Analysis

Category: FILE
Package: exe
Started: 2025-06-13 20:07:13
Completed: 2025-06-13 20:37:57
Duration: 1844 seconds
Options:
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1
Analysis log:
2024-11-25 13:37:14,787 [root] INFO: Date set to: 20250613T10:40:26, timeout set to: 1800
2025-06-13 11:40:26,098 [root] DEBUG: Starting analyzer from: C:\tmpjeo7jmad
2025-06-13 11:40:26,098 [root] DEBUG: Storing results at: C:\TZGwkCd
2025-06-13 11:40:26,098 [root] DEBUG: Pipe server name: \\.\PIPE\QDyaMUzOhJ
2025-06-13 11:40:26,098 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-13 11:40:26,098 [root] INFO: analysis running as an admin
2025-06-13 11:40:26,098 [root] INFO: analysis package specified: "exe"
2025-06-13 11:40:26,098 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-13 11:40:27,285 [root] DEBUG: imported analysis package "exe"
2025-06-13 11:40:27,301 [root] DEBUG: initializing analysis package "exe"...
2025-06-13 11:40:27,301 [lib.common.common] INFO: wrapping
2025-06-13 11:40:27,301 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-13 11:40:27,301 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\pnputil.exe
2025-06-13 11:40:27,317 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-13 11:40:27,317 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-13 11:40:27,317 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-13 11:40:27,317 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-13 11:40:27,473 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-13 11:40:27,488 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-13 11:40:27,520 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-13 11:40:27,535 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-13 11:40:27,613 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-13 11:40:27,613 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-13 11:40:27,613 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-13 11:40:27,613 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-13 11:40:27,613 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-13 11:40:27,613 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-13 11:40:27,613 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-13 11:40:27,613 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-13 11:40:27,613 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-13 11:40:27,613 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-13 11:40:27,613 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-13 11:40:27,613 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-13 11:40:27,613 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-13 11:40:27,613 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-13 11:40:27,786 [modules.auxiliary.digisig] DEBUG: File is not signed
2025-06-13 11:40:27,786 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-13 11:40:27,786 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-13 11:40:27,786 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-13 11:40:27,786 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-13 11:40:27,786 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-13 11:40:27,786 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-13 11:40:27,801 [modules.auxiliary.disguise] INFO: Disguising GUID to 49b3c931-c86a-4b38-bb90-6f49beae8921
2025-06-13 11:40:27,801 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-13 11:40:27,801 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-13 11:40:27,801 [root] DEBUG: attempting to configure 'Human' from data
2025-06-13 11:40:27,801 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-13 11:40:27,801 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-13 11:40:27,801 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-13 11:40:27,801 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-13 11:40:27,801 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-13 11:40:27,801 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-13 11:40:27,801 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-13 11:40:27,801 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-13 11:40:27,801 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-13 11:40:27,801 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-13 11:40:27,801 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-13 11:40:27,801 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-13 11:40:27,801 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-13 11:40:27,801 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-13 11:40:27,832 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmpjeo7jmad\dll\696.ini
2025-06-13 11:40:27,832 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-13 11:40:27,832 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-13 11:40:27,832 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-13 11:40:27,832 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-13 11:40:27,832 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-13 11:40:27,832 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-13 11:40:27,832 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpjeo7jmad\dll\AIcaGWIg.dll, loader C:\tmpjeo7jmad\bin\AbwEKHXG.exe
2025-06-13 11:40:27,910 [root] DEBUG: Loader: IAT patching disabled.
2025-06-13 11:40:27,910 [root] DEBUG: Loader: Injecting process 696 with C:\tmpjeo7jmad\dll\AIcaGWIg.dll.
2025-06-13 11:40:27,926 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-13 11:40:27,926 [root] INFO: Disabling sleep skipping.
2025-06-13 11:40:27,926 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-13 11:40:27,926 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-13 11:40:27,926 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-13 11:40:27,926 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-13 11:40:27,926 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-13 11:40:27,942 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-13 11:40:27,957 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-13 11:40:27,957 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-13 11:40:27,957 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 1764, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000
2025-06-13 11:40:27,957 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-13 11:40:27,973 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-13 11:40:27,973 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-13 11:40:27,973 [root] DEBUG: Successfully injected DLL C:\tmpjeo7jmad\dll\AIcaGWIg.dll.
2025-06-13 11:40:27,973 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-13 11:40:27,973 [ro <truncated>
Machine

