Analysis

Category FILE
Package exe
Started 2025-06-11 08:35:10
Completed 2025-06-11 08:52:49
Duration 1059 seconds

Options
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1

Analysis Log
2024-11-25 13:37:14,975 [root] INFO: Date set to: 20250611T07:18:05, timeout set to: 1000
2025-06-11 08:18:05,616 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8
2025-06-11 08:18:05,616 [root] DEBUG: Storing results at: C:\QoqtHYPS
2025-06-11 08:18:05,616 [root] DEBUG: Pipe server name: \\.\PIPE\YSvIkDlxiX
2025-06-11 08:18:05,616 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-11 08:18:05,616 [root] INFO: analysis running as an admin
2025-06-11 08:18:05,616 [root] INFO: analysis package specified: "exe"
2025-06-11 08:18:05,616 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-11 08:18:06,100 [root] DEBUG: imported analysis package "exe"
2025-06-11 08:18:06,100 [root] DEBUG: initializing analysis package "exe"...
2025-06-11 08:18:06,100 [lib.common.common] INFO: wrapping
2025-06-11 08:18:06,100 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-11 08:18:06,100 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\OOBENetworkCaptivePortal.exe
2025-06-11 08:18:06,100 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-11 08:18:06,132 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-11 08:18:06,132 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-11 08:18:06,132 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-11 08:18:06,382 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-11 08:18:06,397 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-11 08:18:06,429 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-11 08:18:06,444 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-11 08:18:06,460 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-11 08:18:06,460 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-11 08:18:06,460 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-11 08:18:06,460 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-11 08:18:06,460 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-11 08:18:06,460 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-11 08:18:06,460 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-11 08:18:06,460 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-11 08:18:06,460 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-11 08:18:06,460 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-11 08:18:06,475 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-11 08:18:06,475 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-11 08:18:06,475 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-11 08:18:06,475 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-11 08:18:17,726 [modules.auxiliary.digisig] DEBUG: File has a valid signature
2025-06-11 08:18:17,726 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-11 08:18:17,945 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-11 08:18:17,945 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-11 08:18:17,945 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-11 08:18:17,945 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-11 08:18:17,945 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-11 08:18:17,945 [modules.auxiliary.disguise] INFO: Disguising GUID to c06db7d9-b0ac-435c-9ba2-302bf5f31f7e
2025-06-11 08:18:17,945 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-11 08:18:17,945 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-11 08:18:17,945 [root] DEBUG: attempting to configure 'Human' from data
2025-06-11 08:18:17,945 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-11 08:18:17,945 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-11 08:18:17,945 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-11 08:18:17,945 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-11 08:18:17,945 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-11 08:18:17,945 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-11 08:18:17,945 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-11 08:18:17,945 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-11 08:18:17,945 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-11 08:18:17,945 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-11 08:18:17,945 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-11 08:18:17,945 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-11 08:18:17,945 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-11 08:18:17,960 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-11 08:18:17,975 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini
2025-06-11 08:18:17,975 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-11 08:18:17,975 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-11 08:18:17,975 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-11 08:18:17,975 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-11 08:18:17,975 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-11 08:18:17,975 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-11 08:18:17,991 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\fhRRXtD.dll, loader C:\tmp_gell1p8\bin\bOYxrlQS.exe
2025-06-11 08:18:18,054 [root] DEBUG: Loader: IAT patching disabled.
2025-06-11 08:18:18,054 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\fhRRXtD.dll.
2025-06-11 08:18:18,100 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-11 08:18:18,100 [root] INFO: Disabling sleep skipping.
2025-06-11 08:18:18,100 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-11 08:18:18,100 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-11 08:18:18,100 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-11 08:18:18,100 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-11 08:18:18,100 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-11 08:18:18,116 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-11 08:18:18,132 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-11 08:18:18,132 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-11 08:18:18,132 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 6268, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000
2025-06-11 08:18:18,132 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-11 08:18:18,147 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-11 08:18:18,147 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-11 08:18:18,163 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\fhRRXtD.dll.
2025-06-11 08:18:18,163 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025 <truncated>

