Analysis

Category: FILE
Package: exe
Started: 2025-06-14 11:10:09
Completed: 2025-06-14 11:41:03
Duration: 1854 seconds
Options:
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1

Analysis Log:
2024-11-25 13:37:15,069 [root] INFO: Date set to: 20250614T06:47:28, timeout set to: 1800
2025-06-14 07:47:28,617 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8
2025-06-14 07:47:28,633 [root] DEBUG: Storing results at: C:\dyXKcUFom
2025-06-14 07:47:28,633 [root] DEBUG: Pipe server name: \\.\PIPE\qnnuDKbwZc
2025-06-14 07:47:28,633 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-14 07:47:28,633 [root] INFO: analysis running as an admin
2025-06-14 07:47:28,633 [root] INFO: analysis package specified: "exe"
2025-06-14 07:47:28,633 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-14 07:47:29,149 [root] DEBUG: imported analysis package "exe"
2025-06-14 07:47:29,149 [root] DEBUG: initializing analysis package "exe"...
2025-06-14 07:47:29,149 [lib.common.common] INFO: wrapping
2025-06-14 07:47:29,149 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-14 07:47:29,149 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\SIHClient.exe
2025-06-14 07:47:29,149 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-14 07:47:29,149 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-14 07:47:29,149 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-14 07:47:29,149 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-14 07:47:29,414 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-14 07:47:29,430 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-14 07:47:29,461 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-14 07:47:29,477 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-14 07:47:29,493 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-14 07:47:29,493 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-14 07:47:29,493 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-14 07:47:29,493 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-14 07:47:29,493 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-14 07:47:29,493 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-14 07:47:29,508 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-14 07:47:29,508 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-14 07:47:29,508 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-14 07:47:29,508 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-14 07:47:29,508 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-14 07:47:29,508 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-14 07:47:29,508 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-14 07:47:29,508 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-14 07:47:40,758 [modules.auxiliary.digisig] DEBUG: File has a valid signature
2025-06-14 07:47:40,758 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-14 07:47:40,758 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-14 07:47:40,758 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-14 07:47:40,758 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-14 07:47:40,758 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-14 07:47:40,758 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-14 07:47:40,758 [modules.auxiliary.disguise] INFO: Disguising GUID to a14f3656-ba97-4174-bfe0-7fb544c182f5
2025-06-14 07:47:40,758 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-14 07:47:40,758 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-14 07:47:40,758 [root] DEBUG: attempting to configure 'Human' from data
2025-06-14 07:47:40,758 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-14 07:47:40,758 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-14 07:47:40,774 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-14 07:47:40,774 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-14 07:47:40,774 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-14 07:47:40,774 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-14 07:47:40,774 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-14 07:47:40,774 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-14 07:47:40,774 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-14 07:47:40,774 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-14 07:47:40,774 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-14 07:47:40,774 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-14 07:47:40,774 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-14 07:47:40,774 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-14 07:47:40,805 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini
2025-06-14 07:47:40,805 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-14 07:47:40,805 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-14 07:47:40,805 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-14 07:47:40,805 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-14 07:47:40,805 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-14 07:47:40,805 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-14 07:47:40,805 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\pBKYMxnw.dll, loader C:\tmp_gell1p8\bin\GqrJjEhH.exe
2025-06-14 07:47:40,899 [root] DEBUG: Loader: IAT patching disabled.
2025-06-14 07:47:40,899 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\pBKYMxnw.dll.
2025-06-14 07:47:40,946 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-14 07:47:40,946 [root] INFO: Disabling sleep skipping.
2025-06-14 07:47:40,946 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-14 07:47:40,946 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-14 07:47:40,946 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-14 07:47:40,946 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-14 07:47:40,946 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-14 07:47:40,946 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-14 07:47:40,977 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-14 07:47:40,977 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-14 07:47:40,977 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 4100, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000
2025-06-14 07:47:40,977 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-14 07:47:40,993 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-14 07:47:40,993 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-14 07:47:40,993 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\pBKYMxnw.dll.
2025-06-14 07:47:41,008 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-14 07:4 <truncated>

Machine

Name: win10-2
Label: win10-2
Manager: KVM
Started On: 2025-06-14 11:10:09
Shutdown On: 2025-06-14 11:40:44
Route: none

