Analysis Report · CAPE Sandbox

Analysis

Category	Package	Started	Completed	Duration	Options	Log(s)
FILE	exe	2025-06-13 21:39:24	2025-06-13 22:10:20	1856 seconds	Show Options	Show Analysis Log

procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1

2024-11-25 13:37:15,022 [root] INFO: Date set to: 20250613T10:43:42, timeout set to: 1800
2025-06-13 11:43:42,467 [root] DEBUG: Starting analyzer from: C:\tmpjeo7jmad
2025-06-13 11:43:42,467 [root] DEBUG: Storing results at: C:\iDarMfdE
2025-06-13 11:43:42,467 [root] DEBUG: Pipe server name: \\.\PIPE\IMPWOAOm
2025-06-13 11:43:42,467 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-13 11:43:42,467 [root] INFO: analysis running as an admin
2025-06-13 11:43:42,467 [root] INFO: analysis package specified: "exe"
2025-06-13 11:43:42,467 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-13 11:43:43,061 [root] DEBUG: imported analysis package "exe"
2025-06-13 11:43:43,061 [root] DEBUG: initializing analysis package "exe"...
2025-06-13 11:43:43,061 [lib.common.common] INFO: wrapping
2025-06-13 11:43:43,061 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-13 11:43:43,061 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\ProximityUxHost.exe
2025-06-13 11:43:43,061 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-13 11:43:43,061 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-13 11:43:43,061 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-13 11:43:43,061 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-13 11:43:43,264 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-13 11:43:43,279 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-13 11:43:43,311 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-13 11:43:43,358 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-13 11:43:43,389 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-13 11:43:43,389 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-13 11:43:43,389 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-13 11:43:43,405 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-13 11:43:43,405 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-13 11:43:43,405 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-13 11:43:43,405 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-13 11:43:43,405 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-13 11:43:43,405 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-13 11:43:43,405 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-13 11:43:43,405 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-13 11:43:43,405 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-13 11:43:43,405 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-13 11:43:43,405 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-13 11:43:54,701 [modules.auxiliary.digisig] DEBUG: File has a valid signature
2025-06-13 11:43:54,701 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-13 11:43:54,701 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-13 11:43:54,701 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-13 11:43:54,701 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-13 11:43:54,701 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-13 11:43:54,701 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-13 11:43:54,717 [modules.auxiliary.disguise] INFO: Disguising GUID to 88063f41-cb09-49fe-8433-82e8a31757b9
2025-06-13 11:43:54,717 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-13 11:43:54,717 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-13 11:43:54,717 [root] DEBUG: attempting to configure 'Human' from data
2025-06-13 11:43:54,717 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-13 11:43:54,717 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-13 11:43:54,717 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-13 11:43:54,717 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-13 11:43:54,717 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-13 11:43:54,717 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-13 11:43:54,717 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-13 11:43:54,717 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-13 11:43:54,717 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-13 11:43:54,717 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-13 11:43:54,717 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-13 11:43:54,717 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-13 11:43:54,717 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-13 11:43:54,733 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-13 11:43:54,748 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmpjeo7jmad\dll\696.ini
2025-06-13 11:43:54,748 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-13 11:43:54,748 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-13 11:43:54,748 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-13 11:43:54,748 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-13 11:43:54,748 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-13 11:43:54,748 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-13 11:43:54,764 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmpjeo7jmad\dll\NmhMelLB.dll, loader C:\tmpjeo7jmad\bin\TfDuBatI.exe
2025-06-13 11:43:54,826 [root] DEBUG: Loader: IAT patching disabled.
2025-06-13 11:43:54,826 [root] DEBUG: Loader: Injecting process 696 with C:\tmpjeo7jmad\dll\NmhMelLB.dll.
2025-06-13 11:43:54,889 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-13 11:43:54,889 [root] INFO: Disabling sleep skipping.
2025-06-13 11:43:54,889 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-13 11:43:54,889 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-13 11:43:54,889 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-13 11:43:54,889 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-13 11:43:54,889 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-13 11:43:54,889 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-13 11:43:54,904 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-13 11:43:54,904 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-13 11:43:54,904 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 4724, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000
2025-06-13 11:43:54,920 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-13 11:43:54,936 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-13 11:43:54,936 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-13 11:43:54,936 [root] DEBUG: Successfully injected DLL C:\tmpjeo7jmad\dll\NmhMelLB.dll.
2025-06-13 11:43:54,936 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-13 1 <truncated>

Machine

Name	Label	Manager	Started On	Shutdown On	Route
win10-2	win10-2	KVM	2025-06-13 21:39:24	2025-06-13 22:10:01	none

File Details

File Name	ProximityUxHost.exe
File Type	PE32+ executable (GUI) x86-64, for MS Windows
File Size	259464 bytes
MD5	fde43ec060cf634837df8732fe86d0f0
SHA1	96a97887495d359f3760fa45ded5566b992cc117
SHA256	05910cdb1c0892af91d31e7db38a09f0dedda1cad76989726f0f4c1915c7040c [VT] [MWDB] [Bazaar]
SHA3-384	22d5bf97b09c26a8ccd558c720a04c8b9e6a9ca6a0a321239d86db0d4352486701ad5f2136b874195e29164373afdea9
CRC32	5CFC2F1D
TLSH	T135444D1AA28C08D5F9A6D278C9C7924AFB72B40C273191CB2168C54D7F6B7F1BE39714
Ssdeep	6144:IR2TBxDkAYh3Do1XCvQipaFzOh86yeY83H0E+9V7GkJYe:IR2TBxYAYNqaQipaFzOh8terxGBGI
PE	File Strings BinGraph Vba2Graph

VirusTotal (0/77)

Full Results

Engine	Result	Engine	Result	Engine	Result

D$xL!d$PL

L!uPH

Windows.UI.Notifications.ToastNotification

PA_A^A]A\_^]

LockResource

s WAVAWH

0A_A\_

Microsoft Corporation1.0,

l$ VWAVH

@.data

IUnknown_GetWindow

.idata$6

RoRegisterActivationFactories

hA_A^A]A\_^[]

.idata$4

WindowsCreateStringReference

PowerClearRequest

D$`E3

PropVariantToStringAlloc

api-ms-win-core-heap-l1-1-0.dll

fA9<Bu

fE9$Au

GetStartupInfoW

fE94Au

ReleaseMutex

%s\%s%s

application/vnd.ms-windows.devicepairing

.rdata$T$brc

T$h!D$hL

ActivityIntermediateStop

L$ SUVWH

Microsoft Time-Stamp Service

application/vnd.bluetooth.ep.oob

__dllonexit

pairNamespace

t^@8=

@A_A^_^]

