Analysis

Category FILE
Package exe
Started 2025-06-13 08:42:40
Completed 2025-06-13 09:13:22
Duration 1842 seconds

Options
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1

Analysis Log
2024-11-25 13:37:14,990 [root] INFO: Date set to: 20250612T19:23:21, timeout set to: 1800
2025-06-12 20:23:21,526 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8
2025-06-12 20:23:21,526 [root] DEBUG: Storing results at: C:\qDdlkFnGz
2025-06-12 20:23:21,526 [root] DEBUG: Pipe server name: \\.\PIPE\wXevDSJXBA
2025-06-12 20:23:21,526 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-12 20:23:21,526 [root] INFO: analysis running as an admin
2025-06-12 20:23:21,526 [root] INFO: analysis package specified: "exe"
2025-06-12 20:23:21,526 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-12 20:23:22,136 [root] DEBUG: imported analysis package "exe"
2025-06-12 20:23:22,136 [root] DEBUG: initializing analysis package "exe"...
2025-06-12 20:23:22,136 [lib.common.common] INFO: wrapping
2025-06-12 20:23:22,136 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-12 20:23:22,151 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\IMEPADSV.EXE
2025-06-12 20:23:22,151 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-12 20:23:22,151 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-12 20:23:22,151 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-12 20:23:22,151 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-12 20:23:22,510 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-12 20:23:22,557 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-12 20:23:22,589 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-12 20:23:22,604 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-12 20:23:22,620 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-12 20:23:22,620 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-12 20:23:22,620 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-12 20:23:22,620 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-12 20:23:22,620 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-12 20:23:22,620 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-12 20:23:22,636 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-12 20:23:22,636 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-12 20:23:22,636 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-12 20:23:22,636 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-12 20:23:22,636 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-12 20:23:22,636 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-12 20:23:22,636 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-12 20:23:22,636 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-12 20:23:22,776 [modules.auxiliary.digisig] DEBUG: File is not signed
2025-06-12 20:23:22,776 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-12 20:23:22,776 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-12 20:23:22,776 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-12 20:23:22,776 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-12 20:23:22,776 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-12 20:23:22,776 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-12 20:23:22,776 [modules.auxiliary.disguise] INFO: Disguising GUID to eebf7374-c733-4252-9a71-d3c91b91d619
2025-06-12 20:23:22,776 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-12 20:23:22,776 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-12 20:23:22,776 [root] DEBUG: attempting to configure 'Human' from data
2025-06-12 20:23:22,776 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-12 20:23:22,776 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-12 20:23:22,776 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-12 20:23:22,776 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-12 20:23:22,776 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-12 20:23:22,776 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-12 20:23:22,776 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-12 20:23:22,776 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-12 20:23:22,776 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-12 20:23:22,776 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-12 20:23:22,776 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-12 20:23:22,776 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-12 20:23:22,776 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-12 20:23:22,776 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-12 20:23:22,823 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini
2025-06-12 20:23:22,823 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-12 20:23:22,823 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-12 20:23:22,823 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-12 20:23:22,823 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-12 20:23:22,823 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-12 20:23:22,823 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-12 20:23:22,839 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\EeGlvdpK.dll, loader C:\tmp_gell1p8\bin\PoaYJsgW.exe
2025-06-12 20:23:22,901 [root] DEBUG: Loader: IAT patching disabled.
2025-06-12 20:23:22,901 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\EeGlvdpK.dll.
2025-06-12 20:23:22,917 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-12 20:23:22,917 [root] INFO: Disabling sleep skipping.
2025-06-12 20:23:22,917 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-12 20:23:22,917 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-12 20:23:22,917 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-12 20:23:22,917 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-12 20:23:22,917 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-12 20:23:22,932 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-12 20:23:22,948 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-12 20:23:22,948 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-12 20:23:22,948 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 872, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000
2025-06-12 20:23:22,948 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-12 20:23:22,963 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-12 20:23:22,963 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-12 20:23:22,963 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\EeGlvdpK.dll.
2025-06-12 20:23:22,963 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-12 20:23:22,963 [ <truncated>

Machine

Name win10-2
Label win10-2
Manager KVM
Started On 2025-06-13 08:42:40
Shutdown On 2025-06-13 09:13:05
Route none

