Analysis

Category Package Started Completed Duration
FILE exe 2025-06-11 06:13:09 2025-06-11 06:30:33 1044 seconds

Options
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1

Log(s)
2024-11-25 13:37:15,068 [root] INFO: Date set to: 20250611T05:39:54, timeout set to: 1000
2025-06-11 06:39:54,799 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8
2025-06-11 06:39:54,799 [root] DEBUG: Storing results at: C:\uyHCokWh
2025-06-11 06:39:54,799 [root] DEBUG: Pipe server name: \\.\PIPE\IpEgLKC
2025-06-11 06:39:54,799 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-11 06:39:54,799 [root] INFO: analysis running as an admin
2025-06-11 06:39:54,814 [root] INFO: analysis package specified: "exe"
2025-06-11 06:39:54,814 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-11 06:39:55,127 [root] DEBUG: imported analysis package "exe"
2025-06-11 06:39:55,127 [root] DEBUG: initializing analysis package "exe"...
2025-06-11 06:39:55,127 [lib.common.common] INFO: wrapping
2025-06-11 06:39:55,127 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-11 06:39:55,189 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\ImeBroker.exe
2025-06-11 06:39:55,189 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-11 06:39:55,189 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-11 06:39:55,189 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-11 06:39:55,189 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-11 06:39:55,377 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-11 06:39:55,486 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-11 06:39:55,517 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-11 06:39:55,517 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-11 06:39:55,533 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-11 06:39:55,533 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-11 06:39:55,533 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-11 06:39:55,549 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-11 06:39:55,549 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-11 06:39:55,549 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-11 06:39:55,549 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-11 06:39:55,549 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-11 06:39:55,549 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-11 06:39:55,549 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-11 06:39:55,549 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-11 06:39:55,549 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-11 06:39:55,549 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-11 06:39:55,549 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-11 06:39:55,705 [modules.auxiliary.digisig] DEBUG: File is not signed
2025-06-11 06:39:55,705 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-11 06:39:55,705 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-11 06:39:55,705 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-11 06:39:55,705 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-11 06:39:55,705 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-11 06:39:55,705 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-11 06:39:55,705 [modules.auxiliary.disguise] INFO: Disguising GUID to 88063f41-cb09-49fe-8433-82e8a31757b9
2025-06-11 06:39:55,705 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-11 06:39:55,705 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-11 06:39:55,705 [root] DEBUG: attempting to configure 'Human' from data
2025-06-11 06:39:55,705 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-11 06:39:55,705 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-11 06:39:55,705 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-11 06:39:55,705 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-11 06:39:55,705 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-11 06:39:55,705 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-11 06:39:55,705 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-11 06:39:55,705 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-11 06:39:55,705 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-11 06:39:55,705 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-11 06:39:55,705 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-11 06:39:55,705 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-11 06:39:55,705 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-11 06:39:55,705 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-11 06:39:55,720 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini
2025-06-11 06:39:55,720 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-11 06:39:55,720 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-11 06:39:55,720 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-11 06:39:55,720 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-11 06:39:55,720 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-11 06:39:55,720 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-11 06:39:55,736 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\pQxbIz.dll, loader C:\tmp_gell1p8\bin\EPCPTrhb.exe
2025-06-11 06:39:55,830 [root] DEBUG: Loader: IAT patching disabled.
2025-06-11 06:39:55,830 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\pQxbIz.dll.
2025-06-11 06:39:55,877 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-11 06:39:55,877 [root] INFO: Disabling sleep skipping.
2025-06-11 06:39:55,877 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-11 06:39:55,877 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-11 06:39:55,877 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-11 06:39:55,877 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-11 06:39:55,877 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-11 06:39:55,877 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-11 06:39:55,893 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-11 06:39:55,908 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-11 06:39:55,908 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF824800000, thread 6348, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000
2025-06-11 06:39:55,908 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-11 06:39:55,923 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-11 06:39:55,923 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-11 06:39:55,923 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\pQxbIz.dll.
2025-06-11 06:39:55,939 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-11 06:39:55,939 [root] DE <truncated>

