Analysis

Category FILE
Package exe
Started 2025-06-11 15:23:54
Completed 2025-06-11 15:41:30
Duration 1056 seconds
Options procmemdump=1, import_reconstruction=1, unpacker=2, norefer=1, no-iat=1
Log(s)
2024-11-25 13:37:15,381 [root] INFO: Date set to: 20250611T07:18:41, timeout set to: 1000
2025-06-11 08:18:41,137 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8
2025-06-11 08:18:41,137 [root] DEBUG: Storing results at: C:\gHzlKZ
2025-06-11 08:18:41,137 [root] DEBUG: Pipe server name: \\.\PIPE\rHrtLqJID
2025-06-11 08:18:41,137 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-11 08:18:41,153 [root] INFO: analysis running as an admin
2025-06-11 08:18:41,153 [root] INFO: analysis package specified: "exe"
2025-06-11 08:18:41,153 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-11 08:18:42,200 [root] DEBUG: imported analysis package "exe"
2025-06-11 08:18:42,200 [root] DEBUG: initializing analysis package "exe"...
2025-06-11 08:18:42,200 [lib.common.common] INFO: wrapping
2025-06-11 08:18:42,200 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-11 08:18:42,200 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\OOBENetworkConnectionFlow.exe
2025-06-11 08:18:42,200 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-11 08:18:42,200 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-11 08:18:42,200 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-11 08:18:42,200 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-11 08:18:42,387 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-11 08:18:42,481 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-11 08:18:42,496 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-11 08:18:42,512 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-11 08:18:42,527 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-11 08:18:42,527 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-11 08:18:42,527 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-11 08:18:42,527 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-11 08:18:42,527 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-11 08:18:42,527 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-11 08:18:42,527 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-11 08:18:42,527 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-11 08:18:42,527 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-11 08:18:42,527 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-11 08:18:42,527 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-11 08:18:42,527 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-11 08:18:42,527 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-11 08:18:42,527 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-11 08:18:53,778 [modules.auxiliary.digisig] DEBUG: File has a valid signature
2025-06-11 08:18:53,778 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-11 08:18:53,778 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-11 08:18:53,778 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-11 08:18:53,778 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-11 08:18:53,778 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-11 08:18:53,778 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-11 08:18:53,778 [modules.auxiliary.disguise] INFO: Disguising GUID to da52efaa-94ca-42bc-b9ed-e09355c09058
2025-06-11 08:18:53,778 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-11 08:18:53,778 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-11 08:18:53,778 [root] DEBUG: attempting to configure 'Human' from data
2025-06-11 08:18:53,793 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-11 08:18:53,793 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-11 08:18:53,793 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-11 08:18:53,793 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-11 08:18:53,793 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-11 08:18:53,793 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-11 08:18:53,793 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-11 08:18:53,793 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-11 08:18:53,793 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-11 08:18:53,793 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-11 08:18:53,793 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-11 08:18:53,793 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-11 08:18:53,793 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-11 08:18:53,793 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-11 08:18:53,825 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini
2025-06-11 08:18:53,825 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-11 08:18:53,825 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-11 08:18:53,825 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-11 08:18:53,825 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-11 08:18:53,825 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-11 08:18:53,825 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-11 08:18:53,840 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\yOjggjR.dll, loader C:\tmp_gell1p8\bin\xkGaAUPF.exe
2025-06-11 08:18:53,903 [root] DEBUG: Loader: IAT patching disabled.
2025-06-11 08:18:53,903 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\yOjggjR.dll.
2025-06-11 08:18:53,950 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-11 08:18:53,950 [root] INFO: Disabling sleep skipping.
2025-06-11 08:18:53,950 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-11 08:18:53,950 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-11 08:18:53,950 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-11 08:18:53,950 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-11 08:18:53,950 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-11 08:18:53,950 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-11 08:18:53,965 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-11 08:18:53,965 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-11 08:18:53,965 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 2868, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000
2025-06-11 08:18:53,965 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-11 08:18:53,996 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-11 08:18:53,996 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-11 08:18:53,996 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\yOjggjR.dll.
2025-06-11 08:18:54,012 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-0 <truncated>

Machine

Name win10-2
Label win10-2
Manager KVM
Started On 2025-06-11 15:23:54
Shutdown On 2025-06-11 15:41:10
Route none

