Edit tour

Windows Analysis Report
MsSense.exe

Overview

General Information

Sample Name:	MsSense.exe
Analysis ID:	726559
MD5:	407ef0d901d7c8fd97cbe89787fd339f
SHA1:	b5c5e0de8ac8e6626709cb3897066b45c48cb44b
SHA256:	96ff8884cc46792e759def7b3b1d4028cc967922ab9df8c610a3d145abd7152e
Infos:

Detection

Score:	17
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

NDIS Filter Driver detected (likely used to intercept and sniff network traffic)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

PE file contains sections with non-standard names

Binary contains a suspicious time stamp

Sample execution stops while process was sleeping (likely an evasion)

Program does not show much activity (idle)

Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Process Tree

System is w10x64

MsSense.exe (PID: 2388 cmdline: C:\Users\user\Desktop\MsSense.exe MD5: 407EF0D901D7C8FD97CBE89787FD339F)

conhost.exe (PID: 4356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: MsSense.exe

Static PE information: certificate valid

Source: MsSense.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: MsSense.pdbGCTL source: MsSense.exe
Source:	Binary string: MsSense.pdb source: MsSense.exe

Networking

NDIS Filter Driver detected (likely used to intercept and sniff network traffic)

Source: MsSense.exe

Static PE information: Found NDIS imports: FwpmTransactionBegin0, FwpmProviderDeleteByKey0, FwpmFilterAdd0, FwpmEngineClose0, FwpmGetAppIdFromFileName0, FwpmFilterEnum0, FwpmEngineOpen0, FwpmFilterDestroyEnumHandle0, FwpmSubLayerDeleteByKey0, FwpmFreeMemory0, FwpmSubLayerGetByKey0, FwpmSubLayerAdd0, FwpmTransactionCommit0, FwpmProviderGetByKey0, FwpmProviderAdd0, FwpmFilterCreateEnumHandle0, FwpmFilterDeleteByKey0

Source: MsSense.exe

String found in binary or memory: https://dataservice.o365filtering.comhttps://login.windows.netRegexLruCacheRegex

