Analysis

Category FILE
Package exe
Started 2025-06-13 05:05:45
Completed 2025-06-13 05:36:37
Duration 1852 seconds
Options
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1
2024-11-25 13:37:15,272 [root] INFO: Date set to: 20250612T19:16:35, timeout set to: 1800
2025-06-12 20:16:35,881 [root] DEBUG: Starting analyzer from: C:\tmpjeo7jmad
2025-06-12 20:16:35,881 [root] DEBUG: Storing results at: C:\wRQhaNwUv
2025-06-12 20:16:35,881 [root] DEBUG: Pipe server name: \\.\PIPE\uCXdXx
2025-06-12 20:16:35,881 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-12 20:16:35,881 [root] INFO: analysis running as an admin
2025-06-12 20:16:35,881 [root] INFO: analysis package specified: "exe"
2025-06-12 20:16:35,881 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-12 20:16:36,287 [root] DEBUG: imported analysis package "exe"
2025-06-12 20:16:36,287 [root] DEBUG: initializing analysis package "exe"...
2025-06-12 20:16:36,287 [lib.common.common] INFO: wrapping
2025-06-12 20:16:36,287 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-12 20:16:36,287 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\manage-bde.exe
2025-06-12 20:16:36,287 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-12 20:16:36,287 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-12 20:16:36,287 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-12 20:16:36,287 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-12 20:16:36,537 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-12 20:16:36,584 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-12 20:16:36,615 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-12 20:16:36,647 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-12 20:16:36,647 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-12 20:16:36,647 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-12 20:16:36,647 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-12 20:16:36,662 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-12 20:16:36,662 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-12 20:16:36,662 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-12 20:16:36,662 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-12 20:16:36,662 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-12 20:16:36,662 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-12 20:16:36,662 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-12 20:16:36,662 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-12 20:16:36,662 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-12 20:16:36,662 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-12 20:16:36,662 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-12 20:16:36,819 [modules.auxiliary.digisig] DEBUG: File is not signed
2025-06-12 20:16:36,819 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-12 20:16:37,912 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-12 20:16:37,912 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-12 20:16:37,912 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-12 20:16:37,912 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-12 20:16:37,912 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-12 20:16:37,912 [modules.auxiliary.disguise] INFO: Disguising GUID to e3624786-bb4d-4b3d-ad96-f91b74fda1ff
2025-06-12 20:16:37,912 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-12 20:16:37,912 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-12 20:16:37,912 [root] DEBUG: attempting to configure 'Human' from data
2025-06-12 20:16:37,912 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-12 20:16:37,912 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-12 20:16:37,912 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-12 20:16:37,912 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-12 20:16:37,912 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-12 20:16:37,912 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-12 20:16:37,912 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-12 20:16:37,912 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-12 20:16:37,912 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-12 20:16:37,912 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-12 20:16:37,912 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-12 20:16:37,912 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-12 20:16:37,912 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-12 20:16:37,928 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-12 20:16:37,944 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmpjeo7jmad\dll\696.ini
2025-06-12 20:16:37,944 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-12 20:16:37,944 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-12 20:16:37,944 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-12 20:16:37,944 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-12 20:16:37,959 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-12 20:16:37,959 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-12 20:16:37,959 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpjeo7jmad\dll\KuolGmJ.dll, loader C:\tmpjeo7jmad\bin\SGtTThPa.exe
2025-06-12 20:16:38,037 [root] DEBUG: Loader: IAT patching disabled.
2025-06-12 20:16:38,053 [root] DEBUG: Loader: Injecting process 696 with C:\tmpjeo7jmad\dll\KuolGmJ.dll.
2025-06-12 20:16:38,084 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-12 20:16:38,084 [root] INFO: Disabling sleep skipping.
2025-06-12 20:16:38,084 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-12 20:16:38,084 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-12 20:16:38,084 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-12 20:16:38,084 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-12 20:16:38,084 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-12 20:16:38,084 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-12 20:16:38,116 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-12 20:16:38,116 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-12 20:16:38,116 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF824DF0000, thread 1876, image base 0x00007FF60D500000, stack from 0x0000008EFACF4000-0x0000008EFAD00000
2025-06-12 20:16:38,116 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-12 20:16:38,131 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-12 20:16:38,131 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-12 20:16:38,131 [root] DEBUG: Successfully injected DLL C:\tmpjeo7jmad\dll\KuolGmJ.dll.
2025-06-12 20:16:38,146 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-12 20:16:38,146 [root <truncated>


Machine

Name win10-2
Label win10-2
Manager KVM
Started On 2025-06-13 05:05:45
Shutdown On 2025-06-13 05:36:17
Route none

