Analysis
| Category | Package | Started | Completed | Duration | Options | Log(s) |
|---|---|---|---|---|---|---|
| FILE | exe | 2025-06-13 01:59:53 | 2025-06-13 02:30:37 | 1844 seconds | Show Options | Show Analysis Log |
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1
2024-11-25 13:37:15,006 [root] INFO: Date set to: 20250612T19:08:10, timeout set to: 1800 2025-06-12 20:08:10,594 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8 2025-06-12 20:08:10,609 [root] DEBUG: Storing results at: C:\XycSRz 2025-06-12 20:08:10,609 [root] DEBUG: Pipe server name: \\.\PIPE\FkjRti 2025-06-12 20:08:10,609 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32 2025-06-12 20:08:10,609 [root] INFO: analysis running as an admin 2025-06-12 20:08:10,609 [root] INFO: analysis package specified: "exe" 2025-06-12 20:08:10,609 [root] DEBUG: importing analysis package module: "modules.packages.exe"... 2025-06-12 20:08:11,141 [root] DEBUG: imported analysis package "exe" 2025-06-12 20:08:11,141 [root] DEBUG: initializing analysis package "exe"... 2025-06-12 20:08:11,141 [lib.common.common] INFO: wrapping 2025-06-12 20:08:11,141 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation 2025-06-12 20:08:11,141 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\Dxpserver.exe 2025-06-12 20:08:11,141 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option 2025-06-12 20:08:11,141 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option 2025-06-12 20:08:11,141 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option 2025-06-12 20:08:11,141 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option 2025-06-12 20:08:11,344 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser" 2025-06-12 20:08:11,359 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig" 2025-06-12 20:08:11,391 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise" 2025-06-12 20:08:11,406 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human" 2025-06-12 20:08:11,422 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops' 2025-06-12 20:08:11,422 [lib.api.screenshot] ERROR: No module named 'PIL' 2025-06-12 20:08:11,422 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots" 2025-06-12 20:08:11,422 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump" 2025-06-12 20:08:11,422 [root] DEBUG: Initialized auxiliary module "Browser" 2025-06-12 20:08:11,422 [root] DEBUG: attempting to configure 'Browser' from data 2025-06-12 20:08:11,422 [root] DEBUG: module Browser does not support data configuration, ignoring 2025-06-12 20:08:11,422 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"... 2025-06-12 20:08:11,422 [root] DEBUG: Started auxiliary module modules.auxiliary.browser 2025-06-12 20:08:11,422 [root] DEBUG: Initialized auxiliary module "DigiSig" 2025-06-12 20:08:11,422 [root] DEBUG: attempting to configure 'DigiSig' from data 2025-06-12 20:08:11,422 [root] DEBUG: module DigiSig does not support data configuration, ignoring 2025-06-12 20:08:11,422 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"... 2025-06-12 20:08:11,422 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature 2025-06-12 20:08:11,703 [modules.auxiliary.digisig] DEBUG: File is not signed 2025-06-12 20:08:11,703 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json 2025-06-12 20:08:11,703 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig 2025-06-12 20:08:11,703 [root] DEBUG: Initialized auxiliary module "Disguise" 2025-06-12 20:08:11,703 [root] DEBUG: attempting to configure 'Disguise' from data 2025-06-12 20:08:11,703 [root] DEBUG: module Disguise does not support data configuration, ignoring 2025-06-12 20:08:11,703 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"... 2025-06-12 20:08:11,703 [modules.auxiliary.disguise] INFO: Disguising GUID to c59a3e67-dd86-490e-8d0c-57bd409269e1 2025-06-12 20:08:11,703 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise 2025-06-12 20:08:11,703 [root] DEBUG: Initialized auxiliary module "Human" 2025-06-12 20:08:11,703 [root] DEBUG: attempting to configure 'Human' from data 2025-06-12 20:08:11,703 [root] DEBUG: module Human does not support data configuration, ignoring 2025-06-12 20:08:11,703 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"... 2025-06-12 20:08:11,703 [root] DEBUG: Started auxiliary module modules.auxiliary.human 2025-06-12 20:08:11,703 [root] DEBUG: Initialized auxiliary module "Screenshots" 2025-06-12 20:08:11,703 [root] DEBUG: attempting to configure 'Screenshots' from data 2025-06-12 20:08:11,703 [root] DEBUG: module Screenshots does not support data configuration, ignoring 2025-06-12 20:08:11,703 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"... 2025-06-12 20:08:11,703 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled 2025-06-12 20:08:11,703 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots 2025-06-12 20:08:11,703 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets" 2025-06-12 20:08:11,703 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data 2025-06-12 20:08:11,703 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring 2025-06-12 20:08:11,703 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"... 2025-06-12 20:08:11,719 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696 2025-06-12 20:08:11,735 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini 2025-06-12 20:08:11,750 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor 2025-06-12 20:08:11,750 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor 2025-06-12 20:08:11,750 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor 2025-06-12 20:08:11,750 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor 2025-06-12 20:08:11,750 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor 2025-06-12 20:08:11,750 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor 2025-06-12 20:08:11,750 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\jZguRFON.dll, loader C:\tmp_gell1p8\bin\YjzRcEUm.exe 2025-06-12 20:08:11,813 [root] DEBUG: Loader: IAT patching disabled. 2025-06-12 20:08:11,813 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\jZguRFON.dll. 2025-06-12 20:08:11,844 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'. 2025-06-12 20:08:11,844 [root] INFO: Disabling sleep skipping. 2025-06-12 20:08:11,844 [root] DEBUG: 696: Full process memory dumps enabled. 2025-06-12 20:08:11,844 [root] DEBUG: 696: Import reconstruction of process dumps enabled. 2025-06-12 20:08:11,844 [root] DEBUG: 696: Active unpacking of payloads enabled 2025-06-12 20:08:11,844 [root] DEBUG: 696: CAPE debug - unrecognised key norefer. 