Machine

Name Label Manager Started On Shutdown On Route
win10-2 win10-2 KVM 2025-06-11 06:13:09 2025-06-11 06:30:13 none

File Details

File Name ImeBroker.exe
File Type PE32+ executable (GUI) x86-64, for MS Windows
File Size 570880 bytes
MD5 b1cc8c8331a05c0a1fa35f4a18abada2
SHA1 e68a43baa48c4c8eb10983b967e7a7e2f1b687ec
SHA256 8a33f306c829a34b16d5835b7fabf33d2a99c0e971f6f433f5989e9b3ddba9eb
SHA3-384 b12a02682ca262bfe5f9de175a44cebbed291eab422bf3b2507de8c1e8ae29d7fd20fca22a0c27cc3c5e435ec9617750
CRC32 19785475
TLSH T126C45B2AA79C43F4E13BD13D85968247F7F174451B328ACB42A1865E2F37AE19E3D321
Ssdeep 6144:LOCKhQmFbBFhaRCnFX6vs2pYwTtJ29RWpByu7ofDBSLjJbxUujRWRi8cOtFWgN:LpGbTcEUs2pTtA90pobVSLjrUujRWHc
LocalFree
fD90u=E3
IMJPZP.DIC,1,271
D$8E3
L9o@t
.?AVResultException@wil@@
D8u1t
type="win32"/>
</assembly>
.didat$3
A_A^_^][
Translation
l$\fD
CT$8D
L9UXt
.back
fD9D$ t
daysSinceLastCorruption
operation_not_supported
Cannot Create New File
WilError_02
??_V@YAXPEAX@Z
GetNamedSecurityInfoW
fB9,Bu
H;L$(t
9k(tyH
address_not_available
wcsncmp
AutoRecoverDict.LastMMFailure
H9|$@
Dicts Lock timeout
GetTempFileNameW
ProductVersion
D$8H!|$8H
9;|;E3
f9t$@t,3
D$X@8|$xt5L
t$PE3
t.D8u
.didat$4
Microsoft-Windows-IME-Broker/Analytic
L9-|N
featureStage
__CxxFrameHandler3
connection_refused
variantKind
_onexit
H WAVAWH
IsValidSid
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" manifestVersion="1.0">
.CRT$XIAA
D9l$\v
fD9<Au
no_protocol_option
A_A^A\_^[]
failureType
L$PD9
Windows
function not supported
x-fD9D$0t
FileMapError
SUVWATAVAWH
hresult
D$0E3
unH9A
invalid argument
Microsoft.Windows.Wil.FeatureLogging
@8|$4t(A
no such device
Microsoft.Windows.Desktop.TextInput.ImeCommon
Fktmw32.dll
.idata$2
api-ms-win-core-debug-l1-1-0.dll
x AVH
.CRT$XCL
illegal byte sequence
D$8L;
CoReleaseServerProcess
UseCloudSuggestion
.tls$
fD94Cu
m_strFilePath = %s.
D$ L;
@VWATAVAWH
.xdata
Microsoft\IME\15.0\IMEJP\UserDict
IMJP Enter Learning
0A__^[]
.gfids
imtcprop.exe
FileHeaderError
imccphr.exe
L9L$(D
XmlLite.dll
??0exception@@QEAA@AEBV0@@Z
%hs(%d)\%hs!%p:
Operating System
69|$|
vector<T> too long
@.didat
fA9<Ru
NHD9n
GetModuleHandleExW
IIDFromString
H;K`H
_cexit
imjpuex.exe
<%ufH
SDDS0411.DIC cannot be initialized.
fD9<qu
onecoreuap\windows\feime\win8\ea-shared\libraries\unifieddictionary\lib\cjdictscountforkey.cpp
|$0E3
pA_A^A\_^[]
\$X@2
t$ WATAUAVAWH
_IMJP_15_UD_FileMapping_{b4f0aa5b-77d3-486f-b999-53049e87159e}
GetLastError
_commode
@USVWATAUAVAWH
LogHr
fffffff
_amsg_exit
??0bad_cast@@QEAA@AEBV0@@Z
LearnEnable
Software\Policies\Microsoft\InputMethod\Settings\Shared
A_A]A\_]
?terminate@@YAXXZ
api-ms-win-security-trustee-l1-1-1.dll
Start
fD9mpu
t$XL9t$x
api-ms-win-security-sddl-l1-1-0.dll
no_buffer_space
pA_A^A]A\_^]
9t$pA
5<aP
D$pD8k
invalid stoi argument
Display
api-ms-win-core-timezone-l1-1-0.dll
A_A^A]A\]
A_A^A]_]
)t$pH
<vth<x
InitOnceBeginInitialize
`.rdata
UserDict
t$0H9}
CloudSuggestion
internal\sdk\inc\wil\ResultMacros.h
RegQueryInfoKeyW
RegCloseKey
IMETC
t3H!|$@!|$8H!|$0
fD97u
HA^A]_^[]
]xH;]pt|H
lineNumber
_vsnwprintf_s

