Analysis

Category FILE
Package exe
Started 2025-06-13 19:36:26
Completed 2025-06-13 20:07:13
Duration 1847 seconds
Options procmemdump=1 import_reconstruction=1 unpacker=2 norefer=1 no-iat=1

Analysis Log
2024-11-25 13:37:14,803 [root] INFO: Date set to: 20250613T10:39:02, timeout set to: 1800
2025-06-13 11:39:02,057 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8
2025-06-13 11:39:02,057 [root] DEBUG: Storing results at: C:\uyHCokWh
2025-06-13 11:39:02,057 [root] DEBUG: Pipe server name: \\.\PIPE\IpEgLKC
2025-06-13 11:39:02,057 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-13 11:39:02,073 [root] INFO: analysis running as an admin
2025-06-13 11:39:02,089 [root] INFO: analysis package specified: "exe"
2025-06-13 11:39:02,089 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-13 11:39:03,136 [root] DEBUG: imported analysis package "exe"
2025-06-13 11:39:03,136 [root] DEBUG: initializing analysis package "exe"...
2025-06-13 11:39:03,136 [lib.common.common] INFO: wrapping
2025-06-13 11:39:03,136 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-13 11:39:03,136 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\PinningConfirmationDialog.exe
2025-06-13 11:39:03,136 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-13 11:39:03,136 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-13 11:39:03,136 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-13 11:39:03,136 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-13 11:39:03,307 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-13 11:39:03,323 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-13 11:39:03,432 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-13 11:39:03,448 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-13 11:39:03,448 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-13 11:39:03,448 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-13 11:39:03,448 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-13 11:39:03,464 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-13 11:39:03,464 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-13 11:39:03,464 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-13 11:39:03,464 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-13 11:39:03,464 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-13 11:39:03,464 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-13 11:39:03,464 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-13 11:39:03,464 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-13 11:39:03,464 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-13 11:39:03,464 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-13 11:39:03,464 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-13 11:39:03,682 [modules.auxiliary.digisig] DEBUG: File is not signed
2025-06-13 11:39:03,682 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-13 11:39:03,682 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-13 11:39:03,682 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-13 11:39:03,682 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-13 11:39:03,682 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-13 11:39:03,682 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-13 11:39:03,698 [modules.auxiliary.disguise] INFO: Disguising GUID to 88063f41-cb09-49fe-8433-82e8a31757b9
2025-06-13 11:39:03,698 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-13 11:39:03,698 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-13 11:39:03,698 [root] DEBUG: attempting to configure 'Human' from data
2025-06-13 11:39:03,698 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-13 11:39:03,698 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-13 11:39:03,698 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-13 11:39:03,698 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-13 11:39:03,698 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-13 11:39:03,698 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-13 11:39:03,698 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-13 11:39:03,698 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-13 11:39:03,698 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-13 11:39:03,698 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-13 11:39:03,698 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-13 11:39:03,698 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-13 11:39:03,698 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-13 11:39:03,698 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-13 11:39:03,729 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini
2025-06-13 11:39:03,729 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-13 11:39:03,729 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-13 11:39:03,729 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-13 11:39:03,729 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-13 11:39:03,729 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-13 11:39:03,729 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-13 11:39:03,729 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\pQxbIz.dll, loader C:\tmp_gell1p8\bin\EPCPTrhb.exe
2025-06-13 11:39:03,776 [root] DEBUG: Loader: IAT patching disabled.
2025-06-13 11:39:03,776 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\pQxbIz.dll.
2025-06-13 11:39:03,807 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-13 11:39:03,807 [root] INFO: Disabling sleep skipping.
2025-06-13 11:39:03,807 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-13 11:39:03,807 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-13 11:39:03,807 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-13 11:39:03,807 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-13 11:39:03,807 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-13 11:39:03,823 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-13 11:39:03,838 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-13 11:39:03,838 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-13 11:39:03,838 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 3972, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000
2025-06-13 11:39:03,838 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-13 11:39:03,854 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-13 11:39:03,854 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-13 11:39:03,854 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\pQxbIz.dll.
2025-06-13 11:39:03,854 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-13 11:39: <truncated>
Machine

Name win10-2
Label win10-2
Manager KVM
Started On 2025-06-13 19:36:26
Shutdown On 2025-06-13 20:06:50
Route none

File Details

File Name PinningConfirmationDialog.exe
File Type PE32+ executable (GUI) x86-64, for MS Windows
File Size 307712 bytes
MD5 5d137fe7a078a4a5bc82c86d005d1287
SHA1 0d0af21e7490a17b027347b10fa1586549768264
SHA256 28bca4d3873eb8ac2faa7ed5ef0629e7a7b13d984030a157479e0c0b0653ca67
SHA3-384 bfaa448b7d120ae19721a9d2e31dc1284d136885a275e802b66325a391ea9f66c82f501acfb5214fad327184f10ee0e9
CRC32 D49B4F6D
TLSH T1CA64072A2F5C4CD6E926617E4896C345F272B8500B61C7CB4274432FAF7B6F49D3A2B1
Ssdeep 6144:QZmtIPNLpMUCVXZ6iuqMTIzb9I2y7cTi2Pd5AN:o5pMUc0Rq/NyYTi2di