2025-06-12 20:08:11,844 [root] DEBUG: 696: TLS secret dump mode enabled. 2025-06-12 20:08:11,860 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542 2025-06-12 20:08:11,875 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable 2025-06-12 20:08:11,875 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0 2025-06-12 20:08:11,875 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 1568, image base 0x00007FF60D500000, stack from 0x0000008EFACF4000-0x0000008EFAD00000 2025-06-12 20:08:11,875 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe 2025-06-12 20:08:11,875 [root] DEBUG: 696: Hooked 5 out of 5 functions 2025-06-12 20:08:11,891 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread. 2025-06-12 20:08:11,891 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\jZguRFON.dll. 2025-06-12 20:08:11,891 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe> 2025-06-12 20:08:11,891 [root] <truncated>
Machine
| Name | Label | Manager | Started On | Shutdown On | Route |
|---|---|---|---|---|---|
| win10-2 | win10-2 | KVM | 2025-06-13 01:59:53 | 2025-06-13 02:30:17 | none |
File Details
| File Name |
Dxpserver.exe
|
|---|---|
| File Type | PE32+ executable (GUI) x86-64, for MS Windows |
| File Size | 308224 bytes |
| MD5 | 9965747d48fdab2b468051f1168339da |
| SHA1 | 6820af53c10814a666d6fedfcb49fb79c9de53ab |
| SHA256 | 914714ac5287f34e5c836abd6bd918c8f68fcb805990ef7bab378bfe4da27f44 [VT] [MWDB] [Bazaar] |
| SHA3-384 | 49bd06011d4b8841a288497cafd372f2175706158c542e4128c49ea78d8edd044e24bf08bd7d05641eaa2f4cc44c3a3e |
| CRC32 | CF5F1848 |
| TLSH | T12164281663EC18D5EDB6A27C8657C60AFB7278192B11C7CB1630824E1FB76E4AD3D321 |
| Ssdeep | 6144:NtyMZ6s/52E+/7pJ0mYNJ8V6IreJm3wAV:NtyMU4sRdoICawA |
| PE | File Strings BinGraph Vba2Graph VirusTotal |
l$ VWATAVAWH
registryKeyExists
@.data
GdipGetImageHeight
SelectObject
PSCreateMemoryPropertyStore
hA_A^A]A\_^[]
uq;~X
Component.Hub
ReleaseMutex
GetStartupInfoW
APPID
x ATAUAWH
CryptCATCatalogInfoFromContext
Display.Projector
Display.TV.LCD
Network.NIC
Media.Storage.Flash.MemoryStick
CoMarshalInterThreadInterfaceInStream
version="7.0.0.0"
CreateSemaphoreExW
u*9Q<|%
backgroundColor
t>fD9u
CreateWindowExW
Component.Bridge.Storage
Display.TV
Media.Storage.Optical
RegSetValueExW
CreateXmlReader
Communication.Phone
CopyFileExW
X UVWATAUAVAWH
L$HE3
Microsoft.DxpOpen
Component.System
</security>
revocation
statusProvider
sheen
Health.Pedometer
endDate
equivalentAutoPlayHandler
Media.Storage.Optical.DVD
System.RelatedProperty.NotificationLinkProperty
SelectionNamespaces
VWAVH
Multimedia
SUgceeeeeaOGC3/
system
d$@E3
LCMapStringW
Microsoft Corporation
Component.Controller.Storage.Raid
LoadLibraryExW
fD9,Qu
memcmp
D!t$$H
OutputDebugStringA
_XcptFilter
f;D$ u
_lock
AtlThunk_DataToCode
PropVariantCopy
T$HE3
H9L$pu
USVWATAUAVAWH
@8FS
@SUVWAVH
<?xml version='1.0' encoding='utf-8' standalone='yes'?>
SECURITY
tgf;(tbH
L9t$P
AppID
_initterm
fD9,Bu
type="win32"
.idata$5
%s\*.*
H;D$(uEH
fG94Cu
swscanf_s
PSGetPropertyDescriptionByName
marketingBullets
t{LcC
.pdata
category
\$Xu8H
Microsoft
Component.Controller.Storage.SCSI
GdipDeleteGraphics
deviceBehavior
H;t$X}1H
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
/>
prop:
8A_A^A]A\_^][
Communication.Headset.Bluetooth
GetMessageW
D$XH9D$PtIH
VP;VTu>
SetEvent
t"E8z
_exit
Sensor.Motion
OpenActivity
0A^_^
publicKeyToken="6595b64144ccf1df"
->?><6+
%hs!%p:
HKCU\
Component.Tuner.TV.Proprietary
f;D$(u-H
0A_A^A\_^
Storage.CardReader.Combo
launcherThumbnail
UnregServer
HKEY_PERFORMANCE_DATA
x`D;e@sZH
Mscoree.dll
description
Storage.UFD
yqoej
HKCR\
p WAVAWH
guidTask
u.fD;|$8
Component.Hub.1394
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
Component.Controller.Storage
ActivityStoppedAutomatically
x>D;f`}8H
WinSqmAddToStreamEx
Display.Monitor.Plasma
Sensor.Location
CoCreateInstance
GetCommandLineW
%4hu-%2hu-%2huT%2hu:%2hu:%2huZ
xHfD;|$0u
'<=YallccSQD9
GetFileAttributesW
Microsoft.DXP.AttachedDevice.%s
CompareFileTime
|$HD8q
Computer.Portable
Storage.Changer
xmlns:asmv3="urn:schemas-microsoft-com:asm.v3"
t"D8y
tEfD9e
.CRT$XIA
GdipDisposeImage
name="Microsoft.Windows.DXPServer"
LocalServer32 = s '%MODULE%'
%s\sign.cat
DispatchMessageW
fA9,Au
![3!A
watermarkImage
x.;PH})
DestroyIcon
ResetEvent
Component.Hub.USB
linkColor
x UAVAWH
type="win32"
taskGroupId
FileDescription
A?f;D$ u
behavior.xml
Component.Cable.Transfer.USB
D8g8t
-~G')v<
\$ VWAVH
CreateRectRgn
UWATAVAWH
http://schemas.microsoft.com/windows/2008/deviceExperienceTasks
ntdll.dll
10.0.17763.1
D9e0t
win:Informational
InitializeCriticalSection
A_A^A\_^
HKEY_DYN_DATA
SetWindowLongPtrW
L$hE3
Network.WUSB
nH9D$@u.A
SelectionLanguage
Media
Network.NIC.Ethernet
D$(E3
fD9<Hu
V:D0'
SUWgklccc_PHC3/
CLSID
Multimedia.DVR
command
System.RelatedProperty.NotificationLinkText
message
originatingContextName
0A_A^_^]
DeviceConnect
zzz2p
valign
L$(E3
memmove_s
.rdata$zETW9
taskId
UVWAVAWH
L$0E3
L$8H3
Storage.FDD
D$ H+
Storage.HDD
issueTime
A_A^A\_]
NetBIOS
TerminateProcess
format
f9,Au
3;DD>6$
86ANQS,
http://schemas.microsoft.com/windows/DeviceMetadata/DeviceStage/2008/1/
LessThan
level="asInvoker"
,$fE;)
manifestVersion="1.0">
nation
Object
requirements
Device Stage Platform Server
Network.Bluetooth
PathRemoveFileSpecW
A_A^A]
Storage
System.RelatedProperty.Text
categoryRef
D$`H+
categoryId
.text$x
HKEY_LOCAL_MACHINE\
CreateMutexW
Equal
SetFileAttributesW
Sensor.Mechanical
wcstoul
L$HH3
descriptionColor
A^_^
CryptCATAdminAcquireContext
SHStrDupW
GetModuleHandleW
HostedSiteWithDevice
Network.Router
L$ E3
@USVWAUH
Computer.SpaceSaving
.giats
kernelbase.dll
Network.MobileBroadband
SystemTimeToFileTime
Provider\Microsoft.Base.DevQueryObjects//DDO:{00000000-0000-0000-FFFF-FFFFFFFFFFFF}
Media.Storage.Flash.CompactFlash
f;+t'H
Microsoft.DevicesAndPrinters
center
0A_A^_
Component.Cable
OriginalFilename
win:Start
Hc*3
LcvP3
LcWH3
Sensor.Environmental.Temp
D9|$`u
CommandInvoked
fD94Au
Lc}XH
Component.Tuner.TV.OpenCable
singleInstance
CreateCompatibleBitmap
\$8E3
D9yL|
Display.Monitor.CRT
x ATH
9Y`~+;Q`s&
;^`}/
Network.PrintServer
UVWATAUAVAWH
CloseHandle
L$8E3
PersonalIdentity.FaceScanner
f;l$(
@.reloc
HA_A^A]A\_^[]
0A_A^A]_^
x/;Q`}*H
LoadResource
_purecall
xvD;n`}pH
D9K(t
failureCount
GetSystemTimeAsFileTime
HostedSite
A__^[]
Multimedia.VoiceRecorder
IsIconic
DispatchMessageA
0{B]
AtlThunk_InitData
\PackageInfo.xml
dwmapi.dll
<dependency>
|$HE3
#comment
Computer.Tablet
RegisterWindowMessageW
CharNextW
SetUnhandledExceptionFilter
>_]cYHZ[=.
