Analysis

Category FILE
Package exe
Started 2025-06-13 09:13:23
Completed 2025-06-13 09:44:09
Duration 1846 seconds
Options
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1
2024-11-25 13:37:15,256 [root] INFO: Date set to: 20250612T19:25:18, timeout set to: 1800
2025-06-12 20:25:18,303 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8
2025-06-12 20:25:18,303 [root] DEBUG: Storing results at: C:\HqhOwdA
2025-06-12 20:25:18,303 [root] DEBUG: Pipe server name: \\.\PIPE\UDCbSEKv
2025-06-12 20:25:18,303 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-12 20:25:18,303 [root] INFO: analysis running as an admin
2025-06-12 20:25:18,303 [root] INFO: analysis package specified: "exe"
2025-06-12 20:25:18,303 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-12 20:25:19,147 [root] DEBUG: imported analysis package "exe"
2025-06-12 20:25:19,147 [root] DEBUG: initializing analysis package "exe"...
2025-06-12 20:25:19,147 [lib.common.common] INFO: wrapping
2025-06-12 20:25:19,147 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-12 20:25:19,162 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\imecfmui.exe
2025-06-12 20:25:19,162 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-12 20:25:19,162 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-12 20:25:19,162 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-12 20:25:19,162 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-12 20:25:19,350 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-12 20:25:19,381 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-12 20:25:19,474 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-12 20:25:19,490 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-12 20:25:19,490 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-12 20:25:19,490 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-12 20:25:19,490 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-12 20:25:19,506 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-12 20:25:19,506 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-12 20:25:19,506 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-12 20:25:19,506 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-12 20:25:19,506 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-12 20:25:19,506 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-12 20:25:19,506 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-12 20:25:19,506 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-12 20:25:19,506 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-12 20:25:19,506 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-12 20:25:19,506 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-12 20:25:19,693 [modules.auxiliary.digisig] DEBUG: File is not signed
2025-06-12 20:25:19,693 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-12 20:25:19,693 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-12 20:25:19,693 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-12 20:25:19,693 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-12 20:25:19,693 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-12 20:25:19,693 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-12 20:25:19,693 [modules.auxiliary.disguise] INFO: Disguising GUID to bcf0c39a-e22d-4a86-93af-b9f9232a4a50
2025-06-12 20:25:19,693 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-12 20:25:19,693 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-12 20:25:19,693 [root] DEBUG: attempting to configure 'Human' from data
2025-06-12 20:25:19,693 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-12 20:25:19,693 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-12 20:25:19,693 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-12 20:25:19,693 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-12 20:25:19,693 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-12 20:25:19,693 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-12 20:25:19,693 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-12 20:25:19,693 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-12 20:25:19,693 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-12 20:25:19,693 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-12 20:25:19,693 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-12 20:25:19,693 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-12 20:25:19,693 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-12 20:25:19,693 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-12 20:25:19,709 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini
2025-06-12 20:25:19,709 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-12 20:25:19,709 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-12 20:25:19,709 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-12 20:25:19,709 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-12 20:25:19,709 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-12 20:25:19,709 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-12 20:25:19,724 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\YAxvnBH.dll, loader C:\tmp_gell1p8\bin\htHrhPVk.exe
2025-06-12 20:25:19,818 [root] DEBUG: Loader: IAT patching disabled.
2025-06-12 20:25:19,818 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\YAxvnBH.dll.
2025-06-12 20:25:19,850 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-12 20:25:19,850 [root] INFO: Disabling sleep skipping.
2025-06-12 20:25:19,850 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-12 20:25:19,850 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-12 20:25:19,850 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-12 20:25:19,850 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-12 20:25:19,850 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-12 20:25:19,865 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-12 20:25:19,865 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-12 20:25:19,865 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-12 20:25:19,865 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 6348, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000
2025-06-12 20:25:19,865 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-12 20:25:19,881 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-12 20:25:19,881 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-12 20:25:19,881 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\YAxvnBH.dll.
2025-06-12 20:25:19,881 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-12 20:25:19,881 [root]  <truncated>

Machine

Name win10-2
Label win10-2
Manager KVM
Started On 2025-06-13 09:13:23
Shutdown On 2025-06-13 09:43:50
Route none

