Analysis Report · CAPE Sandbox

Analysis

Category	Package	Started	Completed	Duration	Options	Log(s)
FILE	exe	2025-06-12 20:33:27	2025-06-12 21:04:27	1860 seconds	Show Options	Show Analysis Log

procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1

2024-11-25 13:37:15,287 [root] INFO: Date set to: 20250611T19:40:22, timeout set to: 1800
2025-06-11 20:40:22,510 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8
2025-06-11 20:40:22,510 [root] DEBUG: Storing results at: C:\XgITVWXU
2025-06-11 20:40:22,510 [root] DEBUG: Pipe server name: \\.\PIPE\QkIhwKCq
2025-06-11 20:40:22,510 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-11 20:40:22,510 [root] INFO: analysis running as an admin
2025-06-11 20:40:22,510 [root] INFO: analysis package specified: "exe"
2025-06-11 20:40:22,510 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-11 20:40:23,057 [root] DEBUG: imported analysis package "exe"
2025-06-11 20:40:23,057 [root] DEBUG: initializing analysis package "exe"...
2025-06-11 20:40:23,057 [lib.common.common] INFO: wrapping
2025-06-11 20:40:23,057 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-11 20:40:23,057 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\ConfigSecurityPolicy.exe
2025-06-11 20:40:23,057 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-11 20:40:23,057 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-11 20:40:23,057 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-11 20:40:23,057 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-11 20:40:23,307 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-11 20:40:23,385 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-11 20:40:23,416 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-11 20:40:23,432 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-11 20:40:23,432 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-11 20:40:23,432 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-11 20:40:23,432 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-11 20:40:23,448 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-11 20:40:23,448 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-11 20:40:23,448 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-11 20:40:23,448 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-11 20:40:23,448 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-11 20:40:23,448 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-11 20:40:23,448 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-11 20:40:23,448 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-11 20:40:23,448 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-11 20:40:23,448 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-11 20:40:23,448 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-11 20:40:34,838 [modules.auxiliary.digisig] DEBUG: File has a valid signature
2025-06-11 20:40:34,838 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-11 20:40:35,276 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-11 20:40:35,276 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-11 20:40:35,276 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-11 20:40:35,276 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-11 20:40:35,276 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-11 20:40:35,276 [modules.auxiliary.disguise] INFO: Disguising GUID to a12a810f-7248-49cb-b29e-38f635d4389d
2025-06-11 20:40:35,276 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-11 20:40:35,276 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-11 20:40:35,276 [root] DEBUG: attempting to configure 'Human' from data
2025-06-11 20:40:35,276 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-11 20:40:35,276 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-11 20:40:35,276 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-11 20:40:35,276 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-11 20:40:35,276 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-11 20:40:35,276 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-11 20:40:35,276 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-11 20:40:35,276 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-11 20:40:35,276 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-11 20:40:35,276 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-11 20:40:35,276 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-11 20:40:35,276 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-11 20:40:35,276 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-11 20:40:35,276 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-11 20:40:35,307 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini
2025-06-11 20:40:35,307 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-11 20:40:35,307 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-11 20:40:35,307 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-11 20:40:35,307 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-11 20:40:35,307 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-11 20:40:35,307 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-11 20:40:35,307 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\nJyNmW.dll, loader C:\tmp_gell1p8\bin\pgBxLdyq.exe
2025-06-11 20:40:35,354 [root] DEBUG: Loader: IAT patching disabled.
2025-06-11 20:40:35,354 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\nJyNmW.dll.
2025-06-11 20:40:35,385 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-11 20:40:35,385 [root] INFO: Disabling sleep skipping.
2025-06-11 20:40:35,385 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-11 20:40:35,385 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-11 20:40:35,385 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-11 20:40:35,385 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-11 20:40:35,385 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-11 20:40:35,385 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-11 20:40:35,401 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-11 20:40:35,401 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-11 20:40:35,401 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF822E30000, thread 1488, image base 0x00007FF60D500000, stack from 0x0000008EFACF4000-0x0000008EFAD00000
2025-06-11 20:40:35,401 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-11 20:40:35,416 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-11 20:40:35,416 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-11 20:40:35,416 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\nJyNmW.dll.
2025-06-11 20:40:35,416 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-11 20 <truncated>

Machine

Name	Label	Manager	Started On	Shutdown On	Route
win10-2	win10-2	KVM	2025-06-12 20:33:27	2025-06-12 21:04:07	none

File Details

File Name	ConfigSecurityPolicy.exe
File Type	PE32+ executable (console) x86-64, for MS Windows
File Size	310272 bytes
MD5	b5a3a34619717db8486bcd0ee10d8791
SHA1	386a0b9561b2b5c63d07a15900b23ba41339112c
SHA256	6d9589a6db768b9eb658215059b9848b9de96dd8ea701be8a11f28e062684e20 [VT] [MWDB] [Bazaar]
SHA3-384	30ee02b0a2fba794cede315741b90d54b7b8e5d68706ba63cebc28cebf986e4f6dc19a8eed18816a4774ddabc13ec812
CRC32	B645FC00
TLSH	T139645C2AB69C0CD1E872923D8581CA05FBB274661B61CBC7317C932F2F276E99D39741
Ssdeep	3072:Kns2yL/4Vn+mFSGaToJqOMa1LFLK2gg6cEADk74t+fXa/QwKeGiSMV+T8rguIcmX:+s204t+cyoJ5M8LB3iqnXrgimGbw3
Yara	shellcode_stack_strings - Match x86 that appears to be stack string creation. - Author: William Ballenthin
PE	File Strings BinGraph Vba2Graph

VirusTotal (0/77)

Full Results

Engine	Result	Engine	Result	Engine	Result

pA^_^[]

@.data

en-SG

.?AVCResourceDllBase@ResourceHelpers@MorroCommon@@

LastPolicyErrorMessage

WinDefend

</xs:complexType>

.?AV_Generic_error_category@std@@

<xs:attribute name="Disabled" type="xs:boolean" use="optional" />

de-DE

ReleaseMutex

0A^^[

CryptCATCatalogInfoFromContext

en-TT

zh-HK

ne-NP

bs-Latn

u*9Q<|%

ta-LK

sma-NO

af-ZA

A_A^A\_^][

L$xE3

no space on device

mn-MN

f9,Nu

WritePrivateProfileStringW

ff-Latn

fD;}0

.//Features

RegSetValueExW

9t$(r

mn-Mong

not a directory

`A^A]A\_^[]

list<T> too long

</security>

TlP0X

Microsoft Security Client Policy Configuration Tool

ku-Arab-IQ

\$0H9

VWAVH

X_^[]

GetProductInfo

system

f94Gu

O0M0K

sl-SI

Microsoft Corporation

LoadLibraryExW

PathFindFileNameW

OutputDebugStringA

</xs:element>

_XcptFilter

180823202712Z

_lock

</xs:complexType>

ta-IN

UnmapViewOfFile

F@D8s

.PEAVEUnknownError@MorroCommon@@

resource unavailable try again

_initterm

tt-RU

.?AVlogic_error@std@@

kr-NG

.idata$5

api-ms-win-core-version-l1-1-0.dll

K32GetModuleFileNameExW

not connected

sms-FI

protocol_not_supported

swscanf_s

es-AR

.pdata

wcschr

de-AT

MUI\%04hx

Microsoft

E@yEH

fil-PH

<xs:element minOccurs="0" maxOccurs="unbounded" name="PolicySection">

operation_in_progress

gn-PY

ar-TN

or: ConfigSecurityPolicy -c <policy_xml_content_text>

.?AVCAtlException@ATL@@

zu-ZA

sd-Arab-PK

.data$r$brc

en-029

syr-SY

sk-SK

CloseServiceHandle

host_unreachable

towlower

SetEvent

connection refused

read only file system

GSF9:

SleepConditionVariableSRW

_exit

ky-KG

|DfD;A

.?AVCPredefinedMpHeapsHolder@CommonUtil@@

nb-no

gNULL

operation would block

0A^_^

.?AUIXMLReader@SecurityClient@Microsoft@@

bs-Cyrl

.?AV?$_Tree_comp@$0A@V?$_Tmap_traits@V?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@V12@U?$less@V?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@@std@@V?$allocator@U?$pair@$$CBV?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@V12@@std@@@4@$0A@@std@@@std@@

Legal_Policy_Statement

f9,Xu

.?AVCArgvIter@CommonUtil@@

da-DK

bs-BA-Latn

0A_A^A\_^

<xs:element name="WmiPropertySettings" minOccurs="0" maxOccurs="1">

%04X%c

.\%s.mui

WTSEnumerateSessionsW

pa-Arab

.tls$ZZZ

GetPrivateProfileIntW

CoCreateInstance

<xs:complexType>

8\$@u

nCipher NTS ESN:2665-4C3F-C5DE1+0)

.//%ws/@%ws

sr-Latn-ME

GetFileAttributesW

Microsoft Time-Stamp PCA 20100

.?AV?$CRefObjectFor@UIXMLFeatures@SecurityClient@Microsoft@@@CommonUtil@@

ne-IN

WmiPropertySettings

argument out of domain

.rdata$r

.?AV?$_Vector_alloc@$0A@U?$_Vec_base_types@V?$AutoRefWrapper@V?$CRefClass@V?$map@V?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@V12@U?$less@V?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@@std@@V?$allocator@U?$pair@$$CBV?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@V12@@std@@@4@@std@@@CommonUtil@@@CommonUtil@@V?$allocator@V?$AutoRefWrapper@V?$CRefClass@V?$map@V?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@V12@U?$less@V?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@@std@@V?$allocator@U?$pair@$$CBV?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@V12@@std@@@4@@std@@@CommonUtil@@@CommonUtil@@@std@@@std@@@std@@

`A^_^

SwitchToThread

.?AVCProductUtils@MorroCommon@@

.CRT$XIA

RtlNtStatusToDosError

111019184142Z

api-ms-win-core-rtlsupport-l1-1-0.dll

BrandName

connection_already_in_progress

generic

tjf9t_

DestroyIcon

es-PA

sa-IN

ResetEvent

GetSidSubAuthority

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

FileDescription

%Microsoft Windows Production PCA 2011

.?AU?$IForwardIterator@$$CBG@CommonUtil@@

8\$Ht

dz-BT

Microsoft Corporation1

UWATAVAWH

H9|$Xu%L

ntdll.dll

no stream resources

fprintf

Microsoft America Operations1'0%

WinVerifyTrust

it-it

directory not empty

zh-CHT

CreateEnvironmentBlock

vswprintf_s

.?AV?$map@V?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@V12@U?$less@V?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@@std@@V?$allocator@U?$pair@$$CBV?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@V12@@std@@@4@@std@@

InitializeCriticalSection

WakeAllConditionVariable

Microsoft Time-Stamp PCA 2010

network reset

AdjustTokenPrivileges

sr-SP-Cyrl

GetFileVersionInfoSizeW

LastFailedToApplyPolicyTimeUTC

SelectionLanguage

GetNativeSystemInfo

.?AV?$CRefObjectFor@UIXMLBrandedColors@SecurityClient@Microsoft@@@CommonUtil@@

D$(E3

.?AV?$_Tree_val@U?$_Tree_simple_types@U?$pair@$$CBV?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@K@std@@@std@@@std@@

fA9<Hu

xh-ZA

no protocol option

it-CH

H9\$@

ar-DZ

.?AVCXMLReader@SecurityClient@Microsoft@@

es-HN

en-GB

ml-IN

fi-FI

H UATAUAVAWH

memmove_s

no buffer space

UVWAVAWH

</xs:element>

fE9$Ku

ka-GE

ts-ZA

.?AVCWin32@MorroCommon@@

nl-nl

A_A^A\_]

GetSidSubAuthorityCount

100701213655Z

</xs:sequence>

.?AV?$CRefObjectFor@UIXMLReader@SecurityClient@Microsoft@@@CommonUtil@@

t3fA;

TerminateProcess

f9,Au

en-BZ

H9\$8D

<xs:attribute name="Name" type="xs:string" use="required" />

ar-AE

PathRemoveFileSpecW

tg-Cyrl-TJ

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

fr-MA

Microsoft Windows0

bad_address

pt-pt

quc-Latn-GT

SOFTWARE\Microsoft\Microsoft Security Essentials

LastSuccessfullyAppliedPolicyTimeUTC

ko-KR

.text$x

wo-SN

CreateMutexW

R!s4Z

not_connected

too many links

.\%s\%s.mui

KillTimer

wcstoul

.xdata$x

L$HH3

%s\%s\%s.mui

ar-YE

A^_^

CryptCATAdminAcquireContext

GetModuleHandleW

fD9$Su

PathIsRelativeW

sd-Arab

inappropriate io control operation

|x4;1

L$ E3

HcQ<H

.CRT$XLZ

__RELPATH

.giats

fr-SN

bs-Latn-BA

D$ H;

SystemTimeToFileTime

connection reset

<xs:attribute name="Name" type="xs:string" use="required" />

<xs:element maxOccurs="unbounded" name="IgnoreKey">

ru-RU

<xs:simpleContent>

ig-NG

<xs:extension base="xs:string">

C$H;A$t

connection aborted

0A_A^_

H9|$Pt

pa-IN

OriginalFilename

destination_address_required

en-us

en-JM

FileTimeToSystemTime

<xs:attribute name="Description" type="xs:string" use="optional" />

pt-PT

$Microsoft Ireland Operations Limited1

es-DO

chr-Cher

<xs:complexType>

az-Cyrl

fD94Au

VWATH

4.18.17763.1

fA9,@u

[]/0.

.?AVCCertCheckFactory@MorroCommon@@

es-ES_tradnl

WTSQuerySessionInformationW

</xs:choice>

UVWATAUAVAWH

zh-Hant

CloseHandle

L$8E3

@A__^

sr-latn-cs

@.reloc

_vsnprintf

targetNamespace="http://forefront.microsoft.com/FEP/2010/01/PolicyData"

Error: arguments missing.

.?AUILockedCertCheck@MorroCommon@@

FreeSid

tzm-Latn-DZ

REG_QWORD

fwprintf

0A_A^A]_^

z.9Wv

LoadResource

_purecall

ChangeServiceConfigW

timed_out

la-001

GetSystemTimeAsFileTime

PathIsDirectoryW

A^_]

ControlTraceW

.?AVCBrandingSettings@CBrandedResourceWrapper@MpCommonEx@@

ar-LB

</xs:sequence>

.//UpgradeSequence/PackageRef[@id]

yo-NG

MSEv2

iu-Cans-CA

et-ee

??0exception@@QEAA@AEBQEBDH@Z

.?AUIBrandParams@MpCommonEx@@

%s failed to apply policy "%s". Error: %s. Error code: 0x%08X.