File Details

File Name
IMEPADSV.EXE
File Type PE32 executable (GUI) Intel 80386, for MS Windows
File Size 297984 bytes
MD5 a07d9f4bb94099917ae0051c3c1b4b56
SHA1 9c527eda7f873272cf68f1d0229a2cd7055322ce
SHA256 70482716fd2273aa00f2f5428945a47c4aa6f3a1f5fc4355bb241b165f6a98f3
SHA3-384 62d1b921c7f74da627313967e4e57dffc3729d9ee095853489986b9f9f14ce5397b1d2a46a69003b29852cf2a7ce3463
CRC32 948D9CD9
TLSH T1A55429922AB04471D47E10B7CD1EA5EC2F796C5197F238863E90FB9B29E05B0F92D346
Ssdeep 6144:P5wz3arm74fx1h5GmwldmL1MSZIbbUz13:xwz3ay74fz3hwldOiDK

PE Information

Image Base 0x00400000
Entry Point 0x0001eb40
Reported Checksum 0x0004b22b
Actual Checksum 0x0004b22b
Minimum OS Version 10.0
PDB Path imepadsv.pdb
Compile Time 2080-06-05 14:42:00
Import Hash dbd22bb5c8e43b5cf495bcd15e726c8b
Icon Exact Hash 5d9deb121d7cc98fc8131b2829664e3a
Icon Similarity Hash 1b2ff3f4b621e6ae2a889488102a809c
Icon DHash c8cadcf8dac6def8
Exported DLL Name imepadsv.exe

Version Infos

CompanyName Microsoft Corporation
FileDescription Microsoft IME
FileVersion 10.0.17763.1 (WinBuild.160101.0800)
InternalName Microsoft IME
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename Microsoft IME
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.17763.1
Translation 0x0000 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x0001fa14 0x0001fc00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.45
.data 0x00020000 0x00021000 0x00002f40 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 3.72
.idata 0x00020600 0x00024000 0x00002476 0x00002600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.33
.rsrc 0x00022c00 0x00027000 0x000241a8 0x00024200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.10
.reloc 0x00046e00 0x0004c000 0x00001da4 0x00001e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 6.74

