Analysis
| Category | Package | Started | Completed | Duration | Options | Log(s) |
|---|---|---|---|---|---|---|
| FILE | exe | 2025-06-14 07:34:51 | 2025-06-14 08:05:35 | 1844 seconds | Show Options | Show Analysis Log |
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1
2024-11-25 13:37:14,928 [root] INFO: Date set to: 20250614T06:34:50, timeout set to: 1800 2025-06-14 07:34:50,571 [root] DEBUG: Starting analyzer from: C:\tmpjeo7jmad 2025-06-14 07:34:50,571 [root] DEBUG: Storing results at: C:\WodLRYuTH 2025-06-14 07:34:50,571 [root] DEBUG: Pipe server name: \\.\PIPE\hEUVZHP 2025-06-14 07:34:50,571 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32 2025-06-14 07:34:50,571 [root] INFO: analysis running as an admin 2025-06-14 07:34:50,571 [root] INFO: analysis package specified: "exe" 2025-06-14 07:34:50,571 [root] DEBUG: importing analysis package module: "modules.packages.exe"... 2025-06-14 07:34:51,211 [root] DEBUG: imported analysis package "exe" 2025-06-14 07:34:51,211 [root] DEBUG: initializing analysis package "exe"... 2025-06-14 07:34:51,211 [lib.common.common] INFO: wrapping 2025-06-14 07:34:51,211 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation 2025-06-14 07:34:51,227 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\sethc.exe 2025-06-14 07:34:51,227 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option 2025-06-14 07:34:51,227 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option 2025-06-14 07:34:51,227 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option 2025-06-14 07:34:51,227 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option 2025-06-14 07:34:51,555 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser" 2025-06-14 07:34:51,617 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig" 2025-06-14 07:34:51,649 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise" 2025-06-14 07:34:51,664 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human" 2025-06-14 07:34:51,680 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops' 2025-06-14 07:34:51,680 [lib.api.screenshot] ERROR: No module named 'PIL' 2025-06-14 07:34:51,680 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots" 2025-06-14 07:34:51,680 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump" 2025-06-14 07:34:51,680 [root] DEBUG: Initialized auxiliary module "Browser" 2025-06-14 07:34:51,680 [root] DEBUG: attempting to configure 'Browser' from data 2025-06-14 07:34:51,680 [root] DEBUG: module Browser does not support data configuration, ignoring 2025-06-14 07:34:51,680 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"... 2025-06-14 07:34:51,696 [root] DEBUG: Started auxiliary module modules.auxiliary.browser 2025-06-14 07:34:51,696 [root] DEBUG: Initialized auxiliary module "DigiSig" 2025-06-14 07:34:51,696 [root] DEBUG: attempting to configure 'DigiSig' from data 2025-06-14 07:34:51,696 [root] DEBUG: module DigiSig does not support data configuration, ignoring 2025-06-14 07:34:51,696 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"... 2025-06-14 07:34:51,696 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature 2025-06-14 07:34:51,867 [modules.auxiliary.digisig] DEBUG: File is not signed 2025-06-14 07:34:51,867 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json 2025-06-14 07:34:51,883 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig 2025-06-14 07:34:51,883 [root] DEBUG: Initialized auxiliary module "Disguise" 2025-06-14 07:34:51,883 [root] DEBUG: attempting to configure 'Disguise' from data 2025-06-14 07:34:51,883 [root] DEBUG: module Disguise does not support data configuration, ignoring 2025-06-14 07:34:51,883 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"... 2025-06-14 07:34:51,883 [modules.auxiliary.disguise] INFO: Disguising GUID to 3ce2e7d8-fbf7-4bb8-9102-ea325fa9ecd5 2025-06-14 07:34:51,883 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise 2025-06-14 07:34:51,883 [root] DEBUG: Initialized auxiliary module "Human" 2025-06-14 07:34:51,883 [root] DEBUG: attempting to configure 'Human' from data 2025-06-14 07:34:51,883 [root] DEBUG: module Human does not support data configuration, ignoring 2025-06-14 07:34:51,883 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"... 2025-06-14 07:34:51,883 [root] DEBUG: Started auxiliary module modules.auxiliary.human 2025-06-14 07:34:51,883 [root] DEBUG: Initialized auxiliary module "Screenshots" 2025-06-14 07:34:51,883 [root] DEBUG: attempting to configure 'Screenshots' from data 2025-06-14 07:34:51,883 [root] DEBUG: module Screenshots does not support data configuration, ignoring 2025-06-14 07:34:51,883 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"... 2025-06-14 07:34:51,883 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled 2025-06-14 07:34:51,883 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots 2025-06-14 07:34:51,883 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets" 2025-06-14 07:34:51,883 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data 2025-06-14 07:34:51,883 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring 2025-06-14 07:34:51,883 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"... 2025-06-14 07:34:51,883 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696 2025-06-14 07:34:51,914 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmpjeo7jmad\dll\696.ini 2025-06-14 07:34:51,914 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor 2025-06-14 07:34:51,914 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor 2025-06-14 07:34:51,914 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor 2025-06-14 07:34:51,914 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor 2025-06-14 07:34:51,914 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor 2025-06-14 07:34:51,914 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor 2025-06-14 07:34:51,914 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpjeo7jmad\dll\LvlXCnF.dll, loader C:\tmpjeo7jmad\bin\UsVZZmjI.exe 2025-06-14 07:34:51,977 [root] DEBUG: Loader: IAT patching disabled. 2025-06-14 07:34:51,977 [root] DEBUG: Loader: Injecting process 696 with C:\tmpjeo7jmad\dll\LvlXCnF.dll. 2025-06-14 07:34:52,008 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'. 2025-06-14 07:34:52,008 [root] INFO: Disabling sleep skipping. 2025-06-14 07:34:52,008 [root] DEBUG: 696: Full process memory dumps enabled. 2025-06-14 07:34:52,008 [root] DEBUG: 696: Import reconstruction of process dumps enabled. 2025-06-14 07:34:52,008 [root] DEBUG: 696: Active unpacking of payloads enabled 2025-06-14 07:34:52,008 [root] DEBUG: 696: CAPE debug - unrecognised key norefer. 2025-06-14 07:34:52,008 [root] DEBUG: 696: TLS secret dump mode enabled. 2025-06-14 07:34:52,023 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542 2025-06-14 07:34:52,039 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable 2025-06-14 07:34:52,039 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0 2025-06-14 07:34:52,039 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 6000, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000 2025-06-14 07:34:52,039 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe 2025-06-14 07:34:52,039 [root] DEBUG: 696: Hooked 5 out of 5 functions 2025-06-14 07:34:52,039 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread. 2025-06-14 07:34:52,039 [root] DEBUG: Successfully injected DLL C:\tmpjeo7jmad\dll\LvlXCnF.dll. 2025-06-14 07:34:52,055 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe> 2025-06-14 07:34:52,055 [root] DE <truncated>
Machine
| Name | Label | Manager | Started On | Shutdown On | Route |
|---|---|---|---|---|---|
| win10-2 | win10-2 | KVM | 2025-06-14 07:34:51 | 2025-06-14 08:05:16 | none |
File Details
| File Name |
sethc.exe
|
|---|---|
| File Type | PE32 executable (GUI) Intel 80386, for MS Windows |
| File Size | 279040 bytes |
| MD5 | 406dbf91aafcba4331aa0b487d578e33 |
| SHA1 | d0f39007c0e9ba21b62d7be40ee7efcc9b1c2189 |
| SHA256 | 708dceedc93b0da05583e0320fbd36b952e1dba1f5c896ccac2fbf1ba0d86c17 [VT] [MWDB] [Bazaar] |
| SHA3-384 | 892cbe3e8302422291f217350314f4b1a8733c88558efa47fd1c9fa2c7bd3f721f934a4a46c3b956977912b9346b653c |
| CRC32 | C25B3030 |
| TLSH | T13954D041B3904435E2BC1A30AC3B9B2454A97C31DF6249AFB31A7BAE2C717D0797971B |
| Ssdeep | 6144:+gGAJhJYQYH8AlGr66uFz2LJGRg4kLNnei36cw:i8LYhjFCdUc |
| PE | File Strings BinGraph Vba2Graph VirusTotal |
S\>\~
k;ow7
7oor?
caretwidth
GetStartupInfoW
ReleaseMutex
?;664!!!
