Analysis

Category: FILE
Package: exe
Started: 2025-06-14 09:37:53
Completed: 2025-06-14 10:08:43
Duration: 1850 seconds
Options:
  procmemdump=1
  import_reconstruction=1
  unpacker=2
  norefer=1 (forwarded to the monitor, which logs it as an unrecognised key; see the analysis log)
  no-iat=1

Analysis Log
2024-11-25 13:37:14,975 [root] INFO: Date set to: 20250614T06:43:22, timeout set to: 1800
2025-06-14 07:43:22,776 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8
2025-06-14 07:43:22,776 [root] DEBUG: Storing results at: C:\prTihHii
2025-06-14 07:43:22,776 [root] DEBUG: Pipe server name: \\.\PIPE\DeZAgRk
2025-06-14 07:43:22,776 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-14 07:43:22,776 [root] INFO: analysis running as an admin
2025-06-14 07:43:22,776 [root] INFO: analysis package specified: "exe"
2025-06-14 07:43:22,776 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-14 07:43:23,120 [root] DEBUG: imported analysis package "exe"
2025-06-14 07:43:23,120 [root] DEBUG: initializing analysis package "exe"...
2025-06-14 07:43:23,120 [lib.common.common] INFO: wrapping
2025-06-14 07:43:23,120 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-14 07:43:23,120 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\SgrmBroker.exe
2025-06-14 07:43:23,120 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-14 07:43:23,120 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-14 07:43:23,120 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-14 07:43:23,120 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-14 07:43:23,307 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-14 07:43:23,385 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-14 07:43:23,417 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-14 07:43:23,432 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-14 07:43:23,448 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-14 07:43:23,448 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-14 07:43:23,448 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-14 07:43:23,448 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-14 07:43:23,448 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-14 07:43:23,448 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-14 07:43:23,448 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-14 07:43:23,448 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-14 07:43:23,448 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-14 07:43:23,448 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-14 07:43:23,448 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-14 07:43:23,448 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-14 07:43:23,448 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-14 07:43:23,448 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-14 07:43:34,745 [modules.auxiliary.digisig] DEBUG: File has a valid signature
2025-06-14 07:43:34,745 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-14 07:43:34,745 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-14 07:43:34,745 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-14 07:43:34,745 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-14 07:43:34,745 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-14 07:43:34,745 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-14 07:43:34,745 [modules.auxiliary.disguise] INFO: Disguising GUID to 214c6773-878f-4024-8cdf-b8e14513fc28
2025-06-14 07:43:34,761 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-14 07:43:34,761 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-14 07:43:34,761 [root] DEBUG: attempting to configure 'Human' from data
2025-06-14 07:43:34,761 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-14 07:43:34,761 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-14 07:43:34,761 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-14 07:43:34,761 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-14 07:43:34,761 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-14 07:43:34,761 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-14 07:43:34,761 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-14 07:43:34,761 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-14 07:43:34,761 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-14 07:43:34,761 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-14 07:43:34,761 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-14 07:43:34,761 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-14 07:43:34,761 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-14 07:43:34,776 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-14 07:43:34,792 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini
2025-06-14 07:43:34,792 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-14 07:43:34,807 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-14 07:43:34,807 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-14 07:43:34,807 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-14 07:43:34,807 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-14 07:43:34,807 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-14 07:43:34,807 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\AxNZEQJd.dll, loader C:\tmp_gell1p8\bin\cOuiwzfo.exe
2025-06-14 07:43:34,870 [root] DEBUG: Loader: IAT patching disabled.
2025-06-14 07:43:34,870 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\AxNZEQJd.dll.
2025-06-14 07:43:34,917 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-14 07:43:34,917 [root] INFO: Disabling sleep skipping.
2025-06-14 07:43:34,917 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-14 07:43:34,917 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-14 07:43:34,932 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-14 07:43:34,932 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-14 07:43:34,932 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-14 07:43:34,932 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-14 07:43:34,948 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-14 07:43:34,948 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-14 07:43:34,948 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 832, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000
2025-06-14 07:43:34,948 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-14 07:43:34,964 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-14 07:43:34,979 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-14 07:43:34,979 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\AxNZEQJd.dll.
2025-06-14 07:43:34,979 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-14 07:43:34 <truncated>


Machine

Name: win10-2
Label: win10-2
Manager: KVM
Started On: 2025-06-14 09:37:53
Shutdown On: 2025-06-14 10:08:27
Route: none

File Details

File Name: SgrmBroker.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
File Size: 254832 bytes
MD5: 1760ae8c5d731819a4bb1cf0448ac57c
SHA1: 9cd08ccbf0785fea97cef96ea0f29d9353cbea69
SHA256: fffc540eab0035a188e47b8f2fa25bbe0c367a97b459bc0c440651388dd42647
SHA3-384: e77687c0e4067a63bfab2f7a58da5bc9c2fdedbf2bd4d7af9c1eff209ef7e7df5165106a4696e8bf78bf8697ca010b13
CRC32: CF89A009
TLSH: T1BA445B2A275C0CE5ED3BD17E9A87D606F6B278410321C6DB05A0929F1F97AF03E7A750
Ssdeep: 3072:RsPhb23u1NxuDqYCq9pMFln1D2+TPmeurM/TmzVjWOUPvBwngZxnH/Z8N58:RsP1RuWYRCFl1djme2oCEOLwx/m

Full Results

Engine / Result: no entries

Strings

L$XH!~8H
PA_A^A]A\_^]
RegisterEngFunction
api-ms-win-core-kernel32-legacy-l1-1-0.dll
Microsoft Corporation1.0,
@SVWAVAW
l$ VWAVH
@.data
OctagonRpcCallback failed
DeviceIoControl on InitializeAgent
?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
20180915013510.016Z0
internal\sdk\inc\wil\result.h
GetCallerProcessName
LocalAlloc
.idata$6
USVWAVH
.idata$4
SetThreadpoolThreadMaximum
H!E`H
D$`E3
CloseThreadpoolTimer
Could not destroy AttestationClient
HAssertionRunCount
api-ms-win-core-heap-l1-1-0.dll
QueryFullProcessImageName
\$@H+
ReleaseMutex
EngHostCreateAttestationClient
A1k)
??0?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAA@XZ
.rdata$T$brc
ActivityIntermediateStop
L$ SUVWH
NtSetInformationProcess
D8t$@t1L
_initterm_e
_o___stdio_common_vswprintf
GetSystemInfo
Microsoft Time-Stamp Service
?xsputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEBG_J@Z
t^@8=
@A_A^_^]
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
VerSetConditionMask
D$HE3
D$0H!\$0H
_o__cexit
QueryFullProcessImageNameA
CreateSemaphoreExW
?__ExceptionPtrAssign@@YAXPEAXPEBX@Z
Protocol failure: MapFile
BrokerWarning
|hK,_
RpcBindingCreateW
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
ProcessCpuTotalAccounting
H;K@H
OAssertionLogicEntryCount
Microsoft Platform Crypto Provider
EngineAccountingRecord
H!~8H
?_Xlength_error@std@@YAXPEBD@Z
StartupOctagon: SetThreadPriority Begin failed
\\.\MSSGRMAGENTSYS
Driver cannot be null
Protocol failure: ReferenceDeviceObject
IsSenseRegistered
NCryptOpenKey
.?AV<lambda_9eaa9b778f9080c067a6b7ac01dc921e>@@
_o_malloc
_o__initialize_onexit_table
RpcImpersonateClient
AgentController::FreezeThread
EnclaveControllerShim::Initialize
_o_free
?_Osfx@?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAXXZ
\"Rich4
WaitForMultipleObjects
FileVersion
_o__get_initial_wide_environment
_o__purecall
LuaPcallCount
1,0*0
ProgramData
97}GH
D$PE3
L$hH3
$0< u;3
Microsoft Corporation1&0$
DeviceIoControl failure: ReferenceDeviceObject
__C_specific_handler
SVWAVH
Protocol failure: UnMapVirtualAddress
p AWH
Error opening driver
1(0&0
Thales TSS ESN:C0F4-3086-DEF81%0#
191123202628Z0
H90tdH
memmove
K32GetProcessMemoryInfo
0A_A^A]A\_^]
>http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
std::exception: %hs
HAccountingRecordCreationTimestamp
t$ E3
?_Xbad_function_call@std@@YAXXZ
(caller: %p)
list<T> too long
TlP0X
T$PH+
LuaScriptSVN
Assists::_SetTimer
wilResult
??0?$basic_iostream@GU?$char_traits@G@std@@@std@@QEAA@PEAV?$basic_streambuf@GU?$char_traits@G@std@@@1@@Z
HostWrapper::CreateAttestationClient::<lambda_f1cd5f4f2f45cb2ccc56021abcb279d8>::operator ()
{8uOH
AssertionVersion
(D$0f
CT$8H
OpenProcess
Attest
LogicalProcessorCount
RPCRT4.dll
GetExitCodeProcess
tbs.dll
250701214655Z0|1
CreateEventW
UAVAWH
A_A^_
|$ AVH
.rtc$TAA
StartupOctagon: CreateAgent failed
@USVWATAVH
CL$xE3
bad allocation
DeviceIoControl failure: GetProcess
QuotaPeakPagedPoolUsage
_o_exit
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
d$\fD
USVWATAVAWH
?sputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAA_JPEBG_J@Z
.text$mn$00
t$ WH
?_XGetLastError@std@@YAXXZ
?uncaught_exception@std@@YA_NXZ
VWAVH
L+!I+
SetLastError
Microsoft Time-Stamp Service0
EngineInitializationCompleted
AgentController::GetProcess
T$ A;
L$xH3
.rsrc$01
CallContext:[%hs]
DebugBreak
D$`H;
DeviceIoControl failure: GetKernelFieldInfo
onecore\amcore\octagon\broker\source\lib\lpachost.cpp
HResult
Unable to close timer handle
api-ms-win-service-core-l1-1-0.dll
?setstate@?$basic_ios@GU?$char_traits@G@std@@@std@@QEAAXH_N@Z
tED9t$
?flush@?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAAEAV12@XZ
O0M0K
Unknown exception
LoadEnclaveImage
040904B0
ExecuteNextAssertionTotalUserTimeMs
Microsoft Corporation
NCryptFreeObject
LuaEngineMajorVersion
A_A^A]A\_^[]
fD9,Qu
AgentController::UnmapFile
.CRT$XIC
api-ms-win-crt-runtime-l1-1-0.dll
memcmp
AgentController::CopyFromMemory
.rdata$zETW2
M H1E
|$8L;
Not enough room in InputBuffer for ReferenceDriverObject
LuaMemoryCommit
J9>tFA
A_A^A]
Ehttp://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt0
EnclaveControllerVsm::Initialize
?imbue@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAXAEBVlocale@2@@Z
ScriptId
__std_terminate
NCryptOpenStorageProvider
SgrmRpc
Not enough room in InputBuffer for ReferenceDeviceObject
AgentController::GetKernelFieldInfo
AcquireSRWLockShared
ntelD
NativeCallbackFailureCount
D$PH;
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
VerifyVersionInfoW
LuaScriptLoading
A_A^A]A\_^]
G0A8@
D$hL;
.?AVbad_alloc@std@@
@UVWATAUAVAWH
190529185749Z0z1
D,xfC
.rtc$IZZ
CreateMutexExW
SgrmBroker
L$XL+
SgrmBroker.pdb
_o__invalid_parameter_noinfo
A_A^]
EventRegister
onecore\amcore\octagon\broker\source\lib\reghelpers.cpp
OctBrokerSvc::ServiceStopCallback
Failed to initialize agent
InitializeSListHead
CallEnclave
D8t$@t;L
NativeCallbackReadMappedCount
TerminateJobObject
Protocol failure: DereferenceDeviceObject
api-ms-win-core-job-l2-1-0.dll
_initterm
A_A^_^]
Unable to create waitable timer
A8]8t
deque<T> too long
RpcStringFreeW
_CxxThrowException
D$xfD
SetServiceStatus
Protocol failure: ReferenceDriverObject
D$`I+
LuaScriptDigest
.idata$5
AudienceUri
?gbump@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXH@Z
LoadLibraryW
InitializeSRWLock
EnclaveError
LeaveCriticalSection
_o__set_fmode
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
L9Ihv'H
HeapAlloc
A_A^A\_^
InitOnceComplete
20180915073521Z
@USVWAWH
Address cannot be null
h UAVAWH
Protocol failure: PurgeReferences
RpcBindingFree
230367+4361460
ReadFile
.rtc$IAA
\$TH9
0A__^
LoadLibrary
L$ SVWH
.pdata
RegQueryValueExW
onecore\amcore\octagon\broker\source\lib\hostwrapper.cpp
Process cannot be null
Protocol failure: DereferenceProcess
D3N2u
@SVWH
A_A^_^[
Microsoft
VarFileInfo
OctBrokerSvc::ServiceManager::StartupOctagon
GetProcessTimes
RpcSecurityHelper::ImpersonateAndCheckAccess
http://www.microsoft.com/windows0
Set service status failed
Microsoft Corporation1)0'
SystemIdleTime
Microsoft Corporation. All rights reserved.
NtQueryWnfStateData
Reserved1
.data$brc
L$pH3
callContext
L$PH3
D$8H!|$8D
t8D9P
HostWrapper::GetSessionReport
PA_A^_
s_SgrmGetReport
AuditMode
AssignProcessToJobObject
H3E H3E
InternalName
Could not get exit code for LPAC
api-ms-win-core-psapi-ansi-l1-1-0.dll
Failed to register wait object
SgrmEnclave_secure.dll
.text$yd
180606185749Z
DeviceIoControl failure: GetNextProcess
t#E9V0t
VWAWH
AgentController::OpenDevice
Exception caught in GetRuntimeReport
MappedAddress cannot be null
.data$r$brc
MapGenericMask
IsProcessorFeaturePresent
api-ms-win-core-profile-l1-1-0.dll
|$xM;
api-ms-win-core-libraryloader-l1-2-0.dll
EnclaveInfo
ResumeThread
RtlUnsubscribeWnfNotificationWaitForCompletion
OctBrokerSvc::ServiceStopCallback::<lambda_d4b0c135f1a10d94b5e426c4d6d92b5e>::operator ()
_o__initialize_wide_environment
AgentController::ThawThread
api-ms-win-core-localization-l1-2-0.dll
.rsrc$02
Nonce
PA_A^_^]
DeviceIoControl failure: DereferenceThread
Exception caught in GetSessionCertificate
CreateWaitableTimerW
CreateFileW
unitedkingdom.sgrm.microsoft.com
ncalrpc
Function
_o_rand
SetEvent
T$ H;
D$T9p
RegQueryValueExA
_o__configthreadlocale
Protocol failure: MapVirtualAddress
C`H!ChH
en-US
F0D8#ukD8c
Local\SM0:%d:%d:%hs
qq2W76
@.rsrc
RegGetValueW
D$hfD
Hc8I+
v/sZ!
0A^_^
I_RpcBindingInqLocalClientPID
kernel32.dll
L$PE3
CT$XH
Protocol failure: ThawThread
AcquireSRWLockExclusive
.text$di
C D8U@u
AgentController::PurgeReferences
api-ms-win-crt-private-l1-1-0.dll
OctBrokerSvc::ServiceMain
FormatMessageW
RegisterWaitForSingleObject
EngHostShutdown
Legal_Policy_Statement
Cannot initialize Enclave, agent was not initialized
?_Execute_once@std@@YAHAEAUonce_flag@1@P6AHPEAX1PEAPEAX@Z1@Z
originatingContextMessage
module
`A_A^A]A\_^]
Region
InitializeCriticalSectionAndSpinCount
%hs!%p:
UnregisterWait
K SVWH
VWATAVAWH
LuaPcallFailureCount
LegalCopyright
_o___p__commode
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
0A_A^A\_^
ExitThread
Microsoft Corporation1$0"
??1?$basic_ios@GU?$char_traits@G@std@@@std@@UEAA@XZ
function
??1?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAA@XZ
A_A^A]A\_
DeviceIoControl failure: UnMapVirtualAddress
SystemKernelTime
D$@fD
QuotaPagedPoolUsage
.rtc$TZZ
api-ms-win-core-synch-l1-2-1.dll
GetCurrentProcessId
"Microsoft Time Source Master Clock0
10.0.17763.1 (WinBuild.160101.0800)
Protocol failure: GetNextProcess
AccountingRecordRetrievalTimestamp
p WAVAWH
T$XH+
GetSystemTime
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z
I0G1-0+
DeleteCriticalSection
DeviceIoControl failure: GetNextThread
TerminateEnclave
.rdata$zETW0
RaiseException
ActivityStoppedAutomatically
CreateThreadpoolTimer
CreateThreadpoolWork
D$P@8
RtlCaptureContext
.tls$ZZZ
M0K0I
CL$hL
9D$ps
OpenDevice() failed!
api-ms-win-core-file-l1-1-0.dll
?__ExceptionPtrCreate@@YAXPEAX@Z
onecore\amcore\octagon\common\corecryptobcryptlib\bcryptutils.cpp
AgentController::ReferenceDriverObject
CloseThreadpoolWork
H;1tZH
x ATAVAWH
GetThreadTimes
t{HcL$ HcD$$H
api-ms-win-power-base-l1-1-0.dll
WaitForSingleObjectEx
.CRT$XLA
_o___std_exception_copy
H!T$0H!T$(H
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
RpcBindingBind
ge\&Qu
L$0H3
[ UVWH
\Microsoft\Crypto\PCPKSP\WindowsAIK
ValidateResponseSize
?_Pninc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAPEAGXZ
MS-CV:
s_SgrmUnregisterSense
Microsoft Time-Stamp PCA 20100
EXH!E`H
StartupOctagon: CreateEngine failed
api-ms-win-crt-string-l1-1-0.dll
_o__configure_wide_argv
H!|$0H
RegisterSense
wilActivity
Protocol failure: DereferenceThread
fD9<Bu
WilStaging_02
.rdata$zzzdbg
EngHostInitialize
StartupOctagon: HeapEnableTerminationOnCorruption failed
f9,Ku
onecore\amcore\octagon\broker\source\svc\octbrokersvcrpc.cpp
RpcRevertToSelf
Early exit in service shutdown
DeviceIoControl failure: DereferenceProcess
Message
AssertionRecordCount
.rdata$r
?_Unlock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
api-ms-win-core-path-l1-1-0.dll
WAVAWH
CreateJobObjectW
.CRT$XIA
.rdata
GetThreadPriority
StartupOctagon: SgrmSessionManager Initialize failed
api-ms-win-core-errorhandling-l1-1-0.dll
RpcBindingUnbind
O:SYG:SYD:(A;;RC;;;BA)(A;;RC;;;S-1-5-80-1523878533-411328482-2798077809-3098663872-2604013308)
s_GetSessionReport
111019184142Z
Value cannot be null
SetThreadpoolThreadMinimum
OctBrokerSvc::ServiceManager::ShutdownOctagon
SgrmEnclave.dll
rMfD9?w
@8t$Pt
QueryFullProcessImageNameW
api-ms-win-core-rtlsupport-l1-1-0.dll
T$8H+
SgrmLpac.exe
hA_A^A]A\_^][
Protocol failure: DereferenceDriverObject
PageFaultCount
RegOpenKeyExA
A_A^_
.CRT$XIZ
EngHostGetSessionCertificate
Microsoft Corporation1200
L$ WH
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ
;05Dz<
ConvertStringSecurityDescriptorToSecurityDescriptor
ActivityError
Not enough room in InputBuffer for GetKernelFieldInfo
ResetEvent
_o_wcscpy_s
G+e~0$
x UAVAWH
Washington1
%Microsoft Windows Production PCA 20110
_o__invalid_parameter_noinfo_noreturn
InitializeCriticalSectionEx
XA_A^A]A\_^][
CD$XH
msvcp_win.dll
api-ms-win-core-processthreads-l1-1-2.dll
!This program cannot be run in DOS mode.
%Microsoft Windows Production PCA 2011
\Sgrm\SgrmAssertions.cat
FileDescription
}Jnv"
D$@H!\$@H
H9Ahs
Msg:[%ws]
A_A^A\
ThreadPriorityBumpCount
WaitForSingleObject
@A^_^
@8(t#L
WaitForThreadpoolWorkCallbacks
GetProc
LuaScriptMinorVersion
D$0H;
\ProgramData
PCP_ALTERNATE_KEY_STORAGE_LOCATION
(VOID*)Size cannot be null
Thread cannot be null
api-ms-win-core-shlwapi-legacy-l1-1-0.dll
InitializeEnclave
api-ms-win-eventing-provider-l1-1-0.dll
L$ UVWATAUAVAWH
onecore\amcore\octagon\broker\source\lib\sessionmanager.cpp
@A_A^A\_^][
api-ms-win-core-threadpool-l1-2-0.dll
5q<Wc
api-ms-win-core-heap-l2-1-0.dll
PerformanceAccounting
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
\$ VWAVH
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z
api-ms-win-core-processthreads-l1-1-0.dll
UWATAVAWH
A_A^A]A\_^[
LuaMemoryCommitGc
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
WorkingSetSize
RtlSubscribeWnfStateChangeNotification
Redmond1
>http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0
@USVWATAVAWH
GetModuleFileNameA
RpcServerUseProtseqEpW
s_SgrmCreateSession
api-ms-win-core-kernel32-legacy-l1-1-1.dll
api-ms-win-core-enclave-l1-1-1.dll
VirtualAddress cannot be null
LuaScriptSize
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
Microsoft Operations Puerto Rico1&0$
ntdll.dll
Status
_o__set_app_type
A^_^[]
Ct$hH
?_BADOFF@std@@3_JB
QueryPerformanceFrequency
_register_thread_local_exe_atexit_callback
GetReportRequest
~Ba7l
GetCurrentThread
api-ms-win-core-sysinfo-l1-1-0.dll
10.0.17763.1
DeviceIoControl
Microsoft.Windows.Oct.Broker
ExecuteNextAssertionLongestUserTimeMs
WakeAllConditionVariable
t"D8=
ContextJson
ReportAccessRequestCount
SetThreadPriority
LuaPanicCount
UVAVH
InitializeCriticalSection
Microsoft Time-Stamp PCA 2010
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Device cannot be null
api-ms-win-core-synch-l1-1-0.dll
memcpy
s_SgrmRegisterSense
.idata$3
StartupOctagon: SetThreadPriority End failed
NCryptSetProperty
D$ fD
AgentController::UnMapVirtualAddress
_o_terminate
HostWrapper::Attest
.?AV<lambda_b524af3a1b3e74969f5035b215ba6417>@@
L9{@u
OpenSemaphoreW
ActiveClientCount
?xsgetn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEAG_J@Z
261019185142Z0
Ehttp://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z
ReleaseSRWLockExclusive
onecore\amcore\octagon\common\tpmattestation\attesttpm.cpp
api-ms-win-core-psapi-l1-1-0.dll
L$@HcQ
180823202628Z
SignatureEnforcementType
fD94{u
r~akow
System Guard Runtime Monitor Broker Service
PeakWorkingSetSize
NdrServerCallAll
LpacStop
FallbackError
HeapSetInformation
RtlLookupFunctionEntry
EnterCriticalSection
process cannot be null
.CRT$XCU
internal\sdk\inc\wil\resource.h
RtlDllShutdownInProgress
D$(E3
ConvertStringSecurityDescriptorToSecurityDescriptorW
fD9<Hu
[%hs(%hs)]
OctBroker
~0uUH
L$`H;
fA9,Qu
ReportAccessRequestFailureCount
DeviceIoControl failure: CopyFromMemory
QueryPerformanceCounter
message
CallerProcess
ProcessKernelTime
\Sgrm\SgrmAssertions.bin
originatingContextName
A!rZv
effffff
A^A\_^[]
0A_A^_^]
threadId
Protocol failure: GetKernelFieldInfo
CreateThreadpool
string too long
EngHostAttest
ServiceStart
EnclaveControllerShim::CallEnclave
"Microsoft Window
H!|$XH
ServiceStop
DeviceIoControl failure: MapVirtualAddress
Protocol failure: GetNextThread
ErrorMessage
\$ UVWATAUAVAWH
StringFileInfo
%hs(%d) tid(%x) %08X %ws
oK0D$"<
2333333
t$ WAVAWH
.rdata$zETW9
`A_A^_^]
0A_A^A]A\_
HAssertionLogicFailureCount
GetCurrentProcess
?__ExceptionPtrDestroy@@YAXPEAX@Z
api-ms-win-core-handle-l1-1-0.dll
UVWAVAWH
(_^][
L$0E3
CreateEnclave
OctBrokerSvc::InitializeEnclave
?setbuf@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAPEAV12@PEAG_J@Z
UATAUAVAWH
L$8H3
LpacStart
EngHostDestroyAttestationClient
CreateSession
HeapFree
@A_A^A\_^
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
1http://www.microsoft.com/PKI/docs/CPS/default.htm0@
currentContextId
AgentController::ReferenceDeviceObject
A_A^A\_]
T$`I+
T$PE3
Protocol failure: UnmapFile
IsEnclaveTypeSupported
fileName
?__ExceptionPtrRethrow@@YAXPEBX@Z
;D$@t
ExecuteNextAssertionCount
L$@E3
.text$mn
100701213655Z
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
LocalFree
EnclaveWarning
D$8E3
L9o@t
.?AVResultException@wil@@
failureId
TerminateProcess
xA_A^_^][
L$@H3
\$ UVWAVAW
DeviceIoControl failure: MapFile
SessionHandle
PowerUnregisterSuspendResumeNotification
Exception caught in GetSessionReport
8Y`u$H
f9,Au
ncrypt.dll
RegisterServiceCtrlHandlerExW
InitializeConditionVariable
Translation
CorrelationVector
HNativeCallbackCount
A_A^A]A\_^]
.?AVbad_array_new_length@std@@
_o__seh_filter_exe
T$`H+
GetEnvironmentVariableW
Jt~9AKgv
LPAC terminated with non-zero exit code
AgentController::DereferenceDeviceObject
?showmanyc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JXZ
Protocol failure: FreezeThread
BrokerInfo
93}GH
AgentController::InitializeAgent
|$@*s
UWAVH
Not enough room in InputBuffer for MapFile
WilError_02
_o___p___wargv
EventWriteTransfer
/v1.0/Attestation
SystemDrive
SetProcessMitigationPolicy
Microsoft Operations Puerto Rico1'0%
_o__callnewh
EngHostGetSessionReport
OpenThread
EventSetInformation
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
Ehttp://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl0Z
.CRT$XPZ
d$8M;
Reserved3
.CRT$XIAC
EnclaveControllerVsm::CallEnclave
Chttp://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl0a
AgentController::GetNextThread
api-ms-win-core-io-l1-1-0.dll
L$`H3
?sync@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAHXZ
ProductVersion
NdrServerCall2
_c_exit
AOctagonRpcCallback
AgentController::ReadMsr
LuaScriptMajorVersion
?__ExceptionPtrToBool@@YA_NPEBX@Z
D$@E3
.text$x
Protocol failure: CopyFromMemory
SetWaitableTimerEx
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
R!s4Z
T$ E3
DeviceIoControl failure: FreezeThread
OutputDebugStringW
SystemUserTime
api-ms-win-core-processenvironment-l1-1-0.dll
AssertionId
PDNWb
?sputc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAAGG@Z
QuotaNonPagedPoolUsage
__CxxFrameHandler3
ReturnHr
StartServiceCtrlDispatcherW
_o__set_new_mode
H9Qhv#H
EngHostGetRuntimeReport
EngineInitialization
L$HH3
AXH90tbH
.xdata$x
StartupOctagon: ProcessEnableLogging failed
A^_^
.CRT$XIAA
GetModuleHandleW
_o_wcsncpy_s
QuotaPeakNonPagedPoolUsage
@8t$@
A_A^A\_^[]
failureType
Reserved2
api-ms-win-core-registry-l1-1-0.dll
L$PD9
LoadEnclaveImageW
Tbsi_Get_TCG_Log_Ex
8A^_^[
GetRuntimeReport
Windows
H!~(H!~0H!~8H!~@3
SleepConditionVariableCS
.CRT$XLZ
AccessCheck
onecore\amcore\octagon\broker\source\inc\work_queue.h
Microsoft.Windows.Oct.Enclave
SUVWATAVAWH
_o__register_onexit_function
DeviceIoControl failure: ReferenceDriverObject
IsDebuggerPresent
F0A8P
.CRT$XTA
hresult
EventActivityIdControl
.rdata$zETW1
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAAEAV01@H@Z
kernelbase.dll
Agent is already initialized
D$ H;
D$0E3
NCryptGetProperty
SystemTimeToFileTime
unH9A
@A_A^A\
T$PL;
<TNI8(u;@
NativeCallbackReadDirectCount
RtlVirtualUnwind
?_Lock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
RpcServerRegisterIfEx
.idata$2
wsH9Q
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z
SubmitThreadpoolWork
@8,1u
_o__crt_atexit
api-ms-win-core-debug-l1-1-0.dll
x AVH
CreateProcessW
EngHostGetReport
@SVWATAUAVAW
L$@I+
0A_A^_
OriginalFilename
WATAUAVAWH
pA_A^_^]
RaiseFailFastException
Failed to initialize engine. Falling back.
RpcServerUseProtseqEp
DeviceIoControl failure: ThawThread
NCryptCreateClaim
api-ms-win-core-processthreads-l1-1-1.dll
A^_^[]
20180916073521Z0t0:
fD9t]
AssertionFailed
api-ms-win-core-interlocked-l1-1-0.dll
$`2X`F
.tls$
?pbump@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXH@Z
T$pI+
PathStripPathW
l4vBT
D$ L;
LuaEngineMinorVersion
PowerRegisterSuspendResumeNotification
api-ms-win-security-base-l1-1-0.dll
MFi}f
A_A^A]A\_
.CRT$XCA
ShutdownOctagon: SgrmSessionManager EndAllSgrmSessions failed
L$0fD
.CRT$XCAA
.xdata
UpdateProcThreadAttribute
api-ms-win-core-sysinfo-l1-2-0.dll
.gfids
F0A8H
=}n!_
$Microsoft Ireland Operations Limited1
E9V0u
DeviceIoControl failure: UnmapFile
RpcBindingInqAuthClient
ReportResultWriteCount
ReleaseSRWLockShared
\$ UH
OctagonRpcInitialize
fD94Au
TerminateThread
SgrmBroker::SgrmSessionManager::EndSgrmSession
CL$xD
unitedstates.sgrm.microsoft.com
A_A^A\_^[]
.CRT$XTZ
InitializeProcThreadAttributeList
s_GetRuntimeReport
.?AVSafeIntException@utilities@msl@@
x ATAVAWI
SOFTWARE\Microsoft\Windows\CurrentVersion\Sgrm
\$8E3
fD9,Wu
AgentController::DereferenceProcess
ReportSize
H UWAVH
api-ms-win-core-enclave-l1-1-0.dll
SetThreadpoolTimer
AssertionIds
D9yL|
<(mW0Y
%hs(%d)\%hs!%p:
Operating System
fD90t,
HAssertionRecordPassedWriteCount
CreateThread
HostWrapper::GetRuntimeReport
L9{0t#H
u#H9<
UnregisterSense
.00cfg
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
N0L0J
vector<T> too long
O:SYG:SYD:(A;;RC;;;S-1-5-80-1523878533-411328482-2798077809-3098663872-2604013308)
T$8H!\$8
UnhandledExceptionFilter
FreeLibrary
GetModuleHandleExW
FailFast
C@H!CHH!CPH!CX
UVWATAUAVAWH
EventUnregister
H;K`H
NtUpdateWnfStateData
G0A8H
internal\sdk\inc\wil\staging.h
AgentController::GetNextProcess
EngHostNotify
pA^A\_^]
L$8E3
CloseHandle
U0S0Q
T$0E3
PathCchCombineEx
currentContextName
.?AVexception@std@@
EngHostDispatchThread
,xQz8ERGk0aiWQg4XjMdPy0uCRfJ5NLklxMjmx41CYik=0Z
C9fD9?u-
@.reloc
RtlNtStatusToDosErrorNoTeb
@SUVWATAUAVAWH
UVWATAVH
bad array new length
OpenThreadToken
OctBrokerSvc::InitializeAgent
ATAVAWH
NotificationCount
sgrm.microsoft.com
)B]VN
T$pH+
pA_A^A\_^[]
fD94Wu
_o___std_exception_destroy
??1?$basic_iostream@GU?$char_traits@G@std@@@std@@UEAA@XZ
PeakPagefileUsage
CloseThreadpool
GetSystemDirectoryW
RpcServerRegisterAuthInfoW
z.9Wv
VS_VERSION_INFO
CompanyName
Protocol failure: GetProcess
ProcessMemoryTotalAccounting
??0?$basic_ios@GU?$char_traits@G@std@@@std@@IEAA@XZ
AgentController::DereferenceThread
t$ WATAUAVAWH
GetLastError
GetCurrentThreadId
@USVWATAUAVAWH
@A_A^_
}0H+}(H
HttpPost
api-ms-win-core-synch-l1-2-0.dll
?uflow@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAGXZ
D9K(t
failureCount
GetSystemTimeAsFileTime
WaitForThreadpoolTimerCallbacks
A_A^_^]
AuthD
LogHr
A__^[]
H9Ghs
.CRT$XCZ
europe.sgrm.microsoft.com
onecore\amcore\octagon\broker\source\lib\assists.cpp
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z
s_GetSessionCertificate
EnclaveInitialization
RpcBindingInqAuthClientW
\$(H;
GetSessionCertificate
@SVWATAUAVAWH
AUAVAWH
BCryptGenRandom
T$xH+
Failed to unregister wait object
AgentController::MapVirtualAddress
LpacHost::LpacTerminatedCallback
SgrmBroker.exe
D$@HcH
GetSessionReport
currentContextMessage
_o__exit
Exception
MachineId
GetProcessHeap
ProcessUserTime
BrokerError
Sleep
api-ms-win-security-sddl-l1-1-0.dll
SetInformationJobObject
F(Zhe@
GetFileSizeEx
LuaExecutionFailed
RpcServerUnregisterIfEx
@8t$P
fD9>u$H
.CRT$XPA
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
SetUnhandledExceptionFilter
T$(H+
pA_A^A]A\_^]
.data
api-ms-win-core-libraryloader-l1-2-1.dll
nCipher NTS ESN:57F6-C1E0-554C1+0)
ImpersonateAndCheckAccess
IsVsm
D$pL;
u0HcH<H
DeviceIoControl failure: DereferenceDriverObject
t$ UWATAVAWH
api-ms-win-core-timezone-l1-1-0.dll
.?AVtype_info@@
SmartCardKeyCertificate
HAssertionRecordFailedWriteCount
HostWrapper::GetSessionCertificate
HNotificationFailureCount
Windows AIK
A_A^A]A\]
D$ E3
.text
AgentController::MapFile
HTTP Post failed during attestation, part:
_o___p___argc
@SUVWAVAWH
Attestation memory leak
Failed to set waitable timer
HiD$0@B
NdrClientCall3
{ AVH
InitOnceBeginInitialize
H9t$Xt
Assists::_CancelTimer
_o__errno
t$0A_A^A\
L$8H;
T$0H+
memset
_o___stdio_common_vsnprintf_s
RpcServerRegisterAuthInfo
[%hs]
`.rdata
internal\sdk\inc\wil\ResultMacros.h
)Microsoft Root Certificate Authority 20100
.rdata$brc
RegOpenKeyExW
RegCloseKey
DeviceIoControl failure: DereferenceDeviceObject
H9_Hs<
ReleaseSemaphore
AgentController::DereferenceDriverObject
0A_A^A\_]
TelemetryIntervalOverride
Microsoft Windows Publisher0
originatingContextId
Could not copy AudienceUri to param struct
PagefileUsage
\$ UVWAVAWH
GetProcAddress
?__ExceptionPtrCopy@@YAXPEAXPEBX@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
CreateEventExW
DeviceIoControl failure: PurgeReferences
GetSystemTimes
pA^_^
lineNumber
bcrypt.dll
?__ExceptionPtrCurrentException@@YAXPEAX@Z
ProductName
{~`2*
DeleteEnclave

PE Information

Image Base Entry Point Reported Checksum Actual Checksum Minimum OS Version PDB Path Compile Time Import Hash
0x140000000 0x00026a30 0x0004d42c 0x0004d42c 10.0 SgrmBroker.pdb 2043-12-16 13:05:26 7883701e47b5b0153af8d1dc05eb4e03

Version Infos

CompanyName Microsoft Corporation
FileDescription System Guard Runtime Monitor Broker Service
FileVersion 10.0.17763.1 (WinBuild.160101.0800)
InternalName SgrmBroker
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename SgrmBroker.exe
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.17763.1
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x00028b25 0x00028c00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.22
.rdata 0x00029000 0x0002a000 0x0000f544 0x0000f600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.19
.data 0x00038600 0x0003a000 0x000024e8 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 3.21
.pdata 0x00038e00 0x0003d000 0x00001e84 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.24
.rsrc 0x0003ae00 0x0003f000 0x00000548 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.01
.reloc 0x0003b400 0x00040000 0x00000364 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.01

Overlay

Offset 0x0003b800
Size 0x00002b70

Name Offset Size Language Sub-language Entropy File type
MUI 0x0003f480 0x000000c8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.69 None
RT_VERSION 0x0003f0b0 0x000003cc LANG_ENGLISH SUBLANG_ENGLISH_US 3.45 None
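The section table, entry point and overlay offset above are enough to re-check two of the signature hits further down the report (the "entry point outside any mapped section" anomaly and the future compile time) without trusting the tool's verdict. The following is an added example written for this page; it is not sandbox output and not SgrmBroker code. The section values, entry point, overlay offset, compile time and analysis start time are copied from the report as constructed input, and the reading of the 2043 timestamp as a Microsoft reproducible-build hash is the editor's interpretation, not something the report states. With only the strings "Microsoft Root Certificate Authority 2010" and "Microsoft Windows Publisher" to go on, the 0x2b70-byte overlay is most plausibly an embedded Authenticode signature, but the report does not show the security directory, so treat that as an inference.

```python
"""Section-table triage for the PE header values in the report above.

Added example: the section table, entry point, overlay offset and timestamps
are copied from the report as constructed input (nothing is parsed from disk),
and the checks are this editor's re-implementation, not the sandbox's own
signature code.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Section:
    name: str
    raw_addr: int     # file offset of the section's raw data
    virt_addr: int    # RVA where the loader maps it
    virt_size: int
    raw_size: int
    executable: bool  # IMAGE_SCN_MEM_EXECUTE set


# Constructed from the report's Sections table.
SECTIONS = [
    Section(".text",  0x00000400, 0x00001000, 0x00028b25, 0x00028c00, True),
    Section(".rdata", 0x00029000, 0x0002a000, 0x0000f544, 0x0000f600, False),
    Section(".data",  0x00038600, 0x0003a000, 0x000024e8, 0x00000800, False),
    Section(".pdata", 0x00038e00, 0x0003d000, 0x00001e84, 0x00002000, False),
    Section(".rsrc",  0x0003ae00, 0x0003f000, 0x00000548, 0x00000600, False),
    Section(".reloc", 0x0003b400, 0x00040000, 0x00000364, 0x00000400, False),
]
ENTRY_POINT_RVA = 0x00026a30          # "Entry Point" in PE Information
REPORTED_OVERLAY_OFFSET = 0x0003b800  # "Overlay / Offset"
COMPILE_TIME = datetime(2043, 12, 16, 13, 5, 26, tzinfo=timezone.utc)   # "Compile Time"
ANALYSIS_TIME = datetime(2025, 6, 14, 9, 37, 53, tzinfo=timezone.utc)   # "Started"
COMPANY_NAME = "Microsoft Corporation"                                  # Version Infos


def section_for_rva(sections, rva):
    """Section whose mapped range covers rva, or None.

    The loader maps max(VirtualSize, SizeOfRawData) bytes per section, so a
    zero-filled .data tail (VirtualSize > SizeOfRawData) still counts as mapped.
    """
    for s in sections:
        if s.virt_addr <= rva < s.virt_addr + max(s.virt_size, s.raw_size):
            return s
    return None


def rva_to_file_offset(sections, rva):
    """File offset backing rva, or None if the RVA is mapped but not file-backed."""
    s = section_for_rva(sections, rva)
    if s is None or rva - s.virt_addr >= s.raw_size:
        return None
    return s.raw_addr + (rva - s.virt_addr)


def overlay_offset(sections):
    """First file offset past every section's raw data: where an overlay starts."""
    return max(s.raw_addr + s.raw_size for s in sections)


def triage(sections, ep_rva, reported_overlay, compile_time, analysis_time, company):
    """Re-run the 'anomalous binary characteristics' checks by hand.

    Returns a list of finding strings; an empty list means nothing to flag.
    """
    findings = []
    ep = section_for_rva(sections, ep_rva)
    if ep is None:
        findings.append("entry point outside any mapped section")
    elif not ep.executable:
        findings.append(f"entry point in non-executable section {ep.name}")

    computed = overlay_offset(sections)
    if computed != reported_overlay:
        findings.append(f"overlay offset mismatch: computed {computed:#x}, "
                        f"reported {reported_overlay:#x}")

    if compile_time > analysis_time:
        if company == "Microsoft Corporation":
            # Editor's assumption: Windows 10 system binaries are reproducible
            # builds whose TimeDateStamp holds a hash of the image rather than a
            # build time, so a future date is expected and not timestomping.
            findings.append("future timestamp (expected for Microsoft "
                            "reproducible builds; weak signal)")
        else:
            findings.append("future timestamp (possible timestomping)")
    return findings


if __name__ == "__main__":
    ep = section_for_rva(SECTIONS, ENTRY_POINT_RVA)
    print(f"entry point {ENTRY_POINT_RVA:#x} -> {ep.name} "
          f"(file offset {rva_to_file_offset(SECTIONS, ENTRY_POINT_RVA):#x})")
    print(f"overlay starts at {overlay_offset(SECTIONS):#x}")
    for f in triage(SECTIONS, ENTRY_POINT_RVA, REPORTED_OVERLAY_OFFSET,
                    COMPILE_TIME, ANALYSIS_TIME, COMPANY_NAME):
        print("finding:", f)
```

Run against the report's own numbers, the entry point resolves to .text at file offset 0x25e30, the computed end of the last section (.reloc, 0x3b400 + 0x400) equals the reported overlay offset 0x3b800, and the only finding left is the future timestamp with the reproducible-build caveat attached. The max(VirtualSize, SizeOfRawData) rule matters for .data here, whose 0x24e8 virtual bytes are backed by only 0x800 file bytes: an RVA in its zero-initialized tail is mapped but has no file offset, which is normal, not an anomaly.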

Imports

Name Address
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z 0x14002b898
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z 0x14002b8a0
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ 0x14002b8a8
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z 0x14002b8b0
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ 0x14002b8b8
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ 0x14002b8c0
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ 0x14002b8c8
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z 0x14002b8d0
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z 0x14002b8d8
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z 0x14002b8e0
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z 0x14002b8e8
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ 0x14002b8f0
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ 0x14002b8f8
??1?$basic_ios@GU?$char_traits@G@std@@@std@@UEAA@XZ 0x14002b900
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ 0x14002b908
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ 0x14002b910
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ 0x14002b918
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z 0x14002b920
?uncaught_exception@std@@YA_NXZ 0x14002b928
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ 0x14002b930
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ 0x14002b938
?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z 0x14002b940
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z 0x14002b948
?_BADOFF@std@@3_JB 0x14002b950
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ 0x14002b958
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ 0x14002b960
?__ExceptionPtrCurrentException@@YAXPEAX@Z 0x14002b968
?__ExceptionPtrAssign@@YAXPEAXPEBX@Z 0x14002b970
?_Xbad_function_call@std@@YAXXZ 0x14002b978
?_XGetLastError@std@@YAXXZ 0x14002b980
?__ExceptionPtrCopy@@YAXPEAXPEBX@Z 0x14002b988
?__ExceptionPtrRethrow@@YAXPEBX@Z 0x14002b990
?__ExceptionPtrToBool@@YA_NPEBX@Z 0x14002b998
?_Execute_once@std@@YAHAEAUonce_flag@1@P6AHPEAX1PEAPEAX@Z1@Z 0x14002b9a0
?__ExceptionPtrDestroy@@YAXPEAX@Z 0x14002b9a8
??1?$basic_iostream@GU?$char_traits@G@std@@@std@@UEAA@XZ 0x14002b9b0
?__ExceptionPtrCreate@@YAXPEAX@Z 0x14002b9b8
?gbump@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXH@Z 0x14002b9c0
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAAEAV01@H@Z 0x14002b9c8
??0?$basic_iostream@GU?$char_traits@G@std@@@std@@QEAA@PEAV?$basic_streambuf@GU?$char_traits@G@std@@@1@@Z 0x14002b9d0
??0?$basic_ios@GU?$char_traits@G@std@@@std@@IEAA@XZ 0x14002b9d8
??0?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAA@XZ 0x14002b9e0
?sputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAA_JPEBG_J@Z 0x14002b9e8
?imbue@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAXAEBVlocale@2@@Z 0x14002b9f0
?setbuf@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAPEAV12@PEAG_J@Z 0x14002b9f8
?xsgetn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEAG_J@Z 0x14002ba00
?uflow@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAGXZ 0x14002ba08
?showmanyc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JXZ 0x14002ba10
?xsputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEBG_J@Z 0x14002ba18
?sputc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAAGG@Z 0x14002ba20
?_Lock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ 0x14002ba28
?_Unlock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ 0x14002ba30
?_Osfx@?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAXXZ 0x14002ba38
?sync@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAHXZ 0x14002ba40
?setstate@?$basic_ios@GU?$char_traits@G@std@@@std@@QEAAXH_N@Z 0x14002ba48
?flush@?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAAEAV12@XZ 0x14002ba50
??1?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAA@XZ 0x14002ba58
?_Pninc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAPEAGXZ 0x14002ba60
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z 0x14002ba68
?pbump@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXH@Z 0x14002ba70
?_Xlength_error@std@@YAXPEBD@Z 0x14002ba78
Name Address
_initterm_e 0x14002b7c0
_c_exit 0x14002b7c8
_register_thread_local_exe_atexit_callback 0x14002b7d0
_initterm 0x14002b7d8
Name Address
memset 0x14002b7e8
Name Address
_o__get_initial_wide_environment 0x14002b680
_o__initialize_onexit_table 0x14002b688
_o__initialize_wide_environment 0x14002b690
_o__invalid_parameter_noinfo 0x14002b698
_o__invalid_parameter_noinfo_noreturn 0x14002b6a0
_o__purecall 0x14002b6a8
_o__register_onexit_function 0x14002b6b0
_o__seh_filter_exe 0x14002b6b8
_o__set_app_type 0x14002b6c0
_o__set_fmode 0x14002b6c8
_o__set_new_mode 0x14002b6d0
memmove 0x14002b6d8
_o_exit 0x14002b6e0
_o_free 0x14002b6e8
_o_malloc 0x14002b6f0
_o_rand 0x14002b6f8
_o_terminate 0x14002b700
_o_wcscpy_s 0x14002b708
_o_wcsncpy_s 0x14002b710
__C_specific_handler 0x14002b718
_CxxThrowException 0x14002b720
_o__exit 0x14002b728
_o__errno 0x14002b730
_o__crt_atexit 0x14002b738
_o__configure_wide_argv 0x14002b740
_o__configthreadlocale 0x14002b748
_o__cexit 0x14002b750
_o__callnewh 0x14002b758
_o___stdio_common_vswprintf 0x14002b760
_o___stdio_common_vsnprintf_s 0x14002b768
_o___std_exception_destroy 0x14002b770
_o___std_exception_copy 0x14002b778
_o___p__commode 0x14002b780
_o___p___wargv 0x14002b788
_o___p___argc 0x14002b790
__std_terminate 0x14002b798
__CxxFrameHandler3 0x14002b7a0
memcmp 0x14002b7a8
memcpy 0x14002b7b0
Name Address
FreeLibrary 0x14002b2f0
GetModuleHandleW 0x14002b2f8
GetModuleHandleExW 0x14002b300
GetModuleFileNameA 0x14002b308
GetProcAddress 0x14002b310
Name Address
SetEvent 0x14002b4d8
WaitForSingleObjectEx 0x14002b4e0
CreateEventExW 0x14002b4e8
CreateSemaphoreExW 0x14002b4f0
CreateEventW 0x14002b4f8
SetWaitableTimerEx 0x14002b500
ReleaseSemaphore 0x14002b508
InitializeCriticalSectionAndSpinCount 0x14002b510
InitializeCriticalSection 0x14002b518
ResetEvent 0x14002b520
CreateMutexExW 0x14002b528
InitializeCriticalSectionEx 0x14002b530
WaitForSingleObject 0x14002b538
InitializeSRWLock 0x14002b540
DeleteCriticalSection 0x14002b548
EnterCriticalSection 0x14002b550
LeaveCriticalSection 0x14002b558
ReleaseMutex 0x14002b560
ReleaseSRWLockShared 0x14002b568
AcquireSRWLockShared 0x14002b570
ReleaseSRWLockExclusive 0x14002b578
AcquireSRWLockExclusive 0x14002b580
OpenSemaphoreW 0x14002b588
Name Address
GetProcessHeap 0x14002b240
HeapFree 0x14002b248
HeapAlloc 0x14002b250
HeapSetInformation 0x14002b258
Name Address
GetLastError 0x14002b1e0
SetUnhandledExceptionFilter 0x14002b1e8
UnhandledExceptionFilter 0x14002b1f0
RaiseException 0x14002b1f8
SetLastError 0x14002b200
Name Address
GetExitCodeProcess 0x14002b360
InitializeProcThreadAttributeList 0x14002b368
CreateProcessW 0x14002b370
GetCurrentProcessId 0x14002b378
GetCurrentThreadId 0x14002b380
UpdateProcThreadAttribute 0x14002b388
CreateThread 0x14002b390
ExitThread 0x14002b398
GetThreadPriority 0x14002b3a0
OpenThreadToken 0x14002b3a8
GetProcessTimes 0x14002b3b0
OpenThread 0x14002b3b8
ResumeThread 0x14002b3c0
TerminateThread 0x14002b3c8
SetThreadPriority 0x14002b3d0
GetCurrentThread 0x14002b3d8
TerminateProcess 0x14002b3e0
GetCurrentProcess 0x14002b3e8
Name Address
FormatMessageW 0x14002b330
Name Address
DebugBreak 0x14002b178
IsDebuggerPresent 0x14002b180
OutputDebugStringW 0x14002b188
Name Address
CloseHandle 0x14002b230
Name Address
RpcBindingFree 0x14002b0f0
RpcServerUnregisterIfEx 0x14002b0f8
RpcServerRegisterAuthInfoW 0x14002b100
RpcServerRegisterIfEx 0x14002b108
RpcServerUseProtseqEpW 0x14002b110
I_RpcBindingInqLocalClientPID 0x14002b118
RpcRevertToSelf 0x14002b120
RpcBindingUnbind 0x14002b128
RpcBindingBind 0x14002b130
RpcBindingCreateW 0x14002b138
RpcImpersonateClient 0x14002b140
RpcBindingInqAuthClientW 0x14002b148
NdrClientCall3 0x14002b150
NdrServerCall2 0x14002b158
NdrServerCallAll 0x14002b160
RpcStringFreeW 0x14002b168
Name Address
SetServiceStatus 0x14002b868
StartServiceCtrlDispatcherW 0x14002b870
RegisterServiceCtrlHandlerExW 0x14002b878
Name Address
RegisterWaitForSingleObject 0x14002b2c8
UnregisterWait 0x14002b2d0
Name Address
EventActivityIdControl 0x14002b7f8
EventWriteTransfer 0x14002b800
EventSetInformation 0x14002b808
EventUnregister 0x14002b810
EventRegister 0x14002b818
Name Address
InitOnceBeginInitialize 0x14002b598
InitOnceComplete 0x14002b5a0
Sleep 0x14002b5a8
Name Address
OpenProcess 0x14002b3f8
IsProcessorFeaturePresent 0x14002b400
SetProcessMitigationPolicy 0x14002b408
GetThreadTimes 0x14002b410
Name Address
QueryFullProcessImageNameW 0x14002b458
K32GetProcessMemoryInfo 0x14002b460
Name Address
PathStripPathW 0x14002b4c8
Name Address
LocalFree 0x14002b268
LocalAlloc 0x14002b270
Name Address
NtSetInformationProcess 0x14002bac0
Name Address
RtlVirtualUnwind 0x14002b4a8
RtlCaptureContext 0x14002b4b0
RtlLookupFunctionEntry 0x14002b4b8
Name Address
QueryPerformanceFrequency 0x14002b430
QueryPerformanceCounter 0x14002b438
Name Address
GetSystemInfo 0x14002b5d0
GetSystemTime 0x14002b5d8
GetSystemTimeAsFileTime 0x14002b5e0
GetSystemDirectoryW 0x14002b5e8
Name Address
InitializeSListHead 0x14002b280
Name Address
MapGenericMask 0x14002b840
AccessCheck 0x14002b848
Name Address
IsEnclaveTypeSupported 0x14002b198
InitializeEnclave 0x14002b1a0
CreateEnclave 0x14002b1a8
Name Address
SetInformationJobObject 0x14002b2a0
AssignProcessToJobObject 0x14002b2a8
CreateJobObjectW 0x14002b2b0
TerminateJobObject 0x14002b2b8
Name Address
QueryFullProcessImageNameA 0x14002b448
Name Address
SystemTimeToFileTime 0x14002b670
Name Address
GetSystemTimes 0x14002b420
Name Address
WaitForMultipleObjects 0x14002b5b8
CreateWaitableTimerW 0x14002b5c0
Name Address
CreateFileW 0x14002b210
GetFileSizeEx 0x14002b218
ReadFile 0x14002b220
Name Address
RegQueryValueExA 0x14002b470
RegGetValueW 0x14002b478
RegCloseKey 0x14002b480
RegOpenKeyExA 0x14002b488
RegOpenKeyExW 0x14002b490
RegQueryValueExW 0x14002b498
Name Address
DeviceIoControl 0x14002b290
Name Address
VerSetConditionMask 0x14002b5f8
Name Address
VerifyVersionInfoW 0x14002b2e0
Name Address
CallEnclave 0x14002b1b8
LoadEnclaveImageW 0x14002b1c0
DeleteEnclave 0x14002b1c8
TerminateEnclave 0x14002b1d0
Name Address
LoadLibraryW 0x14002b320
Name Address
Tbsi_Get_TCG_Log_Ex 0x14002bad0
Name Address
GetEnvironmentVariableW 0x14002b350
Name Address
NCryptCreateClaim 0x14002ba88
NCryptOpenKey 0x14002ba90
NCryptOpenStorageProvider 0x14002ba98
NCryptSetProperty 0x14002baa0
NCryptGetProperty 0x14002baa8
NCryptFreeObject 0x14002bab0
Name Address
PathCchCombineEx 0x14002b340
Name Address
BCryptGenRandom 0x14002b888
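The "Import Hash" in PE Information is an imphash: the MD5 of the lowercased "dll.function" entries in import-directory order, with the .dll extension stripped. The import tables above have lost their DLL names (each group shows only a "Name Address" header), so the report's value cannot be recomputed from this page. The following added example is the editor's code, not the sandbox's or Microsoft's; it mirrors the pefile get_imphash() algorithm for named and ordinal imports over a constructed import list whose DLL assignments are assumed for illustration. Note that the strings section lists API-set contract names such as api-ms-win-core-synch-l1-2-0.dll; for a binary linked against API sets, those names, not kernel32, are what enter the hash.

```python
"""imphash over a constructed import table.

Added example (editor's code): mirrors the pefile get_imphash() algorithm for
named imports plus a small ordinal table. The import list and its DLL
assignments are assumed for illustration and are not SgrmBroker's real table.
"""
import hashlib

# Ordinal-to-name table for a DLL commonly imported by ordinal (constructed
# sample; pefile ships fuller tables for ws2_32, wsock32 and oleaut32).
ORDINAL_NAMES = {
    "ws2_32": {23: "socket", 52: "gethostbyname", 57: "gethostname"},
}

# Constructed import table in import-directory order. Each entry is a DLL
# name and its imports: a string for a named import, an int for an ordinal.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", ["GetProcAddress", "LoadLibraryW", "GetLastError"]),
    ("api-ms-win-core-synch-l1-2-0.dll", ["WaitForSingleObjectEx"]),
    ("WS2_32.dll", [23, "WSAStartup"]),
]


def normalize_dll(name):
    """Lowercase and strip a .dll/.ocx/.sys extension, as imphash does."""
    name = name.lower()
    stem, dot, ext = name.rpartition(".")
    return stem if dot and ext in ("dll", "ocx", "sys") else name


def import_name(dll_stem, entry):
    """Named import -> lowercase name; ordinal -> table lookup or 'ordN'."""
    if isinstance(entry, int):
        return ORDINAL_NAMES.get(dll_stem, {}).get(entry, f"ord{entry}")
    return entry.lower()


def imphash_string(imports):
    """The comma-joined 'dll.func' list that gets hashed; order is significant."""
    return ",".join(
        f"{normalize_dll(dll)}.{import_name(normalize_dll(dll), entry)}"
        for dll, entries in imports
        for entry in entries
    )


def imphash(imports):
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    print(imphash_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
```

Because the pre-hash string preserves import order, two builds with identical imports in a different order hash differently, which is why imphash is a clustering signal for related samples rather than a stable identity for a program.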


Reports: JSON

Usage


Processing ( 10.97 seconds )

  • 10.275 ProcessMemory
  • 0.679 CAPE
  • 0.008 BehaviorAnalysis
  • 0.007 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.05 seconds )

  • 0.008 ransomware_files
  • 0.005 antianalysis_detectfile
  • 0.005 antiav_detectreg
  • 0.005 ransomware_extensions
  • 0.003 ursnif_behavior
  • 0.002 antiav_detectfile
  • 0.002 browser_security
  • 0.002 infostealer_ftp
  • 0.002 infostealer_im
  • 0.002 poullight_files
  • 0.002 territorial_disputes_sigs
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 disables_system_restore
  • 0.001 azorult_mutexes
  • 0.001 infostealer_bitcoin
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name
  • 0.001 revil_mutexes
  • 0.001 modirat_behavior

Reporting ( 0.01 seconds )

  • 0.005 CAPASummary
  • 0.001 JsonDump

Signatures

The PE file contains a PDB path
pdbpath: SgrmBroker.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
Note: the MSVC runtime's fast-fail path imports SetUnhandledExceptionFilter together with UnhandledExceptionFilter, RtlCaptureContext, RtlLookupFunctionEntry and RtlVirtualUnwind, and all five appear in the imports above, so this hit is consistent with ordinary CRT startup code and is a weak anti-debug indicator on its own.
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 1424 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 59 }']'
Note: E8 00 00 00 00 / 59 is call $+5; pop ecx, the classic get-PC idiom. A single six-byte match is a weak signal, and the report's own dump section below states that no process dumps were collected.
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections
Note: this does not agree with the section table above. The entry point RVA 0x00026a30 lies inside .text (RVA 0x00001000, virtual size 0x00028b25), which is the only section with IMAGE_SCN_MEM_EXECUTE.
Binary compilation timestomping detected
anomaly: Compilation timestamp is in the future
Note: a 2043 compile time is expected for a Windows 10 system binary. Microsoft builds these reproducibly and the PE TimeDateStamp holds a hash of the image rather than a build time, so a future date is not evidence of timestomping by itself; the version resource (10.0.17763.1, Microsoft Corporation) is the better dating signal.

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\OctBroker
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.