SetUnhandledExceptionFilter

ja-jp

wcscmp

.?AV?$_Tree_val@U?$_Tree_simple_types@U?$pair@$$CBV?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@V12@@std@@@std@@@std@@

%ws\%ws

network down

pap-029

GetSystemDefaultLangID

executable format error

.?AUIBrandedResources@MpCommonEx@@

D$ E3

.text

Thales TSS ESN:57C8-2D15-1C8B1%0#

H!\$0H!\$8H

.rdata$brc

@USVWATAUAVH

uUfA9

ControlService

fo-FO

pt-BR

L$ USVWATAUAVH

bo-CN

id-ID

fF9<Su

.idata$4

yi-001

.//BrandedString[@name and @value]

.?AV?$_Vector_val@U?$_Simple_types@V?$AutoRefWrapper@V?$CRefClass@V?$map@V?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@V12@U?$less@V?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@@std@@V?$allocator@U?$pair@$$CBV?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@V12@@std@@@4@@std@@@CommonUtil@@@CommonUtil@@@std@@@std@@

<xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema"

LastFailedToApplyPolicy

mk-MK

.rdata$T$brc

GetTokenInformation

se-FI

sr-Latn-RS

__dllonexit

.?AVCBrandedAPI@MpCommonEx@@

connection_aborted

identifier removed

fclose

PathMatchSpecW

<xs:sequence>

operation not supported

cross device link

WmiSettingsApplied

Kernel32.dll

__C_specific_handler

TraceMessage

no link

tr-tr

%s%s%ls%s

en-IE

%s\%s

co-FR

CreateEventW

GetFileVersionInfoExW

da-dk

bad allocation

RemoveDirectoryW

.text$mn$00

t$ WH

fD9mw

SetLastError

.?AUIXMLBrandedValues@SecurityClient@Microsoft@@

.rsrc$01

ru-ru

t<f;*t7H

ar-OM

t 8\$@L

.?AU?$ISimpleIterator@$$CBG@CommonUtil@@

A_A^A]A\_^[]

RegDeleteValueW

moh-CA

en-ZW

.?AV?$CStdVector@V?$AutoRefWrapper@V?$CRefClass@V?$map@V?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@V12@U?$less@V?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@@std@@V?$allocator@U?$pair@$$CBV?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@V12@@std@@@4@@std@@@CommonUtil@@@CommonUtil@@V?$allocator@V?$AutoRefWrapper@V?$CRefClass@V?$map@V?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@V12@U?$less@V?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@@std@@V?$allocator@U?$pair@$$CBV?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@V12@@std@@@4@@std@@@CommonUtil@@@CommonUtil@@@std@@@CommonUtil@@

sr-Latn-CS

forwarders\%ws

A_A^A]

az-Latn-AZ

DefaultSqmOptIn

USERENV.dll

api-ms-win-core-version-l1-1-1.dll

GetTraceEnableLevel

my-MM

permission_denied

Enter to

chr-Cher-US

_CxxThrowException

.?AV_System_error_category@std@@

f9,Pu

f9<Xu

H9\$8A

LookupPrivilegeNameW

LeaveCriticalSection

resource deadlock would occur

Disabled

ko-kr

too many files open in system

en-ZA

</xs:sequence>

sr-SP-Latn

L$ SVWH

GetTraceLoggerHandle

am-ET

<xs:attribute name="Disabled" type="xs:boolean" use="optional" />

address not available

<xs:attribute name="ProductVersion" type="xs:string" use="optional"/>

<xs:attribute name="Name" type="xs:string" use="required" />

sq-AL

.?AVexception@@

message size

gsw-FR

<xs:attribute name="Name" type="xs:string" use="required" />

eu-ES

.text$yd

.?AVCBrandedColors@SecurityClient@Microsoft@@

CreateDirectoryW

fr-HT

ar-SA

D$xH;

PA_A^_^]

LcA<E3

.?AVCBrandedResources@MpCommonEx@@

fr-BE

SignatureUpdateFrequency

.?AV?$_Tree_comp@$0A@V?$_Tmap_traits@V?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@KU?$less@V?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@@std@@V?$allocator@U?$pair@$$CBV?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@K@std@@@4@$0A@@std@@@std@@

.?AVCMpGlobalVarsTable@CommonUtil@@

@.rsrc

AcquireSRWLockExclusive

`A_A^A]A\_^]

</xs:complexType>

protocol not supported

LegalCopyright

nl-BE

<xs:complexType>

fr-MC

GetSystemTime

<2Q!<

arn-CL

M0K0I

is-IS

dsb-DE

sw-KE

\$hH;

HeapDestroy

fD9<Bu

.rdata$zzzdbg

LoadStringW

WAVAWH

fr-LU

GetDriveTypeW

realloc

.rdata

Process32NextW

??1type_info@@UEAA@XZ

??0exception@@QEAA@XZ

api-ms-win-core-errorhandling-l1-1-0.dll

RegDeleteKeyW

ur-PK

<xs:attribute name="Name" type="xs:string" use="required" />

too many files open

OpenSCManagerW

.?AVEUnknownError@MorroCommon@@

ar-SY

ti-ER

wcsstr

ba-RU

no lock available

7B#Ee

cs-cz

fF9<Bu

IsWow64Process

value

pA_A^A]A\_^[

%Microsoft Windows Production PCA 20110

WaitForSingleObject

address in use

en-ID

.?AVCHResultWithMessageException@SecurityClient@Microsoft@@

OpenProcessToken

.//BrandedColors

MessageBoxW

SVWATAUAVAWH

owner dead

FindResourceExW

8EPt2

network unreachable

api-ms-win-core-sysinfo-l1-1-0.dll

fr-FR

.//Packages/Package

@8|$0L

sv-se

memcpy

SetForegroundWindow

.idata$3

261019185142Z0

%I64u

Ehttp://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z

invalid seek

CommandFile %s line %Iu

AddKey

mn-Mong-MN

.?AVCLockEntireFile@MorroCommon@@

<xs:complexType>

SetErrorMode

H!\$ H

is a directory

H9\$PL

fflush

az-Cyrl-AZ

SecurityPolicy

string too long

"Microsoft Window

SHGetFolderPathW

H!|$XH

|$HfD

ExpandEnvironmentStringsW

no child process

SearchPathW

D$ H9

(_^][

__setusermatherr

UATAUAVAWH

HeapFree

es-CR

invalid string position

ff-Latn-SN

no message available

SOFTWARE\Microsoft\Microsoft Security Client

1http://www.microsoft.com/PKI/docs/CPS/default.htm0@

GetTickCount

MsMpRes.Dll

L$@E3

<xs:complexType>

WTSFreeMemory

.CRT$XIY

L$@H3

PostMessageW

H95<-

_wfopen

D$XH;

iu-Latn

.?AVCHResultException@CommonUtil@@

UWAVH

MultiByteToWideChar

zh-MO

es-CL

A_A^A\

u\H!\$@L

@VWAVH

connection_reset

Ehttp://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl0Z

.//BrandedValues

Chttp://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl0a

iswspace

hr-HR

uz-Latn-UZ

fgetws

UnregisterTraceGuids

</xs:extension>

qps-ploc

SHELL32.dll

.?AU_Container_base0@std@@

*.com

*.exe

ha-Latn-NG

en-CA

WINTRUST.dll

tn-ZA

@A^_]

<xs:element minOccurs="1" maxOccurs="unbounded" name="Class">

</xs:complexType>

A^_^[

CreateProcessW

.?AVCHResultExceptionImpl@CommonUtil@@

@SUVWATAVAWH

<xs:extension base="xs:string">

WATAUAVAWH

ro-RO

H;J r

$`2X`F

|$`L;

quz-PE

ConfigSecurityPolicy.exe

tn-BW

A_A^A]A\_

.CRT$XCAA

\$@E3

fD98u

WTHelperGetProvSignerFromChain

sr-Cyrl-ME

\$ UH

iu-Latn-CA

<xs:complexType>

lv-LV

ADVAPI32.dll

connection already in progress

no message

vi-vn

CreateThread

.00cfg

\$XH;

_wcsicmp

.//InstallSequence/PackageRef[@id]

</xs:schema>

FreeLibrary

</xs:sequence>

<xs:attribute name="PreviousValue" type="xs:string" use="optional" />

<xs:choice minOccurs="0" maxOccurs="unbounded">

H9E0w

qps-plocm

fD93t

es-CU

http://www.microsoft.com/windows0

ks-Deva-IN

.?AVCFeatureBrand@SecurityClient@Microsoft@@

.?AUIXMLDeployment@SecurityClient@Microsoft@@

ATAVAWH

CompanyName

<xs:element minOccurs="0" maxOccurs="unbounded" name="Namespace">

f9,Zu

H!\$PH

GetCurrentThreadId

@A_A^_

nso-ZA

LastPolicyErrorCode

VirtualLock

.?AV?$_Tree@V?$_Tmap_traits@V?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@KU?$less@V?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@@std@@V?$allocator@U?$pair@$$CBV?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@K@std@@@4@$0A@@std@@@std@@

f;|$H

.?AUIXMLFeatures@SecurityClient@Microsoft@@

u HcA<H

<xs:attribute name="Type" type="xs:string" use="required" />

CryptCATAdminReleaseContext

message_size

GetProcessHeap

fy-NL

SetThreadPreferredUILanguages

Sleep

@8=p(

x5fD;

