Analysis

Category FILE
Package exe
Started 2025-06-12 23:07:51
Completed 2025-06-12 23:25:30
Duration 1059 seconds
Options
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1
2024-11-25 13:37:15,131 [root] INFO: Date set to: 20250612T08:46:27, timeout set to: 1000
2025-06-12 09:46:27,555 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8
2025-06-12 09:46:27,555 [root] DEBUG: Storing results at: C:\nvRcCS
2025-06-12 09:46:27,555 [root] DEBUG: Pipe server name: \\.\PIPE\ygcqzFMNOh
2025-06-12 09:46:27,555 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-12 09:46:27,555 [root] INFO: analysis running as an admin
2025-06-12 09:46:27,555 [root] INFO: analysis package specified: "exe"
2025-06-12 09:46:27,555 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-12 09:46:28,165 [root] DEBUG: imported analysis package "exe"
2025-06-12 09:46:28,165 [root] DEBUG: initializing analysis package "exe"...
2025-06-12 09:46:28,165 [lib.common.common] INFO: wrapping
2025-06-12 09:46:28,165 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-12 09:46:28,165 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\DataExchangeHost.exe
2025-06-12 09:46:28,165 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-12 09:46:28,165 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-12 09:46:28,165 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-12 09:46:28,165 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-12 09:46:28,368 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-12 09:46:28,462 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-12 09:46:28,493 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-12 09:46:28,509 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-12 09:46:28,509 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-12 09:46:28,509 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-12 09:46:28,524 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-12 09:46:28,524 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-12 09:46:28,524 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-12 09:46:28,524 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-12 09:46:28,524 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-12 09:46:28,524 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-12 09:46:28,524 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-12 09:46:28,524 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-12 09:46:28,524 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-12 09:46:28,524 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-12 09:46:28,524 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-12 09:46:28,524 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-12 09:46:39,993 [modules.auxiliary.digisig] DEBUG: File has a valid signature
2025-06-12 09:46:39,993 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-12 09:46:39,993 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-12 09:46:39,993 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-12 09:46:39,993 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-12 09:46:39,993 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-12 09:46:39,993 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-12 09:46:39,993 [modules.auxiliary.disguise] INFO: Disguising GUID to 17f92b02-79d2-44f4-a080-01a9f0954dcc
2025-06-12 09:46:39,993 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-12 09:46:39,993 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-12 09:46:39,993 [root] DEBUG: attempting to configure 'Human' from data
2025-06-12 09:46:39,993 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-12 09:46:39,993 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-12 09:46:40,009 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-12 09:46:40,009 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-12 09:46:40,009 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-12 09:46:40,009 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-12 09:46:40,009 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-12 09:46:40,024 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-12 09:46:40,024 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-12 09:46:40,024 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-12 09:46:40,024 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-12 09:46:40,024 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-12 09:46:40,024 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-12 09:46:40,024 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-12 09:46:40,071 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini
2025-06-12 09:46:40,071 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-12 09:46:40,071 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-12 09:46:40,071 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-12 09:46:40,071 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-12 09:46:40,071 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-12 09:46:40,071 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-12 09:46:40,071 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\SvhbRq.dll, loader C:\tmp_gell1p8\bin\DAYmMlFe.exe
2025-06-12 09:46:40,165 [root] DEBUG: Loader: IAT patching disabled.
2025-06-12 09:46:40,180 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\SvhbRq.dll.
2025-06-12 09:46:40,227 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-12 09:46:40,227 [root] INFO: Disabling sleep skipping.
2025-06-12 09:46:40,227 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-12 09:46:40,227 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-12 09:46:40,227 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-12 09:46:40,227 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-12 09:46:40,227 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-12 09:46:40,227 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-12 09:46:40,243 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-12 09:46:40,243 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-12 09:46:40,243 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF822670000, thread 500, image base 0x00007FF60D500000, stack from 0x0000008EFACF4000-0x0000008EFAD00000
2025-06-12 09:46:40,243 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-12 09:46:40,259 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-12 09:46:40,259 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-12 09:46:40,259 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\SvhbRq.dll.
2025-06-12 09:46:40,259 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-12 09:46:4 <truncated>
Machine

Name win10-2
Label win10-2
Manager KVM
Started On 2025-06-12 23:07:51
Shutdown On 2025-06-12 23:25:10
Route none

File Details

File Name
DataExchangeHost.exe
File Type PE32+ executable (GUI) x86-64, for MS Windows
File Size 243216 bytes
MD5 75ff7c9e62c79513a73879d2f78256ef
SHA1 a79f6bbe4995cb48771445270997cef0a0a6125b
SHA256 d0b9e7c79bd8462b182157df410cfebdd2d28d1e89773590df383acec9826957
SHA3-384 5847443c403dd1460bb35ff81bd6956bea02ea6532251feb7b1cf12183c04f99831850c58d5cff36c0128dd1e0b030b8
CRC32 15061AFF
TLSH T1D0343A6717DC0CD6E92AA13D85C3C64DF6B278521722C6CF4221825F4F7B6E5AD3A360
Ssdeep 6144:wSkZ96rm7z4Y/Wje/GGB8dAm5NIygmwN8a:XSJX4Y/Qe/udNnq8a

