Analysis

Category: FILE
Package: exe
Started: 2025-06-13 20:37:57
Completed: 2025-06-13 21:08:40
Duration: 1843 seconds
Options: procmemdump=1, import_reconstruction=1, unpacker=2, norefer=1, no-iat=1
2024-11-25 13:37:14,990 [root] INFO: Date set to: 20250613T10:41:11, timeout set to: 1800
2025-06-13 11:41:11,672 [root] DEBUG: Starting analyzer from: C:\tmpjeo7jmad
2025-06-13 11:41:11,672 [root] DEBUG: Storing results at: C:\SLtSxJVgsX
2025-06-13 11:41:11,672 [root] DEBUG: Pipe server name: \\.\PIPE\TCjHsIkvb
2025-06-13 11:41:11,672 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-13 11:41:11,672 [root] INFO: analysis running as an admin
2025-06-13 11:41:11,672 [root] INFO: analysis package specified: "exe"
2025-06-13 11:41:11,672 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-13 11:41:12,173 [root] DEBUG: imported analysis package "exe"
2025-06-13 11:41:12,173 [root] DEBUG: initializing analysis package "exe"...
2025-06-13 11:41:12,173 [lib.common.common] INFO: wrapping
2025-06-13 11:41:12,173 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-13 11:41:12,173 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\PresentationHost.exe
2025-06-13 11:41:12,173 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-13 11:41:12,173 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-13 11:41:12,173 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-13 11:41:12,173 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-13 11:41:12,407 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-13 11:41:12,438 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-13 11:41:12,470 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-13 11:41:12,485 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-13 11:41:12,501 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-13 11:41:12,501 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-13 11:41:12,517 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-13 11:41:12,517 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-13 11:41:12,517 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-13 11:41:12,517 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-13 11:41:12,517 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-13 11:41:12,517 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-13 11:41:12,517 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-13 11:41:12,517 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-13 11:41:12,517 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-13 11:41:12,517 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-13 11:41:12,517 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-13 11:41:12,517 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-13 11:41:12,688 [modules.auxiliary.digisig] DEBUG: File is not signed
2025-06-13 11:41:12,688 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-13 11:41:12,688 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-13 11:41:12,688 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-13 11:41:12,688 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-13 11:41:12,688 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-13 11:41:12,688 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-13 11:41:12,688 [modules.auxiliary.disguise] INFO: Disguising GUID to 1b621a55-cfac-4e69-8e86-c2b86ccae11e
2025-06-13 11:41:12,688 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-13 11:41:12,688 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-13 11:41:12,688 [root] DEBUG: attempting to configure 'Human' from data
2025-06-13 11:41:12,688 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-13 11:41:12,688 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-13 11:41:12,688 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-13 11:41:12,688 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-13 11:41:12,688 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-13 11:41:12,704 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-13 11:41:12,704 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-13 11:41:12,704 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-13 11:41:12,704 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-13 11:41:12,704 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-13 11:41:12,704 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-13 11:41:12,704 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-13 11:41:12,704 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-13 11:41:12,704 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-13 11:41:12,720 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmpjeo7jmad\dll\696.ini
2025-06-13 11:41:12,720 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-13 11:41:12,720 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-13 11:41:12,720 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-13 11:41:12,720 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-13 11:41:12,720 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-13 11:41:12,720 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-13 11:41:12,735 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpjeo7jmad\dll\KhePLP.dll, loader C:\tmpjeo7jmad\bin\ktypyZOY.exe
2025-06-13 11:41:12,985 [root] DEBUG: Loader: IAT patching disabled.
2025-06-13 11:41:12,985 [root] DEBUG: Loader: Injecting process 696 with C:\tmpjeo7jmad\dll\KhePLP.dll.
2025-06-13 11:41:13,032 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-13 11:41:13,032 [root] INFO: Disabling sleep skipping.
2025-06-13 11:41:13,032 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-13 11:41:13,032 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-13 11:41:13,032 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-13 11:41:13,032 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-13 11:41:13,032 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-13 11:41:13,032 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-13 11:41:13,047 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-13 11:41:13,047 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-13 11:41:13,047 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 716, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000
2025-06-13 11:41:13,047 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-13 11:41:13,063 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-13 11:41:13,063 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-13 11:41:13,063 [root] DEBUG: Successfully injected DLL C:\tmpjeo7jmad\dll\KhePLP.dll.
2025-06-13 11:41:13,063 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-13 11:41:13,063 <truncated>