Name Offset Size Language Sub-language Entropy File type
RT_BITMAP 0x00038610 0x00011d68 LANG_NEUTRAL SUBLANG_NEUTRAL 1.43 None
RT_ICON 0x000284b0 0x000002e8 LANG_NEUTRAL SUBLANG_NEUTRAL 0.94 None
RT_ICON 0x00028798 0x00000128 LANG_NEUTRAL SUBLANG_NEUTRAL 1.26 None
RT_ICON 0x000288c0 0x000000e8 LANG_NEUTRAL SUBLANG_NEUTRAL 1.20 None
RT_ICON 0x000289d8 0x000002e8 LANG_NEUTRAL SUBLANG_NEUTRAL 1.65 None
RT_ICON 0x00028cc0 0x00000128 LANG_NEUTRAL SUBLANG_NEUTRAL 1.91 None
RT_ICON 0x00028e10 0x000002e8 LANG_NEUTRAL SUBLANG_NEUTRAL 4.25 None
RT_ICON 0x000290f8 0x00000128 LANG_NEUTRAL SUBLANG_NEUTRAL 3.46 None
RT_ICON 0x00029220 0x00000ea8 LANG_NEUTRAL SUBLANG_NEUTRAL 6.34 None
RT_ICON 0x0002a0c8 0x00000ba8 LANG_NEUTRAL SUBLANG_NEUTRAL 5.99 None
RT_ICON 0x0002ac70 0x000008a8 LANG_NEUTRAL SUBLANG_NEUTRAL 6.67 None
RT_ICON 0x0002b518 0x000006c8 LANG_NEUTRAL SUBLANG_NEUTRAL 6.60 None
RT_ICON 0x0002bbe0 0x00000608 LANG_NEUTRAL SUBLANG_NEUTRAL 6.38 None
RT_ICON 0x0002c1e8 0x00000568 LANG_NEUTRAL SUBLANG_NEUTRAL 4.47 None
RT_ICON 0x0002c750 0x000025a8 LANG_NEUTRAL SUBLANG_NEUTRAL 5.41 None
RT_ICON 0x0002ecf8 0x00001a68 LANG_NEUTRAL SUBLANG_NEUTRAL 6.00 None
RT_ICON 0x00030760 0x000010a8 LANG_NEUTRAL SUBLANG_NEUTRAL 5.85 None
RT_ICON 0x00031808 0x00000988 LANG_NEUTRAL SUBLANG_NEUTRAL 6.03 None
RT_ICON 0x00032190 0x000006b8 LANG_NEUTRAL SUBLANG_NEUTRAL 6.70 None
RT_ICON 0x00032848 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 5.47 None
RT_ICON 0x00032d80 0x00000690 LANG_NEUTRAL SUBLANG_NEUTRAL 3.70 None
RT_ICON 0x00033410 0x00000568 LANG_NEUTRAL SUBLANG_NEUTRAL 4.79 None
RT_ICON 0x00033978 0x00000810 LANG_NEUTRAL SUBLANG_NEUTRAL 3.53 None
RT_ICON 0x00034188 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 5.72 None
RT_ICON 0x00034630 0x000006c8 LANG_NEUTRAL SUBLANG_NEUTRAL 3.71 None
RT_ICON 0x00034cf8 0x00000608 LANG_NEUTRAL SUBLANG_NEUTRAL 3.71 None
RT_ICON 0x00035300 0x00000568 LANG_NEUTRAL SUBLANG_NEUTRAL 3.11 None
RT_ICON 0x00035868 0x00000988 LANG_NEUTRAL SUBLANG_NEUTRAL 3.14 None
RT_ICON 0x000361f0 0x000006b8 LANG_NEUTRAL SUBLANG_NEUTRAL 5.30 None
RT_ICON 0x000368a8 0x00000468 LANG_NEUTRAL SUBLANG_NEUTRAL 3.20 None
RT_ICON 0x00036d70 0x00000128 LANG_NEUTRAL SUBLANG_NEUTRAL 1.41 None
RT_ICON 0x00036e98 0x000002e8 LANG_NEUTRAL SUBLANG_NEUTRAL 1.40 None
