Analysis

Category FILE
Package exe
Started 2025-06-11 16:32:06
Completed 2025-06-11 16:49:40
Duration 1054 seconds
Options procmemdump=1 import_reconstruction=1 unpacker=2 norefer=1 no-iat=1
Analysis Log
2024-11-25 13:37:14,912 [root] INFO: Date set to: 20250611T16:05:10, timeout set to: 1000
2025-06-11 17:05:10,265 [root] DEBUG: Starting analyzer from: C:\tmpjeo7jmad
2025-06-11 17:05:10,265 [root] DEBUG: Storing results at: C:\uyHCokWh
2025-06-11 17:05:10,265 [root] DEBUG: Pipe server name: \\.\PIPE\IpEgLKC
2025-06-11 17:05:10,265 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-11 17:05:10,265 [root] INFO: analysis running as an admin
2025-06-11 17:05:10,265 [root] INFO: analysis package specified: "exe"
2025-06-11 17:05:10,265 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-11 17:05:11,125 [root] DEBUG: imported analysis package "exe"
2025-06-11 17:05:11,125 [root] DEBUG: initializing analysis package "exe"...
2025-06-11 17:05:11,125 [lib.common.common] INFO: wrapping
2025-06-11 17:05:11,125 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-11 17:05:11,125 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\UNPUXLauncher.exe
2025-06-11 17:05:11,125 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-11 17:05:11,125 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-11 17:05:11,125 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-11 17:05:11,125 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-11 17:05:11,328 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-11 17:05:11,359 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-11 17:05:11,452 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-11 17:05:11,468 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-11 17:05:11,484 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-11 17:05:11,484 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-11 17:05:11,484 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-11 17:05:11,484 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-11 17:05:11,484 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-11 17:05:11,484 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-11 17:05:11,484 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-11 17:05:11,484 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-11 17:05:11,484 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-11 17:05:11,484 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-11 17:05:11,484 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-11 17:05:11,484 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-11 17:05:11,484 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-11 17:05:11,484 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-11 17:05:22,812 [modules.auxiliary.digisig] DEBUG: File has a valid signature
2025-06-11 17:05:22,812 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-11 17:05:22,812 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-11 17:05:22,812 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-11 17:05:22,812 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-11 17:05:22,812 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-11 17:05:22,812 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-11 17:05:22,812 [modules.auxiliary.disguise] INFO: Disguising GUID to 88063f41-cb09-49fe-8433-82e8a31757b9
2025-06-11 17:05:22,827 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-11 17:05:22,827 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-11 17:05:22,827 [root] DEBUG: attempting to configure 'Human' from data
2025-06-11 17:05:22,827 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-11 17:05:22,827 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-11 17:05:22,827 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-11 17:05:22,827 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-11 17:05:22,827 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-11 17:05:22,827 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-11 17:05:22,827 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-11 17:05:22,827 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-11 17:05:22,827 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-11 17:05:22,827 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-11 17:05:22,827 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-11 17:05:22,827 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-11 17:05:22,827 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-11 17:05:22,827 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-11 17:05:22,859 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmpjeo7jmad\dll\696.ini
2025-06-11 17:05:22,859 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-11 17:05:22,859 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-11 17:05:22,859 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-11 17:05:22,859 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-11 17:05:22,859 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-11 17:05:22,859 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-11 17:05:22,874 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpjeo7jmad\dll\pQxbIz.dll, loader C:\tmpjeo7jmad\bin\EPCPTrhb.exe
2025-06-11 17:05:22,937 [root] DEBUG: Loader: IAT patching disabled.
2025-06-11 17:05:22,937 [root] DEBUG: Loader: Injecting process 696 with C:\tmpjeo7jmad\dll\pQxbIz.dll.
2025-06-11 17:05:22,984 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-11 17:05:22,984 [root] INFO: Disabling sleep skipping.
2025-06-11 17:05:22,984 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-11 17:05:22,984 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-11 17:05:22,984 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-11 17:05:22,984 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-11 17:05:22,984 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-11 17:05:22,984 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-11 17:05:22,999 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-11 17:05:22,999 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-11 17:05:23,015 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 2868, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000
2025-06-11 17:05:23,015 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-11 17:05:23,031 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-11 17:05:23,031 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-11 17:05:23,031 [root] DEBUG: Successfully injected DLL C:\tmpjeo7jmad\dll\pQxbIz.dll.
2025-06-11 17:05:23,046 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-11 17:05:23,0 <truncated>

Machine

Name win10-2
Label win10-2
Manager KVM
Started On 2025-06-11 16:32:06
Shutdown On 2025-06-11 16:49:21
Route none