xBfD;e
Multimedia.GameConsole
D$ E3
2885/
.text
3cssz
Component.Tuner.Radio
H$H9Q
Component.System.Board
pA__^[]
.rdata$brc
CHAN`
originatingContextId
L$`E3
&(z2a.~8
f;|$@
msi.dll
s WAVAWH
u+fD;e
Media.SmartCard
SHParseDisplayName
AllowTask
.idata$4
x HcV
<assemblyIdentity
ywoc\\,
fE94Hu
Sensor.Environmental
Component Categories
__dllonexit
UX;UP
Network.Bridge
Input.Mouse
Sensor.Electrical
RegEnumKeyExW
fA9,Iu
fD;|$0u
9Yp~+;Qps&
fmtid
HcD$ H
DestinationListCreation
__C_specific_handler
f9<Au
TraceMessage
0A_A^A]A\_^]
tDfD93t>H
%s\%s
CreateEventW
CD9;Y_ccccSOA6
|$ AVH
LoadLibraryExA
architecture
DeleteObject
horizontal
.text$mn$00
t$ WH
SetLastError
Display.SideShow
fA9,Su
.rsrc$01
CallContext:[%hs]
DebugBreak
Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
Y@H9;u%L
D$DE3
f;D$0
A_A^A]A\_^[]
RegDeleteValueW
Network
Local\{9ea26f7c-c1a5-466d-9c5e-0be4435f9910}
uO9T$`vIL
f9,xu
CoTaskMemRealloc
rqH;MPwkH
VirtualAlloc
GetTraceEnableLevel
f9<Xu
T>QbM
WinVerifyTrustEx
LeaveCriticalSection
+C66ENNOIYOQNSIYO61
8;>>;3
H9D$Xt
|$ AWH
L$ SVWH
GetTraceLoggerHandle
inclusion
Component
xwL9|$Pu
Microsoft Corporation. All rights reserved.
Display.TV.CRT
callContext
L$PH3
0A_A]A\
HcMXH
SHCreateStreamOnFileW
Component.Tuner.TV.DCB-S
PrintFax.FAX
?{uSH
.text$yd
L9)u/H
fD9{l
DXPServer.pdb
GetWindowLongPtrW
//dxpTask:taskGroup/dxpTask:tasks/dxpTask:task[translate(@id, '{}-0123456789ABCDEF', '{}-0123456789abcdef')="%s"]/dxpTask:command
Lcg`E3
Storage.CardReader
t2D8i
LcA<E3
Wadvapi32.dll
u#L9I
H WATAUAVAWH
@.rsrc
Software\Policies\Microsoft\DXP\Tasks
AcquireSRWLockExclusive
/>
Input.Digitizer.Touchscreen
`A_A^A]A\_^]
MsgWaitForMultipleObjects
CoDisconnectObject
LegalCopyright
Storage.Optical.CD
property
~0;PHs+
CallWindowProcW
function
ATL$__a
hexNumber
<dependentAssembly>
Component.Controller.1394
PrintFax.Printer.Inkjet
LcwP3
!^HH!^PH
OPCOx
fD9|U
@A_A^A]A\_^]
244*'
L$0H3
tooltip
FlushInstructionCache
DwmSetIconicThumbnail
xz;kX}uH
wilActivity
fD9<Bu
NoRemove CLSID
.rdata$zzzdbg
ForceRemove 'Programmable'
processorArchitecture="*"
f94Au
LoadStringW
WAVAWH
AtlThunk_FreeData
.rdata
realloc
|$XE3
D$ uffH
,@EGGFE?07
D$hHc
RegDeleteKeyW
x7;_`}2H
D$pfA
x1;\$@s&
</asmv3:application>
WorkingSetComposition
Component.Controller.SDH
x3L9|$`u,H
D$$I;
DwmSetWindowAttribute
value
L9{Pt
fD9,Au
Input.Digitizer
SetLayout
GdiplusStartup
yoo`q*
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\%s
WaitForSingleObject
x>;\$@s3
TTBL8
PrintFax.MFP
Storage.Optical.BluRay
AEJC;X_clllSYE60
qsort
Input.Digitizer.Touchpad
GetClassInfoExW
CoFreeUnusedLibrariesEx
GetModuleFileNameA
ModifyMenuW
PA_A^A\_^[]
Multimedia.DMP
FindResourceExW
DeleteMenu
string
Component.Bridge.Network
.idata$3
H9_Xt
x-;\$@s"
?6AAN^%
Component.Controller.USB
!D9{hH
Input.Gaming.Common
RtlDllShutdownInProgress
Computer.AllInOne
AllowList
linkHoverColor
Computer.Handheld.Windows
Computer.Tower
Component.Controller.CardBus
functionRequirements
ExpandEnvironmentStringsW
experienceId
Microsoft.Windows.Shell.DeviceStage
Storage.Tape
Audio.Microphone
(_^][
LEVL@
__setusermatherr
UATAUAVAWH
HeapFree
Software\Microsoft\Windows\CurrentVersion\Uninstall
connectBehavior
UWATAUAVH
Component.KVM
currentContextId
GetTickCount
fE9,Gu
T$PE3
tGHcM
L$@E3
defaultLCID
"k*{Z
Sensor.Proximity.RFID
.CRT$XIY
Display.Monitor
hW+$M?