PE Information

Image Base 0x140000000
Entry Point 0x0003eee0
Reported Checksum 0x000962ca
Actual Checksum 0x000962ca
Minimum OS Version 10.0
PDB Path ImeBroker.pdb
Compile Time 2008-03-30 14:26:48
Import Hash 99fbb9713acd706c274d04c3a5701bb4

Version Infos

CompanyName Microsoft Corporation
FileDescription Microsoft IME
FileVersion 10.0.17763.1 (WinBuild.160101.0800)
InternalName ImeBroker.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename ImeBroker.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.17763.1
Translation 0x0000 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x00065c8c 0x00065e00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.37
.rdata 0x00066200 0x00067000 0x0001ead0 0x0001ec00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.91
.data 0x00084e00 0x00086000 0x0000f430 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.65
.pdata 0x00085600 0x00096000 0x000045a8 0x00004600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.74
.didat 0x00089c00 0x0009b000 0x00000070 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.71
.rsrc 0x00089e00 0x0009c000 0x00000c30 0x00000e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.73
.reloc 0x0008ac00 0x0009d000 0x00000950 0x00000a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.33

Name Offset Size Language Sub-language Entropy File type
WEVT_TEMPLATE 0x0009c948 0x000002e2 LANG_ENGLISH SUBLANG_ENGLISH_US 3.31 None
RT_MESSAGETABLE 0x0009c788 0x000001c0 LANG_ENGLISH SUBLANG_ENGLISH_US 3.32 None
RT_VERSION 0x0009c3f8 0x00000390 LANG_ENGLISH SUBLANG_ENGLISH_US 3.43 None
RT_MANIFEST 0x0009c150 0x000002a1 LANG_ENGLISH SUBLANG_ENGLISH_US 5.03 None