File Details

File Name UNPUXLauncher.exe
File Type PE32+ executable (GUI) x86-64, for MS Windows
File Size 486400 bytes
MD5 289b579f9f559b27f16e9eb8f454757f
SHA1 097a0d0c90501c3609cff649690639b15b5c5f74
SHA256 22a98a3262c6d53079e80b18a7bc24f407bd007be09113d440c53a1aef32b381
SHA3-384 37d375fda536a4fce3896848bb2907557207f600a744ce92970ecb113b986239f4f47e962a8cb657219aca71a89b99d4
CRC32 671DF2FA
TLSH T198A43A1593C800E6E5B79238C6628705EEB1BC6327608ACF52A4B55D2F77AE0DE7C731
Ssdeep 6144:9+1xxy+vuQeC/nUox8zgqJ+STeghQ/7CWlxs6skUbJINy5w8ArYBgNoJn:J+WQdOrJPTrhQDCWLpci1Q
SHLWAPI.dll
Warning
ms-MY
sah-RU
InitOnceComplete
st-ZA
cy-GB
L!t$HH
9D$ u
RtlDuplicateLUtf8String
K SUVWAVH
ReadFile
.rtc$IAA
br-FR
Stamped a new expiration {%s} expiration date {%I64u}
RegQueryValueExW
\$xE3
@SVWH
VarFileInfo
VWAUAVAWH
pDoctype->ulSignature == ('tDdM')
ve-ZA
A_A\_^]
D9d$h
H;t$`
Params->fRequireUtf8
triggerName
isDomainJoinedManaged
%s: Added formula id %lu
onecore\base\xml\udom_builder.cpp
oc-FR
smn-FI
Global\Microsoft.Windows.UpdateNotificationPipeline.Telemetry
20180914213558Z
H9PHu
CreateFileW
smj-NO
zh-TW
Not-null check failed: NodeList
UNPCampaignManagerGetCampaignState
D9d$0L
RSDS2l
H!l$0E3
UXHelper: Registered for toast notification support
Local\SM0:%d:%d:%hs
D$ L9r u
RtlNsInitialize(this, Comparison, pvCompareContext, Alloc)
ca-ES
Not-null check failed: Params->Source.pBlob
Resultant
EncodingSizer != 0
_o__wtol
SUVWAVH
Notification Activate launched with command line: %s
%s: Key, %s\%s; Expected, %s; Actual, %s; Op, %d
RoOriginateErrorW
A^A]]
DetectorExecutionBitmap
nl-NL
api-ms-win-core-winrt-string-l1-1-0.dll
FormatMessageW
et-EE
MdSpI
module
PauseAction
SHQueryUserNotificationState
InitializeCriticalSectionAndSpinCount
<security>
&5?o@1>
D9t$du
NewElement = this->AllocateStreamObject()
CoUninitialize
ReleaseUpdatePolicyValue
(E'fH
<!-- Copyright (c) Microsoft Corporation -->
<requestedExecutionLevel
prs-AF
UXHelpers: Overflow error when saving holdoff expiration to registry
j < ValidProperties.Length
onecore\base\xml\udom_modify.cpp
A_A^A]A\_
>MdDlt
.rtc$TZZ
Main: Launched with Embedding switch
10.0.17763.1 (WinBuild.160101.0800)
u(H;J
DeleteCriticalSection
CRtlGrowingList<struct _XMLDOC_ATTRIBUTE,50,4>::Initialize
RaiseException
%s: Execution of RegQWORD node was blocked for regkey: %s
\$ WH
RtlCaptureContext
!l$(H
UpdateNotificationMgr
D;P,u
NETAPI32.dll
bg-BG
minATL$__z
H+w H
PathCchCanonicalize
^9|$8tVL
Mb=Lk
x ATAVAWH
L99u3
rw-RW
t!fD;
RtlXmlDestroyNextLogicalThing(this)
.CRT$XLA
D;d$l
l$ VWAWH
CAMPAIGNREG
y$L9U
GetFileSize
TimeBlock
RtlTranscodeLBlobs
uz-Latn
9\$0t
9|$0@
Not-null check failed: Target
Locals.Allocate()
::RtlIsLBlobValid(Blob)
qps-Latn-x-sh
D$@E!
GetDeviceCaps
WTHelperProvDataFromStateData
fA9Qrv
version
D;|$h
` UAVAWH
uz-Cyrl-UZ
CoResumeClassObjects
tzm-Latn
t#L9H
fr-029
r9L!b
D9L$`vHL
CV not initialized
H+} H
ContentExpireDate
SLGetProductSkuInformation
SLGetSLIDList
LastTime
STRING
A_A^_
bs-Cyrl-BA
__rv.UcsCharacter != (0xffffffff)
quc-Latn
|$DA9~
Microsoft Corporation1200
Creating scheduled tasks for the campaign substate %s
D9d$4u
Washington1
he-IL
MAXSUPPORTEDOS
SLOpen
RtlCopyLBlob
campaignLive
A_A^A\
az-Latn
NMTOKENS
D$0H;
Package version = %s
E I+F
@A_A^A\_^][
RtlDuplicateLBlob
x AUAVAWH
qps-ploca
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
Content version = %d
be-BY
Information
@USVWATAVAWH
UXLauncherBlockAllowed
lt-LT
GetVersion
MicrodomImplementation::CMicrodom::IRtlMicrodom_Cast
Machine
MicrodomImplementation::CMicrodom::GetElementById
T$(E3
TheElement != TheElement.InvalidValue()
ja-JP
nb-NO
DetectorFormulaExecuteElseActionFailed
pHeader->ulOffsetToDomLayout < pHeader->ulTotalSize
D9l$8
_o_terminate
L;B(u
RtlMatchLUtf8StringAgainstPointerList
onecore\base\xml\udom_microdom.cpp
gd-GB
ReleaseSRWLockExclusive
Attempting to retrieve content value for: %s
ru-MD
RtlLookupFunctionEntry
%s: Formula evaluated to false
TaskFolder
Unable to setup logging file location
[%hs(%hs)]
de-CH
QueryPerformanceCounter
D9t$Hu8D9t$Lu
threadId
H!]X3
L9y u
Executing RegDWORD node for key: %s, value: %s
UnpCampaignManagerIsZeroExhaustEnabledFailed
\$ UVWATAUAVAWH
StringFileInfo
G E9 uuI
oD$ f
ar-EG
t$ WAVAWH
RtlDuplicateLUtf8StringToLUnicodeString
0A_A^A]A\_
ole32.dll
D;X(u
NewAttlist = this->AllocateStreamObject()
9Y4~)D
(NamespaceURI == 0) || RtlIsLUtf8StringValid(NamespaceURI)
ugL9I
RtlIsLUtf8StringValid(Source)
es-ES
%s: Executing RegString node
IsTestMode
Not-null check failed: Source
CCampaignContentInfo: File size of %s is greater that the maximum size allowed. Expected less than: %d, got %I64d
GetCampaignState: Campaign is currently paused
CMicrodomBuilder::DetermineStringTableSize
+fD;:t
@A_A^A]
.text$mn
D$XE3
GENUINE
EnableTraceEx2
failureId
LocationHeader->Signature == ('cLdM')
SLGetLicensingStatusInformation
\$pL9s t?D8shu9D8siu3