LockResource
l$ VWATAVAWH
Microsoft Corporation1.0,
l$ VWAVH
@.data
d95tuw
LocalAlloc
.idata$6
Dropped
RoRegisterActivationFactories
USVWAVH
.idata$4
WindowsCreateStringReference
?what@exception@@UEBAPEBDXZ
CloseThreadpoolTimer
<assemblyIdentity
api-ms-win-core-heap-l1-1-0.dll
fA9<Bu
A9@$r
ReleaseMutex
no such process
GetStartupInfoW
D9w tVH
GetParent
.rdata$T$brc
GetTokenInformation
L$ SUVWH
ResolveDelayLoadedAPI
Microsoft Time-Stamp Service
d3d11.dll
__dllonexit
CoGetCallerTID
Windows.ApplicationModel.DataTransfer.DataPackage
connection_aborted
9C@t#H
identifier removed
CoMarshalInterThreadInterfaceInStream
@A_A^_^]
AnsiText
t6H9}0
D$HE3
D$0H!\$0H
RegisterClassExW
H9H@u
CreateSemaphoreExW
@8~8t
not supported
|hK,_
??0exception@@QEAA@AEBQEBD@Z
.?AVbad_cast@@
u*9Q<|%
H;K@H
not_a_socket
operation not supported
api-ms-win-core-com-l1-1-0.dll
cross device link
.CRT$XCC
D$4E3
bad_file_descriptor
__pctype_func
9\$hv;
language="*"
EdpGetFilePathsForDataObject
TWINAPI.dll
WaitForMultipleObjects
FileVersion
no space on device
CreateWindowExW
Fapcshell\shell\dataexchange\host\lib\droptargetmediator.cpp
A9H r
D$PE3
$0< u;3
.?AVlength_error@std@@
__C_specific_handler
Microsoft Corporation1&0$
SVWAVH
191123202626Z0
p AWH
.?AVsystem_error@std@@
1(0&0
A9A$r
D9APu
.didat$7
180703204550Z
D3D11CreateDevice
Locale
Windows.Foundation.AsyncOperationCompletedHandler`1<Windows.ApplicationModel.DataTransfer.DataPackageOperation>
D$XfD;
network_down
y0;D$`
UXpcshell\shell\dataexchange\host\lib\dragvisual.h
CoReleaseMarshalData
memmove
Segoe UI Semibold
not a directory
std::exception: %hs
Source app got suspended
SetPriorityClass
(caller: %p)
Height
</security>
no link
TlP0X
K UVWATAUAVAWH
wilResult
interrupted
Ubad locale name
{8uOH
A9A r
_callnewh
Y<2qp
bad address
@SUWAVH
OpenProcess
250701214655Z0|1
CD$0H
xmlns="urn:schemas-microsoft-com:asm.v1"
A_A\_
__set_app_type
GetProcessMitigationPolicy
CreateEventW
api-ms-win-core-com-l1-1-1.dll
UAVAWH
A_A^_
@8=*s
KX@8q
Width
bad allocation
memcpy_s
operation not permitted
api-ms-win-core-localization-obsolete-l1-2-0.dll
DeleteTimerQueueTimer
</dependentAssembly>
uHH!uXH
</trustInfo>
USVWATAVAWH
.text$mn$00
api-ms-win-core-string-l1-1-0.dll
t$ WH
%I+6R
VWAVH
X_^[]
SetLastError
Microsoft Time-Stamp Service0
CoEnableCallCancellation
.rsrc$01
CallContext:[%hs]
!C<H!C@H!CHH!CP!CX!C\H
DebugBreak
DspBitmap
@Qm6t
system
0A_A^_^[
o\$PH
CoInitializeSecurity
ceilf
O0M0K
combase.dll
040904B0
Microsoft Corporation
A_A^A]A\_^[]
fD9,Qu
memcmp
PathFindFileNameW
KP@8q
.rdata$zETW2
_XcptFilter
229879+4379540
K0H9{
Ehttp://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt0
wrong_protocol_type
_lock
name="Microsoft.Windows.Common-Controls"
:97t6A
DspEnhancedMetafile
xL9|$ptFH
t{H95
F0E8x
not enough memory
too many symbolic link levels
WindowsCreateString
WindowsDeleteString
USVWATAUAVAWH
AcquireSRWLockShared
D$PH;
WindowFromPoint
HcA<H
CoTaskMemAlloc
__crtLCMapStringW
.?AVbad_alloc@std@@
A_A^A]A\_^]
GetCapture
@UVWATAUAVAWH
@SUVWAVH
CreateMutexExW
CoTaskMemRealloc
OwnerDisplay
DropTargetUiContext
ClientToScreen
L$XL+
<?xml version='1.0' encoding='utf-8' standalone='yes'?>
A_A^]
EventRegister
\$(H!\$0H!\$8
t6H9}
_wcsdup
GetWindowDpiAwarenessContext
GlobalLock
api-ms-win-core-util-l1-1-0.dll
W`I;Wpu
permission_denied
resource unavailable try again
@UVWH
_initterm
fE94Gu
A_A^_^]
filename_too_long
CoInitializeEx
TranslateMessage
.?AVlogic_error@std@@
fD9,Bu
_CxxThrowException
type="win32"
Immersive
<requestedPrivileges>
.idata$5
.?AVout_of_range@std@@
{ L95
ios_base::eofbit set
GetProcessId
CreateTimerQueueTimer
LeaveCriticalSection
L9Ihv'H
HeapAlloc
A_A^A\_^
InitOnceComplete
resource deadlock would occur
h UAVAWH
L954I
@A_A^]H
not connected
CoMarshalInterface
protocol_not_supported
too many files open in system
destination address required
FXH9nHu
TargetRejected
operation_would_block
WideCharToMultiByte
L$ SVWH
.pdata
u#D9R
internal\sdk\inc\wil\Resource.h
wcschr
SVWAVAWH
t$(E3
@SVWH
dcomp.dll
SetRestrictedErrorInfo
address not available
DWriteCreateFactory
Microsoft
VarFileInfo
Microsoft Corporation1)0'
Microsoft Corporation. All rights reserved.
_fmode
NtQueryWnfStateData
.data$brc
file exists
L$pH3
no such file or directory
L$PH3
D$8H!|$8D
message size
callContext
k8;D$8
89:u6
Shell IDList Array
operation_in_progress
H3E H3E
InternalName
.didat$2
@UVWAVAWH
q0;D$@
CreateWindowInBand
0A^_^][H
_dwInitialButtonState == 0
@A^_^][
.text$yd
malloc
CreateStreamOnHGlobal
t#E9V0t
/>
DropTargetName
SHTaskPoolAllowThreadReuse
win32u.dll
GetWindowLongPtrW
.data$r$brc
