Analysis
| Category | Package | Started | Completed | Duration | Options | Log(s) |
|---|---|---|---|---|---|---|
| FILE | exe | 2025-06-13 05:36:37 | 2025-06-13 06:08:08 | 1891 seconds | Show Options | Show Analysis Log |
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1
2024-11-25 13:37:15,115 [root] INFO: Date set to: 20250612T19:18:01, timeout set to: 1800 2025-06-12 20:18:01,649 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8 2025-06-12 20:18:01,649 [root] DEBUG: Storing results at: C:\qDdlkFnGz 2025-06-12 20:18:01,649 [root] DEBUG: Pipe server name: \\.\PIPE\wXevDSJXBA 2025-06-12 20:18:01,649 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32 2025-06-12 20:18:01,649 [root] INFO: analysis running as an admin 2025-06-12 20:18:01,649 [root] INFO: analysis package specified: "exe" 2025-06-12 20:18:01,649 [root] DEBUG: importing analysis package module: "modules.packages.exe"... 2025-06-12 20:18:02,165 [root] DEBUG: imported analysis package "exe" 2025-06-12 20:18:02,165 [root] DEBUG: initializing analysis package "exe"... 2025-06-12 20:18:02,165 [lib.common.common] INFO: wrapping 2025-06-12 20:18:02,165 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation 2025-06-12 20:18:02,165 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\LsaIso.exe 2025-06-12 20:18:02,165 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option 2025-06-12 20:18:02,165 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option 2025-06-12 20:18:02,165 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option 2025-06-12 20:18:02,165 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option 2025-06-12 20:18:02,399 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser" 2025-06-12 20:18:02,446 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig" 2025-06-12 20:18:02,493 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise" 2025-06-12 20:18:02,493 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human" 2025-06-12 20:18:02,509 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops' 2025-06-12 20:18:02,509 [lib.api.screenshot] ERROR: No module named 'PIL' 2025-06-12 20:18:02,509 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots" 2025-06-12 20:18:02,509 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump" 2025-06-12 20:18:02,509 [root] DEBUG: Initialized auxiliary module "Browser" 2025-06-12 20:18:02,509 [root] DEBUG: attempting to configure 'Browser' from data 2025-06-12 20:18:02,509 [root] DEBUG: module Browser does not support data configuration, ignoring 2025-06-12 20:18:02,509 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"... 2025-06-12 20:18:02,509 [root] DEBUG: Started auxiliary module modules.auxiliary.browser 2025-06-12 20:18:02,509 [root] DEBUG: Initialized auxiliary module "DigiSig" 2025-06-12 20:18:02,525 [root] DEBUG: attempting to configure 'DigiSig' from data 2025-06-12 20:18:02,525 [root] DEBUG: module DigiSig does not support data configuration, ignoring 2025-06-12 20:18:02,525 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"... 2025-06-12 20:18:02,525 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature 2025-06-12 20:18:13,962 [modules.auxiliary.digisig] DEBUG: File has a valid signature 2025-06-12 20:18:13,962 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json 2025-06-12 20:18:13,962 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig 2025-06-12 20:18:13,962 [root] DEBUG: Initialized auxiliary module "Disguise" 2025-06-12 20:18:13,962 [root] DEBUG: attempting to configure 'Disguise' from data 2025-06-12 20:18:13,962 [root] DEBUG: module Disguise does not support data configuration, ignoring 2025-06-12 20:18:13,962 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"... 2025-06-12 20:18:13,962 [modules.auxiliary.disguise] INFO: Disguising GUID to 681fd063-b6e3-4307-92e0-097646af0c7f 2025-06-12 20:18:13,962 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise 2025-06-12 20:18:13,962 [root] DEBUG: Initialized auxiliary module "Human" 2025-06-12 20:18:13,962 [root] DEBUG: attempting to configure 'Human' from data 2025-06-12 20:18:13,962 [root] DEBUG: module Human does not support data configuration, ignoring 2025-06-12 20:18:13,962 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"... 2025-06-12 20:18:13,978 [root] DEBUG: Started auxiliary module modules.auxiliary.human 2025-06-12 20:18:13,978 [root] DEBUG: Initialized auxiliary module "Screenshots" 2025-06-12 20:18:13,978 [root] DEBUG: attempting to configure 'Screenshots' from data 2025-06-12 20:18:13,978 [root] DEBUG: module Screenshots does not support data configuration, ignoring 2025-06-12 20:18:13,978 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"... 2025-06-12 20:18:13,978 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled 2025-06-12 20:18:13,978 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots 2025-06-12 20:18:13,978 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets" 2025-06-12 20:18:13,978 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data 2025-06-12 20:18:13,978 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring 2025-06-12 20:18:13,978 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"... 