L$XH+
fr-CI
MicrodomImplementation::CMicrodom_IRtlMicrodomTearoff::GetAttribute
kok-IN
H9t$Pu>
.?AVbad_array_new_length@std@@
9]0u79]8u
Software\Microsoft\UNP\Settings
SUVWATAUAVAWH
d$H9]
m_AttdefListTable.Initialize()
u5L9n
uk-UA
DecodePointer
Operation
EventWriteTransfer
T$8H!t$8H
T$PLcv
::RtlIsLBlobValid(Data)
SETUPAPI.dll
oL$0f
w+I9X
DownloadContentAction::Execute::OpenCABFile
RtlCopyLUtf8StringToLUnicodeString
zh-Hans
sr-Cyrl-BA
T$@E3
CCampaignContentInfo: Unable to open file: %s
CMicrodomBuilder::WriteXmlDom
%s: Evaluating SCCM node
tg-Cyrl
L$`H3
D$@E3
fr-CD
Successfully retrieved values: %s : %d, %s : %d, %s : %d, %s : %d, %s : %d, %s : %d
D$0H9]
EH9\$8t
AdminBlock
UXLauncherLaunchSuccess
L$ SWH
.didat$6
activatibleClassId
ar-LY
WindowsGetStringRawBuffer
OsVersionBlock
Temp = (*RtlReallocateStringRoutine)(Bytes, Blob->Buffer)
Attempting to open campaign configuration file: %s
EtwEventEnabled
L$ UWATAVAWH
ks-Arab
Windows is activated
(Params->InputType == Windows::Microdom::Rtl::CreateMicrodomSource::Binary) || (Params->InputType == Windows::Microdom::Rtl::CreateMicrodomSource::Xml)
UuidCreate
UnpSubmitRequestForSettingsOrContentSuccessfulCall
IsDebuggerPresent
>http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
fD9,yu
MicrodomImplementation::CMicrodom_IRtlMicrodomTearoff::HasAttributeNs
Test override set to disable signing check
L!t$ L
iSHp6
%s: Getting else action for formula %lu
.rdata$zETW1
UNP Detector
hu-HU
A^A\_^]
#text
@A_A^A\
ur-IN
MicrodomImplementation::CDomPositionCache::GetLocation
RtlVirtualUnwind
_o__crt_atexit
Not-null check failed: Root
|$ UH
D9D$h
tzm-Arab-MA
pA_A^_^]
RaiseFailFastException
A_A^A]_^
RunDetectorAction: Executing detector xml %s
WindowsStringHasEmbeddedNull
D9l$@tqL
::RtlIsLUtf8StringValid(StringIn)
DownloadContentAction::Execute: Failed downloading the Campaign Catalog {%s}
u3H;J
_o_iswspace
.CRT$XCA
9\$Pu
ulWhich < TheMap->Length
RtlXmlInitializeTokenization(&TokenizerState, &TokenizerInit)
RoGetActivationFactory
D9|$0t
downloadUrl
%s: Execution of RegDWORD node was blocked for regkey: %s
KERNEL32.dll
SetupIterateCabinetW
A^A]A\_]
%s\UNP
es-SV
DetectorFormExecution
Successfully retrieved content version: %d
\$@fD99tdL
this->m_PositionList.Allocate(LocationHeader->ulItemCount)
NewAttlistClose = this->AllocateStreamObject()
0A_A^A]_]
Downloads
DomainJoined
.w,t*
ElseAction
T$8H!\$8
UnhandledExceptionFilter
MicrodomWriterImplementation::CMicrodomWriter_IRtlMicrodomXmlWriter::CloseElement
180823202619Z
|$dI;
LocalFileName
fD9 t
!9y8t
EventUnregister
E;u4|
U0S0Q
Microsoft Time-Stamp Service0
Campaign configuration file successfully parsed
fE9,Lu
currentContextName
|$(I;
@SUVWATAUAVAWH
DetectorProcessEnd
MicrodomImplementation::CMicrodom::GetDocumentNodeSet
(DynamicBuffer == 0) || (DynamicBuffer->Length == 0)
MicrodomImplementation::CMicrodom_IRtlMicrodomTearoff::GetAttributeNS
`!\$PL
_o___std_exception_destroy
x AVE3
VS_VERSION_INFO
TmpNodes.Resize(cNecessary)
;|$`r
ObjectHeader->uElementType == ucObjectType
H!|$`
Source.Length >= 3
api-ms-win-core-synch-l1-2-0.dll
Main: Failed to update launch hold off expiry
RtlReallocateLUtf8String
D9eXu
x UATAUAVAWH
D9t$ht
ff-NG
A_A^_^]
x[9|$H@
as-IN
.CRT$XCZ
%s: Evaluating LangPack node
sma-SE
lb-LU
sv-SE
Campaign for Custom JS Handler not found in Campaign Catalog.
nn-NO
Id[*]
X64PATH
currentContextMessage
Exception
`A^_^[]
campaignExpired
D9#u`H
Not-null check failed: String1
.CRT$XPA
false
.data
x UAUAVH
CRYPT32.dll
Not-null check failed: String2
D9iD~'M
PoolHeader->Signature == ('pSdM')
T$$D!t$ H
BUCL::Rtl::ConvertInteger(WriteBlock.Length, pHeader->ulOffsetToPositionData)
Software\Microsoft\UNP\UpdateNotificationMgr
RtlXmlNextLogicalThing( &m_State, &m_Namespaces, &m_CurrentThing, &m_AttributeList )
Windows is not activated
memset
[%hs]
mt-MT
BUCL::Rtl::AddInPlaceWithOverflowCheck(&cbRequired, (*EncodingSizer)(ucsch))
(Destination->Buffer != 0) || (Destination->MaximumLength == 0)
0A_A^A\_^][
D$ L#
rv.UcsCharacter < 0x110000
m_StoredTable.FindOrInsertIfNotPresent(Pair, Value, 0, pfExisted)
MicrodomImplementation::DecodeXmlCharacterToUcsChar
RtlInitializeSmartLBlobWritingContext
\$ UVWAVAWH
GetProcAddress
dv-MV
L9l$8t
</trustInfo>
Global\Microsoft.Windows.UNP.Content
ProductName
TempTempElements.Allocate(NewCapacity)
NewProcessingInstruction = this->AllocateStreamObject()
CMicrodomBuilder::GetXmlDomSize
BUCL::Rtl::Add<SIZE_T>( cbNecessary, Iter.Key.Length, sizeof(UCHAR), cbNecessary)
t\f9)tWH
UXLauncherLaunchDenied
Microsoft Corporation1.0,
SubState
fE9<Fu
ga-IE
D9t$`u
wrI9X
MicrodomImplementation::CMicrodom::GetElementsByTagName
.idata$6
RoRegisterActivationFactories
#document
D$`E3
CertVerifyCertificateChainPolicy
el-GR
metadata.json
_o_memcpy_s
####-##-##S
Microsoft Time-Stamp Service
L$XD8d$\uV
9D$8u
t^@8=
>o@1>
@A_A^_^]
REQUIRED
tr-TR
D$HE3
Software\Microsoft\UNP\UXLauncher