L$@H3
PostMessageW
TaskbarButtonCreated
indirect
WinSqmSetString
GdiplusShutdown
/>
scalingBehavior
textColor
D$XH;
WEVT_TEMPLATE
System.RelatedProperty.NotificationText
GetSystemDefaultLCID
Media.Storage.Optical.BluRay
UWAVH
u(8Y`t
MultiByteToWideChar
ATL$__m
A_A^A\
/fD;e
Component.Capture.Video
EventSetInformation
4<>>84'
maximizeLogoSize
Storage.HDD.SolidState
GdipCloneImage
fA9<wu
iswspace
UWAUAVAWH
isvGuid
OutputDebugStringW
D$0fD
UnregisterTraceGuids
% -)!!#
PropVariantToGUID
H9_xt*H
ReturnHr
PrintFax.Printer
SHELL32.dll
operator
WINTRUST.dll
xmlns="urn:schemas-microsoft-com:asm.v1"
</dependency>
Tasks
@A^_]
A^A\]
tufE9xl
region
Audio.Speakers.Wireless
Network.NIC.IR
H;l$`
3;;;6+$
WATAUAVAWH
0HcY`H
Device
-QfnnqrrqnhhR
uiAccess="false"
;hxt$H
Communication.Headset
A_A^A]A\_
.CRT$XCAA
requirementId
\$@E3
WTHelperGetProvSignerFromChain
\$ UH
ADVAPI32.dll
(HcAP3
CreateThread
CoRevokeClassObject
L9{0t#H
.00cfg
t$ UWAUAVAWH
Component.Cable.Transfer
FreeLibrary
Component.SmartCardReader
FailFast
Imaging.Scanner
fD;l$@
Multimedia.DMR.MCX
%s\Microsoft\Device Stage
fD9tDNt
userGeoID
CompanyName
GetCurrentThreadId
@A_A^_
UuidFromStringW
Display.TV.Plasma
u HcA<H
Network.Modem
tK91u
t2HcV
CoRegisterClassObject
CryptCATAdminReleaseContext
GetProcessHeap
{ AUAVAWH
Sleep
Shell_NotifyIconW
HKEY_CLASSES_ROOT
FileName
fD9<_u
t$ UWATAVAWH
ShellExecuteExW
LessThanOrEqual
GdipGetImageWidth
atlthunk.dll
Input.Gaming.Steering
tyfD9u
RegOpenKeyExW
invert
H9_Hs<
H9D$xt
ReleaseSemaphore
wcsncpy_s
Display.PictureFrame
CoUnmarshalInterface
Network.Switch
FindFirstFileW
D$HH9D$@t
Computer.Notebook.Sub
PA_A^A]A\_^]
IsWindowUnicode
Component.Controller.WUSB
productInstalled
l$ VWAVH
internal\sdk\inc\wil\result.h
|$ UAUAVH
A^_^][
LcfX3
CloseThreadpoolTimer
PropVariantToStringAlloc
Storage.Network
fE9$Au
fE94Au
xU;^`}P
fA9,Bu
Audio.Speakers.USB
L$ SUVWH
DrawIconEx
D$$9D$ t
fC9<wu
fD9d$pH
RegisterClassExW
\Required Categories
Communication.Phone.Cell
R$fA;Z*
x)fD;|$Pu
]0H+]
Storage.Network.Wireless
%h-y$g-B
D$PE3
#i:LF
logos
(caller: %p)
CryptCATAdminEnumCatalogFromHash
(t$pH9L$Pu
_callnewh
RPCRT4.dll
xzD;v
StringFromGUID2
__set_app_type
(null)
SignatureVerification
H;M`w|H
Component.Bridge
</trustInfo>
T$8E3
Network.WUSB.DWA
GetUserDefaultLCID
HResult
040904B0
AutoPlayLaunch
%s\PackageInfo.xml
w0H9_
WXA;W\uRA
D9w tJH
<dpiAware>true</dpiAware>
.rdata$zETW2
SizeofResource
!t$ M
\$0tB
GdipCreateBitmapFromFile
l$@D8q
Bluetooth
@USVWAVH
name="Microsoft.Windows.Common-Controls"
wqihaaL
XPath
lstrcmpiW
swprintf_s
http://schemas.microsoft.com/windows/2008/deviceExperienceBehavior
HcA<H
CreateIconIndirect
A_A^A]A\_^]
PeekMessageW
product
A_A^]
DeviceAccess
Media.Storage
fE9,Xu
fE9,Nu
SHLWAPI.dll
TranslateMessage
<requestedPrivileges>
t"D8=j
WinSqmStartSession
%s\Device\%s
right
wcscat_s
InitOnceComplete
@USVWAWH
ForceRemove
PROPSYS.dll
RegQueryValueExW
@SVWH
VarFileInfo
VWAUAVAWH
_fmode
L9l$H
KpD8y(t
val AppID = s '%APPID%'
WinSqmIsOptedIn
PRVA@
t$`fD9t$`t2H
CoSuspendClassObjects
Metadata
_vsnwprintf
CreateDIBSection
Input.Digitizer.Multitouch
Health.HeartRate
firstConnectTask
t-D8i
x";_X}h
CreateFileW
ForceRemove {b8f87e75-d1d5-446b-931c-3f61b97bca7a}
StgDeserializePropVariant
Audio.Speakers
@A]_^[]
Component.Tuner.TV
Local\SM0:%d:%d:%hs
f;D$(t
RegGetValueW
Network.UWB
USVWATAUAVH
L$PE3
Communication.Phone.Speaker
Sensor.Light
A^A]]
Imaging.Webcam
FormatMessageW
module
InitializeCriticalSectionAndSpinCount
SHQueryUserNotificationState
Display.Dock
<security>
%s,%d
CoUninitialize
{ UAVAWH
A_A^A]A\_
D$@fD
10.0.17763.1 (WinBuild.160101.0800)
GdipDrawImageRectI
NoRemove
CLSID\
runOnce
DeleteCriticalSection
RaiseException
GetWindowLongW
D9etuN
RtlCaptureContext
win:Info
Component.System.Processor
Communication.Phone.IP
L!t$0E3
registryValue
x ATAVAWH
dateRange
;~P}~
Component.Tuner.TV.PAL
QUWgnoqlgcTSNO&
win:ResponseTime
PrintFax.Printer.Laser
WTHelperProvDataFromStateData
Computer.Laptop
CoResumeClassObjects
Network.Bridge.Wifi2Ether
yoo`\i%
EnumWindows
HcUp3
HKEY_LOCAL_MACHINE
f;D$0uCH
l$pE3
WinSqmIncrementDWORD
A_A^_
GetIconInfo
SetWindowRgn
d$HfD
ActivityError
Imaging
fD;d$p
VirtualFree
A_A^A\
sP=*`J
ShellExecute
PersonalIdentity.Smartcard
Sensor.Proximity
D$0H;
x AUAVAWH
DXPServer.EXE
@USVWATAVAWH
H;D$X
GetMenuState
InterlockedPopEntrySList
vertical
Status
7fD;>u
SetWindowTextW
T$(E3
E H9K@t'H
Computer.Sealed
D9sp~&;sps!