Source: MsSense.exe	Binary or memory string: OriginalFilename vs MsSense.exe
Source: MsSense.exe, 00000000.00000002.509289821.00007FF6739AF000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: \($[1-9][0-9]$)?Failed to sleep on condition variable: m_queueNotEmptyamcore\WCD\Source\inc\SyncQueue.hScanCounteramcore\wcd\source\sensecncproxy\cncwrapper\cncwrapper.cppamcore\wcd\source\common\certificateutils\filecert.cppamcore\wcd\source\common\src\fileutils.cppFileCertGenericEtwConfiguration was not parsed yetamcore\wcd\source\genericetw\src\genericetwconfigurationfactory.cpploggedOnUsersInfoFailed getting logged on usersFileInfoEventCould not read file version infoCould not retrieve file version infoamcore\wcd\source\common\src\versioninfo.cppCompanyNameOriginalFilenameFileDescription\VarFileInfo\Translation\StringFileInfo\%04x%04x\%sVerQueryValue Failed. Can't retrieve version information for the propertyProductNameProductVersionInternalNameRequestSource:Zone.Identifier:$DATA=;propertyName is null(caller: %p) %hs(%d) tid(%x) %08X %ws%hs(%u)\%hs!%p: %hs!%p: SenseDetectedDcLowTypeDefRemediationResultWcd.Data.EnvironmentStateDnsEntityClientManagementEventnull;40SchemaDefCanonicalWcd.Data.LoadImageEventWLDP_WINDOWS_LOCKDOWN_MODE_LOCKEDIpAddressInfoFileReportElementStringNullOrEmpty,0,0.02TestValueCoveragebond.VariantThis is the MD5 hash of the file's contents. For more information on MD5, see: http://en.wikipedia.org/wiki/MD5Wcd.Data.UserInfoScanEventWcd.Data.ScanEventScan result eventUserInfoVariantMicrosoft.ProtectionServices.Entities.Raw.FileReportElementWcd.Data.IpAddressInfoWcd.Data.ResourceResourceGenericEtwPropertyEntityDictionaryScrubberLoad image eventLoadImageEventnull;235bond.SchemaDefMicrosoft.ProtectionServices.Entities.Raw.CoreReportElementCoreReportElementReceivedByClientPartialSuccessWcd.Data.ClientManagementEventevent indicating client management significant occurrenceAbsentInformationSourceTerminatedCacheProcessCreationTimeAfterEventTimeWcd.Data.DnsEntitybond.GUIDGUIDClientCompletedEnvironmentStateUnique identifier of the processWcd.Data.RemediationResultPromptForCredentialsbond.TypeDefSenseDetectedFreeNetworkAvailableCreateProcessEventCreate process eventWcd.Data.CreateProcessEventHashCalculatedByRawAccessGenericEtwPropertyEntityWcd.Data.GenericEtwPropertyEntityCyberEventsBatchWcd.Data.CyberEventsBatchVMContainerIsLockdownModeLocked vs MsSense.exe
Source: MsSense.exe, 00000000.00000002.509289821.00007FF6739AF000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs MsSense.exe
Source: MsSense.exe, 00000000.00000002.509289821.00007FF6739AF000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: TdhGetProperty failed.TdhGetProperty failed Unexpected event property. Skipping the event.The standard error is redirected. Potential back-door activityThe standard output is redirected. Potential back-door activityThe standard input is redirected. Potential back-door activityQueryProcessData::GetProcessParameters failed to query the process parametersQueryProcessData::TryCreate failed to query process dataFailed to retrieve meta-data about an event.Failed to get the buffer size of the event informationFailed with ERROR_NOT_FOUND. This is probably because the event manifest is not registered properly.powershell.execmd.exeControlTrace failed with Called with generic file event that has no registered provider configurationOriginalFileNameOriginalFilePathEventSourceConvertCreateFileEventToGenericEtwEventCheckpointExtensionCalled with generic file event that has no registered rule configurationFileTypeProcessCiMicrosoftApplicationRootAuthorityStateProcessCiMicrosoftRootAuthorityStateProcessCiImageSigningChainStateProcessCiSigningChainStateProcessCiSigningLevelProcessImageOriginalNameFileRemovableMediaFileOnNetworkFileUserNameFileLastWriteTimeFileSha1ProcessSha1ProcessNativePathMimeTypeFileMarkOfTheWebInfoSizeFileMarkOfTheWebInfoFileVolumeSerialNumberFileVolumeModelFileVolumeManufacturer vs MsSense.exe
Source: MsSense.exe, 00000000.00000002.509289821.00007FF6739AF000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: ExpectedOriginalFilename vs MsSense.exe
Source: MsSense.exe, 00000000.00000002.509289821.00007FF6739AF000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: CustomOriginalFilename vs MsSense.exe
Source: MsSense.exe, 00000000.00000002.509289821.00007FF6739AF000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename vs MsSense.exe