2025-06-12 20:18:13,978 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696 2025-06-12 20:18:14,040 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini 2025-06-12 20:18:14,040 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor 2025-06-12 20:18:14,040 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor 2025-06-12 20:18:14,040 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor 2025-06-12 20:18:14,040 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor 2025-06-12 20:18:14,040 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor 2025-06-12 20:18:14,040 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor 2025-06-12 20:18:14,056 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\EeGlvdpK.dll, loader C:\tmp_gell1p8\bin\PoaYJsgW.exe 2025-06-12 20:18:14,134 [root] DEBUG: Loader: IAT patching disabled. 2025-06-12 20:18:14,134 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\EeGlvdpK.dll. 2025-06-12 20:18:14,181 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'. 2025-06-12 20:18:14,181 [root] INFO: Disabling sleep skipping. 2025-06-12 20:18:14,181 [root] DEBUG: 696: Full process memory dumps enabled. 2025-06-12 20:18:14,181 [root] DEBUG: 696: Import reconstruction of process dumps enabled. 2025-06-12 20:18:14,181 [root] DEBUG: 696: Active unpacking of payloads enabled 2025-06-12 20:18:14,181 [root] DEBUG: 696: CAPE debug - unrecognised key norefer. 2025-06-12 20:18:14,181 [root] DEBUG: 696: TLS secret dump mode enabled. 2025-06-12 20:18:14,181 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542 2025-06-12 20:18:14,197 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable 2025-06-12 20:18:14,197 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0 2025-06-12 20:18:14,197 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF822E30000, thread 2072, image base 0x00007FF60D500000, stack from 0x0000008EFACF4000-0x0000008EFAD00000 2025-06-12 20:18:14,197 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe 2025-06-12 20:18:14,212 [root] DEBUG: 696: Hooked 5 out of 5 functions 2025-06-12 20:18:14,212 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread. 2025-06-12 20:18:14,212 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\EeGlvdpK.dll. 2025-06-12 20:18:14,228 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe> 2025-06-12 20:18:1 <truncated>
Machine
| Name | Label | Manager | Started On | Shutdown On | Route |
|---|---|---|---|---|---|
| win10-2 | win10-2 | KVM | 2025-06-13 05:36:37 | 2025-06-13 06:07:48 | none |
File Details
| File Name |
LsaIso.exe
|
|---|---|
| File Type | PE32+ executable (GUI) x86-64, for MS Windows |
| File Size | 278416 bytes |
| MD5 | 287010f09b804d9df5a9f02a299472e7 |
| SHA1 | 972647c94db371477c351e3b75baab62d87d075f |
| SHA256 | 630d9c23ccdcb8f9d52e71383494f7182fc246f8bc2715d800b93e3212a4537c [VT] [MWDB] [Bazaar] |
| SHA3-384 | 9186ee73fa47d894f31546c33f41daa5ff495cbcabb6a1bf5062435939275c4d16b2a739f22e6478e7ab4c463e9fd434 |
| CRC32 | D3AFD7D6 |
| TLSH | T12A442779A2641CE9EE76917DA1929102E7B3B47E1391CFCB0030D2291F972E67E3D385 |
| Ssdeep | 6144:ZI6AanLZ8XwHmY1YhPLFPbE0z1PY9nXi:D9uJPbEaOJi |
| PE | File Strings BinGraph Vba2Graph VirusTotal |
!D$(D
NtlmIumGetCredentialKey
PA_A^A]A\_^]
Microsoft Corporation1.0,
ASN1BERDecU32Val
BCryptDestroyHash
@.data
KerbIumComputeTgsChecksum
LsaIsoIumDecrypt
GetTaggedData
MsvpPasswordValidate
LocalAlloc
.idata$6
Thales TSS ESN:AB41-4B27-F0261%0#
BCryptVerifySignature
BCryptIumVerifySignature
?what@exception@@UEBAPEBDXZ
.idata$4
ECDH_P384
H9=q2
BCryptIumImportKey
KerbIumBuildEncryptedAuthData
9U(uMH
D$`E3
api-ms-win-core-heap-l1-1-0.dll
U@uNH
6h*J^
.tPolicy
api-ms-win-eventing-obsolete-l1-1-0.dll
no such process
ReleaseMutex
9U(umH
f)x{F
NdrMesTypeEncode3
KerbIumUnpackKdcReplyBody
L$ SUVWH
KerbIumDHKeyAgreement::FinalizeKey
LsaIsoMgmtIumRpcInit
ASN1_FreeDecoded
__dllonexit
connection_aborted
identifier removed
t^@8=
H!t$
ASN1BERDecObjectIdentifier
ASN1DEREncCharString
9U(uuH
D$HE3
ASN1DEREncOctetString
CreateSemaphoreExW
NtCreateEvent
NtlmIumRpcInit
not supported
t|D86}PL
|hK,_
9U(uxH
CAPIDSAPRIVATEBLOB
??0exception@@QEAA@AEBQEBD@Z
u*9Q<|%
not_a_socket
operation not supported
9\$xu
cross device link
KerbClientShared.dll
BCryptSetProperty
bad_file_descriptor
PA^_^
RtlSetProcessIsCritical
PUBLICBLOB
FileVersion
no space on device
((HRESULT)0x80090027L)
L$hH3
H9=y8
KerbIumCreateApReqAuthenticator
KerbIumConvertCredManPasswordToKerbPassword
.?AVlength_error@std@@
__C_specific_handler
Microsoft Corporation1&0$
SVWAVH
p AWH
9U(uBH
ASN1BERDecS32Val
1(0&0
LSA_ISO_RPC_SERVER
TraceMessage
RSAPRIVATEBLOB
MSASN1.dll
network_down
KerbClientComputeTgsChecksum
memmove
epA_A^]
not a directory
t$p!t$TH!t$h!t$XH
(caller: %p)
t$ E3
no link
TlP0X
Microsoft Corporation1-0+
D87}^L
interrupted
$Microsoft Ireland Operations Limited1&0$
_callnewh
9U(u<H
NtlmIumRpcCleanup
RPCRT4.dll
bad address
KerbIumPackApReply
BCryptHash
250701214655Z0|1
__set_app_type
UAVAWH
A_A^_
|$ AVH
9U(u7H
memcpy_s
bad allocation
operation not permitted
D87}DL
H9=A/
KerbClientVerifyFastArmoredTgsReply
KerbClientBuildEncryptedAuthData
fD9;t
ASN1BERDecExplicitTag
.text$mn$00
api-ms-win-core-string-l1-1-0.dll
t$ WH
VWAVH
L$@H+
KerbClientIumRpcCleanup
SetLastError
onecore\ds\security\cryptoapi\ncrypt\ium\trustlet\bcryptiumrpcimpl.cxx
KerbIumSignPkcsMessage
.rsrc$01
CallContext:[%hs]
L$xH3
DebugBreak
PA_A^]
system
ASN1DEREncBitString
O0M0K
__ImagePolicyMetadata
ProvIumCheckMachineKey
040904B0
Microsoft Corporation
9U(uEH
H9=g!