File Details

File Name
manage-bde.exe
File Type PE32+ executable (console) x86-64, for MS Windows
File Size 225280 bytes
MD5 d44d57f5aaf9d5fd64efc00c4761c304
SHA1 646b845f8c4dee99ecec859e57c238f48c747b44
SHA256 5be37eab49ceee5c5245fd7c002672b0540c8f27af74bb98e4cd109418b76150
SHA3-384 f8fde18698e3f7836acfb38d41a3f7c7ecaae868fb40648ee2a1ff4afd45040a6aa83d6fbf1a2bb80828b5eb28b67d50
CRC32 8901DA01
TLSH T133249E1673E4A0E4E4768375C9664B66FBF2B82023219BCF2260856D1F376D1BE3E711
Ssdeep 6144:Ik4FMFSAh1fUVl7GF1uqq1/mcwVs7nyatGt+SYF:5FSESfWH+S+

Full Results

Engine Result

Capacity
PA_A^A]A\_^]
_>>55u:
z>g'G<
-Help
GetSuspendCount
-aadbackup
@.data
D$hE3
X,F7cX
EnumValues
zAYjbD
DisableAutoUnlock
u9H9o
LocalAlloc
8A_A^A]A\_[
.idata$6
h VWAVH
UnlockWithPassPhrase
?what@exception@@UEBAPEBDXZ
hA_A^A]A\_^[]
.idata$4
DiscoveryVolumeType
ChangeExternalKey
.rdata$zz
ResolveDelayLoadsFromDll
GetConversionStatus
</trustInfo>
BackupRecoveryInformationToCloudDomain
fD9<hu
UnlockWithNumericalPassword
uLLL(`5
`WWWY__'
D9l$\u
zrr`*
Identity
PA^_]
no such process
PD9n,t!H
<default>
ProtectKeyWithCertificateFile
TPMAndPIN
A9~ u
|$8E3
L$ SUVWH
ResolveDelayLoadedAPI
w<gjkld7:>8B=#
.rdata$00$brc
__dllonexit
qx4`2
UWAWI
UWAUH
GIDAT
connection_aborted
identifier removed
OH9T$8u
H!t$
G QEf
NewVolumeKeyProtectorID
aes128_diffuser
{ UATAUAVAWI
D$HE3
H9n u
</description>
GetKeyProtectorPlatformValidationProfile
not supported
$JmVWW
FindValidCertificates
-Cancel
??0exception@@QEAA@AEBQEBD@Z
]]]%WWW-O
u*9Q<|%
ProtectKeyWithTPMAndPIN
not_a_socket
yoolor
D9|$4u
operation not supported
cross device link
_wsplitpath_s
.text$lp00manage-bde.exe!30_clientonly
.text$zy
H9/uWH
bad_file_descriptor
api-ms-win-core-com-l1-1-0.dll
L!l$P
PerformKeyPackage
y{y{70
g1Op\
q@SU\
'_dfz
SetIdentificationField
PA^_^
Bitlocker.ManageBDE.WMainStart
IsEnabled
D$(L+
A:TU5,
R``n
Fv0HD
DeviceID = "%s"
=~{%
FileVersion
no space on device
HeapSize
fFfFF
-resume
USVWATAVI
-TPMAndPIN
1'''L&
Bitlocker.ManageBDE.ValidateUsableTPMPresence
L9APu L9AHu
2a\dt
EnableKeyProtectors
D4M9^
J#,WrlU<
RecoveryPassword
.?AVlength_error@std@@
__C_specific_handler
iw8:z
@USVWAVAWH
SVWAVH
uv9E0u
uID9l$pu'H
p AWH
lj5h6sj5
-Synchronous
uv9E8t
.didat$7
CUhx~
2(wEP
)iZP(M
network_down
zrr`Q|
L$HE3
Bitlocker.ManageBDE.PerformActionComplete
manage-bde.pdb
<unknown>
memmove
0A_A^A]A\_^]
not a directory
GetConsoleMode
llWfN
"L@"e
m:mo7
GetKeyProtectorAdSidInformation
root\cimv2\security\microsofttpm
<L9A(
|$XA;~
no link
[W[_w
M9n(t
vnu`#*g
interrupted
fD90t
FriendlyName
_callnewh
GjrNo
##I66
[default]
9L$@v`H
bad address
GetKeyPackage
.[[[lom#
%s\%s
rCG`\n
A9~\u
PerformChangePassPhrase
__set_app_type
GetFileVersionInfoExW
3379p
UAVAWH
zrT5h
memcpy_s
LoadLibraryExA
X[[ckk
bad allocation
|!KJr5
operation not permitted
GetKeyProtectorNumericalPassword
SaveExternalKeyToFile
-changepassword
4e2MI
5:+k$
.text$mn$00
api-ms-win-core-string-l1-1-0.dll
t$ WH
type="win32"
19y6e
VWAVH
X__/\
Bitlocker.ManageBDE.WMainComplete
IjP_)
dRGUe
Y&''Q
.rsrc$01
IDATx
Win32_Volume
T$XA;V
system
HResult