Machine

Name win10-2
Label win10-2
Manager KVM
Started On 2025-06-11 08:35:10
Shutdown On 2025-06-11 08:52:29
Route none

File Details

File Name OOBENetworkCaptivePortal.exe
File Type PE32+ executable (GUI) x86-64, for MS Windows
File Size 600376 bytes
MD5 acaaaa06db52bafbb84629a70e2313ef
SHA1 aa4c779b20d7a118fe92adbfd658833c7ae98953
SHA256 621b40b1a33b0bc91733ae1f8568e83b388f362e3ffabcdf8648c0bb68856805
SHA3-384 21114b571d62cfdad7622037f4c517c4d56639f07f8b0d633ba2dc82f88deb29e8bdb13a67c5a09f89bb64c495e9f1c7
CRC32 E1681863
TLSH T199D4F7269B6C46D2D53AA07C44A6C349F6B1B4540F624BCB8160D32E6F7B9F89D3E331
Ssdeep 6144:/Gun3Od5tzGZBJRqqDBYcxjXpnotduZNIl1NWO3HvZCmmLtaAYO7GMd:+gOd5JGPJw8bZnoGZNIl1oQrNO7jd

PE Information

Image Base: 0x140000000
Entry Point: 0x0004fc70
Reported Checksum: 0x000983b0
Actual Checksum: 0x000983b0
Minimum OS Version: 6.0
PDB Path: OOBENetworkCaptivePortal.pdb
Compile Time: 2018-09-15 01:02:15
Import Hash: f9f88fe5cc811f57d6311499e5c8edfa
Exported DLL Name: OOBENetworkCaptivePortal.exe

Version Infos

CompanyName Microsoft Corporation
FileDescription OOBE Captive Portal Flow
FileVersion 10.0.17763.1 (WinBuild.160101.0800)
InternalName OOBECaptivePortalFlow
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename OOBECaptivePortalFlow.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.17763.1
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x0005748c 0x00057600 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.12
.rdata 0x00057a00 0x00059000 0x00029ecc 0x0002a000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.56
.data 0x00081a00 0x00083000 0x000072f8 0x00006800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.02
.pdata 0x00088200 0x0008b000 0x00006438 0x00006600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.75
.rsrc 0x0008e800 0x00092000 0x00000430 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 2.53
.reloc 0x0008ee00 0x00093000 0x0000192c 0x00001a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.41

Overlay

Offset 0x00090800
Size 0x00002138

Name Offset Size Language Sub-language Entropy File type
RT_VERSION 0x00092060 0x000003d0 LANG_ENGLISH SUBLANG_ENGLISH_US 3.47 None

