Analysis

Category Package Started Completed Duration Options Log(s)
FILE exe 2025-06-13 04:03:16 2025-06-13 04:34:13 1857 seconds Show Options Show Analysis Log
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1
2024-11-25 13:37:14,990 [root] INFO: Date set to: 20250612T19:12:01, timeout set to: 1800
2025-06-12 20:12:01,206 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8
2025-06-12 20:12:01,206 [root] DEBUG: Storing results at: C:\tVbiHTGN
2025-06-12 20:12:01,206 [root] DEBUG: Pipe server name: \\.\PIPE\RuezaLsf
2025-06-12 20:12:01,206 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-12 20:12:01,206 [root] INFO: analysis running as an admin
2025-06-12 20:12:01,206 [root] INFO: analysis package specified: "exe"
2025-06-12 20:12:01,206 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-12 20:12:02,190 [root] DEBUG: imported analysis package "exe"
2025-06-12 20:12:02,190 [root] DEBUG: initializing analysis package "exe"...
2025-06-12 20:12:02,190 [lib.common.common] INFO: wrapping
2025-06-12 20:12:02,190 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-12 20:12:02,190 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\Microsoft.AAD.BrokerPlugin.exe
2025-06-12 20:12:02,190 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-12 20:12:02,190 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-12 20:12:02,190 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-12 20:12:02,190 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-12 20:12:02,378 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-12 20:12:02,394 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-12 20:12:02,425 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-12 20:12:02,440 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-12 20:12:02,518 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-12 20:12:02,518 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-12 20:12:02,518 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-12 20:12:02,518 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-12 20:12:02,518 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-12 20:12:02,518 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-12 20:12:02,534 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-12 20:12:02,534 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-12 20:12:02,534 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-12 20:12:02,534 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-12 20:12:02,534 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-12 20:12:02,534 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-12 20:12:02,534 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-12 20:12:02,534 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-12 20:12:13,863 [modules.auxiliary.digisig] DEBUG: File has a valid signature
2025-06-12 20:12:13,863 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-12 20:12:13,863 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-12 20:12:13,863 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-12 20:12:13,863 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-12 20:12:13,863 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-12 20:12:13,863 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-12 20:12:13,863 [modules.auxiliary.disguise] INFO: Disguising GUID to 5945a030-8817-45fb-b2c0-dd97f5659752
2025-06-12 20:12:13,863 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-12 20:12:13,863 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-12 20:12:13,863 [root] DEBUG: attempting to configure 'Human' from data
2025-06-12 20:12:13,863 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-12 20:12:13,863 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-12 20:12:13,878 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-12 20:12:13,878 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-12 20:12:13,878 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-12 20:12:13,878 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-12 20:12:13,878 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-12 20:12:13,878 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-12 20:12:13,878 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-12 20:12:13,878 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-12 20:12:13,878 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-12 20:12:13,878 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-12 20:12:13,878 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-12 20:12:13,878 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-12 20:12:13,909 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini
2025-06-12 20:12:13,909 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-12 20:12:13,909 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-12 20:12:13,909 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-12 20:12:13,909 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-12 20:12:13,909 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-12 20:12:13,909 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-12 20:12:13,925 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\MWpquJ.dll, loader C:\tmp_gell1p8\bin\jbfRauFG.exe
2025-06-12 20:12:14,003 [root] DEBUG: Loader: IAT patching disabled.
2025-06-12 20:12:14,003 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\MWpquJ.dll.
2025-06-12 20:12:14,050 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-12 20:12:14,050 [root] INFO: Disabling sleep skipping.
2025-06-12 20:12:14,050 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-12 20:12:14,050 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-12 20:12:14,050 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-12 20:12:14,050 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-12 20:12:14,050 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-12 20:12:14,050 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-12 20:12:14,065 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-12 20:12:14,081 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-12 20:12:14,081 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 4552, image base 0x00007FF60D500000, stack from 0x0000008EFACF4000-0x0000008EFAD00000
2025-06-12 20:12:14,081 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-12 20:12:14,097 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-12 20:12:14,097 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-12 20:12:14,097 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\MWpquJ.dll.
2025-06-12 20:12:14,097 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06 <truncated>
Machine

Name Label Manager Started On Shutdown On Route
win10-2 win10-2 KVM 2025-06-13 04:03:16 2025-06-13 04:33:53 none