bad cast
_vsnwprintf
L!u0H
api-ms-win-core-profile-l1-1-0.dll
8A_A^A]A\_^][
api-ms-win-core-libraryloader-l1-2-0.dll
RtlUnsubscribeWnfNotificationWaitForCompletion
_get_current_locale
GetMessageW
DataFormat
host_unreachable
api-ms-win-core-localization-l1-2-0.dll
.rsrc$02
A9FPt
H9PHu
LcA<E3
_unlock
A9GPt
iostream
dropTargetDied
d2d1.dll
L$ A;
SetEvent
connection refused
read only file system
fD98t
AllowSetForegroundWindow
wrong protocol type
SleepConditionVariableSRW
7Rich
D$T9p
D;C(}6H
E8;E0u
_exit
D9C(}
CoCancelCall
version="6.0.0.0"
RiffAudio
en-US
F0D8#ukD8c
u D9J
api-ms-win-core-winrt-l1-1-0.dll
SetCapture
Local\SM0:%d:%d:%hs
address family not supported
RegGetValueW
operation would block
0A^_^
)|$ D
DspMetaFilePict
L$PE3
publicKeyToken="6595b64144ccf1df"
AcquireSRWLockExclusive
stream timeout
.imrsiv
EdpGetAppLockerUniqueAppIdentifier
.text$di
RoOriginateErrorW
api-ms-win-core-threadpool-legacy-l1-1-0.dll
api-ms-win-core-winrt-string-l1-1-0.dll
FormatMessageW
Legal_Policy_Statement
uBD9R
Windows.UI.ViewManagement.ApplicationViewTransferContext
originatingContextMessage
module
`A_A^A]A\_^]
api-ms-win-core-debug-l1-1-1.dll
%hs!%p:
@WAVAWH
protocol not supported
<security>
K SVWH
VWATAVAWH
H9{`v0H
SHTaskPoolQueueTask
LegalCopyright
f9,^u
CoUninitialize
AttachThreadInput
0A_A^A\_^
<!-- Copyright (c) Microsoft Corporation -->
D8"u3H
GetTopLevelWindow
bad message
9C$r9A
function
OEMText
A_A^A]A\_
EdpCheckAccessForContext
D$@fD
CoCreateFreeThreadedMarshaler
api-ms-win-core-synch-l1-2-1.dll
NtCreateCompositionInputSink
GetCurrentProcessId
"Microsoft Time Source Master Clock0
10.0.17763.1 (WinBuild.160101.0800)
D9&tZA
p WAVAWH
I0G1-0+
DeleteCriticalSection
api-ms-win-ntuser-sysparams-l1-1-0.dll
.rdata$zETW0
RaiseException
argument list too long
GetWindowLongW
ActivityStoppedAutomatically
EdpFreeContext
CreateThreadpoolTimer
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
host unreachable
<dependentAssembly>
RtlCaptureContext
L$8D9L$8t
`.imrsiv
K VWATAVAWH
.tls$ZZZ
RoGetAgileReference
Microsoft Corporation1
M0K0I
t^@8=Ts
CoCreateInstance
api-ms-win-core-file-l1-1-0.dll
minATL$__z
SetProcessDefaultLayout
network_reset
EdpGetContextForWindow
DuplicateHandle
InitOnceExecuteOnce
x ATAVAWH
io error
DelayLoadFailureHook
t{HcL$ HcD$$H
WaitForSingleObjectEx
.CRT$XLA
GetStringTypeW
@A_A^A]A\_^]
iostream stream error
L$0H3
[ UVWH
Fpcshell\shell\dataexchange\host\lib\dragdropargs.cpp
tMH!}8L
ShellHandled
DragDropSession
Microsoft Time-Stamp PCA 20100
0A^_]
GetSystemMetrics
operation canceled
pcshell\shell\dataexchange\host\exe\dataexchangehost.cpp
tSE;a rMA;Q$rGE;A(|AH
H!|$0H
CustomDragVisual
wilActivity
fD9<Bu
WilStaging_02
CompareFileTime
argument out of domain
.rdata$zzzdbg
_vsnprintf_s
f9,Ku
!E;` r
Message
processorArchitecture="*"
GetWindowThreadProcessId
{9F4C2855-9F79-4B39-A8D0-E1D42DE1D5F3} 5
bad file descriptor
WindowsDuplicateString
xmlns:asmv3="urn:schemas-microsoft-com:asm.v3"
IsErrorPropagationEnabled
WAVAWH
C @8}Wu
no such device or address
` UAVAWH
EdpRequestAccessForContext
.rdata
.CRT$XIA
CoResumeClassObjects
H9~8ti
??1type_info@@UEAA@XZ
@USWH
??0exception@@QEAA@XZ
api-ms-win-core-errorhandling-l1-1-0.dll
RtlNtStatusToDosError
@USVWH
CoTaskMemFree
111019184142Z
9C(|0H
D9L$`vHL
rMfD9?w
too many files open
GetDesktopWindow
ios_base::failbit set
QueryFullProcessImageNameW
api-ms-win-core-rtlsupport-l1-1-0.dll
DispatchMessageW
hA_A^A]A\_^][
api-ms-win-appmodel-runtime-l1-1-0.dll
\$XE3
minATL$__a
userEscaped
A_A^_
f#D$@H
connection_already_in_progress
address_in_use
.CRT$XIZ
Microsoft Corporation1200
Desktop
no lock available
L$ WH
H!1H;
D$$I;
generic
UnregisterClassW
xS9|$ptMH
api-ms-win-rtcore-ntuser-window-l1-1-0.dll
ActivityError
ResetEvent
x UAVAWH
Washington1
GetSidSubAuthority
abort
A;P$r
%Microsoft Windows Production PCA 20110
20180915082501Z
InitializeCriticalSectionEx
Microsoft.Windows.DataExchange.DragDrop
EncodePointer
FileDescription
!This program cannot be run in DOS mode.
%Microsoft Windows Production PCA 2011
TargetTimeOut
D$@H!\$@H
H9Ahs
Msg:[%ws]
A_A^A\
\$ UVWH
WaitForSingleObject
@A^_^
RtlInitUnicodeString
DestroyWindow
address in use
already connected
D$0H;
api-ms-win-core-shlwapi-legacy-l1-1-0.dll
r!BT~
minATL$__f
invalid_argument
api-ms-win-eventing-provider-l1-1-0.dll
WM_DISPLAYCHANGE
L$ UVWATAUAVAWH
#D$p;
api-ms-win-core-threadpool-l1-2-0.dll
api-ms-win-core-heap-l2-1-0.dll
\$ VWAVH
CoIncrementMTAUsage
x AUAVAWH
UWATAVAWH
OpenProcessToken
api-ms-win-core-processthreads-l1-1-0.dll
GetLocaleInfoW
CoFreeUnusedLibrariesEx
GetClassInfoExW
