x14003b838
_commode 0x14003b840
_fmode 0x14003b848
_acmdln 0x14003b850
_initterm 0x14003b858
__setusermatherr 0x14003b860
_ismbblead 0x14003b868
_cexit 0x14003b870
_exit 0x14003b878
memset 0x14003b880
__set_app_type 0x14003b888
__getmainargs 0x14003b890
_amsg_exit 0x14003b898
_XcptFilter 0x14003b8a0
_callnewh 0x14003b8a8
Name Address
GetEnrollmentSID 0x14003b5a0
GetEnrollmentPartnerOpaqueID 0x14003b5a8
GetEnrollmentType 0x14003b5b0
EnrollEngineInitialize 0x14003b5b8
GetEnrollmentState 0x14003b5c0
Name Address
DmGetCurrentUserSid 0x14003af60
OmaDmRegistrySetString 0x14003af68
IsPhoneOS 0x14003af70
DmGetUserPermission 0x14003af78
UnicodeToMB 0x14003af80
DmImpersonate 0x14003af88
DmRemoveToastNotification 0x14003af90
SafeWideCharToMultiByte 0x14003af98
DmRevertToSelf 0x14003afa0
OmaDmRegistryGetAllSubKeys 0x14003afa8
OmaDmRegistryGetDWORD 0x14003afb0
OmaDmRegistrySetDWORD 0x14003afb8
DmRaiseToastNotification 0x14003afc0
CopyString 0x14003afc8
DmGetActiveUserSid 0x14003afd0
OmaDmRegistrySetBinary 0x14003afd8
OmDmRegistryAllocAndGetString 0x14003afe0
DmDeleteTask 0x14003afe8
Name Address
Name Address
GetModuleFileNameW 0x14003b180
LoadResource 0x14003b188
LoadStringW 0x14003b190
FindResourceExW 0x14003b198
FreeLibrary 0x14003b1a0
SizeofResource 0x14003b1a8
GetModuleFileNameA 0x14003b1b0
GetModuleHandleExW 0x14003b1b8
GetModuleHandleW 0x14003b1c0
GetProcAddress 0x14003b1c8
LoadLibraryExW 0x14003b1d0
Name Address
OpenSemaphoreW 0x14003b338
CreateEventW 0x14003b340
CreateMutexExW 0x14003b348
InitializeSRWLock 0x14003b350
AcquireSRWLockShared 0x14003b358
WaitForSingleObjectEx 0x14003b360
ResetEvent 0x14003b368
DeleteCriticalSection 0x14003b370
EnterCriticalSection 0x14003b378
SetEvent 0x14003b380
OpenEventW 0x14003b388
LeaveCriticalSection 0x14003b390
AcquireSRWLockExclusive 0x14003b398
ReleaseSRWLockShared 0x14003b3a0
ReleaseMutex 0x14003b3a8
InitializeCriticalSection 0x14003b3b0
ReleaseSRWLockExclusive 0x14003b3b8
WaitForSingleObject 0x14003b3c0
WaitForMultipleObjectsEx 0x14003b3c8
ReleaseSemaphore 0x14003b3d0
CreateEventExW 0x14003b3d8
CreateSemaphoreExW 0x14003b3e0
Name Address
HeapFree 0x14003b138
GetProcessHeap 0x14003b140
HeapAlloc 0x14003b148
Name Address
RaiseException 0x14003b0e8
SetLastError 0x14003b0f0
GetLastError 0x14003b0f8
SetUnhandledExceptionFilter 0x14003b100
UnhandledExceptionFilter 0x14003b108
Name Address
WindowsCreateStringReference 0x14003b4e0
WindowsGetStringRawBuffer 0x14003b4e8
WindowsDeleteString 0x14003b4f0
Name Address
GetCurrentThreadId 0x14003b200
OpenProcessToken 0x14003b208
GetCurrentProcess 0x14003b210
TerminateProcess 0x14003b218
GetCurrentProcessId 0x14003b220
GetStartupInfoW 0x14003b228
Name Address
FormatMessageW 0x14003b1e0
Name Address
RoActivateInstance 0x14003b4b8
RoInitialize 0x14003b4c0
RoGetActivationFactory 0x14003b4c8
RoUninitialize 0x14003b4d0
Name Address
OutputDebugStringW 0x14003b0a0
IsDebuggerPresent 0x14003b0a8
DebugBreak 0x14003b0b0
OutputDebugStringA 0x14003b0b8
Name Address
CloseHandle 0x14003b128
Name Address
SysAllocStringByteLen 0x14003aff8
VariantChangeTypeEx 0x14003b000
SysFreeString 0x14003b008
VarUI4FromStr 0x14003b010
VariantClear 0x14003b018
VariantInit 0x14003b020
SafeArrayCreate 0x14003b028
SafeArrayDestroy 0x14003b030
SafeArrayGetUBound 0x14003b038
SafeArrayUnlock 0x14003b040
SafeArrayGetLBound 0x14003b048
SysAllocStringLen 0x14003b050
SysStringByteLen 0x14003b058
SysAllocString 0x14003b060
SafeArrayLock 0x14003b068
Name Address
EventWriteTransfer 0x14003b500
EventRegister 0x14003b508
EventUnregister 0x14003b510
EventSetInformation 0x14003b518
EventActivityIdControl 0x14003b520
Name Address
WakeAllConditionVariable 0x14003b3f0
SleepConditionVariableSRW 0x14003b3f8
InitOnceComplete 0x14003b400
InitOnceBeginInitialize 0x14003b408
Sleep 0x14003b410
Name Address
LookupAccountSidW 0x14003b540
LookupPrivilegeValueW 0x14003b548
Name Address
GetCommandLineW 0x14003b1f0
Name Address
InitiateSystemShutdownExW 0x14003b2f0
Name Address
RegSetValueExW 0x14003b258
RegDeleteValueW 0x14003b260
RegQueryValueExW 0x14003b268
RegQueryInfoKeyW 0x14003b270
RegGetValueW 0x14003b278
RegOpenKeyExW 0x14003b280
RegCreateKeyExW 0x14003b288
RegEnumKeyExW 0x14003b290
RegCloseKey 0x14003b298
RegDeleteTreeW 0x14003b2a0
Name Address
LocalAlloc 0x14003b158
LocalFree 0x14003b160
Name Address
NetLocalGroupGetMembers 0x14003b9e8
NetUserGetInfo 0x14003b9f0
NetLocalGroupAddMembers 0x14003b9f8
Name Address
CharNextW 0x14003b310
Name Address
MultiByteToWideChar 0x14003b300
Name Address
AdjustTokenPrivileges 0x14003b530
Name Address
NetApiBufferFree 0x14003b8b8
Name Address
GetTickCount 0x14003b420
GetSystemTime 0x14003b428
GetTickCount64 0x14003b430
GetSystemTimeAsFileTime 0x14003b438
Name Address
RtlVirtualUnwind 0x14003b2d0
RtlCaptureContext 0x14003b2d8
RtlLookupFunctionEntry 0x14003b2e0
Name Address
QueryPerformanceCounter 0x14003b248
Name Address
SetRestrictedErrorInfo 0x14003b498
Name Address
RoGetMatchingRestrictedErrorInfo 0x14003b4a8
Name Address
SystemTimeToFileTime 0x14003b480
FileTimeToSystemTime 0x14003b488
Name Address
FileTimeToLocalFileTime 0x14003b118
Name Address
lstrcmpiW 0x14003b320
lstrlenA 0x14003b328
Name Address
GetComputerNameW 0x14003b170
Name Address
RtlGetDeviceFamilyInfoEnum 0x14003b8c8
NtCreateWnfStateName 0x14003b8d0
NtDeleteWnfStateName 0x14003b8d8
RtlNtStatusToDosErrorNoTeb 0x14003b8e0
vDbgPrintEx 0x14003b8e8
RtlIsStateSeparationEnabled 0x14003b8f0
RtlFreeHeap 0x14003b8f8
RtlIsMultiUsersInSessionSku 0x14003b900
RtlAllocateHeap 0x14003b908
ZwClose 0x14003b910
RtlNtStatusToDosError 0x14003b918
ZwAlpcCancelMessage 0x14003b920
RtlWakeAddressAll 0x14003b928
TpAllocAlpcCompletion 0x14003b930
ZwAlpcDisconnectPort 0x14003b938
ZwAlpcSendWaitReceivePort 0x14003b940
TpReleaseAlpcCompletion 0x14003b948
ZwAlpcQueryInformation 0x14003b950
RtlInitUnicodeString 0x14003b958
RtlWaitOnAddress 0x14003b960
ZwAlpcConnectPort 0x14003b968
TpWaitForAlpcCompletion 0x14003b970
AlpcInitializeMessageAttribute 0x14003b978
AlpcGetMessageAttribute 0x14003b980
Name Address
ApiSetQueryApiSetPresence 0x14003b090
Name Address
Name Address
CreateXmlReader 0x14003b078
CreateXmlReaderInputWithEncodingName 0x14003b080
Name Address
SHCreateMemStream 0x14003b570
Name Address
RecordDiagnosticsError 0x14003b5e0
Name Address
OpenProcess 0x14003b238
Name Address
RegSetKeyValueW 0x14003b2b0
Name Address
CreateThreadpool 0x14003b448
CreateThreadpoolTimer 0x14003b450
CloseThreadpoolTimer 0x14003b458
CloseThreadpool 0x14003b460
SetThreadpoolTimer 0x14003b468
WaitForThreadpoolTimerCallbacks 0x14003b470
Name Address
ResolveDelayLoadedAPI 0x14003b0d8
Name Address
DelayLoadFailureHook 0x14003b0c8
Name Address
RegDeleteKeyW 0x14003b2c0