Strings

?EventSourceInitialize@Details@Platform@@YAXPEAPEAX@Z
.PE$AAVException@Platform@@
^1?]8
D9g0|
l$ VWATAVAWH
?__abi_WinRTraiseChangedStateException@@YAXXZ
l$ VWAVH
@.data
?EventSourceGetTargetArray@Details@Platform@@YAPEAXPEAXPEAUEventLock@12@@Z
t$@L;
D$HH!\$@H
.idata$6
?what@exception@@UEBAPEBDXZ
.idata$4
WindowsCreateStringReference
regex_error(error_collate): The expression contained an invalid collating element name.
api-ms-win-core-heap-l1-1-0.dll
??0OutOfMemoryException@Platform@@QE$AAA@XZ
(null Message)
;t$p|
ReleaseMutex
GetStartupInfoW
no such process
.PE$AAVNotImplementedException@Platform@@
PA^_^][
L$ SUVWH
`A_A^A]A\_^[
L$ Mc
__dllonexit
connection_aborted
identifier removed
D$HE3
H;0u'L
CreateSemaphoreExW
Ipvector<T> too long
G L;'u
regex_error(error_range): The expression contained an invalid character range, such as [b-a] in most encodings.
not supported
Windows.UI.Xaml.DependencyObject
wincorlib.DLL
??0exception@@QEAA@AEBQEBD@Z
.?AVbad_cast@@
u*9Q<|%
9\uJH
not_a_socket
operation not supported
api-ms-win-core-com-l1-1-0.dll
cross device link
.CRT$XCC
@SVWAVH
bad_file_descriptor
PinningConfirmationDialog.App
wcsrchr
t]fD9#tWH
__pctype_func
\$ UVWAVH
PA^_^
CHD1p
fD91t
FileVersion
no space on device
cY7.L
L$hH3
??0FailureException@Platform@@QE$AAA@PE$AAVString@1@@Z
.?AVlength_error@std@@
__C_specific_handler
SVWAVH
network_down
regex_error(error_brace): The expression contained mismatched { and }.
CA^_^]
memmove
?__abi_WinRTraiseNotImplementedException@@YAXXZ
?__abi_FailFast@@YAXXZ
0A_A^A]A\_^]
not a directory
9Ct|eD
?CreateValue@Details@Platform@@YAPE$AAVObject@2@W4TypeCode@2@PEBX@Z
t$HL+7I
(caller: %p)
std::exception: %hs
WindowsConcatString
no link
?__abi_WinRTraiseDisconnectedException@@YAXXZ
L$PH;
K]-u!
interrupted
strchr
)l-/sT>_
_callnewh
?EventSourceGetTargetArraySize@Details@Platform@@YAIPEAX@Z
bad address
lower
Windows.Foundation.IReference`1<SharedUtilities.LanguageFontType>
__set_app_type
pinningconfirmationdialog.exe
A_A^_
|$ AVH
memcpy_s
bad allocation
operation not permitted
IcV4E
.text$mn$00
api-ms-win-core-string-l1-1-0.dll
t$ WH
System.Enum
VWAVH
ms-appx:///MainPage.xaml
SetLastError
PA_A^A]A\_^[
.rsrc$01
CallContext:[%hs]
DebugBreak
?__abi_make_type_id@@YAPE$AAVType@Platform@@AEBU__abi_type_descriptor@@@Z
system
0A_A^_^[
040904B0
Microsoft Corporation
fD9,Qu
8XLu.H
pinningconfirmationdialog.pdb
?__abi_WinRTraiseInvalidCastException@@YAXXZ
Platform::Exception^: %ws
Windows.Foundation.IReferenceArray`1<String>
regex_error(error_space): There was insufficient memory to convert the expression into a finite state machine.
wcstol
_XcptFilter
.?AUIDisposable@Platform@@
Windows.Foundation.Collections.IIterator`1<Windows.UI.Xaml.Markup.IXamlMetadataProvider>
.u$H;3
wcslen
@USVWAVH
wrong_protocol_type
_lock
too many symbolic link levels
?ResolveWeakReference@Details@Platform@@YAPE$AAVObject@2@AEBU_GUID@@PEAPEAU__abi_IUnknown@@@Z
not enough memory
WindowsCreateString
WindowsDeleteString
AcquireSRWLockShared
|$0I;
HcA<H
__crtLCMapStringW
gH9QPtv8QLu.H
H9QPtc8QLu.H
RoReportUnhandledError
A_A^A]A\_^]
?__abi_WinRTraiseInvalidArgumentException@@YAXXZ
CoTaskMemAlloc
L9d$(t5L
@SUVWAVH
.?AVbad_alloc@std@@
CreateMutexExW
Windows.UI.Xaml.RoutedEventHandler
L$XL+
Windows.Foundation.Collections.IVectorChangedEventArgs
A_A^]
C$9C w"H
.?AUIWeakReferenceSource@Details@Platform@@
.?AU__I?$Array@PE$AAVString@Platform@@$00PublicNonVirtuals@Platform@@
Windows.UI.Xaml.Application
_wcsdup
api-ms-win-core-util-l1-1-0.dll
permission_denied
.data$r
resource unavailable try again
3YWu!
D9d$H}=L
@UVWH
D9d$H
A_A^_^]
_initterm
filename_too_long
.?AVlogic_error@std@@
_CxxThrowException
fF94@u
Windows.UI.Xaml.Controls.Page
.idata$5
.?AVout_of_range@std@@
LeaveCriticalSection
HeapAlloc
A_A^A\_^
resource deadlock would occur
not connected
.CRT$XIYA
protocol_not_supported
DllGetActivationFactory
minATL$__r
too many files open in system
f9)uBH
0A__^
destination address required
Windows.Foundation.Uri
ti;Q(s^
operation_would_block
WideCharToMultiByte
L$ SVWH
.pdata
D9l$@}'H
SVWAVAWH
@SVWH
A_A^_^[
td@85o
VWAUAVAWH
address not available
SetRestrictedErrorInfo