D$HE3

|$ AUAVAWH

T$8!D$8H

H9H@u

k(H!s0H!s8H!s@H

CreateSemaphoreExW

application/vnd.ms-windows.wfd.oob

|hK,_

d$0fD

H;F(u

xYD8e0tSH

u*9Q<|%

PathRemoveBackslashW

R$fA;Z*

api-ms-win-core-com-l1-1-0.dll

DafCloseChallengeContext

?SetValue@Element@DirectUI@@QEAAJP6APEBUPropertyInfo@2@XZHPEAVValue@2@@Z

wcsrchr

9\$hv;

PA^_^

x(A;6

T$H!D$HH

A_A^A\_^][

?GetRoot@Element@DirectUI@@QEAAPEAV12@XZ

FileVersion

L$xE3

file/none

HcD$ H

1,0*0

ProximityServicePAL.dll

ProximityConnection

D$PE3

L$hH3

DafStartReadCeremonyData

6|q:A

SetCursor

RegSetValueExW

__C_specific_handler

Microsoft Corporation1&0$

@USVWAVAWH

f9<Au

p AWH

TlsAlloc

1(0&0

TraceMessage

180703204550Z

Windows.Data.Xml.Dom.XmlDocument

Tap and send graceful socket shutdown

L$HE3

0A^A]_^]

SystemToastActivatedWindow

0A_A^A]A\_^]

H;N(u@H

(caller: %p)

t$ E3

</security>

DevCreateObjectQuery

U(a:@

TlP0X

Pairing:UPnP

NearFieldProximity_Global_Share_Content_AppId

wilResult

|$@E3

MSFT-DUMMY-ARG

fG9dM

_callnewh

RoInitialize

250701214655Z0|1

Windows.Storage.Streams.DataReader

%s\%s

duration

A_A\_

__set_app_type

CreateEventW

l1X,N

api-ms-win-core-com-l1-1-1.dll

fA9Z*v$A

A_A^_

|$ AVH

memcpy_s

fE9$hu

RemoveDirectoryW

DeleteTimerQueueTimer

t*9~4|BH

</dependentAssembly>

.text$mn$00

api-ms-win-core-string-l1-1-0.dll

t$ WH

VWAVH

</windowsSettings>

SetLastError

tKH!|$0L

CoEnableCallCancellation

.rsrc$01

9EHsG

CallContext:[%hs]

CompareStringOrdinal

DebugBreak

@Qm6t

SHTaskPoolGetUniqueContext

O0M0K

DevCreateObjectQueryFromId

040904B0

T$p!D$pH

DafCreateChallengeContext

T$`!D$`H

Microsoft Corporation

Uo!EoL

A_A^A]A\_^[]

fD9,Qu

D9w tJH

tPair

api-ms-win-devices-query-l1-1-1.dll

D$pE3

D!t$$H

memcmp

.rdata$zETW2

type="win32"

xA_A^A]A\_^[]

_XcptFilter

229879+4379540

Windows.UI.Notifications.ToastNotificationManager

@USVWAVH

_lock

8_^[]

Ehttp://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt0

ProximityUxHost.exe

:unCQu(

WindowsCreateString

WindowsDeleteString

AcquireSRWLockShared

USVWATAUAVAWH

api-ms-win-mm-playsound-l1-1-0.dll

api-ms-win-shell-shdirectory-l1-1-0.dll

HcA<H

CoTaskMemAlloc

t$ WATAWH

A_A^A]A\_^]

G0A8@

CoTaskMemRealloc

@SUVWAUH

qsort_s

CreateMutexExW

L$XL+

H;F(uuH

PeekMessageW

WS2_32.dll

A_A^]

EventRegister

?SetXMLFromResource@DUIXmlParser@DirectUI@@QEAAJIPEAUHINSTANCE__@@0@Z

?Click@TouchButton@DirectUI@@SA?AVUID@@XZ

|$XI9

?GetValue@Element@DirectUI@@QEAAPEAVValue@2@P6APEBUPropertyInfo@2@XZHPEAUUpdateCache@2@@Z

GetTraceEnableLevel

?GetClassInfoPtr@ModernProgressBar@DirectUI@@SAPEAUIClassInfo@2@XZ

DafStartFinalize

api-ms-win-core-util-l1-1-0.dll

PropVariantClear

UnInitProcessPriv

+,(7K

_initterm

A_A^_^]

TranslateMessage

ext-ms-win-shell32-shellfolders-l1-1-0.dll

?VisibleProp@Element@DirectUI@@SAPEBUPropertyInfo@2@XZ

?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z

GDI32.dll

H/fA+

InitThread

.idata$5

DafStartEnumCeremonies

?ContentProp@Element@DirectUI@@SAPEBUPropertyInfo@2@XZ

CreateTimerQueueTimer

fE9,lu

LeaveCriticalSection

HeapAlloc

A_A^A\_^

T$PM#

InitOnceComplete

eWaiting

PROPSYS.dll

launch

NextShareFolder

Windows.Foundation.Uri

eReceivingDescription

UIFILE

Microsoft.Windows.Shell.Proximity

L$ SVWH

.pdata

internal\sdk\inc\wil\Resource.h

GetTraceLoggerHandle

Microsoft

VarFileInfo

VWAUAVAWH

SetRestrictedErrorInfo

Microsoft Corporation1)0'