File Details

File Name: SIHClient.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
File Size: 287696 bytes
MD5: 1601b33695b22ee8fe116fc8ddd4cbd5
SHA1: 747a48eb0d2244ddb4ee8c77a5dbef30d3fff318
SHA256: 3118826c737001df153068efc171276509739c660d756c6129d8ab3d31d91b9c
SHA3-384: f50bffd79d7be6f333bf3c257a774e7851d8303a5453be7ff43c450b441ed2c4cef2f74da95cf93bda4e754a5cf97e7f
CRC32: D7A64386
TLSH: T1A4544C2667E409B4E6BBD638DAB68106FB72B4452730D6CF06A1841E1F33AE4ED3C751
Ssdeep: 6144:P7Ux/VyGIvDqgwOVcZ93McOZWsxpZdCfFMZVTXS:P7UDXgTVwFMc2TjC9sdXS
.CRT$XIAC
L$0H;
GetTempFileNameW
ProductVersion
WinHttp: Content-Type header is %ls. Continuing.
CCommonAttributeProvider::AppendServicePack
DataByteLen
.?AV<lambda_25f19ca75bbdea5f7f5d3c5ce3bcfe67>@@
t$PE3
.didat$4
__CxxFrameHandler3
%hs: %ws (Access: %lu, Share: %lu)
IsValidSid
.CRT$XIAA
fD9<Au
L$ UWAUAVAWH
HTTPS
A_A^A\_^[]
Windows
.?AV<lambda_24199be866fe334a56a2e25a87b0e587>@@
amd64
Test override Fixed URL ==>%ws<== -
Failed to validate file %ws
Cabinet.dll
DeleteFile %ws
Old but valid Revision Detected
D$0E3
api-ms-win-core-apiquery-l1-1-0.dll
.idata$2
TOKEN: Using NULL token for %ws
api-ms-win-core-debug-l1-1-0.dll
x AVH
TrustedPublisher
.?AVhr_exception@sih@@
1/0-0
DatastoreLookup got error. Continuing...
d$PD8a
Computer Make Value percent-encoding
WINHTTP.dll
EKU not found for leaf cert
L$0I;
.xdata
.gfids
CryptDestroyHash
Operating System
Disabled by policy.
WinHttp: Connect
URL ==>%ws<== - CSLSRequest::GetUrl
fD9;uG3
vector<T> too long
N0L0J
@.didat
IIDFromString
GetModuleHandleExW
CoInit
DWordMult
GetLocalTime
MaximumBuffers
bad alloc
Executing Action %ws...
t$ WATAUAVAWH
_o__wtoi64
2.16.840.1.113730.4.1
GetLastError
@USVWATAUAVAWH
DosDateTimeToFileTime
|$ Hk
@A^A]A\
AuthD
A_A]A\_]
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate
AUAVAWH
_w4,%
ExtractEnvIDRevisionID
@+ljM
Expires
|$ UAVAWH
9t$@t
0123456789ABCDEF
%hs: CryptHashData of %ws
Unknown
api-ms-win-security-sddl-l1-1-0.dll
|$htYf;
RSA/1024;ECDSA/256
Flags
RevisionBuffer
CCommonAttributeProvider::AppendServiceID
api-ms-win-core-timezone-l1-1-0.dll
ext-ms-win-session-winsta-l1-1-3
A_A^A]A\]
A_A^A]_]
_o___p___argc
CopySid
%04u-%02u-%02u%s%02u:%02u:%02u%s
1.3.6.1.4.1.311.76.6.1
`.rdata
Program name invalid, exceeded max length: %ws
RegQueryInfoKeyW
GetFileAttributesExW
RegCloseKey
SLSExpireContent
RpcStringFreeA
|$ UATAUAVAWH
ReadPolicy: failed
Found hash matching #%d of %d passed-in certs!
fD;t$X
EventInstanceID

PE Information

Image Base 0x140000000
Entry Point 0x0002c370
Reported Checksum 0x00056134
Actual Checksum 0x00056134
Minimum OS Version 10.0
PDB Path SIHClient.pdb
Compile Time 2014-08-18 19:11:51
Import Hash 3bbd1eea2778ee3dcd883a4d5533aec3