api-ms-win-rtcore-ntuser-clipboard-l1-1-0.dll
RtlSubscribeWnfStateChangeNotification
Redmond1
>http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0
@USVWATAVAWH
A8_8t
GetModuleFileNameA
PA_A^A\_^[]
DataExchangeHost
Microsoft Operations Puerto Rico1&0$
SystemParametersInfoW
ntdll.dll
no stream resources
owner dead
0A_A^A\
FindResourceExW
USER32.dll
GetCurrentThread
ukL9=
network unreachable
api-ms-win-core-sysinfo-l1-1-0.dll
WIN://SYSAPPID
10.0.17763.1
directory not empty
internal\sdk\inc\wil\Result.h
WakeAllConditionVariable
t"D8=
InitializeCriticalSection
Microsoft Time-Stamp PCA 2010
SetWindowLongPtrW
WaveAudio
L$hE3
api-ms-win-core-synch-l1-1-0.dll
memcpy
SetForegroundWindow
.idata$3
D$ fD
GetForegroundWindow
network reset
WindowsIsStringEmpty
L9{@u
OpenSemaphoreW
Software\Microsoft\Windows\CurrentVersion\DataExchange
261019185142Z0
Ehttp://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z
__wgetmainargs
ReleaseSRWLockExclusive
api-ms-win-core-psapi-l1-1-0.dll
(t$PL
file too large
invalid seek
r~akow
inputTimedOut
.didat$5
not a socket
FallbackError
HeapSetInformation
u$L97t
RtlLookupFunctionEntry
SetErrorMode
f9H\u
EnterCriticalSection
is a directory
.CRT$XCU
GetPackageFullName
DataInterchangeFormat
RtlDllShutdownInProgress
Segoe MDL2 Assets
\$ E3
D$(E3
9C rBA
PathIsFileSpecW
_errno
,q9jZn2DLxfsU6TnlgsN7yIYBEvDB1ZWvXFwg6rZ6fcU=0Z
api-ms-win-core-delayload-l1-1-1.dll
~0uUH
[%hs(%hs)]
QueryPerformanceCounter
RoReportFailedDelegate
message
no protocol option
originatingContextName
.?AVruntime_error@std@@
0A_A^_^]
9GPt(
threadId
string too long
"Microsoft Window
VK_ESCAPE in _OnPointerUpdate
??0bad_cast@@QEAA@PEBD@Z
89:u!
msvcrt.dll
CoGetCallContext
\$ UVWATAUAVAWH
StringFileInfo
dragSourceDied
L$(E3
%hs(%d) tid(%x) %08X %ws
oK0D$"<
memmove_s
oD$ f
no child process
.rdata$zETW9
api-ms-win-core-delayload-l1-1-0.dll
0A_A^A]A\_
</requestedPrivileges>
no buffer space
\$xf9
GetCurrentProcess
D95:<
api-ms-win-core-handle-l1-1-0.dll
<assembly
UVWAVAWH
(_^][
L$0E3
GetSysColor
H;{`r
T$`H;Q0t
__setusermatherr
DCompositionCreateDevice2
"d(dP
UATAUAVAWH
L$8H3
api-ms-win-core-atoms-l1-1-0.dll
HeapFree
invalid string position
A9@(|
already_connected
@A_A^A\_^
no message available
pcshell\shell\dataexchange\host\lib\shelldroptargetmediator.cpp
1http://www.microsoft.com/PKI/docs/CPS/default.htm0@
currentContextId
DataExchangeHost.exe
GetTickCount
fileName
A_A^A\_]
|GD!Z
T$PE3
NtQueryInformationToken
.text$mn
__uncaught_exception
%=*K<C
100701213655Z
broken pipe
not a stream
LocalFree
api-ms-win-rtcore-ntuser-private-l1-1-0.dll
pcshell\shell\dataexchange\host\lib\dragvisual.cpp
.CRT$XIY
L9o@t
.?AVResultException@wil@@
RoOriginateError
failureId
ios_base::badbit set
GlobalUnlock
EnableMultiDrag
TerminateProcess
L$@H3
PostMessageW
setlocale
</assembly>
u8D9R
minATL$__m
.didat$3
f9,Au
DragSourceName
protocol error
@$A9A
Translation
Cancelled
)t$ H
ScreenToClient
/>
)hYnv
l$\fD
XA^_][
api-ms-win-core-heap-obsolete-l1-1-0.dll
D9c r
<description>DataExchange Host</description>
VK_ESCAPE in _OnMouseInput
level="asInvoker"
___mb_cur_max_func
SUVWATAUAVAWH
EdpGetDataInfoFromDataObject
;t$hr
text file busy
operation_not_supported
B(A9A
MPx(H
.?AVexception@@
@UWAVH
A_A^A]
UWAVH
DecodePointer
MultiByteToWideChar
WilError_02
EventWriteTransfer
GetRestrictedErrorInfo
??_V@YAXPEAX@Z
GetClipboardFormatNameW
SetProcessMitigationPolicy
Microsoft Operations Puerto Rico1'0%
fD94Pu
A_A^A\
SendInput
Microsoft Windows0
EnhancedMetafile
bad_address
address_not_available
oL$0f
@VWAVH
onecore\shell\lib\calleridentity\calleridentity.cpp
CoDecrementMTAUsage
<requestedExecutionLevel
connection_reset
DragSourceUiContext
EventSetInformation
Ehttp://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl0Z
@8upt2H
fD9<Gu
Chttp://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl0a
RtlCompareUnicodeString
_7]9p
L$`H3
@8qxt
address_family_not_supported
Thales TSS ESN:31C5-30BA-7C911%0#
ProductVersion
@8~qt
H9yxu.H
??1bad_cast@@UEAA@XZ
D$@E3
.text$x
.?AVfailure@ios_base@std@@
R!s4Z
OutputDebugStringW
not_connected
_pcshell\shell\dataexchange\host\lib\edp.cpp
too many links
t$PE3
.didat$4
fD94^u
__CxxFrameHandler3
fD9#t
ReturnHr
.didat$6
connection_refused
_onexit
ShowWindow
manifestVersion="1.0"
.xdata$x
L$HH3
WATAWH
WindowsGetStringRawBuffer
activatibleClassId
H9;u#H
A^_^
.CRT$XIAA
Local\WinRtDragSynchronizationMutex
D9l$\v
GetModuleHandleW
RoTransformError
CoAddRefServerProcess
</dependency>
no_protocol_option
>
inappropriate io control operation
A_A^A\_^[]
failureType
api-ms-win-core-registry-l1-1-0.dll