GetFileSizeEx

es-EC

QueryServiceStatus

x+D;q

ProcessIdToSessionId

api-ms-win-shcore-registry-l1-1-0.dll

uz-Cyrl

@A_A^A]A\_

GetUserDefaultUILanguage

GetDiskFreeSpaceExW

th-th

en-HK

sd-Deva-IN

|$ H;

mi-NZ

value too large

.?AV?$CRefObjectFor@U?$IForwardIterator@$$CBG@CommonUtil@@@CommonUtil@@

<xs:simpleContent>

)Microsoft Root Certificate Authority 20100

tzm-Tfng-MA

RegOpenKeyExW

iswalpha

network_unreachable

FindFirstFileW

_wcsnicmp

%s successfully applied policy: "%s".

kn-IN

PA_A^A]A\_^]

LockResource

fA94Iu

l$ VWAVH

tk-TM

lv-lv

?what@exception@@UEBAPEBDXZ

D$8H;

zh-CN

GetLongPathNameW

es-BO

L$pL;

.?AVCSystemInfo@MorroCommon@@

th-TH

L$ SUVWH

en-NZ

sk-sk

%ws.%ws

v#fD9t^

<xs:element minOccurs="1" maxOccurs="unbounded" name="Instance">

si-LK

en-IN

Instance

ha-Latn

es-419

not supported

|hK,_

uk-ua

H9|$@tZH

??0exception@@QEAA@AEBQEBD@Z

%s\%s.mui

<xs:element maxOccurs="unbounded" name="AddKey">

CheckTokenMembership

SHGetPathFromIDListW

wcsrchr

.?AV?$CRefObjectFor@UIBrandParams@MpCommonEx@@@CommonUtil@@

sr-Cyrl-RS

gl-ES

ug-CN

fr-CA

bs-BA-Cyrl

tzm-Tfng

fr-ML

hy-AM

network_down

memmove

</xs:complexType>

de-de

<xs:attribute name="IsBuiltIn" type="xs:boolean" use="optional" />

CryptCATAdminEnumCatalogFromHash

interrupted

@8y(t

OpenProcess

f94Bu

250701214655Z0|1

and @file and @type]

StringFromGUID2

__set_app_type

mn-Cyrl

%s failed to apply policy "%s". Error code: 0x%08X.

ar-MA

</trustInfo>

LoadIconW

mni-IN

.?AVCPtrObjectProcessHeap@CommonUtil@@

040904B0

SizeofResource

CreateFileMappingW

229879+4379540

<xs:attribute name="CreatedBy" type="xs:string" use="optional" />

@USVWAVH

wrong_protocol_type

</xs:complexType>

XPath

too many symbolic link levels

en-PH

not enough memory

fB94Su

HcA<H

VerifyVersionInfoW

.?AVbad_alloc@std@@

A_A^A]A\_^]

unknown policy section

es-es

A_A^]

<xs:choice minOccurs="0" maxOccurs="unbounded">

SHLWAPI.dll

filename_too_long

ms-MY

@8|$0I

Identifier

sah-RU

IsDialogMessageW

H;]`u

st-ZA

cy-GB

CreateToolhelp32Snapshot

ReadFile

br-FR

operation_would_block

WideCharToMultiByte

RegQueryValueExW

.PEAVEHresultException@MorroCommon@@

@SVWH

A_A^_^[

VWAUAVAWH

<xs:attribute name="Disabled" type="xs:boolean" use="optional" />

.?AV?$CRefObjectFor@UIXMLBrandedValues@SecurityClient@Microsoft@@@CommonUtil@@

<xs:complexType>

<xs:sequence>

VarFileInfo

<xs:sequence>

_fmode

<xs:attribute name="Version" type="xs:nonNegativeInteger" use="optional" />

Class

no such file or directory

EppManifest.dll

AMSKUID

ve-ZA

</compatibility>

http://forefront.microsoft.com/FEP/2010/01/PolicyData

.?AV?$CRefObjectFor@UIXMLBrandedStrings@SecurityClient@Microsoft@@@CommonUtil@@

oc-FR

GetFileVersionInfoW

_vsnwprintf

smn-FI

api-ms-win-core-libraryloader-l1-2-0.dll

CreateFileW

smj-NO

zh-TW

AllocateAndInitializeSid

hr-hr

CopyFileW

ro-ro

fi-fi

ca-ES

f94Xu

address family not supported

H!|$0E3

SUVWAVH

stream timeout

<xs:complexType>

AMSignatureDownloadGUID

nl-NL

FormatMessageW

et-EE

bg-bg

InitializeCriticalSectionAndSpinCount

ConfigSecurityPolicy.pdb

CoUninitialize

prs-AF

A_A^A]A\_

H;A r

t$PfD

DeleteCriticalSection

RaiseException

9D$H}

RtlCaptureContext

.?AVCBrandedStrings@SecurityClient@Microsoft@@

bg-BG

,+ycZyymlVli13OuYjNViahAKl2qOcxXLDlN1ZVMn21I=0Z

x ATAVAWH

io error

CreateProcessAsUserW

rw-RW

.CRT$XLA

D$@I;

GetFileSize

uz-Latn

operation canceled

Microsoft Security Client

</xs:element>

qps-Latn-x-sh

GetWindowThreadProcessId

WTHelperProvDataFromStateData

<?xml version="1.0" encoding="utf-8"?>

.//BrandedStrings

uz-Cyrl-UZ

A^A]A\_^[]

tzm-Latn

HeapReAlloc

GetLengthSid

%ws%ws

fr-029

BT$8H

</xs:element>

A_A^_

bs-Cyrl-BA

quc-Latn

Microsoft Corporation1200

<xs:attribute name="Name" type="xs:string" use="optional" />

WriteFile

Washington1

he-IL

A_A^A\

hu-hu

az-Latn

H;]Pu

D$ I;

DestroyWindow

H9\$pufH

invalid_argument

api-ms-win-core-processthreads-l1-1-0.dll

qps-ploca

be-BY

lt-LT

@USVWATAVAWH

SetWindowTextW

nb-NO

ja-JP

x5H9l$X|.H

</xs:complexType>

</xs:element>

tCH;]

gd-GB

__wgetmainargs

ReleaseSRWLockExclusive

SHGetSpecialFolderLocation

CompInstall

4NL;t$8

ru-MD

RtlLookupFunctionEntry

GetTraceEnableFlags

.?AVCResourceDll@ResourceHelpers@MorroCommon@@

de-CH

QueryPerformanceCounter

~$QR_2

.?AV?$CRefClass@V?$map@V?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@V12@U?$less@V?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@@std@@V?$allocator@U?$pair@$$CBV?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@V12@@std@@@4@@std@@@CommonUtil@@

msvcrt.dll

.?AVCMuiApi@MorroCommon@@

StringFileInfo

ar-EG

t$ WAVAWH

ole32.dll

D$hH;

GetSystemDefaultUILanguage

</xs:simpleContent>

SOFTWARE\Policies\Microsoft\Windows Defender

already_connected

es-ES

@WATAUAVAWH

.?AV_Iostream_error_category@std@@

</xs:element>

.text$mn

broken pipe

L$ SH

Process32FirstW

</application>

protocol error

fr-CI

kok-IN

f9<Cu

SUVWATAUAVAWH

Usage: ConfigSecurityPolicy <policy_xml1> [<policy_xml2> <policy_xml3> ...]