Name: win10-2
Label: win10-2
Manager: KVM
Started On: 2025-06-13 20:07:13
Shutdown On: 2025-06-13 20:37:37
Route: none

File Details

File Name: pnputil.exe
File Type: PE32+ executable (console) x86-64, for MS Windows
File Size: 267776 bytes
MD5: f90f59ac0dd8f246070e4cfb97362610
SHA1: 18feefe0e5f5930c254e646177aa3e17dc5717c8
SHA256: 38f65ccc55e9c28bfb8e44a11a8295f3dd9f73de29f67ff5e043f0bd5a2003ef
SHA3-384: 5b7415df4afca6d5533795eaa1d7688c389c8c93fddc547ce8bd544723f65060f0ef24234df10c3bcde2a6a0e71652c6
CRC32: E869AC95
TLSH: T1F6442911A3E50EE5ED7BC67D99BB8502BA72B8161B01D6CF1270885D1F23BE1E93C316
Ssdeep: 3072:BCJDyM6Wz63GfINmCTfzAn6SFD4bJjgwQ+sJ6ZtAupdZppPsYtaLC:BCJDyM6WzBfINmccn6qxH78UY
_amsg_exit
?terminate@@YAXXZ
|$ UAVAWH
lusSanitizedFilePath.Length != 0
ConvertSecurityDescriptorToStringSecurityDescriptorW
T$@H+
.
u4H!T$0H
Capabilities
api-ms-win-security-lsalookup-l2-1-0.dll
fD94Gu
api-ms-win-security-sddl-l1-1-0.dll
u/H!\$0H
pnputil.exe
DriverStoreEnumW
<QueryList><Query Id="0"><Select Path="Microsoft-Windows-UserPnp/ActionCenter">*[System[Provider[@Name='Microsoft-Windows-UserPnp']]]</Select></Query></QueryList>
ClassDesc
uUD!T$PH
pA_A^A]A\_^]
D$`D!d$0L!d$(H
[Device Install Log]
api-ms-win-core-timezone-l1-1-0.dll
Classes
A_A^A]A\]
GetSystemInfo
setupapi.*.log
`.rdata
Failed to unload private hive '%ws'. Error = 0x%08X
pnputil
Exported %ws
RegQueryInfoKeyW
RegCloseKey
fD9$^u
System\CurrentControlSet\Enum
RtlAllocateHeap
T$ H+
fD9'u

PE Information

Image Base: 0x140000000
Entry Point: 0x0002e0f0
Reported Checksum: 0x00050bb5
Actual Checksum: 0x00050bb5
Minimum OS Version: 10.0
PDB Path: pnputil.pdb
Compile Time: 2089-10-05 17:15:10
Import Hash: 77c66aa0a4495185a477c13839b45d00

Version Infos

CompanyName Microsoft Corporation
FileDescription Microsoft PnP Utility - Tool to add, delete, export, and enumerate driver packages.
FileVersion 10.0.17763.1 (WinBuild.160101.0800)
InternalName pnputil.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename pnputil.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.17763.1
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x0002e020 0x0002e200 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.33
.rdata 0x0002e600 0x00030000 0x00010464 0x00010600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.93
.data 0x0003ec00 0x00041000 0x00001034 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.30
.pdata 0x0003ee00 0x00043000 0x000014b8 0x00001600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.27
.didat 0x00040400 0x00045000 0x00000060 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.58
.rsrc 0x00040600 0x00046000 0x00000860 0x00000a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.77
.reloc 0x00041000 0x00047000 0x00000464 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 4.58

Name Offset Size Language Sub-language Entropy File type
MUI 0x00046798 0x000000c8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.72 None
RT_VERSION 0x00046380 0x00000414 LANG_ENGLISH SUBLANG_ENGLISH_US 3.47 None
RT_MANIFEST 0x000460f0 0x0000028d LANG_ENGLISH SUBLANG_ENGLISH_US 4.89 None