CoInitializeSecurity
o\$PH
xxs77w7
$xD8x
H9G8tK3
r*.,51c
.K+u&&
=MWB"V
.Ef5<
W_}u,
-EncryptionMethod
@WATAUAWH
-CertificateThumbprint
040904B0
Microsoft Corporation
dP/&i0
LoadLibraryExW
A_A^A]A\_^[]
]Mwn6
Fi4,v
~vljjr~
DriveLetter = "x:"
aes256
.rdata$zETW2
a0AZ>
_XcptFilter
G5[cV#
TestError
ProtectKeyWithCertificateThumbprint
7ctO5`pb5_og5`pe:j{(
wrong_protocol_type
_lock
u}u=S
PerformOff
DriveLetter
KERNEL32.DLL
too many symbolic link levels
a@Kvz
not enough memory
BRBeFf
36{1/_
099I&#Q*
USVWATAUAVAWH
swprintf_s
Bitlocker.ManageBDE.PerformActionStart
name="PropSheetStress"
VerQueryValueW
LMMUUUbgiii0Y&g`#:
,GkiE
PMM-\.
wvv8|
HcA<H
NumericalPassword
-forceRecovery
D;w0r
.?AVbad_alloc@std@@
A_A^A]A\_^]
;wnstt
TestStatus
-lock
@UVWATAUAVAWH
9Fhu69D$Du09FHu+9F8u&H
NMMGwtt
-WipeFreeSpace
i4d8w
PerformOn
A_A^]
EventRegister
8S0~E
-used
l$HE3
PerformUpgrade
31wp{xx
%s\BitLocker Key Package %s.KPG
GetKeyProtectors
M9nHt
$d$IY
permission_denied
Win32_Tpm
GetExternalKeyFromFile
resource unavailable try again
toupper
_initterm
filename_too_long
CoInitializeEx
.?AVlogic_error@std@@
ury{{/W#ig 1
_CxxThrowException
SidString
ForceEncryptionType
IsNumericalPasswordValid
\root\default
SYSTEM\CurrentControlSet\Control\MiniNT
PerformUnlock
.idata$5
Z8mVWW
9yDuNH
-SetIdentifier
@A^A]_^]
.?AVout_of_range@std@@
'lrU]
A9~Xu
w3yssyy
E1Yu`
L9e(u
PrepareVolumeEx
api-ms-win-core-version-l1-1-0.dll
HeapAlloc
A_A^A\_^
-TPMAndPINAndStartupKey
resource deadlock would occur
ujL9q(udL9q u^H
l$8E3
not connected
&kkkloo
`Ofd.
protocol_not_supported
TelemetryAssertDiagTrack
`GT<7
~qgjj*z
too many files open in system
-adbackup
I\$(H
destination address required
ccct:
operation_would_block
WideCharToMultiByte
.pdata
t$(E3
Microsoft
VarFileInfo
address not available
u&L9.
7@GCS^
uJD9l$l
sttT(
r9TUUa
InitializationFlags
k+TJ[
_fmode
Microsoft Corporation. All rights reserved.
fD9?t
file exists
.data$brc
no such file or directory
.?AVexception@@
message size
XWn_W_7@Ij\R\`5+4/#
XXo[_[n
operation_in_progress
h69rh
H3E H3E
A0S)~
InternalName
.didat$2
v\%0i
9n@v)L
</requestedPrivileges>
KeyPackage
__Path
.text$yd
malloc
.?AVCAtlException@ATL@@
W,\.s
97tzH
{wm_a
BJL\]
ChangePIN
yojjoo
|$p;{
PerformChangePIN
.data$r$brc
jK{}6]
:{{{<z
Y(t?E
I=*De
@UWATH
_vsnwprintf
L9~ u
}WZo'(
HB7'a
X\\D$
PrepareVolume
-delete
D9t$L
Label
host_unreachable
]N4r]
-ADAccountOrGroup
.rsrc$02
j4X^Z
7w778
baP/^
PA_A^_^]
LcA<E3
hfgdheVah
SuspendCount
CreateFileW
_unlock
T$LE3
D$`9D$Ts@L
vUzSj
iostream
ModuleCollection
T-Jai
0.0.0.0
?"#**Y
d$8D9
connection refused
read only file system
fD98t
aea696=64
wrong protocol type
CS\Vgozzt.>7,
v[PYD
_exit
DiskPassword
.\~)s
-sync
D$dE3
]|s$Uk
-RecoveryKey
-Type
en-US
2S5VY
GetExternalKeyFileName
A9~@u
address family not supported
qKMKT`j
operation would block
;?WA~
u%L9.
OLEAUT32.dll
}XA;~
.bss$00
CoSetProxyBlanket
S'oz.
EU5\o
9D$du
stream timeout
AcquireSRWLockExclusive
!X*o-
.text$di
GetProtectionStatus
fF9du
FormatMessageW
WWW0WWW
DDD>5;
Nb$X6
J`ossh^QJ(&/Y"Ud W
XXnnaaWNXX`nxxuR
ProtectKeyWithTPMAndPINAndStartupKey