text file busy

TelemetryReportRate

uk-UA

@UWAVH

DecodePointer

PathAppendW

@A\_^

zh-Hans

sr-Cyrl-BA

tg-Cyrl

L$`H3

address_family_not_supported

D$@E3

fr-CD

not

ar-LY

SetProperty

%ARC%

ks-Arab

AddValue

<xs:attribute name="Identifier" type="xs:string" use="required" />

Command Line - Option already specified %s

timed out

8A^_^[

>http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0

HA_A^A]A\_^][

iSHp6

hu-HU

??1exception@@UEAA@XZ

.?AVCPtrObject@CommonUtil@@

@A_A^A\

E##'P

CoCreateGuid

permission denied

ur-IN

RtlVirtualUnwind

sr-BA-Cyrl

tzm-Arab-MA

GetModuleFileNameW

lGetFileVersionInfoSizeExW

state not recoverable

SetTimer

.?AV?$_Tree_buy@U?$pair@$$CBV?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@V12@@std@@V?$allocator@U?$pair@$$CBV?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@V12@@std@@@2@@std@@

.CRT$XCA

.PEAX

KERNEL32.dll

<xs:element name="LocalGroupPolicySettings" minOccurs="0" maxOccurs="1">

es-SV

Namespace

<xs:attribute name="Disabled" type="xs:boolean" use="optional" />

</xs:choice>

UnhandledExceptionFilter

\$ H+

FindResourceW

GetWindowsDirectoryW

operation in progress

AdjustWindowRectEx

<xs:sequence>

wcscpy_s

U0S0Q

Microsoft Time-Stamp Service0

GetVersionExW

MapViewOfFile

.?AV?$CRefObjectFor@UIXMLDeployment@SecurityClient@Microsoft@@@CommonUtil@@

GetSystemDirectoryW

VS_VERSION_INFO

Error: too many arguments, make sure command line policy XML is supplied as a single argument.

api-ms-win-core-synch-l1-2-0.dll

ff-NG

A_A^_^]

filename too long

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Security Essentials

as-IN

.CRT$XCZ

bsearch

sma-SE

lb-LU

D9}@~YH

20180915045301.63Z0

.?AV?$_Tree_alloc@$0A@U?$_Tree_base_types@U?$pair@$$CBV?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@V12@@std@@V?$allocator@U?$pair@$$CBV?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@V12@@std@@@2@@std@@@std@@

sv-SE

nn-NO

l$ H;~

map/set<T> too long

t 8\$HL

H9\$8H

SendMessageW

.//BrandedValue[@name and @value]

too_many_files_open

.data

lt-lt

_wchmod

CRYPT32.dll

device or resource busy

PathFileExistsW

memset

mt-MT

unknown error

fA94Au

I!>I!~

result out of range

.?AVEHresultException@MorroCommon@@

.?AUICmdOptionsLookup@CommonUtil@@

GetProcAddress

<xs:element name="PolicyCustomData" type="xs:string" minOccurs="0" maxOccurs="1"/>

dv-MV

*.scr

ProductName

DuplicateTokenEx

D$pH9}

Microsoft Corporation1.0,

ga-IE

CryptCATAdminCalcHashFromFileHandle

4.18.17763.1 (WinBuild.160101.0800)

.idata$6

H;t$0s

<xs:any minOccurs="0" maxOccurs="unbounded" processContents="skip" namespace="##other"/>

.?AV?$CRefClass@V?$CStdRefVector@V?$CRefClass@V?$map@V?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@V12@U?$less@V?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@@std@@V?$allocator@U?$pair@$$CBV?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@V12@@std@@@4@@std@@@CommonUtil@@@CommonUtil@@@CommonUtil@@

CertVerifyCertificateChainPolicy

api-ms-win-core-heap-l1-1-0.dll

el-GR

Invalid parameter passed to C runtime function.

no such process

Microsoft Time-Stamp Service

fr-fr

@A_A^_^]

tr-TR

</xs:element>

D$HE3

H95U-

fD9t^

not_a_socket

H!|$ H

bad_file_descriptor

.?AUIXMLBrandedColors@SecurityClient@Microsoft@@

te-IN

PA^_^

MoveFileW

FileVersion

.?AUIRefObject@CommonUtil@@

HeapSize

WTSAPI32.dll

L$hH3

.?AVlength_error@std@@

Microsoft Corporation1&0$

SVWAVH

.?AVCDeploymentBrand@SecurityClient@Microsoft@@

1(0&0

Locale

180703204550Z

ar-JO

__NO_STRING_EXPANSION

CreateDialogParamW

sr-Cyrl

H;0u2H

zh-cn

ar-KW

bad address

.?AV?$CStdRefVector@V?$CRefClass@V?$map@V?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@V12@U?$less@V?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@@std@@V?$allocator@U?$pair@$$CBV?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@V12@@std@@@4@@std@@@CommonUtil@@@CommonUtil@@

or-IN

GetExitCodeProcess

.//Feature[@name and @value]

UAVAWH

A_A^_

memcpy_s

operation not permitted

D$`H;

SHDeleteKeyW

0A_A^_^[

quz-EC

<xs:complexType>

fE9<Hu

@8|$0M

<xs:attribute name="LastModifiedBy" type="xs:string" use="optional" />

Ehttp://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt0

</xs:extension>

om-ET

VerQueryValueW

es-GT

.?AVCCmdOptionsLookupMap@CommonUtil@@

.?AVerror_category@std@@

D;d$

.?AV?$_Tree@V?$_Tmap_traits@V?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@V12@U?$less@V?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@@std@@V?$allocator@U?$pair@$$CBV?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@V12@@std@@@4@$0A@@std@@@std@@

es-PR

20180914212612Z

kk-KZ

<xs:attribute name="Disabled" type="xs:boolean" use="optional" />

@UVWH

DeleteFileW

CoInitializeEx

L$hH9

GetPrivateProfileStringW

PrivilegeCheck

.?AVout_of_range@std@@

de-LU

HeapAlloc

Market

destination address required

es-PY

LocalGroupPolicySettings

SVWAVAWH

__iob_func

ps-AF

.data$brc

file exists

.//Deployment

ibb-NG

f9,zu

H3E H3E

InternalName

en-AU

km-KH

malloc

hr-BA

.?AV?$CRefObjectFor@UICmdOptionsLookup@CommonUtil@@@CommonUtil@@

hi-IN

REG_DWORD

|$XfD

</xs:complexType>

api-ms-win-core-profile-l1-1-0.dll

%MARKET%

|$|.u

.rsrc$02

</xs:complexType>

_unlock

iostream

wrong protocol type

fr-RE

en-US

EnableTrace

ku-Arab

FindNextFileW

OLEAUT32.dll

kernel32.dll

CoSetProxyBlanket

command line argument

.text$di

FindClose

ti-ET

REG_EXPAND_SZ

.?AV?$_Tree_buy@U?$pair@$$CBV?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@K@std@@V?$allocator@U?$pair@$$CBV?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@K@std@@@2@@std@@

FreeResource

f9D$X

ii-CN

VWATAVAWH

GetTempPathW

.?AV?$vector@V?$AutoRefWrapper@V?$CRefClass@V?$map@V?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@V12@U?$less@V?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@@std@@V?$allocator@U?$pair@$$CBV?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@V12@@std@@@4@@std@@@CommonUtil@@@CommonUtil@@V?$allocator@V?$AutoRefWrapper@V?$CRefClass@V?$map@V?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@V12@U?$less@V?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@@std@@V?$allocator@U?$pair@$$CBV?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@V12@@std@@@4@@std@@@CommonUtil@@@CommonUtil@@@std@@@std@@

ca-ES-valencia

bad message

UnregisterClassA

haw-US

"Microsoft Time Source Master Clock0

GetCurrentProcessId

ro-MD

RegCreateKeyExW

I0G1-0+

.?AVCBrandedValues@SecurityClient@Microsoft@@

es-PE

argument list too long

L$0H!\$0

host unreachable

CD$`L

/A8vQH

D$ H=#

pl-PL

vi-VN

pA_A^_^[

network_reset

0A^_^][

fE9<Au

iostream stream error

Intended

ar-QA

GetSystemMetrics

fE9$Iu

lo-LA

fD9mwu

bad file descriptor

H;]Pu

no such device or address

.?AVCMpUtilsLibrary@CommonUtil@@

el-gr

DestroyEnvironmentBlock

@USWH

@USVWH

PostThreadMessageW

ms-BN

microsoft antimalware

fr-CM

H9l$Ht

.CRT$XIZ

fA9L}

address_in_use

.?AVinvalid_argument@std@@

9|$0~

191123202712Z0

.//BrandedColor[@name and @r and @g and @b]

EncodePointer

!This program cannot be run in DOS mode.