Imports

Name Address
memset 0x140032730
memcmp 0x140032738
memcpy 0x140032740
memmove 0x140032748
_vsnwprintf 0x140032750
_ultow_s 0x140032758
?terminate@@YAXXZ 0x140032760
_commode 0x140032768
_fmode 0x140032770
_initterm 0x140032778
__setusermatherr 0x140032780
_cexit 0x140032788
_exit 0x140032790
exit 0x140032798
__set_app_type 0x1400327a0
__wgetmainargs 0x1400327a8
wcstoul 0x1400327b0
swprintf_s 0x1400327b8
_amsg_exit 0x1400327c0
toupper 0x1400327c8
_vsnprintf 0x1400327d0
_resetstkoflw 0x1400327d8
_XcptFilter 0x1400327e0
wcschr 0x1400327e8
__C_specific_handler 0x1400327f0
_wcsnicmp 0x1400327f8
_wcsicmp 0x140032800
wcsrchr 0x140032808
wcscmp 0x140032810
Name Address
DeleteFileA 0x1400321d0
FindNextFileW 0x1400321d8
FileTimeToLocalFileTime 0x1400321e0
WriteFile 0x1400321e8
FindClose 0x1400321f0
GetFileAttributesW 0x1400321f8
SetEndOfFile 0x140032200
FindFirstFileW 0x140032208
SetFilePointer 0x140032210
FlushFileBuffers 0x140032218
ReadFile 0x140032220
GetTempFileNameW 0x140032228
CreateDirectoryW 0x140032230
CreateFileA 0x140032238
GetFileInformationByHandle 0x140032240
CreateFileW 0x140032248
DeleteFileW 0x140032250
GetFileSize 0x140032258
SetFileAttributesW 0x140032260
RemoveDirectoryW 0x140032268
GetFullPathNameW 0x140032270
Name Address
GetProcessHeap 0x1400322e0
HeapFree 0x1400322e8
HeapReAlloc 0x1400322f0
HeapAlloc 0x1400322f8
Name Address
RaiseException 0x140032198
SetUnhandledExceptionFilter 0x1400321a0
UnhandledExceptionFilter 0x1400321a8
GetLastError 0x1400321b0
SetErrorMode 0x1400321b8
SetLastError 0x1400321c0
Name Address
GetCommandLineA 0x1400323d0
GetStdHandle 0x1400323d8
ExpandEnvironmentStringsW 0x1400323e0
Name Address
GetConsoleMode 0x140032170
WriteConsoleW 0x140032178
Name Address
LCMapStringW 0x140032370
SetThreadPreferredUILanguages 0x140032378
FormatMessageW 0x140032380
Name Address
FileTimeToSystemTime 0x1400325d0
Name Address
GetSystemFirmwareTable 0x1400325b8
GetNativeSystemInfo 0x1400325c0
Name Address
LoadLibraryExA 0x140032338
GetModuleHandleW 0x140032340
FreeLibrary 0x140032348
GetModuleFileNameA 0x140032350
GetProcAddress 0x140032358
LoadStringW 0x140032360
Name Address
LocalFree 0x140032308
Name Address
CompareStringW 0x140032510
MultiByteToWideChar 0x140032518
WideCharToMultiByte 0x140032520
Name Address
GetSystemTimeAsFileTime 0x140032578
GetTickCount 0x140032580
GetSystemInfo 0x140032588
GetLocalTime 0x140032590
GetSystemWindowsDirectoryW 0x140032598
GetTickCount64 0x1400325a0
GetSystemTime 0x1400325a8
Name Address
RegFlushKey 0x140032448
RegLoadKeyW 0x140032450
RegQueryInfoKeyW 0x140032458
RegOpenKeyExW 0x140032460
RegLoadAppKeyW 0x140032468
RegRestoreKeyW 0x140032470
RegSetValueExW 0x140032478
RegDeleteKeyExW 0x140032480
RegQueryValueExW 0x140032488
RegEnumKeyExW 0x140032490
RegCloseKey 0x140032498
RegSaveKeyExW 0x1400324a0
RegCreateKeyExW 0x1400324a8
RegUnLoadKeyW 0x1400324b0
Name Address
NtSetInformationThread 0x140032820
RtlUnicodeToMultiByteN 0x140032828
RtlUnicodeToMultiByteSize 0x140032830