Source: MsSense.exe, 00000000.00000002.509289821.00007FF6739AF000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: originalFileNamePropertyName vs MsSense.exe
Source: MsSense.exe, 00000000.00000000.242261461.00007FF673998000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: \($[1-9][0-9]$)?Failed to sleep on condition variable: m_queueNotEmptyamcore\WCD\Source\inc\SyncQueue.hScanCounteramcore\wcd\source\sensecncproxy\cncwrapper\cncwrapper.cppamcore\wcd\source\common\certificateutils\filecert.cppamcore\wcd\source\common\src\fileutils.cppFileCertGenericEtwConfiguration was not parsed yetamcore\wcd\source\genericetw\src\genericetwconfigurationfactory.cpploggedOnUsersInfoFailed getting logged on usersFileInfoEventCould not read file version infoCould not retrieve file version infoamcore\wcd\source\common\src\versioninfo.cppCompanyNameOriginalFilenameFileDescription\VarFileInfo\Translation\StringFileInfo\%04x%04x\%sVerQueryValue Failed. Can't retrieve version information for the propertyProductNameProductVersionInternalNameRequestSource:Zone.Identifier:$DATA=;propertyName is null(caller: %p) %hs(%d) tid(%x) %08X %ws%hs(%u)\%hs!%p: %hs!%p: SenseDetectedDcLowTypeDefRemediationResultWcd.Data.EnvironmentStateDnsEntityClientManagementEventnull;40SchemaDefCanonicalWcd.Data.LoadImageEventWLDP_WINDOWS_LOCKDOWN_MODE_LOCKEDIpAddressInfoFileReportElementStringNullOrEmpty,0,0.02TestValueCoveragebond.VariantThis is the MD5 hash of the file's contents. For more information on MD5, see: http://en.wikipedia.org/wiki/MD5Wcd.Data.UserInfoScanEventWcd.Data.ScanEventScan result eventUserInfoVariantMicrosoft.ProtectionServices.Entities.Raw.FileReportElementWcd.Data.IpAddressInfoWcd.Data.ResourceResourceGenericEtwPropertyEntityDictionaryScrubberLoad image eventLoadImageEventnull;235bond.SchemaDefMicrosoft.ProtectionServices.Entities.Raw.CoreReportElementCoreReportElementReceivedByClientPartialSuccessWcd.Data.ClientManagementEventevent indicating client management significant occurrenceAbsentInformationSourceTerminatedCacheProcessCreationTimeAfterEventTimeWcd.Data.DnsEntitybond.GUIDGUIDClientCompletedEnvironmentStateUnique identifier of the processWcd.Data.RemediationResultPromptForCredentialsbond.TypeDefSenseDetectedFreeNetworkAvailableCreateProcessEventCreate process eventWcd.Data.CreateProcessEventHashCalculatedByRawAccessGenericEtwPropertyEntityWcd.Data.GenericEtwPropertyEntityCyberEventsBatchWcd.Data.CyberEventsBatchVMContainerIsLockdownModeLocked vs MsSense.exe
Source: MsSense.exe, 00000000.00000000.242261461.00007FF673998000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs MsSense.exe
Source: MsSense.exe, 00000000.00000000.242261461.00007FF673998000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: TdhGetProperty failed.TdhGetProperty failed Unexpected event property. Skipping the event.The standard error is redirected. Potential back-door activityThe standard output is redirected. Potential back-door activityThe standard input is redirected. Potential back-door activityQueryProcessData::GetProcessParameters failed to query the process parametersQueryProcessData::TryCreate failed to query process dataFailed to retrieve meta-data about an event.Failed to get the buffer size of the event informationFailed with ERROR_NOT_FOUND. This is probably because the event manifest is not registered properly.powershell.execmd.exeControlTrace failed with Called with generic file event that has no registered provider configurationOriginalFileNameOriginalFilePathEventSourceConvertCreateFileEventToGenericEtwEventCheckpointExtensionCalled with generic file event that has no registered rule configurationFileTypeProcessCiMicrosoftApplicationRootAuthorityStateProcessCiMicrosoftRootAuthorityStateProcessCiImageSigningChainStateProcessCiSigningChainStateProcessCiSigningLevelProcessImageOriginalNameFileRemovableMediaFileOnNetworkFileUserNameFileLastWriteTimeFileSha1ProcessSha1ProcessNativePathMimeTypeFileMarkOfTheWebInfoSizeFileMarkOfTheWebInfoFileVolumeSerialNumberFileVolumeModelFileVolumeManufacturer vs MsSense.exe
Source: MsSense.exe, 00000000.00000000.242261461.00007FF673998000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: ExpectedOriginalFilename vs MsSense.exe
Source: MsSense.exe, 00000000.00000000.242261461.00007FF673998000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: CustomOriginalFilename vs MsSense.exe