File Details

File Name
Microsoft.AAD.BrokerPlugin.exe
File Type PE32+ executable (GUI) x86-64, for MS Windows
File Size 229688 bytes
MD5 67fa2debc06f28f56a08f59a013aff2f
SHA1 06e2b299ccbd130e6d62076a4dcba1f6d3b4583e
SHA256 68c0d0cf9076650118dd276e00d3c2ea00869acf43923720c9748f5c109de285 [VT] [MWDB] [Bazaar]
SHA3-384 71ef1b0341d87961c37fe6a5714f2f3aeb52ec231dfd115e12b774156756cc0a1dfe804675360190653112b6b8e80d5a
CRC32 AC671FAF
TLSH T19324B56A7F6C90D2D535607D44858348F772F8A10F225BCB9560833E5E3B6F8AD3A2B1
Ssdeep 3072:bVUPOk4LSDfRVqIIc7jhu4OwhqIsfJnxZzUemVOWa0kfW6vTSgWygUyQmZV4Rbe7:bVkOCzRVqII/4tARvoTpku6vTS3
File BinGraph Vba2Graph VirusTotal

AAD.Core.WebAccountProcessor
?EventSourceInitialize@Details@Platform@@YAXPEAPEAX@Z
PA_A^A]A\_^]
.PE$AAVException@Platform@@
^1?]8
Microsoft Corporation1.0,
?__abi_WinRTraiseChangedStateException@@YAXXZ
?EventSourceGetTargetArray@Details@Platform@@YAPEAXPEAXPEAUEventLock@12@@Z
@.data
A_A^A]_^[
Thales TSS ESN:AB41-4B27-F0261%0#
.idata$6
?what@exception@@UEBAPEBDXZ
.idata$4
WindowsCreateStringReference
??0OutOfMemoryException@Platform@@QE$AAA@XZ
;t$p|
GetStartupInfoW
.PE$AAVNotImplementedException@Platform@@
no such process
m0Xs,
f)x{F
\$ AVH
PA^_^][
D9d$H};H
`A_A^A]A\_^[
__dllonexit
connection_aborted
identifier removed
D$HE3
Ipvector<T> too long
not supported
|hK,_
wincorlib.DLL
??0exception@@QEAA@AEBQEBD@Z
u*9Q<|%
not_a_socket
operation not supported
api-ms-win-core-com-l1-1-0.dll
cross device link
.CRT$XCC
bad_file_descriptor
wcsrchr
l$ VATAWH
PA^_^
FileVersion
no space on device
@SVWATAVAWH
cY7.L
d$HH;8u5H
D$PE3
L$hH3
??0FailureException@Platform@@QE$AAA@PE$AAVString@1@@Z
?__abi_cast_String_to_Object@__abi_details@@YAPE$AAVObject@Platform@@PE$AAVString@3@@Z
.?AVlength_error@std@@
__C_specific_handler
Microsoft Corporation1&0$
SVWAVH
1(0&0
180703204550Z
network_down
?__abi_WinRTraiseNotImplementedException@@YAXXZ
memmove
?__abi_FailFast@@YAXXZ
not a directory
WindowsConcatString
no link
TlP0X
Microsoft Corporation1-0+
?__abi_WinRTraiseDisconnectedException@@YAXXZ
D9t$(|-H;u0t'H
D9d$H}5H
interrupted
$Microsoft Ireland Operations Limited1&0$
_callnewh
(D$0f
?EventSourceGetTargetArraySize@Details@Platform@@YAIPEAX@Z
bad address
250701214655Z0|1
__set_app_type
A_A^_
|$ AVH
bad allocation
operation not permitted
.text$mn$00
t$ WH
VWAVH
@8{Lt(
ms-appx:///MainPage.xaml
PA_A^A]A\_^[
.rsrc$01
?__abi_make_type_id@@YAPE$AAVType@Platform@@AEBU__abi_type_descriptor@@@Z
system
O0M0K
D$8oy
040904B0
Microsoft Corporation
G D9m
?__abi_WinRTraiseInvalidCastException@@YAXXZ
Windows.Foundation.IReferenceArray`1<String>
_XcptFilter
.?AUIDisposable@Platform@@
Windows.Foundation.Collections.IIterator`1<Windows.UI.Xaml.Markup.IXamlMetadataProvider>
wcslen
229879+4379540
Ehttp://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt0
wrong_protocol_type
_lock
too many symbolic link levels
?ResolveWeakReference@Details@Platform@@YAPE$AAVObject@2@AEBU_GUID@@PEAPEAU__abi_IUnknown@@@Z
not enough memory
WindowsCreateString
WindowsDeleteString
AcquireSRWLockShared
@WAVH
Microsoft.AAD.BrokerPlugin.exe
HcA<H
CoTaskMemAlloc
RoReportUnhandledError
.?AVbad_alloc@std@@
A_A^A]A\_^]
?__abi_WinRTraiseInvalidArgumentException@@YAXXZ
@UVWATAUAVAWH
@SUVWAVH
Windows.UI.Xaml.RoutedEventHandler
Windows.Foundation.Collections.IVectorChangedEventArgs
.?AU__I?$Array@PE$AAVString@Platform@@$00PublicNonVirtuals@Platform@@