l_0S.B
DeleteDC
Component.Tuner.TV.NTSCMJ
GdipAlloc
tWfA;
Input
ReleaseSRWLockExclusive
__wgetmainargs
LoadCursorW
x/;Qp}*H
autoPlayEventHandlerType
InPaneLayout
Up;Ut
u$L97t
RtlLookupFunctionEntry
internal\sdk\inc\wil\resource.h
GetTraceEnableFlags
[%hs(%hs)]
Multimedia.DMC
QueryPerformanceCounter
Component.Controller.Bluetooth
D$8fD;|$Pu
threadId
RtlGetNativeSystemInformation
msvcrt.dll
g7'7p
\$ UVWATAUAVAWH
StringFileInfo
RegNotifyChangeKeyValue
t$ WAVAWH
Software
gdiplus.dll
0A_A^A]A\_
ole32.dll
MetadataID
Component.Capture
s WATAUAVAWH
'dxpServer.EXE'
Network.NIC.PLC
t^Hck
%s\%s\tsk%s
Computer.Handheld
@A_A^A]
.text$mn
D$XE3
H!MPI
L$ SH
failureId
processor
t%D8y
%s\Device
M9/uSH
Interface
f9<Cu
Network.HomeAutomation
Computer.Tower.Mini
SUVWATAUAVAWH
Component.Tuner
fE9,Fu
processorArchitecture="*"
DecodePointer
EventWriteTransfer
T$8H!t$8H
PathAppendW
KEYWD
PersonalIdentity.RetinalScanner
<requestedExecutionLevel
interfaceRequirements
T$@E3
$-11/
changeableTaskType
D$@E3
</asmv3:windowsSettings>
|$`fD
ATL:%p
Microsoft-Windows-DXP
t)@8i
resource.xml
DXPServer
IsDebuggerPresent
Computer.Desktop.Pizzabox
EventActivityIdControl
.rdata$zETW1
Module_Raw
CoCreateGuid
RtlVirtualUnwind
HciHH
_wcmdln
|$ UH
GetModuleFileNameW
preserveSpacing
Component.AudioAdapter
fD;8ugH
Input.Gaming.Generic
RaiseFailFastException
{01A39A4B-90E2-4EDF-8A1C-DD9E5F526568}
9_X~DE3
UrlEscapeW
watermarkAlign
.CRT$XCA
subsequentConnectTask
tBH9>
Health.BloodPressure
split
KERNEL32.dll
A^A]A\_]
f;D$@
SetThreadpoolTimer
x3;_H}.H
T$8H!\$8
UnhandledExceptionFilter
L9|$`ttH
DefWindowProcW
Imaging.Camcorder
EventUnregister
wcscpy_s
currentContextName
qleaj
Input.Remote
Storage.Changer.Optical
VS_VERSION_INFO
frameColor
?=u$L
halign
Hc_PA
x UATAUAVAWH
SHCreateShellItemArrayFromIDLists
A_A^_^]
.CRT$XCZ
bsearch
Multimedia.PMP
PostQuitMessage
HKEY_CURRENT_USER\
Computer.Desktop.LowProfile
currentContextMessage
Exception
Component.Controller.Serial
Input.Gaming.Controller
SendMessageW
Component.Tuner.TV.QAM
GdipSetSmoothingMode
.data
fD9lE
%s,-1
CRYPT32.dll
Network.NIC.Wireless
http://schemas.microsoft.com/windows/2008/deviceExperienceResources
D$Pf9E\t
\PropStore
T$$D!t$ H
PrintFax.Printer.Virtual
PathFileExistsW
commandLine
memset
Y2LKW!1;
k|2R1w
/241/)
[%hs]
RegServer
NotEqual
9A98u6A9x
\$ UVWAVAWH
GetProcAddress
Sensor.Proximity.NFC
ProductName
!\$ A
xoucE
l$@fD
Component.Controller.IR.MCE
fD; t
CreateCompatibleDC
Component.GraphicsCard
CryptCATAdminCalcHashFromFileHandle
InsertMenuW
.idata$6
deviceRequirements
T$xE3
D$`E3
CertVerifyCertificateChainPolicy
Invalid parameter passed to C runtime function.
GdipFree
ActivityIntermediateStop
Computer.Lunchbox
!D$ H
t^@8=
@A_A^_^]
Media.Storage.Flash.SD
D$HE3
Input.Gaming
Display.Monitor.LCD
taskCategoryMapping
K`D8y(t
language="*"
Component.Controller.IR
PA^_^
t$ UWAVH
MoveFileW
6be60881-d752-4be2-afec-3fd1d146ba7a
FileVersion
L$hH3
Computer.ThinClient
p AWH
dxpTask:arguments
t$ E3
%s\%s.dxp
ywoc`
Sensor
Component.System.Memory
wilResult
<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
t+D8i
u`f9]`t;I
fA9Z*v$A
A_A^_
UAVAWH
memcpy_s
Delete
</dependentAssembly>
SetFilePointer
CompareStringOrdinal
@Qm6t
Input.Keyboard
.q7~2}=
CheckMenuItem
Component.Tuner.TV.SECAM
taskGroup
xA_A^A]A\_^[]
<assemblyIdentity
PA^A]A\_^[]
taskRef
\Implemented Categories
CoTaskMemAlloc
statusLink
beginDate
CreateMutexExW
GdipCreateFromHDC
statusPropList
L$XL+
Sensor.Orientation
EventRegister
t$@E9
Launcher
Audio.Headphone
Component.Controller
Multimedia.DMR
Audio.Speakerphone
PropVariantClear
A_A^_^]
CoInitializeEx
GDI32.dll
D9m8A
Multimedia.DMS
t"@8s
HeapAlloc
|$HI;
Computer.Netbook
requiresElevation
|$ UATAVH
LCIDToLocaleName
.data$brc
L$pH3
Network.AccessPoint
xi;sH}dH
H3E H3E
InternalName
Input.Trackball
Component.Controller.Storage.IDE
malloc
HKEY_CURRENT_CONFIG
xmlns:dxpTask='http://schemas.microsoft.com/windows/2008/deviceExperienceTasks'
.rsrc$02
EhD9$
Component.Tuner.TV.DVB-C
\$ UVWATAUAVAW
_unlock
Lcq`3
Sensor.Location.GPS
version="6.0.0.0"
Component.NIC
en-US
FindNextFileW
HKEY_CLASSES_ROOT\
OLEAUT32.dll
Computer.Rackmount
GreaterThan
@L9wHt*I
c(kx
.text$di
REGISTRY
FindClose
originatingContextMessage
Component.Tuner.TV.ISDB-T
VWATAVAWH
tasks.xml
UnregisterClassA
|$`E3
\$0E3
GetCurrentProcessId
tc!t$ H
RegCreateKeyExW
.rdata$zETW0
CreateThreadpoolTimer
Hardware
decNumber
WaitForSingleObjectEx
fE9<Au
MetadataAcquisition
Audio
GetSystemMetrics
Module
Computer.Server
CharUpperW
GetMessageA
PSGetPropertyDescriptionListFromString
%s%s\%s
GreaterThanOrEqual
tRA;Sh}j
@USWH
PersonalIdentity
CoTaskMemFree
PostThreadMessageW
Computer
ywlica
.CRT$XIZ
K(D8q(t
InterlockedPushEntrySList
Input.KVM
9T$`A
EncodePointer
!This program cannot be run in DOS mode.