Source: MsSense.exe, 00000000.00000000.242261461.00007FF673998000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename vs MsSense.exe
Source: MsSense.exe, 00000000.00000000.242261461.00007FF673998000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: originalFileNamePropertyName vs MsSense.exe
Source: MsSense.exe	Binary or memory string: \($[1-9][0-9]$)?Failed to sleep on condition variable: m_queueNotEmptyamcore\WCD\Source\inc\SyncQueue.hScanCounteramcore\wcd\source\sensecncproxy\cncwrapper\cncwrapper.cppamcore\wcd\source\common\certificateutils\filecert.cppamcore\wcd\source\common\src\fileutils.cppFileCertGenericEtwConfiguration was not parsed yetamcore\wcd\source\genericetw\src\genericetwconfigurationfactory.cpploggedOnUsersInfoFailed getting logged on usersFileInfoEventCould not read file version infoCould not retrieve file version infoamcore\wcd\source\common\src\versioninfo.cppCompanyNameOriginalFilenameFileDescription\VarFileInfo\Translation\StringFileInfo\%04x%04x\%sVerQueryValue Failed. Can't retrieve version information for the propertyProductNameProductVersionInternalNameRequestSource:Zone.Identifier:$DATA=;propertyName is null(caller: %p) %hs(%d) tid(%x) %08X %ws%hs(%u)\%hs!%p: %hs!%p: SenseDetectedDcLowTypeDefRemediationResultWcd.Data.EnvironmentStateDnsEntityClientManagementEventnull;40SchemaDefCanonicalWcd.Data.LoadImageEventWLDP_WINDOWS_LOCKDOWN_MODE_LOCKEDIpAddressInfoFileReportElementStringNullOrEmpty,0,0.02TestValueCoveragebond.VariantThis is the MD5 hash of the file's contents. For more information on MD5, see: http://en.wikipedia.org/wiki/MD5Wcd.Data.UserInfoScanEventWcd.Data.ScanEventScan result eventUserInfoVariantMicrosoft.ProtectionServices.Entities.Raw.FileReportElementWcd.Data.IpAddressInfoWcd.Data.ResourceResourceGenericEtwPropertyEntityDictionaryScrubberLoad image eventLoadImageEventnull;235bond.SchemaDefMicrosoft.ProtectionServices.Entities.Raw.CoreReportElementCoreReportElementReceivedByClientPartialSuccessWcd.Data.ClientManagementEventevent indicating client management significant occurrenceAbsentInformationSourceTerminatedCacheProcessCreationTimeAfterEventTimeWcd.Data.DnsEntitybond.GUIDGUIDClientCompletedEnvironmentStateUnique identifier of the processWcd.Data.RemediationResultPromptForCredentialsbond.TypeDefSenseDetectedFreeNetworkAvailableCreateProcessEventCreate process eventWcd.Data.CreateProcessEventHashCalculatedByRawAccessGenericEtwPropertyEntityWcd.Data.GenericEtwPropertyEntityCyberEventsBatchWcd.Data.CyberEventsBatchVMContainerIsLockdownModeLocked vs MsSense.exe
Source: MsSense.exe	Binary or memory string: OriginalFileName vs MsSense.exe
Source: MsSense.exe	Binary or memory string: TdhGetProperty failed.TdhGetProperty failed Unexpected event property. Skipping the event.The standard error is redirected. Potential back-door activityThe standard output is redirected. Potential back-door activityThe standard input is redirected. Potential back-door activityQueryProcessData::GetProcessParameters failed to query the process parametersQueryProcessData::TryCreate failed to query process dataFailed to retrieve meta-data about an event.Failed to get the buffer size of the event informationFailed with ERROR_NOT_FOUND. This is probably because the event manifest is not registered properly.powershell.execmd.exeControlTrace failed with Called with generic file event that has no registered provider configurationOriginalFileNameOriginalFilePathEventSourceConvertCreateFileEventToGenericEtwEventCheckpointExtensionCalled with generic file event that has no registered rule configurationFileTypeProcessCiMicrosoftApplicationRootAuthorityStateProcessCiMicrosoftRootAuthorityStateProcessCiImageSigningChainStateProcessCiSigningChainStateProcessCiSigningLevelProcessImageOriginalNameFileRemovableMediaFileOnNetworkFileUserNameFileLastWriteTimeFileSha1ProcessSha1ProcessNativePathMimeTypeFileMarkOfTheWebInfoSizeFileMarkOfTheWebInfoFileVolumeSerialNumberFileVolumeModelFileVolumeManufacturer vs MsSense.exe
Source: MsSense.exe	Binary or memory string: ExpectedOriginalFilename vs MsSense.exe
Source: MsSense.exe	Binary or memory string: CustomOriginalFilename vs MsSense.exe
Source: MsSense.exe	Binary or memory string: OriginalFilename vs MsSense.exe
Source: MsSense.exe	Binary or memory string: originalFileNamePropertyName vs MsSense.exe

