Analysis Report · CAPE Sandbox

Analysis

Category	Package	Started	Completed	Duration	Log(s)
FILE	exe	2025-06-10 11:21:25	2025-06-10 11:26:14	289 seconds	Show Analysis Log

2024-11-25 13:37:14,991 [root] INFO: Date set to: 20250610T11:21:24, timeout set to: 200
2025-06-10 12:21:24,025 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8
2025-06-10 12:21:24,025 [root] DEBUG: Storing results at: C:\iDarMfdE
2025-06-10 12:21:24,025 [root] DEBUG: Pipe server name: \\.\PIPE\IMPWOAOm
2025-06-10 12:21:24,025 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-10 12:21:24,025 [root] INFO: analysis running as an admin
2025-06-10 12:21:24,025 [root] INFO: analysis package specified: "exe"
2025-06-10 12:21:24,025 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-10 12:21:25,118 [root] DEBUG: imported analysis package "exe"
2025-06-10 12:21:25,134 [root] DEBUG: initializing analysis package "exe"...
2025-06-10 12:21:25,134 [lib.common.common] INFO: wrapping
2025-06-10 12:21:25,134 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-10 12:21:25,134 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\securekernel.exe
2025-06-10 12:21:25,134 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-10 12:21:25,134 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-10 12:21:25,134 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-10 12:21:25,134 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-10 12:21:25,321 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-10 12:21:25,352 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-10 12:21:25,384 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-10 12:21:25,384 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-10 12:21:25,415 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-10 12:21:25,415 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-10 12:21:25,415 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-10 12:21:25,431 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-10 12:21:25,431 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-10 12:21:25,431 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-10 12:21:25,431 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-10 12:21:25,431 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-10 12:21:25,431 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-10 12:21:25,431 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-10 12:21:25,431 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-10 12:21:25,431 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-10 12:21:25,431 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-10 12:21:25,431 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-10 12:21:36,821 [modules.auxiliary.digisig] DEBUG: File has a valid signature
2025-06-10 12:21:36,837 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-10 12:21:36,837 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-10 12:21:36,837 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-10 12:21:36,837 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-10 12:21:36,837 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-10 12:21:36,837 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-10 12:21:36,837 [modules.auxiliary.disguise] INFO: Disguising GUID to 88063f41-cb09-49fe-8433-82e8a31757b9
2025-06-10 12:21:36,837 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-10 12:21:36,837 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-10 12:21:36,837 [root] DEBUG: attempting to configure 'Human' from data
2025-06-10 12:21:36,837 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-10 12:21:36,837 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-10 12:21:36,837 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-10 12:21:36,837 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-10 12:21:36,837 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-10 12:21:36,837 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-10 12:21:36,837 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-10 12:21:36,837 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-10 12:21:36,837 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-10 12:21:36,837 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-10 12:21:36,837 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-10 12:21:36,837 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-10 12:21:36,837 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-10 12:21:36,853 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-10 12:21:36,868 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini
2025-06-10 12:21:36,868 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-10 12:21:36,884 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\NmhMelLB.dll, loader C:\tmp_gell1p8\bin\TfDuBatI.exe
2025-06-10 12:21:36,946 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\NmhMelLB.dll.
2025-06-10 12:21:37,009 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-10 12:21:37,009 [root] INFO: Disabling sleep skipping.
2025-06-10 12:21:37,009 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-10 12:21:37,009 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-10 12:21:37,024 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-10 12:21:37,024 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-10 12:21:37,024 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 6208, image base 0x00007FF60D500000, stack from 0x0000008EFACF4000-0x0000008EFAD00000
2025-06-10 12:21:37,024 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-10 12:21:37,056 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-10 12:21:37,056 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-10 12:21:37,056 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\NmhMelLB.dll.
2025-06-10 12:21:37,056 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-10 12:21:37,056 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2025-06-10 12:21:42,400 [root] INFO: Restarting WMI Service
2025-06-10 12:21:44,478 [root] DEBUG: package modules.packages.exe does not support configure, ignoring
2025-06-10 12:21:44,478 [root] WARNING: configuration error for package modules.packages.exe: error importing data.packages.exe: No module named 'data.packages'
2025-06-10 12:21:44,478 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-10 12:21:44,540 [lib.api.process] ERROR: Failed to execute process from path "C:\Users\Packager\AppData\Local\Temp\securekernel.exe" with arguments "None" (Error: The %1 application cannot be run in Win32 mode (ERROR_CHILD_NOT_COMPLETE))
2025-06-10 12:21:44,540 [root] INFO: You probably submitted the job with wrong package
Traceback (most recent call last):
  File "C:\ <truncated>

Machine

Name	Label	Manager	Started On	Shutdown On	Route
win10-2	win10-2	KVM	2025-06-10 11:21:25	2025-06-10 11:25:55	none

File Details

File Name	securekernel.exe
File Type	PE32+ executable (GUI) x86-64, for MS Windows
File Size	651304 bytes
MD5	74085de2a967b0c8625f8b5b610677c8
SHA1	0f47fae29672d13293fe1b59c9da34badde02b98
SHA256	d8be9be37be1108b2a3e7eaf990ffe7fd0bb495c244b142c1baf554983e5e5e3 [VT] [MWDB] [Bazaar]
SHA3-384	ed7631630d8cb7d9c88200088fd0d377d01b998c4042f1cf0af5804cc974a693676bd6ee5bb935451e1f3f2f1170c47d
CRC32	E4198458
TLSH	T136D47C13F3A792F9C466C2798A76C726E7B1B456132186CB1290D7792F23AE0273F351
Ssdeep	12288:uOnmqn4ON+6BrT7pULVsA67TuyEX1ZEAbuMb3DPLU9BfRo18Za8B9cmKttttON1G:gk4ON+6BrT7pULVsA6HPsZEAbuMbjLC+
PE	File Strings BinGraph Vba2Graph

VirusTotal (0/77)

Full Results

Engine	Result	Engine	Result	Engine	Result

ShvlLockSparseGpaPageMapping

SkciFinishImageValidation

@.data

SkReleasePushLockShared

SkobDereferenceObject

SVWATAVAWH

L$XD+

KiDebugTrapOrFault

\$`fA;]

L9-^d

KiSegmentNotPresentFault

A0H)G(@

H;\$p

?????????__???????????????????????????????????????????????????????????????????????????;????????????????????G????T??????????S??F??O???????a

x ATAUAWH

ZwSetValueKey

O8H9Y u

ERROR:ServiceNumber not valid = 0x

P@t1D

A_A^A\_^][

L$xE3

H9_0t

)/z?~

tpH;{8rjH

SeQuerySecureBootPlatformManifest

RSAPRIVATEBLOB

L$HE3

D$8L9

TlP0X

RtlFindSetBits

SkAllocateNormalModePool

VslExchangeEntropy

0A_A^A]A\_^[

@8}Xu@

KeInitializeSpinLock

VWAVH

PA_A^A]A\_^[

O0M0K

SkmmMapMdl

Microsoft Corporation

tLL9J

tLH9X(t

memcmp

D$UHk

KeEnterGuardedRegion

0A_A^A]A\]

D$pH;

T$HE3

=TABLu'A

ZwDeleteValueKey

USVWATAUAVAWH

2D$\L

L$0|+L;

fD9u$u

L$0H9q@u

@SUVWAVH

t$@H;

H;C(u

IoQueueWorkItem

@8xPt>H

KiNmiInterrupt

BCryptImportKeyPair

.idata$5

00000000000000000000000000000000000000000000000

L$ VWATAVAWH

RtlAppendUnicodeToString

D$0I;Q0

.pdata

NtQuerySystemInformation

t"H9Q

Microsoft

G8L;B8r

EntropyPoolTriggerReseedForIum

D8mot

KeEnterCriticalRegion

A_A]A\_^][

D:,0u

D$`eH

SkFreeNormalModePool

A^A\_

NT Secure Kernel

D$BfD

ObfDereferenceObject

tRH9X

H9X0u

8A_A^A]A\_^][

???45678??????n0123456789???????????????????????