File Details

File Name imecfmui.exe
File Type PE32 executable (GUI) Intel 80386, for MS Windows
File Size 237056 bytes
MD5 bfe780aa3aff68557e04a7452e282dde
SHA1 42419208caf70547b2e9ac06238871340836a1f8
SHA256 b1d0dda4668eade6c0dfdc9daf4ce801175f0903fe15b97518673d05f6504cb5
SHA3-384 7caa0b51b1fd51e9a8e82c2d65a47b3e1f21e3000fa2a82724b0418571db1a8f7c49463b4cafb7bdd3a584492d6e512f
CRC32 56102371
TLSH T10234381133E5C475E2F32A30587DEBB52A7AFCA14B30868F6314662E1E35AD09D34B67
Ssdeep 6144:sYOlmU1TKkl4VT1yD+3t7LQc6/P/mn1V3NzuZgBk8SK0QO:sYOlmURK/14+mc6/P/mnvBS5
PE Information

Image Base 0x00400000
Entry Point 0x0001b6d0
Reported Checksum 0x00045966
Actual Checksum 0x00045966
Minimum OS Version 10.0
PDB Path imecfmui.pdb
Compile Time 2009-03-13 20:46:26
Import Hash 2d39a6d57d3b4041aeecd037739b6951
Icon Exact Hash 4bc9feb2c52641027dc88b439a1b9886
Icon Similarity Hash 9f0f2a6e1dcd6169695f5dcb53ededdd
Icon DHash fc78f9e1b0b0c042

Version Infos

CompanyName Microsoft Corporation
FileDescription Microsoft IME
FileVersion 10.0.17763.1 (WinBuild.160101.0800)
InternalName imecfmui.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename imecfmui.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.17763.1
Translation 0x0000 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x0001edbc 0x0001ee00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.47
.data 0x0001f200 0x00020000 0x0000134c 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 3.48
.idata 0x0001f400 0x00022000 0x00001910 0x00001a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.58
.didat 0x00020e00 0x00024000 0x00000014 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.16
.rsrc 0x00021000 0x00025000 0x00017218 0x00017400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.20
.reloc 0x00038400 0x0003d000 0x00001884 0x00001a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 6.55