Source: C:\Users\user\Desktop\MsSense.exe

Section loaded: tellib.dll

Jump to behavior

Source: MsSense.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\MsSense.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\MsSense.exe C:\Users\user\Desktop\MsSense.exe
Source: C:\Users\user\Desktop\MsSense.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4356:120:WilError_01

Source: MsSense.exe	String found in binary or memory: /StopServiceAfterNoParametersFoundFailedhr
Source: MsSense.exe	String found in binary or memory: /StopServiceAfterNoParametersFoundFailedhr

Source: MsSense.exe	Binary string: 1%hsonecore\internal\sdk\inc\wil\opensource/wil/result.hSetup State ChangedOOBE completed. Continue regular service startOOBE is not supported on this OS - continue regular service startFailed to register for OOBE completion. Continue regular service startIgnore setup state registry key, only look at OOBEImageStateSetup StateIMAGE_STATE_COMPLETEIgnoreSetupStateCould not open or create the registry path. Return default valueSeSecurityPrivilegeFailed to aquire security privilegeamcore\wcd\source\common\src\etwutils.cppSeRestorePrivilegeFailed to aquire restore privilegeEtwEventListener Could not apply security setting for ETW session/provider.bad cast\\tsclient\??\UNC\tsclient\\?\UNC\tsclient\Device\Mup\tsclientFailed to expand environment strings in pathFailed to expand environment strings in path after increasing buffer sizeFailed to retrieve IP table][Failed to retrieve PC namea:a$IP callback was already initialized.Failed to register IP adapter callback\temp\systemThe call to CommandLineToArgv has failed " "GetAllUsersProfileDirectory failedSystemDriveFailed to convert security descriptor from PPL SDDL stringamcore\wcd\source\common\src\pathutils.cppGetModuleFileName failed_wsplitpath_s failed_wmakepath_s failedGetDriveNativeMapping has failed since driveRoot is not formatted as a DOS pathGetDriveNativeMapping has failed since there is no volume with the given drive rootKernelbase.dllGetTempPath2WUnable to find GetTempPath2W in kernelbase.dllUnable to get kernelbase.dll base addressUnable to get temp directoryUnable to get Long Path of temp directory, So Returning short path itselfinvalid unordered_map<K, T> keyinvalid string positionFile path exceeds MAX_PATHCould not read the fixed file infoVersionInfo::GetUtcType returned existing UTC type^[0-9]+.[0-9]+.0.0vector<bool> too longalnumalnumalphaalphablankblankcntrlcntrldddigitdigitgraphgraphlowerlowerprintprintpunctpunctspacespacessupperupperwwxdigitxdigit
Source: MsSense.exe	Binary string: OpenProcessToken failedLookupPrivilegeValue failedAdjustTokenPrivileges failedSeBackupPrivilegeSeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeFailed to get process handle. TerminateProcess failed.Failed to extract process creation timeProcess creation time differs from parameter. Canceling terminate of processFailed to terminate processProcess did not end after terminationThe call to CreateToolhelp32Snapshot has failedThe call to Process32First has failedIterating processesThe call to Process32Next has failedEnded the iterating processFailed opening processFailed getting process start timeFound process with same pid but not same start timeCan't convert more than MAXINT charsamcore\WCD\Source\inc\converters.hGetStringValue - Invalid offset valueStorage volume discoveredCould not get IConfiguration interface.\\Device\\Device\QueryDosDeviceW for volume without a drive letter failed\\?\VolumeproductIdvendorIdproductRevisionserialNumberamcore\wcd\source\common\src\volumemap.cppCreateFileW failed for volume %lsSetVolumeHardwareInformation failed - STORAGE_DEVICE_DESCRIPTOR size > 10KBDeviceIoControl failed for volume %lsInvalid storage volume pathGetVolumeInformation failedInvalid drive character$:GetVolumeNameForVolumeMountPoint for driver letter without a volumeQueryDosDevice for volume without a drive letter failed/Failed creating restricted tokenFailed locking fileFailed creating thread attributesFailed verifying original filenameFailed starting processDebugger entry is present in ImageFileExecutionOptionsFailed verifying signatureUnknown exception code Failed to add LPAC