Microsoft
VarFileInfo
Microsoft Corporation. All rights reserved.
_fmode
?EventSourceRemove@Details@Platform@@YAXPEAPEAXPEAUEventLock@12@VEventRegistrationToken@Foundation@Windows@@@Z
.?AVexception@@
L$ Lc
file exists
no such file or directory
L$PH3
message size
_acmdln
tMfD91u@H
operation_in_progress
H3E H3E
InternalName
?EventSourceAdd@Details@Platform@@YA?AVEventRegistrationToken@Foundation@Windows@@PEAPEAXPEAUEventLock@12@PE$AAVDelegate@2@@Z
?CreateException@Exception@Platform@@SAPE$AAV12@HPE$AAVString@2@@Z
@A^_^][
.text$yd
malloc
9\u<H
TUUUUUU
()$^.*+?[]|\-{},:=!
bad cast
_vsnwprintf
.CRT$XIYB
api-ms-win-core-profile-l1-1-0.dll
api-ms-win-core-libraryloader-l1-2-0.dll
D9z4u
_get_current_locale
?AlignedFree@Heap@Details@Platform@@SAXPEAX@Z
host_unreachable
api-ms-win-core-localization-l1-2-0.dll
.rsrc$02
regex_error(error_stack): There was insufficient memory to determine whether the regular expression could match the specified character sequence.
PA_A^_^]
LcA<E3
_unlock
iostream
connection refused
read only file system
.PE$AAVFailureException@Platform@@
wrong protocol type
_exit
(t$0H
Local\SM0:%d:%d:%hs
XamlTypeInfo.InfoProvider.XamlTypeInfoProvider
|$0I9
@.rsrc
H98u2H
address family not supported
operation would block
0A^_^
L$PE3
^|H;N
AcquireSRWLockExclusive
stream timeout
.text$di
58_Lu
T$(L+)3
?GetActivationFactory@Details@Platform@@YAJPEAVModuleBase@1WRL@Microsoft@@PEAUHSTRING__@@PEAPEAUIActivationFactory@@@Z
api-ms-win-core-winrt-string-l1-1-0.dll
FormatMessageW
|=HcF
.edata
?UninitializeData@Details@Platform@@YAXH@Z
regex_error(error_complexity): The complexity of an attempted match against a regular expression exceeded a pre-set level.
?__abi_WinRTraiseClassNotRegisteredException@@YAXXZ
%hs!%p:
.PE$AAVInvalidArgumentException@Platform@@
@WAVAWH
protocol not supported
Platform.?$WriteOnlyArray@PE$AAUIXamlMetadataProvider@Markup@Xaml@UI@Windows@@$00
K SVWH
VWATAVAWH
Windows.Foundation.IReference`1<Double>
E6T:X
LegalCopyright
0A_A^A\_^
D8"u3H
bad message
L$(H3
A_A^A]A\_
)l-/L
t$PfD
CoCreateFreeThreadedMarshaler
xdigit
10.0.17763.1 (WinBuild.160101.0800)
GetCurrentProcessId
@8yxt
L$XH3
D9&tZA
uc8X$t
SharedUtilities.LocalizationService
DeleteCriticalSection
9\uCH
??0InvalidArgumentException@Platform@@QE$AAA@XZ
@8y@t
argument list too long
SharedUtilities.LanguageFontType
host unreachable
L$ Hc
RtlCaptureContext
PinningConfirmationDialogText
.?AU__I?$WriteOnlyArray@PE$AAVString@Platform@@$00PublicNonVirtuals@Platform@@
?GetIidsFn@@YAJHPEAKPEBU__s_GUID@@PEAPEAVGuid@Platform@@@Z
minATL$__z
?__abi_WinRTraiseAccessDeniedException@@YAXXZ
network_reset
L$(M;
x ATAVAWH
regex_error(error_syntax)
io error
.?AUIValueType@Platform@@
t{HcL$ HcD$$H
@8yht
WaitForSingleObjectEx
D$HH;
regex_error
??0ChangedStateException@Platform@@QE$AAA@XZ
iostream stream error
GetStringTypeW
.PE$AAUIDisposable@Platform@@
L$0H3
9\u=H
.?AV?$Module@$04VInProcModule@Details@Platform@@@WRL@Microsoft@@
alpha
operation canceled
Windows.UI.Xaml.Window
argument out of domain
.rdata$zzzdbg
_vsnprintf_s
.rdata$r
f9,Ku
`A^_^
??0Object@Platform@@QE$AAA@XZ
$L;0u*H
.?AVInProcModule@Details@Platform@@
bad file descriptor
WindowsDuplicateString
regex_error(error_paren): The expression contained mismatched ( and ).
WAVAWH
:\u:L
no such device or address
realloc
.CRT$XIA
.rdata
FontSize
api-ms-win-core-errorhandling-l1-1-0.dll
??0exception@@QEAA@XZ
??1type_info@@UEAA@XZ
CoTaskMemFree
CT$8L
9{tu"
too many files open
api-ms-win-core-rtlsupport-l1-1-0.dll
hA_A^A]A\_^][
D;{ }*E
minATL$__a
A_A^_
f#D$@H
connection_already_in_progress
address_in_use
.CRT$XIZ
?GetWeakReference@Details@Platform@@YAPEAU__abi_IUnknown@@QE$ADVObject@2@@Z
tGf9)u;H
wcsstr
no lock available
generic
?GetCmdArguments@Details@Platform@@YAPEAPEA_WPEAH@Z
D$$I;
d$HfD
:cY7.u!
??BType@Platform@@SA?AVTypeName@Interop@Xaml@UI@Windows@@PE$AAV01@@Z
.?AVinvalid_argument@std@@
x UAVAWH
abort
regex_error(error_backref): The expression contained an invalid back reference.
CH}#6%
?__abi_WinRTraiseNullReferenceException@@YAXXZ
InitializeCriticalSectionEx
EncodePointer
FileDescription
!This program cannot be run in DOS mode.