_fmode

H+F03

I!_ I!_(A!_0I!_8

f;7t5L

.data$brc

L$pH3

callContext

L$PH3

Shell IDList Array

SHCreateThread

NFP_PAYLOAD

H3E H3E

InternalName

api-ms-win-shcore-sysinfo-l1-1-0.dll

CreateWindowInBand

H;F(u}H

L$PL!d$xL

.text$yd

IsWindowVisible

malloc

Uo!EoH

GetWindowLongPtrW

_vsnwprintf

api-ms-win-core-profile-l1-1-0.dll

8A_A^A]A\_^][

api-ms-win-core-libraryloader-l1-2-0.dll

QXLX$

7$!LE

BCryptCloseAlgorithmProvider

GetMessageW

WATAVH

</application>

api-ms-win-core-localization-l1-2-0.dll

.rsrc$02

OpcServices.DLL

H9PHu

LcA<E3

CreateFileW

_unlock

180823202624Z

Global\%s

?CreateString@Value@DirectUI@@SAPEAV12@PEBGPEAUHINSTANCE__@@@Z

SetEvent

t$ WATAVH

L$XE3

SleepConditionVariableSRW

_exit

CoCancelCall

s#fD99t

Thales TSS ESN:98FD-C61E-E6411%0#

en-US

Local\SM0:%d:%d:%hs

api-ms-win-core-winrt-l1-1-0.dll

H WATAUAVAWH

@.rsrc

RegGetValueW

TlsSetValue

T$P!D$PH

0A^_^

OLEAUT32.dll

e:)9u

L$PE3

BCryptGetProperty

fA98t

AcquireSRWLockExclusive

RoOriginateErrorW

.imrsiv

api-ms-win-core-threadpool-legacy-l1-1-0.dll

.text$di

Windows.SystemToast.NfpAppLaunch

api-ms-win-core-winrt-string-l1-1-0.dll

FormatMessageW

fC9lE

Legal_Policy_Statement

20180915045643.818Z0

originatingContextMessage

module

`A_A^A]A\_^]

H;F0t

H;F0upH

@8y@uNH

%hs!%p:

api-ms-win-core-url-l1-1-0.dll

VATAUAVAWH

8L$@t

VWATAVAWH

SHTaskPoolQueueTask

</requestedPrivileges>

eReceiveConnecting

LegalCopyright

GetTempPathW

0A_A^A\_^

SHCreateItemInKnownFolder

function

BCryptOpenAlgorithmProvider

A_A^A]A\_

CoCreateFreeThreadedMarshaler

10.0.17763.1 (WinBuild.160101.0800)

"Microsoft Time Source Master Clock0

GetCurrentProcessId

I9<$u

application/vnd.ms-windows.wsd.oob

L$XH3

p WAVAWH

RegCreateKeyExW

I0G1-0+

DeleteCriticalSection

T$`!D$`L

.rdata$zETW0

RaiseException

application/vnd.ms-windows.nwprinting.oob

ActivityStoppedAutomatically

version="1.0.0.0"

api-ms-win-shcore-obsolete-l1-1-0.dll

Connect

RtlCaptureContext

`.imrsiv

<assemblyIdentity

u8@8-

.tls$ZZZ

RoGetAgileReference

y=L!uP

M0K0I

CoCreateInstance

AssocQueryStringW

api-ms-win-core-file-l1-1-0.dll

minATL$__z

/toast

x ATAVAWH

language="*"

WaitForSingleObjectEx

.CRT$XLA

@A_A^A]A\_^]

H:^<~O

PAL_UnregisterConsoleDisplayStateNotifications

Microsoft Time-Stamp PCA 20100

T$0!D$0L

wilActivity

ProximityUxHost.pdb

fD9<Bu

ObjectLength

t$ WATAUH

.rdata$zzzdbg

f94Au

H VWH

LoadStringW

WindowsDuplicateString

api-ms-win-shcore-thread-l1-1-0.dll

HA_A^_^[]

WAVAWH

` UAVAWH

.rdata

.CRT$XIA

CoResumeClassObjects

niaZY

api-ms-win-core-errorhandling-l1-1-0.dll

D9nD|

DafSelectCeremony

@USVWH

mimeType

CoTaskMemFree

111019184142Z

fE9,Du

processorArchitecture="amd64"

T$x!D$xH

D9L$`vHL

PAL_RegisterConsoleDisplayStateNotifications

api-ms-win-core-rtlsupport-l1-1-0.dll

DispatchMessageW

publicKeyToken="6595b64144ccf1df"

api-ms-win-appmodel-runtime-l1-1-0.dll

base\proximity\ux\lib\receivecontenthandler.cpp

minATL$__a

?CreateBool@Value@DirectUI@@SAPEAV12@_N@Z

A_A^_

.CRT$XIZ

Microsoft Corporation1200

?Create@DUIXmlParser@DirectUI@@SAJPEAPEAV12@P6APEAVValue@2@PEBGPEAX@Z2P6AX11H2@Z2@Z

D$$I;

TryEnterCriticalSection

ActivityError

<assemblyIdentity

ResetEvent

/toast/visual/binding/text[number(@id) = '%d']

WriteFile

x UAVAWH

fD9,Au

T$1M;

Washington1

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

fA9<@u

%Microsoft Windows Production PCA 20110

InitializeCriticalSectionEx

EncodePointer

FileDescription

!This program cannot be run in DOS mode.

%Microsoft Windows Production PCA 2011

'fD9e

ReceivedMime

CoGetApartmentType

WindowsSubstringWithSpecifiedLength

Msg:[%ws]

T$X!D$XL

WaitForSingleObject

GetPackagesByPackageFamily

DestroyWindow

DwmGetWindowAttribute

</stylesheets>

|$D@8}

D$0H;

H;F0u1

api-ms-win-core-shlwapi-legacy-l1-1-0.dll

ProximityCommon.dll

minATL$__f

application/vnd.wfa.p2p

api-ms-win-eventing-provider-l1-1-0.dll

Lct$$H

L$ UVWATAUAVAWH

T$@!D$@H

\$ VWAVH

Microsoft Corporation1

x AUAVAWH

UWATAVAWH

api-ms-win-core-processthreads-l1-1-0.dll

PlaySoundW

TapToSend_Send

L$ UATAVH

RSDS]

0A]_^][

Redmond1

>http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0

t$@E3

@USVWATAVAWH

GetModuleFileNameA

Windows.System.LauncherOptions

@Qmu7

E9u vGI

PowerSetRequest

api-ms-win-core-kernel32-legacy-l1-1-1.dll

Microsoft Operations Puerto Rico1&0$

2hKu!

fF9<Ou

ntdll.dll

0A_A^A\

FindResourceExW

USER32.dll

T$(E3

BCryptGenerateSymmetricKey

audio

api-ms-win-core-sysinfo-l1-1-0.dll

10.0.17763.1

z@}PfMBS

SHGetKnownFolderPath

m4J?T

internal\sdk\inc\wil\Result.h

WakeAllConditionVariable

t"D8=

InitializeCriticalSection

A_A^A\_^

Microsoft Time-Stamp PCA 2010

api-ms-win-core-synch-l1-1-0.dll

memcpy

SetForegroundWindow

.idata$3

D$ fD

WindowsIsStringEmpty

L9{@u

H;F0uhI;