.?AUIWeakReferenceSource@Details@Platform@@
Windows.UI.Xaml.Application
api-ms-win-core-util-l1-1-0.dll
permission_denied
.data$r
3YWu!
resource unavailable try again
@UVWH
D9d$H
_initterm
filename_too_long
.?AVlogic_error@std@@
_CxxThrowException
Windows.UI.Xaml.Controls.Page
.idata$5
.?AVout_of_range@std@@
191123202654Z0
A_A^A\_^
resource deadlock would occur
not connected
.CRT$XIYA
D9t$(
protocol_not_supported
minATL$__r
too many files open in system
.rdata$T
destination address required
Windows.Foundation.Uri
ti;Q(s^
operation_would_block
.pdata
@SVWH
A_A^_^[
SetRestrictedErrorInfo
address not available
Microsoft
VarFileInfo
Microsoft Corporation. All rights reserved.
?EventSourceRemove@Details@Platform@@YAXPEAPEAXPEAUEventLock@12@VEventRegistrationToken@Foundation@Windows@@@Z
_fmode
.?AVexception@@
file exists
L$pH3
no such file or directory
L$PH3
message size
_acmdln
operation_in_progress
H3E H3E
InternalName
@UVWAVAWH
?EventSourceAdd@Details@Platform@@YA?AVEventRegistrationToken@Foundation@Windows@@PEAPEAXPEAUEventLock@12@PE$AAVDelegate@2@@Z
@A^_^][
.text$yd
malloc
0A_A\_^]
TUUUUUU
()$^.*+?[]|\-{},:=!
.CRT$XIYB
api-ms-win-core-profile-l1-1-0.dll
api-ms-win-core-libraryloader-l1-2-0.dll
?AlignedFree@Heap@Details@Platform@@SAXPEAX@Z
host_unreachable
.rsrc$02
LcA<E3
@Tl_H
_unlock
iostream
connection refused
read only file system
.PE$AAVFailureException@Platform@@
wrong protocol type
_exit
XamlTypeInfo.InfoProvider.XamlTypeInfoProvider
address family not supported
@.rsrc
operation would block
0A^_^
AcquireSRWLockExclusive
stream timeout
.text$di
20180915012857.508Z0
api-ms-win-core-winrt-string-l1-1-0.dll
Legal_Policy_Statement
?UninitializeData@Details@Platform@@YAXH@Z
Windows.Globalization.ApplicationLanguages
?__abi_WinRTraiseClassNotRegisteredException@@YAXXZ
@WAVAWH
protocol not supported
Platform.?$WriteOnlyArray@PE$AAUIXamlMetadataProvider@Markup@Xaml@UI@Windows@@$00
VWATAVAWH
LegalCopyright
I90u6A
bad message
L$(H3
CoCreateFreeThreadedMarshaler
10.0.17763.1 (WinBuild.160101.0800)
GetCurrentProcessId
L$XH3
I0G1-0+
DeleteCriticalSection
argument list too long
host unreachable
RtlCaptureContext
.?AU__I?$WriteOnlyArray@PE$AAVString@Platform@@$00PublicNonVirtuals@Platform@@
.tls$ZZZ
M0K0I
?GetIidsFn@@YAJHPEAKPEBU__s_GUID@@PEAPEAVGuid@Platform@@@Z
minATL$__z
?__abi_WinRTraiseAccessDeniedException@@YAXXZ
network_reset
x ATAVAWH
io error
pefR\
.?AUIValueType@Platform@@
.CRT$XLA
D$HH;
??0ChangedStateException@Platform@@QE$AAA@XZ
iostream stream error
.PE$AAUIDisposable@Platform@@
L$0H3
uNfff
Microsoft Time-Stamp PCA 20100
.?AV?$Module@$04VInProcModule@Details@Platform@@@WRL@Microsoft@@
operation canceled
A_A^A\_^[
D9t$8}
Windows.UI.Xaml.Window
argument out of domain
.rdata$zzzdbg
.rdata$r
`A^_^
??0Object@Platform@@QE$AAA@XZ
.?AVInProcModule@Details@Platform@@
bad file descriptor
WindowsDuplicateString
uh9Y(t#
WAVAWH
no such device or address
ty;](smI
D$<>r
.CRT$XIA
.rdata
api-ms-win-core-errorhandling-l1-1-0.dll
??1type_info@@UEAA@XZ
CoTaskMemFree
|$0L+
111019184142Z
too many files open
4sz!g\
minATL$__a
connection_already_in_progress
address_in_use
.CRT$XIZ
?GetWeakReference@Details@Platform@@YAPEAU__abi_IUnknown@@QE$ADVObject@2@@Z
Microsoft Corporation1200
no lock available
generic
?GetCmdArguments@Details@Platform@@YAPEAPEA_WPEAH@Z
D$$I;