Machine

Name: win10-2
Label: win10-2
Manager: KVM
Started On: 2025-06-13 20:37:57
Shutdown On: 2025-06-13 21:08:21
Route: none

File Details

File Name
PresentationHost.exe
File Type PE32 executable (GUI) Intel 80386, for MS Windows
File Size 248832 bytes
MD5 b73ecb016b35d5b7acb91125924525e5
SHA1 37fe45c0a85900d869a41f996dd19949f78c4ec4
SHA256 b3982e67820abc7b41818a7236232ce6de92689b76b6f152fab9ef302528566d
SHA3-384 9dfb512574a39ac8dc4c4f4c0f42076d1065cc92e633fdfbf3df3b015d88ad05fb1fa5f0430a6f6a242d9ed3e6a4e21d
CRC32 88C96794
TLSH T14A345C53B2C549E1E177123059BA9D50856ABC31DE906A5BF38C722F7F302C26839B6F
Ssdeep 6144:gW/3xqCu+WWzLw5KNXwy3Odjp19k5KNXfB:1/3U9cQKVwy3OdLaKV

PE Information

Image Base: 0x00400000
Entry Point: 0x00011ae0
Reported Checksum: 0x00049c4d
Actual Checksum: 0x00049c4d
Minimum OS Version: 10.0
PDB Path: PresentationHost.pdb
Compile Time: 1983-04-20 10:47:57
Import Hash: 88138f425fd4cf0102598c830d4a0eb1
Icon Exact Hash: d38cf5c59d3b04b59983b47b0524283f
Icon Similarity Hash: 54cf88800431449d9ef30ec16acc6b0e
Icon DHash: aab2ecce8686ba00

Version Infos

CompanyName Microsoft Corporation
FileDescription Windows Presentation Foundation Host
FileVersion 10.0.17763.1 (WinBuild.160101.0800)
InternalName PresentationHost.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename PresentationHost.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.17763.1
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x00012a98 0x00012c00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.05
.data 0x00013000 0x00014000 0x000009bc 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 1.23
.idata 0x00013200 0x00015000 0x0000173c 0x00001800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.37
.rsrc 0x00014a00 0x00017000 0x00026ae0 0x00026c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 6.68
.reloc 0x0003b600 0x0003e000 0x0000157c 0x00001600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 6.53