DeleteProcThreadAttributeList
CreateSemaphoreExW
AeroLite.msstyles
<ccpushbutton accessible="true" layoutpos="left" margin="rect(10rp,0rp,0rp,0rp)" minsize="size(76rp,23rp)" font="gtf(CONTROLPANELSTYLE, 6, 0)"/>
sY#$/>?@V@WVjWWXXX~HjHHHHFC5"QU
===Lsss
1((%%
>">*>7>W>_>k>x>
RegSetValueExW
udt|~
<element width="500rp" layout="borderlayout()" background="window" padding="rect(16rp,16rp,16rp,16rp)">
ApplicationName
?#?)?/?d?
\dllgG
?OnPropertyChanged@Element@DirectUI@@UAEXPAUPropertyInfo@2@HPAVValue@2@1@Z
>__X2)%
</security>
.aZaZH
Software\Microsoft\Windows\CurrentVersion\Themes
`.data
#OMAU
?GetUiaFocusDelegate@Element@DirectUI@@UAEPAV12@XZ
GetProductInfo
8VWWXVVVX>X@6s
1)22(1(211999>>>:7:
l||gH
<if class="helptext">
MJGBBBG<Bg7J
$ $#
Microsoft Corporation
SRRROOJM
LoadLibraryExW
yIB1(
_XcptFilter
wwwwwx
_lock
Glv|vvwO
,99~HHF9F9F9F9FF$s
!!$#$$$%$////1/=?1?=@
$BBBBBAB7g<G<<<<<;<Z
58>-CFE3
jjk`jjk%xxy
<?xml version='1.0' encoding='utf-8' standalone='yes'?>
qjjnphh?
High Contrast Scheme
4q*T`````n
_initterm
l|lwH
type="win32"
InitThread
.idata$5
5,505P5l5p5
<element layout="borderlayout()" layoutpos="top" padding="rect(25rp,7rp,0,0)">
!!!#$!$!%$,%%////:/%
6mmg9
P__e^^^UXXaX?????L
{cc^^C
kc/fm{
@;Z_}~
u===0=*9
FDlFFLlee
tddlx
egfdv
Microsoft
wwwwww
NtQueryWnfStateData
5r1R1"
*VWVVVXVX@@@X,
&&& &!
togglekeys
Ge|xxx
-\u@<L
?HandleUiaEventListener@Element@DirectUI@@UAEXPAUEvent@2@@Z
.?AVCAtlException@ATL@@
/>
wwmhmgm
.data$r$brc
"GGrT
S'Oe0
?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z
jjk`jjk%
'XXXXXXXXXXXA4z
m'/4'46
484@4L4l4t4|4
vV|||w
5B6}6
gmmgmkkkgg`|
!!!!!!!!$!%!%#$%$$#$#$ k
_exit
wFFV|vV
>/>>>F>[>d>i>
s!Gmo
?OnInput@HWNDElement@DirectUI@@UAEXPAUInputEvent@2@@Z
SetDesktopColorTransform
publicKeyToken="6595b64144ccf1df"
colorfiltering
*VVU`U>
?OnPropertyChanging@Element@DirectUI@@UAE_NPAUPropertyInfo@2@HPAVValue@2@1@Z
iZ|o
QQSVWj
v`RRfS111111==1*QMy
%hs!%p:
?GetElementProviderImpl@Element@DirectUI@@UAEJPAVInvokeHelper@2@PAPAVElementProvider@2@@Z
*iuuuuuuuuZ
;*<6<V<[<l<
Software\Microsoft\Windows\CurrentVersion\Themes\HighContrast
doFz"U
<macro expand="disableshortcutkey" layoutpos="top"/>
{_V.q
9P22221&
_ggkg`__`__^^Xaz
B^cRRRROr
zb);j~
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
/r?0z}3
yY___eP
CoCreateInstance
xwtvVwx
$ '
tlvf_
! !!007==I63
>LUru
wwmwmY
PVWQRj+
GetFileAttributesW
CI|7A
=$|]M
#'&&&& &
:2;7;
tel|v
t9*uw
?Register@HWNDElement@DirectUI@@SGJXZ
xmlns:asmv3="urn:schemas-microsoft-com:asm.v3"
.CRT$XIA
TerminateOnDesktopSwitch
7?7M7^7
<stylesheets>
?OnHosted@Element@DirectUI@@MAEXPAV12@@Z
>62H&
Winlogon
f$$%,/?/66V|
((117:::>>LLLLcL
989I9c9
Explorer
type="win32"
|/|O|o
FileDescription
name="Microsoft.windows.sethc"
&611Vztt
keyboardpref
FTldFH
|3OJY
1VVVVV>V>>@>,
ms-settings:easeofaccess-keyboard
323V3`3o3
ntdll.dll
FFFFG
JJJBBBBBgG
10.0.17763.1
InitializeCriticalSection
Fd|gFVVFDdFDd
H]_Ky
(1::=>LLLLcaaa
tdelv||~
t|b>F)r"
I^RRROOCCk
lkl8lklxlkl
9,9H9^9d9
GGLdtg
OpenJobObjectW
56FI7
Z%;<<<74
&>VVVVVV>V>@>)
Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
message
?OnMouseFocusMoved@Element@DirectUI@@UAEXPAV12@0@Z
originatingContextName
Ymggggg`_`___UO
VC!PH
PVSh0
memmove_s
.rdata$zETW9
{5p)@m
\AGgAB<A<B7B
lf|vLg
g??[zy
;D;K;
,0004080@0X0p0
>;;;6;;4""
~z}o$
5o'z<
S{^N?
8OOBBBBBBAB8?
[eU_XPP
:(:O:X:b:k:u:~:
Startup
disableshortcutkey
TerminateProcess
?HandleUiaPropertyListener@Element@DirectUI@@UAEXPBUPropertyInfo@2@HPAVValue@2@1@Z
JgB:k>
eGVVVVSs
>K?U?\?w?
<if class="ShortcutKeyButton">
)FUKGJ5
windowtrackingzorder
+VXVVVXVV>@@>K
level="asInvoker"
%s %s %s
?DefaultAction@Element@DirectUI@@UAEJXZ
1>>8=====$
sst7vvw
sstZsst
6PPPmiii
7OsU@
a-?z-
GetUserObjectInformationW
Active
:8:x:
?;;;6;4"""
?Paint@Element@DirectUI@@UAEXPAUHDC__@@PBUtagRECT@@1PAU4@2@Z
?333?