.?AV?$CRefObjectFor@UIBrandedResources@MpCommonEx@@@CommonUtil@@

@A^_^

n,mX=af

already connected

Microsoft America Operations1&0$

A_A^A]A\_^[

.?AV?$map@V?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@KU?$less@V?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@@std@@V?$allocator@U?$pair@$$CBV?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@K@std@@@4@@std@@

GetLocaleInfoW

Redmond1

>http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0

hr=0x%08X

USER32.dll

<xs:attribute name="CreationTime" type="xs:dateTime" use="optional" />

<xs:attribute name="LastModificationTime" type="xs:dateTime" use="optional" />

H9t$hvGH

OpenServiceW

api-ms-win-core-synch-l1-1-0.dll

.?AUIXMLBrandedStrings@SecurityClient@Microsoft@@

</xs:sequence>

%04u-%02u-%02uT%02u:%02u:%02u.%03uZ

/%ws/%ws

H99tGH

file too large

r~akow

not a socket

HeapSetInformation

f9H\u

EnterCriticalSection

.CRT$XCU

es-NI

</xs:sequence>

\$ E3

ConvertStringSecurityDescriptorToSecurityDescriptorW

_errno

bn-BD

L$`H;

sr-Latn

LoadImageW

.?AVCLockedCertCheckImpl@MorroCommon@@

CryptCATAdminReleaseCatalogContext

oK0D$"<

<xs:attribute name="Disabled" type="xs:boolean" use="optional" />

</requestedPrivileges>

GetCurrentProcess

cs-CZ

fD96u"3

so-SO

fa-IR

K SWH

_vscwprintf

Command file %s not found!

not a stream

LocalFree

D$8E3

20180915212612Z0w0=

</assembly>

smj-SE

Changed

mn-Mong-CN

Translation

A_A^A]A\_^]

en-MY

rm-CH

mr-IN

se-NO

FindWindowW

LastSuccessfullyAppliedPolicy

operation_not_supported

it-IT

.?AV?$_Tree_alloc@$0A@U?$_Tree_base_types@U?$pair@$$CBV?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@K@std@@V?$allocator@U?$pair@$$CBV?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@K@std@@@2@@std@@@std@@

H9|$Xu$M

RegisterTraceGuidsW

address_not_available

wcsncmp

zh-SG

GetTempFileNameW

ProductVersion

Bad entry - %s

iu-CA-Latn

sv-FI

<xs:element minOccurs="1" maxOccurs="unbounded" name="SetProperty">

P7f;Q

fD9|~

</xs:element>

gu-IN

__CxxFrameHandler3

ShowWindow

.?AV?$CRefClass@V?$map@V?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@KU?$less@V?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@@std@@V?$allocator@U?$pair@$$CBV?$CStdBasicString@GU?$mp_char_traits@G@CommonUtil@@V?$allocator@G@std@@@CommonUtil@@K@std@@@4@@std@@@CommonUtil@@

connection_refused

_onexit

.CRT$XIAA

no_protocol_option

A_A^A\_^[]

Windows

function not supported

es-US

iu-Cans

D$0E3

quz-BO

invalid argument

=L9o<

no such device

.idata$2

hsb-DE

pa-Arab-PK

.?AVCMuiResourceDll@ResourceHelpers@MorroCommon@@

api-ms-win-core-debug-l1-1-0.dll

x AVH

.CRT$XCL

1/0-0

@SVAVH

fC94Ou

\$89t$

illegal byte sequence

pl-pl

9|$$w

sr-Cyrl-CS

InitiateSystemShutdownExW

.tls$

GetExitCodeThread

LookupPrivilegeValueW

.xdata

.gfids

zh-CHS

WTSQueryUserToken

190726204550Z0p1

??0exception@@QEAA@AEBV0@@Z

.//UninstallSequence/PackageRef[@id]

Operating System

N0L0J

vector<T> too long

MUI\0409

REG_SZ

PathCombineW

RtlGetVersion

<xs:element name="AddValue">

_cexit

<xs:attribute name="Name" type="xs:string" use="required" />

fr-CH

GetLocalTime

es-UY

@VWAWH

se-SE

es-CO

Microsoft Corporation1%0#

.?AVCFileUtils@MorroCommon@@

IgnoreKey

GetLastError

@USVWATAUAVAWH

_commode

ar-IQ

.?AVCRefObject@CommonUtil@@

_amsg_exit

fD9$Gu

es-VE

?terminate@@YAXXZ

AUAVAWH

PolicySection

bin-NG

GlobalFindAtomW

sr-Latn-BA

<xs:element name="SecurityPolicy" >

</xs:element>

zh-tw

es-MX

pt-br

</xs:simpleContent>

no_buffer_space

pA_A^A]A\_^]

bn-IN

sr-BA-Latn

A_A^A]A\]

<xs:sequence>

CopySid

.?AVCPathUtils@MorroCommon@@

`.rdata

ar-BH

l$ WH

RegCloseKey

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Security Client

D;}@|

.?AVCSimpleMapItem@CCmdOptionsLookupMap@CommonUtil@@

<xs:sequence>

de-LI

kl-GL

S:f;Q

PE Information

Image Base	Entry Point	Reported Checksum	Actual Checksum	Minimum OS Version	PDB Path	Compile Time	Import Hash
0x140000000	0x000258e0	0x0004fb85	0x0004fb85	10.0	ConfigSecurityPolicy.pdb	2065-05-05 01:05:58	c87fc829e4403cb94530225a7adc688a

Version Infos

CompanyName	Microsoft Corporation
FileDescription	Microsoft Security Client Policy Configuration Tool
FileVersion	4.18.17763.1 (WinBuild.160101.0800)
InternalName	ConfigSecurityPolicy.exe
LegalCopyright	Â© Microsoft Corporation. All rights reserved.
OriginalFilename	ConfigSecurityPolicy.exe
ProductName	MicrosoftÂ® WindowsÂ® Operating System
ProductVersion	4.18.17763.1
Translation	0x0409 0x04b0

Sections

Name	RAW Address	Virtual Address	Virtual Size	Size of Raw Data	Characteristics	Entropy
.text	0x00000400	0x00001000	0x00028c22	0x00028e00	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.23
.rdata	0x00029200	0x0002a000	0x00017612	0x00017800	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	4.21
.data	0x00040a00	0x00042000	0x00003ef0	0x00003400	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	4.73
.pdata	0x00043e00	0x00046000	0x00002778	0x00002800	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.44
.rsrc	0x00046600	0x00049000	0x00002390	0x00002400	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	4.51
.reloc	0x00048a00	0x0004c000	0x00000e40	0x00001000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ	5.22

Overlay

Offset	0x00049a00
Size	0x00002200

Name	Offset	Size	Language	Sub-language	Entropy	File type
XML	0x00049ad0	0x000018bc	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.92	None
RT_VERSION	0x000496d0	0x000003fc	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.49	None
RT_MANIFEST	0x000490f0	0x000005d9	LANG_ENGLISH	SUBLANG_ENGLISH_US	5.19	None