A_A^A]A\_^[]
fD9,Qu
t$\H9
memcmp
KerbIumDestroyKeyAgreement
.rdata$zETW2
ASN1_CloseEncoder
MesEncodeIncrementalHandleCreate
AlgorithmName
KeyLength
ASN1BERDecOctetString
_XcptFilter
NtlmSharedInit
cqp1n
KerbClientVerifyFastArmoredKdcReply
180606185755Z
0A_A^A]A\]
A_A^A]
@USVWAVH
wrong_protocol_type
_lock
BCryptImportKey
Ehttp://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt0
mzuz^
too many symbolic link levels
not enough memory
9U(uOH
2.16.840.1.101.3.4.2.3
KerbClientBuildKeyList
NtlmIumCalculateNtResponse
:ISOBuH
HcA<H
.?AVbad_alloc@std@@
A_A^A]A\_^]
KerbClientSharedCleanup
EncryptData
BCryptIumEncrypt
CreateMutexExW
BCryptIumGenerateSymmetricKey
VirtualAlloc
2.16.840.1.101.3.4.2.2
Credential
L$XL+
A_A^]
EventRegister
BCryptIumImportKeyPair
KerbClientPackApReply
GetTraceEnableLevel
permission_denied
resource unavailable try again
_initterm
filename_too_long
KerbIumRpcInitStatus
.?AVlogic_error@std@@
_CxxThrowException
BCryptImportKeyPair
RpcMgmtWaitServerListen
.idata$5
cryptdll.dll
I_RpcMapWin32Status
.?AVout_of_range@std@@
9T$HuTH
HeapAlloc
9T$8u
NtlmSuppCred
191123202654Z0
resource deadlock would occur
not connected
BCryptIumGetProperty
9|$lt
9U(u;H
ValidatePkinitAuthenticator
protocol_not_supported
KerbIumAreEncryptionKeysEqual
too many files open in system
ASN1BERDecBitString
destination address required
NtlmIumLm20GetNtlm3ChallengeResponse
operation_would_block
WideCharToMultiByte
L$ SVWH
.pdata
GetTraceLoggerHandle
NtQuerySystemInformation
KerbIumBuildPasswordList
RtlTimeFieldsToTime
Microsoft
VarFileInfo
MsvpCompareCredentials
address not available
tsH9Z
fA9<Dt
z~&qA]H+
Microsoft Corporation. All rights reserved.
uPH9\$puIA9[
_fmode
NtlmIumMakeSecretPasswordNT5
.data$brc
file exists
.?AVexception@@
no such file or directory
L$PH3
message size
\LSA_ISO_READY_D
CDLocateCheckSum
operation_in_progress
H3E H3E
MOIBH
InternalName
ASN1BEREncExplicitTag
fA9<G
1.2.840.113549.1.1.11
MsvpLm20GetNtlm3ChallengeResponse
.text$yd
2.5.4.3
malloc
0A_A\_^]
V2CAPIDSAPRIVATEBLOB
NdrMesTypeAlignSize3
NtlmIumCompareCredentials
ASN1BERDecZeroCharString
ASN1_CreateDecoder
.data$r$brc
ECDH_P521
NtlmIumConvertCredManPasswordToSupplementalCredential
A^A]_^]
!t$0L
UUUUPERSISTEDUUU
LsaIso.pdb
_vsnwprintf
NtlmShared.dll
api-ms-win-core-profile-l1-1-0.dll
MesHandleFree
8A_A^A]A\_^][
api-ms-win-core-libraryloader-l1-2-0.dll
BCryptGenerateKeyPair
BCryptCloseAlgorithmProvider
9E'u$
host_unreachable
KerbIumCreateDHKeyAgreement
.rsrc$02
iumCryptMsgOpenToEncode
9T$Ht
api-ms-win-core-localization-l1-2-0.dll
PA_A^_^]
LcA<E3
_unlock
ncalrpc
iostream
@USVWAUAVAWH
RtlEqualUnicodeString
KerbDHGetLegacyDHParameters
connection refused
read only file system
MsvpDecryptDpapiMasterKey
wrong protocol type
_exit
LsaIsoRpcWaitFailure
!|$0H
CredManIumRpcInit
LsaIsoPassword
tsH;=u
CDLocateCSystem
UUUUUUUUffffffff LsaIso Memory
iumCryptEncodeObjectEx
Local\SM0:%d:%d:%hs
address family not supported
@.rsrc
BCryptDuplicateKey
operation would block
GetPkinitAuthenticator
GetSecureIdentitySigningKey
BCryptIumSignHash
L$PE3
BCryptGetProperty
ASN1octetstring_free
190529185755Z0p1
stream timeout
ASN1BEREncBool
6Ifa!]
.text$di
MesIncrementalHandleReset
A^A]]
KeyStrength
ePA^A]]
FormatMessageW
Legal_Policy_Statement
USVWAVAWH
.edata
ProvIumCreateMachineCertificateRequest
%hs!%p:
L$@fD
protocol not supported
IumpUnprotectCredential
K SVWH
NtlmIumPasswordValidateNetwork
NtlmFailure
LegalCopyright
KerbClientPackAsn1Buffer
BCryptKeyDerivation
ASN1BERDecSkip
IMSVA
bad message
BCryptOpenAlgorithmProvider
A_A^A]A\_
ASN1_CreateEncoder
10.0.17763.1 (WinBuild.160101.0800)
ASN1charstring_free
GetCurrentProcessId
L$XH3
p WAVAWH
GetSystemTime
I0G1-0+
VirtualQuery
.rdata$zETW0
IUMBASE.dll
argument list too long
host unreachable
RtlCaptureContext
RtlCompareMemory
9U(uUH
9T$ht"
BCryptIumOpenAlgorithmProvider
iumCryptMsgGetParam
M0K0I
t!&zc?/1
network_reset
tGD9-I
InitOnceExecuteOnce
io error
KerbClientIumRpcInit
9U(u!
NtlmSuccess
20180915013021.714Z0
t{HcL$ HcD$$H
NtlmIumUpdateSharedConfiguration
NtQuerySystemInformationFailure
e@A_A^A]_]
BCryptIumRpcInitStatus
WaitForSingleObjectEx
iostream stream error
,C3WZhjpxOGEgNtFUV/L8+455W7MdtoFeDQp5UIhUnRY=0Z
L$0H3
KerbClientVerifyFastArmoredKerbError
Microsoft Time-Stamp PCA 20100
DHPRIVATEBLOB
CreateSelfSignedCertificate
0A^_]
9\$0t
RpcServerUnregisterIf
@8>}DL
operation canceled
NtlmIumGetContext
KerbIumBuildFastArmoredKdcRequest
RtlTimeToTimeFields
9U(uyH
KerbIumVerifyServiceTicket
argument out of domain
.rdata$zzzdbg
_vsnprintf_s
f9,Ku
D8?}FL
BCryptIumSecretAgreement
bad file descriptor
Export Policy
WAVAWH
no such device or address
` UAVAWH
9\$`u
NtlmIumMakeOwfsFromIumSupplementalCredential
MsvpValidateSupplementalCredsBuffer
ASN1BERDecBool
.CRT$XIA
.rdata
BCryptIumCreateClaim
ASN1BERDecPeekTag
api-ms-win-core-errorhandling-l1-1-0.dll
BCryptIumImportKeyGeneric
RtlNtStatusToDosError
??0exception@@QEAA@XZ
??1type_info@@UEAA@XZ
ValidateDhParams
KerbClientUpdateSharedConfiguration
111019184142Z
ASN1_CloseDecoder
SetThreadStackGuarantee
too many files open
BCryptIumDeriveKey
|$(E3
H!\$HH
hA_A^A]A\_^][
QX>c>
LsaIsoExit
ASN1DecSetError
A_A^_
IsSecureProcess
1.3.132.0.35
ISOPROTECTEDBLOB
connection_already_in_progress
address_in_use
.CRT$XIZ
Microsoft Corporation1200
9U(usH
ASN1BEREncS32
1.3.132.0.34
BCryptFinishHash
no lock available
generic
SystemFunction011
9U(u3H
KerbIumUpdateSharedConfiguration
LsaIsoRpcServerListenFailure
iumCryptExportPublicKeyInfoFromBCryptKeyHandle
NtClose
x UAVAWH
x AWH
Washington1
RtlImageNtHeader
%Microsoft Windows Production PCA 20110
{8707a7ae-3c56-4f56-95de-b84467f507a2}
FileDescription
!This program cannot be run in DOS mode.