File Details

File Name OOBENetworkConnectionFlow.exe
File Type PE32+ executable (GUI) x86-64, for MS Windows
File Size 549688 bytes
MD5 263e3099ef381e3f63a4fae56adffe5c
SHA1 eed2322639cf5e0c1d5b763a38a7291cbd1e6529
SHA256 5430d26fc5dcc293989756bb357da300d26eadaebb5ea92e5f01d55415d05f37
SHA3-384 3f0d6791b77c1d23d67e5de9d33bac59d611f3761d6cd7e0f60c8a47396c5fd57875e173009558fe96717128215b9299
CRC32 2AFC281C
TLSH T1D0C4E7254B9C46D5D675A13C899B8382F5B2B8140F214BCB51B0D32E2F7BAF4AC3E365
Ssdeep 6144:faAhsbbxYgd2+WIJECZYpbHsb7hYmd2Fwt/Rm7inUivNjBS6Dq:rQFR2+W7poYmdbminxo6Dq
?ReleaseTarget@ControlBlock@Details@Platform@@AEAAXXZ
calloc
map/set<T> too long
IsContextMenuEnabled
20180915065655Z
AutoProgressHandling
message_size
Exception
GetProcessHeap
SignalStrength
CanRead
Windows.Foundation.IReferenceArray`1<Windows.UI.Xaml.Markup.IXamlMetadataProvider>
Sleep
IsDeviceTunnelVPNProfile
??0exception@@QEAA@AEBQEBDH@Z
SystemSettings.DataModel.ISettingItem
NetworkUX.ViewContext.IsWiFiContentVisible
l$ VH
NetworkUX.ViewModel.SettingEntry.AutomationId
IsWiFiContentVisible
Action
too_many_files_open
AirplaneModeQuickActionViewModel
VyqpB
WindowsCompareStringOrdinal
no_buffer_space
SetUnhandledExceptionFilter
RoFailFastWithErrorContext
.?AV?$Module@$00VInProcModule@Details@Platform@@@WRL@Microsoft@@
QuickActions.ViewModel.QuickActionViewModel.QuickActionIcon
pA_A^A]A\_^]
.data
.PE$AAVObject@Platform@@
@A_A^A]A\_
Unexpected activation kind
network down
executable format error
\$hE3
NetworkUX.ViewModel.SettingEntry.Description
device or resource busy
|$ AVI
Windows.Foundation.IReference`1<NetworkUX.ViewModel.AutoProgressHandlingType>
api-ms-win-core-winrt-error-l1-1-1.dll
Ipbad locale name
A_A^A]A\]
D$ E3
.text
,WZ5dbkmgKNxIMZ1hwSQyC76mIr6lxpuAe63SSWQPxeY=0Z
@SUVWAVAWH
NetworkUX.ViewModel.SettingEntry.SettingType
Windows.Foundation.IReference`1<Single>
9l$ }
jcY7.
T$0H+
memset
_XamlTypeInfo.InfoProvider.XamlMember
t$hH+
`.rdata
value too large
[%hs]
?__abi_WinRTraiseOutOfBoundsException@@YAXXZ
unknown error
)Microsoft Root Certificate Authority 20100
result out of range
.PE$AAVOutOfBoundsException@Platform@@
l$ WH
WindowsGetStringLen
Connectivity
Plugin
QuickActions.ViewModel.QuickActionViewModel.InvokeCommand
ReleaseSemaphore
network_unreachable
XamlTypeInfo.InfoProvider.XamlSystemBaseType
?__abi_WinRTraiseOperationCanceledException@@YAXXZ
IsToggleable
QuickActions.QuickActionTemplateSelector
GetProcAddress
regex_error(error_brack): The expression contained mismatched [ and ].
H9=YL
NetworkUX.Category.Name
pA^_^
ProductName
|$(A^
cntrl
D$8fD
QuickActions.AdvancedPageInfo.PageSource
?TerminateModule@Details@Platform@@YA_NPEAVModuleBase@1WRL@Microsoft@@@Z

PE Information

Image Base 0x140000000
Entry Point 0x0004bb10
Reported Checksum 0x0008778c
Actual Checksum 0x0008778c
Minimum OS Version 6.0
PDB Path OOBENetworkConnectionFlow.pdb
Compile Time 2018-09-15 01:00:53
Import Hash f8e1bc3043535d715f41c35afffca8e6
Exported DLL Name OOBENetworkConnectionFlow.exe