Msg:[%ws]
fHD9gHL
A_A^A\
\$ UVWH
WaitForSingleObject
?__abi_WinRTraiseFailureException@@YAXXZ
@A^_^
galnum
PinningConfirmationDialog.__MainPageActivationFactory
address in use
already connected
D$0H;
invalid_argument
?ReCreateFromException@Details@Platform@@YAJPE$AAVException@2@@Z
?GetIBoxArrayVtable@Details@Platform@@YAPEAXPEAX@Z
\$ VWAVH
api-ms-win-core-processthreads-l1-1-0.dll
UWATAVAWH
.PE$AAVNullReferenceException@Platform@@
@USVWATAVAWH
GetModuleFileNameA
PA_A^A\_^[]
?__abi_WinRTraiseWrongThreadException@@YAXXZ
ntdll.dll
no stream resources
A^_^[]
SVWATAUAVAWH
owner dead
0A_A^A\
print
network unreachable
api-ms-win-core-sysinfo-l1-1-0.dll
10.0.17763.1
UINotificationHeading
directory not empty
InitializeCriticalSection
__crtCompareStringW
A_A^A\_^
api-ms-win-core-synch-l1-1-0.dll
regex_error(error_badrepeat): One of *?+{ was not preceded by a valid regular expression.
memcpy
.idata$3
?GetIBoxVtable@Details@Platform@@YAPEAXPEAX@Z
D$ fD
network reset
WindowsIsStringEmpty
L9{@u
OpenSemaphoreW
A_A^A]_^
t6D8l$
Lcg8E;e8
ReleaseSRWLockExclusive
?GetActivationFactoryByPCWSTR@@YAJPEAXAEAVGuid@Platform@@PEAPEAX@Z
file too large
invalid seek
not a socket
{xauQ
D9d$H}7L
t>y&H
RtlLookupFunctionEntry
f9H\u
EnterCriticalSection
is a directory
|$ HcN
.CRT$XCU
___lc_collate_cp_func
System.ValueType
RtlDllShutdownInProgress
HcO0H
.8SLu
_errno
[%hs(%hs)]
punct
QueryPerformanceCounter
.PE$AAUIEquatable@Details@Platform@@
no protocol option
regex_error(error_ctype): The expression contained an invalid character class name.
.?AVruntime_error@std@@
??0FailureException@Platform@@QE$AAA@XZ
bad locale name
t$0E3
string too long
.PE$AAVChangedStateException@Platform@@
upper
??0bad_cast@@QEAA@PEBD@Z
GtH;O
graph
msvcrt.dll
f9<^u
StringFileInfo
%hs(%d) tid(%x) %08X %ws
no child process
Windows.Foundation.IReferenceArray`1<Windows.UI.Xaml.Markup.XmlnsDefinition>
D9d$H}lH
no buffer space
GetCurrentProcess
api-ms-win-core-handle-l1-1-0.dll
UVWAVAWH
(_^][
D$HH9
D;} }XI
__setusermatherr
?get@FullName@Type@Platform@@QE$AAAPE$AAVString@3@XZ
L$8H3
@8ypt
.?AVModuleBase@Details@WRL@Microsoft@@
HeapFree
invalid string position
L$PfD
9\u5L
already_connected
no message available
??0OutOfBoundsException@Platform@@QE$AAA@XZ
GetTickCount
A_A^A\_]
T$PE3
fA96u
v(A;]4|
:\u5L
.text$mn
?GetTypeCode@Type@Platform@@SA?AW4TypeCode@2@PE$AAV12@@Z
broken pipe
D$XE3
not a stream
vector<bool> too long
;M$|DI
\$@L+
DllCanUnloadNow
.CRT$XIY
A^A]A\_^
L9o@t
.?AVResultException@wil@@
RoOriginateError
TerminateProcess
L$@H3
9t$p~;H
setlocale
minATL$__m
Windows.UI.Xaml.ApplicationInitializationCallback
f9,Au
protocol error
Hc_4A;]4}CH
Translation
?EventSourceUninitialize@Details@Platform@@YAXPEAPEAX@Z
Windows.Foundation.Collections.IVectorView`1<Windows.UI.Xaml.Markup.IXamlMetadataProvider>
A_A^A]A\_^]
___mb_cur_max_func
HcF$M
tH9XPu
text file busy
\$ A;
d:\os\public\amd64fre\internal\sdk\inc\wil\resource.h
Object
operation_not_supported
PinningConfirmationDialog.pinningconfirmationdialog_XamlTypeInfo.XamlMetaDataProvider
UWAVH
regex_error(error_parse)
DecodePointer
E9w ~/L
WilError_02
MultiByteToWideChar
.?AV?$Array@PE$AAVString@Platform@@$00@Platform@@
?get@Message@Exception@Platform@@QE$AAAPE$AAVString@3@XZ
\$hI;
(t$pI
bad_address
address_not_available
?InitializeData@Details@Platform@@YAJH@Z
@VWAVH
connection_reset
??0NotImplementedException@Platform@@QE$AAA@XZ
fD94X
L$`H3
ProductVersion
address_family_not_supported
??1bad_cast@@UEAA@XZ
D$@E3
UWAUAVAWH
.text$x
?__abi_WinRTraiseObjectDisposedException@@YAXXZ
@A_A^_^[
OutputDebugStringW
not_connected
CtH;K
too many links
.PE$AAVOutOfMemoryException@Platform@@
?__abi_WinRTraiseCOMException@@YAXJ@Z
stoi argument out of range
tHfD91u;H
@SVWAVAWH
.?AU?$IBoxArray@PE$AAVString@Platform@@@Platform@@
?__abi_WinRTraiseOutOfMemoryException@@YAXXZ
regex_error(error_badbrace): The expression contained an invalid range in a { expression }.
__CxxFrameHandler3
PinningConfirmationDialog.MainPage
ReturnHr
connection_refused
_onexit
blank
Windows.Foundation.Collections.IObservableVector`1<Windows.UI.Xaml.Markup.IXamlMetadataProvider>
.xdata$x
L$HH3