33333333

w(L+w

???????

ZwOpenKey

t$ WATAVH

L$XE3

RtlSetBit

SUVATAUAVAWH

H;u@r

tJH;Y

Improperly formed scenario ID policy, status code 0x%x

|$(H;

t$(A_A^

8A_A^A\_^[

IoReuseIrp

????????????????????????=??==????

0A^_^

KiSystemCall64

H9XHu

Legal_Policy_Statement

BCeeEF?Mo????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

9|$$u

ShvlUnlockSparseGpaPageMapping

__GSHandlerCheck

@8|$0tC

EtwRegister

RtlRbRemoveNode

9kdvy

0A_A^A\_^

L9@(s

GFA9D>R

D8HPt$I

p WAVAWH

9D$Dt[

PsSetCreateProcessNotifyRoutine

L$0D;

A^A]_

Rsp = 0x

CFGRO$A

ChainingModeGCM

\$`I;

@8w'}

FUNCTBL

Gd9^,v'H

Microsoft Time-Stamp PCA 20100

.text$mn$10

|$(H!t$ E3

H;|$xv

ExAcquireFastMutex

l$(D8d$

R12 = 0x

RtlNtStatusToDosError

111019184142Z

H9|$(t

ffffff

hA_A^A]A\_^][

TRNSZERO

9L$`s

AuthenticAMD

x UAVAWH

L$0A;

XA_A^A]A\_^][

ExReleaseResourceLite

FileDescription

SKRPA

;uPI3

KeLeaveCriticalRegion

%Microsoft Windows Production PCA 2011

tQH9p

H+J H

\$ UVWH

SHA256

JJVVVVdd

)|$@D

E;w(v

I9Z(t

Microsoft Corporation1

UWATAVAWH

M$3B

Microsoft Operations Puerto Rico1&0$

L$@H)

BCryptGenerateSymmetricKey

UUUUUUUUH

A_A^A\_^

Microsoft Time-Stamp PCA 2010

L$hE3

.text$s

L9%?|

AES-GMAC

tGD9#u'9{

e0A_A^]

A_A\_

SkobCreateHandle

10.0.17763.292 (WinBuild.160101.0800)

D$(E3

H9L$8u

RtlInitUnicodeStringEx

SkciQueryImageUniqueID

L$PI+

H;OHt

L+u@L+u

BugCheckParameter1

SvcSkInitSystem

D$`H9\$`u?H9\$hu8L

L$(E3

???????????

.rdata$zETW9

$?<?t

& !

@SVATAUAVAWH

ExpInterlockedPopEntrySList

???????-???????-???????+???????????????????-

UVWAVAWH

L$0E3

(T$pD

L$8H3

A8H)G H

\$PA+

D$THk

SkpsReadPolicyMetadata: TrustletId incorrect: TrustletId = %I64u, Process->TrustletIdentity = %I64u.

A_A^A\_]

100701213655Z

SeLockSubjectContext

BugCheckProgress

Rbp = 0x

9_>:j[

D$`H+D$PH

x_f9u

.rdata$.text

BCryptDecrypt

D$[ L

VendorID

A_A^A]

;L$`r

L$0H!t$ A

Microsoft Windows0

@A_A^A]A\_^[

ExSetTimer

` UAUAWH

0A^A\_

Handle table creation failed with error 0x%x.

SkobReferenceObject

PA_A^A\_^

SkpspMapNormalProcessParameters failed with error 0x%x

Rsi = 0x

.text$x

ExFreePoolWithTag

?????????????????????????????????????????????????????????????????????????????????????????

R!s4Z

T$ E3

RtlClearAllBits

8PP

IoBuildDeviceIoControlRequest

H9A u

??????????????[]???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

L$HH3

????????????-

p;^,r

A^_^

8XPt D

H9\$Hu

tFL9J

]XA;|$

skci.dll

HashDigestLength

L$ E3

???????????????()???????<>?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????-?

.rsrc

D$ H;

D$(I;

t$DE3

BCryptEncrypt

9k|t,

ExIsResourceAcquiredSharedLite

0A_A^_

OriginalFilename

H+F M

BCryptCreateHash

65$do

ExUnsubscribeWnfStateChange

SkpspReadPolicyMetadataCallback: Invalid Etw Policy type

L$HH;

T$X;T$Pv

D$,;D$4

RtlCopyUnicodeString

L$0fD

$Microsoft Ireland Operations Limited1

@8j(u=H

+L$hA;

RtlAppendUnicodeStringToString

0H9=5Q

uLL9pHu

t$8L;

RtlClearBit

t4;t$pwOA;

SecureTimers

SkciQueryImageAuthorID

L$ UVWAVAWH

D9q<u

u"H+5

&6&t]

UVWATAUAVAWH

t@L9J t:Hc

L$8E3

z.9Wv

+D$h;

@8i(t

D$(;D$$v

@SUVWATAUAVAWL

SeCaptureSubjectContext

L!t$(I

^????????????

t@8P0u

e A_A^A]A\]

H!\$(H

BCryptGenRandom

K(I;IH

(D$ f

D!l$ E3

|$$eH

KeGetCurrentProcessorNumberEx

ZwQuerySystemInformation

H9h w

L$peL

D8q0tS

wcscmp

ZwQueryInformationProcess

H!X H!X8H!X

I9vPH

D$ E3

KeLeaveGuardedRegion

.text

D$0f9

@UATAUAVAWH

????????????

@8w'|

.rdata$brc

ExSubscribeWnfStateChange

L9eXL

WAUAVH

L$`E3

A^A]_

A_A^A]A\

KiBoundFault

RtlIntegerToUnicodeString

)T$ H

PAGE$x

s WAVAWH

R9 = 0x

0H;1r

AaAaAaCcCcCcCcDd

LdrSystemDllInitBlock

KeResetEvent

K4f9L$Pu

SkmmReleasePageRestriction

0A_A^A]A\^][

Hc\$0N

e0A_A^A]A\]

.idata$4

u3M9~`t-

;Cpt)H

_invalid_parameter

ATAUAVH

<`u$A

q1{$4

IoAllocateIrp

3E#A#

D$@f9G

t$8;;

H 3O

@USVWAVAWH

__C_specific_handler

ExpInterlockedPushEntrySList

SkmmFreeSecureAllocation

;s8uR

0A_A^A]A\_^]

I0fA+

ShvlSetVpRegisters

D8H2t1

(D$@f

H;h v

D9QHw

D$PD+

ExAcquireResourceSharedLite

|$ AVH

D8ext=3

RtlEnclaveCallDispatchReturn

.text$mn$00

t$ WH

SMK0L

^GAPg

.rsrc$01

A;vPu6H

{ ATAUAWH

A_A^A]A\_^[]

R14 = 0x

D$pE3

H;{ L

IoRegisterPlugPlayNotification

pA_A^A\_^][

A_A^A]

SkIsSecureKernel

D$hH!H

D$@;D$Ls

x 9]P

????????????????????????????????????????????????????????????