Version Infos

CompanyName Microsoft Corporation
FileDescription OOBE Network Connection Flow
FileVersion 10.0.17763.1 (WinBuild.160101.0800)
InternalName OOBENetworkConnectionFlow
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename OOBENetworkConnectionFlow.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.17763.1
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x0005071c 0x00050800 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.10
.rdata 0x00050c00 0x00052000 0x00029cac 0x00029e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.57
.data 0x0007aa00 0x0007c000 0x00004088 0x00003600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 3.90
.pdata 0x0007e000 0x00081000 0x00004cf8 0x00004e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.67
.rsrc 0x00082e00 0x00086000 0x00000448 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 2.57
.reloc 0x00083400 0x00087000 0x00000d70 0x00000e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.39

Overlay

Offset 0x00084200
Size 0x00002138

Name Offset Size Language Sub-language Entropy File type
RT_VERSION 0x00086060 0x000003e8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.45 None

Imports

Name Address
GetProcAddress 0x140052098
GetModuleHandleExW 0x1400520a0
GetModuleFileNameA 0x1400520a8
GetModuleHandleW 0x1400520b0
Name Address
LeaveCriticalSection 0x140052150
WaitForSingleObject 0x140052158
ReleaseMutex 0x140052160
ReleaseSRWLockExclusive 0x140052168
AcquireSRWLockExclusive 0x140052170
ReleaseSemaphore 0x140052178
EnterCriticalSection 0x140052180
DeleteCriticalSection 0x140052188
AcquireSRWLockShared 0x140052190
CreateMutexExW 0x140052198
CreateSemaphoreExW 0x1400521a0
WaitForSingleObjectEx 0x1400521a8
OpenSemaphoreW 0x1400521b0
ReleaseSRWLockShared 0x1400521b8
InitializeCriticalSectionEx 0x1400521c0
Name Address
HeapAlloc 0x140052078
HeapFree 0x140052080
GetProcessHeap 0x140052088
Name Address
GetLastError 0x140052040
UnhandledExceptionFilter 0x140052048
SetLastError 0x140052050
SetUnhandledExceptionFilter 0x140052058
Name Address
CoTaskMemFree 0x140052000
CoTaskMemAlloc 0x140052008
CoCreateFreeThreadedMarshaler 0x140052010
Name Address
TerminateProcess 0x1400520d0
GetCurrentThreadId 0x1400520d8
GetStartupInfoW 0x1400520e0
GetCurrentProcessId 0x1400520e8
GetCurrentProcess 0x1400520f0
Name Address
FormatMessageW 0x1400520c0
Name Address
IsDebuggerPresent 0x140052020
DebugBreak 0x140052028
OutputDebugStringW 0x140052030
Name Address
CloseHandle 0x140052068
Name Address
_free_locale 0x140052290
_get_current_locale 0x140052298
__crtLCMapStringW 0x1400522a0
__crtCompareStringW 0x1400522a8
_wcsdup 0x1400522b0
abort 0x1400522b8
calloc 0x1400522c0
__pctype_func 0x1400522c8
___lc_codepage_func 0x1400522d0
___lc_handle_func 0x1400522d8
___mb_cur_max_func 0x1400522e0
setlocale 0x1400522e8
memmove 0x1400522f0
memcpy 0x1400522f8
??0exception@@QEAA@AEBQEBDH@Z 0x140052300
_callnewh 0x140052308
_CxxThrowException 0x140052310
wcslen 0x140052318
memset 0x140052320
??0bad_cast@@QEAA@AEBV0@@Z 0x140052328
??1bad_cast@@UEAA@XZ 0x140052330
wcsrchr 0x140052338
??0exception@@QEAA@AEBQEBD@Z 0x140052340
?what@exception@@UEBAPEBDXZ 0x140052348
wcstol 0x140052350
_errno 0x140052358
wcsstr 0x140052360
_vsnprintf_s 0x140052368
?terminate@@YAXXZ 0x140052370
??0exception@@QEAA@AEBV0@@Z 0x140052378
_commode 0x140052380
_fmode 0x140052388
_acmdln 0x140052390
