Analysis Report · CAPE Sandbox

Analysis

Category	Package	Started	Completed	Duration	Options	Log(s)
FILE	exe	2025-06-14 12:42:46	2025-06-14 13:13:31	1845 seconds	Show Options	Show Analysis Log

procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1

2024-11-25 13:37:15,100 [root] INFO: Date set to: 20250614T06:51:35, timeout set to: 1800
2025-06-14 07:51:35,415 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8
2025-06-14 07:51:35,431 [root] DEBUG: Storing results at: C:\wRQhaNwUv
2025-06-14 07:51:35,431 [root] DEBUG: Pipe server name: \\.\PIPE\uCXdXx
2025-06-14 07:51:35,431 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-14 07:51:35,431 [root] INFO: analysis running as an admin
2025-06-14 07:51:35,431 [root] INFO: analysis package specified: "exe"
2025-06-14 07:51:35,431 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-14 07:51:36,244 [root] DEBUG: imported analysis package "exe"
2025-06-14 07:51:36,244 [root] DEBUG: initializing analysis package "exe"...
2025-06-14 07:51:36,244 [lib.common.common] INFO: wrapping
2025-06-14 07:51:36,244 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-14 07:51:36,244 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\TieringEngineService.exe
2025-06-14 07:51:36,244 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-14 07:51:36,244 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-14 07:51:36,244 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-14 07:51:36,244 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-14 07:51:36,478 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-14 07:51:36,509 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-14 07:51:36,556 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-14 07:51:36,556 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-14 07:51:36,572 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-14 07:51:36,572 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-14 07:51:36,572 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-14 07:51:36,572 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-14 07:51:36,572 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-14 07:51:36,572 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-14 07:51:36,572 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-14 07:51:36,572 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-14 07:51:36,587 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-14 07:51:36,587 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-14 07:51:36,587 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-14 07:51:36,587 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-14 07:51:36,587 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-14 07:51:36,587 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-14 07:51:36,712 [modules.auxiliary.digisig] DEBUG: File is not signed
2025-06-14 07:51:36,712 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-14 07:51:36,712 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-14 07:51:36,712 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-14 07:51:36,712 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-14 07:51:36,712 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-14 07:51:36,712 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-14 07:51:36,712 [modules.auxiliary.disguise] INFO: Disguising GUID to b3124c33-8696-4805-8a42-f6e841a2b993
2025-06-14 07:51:36,712 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-14 07:51:36,712 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-14 07:51:36,712 [root] DEBUG: attempting to configure 'Human' from data
2025-06-14 07:51:36,712 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-14 07:51:36,712 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-14 07:51:36,728 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-14 07:51:36,728 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-14 07:51:36,728 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-14 07:51:36,728 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-14 07:51:36,728 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-14 07:51:36,728 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-14 07:51:36,728 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-14 07:51:36,728 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-14 07:51:36,728 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-14 07:51:36,728 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-14 07:51:36,728 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-14 07:51:36,728 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-14 07:51:36,743 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini
2025-06-14 07:51:36,743 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-14 07:51:36,743 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-14 07:51:36,743 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-14 07:51:36,743 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-14 07:51:36,743 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-14 07:51:36,743 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-14 07:51:36,743 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\KuolGmJ.dll, loader C:\tmp_gell1p8\bin\SGtTThPa.exe
2025-06-14 07:51:36,853 [root] DEBUG: Loader: IAT patching disabled.
2025-06-14 07:51:36,853 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\KuolGmJ.dll.
2025-06-14 07:51:36,884 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-14 07:51:36,884 [root] INFO: Disabling sleep skipping.
2025-06-14 07:51:36,884 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-14 07:51:36,884 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-14 07:51:36,884 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-14 07:51:36,884 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-14 07:51:36,884 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-14 07:51:36,884 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-14 07:51:36,900 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-14 07:51:36,900 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-14 07:51:36,900 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 6892, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000
2025-06-14 07:51:36,900 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-14 07:51:36,915 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-14 07:51:36,915 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-14 07:51:36,915 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\KuolGmJ.dll.
2025-06-14 07:51:36,915 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-14 07:51:36 <truncated>

Machine

Name	Label	Manager	Started On	Shutdown On	Route
win10-2	win10-2	KVM	2025-06-14 12:42:46	2025-06-14 13:13:12	none

File Details

File Name	TieringEngineService.exe
File Type	PE32+ executable (GUI) x86-64, for MS Windows
File Size	310272 bytes
MD5	33e60a1bd76a877683fcd7dc93a10635
SHA1	57a3f1bb5d26537f9735bddda9b6de300f218c9f
SHA256	917f104892ff1890be2ab218b99c2dfed8287ab93ea6895ba74090783d4e341c [VT] [MWDB] [Bazaar]
SHA3-384	54e0820a5b5d0276bfd24e04e539398aa6d576bc0857ad3f7f4c2f6a4ad28014f86f2b50fcf665e8fa966180a663a50b
CRC32	02685B7B
TLSH	T15A645B35D39814F9E4B7C2B4829A1B46FF72385D2F219ACB1878D5193F12FE0A939709
Ssdeep	6144:EjWq9JnJtFSsydvFyshpyNqZkNw16puxRbkGqG:Ei2JnJyhh+gkyxIg
PE	File Strings BinGraph Vba2Graph VirusTotal

PA_A^A]A\_^]

fD9$Fu

s WAVAWH

CTieredVolume::SetCurrentLocation_ApiHandler

api-ms-win-core-kernel32-legacy-l1-1-0.dll

D$2f;