Imports

Name	Address
TraceMessage	0x14002e9b0
GetTraceLoggerHandle	0x14002e9b8
GetTraceEnableLevel	0x14002e9c0
GetTraceEnableFlags	0x14002e9c8
RegisterTraceGuidsW	0x14002e9d0
UnregisterTraceGuids	0x14002e9d8
EnableTrace	0x14002e9e0
ControlTraceW	0x14002e9e8
CopySid	0x14002e9f0
GetLengthSid	0x14002e9f8
RegCreateKeyExW	0x14002ea00
RegSetValueExW	0x14002ea08
RegDeleteKeyW	0x14002ea10
RegDeleteValueW	0x14002ea18
ConvertStringSecurityDescriptorToSecurityDescriptorW	0x14002ea20
RegOpenKeyExW	0x14002ea28
RegQueryValueExW	0x14002ea30
OpenProcessToken	0x14002ea38
GetTokenInformation	0x14002ea40
GetSidSubAuthorityCount	0x14002ea48
DuplicateTokenEx	0x14002ea50
GetSidSubAuthority	0x14002ea58
AllocateAndInitializeSid	0x14002ea60
CheckTokenMembership	0x14002ea68
OpenSCManagerW	0x14002ea70
OpenServiceW	0x14002ea78
ChangeServiceConfigW	0x14002ea80
ControlService	0x14002ea88
QueryServiceStatus	0x14002ea90
LookupPrivilegeValueW	0x14002ea98
PrivilegeCheck	0x14002eaa0
AdjustTokenPrivileges	0x14002eaa8
InitiateSystemShutdownExW	0x14002eab0
LookupPrivilegeNameW	0x14002eab8
RegCloseKey	0x14002eac0
FreeSid	0x14002eac8
CloseServiceHandle	0x14002ead0
CreateProcessAsUserW	0x14002ead8

Name	Address
WideCharToMultiByte	0x14002eaf8
InitializeCriticalSectionAndSpinCount	0x14002eb00
DeleteCriticalSection	0x14002eb08
SearchPathW	0x14002eb10
UnmapViewOfFile	0x14002eb18
MapViewOfFile	0x14002eb20
EncodePointer	0x14002eb28
DecodePointer	0x14002eb30
VirtualLock	0x14002eb38
CreateFileMappingW	0x14002eb40
SetErrorMode	0x14002eb48
FreeLibrary	0x14002eb50
FindClose	0x14002eb58
GetLastError	0x14002eb60
SetLastError	0x14002eb68
FindResourceW	0x14002eb70
GetProcAddress	0x14002eb78
GlobalFindAtomW	0x14002eb80
GetDriveTypeW	0x14002eb88
GetVersionExW	0x14002eb90
GetLocalTime	0x14002eb98
SystemTimeToFileTime	0x14002eba0
GetNativeSystemInfo	0x14002eba8
ProcessIdToSessionId	0x14002ebb0
GetUserDefaultUILanguage	0x14002ebb8
GetSystemDefaultUILanguage	0x14002ebc0
WritePrivateProfileStringW	0x14002ebc8
GetPrivateProfileIntW	0x14002ebd0
GetPrivateProfileStringW	0x14002ebd8
GetExitCodeThread	0x14002ebe0
CreateEventW	0x14002ebe8
ResetEvent	0x14002ebf0
SetEvent	0x14002ebf8
CreateThread	0x14002ec00
MoveFileW	0x14002ec08
GetLongPathNameW	0x14002ec10
GetFileSizeEx	0x14002ec18
GetFileSize	0x14002ec20
WriteFile	0x14002ec28
ReadFile	0x14002ec30
CreateFileW	0x14002ec38
VerifyVersionInfoW	0x14002ec40
K32GetModuleFileNameExW	0x14002ec48
HeapFree	0x14002ec50
GetProcessHeap	0x14002ec58
HeapAlloc	0x14002ec60
DeleteFileW	0x14002ec68
RemoveDirectoryW	0x14002ec70
FindNextFileW	0x14002ec78
FindFirstFileW	0x14002ec80
FreeResource	0x14002ec88
LockResource	0x14002ec90
LoadResource	0x14002ec98
Process32NextW	0x14002eca0
Process32FirstW	0x14002eca8
CreateToolhelp32Snapshot	0x14002ecb0
OpenProcess	0x14002ecb8
GetDiskFreeSpaceExW	0x14002ecc0
GetSystemDirectoryW	0x14002ecc8
GetWindowsDirectoryW	0x14002ecd0
GetExitCodeProcess	0x14002ecd8
LocalFree	0x14002ece0
IsWow64Process	0x14002ece8
CloseHandle	0x14002ecf0
ReleaseMutex	0x14002ecf8
WaitForSingleObject	0x14002ed00
CreateMutexW	0x14002ed08
CreateProcessW	0x14002ed10
GetLocaleInfoW	0x14002ed18
LoadLibraryExW	0x14002ed20
CopyFileW	0x14002ed28
GetModuleFileNameW	0x14002ed30
GetTempFileNameW	0x14002ed38
GetTempPathW	0x14002ed40
CreateDirectoryW	0x14002ed48
SwitchToThread	0x14002ed50
GetSystemDefaultLangID	0x14002ed58
SizeofResource	0x14002ed60
FindResourceExW	0x14002ed68
FormatMessageW	0x14002ed70
GetSystemTime	0x14002ed78
MultiByteToWideChar	0x14002ed80
FileTimeToSystemTime	0x14002ed88
EnterCriticalSection	0x14002ed90
LeaveCriticalSection	0x14002ed98
ExpandEnvironmentStringsW	0x14002eda0
GetFileAttributesW	0x14002eda8
HeapSetInformation	0x14002edb0

Name	Address
_purecall	0x14002f118
fgetws	0x14002f120
fclose	0x14002f128
wcsncmp	0x14002f130
_wcsnicmp	0x14002f138
memcpy_s	0x14002f140
memmove_s	0x14002f148
_wcsicmp	0x14002f150
realloc	0x14002f158
_wchmod	0x14002f160
__iob_func	0x14002f168
feof	0x14002f170
fwprintf	0x14002f178
__CxxFrameHandler3	0x14002f180
memset	0x14002f188
_wfopen	0x14002f190
_errno	0x14002f198
_vsnwprintf	0x14002f1a0
_vsnprintf	0x14002f1a8
wcsstr	0x14002f1b0
iswspace	0x14002f1b8
wcstoul	0x14002f1c0
??1type_info@@UEAA@XZ	0x14002f1c8
?terminate@@YAXXZ	0x14002f1d0
_onexit	0x14002f1d8
__dllonexit	0x14002f1e0
_unlock	0x14002f1e8
_lock	0x14002f1f0
_commode	0x14002f1f8
_fmode	0x14002f200
__C_specific_handler	0x14002f208
_initterm	0x14002f210
__setusermatherr	0x14002f218
_cexit	0x14002f220
_exit	0x14002f228
exit	0x14002f230
__set_app_type	0x14002f238
__wgetmainargs	0x14002f240
_amsg_exit	0x14002f248
_XcptFilter	0x14002f250
memmove	0x14002f258
memcpy	0x14002f260
_CxxThrowException	0x14002f268
??0exception@@QEAA@AEBQEBD@Z	0x14002f270
??0exception@@QEAA@XZ	0x14002f278
malloc	0x14002f280
free	0x14002f288
??0exception@@QEAA@AEBV0@@Z	0x14002f290
??0exception@@QEAA@AEBQEBDH@Z	0x14002f298
??1exception@@UEAA@XZ	0x14002f2a0
bsearch	0x14002f2a8
wcschr	0x14002f2b0
swscanf_s	0x14002f2b8
fprintf	0x14002f2c0
towlower	0x14002f2c8
wcsrchr	0x14002f2d0
iswalpha	0x14002f2d8
wcscpy_s	0x14002f2e0
vswprintf_s	0x14002f2e8
?what@exception@@UEBAPEBDXZ	0x14002f2f0
fflush	0x14002f2f8
_vscwprintf	0x14002f300
wcscmp	0x14002f308