timed out
L$PD9
Windows
8A^_^[
function not supported
api-ms-win-shcore-taskpool-l1-1-0.dll
H!~(H!~0H!~8H!~@3
IsDebuggerPresent
.CRT$XLZ
>http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
ZwQueryWnfStateData
EventActivityIdControl
.giats
iSHp6
hresult
kernelbase.dll
.rdata$zETW1
.rsrc
_ismbblead
DragWindow
D$0E3
Windows.Foundation.Diagnostics.AsyncCausalityTracer
??1exception@@UEAA@XZ
unH9A
invalid argument
SymbolicLink
connection reset
Palette
Apcshell\shell\dataexchange\host\lib\oleinteroptarget.cpp
T$PL;
permission denied
ReleaseCapture
DspText
no such device
RtlVirtualUnwind
_dwInitialButtonState != (dwKeyState & (MK_LBUTTON | MK_RBUTTON | MK_MBUTTON))
.idata$2
_wcmdln
api-ms-win-core-winrt-error-l1-1-0.dll
@8,1u
api-ms-win-core-debug-l1-1-0.dll
x AVH
connection aborted
L$@I+
.CRT$XCL
0A_A^_
??3@YAXPEAX@Z
CoDisableCallCancellation
1/0-0
WATAUAVAWH
fD9<Zu
pA_A^_^]
state not recoverable
RaiseFailFastException
OriginalFilename
illegal byte sequence
api-ms-win-core-processthreads-l1-1-1.dll
uiAccess="false"
A^_^[]
CoReleaseServerProcess
WindowsStringHasEmbeddedNull
SetTimer
fD9t]
uc8Y$t
$`2X`F
destination_address_required
20180916082501Z0w0=
.tls$
fD94Ou
fD94Cu
api-ms-win-security-base-l1-1-0.dll
DeviceIndependentBitmapV5
A_A^A]A\_
.CRT$XCA
.CRT$XCAA
L$0fD
.xdata
$Microsoft Ireland Operations Limited1
.gfids
8\$0u
GetAsyncKeyState
RoGetActivationFactory
E9V0u
B$A9A
ReleaseSRWLockShared
\$ UH
|$8H;
fD94Au
ImmersiveBrowser
onecoreuap\shell\dataexchange\common\lib\winrtexclusiontoken.cpp
A_A^A\_^[]
connection already in progress
___lc_handle_func
\$8E3
onecoreuap\shell\dataexchange\common\lib\edp.cpp
190726204550Z0p1
no message
Q8H!u8M
??0exception@@QEAA@AEBV0@@Z
D9yL|
SetThreadpoolTimer
RoActivateInstance
%hs(%d)\%hs!%p:
fD90t,
0A_A^A\_^[]
Operating System
CoRevokeClassObject
)t$`H
L9{0t#H
.00cfg
Data Exchange Host
N0L0J
T$8H!\$8
@.didat
UnhandledExceptionFilter
RoRevokeActivationFactories
GetModuleHandleExW
PenData
operation in progress
FailFast
UVWATAUAVAWH
EventUnregister
DefWindowProcW
H;K`H
NtUpdateWnfStateData
_cexit
internal\sdk\inc\wil\staging.h
@8=is
TaggedImageFileFormat
pA^A\_^]
L$8E3
AHH90t[L
fD9<Cu
T$0E3
CloseHandle
currentContextName
U0S0Q
v:fD;
http://www.microsoft.com/windows0
C9fD9?u-
@.reloc
RtlNtStatusToDosErrorNoTeb
@SUVWATAUAVAWH
UVWATAVH
OpenThreadToken
\$hH!D$PM
ATAVAWH
_free_locale
pA_A^A\_^[]
DWrite.dll
z.9Wv
CompanyName
isCancelled
7pcshell\shell\dataexchange\host\lib\olebroker.cpp
D$$E3
VS_VERSION_INFO
;|$`r
t$ WATAUAVAWH
_purecall
9~ tUH
@(A9A
LoadResource
GetLastError
GetCurrentThreadId
@A_A^_
@USVWATAUAVAWH
}0H+}(H
L$pI;
timed_out
_commode
D9K(t
failureCount
GetSystemTimeAsFileTime
api-ms-win-core-synch-l1-2-0.dll
x UATAUAVAWH
WaitForThreadpoolTimerCallbacks
A_A^_^]
LogHr
DeviceIndependentBitmap
filename too long
(|$@I
_amsg_exit
IsIconic
.CRT$XCZ
(t$`H
??0bad_cast@@QEAA@AEBV0@@Z
MetaFilePict
___lc_codepage_func
ImmersiveBroker
WM_POINTERROUTEDRELEASED
?terminate@@YAXXZ
@8sxt
u HcA<H
\$PH!D$(D
CoGetMalloc
(|$ D
20180915045710.041Z0
calloc
map/set<T> too long
currentContextMessage
CoRegisterClassObject
CheckRemoteDebuggerPresent
message_size
Exception
GetProcessHeap
Windows.Foundation.IAsyncOperation`1<Windows.ApplicationModel.DataTransfer.DataPackageOperation>
DragCanceled
Sleep
<dependency>
xM9\$XtGL
FileDrop
`A^_^[]
t;M;8u'H
SendMessageW
??0exception@@QEAA@AEBQEBDH@Z
Bitmap
Result
too_many_files_open
E9~ u=I
WindowsCompareStringOrdinal
no_buffer_space
SetUnhandledExceptionFilter
pA_A^A]A\_^]
.data
nCipher NTS ESN:57F6-C1E0-554C1+0)
network down
180823202626Z
pcshell\shell\dataexchange\host\lib\dragwindow.cpp
t$ UWATAVAWH
executable format error
GetUserDefaultUILanguage
GetPropW
DragVisualWindow
DataExchangeHost.pdb
device or resource busy
Fpcshell\shell\dataexchange\host\lib\dragdropbroker.cpp
api-ms-win-core-winrt-error-l1-1-1.dll
A_A^A]A\]
RtlFreeHeap
.text
K0;D$p@
InitOnceBeginInitialize
onecore\shell\lib\calleridentity\calleridentity_window.cpp
T$0H+
memset
value too large
[%hs]
oT$@f
unknown error
)Microsoft Root Certificate Authority 20100
result out of range
l$ WH
.rdata$brc
WindowsGetStringLen
H9_Hs<
ReleaseSemaphore
D9mgu
network_unreachable
originatingContextId
RoGetMatchingRestrictedErrorInfo
\$ UVWAVAWH
a0H9Yp
GetProcAddress
CreateEventExW
GlobalGetAtomNameW
pcshell\shell\dataexchange\host\lib\dragdropoperationinternal.cpp
bcpcshell\shell\dataexchange\host\lib\inputcapture.cpp
CoUnmarshalInterface
EdpGetEnterpriseIdForDataObject
lineNumber
RtlAllocateHeap
ProductName
ext-ms-win-edputil-policy-l1-1-0.dll