__setusermatherr 0x140052398
_ismbblead 0x1400523a0
_cexit 0x1400523a8
_exit 0x1400523b0
exit 0x1400523b8
__set_app_type 0x1400523c0
__getmainargs 0x1400523c8
_initterm 0x1400523d0
malloc 0x1400523d8
_amsg_exit 0x1400523e0
_XcptFilter 0x1400523e8
_onexit 0x1400523f0
__dllonexit 0x1400523f8
_unlock 0x140052400
_lock 0x140052408
__C_specific_handler 0x140052410
??1type_info@@UEAA@XZ 0x140052418
realloc 0x140052420
strchr 0x140052428
free 0x140052430
___lc_collate_cp_func 0x140052438
??0bad_cast@@QEAA@PEBD@Z 0x140052440
??0exception@@QEAA@XZ 0x140052448
??1exception@@UEAA@XZ 0x140052450
_purecall 0x140052458
memcpy_s 0x140052460
_vsnwprintf 0x140052468
??3@YAXPEAX@Z 0x140052470
__CxxFrameHandler3 0x140052478
Name Address
?GetCmdArguments@Details@Platform@@YAPEAPEA_WPEAH@Z 0x140052488
?GetIidsFn@@YAJHPEAKPEBU__s_GUID@@PEAPEAVGuid@Platform@@@Z 0x140052490
?ReCreateFromException@Details@Platform@@YAJPE$AAVException@2@@Z 0x140052498
?__abi_FailFast@@YAXXZ 0x1400524a0
?GetActivationFactoryByPCWSTR@@YAJPEAXAEAVGuid@Platform@@PEAPEAX@Z 0x1400524a8
?UninitializeData@Details@Platform@@YAXH@Z 0x1400524b0
?InitializeData@Details@Platform@@YAJH@Z 0x1400524b8
?EventSourceGetTargetArrayEvent@Details@Platform@@YAPEAXPEAXIPEBXPEA_J@Z 0x1400524c0
?EventSourceGetTargetArraySize@Details@Platform@@YAIPEAX@Z 0x1400524c8
?EventSourceGetTargetArray@Details@Platform@@YAPEAXPEAXPEAUEventLock@12@@Z 0x1400524d0
?get@FullName@Type@Platform@@QE$AAAPE$AAVString@3@XZ 0x1400524d8
?__abi_ObjectToString@__abi_details@@YAPE$AAVString@Platform@@PE$AAVObject@3@_N@Z 0x1400524e0
?__abi_make_type_id@@YAPE$AAVType@Platform@@AEBU__abi_type_descriptor@@@Z 0x1400524e8
?GetTypeCode@Type@Platform@@SA?AW4TypeCode@2@PE$AAV12@@Z 0x1400524f0
??0ChangedStateException@Platform@@QE$AAA@XZ 0x1400524f8
?GetIBoxVtable@Details@Platform@@YAPEAXPEAX@Z 0x140052500
?EventSourceInitialize@Details@Platform@@YAXPEAPEAX@Z 0x140052508
??0OutOfBoundsException@Platform@@QE$AAA@XZ 0x140052510
??0FailureException@Platform@@QE$AAA@XZ 0x140052518
??0OutOfMemoryException@Platform@@QE$AAA@XZ 0x140052520
?EventSourceAdd@Details@Platform@@YA?AVEventRegistrationToken@Foundation@Windows@@PEAPEAXPEAUEventLock@12@PE$AAVDelegate@2@@Z 0x140052528
?EventSourceRemove@Details@Platform@@YAXPEAPEAXPEAUEventLock@12@VEventRegistrationToken@Foundation@Windows@@@Z 0x140052530
?CreateValue@Details@Platform@@YAPE$AAVObject@2@W4TypeCode@2@PEBX@Z 0x140052538
?__abi_cast_String_to_Object@__abi_details@@YAPE$AAVObject@Platform@@PE$AAVString@3@@Z 0x140052540
?EventSourceUninitialize@Details@Platform@@YAXPEAPEAX@Z 0x140052548
??0NullReferenceException@Platform@@QE$AAA@XZ 0x140052550
??0InvalidArgumentException@Platform@@QE$AAA@XZ 0x140052558
??0NotImplementedException@Platform@@QE$AAA@XZ 0x140052560
?GetWeakReference@Details@Platform@@YAPEAU__abi_IUnknown@@QE$ADVObject@2@@Z 0x140052568
??0Delegate@Platform@@QE$AAA@XZ 0x140052570
?CreateException@Exception@Platform@@SAPE$AAV12@HPE$AAVString@2@@Z 0x140052578
?get@Message@Exception@Platform@@QE$AAAPE$AAVString@3@XZ 0x140052580
?Allocate@Heap@Details@Platform@@SAPEAX_K0@Z 0x140052588
??0Object@Platform@@QE$AAA@XZ 0x140052590
?GetIBoxArrayVtable@Details@Platform@@YAPEAXPEAX@Z 0x140052598
?__abi_cast_Object_to_String@__abi_details@@YAPE$AAVString@Platform@@_NPE$AAVObject@3@@Z 0x1400525a0
??0FailureException@Platform@@QE$AAA@PE$AAVString@1@@Z 0x1400525a8
?AllocateException@Heap@Details@Platform@@SAPEAX_K0@Z 0x1400525b0