OpenSemaphoreW

261019185142Z0

Ehttp://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z

__wgetmainargs

ReleaseSRWLockExclusive

|az f

eCancelButton

4c2^V

LoadCursorW

r~akow

A_A\_

UX!EXH

CoWaitForMultipleHandles

version="6.0.0.0"

FallbackError

fB9LM

u$L97t

RtlLookupFunctionEntry

f9H\u

MsgWaitForMultipleObjectsEx

EnterCriticalSection

.CRT$XCU

FALSE

DafCreateAssociationContext

deviceassociation.dll

RtlDllShutdownInProgress

GetTraceEnableFlags

[%hs(%hs)]

about:internet

QueryPerformanceCounter

message

t*9~4|FH

</style>

T$8!D$8L

WVbQs

originatingContextName

0A_A^_^]

threadId

"Microsoft Window

GetTickCount64

H!|$XH

eCanceled

ShareWithDevice

msvcrt.dll

\$ UVWATAUAVAWH

FvIHZD

StringFileInfo

L$(E3

%hs(%d) tid(%x) %08X %ws

oK0D$"<

H_^[]

t$ WAUAVH

t$ WAVAWH

srand

.rdata$zETW9

0A_A^A]A\_

Windows.SystemToast.NfpDevicePairing

ole32.dll

GetCurrentProcess

api-ms-win-core-handle-l1-1-0.dll

UVWAVAWH

(_^][

L$0E3

eSendContentDescription

__setusermatherr

0A]A\_

T$h!D$hH

HeapFree

Microsoft Primitive Provider

@A_A^A\_^

api-ms-win-core-file-l1-2-0.dll

1http://www.microsoft.com/PKI/docs/CPS/default.htm0@

currentContextId

DafChallengeDevicePresence

api-ms-win-devices-query-l1-1-0.dll

GetTickCount

fileName

A_A^A\_]

AppLaunch

D3DKMTNetDispQueryMiracastDisplayDeviceSupport

A,gaK

WindowsMime.text/x-vcard

@A_A^A]

.text$mn

100701213655Z

D$XE3

base\proximity\ux\lib\proximitysendtarget.cpp

api-ms-win-rtcore-ntuser-private-l1-1-0.dll

Windows.SystemToast.NfpReceiveContent

UrlUnescapeW

.CRT$XIY

L9o@t

:VbQsu3

failureId

RoOriginateError

TerminateProcess

L$@H3

PostMessageW

type="win32"/>

Nokia BH-505

</assembly>

minATL$__m

?DeterminateProp@ModernProgressBar@DirectUI@@SAPEBUPropertyInfo@2@XZ

f9,Au

TapToSend_Receive

fA9LE

fB94Hu

Translation

H9|$0

DevFreeObjectProperties

f9<Cu

BCryptDecrypt

t6E9FD

SUVWATAUAVAWH

fE9<@u

DafStartDeviceStatusNotification

DafCreateAssociationContextFromOobBlob

TlsFree

;t$hr

20180916125616Z0t0:

fE9,Fu

RoUninitialize

A_A^A]

UWAVH

DecodePointer

MultiByteToWideChar

WilError_02

EventWriteTransfer

T$8H!t$8H

ReceivedUriLaunch

SHCreateStreamOnFileEx

DafStartRemoveAssociation

ms-windows-store:PDP?PFN=

Microsoft Operations Puerto Rico1'0%

Microsoft Windows0

A_A^A\

RegisterTraceGuidsW

Windows.System.Launcher

Windows.Foundation.Collections.PropertySet

T$@H!|$@H

EventSetInformation

?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z

Ehttp://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl0Z

T$@E3

%s\NfpOpcSendFile.%i%i

0A^A\_

Chttp://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl0a

L$`H3

</element>

ProductVersion

fD9$Cu

DuiCreateObject

D$@E3

UWAUAVAWH

.text$x

Extension

CreateMutexW

R!s4Z

OutputDebugStringW

fB9,xu

fA9,Du

UnregisterTraceGuids

KillTimer

@A_A^A]_^

?Click@Button@DirectUI@@SA?AVUID@@XZ

'aO8^(

Windows.Internal.StateRepository.MrtPackage

DevGetObjectPropertiesEx

__CxxFrameHandler3

ReturnHr

_onexit

activatibleClassId

SHELL32.dll

WindowsGetStringRawBuffer

WATAWH

NFP_LAUNCH

A^_^

.CRT$XIAA

@A_A^A\_^[]

SHStrDupW

GetModuleHandleW

fD9<Au

T$XE3

api-ms-win-shlwapi-winrt-storage-l1-1-1.dll

CoAddRefServerProcess

SOFTWARE\Microsoft\Windows\CurrentVersion\Proximity

Proximity UX Host

api-ms-win-core-registry-l1-1-0.dll

H+F(u

failureType

L$ E3

fC9,Lu

Windows

?_ZeroRelease@Value@DirectUI@@AEAAXXZ

api-ms-win-shcore-taskpool-l1-1-0.dll

IsDebuggerPresent

.CRT$XLZ

</duixml>

>http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0

EventActivityIdControl

A^A\]

.giats

iSHp6

hresult

Windows.Internal.StateRepository.Protocol

.rdata$zETW1

kernelbase.dll

9\$8u3H

providerName

</if>

L$0E2

BCryptEncrypt

RtlVirtualUnwind

DafMemFree

.idata$2

_wcmdln

api-ms-win-core-winrt-error-l1-1-0.dll

3me#\

|$ UH

fA94Cu

x AVH

api-ms-win-core-debug-l1-1-0.dll

SetCurrentProcessExplicitAppUserModelID

0A_A^_

@SUVWATAVAWH

CoDisableCallCancellation

OriginalFilename

WATAUAVAWH

fD9<Zu

RaiseFailFastException

<description>ProximityUxHost</description>

CoReleaseServerProcess

WindowsStringHasEmbeddedNull

SHCreateAssociationRegistration

SetTimer

$`2X`F

0A\_^

?StateProp@ModernProgressBar@DirectUI@@SAPEBUPropertyInfo@2@XZ

.tls$

fD94Ou

eError

fD94Cu

UnrecognizedType

Pairing:Bluetooth

A_A^A]A\_

.CRT$XCA

.CRT$XCAA

.xdata

processorArchitecture="*"

PowerCreateRequest

$Microsoft Ireland Operations Limited1

.gfids

F0A8H

RoGetActivationFactory

Windows.Foundation.PropertyValue

FGfBq

ReleaseSRWLockShared

\$ UH

fD94Au

VWATH

eReceiveFinishing

CoAllowSetForegroundWindow

H;N0u3=

J=AppLaunch

\$8E3

L!d$PH

190726204550Z0p1

%hs(%d)\%hs!%p:

Operating System

D9yL|

RoActivateInstance

CoRevokeClassObject

CreateThread

L9{0t#H

T$X!D$XH

.00cfg

Windows.Networking.Proximity.PeerFinder:StreamSocket

t$ UWAUAVAWH

N0L0J

T$8H!\$8

UnhandledExceptionFilter

eInstructions

RoRevokeActivationFactories

GetModuleHandleExW

api-ms-win-eventing-classicprovider-l1-1-0.dll

FailFast

DefWindowProcW

UVWATAUAVAWH

nullptr

EventUnregister

_cexit

SHCreateWorkerWindowW

CloseHandle

fD9<Cu

L$8E3

U0S0Q

0A^A]_

L$ VATAUAVAWH

T$0E3

currentContextName

Microsoft Time-Stamp Service0

http://www.microsoft.com/windows0

@.reloc

E;u r

@SUVWATAUAVAWH

DafCloseAssociationContext

InitProcessPriv

?PositionProp@ModernProgressBar@DirectUI@@SAPEBUPropertyInfo@2@XZ

ms-winsoundevent:Notification.Proximity

[EI&5Wn

t4A!_

UVWAUAVH

HA_A^A]A\_^[]

0A_A^A]_^

hA_A^_^[]

AppShareUri

NDEF:wkt.Hs

z.9Wv

CompanyName

VS_VERSION_INFO

?CustomProp@Element@DirectUI@@SAPEBUPropertyInfo@2@XZ

;|$`r

t$ WATAUAVAWH

_purecall

LoadResource

?AccessibleProp@Element@DirectUI@@SAPEBUPropertyInfo@2@XZ

,6RonLSjZuaJHdx8333nmbXjrGpjjdQd0HerviN1j/mM=0Z

GetLastError

GetCurrentThreadId

@A_A^_

@USVWATAUAVAWH

L$pI;

_commode

api-ms-win-core-synch-l1-2-0.dll

eProgressBar

D9K(t

@A^A]_

M@9M0vzH

failureCount

x UATAUAVAWH

GetSystemTimeAsFileTime

H!s H!s(!s0H!s8!sD@

</dependency>

QvvQC

A_A^_^]

LogHr

_amsg_exit

name="Microsoft.Windows.ProximityUxHost"

20180915125616Z

fD9$Gu

.CRT$XCZ

StrToID

?terminate@@YAXXZ

u HcA<H

CoGetMalloc

PostQuitMessage

dwmapi.dll

BCryptGenRandom

tK91u

|$ UAVAWH

t,D9nD

fA9Du

currentContextMessage

CoRegisterClassObject

fF9,Hu

Exception

GetProcessHeap

t,9O,|BH

Sleep

fD94Gu

`A^_^[]

SendMessageW

T$0!D$0H

USVWH

m;(u#c

eSendContentTitle

Tap and send receiving data

WindowsCompareStringOrdinal

api-ms-win-shcore-stream-l1-1-0.dll

WindowsUri

L$pE3

SetUnhandledExceptionFilter

WaitForMultipleObjectsEx

191123202624Z0

pA_A^A]A\_^]

.data

fB94iu

wcscmp

fD9<_u

nCipher NTS ESN:57F6-C1E0-554C1+0)

BCryptDestroyKey

A_A^A]A\_^][

t$ UWATAVAWH

name="Microsoft.Windows.Common-Controls"

ShellExecuteExW

T$$D!t$ H

api-ms-win-core-winrt-error-l1-1-1.dll

A_A^A]A\]

A_A^A]_]

.text

@A_A^A]A\^

InitOnceBeginInitialize

UpButton

memset

%OShareWithDevice

l$`E3

?Destroy@DUIXmlParser@DirectUI@@QEAAXXZ

[%hs]

DevCloseObjectQuery

f9<Bu

?CreateInt@Value@DirectUI@@SAPEAV12@HW4DynamicScaleValue@@@Z

?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z

UnInitThread

T$p!D$pL

)Microsoft Root Certificate Authority 20100

MIME\Database\content type\%s

.rdata$brc

WindowsGetStringLen

UnrecognizedUri

RegCloseKey

H9_Hs<

0A_A^A]

ReleaseSemaphore

DUI70.dll

Windows.SystemToast.NfpAppAcquire

originatingContextId

RoGetMatchingRestrictedErrorInfo

\$ UVWAVAWH

T$H!D$HL

|$ UATAUAVAWH

;Y)0r

WAUAVH

CreateEventExW

GetProcAddress

BlockLength

eDone

</trustInfo>

lineNumber

|$xf;

bcrypt.dll

ProductName

H;F(u>H

A^A]_

L$xL!d$xL

TlsGetValue

PE Information

Image Base	Entry Point	Reported Checksum	Actual Checksum	Minimum OS Version	PDB Path	Compile Time	Import Hash
0x140000000	0x0002f440	0x0004dd06	0x0004dd06	10.0	ProximityUxHost.pdb	2071-11-07 04:19:30	9899bdf95278b78739193ac50bb8c6e4

Version Infos

CompanyName	Microsoft Corporation
FileDescription	Proximity UX Host
FileVersion	10.0.17763.1 (WinBuild.160101.0800)
InternalName	ProximityUxHost.exe
LegalCopyright	Â© Microsoft Corporation. All rights reserved.
OriginalFilename	ProximityUxHost.exe
ProductName	MicrosoftÂ® WindowsÂ® Operating System
ProductVersion	10.0.17763.1
Translation	0x0409 0x04b0

Sections

Name	RAW Address	Virtual Address	Virtual Size	Size of Raw Data	Characteristics	Entropy
.text	0x00000400	0x00001000	0x0002ef4e	0x0002f000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.32
.imrsiv	0x00000000	0x00030000	0x00000004	0x00000000	IMAGE_SCN_CNT_UNINITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	0.00
.rdata	0x0002f400	0x00031000	0x0000969c	0x00009800	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.38
.data	0x00038c00	0x0003b000	0x00000b08	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	2.77
.pdata	0x00038e00	0x0003c000	0x00001860	0x00001a00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.14
.rsrc	0x0003a800	0x0003e000	0x00001b48	0x00001c00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.09
.reloc	0x0003c400	0x00040000	0x000004e4	0x00000600	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ	4.97