PE Information

Image Base 0x140000000
Entry Point 0x000257d0
Reported Checksum 0x000418cd
Actual Checksum 0x000418cd
Minimum OS Version 10.0
PDB Path DataExchangeHost.pdb
Compile Time 2066-05-18 03:09:27
Import Hash fc5227cf37437ac08b058f1016f70459

Version Infos

CompanyName Microsoft Corporation
FileDescription Data Exchange Host
FileVersion 10.0.17763.1 (WinBuild.160101.0800)
InternalName DataExchangeHost
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename DataExchangeHost.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.17763.1
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x000271ac 0x00027200 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.21
.imrsiv 0x00000000 0x00029000 0x00000004 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.00
.rdata 0x00027600 0x0002a000 0x0000e1be 0x0000e200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.87
.data 0x00035800 0x00039000 0x00000fc8 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.48
.pdata 0x00035c00 0x0003a000 0x00002004 0x00002200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.10
.didat 0x00037e00 0x0003d000 0x00000048 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.63
.rsrc 0x00038000 0x0003e000 0x00000908 0x00000a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.19
.reloc 0x00038a00 0x0003f000 0x00000874 0x00000a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.10

Overlay

Offset 0x00039400
Size 0x00002210

Name Offset Size Language Sub-language Entropy File type
MUI 0x0003e840 0x000000c8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.67 None
RT_VERSION 0x0003e488 0x000003b4 LANG_ENGLISH SUBLANG_ENGLISH_US 3.45 None
RT_MANIFEST 0x0003e0f0 0x00000394 LANG_ENGLISH SUBLANG_ENGLISH_US 4.83 None