protocol not supported
VWATAVAWH
ClearAllAutoUnlockKeys
u=H9C
LegalCopyright
TPM Protection
SELECT * FROM %s WHERE %s
<!-- Copyright (c) Microsoft Corporation -->
bad message
D9uPt
D$0E9N
<<22b
A_A^A]A\_
uN9E8u
@ggivi
-unlock
10.0.17763.1 (WinBuild.160101.0800)
GetCurrentProcessId
h~F2;d48
PsHT$
SelfEncryptionDriveEncryptionMethod
KBvYxs
IsAutoUnlockKeyStored
p WAVAWH
ConvertStringSidToSidW
towupper
UsS)9;;
yF8{L
9t$`u
J+$9Jg
.rdata$zETW0
argument list too long
-ForceEncryptionType
host unreachable
-legacy_Vista
PerformSetIdentifier
RtlCaptureContext
VolumeKeyProtectorID
Hardware
ProtectKeyWithAdSid
WipingStatus
-status
Oox6_8
~vvqlCCo~
K SUVWH
CoCreateInstance
!u@E3
0FctN:
8# X_
_wsetlocale
PublicKey
UVWATAUAWH
H!u@M
Xl[%(
network_reset
ReturnValue
SWATAVAWH
InitOnceExecuteOnce
x ATAVAWH
io error
DelayLoadFailureHook
lL.m2
<7lnl
ProtectKeyWithTPM
zKHB
054]A
OOO+a
@A_A^A]A\_^]
EncryptionFlags
iostream stream error
Y[[+w
xts_aes128
L$0H3
d+vn`X,
.bss$zz
u)M9f
D$`;D$H
WriteConsoleW
NGlmm
l<@H;
operation canceled
D"!MOO3=
!L$0H
IfggI
NewProtectorID
argument out of domain
.rdata$zzzdbg
~Cjp~~
=VV:4[m:
ProtectKeyWithPassPhrase
TPMAndPin
F47F- *47888M6(
ProtectKeyWithExternalKey
-enable
PerformLock
PerformPause
bad file descriptor
-changepin
T_[M6544=L=J6
vbuuU*
ResumeConversion
-protectors
HA_A^_^[]
WAVAWH
ForceDismount
no such device or address
0m8??O"
-RemoveVolumeShadowCopies
BindingState
.CRT$XIA
.rdata
]4Ed(#
-CertificateFile
}eVXn#
??1type_info@@UEAA@XZ
UpgradeVolume
u2M9n(u,M9n u&H
lFMCC
8'_|%
_wtoi64
GetStdHandle
-e-42
l$(E3
too many files open
fff8z
A_A^_^[]
|$(E3
.rdata$00
<m*e/
BVTZV
A_A^_
K`vvn
GGGKX
connection_already_in_progress
address_in_use
.CRT$XIZ
BitLocker Drive Encryption Command Line Tool
h$$qB
EEE@;7
H&4DA
no lock available
generic
H!\$PL
k,/-S.
-ForceDismount
udD9e
<description>
D$@!\$(E3
x UAVAWH
WriteFile
[7ortt
r~uuU
<IZH)
.data$dk00$brc
PauseConversion
YYYEWWW
4MkFb
18@Z2
FileDescription
!This program cannot be run in DOS mode.
x&D9t$D
5##1+
FGkE^(
CCCLOMr
A_A^A\
\$ UVWH
1APz}
GetConsoleOutputCP
@A^_^
D$ I;
W&{u #
address in use
already connected
qln=j
L$ VWH
invalid_argument
ProtectKeyWithNumericalPassword
fggi4j
LegacyMode
|:M-A
CETW0
g&:2J
-rvsc
AJ.\vw
-pause
UWATAVAWH
F#677
ASSOCIATORS OF {Win32_Volume.DeviceID="%s"} WHERE AssocClass = Win32_MountPoint
ufjiY/
t$@E3
@USVWATAVAWH
GetModuleFileNameA
GetKeyProtectorCertificate
GetVersion
UnlockWithCertificateFile
ntdll.dll
<M@q?
timestamp
ePA;~
no stream resources
owner dead
>#.n#
\.RoTp
9::b8
nqrrB
t$8E3
network unreachable
imageName
10.0.17763.1
directory not empty
:# #
EncryptAfterHardwareTest
mrymD2B6BFGig6
ProtectKeyWithTPMAndStartupKey
-tpsk
vXTKNB4
A_A^A\_^
xMD9d$d
~jjo~
memcpy
~^6EQ
.idata$3
W^aww
-StartupKey
E9|$ ueH
!|$ E3
//////3
`t4({5
network reset
zzz;rrr
-ProtectionAsErrorLevel
R+<`f<
__wgetmainargs
ReleaseSRWLockExclusive
-path
ProtectionStatus
file too large
invalid seek
w_BjjHDE/1
wQU52
profapi.dll
.didat$5
DeviceID
not a socket
|\N"u
HeapSetInformation
t$TD;t$`
RtlLookupFunctionEntry
root\cimv2
f9H\u
L9m(u