Imports

Name Address
_wtoi 0x140069fd0
_wcsnicmp 0x140069fd8
_wcsicmp 0x140069fe0
islower 0x140069fe8
_free_locale 0x140069ff0
_get_current_locale 0x140069ff8
__crtLCMapStringA 0x14006a000
_W_Gettnames 0x14006a008
__crtLCMapStringW 0x14006a010
__crtCompareStringA 0x14006a018
__crtCompareStringW 0x14006a020
_wcsdup 0x14006a028
_vsnwprintf_s 0x14006a030
__mb_cur_max 0x14006a038
abort 0x14006a040
_Wcsftime 0x14006a048
_Gettnames 0x14006a050
calloc 0x14006a058
isupper 0x14006a060
_Strftime 0x14006a068
isspace 0x14006a070
__pctype_func 0x14006a078
memchr 0x14006a080
___lc_collate_cp_func 0x14006a088
isalnum 0x14006a090
wcsncmp 0x14006a098
vswprintf_s 0x14006a0a0
localeconv 0x14006a0a8
strcspn 0x14006a0b0
??_V@YAXPEAX@Z 0x14006a0b8
isdigit 0x14006a0c0
swprintf_s 0x14006a0c8
wcsrchr 0x14006a0d0
sprintf_s 0x14006a0d8
ldexp 0x14006a0e0
memset 0x14006a0e8
_ismbblead 0x14006a0f0
free 0x14006a0f8
swscanf_s 0x14006a100
___lc_codepage_func 0x14006a108
___lc_handle_func 0x14006a110
_Getmonths 0x14006a118
_W_Getdays 0x14006a120
tolower 0x14006a128
___mb_cur_max_func 0x14006a130
setlocale 0x14006a138
wcscpy_s 0x14006a140
??1type_info@@UEAA@XZ 0x14006a148
?terminate@@YAXXZ 0x14006a150
??0bad_cast@@QEAA@PEBD@Z 0x14006a158
_onexit 0x14006a160
__dllonexit 0x14006a168
_unlock 0x14006a170
_lock 0x14006a178
_commode 0x14006a180
??1bad_cast@@UEAA@XZ 0x14006a188
_fmode 0x14006a190
_wcmdln 0x14006a198
??0bad_cast@@QEAA@AEBV0@@Z 0x14006a1a0
realloc 0x14006a1a8
wcsncpy_s 0x14006a1b0
__C_specific_handler 0x14006a1b8
_initterm 0x14006a1c0
__setusermatherr 0x14006a1c8
_cexit 0x14006a1d0
_exit 0x14006a1d8
exit 0x14006a1e0
__set_app_type 0x14006a1e8
__wgetmainargs 0x14006a1f0
_amsg_exit 0x14006a1f8
_XcptFilter 0x14006a200
memmove 0x14006a208
memcpy 0x14006a210
_CxxThrowException 0x14006a218
?what@exception@@UEBAPEBDXZ 0x14006a220
??0exception@@QEAA@AEBQEBDH@Z 0x14006a228
??0exception@@QEAA@AEBQEBD@Z 0x14006a230
_callnewh 0x14006a238
malloc 0x14006a240
memmove_s 0x14006a248
_vsnprintf_s 0x14006a250
??0exception@@QEAA@AEBV0@@Z 0x14006a258
_errno 0x14006a260
??0exception@@QEAA@XZ 0x14006a268
??1exception@@UEAA@XZ 0x14006a270
_purecall 0x14006a278
??3@YAXPEAX@Z 0x14006a280
wcsncat_s 0x14006a288
_W_Getmonths 0x14006a290
wcstol 0x14006a298
memcpy_s 0x14006a2a0
_vsnwprintf 0x14006a2a8
memcmp 0x14006a2b0
wcsnlen 0x14006a2b8
_Getdays 0x14006a2c0
__CxxFrameHandler3 0x14006a2c8
wcscmp 0x14006a2d0
Name Address
GetModuleFileNameW 0x140069a60
FreeLibraryAndExitThread 0x140069a68
GetModuleHandleExW 0x140069a70
FreeLibrary 0x140069a78
LoadLibraryExW 0x140069a80
GetModuleHandleW 0x140069a88
GetProcAddress 0x140069a90
LockResource 0x140069a98
FindResourceExW 0x140069aa0
LoadResource 0x140069aa8
GetModuleFileNameA 0x140069ab0
SizeofResource 0x140069ab8
Name Address
CreateMutexExW 0x140069cd0
CreateEventW 0x140069cd8
ReleaseMutex 0x140069ce0
OpenMutexW 0x140069ce8
ReleaseSemaphore 0x140069cf0
OpenSemaphoreW 0x140069cf8
WaitForSingleObjectEx 0x140069d00
WaitForSingleObject 0x140069d08
SetEvent 0x140069d10
InitializeCriticalSectionEx 0x140069d18
ReleaseSRWLockExclusive 0x140069d20
CreateMutexW 0x140069d28
AcquireSRWLockExclusive 0x140069d30
DeleteCriticalSection 0x140069d38
EnterCriticalSection 0x140069d40
AcquireSRWLockShared 0x140069d48
CreateSemaphoreExW 0x140069d50
LeaveCriticalSection 0x140069d58
OpenEventW 0x140069d60
ReleaseSRWLockShared 0x140069d68