Name Offset Size Language Sub-language Entropy File type
WEVT_TEMPLATE 0x00026658 0x00000cea LANG_ENGLISH SUBLANG_ENGLISH_US 3.64 None
RT_ICON 0x00027620 0x000002e8 LANG_NEUTRAL SUBLANG_DEFAULT 3.72 None
RT_ICON 0x00027908 0x00000128 LANG_NEUTRAL SUBLANG_DEFAULT 2.82 None
RT_ICON 0x00027a30 0x00000ea8 LANG_NEUTRAL SUBLANG_DEFAULT 6.05 None
RT_ICON 0x000288d8 0x00000ba8 LANG_NEUTRAL SUBLANG_DEFAULT 5.67 None
RT_ICON 0x00029480 0x000008a8 LANG_NEUTRAL SUBLANG_DEFAULT 6.27 None
RT_ICON 0x00029d28 0x000006c8 LANG_NEUTRAL SUBLANG_DEFAULT 6.11 None
RT_ICON 0x0002a3f0 0x00000608 LANG_NEUTRAL SUBLANG_DEFAULT 5.92 None
RT_ICON 0x0002a9f8 0x00000568 LANG_NEUTRAL SUBLANG_DEFAULT 4.81 None
RT_ICON 0x0002af60 0x000025a8 LANG_NEUTRAL SUBLANG_DEFAULT 4.93 None
RT_ICON 0x0002d508 0x00001a68 LANG_NEUTRAL SUBLANG_DEFAULT 5.51 None
RT_ICON 0x0002ef70 0x000010a8 LANG_NEUTRAL SUBLANG_DEFAULT 5.38 None
RT_ICON 0x00030018 0x00000988 LANG_NEUTRAL SUBLANG_DEFAULT 5.15 None
RT_ICON 0x000309a0 0x000006b8 LANG_NEUTRAL SUBLANG_DEFAULT 5.99 None
RT_ICON 0x00031058 0x00000468 LANG_NEUTRAL SUBLANG_DEFAULT 5.26 None
RT_MENU 0x00034db0 0x0000004e LANG_CHINESE SUBLANG_CHINESE_TRADITIONAL 4.16 None
RT_MENU 0x000331b8 0x00000094 LANG_ENGLISH SUBLANG_ENGLISH_US 2.83 None
RT_MENU 0x00037ac0 0x0000005e LANG_JAPANESE SUBLANG_DEFAULT 4.00 None
RT_MENU 0x00036788 0x00000094 LANG_KOREAN SUBLANG_KOREAN 2.83 None
RT_MENU 0x00034070 0x00000050 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 4.11 None
RT_DIALOG 0x000340c0 0x000003c2 LANG_CHINESE SUBLANG_CHINESE_TRADITIONAL 4.38 None
RT_DIALOG 0x00031590 0x0000066e LANG_ENGLISH SUBLANG_ENGLISH_US 3.38 None
RT_DIALOG 0x00036820 0x000004ca LANG_JAPANESE SUBLANG_DEFAULT 4.43 None
RT_DIALOG 0x00034e00 0x0000066e LANG_KOREAN SUBLANG_KOREAN 3.38 None
RT_DIALOG 0x00033250 0x00000442 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 4.54 None
RT_DIALOG 0x00034488 0x000001a4 LANG_CHINESE SUBLANG_CHINESE_TRADITIONAL 3.42 None
RT_DIALOG 0x00031c00 0x000001c8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.08 None
RT_DIALOG 0x00036cf0 0x0000018e LANG_JAPANESE SUBLANG_DEFAULT 3.47 None
RT_DIALOG 0x00035470 0x000001d4 LANG_KOREAN SUBLANG_KOREAN 3.09 None
RT_DIALOG 0x00033698 0x000001a8 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.58 None
RT_DIALOG 0x00034630 0x00000228 LANG_CHINESE SUBLANG_CHINESE_TRADITIONAL 5.05 None
RT_DIALOG 0x00031dc8 0x00000540 LANG_ENGLISH SUBLANG_ENGLISH_US 3.31 None
RT_DIALOG 0x00036e80 0x0000032a LANG_JAPANESE SUBLANG_DEFAULT 4.88 None
RT_DIALOG 0x00035648 0x00000548 LANG_KOREAN SUBLANG_KOREAN 3.31 None
RT_DIALOG 0x00033840 0x00000258 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 5.09 None