WindowsGetStringRawBuffer
A^_^
.CRT$XIAA
H;}PH
GetModuleHandleW
no_protocol_option
inappropriate io control operation
A_A^A\_^[]
Failed to create initial page
L$ E3
` AVH
timed out
Windows
function not supported
8A^_^[
.?AVregex_error@std@@
IsDebuggerPresent
space
tAy&H
.giats
HA_A^A]A\_^][
`A_A^A\_^
kernelbase.dll
_ismbblead
?Free@Heap@Details@Platform@@SAXPEAX@Z
??0DisconnectedException@Platform@@QE$AAA@XZ
L$PH+
8A_A^_^][
??1exception@@UEAA@XZ
invalid argument
??0NullReferenceException@Platform@@QE$AAA@XZ
A^_^[
connection reset
permission denied
no such device
RtlVirtualUnwind
.idata$2
HcGHH
A_A^A\_^][
api-ms-win-core-winrt-error-l1-1-0.dll
@8,1u
??0Delegate@Platform@@QE$AAA@XZ
api-ms-win-core-debug-l1-1-0.dll
x AVH
connection aborted
.CRT$XCL
Windows.ApplicationModel.Resources.ResourceLoader
??3@YAXPEAX@Z
@SUVWATAVAWH
.?AVObject@Platform@@
OriginalFilename
WATAUAVAWH
VWATAUAVH
SUVWH
state not recoverable
RaiseFailFastException
.?AU__abi_Module@@
illegal byte sequence
fD9t]
regex_error(error_escape): The expression contained an invalid escaped character, or a trailing escape.
Double
destination_address_required
.?AU__abi_IUnknown@@
.?AV?$WriteOnlyArray@PE$AAVString@Platform@@$00@Platform@@
tvA;_(siI
.PE$AAUIPrintable@Details@Platform@@
?AllocateException@Heap@Details@Platform@@SAPEAX_K0@Z
A_A^A]A\_
.CRT$XCA
.CRT$XCAA
L$0fD
.xdata
?Allocate@Heap@Details@Platform@@SAPEAX_K0@Z
.PEAX
Windows.UI.Xaml.Controls.Frame
.gfids
Platform.?$WriteOnlyArray@PE$AAVString@Platform@@$00
Windows.Foundation.PropertyValue
.PE$AAVCOMException@Platform@@
ReleaseSRWLockShared
\$ UH
D$xH!D$0L
Windows.UI.Xaml.Controls.UserControl
Windows.UI.Xaml.Markup.IXamlType2
t$@H!t$0L
connection already in progress
___lc_handle_func
\$8E3
no message
??0exception@@QEAA@AEBV0@@Z
%hs(%d)\%hs!%p:
Operating System
L9{0t#H
.00cfg
?__abi_ObjectToString@__abi_details@@YAPE$AAVString@Platform@@PE$AAVObject@3@_N@Z
T$8H!\$8
UnhandledExceptionFilter
^\s+|\s*,\s*|\s+$
GetModuleHandleExW
9\u5H
operation in progress
FailFast
UVWATAUAVAWH
_cexit
UITitle
CloseHandle
L$8E3
;cY7.u'
t>y#H
@.reloc
@VWAWH
@SUVWATAUAVAWH
_free_locale
{|?uXH
H;}`H
CompanyName
VS_VERSION_INFO
t$ WATAUAVAWH
_purecall
.PE$AAVDisconnectedException@Platform@@
GetLastError
GetCurrentThreadId
@A_A^_
_commode
api-ms-win-core-synch-l1-2-0.dll
9\uBH
timed_out
|$ M;
D9K(t
GetSystemTimeAsFileTime
__getmainargs
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_
FontType
A_A^_^]
LogHr
filename too long
_amsg_exit
?EventSourceGetTargetArrayEvent@Details@Platform@@YAPEAXPEAXIPEBXPEA_J@Z
.CRT$XCZ
??0bad_cast@@QEAA@AEBV0@@Z
___lc_codepage_func
?terminate@@YAXXZ
Platform.?$WriteOnlyArray@VXmlnsDefinition@Markup@Xaml@UI@Windows@@$00
PinningConfirmationDialog.pinningconfirmationdialog_XamlTypeInfo.__XamlMetaDataProviderActivationFactory
u HcA<H
digit
@SVWATAUAVAWH
calloc
?ReleaseTarget@ControlBlock@Details@Platform@@AEAAXXZ
map/set<T> too long
L$HM;
message_size
Exception
GetProcessHeap
Windows.Foundation.IReferenceArray`1<Windows.UI.Xaml.Markup.IXamlMetadataProvider>
Sleep
`A^_^[]
??0exception@@QEAA@AEBQEBDH@Z
too_many_files_open
WindowsCompareStringOrdinal
L$HL;
no_buffer_space
SetUnhandledExceptionFilter
RoFailFastWithErrorContext
.?AV?$Module@$00VInProcModule@Details@Platform@@@WRL@Microsoft@@
t"D8=7
.data
.PE$AAVObject@Platform@@
invalid stoi argument
network down
t$ UWATAVAWH
executable format error
\$hE3
:)l-/u!
device or resource busy
t$@fD90u
api-ms-win-core-winrt-error-l1-1-1.dll
D$ E3
A_A^A]_]
.text
@SUVWAVAWH
jcY7.
T$0H+
memset
l$`E3
_XamlTypeInfo.InfoProvider.XamlMember
value too large
`.rdata
[%hs]
?__abi_WinRTraiseOutOfBoundsException@@YAXXZ
unknown error
L;0u*H
result out of range
.PE$AAVOutOfBoundsException@Platform@@
WindowsGetStringLen
f9Axu`
H9_Hs<
ReleaseSemaphore
network_unreachable
XamlTypeInfo.InfoProvider.XamlSystemBaseType
?__abi_WinRTraiseOperationCanceledException@@YAXXZ
PinningConfirmationDialog.exe
\$ UVWAVAWH
GetProcAddress
regex_error(error_brack): The expression contained mismatched [ and ].
9S|ucH
WAUAVH
UIText
ProductName
cntrl
A^A]_
?TerminateModule@Details@Platform@@YA_NPEAVModuleBase@1WRL@Microsoft@@@Z