@8t$@u

SkpspCaptureUnicodeStringParameter:CapturedString->Buffer = 0x

+,(7K

D9l$0t

_`H9^0t6

L9S0t;L;

L$hI;

H9|$Pt=A

SkciFinalizeSecureImageHash

D$0!t$(H!t$ H

RtlDuplicateUnicodeString

!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~

t*H9U

@8i0t/H

T$HD9f|t

|$P;{ r

------+++???????????????????

D$(H;

Invalid PEB address.

Microsoft Corporation1)0'

H+D$0H;

RtlInitializeBitMap

L$PH3

)T$pD

H9K(u

L$PI;

t$HA_A^A]A\_

SkpsVerifyParentProcess: Parent SD is NULL or size is invalid.

SkpspReadPolicyMetadataCallback: Invalid SVN Policy - duplicate entry

@80tQeH

D$0A:

BOKSH

@A^_^][

ext-ms-win-ntos-ksr-l1-1-0.dll

D$0eH

!(FNA

SeQueryAuthenticationIdToken

u)fD9

QXLX$

WATAVH

D$xH;

ExDeletePagedLookasideList

%jpFa

RtlRbInsertNodeEx

180823202624Z

tGD8v0t4D

(D$`f

SVWAWH

H WATAUAVAWH

TtTtTtUuUuUuUuUuUuWwYy

RtlEnclaveCallDispatch

\$(t;D;

x AVAWD

XA_A^A\_^[

SkAllocatePool

`A_A^A]A\_^]

AARi*

SHA512

LegalCopyright

IofCallDriver

RtlCompareUnicodeStrings

|$@H#

0H9l0

EntropyProvideData

ERROR :Invalid ServiceNumber 0x%x

A_A]]

D$8t6

M0K0I

RtlSetBits

IofCompleteRequest

PsGetProcessCreateTimeQuadPart

KiUserInvertedFunctionTable

D$`L!0L

@A_A^A]A\_^]

Invalid scenario ID policy, status code 0x%x

L$0H3

D$XeH

rdm>ey

KeInitializeMutex

SP800_108_CTR_HMAC

D9:u6

.rdata$zzzdbg

x AVAW

D$8H9Xp

WAVAWH

.rdata

T$(A;

|$XE3

D9a|t.

M9~ht=

TRNSCODE

RtlAnsiStringToUnicodeString

+D$pA

@FUNCTBL

KeGetCurrentThread

SkciFreeImageContext

IBPBD

uy9^|t

BCryptFinishHash

G@L;B(r

pA_A^A]A\_^[

%Microsoft Windows Production PCA 20110

SkpspReadPolicyMetadataCallback: Invalid Etw Policy - duplicate entry

D$`t!

L$ I3

SkciTransferVersionResource

L$ D;

RtlInitUnicodeString

|$xE3

M@H9M

\$8I;

qsort

L$ UVWATAUAVAWH

H!^`H

ExAcquireResourceExclusiveLite

D8HPt8

SkSystemExceptionFilter

f1K>f!G>H

\$HD)l$$

SVWATAUAVAWH

0A_A^A\

ShvlGetVpRegisters

9{ r"H

t$ WATAUAVAW

RtlAvlRemoveNode

H!t$h3

memcpy

H!\$

.idata$3

fD9s&t

261019185142Z0

Ehttp://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z

CreateHeap: Unable to create heap.

SecureCallbacks

SkpSendErrorMessage Status = 0x

IumDebugNumToString

wZD9R

D9c8s+

RtlFindExportedRoutineByName

"Microsoft Window

uDE3

k VWAVH

D#5Ve

SkpspCaptureUnicodeStringParameter:CapturedString->Length = 0x

D8%Xr

00000000000000000000000000000000000000

D$PeH

SkmmReserveMappingAddress

UATAUAVAWH

@8h(u3

ShvlModifySparseSpaPageHostAccess

L9%!|

1http://www.microsoft.com/PKI/docs/CPS/default.htm0@

H 3J

T$PE3

L$@E3

D$0;G

D$xL;

ShvlGetInterceptData

ExRegisterExtension

???_???

Improperly formed scenario ID policy, invalid length or missing termination

KeAcquireSpinLockRaiseToDpc

L$@H3

D$WHk

D$XH;

B0H9B(

D9t$h

T$0t]@

SUVWATAUAWH

UWAVH

A_A^A\

MmMapLockedPagesWithReservedMapping

ChainingMode

Ehttp://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl0Z

D$"D;

RtlFindNextForwardRunClear

SkeCacheInvalidatePage

E0 u)H

Chttp://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl0a

RtlCompareUnicodeString

uFfD9c<u?

D$8L#

qMM.O

T$d;T$(r

Invalid String for Process Parameter.

AWAVAUATSVWU

SkWriteProcessStartEvent

ExCreateCallback

???????????????????????????????????`

@A^_]

A^A\]

MmFreeMappingAddress

ZwQueryValueKey

securekernel.pdb

u!D;ATr

@SUVWATAVAWH

WATAUAVAWH

ProcessParams creation failed with error 0x%x

KeSaveExtendedProcessorState

L$ UH

$`2X`F

PsGetCurrentProcess

MmUnmapReservedMapping

SkpsGetSetContext:LowLimit = 0x

A_A^A]A\_

|$ E3

CngGetFipsAlgorithmMode

AAf9F

SkpBuildReportForSigning: Exception generated with status 0x%x.

I(L+I

.00cfg

SkpspReadPolicyMetadataCallback: Invalid Parent SD Policy - duplicate entry

_wcsicmp

20190116062241.829Z0

@SUVWH

RSAPUBLICBLOB

T$0E3

H;ExuoL

http://www.microsoft.com/windows0

SkmmFreeReservedMapping

ATAVAWH

SkciCompareSigningLevels

9D$ s

D$PrE

CompanyName

D$XHc

D$`I;

C0H%:

@A_A^_

D+t$<E+

D$,;D$4s:H

SkpspReadPolicyMetadataCallback: Invalid Parent SD Policy type

@SVWATAUAVAWH

CC_%x

AccessOffet

D$pA+

ExpInterlockedPopEntrySListEnd

((((( H

x AWI

L$HM;

HA^_^[

x%9|$Xt

<XuAL

B0H%:

191123202624Z0

++++++++++++

BCryptDestroyKey

8T$ht

D$HH3

SkmmUnmapMdl

p WATAWH

MmGetSystemRoutineAddress

{ AVH

ZwCreateKey

RtlGetEnabledExtendedFeatures

)Microsoft Root Certificate Authority 20100

EtwSetInformation

SkobReferenceObjectByHandle

VWATAUAVAWH

0A_A^A]

l$@E3

t$PI#

D$`A+

_wcsnicmp

SkciQueryInformation

A;6r<A

ZwEnumerateKey

PA_A^A]A\_^]

D$0D+

l$ VWAVH

t>@8{

9uwv|M

MmUnmapLockedPages

L$pL;

l$(D;

CentaurHauls

KiNpxNotAvailableFault

L$@D;AT

|hK,_

H9Y0u

R$fA;Z*

SegSs = 0x

BCryptSetProperty

CreateHeap: Unable to allocate and map initial commit VA. Error: 0x%x.