RT_DIALOG 0x00034858 0x000002bc LANG_CHINESE SUBLANG_CHINESE_TRADITIONAL 5.05 None
RT_DIALOG 0x00032308 0x00000b50 LANG_ENGLISH SUBLANG_ENGLISH_US 3.33 None
RT_DIALOG 0x000371b0 0x00000672 LANG_JAPANESE SUBLANG_DEFAULT 5.07 None
RT_DIALOG 0x00035b90 0x00000888 LANG_KOREAN SUBLANG_KOREAN 3.33 None
RT_DIALOG 0x00033a98 0x00000344 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 5.26 None
RT_DIALOG 0x00034b18 0x000001b0 LANG_CHINESE SUBLANG_CHINESE_TRADITIONAL 3.74 None
RT_DIALOG 0x00032e58 0x00000230 LANG_ENGLISH SUBLANG_ENGLISH_US 3.21 None
RT_DIALOG 0x00037828 0x000001aa LANG_JAPANESE SUBLANG_DEFAULT 3.78 None
RT_DIALOG 0x00036418 0x00000238 LANG_KOREAN SUBLANG_KOREAN 3.24 None
RT_DIALOG 0x00033de0 0x000001b0 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.91 None
RT_DIALOG 0x00034cc8 0x000000e4 LANG_CHINESE SUBLANG_CHINESE_TRADITIONAL 3.90 None
RT_DIALOG 0x00033088 0x0000012c LANG_ENGLISH SUBLANG_ENGLISH_US 3.26 None
RT_DIALOG 0x000379d8 0x000000e4 LANG_JAPANESE SUBLANG_DEFAULT 3.92 None
RT_DIALOG 0x00036650 0x00000134 LANG_KOREAN SUBLANG_KOREAN 3.29 None
RT_DIALOG 0x00033f90 0x000000dc LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 3.88 None
RT_STRING 0x000399e8 0x000002cc LANG_CHINESE SUBLANG_CHINESE_TRADITIONAL 4.11 None
RT_STRING 0x00037b20 0x0000042c LANG_ENGLISH SUBLANG_ENGLISH_US 3.34 None
RT_STRING 0x0003b5e8 0x0000035c LANG_JAPANESE SUBLANG_DEFAULT 4.21 None
RT_STRING 0x0003a2b0 0x0000042e LANG_KOREAN SUBLANG_KOREAN 3.34 None
RT_STRING 0x000390b8 0x000002f2 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 4.26 None
RT_STRING 0x00039cb8 0x000004fc LANG_CHINESE SUBLANG_CHINESE_TRADITIONAL 6.02 None
RT_STRING 0x00037f50 0x00000e6c LANG_ENGLISH SUBLANG_ENGLISH_US 3.38 None
RT_STRING 0x0003b948 0x00000832 LANG_JAPANESE SUBLANG_DEFAULT 5.50 None
RT_STRING 0x0003a6e0 0x00000e6c LANG_KOREAN SUBLANG_KOREAN 3.38 None
RT_STRING 0x000393b0 0x00000564 LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 6.07 None
RT_STRING 0x0003a1b8 0x000000f8 LANG_CHINESE SUBLANG_CHINESE_TRADITIONAL 4.69 None
RT_STRING 0x00038dc0 0x000002f8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.31 None
RT_STRING 0x0003c180 0x00000092 LANG_JAPANESE SUBLANG_DEFAULT 2.84 None
RT_STRING 0x0003b550 0x00000092 LANG_KOREAN SUBLANG_KOREAN 2.84 None
RT_STRING 0x00039918 0x000000cc LANG_CHINESE SUBLANG_CHINESE_SIMPLIFIED 4.21 None
RT_MESSAGETABLE 0x00025dd0 0x00000884 LANG_ENGLISH SUBLANG_ENGLISH_US 3.47 None
RT_GROUP_ICON 0x000314c0 0x000000ca LANG_NEUTRAL SUBLANG_DEFAULT 3.13 None
RT_VERSION 0x00025a40 0x00000390 LANG_ENGLISH SUBLANG_ENGLISH_US 3.41 None
RT_MANIFEST 0x00027348 0x000002d6 LANG_NEUTRAL SUBLANG_DEFAULT 4.82 None