Name	Address
CoSetProxyBlanket	0x14002f330
StringFromGUID2	0x14002f338
CoUninitialize	0x14002f340
CoCreateGuid	0x14002f348
CoCreateInstance	0x14002f350
CoInitializeEx	0x14002f358

Name	Address
SleepConditionVariableSRW	0x14002f0a8
WakeAllConditionVariable	0x14002f0b0
Sleep	0x14002f0b8

Name	Address
SetUnhandledExceptionFilter	0x14002efe0
RaiseException	0x14002efe8
UnhandledExceptionFilter	0x14002eff0

Name	Address
GetModuleHandleW	0x14002f020

Name	Address
QueryPerformanceCounter	0x14002f058

Name	Address
GetCurrentProcessId	0x14002f030
TerminateProcess	0x14002f038
GetCurrentProcess	0x14002f040
GetCurrentThreadId	0x14002f048

Name	Address
GetTickCount	0x14002f0c8
GetSystemTimeAsFileTime	0x14002f0d0

Name	Address
RtlLookupFunctionEntry	0x14002f068
RtlCaptureContext	0x14002f070
RtlVirtualUnwind	0x14002f078

Name	Address
DestroyEnvironmentBlock	0x14002ef40
CreateEnvironmentBlock	0x14002ef48

Name	Address
VariantClear	0x14002edc0
VarCmp	0x14002edc8
VariantChangeType	0x14002edd0
GetErrorInfo	0x14002edd8
VarBstrCat	0x14002ede0
SysStringLen	0x14002ede8
SysAllocStringLen	0x14002edf0
VariantInit	0x14002edf8
SysFreeString	0x14002ee00
SysAllocString	0x14002ee08
SysStringByteLen	0x14002ee10
SysAllocStringByteLen	0x14002ee18

Name	Address
FindWindowW	0x14002ee90
GetWindowThreadProcessId	0x14002ee98
MessageBoxW	0x14002eea0
SendMessageW	0x14002eea8
LoadStringW	0x14002eeb0
KillTimer	0x14002eeb8
IsDialogMessageW	0x14002eec0
PostThreadMessageW	0x14002eec8
AdjustWindowRectEx	0x14002eed0
ShowWindow	0x14002eed8
PostMessageW	0x14002eee0
DestroyIcon	0x14002eee8
LoadImageW	0x14002eef0
GetSystemMetrics	0x14002eef8
SetWindowTextW	0x14002ef00
SetTimer	0x14002ef08
LoadIconW	0x14002ef10
DestroyWindow	0x14002ef18
CreateDialogParamW	0x14002ef20
UnregisterClassA	0x14002ef28
SetForegroundWindow	0x14002ef30

Name	Address
WTSEnumerateSessionsW	0x14002efa8
WTSFreeMemory	0x14002efb0
WTSQueryUserToken	0x14002efb8
WTSQuerySessionInformationW	0x14002efc0

Name	Address
VerQueryValueW	0x14002f0e0

Name	Address
GetFileVersionInfoSizeW	0x14002f0f0
GetFileVersionInfoW	0x14002f0f8

Name	Address
SHDeleteKeyW	0x14002f108

Name	Address
HeapSize	0x14002f000
HeapDestroy	0x14002f008
HeapReAlloc	0x14002f010

Name	Address
ReleaseSRWLockExclusive	0x14002f088
AcquireSRWLockExclusive	0x14002f090
InitializeCriticalSection	0x14002f098

Name	Address
OutputDebugStringA	0x14002efd0

Name	Address
SHGetSpecialFolderLocation	0x14002ee28
SHGetFolderPathW	0x14002ee30
SHGetPathFromIDListW	0x14002ee38

Name	Address
PathFindFileNameW	0x14002ee48
PathIsRelativeW	0x14002ee50
PathRemoveFileSpecW	0x14002ee58
PathIsDirectoryW	0x14002ee60
PathFileExistsW	0x14002ee68
PathCombineW	0x14002ee70
PathMatchSpecW	0x14002ee78
PathAppendW	0x14002ee80

Name	Address
RtlNtStatusToDosError	0x14002f318
RtlGetVersion	0x14002f320

Name	Address
CertVerifyCertificateChainPolicy	0x14002eae8

Name	Address
CryptCATAdminEnumCatalogFromHash	0x14002ef58
CryptCATAdminCalcHashFromFileHandle	0x14002ef60
WTHelperGetProvSignerFromChain	0x14002ef68
WTHelperProvDataFromStateData	0x14002ef70
WinVerifyTrust	0x14002ef78
CryptCATCatalogInfoFromContext	0x14002ef80
CryptCATAdminReleaseCatalogContext	0x14002ef88
CryptCATAdminReleaseContext	0x14002ef90
CryptCATAdminAcquireContext	0x14002ef98

Reports: JSON

Statistics (11.23)

Usage

Processing ( 11.16 seconds )

10.293 ProcessMemory
0.846 CAPE
0.02 AnalysisInfo
0.005 BehaviorAnalysis
0.001 Debug

Signatures ( 0.06 seconds )

0.008 ransomware_files
0.005 antianalysis_detectfile
0.005 antiav_detectreg
0.005 ransomware_extensions
0.003 ursnif_behavior
0.002 antiav_detectfile
0.002 infostealer_bitcoin
0.002 infostealer_ftp
0.002 infostealer_im
0.002 poullight_files
0.002 territorial_disputes_sigs
0.001 bot_drive
0.001 adds_user
0.001 antianalysis_detectreg
0.001 antivm_vbox_files
0.001 antivm_vbox_keys
0.001 geodo_banking_trojan
0.001 browser_security
0.001 disables_backups
0.001 disables_browser_warn
0.001 disables_power_options
0.001 azorult_mutexes
0.001 cryptbot_files
0.001 echelon_files
0.001 infostealer_mail
0.001 masquerade_process_name
0.001 revil_mutexes
0.001 modirat_behavior
0.001 tampers_etw

Reporting ( 0.01 seconds )

0.006 CAPASummary
0.001 JsonDump

Signatures

The PE file contains a PDB path

pdbpath: ConfigSecurityPolicy.pdb

SetUnhandledExceptionFilter detected (possible anti-debug)

Possible date expiration check, exits too soon after checking local time

process: ConfigSecurityPolicy.exe, PID 4996

Binary file triggered YARA rule

Binary triggered YARA rule: shellcode_stack_strings

Yara detections observed in process dumps, payloads or dropped files

Hit: PID 4996 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 59 }']'

Hit: PID 4996 triggered the Yara rule 'shellcode_stack_strings' with data '['{ C7 45 E0 76 00 65 00 C7 45 E4 72 00 73 00 C7 45 E8 69 00 6F 00 C7 45 EC 6E 00 2E 00 C7 45 F0 64 00 6C 00 C7 45 F4 6C 00 00 00 }', '{ C7 45 E4 72 00 73 00 C7 45 E8 69 00 6F 00 C7 45 EC 6E 00 2E 00 C7 45 F0 64 00 6C 00 C7 45 F4 6C 00 00 00 }', '{ C7 45 E8 69 00 6F 00 C7 45 EC 6E 00 2E 00 C7 45 F0 64 00 6C 00 C7 45 F4 6C 00 00 00 }', '{ C7 45 EC 6E 00 2E 00 C7 45 F0 64 00 6C 00 C7 45 F4 6C 00 00 00 }']'

Anomalous binary characteristics

anomaly: Entrypoint of binary is located outside of any mapped sections

Binary compilation timestomping detected

anomaly: Compilation timestamp is in the future

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

C:\Windows\System32\version.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck

No results

Sorry! No behavior.

Sorry! No strace.

Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.

Sorry! No dropped files.

Sorry! No process dumps.