LANGPACK
NetGetAadJoinInformation
TempElements.Allocate(NewCapacity)
Not-null check failed: pStream
D$0L9l$H
DownloadContentAction::Execute: Content was up to date for Campaign {%s}
fF9<Cu
te-IN
PA^_^
(D$0H
_o_malloc
t$ UWAVH
RtlXmlInitializeNextLogicalThing(this, &Init)
MoveFileW
TillExecute
AllowedVersions
onecore\base\lstring\ucsdecoders.cpp
FileVersion
CMicrodomBuilder::ConsumeCData
EtwEventWrite
fD9$Au
MicrodomImplementation::CMicrodom_IRtlMicrodomTearoff::CTempOutputStream::CreateInterface
L$hH3
Error getting campaign config version
Microsoft Corporation1&0$
p AWH
Verbose
1(0&0
Not-null check failed: DataBlock
180703204550Z
Windows.Data.Xml.Dom.XmlDocument
Got Resultant
9(t-H
ar-JO
Value
sr-Cyrl
pA^_^][
|$X\u
D9l$@
Not-null check failed: fHasAttributes
wilResult
ar-KW
GetCampaignState: Campaign has expired
fB9,Au
RoInitialize
EtwEventRegister
or-IN
(LocationHeader->ulFlags & ~((0x00000001) | (0x00000002) | (0x00000003))) == 0
9D$@v
H9]'t
UAVAWH
A_A^_
_o_exit
SLClose
Error getting campaign content version
SetFilePointer
USVWATAVAWH
<requestedPrivileges>
D$ A;
F D8d$\t
%s: Initializing with from XML
CompareStringOrdinal
ulValue < MultFactor
|$X'u%A
MicrodomWriterImplementation::CMicrodomWriter_IRtlMicrodomXmlWriter::WriteEscapedString
quz-EC
Unknown exception
api-ms-win-crt-runtime-l1-1-0.dll
@8t$T
Catalog version = %d
xA_A^A]A\_^[]
9]Pt L
MicrodomImplementation::CStringpoolCache::FindString
Ehttp://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt0
CMicrodomBuilder::CFourStringIdTable<struct _MICRODOM_XML_ATTDEF const *>::Initialize
WindowsCreateString
http://www.w3.org/2000/09/xmldsig#
om-ET
*** Assertion failed: %s
D8d$\tR
NewInstance.Allocate()
es-GT
RtlIsLUtf8StringValid(TagName) || (TagName == 0)
>c@1>
CreateMutexExW
ShellExecuteA
D$pD9G
EventRegister
es-PR
NOTIFICATIONFREQUENCYINSECONDS
%s: Evaluating Country node
@8t$0
fD9{rr
kk-KZ
@UVWH
A_A^_^]
D9oHu
DeleteFileW
GDI32.dll
ED9d$<u
%watU
w/H9Y
D9t$Xu
ConfigurationExpireDate
L$ H;
Successfully retrieved value: %d.%d.%d
D;H(u
H9]/t
de-LU
HeapAlloc
A_A^A\_^
Software\Microsoft\UNP\Detector\%s\%lu
RtlIsMicrodomUpdateContextValid(TheContext)
CDATA
es-PY
Windows::Rtl::CRtlObjectTypeDescription<class MicrodomImplementation::CMicrodom>::CreateInstance
D$(H+
D9d$0
DbgPrintEx
t$H;D$<
Error getting Detector version
ps-AF
.data$brc
H9u7t
ibb-NG
configExpired
ELEMENT
F H;F(v
onecore\base\lstring\lblob.cpp
MicrodomImplementation::CMicrodom::GetNamedNodeMapLength
DWORD
H3E H3E
InternalName
DownloadFileAction::Execute: Failed downloading from url {%s}
PoolHeader != 0
ATTLIST
en-AU
F(H9F v
km-KH
9(tTH
NetGetJoinInformation
hr-BA
%s: Failed to get else action
UNPSelfHost.dll
hi-IN
CurrentUserAADJ
0b2-D
IsProcessorFeaturePresent
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
UNPUXLauncher.EXE
_o_wcstoul
CXmlLogicalState::Initialize
.rsrc$02
Attempting to retrieve campaign actions
D$8L9D$0t1A
::RtlIsLUtf8StringValid(Source)
CMicrodomBuilder::StartAttlist
0.0.0.0
9L$<I
CXmlLogicalState::~CXmlLogicalState
GetDC
A;H(t
fr-RE
t$HA;
requestAbsoluteUrl
xmlns
en-US
ku-Arab
OLEAUT32.dll
kernel32.dll
ManagedBlock
BUCL::Rtl::Add(cbReturnSize, cbThisSize, cbReturnSize)
WindowAppearance
.text$di
MicrodomImplementation::CDomPositionCache::AttachToPositionList
Global\Microsoft.Windows.Unp
ti-ET
originatingContextMessage
ii-CN
VWATAVAWH
MulDiv
DetectorFormulaEvaluateFailed
</requestedPrivileges>
isAADJMachineManaged
DetectorPing
ca-ES-valencia
L$(H3
Main: validating CampaignID
MicrodomImplementation::CMicrodom_IRtlMicrodomTearoff::GetPropertiesSetup
haw-US
ACTIONS
"Microsoft Time Source Master Clock0
GetCurrentProcessId
PreserveContent
ro-MD
L$XH3
D$dA;
_o__wcsicmp
RegCreateKeyExW
I0G1-0+
Main: Validated Campaign Guid=%s
DownloadFileAction
es-PE
pHeader->ulOffsetToPositionData < pHeader->ulTotalSize
.rdata$zETW0
L$&fA;
Not-null check failed: Params
pl-PL
9MdSpt
vi-VN
NodeMap != Windows::Microdom::Rtl::NamedNodeMap::InvalidValue()
WaitForSingleObjectEx
::RtlIsLBlobValid(Destination)
ar-QA
MDM is detected
Software\Microsoft\UNP\Detector\%s\State
GetSystemMetrics
lo-LA
&2?b@1>
RtlAppendLUtf8StringToLUtf8String
Message
Evaluating RegDWORD node
MicrodomWriterImplementation::CMicrodomWriter::CreateInterface
%w`tT
Action for substate %s is %s
errorCode
@USWH
Got Mode %s
@USVWH
CoTaskMemFree
ms-BN
fr-CM
configStaged
.CRT$XIZ
UpdateNotificationCatalog.json
%s: Expected, %lu; Actual, %lu; Op, %d
Temp = (PUCHAR)((*RtlAllocateStringRoutine)(Bytes))
Software\Microsoft\UNP\LocalState\Telemetry
EncodePointer
!This program cannot be run in DOS mode.
Msg:[%ws]
D$xH;H
@A^_^
A_A^A]_^[]
RtlIsLUtf8StringValid(Name)
minATL$__f
UTF-16
Microsoft America Operations1&0$
Campaign content file successfully parsed: %s
Lct$$H
ACTIVECAMPAIGNS
%s: Getting existence of else action for formula %lu
CMicrodomBuilder::ConsumeProcessingInstruction