Imports

Name Address
EventWriteTransfer 0x422000
EventRegister 0x422004
EventUnregister 0x422008
RegCreateKeyExW 0x42200c
RegSetValueExW 0x422010
RegQueryValueExW 0x422014
RegCloseKey 0x422018
EventSetInformation 0x42201c
RegGetValueW 0x422020
OpenProcessToken 0x422024
GetTokenInformation 0x422028
IsValidSid 0x42202c
ConvertSidToStringSidW 0x422030
GetSidSubAuthorityCount 0x422034
GetSidSubAuthority 0x422038
RegOpenKeyExW 0x42203c
Name Address
LockResource 0x422060
LoadResource 0x422064
FindResourceExW 0x422068
GetSystemTimeAsFileTime 0x42206c
CompareStringW 0x422070
WakeAllConditionVariable 0x422074
DecodePointer 0x422078
EncodePointer 0x42207c
GetStringTypeW 0x422080
MultiByteToWideChar 0x422084
WideCharToMultiByte 0x422088
DelayLoadFailureHook 0x42208c
ResolveDelayLoadedAPI 0x422090
GetVersionExW 0x422094
LocalFree 0x422098
DeleteCriticalSection 0x42209c
DebugBreak 0x4220a0
CreateThreadpoolTimer 0x4220a4
ReleaseSRWLockShared 0x4220a8
SetThreadpoolTimer 0x4220ac
AcquireSRWLockExclusive 0x4220b0
InitOnceComplete 0x4220b4
CloseThreadpoolTimer 0x4220b8
ReleaseSRWLockExclusive 0x4220bc
WaitForThreadpoolTimerCallbacks 0x4220c0
InitializeCriticalSectionEx 0x4220c4
LeaveCriticalSection 0x4220c8
EnterCriticalSection 0x4220cc
InitOnceBeginInitialize 0x4220d0
FreeLibrary 0x4220d4
LoadLibraryExW 0x4220d8
ExpandEnvironmentStringsW 0x4220dc
FindClose 0x4220e0
FindNextFileW 0x4220e4
FindFirstFileW 0x4220e8
GetTempPathW 0x4220ec
DeleteFileW 0x4220f0
WriteFile 0x4220f4
CreateFileW 0x4220f8
GetTickCount 0x4220fc
QueryPerformanceCounter 0x422100
TerminateProcess 0x422104
GetCurrentProcess 0x422108
SetUnhandledExceptionFilter 0x42210c
UnhandledExceptionFilter 0x422110
GetStartupInfoW 0x422114
Sleep 0x422118
GetModuleHandleW 0x42211c
GetProcessHeap 0x422120
GetCurrentProcessId 0x422124
CreateMutexExW 0x422128
GetProcAddress 0x42212c
HeapAlloc 0x422130
CloseHandle 0x422134
OpenSemaphoreW 0x422138
WaitForSingleObjectEx 0x42213c
OutputDebugStringW 0x422140
GetLastError 0x422144
FormatMessageW 0x422148
ReleaseMutex 0x42214c
GetCurrentThreadId 0x422150
WaitForSingleObject 0x422154
GetModuleHandleExW 0x422158
ReleaseSemaphore 0x42215c
SetLastError 0x422160
HeapFree 0x422164
CreateSemaphoreExW 0x422168
GetModuleFileNameA 0x42216c
IsDebuggerPresent 0x422170
AcquireSRWLockShared 0x422174
SleepConditionVariableSRW 0x422178
Name Address
GetTextExtentPoint32W 0x422044
SelectObject 0x422048
GetStockObject 0x42204c
CreateFontIndirectW 0x422050
GetObjectW 0x422054
GetDeviceCaps 0x422058
Name Address
GetDlgItem 0x4221a0
EnableWindow 0x4221a4
CheckDlgButton 0x4221a8
MessageBoxW 0x4221ac
SetDlgItemTextW 0x4221b0
PostMessageW 0x4221b4
GetDlgItemTextW 0x4221b8
SendMessageW 0x4221bc
LoadImageW 0x4221c0
GetSystemMetrics 0x4221c4
SendDlgItemMessageW 0x4221c8
ReleaseDC 0x4221cc
GetKeyState 0x4221d0
UpdateWindow 0x4221d4
GetCursor 0x4221d8
SetCursor 0x4221dc
LoadCursorW 0x4221e0
MapDialogRect 0x4221e4
GetClassInfoExW 0x4221e8
RegisterClassExW 0x4221ec
UnregisterClassW 0x4221f0
CreateWindowExW 0x4221f4
DefWindowProcW 0x4221f8
GetMessageW 0x4221fc
DestroyWindow 0x422200
RegisterWindowMessageW 0x422204
SetWindowTextW 0x422208
EndDialog 0x42220c
GetWindowLongW 0x422210
GetDC 0x422214
InvalidateRect 0x422218
IsDialogMessageW 0x42221c
TranslateMessage 0x422220
DispatchMessageW 0x422224
PostQuitMessage 0x422228
GetCursorPos 0x42222c
SetForegroundWindow 0x422230
TrackPopupMenuEx 0x422234
GetSubMenu 0x422238
AllowSetForegroundWindow 0x42223c
GetWindowThreadProcessId 0x422240
SetProcessDPIAware 0x422244
LoadMenuIndirectW 0x422248
DialogBoxIndirectParamW 0x42224c
CreateDialogIndirectParamW 0x422250