RT_ICON 0x00037180 0x000001e8 LANG_NEUTRAL SUBLANG_NEUTRAL 1.30 None
RT_ICON 0x00037398 0x00000128 LANG_NEUTRAL SUBLANG_NEUTRAL 1.41 None
RT_ICON 0x000374c0 0x000002e8 LANG_NEUTRAL SUBLANG_NEUTRAL 1.41 None
RT_ICON 0x000377a8 0x000001e8 LANG_NEUTRAL SUBLANG_NEUTRAL 1.30 None
RT_ICON 0x000379c0 0x00000128 LANG_NEUTRAL SUBLANG_NEUTRAL 1.52 None
RT_ICON 0x00037ae8 0x000002e8 LANG_NEUTRAL SUBLANG_NEUTRAL 1.58 None
RT_ICON 0x00037dd0 0x000001e8 LANG_NEUTRAL SUBLANG_NEUTRAL 1.34 None
RT_ICON 0x00037fe8 0x00000128 LANG_NEUTRAL SUBLANG_NEUTRAL 1.52 None
RT_ICON 0x00038110 0x000002e8 LANG_NEUTRAL SUBLANG_NEUTRAL 1.58 None
RT_ICON 0x000383f8 0x000001e8 LANG_NEUTRAL SUBLANG_NEUTRAL 1.34 None
RT_MENU 0x0004a998 0x00000038 LANG_NEUTRAL SUBLANG_NEUTRAL 2.77 None
RT_DIALOG 0x00028460 0x00000050 LANG_NEUTRAL SUBLANG_NEUTRAL 2.48 None
RT_DIALOG 0x0004a378 0x0000033c LANG_NEUTRAL SUBLANG_NEUTRAL 3.46 None
RT_DIALOG 0x0004a6b8 0x000002ae LANG_NEUTRAL SUBLANG_NEUTRAL 3.56 None
RT_DIALOG 0x0004a968 0x0000002c LANG_NEUTRAL SUBLANG_NEUTRAL 2.07 None
RT_STRING 0x0004a9d0 0x00000124 LANG_NEUTRAL SUBLANG_NEUTRAL 3.40 None
RT_STRING 0x0004aaf8 0x00000108 LANG_NEUTRAL SUBLANG_NEUTRAL 3.46 None
RT_STRING 0x0004ac98 0x000000a6 LANG_NEUTRAL SUBLANG_NEUTRAL 3.39 None
RT_STRING 0x0004ad40 0x000000d2 LANG_NEUTRAL SUBLANG_NEUTRAL 3.44 None
RT_STRING 0x0004ae18 0x00000108 LANG_NEUTRAL SUBLANG_NEUTRAL 3.40 None
RT_STRING 0x0004af20 0x00000288 LANG_NEUTRAL SUBLANG_NEUTRAL 3.28 None
RT_STRING 0x0004ac00 0x00000094 LANG_NEUTRAL SUBLANG_NEUTRAL 2.40 None
RT_GROUP_ICON 0x00032cb0 0x000000ca LANG_NEUTRAL SUBLANG_NEUTRAL 3.17 None
RT_GROUP_ICON 0x000289a8 0x00000030 LANG_NEUTRAL SUBLANG_NEUTRAL 2.51 None
RT_GROUP_ICON 0x00028de8 0x00000022 LANG_NEUTRAL SUBLANG_NEUTRAL 2.48 None
RT_GROUP_ICON 0x000345f0 0x0000003e LANG_NEUTRAL SUBLANG_NEUTRAL 2.64 None
RT_GROUP_ICON 0x00036d10 0x0000005a LANG_NEUTRAL SUBLANG_NEUTRAL 2.89 None
RT_GROUP_ICON 0x00037368 0x00000030 LANG_NEUTRAL SUBLANG_NEUTRAL 2.69 None
RT_GROUP_ICON 0x00037990 0x00000030 LANG_NEUTRAL SUBLANG_NEUTRAL 2.75 None
RT_GROUP_ICON 0x00037fb8 0x00000030 LANG_NEUTRAL SUBLANG_NEUTRAL 2.75 None
RT_GROUP_ICON 0x000385e0 0x00000030 LANG_NEUTRAL SUBLANG_NEUTRAL 2.71 None
RT_VERSION 0x00027d00 0x00000390 LANG_ENGLISH SUBLANG_ENGLISH_US 3.41 None
RT_MANIFEST 0x00028090 0x000003d0 LANG_NEUTRAL SUBLANG_NEUTRAL 4.94 None