KiXmmException

ATAUAVAWH

UATAVH

D$PE3

KeInitializeEvent

KeQueryUnbiasedInterruptTime

T$hE3

IoAllocateWorkItem

memmove

H9x@|

D$@eH

EFlags = 0x

ShvlEnableVpVtlForPartition

R15 = 0x

250701214655Z0|1

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~

H9X0r

(null)

e A_A^]

D$PL!L$HH

t8HcK

(,X< w

!t$PH

RtlImageNtHeaderEx

H;\$Xs

RtlpFreezeTimeBias

KiGeneralProtectionFault

L9qxt

__ImagePolicyMetadata

ZwEnumerateValueKey

SUBSYS

040904B0

H98ulH

RtlUTF8ToUnicodeN

.rdata$zETW2

H9xxt

T$HH;

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~

ShvlSetPartitionProperty

D9c|t'

229879+4379540

>TABLu

A_A^A]A\_^]

toH9Xxt

KiNpxSegmentOverrunAbort

L!D$PH

x ATAVAW

?'??`???

SkpspReadPolicyMetadataCallback: Invalid capability Policy type

A_A^]

KPt/I

H;uHs

q8z0<

L9P0w

B.reloc

{ ATAVAWH

tRL9J

@USVWAWH

KeGetCurrentIrql

H9q@}

=XbnvE

KiUserExceptionDispatcher

T$PI#

Rdi = 0x

RtlGetPersistedStateLocation

SkciMatchHotPatch

H+H H

SkciCreateSecureImage

@SVWH

VarFileInfo

VWAUAVAWH

?de??????

,$L9o@t

KiFloatingErrorFault

Rbx = 0x

SkciSetCodeIntegrityPolicy

x H9=

IoGetDeviceObjectPointer

IDA;HLr0A;HHs

VWAWH

strnlen

_local_unwind

_vsnwprintf

It$hH

D!e$#

|$0A_A^

SkQuerySystemTime

C0D9c4t

ExAllocateTimer

TebCreate: User page alloc failed.

Thales TSS ESN:98FD-C61E-E6411%0#

ZwClose

ASj3QI

O(H;L$Ht H3L$H3

L9c0tx

$?<?u

L$PE3

VEN_%hx&DEV_%hx

D20I;

A^A]]

8@>mD

D$(D98t

RtlUserThreadStart

:RSDSu(H

{ UAVAWH

BCryptOpenAlgorithmProvider

A_A^A]A\_

L;f(t

SkpspReadPolicyMetadataCallback: Invalid capability policy with value %I64u

RtlPrefixUnicodeString

H9T$`u

KeReleaseMutex

A^A]A\

WXH9Q

RtlNumberOfSetBits

???p??st?f????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????h?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????:????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????%????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? ?????????--?

\$ WH

RtlCompareMemory

MmMapLockedPagesSpecifyCache

A_A]A\

L!|$(H

IumTelemetryProvider

0D9:u*I

x ATAVAWH

SkGetIdkSignatureForData

L$Pu%

L+5]`

|$8tg

0A^_]

ObjectLength

t>LcL$PM

SkpsReadPolicyMetadata: Exception generated with status 0x%x.

Process Exe mapping failed with error 0x%x.

A>$$<

D$hH+

` UAVAWH

????I??l????OOo?????????t??TUu?????z?????????|??!?????????AaIiOoUuUuUuUuUu?Aa????GgGgKkOoOo??j????????????????????????????????????????????????????????????????????????????????????????????????????????????????g???????????????????????????????????????????????????????????????????????????????????????'"?'???????^?

tEE3

A_A^_

L9K0t.H;

Microsoft Corporation1200

H!u8H!u@

PAGEKD

Washington1

D9c|t,

H;t$0

(|$@D

A_A^A\

KiPageFault

H;-)F

D$0H;

RETPOL

R11 = 0x

MinidumpWrite

@A_A^A\_^][

H9X w

tDD9c|t,A

t%H;=

ppxxpp

x AUAVAWH

@8;G8

@USVWATAVAWH

securekernel.exe

SkAcquirePushLockExclusive

Status

SVAVAWH

L$0L;

D$@f#

KeWaitForSingleObject

m4J?T

D8@1u

10.0.17763.292

D$SHk

A_A^A]_^

RtlAvlInsertNodeEx

|$hL;

ExQueryDepthSList

D$8H9D$@t

SkpsReadPolicyMetadata: PolicyMetadata missing either parent SD or parent SD revision.

L$xH;

?????????/???????????????????????????????????????????

????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

D$0E2

H+B(H

L;` r

KiRaiseAssertion

\$ UVWATAUAVAWH

HUVWH

StringFileInfo

t$ WAVAWH

IoQueueWorkItemEx

0A_A^A]A\_

H+5GR

BCryptHashData

s WATAUAVAWH

D$8E2

ExpInterlockedPopEntrySListResume

SkpsIsProcessDebuggingEnabled

KiStackFault

.text$mn

l$ VWAUAVAWH

D$XE3

KeDelayExecutionThread

L$ SH

RtlUnicodeStringToInteger

C,L9D$8u

H9D$Hu/I

H;F t9E

x ATAUAVH

H9pHu

\$0A9X

fD9~8uaeH

SkpsReadPolicyMetadata: Failed to lookup policy metadata, 0x%x.

SUVWATAUAVAWH

ZwLoadDriver

%hs: SkmmGetSecureImageInfo returned 0x%x.

SkpspReadPolicyMetadataCallback: Invalid Parent SD Revision Policy - duplicate entry

fD9u&

H!_ H!_(H!_0L

KeQueryPerformanceCounter

D$0I#T

ext-ms-win-ntos-vmsvc-l1-1-0.dll

` AUAVAWH

SeUnlockSubjectContext

Microsoft Operations Puerto Rico1'0%

H9D$8u

`h````

,X< w

T$@E3

(D$PD

L$`H3

D$@E3

SeSetAuditParameter

pA_A^A\_^

x AVAWL

D8uXu

)I#/H

HeapCommitRoutine:Size is 0.

SkpspReadPolicyMetadataCallback: Invalid SVN Policy type

INITBSS

>http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0

T$8t-I

KiAlignmentFault

HA_A^A]A\_^][

iSHp6

.rdata$zETW1

H9OHu*H

HeapCommitRoutine: Invalid parameters.

MmFreePagesFromMdl

@A_A^A\

KiDivideErrorFault

D$0E9Z|t

L$8H%

H9Z0t

TABLEROZ

|$ UH

M@A+M

A_A^A]_^

ExDeleteResourceLite

L9G0v

?????????????????????????????????????????????????????????????????????????????????????C????E??gHHHh?IILl?N??PPQRRR????

L$@H;

|$ 'ue

?????????

L;q(u

8\$0tDA

IUMDATAPROTECT

D$!E3

SkFreePool

SkciInitialize

u,D8c

T$XA;

|$0A;

@8|$f

ObfReferenceObject

d$`M;

`?_????????????