Version Infos

CompanyName Microsoft Corporation
FileDescription SIH Client
FileVersion 10.0.17763.1 (WinBuild.160101.0800)
InternalName SIH Client
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename sihclient.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.17763.1
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x0002dfb8 0x0002e000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.36
.rdata 0x0002e400 0x0002f000 0x00012042 0x00012200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.54
.data 0x00040600 0x00042000 0x00001200 0x00000c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 3.80
.pdata 0x00041200 0x00044000 0x000018c0 0x00001a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.31
.didat 0x00042c00 0x00046000 0x00000048 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.51
.rsrc 0x00042e00 0x00047000 0x00000500 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 2.86
.reloc 0x00043400 0x00048000 0x0000022c 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 3.49

Overlay

Offset 0x00043800
Size 0x00002bd0

Name Offset Size Language Sub-language Entropy File type
MUI 0x00047438 0x000000c8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.69 None
RT_VERSION 0x000470b0 0x00000388 LANG_ENGLISH SUBLANG_ENGLISH_US 3.43 None

Imports

Name Address
_initterm_e 0x14002ff98
_register_thread_local_exe_atexit_callback 0x14002ffa0
_initterm 0x14002ffa8
_c_exit 0x14002ffb0
Name Address
memset 0x14002ffc0
Name Address
_o__purecall 0x14002fdf8
_o__register_onexit_function 0x14002fe00
_o__seh_filter_exe 0x14002fe08
_o__set_app_type 0x14002fe10
_o__set_errno 0x14002fe18
_o__set_fmode 0x14002fe20
_o__set_new_mode 0x14002fe28
memmove 0x14002fe30
_o__wtoi64 0x14002fe38
_o__wtol 0x14002fe40
_o_exit 0x14002fe48
_o_free 0x14002fe50
_o_iswalnum 0x14002fe58
_o_malloc 0x14002fe60
_o_memcpy_s 0x14002fe68
_o_qsort 0x14002fe70
_o_rand 0x14002fe78
_o_srand 0x14002fe80
_o_strncpy_s 0x14002fe88
_o_strtol 0x14002fe90
_o_terminate 0x14002fe98
_o_towlower 0x14002fea0
_o_wcstoul 0x14002fea8
__C_specific_handler 0x14002feb0
_CxxThrowException 0x14002feb8
_o__invalid_parameter_noinfo_noreturn 0x14002fec0
_o__invalid_parameter_noinfo 0x14002fec8
_o__get_initial_wide_environment 0x14002fed0
wcsrchr 0x14002fed8
_o__initialize_wide_environment 0x14002fee0
_o__initialize_onexit_table 0x14002fee8
_o__exit 0x14002fef0
_o__errno 0x14002fef8
_o__crt_atexit 0x14002ff00
_o__configure_wide_argv 0x14002ff08
_o__configthreadlocale 0x14002ff10
_o__cexit 0x14002ff18
_o__callnewh 0x14002ff20
_o___stdio_common_vswprintf 0x14002ff28
_o___stdio_common_vsprintf_s 0x14002ff30
_o___std_exception_destroy 0x14002ff38
_o___std_exception_copy 0x14002ff40
_o___p__commode 0x14002ff48
_o___p___wargv 0x14002ff50
_o___p___argc 0x14002ff58
strchr 0x14002ff60
strrchr 0x14002ff68
__std_terminate 0x14002ff70
__CxxFrameHandler3 0x14002ff78
memcmp 0x14002ff80
memcpy 0x14002ff88
Name Address
UuidToStringA 0x14002f898
RpcStringFreeA 0x14002f8a0
UuidCreate 0x14002f8a8
Name Address
StringFromGUID2 0x14002f948
CoTaskMemAlloc 0x14002f950
CoTaskMemFree 0x14002f958
IIDFromString 0x14002f960
CoCreateInstance 0x14002f968
CoUninitialize 0x14002f970
CoCreateGuid 0x14002f978
CoInitializeEx 0x14002f980
Name Address
CompareStringW 0x14002fd08
MultiByteToWideChar 0x14002fd10
WideCharToMultiByte 0x14002fd18
Name Address
GetProcessInformation 0x14002fc30
Name Address
GetCurrentThreadId 0x14002fbf8
GetCurrentProcessId 0x14002fc00
GetCurrentProcess 0x14002fc08
TerminateProcess 0x14002fc10
Name Address
EventSetInformation 0x140030000
EventRegister 0x140030008
EventWriteTransfer 0x140030010
EventUnregister 0x140030018
Name Address
RegGetValueW 0x14002fc50
RegEnumKeyExW 0x14002fc58
RegQueryInfoKeyW 0x14002fc60
RegEnumValueW 0x14002fc68
RegOpenKeyExW 0x14002fc70
RegCloseKey 0x14002fc78
RegDeleteValueW 0x14002fc80
RegSetValueExW 0x14002fc88
RegCreateKeyExW 0x14002fc90
RegQueryValueExW 0x14002fc98
Name Address
IsDebuggerPresent 0x14002f990
OutputDebugStringW 0x14002f998
Name Address
SetLastError 0x14002f9c8
GetLastError 0x14002f9d0
UnhandledExceptionFilter 0x14002f9d8
SetUnhandledExceptionFilter 0x14002f9e0
Name Address
RtlLookupFunctionEntry 0x14002fca8