is a directory
.CRT$XCU
YZZbee
D9t$|u
D$(E3
45)H$
api-ms-win-core-delayload-l1-1-1.dll
Pe|Dar$
dY/KiC
ExternalKey
PA_A^A\_[
QueryPerformanceCounter
no protocol option
root\cimv2\security\microsoftvolumeencryption
0)2d!lQK"d`
$KcUs
-UsedSpaceOnly
<security>
A.*,A
IsAutoUnlockEnabled
A^A\_^[]
LookupAccountNameW
ConvertSidToStringSidW
string too long
$H-QE
USAWI
\$ VH
Assert
mOYk=C
-KeyPackage
PerformResume
msvcrt.dll
t&fA9
GetKeyProtectorFriendlyName
j6#rR
StringFileInfo
-TPMAndStartupKey
oD$ f
no child process
-service
.rdata$zETW9
Software
0A_A^A]A\_
no buffer space
ole32.dll
GetCurrentProcess
mmmhj
h6QEN
<assembly
UVWAVAWH
(_^][
__setusermatherr
UATAUAVAWH
BootVolume
DisableCount
HeapFree
|$hA;~
D9l$hu
invalid string position
already_connected
@A_A^A\_^
no message available
ht-)j
assertVersion
GetTickCount
A_A^A\_]
D!L$ H
T$PE3
T$4vVI
-ForceUpgrade
GDqL(
a7A]XYae
4-j>1::
N D9n
>?666t
TsMMM-
.text$mn
broken pipe
D$XE3
not a stream
L$ SH
LocalFree
}8ZLQ
.text$zz
.CRT$XIY
LockStatus
IdentificationField
EBFDF
TerminateProcess
"0[+,M
PA\_]
LookupAccountSidW
</assembly>
RJVWW
.didat$3
=lNwOo
A_A^_^][
PerformChangeKey
teL9y(t_A
protocol error
manage-bde.exe
Translation
h<askH
9D$\u
eYA<C.
ManageBDETraceLoggingProvider
aes128
d2e:M9
DisableKeyProtectors
[none]
CompareStringEx
68LT[WS*
/>
Y[[c:
manifestVersion="1.0">
8=9a8
-cert
z177W8|
text file busy
SVWWI
T$XH9/u
operation_not_supported
0RJa<
UWAVH
CryptBinaryToStringW
!\$ 3
EventWriteTransfer
*j{hQ
fD9|$p
??_V@YAXPEAX@Z
C@BB.>O
@BLRVV`.<XMMI32;9"
\\\,]]]WVVV
}^PZm
bad_address
address_not_available
oL$0f
\.LOO
wcsncmp
EncryptionPercentage
connection_reset
EventSetInformation
9;{{{x13w
3?Xeg
Password
*l{5>>
6I.SR
\\%s\%s
ProductVersion
address_family_not_supported
GlobalCollection
api-ms-win-eventing-provider-l1-1-0
GetFileVersionInfoSizeExW
D$@E3
.text$x
%h+_XWX+.%|XXN
L9|$PuP
:;;kP
CertThumbprint
T$ E3
not_connected
ConversionStatus
too many links
D$0fD
w&''O
EncryptionMethodFlags
WVVk][[
-ClearAllKeys
.didat$4
|$@vVH
= 011
5bSZE
t2!]#L
__CxxFrameHandler3
)_ N-
<requestedPrivileges>
jt;mDID
.didat$6
wcstoul
(cjwA
A_A]A\_^]
|$ ATAVAWH
connection_refused
IsUsableTPMPresent
.xdata$x
_onexit
TelemetryAssert
EncryptionMethod
GetKeyProtectorType
NewPIN
advapi32
A^_^
ActionName
.CRT$XIAA
~~o,X*)
GetModuleHandleW
fD9<Au
xmlns="urn:schemas-microsoft-com:asm.v1"
J-?e4
WipingPercentage
hDefKey
no_protocol_option
9D$Xu
uiAccess="false"
2)TWi6
-upgrade
inappropriate io control operation
A_A^A\_^[]
timed out
Windows
function not supported
8A^_^[
NewPassPhrase
|$hE3
UPL9j
PlatformValidationProfile
ZZZEccc
IsSrkAuthCompatible
.giats
CryptStringToBinaryW
VAVAWH
.rdata$zETW1
.rsrc
GGG;edc
%1.2f
EnableAutoUnlock
D$0E3
??1exception@@UEAA@XZ
invalid argument
7H&3lK
m@A9~0u
connection reset
D9{@v\H
d(NNN
lnnR.
permission denied
UnlockWithCertificateThumbprint
no such device
RtlVirtualUnwind
Decrypt
.idata$2
|$ UH
x AVH
e@A9>
x'D9m$t
L9A(u
connection aborted
GetModuleFileNameW
E%`U^s
rhnn.
0A_A^_
??3@YAXPEAX@Z
x<a4I
OriginalFilename
WATAUAVAWH
state not recoverable
+%%%)
ml,nPh]