SkReleasePushLockExclusive

20190116125755Z

PPPPPPPPPPPPPPPP

SkmmMapMdlWithReservedMapping

ALMOSTROZ

t*;C,u%

wcscpy_s

U0S0Q

Microsoft Time-Stamp Service0

D$Pf;

RtlNtStatusToDosErrorNoTeb

@SUVWATAUAVAWH

(L$`D

__GSHandlerCheck_SEH

VS_VERSION_INFO

I;n8t

H99u;H

L$0Lc

x UATAUAVAWH

F`t#I

D$0H9OX

A_A^_^]

f9uHta

SkpspReadPolicyMetadataCallback: Invalid Parent SD Revision Policy type

SkpsGetSetContext:HighLimit = 0x

bsearch

D8n'E

\$AA+

TrustletIdentity

3L$P#

RtlUpcaseUnicodeChar

<Xu]L

__chkstk

vRiche

9IPCAuT

L!t$(H

D$VHk

D$(H!\$

ObReferenceObjectByHandle

L$pE3

ExAllocatePoolWithTag

D$(H9J

ta=UUU

ExEventObjectType

KeRestoreExtendedProcessorState

.data

A_A^A]A\^[

L9t$p

nCipher NTS ESN:57F6-C1E0-554C1+0)

A_A^A]A\_^][

R10 = 0x

H9D$h

Unable to read Policy Metadata with error 0x%x.

memset

SegCs = 0x

ZwUnloadDriver

<XunH

RrRrRrSsSsSs

20190117125755Z0t0:

\$ UVWAVAWH

ProductName

ZwQueryKey

8HPuY@8

9D$pw4

Microsoft Corporation1.0,

u_9_ptZL

dEeEeEeEeEeGgGgGgGgHhHhIiIiIiIiIi??JjKk?LlLlLl??LlNnNnNn???OoOoOo

BCryptDestroyHash

L!l$0A

H98u1H

.idata$6

A_A^_^[

BCryptVerifySignature

ExNotifyCallback

D$`E3

M(I+M H

.tPolicy

KiDoubleFaultAbort

Microsoft Time-Stamp Service

t$`!t$PA

D$XI9

TABLERO

@A_A^_^]

D$HE3

PAGE$s

ExReleasePushLockSharedEx

ExInitializeResourceLite

PA^_^

(D$0H

t$ UWAVH

KeBugCheckEx

FileVersion

1,0*0

ALMOSTRO

ShvlGetPartitionProperty

ExAcquirePushLockSharedEx

?????????+???+???+???+???+???????

L$hH3

RtlQueryRegistryValuesEx

Microsoft Corporation1&0$

H+~ H

SVWAVH

p AWH

@VWATAUAVAWH

1(0&0

180703204550Z

d$pL;

t$ E3

D$\;D$Tt

ExReleasePushLockExclusiveEx

9^|tD

L;|$Ht

UAVAWH

A_A^_

RtlFreeUnicodeString

o(A9w,

T$@eH

D$ A;

<@ukD

SkFwA

D$`H;

)rj;>rfA

SkobCreateObject

|$8@A

A^A]A\

|$@H;

`ZEROPAGE

L$HeH

D6DE3

PAGEDATAZ

ProcessPool creation failed with 0x%x

SkInitializePushLock

xA_A^A]A\_^[]

Ehttp://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt0

hA__^[

A9(u I

t68L$ht

T$HI#

@UVWATAUAVAWH

KsrSkInitSystem

KiInvalidTssFault

L$4H9GXt

CrThA

SkpsGetSetContext:ContextRecord.Rsp = 0x

???"????????????????????????

u)H;E(r#H;E0s

A_A^_^]

L$ USVWATAUAVAWH

fD9t$4t

\SystemRoot\system32\skdumpdef.dll

EtwWriteTransfer

SkpsReadPolicyMetadata

u#fD;

A_A^A\_^

J:2J92J8

(D$ L

RtlTimeFieldsToTime

8\$0t

D$(H+

SVWAVAWH

DbgPrintEx

L+}@I

u D8]Xu

.data$brc

L$pH3

ShvlCompleteIntercept

InternalName

ExInitializePagedLookasideList

RtlUnicodeToUTF8N

L$HtxA

L$0eH

EntropyRegisterSource

nlsdata

BCryptCloseAlgorithmProvider

KeBugCheck

.rsrc$02

L9%C~

6D9g|t A

ZwSetSystemInformation

k VWAUAVAWH

RtlEqualUnicodeString

D9N|t

Rax = 0x

H+T$PH

H9{8u-

ZwDeleteKey

CFGRO

HygonGenuine

IumALPCClient ZwAlpcSendWaitReceivePort failed = 0x

L9L$xI

BCryptGetProperty

{%08lX-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}

PA__^[]

.edata

K>f3O>f#

ExAcquirePushLockExclusiveEx

SeQuerySecureBootPolicyValue

VWATAVAWH

H9XPu

L9R8t

BCryptKeyDerivation

D8J(u-L

"Microsoft Time Source Master Clock0

IumDebugPrintNt

H!|$(A

L$XH3

H9|$Xu

L$0HcL$(J

I0G1-0+

L9o@u

.rdata$zETW0

SkQuerySecureKernelInformation

A_A^A]A\_^

ObSetSecurityObjectByPointer

D9c4u

(E E3

;L$`rsH

H!|$0

GenuineIntel

?Z???Z?K

VSMHIBERNATE

L$x8X9u

d$(E3

@A_A^A]A\^][

r)D;D$ |"H

SeAuditFipsCryptoSelftests

KiMcheckAbort

EtwWrite

cng.sys

`TRNS

<-uV@

?L9cHt

Peb creation failed with error 0x%x.

A0H9A(t

%hs: Exception generated with status 0x%x.

K6f9L$Rt

tQ@8{

RtlCallEnclaveReturn

D$RHk

\$*fA#

<8u4H

ExceptionCode

IoDeleteDevice

BugCheckCode

<6uEA

KiOverflowTrap

KiInvalidOpcodeFault

SkpspFindPolicy

uNH9_PuHH9_0uBH

D$XH9A

SkAcquirePushLockShared

D9g|t

.text$mn$21

!This program cannot be run in DOS mode.

l$ VWAVAW

D9JHt

@A^_^

t<H;j

E9"t~

L$ H#

bsearch_s

x AWD

D9t$$v

D9w|t

ERROR:FcIndex not valid not valid = 0x

A_A^A]A\_^[

Redmond1

>http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0

D$@H)

l$8D+

ExpInterlockedPopEntrySListFault

RSA1A

!D$$H

MmAllocateMappingAddress

3u;I;

Unhandled user-mode exception

r~akow

DeviceID

D$deH

?b????????

D9g|t5D

\$(E3

[@f!G>

Failed to map normal thread = 0x

f;j ul

D$0H!pPH

t*H;C

KeSetEvent

D$8+A

L9Q t

oK0D$"<

isdigit

ExReleaseFastMutex

700WP

]_^[A\A]A^A_

SkciValidateDynamicCodePages

RSDS|

H!_`H

d$pE3

%hs: Looking for PolicyKeySize returns error 0x%x.

d$ E3

??P????

KeReleaseSpinLock

t'H9A

SkmmRestrictPage

IoUnregisterPlugPlayNotificationEx

t+H;_Ht%

t]I9w0uG

D$8E3

A+4$+u

D9f|t

Translation

A_A^A]A\_^]

D$dH+

SkpsGetTrustletCrashdumpKey

LdrInitializeThunk

D$0MDMP

T$0Hi

A;FLr

wcsncmp

D9a4u

ProductVersion

SystemPrng

BCryptSignHash

t$PE3

|$(A_

A;Sdr

PAGECONST

D$xI;

u4L95

t$(H;

D$0H3

` UAUAVH

SkhalpPciBlockUnknownConfigSpaceAccess

tbA9h|t!A

L9t$pt~H

%hs: SkpspFindPolicy returned 0x%x and DebugEnable is %d.

L$ I#

A_A^A\_^[]

Windows

Invalid NormalProcessParameters - Status: 0x%x

thH;5

SkpsReadPolicyMetadata: Owner process verification failed with error 0x%x.