.H]][]]Ex
>$>,>4><>D>L>X>x>
</element>
FsN]H
.text$x
CreateMutexW
_wtoi
5!63686v6
gtp#:
juuusssnS
.xdata$x
GetModuleHandleW
|v||l
z-TVV`V>
2(2@2X2l2x2}2
SecureDesktopAccommodation
a{/Wy
<<;<;=;6=;666=;6/;%6%/%%%%,
?_SelfLayoutUpdateDesiredSize@Element@DirectUI@@MAE?AUtagSIZE@@HHPAVSurface@2@@Z
caretbrowsing
.giats
kernelbase.dll
!! !!#!$$%$%%%///:::1/@
?SetLayoutPos@Element@DirectUI@@QAEJH@Z
audiodescription
{*/fuuurrrrrf
</if>
StartList::SaveSessionKey
(BBA%
1"161J1+3
OriginalFilename
KS@Il[
141@1`1l1
<Button foreground="gtc(CONTROLPANELSTYLE,10,4,3803)" font="gtf(CONTROLPANELSTYLE,10,4)"/>
%%,%$_
stickykeys
;J;a;r;v;
,=/=666$v
3-3t3
X73L_
Ud_ae^^^^XX?XL???C
F{4A>m
Y__^[
?OnGetDlgCode@HWNDElement@DirectUI@@UAEXPAUtagMSG@@PAJ@Z
-}~~~~~~c
0.0U0
VVjdjdj
:$:g:
<if enabled="false">
CloseHandle
@.reloc
filterkeys
FreeSid
#%%$7'7888IIA
eltvG
6 6&6*696u6
LoadResource
_purecall
;'<V<
version="1.0.0.0"
<if class="normaltext">
\ltdldx
~yXN>
GetSystemTimeAsFileTime
failureCount
__p__fmode
RegEnumValueW
""""""!""!"!"
8CBOBBBBAAAAA
060`0f0
?#?A?V?`?{?
MGEj<
v|vvX
<dependency>
??0HWNDElement@DirectUI@@QAE@XZ
_ltow_s
dltd|gGl|||v
wmmmmgm
SetUnhandledExceptionFilter
IROOOBOBBBAy
RegLoadMUIStringW
6P')))
.text
yc^RRR
La__U)
<element resid="modernsettingsdisableshortcutkey" id="atom(modernsettingsdisableshortcutkey)" layout="flowlayout(0)">
\Narrator.lnk
Ykkkgkg`g_`__O
.rdata$brc
SetWindowPos
<Button accessible="true" accrole="link" accdefaction="click" contentalign="middleleft | endellipsis" foreground="gtc(CONTROLPANELSTYLE,10,1,3803)" font="gtf(CONTROLPANELSTYLE,10,1)" overhang="false"/>
?AddBehavior@Element@DirectUI@@UAEJPAUIDuiBehavior@@@Z
@LB;
originatingContextId
/<<==6=6////%%%
:*:::C:R:X:^:e:s:
ltvvvt
'89HHF9FFFFFFFCFCF$d
animations
.idata$4
=TWTH
_XL@3
soundsentry
>+>;>k>w>
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility
<assemblyIdentity
4X5j5B6
\|||||lvx
6&77x
__dllonexit
ThemeUI.dll
RegEnumKeyExW
OpenMutexW
!&!0!
757G7^7h7{7
5"6@6L6X6a6
Shh)@
l|vV|h
overlappedcontent
<k=x=
<ccpushbutton id="atom(cancel)" class="ShortcutKeyButton" foreground="windowtext" content="resstr(1134)"/>
Pre-High Contrast Scheme
Software\Microsoft\Windows NT\CurrentVersion\AccessibilityTemp
<if mousefocused="true">
eM7d?
??_V@YAXPAX@Z
TraceMessage
,/6,6,6r
?B==x[UU
??1DUIFactory@DirectUI@@QAE@XZ
Gl|v|||w
$??B2
minimumhitradius
UCeuU
!#68>IINUUVVVaaa]]XXWF|
WinSqmAddToStream
JJJJJJJJBBB
+VV>V>V1>>@>6_
?SetVisible@Element@DirectUI@@QAEJ_N@Z
PlaySndSrv.DLL
\On-Screen Keyboard.lnk
?OnUnHosted@Element@DirectUI@@MAEXPAV12@@Z
:::m:
SetLastError
.rsrc$01
CallContext:[%hs]
*abbaccc6
DebugBreak
FAm;]jh"
?GetContentSize@Element@DirectUI@@UAE?AUtagSIZE@@HHPAVSurface@2@@Z
wcscspn
.idata
?OnNoChildWithShortcutFound@HWNDElement@DirectUI@@UAEXPAUKeyboardEvent@2@@Z
@sVj?l
K32EnumProcessModules
FDdVFF\vF
4.555G5N5
@xa7\
aggggge
rqr rqr
OLEACC.dll
E#a?L?
jjk`jjk
<element class="normaltext" layoutpos="top" content="resstr(1138)"/>
%vag4
CoInitialize
88AIIAN5
(('%''%$
GetTraceEnableLevel
wxwxx
UnInitProcessPriv
PSSSSSSSj
MOQKS41rm
l|||v
] QoG
GetThreadDesktop
PPPPj W
!!77I8>69)E-.EHa]]XX]XFs
LeaveCriticalSection
{41-_
7AB<B<A<<7j
?Click@Button@DirectUI@@SG?AVUID@@XZ
<element class="helptext" layoutpos="top" content="resstr(1124)"/>
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig
GetTraceLoggerHandle
x\}}}a}ci@
ud##%//=???@@VVVWWWjXXXHHHHHHFFFC
?GetClassInfoPtr@CCPushButton@DirectUI@@SGPAUIClassInfo@2@XZ
<Button cursor="hand" foreground="gtc(CONTROLPANELSTYLE,10,2,3803)" font="gtf(CONTROLPANELSTYLE,10,2)"/>
?!G),
<Button contentalign="middleleft | focusrect | endellipsis"/>
Qh`!@
tldeg
Microsoft Corporation. All rights reserved.
QVPQQ
^^_<oop
callContext
IOOOOCBBBAAA
_controlfp
.text$yd
,XX~~~HXXXXXH9M
),?"4B=
AIII7?
$$$,o
<!$@%pa
IsProcessInJob
wDeed||eggg
''1>>1@>8===
>CBBBBIAA8AA8
sG<BA<B<A<<j
222@2I2s2
Qv?e\
}^@ioO
9(9E9h9
080@0H0P0\0|0
windowtracking
@.rsrc
<element accessible="true" accrole="statictext" contentalign="wrapleft" padding="rect(0,0,0,14rp)" font="gtf(CONTROLPANELSTYLE, 6, 0)"/>
Y4%`$
/>
Qh` @
AccessibilitySoundAgentRunning
gwmmmmkgm|
LegalCopyright
;4$44$4!$!!!!!
?GetUIAElementProvider@Element@DirectUI@@UAEJABU_GUID@@PAPAX@Z
function
_8G6q7
7JJBjJBBBBG<B<gs
1$1/181A1J1$6:6G6S6_6k6w6
%systemroot%\Resources\Ease of Access Themes\hcblack.theme
``a`a`>
egF|v|v
&.4t
<style resid="s">
O9OcR
<dependentAssembly>
4"""""""!"