@.data

fD9|$`

H;Y(t

currentHddTierSize

desiredStorageTierClass

CLUSAPI.dll

JetCreateInstance2W

.idata$6

fA9<Qu

resumeKeyPriority

f94Hu

totalDiskHeatClusters

JetBeginTransaction

SetThreadpoolThreadMaximum

t$`E3

.idata$4

\??\Volume

TieringPinnedCache.db

%s{%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}

CTieringEngineLib::ProcessEvents

TieringJetSession::OpenJetTableInternal

CTieredVolume::Processing_Pass3

A]A\_

TieringPinnedFiles

t*@8q

t)D8q

t4D8y

lastSourceId

GetStartupInfoW

D9Y tDL;H0u

APPID

EnableJetMultiInstance

.rdata$T$brc

L!d$ 3

PA_A^_^[

L$ SUVWH

ResolveDelayLoadedAPI

AllocateAndSetupJetInstance

TieringMovementSession::Teardown

__dllonexit

WATAUH

ATAUAVH

DiskToFlashMovementTable

t{@8y

D$HE3

JetResetSessionContext

@8~8t

RtlSetThreadErrorMode

u*9Q<|%

JetPrepareUpdate

R$fA;Z*

percentOfTotalIOsServedFromSsdTier

api-ms-win-core-com-l1-1-0.dll

wlfD;

T$PI+

@A_A\_

D$(

CTieredVolume::GetVolumeBitmapInfoByTier

A_A^A\_^][

MoveFileW

L9u u

FileVersion

PA^A\_^]

D9d$`t

FlashToDiskMovementTable

TieringHeatSession::ClearPinnedFlagForFileId

D$XH+

D$PE3

L$hH3

JetSetSystemParameterW

CM_Unregister_Notification

__C_specific_handler

SVWAVH

f9<Au

p AWH

CTieredVolume::GetGeneralVolumeInfo

tiH91u

CTieredVolume::ClearPinnedFlagFromHeatDb

CTieredVolume::GetPinnedFileCount_ApiHandler

t$HE3

.didat$7

TraceMessage

d$pL;

L$HE3

CoReleaseMarshalData

D$PI+

InitiateTierProcessingStart

MaxInMemoryTreeSize

fD9$Bu

t$ E3

TieringJetDatabase::Initialize

t"@8y

</security>

t+D8a

\$dL;

CTieredVolume::IsFilePinned_ApiHandler

@8y(t

fA99t

_callnewh

percentOfIOsFromPinnedFileOnHdd

xmlns="urn:schemas-microsoft-com:asm.v1"

__set_app_type

CreateEventW

UnknownTable

CTieringEngineTaskHandler::ScanTaskStart

fA9Z*v$A

A_A^_

UAVAWH

CTieringEngineLib::ProcessTieringEvents

D$0D8

CTieringEngineTaskHandler::FinalConstruct

VolumeChange

CTieringEngineTaskHandler::Start

jetDBFileName

0A_A^A]A\_^[

JetInit3W

(null)

CTieredVolume::GetFiles_ApiHandler

</trustInfo>

.text$mn$00

api-ms-win-core-string-l1-1-0.dll

t$ WH

SizeOfCapacityTierPinnedFiles

VWAVH

Storage Tiers Optimization

u7LcD$dH

numberOfHeatBuckets

CTieredVolume::Processing_Pass1

api-ms-win-core-synch-l1-2-0.dll

t$HD8a

CTieredVolume::GetFilePlacementByTier_ApiHandler

GetVolumeNameForVolumeMountPointW

CTieredVolume::PinFileInPinnedDb

t-D8a

.rsrc$01

CTieringEngineTaskHandler::Stop

TTBL|

edb.log

api-ms-win-service-core-l1-1-0.dll

o\$PH

HResult

D$d9D$`

Y@H9;u%L

040904B0

Microsoft Corporation

A_A^A]A\_^[]

RtlCreateSystemVolumeInformationFolder

D$pE3

api-ms-win-core-file-l2-1-2.dll

numberOfActiveVolumes

.rdata$zETW2

CTieredVolume::GetPinnedFileCountFromPinnedDb

CTieredVolume::SetDesiredStorageClass

fA9(t

_XcptFilter

TieringJetDatabase::WaitForDatabaseClose

PathCchStripToRoot

t"D8q

@USVWAUAWH

@USVWAVH

_lock

AskedToMoveToFlash

xt9t$htnH

D$pH;

AskedToMoveToDisk

AcquireSRWLockShared

USVWATAUAVAWH

fB94Su

TieringHeatSession::UpdateRecordsGivenPlacementList

N(D8yMtX

swprintf_s

D$PH;

EVNT0

tieredVolumeCsvGuidRoothPath

TieringJetError

JetCloseDatabase

SeManageVolumePrivilege

HcA<H

CoTaskMemAlloc

en-US

.?AVbad_alloc@std@@

A_A^A]A\_^]

CallJetTerm

|$\.u

<?xml version='1.0' encoding='utf-8' standalone='yes'?>

JetMove

ProcessVolumeTablesEnd

fA9<Au

A_A^]

EventRegister

Lct$hE

@SUVWATAUAWH

l$HE3

TieredVolumeMountHeatEventLoss

EnablePrivilegesInProcess

\$h;\$xsF

OpenVolumeHandle

GetTraceEnableLevel

numberOfEntries

_initterm

DeleteFileW

SetThreadpoolWait

CoInitializeEx

RSDSU)

WinSqmStartSession

_CxxThrowException

GetSystemWindowsDirectoryW

SetServiceStatus

"PercentOfCapacityTierPinnedFilesIO

\$`;\$dsfL

)D$pA

FindNextVolumeW

.idata$5

Microsoft-Windows-Storage-Tiering/Admin

PrivilegeCheck

t*@8y

t$ UATAWH

edb.chk

fA94Gu

InitializeSRWLock

{ ATAVAWH

FindFirstVolumeW

wcscat_s

CTieredVolume::GetPinnedFilesFromPinnedDb

A_A^A\_^

@USVWAWH

CoMarshalInterface

Windows

s'f;D$@s

PercentOfCapacityTierPinnedFilesIO

GetFinalPathNameByHandleW

JetCreateTableColumnIndex2W

EnableDebugInterface

VolumeName

CloseThreadpoolCleanupGroupMembers

A0I;@(t

|$ AWH

TotalIOPercentFromPerfTier

!D$(H

SizeOfPerfTierPinnedFiles

.pdata

GetTraceLoggerHandle

SVWAVAWH

Microsoft

VarFileInfo

VWAUAVAWH

$0< u 9\$tu

_fmode

\Microsoft\Windows\Storage Tiers Management

ProcessTimeInMinutes

.data$brc

L$pH3

RtlInitializeBitMap

L$PH3

t#@8y

CTieredVolume::GetFilesFromFileSystem

FfF9tF

priorityToRetain

H3E H3E

GetFileIdAndVolumePathByFilePath

InternalName

D$`8D$b

D$(`

.didat$2

NewTieredVolumeMount

JetTerm2

NtOpenFile

\$0E+

.text$yd

4ww6H

D8}XtDM;