ZEROPAGE

D$0E3

9T$(tI

T$0eH

.idata$2

PAGELK

x AVH

SeReleaseSubjectContext

=CFGRu

_ultow_s

OGrC\

D$xD9l$P

|$PE3

fffff

I9Z0tQA

T$deH

L;uXuyH

Rdx = 0x

@UAVAWH

IoWMIRegistrationControl

H9X0s

@TABLERO

H;C0t

|$8A_A^A\

L$0I;

l$@A_A^_^

H;]HsZ

,LvUwJt8P27U0QnLbfA/rUiAnhneCkcrL1MNqbuMgg7E=0Z

.xdata

tDL;s

K(H+K H

SkciCreateCodeCatalog

I H9J(t

Rip = 0x

R8 = 0x

)L$`D

190726204550Z0p1

0 (P

Operating System

t9@8=[

D;Nhu

N0L0J

RtlAssert

SkeZeroPages

T$ H#

RtlGetVersion

H;L$(v

R13 = 0x

xA_A^_^[]

IoCreateDevice

t$ WATAUAVAWH

@USVWATAUAVAWH

UWAWH

t.HcL$XL

SystemSleepCheckpoint

fffffff

GB9GR

tQwBH

p WATAUAVAWH

rYH;=

f9D$6t

HeapCommitRoutine:No resource.

|$ UAVAWH

%t#A"

H H9J(t

0123456789ABCDEF

L$0H!\$ A

aMicrosoft Windows Exchange VSM (SK side)

t$@H+

t39_@u.

A_A]A\

udu'H

???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

pA_A^A]A\_^]

Rcx = 0x

|$`D9l$Pu:A

D9d$pu

L$@9y

|$0fE

L$8I#

D9d$`

SeReportSecurityEventWithSubCategory

A_A^A]A\]

AccessLength

L$HE;

t+L;z

PsLookupProcessByProcessId

A(H9A t

v???8????|?????n????????????:?????~???????????

\IUM_TRUSTLET_DUMP_SERVER

L9A u

l$hD3

D9L$P

EtwUnregister

@:y2tQD

0A_A^A\_]

H;\$Pr

xA_A^^[

9D$`u

SkciValidateImageData

)D$PD

PE Information

Image Base	Entry Point	Reported Checksum	Actual Checksum	Minimum OS Version	PDB Path	Compile Time	Import Hash	Exported DLL Name
0x140000000	0x000076a0	0x000ac7e0	0x000ac7e0	10.0	securekernel.pdb	2074-11-13 13:51:47	db0403c15a18773f1cbc7ff2f808026d	securekernel.exe

Version Infos

CompanyName	Microsoft Corporation
FileDescription	NT Secure Kernel
FileVersion	10.0.17763.292 (WinBuild.160101.0800)
InternalName	securekernel.exe
LegalCopyright	Â© Microsoft Corporation. All rights reserved.
OriginalFilename	securekernel.exe
ProductName	MicrosoftÂ® WindowsÂ® Operating System
ProductVersion	10.0.17763.292
Translation	0x0409 0x04b0

Sections

Name	RAW Address	Virtual Address	Virtual Size	Size of Raw Data	Characteristics	Entropy
.text	0x00000600	0x00001000	0x00073197	0x00073200	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.41
TRNS	0x00073800	0x00075000	0x00000290	0x00000400	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	3.71
PAGELK	0x00073c00	0x00076000	0x0000036e	0x00000400	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	5.41
ZEROPAGE	0x00000000	0x00077000	0x00001000	0x00000000	IMAGE_SCN_CNT_UNINITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	0.00
TABLERO	0x00000000	0x00078000	0x00001980	0x00000000	IMAGE_SCN_CNT_UNINITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	0.00
.rdata	0x00074000	0x0007a000	0x0000b82a	0x0000ba00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.81
.data	0x0007fa00	0x00086000	0x0000cfc8	0x00003c00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	2.99
.pdata	0x00083600	0x00093000	0x0000441c	0x00004600	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.75
TABLERO	0x00087c00	0x00098000	0x000001e8	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	2.24
ALMOSTRO	0x00087e00	0x00099000	0x000021a0	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	0.29
nlsdata	0x00088000	0x0009c000	0x000128f2	0x00012a00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	1.10
FUNCTBL	0x0009aa00	0x000af000	0x00001810	0x00001a00	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	0.00
CFGRO	0x0009c400	0x000b1000	0x00000008	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	0.08
.rsrc	0x0009c600	0x000b2000	0x00000408	0x00000600	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ	2.46
.reloc	0x0009cc00	0x000b3000	0x000001f4	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_DISCARDABLE\|IMAGE_SCN_MEM_READ	4.87

Overlay

Offset	0x0009ce00
Size	0x00002228

Name	Offset	Size	Language	Sub-language	Entropy	File type
RT_VERSION	0x000b2060	0x000003a8	LANG_ENGLISH	SUBLANG_ENGLISH_US	3.48	None

Imports

Name	Address
SkciInitialize	0x14007a400
SkciQueryInformation	0x14007a408
SkciTransferVersionResource	0x14007a410
SkciValidateDynamicCodePages	0x14007a418
SkciMatchHotPatch	0x14007a420
SkciQueryImageAuthorID	0x14007a428
SkciQueryImageUniqueID	0x14007a430
SkciCompareSigningLevels	0x14007a438
SkciCreateSecureImage	0x14007a440
SkciSetCodeIntegrityPolicy	0x14007a448
SkciCreateCodeCatalog	0x14007a450
SkciFreeImageContext	0x14007a458
SkciFinishImageValidation	0x14007a460
SkciFinalizeSecureImageHash	0x14007a468
SkciValidateImageData	0x14007a470

Name	Address
EntropyPoolTriggerReseedForIum	0x14007a328
BCryptImportKeyPair	0x14007a330
BCryptOpenAlgorithmProvider	0x14007a338
BCryptHashData	0x14007a340
BCryptGenRandom	0x14007a348
EntropyProvideData	0x14007a350
CngGetFipsAlgorithmMode	0x14007a358
SystemPrng	0x14007a360
BCryptDecrypt	0x14007a368
BCryptEncrypt	0x14007a370
BCryptFinishHash	0x14007a378
BCryptDestroyHash	0x14007a380
BCryptCreateHash	0x14007a388
BCryptKeyDerivation	0x14007a390
BCryptGenerateSymmetricKey	0x14007a398
BCryptGetProperty	0x14007a3a0
BCryptSignHash	0x14007a3a8
BCryptDestroyKey	0x14007a3b0
BCryptCloseAlgorithmProvider	0x14007a3b8
BCryptVerifySignature	0x14007a3c0
EntropyRegisterSource	0x14007a3c8
BCryptSetProperty	0x14007a3d0