)20(11::>>>?LLLaa
|||lg
<element class="normaltext" layoutpos="top" content="resstr(1142)"/>
\7waE
glv||d
'>XXVXVXXX@X>,
Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\
NormalColor
bWTTTd
HeapDestroy
<element class="helptext" layoutpos="top" content="resstr(1118)"/>
.rdata$zzzdbg
#!$$%$//=?=???VVVWWWXXXX~HXHHHFFFFFCCCDC
#
processorArchitecture="*"
LoadStringW
Accessibility shortcut keys
naH8Fl
A&U`e
;8<|<W>A?_?x?
dJJJJBJGBBG7
.rdata
|+R5]b/
td|leldo
<element class="normaltext" layoutpos="top" content="resstr(1139)"/>
<ccpushbutton id="atom(ok)" class="ShortcutKeyButton" foreground="windowtext" content="resstr(1135)"/>
<if class="link">
FVFVVGx
3$3,343d3
</asmv3:application>
4;;;;""
& & &!
z:UKSKSg
x*/]uurrrprssf
@#>>{
?SetAccessible@Element@DirectUI@@QAEJ_N@Z
$$#
StartList::CreateATProcess
WaitForSingleObject
gA<<<<<<<<;;;<;66666666\
</stylesheets>
6+63696Q6V6\6a6f6k6p6v6~6
GetModuleFileNameA
SystemParametersInfoW
MessageBoxW
wwwwwp
>=>O>U>p>v>
FindResourceExW
!,,,%,6,,O
0b(o*
?GetKeyFocused@Element@DirectUI@@UAE_NXZ
##%$$////1/Q,)')=V@,',,8>>HHHHHF9FFFCFFFFFDC1z
GGGgg
`cN|G
'PFL"
.idata$3
MJJBBBBBBG<J
??2')'&
UORCC
t@j\V
/>4!!!!!!!!!#!!
'8~~H~HH~H~HHX~F
RtlDllShutdownInProgress
lklxlkl8
%s /start %s %s %s
gJO5>
ExpandEnvironmentStringsW
FGFedux
~H.bjvivivij
windowtrackingtimeout
V|~3l
AccessibleObjectFromWindow
__setusermatherr
<element class="helptext" layoutpos="top" content="resstr(1122)"/>
HeapFree
_except_handler4_common
currentContextId
vuuspVH
GetTickCount
,HHHHHHHF9~HHF9+
46?ABLIGE3
?DoubleBuffered@Element@DirectUI@@QAEX_N@Z
'e-wJI/Q
^T?M4
%<<7""""
{|+o<
%SystemRoot%\Resources\Ease of Access Themes\hc2.theme
.CRT$XIY
deFv|lv
<element class="helptext" layoutpos="top" content="resstr(1128)"/>
lkl=lkl
3#3H3M3
1"121B1R1b1r1
?_SelfLayoutDoLayout@Element@DirectUI@@MAEXHH@Z
78>AJu
2%2A2J2P2p2
MIwl!
1XXXXXXXX>XXX*
/>
|ddllgFV
!""""!"!!!!!$!
9h9z9
FFVGG
||||w
QQhT(@
vjf]ZC
OLd_CHG=YdLO
5:AMPD-_
<2<D<j<
MultiByteToWideChar
|~|~w
EventSetInformation
888#ZZ[kggh
w?eaGj3
>%?7?
:$:q:
v|v|v
GetShellWindow
8&8Z8}8
OutputDebugStringW
?QueryInterface@Element@DirectUI@@UAGJABU_GUID@@PAPAX@Z
UnregisterTraceGuids
,Narrator
2$3U3t3
6 7&7-727?7N7V7^7r7z7
ReturnHr
?Create@NativeHWNDHost@DirectUI@@SGJPBGPAUHWND__@@PAUHICON__@@HHHHHHIPAPAV12@@Z
SHELL32.dll
ZPr`%
DDDedd|tedvVvVlvGg
</dependency>
VQPWV
.rdata$sxdata
</duixml>
?UpdateTooltip@HWNDElement@DirectUI@@UAEXPAVElement@2@@Z
PRVQhp
%SystemRoot%\Resources\Ease of Access Themes\hcblack.theme
BUUP22&a
lkl8xwx
CreateProcessW
LastHighContrastTheme
?CreateStyleParser@HWNDElement@DirectUI@@UAEJPAPAVDUIXmlParser@2@@Z
f|||vvv|vV
(2211111:(2(
0%1E1Z1k1
SettingConfiguration
=V=c=y=
uiAccess="false"
ShellExecuteW
%SystemRoot%\system32\EaseOfAccessDialog.exe
?ShowWindow@NativeHWNDHost@DirectUI@@QAEXH@Z
%SystemRoot%\Resources\Ease of Access Themes\hc1.theme
.CRT$XCAA
'>V1>>1X1>>88K
wwmmmmg
ADVAPI32.dll
<E?Eg
;(:0:
?OnEvent@HWNDElement@DirectUI@@UAEXPAUEvent@2@@Z
?Remove@Element@DirectUI@@UAEJPAPAV12@I@Z
.00cfg
;CB(1
_wcsicmp
FreeLibrary
FailFast
GetKeyState
InitProcessPriv
@<<<<<;;=<6<=6;6666%6%6%%`
Jy6acc]a>
``agppq
,u'J]m
7J8u8
)MLAX
CompanyName
QR|!f
?Add@Element@DirectUI@@UAEJPAPAV12@I@Z
(_^[]
GetCurrentThreadId
|v||v
/hardwarebuttonlaunch
=.>p>w>}>
^L=~&
StrToID
l|gow
vLhT'@
GetProcessHeap
DtlvLv
Sleep
141K1m1r1
tdFLdgx
O1zL3
ProcessIdToSessionId
x(?83
wtv||||
%PP9P99%
<element resid="disableshortcutkey" id="atom(disableshortcutkey)" layout="flowlayout(0)">
gweggggFVVFG
,9>Laac|}}~~~
DialogRunningMutex
7__h]
ohhzd]]
"07:=ILLccd}}~~~
{^RRRCO72"
!##%$...)
UnInitThread
RegOpenKeyExW
ReleaseSemaphore
DUI70.dll
5$606;6a6g6u6
U___e^e_^^^X?X??L
gl|gx
v|||~
!!!$$$$%$%%$%/////?
LockResource
jjk%jjk`jjk
Global\Windows.Machine.OOBE
'89~FF9FFFFFFFFFF$d
hmmmmkmkk`|
:sf/D1L
?SetLayout@Element@DirectUI@@QAEJPAVLayout@2@@Z
>;</;;;;;6:<666666/6%%%%%%[
StartParams
JJGGJJ
<~MJ}~l
7'7P7
3#4/4?4s4
t$pVQ
DddvG
_c|}z
bAHSL
<:<@<F<Y<
lv|vf
<A<A<A<<<;g
CheckTokenMembership
QJOSiiSOJQ
8o8t8
wcsrchr
focusborderheight
AH`[y
/+((Sgaa
gbsm^
skk>rjjnskk
G:y;zO
%44""""""
<EAAze^^
2"222B2R2b2s2
vjuuussosoS
highcontrast
r'$SKQO_3^
(caller: %p)
?IsContentProtected@Element@DirectUI@@UAE_NXZ
W.CH)
a9>=>=
l|v||
<element class="helptext" layoutpos="top" content="resstr(1117)"/>
_callnewh
Y7<<<7<7;;"
OpenProcess
__set_app_type
l98>X~~~HHXHXHHXH)
(null)
"!!!!!