malloc

CloseCluster

A^A\_

fA9TE

CoSuspendClassObjects

CreateStreamOnHGlobal

.?AVCAtlException@ATL@@

VWAWH

LastProcessedCycle

prioritiesPerBucket

H;Q(t

fD9DH

urfD9

.data$r$brc

CreateDirectoryW

JetCloseTable

A^A]_^]

sizeOfFilesPinnedToSsdTier

_vsnwprintf

D9T$@t

api-ms-win-core-profile-l1-1-0.dll

api-ms-win-core-libraryloader-l1-2-0.dll

FasterTierSize

UgD:U

WATAVH

api-ms-win-core-localization-l1-2-0.dll

\$`E3

D$xH;

NameChange

largestPrioritySeen

operation

LcA<E3

t$HD8

fA9+u

L!|$8H

totalIOsPinnedFlashCurrentlyDisk

F(D9``

_unlock

CreateFileW

VolumeNameLength

ByFileId

rPL;w

resumeKeyFileIdLow

ClusterCount

c AWH

SetEvent

T$PuA

fD98t

CTieredVolume::ClearPinnedFileInPinnedDb

numberOfFilesPinnedToSsdTier

_exit

+FileOffset

System Volume Information\Heat\NoLog\

\$@I;

paramId

JetOpenDatabaseW

RtlGUIDFromString

t$lL;

averagePriorityOnDisk

t6@8q

T$DE3

m2Jess*

CopyFileW

JetBeginSessionW

GetClusterInformation

RegGetValueW

|$8@8

} H!L$8L

d$HM;

T$DA:

l$@D;l$h}=3

FindNextFileW

0A^_^

OLEAUT32.dll

Microsoft.Windows.Storage.Tiering.Telemetry

tsD8y(usH

9D$du

AcquireSRWLockExclusive

InfoMakeCompat

.text$di

A^A]]

REGISTRY

priorityToDemote

processTimeInMinutes

H!|$(

FindClose

TieringHeatSession::DeleteRecordsWithGivenFileId

CTieringEngineTaskHandler::Pause

`A_A^A]A\_^]

CTieringEngineLib::StartTraceSession

hResult

VWATAVAWH

Hr = AtlMarshalPtrInProc( TaskHandlerStatus, IID_ITaskHandlerStatus, &m_TaskCompletedWorkContext.TaskHandlerStatusMarshal )

JetSeek

ByFileIdOffset

LegalCopyright

CoUninitialize

averagePriorityOnFlash

recordCount

L$\fD

NeedChkdsk

D8}`t;M;

PRVAX

CTieredVolume::GetSpecificHeatRecord_ApiHandler

ATL$__a

10.0.17763.1 (WinBuild.160101.0800)

Mscoree.dll

api-ms-win-core-synch-l1-2-1.dll

GetCurrentProcessId

HeatFileListForDiskOptimizer

CTieredVolume::UpgradePinnedDataDatabaseToDscAttribute

SetCurrentDirectoryW

api-ms-win-service-winsvc-l1-1-0.dll

p WAVAWH

RegCreateKeyExW

@USWATAUAVAWH

CTieredVolume::DeviceNotifyCallback

DeleteCriticalSection

JetCommitTransaction

CTieredVolume::Processing_Pass2

.rdata$zETW0

RaiseException

CTieredVolume::GetTieringMovementsPending_ApiHandler

CreateThreadpoolTimer

OpenCluster

FailedQueryPinnedFiles

CreateThreadpoolWork

A_A]]

JetGetObjectInfoW

RtlCaptureContext

D$h;{

defragTimeInMinutes

RtlCompareMemory

WinSqmAddToStreamEx

win:Info

.tls$ZZZ

\$HH=

CoCreateInstance

H;P0u

api-ms-win-core-file-l1-1-0.dll

JetRetrieveColumn

CTieredVolume::GetPinnedFileCountFromFileSystem

RtlSetBits

UAUAVH

t!@8y

CloseThreadpoolWork

d$8E3

SWATAVAWH

x ATAVAWH

DelayLoadFailureHook

H UVWATAUAVAWH

CTieredVolume::ClearPinnedFile_ApiHandler

{ AWH

.CRT$XLA

@A_A^A]A\_^]

l$`L;

*k@)H

CTieredVolume::IsFilePinnedInPinnedDb

TieringPinnedSession::GetFilePinnedState

GetFileAttributesW

TieringHeatSession::GetSpecificHeatRecord

fA9)t

WaitForThreadpoolWaitCallbacks

D;l$|

D$dE:

TieredVolumeArrival

A_A]A\_^][

9\$@u

0A_A^A\_[

api-ms-win-eventing-controller-l1-1-0.dll

JetAttachDatabase2W

CTieredVolume::SetupNames

.rdata$zzzdbg

CTieredVolume::IsTieredVolume_ApiHandler

api-ms-win-core-path-l1-1-0.dll

fD9$xu

LoadStringW

HcUwD

blockCountToMovedToDisk

TieringHeatSession::GetHeatRecord

WAVAWH

t6D8q

continueRequired

MaxHeatBlocksToReplaceInPercentage

MovedToDisk

CTieringEngineLib::Initialize

TieringHeatSession::SetHeatRecordExternally

Dismount

.CRT$XIA

]D9T$@tLH

.rdata

realloc

CoResumeClassObjects

*.log

win:Warning

errorCode

??1type_info@@UEAA@XZ

RtlNtStatusToDosError

CreateThreadpoolCleanupGroup

api-ms-win-core-errorhandling-l1-1-0.dll

jetError

JetSetColumns

CoTaskMemFree

System\CurrentControlSet\Services\TieringEngineService\Parameters

L9spu~

rYL;w

FveStatusChange

PostThreadMessageW

SetThreadpoolThreadMinimum

TierOptimizationReport

Report

hA_A^A]A\_^][

sizeOfFilesPinnedToHddTier

MovedToFlash

FreeLibraryWhenCallbackReturns

percentOfIOsFromPinnedFileOnSsd

I0H;K(u

heatRecordsProcessed

DismountFailed

.CRT$XIZ

TieringHeatSession::GetMovementsListForDiskOptimizer

H;L$Xu

unH99uiH

FileId

L$ WH

8Y0u0H

\$x9D$H~G3

D$$I;

!t$PH!u

ResetEvent

H;Z(t

NtClose

x UAVAWH

x AWH

\\?\Volume{bab6b806-2c70-4823-9d7c-aab8c6df6ca4}

LcL$dI

CTieringEngineTaskHandler::Resume

RtlNumberOfClearBits

FileDescription

!This program cannot be run in DOS mode.

M8:aD

A_A^A\

LockFailed

\$ UVWH

WaitForSingleObject

H!|$8L

@A^_^

RtlInitUnicodeString

D$hD8

TieringEngineHeat

WaitForThreadpoolWorkCallbacks

api-ms-win-eventing-provider-l1-1-0.dll

t9D8a

L$ UVWATAUAVAWH

api-ms-win-core-threadpool-l1-2-0.dll

api-ms-win-eventing-consumer-l1-1-0.dll

CTieredVolume::ProcessVolumeTables

jetPath

t.@8q

OpenProcessToken

api-ms-win-core-processthreads-l1-1-0.dll

UWATAVAWH

A_A^A]A\_^[

OPCO0

H;S v

GetLocaleInfoW

CTieredVolume::UpdateTieringInformationFromVolume

@USVWATAVAWH

blockCountToMovedToFlash

D8j$u

Placement

ntdll.dll

StartTraceW

SVWATAUAVAWH

A^_^[]

@A^A\_

0A_A^A\

UVWAUAWH

USER32.dll

t$8E3

api-ms-win-core-sysinfo-l1-1-0.dll

L$HH9M

DeviceIoControl

10.0.17763.1

t%A8B

CloseTrace

ForceClosed

CTieredVolume::PopulatePinnedCacheFromQfl

win:Informational

InitializeCriticalSection

Storage Tiers Management

D$peH

7L;H(u

p WATAVH

L$hE3

api-ms-win-core-synch-l1-1-0.dll

.idata$3

XA_A^A]A\_^[]

D$a8D$cu

api-ms-win-devices-config-l1-1-1.dll

TieringPinnedSession::MigratePinnedDatabaseToDscAttribute

AdjustTokenPrivileges

__wgetmainargs

ReleaseSRWLockExclusive

TieringHeatSession::SetVolumeInfoOnReservedRecord

RtlStringFromGUID

JetComputeStats

.didat$5

uuD:M

CTieredVolume::TeardownMovementSession

\$8H;

u$L97t

RtlLookupFunctionEntry

f9H\u

H;Q(s

TieringPinnedCacheFiles

.CRT$XCU

/D9}wtU

CTieredVolume::CTieredVolume

Hr = AtlUnmarshalPtr( m_TaskCompletedWorkContext.TaskHandlerStatusMarshal, IID_ITaskHandlerStatus, &TaskHandlerStatusUnknown )

\$ E3

D$(E3

t @8y

errors

GetTraceEnableFlags

api-ms-win-core-delayload-l1-1-1.dll

L$`H;

CTieredVolume::GetFileTieringState_ApiHandler

QueryPerformanceCounter

totalIOsPinnedDiskCurrentlyFlash

NtSetInformationFile

OpenFileById

JetOpenTempTable

CreateThreadpool

T$tE3

LEVLh

t$dL;

CTieredVolume::CloseJetInstance

9}`tP

priorityToPromote

H!t$pI

resumeKeyFileIdHigh

msvcrt.dll

\$ UVWATAUAVAWH

x AV3

D$XH+D$P

L$(E3

RegNotifyChangeKeyValue

r!E9L$

CloseThreadpoolCleanupGroup

oD$ f

JetDeleteTableW

StringFileInfo

pinRecordsError

.rdata$zETW9

api-ms-win-core-delayload-l1-1-0.dll

`A_A^_^]

0A_A^A]A\_

t$hE+

TieringMovementSession::DeleteMovementTables

</requestedPrivileges>

wMtNH

GetCurrentProcess

api-ms-win-core-handle-l1-1-0.dll

TieredVolumeDismount

<assembly

UVWAVAWH

(_^][

L$0E3

D$PeH

System Volume Information\Heat\Cache\

__setusermatherr

TieringMovementSession::Initialize

UATAUAVAWH

%I64u

TieringPinnedData.db

8\$@uP

UWATAUAVH

SeRestorePrivilege

api-ms-win-core-file-l1-2-0.dll

@(H;A(u

GetTickCount

{,8u0H

TieringPolicyEngineRealTimeTrace

A_A^A\_]

L;I0u

t @8q

D$`D88

D$@H+

.text$mn

L$ SH

.CRT$XIY

t1D8a

ProcessingPass3Start

D$8E3

ProcessTrace

JetMakeKey

EnableTraceEx2

TEMPT

TieringHeatSession::GetSpaceUsedForTier

CTieredVolume::GetTierInfo

TerminateProcess

JetSetCurrentIndexW

H!_8H

WearingOut

</assembly>

.didat$3

CM_Register_Notification

jetInstanceName

Translation

H;H(u

UniqueIdChange

WEVT_TEMPLATE

|$hA8

E9<$uMA

level="asInvoker"