Name	Address
KsrSkInitSystem	0x14007a3e0

Name	Address
SvcSkInitSystem	0x14007a3f0

Exports

Name	Address	Ordinal
DbgPrintEx	0x140058da0	1
EtwRegister	0x1400518d0	2
EtwSetInformation	0x140051ca8	3
EtwUnregister	0x140051aa8	4
EtwWrite	0x140051f08	5
EtwWriteTransfer	0x140051d88	6
ExAcquireFastMutex	0x140007ecc	7
ExAcquirePushLockExclusiveEx	0x140007ecc	8
ExAcquirePushLockSharedEx	0x140007ecc	9
ExAcquireResourceExclusiveLite	0x140007ecc	10
ExAcquireResourceSharedLite	0x140007ecc	11
ExAllocatePoolWithTag	0x140007ecc	12
ExAllocateTimer	0x140007ecc	13
ExCreateCallback	0x140007ecc	14
ExDeletePagedLookasideList	0x140007ecc	15
ExDeleteResourceLite	0x140007ecc	16
ExEventObjectType	0x140007ecc	17
ExFreePoolWithTag	0x140007ecc	18
ExInitializePagedLookasideList	0x140007ecc	19
ExInitializeResourceLite	0x140007ecc	20
ExIsResourceAcquiredSharedLite	0x140007ecc	21
ExNotifyCallback	0x140007ecc	22
ExQueryDepthSList	0x140007ecc	23
ExRegisterExtension	0x140007ecc	24
ExReleaseFastMutex	0x140007ecc	25
ExReleasePushLockExclusiveEx	0x140007ecc	26
ExReleasePushLockSharedEx	0x140007ecc	27
ExReleaseResourceLite	0x140007ecc	28
ExSetTimer	0x140007ecc	29
ExSubscribeWnfStateChange	0x140007ecc	30
ExUnsubscribeWnfStateChange	0x140007ecc	31
ExpInterlockedPopEntrySList	0x140007ecc	32
ExpInterlockedPushEntrySList	0x140007ecc	33
IoAllocateIrp	0x140007ecc	34
IoAllocateWorkItem	0x140007ecc	35
IoBuildDeviceIoControlRequest	0x140007ecc	36
IoCreateDevice	0x140007ecc	37
IoDeleteDevice	0x140007ecc	38
IoGetDeviceObjectPointer	0x140007ecc	39
IoQueueWorkItem	0x140007ecc	40
IoQueueWorkItemEx	0x140007ecc	41
IoRegisterPlugPlayNotification	0x140007ecc	42
IoReuseIrp	0x140007ecc	43
IoUnregisterPlugPlayNotificationEx	0x140007ecc	44
IoWMIRegistrationControl	0x140007ecc	45
IofCallDriver	0x140007ecc	46
IofCompleteRequest	0x140007ecc	47
IumDebugNumToString	0x140052098	48
IumDebugPrintNt	0x14005082c	49
KeAcquireSpinLockRaiseToDpc	0x140007ecc	50
KeBugCheck	0x140007ecc	51
KeBugCheckEx	0x140007d5c	52
KeDelayExecutionThread	0x140007ecc	53
KeEnterCriticalRegion	0x140007ecc	54
KeEnterGuardedRegion	0x140007ecc	55
KeGetCurrentIrql	0x140001ee0	56
KeGetCurrentProcessorNumberEx	0x14000cfd4	57
KeGetCurrentThread	0x140007ecc	58
KeInitializeEvent	0x140007ecc	59
KeInitializeMutex	0x140007ecc	60
KeInitializeSpinLock	0x140007ecc	61
KeLeaveCriticalRegion	0x140007ecc	62
KeLeaveGuardedRegion	0x140007ecc	63
KeQueryPerformanceCounter	0x140007ecc	64
KeQueryUnbiasedInterruptTime	0x140007ecc	65
KeReleaseMutex	0x140007ecc	66
KeReleaseSpinLock	0x140007ecc	67
KeResetEvent	0x140007ecc	68
KeRestoreExtendedProcessorState	0x140007ecc	69
KeSaveExtendedProcessorState	0x140007ecc	70
KeSetEvent	0x140007ecc	71
KeWaitForSingleObject	0x140007ecc	72
MmAllocateMappingAddress	0x140007ecc	73
MmFreeMappingAddress	0x140007ecc	74
MmFreePagesFromMdl	0x140007ecc	75
MmGetSystemRoutineAddress	0x140007ecc	76
MmMapLockedPagesSpecifyCache	0x140007ecc	77
MmMapLockedPagesWithReservedMapping	0x140007ecc	78
MmUnmapLockedPages	0x140007ecc	79
MmUnmapReservedMapping	0x140007ecc	80
NtQuerySystemInformation	0x140007ecc	81
ObReferenceObjectByHandle	0x140007ecc	82
ObSetSecurityObjectByPointer	0x140007ecc	83
ObfDereferenceObject	0x140007ecc	84
ObfReferenceObject	0x140007ecc	85
PsGetCurrentProcess	0x140007ecc	86
PsGetProcessCreateTimeQuadPart	0x140007ecc	87
PsLookupProcessByProcessId	0x140007ecc	88
PsSetCreateProcessNotifyRoutine	0x140007ecc	89
RtlAnsiStringToUnicodeString	0x140058f8c	90
RtlAppendUnicodeStringToString	0x140059124	91
RtlAppendUnicodeToString	0x140059080	92
RtlAssert	0x140007ecc	93
RtlAvlInsertNodeEx	0x140059418	94
RtlAvlRemoveNode	0x140059528	95
RtlClearAllBits	0x140057f58	96
RtlClearBit	0x140057f38	97
RtlCompareMemory	0x14006b390	98
RtlCompareUnicodeString	0x1400711f0	99
RtlCompareUnicodeStrings	0x1400710b8	100
RtlCopyUnicodeString	0x140007ecc	101
RtlDuplicateUnicodeString	0x140071484	102
RtlEqualUnicodeString	0x140071224	103
RtlFindExportedRoutineByName	0x1400715bc	104
RtlFindNextForwardRunClear	0x140058680	105
RtlFindSetBits	0x140057f8c	106
RtlFreeUnicodeString	0x14007108c	107
RtlGetEnabledExtendedFeatures	0x14005a8d0	108
RtlGetPersistedStateLocation	0x140007ecc	109
RtlGetVersion	0x140071718	110
RtlImageNtHeaderEx	0x14005a8f8	111
RtlInitUnicodeString	0x14005a9d0	112
RtlInitUnicodeStringEx	0x14005aa14	113
RtlInitializeBitMap	0x140057f28	114
RtlIntegerToUnicodeString	0x1400718d8	115
RtlNtStatusToDosError	0x140007ecc	116
RtlNtStatusToDosErrorNoTeb	0x140007ecc	117
RtlNumberOfSetBits	0x1400584e0	118
RtlPrefixUnicodeString	0x140071364	119
RtlQueryRegistryValuesEx	0x140007ecc	120
RtlRbInsertNodeEx	0x1400597f8	121
RtlRbRemoveNode	0x140059c80	122
RtlSetBit	0x140057f48	123
RtlSetBits	0x140058438	124
RtlTimeFieldsToTime	0x14005aa58	125
RtlUTF8ToUnicodeN	0x140071c9c	126
RtlUnicodeStringToInteger	0x140007ecc	127
RtlUnicodeToUTF8N	0x140071954	128
RtlUpcaseUnicodeChar	0x140071030	129
SeAuditFipsCryptoSelftests	0x140007ecc	130
SeCaptureSubjectContext	0x140007ecc	131
SeLockSubjectContext	0x140007ecc	132
SeQueryAuthenticationIdToken	0x140007ecc	133
SeQuerySecureBootPlatformManifest	0x140074044	134
SeQuerySecureBootPolicyValue	0x140073dac	135
SeReleaseSubjectContext	0x140007ecc	136
SeReportSecurityEventWithSubCategory	0x140007ecc	137
SeSetAuditParameter	0x140007ecc	138
SeUnlockSubjectContext	0x140007ecc	139
ShvlCompleteIntercept	0x14001a408	140
ShvlEnableVpVtlForPartition	0x14001a064	141
ShvlGetInterceptData	0x14001a3b0	142
ShvlGetPartitionProperty	0x140019f90	143
ShvlGetVpRegisters	0x14001a1a0	144
ShvlLockSparseGpaPageMapping	0x14001a304	145
ShvlModifySparseSpaPageHostAccess	0x14001a29c	146
ShvlSetPartitionProperty	0x14001a004	147
ShvlSetVpRegisters	0x14001a220	148
ShvlUnlockSparseGpaPageMapping	0x14001a364	149
SkAcquirePushLockExclusive	0x14000d278	150
SkAcquirePushLockShared	0x14000d28c	151
SkAllocateNormalModePool	0x14000d36c	152
SkAllocatePool	0x14000d2f8	153
SkFreeNormalModePool	0x14000d498	154
SkFreePool	0x14000d31c	155
SkGetIdkSignatureForData	0x14000d974	156
SkInitializePushLock	0x14000d26c	157
SkIsSecureKernel	0x140006f04	158
SkQuerySecureKernelInformation	0x14000d004	159
SkQuerySystemTime	0x14000e474	160
SkReleasePushLockExclusive	0x14000d2a0	161
SkReleasePushLockShared	0x14000d2b4	162
SkSystemExceptionFilter	0x14000e458	163
SkeCacheInvalidatePage	0x140068d00	164
SkeZeroPages	0x140068cb0	165
SkmmFreeReservedMapping	0x14001d77c	166
SkmmFreeSecureAllocation	0x14001e2bc	167
SkmmMapMdl	0x14001e870	168
SkmmMapMdlWithReservedMapping	0x14001e928	169
SkmmReleasePageRestriction	0x140022a90	170
SkmmReserveMappingAddress	0x14001d730	171
SkmmRestrictPage	0x140022a3c	172
SkmmUnmapMdl	0x14001e9a4	173
SkobCreateHandle	0x14003febc	174
SkobCreateObject	0x1400407fc	175
SkobDereferenceObject	0x140040984	176
SkobReferenceObject	0x1400408e8	177
SkobReferenceObjectByHandle	0x14003f7cc	178
VslExchangeEntropy	0x140007ecc	179
ZwClose	0x140007ecc	180
ZwCreateKey	0x140007ecc	181
ZwDeleteKey	0x140007ecc	182
ZwDeleteValueKey	0x140007ecc	183
ZwEnumerateKey	0x140007ecc	184
ZwEnumerateValueKey	0x140007ecc	185
ZwLoadDriver	0x140007ecc	186
ZwOpenKey	0x140007ecc	187
ZwQueryInformationProcess	0x140007ecc	188
ZwQueryKey	0x140007ecc	189
ZwQuerySystemInformation	0x140007ecc	190
ZwQueryValueKey	0x140007ecc	191
ZwSetSystemInformation	0x140007ecc	192
ZwSetValueKey	0x140007ecc	193
ZwUnloadDriver	0x140007ecc	194
__C_specific_handler	0x140065fdc	195
__GSHandlerCheck	0x140066218	196
__GSHandlerCheck_SEH	0x1400662a4	197
__chkstk	0x14006c010	198
_invalid_parameter	0x14000e7cc	199
_local_unwind	0x140007ecc	200
_ultow_s	0x140067b1c	201
_vsnwprintf	0x140007ecc	202
_wcsicmp	0x140066338	203
_wcsnicmp	0x14006638c	204
atoi	0x1400663fc	205
atol	0x140066410	206
bsearch	0x140066438	207
bsearch_s	0x140066548	208
isdigit	0x140066664	209
memcmp	0x1400666a0	210
memcpy	0x14006f5c0	211
memmove	0x14006f5c0	212
memset	0x14006f900	213
qsort	0x140066780	214
strnlen	0x140066b34	215
wcscmp	0x140066b54	216
wcscpy_s	0x140067c78	217
wcsncmp	0x140066b90	218