InitializeCriticalSection 0x140069d70
Name Address
HeapAlloc 0x140069a08
GetProcessHeap 0x140069a10
HeapFree 0x140069a18
HeapSetInformation 0x140069a20
Name Address
SetUnhandledExceptionFilter 0x140069930
SetLastError 0x140069938
UnhandledExceptionFilter 0x140069940
SetErrorMode 0x140069948
GetLastError 0x140069950
Name Address
GetCurrentProcess 0x140069b48
OpenProcessToken 0x140069b50
GetExitCodeProcess 0x140069b58
CreateProcessW 0x140069b60
SetPriorityClass 0x140069b68
GetCurrentThreadId 0x140069b70
ResumeThread 0x140069b78
GetStartupInfoW 0x140069b80
GetCurrentProcessId 0x140069b88
TerminateProcess 0x140069b90
CreateThread 0x140069b98
Name Address
GetLocaleInfoW 0x140069ad8
FormatMessageW 0x140069ae0
Name Address
DebugBreak 0x1400698f0
OutputDebugStringW 0x1400698f8
IsDebuggerPresent 0x140069900
Name Address
CloseHandle 0x1400699f8
Name Address
EventRegister 0x140069e70
EventUnregister 0x140069e78
EventActivityIdControl 0x140069e80
EventSetInformation 0x140069e88
EventWriteTransfer 0x140069e90
Name Address
CLSIDFromString 0x140069878
CoTaskMemFree 0x140069880
CreateStreamOnHGlobal 0x140069888
IIDFromString 0x140069890
CoCreateInstance 0x140069898
StringFromGUID2 0x1400698a0
CoRegisterClassObject 0x1400698a8
CoUninitialize 0x1400698b0
CoRevokeClassObject 0x1400698b8
CoResumeClassObjects 0x1400698c0
CoInitializeEx 0x1400698c8
CoInitializeSecurity 0x1400698d0
CoReleaseServerProcess 0x1400698d8
CoAddRefServerProcess 0x1400698e0
Name Address
WaitForMultipleObjects 0x140069db0
Name Address
WakeAllConditionVariable 0x140069d80
SleepConditionVariableSRW 0x140069d88
InitOnceBeginInitialize 0x140069d90
Sleep 0x140069d98
InitOnceComplete 0x140069da0
Name Address
SetThreadpoolTimer 0x140069df8
CreateThreadpoolTimer 0x140069e00
CloseThreadpoolTimer 0x140069e08
WaitForThreadpoolTimerCallbacks 0x140069e10
Name Address
GlobalFree 0x140069a30
LocalFree 0x140069a38
GlobalAlloc 0x140069a40
Name Address
RtlLookupFunctionEntry 0x140069c38
RtlVirtualUnwind 0x140069c40
RtlCaptureContext 0x140069c48
Name Address
QueryPerformanceCounter 0x140069ba8
Name Address
GetSystemTimeAsFileTime 0x140069dc0
GetSystemTime 0x140069dc8
GetSystemDirectoryW 0x140069dd0
GetVersionExW 0x140069dd8
GetTickCount64 0x140069de0
GetTickCount 0x140069de8
Name Address
AllowSetForegroundWindow 0x140069ec0
SetWindowLongPtrW 0x140069ec8
GetWindowLongPtrW 0x140069ed0
DefWindowProcW 0x140069ed8
RegisterClassExW 0x140069ee0
PeekMessageW 0x140069ee8
CreateWindowExW 0x140069ef0
GetMessageW 0x140069ef8
DestroyWindow 0x140069f00
TranslateMessage 0x140069f08
DispatchMessageW 0x140069f10
Name Address
CharNextW 0x140069cc0
Name Address
AllocateAndInitializeSid 0x140069f20
GetSidSubAuthority 0x140069f28
GetSidSubAuthorityCount 0x140069f30
IsValidSid 0x140069f38
GetTokenInformation 0x140069f40
Name Address
RegDeleteValueW 0x140069bb8
RegEnumValueW 0x140069bc0
RegQueryInfoKeyW 0x140069bc8
RegOpenKeyExW 0x140069bd0
RegQueryValueExW 0x140069bd8
RegCloseKey 0x140069be0
RegCreateKeyExW 0x140069be8
RegGetValueW 0x140069bf0
RegSetValueExW 0x140069bf8
Name Address
ExpandEnvironmentStringsW 0x140069b38
Name Address
SysAllocString 0x140069830
SysStringLen 0x140069838
SysFreeString 0x140069840
Name Address
FindClose 0x140069960
WriteFile 0x140069968
FindFirstFileW 0x140069970
CreateFileW 0x140069978
CreateDirectoryW 0x140069980
DeleteFileW 0x140069988
SetFileAttributesW 0x140069990
GetFileAttributesW 0x140069998