ATL$__z

SUVWATAUAVAWH

ProcessVolumeTablesStart

A(I;@(t

NtFsControlFile

TieringJetSession::OpenJetTable

L$pL;]

TieringJetDatabase::CloseDatabase

\$ A;

JetOpenTableW

PathCchStripPrefix

T$`E3

DeviceInterface

CompareStringW

UWAVH

f9L$Tu,L

QueryUnbiasedInterruptTime

EventWriteTransfer

JetRollback

_snwprintf_s

ATL$__m

%I64u%s%02d

A^A\^[]

A_A^A\

tE@8y

RegisterTraceGuidsW

@A_A^A]A\_^[

oL$0f

wcsncmp

<requestedExecutionLevel

EventSetInformation

api-ms-win-core-file-l2-1-1.dll

System Volume Information\Heat\

tS@8y

RtlCompareUnicodeString

api-ms-win-core-io-l1-1-0.dll

L$`H3

ProductVersion

OpenTraceW

CHANp

CTieringEngineLib::OnNewVolume

D$@E3

.text$x

B8I;@(u

WinSqmEndSession

D8}HtGM;

\$P@2

PinnedFileListForDiskOptimizer

D$4I;

api-ms-win-core-processenvironment-l1-1-0.dll

w{fA;

UnregisterTraceGuids

A_A\]

.didat$4

t'A8)t"E

__CxxFrameHandler3

wuI9k

.didat$6

functionName

StartServiceCtrlDispatcherW

manifestVersion="1.0"

_onexit

TEMP<

L$xL;

.xdata$x

WATAWH

.CRT$XIAA

FileOffset

TieringMovementSession::CreateMovementTables

GetModuleHandleW

D$PI;

TieringEngineService.exe

{6DF5BCF4-22E9-446D-8763-A2C7677ECF7D}

A_A^A\_^[]

api-ms-win-core-registry-l1-1-0.dll

` AVH

L$ E3

@8-\v

t$dr5I

L$HH+L$PH

8A^_^[

tieredVolumeCsvGuidRootPath

@A^_]

H9|$p

d$Hr,H

sourceId

approxBlockCountToMoveToFlash

D$(!

pinnedToFlashClusterCount

uof9U

.CRT$XLZ

ESENT.dll

DefragTimeInMinutes

.giats

hresult

.rdata$zETW1

.rsrc

H;\$P

CTieredVolume::OnDumpTableToDatabase

D$0E3

A^A\_^]

fD9(t

t$2u{

@A_A^A\

=L9o<

CoCreateGuid

CTieredVolume::GetTieringStateForPinnedFiles

;Ewsh

StartTieringEngine

RtlGetThreadErrorMode

RtlVirtualUnwind

:$DSC:$LOGGED_UTILITY_STREAM

.idata$2

CTieredVolume::QueryDesiredStorageClass

_wcmdln

SubmitThreadpoolWork

x AVH

t:D8a

H;Q(t%H

.CRT$XCL

0A_A^_

@SUVWATAVAWH

L$`E9

OriginalFilename

WATAUAVAWH

UAUAWH

TieringHeatSession::GetHeatRecordsByIndexNumber

<description>Microsoft Tiering Engine Service</description>

PreparingEject

CTieredVolume::InitializeJetInstance

s:L9F0u4H

A_A^A]_^

uiAccess="false"

CreateSemaphoreW

JetCreateDatabase2W

L$dE3

CTieredVolume::Initialize

totalFlashHeatClusters

.tls$

StopTieringEngine

JetEndSession

D$XM;

Y(8SM

D$x9D$h

PhysicalConfigurationChange

JetDelete

CsvQueryMdsPath

failedPinRecord

TieringPinnedSession::AddOrUpdatePinnedRecord

numberOfFilesPinnedToHddTier

pinnedToDiskClusterCount

api-ms-win-security-base-l1-1-0.dll

WEVTt

.rsrc$02

Unlock

L$0I;

A_A^A]A\_

|$ E3

.CRT$XCA

.CRT$XCAA

.xdata

RtlCopyUnicodeString

LookupPrivilegeValueW

History

PercentOfPerfTierPinnedFilesIO

.gfids

ProcessingPass3End

TieringPinnedSession::GetPinnedFilesListForDiskOptimizer

fD9$Pu

ReleaseSRWLockShared

\$ UH

NtQueryInformationFile

A^A]A\_]

H;L$puLH

flags

wfL9F

\$8E3

CTieringEngineLib::StopTraceSession

FindVolumeClose

SetThreadpoolTimer

Operating System

@USVATAVH

pA_A^A]A\_[]

CsvNameLength

TieringHeatData.db

CreateThread

CoRevokeClassObject

currentSsdTierSize

.00cfg

t$ UWAUAVAWH

t5@8q

L!d$ E3

T$PI;

""""""""H

\]4uA

JetRetrieveColumns

fD9$zu

@.didat

UnhandledExceptionFilter

TieringEngineService

D9}gt

GetModuleHandleExW

JetGetColumnInfoW

CTieredVolume::PinFile_ApiHandler

t$@8y

fD9 t

CloseThreadpoolWait

UVWATAUAVAWH

EventUnregister

api-ms-win-eventing-classicprovider-l1-1-0.dll

JetEnableMultiInstanceW

\??\GLOBALROOT\Device\HardDisk%u\ClusterPartition%u\

_cexit

CTieredVolume::GetHeatRecords_ApiHandler

JetSetSessionContext

CloseHandle

wcscpy_s

resumeKeyLastFileOffset

EventData

@.reloc

UVWATAVH

CTieredVolume::ReportProcessingTerminated

ATAVAWH

maxHeatReplaceInPercentage

processingResult

FailedMigratePinnedDbToDscAttrib

UVWAUAVH

CloseThreadpool

TieringPinnedSession::ClearPinnedRecordGivenFileId

D$LM;

CompanyName

VS_VERSION_INFO

processingState

|$LE3

tieredVolumeBytesPerCluster

_purecall

RegisterServiceCtrlHandlerW

GetLastError

GetCurrentThreadId

@A_A^_

@USVWATAUAVAWH

A_A]_^]