Overlay

Offset	0x0003ca00
Size	0x00002b88

Name	Offset	Size	Language	Sub-language	Entropy	File type
MUI	0x0003fa70	0x000000d8	LANG_ENGLISH	SUBLANG_ENGLISH_US	2.76	None
UIFILE	0x0003e998	0x000010d7	LANG_ENGLISH	SUBLANG_ENGLISH_US	4.95	None
RT_VERSION	0x0003e5e8	0x000003b0	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.47	None
RT_MANIFEST	0x0003e150	0x00000498	LANG_ENGLISH	SUBLANG_ENGLISH_US	4.98	None

Imports

Name	Address
_vsnwprintf	0x140032c88
memcmp	0x140032c90
_purecall	0x140032c98
srand	0x140032ca0
rand	0x140032ca8
qsort_s	0x140032cb0
memset	0x140032cb8
?terminate@@YAXXZ	0x140032cc0
__CxxFrameHandler3	0x140032cc8
_onexit	0x140032cd0
__dllonexit	0x140032cd8
_unlock	0x140032ce0
_lock	0x140032ce8
_commode	0x140032cf0
_fmode	0x140032cf8
_wcmdln	0x140032d00
__C_specific_handler	0x140032d08
_initterm	0x140032d10
__setusermatherr	0x140032d18
_cexit	0x140032d20
wcsrchr	0x140032d28
_exit	0x140032d30
exit	0x140032d38
__set_app_type	0x140032d40
__wgetmainargs	0x140032d48
malloc	0x140032d50
_callnewh	0x140032d58
_amsg_exit	0x140032d60
_XcptFilter	0x140032d68
free	0x140032d70
memcpy_s	0x140032d78
memcpy	0x140032d80
wcscmp	0x140032d88

Name	Address
GetTraceLoggerHandle	0x140032a98
TraceMessage	0x140032aa0
UnregisterTraceGuids	0x140032aa8
RegisterTraceGuidsW	0x140032ab0
GetTraceEnableFlags	0x140032ab8
GetTraceEnableLevel	0x140032ac0

Name	Address
CreateEventExW	0x140032850
WaitForSingleObject	0x140032858
ReleaseSRWLockShared	0x140032860
SetEvent	0x140032868
ResetEvent	0x140032870
TryEnterCriticalSection	0x140032878
AcquireSRWLockExclusive	0x140032880
InitializeCriticalSectionEx	0x140032888
CreateMutexExW	0x140032890
LeaveCriticalSection	0x140032898
EnterCriticalSection	0x1400328a0
CreateMutexW	0x1400328a8
InitializeCriticalSection	0x1400328b0
DeleteCriticalSection	0x1400328b8
WaitForMultipleObjectsEx	0x1400328c0
CreateSemaphoreExW	0x1400328c8
CreateEventW	0x1400328d0
ReleaseSemaphore	0x1400328d8
AcquireSRWLockShared	0x1400328e0
ReleaseMutex	0x1400328e8
WaitForSingleObjectEx	0x1400328f0
OpenSemaphoreW	0x1400328f8
ReleaseSRWLockExclusive	0x140032900

Name	Address
CoRevokeClassObject	0x1400325b8
CoRegisterClassObject	0x1400325c0
CoTaskMemRealloc	0x1400325c8
CoGetMalloc	0x1400325d0
CoTaskMemFree	0x1400325d8
CoResumeClassObjects	0x1400325e0
CoReleaseServerProcess	0x1400325e8
CoDisableCallCancellation	0x1400325f0
CoCreateInstance	0x1400325f8
PropVariantClear	0x140032600
CoTaskMemAlloc	0x140032608
CoCancelCall	0x140032610
CoCreateFreeThreadedMarshaler	0x140032618
CoGetApartmentType	0x140032620
CoWaitForMultipleHandles	0x140032628
CoEnableCallCancellation	0x140032630
CoAddRefServerProcess	0x140032638

Name	Address
SHCreateThread	0x140032b68

Name	Address
CreateThread	0x140032778
TlsFree	0x140032780
GetCurrentThreadId	0x140032788
GetCurrentProcess	0x140032790
GetStartupInfoW	0x140032798
TlsAlloc	0x1400327a0
TlsSetValue	0x1400327a8
TerminateProcess	0x1400327b0
GetCurrentProcessId	0x1400327b8
TlsGetValue	0x1400327c0

Name	Address
RoActivateInstance	0x1400329d0
RoInitialize	0x1400329d8
RoRegisterActivationFactories	0x1400329e0
RoGetActivationFactory	0x1400329e8
RoUninitialize	0x1400329f0
RoRevokeActivationFactories	0x1400329f8

Name	Address
SleepConditionVariableSRW	0x140032910
InitOnceBeginInitialize	0x140032918
InitOnceComplete	0x140032920
Sleep	0x140032928
WakeAllConditionVariable	0x140032930

Name	Address
SetUnhandledExceptionFilter	0x140032678
GetLastError	0x140032680
SetLastError	0x140032688
RaiseException	0x140032690
UnhandledExceptionFilter	0x140032698

Name	Address
SHStrDupW	0x140032b20

Name	Address
EventUnregister	0x140032ad0
EventActivityIdControl	0x140032ad8
EventRegister	0x140032ae0
EventSetInformation	0x140032ae8
EventWriteTransfer	0x140032af0

Name	Address
RoOriginateError	0x1400329a0
SetRestrictedErrorInfo	0x1400329a8
RoOriginateErrorW	0x1400329b0

Name	Address
EncodePointer	0x140032988
DecodePointer	0x140032990

Name	Address
WindowsCreateString	0x140032a08
WindowsCreateStringReference	0x140032a10
WindowsStringHasEmbeddedNull	0x140032a18
WindowsCompareStringOrdinal	0x140032a20
WindowsDuplicateString	0x140032a28
WindowsSubstringWithSpecifiedLength	0x140032a30
WindowsIsStringEmpty	0x140032a38
WindowsGetStringRawBuffer	0x140032a40
WindowsGetStringLen	0x140032a48
WindowsDeleteString	0x140032a50

Name	Address
FindResourceExW	0x140032728
LoadResource	0x140032730
GetProcAddress	0x140032738
GetModuleFileNameA	0x140032740
GetModuleHandleW	0x140032748
GetModuleHandleExW	0x140032750
LockResource	0x140032758

Name	Address
QueryPerformanceCounter	0x1400327d0

Name	Address
GetSystemTimeAsFileTime	0x140032940
GetTickCount64	0x140032948
GetTickCount	0x140032950