PE Information

Image Base 0x140000000
Entry Point 0x000293b0
Reported Checksum 0x0004dc10
Actual Checksum 0x0004dc10
Minimum OS Version 6.0
PDB Path pinningconfirmationdialog.pdb
Compile Time 2018-09-15 00:58:41
Import Hash 0efd17eec9a0f557c48d0f4b1feff45c
Exported DLL Name pinningconfirmationdialog.exe

Version Infos

CompanyName Microsoft Corporation
FileDescription PinningConfirmationDialog.exe
FileVersion 10.0.17763.1 (WinBuild.160101.0800)
InternalName PinningConfirmationDialog.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename PinningConfirmationDialog.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.17763.1
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x0002be8c 0x0002c000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.23
.rdata 0x0002c400 0x0002d000 0x00017162 0x00017200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.54
.data 0x00043600 0x00045000 0x00003ee0 0x00003600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 3.73
.pdata 0x00046c00 0x00049000 0x00003048 0x00003200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.45
.rsrc 0x00049e00 0x0004d000 0x00000450 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 2.56
.reloc 0x0004a400 0x0004e000 0x00000c98 0x00000e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.27

Name Offset Size Language Sub-language Entropy File type
RT_VERSION 0x0004d060 0x000003f0 LANG_ENGLISH SUBLANG_ENGLISH_US 3.41 None