RtlCaptureContext 0x14002fcb0
RtlVirtualUnwind 0x14002fcb8
Name Address
IsProcessorFeaturePresent 0x14002fc20
Name Address
QueryPerformanceCounter 0x14002fc40
Name Address
GetSystemTime 0x14002fd68
GetSystemTimeAsFileTime 0x14002fd70
GetLocalTime 0x14002fd78
GetTickCount64 0x14002fd80
GetSystemDirectoryW 0x14002fd88
GetSystemWindowsDirectoryW 0x14002fd90
GetVersionExW 0x14002fd98
Name Address
InitializeSListHead 0x14002fb30
Name Address
GetModuleHandleExW 0x14002fb50
GetModuleHandleW 0x14002fb58
FreeLibrary 0x14002fb60
GetProcAddress 0x14002fb68
LoadResource 0x14002fb70
Name Address
GetProcessHeap 0x14002faf0
HeapAlloc 0x14002faf8
HeapFree 0x14002fb00
HeapReAlloc 0x14002fb08
Name Address
MapViewOfFile 0x14002fbc0
CreateFileMappingW 0x14002fbc8
UnmapViewOfFile 0x14002fbd0
MapViewOfFileEx 0x14002fbd8
Name Address
ExpandEnvironmentStringsW 0x14002fbe8
Name Address
GetProductInfo 0x14002fda8
GetNativeSystemInfo 0x14002fdb0
Name Address
SysAllocString 0x14002f860
SysAllocStringLen 0x14002f868
SysStringLen 0x14002f870
VariantClear 0x14002f878
VariantInit 0x14002f880
SysFreeString 0x14002f888
Name Address
GetPersistedRegistryLocationW 0x1400300d8
Name Address
FileTimeToSystemTime 0x14002fdc0
SystemTimeToFileTime 0x14002fdc8
Name Address
Sleep 0x14002fd58
Name Address
FreeSid 0x140030028
CopySid 0x140030030
GetLengthSid 0x140030038
DuplicateTokenEx 0x140030040
AllocateAndInitializeSid 0x140030048
GetTokenInformation 0x140030050
IsValidSid 0x140030058
RevertToSelf 0x140030060
ImpersonateLoggedOnUser 0x140030068
CheckTokenMembership 0x140030070
Name Address
ConvertStringSidToSidW 0x1400300b8
Name Address
LocalAlloc 0x14002fb18
LocalFree 0x14002fb20
Name Address
DosDateTimeToFileTime 0x14002fb40
Name Address
InitializeCriticalSection 0x14002fd28
LeaveCriticalSection 0x14002fd30
DeleteCriticalSection 0x14002fd38
WaitForSingleObject 0x14002fd40
EnterCriticalSection 0x14002fd48
Name Address
ReadFile 0x14002f9f0
WriteFile 0x14002f9f8
SetFileAttributesW 0x14002fa00
CreateFileW 0x14002fa08
DeleteFileW 0x14002fa10
GetFileAttributesW 0x14002fa18
SetFileTime 0x14002fa20
GetFileSizeEx 0x14002fa28
CompareFileTime 0x14002fa30
GetFileType 0x14002fa38
GetDriveTypeW 0x14002fa40
FindNextFileW 0x14002fa48
FindFirstFileW 0x14002fa50
GetVolumeInformationW 0x14002fa58
LocalFileTimeToFileTime 0x14002fa60
RemoveDirectoryW 0x14002fa68
GetTempFileNameW 0x14002fa70
GetFileTime 0x14002fa78
CreateDirectoryW 0x14002fa80
GetFileAttributesExW 0x14002fa88
GetDiskFreeSpaceW 0x14002fa90
SetFilePointer 0x14002fa98
GetVolumePathNameW 0x14002faa0
FindClose 0x14002faa8
GetFileSize 0x14002fab0
Name Address
MoveFileExW 0x14002fad0
Name Address
CloseHandle 0x14002fae0
Name Address
StartTraceW 0x14002ffe0
ControlTraceW 0x14002ffe8
EnableTraceEx2 0x14002fff0
Name Address
GetCompressedFileSizeW 0x14002fac0
Name Address
CloseTrace 0x14002ffd0
Name Address
PathIsUNCW 0x14002fcc8
PathStripToRootW 0x14002fcd0
PathIsRootW 0x14002fcd8
PathIsRelativeW 0x14002fce0
Name Address
StrRChrW 0x14002fcf0
StrChrW 0x14002fcf8
Name Address
LoadLibraryW 0x14002fb80
FindResourceW 0x14002fb88
Name Address
CompareStringA 0x14002fba8
EnumUILanguagesW 0x14002fbb0
Name Address
WinHttpCloseHandle 0x14002f8b8
WinHttpCrackUrl 0x14002f8c0
WinHttpSetStatusCallback 0x14002f8c8
WinHttpSetOption 0x14002f8d0
WinHttpSetTimeouts 0x14002f8d8
WinHttpConnect 0x14002f8e0
WinHttpQueryHeaders 0x14002f8e8
WinHttpQueryAuthSchemes 0x14002f8f0
WinHttpReceiveResponse 0x14002f8f8
WinHttpOpenRequest 0x14002f900
WinHttpQueryOption 0x14002f908
WinHttpReadData 0x14002f910
WinHttpSendRequest 0x14002f918
WinHttpAddRequestHeaders 0x14002f920
WinHttpOpen 0x14002f928
Name Address
RtlGetDeviceFamilyInfoEnum 0x140030110
Name Address
GetLocaleInfoW 0x14002fb98
Name Address
GetFileVersionInfoExW 0x14002fdd8
VerQueryValueW 0x14002fde0
GetFileVersionInfoSizeExW 0x14002fde8
Name Address
CryptGetHashParam 0x140030080
CryptCreateHash 0x140030088
CryptAcquireContextW 0x140030090
CryptHashData 0x140030098
CryptReleaseContext 0x1400300a0
CryptDestroyHash 0x1400300a8
Name Address
ResolveDelayLoadedAPI 0x14002f9b8
Name Address
DelayLoadFailureHook 0x14002f9a8
Name Address
ApiSetQueryApiSetPresence 0x14002f938