capabilitiesSafeCreateProcess about to create processFailed to free environment blockFailed to create restricted tokenSafeCreateProcess concluded pathsFailed initializing thread attribute listFailed to create environment blockFailed to create processFailed to lock binaryFailed to create restricted tokenFailed to create sense sidDynamic code mitigation policy was not set as expected. Setting it nowamcore\wcd\source\common\src\safeprocessutils.cppFailed to verify binary - microsoft signedDynamic code mitigation policy is set as expected.Failed to verify binary - original filenameSetting privilegeFailed to lookup for privilege valueFailed to get process tokenFailed to assign privilegesFailed to adjust token privilegesPrivilege was enabled before and not changedUserPrefixTableCacheamcore\WCD\Source\Common\inc\LruCache.hCan't instantiate LruCache with size 0Failed to create a timerFailed to request an opportunistic lock(oplock) on a fileFailed to open file with FILE_OPEN_REQUIRING_OPLOCK flag. maybe the FS doesn't support oplock. Retry without oplock flagFailed to open file with FILE_OPEN_REQUIRING_OPLOCK flag.Failed to get a file handleFailed opening network oplocked fileFailed to open file. Can't retrieve the MarkOfWebInformationFailed to read from MoW stream. Can't retrieve the MarkOfWebInformationFailed to retrieve the MarOfWeb stream size.GetFileVersionInfoByHandle Failed..F
Source: MsSense.exe	Binary string: JKANDNOTOriginalNormalizedFilePathOfficeFileTypeCollectedData\Temp\Cache\CompressedCollectedData\ScrubMethodInternalFileEventSourceSignatureTypeOprationalStatusReportingStatusScrubTypeInternalImageFileCpuArchitectureOsArchitectureDetectionTypeProcessorArchitectureValueTypeServiceLaunchProtectedLevelRemediationStateDefenderRunningModeAllowSampleCollectionTokenElevationTypeRawTruncationPolicyOsProductTypeProcessEvent should have parent and child processes that are not emptyparent_container_reportpersisted_context_file_reportreg_value_reportunknown_restore_rescanwindows_defender_disablehidden_filecleaning_failure_sample_requestRequiredRequiredOptionalRegistryValuesAsJsonFileRestrictedExtensionsIpJSON_PROTOCOLPRETTY_JSON_PROTOCOLTdhDnsEntityTdhGuid%user_Pictures%%user_RoamingAppData%%user_Favorites%%user_Music%%user_Desktop%%user_Contacts%%user_SkyDriveDocuments%%user_Videos%%user_SkyDrivePictures%%user_Programs%%user_PrintHood%%user_Cookies%%user_UserProgramFilesCommon%%user_SkyDrive%%user_Startup%%user_NetHood%%user_CDBurning%%user_InternetCache%%user_Downloads%%user_UserProgramFiles%%user_History%%user_Documents%%user_Recent%%user_AdminTools%%user_Templates%%user_Temp%%user_Profile%%user_LocalAppData%%user_StartMenu%%user_SentTo%TerminateProcessIdBT_UNAVAILABLEBT_STOP_BASEMODBetweenInGTLTEQAndWcd.Data.RestrictExecutionCommandStatusHpiCommandStatusWcd.Data.HpiCommandStatusStatus of hpi command responseStatus of scan command responseWcd.Data.ScanCommandStatusStatus of restrict execution command responseSenseRequestedExpediteLatencyModeSenseRequestedNormalLatencyModeRequestCredentialsDetectedQuarantineFailed%common_music%%program_filescommon%%common_programs%%systemdrive%%systemwow64%%system_public%%common_templates%%program_filesx86%%common_startmenu%%common_desktop%%common_pictures%%windows%%common_startup%%common_admin_tools%%CDIDLResources%%program_files%%common_documents%%common_video%%system_common%%programdata%lnk_componentnonestream_threatexpensive_filereg_value_report_lofistream_expensive_filesample_only_signaturedll_dependency_reportmap/set<T> too longComplexSearchAndReplaceSimpleSearchAndReplaceInUtf16HKeyUsersHKeyLocalMachineHKeyCurrentConfig\??\UNC\localhost\Admin$\Device\Mup\0:0:0:0:0:0:0:1\\Device\Mup\;LanmanRedirector\;\??\UNC\0:0:0:0:0:0:0:1\Admin$\??\UNC\127.0.0.1\Admin$\??\UNC\localhost\\\0:0:0:0:0:0:0:1\\\::1\\\?\\Device\Mup\localhost\Admin$\\\??\UNC\0:0:0:0:0:0:0:1\\Device\Mup\::1\Admin$\??\\??\UNC\::1\\\127.0.0.1\\Device\Mup\0:0:0:0:0:0:0:1\Admin$\Device\Mup\DfsClient\;\??\UNC\::1\Admin$\??\UNC\127.0.0.1\\Device\Mup\localhost\\Device\Mup\127.0.0.1\\SystemRoot\Device\Mup\::1\\Device\Mup\127.0.0.1\Admin$\\localhost\CloudDefenderGroupPolicyDefenderLocalWorkstationDemoSecCreateFileSecRenamedFile