wwwwwwww
Redmond1
>http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0
BUCL::Rtl::QuickSort(Pairs, CompareStringSlot)
GetGeoInfoW
Executing AND node
?MdDtt
%s\UNP\UpdateNotificationMgr\UNPCampaigns\%s
IDREFS
A^_^[]
USER32.dll
pHeader->ulSignature == ('dHdM')
t"D8=
|$DA;~
DownloadContentAction: Content url has changed
uOL9-
D$ fD
L9{@u
OpenSemaphoreW
UXHelpers: Retreived notification frequency from campaign manager=%d seconds
d$@D9t$l
r~akow
GetUserGeoID
E(I9E v
FallbackError
T$@9r
ContentVersion
EnterCriticalSection
.CRT$XCU
es-NI
whichElement != Windows::Microdom::Rtl::Element::InvalidValue()
m_StoredTable.FindOrInsertIfNotPresent(p, (USHORT)0, 0, &fExisted)
ConvertStringSecurityDescriptorToSecurityDescriptorW
fE9Qrr
bn-BD
L+u L
sr-Latn
D;X$u
_o__get_wide_winmain_command_line
(D$PL
CampaignBase: Clearing up after campaign since we do not have an active action
(SourceCount == 0) || (Sources != 0)
BlockEvaluator: error creating %s
launchType
D9d$0t
H9h u
%s: Failed to get action
%hs(%d) tid(%x) %08X %ws
oK0D$"<
Encoder != 0
RtlWriteMicrodomXml
Formula[Id=%lu]
pDomLayout->ulSignature == ('lDdM')
wytL'
CMicrodomBuilder::CFourStringIdTable<unsigned short>::Initialize
RtlAllocateLBlob
`A_A^_^]
GetCurrentProcess
cs-CZ
9|$8t'L
Not-null check failed: pDocument
so-SO
RtlRaiseStatus
fa-IR
fileName
d$ E3
MicrodomImplementation::CMicrodom_IRtlMicrodomTearoff::HasChildNodes
|H!T$PL
Not-null check failed: Data
LocalFree
%s: Executing Country node
L!l$H
L9o@t
.?AVResultException@wil@@
</assembly>
UCS-2
%s: Evaluating RegString node
.didat$3
CAMPAIGNEXPIREDATE
smj-SE
mn-Mong-CN
f9hrt
LoadJsonFromFile
(D$PH
Translation
A_A^A]A\_^]
onecore\base\lstring\lutf8_string.cpp
en-MY
rm-CH
mr-IN
DetectorVersion
se-NO
(A_A^A]A\_^][
NMTOKEN
it-IT
Error getting campaign catalog version
MicrodomWriterImplementation::CMicrodomWriter_IRtlMicrodomXmlWriter::EmitAttribute
%s: Getting formula ids
UXLauncherBlockDenied
E9<$u
WilError_02
_o__callnewh
CompletedValue
(A_A^_^][
f9,yu
%s: Getting and evaluating formula %lu
fD9<Gu
::BUCL::Rtl::Add<SIZE_T>( cElements, 10, NewCapacity)
.CRT$XIAC
allowMDMManaged
zh-SG
ProductVersion
UCS-4
Not-null check failed: NodeSet
sv-FI
f94Cu
D$(I+
CMicrodomBuilder::EndElement
MicrodomWriterImplementation::CMicrodomWriter_IRtlMicrodomXmlWriter::BeginOpenElement
8A^A\_^][
t$PE3
waI9Y
.didat$4
gu-IN
__CxxFrameHandler3
RtlIsLUtf8StringValid(ElementId)
.CRT$XIAA
D9v$~3I
%!_ma@1>a@1>a@1>h8
fD9<Au
u,A9D
A_A^A\_^[]
failureType
FIXED
DOMAIN
Windows
SleepConditionVariableCS
es-US
20180915213558Z0w0=
SUVWATAVAWH
CXmlNamespaceManager::Initialize
hresult
M9H u
iu-Cans
6a0m}
quz-BO
level="asInvoker"
RtlpSmartLBlobWritingContextResizePolicy
&8?[@1>
Evaluating NOT node
.idata$2
hsb-DE
pa-Arab-PK
t:D9@ u
x AVH
MicrodomImplementation::CMicrodom_IRtlMicrodomTearoff::GetElementById
1/0-0
LocationHeader != 0
LaunchHoldoffNotExpired
BUCL::Rtl::Add(pCachedInfo->m_ulChildCount, pCachedInfo->m_ulAttributeCount, cNecessary)
%s: Evaluating formula %ul
l$LE3
Not-null check failed: Params->Source.pIStream
D$8L;
CoReleaseServerProcess
SYSTEM
>`@1>
A;w$|
sr-Cyrl-CS
}XH!}`M
.tls$
@UAVAWH
fD94Cu
L$`H+
ulLocation < m_PositionList.Length
Not-null check failed: PseudoKeyOut
BUCL::Rtl::Add<SIZE_T>(DataLength, OldLength, TempSize)
UXHelper: Deleted shortcut %ls
.xdata
D$(H+G H
.gfids
CoAllowSetForegroundWindow
%s %s %s %s
TestOverride
Entity.Length != 0
190726204550Z0p1
%hs(%d)\%hs!%p:
Operating System
RoActivateInstance
N0L0J
@.didat
blockName
t4A9~
GetModuleHandleExW
D:PAI(A;OICI;FA;;;WD)
0A_A^]
fr-CH
UnpCampaignManagerExeNotAllowed
es-UY
UxLauncherCampaignDone
::RtlIsLBlobValid(Source)
Unable to start logging to file
se-SE
QWORD
es-CO
A0D!z
Not-null check failed: Context
pA_A^A\_^[]
onecore\base\xml\udom_xmlwalker.h
%s: Evaluating Genuine node
m_pTargetObject->IsNamedNodeMapValid(NodeMap)
Microsoft Corporation1%0#
t$ WATAUAVAWH
GetLastError
191123202619Z0
@USVWATAUAVAWH
ar-IQ
AuthD
LogHr
u>H;J
wwwwwwwwww
ShellNotificationsBlocked
DETECTOR\Formulas
es-VE
CreateScheduledTasksAction
Task name: %s
bin-NG
|$ UAVAWH
D9l$4t
fD94Hu
sr-Latn-BA
scheduled
Successfully retrieved value: %d
fD94Gu
L$8tAH
es-MX
Action
d$HE3
%wgt[
D9e@u
pA_A^A]A\_^]
H USVWAVAWH
%s: Failed to get formula type
isSCCMManaged
RtlIsLUtf8StringValid(LocalName) || (LocalName == 0)
8#u'H
DetectorXmlKey
bn-IN
A_A^A]A\]
A_A^A]_]
InitOnceBeginInitialize
GetSystemInfo
DownloadContentAction: Content directory did not exist
%04u-%02u-%02u%s%02u:%02u:%02u%s
_o___stdio_common_vsnprintf_s
_@88t
`.rdata
(Flags & ((0x00000002) | (0x00000004))) != ((0x00000002) | (0x00000004))
D;`$u
DestinationMaximumLength >= SourceLength
ar-BH
RtlCreateMicrodom
DetectorFormulaExecuteActionFailed
RegQueryInfoKeyW
RegCloseKey
D8n1u
Executing OR node
UnpCampaignManagerUriNotAllowed
de-LI
lineNumber
RtlAllocateHeap
kl-GL
%s: Filter country, %s