zRE}*
0A^A\_^]
ASN1_Encode
BCryptExportKey
%Microsoft Windows Production PCA 2011
20180915065459Z
Msg:[%ws]
\$ UVWH
WaitForSingleObject
SHA256
@A^_^
A_A^A]_^[]
ASN1BERDecOpenType2
RtlInitUnicodeString
D$ I;
LsaIsoStartup
D$xH!\$@
address in use
D$0H;
already connected
ValidateAuthPackBuffer
invalid_argument
api-ms-win-eventing-provider-l1-1-0.dll
tID9-
\$ VWAVH
Microsoft Corporation1
x AUAVAWH
UWATAVAWH
api-ms-win-core-processthreads-l1-1-0.dll
KerbIumFinalizeKeyAgreement
\LSA_ISO_READY
Microsoft.Windows.Security.BCryptIum
@A_A^]
KerbIumDecryptPacCredentials
Redmond1
>http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0
GetModuleFileNameA
RpcServerUseProtseqEpW
D$hH9
ValidateKey
KerbDHCreateBCryptKey
ntdll.dll
Status
no stream resources
A^_^[]
owner dead
RSAFULLPRIVATEBLOB
4UVE-G
BCryptGenerateSymmetricKey
GetSignedReport
network unreachable
api-ms-win-core-sysinfo-l1-1-0.dll
KerbClientUnpackKdcReplyBody
CAPIPRIVATEBLOB
directory not empty
10.0.17763.1
H"KerbECDHKeyAgreement::FinalizeKey
x UATAVH
LsaIsoBeginRpcWait
SignalLsaIsoReadyOpenEventFailed
MsvpMakeSecretPasswordNT5
RtlAvlRemoveNode
BCryptSecretAgreement
api-ms-win-core-synch-l1-1-0.dll
ASN1bitstring_free
memcpy
Microsoft Time-Stamp PCA 2010
.idata$3
D$ fD
network reset
9T$HtB
L9{@u
UVWATAWH
RtlDeleteCriticalSection
OpenSemaphoreW
261019185142Z0
Ehttp://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z
__wgetmainargs
Microsoft Time-Stamp service
BCryptIumDecrypt
file too large
invalid seek
@UAUAVH
r~akow
BCryptIumDestroySecret
ImportMachineKey
9T$ht+
KerbIumBuildAsReqAuthenticator
not a socket
RtlAvlInsertNodeEx
NdrServerCallAll
RtlLookupFunctionEntry
MsvpGMSACred
f9H\u
l$p@8i
is a directory
.CRT$XCU
internal\sdk\inc\wil\resource.h
9U(uFH
RtlDllShutdownInProgress
D$(E3
GetTraceEnableFlags
SystemFunction009
[%hs(%hs)]
QueryPerformanceCounter
no protocol option
NtlmIumProtectSspCredentialPassword
string too long
"Microsoft Window
KerbIumSignS4UPreauthData
ASN1intx_free
9U(uqH
d$ AWH
D$\Hc
KerbIumEncryptPassword
msvcrt.dll
StringFileInfo
%hs(%d) tid(%x) %08X %ws
oK0D$"<
no child process
BCryptIumCloseAlgorithmProvider
ASN1BEREncEndOfContents
.rdata$zETW9
no buffer space
ASN1BEREncOpenType
EncryptSupplementalCredentials
KerbIumRpcInit
9U(u?H
api-ms-win-core-handle-l1-1-0.dll
GetCurrentProcess
(u0U0
UVWAVAWH
(_^][
L$0E3
D$HH9
KeyDataBlob
__setusermatherr
H!t$0H
BCryptHashData
9O@t%L
UATAUAVAWH
D8d$IA
L$8H3
RpcExceptionFilter
HeapFree
invalid string position
UWATAUAVH
already_connected
no message available
Microsoft Primitive Provider
1http://www.microsoft.com/PKI/docs/CPS/default.htm0@
GetTickCount
ECCPUBLICBLOB
|$p@8y
KerbClientDecryptPacCredentials
fD92u,eH
Microsoft.Windows.Security.Ntlm
A_A^A\_]
MsvpPutClearOwfsInPrimaryCredential
Microsoft Time-Stamp service0
ASN1intx_setuint32
SignalLsaIsoReadySetEventFailed
9Heapu
NtLmAlterRtlEqualUnicodeString
L$@E3
KerbIumVerifyEncryptedChallengePaData
@A_A^A]
.text$mn
100701213655Z
!\$xH
broken pipe
not a stream
LocalFree
BCryptIumReleaseContext
ASN1DEREncGeneralizedTime
.CRT$XIY
L9o@t
.?AVResultException@wil@@
ASN1objectidentifier_free
!t$0H
TerminateProcess
LsaIsoIumEncrypt
iumCryptMsgUpdate
StckH
BCryptIsoKeyData
f9,Au
BCryptIumExportKey
protocol error
KerbClientAlloc
Translation
ISOLATED_KEY_ENVELOPE
BCryptIumCheckKey
A_A^A]A\_^]
BCryptIumKeyDerivation
Too many client requests for auth cookie
9U(uRH
MsvpCredentialToCachePasswords
api-ms-win-core-heap-obsolete-l1-1-0.dll
BCryptDecrypt
NtStatus
KerbIumCreateECDHKeyAgreement
ASN1ztcharstring_free
SUVWATAUAVAWH
BCryptIumSetProperty
H!EPH
RtlEnterCriticalSection
text file busy
KerbIumKeyAgreementGenerateNonce
CDGenerateRandomBits
operation_not_supported
KerbHashS4UPreauth
UWAVH
PRIVATEBLOB
NtlmIumCalculateUserSessionKeyNt
WilError_02
EventWriteTransfer
H9l$(t
` AUAVAWH
20180916065459Z0w0=
Microsoft Windows0
t/D9B
bad_address
address_not_available
MesDecodeBufferHandleCreate
api-ms-win-core-memory-l1-1-0.dll
9U(ulH
1.2.840.10045.3.1.7
connection_reset
EventSetInformation
Ehttp://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl0Z
T$@E3
LsaIsoDecryptAsymmetricKeyBlob
BCryptIumDestroyKey
CRYPTSP.dll
ASN1DecAlloc
9U(uPH
ASN1Free
Chttp://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl0a
t(H;{
ProductVersion
address_family_not_supported
ProvIumCreateMachineKey
NdrServerCall2
ExitCode
D$@E3
UWAUAVAWH
.text$x
R!s4Z
ProvIumCreateMachineSelfSignedCertificate
not_connected
OutputDebugStringW
BCryptSignHash
too many links