GetLockStatus
illegal byte sequence
count
P(0>>N
totalHits
TPMAndStartupKey
D$HD;d$@r
HHHt\\\2WWW
9pydT
GetEncryptionMethod
destination_address_required
L$PH!\$@3
~0A;w
\K(Ml
1=@jFJBh
-RecoveryPassword
J@`@:QyS
nXPX`v
u]FGG
TBmeRZ
PathWithFileName
9T$`H
processorArchitecture="amd64"
SSSLOM!H"
t*M~`
|$ E3
.CRT$XCA
.CRT$XCAA
.xdata
h4Y\\d8
j."t]
riKc$*
\$@E3
T$4E3
.gfids
UnlockWithExternalKey
X,fMef
KERNEL32.dll
\$ UH
w337790
D$PfD98t
D$XH;L$`
ADVAPI32.dll
connection already in progress
[X.8.
N'zMU%,
U?ZmC
level="asInvoker"
no message
GetFullPathNameW
??0exception@@QEAA@AEBV0@@Z
Operating System
kiXw%
1"uq
H!x M
%WINDIR%\System32\wbem\wmiutils.dll
.00cfg
|$hD9.uhI
)Q0'IF
lmmqxxXPR[
_wcsicmp
EventProviderEnabled
DeleteKeyProtector
j.5M\
IsKeyProtectorAvailable
@.didat
UnhandledExceptionFilter
DBcqq
-Certificate
GetFileType
FreeLibrary
GetModuleHandleExW
B *_G
BackupRecoveryInformationToActiveDirectory
D9AXu
4Rich
WXW7GF=NBvNKK
operation in progress
UVWATAUAVAWH
EventUnregister
-changekey
Y]]ekk
_cexit
CloseHandle
L$8E3
fD9<Cu
+3340
T$0E3
ProtectKeyWithNetworkCertificate
aes256_diffuser
@.reloc
XWXW_W_orr<ggJiB#:::F:
StdRegProv
%u.%u.%u
sqQ9T
<none>
GetHardwareTestStatus
Certificate
FcD4E85
.bss$dk00
IsOwned
WI =_===LP:
+D9AX
HA_A^A]A\_^[]
UVWAUAVH
(r@2r]
`kk+b
;y!|2
CompanyName
VS_VERSION_INFO
H9n(u
_purecall
GetLastError
GetCurrentThreadId
SWATAUAVAWH
@USVWATAUAVAWH
@A_A^_
timed_out
PerformWipeFreeSpace
_commode
GetSystemTimeAsFileTime
api-ms-win-core-synch-l1-2-0.dll
n<FJjmJ1#
3h@JI
x UATAUAVAWH
#FGGi4
`J)\.
p]brT
filename too long
D9A0u
!L$4A
_amsg_exit
i\=A9
.CRT$XCZ
GetIdentificationField
~-i6XX
H!|$
fttTz
SetConsoleMode
A_A]A\_
L9m u
p WATAUAVAWH
Win32_EncryptableVolume
?terminate@@YAXXZ
imageSize
&,X=D
u HcA<H
[W8??/
A_A^^
!|$ 3
="1*155GQfI
\$XA;^
qq]]Eg
=bdd$j
KeyProtectorType
-DiscoveryVolumeType
B+VVVX\\
/>
message_size
GetProcessHeap
Iq07Y
H!x L
SetThreadPreferredUILanguages
TPMAndPINAndStartupKey
Sleep
JUDQ
sNames
sss76
??0exception@@QEAA@AEBQEBDH@Z
-SkipHardwareTest
Encrypt
GetSecureBootBindingState
-disable
{p`O`
too_many_files_open
F1FDH
FileName
no_buffer_space
L$pE3
d$HE3
SetUnhandledExceptionFilter
2Is
sSubKeyName
ChangePassPhrase
Flags
pA_A^A]A\_^]
.data
CertType
[[[=XXX
UnlockWithAdSid
CRYPT32.dll
Mi4Z<
network down
888m[[[$
executable format error
PassPhrase
BitLocker Drive Encryption: Configuration Tool
C}:!0
PrecisionFactor
device or resource busy
-ComputerName
<requestedExecutionLevel
A_A^A]A\]
D$ E3
.text
O3{h:
IsActivated
-SaveExternalKey
@SUVWAVAWH
u]j5O{W6
Version
</security>
BL1#y
P-oc&s
memset
xts_aes256
value too large
`.rdata
L9~(u
-Password
oT$@f
D$xA;F
#0L2a^
P1r.m$
unknown error
FAT32
-autounlock
result out of range
r6?@0
.rdata$brc
t$Hff
api-ms-win-core-libraryloader-l1-1-0.dll
version="1.0.0.0"
wg^@3
|hkc"
network_unreachable
<trustInfo
<assemblyIdentity
xmlns="urn:schemas-microsoft-com:asm.v3">
s UATAUAVAWI
TPMAndPinAndStartupKey
|$ UATAUAVAWH
GetProcAddress
RVV/^B
(tX+a
L9e u
#(-~g
9D$`u
u!M9f
xDJk!
ProductName
-RebootCount
EncMethod
T-BGFGNQ
ReadConsoleW