Name Offset Size Language Sub-language Entropy File type
MUI 0x0003da00 0x000000e0 LANG_ENGLISH SUBLANG_ENGLISH_US 2.84 None
REGISTRY 0x0003c040 0x000013ba LANG_ENGLISH SUBLANG_ENGLISH_US 4.13 None
RT_ICON 0x00017c40 0x00000668 LANG_ENGLISH SUBLANG_ENGLISH_US 3.06 None
RT_ICON 0x000182a8 0x000002e8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.21 None
RT_ICON 0x00018590 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US 2.82 None
RT_ICON 0x000186b8 0x00000ea8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.98 None
RT_ICON 0x00019560 0x000008a8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.98 None
RT_ICON 0x00019e08 0x00000568 LANG_ENGLISH SUBLANG_ENGLISH_US 2.63 None
RT_ICON 0x0001a370 0x000060f4 LANG_ENGLISH SUBLANG_ENGLISH_US 7.96 None
RT_ICON 0x00020468 0x000025a8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.37 None
RT_ICON 0x00022a10 0x000010a8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.61 None
RT_ICON 0x00023ab8 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 3.92 None
RT_ICON 0x00023fb8 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US 1.14 None
RT_ICON 0x000240f8 0x00000668 LANG_ENGLISH SUBLANG_ENGLISH_US 2.47 None
RT_ICON 0x00024760 0x000002e8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.97 None
RT_ICON 0x00024a48 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US 3.11 None
RT_ICON 0x00024b70 0x00000ea8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.48 None
RT_ICON 0x00025a18 0x000008a8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.20 None
RT_ICON 0x000262c0 0x00000568 LANG_ENGLISH SUBLANG_ENGLISH_US 2.49 None
RT_ICON 0x00026828 0x0000594e LANG_ENGLISH SUBLANG_ENGLISH_US 7.96 None
RT_ICON 0x0002c178 0x000025a8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.99 None
RT_ICON 0x0002e720 0x000010a8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.01 None
RT_ICON 0x0002f7c8 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 3.75 None
RT_ICON 0x0002fcc8 0x00000668 LANG_ENGLISH SUBLANG_ENGLISH_US 3.06 None
RT_ICON 0x00030330 0x000002e8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.21 None
RT_ICON 0x00030618 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US 2.82 None
RT_ICON 0x00030740 0x00000ea8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.98 None
RT_ICON 0x000315e8 0x000008a8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.98 None
RT_ICON 0x00031e90 0x00000568 LANG_ENGLISH SUBLANG_ENGLISH_US 2.63 None
RT_ICON 0x000323f8 0x000060f4 LANG_ENGLISH SUBLANG_ENGLISH_US 7.96 None
RT_ICON 0x000384f0 0x000025a8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.37 None
RT_ICON 0x0003aa98 0x000010a8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.61 None
RT_ICON 0x0003bb40 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 3.92 None
RT_STRING 0x0003d400 0x00000474 LANG_ENGLISH SUBLANG_ENGLISH_US 3.29 None
RT_STRING 0x0003d878 0x00000182 LANG_ENGLISH SUBLANG_ENGLISH_US 3.01 None
RT_GROUP_ICON 0x00023f20 0x00000092 LANG_ENGLISH SUBLANG_ENGLISH_US 2.90 None
RT_GROUP_ICON 0x000240e0 0x00000014 LANG_ENGLISH SUBLANG_ENGLISH_US 2.02 None
RT_GROUP_ICON 0x0002fc30 0x00000092 LANG_ENGLISH SUBLANG_ENGLISH_US 3.00 None
RT_GROUP_ICON 0x0003bfa8 0x00000092 LANG_ENGLISH SUBLANG_ENGLISH_US 3.04 None
RT_VERSION 0x00017860 0x000003e0 LANG_ENGLISH SUBLANG_ENGLISH_US 3.40 None