KerbDHGetSharedSecretFromCapiKeyBuffer
H9=T'
UnregisterTraceGuids
LsaIsoAsymmetricKeyBlob
ASN1BERDecGeneralizedTime
__CxxFrameHandler3
ASN1BERDecEndOfContents
9U(ueH
ReturnHr
connection_refused
_onexit
.xdata$x
L$HH3
KerbClientVerifyEncryptedChallengePaData
` UAUAVH
FinishKeyAgreementCreation
A^_^
D87}FL
.CRT$XIAA
kYpwW
KerbIumVerifyFastArmoredTgsReply
GetModuleHandleW
T$XE3
RpcServerListen
iOPpH
\LSA_ISO_DISABLE_CREDENTIAL_GUARD
no_protocol_option
2.16.840.1.101.3.4.2.1
H9]8}4H
.Zp]f
inappropriate io control operation
ASN1BEREncSX
L$ E3
D$(!t$ E3
timed out
KerbClientSharedInit
Windows
function not supported
8A^_^[
@A^_]
RpcStatus
IsDebuggerPresent
>http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
NdrMesTypeDecode3
A^A\]
.giats
kernelbase.dll
9L$Pu\H
.rdata$zETW1
KerbKdcReplyContainsTgt
D$0E3
A^A\_^]
SystemTimeToFileTime
invalid argument
ASN1_Decode
??1exception@@UEAA@XZ
@A_A^A\
connection reset
KerbClientFreeStoredCred
BCryptEncrypt
D87}EL
permission denied
no such device
RtlVirtualUnwind
.idata$2
@8,1u
KerbIumVerifyChecksum
|$ UH
x AVH
api-ms-win-core-debug-l1-1-0.dll
connection aborted
KerbIumHashS4UPreauth
0A_A^_
RegisterTraceGuidsA
??3@YAXPEAX@Z
!|$(H
WATAUAVAWH
RaiseFailFastException
state not recoverable
NtlmRootSecret
ASN1_FreeEncoded
1/0-0
MsvpDeriveSecureCredKey
OriginalFilename
illegal byte sequence
ASN1BERDecSXVal
ASN1_CreateModule
BCryptCreateHash
fD9t]
XA_A^_^[]
SystemFunction007
$`2X`F
BCryptIumPingTrustlet
destination_address_required
tCD9-q
MsvpUpdateSharedConfiguration
@UAVAWH
NtlmIumMakeOwfsFromIumEncryptedPassword
HeapH
RtlLengthSid
A_A^A]A\_
LsaIsoEncryptAsymmetricKeyBlob
KerbECDHKeyAgreement::ValidateKerbAuthPack
.CRT$XCA
L$0fD
LsaIso TraceLogging Provider
.CRT$XCAA
.xdata
$Microsoft Ireland Operations Limited1
.gfids
D$xH9
\$ UH
D$@fA
CAPIDHPRIVATEBLOB
A^A]A\_]
ASN1BERDecCharString
232770+4362250
9U(ucH
connection already in progress
NtlmIumIsGMSACred
no message
??0exception@@QEAA@AEBV0@@Z
%hs(%d)\%hs!%p:
Operating System
MesEncodeDynBufferHandleCreate
MesDecodeIncrementalHandleCreate
KerbDHGetLittleEndianPublicKey
LsaIsoInvalidArgumentsFailure
CreateThread
L9{0t#H
.00cfg
KerbPackKdcReplyWithEncryptedSessionKey
9T$htG
_wcsicmp
N0L0J
!|$0L
xefD;7t
T$8H!\$8
UnhandledExceptionFilter
GetModuleHandleExW
KerbClientFree
api-ms-win-eventing-classicprovider-l1-1-0.dll
RtlInitializeCriticalSection
operation in progress
FailFast
UVWATAUAVAWH
EventUnregister
NtlmIumPasswordValidateInteractive
gTJp6Dtc
525341310010000003000000000200000000000000000000010001f3d9a4dc78c4a06f086cd63b6e12d1e611e2dfba6690220490eadcc96f5c204218eca500de46922dd1bef85c39042091fc80f1fbc7197d291728801ebf7225a7075f5c99af719765051b3443815526533efb72262888a63f11305a86c1201d6de343569587b2c9c545276248379a4b063276bf7730c6f3e26a3ae08cb3e7918dcbca3fd4d4ebc897a49c7a346ec5cd8457192fbfac174a1437c48b9fd6d1b77f43c44604e6db235b744c1e7374e36a861f00699b1940bd5ae4db67ef8954fa6464e49fa73ac649719cdb9a508ba79080b475944fef90bdd957391dcb52383d96d4ba84375c168850a7a8bdeaba4dcedbfceb3bd20d39ef06a472c5daa669ebbed6efbad9c0ba6ae616e5ca95f28b89b5c330e8b8a49a91b1989ece16d9cfa480f4eab6d32c17bb8cfb339cff486107406d6dc62496433827c71f4cfa8ef1eb5efca98eb2fd497c1b2423b19e7dfb08e28a90a3afdf83fa8c7893c5ea88ac9a04e326dc2adf6e7f7805e80dad6eb4eca862a2a70cb013842d63d9fef855abf6af758105b1daafa6f4588ca4e7838687dfbb162d5c2514045686a7fd7c8c1a806d61516a92559bc7af26cf54872a4facbe4ee2bcfa5db92777eb542c7c3ccf465e795cde5f1d2b7701a240c604b4f9cfc907f06f90ee4b0a3b1894e7fdc0e81d4ff1b98d8b0720d112cb1318bce08f815873aa5c0dd15d269f4060c083fb2bd1df
0A_A^]
BCryptIumFinalizeKeyPair
_cexit
t\D8>}@L
KerbClientVerifyChecksum
CloseHandle
L$8E3
9U(u4H
U0S0Q
@8.}bL
NtlmIumDecryptDpapiMasterKey
t"D8=o
http://www.microsoft.com/windows0
-CredGuard
@.reloc
@SUVWATAUAVAWH
UVWATAVH
iumcrypt.dll
ATAVAWH
UVWAUAVH
KerbIumBuildExplicitArmorKey
z.9Wv
CompanyName
VirtualProtect
VS_VERSION_INFO
t$ WATAUAVAWH
_purecall
GetLastError
GetCurrentThreadId
@USVWATAUAVAWH
@A_A^_
_commode
timed_out
api-ms-win-core-synch-l1-2-0.dll
D9K(t
I![ 3
GetSystemTimeAsFileTime
yp^?U
x UATAUAVAWH
RpcServerRegisterIf
A_A^_^]
LogHr
Credential Guard & Key Guard
filename too long
_amsg_exit
KerbLookupCurveInfo
.CRT$XCZ
NtOpenEvent
?terminate@@YAXXZ
u HcA<H
!t$ E3
9U(uNH
AUAVAWH
D$8H!t$8H
BCryptGenRandom
9U(uIH
180823202654Z
|$ UAVAWH
Microsoft.Windows.Security.Kerberos
BCryptIumGetIdkSPub
KerbClientUnpackAsn1BufferVoid
message_size
Exception
KerbIumDecryptFastArmoredAsReply
GetProcessHeap
Jt)~!