PE Information

Image Base 0x140000000
Entry Point 0x00047bc0
Reported Checksum 0x00081228
Actual Checksum 0x00081228
Minimum OS Version 10.0
PDB Path UNPUXLauncher.pdb
Compile Time 2070-02-03 16:15:47
Import Hash 31325687cfa1b16848381c29d847ec78
Icon Exact Hash 75186613e8ddeb363433761332f980c7
Icon Similarity Hash c5c5797dda45f82b92cd5b6b3a7ad49d
Icon DHash 808484a4a4848480

Version Infos

CompanyName Microsoft Corporation
FileDescription UNP UXLauncher
FileVersion 10.0.17763.1 (WinBuild.160101.0800)
InternalName UNPUXLauncher.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename UNPUXLauncher.EXE
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.17763.1
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x00049348 0x00049400 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.39
.rdata 0x00049800 0x0004b000 0x0001a48a 0x0001a600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.87
.data 0x00063e00 0x00066000 0x00000ccc 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.47
.pdata 0x00064200 0x00067000 0x00002754 0x00002800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.63
.didat 0x00066a00 0x0006a000 0x00000018 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.19
.rsrc 0x00066c00 0x0006b000 0x0000d498 0x0000d600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 2.63
.reloc 0x00074200 0x00079000 0x0000073c 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.16

Overlay

Offset 0x00074a00
Size 0x00002200

Name Offset Size Language Sub-language Entropy File type
RT_ICON 0x0006b9b8 0x000002e8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.29 None
RT_ICON 0x0006bca0 0x000001e8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.30 None
RT_ICON 0x0006be88 0x000001a8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.19 None
RT_ICON 0x0006c030 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US 2.49 None
RT_ICON 0x0006c158 0x000008a8 LANG_ENGLISH SUBLANG_ENGLISH_US 1.86 None
RT_ICON 0x0006ca00 0x000006c8 LANG_ENGLISH SUBLANG_ENGLISH_US 1.47 None
RT_ICON 0x0006d0c8 0x00000608 LANG_ENGLISH SUBLANG_ENGLISH_US 1.49 None
RT_ICON 0x0006d6d0 0x00000568 LANG_ENGLISH SUBLANG_ENGLISH_US 1.24 None
RT_ICON 0x0006dc38 0x00004228 LANG_ENGLISH SUBLANG_ENGLISH_US 2.19 None
RT_ICON 0x00071e60 0x000025a8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.24 None
RT_ICON 0x00074408 0x00001a68 LANG_ENGLISH SUBLANG_ENGLISH_US 2.24 None
RT_ICON 0x00075e70 0x000010a8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.45 None
RT_ICON 0x00076f18 0x00000988 LANG_ENGLISH SUBLANG_ENGLISH_US 2.29 None
RT_ICON 0x000778a0 0x000006b8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.53 None
RT_ICON 0x00077f58 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 2.76 None
RT_GROUP_ICON 0x000783c0 0x000000d8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.19 None
RT_VERSION 0x0006b610 0x000003a4 LANG_ENGLISH SUBLANG_ENGLISH_US 3.48 None
RT_MANIFEST 0x0006b400 0x0000020a LANG_ENGLISH SUBLANG_ENGLISH_US 4.83 None