??BType@Platform@@SA?AVTypeName@Interop@Xaml@UI@Windows@@PE$AAV01@@Z
Washington1
CH}#6%
?__abi_WinRTraiseNullReferenceException@@YAXXZ
%Microsoft Windows Production PCA 20110
InitializeCriticalSectionEx
FileDescription
!This program cannot be run in DOS mode.
%Microsoft Windows Production PCA 2011
20180915065459Z
A_A^A\
?__abi_WinRTraiseFailureException@@YAXXZ
@A^_^
address in use
already connected
U|.v
invalid_argument
?ReCreateFromException@Details@Platform@@YAJPE$AAVException@2@@Z
H;8u*L
?GetIBoxArrayVtable@Details@Platform@@YAPEAXPEAX@Z
Microsoft Corporation1
api-ms-win-core-processthreads-l1-1-0.dll
A_A^A]A\_^[
D$HL;
Redmond1
>http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0
?__abi_WinRTraiseWrongThreadException@@YAXXZ
ntdll.dll
no stream resources
SVWATAUAVAWH
owner dead
Failed to find main page.
network unreachable
api-ms-win-core-sysinfo-l1-1-0.dll
10.0.17763.1
directory not empty
Microsoft Time-Stamp PCA 2010
api-ms-win-core-synch-l1-1-0.dll
memcpy
.idata$3
network reset
UVWATAWH
WindowsIsStringEmpty
261019185142Z0
Ehttp://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z
ReleaseSRWLockExclusive
Microsoft Time-Stamp service
?GetActivationFactoryByPCWSTR@@YAJPEAXAEAVGuid@Platform@@PEAPEAX@Z
file too large
invalid seek
r~akow
not a socket
AAD token broker plugin
RtlLookupFunctionEntry
f9H\u
is a directory
|$ HcN
.CRT$XCU
A_A\^
QueryPerformanceCounter
.PE$AAUIEquatable@Details@Platform@@
no protocol option
??0FailureException@Platform@@QE$AAA@XZ
string too long
.PE$AAVChangedStateException@Platform@@
"Microsoft Window
cY7.u*
D9t$(}
msvcrt.dll
StringFileInfo
oK0D$"<
)D$ H
Failed to find frame.
no child process
Windows.Foundation.IReferenceArray`1<Windows.UI.Xaml.Markup.XmlnsDefinition>
`A_A^_^]
no buffer space
(u0U0
GetCurrentProcess
__setusermatherr
.?AVModuleBase@Details@WRL@Microsoft@@
L$8H3
invalid string position
already_connected
no message available
1http://www.microsoft.com/PKI/docs/CPS/default.htm0@
??0OutOfBoundsException@Platform@@QE$AAA@XZ
GetTickCount
@WATAUAVAWH
Microsoft.AAD.BrokerPlugin.pdb
Microsoft Time-Stamp service0
.text$mn
100701213655Z
broken pipe
not a stream
.CRT$XIY
RoOriginateError
TerminateProcess
L$@H3
9t$p~;H
Windows.Foundation.TypedEventHandler`2<Windows.UI.Xaml.FrameworkElement, Object>
minATL$__m
Windows.UI.Xaml.ApplicationInitializationCallback
protocol error
Translation
?EventSourceUninitialize@Details@Platform@@YAXPEAPEAX@Z
Windows.Foundation.Collections.IVectorView`1<Windows.UI.Xaml.Markup.IXamlMetadataProvider>
t$HI+
Windows.UI.Xaml.Markup.IXamlType
text file busy
\$ A;
operation_not_supported
DecodePointer
.?AV?$Array@PE$AAVString@Platform@@$00@Platform@@
BrokerPlugin.App
20180916065459Z0w0=
Microsoft Windows0
bad_address
address_not_available
?InitializeData@Details@Platform@@YAJH@Z
@VWAVH
connection_reset
t?@8xLt(
??0NotImplementedException@Platform@@QE$AAA@XZ
Ehttp://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl0Z
Chttp://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl0a
L$`H3
ProductVersion
address_family_not_supported
?__abi_WinRTraiseObjectDisposedException@@YAXXZ
.text$x
H;]PH
@A_A^_^[
R!s4Z
not_connected
,reW3OTp8PpalY39mONjm7osgkbouIjtnmimKuRrVZz0=0Z
too many links
.PE$AAVOutOfMemoryException@Platform@@
?__abi_WinRTraiseCOMException@@YAXJ@Z
@SVWAVAWH
.?AU?$IBoxArray@PE$AAVString@Platform@@@Platform@@