InitializeJetInstance

_commode

CreateThreadpoolWait

H;P(u

D8L$PthH

A8D9X

GetSystemTimeAsFileTime

x UATAUAVAWH

G(8XMt

Mount

CTieredVolume::OpenFileHandle

t8@8x

A_A^_^]

@A^A]A\

WaitForThreadpoolTimerCallbacks

A__^[]

CTieringEngineLib::StartTieringEngine

_amsg_exit

D8D$0t

.CRT$XCZ

ControlTraceW

p WATAUAVAWH

D8t$Uu}D

@8|$btiI

t-D8y

?terminate@@YAXXZ

|$LD8a

}HE8>

u HcA<H

diskClustersFree

CTieredVolume::BeginOrCompleteDefragReconcile

TieringEngineService.pdb

rAJcL

TieringHeatSession::GetFileTieringStateNonPinned

edbtmp.log

.TieringHeatSession::GetVolumeInfoFromReservedRecord

ChangeSize

|$ UAVAWH

flashClustersFree

CsvName

Microsoft-Windows-Storage-Tiering

approxBlockCountToMoveToDisk

CoRegisterClassObject

\$HE3

NumberEntries

Hr = CoInit.Initialize( COINIT_MULTITHREADED )

\$dM;

Sleep

api-ms-win-security-lsalookup-l2-1-0.dll

|$Pr*I

GetFileInformationByHandleEx

tieredVolumeGuid

JetUpdate

BackgroundFormat

D$hA:

L$pE3

SetUnhandledExceptionFilter

Flags

pA_A^A]A\_^]

|$XrgI

.data

api-ms-win-core-realtime-l1-1-0.dll

api-ms-win-core-file-l2-1-0.dll

L$pH;

+FileId

t$ UWATAVAWH

!D$0I

@(H;B(u

t"D9Y u

t&D8a

u"H!G@H

A_A^A]A\]

D$ E3

.text

A_A^A]_]

L$`M;

*.jrs

totalFlashClusters

CTieredVolume::SetHeatRecord_ApiHandler

memset

`.rdata

NtWaitForSingleObject

f9<Bu

t&D8y

oT$@f

L9L$`u

fA94Au

\\?\Volume

.rdata$brc

fE9DE

fF94Ft

9A98u6A9x

A_A]_^[]

failedMigrateCount

requiredSsdBytes

|$ UATAUAVAWH

TieringPinnedSession::GetPinnedFilesListByRow

CoUnmarshalInterface

ProductName

|$(A^

WormNearFull

FindFirstFileW

PE Information

Image Base	Entry Point	Reported Checksum	Actual Checksum	Minimum OS Version	PDB Path	Compile Time	Import Hash
0x140000000	0x0003d630	0x00054552	0x00054552	10.0	TieringEngineService.pdb	2003-12-27 20:49:45	e803dc35cc0f3853734dd4b09d47793a

Version Infos

CompanyName	Microsoft Corporation
FileDescription	Storage Tiers Management
FileVersion	10.0.17763.1 (WinBuild.160101.0800)
InternalName	TieringEngineService
LegalCopyright	Â© Microsoft Corporation. All rights reserved.
OriginalFilename	TieringEngineService.exe
ProductName	MicrosoftÂ® WindowsÂ® Operating System
ProductVersion	10.0.17763.1
Translation	0x0409 0x04b0

Sections

Name	RAW Address	Virtual Address	Virtual Size	Size of Raw Data	Characteristics	Entropy
.text	0x00000400	0x00001000	0x0003dd89	0x0003de00	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.38
.rdata	0x0003e200	0x0003f000	0x00009b80	0x00009c00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.15
.data	0x00047e00	0x00049000	0x00000cf4	0x00000400	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	1.96
.pdata	0x00048200	0x0004a000	0x00001704	0x00001800	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.34
.didat	0x00049a00	0x0004c000	0x00000010	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	0.10
.rsrc	0x00049c00	0x0004d000	0x00001cd8	0x00001e00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	3.84
.reloc	0x0004ba00	0x0004f000	0x000001f0	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ	4.91

Name	Offset	Size	Language	Sub-language	Entropy	File type
MUI	0x0004ebd8	0x00000100	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.89	None
REGISTRY	0x0004d438	0x0000000c	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.79	None
REGISTRY	0x0004d458	0x0000000c	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.79	None
REGISTRY	0x0004d448	0x0000000c	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.79	None
WEVT_TEMPLATE	0x0004d838	0x0000139a	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.72	None
RT_VERSION	0x0004d468	0x000003d0	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.43	None
RT_MANIFEST	0x0004d210	0x00000221	LANG_ENGLISH	SUBLANG_ENGLISH_US	4.81	None

Imports

Name	Address
_vsnwprintf	0x140040090
_onexit	0x140040098
realloc	0x1400400a0
_snwprintf_s	0x1400400a8
_CxxThrowException	0x1400400b0
__dllonexit	0x1400400b8
wcscat_s	0x1400400c0
swprintf_s	0x1400400c8
wcsncmp	0x1400400d0
_unlock	0x1400400d8
__CxxFrameHandler3	0x1400400e0
_lock	0x1400400e8
??1type_info@@UEAA@XZ	0x1400400f0
?terminate@@YAXXZ	0x1400400f8
_commode	0x140040100
_fmode	0x140040108
_wcmdln	0x140040110
_initterm	0x140040118
__setusermatherr	0x140040120
_cexit	0x140040128
_exit	0x140040130
exit	0x140040138
__set_app_type	0x140040140
__wgetmainargs	0x140040148
_amsg_exit	0x140040150
_XcptFilter	0x140040158
wcscpy_s	0x140040160
_callnewh	0x140040168
malloc	0x140040170
free	0x140040178
_purecall	0x140040180
__C_specific_handler	0x140040188
memset	0x140040190