Imports

Name Address
EventWriteTransfer 0x14004dd98
EventUnregister 0x14004dda0
EventSetInformation 0x14004dda8
EventRegister 0x14004ddb0
RegSetValueExW 0x14004ddb8
RegOpenKeyExW 0x14004ddc0
RegCloseKey 0x14004ddc8
RegCreateKeyExW 0x14004ddd0
ConvertStringSecurityDescriptorToSecurityDescriptorW 0x14004ddd8
RegQueryValueExW 0x14004dde0
ControlTraceW 0x14004dde8
StartTraceW 0x14004ddf0
QueryTraceW 0x14004ddf8
EnableTraceEx2 0x14004de00
RegDeleteValueW 0x14004de08
OpenProcessToken 0x14004de10
GetTokenInformation 0x14004de18
RegQueryInfoKeyW 0x14004de20
RegEnumKeyW 0x14004de28
RegDeleteKeyW 0x14004de30
Name Address
GetProcessHeap 0x14004de60
GetModuleHandleW 0x14004de68
DebugBreak 0x14004de70
IsDebuggerPresent 0x14004de78
LocalFree 0x14004de80
LocalAlloc 0x14004de88
InitOnceBeginInitialize 0x14004de90
InitOnceComplete 0x14004de98
CreateMutexW 0x14004dea0
CompareStringW 0x14004dea8
GlobalFree 0x14004deb0
DeleteFileW 0x14004deb8
MultiByteToWideChar 0x14004dec0
GetVersionExA 0x14004dec8
ReadFile 0x14004ded0
SetFilePointer 0x14004ded8
GetFileSize 0x14004dee0
CreateFileW 0x14004dee8
GetCurrentProcessId 0x14004def0
MoveFileW 0x14004def8
GetSystemTime 0x14004df00
SystemTimeToFileTime 0x14004df08
GetUserDefaultUILanguage 0x14004df10
GetFileAttributesW 0x14004df18
CreateDirectoryW 0x14004df20
HeapAlloc 0x14004df28
CompareFileTime 0x14004df30
MulDiv 0x14004df38
GetCurrentProcess 0x14004df40
GetVersion 0x14004df48
SetEvent 0x14004df50
CreateEventW 0x14004df58
DecodePointer 0x14004df60
ReleaseSRWLockExclusive 0x14004df68
AcquireSRWLockExclusive 0x14004df70
EncodePointer 0x14004df78
ReleaseSRWLockShared 0x14004df80
AcquireSRWLockShared 0x14004df88
CreateMutexExW 0x14004df90
GetFileSizeEx 0x14004df98
CloseHandle 0x14004dfa0
OpenSemaphoreW 0x14004dfa8
WaitForSingleObjectEx 0x14004dfb0
OutputDebugStringW 0x14004dfb8
GetLastError 0x14004dfc0
FormatMessageW 0x14004dfc8
ReleaseMutex 0x14004dfd0
GetCurrentThreadId 0x14004dfd8
WaitForSingleObject 0x14004dfe0
GetModuleHandleExW 0x14004dfe8
ReleaseSemaphore 0x14004dff0
SetLastError 0x14004dff8
EnumUILanguagesW 0x14004e000
CompareStringOrdinal 0x14004e008
GetGeoInfoW 0x14004e010
GetUserGeoID 0x14004e018
HeapFree 0x14004e020
CreateSemaphoreExW 0x14004e028
GetModuleFileNameA 0x14004e030
MoveFileExW 0x14004e038
GetProcAddress 0x14004e040
RaiseException 0x14004e048
GetSystemInfo 0x14004e050
LoadLibraryExA 0x14004e058
VirtualProtect 0x14004e060
ExpandEnvironmentStringsW 0x14004e068
LoadLibraryW 0x14004e070
InitializeCriticalSection 0x14004e078
LoadLibraryExW 0x14004e080
FreeLibrary 0x14004e088
VirtualQuery 0x14004e090
GetStartupInfoW 0x14004e098
InitializeSListHead 0x14004e0a0
GetSystemTimeAsFileTime 0x14004e0a8
QueryPerformanceCounter 0x14004e0b0
ResetEvent 0x14004e0b8
DeleteCriticalSection 0x14004e0c0
InitializeCriticalSectionAndSpinCount 0x14004e0c8
LeaveCriticalSection 0x14004e0d0
EnterCriticalSection 0x14004e0d8
IsProcessorFeaturePresent 0x14004e0e0
TerminateProcess 0x14004e0e8
SetUnhandledExceptionFilter 0x14004e0f0
UnhandledExceptionFilter 0x14004e0f8
Name Address
GetDeviceCaps 0x14004de50
Name Address
ReleaseDC 0x14004e1b8
GetDC 0x14004e1c0
GetSystemMetrics 0x14004e1c8
Name Address
_initterm_e 0x14004e3f8
_c_exit 0x14004e400
_register_thread_local_exe_atexit_callback 0x14004e408
_initterm 0x14004e410
Name Address
memset 0x14004e420
Name Address
_o__errno 0x14004e2a8
_o__exit 0x14004e2b0
_o__get_wide_winmain_command_line 0x14004e2b8
_o__initialize_onexit_table 0x14004e2c0
_o__initialize_wide_environment 0x14004e2c8
_o__invalid_parameter_noinfo 0x14004e2d0
_o__purecall 0x14004e2d8
_o__register_onexit_function 0x14004e2e0
_o__seh_filter_exe 0x14004e2e8
_o__set_app_type 0x14004e2f0
_o__set_fmode 0x14004e2f8
_o__set_new_mode 0x14004e300
_o__wcsicmp 0x14004e308
_o__wcsnicmp 0x14004e310
_o__wtol 0x14004e318
_o_bsearch 0x14004e320
_o_exit 0x14004e328
_o_free 0x14004e330
_o_iswspace 0x14004e338
_o_malloc 0x14004e340
_o_memcpy_s 0x14004e348
_o_terminate 0x14004e350
_o_wcstoul 0x14004e358
__C_specific_handler 0x14004e360
_CxxThrowException 0x14004e368
_o__cexit 0x14004e370
_o__callnewh 0x14004e378
_o__configthreadlocale 0x14004e380
_o__crt_atexit 0x14004e388
_o__configure_wide_argv 0x14004e390
_o___stdio_common_vswprintf 0x14004e398
_o___stdio_common_vsprintf_s 0x14004e3a0
_o___stdio_common_vsnprintf_s 0x14004e3a8
_o___std_exception_destroy 0x14004e3b0
_o___std_exception_copy 0x14004e3b8
_o___p__commode 0x14004e3c0
wcschr 0x14004e3c8
__CxxFrameHandler3 0x14004e3d0
memcmp 0x14004e3d8
memcpy 0x14004e3e0
memmove 0x14004e3e8
Name Address
CoUninitialize 0x14004e498
CoReleaseServerProcess 0x14004e4a0
CoTaskMemFree 0x14004e4a8
CoRevokeClassObject 0x14004e4b0
CoRegisterClassObject 0x14004e4b8
CoResumeClassObjects 0x14004e4c0
CoAddRefServerProcess 0x14004e4c8
CoAllowSetForegroundWindow 0x14004e4d0
CoCreateInstance 0x14004e4d8
Name Address
VariantClear 0x14004e130
SysAllocString 0x14004e138
SysFreeString 0x14004e140
VariantInit 0x14004e148
Name Address
RtlNtStatusToDosError 0x14004e430
RtlInitializeCriticalSection 0x14004e438
RtlReAllocateHeap 0x14004e440
RtlAllocateHeap 0x14004e448
RtlDeleteCriticalSection 0x14004e450
RtlRaiseStatus 0x14004e458
RtlVirtualUnwind 0x14004e460
RtlLookupFunctionEntry 0x14004e468
RtlCaptureContext 0x14004e470
DbgPrintEx 0x14004e478
RtlFreeHeap 0x14004e480
NtYieldExecution 0x14004e488
Name Address
UuidCreate 0x14004e158
Name Address
NetFreeAadJoinInformation 0x14004e108
NetGetJoinInformation 0x14004e110
NetGetAadJoinInformation 0x14004e118
NetApiBufferFree 0x14004e120
Name Address
ShellExecuteA 0x14004e178
SHGetKnownFolderPath 0x14004e180
SHQueryUserNotificationState 0x14004e188
SHFileOperationW 0x14004e190
Name Address
PathCchCanonicalize 0x14004e208
PathCchAddBackslash 0x14004e210
Name Address
RoGetActivationFactory 0x14004e238
RoInitialize 0x14004e240
RoRegisterActivationFactories 0x14004e248
RoUninitialize 0x14004e250
RoRevokeActivationFactories 0x14004e258
RoActivateInstance 0x14004e260
Name Address
RoOriginateErrorW 0x14004e220
RoOriginateError 0x14004e228
Name Address
WTHelperGetProvSignerFromChain 0x14004e1e8
WTHelperProvDataFromStateData 0x14004e1f0
WinVerifyTrust 0x14004e1f8
Name Address
CertVerifyCertificateChainPolicy 0x14004de40
Name Address
PathIsFileSpecW 0x14004e1a0
StrStrIW 0x14004e1a8
Name Address
SetupIterateCabinetW 0x14004e168
Name Address
ExpandEnvironmentStringsForUserW 0x14004e1d8