PE Information

Image Base 0x140000000
Entry Point 0x0000adf0
Reported Checksum 0x0004519f
Actual Checksum 0x0004519f
Minimum OS Version 10.0
PDB Path manage-bde.pdb
Compile Time 2089-05-16 04:05:56
Import Hash 6262338345a797a40b7dbae29bdffe06
Icon Exact Hash 131c686777afe2ef5231f53a346c5f24
Icon Similarity Hash cd1fba63b85b0c96676efc5a3b78acfc
Icon DHash e0a8eed8d0a22464

Version Infos

CompanyName Microsoft Corporation
FileDescription BitLocker Drive Encryption: Configuration Tool
FileVersion 10.0.17763.1 (WinBuild.160101.0800)
InternalName manage-bde.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename manage-bde.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.17763.1
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x0001725b 0x00017400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.28
.rdata 0x00017800 0x00019000 0x00007928 0x00007a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.55
.data 0x0001f200 0x00021000 0x000008ac 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.84
.pdata 0x0001f400 0x00022000 0x00001350 0x00001400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.02
.didat 0x00020800 0x00024000 0x00000018 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.16
.rsrc 0x00020a00 0x00025000 0x00016100 0x00016200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.12
.reloc 0x00036c00 0x0003c000 0x000002d0 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 4.50

Name Offset Size Language Sub-language Entropy File type
MUI 0x0003b030 0x000000d0 LANG_ENGLISH SUBLANG_ENGLISH_US 2.70 None
RT_ICON 0x00025a78 0x00000668 LANG_ENGLISH SUBLANG_ENGLISH_US 3.24 None
RT_ICON 0x000260e0 0x000002e8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.40 None
RT_ICON 0x000263c8 0x000001e8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.49 None
RT_ICON 0x000265b0 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US 3.32 None
RT_ICON 0x000266d8 0x00000ea8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.69 None
RT_ICON 0x00027580 0x000008a8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.66 None
RT_ICON 0x00027e28 0x000006c8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.22 None
RT_ICON 0x000284f0 0x00000568 LANG_ENGLISH SUBLANG_ENGLISH_US 2.93 None
RT_ICON 0x00028a58 0x0000e0d4 LANG_ENGLISH SUBLANG_ENGLISH_US 7.99 None
RT_ICON 0x00036b30 0x000025a8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.41 None
RT_ICON 0x000390d8 0x000010a8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.59 None
RT_ICON 0x0003a180 0x00000988 LANG_ENGLISH SUBLANG_ENGLISH_US 4.67 None
RT_ICON 0x0003ab08 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 4.87 None
RT_GROUP_ICON 0x0003af70 0x000000bc LANG_ENGLISH SUBLANG_ENGLISH_US 3.07 None
RT_VERSION 0x00025698 0x000003dc LANG_ENGLISH SUBLANG_ENGLISH_US 3.46 None
RT_MANIFEST 0x000253c0 0x000002d7 LANG_ENGLISH SUBLANG_ENGLISH_US 4.46 None