Imports

Name Address
FormatMessageW 0x14002d0c0
Name Address
GetModuleHandleW 0x14002d098
GetModuleHandleExW 0x14002d0a0
GetModuleFileNameA 0x14002d0a8
GetProcAddress 0x14002d0b0
Name Address
ReleaseSRWLockShared 0x14002d150
WaitForSingleObjectEx 0x14002d158
AcquireSRWLockExclusive 0x14002d160
ReleaseSRWLockExclusive 0x14002d168
AcquireSRWLockShared 0x14002d170
ReleaseMutex 0x14002d178
InitializeCriticalSectionEx 0x14002d180
WaitForSingleObject 0x14002d188
LeaveCriticalSection 0x14002d190
InitializeCriticalSection 0x14002d198
OpenSemaphoreW 0x14002d1a0
CreateMutexExW 0x14002d1a8
ReleaseSemaphore 0x14002d1b0
CreateSemaphoreExW 0x14002d1b8
DeleteCriticalSection 0x14002d1c0
EnterCriticalSection 0x14002d1c8
Name Address
HeapFree 0x14002d078
GetProcessHeap 0x14002d080
HeapAlloc 0x14002d088
Name Address
SetLastError 0x14002d040
GetLastError 0x14002d048
SetUnhandledExceptionFilter 0x14002d050
UnhandledExceptionFilter 0x14002d058
Name Address
GetCurrentProcessId 0x14002d0d0
GetStartupInfoW 0x14002d0d8
TerminateProcess 0x14002d0e0
GetCurrentProcess 0x14002d0e8
GetCurrentThreadId 0x14002d0f0
Name Address
IsDebuggerPresent 0x14002d020
DebugBreak 0x14002d028
OutputDebugStringW 0x14002d030
Name Address
CloseHandle 0x14002d068
Name Address
?terminate@@YAXXZ 0x14002d298
??1type_info@@UEAA@XZ 0x14002d2a0
__C_specific_handler 0x14002d2a8
__dllonexit 0x14002d2b0
_onexit 0x14002d2b8
_XcptFilter 0x14002d2c0
_amsg_exit 0x14002d2c8
__getmainargs 0x14002d2d0
__set_app_type 0x14002d2d8
exit 0x14002d2e0
_exit 0x14002d2e8
_cexit 0x14002d2f0
__setusermatherr 0x14002d2f8
_initterm 0x14002d300
_acmdln 0x14002d308
_fmode 0x14002d310
_commode 0x14002d318
___mb_cur_max_func 0x14002d320
_lock 0x14002d328
___lc_collate_cp_func 0x14002d330
setlocale 0x14002d338
memmove 0x14002d340
memcpy 0x14002d348
??0exception@@QEAA@AEBQEBDH@Z 0x14002d350
_callnewh 0x14002d358
malloc 0x14002d360
_CxxThrowException 0x14002d368
wcslen 0x14002d370
memset 0x14002d378
realloc 0x14002d380
strchr 0x14002d388
??0bad_cast@@QEAA@PEBD@Z 0x14002d390
??1bad_cast@@UEAA@XZ 0x14002d398
??0bad_cast@@QEAA@AEBV0@@Z 0x14002d3a0
free 0x14002d3a8
wcstol 0x14002d3b0
_errno 0x14002d3b8
wcsrchr 0x14002d3c0
??0exception@@QEAA@AEBQEBD@Z 0x14002d3c8
?what@exception@@UEBAPEBDXZ 0x14002d3d0
wcsstr 0x14002d3d8
_vsnprintf_s 0x14002d3e0
??0exception@@QEAA@AEBV0@@Z 0x14002d3e8
??0exception@@QEAA@XZ 0x14002d3f0
??1exception@@UEAA@XZ 0x14002d3f8
_purecall 0x14002d400
memcpy_s 0x14002d408
_vsnwprintf 0x14002d410
___lc_handle_func 0x14002d418
_free_locale 0x14002d420
_get_current_locale 0x14002d428
__crtLCMapStringW 0x14002d430
__crtCompareStringW 0x14002d438
_wcsdup 0x14002d440
abort 0x14002d448
calloc 0x14002d450
__pctype_func 0x14002d458
_ismbblead 0x14002d460
_unlock 0x14002d468
___lc_codepage_func 0x14002d470
??3@YAXPEAX@Z 0x14002d478
__CxxFrameHandler3 0x14002d480
Name Address
?GetActivationFactory@Details@Platform@@YAJPEAVModuleBase@1WRL@Microsoft@@PEAUHSTRING__@@PEAPEAUIActivationFactory@@@Z 0x14002d490
?ReCreateFromException@Details@Platform@@YAJPE$AAVException@2@@Z 0x14002d498
?__abi_FailFast@@YAXXZ 0x14002d4a0
?GetActivationFactoryByPCWSTR@@YAJPEAXAEAVGuid@Platform@@PEAPEAX@Z 0x14002d4a8
?UninitializeData@Details@Platform@@YAXH@Z 0x14002d4b0
?InitializeData@Details@Platform@@YAJH@Z 0x14002d4b8
?__abi_ObjectToString@__abi_details@@YAPE$AAVString@Platform@@PE$AAVObject@3@_N@Z 0x14002d4c0
?EventSourceGetTargetArrayEvent@Details@Platform@@YAPEAXPEAXIPEBXPEA_J@Z 0x14002d4c8
?EventSourceGetTargetArraySize@Details@Platform@@YAIPEAX@Z 0x14002d4d0
?EventSourceGetTargetArray@Details@Platform@@YAPEAXPEAXPEAUEventLock@12@@Z 0x14002d4d8
?get@FullName@Type@Platform@@QE$AAAPE$AAVString@3@XZ 0x14002d4e0
?GetTypeCode@Type@Platform@@SA?AW4TypeCode@2@PE$AAV12@@Z 0x14002d4e8
?GetIBoxVtable@Details@Platform@@YAPEAXPEAX@Z 0x14002d4f0
?CreateValue@Details@Platform@@YAPE$AAVObject@2@W4TypeCode@2@PEBX@Z 0x14002d4f8
??0Delegate@Platform@@QE$AAA@XZ 0x14002d500
??0DisconnectedException@Platform@@QE$AAA@XZ 0x14002d508
??0ChangedStateException@Platform@@QE$AAA@XZ 0x14002d510
?EventSourceInitialize@Details@Platform@@YAXPEAPEAX@Z 0x14002d518
??0FailureException@Platform@@QE$AAA@XZ 0x14002d520
??0OutOfMemoryException@Platform@@QE$AAA@XZ 0x14002d528
?EventSourceAdd@Details@Platform@@YA?AVEventRegistrationToken@Foundation@Windows@@PEAPEAXPEAUEventLock@12@PE$AAVDelegate@2@@Z 0x14002d530
?EventSourceRemove@Details@Platform@@YAXPEAPEAXPEAUEventLock@12@VEventRegistrationToken@Foundation@Windows@@@Z 0x14002d538
?EventSourceUninitialize@Details@Platform@@YAXPEAPEAX@Z 0x14002d540