Imports

Name Address
GlobalUnlock 0x424094
GlobalAlloc 0x424098
GlobalLock 0x42409c
SetErrorMode 0x4240a0
CreateMutexW 0x4240a4
CreateSemaphoreExW 0x4240a8
CreateMutexExW 0x4240ac
GetCurrentProcessId 0x4240b0
LoadLibraryW 0x4240b4
LeaveCriticalSection 0x4240b8
InitializeCriticalSection 0x4240bc
OpenSemaphoreW 0x4240c0
GlobalHandle 0x4240c4
DeleteCriticalSection 0x4240c8
EnterCriticalSection 0x4240cc
WaitForSingleObjectEx 0x4240d0
ReleaseMutex 0x4240d4
ReleaseSemaphore 0x4240d8
CloseHandle 0x4240dc
SetLastError 0x4240e0
OutputDebugStringW 0x4240e4
IsDebuggerPresent 0x4240e8
GetLastError 0x4240ec
GetProcAddress 0x4240f0
DebugBreak 0x4240f4
GetModuleFileNameA 0x4240f8
WaitForSingleObject 0x4240fc
GetModuleHandleExW 0x424100
HeapAlloc 0x424104
GetProcessHeap 0x424108
HeapFree 0x42410c
GetCurrentThreadId 0x424110
FormatMessageW 0x424114
GlobalFree 0x424118
GetModuleHandleW 0x42411c
Name Address
UnhookWindowsHookEx 0x424124
CheckRadioButton 0x424128
GetDlgCtrlID 0x42412c
EndDialog 0x424130
GetAsyncKeyState 0x424134
GetIconInfo 0x424138
DrawFrameControl 0x42413c
GetKeyState 0x424140
GetWindowPlacement 0x424144
CreateDialogParamW 0x424148
GetDlgItem 0x42414c
GetSysColorBrush 0x424150
DestroyMenu 0x424154
TrackPopupMenuEx 0x424158
InsertMenuItemW 0x42415c
CreatePopupMenu 0x424160
DrawTextW 0x424164
DrawTextExW 0x424168
GetDC 0x42416c
GetCapture 0x424170
EndPaint 0x424174
DrawIconEx 0x424178
DrawEdge 0x42417c
GetSysColor 0x424180
BeginPaint 0x424184
InvalidateRect 0x424188
SetCapture 0x42418c
GetDoubleClickTime 0x424190
SetCursor 0x424194
ReleaseCapture 0x424198
AttachThreadInput 0x42419c
DestroyIcon 0x4241a0
FillRect 0x4241a4
MapWindowPoints 0x4241a8
UpdateWindow 0x4241ac
DialogBoxIndirectParamW 0x4241b0
LoadMenuIndirectW 0x4241b4
AdjustWindowRectEx 0x4241b8
LoadCursorW 0x4241bc
LoadImageW 0x4241c0
MessageBoxW 0x4241c4
GetSubMenu 0x4241c8
GetWindowTextLengthW 0x4241cc
DrawCaption 0x4241d0
GetMenuItemCount 0x4241d4
MonitorFromPoint 0x4241d8
FrameRect 0x4241dc
GetUserObjectInformationW 0x4241e0
GetThreadDesktop 0x4241e4
GetClassLongW 0x4241e8
WinHelpW 0x4241ec
SetProcessDPIAware 0x4241f0
GetClassNameW 0x4241f4
GetForegroundWindow 0x4241f8
GetWindowThreadProcessId 0x4241fc
PostQuitMessage 0x424200
CreateWindowExW 0x424204
KillTimer 0x424208
GetActiveWindow 0x42420c
SetTimer 0x424210
IsWindow 0x424214
DestroyWindow 0x424218
DispatchMessageW 0x42421c
TranslateMessage 0x424220
GetMessageW 0x424224
SetThreadDpiAwarenessContext 0x424228
GetFocus 0x42422c
ReleaseDC 0x424230
Name Address
memcmp 0x424410
__CxxFrameHandler3 0x424414
??3@YAXPAX@Z 0x424418
_except_handler4_common 0x42441c
_controlfp 0x424420
_onexit 0x424424
__dllonexit 0x424428
??1type_info@@UAE@XZ 0x42442c
?terminate@@YAXXZ 0x424430
_wcmdln 0x424434
_initterm 0x424438
__setusermatherr 0x42443c
__p__fmode 0x424440
_cexit 0x424444
_exit 0x424448
exit 0x42444c
__set_app_type 0x424450
__wgetmainargs 0x424454
_amsg_exit 0x424458
__p__commode 0x42445c
_XcptFilter 0x424460
_unlock 0x424464
_lock 0x424468
memmove 0x42446c
memcpy 0x424470
_CxxThrowException 0x424474
?what@exception@@UBEPBDXZ 0x424478
??0exception@@QAE@ABQBDH@Z 0x42447c
??0exception@@QAE@ABQBD@Z 0x424480
_callnewh 0x424484
malloc 0x424488
??0exception@@QAE@ABV0@@Z 0x42448c
_vsnprintf_s 0x424490
memcpy_s 0x424494
_vsnwprintf 0x424498
??1exception@@UAE@XZ 0x42449c
??0exception@@QAE@XZ 0x4244a0
_wcsicmp 0x4244a4
wcstok_s 0x4244a8
wcsncpy_s 0x4244ac
_purecall 0x4244b0
_vsnwprintf_s 0x4244b4
free 0x4244b8
signal 0x4244bc
wcstol 0x4244c0
wcsncat_s 0x4244c4
??_V@YAXPAX@Z 0x4244c8
wcsnlen 0x4244cc
memmove_s 0x4244d0
memset 0x4244d4
Name Address
CoInitialize 0x4244e4
CoUninitialize 0x4244e8
CoTaskMemFree 0x4244ec
CoTaskMemAlloc 0x4244f0
Name Address
InitOnceComplete 0x424308
WakeAllConditionVariable 0x42430c
SleepConditionVariableSRW 0x424310
Sleep 0x424314
InitOnceBeginInitialize 0x424318
Name Address
GetSystemDefaultLangID 0x424274
Name Address
OpenProcessToken 0x42428c
TerminateProcess 0x424290
GetCurrentProcess 0x424294
TlsFree 0x424298
TlsGetValue 0x42429c
TlsAlloc 0x4242a0
GetStartupInfoW 0x4242a4
Name Address
UnhandledExceptionFilter 0x424244