iumCryptSignAndEncodeCertificate
Sleep
BCryptIumRpcInit
KerbClientDecryptApReply
KerbClientBuildAsReqAuthenticator
ASN1BERDecNotEndOfContents
NtSetEvent
??0exception@@QEAA@AEBQEBDH@Z
BCryptIumRpcCleanup
too_many_files_open
BCryptFinalizeKeyPair
BCryptDeriveKey
BCryptIumGetClientContext
no_buffer_space
L$pE3
SetUnhandledExceptionFilter
@UWAUAVAWH
|$p4w
KerbClientBuildFastArmoredKdcRequest
pA_A^A]A\_^]
.data
wcscmp
KerbIumBuildTicketArmorKey
ASN1BEREncObjectIdentifier
BCryptDestroyKey
network down
KerbIumDecryptApReply
t$ UWATAVAWH
executable format error
api-ms-win-core-timezone-l1-1-0.dll
KerbIumDecryptFastArmoredKerbError
@.tPolicy
device or resource busy
BCryptIumGenerateKeyPair
NtlmIumComparePasswordToProtectedPassword
A_A^A]A\]
D$ E3
.text
A_A^A]_]
GetTaggedDataSize
RtlFreeHeap
fD9,Gu
GetSystemInfo
ASN1BEREncU32
{ AVH
ASN1EncSetError
@UATAUAVAWH
DecryptData
LsaIso.exe
T$0H+
NtlmIumProtectCredential
memset
9U(uiH
`.rdata
value too large
QlP4\
[%hs]
unknown error
H95/~
NtlmStrongCredentialKey
RtlLeaveCriticalSection
)Microsoft Root Certificate Authority 20100
result out of range
ECCFULLPRIVATEBLOB
.rdata$brc
DSAPRIVATEBLOB
ECCPRIVATEBLOB
H9_Hs<
0A_A^A]
network_unreachable
@666[
D$@krb5H
0A_A^A\_]
ProvIumRpcInit
UUUUPERBOOTUUUUU
BCryptIumDuplicateKey
ReleaseSemaphore
)_% z
\$ UVWAVAWH
|$ UATAUAVAWH
GetProcAddress
D87}_L
?NtlmHash
KerbClientBuildExplicitArmorKey
9D$`u
KerbClientBuildTicketArmorKey
KerberosKey
bcrypt.dll
IumpProtectCredential
RtlAllocateHeap
ProductName
LsaIsoRpcRegistrationFailure
BCryptDestroySecret
ECDH_P256
PE Information
| Image Base | Entry Point | Reported Checksum | Actual Checksum | Minimum OS Version | PDB Path | Compile Time | Import Hash | Exported DLL Name |
|---|---|---|---|---|---|---|---|---|
| 0x140000000 | 0x0002a330 | 0x000513b3 | 0x000513b3 | 10.0 | LsaIso.pdb | 1980-03-05 00:29:32 | 45853e6ffd20db6061cf050c49216501 | LsaIso.exe |
Version Infos
| CompanyName | Microsoft Corporation |
|---|---|
| FileDescription | Credential Guard & Key Guard |
| FileVersion | 10.0.17763.1 (WinBuild.160101.0800) |
| InternalName | LsaIso.exe |
| LegalCopyright | รยฉ Microsoft Corporation. All rights reserved. |
| OriginalFilename | LsaIso.exe |
| ProductName | Microsoftรยฎ Windowsรยฎ Operating System |
| ProductVersion | 10.0.17763.1 |
| Translation | 0x0409 0x04b0 |
Sections
| Name | RAW Address | Virtual Address | Virtual Size | Size of Raw Data | Characteristics | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x00000400 | 0x00001000 | 0x0002a0cf | 0x0002a200 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.20 |
| .rdata | 0x0002a600 | 0x0002c000 | 0x00013180 | 0x00013200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.48 |
| .data | 0x0003d800 | 0x00040000 | 0x00001258 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 2.81 |
| .pdata | 0x0003dc00 | 0x00042000 | 0x00001a40 | 0x00001c00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.22 |
| .tPolicy | 0x0003f800 | 0x00044000 | 0x000004e0 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 3.89 |
| .rsrc | 0x0003fe00 | 0x00045000 | 0x00000408 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 2.44 |
| .reloc | 0x00040400 | 0x00046000 | 0x00000e94 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 5.28 |
Overlay
| Offset | 0x00041400 |
| Size | 0x00002b90 |
| Name | Offset | Size | Language | Sub-language | Entropy | File type |
|---|---|---|---|---|---|---|
| RT_VERSION | 0x00045060 | 0x000003a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.45 | None |
Imports
| Name | Address |
|---|---|
| _exit | 0x1400347f8 |
| _cexit | 0x140034800 |
| _commode | 0x140034808 |
| ?terminate@@YAXXZ | 0x140034810 |
| exit | 0x140034818 |
| __set_app_type | 0x140034820 |
| __wgetmainargs | 0x140034828 |
| __setusermatherr | 0x140034830 |
| _amsg_exit | 0x140034838 |
| _lock | 0x140034840 |
| _onexit | 0x140034848 |
| __dllonexit | 0x140034850 |
| _unlock | 0x140034858 |
| ??0exception@@QEAA@AEBV0@@Z | 0x140034860 |
| malloc | 0x140034868 |
| _callnewh | 0x140034870 |
| ??0exception@@QEAA@AEBQEBD@Z | 0x140034878 |
| ??0exception@@QEAA@AEBQEBDH@Z | 0x140034880 |
| ?what@exception@@UEBAPEBDXZ | 0x140034888 |
| _CxxThrowException | 0x140034890 |
| memcpy | 0x140034898 |
| memmove | 0x1400348a0 |
| ??1type_info@@UEAA@XZ | 0x1400348a8 |