Name	Address
RtlSetBits	0x1400401a0
RtlInitializeBitMap	0x1400401a8
RtlCreateSystemVolumeInformationFolder	0x1400401b0
NtQueryInformationFile	0x1400401b8
NtSetInformationFile	0x1400401c0
RtlCopyUnicodeString	0x1400401c8
NtFsControlFile	0x1400401d0
NtWaitForSingleObject	0x1400401d8
NtOpenFile	0x1400401e0
RtlGetThreadErrorMode	0x1400401e8
RtlSetThreadErrorMode	0x1400401f0
RtlNumberOfClearBits	0x1400401f8
RtlStringFromGUID	0x140040200
WinSqmEndSession	0x140040208
WinSqmStartSession	0x140040210
NtClose	0x140040218
RtlNtStatusToDosError	0x140040220
RtlGUIDFromString	0x140040228
RtlCompareUnicodeString	0x140040230
RtlInitUnicodeString	0x140040238
RtlCompareMemory	0x140040240
RtlVirtualUnwind	0x140040248
RtlLookupFunctionEntry	0x140040250
RtlCaptureContext	0x140040258
WinSqmAddToStreamEx	0x140040260

Name	Address
VariantClear	0x14003fba8
SysAllocString	0x14003fbb0
SysFreeString	0x14003fbb8
VariantInit	0x14003fbc0

Name	Address
GetTraceEnableFlags	0x14003ffa0
RegisterTraceGuidsW	0x14003ffa8
TraceMessage	0x14003ffb0
UnregisterTraceGuids	0x14003ffb8
GetTraceEnableLevel	0x14003ffc0
GetTraceLoggerHandle	0x14003ffc8

Name	Address
UnhandledExceptionFilter	0x14003fc68
SetUnhandledExceptionFilter	0x14003fc70
RaiseException	0x14003fc78
GetLastError	0x14003fc80

Name	Address
CoUnmarshalInterface	0x14003fbd0
CreateStreamOnHGlobal	0x14003fbd8
CoReleaseMarshalData	0x14003fbe0
CoCreateInstance	0x14003fbe8
CoSuspendClassObjects	0x14003fbf0
CoTaskMemFree	0x14003fbf8
CoTaskMemAlloc	0x14003fc00
CoCreateGuid	0x14003fc08
CoInitializeEx	0x14003fc10
CoRevokeClassObject	0x14003fc18
CoRegisterClassObject	0x14003fc20
CoMarshalInterface	0x14003fc28
CoResumeClassObjects	0x14003fc30
CoUninitialize	0x14003fc38

Name	Address
InitializeCriticalSection	0x14003fe48
AcquireSRWLockExclusive	0x14003fe50
ReleaseSRWLockShared	0x14003fe58
AcquireSRWLockShared	0x14003fe60
ReleaseSRWLockExclusive	0x14003fe68
DeleteCriticalSection	0x14003fe70
WaitForSingleObject	0x14003fe78
SetEvent	0x14003fe80
InitializeSRWLock	0x14003fe88
ResetEvent	0x14003fe90
CreateEventW	0x14003fe98

Name	Address
EventRegister	0x140040018
EventUnregister	0x140040020
EventSetInformation	0x140040028
EventWriteTransfer	0x140040030

Name	Address
GetModuleHandleExW	0x14003fd60
GetModuleHandleW	0x14003fd68
LoadStringW	0x14003fd70

Name	Address
GetCurrentProcess	0x14003fdb8
GetCurrentProcessId	0x14003fdc0
CreateThread	0x14003fdc8
OpenProcessToken	0x14003fdd0
GetStartupInfoW	0x14003fdd8
TerminateProcess	0x14003fde0
GetCurrentThreadId	0x14003fde8

Name	Address
CloseHandle	0x14003fd30

Name	Address
SetServiceStatus	0x140040068
StartServiceCtrlDispatcherW	0x140040070

Name	Address
Sleep	0x14003fea8

Name	Address
RegisterServiceCtrlHandlerW	0x140040080

Name	Address
WaitForThreadpoolWorkCallbacks	0x14003fee8
CloseThreadpoolWait	0x14003fef0
CreateThreadpoolTimer	0x14003fef8
CreateThreadpoolWait	0x14003ff00
CloseThreadpoolCleanupGroup	0x14003ff08
CloseThreadpool	0x14003ff10
WaitForThreadpoolWaitCallbacks	0x14003ff18
CreateThreadpool	0x14003ff20
SetThreadpoolThreadMaximum	0x14003ff28
CloseThreadpoolWork	0x14003ff30
WaitForThreadpoolTimerCallbacks	0x14003ff38
CloseThreadpoolCleanupGroupMembers	0x14003ff40
SubmitThreadpoolWork	0x14003ff48
SetThreadpoolTimer	0x14003ff50
SetThreadpoolThreadMinimum	0x14003ff58
CreateThreadpoolWork	0x14003ff60
FreeLibraryWhenCallbackReturns	0x14003ff68
SetThreadpoolWait	0x14003ff70
CreateThreadpoolCleanupGroup	0x14003ff78

Name	Address
CompareStringW	0x14003fe38

Name	Address
SetCurrentDirectoryW	0x14003fda8

Name	Address
QueryPerformanceCounter	0x14003fdf8

Name	Address
GetTickCount	0x14003fec8
GetSystemTimeAsFileTime	0x14003fed0
GetSystemWindowsDirectoryW	0x14003fed8

Name	Address
CreateSemaphoreW	0x14003feb8

Name	Address
FindFirstVolumeW	0x14003fc90
DeleteFileW	0x14003fc98
FindClose	0x14003fca0
GetFinalPathNameByHandleW	0x14003fca8
FindNextVolumeW	0x14003fcb0
CreateFileW	0x14003fcb8
FindVolumeClose	0x14003fcc0
FindNextFileW	0x14003fcc8
GetFileAttributesW	0x14003fcd0
CreateDirectoryW	0x14003fcd8
FindFirstFileW	0x14003fce0

Name	Address
RegNotifyChangeKeyValue	0x14003fe18
RegCreateKeyExW	0x14003fe20
RegGetValueW	0x14003fe28