NtSetInformationFile 0x140032838
NtQueryInformationFile 0x140032840
RtlImageNtHeader 0x140032848
RtlRandomEx 0x140032850
RtlGUIDFromString 0x140032858
RtlFreeHeap 0x140032860
RtlAllocateHeap 0x140032868
RtlMultiByteToUnicodeN 0x140032870
RtlMultiByteToUnicodeSize 0x140032878
RtlRaiseStatus 0x140032880
DbgPrintEx 0x140032888
RtlFormatCurrentUserKeyPath 0x140032890
NtClose 0x140032898
NtDeleteKey 0x1400328a0
NtOpenKey 0x1400328a8
NtCreateKey 0x1400328b0
NtQueryValueKey 0x1400328b8
NtSetValueKey 0x1400328c0
NtEnumerateKey 0x1400328c8
RtlGetSaclSecurityDescriptor 0x1400328d0
RtlGetDaclSecurityDescriptor 0x1400328d8
RtlInitializeSRWLock 0x1400328e0
RtlAcquireSRWLockExclusive 0x1400328e8
RtlReleaseSRWLockExclusive 0x1400328f0
RtlCreateUnicodeString 0x1400328f8
RtlEqualUnicodeString 0x140032900
RtlValidRelativeSecurityDescriptor 0x140032908
RtlLengthSecurityDescriptor 0x140032910
RtlInitUnicodeStringEx 0x140032918
RtlUnicodeStringToInteger 0x140032920
NtOpenThreadToken 0x140032928
NtOpenProcessToken 0x140032930
NtQuerySecurityObject 0x140032938
NtDuplicateToken 0x140032940
RtlLengthSid 0x140032948
RtlCopySid 0x140032950
RtlCreateAcl 0x140032958
RtlAddAce 0x140032960
RtlCreateSecurityDescriptor 0x140032968
RtlSetDaclSecurityDescriptor 0x140032970
NtSetSecurityObject 0x140032978
NtEnumerateValueKey 0x140032980
NtDeleteValueKey 0x140032988
NtOpenThreadTokenEx 0x140032990
NtOpenProcessTokenEx 0x140032998
NtQueryInformationToken 0x1400329a0
RtlEqualSid 0x1400329a8
RtlConvertSidToUnicodeString 0x1400329b0
RtlAppendUnicodeStringToString 0x1400329b8
RtlAddAccessAllowedAceEx 0x1400329c0
RtlValidSecurityDescriptor 0x1400329c8
RtlAbsoluteToSelfRelativeSD 0x1400329d0
LdrGetDllHandle 0x1400329d8
RtlInitAnsiString 0x1400329e0
RtlPrefixUnicodeString 0x1400329e8
RtlTimeToTimeFields 0x1400329f0
RtlSetGroupSecurityDescriptor 0x1400329f8
RtlSetOwnerSecurityDescriptor 0x140032a00
RtlValidSid 0x140032a08
RtlSubAuthoritySid 0x140032a10
RtlInitializeSid 0x140032a18
RtlGetGroupSecurityDescriptor 0x140032a20
RtlGetOwnerSecurityDescriptor 0x140032a28
LdrUnloadDll 0x140032a30
LdrGetProcedureAddress 0x140032a38
LdrLoadDll 0x140032a40
NtAdjustPrivilegesToken 0x140032a48
NtUnloadKey2 0x140032a50
RtlInitUnicodeString 0x140032a58
NtQuerySystemInformation 0x140032a60
NtQueryKey 0x140032a68
RtlNtStatusToDosError 0x140032a70
RtlDosPathNameToNtPathName_U 0x140032a78
RtlIsStateSeparationEnabled 0x140032a80
RtlFreeUnicodeString 0x140032a88
RtlGetVersion 0x140032a90
Name Address
RegDeleteKeyW 0x1400324c0
RegSaveKeyW 0x1400324c8
Name Address
Sleep 0x140032568
Name Address
CloseHandle 0x1400322d0
Name Address
CopyFileW 0x1400322c0
Name Address
TerminateProcess 0x1400323f0
OpenThreadToken 0x1400323f8
SetThreadToken 0x140032400
GetCurrentThread 0x140032408
GetCurrentProcess 0x140032410
GetCurrentProcessId 0x140032418
OpenProcessToken 0x140032420
GetCurrentThreadId 0x140032428
Name Address
GetTempPathA 0x140032290
GetTempFileNameA 0x140032298
Name Address
FileTimeToDosDateTime 0x140032328
Name Address