| __C_specific_handler | 0x1400348b0 |
| memset | 0x1400348b8 |
| _fmode | 0x1400348c0 |
| memcmp | 0x1400348c8 |
| _XcptFilter | 0x1400348d0 |
| _wcsicmp | 0x1400348d8 |
| __CxxFrameHandler3 | 0x1400348e0 |
| _initterm | 0x1400348e8 |
| ??3@YAXPEAX@Z | 0x1400348f0 |
| _purecall | 0x1400348f8 |
| ??1exception@@UEAA@XZ | 0x140034900 |
| ??0exception@@QEAA@XZ | 0x140034908 |
| wcscmp | 0x140034910 |
| Name | Address |
|---|---|
| iumCryptMsgGetParam | 0x1400347c0 |
| iumCryptMsgOpenToEncode | 0x1400347c8 |
| iumCryptMsgUpdate | 0x1400347d0 |
| iumCryptEncodeObjectEx | 0x1400347d8 |
| iumCryptSignAndEncodeCertificate | 0x1400347e0 |
| iumCryptExportPublicKeyInfoFromBCryptKeyHandle | 0x1400347e8 |
| Name | Address |
|---|---|
| LocalFree | 0x140034508 |
| LocalAlloc | 0x140034510 |
| Name | Address |
|---|---|
| UnregisterTraceGuids | 0x140034660 |
| GetTraceEnableLevel | 0x140034668 |
| GetTraceEnableFlags | 0x140034670 |
| GetTraceLoggerHandle | 0x140034678 |
| TraceMessage | 0x140034680 |
| Name | Address |
|---|---|
| EventWriteTransfer | 0x1400346a0 |
| EventRegister | 0x1400346a8 |
| EventUnregister | 0x1400346b0 |
| EventSetInformation | 0x1400346b8 |
| Name | Address |
|---|---|
| RegisterTraceGuidsA | 0x140034690 |
| Name | Address |
|---|---|
| UnhandledExceptionFilter | 0x1400344b0 |
| SetLastError | 0x1400344b8 |
| SetUnhandledExceptionFilter | 0x1400344c0 |
| GetLastError | 0x1400344c8 |
| Name | Address |
|---|---|
| CloseHandle | 0x1400344d8 |
| Name | Address |
|---|---|
| GetModuleFileNameA | 0x140034520 |
| GetModuleHandleExW | 0x140034528 |
| GetProcAddress | 0x140034530 |
| GetModuleHandleW | 0x140034538 |
| Name | Address |
|---|---|
| SetThreadStackGuarantee | 0x140034578 |
| GetCurrentThreadId | 0x140034580 |
| GetCurrentProcess | 0x140034588 |
| GetCurrentProcessId | 0x140034590 |
| TerminateProcess | 0x140034598 |
| CreateThread | 0x1400345a0 |
| Name | Address |
|---|---|
| QueryPerformanceCounter | 0x1400345b0 |
| Name | Address |
|---|---|
| WaitForSingleObject | 0x1400345d0 |
| CreateMutexExW | 0x1400345d8 |
| OpenSemaphoreW | 0x1400345e0 |
| WaitForSingleObjectEx | 0x1400345e8 |
| ReleaseMutex | 0x1400345f0 |
| ReleaseSemaphore | 0x1400345f8 |
| CreateSemaphoreExW | 0x140034600 |
| Name | Address |
|---|---|
| InitOnceExecuteOnce | 0x140034610 |
| Sleep | 0x140034618 |
| Name | Address |
|---|---|
| GetSystemInfo | 0x140034628 |
| GetSystemTime | 0x140034630 |
| GetSystemTimeAsFileTime | 0x140034638 |
| GetTickCount | 0x140034640 |
| Name | Address |
|---|---|
| SystemTimeToFileTime | 0x140034650 |
| Name | Address |
|---|---|
| GetSecureIdentitySigningKey | 0x1400340c8 |
| IsSecureProcess | 0x1400340d0 |
| EncryptData | 0x1400340d8 |
| DecryptData | 0x1400340e0 |
| GetTaggedDataSize | 0x1400340e8 |
| GetTaggedData | 0x1400340f0 |
| GetSignedReport | 0x1400340f8 |
| Name | Address |
|---|---|
| RtlLengthSid | 0x140034920 |
| RtlTimeToTimeFields | 0x140034928 |
| RtlTimeFieldsToTime | 0x140034930 |
| RtlImageNtHeader | 0x140034938 |
| RtlCompareMemory | 0x140034940 |
| RtlAvlRemoveNode | 0x140034948 |
| RtlLeaveCriticalSection | 0x140034950 |
| RtlInitializeCriticalSection | 0x140034958 |
| RtlEnterCriticalSection | 0x140034960 |
| RtlEqualUnicodeString | 0x140034968 |
| RtlAvlInsertNodeEx | 0x140034970 |
| RtlDeleteCriticalSection | 0x140034978 |
| RtlNtStatusToDosError | 0x140034980 |
| _vsnprintf_s | 0x140034988 |
| memcpy_s | 0x140034990 |
| _vsnwprintf | 0x140034998 |
| RtlVirtualUnwind | 0x1400349a0 |
| RtlLookupFunctionEntry | 0x1400349a8 |
| RtlCaptureContext | 0x1400349b0 |
| RtlFreeHeap | 0x1400349b8 |
| NtSetEvent | 0x1400349c0 |
| NtCreateEvent | 0x1400349c8 |
| RtlSetProcessIsCritical | 0x1400349d0 |
| NtClose | 0x1400349d8 |
| RtlInitUnicodeString | 0x1400349e0 |
| NtOpenEvent | 0x1400349e8 |
| NtQuerySystemInformation | 0x1400349f0 |
| RtlAllocateHeap | 0x1400349f8 |
| Name | Address |
|---|---|
| RpcExceptionFilter | 0x1400343f8 |
| NdrMesTypeDecode3 | 0x140034400 |
| MesDecodeBufferHandleCreate | 0x140034408 |
| MesHandleFree | 0x140034410 |
| NdrMesTypeEncode3 | 0x140034418 |
| NdrMesTypeAlignSize3 | 0x140034420 |
| RpcServerUseProtseqEpW | 0x140034428 |
| RpcMgmtWaitServerListen | 0x140034430 |
| RpcServerListen | 0x140034438 |
| MesEncodeIncrementalHandleCreate | 0x140034440 |