Name	Address
StartTraceW	0x14003fff8
ControlTraceW	0x140040000
EnableTraceEx2	0x140040008

Name	Address
ProcessTrace	0x14003ffd8
CloseTrace	0x14003ffe0
OpenTraceW	0x14003ffe8

Name	Address
GetVolumeNameForVolumeMountPointW	0x14003fcf0

Name	Address
DeviceIoControl	0x14003fd40

Name	Address
LookupPrivilegeValueW	0x140040058

Name	Address
AdjustTokenPrivileges	0x140040040
PrivilegeCheck	0x140040048

Name	Address
GetLocaleInfoW	0x14003fd80

Name	Address
GetFileInformationByHandleEx	0x14003fd00

Name	Address
PathCchStripPrefix	0x14003fd90
PathCchStripToRoot	0x14003fd98

Name	Address
CM_Unregister_Notification	0x14003ff88
CM_Register_Notification	0x14003ff90

Name	Address
OpenFileById	0x14003fd10

Name	Address
QueryUnbiasedInterruptTime	0x14003fe08

Name	Address
CopyFileW	0x14003fd20

Name	Address
MoveFileW	0x14003fd50

Name	Address
JetCreateTableColumnIndex2W	0x14003fa90
JetOpenTableW	0x14003fa98
JetDeleteTableW	0x14003faa0
JetSetCurrentIndexW	0x14003faa8
JetCreateDatabase2W	0x14003fab0
JetOpenDatabaseW	0x14003fab8
JetAttachDatabase2W	0x14003fac0
JetBeginSessionW	0x14003fac8
JetEndSession	0x14003fad0
JetCloseDatabase	0x14003fad8
JetCloseTable	0x14003fae0
JetInit3W	0x14003fae8
JetTerm2	0x14003faf0
JetSetSystemParameterW	0x14003faf8
JetCreateInstance2W	0x14003fb00
JetGetColumnInfoW	0x14003fb08
JetResetSessionContext	0x14003fb10
JetSetSessionContext	0x14003fb18
JetRetrieveColumns	0x14003fb20
JetSetColumns	0x14003fb28
JetPrepareUpdate	0x14003fb30
JetUpdate	0x14003fb38
JetMove	0x14003fb40
JetMakeKey	0x14003fb48
JetSeek	0x14003fb50
JetBeginTransaction	0x14003fb58
JetRetrieveColumn	0x14003fb60
JetDelete	0x14003fb68
JetCommitTransaction	0x14003fb70
JetRollback	0x14003fb78
JetComputeStats	0x14003fb80
JetGetObjectInfoW	0x14003fb88
JetOpenTempTable	0x14003fb90
JetEnableMultiInstanceW	0x14003fb98

Name	Address
GetClusterInformation	0x14003fa70
OpenCluster	0x14003fa78
CloseCluster	0x14003fa80

Name	Address
ResolveDelayLoadedAPI	0x14003fc58

Name	Address
DelayLoadFailureHook	0x14003fc48

Reports: JSON

Statistics (10.91)

Usage

Processing ( 10.85 seconds )

10.249 ProcessMemory
0.585 CAPE
0.008 AnalysisInfo
0.007 BehaviorAnalysis
0.001 Debug

Signatures ( 0.06 seconds )

0.008 ransomware_files
0.005 antianalysis_detectfile
0.005 antiav_detectreg
0.005 ransomware_extensions
0.003 antiav_detectfile
0.003 ursnif_behavior
0.002 infostealer_bitcoin
0.002 infostealer_ftp
0.002 infostealer_im
0.002 poullight_files
0.002 territorial_disputes_sigs
0.001 bot_drive
0.001 antianalysis_detectreg
0.001 antivm_vbox_files
0.001 antivm_vbox_keys
0.001 geodo_banking_trojan
0.001 browser_security
0.001 uac_bypass_cmstpcom
0.001 disables_backups
0.001 disables_browser_warn
0.001 disables_power_options
0.001 azorult_mutexes
0.001 cryptbot_files
0.001 echelon_files
0.001 infostealer_mail
0.001 masquerade_process_name
0.001 revil_mutexes
0.001 modirat_behavior

Reporting ( 0.01 seconds )

0.005 CAPASummary
0.001 JsonDump

Signatures

The PE file contains a PDB path

pdbpath: TieringEngineService.pdb

SetUnhandledExceptionFilter detected (possible anti-debug)

The binary contains an unknown PE section name indicative of packing

unknown section: {'name': '.didat', 'raw_address': '0x00049a00', 'virtual_address': '0x0004c000', 'virtual_size': '0x00000010', 'size_of_data': '0x00000200', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000040', 'entropy': '0.10'}

Yara detections observed in process dumps, payloads or dropped files

Hit: PID 1436 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 59 }']'

Anomalous binary characteristics

anomaly: Entrypoint of binary is located outside of any mapped sections

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Windows\System32\kernel.appcore.dll
\Device\CNG
C:\Users\Packager\AppData\Local\Temp\TieringEngineService.exe

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled

No results

Sorry! No behavior.

Sorry! No strace.

Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.

Sorry! No dropped files.

Sorry! No process dumps.

Analysis

Machine

File Details

PE Information

Version Infos

Sections

Resources

Imports

msvcrt

ntdll

OLEAUT32

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-service-core-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-service-winsvc-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-synch-l1-2-1

api-ms-win-core-file-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-eventing-controller-l1-1-0

api-ms-win-eventing-consumer-l1-1-0

api-ms-win-core-file-l1-2-0

api-ms-win-core-io-l1-1-0

api-ms-win-security-lsalookup-l2-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-file-l2-1-0

api-ms-win-core-path-l1-1-0

api-ms-win-devices-config-l1-1-1

api-ms-win-core-file-l2-1-1

api-ms-win-core-realtime-l1-1-0

api-ms-win-core-file-l2-1-2

api-ms-win-core-kernel32-legacy-l1-1-0

ESENT

CLUSAPI

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0