?__abi_WinRTraiseOutOfMemoryException@@YAXXZ
__CxxFrameHandler3
connection_refused
|$ ATAVAWH
_onexit
Windows.Foundation.Collections.IObservableVector`1<Windows.UI.Xaml.Markup.IXamlMetadataProvider>
.xdata$x
L$HH3
WindowsGetStringRawBuffer
.CRT$XIAA
GetModuleHandleW
D$,n@
cY7.u!
no_protocol_option
inappropriate io control operation
timed out
Windows
function not supported
8A^_^[
.CRT$XLZ
>http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
.giats
iSHp6
`A_A^A\_^
?Free@Heap@Details@Platform@@SAXPEAX@Z
_ismbblead
??0DisconnectedException@Platform@@QE$AAA@XZ
Windows.UI.Xaml.SuspendingEventHandler
D$0E3
??1exception@@UEAA@XZ
invalid argument
connection reset
permission denied
no such device
RtlVirtualUnwind
H;]`H
.idata$2
D$ qF
api-ms-win-core-winrt-error-l1-1-0.dll
??0Delegate@Platform@@QE$AAA@XZ
D$,PuH
x AVH
connection aborted
.CRT$XCL
0A_A^_
??3@YAXPEAX@Z
.?AVObject@Platform@@
1/0-0
SUVWH
OriginalFilename
state not recoverable
.?AU__abi_Module@@
illegal byte sequence
$`2X`F
destination_address_required
D9t$8|WH;
.tls$
.?AU__abi_IUnknown@@
)D$0H
.?AV?$WriteOnlyArray@PE$AAVString@Platform@@$00@Platform@@
.PE$AAUIPrintable@Details@Platform@@
?AllocateException@Heap@Details@Platform@@SAPEAX_K0@Z
@VWATAVAWH
.CRT$XCA
.CRT$XCAA
.xdata
?Allocate@Heap@Details@Platform@@SAPEAX_K0@Z
.PEAX
$Microsoft Ireland Operations Limited1
Windows.UI.Xaml.Controls.Frame
.gfids
Platform.?$WriteOnlyArray@PE$AAVString@Platform@@$00
Windows.UI.Core.DispatchedHandler
.PE$AAVCOMException@Platform@@
ReleaseSRWLockShared
\$ UH
Windows.UI.Xaml.Controls.UserControl
connection already in progress
190726204550Z0p1
no message
??0exception@@QEAA@AEBV0@@Z
Operating System
BrokerPlugin.__MainPageActivationFactory
.00cfg
E6T:F
N0L0J
UnhandledExceptionFilter
@SUVWH
operation in progress
_cexit
U0S0Q
t$ AVH
T$0E3
http://www.microsoft.com/windows0
@.reloc
z.9Wv
CompanyName
VS_VERSION_INFO
invalid map/set<T> iterator
_purecall
.PE$AAVDisconnectedException@Platform@@
GetCurrentThreadId
@A_A^_
_commode
api-ms-win-core-synch-l1-2-0.dll
timed_out
GetSystemTimeAsFileTime
BrokerPlugin.MainPage
__getmainargs
A_A^_^]
filename too long
?EventSourceGetTargetArrayEvent@Details@Platform@@YAPEAXPEAXIPEBXPEA_J@Z
_amsg_exit
.CRT$XCZ
?terminate@@YAXXZ
Platform.?$WriteOnlyArray@VXmlnsDefinition@Markup@Xaml@UI@Windows@@$00
9\$xu,H9
u HcA<H
h_^][
@SVWATAUAVAWH
180823202654Z
?ReleaseTarget@ControlBlock@Details@Platform@@AEAAXXZ
map/set<T> too long
message_size
Windows.Foundation.IReferenceArray`1<Windows.UI.Xaml.Markup.IXamlMetadataProvider>
Sleep
??0exception@@QEAA@AEBQEBDH@Z
too_many_files_open
WindowsCompareStringOrdinal
no_buffer_space
SetUnhandledExceptionFilter
RoFailFastWithErrorContext
.?AV?$Module@$00VInProcModule@Details@Platform@@@WRL@Microsoft@@
pA_A^A]A\_^]
.data
.PE$AAVObject@Platform@@
@A_A^A]A\_
network down
executable format error
device or resource busy
api-ms-win-core-winrt-error-l1-1-1.dll
.text
9l$ }
jcY7.
memset
value too large
`.rdata
?__abi_WinRTraiseOutOfBoundsException@@YAXXZ
unknown error
)Microsoft Root Certificate Authority 20100
Windows.UI.Xaml.Navigation.NavigationFailedEventHandler
result out of range
.PE$AAVOutOfBoundsException@Platform@@
@SVWAUAVAWH
network_unreachable
XamlTypeInfo.InfoProvider.XamlSystemBaseType
?__abi_WinRTraiseOperationCanceledException@@YAXXZ
)_% z
pA^_^
webView
Failed to load Page
ProductName