Usage


Processing ( 11.36 seconds )

  • 10.217 ProcessMemory
  • 1.106 CAPE
  • 0.025 AnalysisInfo
  • 0.011 BehaviorAnalysis
  • 0.001 Debug

Signatures ( 0.06 seconds )

  • 0.008 ransomware_files
  • 0.007 antiav_detectreg
  • 0.005 antianalysis_detectfile
  • 0.005 ransomware_extensions
  • 0.003 antiav_detectfile
  • 0.003 ursnif_behavior
  • 0.002 antivm_vbox_files
  • 0.002 infostealer_ftp
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.002 territorial_disputes_sigs
  • 0.001 bot_drive
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_files
  • 0.001 antivm_vmware_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 infostealer_bitcoin
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior

Reporting ( 0.01 seconds )

  • 0.005 CAPASummary
  • 0.001 JsonDump

Signatures

The PE file contains a PDB path
pdbpath: deviceenroller.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
The binary contains an unknown PE section name indicative of packing
unknown section: {'name': '.didat', 'raw_address': '0x00052c00', 'virtual_address': '0x00056000', 'virtual_size': '0x00000168', 'size_of_data': '0x00000200', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000040', 'entropy': '2.23'}
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 3732 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 59 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections
Binary compilation timestomping detected
anomaly: Compilation timestamp is in the future

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Windows\System32\kernel.appcore.dll
\Device\CNG
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.