?ResolveWeakReference@Details@Platform@@YAPE$AAVObject@2@AEBU_GUID@@PEAPEAU__abi_IUnknown@@@Z 0x14002d548
??0OutOfBoundsException@Platform@@QE$AAA@XZ 0x14002d550
??0NullReferenceException@Platform@@QE$AAA@XZ 0x14002d558
??0InvalidArgumentException@Platform@@QE$AAA@XZ 0x14002d560
??0NotImplementedException@Platform@@QE$AAA@XZ 0x14002d568
?GetWeakReference@Details@Platform@@YAPEAU__abi_IUnknown@@QE$ADVObject@2@@Z 0x14002d570
?CreateException@Exception@Platform@@SAPE$AAV12@HPE$AAVString@2@@Z 0x14002d578
?get@Message@Exception@Platform@@QE$AAAPE$AAVString@3@XZ 0x14002d580
?GetIBoxArrayVtable@Details@Platform@@YAPEAXPEAX@Z 0x14002d588
?Allocate@Heap@Details@Platform@@SAPEAX_K0@Z 0x14002d590
??0FailureException@Platform@@QE$AAA@PE$AAVString@1@@Z 0x14002d598
?AllocateException@Heap@Details@Platform@@SAPEAX_K0@Z 0x14002d5a0
?__abi_make_type_id@@YAPE$AAVType@Platform@@AEBU__abi_type_descriptor@@@Z 0x14002d5a8
??BType@Platform@@SA?AVTypeName@Interop@Xaml@UI@Windows@@PE$AAV01@@Z 0x14002d5b0
?ReleaseTarget@ControlBlock@Details@Platform@@AEAAXXZ 0x14002d5b8
?AlignedFree@Heap@Details@Platform@@SAXPEAX@Z 0x14002d5c0
?Free@Heap@Details@Platform@@SAXPEAX@Z 0x14002d5c8
??0Object@Platform@@QE$AAA@XZ 0x14002d5d0
?__abi_WinRTraiseNotImplementedException@@YAXXZ 0x14002d5d8
?__abi_WinRTraiseInvalidCastException@@YAXXZ 0x14002d5e0
?__abi_WinRTraiseNullReferenceException@@YAXXZ 0x14002d5e8
?__abi_WinRTraiseOperationCanceledException@@YAXXZ 0x14002d5f0
?__abi_WinRTraiseFailureException@@YAXXZ 0x14002d5f8
?__abi_WinRTraiseAccessDeniedException@@YAXXZ 0x14002d600
?__abi_WinRTraiseOutOfMemoryException@@YAXXZ 0x14002d608
?__abi_WinRTraiseInvalidArgumentException@@YAXXZ 0x14002d610
?__abi_WinRTraiseOutOfBoundsException@@YAXXZ 0x14002d618
?__abi_WinRTraiseChangedStateException@@YAXXZ 0x14002d620
?__abi_WinRTraiseClassNotRegisteredException@@YAXXZ 0x14002d628
?__abi_WinRTraiseWrongThreadException@@YAXXZ 0x14002d630
?__abi_WinRTraiseDisconnectedException@@YAXXZ 0x14002d638
?__abi_WinRTraiseObjectDisposedException@@YAXXZ 0x14002d640
?__abi_WinRTraiseCOMException@@YAXJ@Z 0x14002d648
?GetIidsFn@@YAJHPEAKPEBU__s_GUID@@PEAPEAVGuid@Platform@@@Z 0x14002d650
?GetCmdArguments@Details@Platform@@YAPEAPEA_WPEAH@Z 0x14002d658
?TerminateModule@Details@Platform@@YA_NPEAVModuleBase@1WRL@Microsoft@@@Z 0x14002d660
Name Address
RoOriginateError 0x14002d218
RoFailFastWithErrorContext 0x14002d220
SetRestrictedErrorInfo 0x14002d228
Name Address
RoReportUnhandledError 0x14002d238
Name Address
EncodePointer 0x14002d200
DecodePointer 0x14002d208
Name Address
CoCreateFreeThreadedMarshaler 0x14002d000
CoTaskMemFree 0x14002d008
CoTaskMemAlloc 0x14002d010
Name Address
GetStringTypeW 0x14002d130
WideCharToMultiByte 0x14002d138
MultiByteToWideChar 0x14002d140
Name Address
Sleep 0x14002d1d8
Name Address
RtlCaptureContext 0x14002d110
RtlVirtualUnwind 0x14002d118
RtlLookupFunctionEntry 0x14002d120
Name Address
QueryPerformanceCounter 0x14002d100
Name Address
GetTickCount 0x14002d1e8
GetSystemTimeAsFileTime 0x14002d1f0

Exports

Name Address Ordinal
DllCanUnloadNow 0x140029df0 1
DllGetActivationFactory 0x140029e10 2

Usage

Processing ( 0.73 seconds )

  • 0.709 CAPE
  • 0.013 BehaviorAnalysis
  • 0.007 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.06 seconds )

  • 0.008 ransomware_files
  • 0.006 antiav_detectreg
  • 0.005 antianalysis_detectfile
  • 0.005 ransomware_extensions
  • 0.003 infostealer_ftp
  • 0.003 territorial_disputes_sigs
  • 0.003 ursnif_behavior
  • 0.002 antiav_detectfile
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.001 banker_zeus_p2p
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 uac_bypass_cmstpcom
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 infostealer_bitcoin
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior

Reporting ( 0.00 seconds )

  • 0.003 CAPASummary
  • 0.001 JsonDump

Signatures

The PE file contains a PDB path
pdbpath: pinningconfirmationdialog.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Windows\System32\kernel.appcore.dll
\Device\CNG
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsRuntime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\CustomAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\Diagnosis
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.UI.Xaml.Application\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
Local\SM0:832:304:WilStaging_02
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No TCP connections recorded.

No UDP connections recorded.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.