&221221212
</trustInfo>
@A<<<<<;<;;;;6666666%6%/p
0"020B0R0b0r0
??1HWNDElement@DirectUI@@UAE@XZ
LoadIconW
! &! !&
XPQSh
tdF\g
4=4T4j4
2Active
040904B0
<dpiAware>true</dpiAware>
u$WSQ
.rdata$zETW2
8==81//>#
SizeofResource
b(@Up
?IsRTLReading@Element@DirectUI@@UAE_NXZ
?MessageCallback@Element@DirectUI@@UAEIPAUtagGMSG@@@Z
name="Microsoft.Windows.Common-Controls"
@@AFTTU|]]^
?_OnUIStateChanged@HWNDElement@DirectUI@@MAEXGG@Z
,/6,6,6,,,
|v]Wj
wwwww
selectedFilter
>LS\?rpi
Ug___`__^e^^XX?XL
FTtleddD
DlddF
tl|gFv
sst]sst*
FVFFV
,8>9HHHFFFFFFCFCFFFC$d
=G>M>W>
!!!!!!!
?OnGroupChanged@HWNDElement@DirectUI@@UAEXH_N@Z
# & &! #
Zg`x+
SHLWAPI.dll
<requestedPrivileges>
?Destroy@Element@DirectUI@@QAEJ_N@Z
&K:t9'
giOd?
!!$!$!$#%$%$////.::1%
sst8{{|
InitOnceComplete
!!!$$$$%$%%///:/1===,
H~z{*
lklxlkl8xwx
%}V^^
"""""!!"!!!!!!!!
RegQueryValueExW
VarFileInfo
$0E<>
?EnsureVisible@Element@DirectUI@@UAE_NHHHH@Z
mousekeys
cccbRu
RROOC
%%%%'''7
WinSqmIsOptedIn
?GetHWND@HWNDElement@DirectUI@@UAEPAUHWND__@@XZ
z@*.Zijusrppppps]
tdtvg
8%8/858>8C8s8
60676O6
gghXvvw
!!$!!!$!$!%$%%%%///%
B<B<B<<g7<<;<;;<6;666:
_vsnwprintf
Configuration
<element class="normaltext" layoutpos="top" content="resstr(1140)"/>
8*80848x8
;B;S;^;c;
RegDeleteTreeW
t@:KJJ4
Aauna
AllocateAndInitializeSid
V\vGg
7+777C7O7
9(999W9y9
Local\SM0:%d:%d:%hs
RegGetValueW
,,/6,,_
Aero.msstyles
PlaySoundServerInitialize
UxTheme.dll
ARRROOOCBBk
FormatMessageW
2 282T2x2|2
?WndProc@HWNDElement@DirectUI@@UAEJPAUHWND__@@IIJ@Z
module
BBB<B<BgG7g<<<<<;;<a
windowarranging
#5>Ao
QLcC:1
<security>
|||vl|v
CoUninitialize
K32EnumProcesses
8XXXXX~HHXXHX,
~}}cZ
?GetContentStringAsDisplayed@Element@DirectUI@@UAEPBGPAPAVValue@2@@Z
10.0.17763.1 (WinBuild.160101.0800)
7;7<<;;;7"n
0 0$0(0,0004080<0@0D0H0L0P0T0X0\0`0d0h0l0p0t0x0|0
focusborderwidth
jjk%xxy
DeleteCriticalSection
!$$$#
CopySettingsToLockedDesktop
RaiseException
D*]uuuuuuuu]
WinlogonAccess
II6.m
$ ^ (,GGFD-
!EIII*
Scxzs
dlfVF
;';1;D;N;T;Z;`;d;j;n;~;
sst&wwx
sethc.pdb
161R1Z1`1
t|v|w
2 2$2d2h2p2x2
3;4F4T4
GetWindowThreadProcessId
BI"Pw
?RemoveBehavior@Element@DirectUI@@UAEJPAUIDuiBehavior@@@Z
HeapReAlloc
klppqojke
wegFFFV
WinSqmIncrementDWORD
:&)(2(:(999:>>>L??:
! !$!$$$%$////:/:?/?/|
"!!!!!!!!!!#"%!$$#
|||ew
g/p3g
2/3e3
101H1`1x1
?GetKeyFocusedElement@HWNDElement@DirectUI@@SGPAVElement@2@XZ
?GetWindowClassNameAndStyle@HWNDElement@DirectUI@@UAEXPAPBGPAI@Z
<if keyfocused="true">
FbAxCN
|el|dt|lg
sethc.exe
sst]sst
$ $ $
=;=I=P=[=u=
Control Panel\Accessibility\HighContrast
rjjK|uu
I}z}/
?ActivateTooltip@HWNDElement@DirectUI@@UAEXPAVElement@2@K@Z
8!8{8
>&?>?k?
""!!!!!!$!!$!
SetWindowTextW
QQQQP
JMJ0p
<duixml>
sst/xxy
\pAg`
?Initialize@HWNDElement@DirectUI@@QAEJPAUHWND__@@_NIPAVElement@2@PAK@Z
hmkgggg
?Host@NativeHWNDHost@DirectUI@@QAEXPAVElement@2@@Z
\~}}}ice
?Insert@Element@DirectUI@@UAEJPAPAV12@II@Z
__wgetmainargs
{lv7u
FFGFV
uNPPV
<button class="link" id="atom(eoa)" content="resstr(1137)"/>
SVWj@3
tdedV
8HH~H~HXHH~FXF8P
internal\sdk\inc\wil\resource.h
GetTraceEnableFlags
[%hs(%hs)]
Fxhz+Js3#
QueryPerformanceCounter
</style>
threadId
<<<<>;;;<;;;6<66=666%6%6Q
msvcrt.dll
StringFileInfo
wF|wv||w
ole32.dll
$$$$,////===?=6l|8@
lelelv
:l9G4
4V5u5
1:9>LLaaZd
<macro expand="ShortcutKeyButtons" layoutpos="top"/>
al9:F2
OJ~z}
OLaT!
