Analysis

Category FILE
Package exe
Started 2025-06-12 21:35:23
Completed 2025-06-12 22:06:22
Duration 1859 seconds
Options procmemdump=1, import_reconstruction=1, unpacker=2, norefer=1, no-iat=1

Analysis Log

2024-11-25 13:37:14,944 [root] INFO: Date set to: 20250611T19:41:57, timeout set to: 1800
2025-06-11 20:41:57,608 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8
2025-06-11 20:41:57,624 [root] DEBUG: Storing results at: C:\qDdlkFnGz
2025-06-11 20:41:57,624 [root] DEBUG: Pipe server name: \\.\PIPE\wXevDSJXBA
2025-06-11 20:41:57,624 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-11 20:41:57,639 [root] INFO: analysis running as an admin
2025-06-11 20:41:57,639 [root] INFO: analysis package specified: "exe"
2025-06-11 20:41:57,639 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-11 20:41:58,139 [root] DEBUG: imported analysis package "exe"
2025-06-11 20:41:58,139 [root] DEBUG: initializing analysis package "exe"...
2025-06-11 20:41:58,139 [lib.common.common] INFO: wrapping
2025-06-11 20:41:58,139 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-11 20:41:58,139 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\convertvhd.exe
2025-06-11 20:41:58,139 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-11 20:41:58,139 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-11 20:41:58,139 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-11 20:41:58,139 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-11 20:41:58,311 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-11 20:41:58,374 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-11 20:41:58,436 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-11 20:41:58,452 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-11 20:41:58,452 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-11 20:41:58,452 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-11 20:41:58,452 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-11 20:41:58,467 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-11 20:41:58,467 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-11 20:41:58,467 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-11 20:41:58,467 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-11 20:41:58,467 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-11 20:41:58,467 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-11 20:41:58,467 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-11 20:41:58,467 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-11 20:41:58,467 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-11 20:41:58,467 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-11 20:41:58,467 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-11 20:42:09,764 [modules.auxiliary.digisig] DEBUG: File has a valid signature
2025-06-11 20:42:09,764 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-11 20:42:09,764 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-11 20:42:09,764 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-11 20:42:09,764 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-11 20:42:09,764 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-11 20:42:09,764 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-11 20:42:09,764 [modules.auxiliary.disguise] INFO: Disguising GUID to 681fd063-b6e3-4307-92e0-097646af0c7f
2025-06-11 20:42:09,764 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-11 20:42:09,764 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-11 20:42:09,764 [root] DEBUG: attempting to configure 'Human' from data
2025-06-11 20:42:09,764 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-11 20:42:09,764 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-11 20:42:09,780 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-11 20:42:09,780 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-11 20:42:09,780 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-11 20:42:09,780 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-11 20:42:09,780 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-11 20:42:09,780 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-11 20:42:09,780 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-11 20:42:09,780 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-11 20:42:09,780 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-11 20:42:09,780 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-11 20:42:09,780 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-11 20:42:09,780 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-11 20:42:09,811 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini
2025-06-11 20:42:09,811 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-11 20:42:09,811 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-11 20:42:09,811 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-11 20:42:09,811 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-11 20:42:09,811 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-11 20:42:09,811 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-11 20:42:09,811 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\EeGlvdpK.dll, loader C:\tmp_gell1p8\bin\PoaYJsgW.exe
2025-06-11 20:42:09,905 [root] DEBUG: Loader: IAT patching disabled.
2025-06-11 20:42:09,905 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\EeGlvdpK.dll.
2025-06-11 20:42:09,952 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-11 20:42:09,952 [root] INFO: Disabling sleep skipping.
2025-06-11 20:42:09,952 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-11 20:42:09,952 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-11 20:42:09,952 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-11 20:42:09,968 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-11 20:42:09,968 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-11 20:42:09,968 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-11 20:42:09,983 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-11 20:42:09,983 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-11 20:42:09,983 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 188, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000
2025-06-11 20:42:09,983 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-11 20:42:10,015 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-11 20:42:10,015 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-11 20:42:10,015 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\EeGlvdpK.dll.
2025-06-11 20:42:10,015 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-11 20:4 <truncated>

Machine

Name win10-2
Label win10-2
Manager KVM
Started On 2025-06-12 21:35:23
Shutdown On 2025-06-12 22:06:03
Route none

File Details

File Name convertvhd.exe
File Type PE32+ executable (GUI) x86-64, for MS Windows
File Size 225592 bytes
MD5 8532453cd16b6a9dc0f0afc815f303a2
SHA1 c2a5499e485fa83b136e15093c2dd16180b2aa8f
SHA256 3dcd82b2b87f8b6deb6f88aa41692d4fbde2d887c3be177d62bdda8ab74eb917
SHA3-384 bf64bb32b756a851e838eeb9b5ef7d187f5381cfdcc42499c63912ff2ce1174ff747d24aff8259b22fffdda93d483c5b
CRC32 82D7C7F5
TLSH T15E244B6777A404AAE2BB813DC655CA0BE7B27485075093CF0264C3BE2F27BE5A93D354
Ssdeep 3072:PvqGqk2hWI4qASYzWdk1Zgv6IYt2/GJdxw8FxzB0gzncY6XE+O:PH4hWISnyWgiIVGJdxw8FxzBJ6XM

Strings

Unsupported operation: %u
PA_A^A]A\_^]
s WAVAWH
ClientAssertMask
Microsoft Corporation1.0,
l$ VWAVH
@.data
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization
WriteFileGather
fD9dN u
Thales TSS ESN:AB41-4B27-F0261%0#
D8o<t
.idata$6
Bt$pE
@8j(t
D$8H;
.idata$4
D$ht^L
D$`E3
CloseThreadpoolTimer
api-ms-win-core-heap-l1-1-0.dll
D8s{tK
ReleaseMutex
GetStartupInfoW
f)x{F
t(D8rxt"L
x ATAUAWH
.rdata$T$brc
L$ SUVWH
_initterm_e
_o___stdio_common_vswprintf
D8%I8
_o___stdio_common_vfwprintf
t^@8=
@A_A^_^]
D$HE3
_o__cexit
GetCurrentProcessorNumber
g2>m^
CreateSemaphoreExW
E8~}t5D
E8X(t
dataH
BTT: read_layout: external_nlba can't be 0
|hK,_
u*9Q<|%
fD9o@v
D$0;CD
E8q(t
RtlClearBits
BTT: read_flog_pair: invalid flog offset %lu
%hs is taking a long time - giving up on module: %ws
A;>t}
BTT: read_flog_pair: invalid lane %d among nfree %d
I9hPt
_o__initialize_onexit_table
BTT: read_layout: next arena offset > rawsize (%llu, %llu)
FileVersion
DH9Q(wFH
H9|$Pv7L
vhd2fileI9
fD9$Au
.CRT$XDZ
.?AVlength_error@std@@
__C_specific_handler
Microsoft Corporation1&0$
IpH9JPr
p AWH
1(0&0
I)C9Kf
KlD9o8u
180703204550Z
L$HE3
memmove
0A_A^A]A\_^]
std::exception: %hs
RtlPcToFileHeader
(caller: %p)
BTT_ARENA_INFO
TlP0X
Microsoft Corporation1-0+
metadataH
D8w(t
$Microsoft Ireland Operations Limited1&0$
RtlFindSetBits
vhdxfileI9
RPCRT4.dll
250701214655Z0|1
GetProcessMitigationPolicy
CreateEventW
UAVAWH
A_A^_
vhdxfileH
|$ AVH
.rtc$TAA
bad allocation
_o_exit
D8f(t
.text$mn$00
convertvhd.exe -sourceToken <file handle> -destinationToken <file handle> [-btt] [-toPMem]
t$ WH
E8Z(t
VWAVH
L$@H+
SetLastError
.rsrc$01
CallContext:[%hs]
DebugBreak
O0M0K
Unknown exception
TraceFlags
040904B0
Microsoft Corporation
BTT: nszero: offset + count (%lld) past end of data area (%zu)
D9Zpv:D
ub'vb'v
.CRT$XIC
api-ms-win-crt-runtime-l1-1-0.dll
fD9,Qu
memcmp
.?AVVmModuleBase@Vml@@
A_A^A\H
v`9_Dv&L
M H1E
dataI
E8Y(t
BTT: pmemblk_load_mapped_pool: maxarenasize too small (%llu)
D9j0u
D8k(t
H90u"H
t.I9@
CreateThreadpoolIo
A_A^A]
@USVWAVH
229879+4379540
Ehttp://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt0
TraceLevelsEnabled
L9apt
__std_terminate
_o___acrt_iob_func
AcquireSRWLockShared
internal\sdk\inc\wil\win32helpers.h
ntelD
HcA<H
BTT: nsmap: offset + count (%lld) past end of data area (%zu)
.?AVbad_alloc@std@@
A_A^A]A\_^]
@SUVWAVH
CreateMutexExW
.rtc$IZZ
L$XL+
Log apply failed
_o__invalid_parameter_noinfo
A_A^]
EventRegister
InitializeSListHead
D85As
zeroI
_initterm
.?AVlogic_error@std@@
_CxxThrowException
.idata$5
D$`I+
headE3
InitializeSRWLock
RtlAreBitsSet
Failed to consume BAT page during full BAT read.
_o__set_fmode
HeapAlloc
191123202654Z0
InitOnceComplete
descA
;dataD
ReadFile
.vhdpmem
.rtc$IAA
ConvertVhd.pdb
|$ AWH
BTT: read_flog_pair: flog layout error: bad seq numbers %d %d
L$ SVWH
.pdata
.?AVConvertVhdModule@@
t$(E3
@SVWH
Microsoft
VarFileInfo
H;xHr
Microsoft Corporation. All rights reserved.
Copyright (C) 2017 Microsoft Corporation. All rights reserved.
D$@OAUW
.data$brc
RtlInitializeBitMap
:descL
H9s u
H3E H3E
InternalName
fD9:t
JZJ{.
Fx;Ft
.text$yd
A^A\_
E8~(t
LeakWaitSeconds
.data$r$brc
StopLevel
AX;Q\r
IsProcessorFeaturePresent
api-ms-win-core-profile-l1-1-0.dll
api-ms-win-core-libraryloader-l1-2-0.dll
L$PH+L$0I
WATAVH
tQD8L$0t
_o__initialize_wide_environment
api-ms-win-core-localization-l1-2-0.dll
.rsrc$02
D$@A;
D85ur
CreateFileW
onecore\vm\common\vml\vmmodules.h
)D9m8
L$XE3
SleepConditionVariableSRW
BTT: nsread: offset + count (%lld) past end of data area (%zu)
_o__configthreadlocale
T$PL+
Local\SM0:%d:%d:%hs
D9QP~)H
regiA
@.rsrc
RegGetValueW
0A^_^
D8|$ht
VHD Conversion Tool [Version 1.00]
AcquireSRWLockExclusive
D$pD#
&H;AHw
.text$di
api-ms-win-crt-private-l1-1-0.dll
Legal_Policy_Statement
FormatMessageW
IhH9JPr
D85Vq
`A_A^A]A\_^]
l$ E3
onecore\vm\dv\storage\vhd\btt\tools\convertvhdbtt.cpp
%hs!%p:
L$@fD
t*f;5
K SVWH
VWATAVAWH
BTT: nsis_memory_range_good: offset + count (%lld) past end of data area (%zu)
RtlFindLastBackwardRunClear
LegalCopyright
_o___p__commode
SetFileInformationByHandle
0A_A^A\_^
HcyPH
A_A^A]A\_
.rtc$TZZ
10.0.17763.1 (WinBuild.160101.0800)
GetCurrentProcessId
UVWAVAW
p WAVAWH
_o__wcsicmp
I0G1-0+
L9bHtlH
DeleteCriticalSection
u1D9_<
api-ms-win-shcore-obsolete-l1-1-0.dll
CreateThreadpoolWork
t$(D;
RtlCaptureContext
D8MXH
.tls$ZZZ
M0K0I
api-ms-win-core-file-l1-1-0.dll
RtlSetBits
H;H A
CloseThreadpoolWork
x ATAVAWH
D8Z(t
0A^_^][
H;|$Pr
could not enable log
t{HcL$ HcD$$H
WaitForSingleObjectEx
.CRT$XLA
_o___std_exception_copy
@A_A^A]A\_^]
Misaligned request: Offset = %I64u, Length = %I64u
Failed to apply cache node.
L$0H3
>headuBL
.BTT VHDX Conversion Tool
Microsoft Time-Stamp PCA 20100
0A^_]
api-ms-win-crt-string-l1-1-0.dll
_o__configure_wide_argv
u#D8myt
.rdata$zzzdbg
t9@8}(t3H
.rdata$r
f9,Ku
BTT: btt_init: rawsize smaller than BTT_MIN_SIZE %u
D8r`t
A8H(t
E8^(t
StartThreadpoolIo
WAVAWH
fD9l$d
I9<$uVH
` UAVAWH
GetActiveProcessorCount
Log write failure
.CRT$XIA
.rdata
RSDSy
api-ms-win-core-errorhandling-l1-1-0.dll
9^|vF
111019184142Z
headL
api-ms-win-core-rtlsupport-l1-1-0.dll
wEH9J
hA_A^A]A\_^][
A_A^_
20180915013010.24Z0
DebugBreakEnabled
.CRT$XIZ
Microsoft Corporation1200
,wU5T5uDtC+G9jGPYgb57pkkDk/uKh8eMF4mzKKbbhso=0Z
:zerou#L
destination
WriteFile
x UAVAWH
onecore\vm\dv\storage\vhd\btt\tools\convertvhdmodule.cpp
Washington1
%Microsoft Windows Production PCA 20110
_o__invalid_parameter_noinfo_noreturn
BTT: read_layout: nfree can't be 0
XA_A^A]A\_^][
XT=oH
FileDescription
!This program cannot be run in DOS mode.
t H9S$u
%Microsoft Windows Production PCA 2011
20180915065459Z
Msg:[%ws]
A_A^A\
A8~(t
WaitForSingleObject
@A^_^
K32GetModuleInformation
RtlWriteNonVolatileMemory
D$0H;
Failed read operation
api-ms-win-eventing-provider-l1-1-0.dll
L$ UVWATAUAVAWH
A_A^_H
api-ms-win-core-threadpool-l1-2-0.dll
api-ms-win-core-heap-l2-1-0.dll
Trace%i
E8h(t
\$ VWAVH
Microsoft Corporation1
x AUAVAWH
api-ms-win-core-processthreads-l1-1-0.dll
Only fixed VHDXs are supported.
File Flush failure.
USAGE:
Redmond1
>http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0
@USVWATAVAWH
GetModuleFileNameA
|$8L;d$0u
ED$`H
8L$1t#H
|$8L9i8r
ntdll.dll
_o__set_app_type
0A_A^A\
_register_thread_local_exe_atexit_callback
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\VML
api-ms-win-core-sysinfo-l1-1-0.dll
10.0.17763.1
H9S,t
=loge
WakeAllConditionVariable
t"D8=
InitializeCriticalSection
A_A^A\_^
Microsoft Time-Stamp PCA 2010
BAT failure on page in
api-ms-win-core-synch-l1-1-0.dll
memcpy
.idata$3
D$ fD
_o_terminate
H SVWH
L9{@u
OpenSemaphoreW
261019185142Z0
Ehttp://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z
L9I8r
regiI
D$8A;
ReleaseSRWLockExclusive
\$0H95?
api-ms-win-core-psapi-l1-1-0.dll
Microsoft Time-Stamp service
L9N u
r~akow
@8o(t
HeapSetInformation
RtlLookupFunctionEntry
toPMem
Reading %d arenas on lane %d
Source differencing disks are not supported.
Detected a leaked instance - this leak should be fixed ASAP - terminating process rather than waiting forever or risking crash during module cleanup due to invalid state.
.CRT$XCU
logeH
H+\$0I
internal\sdk\inc\wil\resource.h
RtlDllShutdownInProgress
EPI9@Pu'I
\$ E3
tQf;5ef
>headu?L
fD9<Hu
api-ms-win-core-processtopology-obsolete-l1-1-0.dll
[%hs(%hs)]
.?AV?$VmExeModule@VConvertVhdModule@@@Vml@@
fA9,Qu
QueryPerformanceCounter
_o__get_wide_winmain_command_line
string too long
"Microsoft Window
t{H9y
BTT: nis_memory_range_good: offset + count (%lld) is in a bad memory region
ReadFileScatter
\$ UVWATAUAVAWH
StringFileInfo
L$(E3
0A_A^A]A\_^]H
oK0D$"<
H UATAUAVAWH
%hs(%d) tid(%x) %08X %ws
t$ WAVAWH
0A_A^A]A\_
D9_<u
(u0U0
GetCurrentProcess
api-ms-win-core-handle-l1-1-0.dll
Write
UVWAVAWH
(_^][
Microsoft Windows %u.%u.%u.%u
H9GPtT
UATAUAVAWH
HeapFree
D8~(t
zerouHD;
1http://www.microsoft.com/PKI/docs/CPS/default.htm0@
E8`(t
GetTickCount
Unsupported range type: %u
A_A^A\_]
Microsoft Time-Stamp service0
L$@E3
.text$mn
100701213655Z
api-ms-win-core-errorhandling-l1-1-2.dll
LocalFree
D9oPt
@8}(t
ConvertVhd.exe
D9_<uU
L9o@t
.?AVResultException@wil@@
TerminateProcess
\$ UVWAVAW
E8f(t
t$XI+
\$8f9>t;H
f9,Au
t*9uDv
BTT: pmemblk_load_mapped_pool: maxarenasize too large (%llu)
Translation
InitializeConditionVariable
A_A^A]A\_^]
BTT: nswrite: offset + count (%lld) past end of data area (%zu)
.?AVbad_array_new_length@std@@
_o__seh_filter_exe
(t$PH
T$`H+
D9q\v
SUVWATAUAVAWH
(A_A^A]A\_^][
@8w(u
D8s(t
source
A_A^A]
UWAVH
BaseSubIoHandler -- Op Type: %s, Range Type: %lu, Offset: %lu, Length: %lu, Data Offset: %lu
WilError_02
F(iRE
fE9$Pu
fD9dE
RtlCaptureStackBackTrace
sXPK|
Vml::VmSharableObject::WaitUntilAllocatedObjectCountIsZero
SetProcessMitigationPolicy
.?AV?$VmModule@VConvertVhdModule@@@Vml@@
20180916065459Z0w0=
_o__callnewh
Microsoft Windows0
_o___stdio_common_vswprintf_s
Downgrade failed.
L$hD;
EventSetInformation
Ehttp://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl0Z
T$@E3
.CRT$XPZ
.CRT$XIAC
Chttp://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl0a
api-ms-win-core-io-l1-1-0.dll
ProductVersion
FlushFileBuffers
L$ SUVWATAUAVAWH
_c_exit
D$@E3
UWAUAVAWH
.text$x
R!s4Z
OutputDebugStringW
tpf;5wY
d$$fD
RtlClearAllBits
T$`A+
t$ t3A
__CxxFrameHandler3
@8|$ t
ReturnHr
_o__set_new_mode
.xdata$x
A^_^
.CRT$XIAA
GetModuleHandleW
RtlRandomEx
D8%7:
H9y s
D9IT}
A_A^A\_^[]
api-ms-win-core-registry-l1-1-0.dll
L$ E3
Windows
H;Nxr<D
UuidCreate
IsDebuggerPresent
.CRT$XLZ
>http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
xX9y8u
_o__register_onexit_function
HA_A^A]A\_^][
.CRT$XTA
iSHp6
kernelbase.dll
E8n(t
D$0E3
fD9(t
GetOverlappedResult
F0H9J
H99u8H
RtlVirtualUnwind
.idata$2
SubmitThreadpoolWork
@8,1u
_o__crt_atexit
VHD Conversion Tool
api-ms-win-core-debug-l1-1-0.dll
x AVH
H9A8s
GetModuleFileNameW
0A_A^_
RtlSetAllBits
1/0-0
OriginalFilename
WATAUAVAWH
E8H(t
L9w@s
RaiseFailFastException
.CRT$XLC
Clean Cache Failed.
api-ms-win-core-processthreads-l1-1-1.dll
@8xwt
x3u.D
BTT: invalid_lba: lba out of range (nlba %ju)
logeA
fD9t]
api-ms-win-core-interlocked-l1-1-0.dll
$`2X`F
.tls$
(H;y r
A_A]A\H
A_A^A]A\_
.CRT$XCA
.CRT$XCAA
L$0fD
.xdata
RtlAreBitsClear
$Microsoft Ireland Operations Limited1
.gfids
E8P(t
:descA
ReleaseSRWLockShared
\$ UH
@8=f2
onecore\vm\common\vml\vmmoduleutils.h
.CRT$XTZ
BTT: invalid_arena_lba: arena lba out of range (nlba %ju)
D+~<D;
190726204550Z0p1
%hs(%d)\%hs!%p:
Operating System
H;~8v
A;l$ r
d$(H#
Region table update failed
L9{0t#H
.00cfg
N0L0J
vector<T> too long
T$8H!\$8
D8o?u
UnhandledExceptionFilter
GetModuleHandleExW
FailFast
u0L9t
UVWATAUAVAWH
EventUnregister
RtlGetVersion
sourceToken
D9Olv
BTT: write_layout: number of internal blocks: %lu expected at least %u
CloseHandle
L$8E3
U0S0Q
.?AVexception@std@@
http://www.microsoft.com/windows0
@.reloc
RtlNtStatusToDosErrorNoTeb
@SUVWATAUAVAWH
L$(8K H
bad array new length
_o_qsort
destinationToken
D85fs
Gt;Gp
{H;sDs
_o___std_exception_destroy
@8~vt
H9C s!H
D9j(u
z.9Wv
CompanyName
VS_VERSION_INFO
.CRT$XDA
t$ WATAUAVAWH
GetLastError
GetCurrentThreadId
@A_A^_
Failed write operation
api-ms-win-core-synch-l1-2-0.dll
D9K(t
GetSystemTimeAsFileTime
(H9A8s_D8
x UATAUAVAWH
BTT: read_layout: inconsistent lbasize. info.external_lbasize = %d; bttp->lbasize = %d
EventWrite
A_A^_^]
AuthD
LogHr
Source disk must use 4KB logical sector size.
9\$PtwH
t"D9d$h
.CRT$XCZ
RtlFlushNonVolatileMemory
Flush Failure.
\$8L;d$0u
p WATAUAVAWH
\$8H;t$0u+H;
H9Yhu
CancelThreadpoolIo
l$ f9-
F(A!}
AUAVAWH
D$8H!t$8H
fG9dA
180823202654Z
map/set<T> too long
CommandLineToArgvW
D$8L9i8riK
D9m8u
Exception
.CRT$XDU
_o__exit
GetProcessHeap
`A^_^[]
@;UDr
GetFileSizeEx
.CRT$XPA
L$pE3
SetUnhandledExceptionFilter
EventEnabled
Destination must be a .VHDPMEM file.
CloseThreadpoolIo
.data
TraceLevel
u0HcH<H
t$ UWATAVAWH
BTT: write_layout: Invalid lba size after alignment: %u
.?AVtype_info@@
9S|u6H
D$ E3
A_A^A]_]
.text
A_A^A]A\]
A8P(t
InitOnceBeginInitialize
_o___stdio_common_vsnwprintf_s
_o__errno
T$0H+
memset
_o___stdio_common_vsnprintf_s
convertvhd.exe -source <filepath> -destination <filepath> [-btt] [-toPMem]
`.rdata
[%hs]
onecore\vm\dv\storage\vhd\btt\tools\bttutil.cpp
\$`t+
_o_wcstoull
uSD8mytMH
)Microsoft Root Certificate Authority 20100
D$hH=
D$@H;
/H9A8s
.rdata$brc
RegOpenKeyExW
D$(M+
RegCloseKey
H9_Hs<
ReleaseSemaphore
)_% z
\$ UVWAVAWH
GetProcAddress
Failed to log cache node
Shutting down VHD quickly.
uWH!E
D8Y(t
ProductName
tj@8p

PE Information

Image Base 0x140000000
Entry Point 0x000206a0
Reported Checksum 0x000442ff
Actual Checksum 0x000442ff
Minimum OS Version 10.0
PDB Path ConvertVhd.pdb
Compile Time 2013-07-24 06:47:57
Import Hash 316e8da32c980b2d5631f2cb08b7cd56

Reported and actual checksums agree, consistent with an image that has not been modified since it was linked. The compile time should not be trusted: Microsoft builds of this era fill the PE TimeDateStamp with a reproducible-build hash rather than a real clock value, which is why it predates both the 2017 copyright and the 10.0.17763.1 file version from the 2018 Windows build.

Version Infos

CompanyName Microsoft Corporation
FileDescription VHD Conversion Tool
FileVersion 10.0.17763.1 (WinBuild.160101.0800)
InternalName ConvertVhd.exe
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename ConvertVhd.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.17763.1
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x000210c3 0x00021200 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.25
.rdata 0x00021600 0x00023000 0x0000939c 0x00009400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.94
.data 0x0002aa00 0x0002d000 0x0000975c 0x00008400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.14
.pdata 0x00032e00 0x00037000 0x000019a4 0x00001a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.23
.rsrc 0x00034800 0x00039000 0x00000408 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 2.43
.reloc 0x00034e00 0x0003a000 0x000000c8 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 2.50

Overlay

Offset 0x00035000
Size 0x00002138

Resources

Name Offset Size Language Sub-language Entropy File type
RT_VERSION 0x00039060 0x000003a4 LANG_ENGLISH SUBLANG_ENGLISH_US 3.44 None
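
The section table, the Overlay entry and the "Entrypoint of binary is located outside of any mapped sections" signature further down can be checked against each other. The Python below is an added example for this report, not CAPE's code and not part of convertvhd.exe. The values in SECTIONS, IMAGE_BASE, ENTRY_POINT_RVA and FILE_SIZE are copied from this report; SECTION_ALIGNMENT is assumed to be 0x1000 because the report does not print it; the class and function names are mine. The walking logic is the general algorithm and works unchanged on any PE section table.

```python
"""Locate a PE entry point in the section table and compute the overlay.

Added example for this CAPE report; not CAPE's code and not part of
convertvhd.exe. Section table, image base, entry point and file size are the
values printed in the report. SectionAlignment is not in the report, so the
usual x64 value 0x1000 is assumed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IMAGE_SCN_MEM_EXECUTE = 0x20000000


@dataclass(frozen=True)
class Section:
    name: str
    raw_ptr: int         # PointerToRawData  ("RAW Address" column)
    rva: int             # VirtualAddress
    vsize: int           # Misc.VirtualSize  ("Virtual Size" column)
    raw_size: int        # SizeOfRawData     ("Size of Raw Data" column)
    characteristics: int  # only the EXECUTE flag is carried over from the report


# Section table as printed in the report (constructed input for this example).
SECTIONS = [
    Section(".text",  0x00000400, 0x00001000, 0x000210c3, 0x00021200, IMAGE_SCN_MEM_EXECUTE),
    Section(".rdata", 0x00021600, 0x00023000, 0x0000939c, 0x00009400, 0),
    Section(".data",  0x0002aa00, 0x0002d000, 0x0000975c, 0x00008400, 0),
    Section(".pdata", 0x00032e00, 0x00037000, 0x000019a4, 0x00001a00, 0),
    Section(".rsrc",  0x00034800, 0x00039000, 0x00000408, 0x00000600, 0),
    Section(".reloc", 0x00034e00, 0x0003a000, 0x000000c8, 0x00000200, 0),
]
IMAGE_BASE = 0x140000000
ENTRY_POINT_RVA = 0x000206a0
FILE_SIZE = 225592
SECTION_ALIGNMENT = 0x1000   # assumed; the report does not list it


def align_up(value: int, alignment: int) -> int:
    return (value + alignment - 1) & ~(alignment - 1)


def section_for_rva(sections: List[Section], rva: int) -> Optional[Section]:
    """Return the section whose mapped range contains rva, or None.

    The loader maps VirtualSize rounded up to SectionAlignment, so that is the
    extent used here. Checking against SizeOfRawData instead would misplace
    addresses that fall in a section's zero-filled tail.
    """
    for s in sections:
        if s.rva <= rva < s.rva + align_up(s.vsize, SECTION_ALIGNMENT):
            return s
    return None


def rva_to_file_offset(sections: List[Section], rva: int) -> Optional[int]:
    """Translate an RVA to the file offset holding its bytes, or None when the
    RVA maps to memory that has no raw backing (zero-filled at load time)."""
    s = section_for_rva(sections, rva)
    if s is None or rva - s.rva >= s.raw_size:
        return None
    return s.raw_ptr + (rva - s.rva)


def check_entry_point(sections: List[Section], ep_rva: int) -> Tuple[Optional[str], bool]:
    """Return (section name, is_executable) for the entry point.

    (None, False) means the entry point lies outside every mapped section,
    which is the condition CAPE's 'Anomalous binary characteristics' flags.
    """
    s = section_for_rva(sections, ep_rva)
    if s is None:
        return None, False
    return s.name, bool(s.characteristics & IMAGE_SCN_MEM_EXECUTE)


def overlay(sections: List[Section], file_size: int) -> Optional[Tuple[int, int]]:
    """Return (offset, size) of data appended after the last section's raw
    data, or None if the file ends where the section data ends. For a signed
    PE this region normally holds the Authenticode certificate table."""
    end = max(s.raw_ptr + s.raw_size for s in sections)
    if file_size <= end:
        return None
    return end, file_size - end


if __name__ == "__main__":
    name, executable = check_entry_point(SECTIONS, ENTRY_POINT_RVA)
    print(f"entry point VA 0x{IMAGE_BASE + ENTRY_POINT_RVA:x} -> {name}, executable={executable}")
    print(f"entry point file offset: 0x{rva_to_file_offset(SECTIONS, ENTRY_POINT_RVA):x}")
    print(f"overlay (offset, size): {overlay(SECTIONS, FILE_SIZE)}")
```

Run on the report's values this places the entry point RVA 0x206a0 inside .text at file offset 0x1faa0 and reports an overlay of 0x2138 bytes at 0x35000, exactly the Overlay entry above; the on-disk headers therefore do not support the entry-point anomaly flag. To repeat the check on the real file, fill SECTIONS from pefile's pe.sections (Name, PointerToRawData, VirtualAddress, Misc_VirtualSize, SizeOfRawData, Characteristics) and FILE_SIZE from the file.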

Imports

Name Address
_initterm_e 0x140023778
_c_exit 0x140023780
_register_thread_local_exe_atexit_callback 0x140023788
_initterm 0x140023790
Name Address
memset 0x1400237a0
Name Address
_o__configthreadlocale 0x140023640
_o__configure_wide_argv 0x140023648
_o__crt_atexit 0x140023650
_o__errno 0x140023658
_o__exit 0x140023660
_o__get_wide_winmain_command_line 0x140023668
_o__initialize_onexit_table 0x140023670
_o__initialize_wide_environment 0x140023678
_o__invalid_parameter_noinfo 0x140023680
_o__invalid_parameter_noinfo_noreturn 0x140023688
_o__register_onexit_function 0x140023690
_o__seh_filter_exe 0x140023698
_o__set_app_type 0x1400236a0
_o__set_fmode 0x1400236a8
_o__set_new_mode 0x1400236b0
memmove 0x1400236b8
_o__wcsicmp 0x1400236c0
_o_exit 0x1400236c8
_o_qsort 0x1400236d0
_o_terminate 0x1400236d8
_o_wcstoull 0x1400236e0
_CxxThrowException 0x1400236e8
_o___stdio_common_vswprintf_s 0x1400236f0
_o___stdio_common_vswprintf 0x1400236f8
_o___stdio_common_vsnwprintf_s 0x140023700
_o___stdio_common_vsnprintf_s 0x140023708
_o___stdio_common_vfwprintf 0x140023710
_o___std_exception_destroy 0x140023718
_o___std_exception_copy 0x140023720
_o___p__commode 0x140023728
_o__cexit 0x140023730
_o__callnewh 0x140023738
_o___acrt_iob_func 0x140023740
__C_specific_handler 0x140023748
__std_terminate 0x140023750
__CxxFrameHandler3 0x140023758
memcmp 0x140023760
memcpy 0x140023768
Name Address
GetModuleFileNameW 0x140023418
GetModuleFileNameA 0x140023420
GetProcAddress 0x140023428
GetModuleHandleExW 0x140023430
GetModuleHandleW 0x140023438
Name Address
WaitForSingleObject 0x140023530
InitializeCriticalSection 0x140023538
AcquireSRWLockExclusive 0x140023540
CreateSemaphoreExW 0x140023548
ReleaseSemaphore 0x140023550
ReleaseSRWLockExclusive 0x140023558
ReleaseMutex 0x140023560
WaitForSingleObjectEx 0x140023568
OpenSemaphoreW 0x140023570
ReleaseSRWLockShared 0x140023578
DeleteCriticalSection 0x140023580
CreateMutexExW 0x140023588
CreateEventW 0x140023590
InitializeSRWLock 0x140023598
AcquireSRWLockShared 0x1400235a0
Name Address
HeapAlloc 0x1400233c0
HeapFree 0x1400233c8
HeapSetInformation 0x1400233d0
GetProcessHeap 0x1400233d8
Name Address
GetLastError 0x140023330
SetUnhandledExceptionFilter 0x140023338
SetLastError 0x140023340
UnhandledExceptionFilter 0x140023348
Name Address
InitializeConditionVariable 0x1400235b0
SleepConditionVariableSRW 0x1400235b8
InitOnceBeginInitialize 0x1400235c0
InitOnceComplete 0x1400235c8
WakeAllConditionVariable 0x1400235d0
Name Address
ReadFileScatter 0x140023368
WriteFileGather 0x140023370
FlushFileBuffers 0x140023378
CreateFileW 0x140023380
WriteFile 0x140023388
GetFileSizeEx 0x140023390
ReadFile 0x140023398
SetFileInformationByHandle 0x1400233a0
Name Address
TerminateProcess 0x140023458
GetCurrentProcessId 0x140023460
GetCurrentProcess 0x140023468
GetCurrentThreadId 0x140023470
GetStartupInfoW 0x140023478
Name Address
FormatMessageW 0x140023448
Name Address
IsDebuggerPresent 0x140023310
OutputDebugStringW 0x140023318
DebugBreak 0x140023320
Name Address
CloseHandle 0x1400233b0
Name Address
RtlVirtualUnwind 0x140023500
RtlLookupFunctionEntry 0x140023508
RtlCaptureContext 0x140023510
RtlPcToFileHeader 0x140023518
RtlCaptureStackBackTrace 0x140023520
Name Address
EventUnregister 0x1400237b0
EventEnabled 0x1400237b8
EventSetInformation 0x1400237c0
EventRegister 0x1400237c8
EventWrite 0x1400237d0
Name Address
RegCloseKey 0x1400234e0
RegGetValueW 0x1400234e8
RegOpenKeyExW 0x1400234f0
Name Address
CommandLineToArgvW 0x1400237e0
Name Address
RaiseFailFastException 0x140023358
Name Address
K32GetModuleInformation 0x1400234d0
Name Address
LocalFree 0x1400233e8
Name Address
GetTickCount 0x1400235e0
GetSystemTimeAsFileTime 0x1400235e8
Name Address
QueryPerformanceCounter 0x1400234c0
Name Address
InitializeSListHead 0x1400233f8
Name Address
RtlGetVersion 0x1400237f0
RtlInitializeBitMap 0x1400237f8
RtlWriteNonVolatileMemory 0x140023800
RtlFlushNonVolatileMemory 0x140023808
RtlFindSetBits 0x140023810
RtlAreBitsClear 0x140023818
RtlSetBits 0x140023820
RtlRandomEx 0x140023828
RtlClearBits 0x140023830
RtlFindLastBackwardRunClear 0x140023838
RtlAreBitsSet 0x140023840
RtlSetAllBits 0x140023848
RtlClearAllBits 0x140023850
Name Address
GetActiveProcessorCount 0x1400234b0
Name Address
CancelThreadpoolIo 0x1400235f8
CloseThreadpoolTimer 0x140023600
StartThreadpoolIo 0x140023608
CreateThreadpoolIo 0x140023610
CloseThreadpoolIo 0x140023618
SubmitThreadpoolWork 0x140023620
CloseThreadpoolWork 0x140023628
CreateThreadpoolWork 0x140023630
Name Address
GetOverlappedResult 0x140023408
Name Address
UuidCreate 0x140023300

Usage

Processing ( 11.44 seconds )

  • 10.849 ProcessMemory
  • 0.57 CAPE
  • 0.008 BehaviorAnalysis
  • 0.007 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.06 seconds )

  • 0.008 ransomware_files
  • 0.005 antianalysis_detectfile
  • 0.005 antiav_detectreg
  • 0.005 ransomware_extensions
  • 0.003 ursnif_behavior
  • 0.002 antiav_detectfile
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_ftp
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.002 territorial_disputes_sigs
  • 0.001 bot_drive
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 browser_security
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior
  • 0.001 lokibot_mutexes

Reporting ( 0.01 seconds )

  • 0.004 CAPASummary
  • 0.001 JsonDump

Signatures

The PE file contains a PDB path
pdbpath: ConvertVhd.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
(The MSVC runtime's startup and fail-fast code imports SetUnhandledExceptionFilter together with UnhandledExceptionFilter, and both appear in the import table above; the import alone is not evidence of anti-debugging.)
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 3552 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 59 }']'
(E8 00 00 00 00 59 decodes to call $+5 ; pop ecx, the classic get-PC idiom of position-independent code. The rule fired on the memory of PID 3552, and the same byte sequence occurs in legitimate code and packer stubs, so it is a lead to disassemble, not a verdict.)
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections
(This does not agree with the section table in this report: the entry point RVA 0x000206a0 falls inside .text, which starts at RVA 0x00001000 with a virtual size of 0x000210c3. Re-check the flag against the parsed headers before relying on it.)
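
The shellcode_get_eip hit is a six-byte pattern, and it is worth reproducing the match outside the sandbox to see what it does and does not catch. The Python below is an added example for this report, not CAPE's YARA rule and not code from convertvhd.exe. The scan buffer SAMPLE is constructed here, and GET_PC_RE, POP_REG, find_get_pc and scan_sample are my names. The report's rule quotes only the pop ecx form (59); this scanner also accepts the other pop r32 opcodes 58..5F, a widening I added rather than the rule's own behaviour. The same bytes decode identically in 64-bit mode (pop rcx and so on), so a PE32+ image like this one is not excluded by the pattern.

```python
"""Find the 'call $+5 ; pop reg' get-PC idiom behind a shellcode_get_eip hit.

Added example for this CAPE report; not CAPE's YARA rule and not code from
convertvhd.exe. SAMPLE is a constructed buffer. The report's rule matches only
pop ecx (59); accepting all of 58..5F is a widening chosen for this example.
"""
import re
from typing import Dict, List

# call rel32 with a zero displacement pushes the return address (the very next
# instruction) and falls through to it; the following pop lands that address
# in a register, giving the code its own location without relocations.
GET_PC_RE = re.compile(rb"\xE8\x00\x00\x00\x00([\x58-\x5F])")

POP_REG = {0x58: "eax", 0x59: "ecx", 0x5A: "edx", 0x5B: "ebx",
           0x5C: "esp", 0x5D: "ebp", 0x5E: "esi", 0x5F: "edi"}


def find_get_pc(buf: bytes, base: int = 0) -> List[Dict[str, object]]:
    """Return every get-PC idiom in buf.

    base is the virtual address of buf[0], so addresses and the value the
    idiom leaves in the register are reported as they would appear in memory.
    """
    hits = []
    for m in GET_PC_RE.finditer(buf):
        pop_opcode = m.group(1)[0]
        addr = base + m.start()
        hits.append({
            "address": addr,
            "reg": POP_REG[pop_opcode],
            # the pushed return address is the pop itself, 5 bytes after the call
            "pc_value": addr + 5,
            "disasm": f"call $+5 ; pop {POP_REG[pop_opcode]}",
        })
    return hits


# Constructed sample: two real idioms surrounded by look-alikes that must not
# match (a call with a non-zero displacement, and a zero-displacement call
# that is not followed by a pop).
SAMPLE = (
    b"\x90" * 16                    # 0x00: padding
    + b"\xE8\x00\x00\x00\x00\x59"   # 0x10: call $+5 ; pop ecx  (the report's pattern)
    + b"\xE8\x10\x00\x00\x00\x59"   # 0x16: call +0x10 ; pop ecx (ordinary call)
    + b"\xE8\x00\x00\x00\x00\x90"   # 0x1c: call $+5 ; nop      (no pop)
    + b"\x90" * 6                   # 0x22: padding
    + b"\xE8\x00\x00\x00\x00\x5E"   # 0x28: call $+5 ; pop esi
    + b"\xC3"                       # 0x2e: ret
)


def scan_sample(base: int = 0x10000) -> List[Dict[str, object]]:
    """Scan the constructed buffer as if it were mapped at base."""
    return find_get_pc(SAMPLE, base)


if __name__ == "__main__":
    for h in scan_sample():
        print(f"0x{h['address']:x}: {h['disasm']}  -> {h['reg']} = 0x{h['pc_value']:x}")
```

Treat a hit as a pointer to disassemble rather than a detection: confirm the address sits in executable memory and that the register is actually used for addressing afterwards, since any zero-displacement call followed by a pop produces these bytes.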

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

Files
C:\Windows\System32\en-US\KERNELBASE.dll.mui

Registry keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\VML
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\ClientAssertMask
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StateSeparation\RedirectionMap\Keys
HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\OverlayPackages\en-US
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
(The Virtualization, Virtualization\VML and ClientAssertMask paths are the registry strings embedded in the binary itself, see the Strings section.)

Registry keys read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\ClientAssertMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck

Mutexes
Local\SM0:3552:120:WilError_02
(The name matches the format string Local\SM0:%d:%d:%hs in the binary's own strings, with the process ID 3552 in the first field; WilError_02 comes from the Windows Implementation Library (WIL) code built into the tool, as do the wil\resource.h and ResultException@wil strings.)

Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No TCP connections recorded.

No UDP connections recorded.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.