Imports

Name Address
exit 0x4152a0
_unlock 0x4152a4
__set_app_type 0x4152a8
__getmainargs 0x4152ac
_amsg_exit 0x4152b0
__p__commode 0x4152b4
_XcptFilter 0x4152b8
__dllonexit 0x4152bc
_onexit 0x4152c0
_callnewh 0x4152c4
__setusermatherr 0x4152c8
_lock 0x4152cc
memmove_s 0x4152d0
iswdigit 0x4152d4
_wcsnicmp 0x4152d8
??1type_info@@UAE@XZ 0x4152dc
_except_handler4_common 0x4152e0
wcscat_s 0x4152e4
_errno 0x4152e8
realloc 0x4152ec
_controlfp 0x4152f0
memcpy 0x4152f4
_initterm 0x4152f8
_CxxThrowException 0x4152fc
wcscpy_s 0x415300
_exit 0x415304
_cexit 0x415308
__p__fmode 0x41530c
tolower 0x415310
_ismbblead 0x415314
_acmdln 0x415318
isdigit 0x41531c
?terminate@@YAXXZ 0x415320
memcpy_s 0x415324
malloc 0x415328
wcsncpy_s 0x41532c
_wcsicmp 0x415330
free 0x415334
_vsnwprintf 0x415338
__CxxFrameHandler3 0x41533c
bsearch 0x415340
wcsncmp 0x415344
memset 0x415348
Name Address
SysFreeString 0x415204
VarUI4FromStr 0x415208
SysAllocStringLen 0x41520c
Name Address
CreateTimerQueueTimer 0x415094
TerminateProcess 0x415098
ExpandEnvironmentStringsW 0x41509c
IsWow64Process 0x4150a0
FreeLibrary 0x4150a4
LocalAlloc 0x4150a8
FindFirstFileW 0x4150ac
FindClose 0x4150b0
GetLastError 0x4150b4
GetTempPathW 0x4150b8
GetTempFileNameW 0x4150bc
CreateFileW 0x4150c0
WriteFile 0x4150c4
GetVersionExW 0x4150c8
GetNativeSystemInfo 0x4150cc
CloseHandle 0x4150d0
GetEnvironmentVariableW 0x4150d4
CreateProcessW 0x4150d8
HeapSize 0x4150dc
GetExitCodeProcess 0x4150e0
CreateEventW 0x4150e4
ResetEvent 0x4150e8
SetEvent 0x4150ec
HeapReAlloc 0x4150f0
HeapFree 0x4150f4
HeapAlloc 0x4150f8
OutputDebugStringW 0x4150fc
GetProcessHeap 0x415100
DeactivateActCtx 0x415104
ActivateActCtx 0x415108
CreateActCtxW 0x41510c
GetFileAttributesExW 0x415110
FileTimeToSystemTime 0x415114
ReleaseActCtx 0x415118
MultiByteToWideChar 0x41511c
FormatMessageW 0x415120
LocalFree 0x415124
SwitchToThread 0x415128
ExitProcess 0x41512c
HeapDestroy 0x415130
GetCurrentProcess 0x415134
GetStartupInfoW 0x415138
GetCommandLineW 0x41513c
GetModuleFileNameW 0x415140
LoadLibraryW 0x415144
Sleep 0x415148
UnhandledExceptionFilter 0x41514c
SetUnhandledExceptionFilter 0x415150
OutputDebugStringA 0x415154
QueryPerformanceCounter 0x415158
GetCurrentThreadId 0x41515c
GetSystemTimeAsFileTime 0x415160
GetTickCount 0x415164
OpenProcess 0x415168
MapViewOfFile 0x41516c
CreateFileMappingW 0x415170
UnmapViewOfFile 0x415174
GetLocaleInfoW 0x415178
GetCurrentProcessId 0x41517c
OpenEventW 0x415180
IsDebuggerPresent 0x415184
GetProcAddress 0x415188
LoadLibraryExW 0x41518c
GetModuleHandleW 0x415190
GetUserDefaultUILanguage 0x415194
GetSystemDefaultUILanguage 0x415198
lstrcmpiW 0x41519c
SetLastError 0x4151a0
SearchPathW 0x4151a4
WaitForSingleObject 0x4151a8
LoadResource 0x4151ac
HeapSetInformation 0x4151b0
RaiseException 0x4151b4
InitializeCriticalSection 0x4151b8
SizeofResource 0x4151bc
DeleteCriticalSection 0x4151c0
FindResourceExW 0x4151c4
Name Address
RegDeleteValueW 0x415000
RegSetValueExW 0x415004
RegEnumKeyExW 0x415008
RegQueryInfoKeyW 0x41500c
AddAce 0x415010
GetAce 0x415014
AddAccessAllowedAce 0x415018
InitializeAcl 0x41501c
GetLengthSid 0x415020
GetAclInformation 0x415024
SetTokenInformation 0x415028
GetSecurityDescriptorDacl 0x41502c
GetKernelObjectSecurity 0x415030
CopySid 0x415034
LsaClose 0x415038
LsaNtStatusToWinError 0x41503c
LsaLookupPrivilegeValue 0x415040
LsaOpenPolicy 0x415044
CreateWellKnownSid 0x415048
EqualSid 0x41504c
CreateProcessAsUserW 0x415050
CreateRestrictedToken 0x415054
GetTokenInformation 0x415058
OpenProcessToken 0x41505c
RegQueryValueExW 0x415060
RegisterTraceGuidsW 0x415064
GetTraceLoggerHandle 0x415068
GetTraceEnableLevel 0x41506c
TraceEvent 0x415070
RegCreateKeyExW 0x415074
RegEnumKeyW 0x415078
RegCloseKey 0x41507c
GetSidSubAuthorityCount 0x415080
GetSidSubAuthority 0x415084
RegOpenKeyExW 0x415088
RegEnumValueW 0x41508c
Name Address
ShellExecuteExW 0x415214
SHGetFolderPathW 0x415218
CommandLineToArgvW 0x41521c
ShellExecuteW 0x415220
SHGetKnownFolderPath 0x415224
Name Address
PostQuitMessage 0x415238
MessageBoxW 0x41523c
DispatchMessageW 0x415240
LoadStringW 0x415244
TranslateMessage 0x415248
WaitForInputIdle 0x41524c
PeekMessageW 0x415250
MessageBeep 0x415254
GetMessageW 0x415258
MsgWaitForMultipleObjects 0x41525c
CharNextW 0x415260
PostMessageW 0x415264
UnregisterClassA 0x415268
Name Address
PathFindExtensionW 0x41522c
AssocQueryStringW 0x415230
Name Address
VerQueryValueW 0x415270
GetFileVersionInfoW 0x415274
GetFileVersionInfoSizeW 0x415278
Name Address
RtlInitUnicodeString 0x415350
Name Address
PathCchAppend 0x41528c
Name Address
CoEEShutDownCOM 0x415294
LoadLibraryShim 0x415298
Name Address
InternetCrackUrlW 0x415280
InternetCreateUrlW 0x415284