7BBIBBII;I8I>6
<element resid="ShortcutKeyButtons" layout="borderlayout()" padding="rect(24rp,25rp,24rp,0)">
.text$mn
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\OOBE
Rh}_[
%SystemRoot%\Resources\Ease of Access Themes\hcwhite.theme
failureId
sst*sst]sst
k:mLJJ
NOEF -t
282E2u2
?_Xaeaaaaa?|c>a??LB
<macro expand="modernsettingsdisableshortcutkey" layoutpos="top"/>
zf+yF;
1 1$1(1,1014181<1@1D1H1L1P1T1X1\1`1d1h1l1p1t1x1|1
processorArchitecture="*"
EventWriteTransfer
MJBBBBgGGABgjTLLLLLL(
u!h4(@
<requestedExecutionLevel
BBAB<B<AAg<<<<<;<<6<Y
KWi8@
hCCB1A
l|lFDDDDFF
</asmv3:windowsSettings>
J{)Y~-
u>9C u'9E
&00,7=ILOacOLOc}cacijjusuppppqoo[
manifestVersion="1.0"
%SystemRoot%\Resources\Themes\Aero\
FTddtv
sst[{{|
<element resid="main" layout="flowlayout()" sheet="s" accessible="true" accrole="pane">
t$<WP
jjk%jjk`
gmmgmgggg``__
vbZQ/6/@@WWWjj~j~~HH995=-K
IsDebuggerPresent
.rdata$zETW1
?SetKeyFocus@Element@DirectUI@@UAEXXZ
?HandleUiaPropertyChangingListener@Element@DirectUI@@UAEXPBUPropertyInfo@2@@Z
lkljvuv
_wcmdln
RaiseFailFastException
ATExe
StartMessagePump
?OnImmersiveColorSchemeChanged@HWNDElement@DirectUI@@UAEXXZ
5yKWJ
%s\ATConfig
?IsMSAAEnabled@HWNDElement@DirectUI@@UAE_NXZ
wgmhkgge43##
.CRT$XCA
?OnDestroy@HWNDElement@DirectUI@@UAEXXZ
KERNEL32.dll
ccbcRRQ
|||v|w
JBBBBBBBBgG<Bge
5%5}5
?OnPropertyChanged@HWNDElement@DirectUI@@UAEXPBUPropertyInfo@2@HPAVValue@2@1@Z
??1type_info@@UAE@XZ
FQVhh
UnhandledExceptionFilter
1>%~
m*//4'&&&`
EventUnregister
?GetAccessibleImpl@HWNDElement@DirectUI@@UAEJPAPAUIAccessible@@@Z
currentContextName
GetVersionExW
\Magnifier.lnk
tedd|gFlwg
_wcslwr_s
VS_VERSION_INFO
BB<B<AA<g7<<<;<;;6<6=p
%SystemRoot%\System32\ATBroker.exe
wu/hp
dFLdx
.CRT$XCZ
5<ax^
?OnKeyFocusMoved@Element@DirectUI@@UAEXPAV12@0@Z
xi<us
lv|vg
())(&(
currentContextMessage
Exception
595h5x5
Zbn@>j
465n5~5
5:?ac}}}~~
.data
?Uaa???>?>)
1VWXXXVVX>XX8K
FGLth
PathFileExistsW
mI1yxl
memset
[%hs]
d,m5t
</<;;6=<=6=/>6/6i
FVdt|egLtdv
<B<AA<<<<<;<;;;6<666662
GetProcAddress
ProductName
|vl|x
StartList::SaveSettings
=$=,=4=@=d=l=t=|=
e4;4"""!!!
tGFFF
.idata$6
PhX*@
?LoadFromResource@DUIFactory@DirectUI@@QAEJPAUHINSTANCE__@@PBG1PAVElement@2@PAKPAPAV42@1@Z
>X~XXXXXXXXHA'
?HandleUiaDestroyListener@Element@DirectUI@@UAEXXZ
!BBBBBBgGG<gG<<<<<h
l|lv|x
'AAAUppp
FEdtg
|///i
?Destroy@NativeHWNDHost@DirectUI@@QAEXXZ
$ $$'
language="*"
#(9=HLOac}}}~~
?OnWmSettingChanged@HWNDElement@DirectUI@@UAEXIJ@Z
3UUP22%
FileVersion
HeapSize
SystemSetting
tlt|d|tg
((((1
<<<H<h<t<
||lgFx
SendNotifyMessageW
wilResult
<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
P w-\
xmlns="urn:schemas-microsoft-com:asm.v1"
PhP#@
memcpy_s
q~J#OT
z0++(%
</dependentAssembly>
::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{D555645E-D4F8-4c29-A827-D93C859C4F2A}\pageEasierToSee
?OnWmThemeChanged@HWNDElement@DirectUI@@UAEXIJ@Z
keyboardcues
CompareStringOrdinal
~7k)n
wmmmmmm
899i9s:
%!$%%%///=1==/>|
w"tu|Rk
;+<D<R<r<
Software\Microsoft\ColorFiltering
|||||l|lw
FFDdx
}xd39
Richh
<assemblyIdentity
\ldtlvg
>K>h>q>
?"?2?B?R?b?r?
<%<.<:<B<R<g<
!(A17''
3@BHD
CreateMutexExW
cHRM
<;=_=
SVWQQ3
EventRegister
]ef#M
\~~~~~~jA
505@5
DeleteFileW
QW#mH
Ggl|w
HeapAlloc
39fK]
*<LLL\
;7;77;;;4
UIFILE
f||vV|l|geegH
F$`M=
Y#!%%%///????VVVWWWjXXX~X~HHHHFFFFFC
(lyl[
JJJBJJBBBBgs
.data$brc
Description
`?fmX-
InternalName
Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\colorfiltering
22221212
NormalSize
malloc
QSVW3
vo|d#:
lkl8lklx
.rsrc$02
?,?Y?d?
_unlock
showsounds
EGGG+
9~(s2Wj
JJJBBBBBGBh
version="6.0.0.0"
en-US
[u|>i
jjk@uuv
OLEAUT32.dll
Microsoft.Windows.Settings.Accessibility
X0#SK
.text$di
?OnCompositionChanged@HWNDElement@DirectUI@@UAEXXZ
?DestroyWindow@NativeHWNDHost@DirectUI@@QAEXXZ
<element class="normaltext" layoutpos="top" content="resstr(1141)"/>
originatingContextMessage
Ph@"@
3.3Y3z3
UnregisterClassA
FVUSSK}
ColorFilter
rx&Ghq~
GetCurrentProcessId
RegCreateKeyExW
jjk"|||
.rdata$zETW0
<element layout="borderlayout()" layoutpos="right" background="window">
001::=>>LLOLaaZ
K32GetModuleBaseNameW
n4%%%;<6:
dldeddxDh
|gl|h
WaitForSingleObjectEx
/AccessibilitySoundAgent
M $`D`
JJJJBJBBG
Sa3\ul
42575=5A5F5L5a5q5{5
0'1m1x1
|dd|h
.CRT$XIZ
>IKNUUVb``]]HFe
4e4}4
::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{D555645E-D4F8-4c29-A827-D93C859C4F2A}\pageMouseKeysSettings
!This program cannot be run in DOS mode.
Msg:[%ws]
929S9d9i9
)68IIKNUUVV``H]XXWEe
090@0N0`0f0
vJJ>>0:
wwwwwwww
?RemoveTooltip@HWNDElement@DirectUI@@UAEXPAVElement@2@@Z
MOBC1
USER32.dll
! #!$$,///??????VVVWWWX>XHX~H~HHFFFFCFDDCCCC5'
$ $ O
IDATx^
!211212111299(1Oy
Lggg__Q
!!7!)kt
lkl=vuv
OpenSemaphoreW
wlj0X
lvV|hxx
[w90\
FallbackError
HeapSetInformation
/,,G~xx
EnterCriticalSection
.CRT$XCU
46AA@LIIGFC\
4C0;p
`7_b;OT
:C:`:}:
,magnifierpane
111::>>LLLLOaLa
0!1:1N1b1y1
>;=;;;6<6666=6/////6/6%%%%%_
<button class="link" id="atom(eoa)" content="resstr(1143)"/>
J~J|I
%hs(%d) tid(%x) %08X %ws
</requestedPrivileges>
caaLa
GetCurrentProcess
<assembly
wcsspn
H5MY6
fileName
?OnThemeChanged@HWNDElement@DirectUI@@UAEXPAUThemeChangedEvent@2@@Z
###%$.//1/???VVVjVWWWjXXX~HHHHHFFFCFCCCCDC
Ukg_gg___^^^XX?L
tlell|e
[xSOl
</assembly>
Eddtext
?EndDefer@Element@DirectUI@@QAEXK@Z
StartExe
/launchquickstart
Translation
m+HaH]HaF
<element accessible="true" accrole="statictext" font="gtf(CONTROLPANELSTYLE, 6, 0)"/>
Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATConfig\
?<<6=;66=;6=6///%$6%/%,6,%%+
)Dp#H!