Imports

Name Address
DebugBreak 0x140059040
OutputDebugStringW 0x140059048
IsDebuggerPresent 0x140059050
Name Address
GetCurrentThreadId 0x1400590f0
GetStartupInfoW 0x1400590f8
TerminateProcess 0x140059100
GetCurrentProcessId 0x140059108
GetCurrentProcess 0x140059110
Name Address
FormatMessageW 0x1400590e0
Name Address
GetLastError 0x140059060
SetLastError 0x140059068
UnhandledExceptionFilter 0x140059070
SetUnhandledExceptionFilter 0x140059078
Name Address
GetModuleHandleExW 0x1400590b8
GetModuleHandleW 0x1400590c0
GetModuleFileNameA 0x1400590c8
GetProcAddress 0x1400590d0
Name Address
DeleteCriticalSection 0x140059170
AcquireSRWLockExclusive 0x140059178
ResetEvent 0x140059180
ReleaseSRWLockShared 0x140059188
WaitForSingleObjectEx 0x140059190
OpenSemaphoreW 0x140059198
CreateMutexExW 0x1400591a0
AcquireSRWLockShared 0x1400591a8
SetEvent 0x1400591b0
ReleaseSRWLockExclusive 0x1400591b8
ReleaseMutex 0x1400591c0
WaitForSingleObject 0x1400591c8
InitializeCriticalSectionEx 0x1400591d0
LeaveCriticalSection 0x1400591d8
ReleaseSemaphore 0x1400591e0
EnterCriticalSection 0x1400591e8
CreateEventExW 0x1400591f0
CreateSemaphoreExW 0x1400591f8
Name Address
HeapAlloc 0x140059098
GetProcessHeap 0x1400590a0
HeapFree 0x1400590a8
Name Address
CloseHandle 0x140059088
Name Address
_free_locale 0x1400592c8
_get_current_locale 0x1400592d0
__crtLCMapStringW 0x1400592d8
__crtCompareStringW 0x1400592e0
_commode 0x1400592e8
_wcsdup 0x1400592f0
abort 0x1400592f8
___lc_collate_cp_func 0x140059300
calloc 0x140059308
__pctype_func 0x140059310
___lc_codepage_func 0x140059318
___lc_handle_func 0x140059320
___mb_cur_max_func 0x140059328
setlocale 0x140059330
_callnewh 0x140059338
memmove 0x140059340
memcpy 0x140059348
??0exception@@QEAA@AEBQEBDH@Z 0x140059350
_CxxThrowException 0x140059358
wcslen 0x140059360
memset 0x140059368
_fmode 0x140059370
_acmdln 0x140059378
_ismbblead 0x140059380
_cexit 0x140059388
_exit 0x140059390
exit 0x140059398
__set_app_type 0x1400593a0
__getmainargs 0x1400593a8
_initterm 0x1400593b0
malloc 0x1400593b8
_amsg_exit 0x1400593c0
_XcptFilter 0x1400593c8
_onexit 0x1400593d0
__dllonexit 0x1400593d8
_unlock 0x1400593e0
_lock 0x1400593e8
__C_specific_handler 0x1400593f0
??1type_info@@UEAA@XZ 0x1400593f8
realloc 0x140059400
strchr 0x140059408
free 0x140059410
??0bad_cast@@QEAA@PEBD@Z 0x140059418
??1bad_cast@@UEAA@XZ 0x140059420
??0bad_cast@@QEAA@AEBV0@@Z 0x140059428
wcsrchr 0x140059430
wcstol 0x140059438
_errno 0x140059440
wcsstr 0x140059448
_vsnprintf_s 0x140059450
memcpy_s 0x140059458
??0exception@@QEAA@AEBQEBD@Z 0x140059460
?what@exception@@UEBAPEBDXZ 0x140059468
?terminate@@YAXXZ 0x140059470
_purecall 0x140059478
__ExceptionPtrCreate 0x140059480
__ExceptionPtrCurrentException 0x140059488
__ExceptionPtrRethrow 0x140059490
__ExceptionPtrCopy 0x140059498
__ExceptionPtrDestroy 0x1400594a0
??0exception@@QEAA@AEBV0@@Z 0x1400594a8
??0exception@@QEAA@XZ 0x1400594b0
??1exception@@UEAA@XZ 0x1400594b8
_assert 0x1400594c0
??3@YAXPEAX@Z 0x1400594c8
_vsnwprintf 0x1400594d0
__CxxFrameHandler3 0x1400594d8
__setusermatherr 0x1400594e0
Name Address