Usage


Processing ( 11.25 seconds )

  • 10.497 ProcessMemory
  • 0.72 CAPE
  • 0.024 BehaviorAnalysis
  • 0.005 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.06 seconds )

  • 0.008 ransomware_files
  • 0.006 antianalysis_detectfile
  • 0.006 antiav_detectreg
  • 0.005 ransomware_extensions
  • 0.003 antiav_detectfile
  • 0.003 infostealer_ftp
  • 0.003 territorial_disputes_sigs
  • 0.003 ursnif_behavior
  • 0.002 antivm_vbox_files
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.002 masquerade_process_name
  • 0.001 antianalysis_detectreg
  • 0.001 antidebug_devices
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_keys
  • 0.001 geodo_banking_trojan
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 qulab_files
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior

Reporting ( 0.01 seconds )

  • 0.01 CAPASummary
  • 0.002 JsonDump

Signatures

The PE file contains a PDB path
  • pdbpath: UNPUXLauncher.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
The binary contains an unknown PE section name indicative of packing
  • unknown section: {'name': '.didat', 'raw_address': '0x00066a00', 'virtual_address': '0x0006a000', 'virtual_size': '0x00000018', 'size_of_data': '0x00000200', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000040', 'entropy': '0.19'}
Yara detections observed in process dumps, payloads or dropped files
  • Hit: PID 3552 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 59 }']'
Anomalous binary characteristics
  • anomaly: Entrypoint of binary is located outside of any mapped sections
Binary compilation timestomping detected
  • anomaly: Compilation timestamp is in the future

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Windows\System32\kernel.appcore.dll
\Device\CNG
C:\Program Files\UNP\Logs
C:\Users\Packager\AppData\Local\Temp
C:\Program Files
C:\Program Files\UNP
C:\Windows\Globalization\Sorting\sortdefault.nls
ntdll.dll.RtlWow64GetCurrentMachine
ntdll.dll.RtlWow64IsWowGuestMachineSupported
Local\SM0:3552:304:WilStaging_02
Global\Microsoft.Windows.UpdateNotificationPipeline.Telemetry
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.