Reports: JSON

Statistics (0.89)

Usage

Processing ( 0.83 seconds )

0.825 CAPE
0.007 AnalysisInfo
0.001 Debug

Signatures ( 0.06 seconds )

0.009 antianalysis_detectfile
0.008 ransomware_files
0.005 antiav_detectreg
0.005 ransomware_extensions
0.003 ursnif_behavior
0.002 antianalysis_detectreg
0.002 antiav_detectfile
0.002 infostealer_ftp
0.002 poullight_files
0.002 territorial_disputes_sigs
0.001 banker_zeus_p2p
0.001 bot_drive
0.001 bot_drive2
0.001 antivm_vbox_files
0.001 antivm_vbox_keys
0.001 geodo_banking_trojan
0.001 browser_security
0.001 disables_backups
0.001 disables_browser_warn
0.001 disables_power_options
0.001 azorult_mutexes
0.001 infostealer_bitcoin
0.001 cryptbot_files
0.001 echelon_files
0.001 infostealer_im
0.001 infostealer_mail
0.001 masquerade_process_name
0.001 revil_mutexes
0.001 modirat_behavior

Reporting ( 0.00 seconds )

0.001 CAPASummary

Signatures

The PE file contains a PDB path

pdbpath: securekernel.pdb

The binary contains an unknown PE section name indicative of packing

unknown section: {'name': 'TRNS', 'raw_address': '0x00073800', 'virtual_address': '0x00075000', 'virtual_size': '0x00000290', 'size_of_data': '0x00000400', 'characteristics': 'IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000020', 'entropy': '3.71'}

unknown section: {'name': 'PAGELK', 'raw_address': '0x00073c00', 'virtual_address': '0x00076000', 'virtual_size': '0x0000036e', 'size_of_data': '0x00000400', 'characteristics': 'IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x60000020', 'entropy': '5.41'}

unknown section: {'name': 'ZEROPAGE', 'raw_address': '0x00000000', 'virtual_address': '0x00077000', 'virtual_size': '0x00001000', 'size_of_data': '0x00000000', 'characteristics': 'IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000080', 'entropy': '0.00'}

unknown section: {'name': 'TABLERO', 'raw_address': '0x00000000', 'virtual_address': '0x00078000', 'virtual_size': '0x00001980', 'size_of_data': '0x00000000', 'characteristics': 'IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000080', 'entropy': '0.00'}

unknown section: {'name': 'TABLERO', 'raw_address': '0x00087c00', 'virtual_address': '0x00098000', 'virtual_size': '0x000001e8', 'size_of_data': '0x00000200', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000040', 'entropy': '2.24'}

unknown section: {'name': 'ALMOSTRO', 'raw_address': '0x00087e00', 'virtual_address': '0x00099000', 'virtual_size': '0x000021a0', 'size_of_data': '0x00000200', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000040', 'entropy': '0.29'}

unknown section: {'name': 'nlsdata', 'raw_address': '0x00088000', 'virtual_address': '0x0009c000', 'virtual_size': '0x000128f2', 'size_of_data': '0x00012a00', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ', 'characteristics_raw': '0x40000040', 'entropy': '1.10'}

unknown section: {'name': 'FUNCTBL', 'raw_address': '0x0009aa00', 'virtual_address': '0x000af000', 'virtual_size': '0x00001810', 'size_of_data': '0x00001a00', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000040', 'entropy': '0.00'}

unknown section: {'name': 'CFGRO', 'raw_address': '0x0009c400', 'virtual_address': '0x000b1000', 'virtual_size': '0x00000008', 'size_of_data': '0x00000200', 'characteristics': 'IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'characteristics_raw': '0xc0000040', 'entropy': '0.08'}

Anomalous binary characteristics

anomaly: Found duplicated section names

anomaly: Entrypoint of binary is located outside of any mapped sections

Binary compilation timestomping detected

anomaly: Compilation timestamp is in the future

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

No results

Sorry! No behavior.

Sorry! No strace.

Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.

Sorry! No dropped files.

Sorry! No process dumps.