Imports

Name Address
EventRegister 0x14001a180
EventWriteTransfer 0x14001a188
EventUnregister 0x14001a190
ConvertStringSidToSidW 0x14001a198
LookupAccountNameW 0x14001a1a0
ConvertSidToStringSidW 0x14001a1a8
LookupAccountSidW 0x14001a1b0
EventProviderEnabled 0x14001a1b8
Name Address
GetModuleHandleExW 0x14001a1c8
HeapSetInformation 0x14001a1d0
GetLastError 0x14001a1d8
GetProcessHeap 0x14001a1e0
SetThreadPreferredUILanguages 0x14001a1e8
HeapFree 0x14001a1f0
FormatMessageW 0x14001a1f8
LoadLibraryExW 0x14001a200
LocalFree 0x14001a208
GetStdHandle 0x14001a210
GetFileType 0x14001a218
GetConsoleMode 0x14001a220
WriteConsoleW 0x14001a228
GetConsoleOutputCP 0x14001a230
WideCharToMultiByte 0x14001a238
HeapAlloc 0x14001a240
WriteFile 0x14001a248
SetConsoleMode 0x14001a250
ReadConsoleW 0x14001a258
HeapSize 0x14001a260
GetFullPathNameW 0x14001a268
CreateFileW 0x14001a270
CloseHandle 0x14001a278
LocalAlloc 0x14001a280
FreeLibrary 0x14001a288
LoadLibraryExA 0x14001a290
AcquireSRWLockExclusive 0x14001a298
ReleaseSRWLockExclusive 0x14001a2a0
Sleep 0x14001a2a8
UnhandledExceptionFilter 0x14001a2b0
DelayLoadFailureHook 0x14001a2b8
SetUnhandledExceptionFilter 0x14001a2c0
GetCurrentProcess 0x14001a2c8
TerminateProcess 0x14001a2d0
GetModuleHandleW 0x14001a2d8
QueryPerformanceCounter 0x14001a2e0
GetCurrentProcessId 0x14001a2e8
GetCurrentThreadId 0x14001a2f0
GetSystemTimeAsFileTime 0x14001a2f8
GetProcAddress 0x14001a300
GetModuleFileNameA 0x14001a308
GetTickCount 0x14001a310
Name Address
__set_app_type 0x14001a3e8
__wgetmainargs 0x14001a3f0
_amsg_exit 0x14001a3f8
_XcptFilter 0x14001a400
memmove 0x14001a408
memcpy 0x14001a410
_CxxThrowException 0x14001a418
?what@exception@@UEBAPEBDXZ 0x14001a420
??1exception@@UEAA@XZ 0x14001a428
??0exception@@QEAA@AEBV0@@Z 0x14001a430
??0exception@@QEAA@AEBQEBDH@Z 0x14001a438
??0exception@@QEAA@AEBQEBD@Z 0x14001a440
_commode 0x14001a448
_callnewh 0x14001a450
malloc 0x14001a458
exit 0x14001a460
_wcsicmp 0x14001a468
??_V@YAXPEAX@Z 0x14001a470
memcpy_s 0x14001a478
swprintf_s 0x14001a480
_vsnwprintf 0x14001a488
_wsplitpath_s 0x14001a490
towupper 0x14001a498
wcsncmp 0x14001a4a0
wcstoul 0x14001a4a8
_exit 0x14001a4b0
_cexit 0x14001a4b8
__setusermatherr 0x14001a4c0
__C_specific_handler 0x14001a4c8
free 0x14001a4d0
toupper 0x14001a4d8
_onexit 0x14001a4e0
_wsetlocale 0x14001a4e8
__dllonexit 0x14001a4f0
_unlock 0x14001a4f8
__CxxFrameHandler3 0x14001a500
_lock 0x14001a508
??3@YAXPEAX@Z 0x14001a510
_wtoi64 0x14001a518
_fmode 0x14001a520
_purecall 0x14001a528
??1type_info@@UEAA@XZ 0x14001a530
?terminate@@YAXXZ 0x14001a538
_initterm 0x14001a540
memset 0x14001a548
Name Address
RtlCaptureContext 0x14001a558
RtlLookupFunctionEntry 0x14001a560
RtlVirtualUnwind 0x14001a568
Name Address
VariantInit 0x14001a320
SafeArrayAccessData 0x14001a328
SafeArrayCreate 0x14001a330
SafeArrayUnaccessData 0x14001a338
SysFreeString 0x14001a340
SysStringLen 0x14001a348
VariantCopy 0x14001a350
SysStringByteLen 0x14001a358
SysAllocString 0x14001a360
VariantClear 0x14001a368
SysAllocStringLen 0x14001a370
Name Address
CoInitializeSecurity 0x14001a578
CoInitializeEx 0x14001a580
Name Address
Name Address
CompareStringEx 0x14001a3a8
Name Address
CoSetProxyBlanket 0x14001a380
CoCreateInstance 0x14001a388
Name Address
VerQueryValueW 0x14001a3c8
GetFileVersionInfoExW 0x14001a3d0
GetFileVersionInfoSizeExW 0x14001a3d8
Name Address
InitOnceExecuteOnce 0x14001a3b8
Name Address
GetModuleFileNameW 0x14001a398



Usage


Processing ( 11.67 seconds )

  • 11.097 ProcessMemory
  • 0.556 CAPE
  • 0.009 BehaviorAnalysis
  • 0.007 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.05 seconds )

  • 0.008 ransomware_files
  • 0.005 antianalysis_detectfile
  • 0.005 antiav_detectreg
  • 0.005 ransomware_extensions
  • 0.003 antiav_detectfile
  • 0.003 ursnif_behavior
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_ftp
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.002 territorial_disputes_sigs
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior

Reporting ( 0.01 seconds )

  • 0.004 CAPASummary
  • 0.001 JsonDump

Signatures

The PE file contains a PDB path
pdbpath: manage-bde.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
The binary contains an unknown PE section name indicative of packing
unknown section: {'name': '.didat', 'raw_address': '0x00020800', 'virtual_address': '0x00024000', 'virtual_size': '0x00000018', 'size_of_data': '0x00000200', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000040', 'entropy': '0.16'}
The binary likely contains encrypted or compressed data
section: {'name': '.rsrc', 'raw_address': '0x00020a00', 'virtual_address': '0x00025000', 'virtual_size': '0x00016100', 'size_of_data': '0x00016200', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x40000040', 'entropy': '7.12'}
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 5148 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 59 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections
Binary compilation timestomping detected
anomaly: Compilation timestamp is in the future

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Users\Packager\AppData\Local\Temp\manage-bde.exe
C:\Windows\System32\en-US\KERNELBASE.dll.mui
C:\Users\Packager\AppData\Local\Temp\netmsg.dll
C:\Windows\System32\netmsg.dll
C:\Windows\System32\en-US\netmsg.dll.mui
C:\Windows\System32\en\netmsg.dll.mui
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StateSeparation\RedirectionMap\Keys
HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\OverlayPackages\en-US
HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\OverlayPackages\en
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.