NlaIndicateReprobe 0x1400594f0
Name Address
?InitializeData@Details@Platform@@YAJH@Z 0x140059528
??0ChangedStateException@Platform@@QE$AAA@XZ 0x140059530
??0OutOfBoundsException@Platform@@QE$AAA@XZ 0x140059538
??0FailureException@Platform@@QE$AAA@XZ 0x140059540
??0OutOfMemoryException@Platform@@QE$AAA@XZ 0x140059548
?__abi_cast_Object_to_String@__abi_details@@YAPE$AAVString@Platform@@_NPE$AAVObject@3@@Z 0x140059550
??0InvalidArgumentException@Platform@@QE$AAA@XZ 0x140059558
?get@FullName@Type@Platform@@QE$AAAPE$AAVString@3@XZ 0x140059560
?__abi_ObjectToString@__abi_details@@YAPE$AAVString@Platform@@PE$AAVObject@3@_N@Z 0x140059568
?GetTypeCode@Type@Platform@@SA?AW4TypeCode@2@PE$AAV12@@Z 0x140059570
?GetIBoxVtable@Details@Platform@@YAPEAXPEAX@Z 0x140059578
?CreateValue@Details@Platform@@YAPE$AAVObject@2@W4TypeCode@2@PEBX@Z 0x140059580
??0NullReferenceException@Platform@@QE$AAA@XZ 0x140059588
?EventSourceGetTargetArrayEvent@Details@Platform@@YAPEAXPEAXIPEBXPEA_J@Z 0x140059590
?EventSourceGetTargetArraySize@Details@Platform@@YAIPEAX@Z 0x140059598
?EventSourceGetTargetArray@Details@Platform@@YAPEAXPEAXPEAUEventLock@12@@Z 0x1400595a0
?__abi_cast_String_to_Object@__abi_details@@YAPE$AAVObject@Platform@@PE$AAVString@3@@Z 0x1400595a8
?EventSourceInitialize@Details@Platform@@YAXPEAPEAX@Z 0x1400595b0
?EventSourceRemove@Details@Platform@@YAXPEAPEAXPEAUEventLock@12@VEventRegistrationToken@Foundation@Windows@@@Z 0x1400595b8
?EventSourceAdd@Details@Platform@@YA?AVEventRegistrationToken@Foundation@Windows@@PEAPEAXPEAUEventLock@12@PE$AAVDelegate@2@@Z 0x1400595c0
?ResolveWeakReference@Details@Platform@@YAPE$AAVObject@2@AEBU_GUID@@PEAPEAU__abi_IUnknown@@@Z 0x1400595c8
?GetWeakReference@Details@Platform@@YAPEAU__abi_IUnknown@@QE$ADVObject@2@@Z 0x1400595d0
?CreateException@Exception@Platform@@SAPE$AAV12@HPE$AAVString@2@@Z 0x1400595d8
?get@Message@Exception@Platform@@QE$AAAPE$AAVString@3@XZ 0x1400595e0
?ReCreateException@Exception@Platform@@SAPE$AAV12@H@Z 0x1400595e8
?CreateException@Exception@Platform@@SAPE$AAV12@H@Z 0x1400595f0
?GetIBoxArrayVtable@Details@Platform@@YAPEAXPEAX@Z 0x1400595f8
?__abi_FailFast@@YAXXZ 0x140059600
??0Delegate@Platform@@QE$AAA@XZ 0x140059608
?__abi_make_type_id@@YAPE$AAVType@Platform@@AEBU__abi_type_descriptor@@@Z 0x140059610
??BType@Platform@@SA?AVTypeName@Interop@Xaml@UI@Windows@@PE$AAV01@@Z 0x140059618
?Allocate@Heap@Details@Platform@@SAPEAX_K0@Z 0x140059620
??0FailureException@Platform@@QE$AAA@PE$AAVString@1@@Z 0x140059628
?AllocateException@Heap@Details@Platform@@SAPEAX_K0@Z 0x140059630
?EventSourceUninitialize@Details@Platform@@YAXPEAPEAX@Z 0x140059638
?__abi_WinRTraiseNotImplementedException@@YAXXZ 0x140059640
?__abi_WinRTraiseInvalidCastException@@YAXXZ 0x140059648
?__abi_WinRTraiseNullReferenceException@@YAXXZ 0x140059650
?__abi_WinRTraiseOperationCanceledException@@YAXXZ 0x140059658
?__abi_WinRTraiseFailureException@@YAXXZ 0x140059660
?__abi_WinRTraiseAccessDeniedException@@YAXXZ 0x140059668
?__abi_WinRTraiseOutOfMemoryException@@YAXXZ 0x140059670
?__abi_WinRTraiseInvalidArgumentException@@YAXXZ 0x140059678