Msg:[%ws]
@A^_^
header
Computer.Desktop
Health.BloodGlucose
u>A9v
?9+&!&%+%
Lct$$H
~nLcy
PrintFax
K`D8q(t
!t$ E
statusProp
backgroundImage
Component.Controller.Storage.SATA
A^_^[]
USER32.dll
x UATAVH
taskGroupGuid
fD9,qu
D$ fD
L9{@u
OpenSemaphoreW
Input.Remote.MCE
'%APPID%' = s 'dxpServer'
Media.Storage.Optical.CD
GetUserGeoID
DeviceID
FallbackError
\$(E3
f9H\u
EnterCriticalSection
.CRT$XCU
Microsoft-Windows-DXP/Analytic
RegDeleteKeyExW
D$ uSH
_errno
LoadImageW
0@BFCC;3%
CryptCATAdminReleaseCatalogContext
%hs(%d) tid(%x) %08X %ws
HKEY_CURRENT_USER
</requestedPrivileges>
GetCurrentProcess
<assembly
win:Stop
t:D;}
d$pE3
HcNPH
fileName
online
PersonalIdentity.SmartcardReader
RSDSo]
LocalFree
%s\%s\cat%s
L9l$(tdH
D$8E3
L9o@t
Component.Tuner.TV.DVB-T
Input.Gaming.Gamepad
</assembly>
LcqX3
Audio.Adapter
Translation
A_A^A]A\_^]
Component.Tuner.TV.NTSC
appPath
ATL$__z
UP!uPH
(A_A^A]A\_^][
ignoreCase
WilError_02
SHCreateStreamOnFileEx
RegisterTraceGuidsW
FileType
Storage.Optical
D$0H+
<asmv3:application>
L$0H;
ProductVersion
PropVariantChangeType
WinSqmSetDWORD
tNHcF`D
fD90u
t5D8i
f;t$(u|
WinSqmEndSession
PersonalIdentity.FingerprintReader
t$PE3
modelInfo
ShowWindow
_onexit
fE9,Au
.CRT$XIAA
Component.Controller.Storage.iSCSI
A_A^A\_^[]
failureType
Windows
amd64
Health
hresult
Communication
D$0E3
<description>Device Experience Platform</description>
=L9o<
PropVariantCompareEx
.idata$2
Input.Digitizer.Pen
x AVH
.CRT$XCL
L9Q0t-A;Sh}H
PSGetPropertyKeyFromName
uAD9n
|$PE3
CreateSemaphoreW
SYSTEM
Component.Battery
HKEY_USERS
AtlThunk_AllocateData
t.D91v)
Display.TV.DLP
.xdata
.gfids
vendorName
Media.Storage.Flash
IcGXE3
appearance
fD;|$8u
XmlLite.dll
%hs(%d)\%hs!%p:
Operating System
f;D$Pu
fD;d$Xt
TypeLib
SHGetPropertyStoreForWindow
GetModuleHandleExW
_cexit
EventData
Network.Router.Wireless
pA_A^A\_^[]
GetFileMUIPath
Imaging.Camera
shellApplicationID
t$ WATAUAVAWH
Storage.Optical.DVD
statusItems
GetLastError
propertyRequirement
@USVWATAUAVAWH
UWAWH
_commode
image
launchFlags
LogHr
_amsg_exit
NoRemove AppID
bullet
p WATAUAVAWH
?terminate@@YAXXZ
|$ UAVAWH
allowedDomain
ywwlicai}=
f;D$(u
LayoutInitialized
Display
bottom
Component.Tuner.TV.ATSC
PathParseIconLocationW
A_A^A]A\]
A_A^A]_]
InitOnceBeginInitialize
GetSystemInfo
Computer.Notebook
`.rdata
autoPlayHandler
RegQueryInfoKeyW
HKLM\
RegCloseKey
GetSystemMenu
|$ UATAUAVAWH
Other
lineNumber
/.12AGG
PE Information
| Image Base | Entry Point | Reported Checksum | Actual Checksum | Minimum OS Version | PDB Path | Compile Time | Import Hash | Icon | Icon Exact Hash | Icon Similarity Hash | Icon DHash |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 0x140000000 | 0x00030ac0 | 0x0005ab77 | 0x0005ab77 | 10.0 | DXPServer.pdb | 1990-05-21 19:02:26 | d9b5765d61da505c6a851775ef26187c |  |
aa6630e5d762b36bb4ff482026fecbcf | 64ec86154d08c2e3ca45e770159ac587 | 6261e422c9e8780d |
Version Infos
| CompanyName | Microsoft Corporation |
|---|---|
| FileDescription | Device Stage Platform Server |
| FileVersion | 10.0.17763.1 (WinBuild.160101.0800) |
| InternalName | DXPServer |
| LegalCopyright | รยฉ Microsoft Corporation. All rights reserved. |
| OriginalFilename | DXPServer.EXE |
| ProductName | Microsoftรยฎ Windowsรยฎ Operating System |
| ProductVersion | 10.0.17763.1 |
| Translation | 0x0409 0x04b0 |
Sections
| Name | RAW Address | Virtual Address | Virtual Size | Size of Raw Data | Characteristics | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x00000400 | 0x00001000 | 0x000307bc | 0x00030800 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.25 |
| .rdata | 0x00030c00 | 0x00032000 | 0x0000d228 | 0x0000d400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.66 |
| .data | 0x0003e000 | 0x00040000 | 0x000018f8 | 0x00000c00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 2.68 |
| .pdata | 0x0003ec00 | 0x00042000 | 0x0000195c | 0x00001a00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.29 |
| .rsrc | 0x00040600 | 0x00044000 | 0x0000a048 | 0x0000a200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 3.55 |
| .reloc | 0x0004a800 | 0x0004f000 | 0x00000a70 | 0x00000c00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 5.16 |
| Name | Offset | Size | Language | Sub-language | Entropy | File type |
|---|---|---|---|---|---|---|
| MUI | 0x0004df40 | 0x00000108 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.91 | None |
| REGISTRY | 0x00044980 | 0x0000007b | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.59 | None |
| REGISTRY | 0x000448b8 | 0x000000c1 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.17 | None |
| WEVT_TEMPLATE | 0x0004d230 | 0x00000d0e | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.35 | None |
| RT_ICON | 0x00044a00 | 0x00000668 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.51 | None |
| RT_ICON | 0x00045068 | 0x000002e8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.74 | None |
| RT_ICON | 0x00045350 | 0x000001e8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.66 | None |
| RT_ICON | 0x00045538 | 0x000001a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.42 | None |
| RT_ICON | 0x000456e0 | 0x00000128 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.68 | None |
| RT_ICON | 0x00045808 | 0x00000ea8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.07 | None |
| RT_ICON | 0x000466b0 | 0x000008a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.21 | None |
| RT_ICON | 0x00046f58 | 0x000006c8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.55 | None |
| RT_ICON | 0x00047620 | 0x00000608 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.36 | None |
| RT_ICON | 0x00047c28 | 0x00000568 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.10 | None |
| RT_ICON | 0x00048190 | 0x000025a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.04 | None |
| RT_ICON | 0x0004a738 | 0x000010a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.25 | None |
| RT_ICON | 0x0004b7e0 | 0x00000988 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.49 | None |