Name	Address
RtlVirtualUnwind	0x140032808
RtlLookupFunctionEntry	0x140032810
RtlCaptureContext	0x140032818

Name	Address

Name	Address
PAL_RegisterConsoleDisplayStateNotifications	0x1400324c0
PAL_UnregisterConsoleDisplayStateNotifications	0x1400324c8

Name	Address
D3DKMTNetDispQueryMiracastDisplayDeviceSupport	0x140032450

Name	Address
TranslateMessage	0x1400324f8
SetCursor	0x140032500
LoadCursorW	0x140032508
PostQuitMessage	0x140032510
DefWindowProcW	0x140032518
SendMessageW	0x140032520
IsWindowVisible	0x140032528
GetMessageW	0x140032530
PeekMessageW	0x140032538
MsgWaitForMultipleObjectsEx	0x140032540
SetForegroundWindow	0x140032548
GetWindowLongPtrW	0x140032550
PostMessageW	0x140032558
SetTimer	0x140032560
DispatchMessageW	0x140032568
KillTimer	0x140032570
DestroyWindow	0x140032578
LoadStringW	0x140032580

Name	Address
CloseHandle	0x1400326d8

Name	Address
SysFreeString	0x140032460

Name	Address
MultiByteToWideChar	0x140032838
CompareStringOrdinal	0x140032840

Name	Address
DebugBreak	0x140032658
OutputDebugStringW	0x140032660
IsDebuggerPresent	0x140032668

Name	Address
FormatMessageW	0x140032768

Name	Address
GetProcessHeap	0x1400326e8
HeapAlloc	0x1400326f0
HeapFree	0x1400326f8

Name	Address
GetPackagesByPackageFamily	0x1400325a8

Name	Address
RegCloseKey	0x1400327e0
RegGetValueW	0x1400327e8
RegSetValueExW	0x1400327f0
RegCreateKeyExW	0x1400327f8

Name	Address
AssocQueryStringW	0x140032b88
IUnknown_GetWindow	0x140032b90
SHCreateWorkerWindowW	0x140032ba0

Name	Address
WriteFile	0x1400326a8
RemoveDirectoryW	0x1400326b0
CreateFileW	0x1400326b8

Name	Address
SHGetKnownFolderPath	0x140032c78

Name	Address

Name	Address
PlaySoundW	0x140032b00

Name	Address
DevFreeObjectProperties	0x140032a60
DevCreateObjectQueryFromId	0x140032a68
DevCloseObjectQuery	0x140032a70
DevCreateObjectQuery	0x140032a78

Name	Address
PropVariantToStringAlloc	0x140032488

Name	Address
DevGetObjectPropertiesEx	0x140032a88

Name	Address
SetCurrentProcessExplicitAppUserModelID	0x140032b40

Name	Address
PowerSetRequest	0x140032708
PowerClearRequest	0x140032710
PowerCreateRequest	0x140032718

Name	Address
GetTempPathW	0x1400326c8

Name	Address
SHCreateStreamOnFileEx	0x140032b30

Name	Address
BCryptCloseAlgorithmProvider	0x140032bb0
BCryptDestroyKey	0x140032bb8
BCryptGenerateSymmetricKey	0x140032bc0
BCryptGetProperty	0x140032bc8
BCryptOpenAlgorithmProvider	0x140032bd0
BCryptDecrypt	0x140032bd8
BCryptEncrypt	0x140032be0
BCryptGenRandom	0x140032be8

Name	Address
RoGetMatchingRestrictedErrorInfo	0x1400329c0

Name	Address
SHTaskPoolGetUniqueContext	0x140032b50
SHTaskPoolQueueTask	0x140032b58

Name	Address
DeleteTimerQueueTimer	0x140032960
CreateTimerQueueTimer	0x140032968

Name	Address
ntohl	0x140032590
ntohs	0x140032598

Name	Address
ShellExecuteExW	0x1400324d8
SHCreateItemInKnownFolder	0x1400324e0
SHCreateAssociationRegistration	0x1400324e8

Name	Address
CoAllowSetForegroundWindow	0x140032d98

Name	Address
DwmGetWindowAttribute	0x140032c68

Name	Address
DafChallengeDevicePresence	0x140032bf8
DafCloseChallengeContext	0x140032c00
DafSelectCeremony	0x140032c08
DafStartRemoveAssociation	0x140032c10
DafCreateAssociationContext	0x140032c18
DafCloseAssociationContext	0x140032c20
DafMemFree	0x140032c28
DafCreateAssociationContextFromOobBlob	0x140032c30
DafCreateChallengeContext	0x140032c38
DafStartReadCeremonyData	0x140032c40
DafStartDeviceStatusNotification	0x140032c48
DafStartFinalize	0x140032c50
DafStartEnumCeremonies	0x140032c58

Name	Address

Name	Address
?Click@Button@DirectUI@@SA?AVUID@@XZ	0x140032360
?VisibleProp@Element@DirectUI@@SAPEBUPropertyInfo@2@XZ	0x140032368
?CreateInt@Value@DirectUI@@SAPEAV12@HW4DynamicScaleValue@@@Z	0x140032370
?SetValue@Element@DirectUI@@QEAAJP6APEBUPropertyInfo@2@XZHPEAVValue@2@@Z	0x140032378
?GetClassInfoPtr@ModernProgressBar@DirectUI@@SAPEAUIClassInfo@2@XZ	0x140032380
?StateProp@ModernProgressBar@DirectUI@@SAPEBUPropertyInfo@2@XZ	0x140032388
?PositionProp@ModernProgressBar@DirectUI@@SAPEBUPropertyInfo@2@XZ	0x140032390
?GetRoot@Element@DirectUI@@QEAAPEAV12@XZ	0x140032398
UnInitProcessPriv	0x1400323a0
UnInitThread	0x1400323a8
InitThread	0x1400323b0
InitProcessPriv	0x1400323b8
?DeterminateProp@ModernProgressBar@DirectUI@@SAPEBUPropertyInfo@2@XZ	0x1400323c0
DuiCreateObject	0x1400323c8
?GetValue@Element@DirectUI@@QEAAPEAVValue@2@P6APEBUPropertyInfo@2@XZHPEAUUpdateCache@2@@Z	0x1400323d0
?CustomProp@Element@DirectUI@@SAPEBUPropertyInfo@2@XZ	0x1400323d8
?CreateString@Value@DirectUI@@SAPEAV12@PEBGPEAUHINSTANCE__@@@Z	0x1400323e0
?Destroy@DUIXmlParser@DirectUI@@QEAAXXZ	0x1400323e8
?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z	0x1400323f0
?AccessibleProp@Element@DirectUI@@SAPEBUPropertyInfo@2@XZ	0x1400323f8
?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z	0x140032400
?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z	0x140032408
?Click@TouchButton@DirectUI@@SA?AVUID@@XZ	0x140032410
?SetXMLFromResource@DUIXmlParser@DirectUI@@QEAAJIPEAUHINSTANCE__@@0@Z	0x140032418
?_ZeroRelease@Value@DirectUI@@AEAAXXZ	0x140032420
?CreateBool@Value@DirectUI@@SAPEAV12@_N@Z	0x140032428
?ContentProp@Element@DirectUI@@SAPEBUPropertyInfo@2@XZ	0x140032430
StrToID	0x140032438
?Create@DUIXmlParser@DirectUI@@SAJPEAPEAV12@P6APEAVValue@2@PEBGPEAX@Z2P6AX11H2@Z2@Z	0x140032440