?__abi_WinRTraiseOutOfBoundsException@@YAXXZ 0x140059680
?__abi_WinRTraiseChangedStateException@@YAXXZ 0x140059688
?__abi_WinRTraiseClassNotRegisteredException@@YAXXZ 0x140059690
?__abi_WinRTraiseWrongThreadException@@YAXXZ 0x140059698
?__abi_WinRTraiseDisconnectedException@@YAXXZ 0x1400596a0
?__abi_WinRTraiseObjectDisposedException@@YAXXZ 0x1400596a8
?__abi_WinRTraiseCOMException@@YAXJ@Z 0x1400596b0
?ReleaseTarget@ControlBlock@Details@Platform@@AEAAXXZ 0x1400596b8
?AlignedFree@Heap@Details@Platform@@SAXPEAX@Z 0x1400596c0
?Free@Heap@Details@Platform@@SAXPEAX@Z 0x1400596c8
??0Object@Platform@@QE$AAA@XZ 0x1400596d0
?ReCreateFromException@Details@Platform@@YAJPE$AAVException@2@@Z 0x1400596d8
?GetIidsFn@@YAJHPEAKPEBU__s_GUID@@PEAPEAVGuid@Platform@@@Z 0x1400596e0
?GetActivationFactoryByPCWSTR@@YAJPEAXAEAVGuid@Platform@@PEAPEAX@Z 0x1400596e8
?UninitializeData@Details@Platform@@YAXH@Z 0x1400596f0
?GetCmdArguments@Details@Platform@@YAPEAPEA_WPEAH@Z 0x1400596f8
??0DisconnectedException@Platform@@QE$AAA@XZ 0x140059700
?GetActivationFactory@Details@Platform@@YAJPEAVModuleBase@1WRL@Microsoft@@PEAUHSTRING__@@PEAPEAUIActivationFactory@@@Z 0x140059708
??0NotImplementedException@Platform@@QE$AAA@XZ 0x140059710
?TerminateModule@Details@Platform@@YA_NPEAVModuleBase@1WRL@Microsoft@@@Z 0x140059718
Name Address
RoFailFastWithErrorContext 0x140059248
RoOriginateError 0x140059250
SetRestrictedErrorInfo 0x140059258
Name Address
RoReportUnhandledError 0x140059268
Name Address
RtlLookupFunctionEntry 0x140059130
RtlCaptureContext 0x140059138
RtlVirtualUnwind 0x140059140
Name Address
Sleep 0x140059208
Name Address
QueryPerformanceCounter 0x140059120
Name Address
GetTickCount 0x140059218
GetSystemTimeAsFileTime 0x140059220
Name Address
DecodePointer 0x140059230
EncodePointer 0x140059238
Name Address
GetStringTypeW 0x140059150
MultiByteToWideChar 0x140059158
WideCharToMultiByte 0x140059160

Exports

Name Address Ordinal
DllCanUnloadNow 0x140051d10 1
DllGetActivationFactory 0x140051d30 2
VSDesignerDllMain 0x14003f340 3


Usage


Processing ( 1.05 seconds )

  • 1.003 CAPE
  • 0.029 AnalysisInfo
  • 0.012 BehaviorAnalysis
  • 0.002 Debug

Signatures ( 0.06 seconds )

  • 0.008 ransomware_files
  • 0.006 antiav_detectreg
  • 0.005 antianalysis_detectfile
  • 0.005 ransomware_extensions
  • 0.003 infostealer_ftp
  • 0.003 territorial_disputes_sigs
  • 0.003 ursnif_behavior
  • 0.002 antiav_detectfile
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior

Reporting ( 0.00 seconds )

  • 0.003 CAPASummary
  • 0.001 JsonDump

Signatures

The PE file contains a PDB path
pdbpath: OOBENetworkCaptivePortal.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Windows\System32\kernel.appcore.dll
\Device\CNG
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsRuntime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\CustomAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\Diagnosis
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
Local\SM0:4484:304:WilStaging_02
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.