Usage

Processing ( 10.83 seconds )

  • 10.319 ProcessMemory
  • 0.488 CAPE
  • 0.014 BehaviorAnalysis
  • 0.007 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.06 seconds )

  • 0.008 ransomware_files
  • 0.005 antianalysis_detectfile
  • 0.005 antiav_detectreg
  • 0.005 ransomware_extensions
  • 0.003 infostealer_ftp
  • 0.003 ursnif_behavior
  • 0.002 antiav_detectfile
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.002 territorial_disputes_sigs
  • 0.001 bot_drive
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior

Reporting ( 0.01 seconds )

  • 0.005 CAPASummary
  • 0.001 JsonDump

Signatures

The PE file contains a PDB path
pdbpath: SIHClient.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
Possible date expiration check, exits too soon after checking local time
process: SIHClient.exe, PID 6716
The binary contains an unknown PE section name indicative of packing
unknown section: {'name': '.didat', 'raw_address': '0x00042c00', 'virtual_address': '0x00046000', 'virtual_size': '0x00000048', 'size_of_data': '0x00000200', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000040', 'entropy': '0.51'}
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 6716 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 59 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Windows\SoftwareDistribution
C:\
C:\Windows\Logs\SIH\
C:\Windows\Logs\SIH
C:\Windows\System32\kernel.appcore.dll
\Device\CNG
C:\Windows\SoftwareDistribution\autest.cab
C:\Windows\Logs\SIH\*.etl
C:\Windows\Logs\SIH\SIH.20241125.091544.598.1.etl
C:\Windows\Logs\SIH\SIH.20250614.142751.117.1.etl
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StateSeparation\RedirectionMap\Keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\EditionSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\EditionSettings\RootDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\EditionSettings\LogDir
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MiniNT
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Test
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\EditionSettings\RootDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\EditionSettings\LogDir
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No TCP connections recorded.

No UDP connections recorded.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.