| MesEncodeDynBufferHandleCreate | 0x140034448 |
| MesDecodeIncrementalHandleCreate | 0x140034450 |
| NdrServerCallAll | 0x140034458 |
| RpcServerUnregisterIf | 0x140034460 |
| RpcServerRegisterIf | 0x140034468 |
| NdrServerCall2 | 0x140034470 |
| I_RpcMapWin32Status | 0x140034478 |
| MesIncrementalHandleReset | 0x140034480 |
| Name | Address |
|---|---|
| BCryptFinalizeKeyPair | 0x1400346c8 |
| BCryptGenerateKeyPair | 0x1400346d0 |
| BCryptOpenAlgorithmProvider | 0x1400346d8 |
| BCryptExportKey | 0x1400346e0 |
| BCryptCloseAlgorithmProvider | 0x1400346e8 |
| BCryptCreateHash | 0x1400346f0 |
| BCryptHashData | 0x1400346f8 |
| BCryptDestroyHash | 0x140034700 |
| BCryptFinishHash | 0x140034708 |
| BCryptHash | 0x140034710 |
| BCryptGenerateSymmetricKey | 0x140034718 |
| BCryptSecretAgreement | 0x140034720 |
| BCryptSetProperty | 0x140034728 |
| BCryptSignHash | 0x140034730 |
| BCryptDestroySecret | 0x140034738 |
| BCryptDeriveKey | 0x140034740 |
| BCryptImportKey | 0x140034748 |
| BCryptDecrypt | 0x140034750 |
| BCryptDuplicateKey | 0x140034758 |
| BCryptVerifySignature | 0x140034760 |
| BCryptGetProperty | 0x140034768 |
| BCryptKeyDerivation | 0x140034770 |
| BCryptEncrypt | 0x140034778 |
| BCryptGenRandom | 0x140034780 |
| BCryptImportKeyPair | 0x140034788 |
| BCryptDestroyKey | 0x140034790 |
| Name | Address |
|---|---|
| CDLocateCSystem | 0x1400347a0 |
| CDGenerateRandomBits | 0x1400347a8 |
| CDLocateCheckSum | 0x1400347b0 |
| Name | Address |
|---|---|
| SystemFunction009 | 0x1400340a8 |
| SystemFunction007 | 0x1400340b0 |
| SystemFunction011 | 0x1400340b8 |
| Name | Address |
|---|---|
| DebugBreak | 0x140034490 |
| OutputDebugStringW | 0x140034498 |
| IsDebuggerPresent | 0x1400344a0 |
| Name | Address |
|---|---|
| HeapAlloc | 0x1400344e8 |
| GetProcessHeap | 0x1400344f0 |
| HeapFree | 0x1400344f8 |
| Name | Address |
|---|---|
| FormatMessageW | 0x140034548 |
| Name | Address |
|---|---|
| VirtualProtect | 0x140034558 |
| VirtualAlloc | 0x140034560 |
| VirtualQuery | 0x140034568 |
| Name | Address |
|---|---|
| WideCharToMultiByte | 0x1400345c0 |
Exports
| Name | Address | Ordinal |
|---|---|---|
| __ImagePolicyMetadata | 0x140044470 | 1 |
Usage
Processing ( 10.60 seconds )
- 10.119 ProcessMemory
- 0.472 CAPE
- 0.004 AnalysisInfo
- 0.001 BehaviorAnalysis
Signatures ( 0.05 seconds )
- 0.008 ransomware_files
- 0.005 antianalysis_detectfile
- 0.005 antiav_detectreg
- 0.005 ransomware_extensions
- 0.003 ursnif_behavior
- 0.002 antiav_detectfile
- 0.002 infostealer_ftp
- 0.002 infostealer_im
- 0.002 poullight_files
- 0.002 territorial_disputes_sigs
- 0.001 antianalysis_detectreg
- 0.001 antivm_vbox_files
- 0.001 antivm_vbox_keys
- 0.001 geodo_banking_trojan
- 0.001 browser_security
- 0.001 disables_backups
- 0.001 disables_browser_warn
- 0.001 disables_power_options
- 0.001 azorult_mutexes
- 0.001 infostealer_bitcoin
- 0.001 cryptbot_files
- 0.001 echelon_files
- 0.001 infostealer_mail
- 0.001 masquerade_process_name
- 0.001 revil_mutexes
- 0.001 modirat_behavior
Reporting ( 0.01 seconds )
- 0.004 CAPASummary
- 0.001 JsonDump
Signatures
The PE file contains a PDB path
pdbpath: LsaIso.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
The binary contains an unknown PE section name indicative of packing
unknown section: {'name': '.tPolicy', 'raw_address': '0x0003f800', 'virtual_address': '0x00044000', 'virtual_size': '0x000004e0', 'size_of_data': '0x00000600', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x40000040', 'entropy': '3.89'}
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 3116 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 59 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections
Screenshots
No screenshots available.Hosts
No hosts contacted.
DNS
No domains contacted.
Summary
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.
No hosts contacted.
No TCP connections recorded.
No UDP connections recorded.
No domains contacted.
HTTP Requests
No HTTP(s) requests performed.
SMTP traffic
No SMTP traffic performed.
IRC traffic
No IRC requests performed.
No ICMP traffic performed.
CIF Results
No CIF Results
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Suricata HTTP
No Suricata HTTP
Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.
Sorry! No process dumps.