&asOR
QQhP(@
dVDte
$$$8788IIAu
WilError_02
j[^jU
SendInput
RegisterTraceGuidsW
'_w{Z
%%'%''778867w
kN_M|
9(939:9L9R9X9^9d9j9q9x9
rjw/N
rqrFrqr
tdvElv
TTT\|||
xF*@^
vjjsusspoooWJ
<asmv3:application>
ProductVersion
tz}3#
</if>
__p__commode
PSSh,,@
__CxxFrameHandler3
<<<<<;;;<:<6666=666%66%%%.
_onexit
]ijjjujujuC
el|~V
lvVt|l||w
l|||lVx
8-8G8U8
.CRT$XIAA
?Create@FillLayout@DirectUI@@SGJPAPAVLayout@2@@Z
>
tdDex
(9P22121))
failureType
Windows
hresult
jGBBBAB<B<G<B<B<e
gggkgeg
=L9o<
VhD @
FilterType
.idata$2
9Nia4w3
.CRT$XCL
! ! 0077#
skkEskk
ufRMQ
H|-C$6
7778>IIIA
?CanSetFocus@HWNDElement@DirectUI@@UAE_NXZ
UpdateProcThreadAttribute
##$$,//?/??@g@gWWWXXXXHXH~HHHFFFCCCFC
.gfids
@<A<<<<<;;7
bA[/k
|ledld
8HHH~H~F~F~F9HF,
InitializeProcThreadAttributeList
n-GFyO`;F
faR/)
8#9T9[9b9i9p9
%hs(%d)\%hs!%p:
Operating System
yJ;sm
?Add@Element@DirectUI@@QAEJPAV12@@Z
wwwwtw
FVFtv|v|||v
GetModuleHandleExW
wwwwx
r00//*4&
Dtdel|ele
twwwmwh
FFDdG
SimpleProfile
_cexit
Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Session
8N8X8c8u8
7"8.898p8v8
$!$$$$/%/////?1=?=/>
""""""""!"!"
9*9q9
6!)G@
tdedlelgGEw
GetLastError
t>+H]]X]X]Gn
PSQhh)@
?GetAdjacent@Element@DirectUI@@UAEPAV12@PAV12@HPBUNavReference@2@K@Z
LogHr
_amsg_exit
C=99tSMM
5 D@W
OGBGB7BgA<g74$
?terminate@@YAXXZ
=,=H=|=
?OnPropertyChanging@Element@DirectUI@@UAE_NPBUPropertyInfo@2@HPAVValue@2@1@Z
}rQ78
GLvVt
Profile
?GetImmersiveFocusRectOffsets@Element@DirectUI@@UAEXPAUtagRECT@@@Z
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
messageduration
sst]vvw
>0?T?\?d?l?t?|?
?Destroy@Layout@DirectUI@@QAEXXZ
PJJJBBBBBBGj
242<2D2L2T2\2d2l2t2
<description>Utilman</description>
VWI!_=
InitOnceBeginInitialize
tv\v|vv
thph}
^gzbw
lklxlkl
?GetClassInfoW@HWNDElement@DirectUI@@UAEPAUIClassInfo@2@XZ
RegCloseKey
sst*wwx
r0<00**&{
\1? -
lineNumber
}k.Gs#CI
4K5l5
PE Information
| Image Base | Entry Point | Reported Checksum | Actual Checksum | Minimum OS Version | PDB Path | Compile Time | Import Hash | Icon | Icon Exact Hash | Icon Similarity Hash | Icon DHash |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 0x00400000 | 0x0000c8f0 | 0x00053bf9 | 0x00053bf9 | 10.0 | sethc.pdb | 2010-11-18 08:24:09 | ff6cd3b74ec85b090ada7bc370b10526 |  |
3244f7238a7619c88c954145a09ab023 | ae8b2bdfb549e9c4f65a0172caa6f19f | f0b2b1c4ecb9d070 |
Version Infos
| CompanyName | Microsoft Corporation |
|---|---|
| FileDescription | Accessibility shortcut keys |
| FileVersion | 10.0.17763.1 (WinBuild.160101.0800) |
| InternalName | sethc.exe |
| LegalCopyright | รยฉ Microsoft Corporation. All rights reserved. |
| OriginalFilename | sethc.exe |
| ProductName | Microsoftรยฎ Windowsรยฎ Operating System |
| ProductVersion | 10.0.17763.1 |
| Translation | 0x0409 0x04b0 |
Sections
| Name | RAW Address | Virtual Address | Virtual Size | Size of Raw Data | Characteristics | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x00000400 | 0x00001000 | 0x0000d594 | 0x0000d600 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.28 |
| .data | 0x0000da00 | 0x0000f000 | 0x00000d64 | 0x00000a00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 2.46 |
| .idata | 0x0000e400 | 0x00010000 | 0x00002790 | 0x00002800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.77 |
| .rsrc | 0x00010c00 | 0x00013000 | 0x00032768 | 0x00032800 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 7.02 |
| .reloc | 0x00043400 | 0x00046000 | 0x00000cf4 | 0x00000e00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 6.49 |
| Name | Offset | Size | Language | Sub-language | Entropy | File type |
|---|---|---|---|---|---|---|
| MUI | 0x00045688 | 0x000000e0 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.73 | None |
| UIFILE | 0x000139a0 | 0x000009ae | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.19 | None |
| UIFILE | 0x00014350 | 0x000009ae | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.19 | None |
| UIFILE | 0x00014d00 | 0x000009a0 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.19 | None |
| UIFILE | 0x000156a0 | 0x000009a0 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.19 | None |
| UIFILE | 0x00016040 | 0x000009ae | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.19 | None |
| RT_ICON | 0x000169f0 | 0x000016e8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.02 | None |
| RT_ICON | 0x000180d8 | 0x00000a68 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.15 | None |
| RT_ICON | 0x00018b40 | 0x00000668 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.02 | None |
| RT_ICON | 0x000191a8 | 0x000002e8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.42 | None |
| RT_ICON | 0x00019490 | 0x000001e8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.16 | None |
| RT_ICON | 0x00019678 | 0x00000128 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.56 | None |
| RT_ICON | 0x000197a0 | 0x00002ca8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.70 | None |
| RT_ICON | 0x0001c448 | 0x00001628 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 6.06 | None |
| RT_ICON | 0x0001da70 | 0x00000ea8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.90 | None |
| RT_ICON | 0x0001e918 | 0x000008a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 6.50 | None |
| RT_ICON | 0x0001f1c0 | 0x000006c8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 6.39 | None |
| RT_ICON | 0x0001f888 | 0x00000568 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.08 | None |
| RT_ICON | 0x0001fdf0 | 0x000137c0 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 7.90 | None |
| RT_ICON | 0x000335b0 | 0x000094a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.72 | None |
| RT_ICON | 0x0003ca58 | 0x00004228 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.90 | None |