| RT_ICON | 0x0004c168 | 0x000006b8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.85 | None |
| RT_ICON | 0x0004c820 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.74 | None |
| RT_GROUP_ICON | 0x0004cc88 | 0x000000d8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.15 | None |
| RT_VERSION | 0x00044510 | 0x000003a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.46 | None |
| RT_MANIFEST | 0x0004cd60 | 0x000004cd | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.90 | None |
Imports
| Name | Address |
|---|---|
| TraceMessage | 0x140034d98 |
| RegCloseKey | 0x140034da0 |
| RegQueryInfoKeyW | 0x140034da8 |
| RegEnumKeyExW | 0x140034db0 |
| RegOpenKeyExW | 0x140034db8 |
| RegSetValueExW | 0x140034dc0 |
| RegCreateKeyExW | 0x140034dc8 |
| RegDeleteValueW | 0x140034dd0 |
| EventRegister | 0x140034dd8 |
| EventUnregister | 0x140034de0 |
| GetTraceLoggerHandle | 0x140034de8 |
| GetTraceEnableLevel | 0x140034df0 |
| GetTraceEnableFlags | 0x140034df8 |
| RegisterTraceGuidsW | 0x140034e00 |
| UnregisterTraceGuids | 0x140034e08 |
| RegNotifyChangeKeyValue | 0x140034e10 |
| EventWriteTransfer | 0x140034e18 |
| EventSetInformation | 0x140034e20 |
| EventActivityIdControl | 0x140034e28 |
| RegGetValueW | 0x140034e30 |
| RegQueryValueExW | 0x140034e38 |
| Name | Address |
|---|---|
| CreateCompatibleBitmap | 0x140034e58 |
| DeleteDC | 0x140034e60 |
| SetLayout | 0x140034e68 |
| SelectObject | 0x140034e70 |
| CreateCompatibleDC | 0x140034e78 |
| DeleteObject | 0x140034e80 |
| CreateDIBSection | 0x140034e88 |
| CreateRectRgn | 0x140034e90 |
| Name | Address |
|---|---|
| wcscpy_s | 0x140035538 |
| memmove_s | 0x140035540 |
| wcscat_s | 0x140035548 |
| swprintf_s | 0x140035550 |
| bsearch | 0x140035558 |
| memcpy_s | 0x140035560 |
| _callnewh | 0x140035568 |
| _XcptFilter | 0x140035570 |
| _amsg_exit | 0x140035578 |
| __wgetmainargs | 0x140035580 |
| __set_app_type | 0x140035588 |
| exit | 0x140035590 |
| _exit | 0x140035598 |
| _cexit | 0x1400355a0 |
| _vsnwprintf | 0x1400355a8 |
| __C_specific_handler | 0x1400355b0 |
| wcsncpy_s | 0x1400355b8 |
| _purecall | 0x1400355c0 |
| __setusermatherr | 0x1400355c8 |
| _initterm | 0x1400355d0 |
| _wcmdln | 0x1400355d8 |
| _fmode | 0x1400355e0 |
| _commode | 0x1400355e8 |
| _errno | 0x1400355f0 |
| malloc | 0x1400355f8 |
| free | 0x140035600 |
| memcmp | 0x140035608 |
| ?terminate@@YAXXZ | 0x140035610 |
| _onexit | 0x140035618 |
| __dllonexit | 0x140035620 |
| _unlock | 0x140035628 |
| _lock | 0x140035630 |
| realloc | 0x140035638 |
| wcstoul | 0x140035640 |
| swscanf_s | 0x140035648 |
| iswspace | 0x140035650 |
| qsort | 0x140035658 |
| memset | 0x140035660 |
| Name | Address |
|---|---|
| CoMarshalInterThreadInterfaceInStream | 0x1400356d0 |
| CoDisconnectObject | 0x1400356d8 |
| CoFreeUnusedLibrariesEx | 0x1400356e0 |
| CoUnmarshalInterface | 0x1400356e8 |
| CoSuspendClassObjects | 0x1400356f0 |
| CoRegisterClassObject | 0x1400356f8 |
| CoRevokeClassObject | 0x140035700 |
| CoResumeClassObjects | 0x140035708 |
| CoCreateInstance | 0x140035710 |
| CoUninitialize | 0x140035718 |
| CoInitializeEx | 0x140035720 |
| CoTaskMemAlloc | 0x140035728 |
| CoTaskMemRealloc | 0x140035730 |
| CoTaskMemFree | 0x140035738 |
| StringFromGUID2 | 0x140035740 |
| CoCreateGuid | 0x140035748 |
| PropVariantCopy | 0x140035750 |
| PropVariantClear | 0x140035758 |
| Name | Address |
|---|---|
| RegisterTypeLib | 0x140035178 |
| LoadTypeLib | 0x140035180 |
| VariantClear | 0x140035188 |
| UnRegisterTypeLib | 0x140035190 |
| VarUI4FromStr | 0x140035198 |
| SysFreeString | 0x1400351a0 |
| SysAllocString | 0x1400351a8 |
| SysStringLen | 0x1400351b0 |
| VariantChangeType | 0x1400351b8 |
| VariantInit | 0x1400351c0 |
| Name | Address |
|---|---|
| PathParseIconLocationW | 0x140035280 |
| SHCreateStreamOnFileW | 0x140035288 |
| UrlEscapeW | 0x140035290 |
| SHStrDupW | 0x1400352a0 |
| PathRemoveFileSpecW | 0x1400352a8 |
| PathFileExistsW | 0x1400352b0 |
| PathAppendW | 0x1400352b8 |
| SHCreateStreamOnFileEx | 0x1400352d0 |
| Name | Address |
|---|---|
| StgDeserializePropVariant | 0x1400351d0 |
| PropVariantToGUID | 0x1400351d8 |
| PSGetPropertyKeyFromName | 0x1400351e0 |
| PropVariantToStringAlloc | 0x1400351e8 |
| PropVariantChangeType | 0x1400351f0 |
| PSCreateMemoryPropertyStore | 0x1400351f8 |
| PropVariantCompareEx | 0x140035200 |
| PSGetPropertyDescriptionByName | 0x140035208 |
| PSGetPropertyDescriptionListFromString | 0x140035210 |
| Name | Address |
|---|---|
| SHParseDisplayName | 0x140035238 |
| Shell_NotifyIconW | 0x140035248 |
| SHQueryUserNotificationState | 0x140035250 |
| SHCreateShellItemArrayFromIDLists | 0x140035258 |
| ShellExecuteExW | 0x140035260 |
| SHGetPropertyStoreForWindow | 0x140035270 |
| Name | Address |
|---|---|
| DwmSetWindowAttribute | 0x1400354a0 |
| DwmSetIconicThumbnail | 0x1400354a8 |
| Name | Address |
|---|---|
| GdipDrawImageRectI | 0x1400354b8 |
| GdipSetSmoothingMode | 0x1400354c0 |
| GdipDeleteGraphics | 0x1400354c8 |
| GdipCreateFromHDC | 0x1400354d0 |
| GdipGetImageHeight | 0x1400354d8 |
| GdipGetImageWidth | 0x1400354e0 |
| GdiplusShutdown | 0x1400354e8 |
| GdipFree | 0x1400354f0 |
| GdipDisposeImage | 0x1400354f8 |
| GdipCloneImage | 0x140035500 |
| GdipAlloc | 0x140035508 |
| GdipCreateBitmapFromFile | 0x140035510 |
| GdiplusStartup | 0x140035518 |
| Name | Address |
|---|---|
| RtlLookupFunctionEntry | 0x140035670 |
| RtlCaptureContext | 0x140035678 |
| WinSqmSetString | 0x140035680 |
| WinSqmAddToStreamEx | 0x140035688 |
| RtlVirtualUnwind | 0x140035690 |
| WinSqmSetDWORD | 0x140035698 |
| WinSqmIncrementDWORD | 0x1400356a0 |
| WinSqmStartSession | 0x1400356a8 |
| WinSqmIsOptedIn | 0x1400356b0 |
| WinSqmEndSession | 0x1400356b8 |
| RtlGetNativeSystemInformation | 0x1400356c0 |
| Name | Address |
|---|---|
| CreateXmlReader | 0x140035490 |
| Name | Address |
|---|---|
| UuidFromStringW | 0x140035220 |