PE Information

Image Base Entry Point Reported Checksum Actual Checksum Minimum OS Version PDB Path Compile Time Import Hash
0x140000000 0x0001ad50 0x0003ad75 0x0003ad75 6.0 Microsoft.AAD.BrokerPlugin.pdb 2018-09-15 00:59:57 0e0e694e039f91b3ae24e6b1020e3eff

Version Infos

CompanyName Microsoft Corporation
FileDescription AAD token broker plugin
FileVersion 10.0.17763.1 (WinBuild.160101.0800)
InternalName Microsoft.AAD.BrokerPlugin.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename Microsoft.AAD.BrokerPlugin.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.17763.1
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x0001d61c 0x0001d800 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.97
.rdata 0x0001dc00 0x0001f000 0x000120d0 0x00012200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.43
.data 0x0002fe00 0x00032000 0x00003308 0x00002c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 3.63
.pdata 0x00032a00 0x00036000 0x000023a0 0x00002400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.28
.rsrc 0x00034e00 0x00039000 0x00000450 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 2.59
.reloc 0x00035400 0x0003a000 0x00000ab0 0x00000c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.25

Overlay

Offset 0x00036000
Size 0x00002138

Name Offset Size Language Sub-language Entropy File type
RT_VERSION 0x00039060 0x000003ec LANG_ENGLISH SUBLANG_ENGLISH_US 3.46 None