| RT_ICON | 0x00040c80 | 0x000025a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.77 | None |
| RT_ICON | 0x00043228 | 0x000010a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 6.01 | None |
| RT_ICON | 0x000442d0 | 0x00000988 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.95 | None |
| RT_ICON | 0x00044c58 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.31 | None |
| RT_GROUP_ICON | 0x000450c0 | 0x00000110 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.30 | None |
| RT_VERSION | 0x00013600 | 0x0000039c | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.45 | None |
| RT_MANIFEST | 0x000451d0 | 0x000004b8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.85 | None |
Imports
| Name | Address |
|---|---|
| EventUnregister | 0x410000 |
| UnregisterTraceGuids | 0x410004 |
| RegisterTraceGuidsW | 0x410008 |
| GetTraceEnableLevel | 0x41000c |
| GetTraceEnableFlags | 0x410010 |
| GetTraceLoggerHandle | 0x410014 |
| EventRegister | 0x410018 |
| CheckTokenMembership | 0x41001c |
| FreeSid | 0x410020 |
| AllocateAndInitializeSid | 0x410024 |
| TraceMessage | 0x410028 |
| EventWriteTransfer | 0x41002c |
| RegCloseKey | 0x410030 |
| RegEnumValueW | 0x410034 |
| EventSetInformation | 0x410038 |
| RegDeleteTreeW | 0x41003c |
| RegGetValueW | 0x410040 |
| RegLoadMUIStringW | 0x410044 |
| RegCreateKeyExW | 0x410048 |
| RegQueryValueExW | 0x41004c |
| RegSetValueExW | 0x410050 |
| RegEnumKeyExW | 0x410054 |
| RegOpenKeyExW | 0x410058 |
| Name | Address |
|---|---|
| LoadIconW | 0x41030c |
| SetWindowPos | 0x410310 |
| LoadStringW | 0x410314 |
| SetWindowTextW | 0x410318 |
| MessageBoxW | 0x41031c |
| SystemParametersInfoW | 0x410320 |
| GetUserObjectInformationW | 0x410324 |
| GetThreadDesktop | 0x410328 |
| SetDesktopColorTransform | 0x41032c |
| SendNotifyMessageW | 0x410330 |
| GetWindowThreadProcessId | 0x410334 |
| GetShellWindow | 0x410338 |
| GetKeyState | 0x41033c |
| SendInput | 0x410340 |
| UnregisterClassA | 0x410344 |
| Name | Address |
|---|---|
| _amsg_exit | 0x410354 |
| __wgetmainargs | 0x410358 |
| __set_app_type | 0x41035c |
| exit | 0x410360 |
| _exit | 0x410364 |
| _cexit | 0x410368 |
| __p__fmode | 0x41036c |
| __setusermatherr | 0x410370 |
| _initterm | 0x410374 |
| _XcptFilter | 0x410378 |
| _lock | 0x41037c |
| _unlock | 0x410380 |
| __dllonexit | 0x410384 |
| _onexit | 0x410388 |
| _except_handler4_common | 0x41038c |
| ?terminate@@YAXXZ | 0x410390 |
| _controlfp | 0x410394 |
| ??1type_info@@UAE@XZ | 0x410398 |
| _ltow_s | 0x41039c |
| _wcslwr_s | 0x4103a0 |
| wcscspn | 0x4103a4 |
| wcsspn | 0x4103a8 |
| ??_V@YAXPAX@Z | 0x4103ac |
| memmove_s | 0x4103b0 |
| _callnewh | 0x4103b4 |
| malloc | 0x4103b8 |
| free | 0x4103bc |
| _wcsicmp | 0x4103c0 |
| _vsnwprintf | 0x4103c4 |
| _purecall | 0x4103c8 |
| memcpy_s | 0x4103cc |
| wcsrchr | 0x4103d0 |
| _wtoi | 0x4103d4 |
| __CxxFrameHandler3 | 0x4103d8 |
| __p__commode | 0x4103dc |
| _wcmdln | 0x4103e0 |
| memset | 0x4103e4 |
| Name | Address |
|---|---|
| WinSqmIsOptedIn | 0x4103ec |
| WinSqmAddToStream | 0x4103f0 |
| NtQueryWnfStateData | 0x4103f4 |
| WinSqmIncrementDWORD | 0x4103f8 |
| Name | Address |
|---|---|
| PlaySoundServerInitialize | 0x4102f0 |
| Name | Address |
|---|---|
| AccessibleObjectFromWindow | 0x4102e0 |
| Name | Address |
|---|---|
| CoUninitialize | 0x410400 |
| CoCreateInstance | 0x410404 |
| CoInitialize | 0x410408 |
| Name | Address |
|---|---|
| SysFreeString | 0x4102e8 |
| Name | Address |
|---|---|
| ShellExecuteW | 0x4102f8 |
| Name | Address |
|---|---|
| PathFileExistsW | 0x410300 |
Usage
Processing ( 10.02 seconds )
- 9.253 ProcessMemory
- 0.747 CAPE
- 0.019 AnalysisInfo
- 0.003 BehaviorAnalysis
- 0.001 Debug
Signatures ( 0.06 seconds )
- 0.008 ransomware_files
- 0.005 antianalysis_detectfile
- 0.005 antiav_detectreg
- 0.005 ransomware_extensions
- 0.003 disables_appv_virtualization
- 0.003 ursnif_behavior
- 0.002 antiav_detectfile
- 0.002 infostealer_ftp
- 0.002 infostealer_im
- 0.002 poullight_files
- 0.002 territorial_disputes_sigs
- 0.001 antianalysis_detectreg
- 0.001 antivm_vbox_files
- 0.001 antivm_vbox_keys
- 0.001 geodo_banking_trojan
- 0.001 browser_security
- 0.001 darkcomet_regkeys
- 0.001 disables_backups
- 0.001 disables_browser_warn
- 0.001 disables_power_options
- 0.001 azorult_mutexes
- 0.001 infostealer_bitcoin
- 0.001 cryptbot_files
- 0.001 echelon_files
- 0.001 infostealer_mail
- 0.001 masquerade_process_name
- 0.001 revil_mutexes
- 0.001 modirat_behavior
- 0.001 lokibot_mutexes
Reporting ( 0.00 seconds )
- 0.003 CAPASummary
- 0.001 JsonDump
Signatures
The PE file contains a PDB path
pdbpath: sethc.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
The binary likely contains encrypted or compressed data
section: {'name': '.rsrc', 'raw_address': '0x00010c00', 'virtual_address': '0x00013000', 'virtual_size': '0x00032768', 'size_of_data': '0x00032800', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x40000040', 'entropy': '7.02'}
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 4724 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections
Screenshots
No screenshots available.Hosts
No hosts contacted.
DNS
No domains contacted.
Summary
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.
No hosts contacted.
No TCP connections recorded.
No UDP connections recorded.
No domains contacted.
HTTP Requests
No HTTP(s) requests performed.
SMTP traffic
No SMTP traffic performed.
IRC traffic
No IRC requests performed.
No ICMP traffic performed.
CIF Results
No CIF Results
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Suricata HTTP
No Suricata HTTP
Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.
Sorry! No process dumps.