Analysis

Category: FILE
Package: exe
Started: 2025-06-11 13:19:46
Completed: 2025-06-11 13:37:22
Duration: 1056 seconds
Options: procmemdump=1, import_reconstruction=1, unpacker=2, norefer=1, no-iat=1

Analysis Log

2024-11-25 13:37:15,647 [root] INFO: Date set to: 20250611T08:29:33, timeout set to: 1000
2025-06-11 09:29:33,223 [root] DEBUG: Starting analyzer from: C:\tmpjeo7jmad
2025-06-11 09:29:33,223 [root] DEBUG: Storing results at: C:\qtjkmF
2025-06-11 09:29:33,223 [root] DEBUG: Pipe server name: \\.\PIPE\RZVgkDBfkM
2025-06-11 09:29:33,223 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-11 09:29:33,223 [root] INFO: analysis running as an admin
2025-06-11 09:29:33,223 [root] INFO: analysis package specified: "exe"
2025-06-11 09:29:33,223 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-11 09:29:33,957 [root] DEBUG: imported analysis package "exe"
2025-06-11 09:29:33,957 [root] DEBUG: initializing analysis package "exe"...
2025-06-11 09:29:33,957 [lib.common.common] INFO: wrapping
2025-06-11 09:29:33,957 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-11 09:29:33,957 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\SecurityHealthService.exe
2025-06-11 09:29:33,957 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-11 09:29:33,957 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-11 09:29:33,957 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-11 09:29:33,957 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-11 09:29:34,285 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-11 09:29:34,301 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-11 09:29:34,332 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-11 09:29:34,348 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-11 09:29:34,363 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-11 09:29:34,363 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-11 09:29:34,363 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-11 09:29:34,363 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-11 09:29:34,363 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-11 09:29:34,363 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-11 09:29:34,379 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-11 09:29:34,379 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-11 09:29:34,379 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-11 09:29:34,379 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-11 09:29:34,379 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-11 09:29:34,379 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-11 09:29:34,379 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-11 09:29:34,379 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-11 09:29:45,754 [modules.auxiliary.digisig] DEBUG: File has a valid signature
2025-06-11 09:29:45,754 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-11 09:29:45,973 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-11 09:29:45,973 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-11 09:29:45,973 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-11 09:29:45,973 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-11 09:29:45,973 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-11 09:29:45,973 [modules.auxiliary.disguise] INFO: Disguising GUID to 52cb7b0b-87bc-442b-837e-accfda0a4113
2025-06-11 09:29:45,973 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-11 09:29:45,973 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-11 09:29:45,973 [root] DEBUG: attempting to configure 'Human' from data
2025-06-11 09:29:45,973 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-11 09:29:45,973 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-11 09:29:45,973 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-11 09:29:45,973 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-11 09:29:45,973 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-11 09:29:45,973 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-11 09:29:45,973 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-11 09:29:45,973 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-11 09:29:45,973 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-11 09:29:45,973 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-11 09:29:45,989 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-11 09:29:45,989 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-11 09:29:45,989 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-11 09:29:45,989 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-11 09:29:46,004 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmpjeo7jmad\dll\696.ini
2025-06-11 09:29:46,020 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-11 09:29:46,020 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-11 09:29:46,020 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-11 09:29:46,020 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-11 09:29:46,020 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-11 09:29:46,020 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-11 09:29:46,020 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpjeo7jmad\dll\ptkGIrQZ.dll, loader C:\tmpjeo7jmad\bin\RQuFeujb.exe
2025-06-11 09:29:46,082 [root] DEBUG: Loader: IAT patching disabled.
2025-06-11 09:29:46,082 [root] DEBUG: Loader: Injecting process 696 with C:\tmpjeo7jmad\dll\ptkGIrQZ.dll.
2025-06-11 09:29:46,145 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-11 09:29:46,145 [root] INFO: Disabling sleep skipping.
2025-06-11 09:29:46,145 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-11 09:29:46,145 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-11 09:29:46,145 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-11 09:29:46,145 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-11 09:29:46,145 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-11 09:29:46,145 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-11 09:29:46,161 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-11 09:29:46,161 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-11 09:29:46,161 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 5084, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000
2025-06-11 09:29:46,176 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-11 09:29:46,192 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-11 09:29:46,192 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-11 09:29:46,207 [root] DEBUG: Successfully injected DLL C:\tmpjeo7jmad\dll\ptkGIrQZ.dll.
2025-06-11 09:29:46,207 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-0 <truncated>
Machine

Name: win10-2
Label: win10-2
Manager: KVM
Started On: 2025-06-11 13:19:46
Shutdown On: 2025-06-11 13:37:02
Route: none

File Details

File Name: SecurityHealthService.exe
File Type: PE32+ executable (console) x86-64, for MS Windows
File Size: 864056 bytes
MD5: 8a5d2b1121b8e61a504e325be5647751
SHA1: 61943cbeee742df6c1b530f76d37d6822159356d
SHA256: 359b9f5426377a2706913ac56cec43ab2f0538ccd788d6fdf2dce21554dddb3a
SHA3-384: 5d52c599b0c403efd3caf3a2e0695b92182147a6dc812a3e09051225ad2b92e8e7d87c8e83486d712f8aef22674aa4d3
CRC32: 3FE6570C
TLSH: T147055B6B7BEC00E8D172923985918355EBB3B41E3B719BCB1128821E3F236F95E39355
Ssdeep: 24576:Q7LoRf03RFXz2eBvRpG9Pfxf4W5maYhIomoVMBVJliB:Q7so3q+MoVMBVTiB

Full Results

0A_A^A]^]
Chttp://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl0a
_c_exit
UWAUAVAWH
@A^A]A\_]
IsAvDisableByPolicy
OutputDebugStringW
AppAndBrowserShield
UnregisterTraceGuids
SEHOP
stoi argument out of range
@SVWAVAWH
PathToSignedReportingExe : %ls
<requestedPrivileges>
StartServiceCtrlDispatcherW
ReturnHr
.?AU?$ImplementsHelper@U?$RuntimeClassFlags@$01@WRL@Microsoft@@$00UIAdvisorEngineSink@HealthAdvisor@WSD@@UIAppAndBrowserNotificationsSink@@UIHardwareNotificationsSink@@UIAccountProtectionNotificationsSink@@UIOSProtectionHealthSink@@UIForceFieldSink@@UIDataProtectionSink@@@Details@WRL@Microsoft@@
WldpQueryWindowsLockdownMode
OLE32.dll
WscUnRegisterChanges
WINTRUST.dll
VbsIsCapable
CoAddRefServerProcess
IcfChangeNotificationDestroy
UUUUUUU
L!*L!.A
t$hI;
@A^_]
A^A\]
IcfChangeNotificationCreate
.CRT$XTA
consumers
Threat_3rdP_ScanSettingsUpdatesNeeded
GetSystemPowerStatus
.?AVFtmBase@WRL@Microsoft@@
`A_A^^[]
DataProtectionRevokeWarning
ERy*g!
@8,1u
.?AVAutoGetUserToken@ShieldProvider@@
.?AVCHResultExceptionImpl@CommonUtil@@
@SUVWATAVAWH
UWATAUAWH
WATAUAVAWH
HealthAdvisor_DriverStatusNeedsUpdate
NotSupportedInThisSku
H!\$(L
.?AU?$ImplementsHelper@U?$RuntimeClassFlags@$01@WRL@Microsoft@@$0A@U?$IAsyncOperationCompletedHandler@PEAVGetDefaultSignInAccountResult@Web@Authentication@Security@Internal@Windows@@@Foundation@Windows@@VFtmBase@23@@Details@WRL@Microsoft@@
A^_^[]
fD9t]
$`2X`F
0A^_^[]
20190117024319Z0w0=
api-ms-win-crt-convert-l1-1-0.dll
.?AV?$RuntimeClass@U?$RuntimeClassFlags@$01@WRL@Microsoft@@UIDashboard@@UIManagementStatusSink@@UIDefenderNotificationsSink@@UIThreatProtectionStatusSink@@UINetworkProtectionHealthSink@@UIAdvisorEngineSink@HealthAdvisor@WSD@@UIAppAndBrowserNotificationsSink@@UIHardwareNotificationsSink@@UIAccountProtectionNotificationsSink@@UIOSProtectionHealthSink@@UIForceFieldSink@@UIDataProtectionSink@@@WRL@Microsoft@@
!J+R}
api-ms-win-security-base-l1-1-0.dll
DataProtectionDismissWarning
A_A^A]A\_
|$ E3
.CRT$XCAA
api-ms-win-core-sysinfo-l1-2-0.dll
D$ t9H
MpConfigIteratorOpen
.?AU?$ImplementsHelper@U?$RuntimeClassFlags@$01@WRL@Microsoft@@$0A@UIDataProtectionShield@@@Details@WRL@Microsoft@@
WTHelperGetProvSignerFromChain
\$ UH
_initialize_onexit_table
.?AUIAssessmentBase@HealthAdvisor@WSD@@
WlanEnumInterfaces
/id AppsDiagnostic
.CRT$XTZ
CoRevokeClassObject
L9{0t#H
.00cfg
.?AUCAutoProcessInformation@HealthAdvisor@WSD@@
_wcsicmp
D8%wa
FreeLibrary
RoRevokeActivationFactories
HealthAdvisorShield
H;s8vEH
FailFast
t$hA;
xA_A]A\_^[
T$0E3
'R{=f
HardwareShield
T$dE3
http://www.microsoft.com/windows0
UVWATAVH
OpenThreadToken
ATAVAWH
H!}XH
UAUAWI
AccountProtection_MicrosoftAccount_Associated
CompanyName
hgtlCm
f9,Zu
RemoveAllImageMitigationAuditPoliciesFailure
ChangedInBootCycle
ValidateXML
@A_A^_
GetCurrentThreadId
L$pI;
.?AV?$RuntimeClassImpl@U?$RuntimeClassFlags@$01@WRL@Microsoft@@$00$0A@$0A@UIApplicationGuardShield@@@Details@WRL@Microsoft@@
AccountProtection_MicrosoftAccount_Connected
@UVWATAVH
Runtime_platform : %ls
.?AU?$ImplementsHelper@U?$RuntimeClassFlags@$01@WRL@Microsoft@@$00UIDefenderNotificationsSink@@UIThreatProtectionStatusSink@@UINetworkProtectionHealthSink@@UIAdvisorEngineSink@HealthAdvisor@WSD@@UIAppAndBrowserNotificationsSink@@UIHardwareNotificationsSink@@UIAccountProtectionNotificationsSink@@UIOSProtectionHealthSink@@UIForceFieldSink@@UIDataProtectionSink@@@Details@WRL@Microsoft@@
.?AU?$ImplementsHelper@U?$RuntimeClassFlags@$01@WRL@Microsoft@@$0A@UIWeakReference@@@Details@WRL@Microsoft@@
NgcQueryEnabled
{ H;{(
@SVWATAUAVAWH
;D$X}
calloc
https://login.microsoft.com
CoRegisterClassObject
CryptCATAdminReleaseContext
Threat_3rdP_ScanUpdatesRecommended
GetProcessHeap
Network_3rdP_ActionNeeded
Sleep
GetFileSizeEx
SetMitigationAuditPolicyFailure
/launch /fw
QueryServiceStatus
CLASSES_ROOT\%s
AppHVSIClipboardFileType
.?AVCWscProductInfoEntry@ShieldProvider@@
.?AVAccountProtectionShield@ShieldProvider@@
.?AV?$RuntimeClassImpl@U?$RuntimeClassFlags@$01@WRL@Microsoft@@$00$0A@$0A@UIDashboard@@UIManagementStatusSink@@UIDefenderNotificationsSink@@UIThreatProtectionStatusSink@@UINetworkProtectionHealthSink@@UIAdvisorEngineSink@HealthAdvisor@WSD@@UIAppAndBrowserNotificationsSink@@UIHardwareNotificationsSink@@UIAccountProtectionNotificationsSink@@UIOSProtectionHealthSink@@UIForceFieldSink@@UIDataProtectionSink@@@Details@WRL@Microsoft@@
ImageType
z?801i:It6
SOFTWARE\Microsoft\Windows NT\CurrentVersion
u0HcH<H
EvtRender
t$ UWATAVAWH
MpGetAsrBlockedProcesses
GetDiskFreeSpaceExW
.?AU?$IAsyncOperationCompletedHandler@PEAVGetDefaultSignInAccountResult@Web@Authentication@Security@Internal@Windows@@@Foundation@Windows@@
HighEndThresholdMB
.?AVAdvisorEngine@HealthAdvisor@WSD@@
@SUVWAVAWH
{ AVH
</security>
.?AVTimeServiceAssessment@HealthAdvisor@WSD@@
Windows.Internal.Security.Authentication.Web.TokenBrokerInternal
_`H;_ht
TpmGatherLogs
|$ H;
.?AVCMpShutterWait@CommonUtil@@
oT$@f
)Microsoft Root Certificate Authority 20100
.?AVStorageHealthEvalAssessment@HealthAdvisor@WSD@@
_wtol
D$pA;
%ls%ls
RegOpenKeyExW
H9_Hs<
ReleaseSemaphore
.?AVStorageHealthResults@HealthAdvisor@WSD@@
CreateEventExW
D$@!|$@H
TimeServiceAssessmentEnd
_wcsnicmp
FindFirstFileW
UnregisterWaitEx
GetPhysicallyInstalledSystemMemory
09/(G
.?AUIUnknown@@
H91u^H
EnforceToastCallerCheck
PA_A^A]A\_^]
D9D$$u
LockResource
FwIsGroupPolicyEnforced
l$ VWAVH
`A_A^A\_^[]
DisableAntiVirus
ContainerImages\hvsi.wim
USVWAVH
D$8H;
Data Protection Shield
A^_^][
T$xL+
ExportMitigation
.?AUISecurityAppBrokerSink@SecurityCenter@Windows@@
.?AUIWinSecurityAcl@CommonUtil@@
.?AUIUtilRegListenerCallback@CommonUtil@@
Time Service
VbsSetScenarioEnable
cryptngc.dll
ResolveDelayLoadedAPI
DataProtection_Unknown
MD9MLH
TpmClearWithPolicyOrPPI
.?AU?$ImplementsHelper@U?$RuntimeClassFlags@$02@WRL@Microsoft@@$00UIWeakReferenceSource@@@Details@WRL@Microsoft@@
v#fD9t^
Default
Network_3rdP_ActionRecommended
|hK,_
Common_Healthy
Microsoft.Windows.Defender.Shield
CheckTokenMembership
.?AV?$CRefObjectFor@UIEnumFiles@CommonUtil@@@CommonUtil@@
.?AVCFlatEnumFiles@CommonUtil@@
?_Xlength_error@std@@YAXPEBD@Z
MitigationConfiguration.dll
TimeServiceStatus
WaitForMultipleObjects
PA^A\_^]
UATAVH
RtlSetImageMitigationPolicy
D$PE3
@USVATAUAVAWH
EnableControlledFolderAccess
%windir%\system32\UsoClient.exe startscan
DeviceHealthScanThrottle
.didat$7
windowsdefender://
memmove
Windows.SecurityCenter.SecurityAppBroker
O:BAG:BAD:(A;;0x3;;;SY)(A;;0x3;;;BA)(A;;0x3;;;IU)(A;;0x3;;;LS)(A;;0x3;;;AC)
(caller: %p)
fD94Fu
H!\$PE
-cleanpc
9?Zh:
CapturedMitigationPolicyValue
N(9M8u
WDSC-*.etl
MpForcedReboot
CryptCATAdminEnumCatalogFromHash
_callnewh
D$(L!L$ L
OpenProcess
250701214655Z0|1
Timestamp of assessment run
L$xD+
.rtc$TAA
DsrFreeJoinInfo
{(uAH
^HH;^PtQH
D$0=
.?AVDataProtectionShield@ShieldProvider@@
MpAllocMemory
E(H9E
uNH!]8H
Threat_3rdP_SettingsNeeded
L9] u8
Threat_3rdP_ScanUpdatesNeeded
HealthAdvisor_PristineShellContentPresent
040904B0
HardwareSecurityHealth
.CRT$XIC
.rdata$zETW2
H;\$0teH
D9u0vjA
M H1E
MpManagerEnable
SizeofResource
wcstol
w~(cMx
fD9$ru
.?AVHealthAdvisorShield@HealthAdvisor@WSD@@
@USVWAVH
WindowsDeleteString
fB94Su
'zsge
.?AUIHealthAdvisorShield@@
VerifyVersionInfoW
.?AVbad_alloc@std@@
A_A^A]A\_^]
TpmCoreProvisioning.DLL
SYSTEM\Setup
SummaryHealth
.?AU?$ImplementsHelper@U?$RuntimeClassFlags@$01@WRL@Microsoft@@$0A@UIAppAndBrowserShield@@@Details@WRL@Microsoft@@
.rtc$IZZ
I!<$H
A_A^]
.?AVNetworkProtectionShield@ShieldProvider@@
Network protection Shield Class
Dashboard
JHcH<
Failed to unregister service, hr = %08X
.?AU?$ImplementsHelper@U?$RuntimeClassFlags@$01@WRL@Microsoft@@$00U?$ImplementsMarker@VFtmBase@WRL@Microsoft@@@Details@23@@Details@WRL@Microsoft@@
.?AV?$_String_alloc@U?$_String_base_types@GV?$allocator@G@std@@@std@@@std@@
SHLWAPI.dll
ext-ms-win-shell32-shellfolders-l1-1-0.dll
GetComputerNameW
Microsoft-Windows-Defender-AntivirusAllowed
.?AVWeakReferenceImpl@Details@WRL@Microsoft@@
180606185719Z
Defender_EngineUnavailable
Defender_AutoSampleSubmissionDisabled
?_Xinvalid_argument@std@@YAXPEBD@Z
DataProtectionHealth
?{LQ>
CreateTimerQueueTimer
Dashboard Class
7P?O}
SOFTWARE\Policies\Microsoft\Windows Defender Security Center
.rtc$IAA
Threat_3rdP_ScanSettingsUpdatesRecommended
RegQueryValueExW
@SVWH
VarFileInfo
VWAUAVAWH
4$OkoV
WlanCloseHandle
.?AU?$ImplementsHelper@U?$RuntimeClassFlags@$01@WRL@Microsoft@@$0A@UIApplicationGuardShield@@@Details@WRL@Microsoft@@
LHcH<
ET$hH
SecurityHealthService.pdb
MpThreatQuery
api-ms-win-service-management-l2-1-0.dll
PA_A^_
D9d$h
AllowAppHVSI
Cf9)s
</requestedPrivileges>
TUUUUUU
VWAWH
D9u0vIK
K SUVWAVAWH
StrictHandleCheck
9{Ee@
api-ms-win-core-libraryloader-l1-2-0.dll
RtlUnsubscribeWnfNotificationWaitForCompletion
OSProtection_ResetRequired
.?AV?$RuntimeClassImpl@U?$RuntimeClassFlags@$01@WRL@Microsoft@@$00$0A@$0A@UIAppAndBrowserShield@@@Details@WRL@Microsoft@@
H9u8t
CreateFileW
D$pA9
Defender_CloudProtectionDisabled
|$(H;|$Xt}H
AllocateAndInitializeSid
D$`HcH
OneDrive Consumer
.?AUIOSProtectionHealthSink@@
BlackoutNotSet
z~Pe&
BlackoutEndTime
.?AU?$ImplementsHelper@U?$RuntimeClassFlags@$01@WRL@Microsoft@@$0A@UIDefenderNotificationsSink@@@Details@WRL@Microsoft@@
Local\SM0:%d:%d:%hs
Runtime_platform
!\$DD
AccountProtection_DynamicLock_NotMonitoring
_seh_filter_exe
RegGetValueW
FileTrustCriteria
.?AVDashboardEx@ShieldProvider@@
USVWATAUAVH
.?AU?$ImplementsHelper@U?$RuntimeClassFlags@$01@WRL@Microsoft@@$00UIThreatProtectionStatusSink@@UINetworkProtectionHealthSink@@UIAdvisorEngineSink@HealthAdvisor@WSD@@UIAppAndBrowserNotificationsSink@@UIHardwareNotificationsSink@@UIAccountProtectionNotificationsSink@@UIOSProtectionHealthSink@@UIForceFieldSink@@UIDataProtectionSink@@@Details@WRL@Microsoft@@
__acrt_iob_func
api-ms-win-core-winrt-string-l1-1-0.dll
FormatMessageW
SVWAUAVAWH
InitializeCriticalSectionAndSpinCount
/id DeviceDiagnostic
TPM_Logs
@WAVAWH
HealthAdvisor_StorageHealthOkWithIssues
CoUninitialize
<!-- Copyright (c) Microsoft Corporation -->
App and Browser Shield
Microsoft Corporation1$0"
Event/EventData[Data='AppsDiagnostic']
A_A^A]A\_
.rtc$TZZ
sQPI[5T
DeleteCriticalSection
u$D9U
RaiseException
\$ WH
RtlCaptureContext
SOFTWARE\Microsoft\Windows Security Health\State
N J;<
H;Q(vBH
T$HH+
EnableCameraMicrophoneRedirection
CloseThreadpoolWork
SWATAVAWH
x ATAVAWH
CreateProcessAsUserW
%ls\%ls
Hardware_TpmUpdateNeeded
d|BNeU
api-ms-win-power-base-l1-1-0.dll
.CRT$XLA
<?xml version="1.0" encoding="UTF-8" ?>
t-9\$0
.?AVCRefCountedBase@@
__std_exception_copy
Systray
!\$p3
api-ms-win-service-management-l1-1-0.dll
ShieldHeartbeat
@WATAUAVAW
UnregisterWaitUntilOOBECompleted
WTHelperProvDataFromStateData
!\$(L
GetActiveProcessorCount
AppAndBrowser_AppRepSmartScreenOff
` UAVAWH
Shield Provider Toast
CoResumeClassObjects
u1@8-Fz
.?AUIDeviceDriverResults@@
GetLengthSid
9Edt
T$8H+
LogonUserW
A_A^_
Windows Defender Exploit Guard\Controlled Folder Access
Microsoft Corporation1200
isSmartStorageEnabled
ControlFlowGuard
AppAndBrowser_EdgeSmartScreenOff
Reliability
NtClose
\MsMpLics.dll
Washington1
msvcp_win.dll
terminate
A_A^A\
OptionalFeatures.exe
D$0H;
Shield Provider Agent
UX Configuration
wscsvc
D$x;0H
api-ms-win-core-heap-l2-1-0.dll
CoIncrementMTAUsage
api-ms-win-core-processthreads-l1-1-0.dll
H91u\H
onecoreuap\base\power\batteryalertsmanager\batteryalertsmanager.cpp
D$4A;F
_set_app_type
UseFilter
@USVWATAVAWH
GetSystemTimePreciseAsFileTime
Threat_3rdP_ScanNeeded_SettingsRecommended
!M;` s]H
imageName
^BNQ,^
LastHeartbeat
EHH!]H
UnsupportedSku
api-ms-win-oobe-notification-l1-1-0.dll
api-ms-win-devices-config-l1-1-1.dll
.?AUIWscBrokerManagerSink@SecurityCenter@Windows@@
.?AV?$RuntimeClassImpl@U?$RuntimeClassFlags@$01@WRL@Microsoft@@$00$0A@$0A@UIAccountProtectionShield@@@Details@WRL@Microsoft@@
GH9CH
ShieldHeartbeatThrottle
MpTriggerStatusRefreshNotification
Threat_3rdP_SettingsRecommended
RtlLookupFunctionEntry
.?AVCUtilRegEnumKeyValues@CommonUtil@@
internal\sdk\inc\wil\resource.h
GetTraceEnableFlags
L$xH;
FilterFullPath
TpmInit.exe
[%hs(%hs)]
H9E8s1H
Software\Policies\Microsoft\PassportForWork\DynamicLock
QueryPerformanceCounter
effffff
Threat_3rdP_L1_MultipleActionNeeded
CreateThreadpool
DisableNotifications
D$`Li
VY$[X
\$ UVWATAUAVAWH
StringFileInfo
RegNotifyChangeKeyValue
oD$ f
t$ WAVAWH
t$ UWATAUAWH
0A_A^A]A\_
Microsoft YaHei UI
MitigationAuditPolicyValuePostSet
D$hH;
App and Browser protection
gxI3!'
Microsoft.Windows.ImageMitigationPolicy
Side by side passive
G09C0u
SeChangeNotifyPrivilege
@WATAUAVAWH
WasEnabledBy
Threat_3rdP_ScanSettingsNeeded
Vving1
Microsoft Time-Stamp service0
SeTcbPrivilege
$>b~t
7T})gW
Number of Application Errors
.text$mn
.?AUIMarshal@@
H;\$hu
D9h voH
Size(in days) of query search window
9M<t
O:BAG:BAD:(A;;CCDCLCSWRP;;;SY)(A;;CCDCLCSWRP;;;BA)(A;;CCDCLCSWRP;;;IU)(A;;CCDCLCSWRP;;;LS)(A;;0xb;;;AC)S:(ML;;NX;;;LW)
D9l$hu&D9
ClassFactory
L$XH+
9\$Pt H
RegisterServiceCtrlHandlerExW
.?AVbad_array_new_length@std@@
SUVWATAUAVAWH
.?AVDefenderSink@ShieldProvider@@
\$xIc
Threats\ThreatIDDefaultAction
%ls <Query Path='System'> <Select>Event/System[Provider[@Name="EventLog"] and Level &lt;=3 and TimeCreated[timediff(@SystemTime) &lt;=%lu]]</Select> </Query>
systemreset.exe
HealthAdvisorHealth
.?AUIApplicationGuardShield@@
CryptBinaryToStringW
DecodePointer
.?AVFTMEventDelegate@?1???$WaitForCompletion@U?$IAsyncOperationCompletedHandler@PEAU?$IVectorView@PEAVWebAccount@Credentials@Security@Windows@@@Collections@Foundation@Windows@@@Foundation@Windows@@U?$IAsyncOperation@PEAU?$IVectorView@PEAVWebAccount@Credentials@Security@Windows@@@Collections@Foundation@Windows@@@23@@@YAJPEAU?$IAsyncOperation@PEAU?$IVectorView@PEAVWebAccount@Credentials@Security@Windows@@@Collections@Foundation@Windows@@@Foundation@Windows@@W4tagCOWAIT_FLAGS@@PEAX@Z@
EventWriteTransfer
Q2SWM
T$8H!t$8H
hwp1p0
.?AV?$RuntimeClassImpl@U?$RuntimeClassFlags@$01@WRL@Microsoft@@$00$0A@$0A@UIHardwareShield@@@Details@WRL@Microsoft@@
9u@v:H
8\$@t
AllowVirtualGPU
.?AUIHardwareNotificationsSink@@
.?AV?$CRefObjectFor@UIMpPrivateThreadPool@CommonUtil@@@CommonUtil@@
oL$0f
ImportMitigation
CoDecrementMTAUsage
AccountProtection_WindowsHello_Available
api-ms-win-crt-utility-l1-1-0.dll
T$@E3
.?AVCPeriodicTaskManager@ShieldProvider@@
__stdio_common_vsnprintf_s
NtQueryValueKey
L$`H3
Threat_3rdP_Off
D$@E3
@A_A^_^[
.?AVComClientImpersonator@ShieldProvider@@
L$XH;
DataProtection_UnsupportedOSSku
TraceMask
GD9CDu
GREEN
OHcP<
L$ SWH
T$ L!t$
SpecRequiredFreeDiskSpaceInGB
.didat$6
.?AV?$RuntimeClassImpl@U?$RuntimeClassFlags@$01@WRL@Microsoft@@$00$0A@$0A@U?$IAsyncOperationCompletedHandler@PEAU?$IVectorView@PEAVWebAccount@Credentials@Security@Windows@@@Collections@Foundation@Windows@@@Foundation@Windows@@VFtmBase@23@@Details@WRL@Microsoft@@
D;{Tr
d$`H;
Company : %ls
Management Provider
WindowsGetStringRawBuffer
Upgrade
DataProtection_Healthy
LowEndThresholdMB
MinutesSinceOSInstall
Software\Microsoft\CleanPC
Threat_3rdP_SettingsUpdatesNeeded
D9l$hu&D9}
_get_initial_wide_environment
ForceFieldShield
t$`A;
8A^_^[
IsDebuggerPresent
MpConfigIteratorClose
PowerGetActiveScheme
AllowCameraMicrophoneRedirection
>http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
.?AVStrongReference@Details@WRL@Microsoft@@
HA_A^A]A\_^][
.rdata$zETW1
20190116024319Z
SWATAUAVH
A^A\_^]
.?AUIWeakReferenceSource@@
@A_A^A\
u&H!D$0H
RtlQueryImageMitigationPolicy
MpConfigGetValue
t$ H!t$(H
RtlVirtualUnwind
ext-ms-win-networking-wlanapi-l1-1-0.dll
|$ UH
}`E9|$
GetModuleFileNameW
pA_A^_^]
RaiseFailFastException
SkipPPLRegistration
@A^A]A\_^[]
+dBVY
api-ms-win-core-processthreads-l1-1-1.dll
A_A^A]_^
.?AUIMpThreadPool@CommonUtil@@
InstallLocation
.?AVNullEvent@HealthAdvisor@WSD@@
System
L$@H;
AccountProtection_MicrosoftAccount_NotAvailable
|$HH9l$Pt
M H!] H
Defender_WdoRequired
.CRT$XCA
w9X!P/
RoGetActivationFactory
NtQueryInformationProcess
DataProtectionStatus
KERNEL32.dll
A^A]A\_]
NoAction
u\fIy
L9}0u
k UAVAWH
H UWAVH
api-ms-win-eventing-legacy-l1-1-0.dll
Threat_3rdP_UpdatesNeeded_SettingsRecommended
T$8H!\$8
FWph?r
UnhandledExceptionFilter
_set_fmode
.?AUIAppAndBrowserNotificationsSink@@
__p___argc
.?AVPathAdder@ShieldProvider@@
UpdateRunCadence
GetWindowsDirectoryW
api-ms-win-eventing-classicprovider-l1-1-0.dll
FindResourceW
EventUnregister
.?AVCPoolItem@CUtilRegListener@CommonUtil@@
t$ AVH
UVAUAVAWH
U0S0Q
GetVersionExW
Threat_3rdP_ScanSettingsRecommended
@SUVWATAUAVAWH
SetupDiGetClassDevsW
.?AV?$RuntimeClass@U?$RuntimeClassFlags@$01@WRL@Microsoft@@UIExploitShield@@@WRL@Microsoft@@
GetSystemDirectoryW
.?AVDontUseNewUseMake@Details@WRL@Microsoft@@
VS_VERSION_INFO
S-1-5-80-3232712927-1625117661-2590453128-1738570065-3637376297
DynamicLock
CreateWellKnownSid
api-ms-win-core-synch-l1-2-0.dll
SWATAUAVAWH
AppAndBrowserStatus
x UATAUAVAWH
A_A^_^]
w32time
.CRT$XCZ
MpErrorMessageFormat
LsaLookupUserAccountType
A;,$t
DisableLocalAdminMerge
msdt.exe
^(I9n
H;\$0tkH
D9l$huhD
S-1-5-80-1523878533-411328482-2798077809-3098663872-2604013308
EvtClose
Network_ServiceStopped
map/set<T> too long
tCH;2u/H
Exception
L$pH;E
NgcFreeEnumState
.?AV?$RuntimeClassBaseT@$02@Details@WRL@Microsoft@@
\microsoft\windows\waasmedic
IsAsDisableByPolicy
MpConfigDelValue
\hvsicontainerservice.dll
t$XH;
Health Advisor Shield Class
.?AV?$CRefObjectFor@UIUtilRegListenerCallback@CommonUtil@@@CommonUtil@@
MpScanControl
RtlGetActiveConsoleId
USVWH
\$PE3
*System Defaults*
{ AntiVirus : %ls, Exe : %ls , State : %d , SigUpToDate : %ls%ls}
H!k0H
.CRT$XPA
SeBackupPrivilege
L$pE3
WaitForMultipleObjectsEx
HealthAdvisor_ReliabilityStatusAppError
.data
TraceLevel
CRYPT32.dll
L$pH;
ScRunAssessmentEnd
YELLOW
T$$D!t$ H
H;|$hu
PathFileExistsW
Segoe UI SemiBold
SubmitSamplesConsent
0A\_[
MpCleanControl
memset
[%hs]
H!|$@H
ForceField Web Protection Shield Class
/id NetworkDiagnosticsWeb
0A_A^A\_^][
.?AUIOSProtectionShield@@
fA94Au
_crt_atexit
L$xI;
FileTrustOriginNetworkShare
\$ UVWAVAWH
GetProcAddress
l6s+o
Es|0m
ProductName
PillarStatusFlag_AppAndBrowser_EdgeSmartScreenOff
IsRtpEnabled
HardwareSecurityStatus
DuplicateTokenEx
.?AVStorageHealthAssessment@HealthAdvisor@WSD@@
wscapi.dll
Microsoft Corporation1.0,
CryptCATAdminCalcHashFromFileHandle
.?AU?$ImplementsHelper@U?$RuntimeClassFlags@$01@WRL@Microsoft@@$0A@U?$IAsyncOperationCompletedHandler@PEAU?$IVectorView@PEAVWebAccount@Credentials@Security@Windows@@@Collections@Foundation@Windows@@@Foundation@Windows@@VFtmBase@23@@Details@WRL@Microsoft@@
@8utt
I;_hu
.idata$6
H;t$0s
ImageLoad
RoRegisterActivationFactories
@SUVH
t$`E3
190529185719Z0z1
MpScanResult
Storage Health
DllSurrogate
D$`E3
MpGetRunningMode
CertVerifyCertificateChainPolicy
_8\$`tq
.?AUIMpThreadPoolProvider@CommonUtil@@
D$8L+
api-ms-win-core-heap-l1-1-0.dll
WarningState
Threat_3rdP_NearExpiry
NtEnumerateKey
AccountProtection_DynamicLock_Remote
.?AU?$ImplementsHelper@U?$RuntimeClassFlags@$02@WRL@Microsoft@@$00U?$CloakedIid@UIMarshal@@@23@@Details@WRL@Microsoft@@
@A_A^_^]
D$HE3
LocalService
MpConfigClose
fD9t^
.?AVCWString@@
IsRtpByPolicy
GetPwrCapabilities
MpNotificationRegister
H;_pu
UILockdown
D9d$huDH
ChildProcess
Threat protection Shield
0A^A]A\
HvciIncompatibilityScanStart
PA^_^
.?AU?$IAsyncOperationCompletedHandler_impl@U?$AggregateType@PEAVGetDefaultSignInAccountResult@Web@Authentication@Security@Internal@Windows@@PEAUIGetDefaultSignInAccountResult@23456@@Internal@Foundation@Windows@@@Foundation@Windows@@
AppHVSI
t$ UWAVH
FileVersion
@8k8uD
.?AUIRefObject@CommonUtil@@
D9D$,u
%s%02hu%02hu%04hu-%02hu%02hu%02hu-%x-%x
WTSAPI32.dll
|$hA;
L$hH3
FileTrustOriginMarkOfTheWeb
Microsoft Corporation1&0$
windefend
.?AVCUtilRegListener@CommonUtil@@
SVWAVH
AccountProtection_WindowsHello_Available_Dismissed1
p AWH
D9d$hu%D9U
t$ I!s
CoImpersonateClient
1(0&0
Email
<unknown>
rY&'K
t$ E3
pA^_^][
System\CurrentControlSet\Control\DeviceGuard\Scenarios\CredentialGuard
LogonUserExExW
WDSC-
Defender_FullScanDue
$Microsoft Ireland Operations Limited1&0$
@W=7A=
GetProcessMitigationPolicy
UAVAWH
A_A^A\_]
HealthAdvisor_BatterySleepSettingsAlert
Segoe UI Light
.?AVReliabilityAssessment@HealthAdvisor@WSD@@
9D$h}
D8=tT
D;u0s:
SOFTWARE\Microsoft\Windows Security Health
DsrGetJoinInfo
MpConfigSetValue
SetMitigationPolicyFailure
CompareStringOrdinal
FileTimeToLocalFileTime
0A_A^_^[
CoInitializeSecurity
api-ms-win-service-core-l1-1-0.dll
Not running
Unknown exception
l~~!m
L$pA3
ext-ms-win-devmgmt-policy-l1-1-0.dll
api-ms-win-crt-runtime-l1-1-0.dll
4 WsU
Passive
@VWAV
H;_8u
fD9d~
MpManagerStatusQueryEx
Threat_3rdP_ScanUpdatesNeeded_SettingsRecommended
Ehttp://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt0
WaasMedicAction
__std_terminate
MakeAbsoluteSD
Network_3rdP_Snoozed
Threat_EnterpriseG
.?AVAssessmentQueueItem@HealthAdvisor@WSD@@
.?AVCMpShutter@CommonUtil@@
513h[
Upgrade : %ls
CoTaskMemAlloc
Defender_ServiceStopped
%ls%ls%ls
@UVWATAUAVAWH
.?AVWscBrokerSink@ShieldProvider@@
CreateMutexExW
@%systemroot%\system32\SecurityHealthAgent.dll,-1001
EventRegister
d$`I;
9;v[H
AccountProtectionShield
@UVWH
A_A^_^]
DeleteFileW
CoInitializeEx
L$hH9
GetPrivateProfileStringW
MpThreatEnumerate
.?AVScanManager@ShieldProvider@@
]erZS@
H;|$X
L$ H;
VbsIsRecommended
.?AU?$RuntimeClassFlags@$03@WRL@Microsoft@@
.?AVout_of_range@std@@
HeapAlloc
A_A^A\_^
.?AU?$ImplementsHelper@U?$RuntimeClassFlags@$01@WRL@Microsoft@@$00UIAccountProtectionNotificationsSink@@UIOSProtectionHealthSink@@UIForceFieldSink@@UIDataProtectionSink@@@Details@WRL@Microsoft@@
FAILED. This command is supported only if dev mode license is present, hr = %08X
0A__^
\SecurityProductInformation.ini
d$`A;
Failed to load plugin %ls, hr = %08X
SVWAVAWH
.?AV?$RuntimeClass@U?$RuntimeClassFlags@$01@WRL@Microsoft@@UIWeakReference@@@WRL@Microsoft@@
D9{Tv(H
.?AU?$ImplementsHelper@U?$RuntimeClassFlags@$02@WRL@Microsoft@@$00UIMarshal@@@Details@WRL@Microsoft@@
SOFTWARE\Microsoft\Windows Defender Security Center
.data$brc
\$xL;
L$pH3
9w,v[H
Y3SnA7o
H3E H3E
InternalName
.?AVILockable@@
DisableClearTpmButton
$PB2r
D9d$hu%9U
G,9C,u
malloc
Unknown switch.
m0D9m
IsProcessorFeaturePresent
M@L9y
L$pD3
uI.[j,}fl
NtOpenKey
UnknownSku
IsProviderRuntimeRegistered
.rsrc$02
IsCfaByPolicy
H9u@t
;D$ u
MonitoringPulse
__p___wargv
Failed to register AppID, hr = %08X
EnableTrace
H;\$0tpH
FindNextFileW
OLEAUT32.dll
HealthAdvisor_TimeServiceStatusDisabled
kernel32.dll
CoSetProxyBlanket
/launch
MpThreatOpen
.?AVNWPServiceWaitCancel@ShieldProvider@@
.text$di
FindClose
DD9D$4u
MpGetAsrBlockedActions
A8V0u
.?AU?$ImplementsHelper@U?$RuntimeClassFlags@$02@WRL@Microsoft@@$0A@UISecurityAppBrokerSink@SecurityCenter@Windows@@UIWeakReferenceSource@@@Details@WRL@Microsoft@@
L$XtQ
9+tPH
9{ v)H
VWATAVAWH
SeSecurityPrivilege
MpManagerOpen
UpdateMonitorBinaryCorruptionEnd
L$ 9y8v=
GetCurrentProcessId
L$XH3
api-ms-win-service-winsvc-l1-1-0.dll
RegCreateKeyExW
ConvertStringSidToSidW
@A^_^[]
I0G1-0+
.rdata$zETW0
8T$>u
$&v6v
t$hE3
CreateThreadpoolWork
StringFromCLSID
L!d$xL!d$pH
api-ms-win-core-file-l1-1-0.dll
.?AUIHardwareShield@@
+D$x3
pA_A^_^[
.?AV?$CWinSecurityAclAlloc@U?$CAutoLocalPtr@PEAU_ACL@@@CommonUtil@@@CommonUtil@@
DelayLoadFailureHook
0A^_^][
WaitForSingleObjectEx
FWClosePolicyStore
%s\Logs
D9l$hu#D9}
Defender_QuickScanDue
Microsoft-Windows-WaasMedic-Enable-Remediations
L$ E;
.?AV?$RuntimeClassImpl@U?$RuntimeClassFlags@$01@WRL@Microsoft@@$00$0A@$0A@UIExploitShield@@@Details@WRL@Microsoft@@
api-ms-win-eventing-controller-l1-1-0.dll
\]#17
H;_hu
.?AVShieldManagementProvider@ShieldProvider@@
AccountProtection_DynamicLock_NotConfigured
U@!]@H
Xdj[qD4
sspicli.dll
DestroyEnvironmentBlock
errorCode
@USWH
.?AVApplicationGuardShield@ShieldProvider@@
.?AV?$RuntimeClass@U?$RuntimeClassFlags@$02@WRL@Microsoft@@UISecurityAppBrokerSink@SecurityCenter@Windows@@@WRL@Microsoft@@
@USVWH
CoTaskMemFree
H9kH@
PostThreadMessageW
%ls</QueryList>
.?AUIAppAndBrowserShield@@
H;\$0tzH
Containers\Serviced\WindowsDefenderApplicationGuard.wim
Common_Unknown
IsDefenderAvDisabled
.?AU?$ImplementsHelper@U?$RuntimeClassFlags@$01@WRL@Microsoft@@$0A@UIHardwareShield@@@Details@WRL@Microsoft@@
.CRT$XIZ
PathCchAppend
Storage Health Metrics
HideSystray
+|$xA3
.?AVinvalid_argument@std@@
OsProtectionStatus
PA__^
DsrGetCxhScenarioInfo
EncodePointer
!This program cannot be run in DOS mode.
+YBu3
Failed to unregister AppID, hr = %08X
RunCadenceInHours
Msg:[%ws]
.?AU?$Implements@U?$RuntimeClassFlags@$02@WRL@Microsoft@@U?$CloakedIid@UIMarshal@@@23@@WRL@Microsoft@@
SystemCallDisable
@A^_^
A_A^A]_^[]
WaitForThreadpoolWorkCallbacks
CreateServiceW
api-ms-win-eventing-provider-l1-1-0.dll
.?AVCSecurityAttributesHolder@CommonUtil@@
Lct$$H
.?AUIExplicitAccessControl@CommonUtil@@
.?AVIRefCounted@@
.?AU?$ImplementsHelper@U?$RuntimeClassFlags@$01@WRL@Microsoft@@$0A@UIAccountProtectionShield@@@Details@WRL@Microsoft@@
x=@8uut7
A_A^A]A\_^[
.?AVCMpThreadPoolItemBase@CommonUtil@@
Redmond1
>http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0
RegisterWaitForSingleObjectEx
api-ms-win-core-kernel32-legacy-l1-1-1.dll
winsta0\default
L9h0t|A
S-1-5-80-259296475-4084429506-1152984619-38739575-565535606
PathToSignedReportingExe
A^_^[]
ProviderState
L9]0u@
USER32.dll
RegisterGPNotification
GetCurrentThread
A^A\_
OpenServiceW
t"D8=
a4x6
Yu Gothic UI Light
L$X99vIL
Defender_RtpDisabled
api-ms-win-core-synch-l1-1-0.dll
.?AV?$RuntimeClass@U?$RuntimeClassFlags@$01@WRL@Microsoft@@UIDefenderNotificationsSink@@@WRL@Microsoft@@
OsProtectionHealth
ROOT\CIMV2
Microsoft-Windows-Immersive-Shell
D$ fD
OSProtection_Healthy
D$@9K\u
L9{@u
HealthAdvisorStatus
OpenSemaphoreW
D$xH9X
api-ms-win-core-psapi-l1-1-0.dll
.?AUIThreatProtectionStatusSink@@
.9|$$u
r~akow
.?AUIAccountProtectionShield@@
IsCfaEnabled
folder
EnterCriticalSection
.CRT$XCU
Software\Microsoft\Windows Defender
G@9C@u
,gyC8oWSwmk2EVQrFoTsElvTsAyxniNZ1a9ux3hBSQl0=0Z
\$ E3
ConvertStringSecurityDescriptorToSecurityDescriptorW
_errno
LookupAccountNameW
SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
Threat_3rdP_ScanNeeded
Threat_3rdP_SettingsUpdatesRecommended
Network_PrivateFwOff
onecore\windows\hvsi\policymanager\lib\hvsipolicymanager.cpp
DataProtectionCloudBackupProviderUpdate
CryptCATAdminReleaseCatalogContext
%hs(%d) tid(%x) %08X %ws
oK0D$"<
.?AUIEnumFiles@CommonUtil@@
2333333
X VWAVH
G49C4
MpOfflineScanStatusQuery
MpUpdateStartEx
.?AVUpdateMonitorAssessment@UpdateMonitor@WSD@@
.?AVShieldProviderToast@ShieldProvider@@
SeSystemEnvironmentPrivilege
GetCurrentProcess
I;]Pu
fD96u"3
Leelawadee UI Semilight
Failed to unregister class %ls, hr = %08X
AccountProtection_Healthy
QueryMitigationPolicy
MpScanStart
MpIsGivenRunningModeSupported
D$pD3
d$ E3
OSProtection_RebootRequired
MpQueryDefaultFolderGuardList
NgcEnumContainers
advapi32.dll
.?AU?$IAsyncOperationCompletedHandler@PEAU?$IVectorView@PEAVWebAccount@Credentials@Security@Windows@@@Collections@Foundation@Windows@@@Foundation@Windows@@
.?AVTracer@ShieldProvider@@
{2eb6d15c-5239-41cf-82fb-353d20b816cf}
PeriodicTaskInitialDelay
PillarStatusFlag_HealthAdvisor_TimeServiceStatusDisabled
LocalFree
C4~$vP>C
ExtensionPointDisable
D$D;E
L9o@t
`A^_]
.?AVResultException@wil@@
BuildLabEx
S-1-5-80-1601830629-990752416-3372939810-977361409-3075122917
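The five S-1-5-80 SIDs scattered through this strings dump are per-service SIDs (the kind `sc showsid` prints), which Windows derives deterministically from the service name. The Python below, an added example rather than anything produced by the sandbox or by the binary's authors, re-derives such SIDs and checks the dump's values against candidate names. The candidate list is an assumption: it uses service names that also appear in these strings (wscsvc, windefend, w32time, and SecurityHealthService from the PDB path) plus TrustedInstaller, which is not named in the dump but whose well-known service SID matches the first one listed.

```python
import hashlib
import struct

# Service SIDs copied from the strings dump of SecurityHealthService.exe.
PAGE_SERVICE_SIDS = [
    "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464",
    "S-1-5-80-3232712927-1625117661-2590453128-1738570065-3637376297",
    "S-1-5-80-1523878533-411328482-2798077809-3098663872-2604013308",
    "S-1-5-80-259296475-4084429506-1152984619-38739575-565535606",
    "S-1-5-80-1601830629-990752416-3372939810-977361409-3075122917",
]


def service_sid(service_name: str) -> str:
    """Derive NT SERVICE\\<name> the way the LSA does: SHA-1 over the
    upper-cased UTF-16LE service name, split into five little-endian
    32-bit sub-authorities under the S-1-5-80 prefix."""
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    subauthorities = struct.unpack("<5I", digest)
    return "S-1-5-80-" + "-".join(str(x) for x in subauthorities)


def resolve_service_sids(sids, candidate_names):
    """Map each SID to the candidate service name that produces it, or None
    when no candidate matches (the name must be guessed or looked up)."""
    by_sid = {service_sid(name): name for name in candidate_names}
    return {sid: by_sid.get(sid) for sid in sids}


if __name__ == "__main__":
    # Assumed candidates: names visible elsewhere in this dump plus
    # TrustedInstaller (a well-known service SID, not named on the page).
    candidates = ["TrustedInstaller", "wscsvc", "windefend", "w32time",
                  "SecurityHealthService"]
    for sid, name in resolve_service_sids(PAGE_SERVICE_SIDS, candidates).items():
        print(sid, "->", name or "(no candidate matched)")
```

Because the derivation is a plain hash of the name, the check only confirms names you already suspect; a SID with no match means the service is not in your candidate list, not that the SID is malformed. Case does not matter: the name is upper-cased before hashing, so `windefend` and `WinDefend` give the same SID.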
</assembly>
Network_3rdP_L2L1_ActionNeeded
tFH;:u2
.didat$3
.?AVAppAndBrowserShield@ShieldProvider@@
ms-cxh://NTHNGCUPSELL
Translation
api-ms-win-power-setting-l1-1-0.dll
D$`D3
u2V3I
A_A^A]A\_^]
H;H(u
L$ VWAWH
Network_DomainFwOff
LastSuccessfullyAppliedPolicy
MpGetSampleListRequiringConsent
Windows Defender Exploit Guard\ASR\Rules
Threat_3rdP_L1_MultipleActionRecommended
freeMb
WilError_02
DataProtection_DataRestoreRequired
Threat_3rdP_L1_SingleActionRecommended
x\fD9
GetNamedSecurityInfoW
RegisterTraceGuidsW
.?AU?$ImplementsHelper@U?$RuntimeClassFlags@$01@WRL@Microsoft@@$00UIOSProtectionHealthSink@@UIForceFieldSink@@UIDataProtectionSink@@@Details@WRL@Microsoft@@
(A_A^_^][
Threat_3rdP_NoAction
L9} uF
SetupDiEnumDeviceInfo
fD9<Gu
WscRegisterForChanges
.?AVCMpSimpleThreadPool@CommonUtil@@
.CRT$XIAC
WscStatusAvFw
ProductVersion
WinSta0
dsreg.dll
WlanFreeMemory
__p__commode
.?AV?$RuntimeClassImpl@U?$RuntimeClassFlags@$02@WRL@Microsoft@@$00$00$0A@UIWscBrokerManagerSink@SecurityCenter@Windows@@@Details@WRL@Microsoft@@
RtlQueryWnfStateData
zuRH9
FwActivate
.didat$4
AccountProtection_WindowsHello_Available_Dismissed2
ServicesActive
__CxxFrameHandler3
L9}0u^
H WAVAWH
IsSampleSubmissionEnabled
`A_A^_^[
.CRT$XIAA
@A_A^A\_^[]
|$xI;
fD9<Au
Windows.Internal.Security.SmartScreen.AppReputationService
1o?-XfF
WscJsonStatusAvFw
A_A^A\_^[]
` AVH
Windows
ForceField_Unknown
SleepConditionVariableCS
_register_onexit_function
SUVWATAVAWH
returnCode
.?AUIStorageHealthResults@@
D$0E3
8A_A^_^][
Account Protection Shield Class
LcMxE
Notifications
.idata$2
HideTPMTroubleshooting
SubmitThreadpoolWork
api-ms-win-core-debug-l1-1-0.dll
x AVH
Yu Gothic UI
{ AvList : [
EnableVirtualGPU
CLSID\{bfe74cfe-3264-4d44-a930-64b77e14b685}
1/0-0
NHcH<
toast type
-{>J@
H9l$Pt H
CoReleaseServerProcess
L$dE3
t$`H;
InitiateSystemShutdownExW
.?AVDefenderShield@ShieldProvider@@
.tls$
fD94Cu
+D$h3
DataProtection_UnsupportedODVersion
LookupPrivilegeValueW
.?AV?$CWinSecurityAclAlloc@V?$CAutoUniquePtr@U_ACL@@X@CommonUtil@@@CommonUtil@@
.xdata
L9] uQ
.gfids
performremediation
G89C8
t$PHi
\$`Ii
Hardware_Unknown
Segoe Pseudo
LaunchPermission
WTSQueryUserToken
SOFTWARE\Microsoft\Windows Security Health\State\Dynamic
statusCode
Software\Microsoft\Policies\PassportForWork\DynamicLock
%hs(%d)\%hs!%p:
Operating System
RoActivateInstance
Environment
Update Monitor
mitigationOption
N0L0J
vector<T> too long
@.didat
SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity
.?AVCClassFactory@@
System\WaaS\WaasMedic
GetModuleHandleExW
Failed to register service, hr = %08X
%ProgramFiles%\Windows Defender
Defender_Unknown
QueryMitigationAuditPolicyFailure
_cexit
Device security
MpOfflineScanInstall
GetSecurityDescriptorOwner
GetLocalTime
FontDisable
_invalid_parameter_noinfo_noreturn
M(H!](H
VG2/iI
9+v9H
Common_ThirdParty_UnknownStatus
"%s" %s
PeriodicTaskPeriodicity
CloseThreadpool
RegOpenCurrentUser
t$ WATAUAVAWH
MpConfigIteratorEnum
ConfigManagerErrorCode
GetLastError
@USVWATAUAVAWH
tII9n
Defender Shield
.?AVCRefObject@CommonUtil@@
Embedding
AuthD
LogHr
O:BAG:BAD:(A;;CCDCLC;;;SY)(A;;CCDCLC;;;BA)(A;;CCDCLC;;;IU)(A;;CCDCLC;;;LS)(A;;CCDCLC;;;AC)
E@H;EP
p WATAUAVAWH
A_A]A\_]
DataProtectionEnterWarning
.?AU?$ImplementsHelper@U?$RuntimeClassFlags@$01@WRL@Microsoft@@$00UIForceFieldSink@@UIDataProtectionSink@@@Details@WRL@Microsoft@@
AUAVAWH
H;0u2
@+ljM
|$ UAVAWH
fD94Ku
LcEpH
T$@H+
KpH91u^H
@A^A\_^]
fD94Hu
HA_A^_^][
u'D9U
Unknown
fD94Gu
api-ms-win-security-sddl-l1-1-0.dll
api-ms-win-security-lsalookup-l2-1-0.dll
microsoft-windows-diagnosis-scripted/operational
Network_3rdP_L2L1_MultipleActionRecommended
ShieldProviderToast
Action
HvciIncompatibilityScanGetResult
StartServiceW
PurgeAgeIndays
Threat_3rdP_SettingsNeeded_ScanUpdatesRecommended
.?AU?$Selector@U?$ImplementsHelper@U?$RuntimeClassFlags@$01@WRL@Microsoft@@$00$$V@Details@WRL@Microsoft@@U?$ImplementsHelper@U?$RuntimeClassFlags@$01@WRL@Microsoft@@$00U?$ImplementsMarker@VFtmBase@WRL@Microsoft@@@Details@23@@234@@Details@WRL@Microsoft@@
OSProtection_Unknown
pA_A^A]A\_^]
DeleteService
M@;1r
_invalid_parameter_noinfo
invalid stoi argument
f9)sB
RegisterWaitUntilOOBECompleted
api-ms-win-core-timezone-l1-1-0.dll
Leelawadee UI
D9d$`
@A^^]
A_A^A]A\]
A_A^A]_]
AccountProtection_Unknown
CopySid
.?AUIManagementShield@@
SpyNetReporting
HvciIsActive
.?AUIThreatProtectionShield@@
<requestedExecutionLevel level="asInvoker" uiAccess="false" />
`.rdata
.?AVCMpThreadPoolVistaHelper@CommonUtil@@
.?AUImplementsBase@Details@WRL@Microsoft@@
bWti^
Hardware_HvciOnRecommended
.?AU?$Selector@VFtmBase@WRL@Microsoft@@U?$ImplementsHelper@U?$RuntimeClassFlags@$01@WRL@Microsoft@@$00U?$ImplementsMarker@VFtmBase@WRL@Microsoft@@@Details@23@@Details@23@@Details@WRL@Microsoft@@
RegCloseKey
0A_A^A\_]
t^@8=A
Windows.SecurityCenter.WscBrokerManager
|$ UATAUAVAWH
H;D$(u
.?AUISecurityAttributes@CommonUtil@@

PE Information

Image Base 0x140000000
Entry Point 0x0008f500
Reported Checksum 0x000db331
Actual Checksum 0x000db331
Minimum OS Version 10.0
PDB Path SecurityHealthService.pdb
Compile Time 2102-10-29 03:40:06
Import Hash 7a867126866d220c502e98cc873fed68

Version Infos

CompanyName Microsoft Corporation
FileDescription Windows Security Health Service
FileVersion 4.18.1807.16384 (WinBuild.160101.0800)
InternalName SecurityHealthService
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename SecurityHealthService.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 4.18.1807.16384
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x000932b2 0x00093400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.41
.rdata 0x00093800 0x00095000 0x0002df98 0x0002e000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.58
.data 0x000c1800 0x000c3000 0x00007ca0 0x00007000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.62
.pdata 0x000c8800 0x000cb000 0x00004fd4 0x00005000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.88
.didat 0x000cd800 0x000d0000 0x00000198 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.42
.rsrc 0x000cda00 0x000d1000 0x00000638 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.53
.reloc 0x000ce200 0x000d2000 0x00000db4 0x00000e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.40

Overlay

Offset 0x000cf000
Size 0x00003f38

Name Offset Size Language Sub-language Entropy File type
RT_VERSION 0x000d1260 0x000003d8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.53 None
RT_MANIFEST 0x000d10a0 0x000001bf LANG_ENGLISH SUBLANG_ENGLISH_US 4.81 None

Imports

Name Address
memset 0x1400983d0
wcstok_s 0x1400983d8
_wcsnicmp 0x1400983e0
wcscmp 0x1400983e8
_wcsicmp 0x1400983f0
Name Address
__stdio_common_vfwprintf 0x140098388
__stdio_common_vswscanf 0x140098390
_set_fmode 0x140098398
__stdio_common_vswprintf 0x1400983a0
__stdio_common_vsprintf 0x1400983a8
__stdio_common_vsnprintf_s 0x1400983b0
__acrt_iob_func 0x1400983b8
__p__commode 0x1400983c0
Name Address
__p___argc 0x1400982d0
_crt_atexit 0x1400982d8
_register_onexit_function 0x1400982e0
_beginthreadex 0x1400982e8
_initialize_onexit_table 0x1400982f0
terminate 0x1400982f8
_register_thread_local_exe_atexit_callback 0x140098300
_c_exit 0x140098308
_invalid_parameter_noinfo 0x140098310
_cexit 0x140098318
__p___wargv 0x140098320
_errno 0x140098328
_exit 0x140098330
exit 0x140098338
_invalid_parameter_noinfo_noreturn 0x140098340
_initterm_e 0x140098348
_initterm 0x140098350
_seh_filter_exe 0x140098358
_set_app_type 0x140098360
_configure_wide_argv 0x140098368
_initialize_wide_environment 0x140098370
_get_initial_wide_environment 0x140098378
Name Address
_configthreadlocale 0x140098270
Name Address
calloc 0x140098240
_set_new_mode 0x140098248
free 0x140098250
_callnewh 0x140098258
malloc 0x140098260
Name Address
__std_terminate 0x140098280
memcpy 0x140098288
_purecall 0x140098290
__C_specific_handler 0x140098298
__CxxFrameHandler3 0x1400982a0
__std_exception_copy 0x1400982a8
__std_exception_destroy 0x1400982b0
_CxxThrowException 0x1400982b8
memmove 0x1400982c0
Name Address
CoRegisterClassObject 0x140097dc0
CoResumeClassObjects 0x140097dc8
CoUninitialize 0x140097dd0
CoInitializeSecurity 0x140097dd8
CoInitializeEx 0x140097de0
CoAddRefServerProcess 0x140097de8
CoReleaseServerProcess 0x140097df0
CoTaskMemFree 0x140097df8
CoRevokeClassObject 0x140097e00
Name Address
DispatchMessageW 0x140097e70
GetMessageW 0x140097e78
PostThreadMessageW 0x140097e80
Name Address
CreateThreadpoolWork 0x140097bb0
InitializeCriticalSectionAndSpinCount 0x140097bb8
SubmitThreadpoolWork 0x140097bc0
DeleteCriticalSection 0x140097bc8
SetThreadpoolThreadMaximum 0x140097bd0
SetThreadpoolThreadMinimum 0x140097bd8
CreateDirectoryW 0x140097be0
WaitForThreadpoolWorkCallbacks 0x140097be8
RegisterWaitForSingleObjectEx 0x140097bf0
GetActiveProcessorCount 0x140097bf8
GetPhysicallyInstalledSystemMemory 0x140097c00
GetSystemDirectoryW 0x140097c08
FindClose 0x140097c10
FindResourceW 0x140097c18
FindFirstFileW 0x140097c20
GetFileSizeEx 0x140097c28
CreateTimerQueueTimer 0x140097c30
LoadResource 0x140097c38
FindNextFileW 0x140097c40
RegisterWaitForSingleObject 0x140097c48
EncodePointer 0x140097c50
CreateFileW 0x140097c58
DebugBreak 0x140097c60
GetLastError 0x140097c68
FreeLibrary 0x140097c70
LocalFree 0x140097c78
LeaveCriticalSection 0x140097c80
EnterCriticalSection 0x140097c88
GetCurrentThreadId 0x140097c90
GetTickCount 0x140097c98
DeleteTimerQueueTimer 0x140097ca0
SetThreadPriority 0x140097ca8
GetCurrentThread 0x140097cb0
GetPrivateProfileStringW 0x140097cb8
CloseHandle 0x140097cc0
GetLocalTime 0x140097cc8
SwitchToThread 0x140097cd0
RtlCaptureContext 0x140097cd8
RtlLookupFunctionEntry 0x140097ce0
RtlVirtualUnwind 0x140097ce8
IsDebuggerPresent 0x140097cf0
UnhandledExceptionFilter 0x140097cf8
SetUnhandledExceptionFilter 0x140097d00
GetCurrentProcess 0x140097d08
TerminateProcess 0x140097d10
IsProcessorFeaturePresent 0x140097d18
QueryPerformanceCounter 0x140097d20
GetCurrentProcessId 0x140097d28
GetSystemTimeAsFileTime 0x140097d30
InitializeSListHead 0x140097d38
GetModuleHandleW 0x140097d40
GetFileAttributesW 0x140097d48
CreateThreadpool 0x140097d50
CloseThreadpool 0x140097d58
CloseThreadpoolWork 0x140097d60
WaitForMultipleObjects 0x140097d68
DecodePointer 0x140097d70
ExpandEnvironmentStringsW 0x140097d78
OpenProcess 0x140097d80
CreateEventW 0x140097d88
ResetEvent 0x140097d90
SizeofResource 0x140097d98
LockResource 0x140097da0
ResolveDelayLoadedAPI 0x140097da8
DelayLoadFailureHook 0x140097db0
Name Address
RoGetActivationFactory 0x1400981e0
RoRegisterActivationFactories 0x1400981e8
RoActivateInstance 0x1400981f0
RoRevokeActivationFactories 0x1400981f8
Name Address
TraceMessage 0x140098420
UnregisterTraceGuids 0x140098428
RegisterTraceGuidsW 0x140098430
GetTraceEnableLevel 0x140098438
GetTraceLoggerHandle 0x140098440
GetTraceEnableFlags 0x140098448
Name Address
WindowsGetStringRawBuffer 0x140098208
WindowsDeleteString 0x140098210
WindowsCreateStringReference 0x140098218
Name Address
StartServiceCtrlDispatcherW 0x1400985a8
SetServiceStatus 0x1400985b0
RegisterServiceCtrlHandlerExW 0x1400985b8
Name Address
RegDeleteValueW 0x140098078
RegNotifyChangeKeyValue 0x140098080
RegQueryValueExW 0x140098088
RegCloseKey 0x140098090
RegGetValueW 0x140098098
RegOpenKeyExW 0x1400980a0
RegOpenCurrentUser 0x1400980a8
RegSetValueExW 0x1400980b0
RegEnumValueW 0x1400980b8
RegCreateKeyExW 0x1400980c0
Name Address
CloseServiceHandle 0x1400985c8
OpenServiceW 0x1400985d0
CreateServiceW 0x1400985d8
OpenSCManagerW 0x1400985e0
DeleteService 0x1400985e8
StartServiceW 0x1400985f0
Name Address
NotifyServiceStatusChangeW 0x140098600
ChangeServiceConfigW 0x140098608
QueryServiceConfigW 0x140098610
ChangeServiceConfig2W 0x140098618
Name Address
EventRegister 0x140098480
EventSetInformation 0x140098488
EventWriteTransfer 0x140098490
EventUnregister 0x140098498
Name Address
AccessCheck 0x1400984e8
MakeAbsoluteSD 0x1400984f0
AdjustTokenPrivileges 0x1400984f8
GetLengthSid 0x140098500
RevertToSelf 0x140098508
InitializeAcl 0x140098510
CheckTokenMembership 0x140098518
FreeSid 0x140098520
GetSecurityDescriptorOwner 0x140098528
CreateWellKnownSid 0x140098530
CopySid 0x140098538
AllocateAndInitializeSid 0x140098540
GetSecurityDescriptorDacl 0x140098548
ImpersonateLoggedOnUser 0x140098550
GetTokenInformation 0x140098558
DuplicateTokenEx 0x140098560
Name Address
ControlTraceW 0x140098458
StartTraceW 0x140098460
Name Address
EnableTrace 0x140098470
Name Address
CreateProcessAsUserW 0x140098038
OpenProcessToken 0x140098040
OpenThreadToken 0x140098048
Name Address
LookupPrivilegeValueW 0x140098570
LookupAccountNameW 0x140098578
Name Address
CreateSemaphoreExW 0x140098108
WaitForMultipleObjectsEx 0x140098110
WaitForSingleObject 0x140098118
WaitForSingleObjectEx 0x140098120
SetEvent 0x140098128
OpenSemaphoreW 0x140098130
CreateMutexExW 0x140098138
CreateEventExW 0x140098140
ReleaseSemaphore 0x140098148
ReleaseMutex 0x140098150
Name Address
DeleteFileW 0x140097f58
FileTimeToLocalFileTime 0x140097f60
GetDiskFreeSpaceExW 0x140097f68
CompareFileTime 0x140097f70
Name Address
VariantClear 0x140097e10
SysFreeString 0x140097e18
VariantInit 0x140097e20
VariantTimeToSystemTime 0x140097e28
SysAllocString 0x140097e30
SysStringLen 0x140097e38
Name Address
UnregisterWaitEx 0x1400981a8
Name Address
CoWaitForMultipleHandles 0x140097ed8
CoImpersonateClient 0x140097ee0
CoRevertToSelf 0x140097ee8
CoDecrementMTAUsage 0x140097ef0
CoIncrementMTAUsage 0x140097ef8
StringFromCLSID 0x140097f00
CoSetProxyBlanket 0x140097f08
CoCreateInstance 0x140097f10
CoTaskMemAlloc 0x140097f18
CoCreateFreeThreadedMarshaler 0x140097f20
Name Address
CreateEnvironmentBlock 0x140097e90
UnregisterGPNotification 0x140097e98
RegisterGPNotification 0x140097ea0
DestroyEnvironmentBlock 0x140097ea8
Name Address
GetWindowsDirectoryW 0x140098170
GetVersionExW 0x140098178
GetSystemTime 0x140098180
GetTickCount64 0x140098188
Name Address
CM_Get_DevNode_Status 0x140098410
Name Address
GetPwrCapabilities 0x1400984c0
Name Address
GetComputerNameW 0x140097fb0
GetSystemPowerStatus 0x140097fb8
Name Address
SystemTimeToFileTime 0x1400981b8
FileTimeToSystemTime 0x1400981c0
Name Address
RaiseException 0x140097f40
SetLastError 0x140097f48
Name Address
RoOriginateError 0x1400981d0
Name Address
Sleep 0x140098160
Name Address
QueryServiceStatus 0x140098628
Name Address
QueryFullProcessImageNameW 0x140098068
Name Address
FormatMessageW 0x140098018
Name Address
HeapAlloc 0x140097f80
GetProcessHeap 0x140097f88
HeapFree 0x140097f90
Name Address
GetModuleHandleExW 0x140097fd8
GetModuleFileNameA 0x140097fe0
LoadLibraryExW 0x140097fe8
AddDllDirectory 0x140097ff0
GetProcAddress 0x140097ff8
GetModuleFileNameW 0x140098000
RemoveDllDirectory 0x140098008
Name Address
OutputDebugStringW 0x140097f30
Name Address
FWOpenPolicyStore 0x140097b68
FwActivate 0x140097b70
FWGetConfig 0x140097b78
FwAnalyzeFirewallPolicy 0x140097b80
IcfChangeNotificationCreate 0x140097b88
IcfChangeNotificationDestroy 0x140097b90
FWClosePolicyStore 0x140097b98
FwIsGroupPolicyEnforced 0x140097ba0
Name Address
SetupDiGetClassDevsW 0x1400986e0
SetupDiEnumDeviceInfo 0x1400986e8
SetupDiDestroyDeviceInfoList 0x1400986f0
Name Address
WTSQueryUserToken 0x140097eb8
Name Address
TpmGetCapLockoutInfo 0x140097e48
TpmGatherLogs 0x140097e50
TpmGetDeviceInformation 0x140097e58
TpmClearWithPolicyOrPPI 0x140097e60
Name Address
EvtQuery 0x140098700
EvtClose 0x140098708
EvtNext 0x140098710
EvtCreateRenderContext 0x140098718
EvtRender 0x140098720
Name Address
VerSetConditionMask 0x140098198
Name Address
VerifyVersionInfoW 0x140097fc8
Name Address
InitiateSystemShutdownExW 0x1400980e0
Name Address
CertVerifyCertificateChainPolicy 0x140097b50
CryptBinaryToStringW 0x140097b58
Name Address
GetProcessMitigationPolicy 0x140098058
Name Address
LocalAlloc 0x140097fa0
Name Address
CompareStringW 0x1400980f0
CompareStringOrdinal 0x1400980f8
Name Address
PowerReadDCValue 0x1400984d0
PowerGetActiveScheme 0x1400984d8
Name Address
WldpQueryWindowsLockdownMode 0x140097ec8
Name Address
_wtol 0x140098228
wcstol 0x140098230
Name Address
ldiv 0x140098400
Name Address
PathCchAppend 0x140098028
Name Address
RegDeleteKeyW 0x1400980d0



Usage


Processing ( 11.26 seconds )

  • 10.411 ProcessMemory
  • 0.826 CAPE
  • 0.02 BehaviorAnalysis
  • 0.007 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.06 seconds )

  • 0.008 ransomware_files
  • 0.006 antianalysis_detectfile
  • 0.006 antiav_detectreg
  • 0.005 ransomware_extensions
  • 0.003 infostealer_ftp
  • 0.003 territorial_disputes_sigs
  • 0.003 ursnif_behavior
  • 0.002 antiav_detectfile
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior

Reporting ( 0.01 seconds )

  • 0.006 CAPASummary
  • 0.001 JsonDump

Signatures

The PE file contains a PDB path
pdbpath: SecurityHealthService.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
Possible date expiration check, exits too soon after checking local time
process: SecurityHealthService.exe, PID 3612
The binary contains an unknown PE section name indicative of packing
unknown section: {'name': '.didat', 'raw_address': '0x000cd800', 'virtual_address': '0x000d0000', 'virtual_size': '0x00000198', 'size_of_data': '0x00000200', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000040', 'entropy': '2.42'}
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 3612 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 59 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections
Binary compilation timestomping detected
anomaly: Compilation timestamp is in the future

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Windows\System32\policymanager.dll
C:\Users\Packager\AppData\Local\Temp\msvcp110_win.dll
C:\Windows\System32\msvcp110_win.dll
C:\Windows\System32\MsMpLics.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\PolicyManager\default\AppHVSI\AllowAppHVSI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\AppHVSI\AllowAppHVSI\PolicyType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\AppHVSI\AllowAppHVSI\Behavior
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\AppHVSI\AllowAppHVSI\MergeAlgorithm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\AppHVSI\AllowAppHVSI\RegKeyPathRedirectMapped
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\AppHVSI\AllowAppHVSI\RegKeyPathRedirect
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\AppHVSI\AllowAppHVSI\grouppolicyname
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\AppHVSI\AllowAppHVSI\grouppolicypath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\AppHVSI\AllowAppHVSI\grouppolicyismultisz
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\AppHVSI\AllowAppHVSI\grouppolicymultiszSeparatorChar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\AppHVSI\AllowAppHVSI\ADMXMetadataUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\AppHVSI\AllowAppHVSI\ADMXMetadataDevice
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\AppHVSI\AllowAppHVSI\ADMXMetadataBoth
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\AppHVSI\AllowAppHVSI\Value
HKEY_LOCAL_MACHINE\software\policies\Microsoft\AppHVSI
HKEY_LOCAL_MACHINE\Software\Microsoft\PolicyManager\current\Device\AppHVSI
HKEY_LOCAL_MACHINE\Software\Microsoft\HVSI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Hvsi\EnableClipboard
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Hvsi\EnablePrinters
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Hvsi\EnableCameraMicrophoneRedirection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Hvsi\EnablePersistence
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Hvsi\EnableVirtualGPU
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Alias
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\AppHVSI\AllowAppHVSI\PolicyType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\AppHVSI\AllowAppHVSI\Behavior
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\AppHVSI\AllowAppHVSI\MergeAlgorithm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\AppHVSI\AllowAppHVSI\RegKeyPathRedirectMapped
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\AppHVSI\AllowAppHVSI\RegKeyPathRedirect
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\AppHVSI\AllowAppHVSI\grouppolicyname
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\AppHVSI\AllowAppHVSI\grouppolicypath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\AppHVSI\AllowAppHVSI\grouppolicyismultisz
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\AppHVSI\AllowAppHVSI\grouppolicymultiszSeparatorChar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\AppHVSI\AllowAppHVSI\ADMXMetadataUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\AppHVSI\AllowAppHVSI\ADMXMetadataDevice
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\AppHVSI\AllowAppHVSI\ADMXMetadataBoth
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\AppHVSI\AllowAppHVSI\Value
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Hvsi\EnableClipboard
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Hvsi\EnablePrinters
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Hvsi\EnableCameraMicrophoneRedirection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Hvsi\EnablePersistence
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Hvsi\EnableVirtualGPU
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Alias
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.