Imports

Name Address
_commode 0x14002cde0
_fmode 0x14002cde8
_lock 0x14002cdf0
?terminate@@YAXXZ 0x14002cdf8
??1type_info@@UEAA@XZ 0x14002ce00
_unlock 0x14002ce08
_onexit 0x14002ce10
_wcmdln 0x14002ce18
__C_specific_handler 0x14002ce20
_initterm 0x14002ce28
__dllonexit 0x14002ce30
__setusermatherr 0x14002ce38
_cexit 0x14002ce40
_exit 0x14002ce48
exit 0x14002ce50
__set_app_type 0x14002ce58
__wgetmainargs 0x14002ce60
_amsg_exit 0x14002ce68
_XcptFilter 0x14002ce70
_purecall 0x14002ce78
??_V@YAXPEAX@Z 0x14002ce80
_vsnprintf_s 0x14002ce88
??0exception@@QEAA@AEBV0@@Z 0x14002ce90
??0exception@@QEAA@XZ 0x14002ce98
??1exception@@UEAA@XZ 0x14002cea0
??3@YAXPEAX@Z 0x14002cea8
__CxxFrameHandler3 0x14002ceb0
free 0x14002ceb8
?what@exception@@UEBAPEBDXZ 0x14002cec0
??0exception@@QEAA@AEBQEBD@Z 0x14002cec8
??0bad_cast@@QEAA@PEBD@Z 0x14002ced0
??0bad_cast@@QEAA@AEBV0@@Z 0x14002ced8
??1bad_cast@@UEAA@XZ 0x14002cee0
memmove_s 0x14002cee8
wcschr 0x14002cef0
malloc 0x14002cef8
_callnewh 0x14002cf00
??0exception@@QEAA@AEBQEBDH@Z 0x14002cf08
_CxxThrowException 0x14002cf10
memcpy 0x14002cf18
memmove 0x14002cf20
setlocale 0x14002cf28
__pctype_func 0x14002cf30
___lc_handle_func 0x14002cf38
___lc_codepage_func 0x14002cf40
calloc 0x14002cf48
___mb_cur_max_func 0x14002cf50
_errno 0x14002cf58
_ismbblead 0x14002cf60
memset 0x14002cf68
__uncaught_exception 0x14002cf70
abort 0x14002cf78
_wcsdup 0x14002cf80
__crtLCMapStringW 0x14002cf88
_get_current_locale 0x14002cf90
_free_locale 0x14002cf98
memcmp 0x14002cfa0
_vsnwprintf 0x14002cfa8
memcpy_s 0x14002cfb0
ceilf 0x14002cfb8
Name Address
GetModuleHandleW 0x14002c898
GetModuleHandleExW 0x14002c8a0
GetProcAddress 0x14002c8a8
GetModuleFileNameA 0x14002c8b0
LoadResource 0x14002c8b8
LockResource 0x14002c8c0
FindResourceExW 0x14002c8c8
Name Address
EnterCriticalSection 0x14002ca00
OpenSemaphoreW 0x14002ca08
WaitForSingleObjectEx 0x14002ca10
ReleaseMutex 0x14002ca18
InitializeCriticalSectionEx 0x14002ca20
CreateMutexExW 0x14002ca28
AcquireSRWLockShared 0x14002ca30
LeaveCriticalSection 0x14002ca38
ReleaseSRWLockExclusive 0x14002ca40
WaitForSingleObject 0x14002ca48
InitializeCriticalSection 0x14002ca50
SetEvent 0x14002ca58
AcquireSRWLockExclusive 0x14002ca60
ReleaseSemaphore 0x14002ca68
CreateEventExW 0x14002ca70
CreateSemaphoreExW 0x14002ca78
DeleteCriticalSection 0x14002ca80
ReleaseSRWLockShared 0x14002ca88
ResetEvent 0x14002ca90
CreateEventW 0x14002ca98
Name Address
HeapAlloc 0x14002c840
HeapSetInformation 0x14002c848
HeapFree 0x14002c850
GetProcessHeap 0x14002c858
Name Address
GetLastError 0x14002c7e0
RaiseException 0x14002c7e8
SetUnhandledExceptionFilter 0x14002c7f0
UnhandledExceptionFilter 0x14002c7f8
SetErrorMode 0x14002c800
SetLastError 0x14002c808
Name Address
GetCurrentProcess 0x14002c900
OpenProcessToken 0x14002c908
GetProcessId 0x14002c910
GetStartupInfoW 0x14002c918
GetCurrentThreadId 0x14002c920
GetCurrentProcessId 0x14002c928
GetCurrentThread 0x14002c930
OpenThreadToken 0x14002c938
TerminateProcess 0x14002c940
SetPriorityClass 0x14002c948
Name Address
GetLocaleInfoW 0x14002c8d8
FormatMessageW 0x14002c8e0
Name Address
OutputDebugStringW 0x14002c790
IsDebuggerPresent 0x14002c798
DebugBreak 0x14002c7a0
Name Address
DuplicateHandle 0x14002c828
CloseHandle 0x14002c830
Name Address
OpenProcess 0x14002c958
SetProcessMitigationPolicy 0x14002c960
GetProcessMitigationPolicy 0x14002c968
Name Address
CreateStreamOnHGlobal 0x14002c6a0
CoGetCallContext 0x14002c6a8
CoTaskMemAlloc 0x14002c6b0
CoReleaseMarshalData 0x14002c6b8
CoGetCallerTID 0x14002c6c0
CoMarshalInterface 0x14002c6c8
CoTaskMemRealloc 0x14002c6d0
CoUnmarshalInterface 0x14002c6d8
CoTaskMemFree 0x14002c6e0
CoGetMalloc 0x14002c6e8
CoEnableCallCancellation 0x14002c6f0
CoCancelCall 0x14002c6f8
CoResumeClassObjects 0x14002c700
CoRegisterClassObject 0x14002c708
CoRevokeClassObject 0x14002c710
CoAddRefServerProcess 0x14002c718
CoReleaseServerProcess 0x14002c720
CoCreateFreeThreadedMarshaler 0x14002c728
CoMarshalInterThreadInterfaceInStream 0x14002c730
CoUninitialize 0x14002c738
CoDecrementMTAUsage 0x14002c740
CoFreeUnusedLibrariesEx 0x14002c748
CoInitializeEx 0x14002c750
CoIncrementMTAUsage 0x14002c758
CoCreateInstance 0x14002c760
CoInitializeSecurity 0x14002c768
CoDisableCallCancellation 0x14002c770
Name Address
SetRestrictedErrorInfo 0x14002cb60
GetRestrictedErrorInfo 0x14002cb68
RoTransformError 0x14002cb70
RoOriginateError 0x14002cb78
RoOriginateErrorW 0x14002cb80
Name Address
EncodePointer 0x14002cb48
DecodePointer 0x14002cb50
Name Address
RoActivateInstance 0x14002cbb0
RoGetActivationFactory 0x14002cbb8
RoRevokeActivationFactories 0x14002cbc0
RoRegisterActivationFactories 0x14002cbc8
Name Address
LocalAlloc 0x14002c868
LocalFree 0x14002c870
Name Address
WakeAllConditionVariable 0x14002caa8
InitOnceBeginInitialize 0x14002cab0
InitOnceExecuteOnce 0x14002cab8
SleepConditionVariableSRW 0x14002cac0
InitOnceComplete 0x14002cac8
Sleep 0x14002cad0
Name Address
RtlLookupFunctionEntry 0x14002c9a8
RtlVirtualUnwind 0x14002c9b0
RtlCaptureContext 0x14002c9b8
Name Address
QueryPerformanceCounter 0x14002c978
Name Address
GetSystemTimeAsFileTime 0x14002caf0
GetTickCount 0x14002caf8
Name Address
GetTokenInformation 0x14002cd68
GetSidSubAuthority 0x14002cd70
Name Address
EventRegister 0x14002cc28
EventWriteTransfer 0x14002cc30
EventSetInformation 0x14002cc38
EventUnregister 0x14002cc40
EventActivityIdControl 0x14002cc48
Name Address
IsErrorPropagationEnabled 0x14002cb90
RoReportFailedDelegate 0x14002cb98
RoGetMatchingRestrictedErrorInfo 0x14002cba0
Name Address
SHTaskPoolAllowThreadReuse 0x14002cd80
SHTaskPoolQueueTask 0x14002cd88
Name Address
RoGetAgileReference 0x14002c780
Name Address
RegGetValueW 0x14002c998
Name Address
CompareFileTime 0x14002c818
Name Address
GetUserDefaultUILanguage 0x14002c8f0
Name Address
CreateTimerQueueTimer 0x14002cb30
DeleteTimerQueueTimer 0x14002cb38
Name Address
WaitForThreadpoolTimerCallbacks 0x14002cb08
CloseThreadpoolTimer 0x14002cb10
SetThreadpoolTimer 0x14002cb18
CreateThreadpoolTimer 0x14002cb20
Name Address
PathIsFileSpecW 0x14002c9c8
PathFindFileNameW 0x14002c9d0
Name Address
QueryFullProcessImageNameW 0x14002c988
Name Address
CheckRemoteDebuggerPresent 0x14002c7b0
Name Address
GlobalUnlock 0x14002c880
GlobalLock 0x14002c888
Name Address
WaitForMultipleObjects 0x14002cae0
Name Address
ZwQueryWnfStateData 0x14002cfc8
RtlNtStatusToDosError 0x14002cfd0
RtlCompareUnicodeString 0x14002cfd8
RtlFreeHeap 0x14002cfe0
NtQueryInformationToken 0x14002cfe8
RtlInitUnicodeString 0x14002cff0
RtlAllocateHeap 0x14002cff8
RtlNtStatusToDosErrorNoTeb 0x14002d000
Name Address
GetStringTypeW 0x14002c9e0
WideCharToMultiByte 0x14002c9e8
MultiByteToWideChar 0x14002c9f0
Name Address
GlobalGetAtomNameW 0x14002c690
Name Address
WindowFromPoint 0x14002cc90
GetWindowLongW 0x14002cc98
GetParent 0x14002cca0
GetWindowThreadProcessId 0x14002cca8
GetDesktopWindow 0x14002ccb0
AllowSetForegroundWindow 0x14002ccb8
ScreenToClient 0x14002ccc0
GetPropW 0x14002ccc8
ShowWindow 0x14002ccd0
SetForegroundWindow 0x14002ccd8
SendMessageW 0x14002cce0
UnregisterClassW 0x14002cce8
PostMessageW 0x14002ccf0
SetTimer 0x14002ccf8
GetMessageW 0x14002cd00
TranslateMessage 0x14002cd08
DispatchMessageW 0x14002cd10
GetClassInfoExW 0x14002cd18
RegisterClassExW 0x14002cd20
CreateWindowExW 0x14002cd28
SetWindowLongPtrW 0x14002cd30
GetWindowLongPtrW 0x14002cd38
DefWindowProcW 0x14002cd40
DestroyWindow 0x14002cd48
ClientToScreen 0x14002cd50
GetForegroundWindow 0x14002cd58
Name Address
GetSystemMetrics 0x14002cc58
SystemParametersInfoW 0x14002cc60
Name Address
CreateWindowInBand 0x14002cc80
Name Address
DWriteCreateFactory 0x14002c5e0
Name Address
GetClipboardFormatNameW 0x14002cc70
Name Address
GetPackageFullName 0x14002c680
Name Address
NtCreateCompositionInputSink 0x14002d010
Name Address
SendInput 0x14002c608
GetWindowDpiAwarenessContext 0x14002c610
GetTopLevelWindow 0x14002c620
IsIconic 0x14002c630
GetCapture 0x14002c638
SetCapture 0x14002c648
GetSysColor 0x14002c650
GetAsyncKeyState 0x14002c658
SetProcessDefaultLayout 0x14002c660
ReleaseCapture 0x14002c668
AttachThreadInput 0x14002c670
Name Address
D3D11CreateDevice 0x14002cdc0
Name Address
DCompositionCreateDevice2 0x14002cdd0
Name Address
ResolveDelayLoadedAPI 0x14002c7d0
Name Address
DelayLoadFailureHook 0x14002c7c0