SetUnhandledExceptionFilter 0x424248
Name Address
QueryPerformanceCounter 0x4242ac
Name Address
GetTickCount 0x424320
GetSystemTimeAsFileTime 0x424324
GetVersionExW 0x424328
Name Address
MsgStringCreateShared 0x424000
MsgRelease 0x424004
CoreUICreate 0x424008
Name Address
CoreUIClientCreate 0x424010
CoreUIFactoryCreate 0x424014
Name Address
GetClassInfoExW 0x424390
SetWindowLongW 0x424394
SetWindowPos 0x424398
GetWindowRect 0x42439c
SetWindowTextW 0x4243a0
GetClientRect 0x4243a4
GetWindowTextW 0x4243a8
GetCursorPos 0x4243ac
SetFocus 0x4243b0
ChildWindowFromPointEx 0x4243b4
ShowWindow 0x4243b8
IsWindowVisible 0x4243bc
GetWindowLongW 0x4243c0
IsWindowEnabled 0x4243c4
GetParent 0x4243c8
GetWindow 0x4243cc
RegisterClassExW 0x4243d0
PostMessageW 0x4243d4
SendMessageW 0x4243d8
DefWindowProcW 0x4243dc
ScreenToClient 0x4243e0
SetForegroundWindow 0x4243e4
EnableWindow 0x4243e8
EndDeferWindowPos 0x4243ec
DeferWindowPos 0x4243f0
BeginDeferWindowPos 0x4243f4
Name Address
GetSystemMetrics 0x424380
GetMonitorInfoW 0x424384
SystemParametersInfoW 0x424388
Name Address
CompareStringW 0x4242d4
Name Address
PtInRect 0x42436c
OffsetRect 0x424370
SetRectEmpty 0x424374
SetRect 0x424378
Name Address
GetModuleFileNameW 0x424250
FindResourceExW 0x424254
LoadResource 0x424258
LockResource 0x42425c
FreeLibrary 0x424260
LoadStringW 0x424264
Name Address
FindResourceW 0x42426c
Name Address
RegOpenKeyExW 0x4242b4
RegEnumKeyExW 0x4242b8
RegCloseKey 0x4242bc
RegDeleteTreeW 0x4242c0
RegSetValueExW 0x4242c4
RegCreateKeyExW 0x4242c8
RegQueryValueExW 0x4242cc
Name Address
IIDFromString 0x424238
StringFromGUID2 0x42423c
Name Address
CharPrevW 0x4242dc
Name Address
GetUserDefaultUILanguage 0x42427c
Name Address
lstrcmpiW 0x4242e4
lstrcmpW 0x4242e8
Name Address
IsValidSid 0x4243fc
GetTokenInformation 0x424400
GetSidSubAuthorityCount 0x424404
GetSidSubAuthority 0x424408
Name Address
ExpandEnvironmentStringsW 0x424284
Name Address
EventUnregister 0x424358
EventSetInformation 0x42435c
EventWriteTransfer 0x424360
EventRegister 0x424364
Name Address
GetFileVersionInfoSizeW 0x42434c
GetFileVersionInfoW 0x424350
Name Address
VerQueryValueW 0x424344
Name Address
NtQueryInformationProcess 0x4244dc
Name Address
DeleteDC 0x42401c
GetCurrentObject 0x424020
BitBlt 0x424024
GetBkMode 0x424028
ExtTextOutW 0x42402c
DeleteObject 0x424030
LineTo 0x424034
MoveToEx 0x424038
CreatePen 0x42403c
SelectObject 0x424040
GetTextMetricsW 0x424044
SetBkMode 0x424048
CreateCompatibleDC 0x42404c
GetTextColor 0x424050
GetLayout 0x424054
GetStockObject 0x424058
CreateSolidBrush 0x42405c
GetTextExtentPointW 0x424060
Rectangle 0x424064
SetROP2 0x424068
CreateDCW 0x42406c
GetTextExtentPoint32W 0x424070
EnumFontFamiliesExW 0x424074
CreateFontIndirectW 0x424078
SetTextColor 0x42407c
Polyline 0x424080
GetDeviceCaps 0x424084
GetObjectW 0x424088
CreateCompatibleBitmap 0x42408c
Name Address
SfcIsFileProtected 0x4244f8

Exports

Name Address Ordinal
_CoCreateInstance@20 0x41cd70 1

Processing ( 9.72 seconds )

  • 9.135 ProcessMemory
  • 0.575 CAPE
  • 0.005 AnalysisInfo
  • 0.004 BehaviorAnalysis

Signatures ( 0.05 seconds )

  • 0.008 ransomware_files
  • 0.005 antianalysis_detectfile
  • 0.005 antiav_detectreg
  • 0.005 ransomware_extensions
  • 0.003 ursnif_behavior
  • 0.002 antiav_detectfile
  • 0.002 infostealer_ftp
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.002 territorial_disputes_sigs
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 infostealer_bitcoin
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior

Reporting ( 0.00 seconds )

  • 0.003 CAPASummary
  • 0.001 JsonDump

Signatures

The PE file contains a PDB path
pdbpath: imepadsv.pdb
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 2868 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections
Binary compilation timestomping detected
anomaly: Compilation timestamp is in the future

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
6497d7bf-7648-40f4-9029-7e3df94ea478
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No TCP connections recorded.

No UDP connections recorded.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.