Usage


Processing ( 10.35 seconds )

  • 9.558 ProcessMemory
  • 0.769 CAPE
  • 0.014 BehaviorAnalysis
  • 0.005 AnalysisInfo

Signatures ( 0.06 seconds )

  • 0.008 ransomware_files
  • 0.006 antiav_detectreg
  • 0.005 antianalysis_detectfile
  • 0.005 ransomware_extensions
  • 0.003 antiav_detectfile
  • 0.003 infostealer_ftp
  • 0.003 territorial_disputes_sigs
  • 0.003 ursnif_behavior
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.001 bot_drive
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 uac_bypass_cmstpcom
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior

Reporting ( 0.01 seconds )

  • 0.006 CAPASummary
  • 0.001 JsonDump

Signatures

The PE file contains a PDB path
pdbpath: PresentationHost.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
Possible date expiration check, exits too soon after checking local time
process: PresentationHost.exe, PID 6292
Creates RWX memory
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 6292 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Windows\System32\windows.storage.dll
C:\Users\Packager\AppData\Local\Temp\Wldp.dll
C:\Windows\System32\wldp.dll
C:\Users\Packager\AppData\Local\*
C:\Windows\System32\kernel.appcore.dll
\Device\CNG
C:\Windows\System32\mscoree.dll.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Windows Presentation Foundation\Hosting\Hosts
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Windows Presentation Foundation\Hosting\Hosts\v3.0
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Windows Presentation Foundation\Hosting\Hosts\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Windows Presentation Foundation\Hosting\Hosts\v4.0\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Windows Presentation Foundation\Hosting\Hosts\v4.0\CRT
HKEY_CURRENT_USER\Software\Classes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Windows Presentation Foundation\Hosting
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Windows Presentation Foundation\Hosting\NoHostTimeoutSeconds
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_CURRENT_USER
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck

No TCP connections recorded.

No UDP connections recorded.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.