DrawEdge 0x422254
DrawStateW 0x422258
GetWindowTextW 0x42225c
SetWindowPos 0x422260
MapWindowPoints 0x422264
GetWindowRect 0x422268
GetClientRect 0x42226c
EnumWindows 0x422270
GetClassNameW 0x422274
GetLastActivePopup 0x422278
DestroyIcon 0x42227c
ShowWindow 0x422280
DestroyMenu 0x422284
SetWindowLongW 0x422288
Name Address
__CxxFrameHandler3 0x422290
_vsnwprintf 0x422294
memcpy_s 0x422298
_purecall 0x42229c
??1exception@@UAE@XZ 0x4222a0
??0exception@@QAE@XZ 0x4222a4
??0exception@@QAE@ABV0@@Z 0x4222a8
_controlfp 0x4222ac
??1type_info@@UAE@XZ 0x4222b0
?terminate@@YAXXZ 0x4222b4
_onexit 0x4222b8
__dllonexit 0x4222bc
_unlock 0x4222c0
_lock 0x4222c4
_wcmdln 0x4222c8
_initterm 0x4222cc
__setusermatherr 0x4222d0
_vsnprintf_s 0x4222d4
__p__fmode 0x4222d8
_cexit 0x4222dc
_exit 0x4222e0
exit 0x4222e4
__set_app_type 0x4222e8
__wgetmainargs 0x4222ec
_amsg_exit 0x4222f0
__p__commode 0x4222f4
_XcptFilter 0x4222f8
memmove 0x4222fc
memcpy 0x422300
_CxxThrowException 0x422304
?what@exception@@UBEPBDXZ 0x422308
??0exception@@QAE@ABQBDH@Z 0x42230c
strchr 0x422310
realloc 0x422314
free 0x422318
??0bad_cast@@QAE@ABV0@@Z 0x42231c
??1bad_cast@@UAE@XZ 0x422320
??0bad_cast@@QAE@PBD@Z 0x422324
wcsncat_s 0x422328
??_V@YAXPAX@Z 0x42232c
wcsnlen 0x422330
memmove_s 0x422334
setlocale 0x422338
___lc_collate_cp_func 0x42233c
_errno 0x422340
??3@YAXPAX@Z 0x422344
___lc_handle_func 0x422348
___lc_codepage_func 0x42234c
_ismbblead 0x422350
memset 0x422354
__pctype_func 0x422358
calloc 0x42235c
memcmp 0x422360
abort 0x422364
_wcsdup 0x422368
__crtCompareStringW 0x42236c
__crtLCMapStringW 0x422370
_get_current_locale 0x422374
_free_locale 0x422378
??0exception@@QAE@ABQBD@Z 0x42237c
_callnewh 0x422380
malloc 0x422384
wcschr 0x422388
_wcstoi64 0x42238c
_wtoi 0x422390
wcsncpy_s 0x422394
_vsnwprintf_s 0x422398
___mb_cur_max_func 0x42239c
_except_handler4_common 0x4223a0
Name Address
CoInitialize 0x4223a8
CoCreateInstance 0x4223ac
Name Address
SHGetFolderPathW 0x422190
ShellExecuteW 0x422194
Shell_NotifyIconW 0x422198
Name Address
SysAllocString 0x422180
SysFreeString 0x422184
VariantClear 0x422188
Name Address
WerReportCloseHandle 0x4223b4
WerReportSubmit 0x4223b8
WerReportCreate 0x4223bc
WerReportSetParameter 0x4223c0
WerReportAddFile 0x4223c4

Usage

Processing ( 9.68 seconds )

  • 9.031 ProcessMemory
  • 0.627 CAPE
  • 0.012 BehaviorAnalysis
  • 0.007 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.05 seconds )

  • 0.008 ransomware_files
  • 0.005 antianalysis_detectfile
  • 0.005 antiav_detectreg
  • 0.005 ransomware_extensions
  • 0.003 ursnif_behavior
  • 0.002 antiav_detectfile
  • 0.002 infostealer_ftp
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.002 territorial_disputes_sigs
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 infostealer_bitcoin
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior

Reporting ( 0.01 seconds )

  • 0.005 CAPASummary
  • 0.001 JsonDump

Signatures

The PE file contains a PDB path
pdbpath: imecfmui.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
The binary contains an unknown PE section name indicative of packing
unknown section: {'name': '.didat', 'raw_address': '0x00020e00', 'virtual_address': '0x00024000', 'virtual_size': '0x00000014', 'size_of_data': '0x00000200', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000040', 'entropy': '0.16'}
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 6212 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Windows\System32\kernel.appcore.dll
\Device\CNG
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_CURRENT_USER
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.