Imports

Name Address
ReleaseSRWLockExclusive 0x14001f088
DeleteCriticalSection 0x14001f090
AcquireSRWLockExclusive 0x14001f098
AcquireSRWLockShared 0x14001f0a0
ReleaseSRWLockShared 0x14001f0a8
InitializeCriticalSectionEx 0x14001f0b0
Name Address
RoOriginateError 0x14001f0f8
RoFailFastWithErrorContext 0x14001f100
SetRestrictedErrorInfo 0x14001f108
Name Address
SetUnhandledExceptionFilter 0x14001f020
UnhandledExceptionFilter 0x14001f028
Name Address
DecodePointer 0x14001f0e8
Name Address
?GetIidsFn@@YAJHPEAKPEBU__s_GUID@@PEAPEAVGuid@Platform@@@Z 0x14001f2b8
?ReCreateFromException@Details@Platform@@YAJPE$AAVException@2@@Z 0x14001f2c0
?__abi_FailFast@@YAXXZ 0x14001f2c8
?GetActivationFactoryByPCWSTR@@YAJPEAXAEAVGuid@Platform@@PEAPEAX@Z 0x14001f2d0
?UninitializeData@Details@Platform@@YAXH@Z 0x14001f2d8
?InitializeData@Details@Platform@@YAJH@Z 0x14001f2e0
?GetCmdArguments@Details@Platform@@YAPEAPEA_WPEAH@Z 0x14001f2e8
?EventSourceGetTargetArrayEvent@Details@Platform@@YAPEAXPEAXIPEBXPEA_J@Z 0x14001f2f0
?EventSourceGetTargetArraySize@Details@Platform@@YAIPEAX@Z 0x14001f2f8
?EventSourceGetTargetArray@Details@Platform@@YAPEAXPEAXPEAUEventLock@12@@Z 0x14001f300
??0ChangedStateException@Platform@@QE$AAA@XZ 0x14001f308
?EventSourceInitialize@Details@Platform@@YAXPEAPEAX@Z 0x14001f310
??0OutOfBoundsException@Platform@@QE$AAA@XZ 0x14001f318
??0FailureException@Platform@@QE$AAA@XZ 0x14001f320
??0OutOfMemoryException@Platform@@QE$AAA@XZ 0x14001f328
?EventSourceAdd@Details@Platform@@YA?AVEventRegistrationToken@Foundation@Windows@@PEAPEAXPEAUEventLock@12@PE$AAVDelegate@2@@Z 0x14001f330
?EventSourceRemove@Details@Platform@@YAXPEAPEAXPEAUEventLock@12@VEventRegistrationToken@Foundation@Windows@@@Z 0x14001f338
?EventSourceUninitialize@Details@Platform@@YAXPEAPEAX@Z 0x14001f340
?ResolveWeakReference@Details@Platform@@YAPE$AAVObject@2@AEBU_GUID@@PEAPEAU__abi_IUnknown@@@Z 0x14001f348
??0NotImplementedException@Platform@@QE$AAA@XZ 0x14001f350
?GetWeakReference@Details@Platform@@YAPEAU__abi_IUnknown@@QE$ADVObject@2@@Z 0x14001f358
??0Object@Platform@@QE$AAA@XZ 0x14001f360
??0Delegate@Platform@@QE$AAA@XZ 0x14001f368
??0DisconnectedException@Platform@@QE$AAA@XZ 0x14001f370
??0FailureException@Platform@@QE$AAA@PE$AAVString@1@@Z 0x14001f378
?AllocateException@Heap@Details@Platform@@SAPEAX_K0@Z 0x14001f380
?__abi_make_type_id@@YAPE$AAVType@Platform@@AEBU__abi_type_descriptor@@@Z 0x14001f388
??BType@Platform@@SA?AVTypeName@Interop@Xaml@UI@Windows@@PE$AAV01@@Z 0x14001f390
?__abi_cast_String_to_Object@__abi_details@@YAPE$AAVObject@Platform@@PE$AAVString@3@@Z 0x14001f398
?Allocate@Heap@Details@Platform@@SAPEAX_K0@Z 0x14001f3a0
?__abi_WinRTraiseNotImplementedException@@YAXXZ 0x14001f3a8
?__abi_WinRTraiseInvalidCastException@@YAXXZ 0x14001f3b0
?__abi_WinRTraiseNullReferenceException@@YAXXZ 0x14001f3b8
?__abi_WinRTraiseOperationCanceledException@@YAXXZ 0x14001f3c0
?__abi_WinRTraiseFailureException@@YAXXZ 0x14001f3c8
?__abi_WinRTraiseAccessDeniedException@@YAXXZ 0x14001f3d0
?__abi_WinRTraiseOutOfMemoryException@@YAXXZ 0x14001f3d8
?__abi_WinRTraiseInvalidArgumentException@@YAXXZ 0x14001f3e0
?__abi_WinRTraiseOutOfBoundsException@@YAXXZ 0x14001f3e8
?__abi_WinRTraiseChangedStateException@@YAXXZ 0x14001f3f0
?__abi_WinRTraiseClassNotRegisteredException@@YAXXZ 0x14001f3f8