| Name | Address |
|---|---|
| CertVerifyCertificateChainPolicy | 0x140034e48 |
| Name | Address |
|---|---|
| CryptCATAdminReleaseContext | 0x140035440 |
| CryptCATAdminCalcHashFromFileHandle | 0x140035448 |
| WinVerifyTrustEx | 0x140035450 |
| CryptCATAdminReleaseCatalogContext | 0x140035458 |
| CryptCATCatalogInfoFromContext | 0x140035460 |
| WTHelperProvDataFromStateData | 0x140035468 |
| CryptCATAdminAcquireContext | 0x140035470 |
| WTHelperGetProvSignerFromChain | 0x140035478 |
| CryptCATAdminEnumCatalogFromHash | 0x140035480 |
Usage
Processing ( 11.09 seconds )
- 10.46 ProcessMemory
- 0.585 CAPE
- 0.032 BehaviorAnalysis
- 0.007 AnalysisInfo
- 0.001 Debug
Signatures ( 0.06 seconds )
- 0.008 ransomware_files
- 0.006 antiav_detectreg
- 0.005 antianalysis_detectfile
- 0.005 ransomware_extensions
- 0.003 infostealer_ftp
- 0.003 territorial_disputes_sigs
- 0.003 ursnif_behavior
- 0.002 antiav_detectfile
- 0.002 infostealer_im
- 0.002 poullight_files
- 0.001 antianalysis_detectreg
- 0.001 antivm_vbox_files
- 0.001 antivm_vbox_keys
- 0.001 geodo_banking_trojan
- 0.001 browser_security
- 0.001 disables_backups
- 0.001 disables_browser_warn
- 0.001 disables_power_options
- 0.001 azorult_mutexes
- 0.001 infostealer_bitcoin
- 0.001 cryptbot_files
- 0.001 echelon_files
- 0.001 infostealer_mail
- 0.001 masquerade_process_name
- 0.001 revil_mutexes
- 0.001 modirat_behavior
Reporting ( 0.01 seconds )
- 0.007 CAPASummary
- 0.001 JsonDump
Signatures
The PE file contains a PDB path
pdbpath: DXPServer.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 2868 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 59 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections
Screenshots
No screenshots available.Hosts
No hosts contacted.
DNS
No domains contacted.
Summary
C:\Windows\System32\kernel.appcore.dll
\Device\CNG
\Device\CNG
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8F87E75-D1D5-446B-931C-3F61B97BCA7A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b8f87e75-d1d5-446b-931c-3f61b97bca7a}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b8f87e75-d1d5-446b-931c-3f61b97bca7a}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b8f87e75-d1d5-446b-931c-3f61b97bca7a}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b8f87e75-d1d5-446b-931c-3f61b97bca7a}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b8f87e75-d1d5-446b-931c-3f61b97bca7a}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b8f87e75-d1d5-446b-931c-3f61b97bca7a}\InprocHandler
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StateSeparation\RedirectionMap\Keys
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseActivationAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\Dxpserver.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\dxpServer.EXE\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{01A39A4B-90E2-4EDF-8A1C-DD9E5F526568}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{01A39A4B-90E2-4EDF-8A1C-DD9E5F526568}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{01A39A4B-90E2-4EDF-8A1C-DD9E5F526568}\AccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8F87E75-D1D5-446B-931C-3F61B97BCA7A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b8f87e75-d1d5-446b-931c-3f61b97bca7a}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b8f87e75-d1d5-446b-931c-3f61b97bca7a}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b8f87e75-d1d5-446b-931c-3f61b97bca7a}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b8f87e75-d1d5-446b-931c-3f61b97bca7a}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b8f87e75-d1d5-446b-931c-3f61b97bca7a}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b8f87e75-d1d5-446b-931c-3f61b97bca7a}\InprocHandler
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StateSeparation\RedirectionMap\Keys
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseActivationAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\Dxpserver.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\dxpServer.EXE\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{01A39A4B-90E2-4EDF-8A1C-DD9E5F526568}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{01A39A4B-90E2-4EDF-8A1C-DD9E5F526568}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{01A39A4B-90E2-4EDF-8A1C-DD9E5F526568}\AccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b8f87e75-d1d5-446b-931c-3f61b97bca7a}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b8f87e75-d1d5-446b-931c-3f61b97bca7a}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseActivationAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\dxpServer.EXE\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{01A39A4B-90E2-4EDF-8A1C-DD9E5F526568}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{01A39A4B-90E2-4EDF-8A1C-DD9E5F526568}\AccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b8f87e75-d1d5-446b-931c-3f61b97bca7a}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b8f87e75-d1d5-446b-931c-3f61b97bca7a}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseActivationAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\dxpServer.EXE\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{01A39A4B-90E2-4EDF-8A1C-DD9E5F526568}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{01A39A4B-90E2-4EDF-8A1C-DD9E5F526568}\AccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
Local\{9ea26f7c-c1a5-466d-9c5e-0be4435f9910}
Local\SM0:2868:304:WilStaging_02
Local\SM0:2868:304:WilStaging_02
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.
No hosts contacted.
No TCP connections recorded.
No UDP connections recorded.
No domains contacted.
HTTP Requests
No HTTP(s) requests performed.
SMTP traffic
No SMTP traffic performed.
IRC traffic
No IRC requests performed.
No ICMP traffic performed.
CIF Results
No CIF Results
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Suricata HTTP
No Suricata HTTP
Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.
Sorry! No process dumps.