WritePrivateProfileStringW 0x1400323c0
Name Address
InitiateSystemShutdownExW 0x140032500
Name Address
GetTempPathW 0x140032280
Name Address
GetKernelObjectSecurity 0x140032678
DuplicateTokenEx 0x140032680
AdjustTokenPrivileges 0x140032688
Name Address
LookupPrivilegeValueW 0x140032698
Name Address
IsDebuggerPresent 0x140032188
Name Address
RtlLookupFunctionEntry 0x1400324d8
RtlVirtualUnwind 0x1400324e0
RtlCaptureContext 0x1400324e8
RtlCompareMemory 0x1400324f0
Name Address
QueryPerformanceCounter 0x140032438
Name Address
DriverStoreEnumW 0x1400326d0
DriverPackageOpenW 0x1400326d8
DriverStoreFindW 0x1400326e0
DriverStoreUpdateDevicesW 0x1400326e8
DriverStoreImportW 0x1400326f0
DriverStoreSetLogContext 0x1400326f8
DriverPackageGetVersionInfoW 0x140032700
DriverStoreGetObjectPropertyW 0x140032708
DriverStoreEnumObjectsW 0x140032710
DriverStoreCopyW 0x140032718
DriverStoreDeleteW 0x140032720
Name Address
GetFileVersionInfoSizeExW 0x1400325e0
VerQueryValueW 0x1400325e8
GetFileVersionInfoExW 0x1400325f0
Name Address
ReleaseSRWLockExclusive 0x140032530
SleepEx 0x140032538
SetEvent 0x140032540
CreateEventW 0x140032548
WaitForSingleObjectEx 0x140032550
AcquireSRWLockExclusive 0x140032558
Name Address
CloseServiceHandle 0x1400326c0
Name Address
CreateFileMappingW 0x140032390
VirtualQuery 0x140032398
VirtualProtect 0x1400323a0
MapViewOfFile 0x1400323a8
UnmapViewOfFile 0x1400323b0
Name Address
DeviceIoControl 0x140032318
Name Address
CreateHardLinkW 0x1400322a8
MoveFileExW 0x1400322b0
Name Address
ApiSetQueryApiSetPresence 0x140032160


Usage


Processing ( 10.87 seconds )

  • 10.276 ProcessMemory
  • 0.574 CAPE
  • 0.007 AnalysisInfo
  • 0.007 BehaviorAnalysis
  • 0.001 Debug

Signatures ( 0.05 seconds )

  • 0.008 ransomware_files
  • 0.005 antianalysis_detectfile
  • 0.005 antiav_detectreg
  • 0.005 ransomware_extensions
  • 0.003 ursnif_behavior
  • 0.002 antiav_detectfile
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_ftp
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.002 territorial_disputes_sigs
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior

Reporting ( 0.01 seconds )

  • 0.004 CAPASummary
  • 0.001 JsonDump

Signatures

The PE file contains a PDB path
pdbpath: pnputil.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
The binary contains an unknown PE section name indicative of packing
unknown section: {'name': '.didat', 'raw_address': '0x00040400', 'virtual_address': '0x00045000', 'virtual_size': '0x00000060', 'size_of_data': '0x00000200', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000040', 'entropy': '0.58'}
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 6208 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 59 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections
Binary compilation timestomping detected
anomaly: Compilation timestamp is in the future

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Users\Packager\AppData\Local\Temp\pnputil.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.