?__abi_WinRTraiseWrongThreadException@@YAXXZ 0x14001f400
?__abi_WinRTraiseDisconnectedException@@YAXXZ 0x14001f408
?__abi_WinRTraiseObjectDisposedException@@YAXXZ 0x14001f410
?__abi_WinRTraiseCOMException@@YAXJ@Z 0x14001f418
?ReleaseTarget@ControlBlock@Details@Platform@@AEAAXXZ 0x14001f420
?AlignedFree@Heap@Details@Platform@@SAXPEAX@Z 0x14001f428
?Free@Heap@Details@Platform@@SAXPEAX@Z 0x14001f430
?GetIBoxArrayVtable@Details@Platform@@YAPEAXPEAX@Z 0x14001f438
Name Address
??0exception@@QEAA@AEBV0@@Z 0x14001f170
memset 0x14001f178
wcslen 0x14001f180
_CxxThrowException 0x14001f188
?terminate@@YAXXZ 0x14001f190
??1type_info@@UEAA@XZ 0x14001f198
_lock 0x14001f1a0
_unlock 0x14001f1a8
__dllonexit 0x14001f1b0
__C_specific_handler 0x14001f1b8
wcsrchr 0x14001f1c0
_amsg_exit 0x14001f1c8
__getmainargs 0x14001f1d0
__set_app_type 0x14001f1d8
exit 0x14001f1e0
_exit 0x14001f1e8
_cexit 0x14001f1f0
_ismbblead 0x14001f1f8
__setusermatherr 0x14001f200
_initterm 0x14001f208
_acmdln 0x14001f210
_fmode 0x14001f218
_commode 0x14001f220
??0exception@@QEAA@AEBQEBD@Z 0x14001f228
??1exception@@UEAA@XZ 0x14001f230
?what@exception@@UEBAPEBDXZ 0x14001f238
_purecall 0x14001f240
__CxxFrameHandler3 0x14001f248
??3@YAXPEAX@Z 0x14001f250
malloc 0x14001f258
_callnewh 0x14001f260
??0exception@@QEAA@AEBQEBDH@Z 0x14001f268
memcpy 0x14001f270
memmove 0x14001f278
_XcptFilter 0x14001f280
_onexit 0x14001f288
Name Address
RtlCaptureContext 0x14001f298
RtlVirtualUnwind 0x14001f2a0
RtlLookupFunctionEntry 0x14001f2a8
Name Address
RoReportUnhandledError 0x14001f118
Name Address
CoTaskMemFree 0x14001f000
CoCreateFreeThreadedMarshaler 0x14001f008
CoTaskMemAlloc 0x14001f010
Name Address
Sleep 0x14001f0c0
Name Address
GetStartupInfoW 0x14001f048
GetCurrentProcess 0x14001f050
TerminateProcess 0x14001f058
GetCurrentProcessId 0x14001f060
GetCurrentThreadId 0x14001f068
Name Address
GetModuleHandleW 0x14001f038
Name Address
QueryPerformanceCounter 0x14001f078
Name Address
GetTickCount 0x14001f0d0
GetSystemTimeAsFileTime 0x14001f0d8


Reports: JSON

Usage


Processing ( 0.62 seconds )

  • 0.599 CAPE
  • 0.011 BehaviorAnalysis
  • 0.007 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.06 seconds )

  • 0.008 ransomware_files
  • 0.006 antiav_detectreg
  • 0.005 antianalysis_detectfile
  • 0.005 ransomware_extensions
  • 0.003 infostealer_ftp
  • 0.003 territorial_disputes_sigs
  • 0.003 ursnif_behavior
  • 0.002 antiav_detectfile
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.001 banker_zeus_p2p
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 uac_bypass_cmstpcom
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 infostealer_bitcoin
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior

Reporting ( 0.00 seconds )

  • 0.003 CAPASummary
  • 0.001 JsonDump

Signatures

The PE file contains a PDB path
pdbpath: Microsoft.AAD.BrokerPlugin.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Windows\System32\kernel.appcore.dll
\Device\CNG
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsRuntime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\CustomAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\Diagnosis
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
Local\SM0:2272:304:WilStaging_02
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.