GetFileSize 0x1400699a0
SetEndOfFile 0x1400699a8
GetTempFileNameW 0x1400699b0
SetFilePointer 0x1400699b8
FindNextFileW 0x1400699c0
Name Address
MultiByteToWideChar 0x140069c90
WideCharToMultiByte 0x140069c98
GetStringTypeW 0x140069ca0
CompareStringOrdinal 0x140069ca8
CompareStringW 0x140069cb0
Name Address
LoadLibraryW 0x140069ac8
Name Address
GetFileVersionInfoSizeW 0x140069e58
GetFileVersionInfoW 0x140069e60
Name Address
VerQueryValueW 0x140069e48
Name Address
RegSetKeyValueW 0x140069c08
RegDeleteKeyValueW 0x140069c10
Name Address
EncodePointer 0x140069e30
DecodePointer 0x140069e38
Name Address
SetEntriesInAclW 0x140069f50
SetNamedSecurityInfoW 0x140069f58
GetNamedSecurityInfoW 0x140069f60
Name Address
NtQueryWnfStateData 0x14006a2e0
RtlDeriveCapabilitySidsFromName 0x14006a2e8
RtlNtStatusToDosError 0x14006a2f0
Name Address
PathFindFileNameW 0x140069c58
PathFindExtensionW 0x140069c60
PathRemoveBackslashW 0x140069c68
PathRemoveFileSpecW 0x140069c70
PathFileExistsW 0x140069c78
PathIsUNCServerW 0x140069c80
Name Address
SHCreateMemStream 0x140069f98
Name Address
GetSystemMetrics 0x140069ea0
Name Address
CreateXmlWriter 0x140069850
CreateXmlReader 0x140069858
Name Address
RegCreateKeyTransactedW 0x140069c20
RegOpenKeyTransactedW 0x140069c28
Name Address
CreateFileMappingW 0x140069af0
OpenFileMappingW 0x140069af8
MapViewOfFile 0x140069b00
UnmapViewOfFile 0x140069b08
Name Address
ReplaceFileW 0x1400699e0
MoveFileExW 0x1400699e8
Name Address
SystemTimeToFileTime 0x140069e20
Name Address
GetTempPathW 0x1400699d0
Name Address
PathCchCanonicalize 0x140069b18
PathIsUNCEx 0x140069b20
PathCchRemoveBackslash 0x140069b28
Name Address
ResolveDelayLoadedAPI 0x140069920
Name Address
DelayLoadFailureHook 0x140069910
Name Address
BuildExplicitAccessWithNameW 0x140069f88
Name Address
GetCurrentPackageFullName 0x140069868
Name Address
MsgWaitForMultipleObjects 0x140069eb0
Name Address
GetOverlappedResultEx 0x140069a50


Usage


Processing ( 10.91 seconds )

  • 10.153 ProcessMemory
  • 0.746 CAPE
  • 0.007 BehaviorAnalysis
  • 0.006 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.05 seconds )

  • 0.008 ransomware_files
  • 0.005 antianalysis_detectfile
  • 0.005 antiav_detectreg
  • 0.005 ransomware_extensions
  • 0.003 ursnif_behavior
  • 0.002 antiav_detectfile
  • 0.002 infostealer_ftp
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.002 territorial_disputes_sigs
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 uac_bypass_cmstpcom
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 infostealer_bitcoin
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior

Reporting ( 0.01 seconds )

  • 0.005 CAPASummary
  • 0.001 JsonDump

Signatures

The PE file contains a PDB path
pdbpath: ImeBroker.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
The binary contains an unknown PE section name indicative of packing
unknown section: {'name': '.didat', 'raw_address': '0x00089c00', 'virtual_address': '0x0009b000', 'virtual_size': '0x00000070', 'size_of_data': '0x00000200', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000040', 'entropy': '0.71'}
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 2868 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 59 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No TCP connections recorded.

No UDP connections recorded.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.