Reports: JSON

Usage


Processing ( 11.51 seconds )

  • 10.902 ProcessMemory
  • 0.577 CAPE
  • 0.027 BehaviorAnalysis
  • 0.007 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.06 seconds )

  • 0.008 ransomware_files
  • 0.006 antiav_detectreg
  • 0.005 antianalysis_detectfile
  • 0.005 ransomware_extensions
  • 0.003 infostealer_ftp
  • 0.003 territorial_disputes_sigs
  • 0.003 ursnif_behavior
  • 0.002 antiav_detectfile
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 infostealer_bitcoin
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior

Reporting ( 0.01 seconds )

  • 0.006 CAPASummary
  • 0.001 JsonDump

Signatures

The PE file contains a PDB path
pdbpath: DataExchangeHost.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
Possible date expiration check, exits too soon after checking local time
process: DataExchangeHost.exe, PID 6716
The binary contains an unknown PE section name indicative of packing
unknown section: {'name': '.imrsiv', 'raw_address': '0x00000000', 'virtual_address': '0x00029000', 'virtual_size': '0x00000004', 'size_of_data': '0x00000000', 'characteristics': 'IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000080', 'entropy': '0.00'}
unknown section: {'name': '.didat', 'raw_address': '0x00037e00', 'virtual_address': '0x0003d000', 'virtual_size': '0x00000048', 'size_of_data': '0x00000200', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000040', 'entropy': '0.63'}
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 6716 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 59 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections
Binary compilation timestomping detected
anomaly: Compilation timestamp is in the future

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StateSeparation\RedirectionMap\Keys
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseActivationAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\DataExchangeHost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\DataExchangeHost.exe\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{C2E9756F-8155-4EAC-9ED5-0B690169D412}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{C2E9756F-8155-4EAC-9ED5-0B690169D412}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{C2E9756F-8155-4EAC-9ED5-0B690169D412}\AccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC07F1AC-9ADD-4DEF-93DF-6F755F2A88A1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC07F1AC-9ADD-4DEF-93DF-6F755F2A88A1}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC07F1AC-9ADD-4DEF-93DF-6F755F2A88A1}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC07F1AC-9ADD-4DEF-93DF-6F755F2A88A1}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC07F1AC-9ADD-4DEF-93DF-6F755F2A88A1}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC07F1AC-9ADD-4DEF-93DF-6F755F2A88A1}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC07F1AC-9ADD-4DEF-93DF-6F755F2A88A1}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseActivationAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\DataExchangeHost.exe\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{C2E9756F-8155-4EAC-9ED5-0B690169D412}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{C2E9756F-8155-4EAC-9ED5-0B690169D412}\AccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC07F1AC-9ADD-4DEF-93DF-6F755F2A88A1}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC07F1AC-9ADD-4DEF-93DF-6F755F2A88A1}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No TCP connections recorded.

No UDP connections recorded.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.