Name	Address
CreateWindowInBand	0x140032b10

Name	Address
RoGetAgileReference	0x140032648

Name	Address
PathRemoveBackslashW	0x140032828

Name	Address
UrlUnescapeW	0x140032978

Reports: JSON

Statistics (10.87)

Usage

Processing ( 10.80 seconds )

10.186 ProcessMemory
0.577 CAPE
0.031 BehaviorAnalysis
0.007 AnalysisInfo
0.001 Debug

Signatures ( 0.06 seconds )

0.008 ransomware_files
0.006 antiav_detectreg
0.005 antianalysis_detectfile
0.005 ransomware_extensions
0.003 infostealer_ftp
0.003 territorial_disputes_sigs
0.003 ursnif_behavior
0.002 antiav_detectfile
0.002 infostealer_bitcoin
0.002 infostealer_im
0.002 poullight_files
0.001 antianalysis_detectreg
0.001 antivm_vbox_files
0.001 antivm_vbox_keys
0.001 geodo_banking_trojan
0.001 browser_security
0.001 uac_bypass_cmstpcom
0.001 disables_backups
0.001 disables_browser_warn
0.001 disables_power_options
0.001 azorult_mutexes
0.001 cryptbot_files
0.001 echelon_files
0.001 infostealer_mail
0.001 masquerade_process_name
0.001 revil_mutexes
0.001 modirat_behavior

Reporting ( 0.01 seconds )

0.007 CAPASummary
0.001 JsonDump

Signatures

The PE file contains a PDB path

pdbpath: ProximityUxHost.pdb

SetUnhandledExceptionFilter detected (possible anti-debug)

The binary contains an unknown PE section name indicative of packing

unknown section: {'name': '.imrsiv', 'raw_address': '0x00000000', 'virtual_address': '0x00030000', 'virtual_size': '0x00000004', 'size_of_data': '0x00000000', 'characteristics': 'IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000080', 'entropy': '0.00'}

Yara detections observed in process dumps, payloads or dropped files

Hit: PID 4788 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 59 }']'

Anomalous binary characteristics

anomaly: Entrypoint of binary is located outside of any mapped sections

Binary compilation timestomping detected

anomaly: Compilation timestamp is in the future

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

\Device\CNG

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FDA74D11-C4A6-4577-9F73-D7CA8586E10C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FDA74D11-C4A6-4577-9F73-D7CA8586E10C}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FDA74D11-C4A6-4577-9F73-D7CA8586E10C}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FDA74D11-C4A6-4577-9F73-D7CA8586E10C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FDA74D11-C4A6-4577-9F73-D7CA8586E10C}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FDA74D11-C4A6-4577-9F73-D7CA8586E10C}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FDA74D11-C4A6-4577-9F73-D7CA8586E10C}\InprocHandler
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StateSeparation\RedirectionMap\Keys
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseActivationAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\ProximityUxHost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08FC06E4-C6B5-40BE-97B0-B80F943C615B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08FC06E4-C6B5-40BE-97B0-B80F943C615B}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08FC06E4-C6B5-40BE-97B0-B80F943C615B}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08FC06E4-C6B5-40BE-97B0-B80F943C615B}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08FC06E4-C6B5-40BE-97B0-B80F943C615B}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08FC06E4-C6B5-40BE-97B0-B80F943C615B}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08FC06E4-C6B5-40BE-97B0-B80F943C615B}\InprocHandler

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FDA74D11-C4A6-4577-9F73-D7CA8586E10C}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FDA74D11-C4A6-4577-9F73-D7CA8586E10C}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseActivationAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08FC06E4-C6B5-40BE-97B0-B80F943C615B}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08FC06E4-C6B5-40BE-97B0-B80F943C615B}\(Default)

ntdll.dll.RtlWow64GetCurrentMachine
ntdll.dll.RtlWow64IsWowGuestMachineSupported

Local\SM0:4788:304:WilStaging_02

No results

Sorry! No behavior.

Sorry! No strace.

Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.

Sorry! No dropped files.

Sorry! No process dumps.

Analysis

Machine

File Details

Full Results

PE Information

Version Infos

Sections

Overlay

Resources

Imports

msvcrt

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-shcore-thread-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-shcore-obsolete-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

ProximityCommon

ProximityServicePAL

GDI32

USER32

api-ms-win-core-handle-l1-1-0

OLEAUT32

api-ms-win-core-string-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-heap-l1-1-0

api-ms-win-appmodel-runtime-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-shlwapi-winrt-storage-l1-1-1

api-ms-win-core-file-l1-1-0

ext-ms-win-shell32-shellfolders-l1-1-0

api-ms-win-shell-shdirectory-l1-1-0

api-ms-win-mm-playsound-l1-1-0

api-ms-win-devices-query-l1-1-0

PROPSYS

api-ms-win-devices-query-l1-1-1

api-ms-win-shcore-sysinfo-l1-1-0

api-ms-win-core-kernel32-legacy-l1-1-1

api-ms-win-core-file-l1-2-0

api-ms-win-shcore-stream-l1-1-0

bcrypt

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-shcore-taskpool-l1-1-0

api-ms-win-core-threadpool-legacy-l1-1-0

WS2_32

SHELL32

ole32

dwmapi

deviceassociation

OpcServices

DUI70

api-ms-win-rtcore-ntuser-private-l1-1-0

api-ms-win-core-com-l1-1-1

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-core-url-l1-1-0