?__abi_WinRTraiseNotImplementedException@@YAXXZ 0x1400525b8
?__abi_WinRTraiseInvalidCastException@@YAXXZ 0x1400525c0
?__abi_WinRTraiseNullReferenceException@@YAXXZ 0x1400525c8
?__abi_WinRTraiseOperationCanceledException@@YAXXZ 0x1400525d0
?__abi_WinRTraiseFailureException@@YAXXZ 0x1400525d8
?__abi_WinRTraiseAccessDeniedException@@YAXXZ 0x1400525e0
?__abi_WinRTraiseOutOfMemoryException@@YAXXZ 0x1400525e8
?__abi_WinRTraiseInvalidArgumentException@@YAXXZ 0x1400525f0
?__abi_WinRTraiseOutOfBoundsException@@YAXXZ 0x1400525f8
?__abi_WinRTraiseChangedStateException@@YAXXZ 0x140052600
?__abi_WinRTraiseClassNotRegisteredException@@YAXXZ 0x140052608
?__abi_WinRTraiseWrongThreadException@@YAXXZ 0x140052610
?__abi_WinRTraiseDisconnectedException@@YAXXZ 0x140052618
?__abi_WinRTraiseObjectDisposedException@@YAXXZ 0x140052620
?__abi_WinRTraiseCOMException@@YAXJ@Z 0x140052628
?ReleaseTarget@ControlBlock@Details@Platform@@AEAAXXZ 0x140052630
?AlignedFree@Heap@Details@Platform@@SAXPEAX@Z 0x140052638
?Free@Heap@Details@Platform@@SAXPEAX@Z 0x140052640
?GetActivationFactory@Details@Platform@@YAJPEAVModuleBase@1WRL@Microsoft@@PEAUHSTRING__@@PEAPEAUIActivationFactory@@@Z 0x140052648
?ResolveWeakReference@Details@Platform@@YAPE$AAVObject@2@AEBU_GUID@@PEAPEAU__abi_IUnknown@@@Z 0x140052650
?TerminateModule@Details@Platform@@YA_NPEAVModuleBase@1WRL@Microsoft@@@Z 0x140052658
Name Address
SetRestrictedErrorInfo 0x140052210
RoOriginateError 0x140052218
RoFailFastWithErrorContext 0x140052220
Name Address
RoReportUnhandledError 0x140052230
Name Address
RtlLookupFunctionEntry 0x140052110
RtlCaptureContext 0x140052118
RtlVirtualUnwind 0x140052120
Name Address
Sleep 0x1400521d0
Name Address
QueryPerformanceCounter 0x140052100
Name Address
GetSystemTimeAsFileTime 0x1400521e0
GetTickCount 0x1400521e8
Name Address
EncodePointer 0x1400521f8
DecodePointer 0x140052200
Name Address
WideCharToMultiByte 0x140052130
MultiByteToWideChar 0x140052138
GetStringTypeW 0x140052140

Exports

Name Address Ordinal
DllCanUnloadNow 0x14004db30 1
DllGetActivationFactory 0x14004db50 2
VSDesignerDllMain 0x14001be10 3

Usage


Processing ( 0.81 seconds )

  • 0.794 CAPE
  • 0.012 BehaviorAnalysis
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.06 seconds )

  • 0.008 ransomware_files
  • 0.006 antiav_detectreg
  • 0.005 antianalysis_detectfile
  • 0.005 ransomware_extensions
  • 0.003 infostealer_ftp
  • 0.003 ursnif_behavior
  • 0.002 antiav_detectfile
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.002 territorial_disputes_sigs
  • 0.001 banker_zeus_p2p
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 infostealer_bitcoin
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior

Reporting ( 0.00 seconds )

  • 0.003 CAPASummary
  • 0.001 JsonDump

Signatures

The PE file contains a PDB path
pdbpath: OOBENetworkConnectionFlow.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Windows\System32\kernel.appcore.dll
\Device\CNG
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsRuntime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\CustomAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\Diagnosis
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
Local\SM0:7008:304:WilStaging_02
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No TCP connections recorded.

No UDP connections recorded.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.