Source: classification engine

Classification label: clean17.troj.winEXE@2/0@0/0

Source: MsSense.exe

Static file information: File size 6254368 > 1048576

Source: initial sample

Static PE information: Valid certificate with Microsoft Issuer

Source: MsSense.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: MsSense.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: MsSense.exe

Static PE information: certificate valid

Source: MsSense.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x406a00
Source: MsSense.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x163800

Source: MsSense.exe

Static PE information: More than 200 imports for msvcp_win.dll

Source: MsSense.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: MsSense.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: MsSense.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: MsSense.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: MsSense.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: MsSense.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: MsSense.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: MsSense.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: MsSense.pdbGCTL source: MsSense.exe
Source:	Binary string: MsSense.pdb source: MsSense.exe

Source: MsSense.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: MsSense.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: MsSense.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: MsSense.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: MsSense.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: MsSense.exe

Static PE information: section name: .didat

Source: MsSense.exe

Static PE information: 0x8BA02FAC [Fri Mar 25 15:03:08 2044 UTC]

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\MsSense.exe

Code function: 0_2_00007FF6736A9690 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF6736A9690

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Process Injection	1 Network Sniffing	1 System Time Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Timestomp	LSASS Memory	1 Network Sniffing	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
MsSense.exe	0%	ReversingLabs
MsSense.exe	0%	Virustotal	Browse
MsSense.exe	0%	Metadefender	Browse

Source	Detection	Scanner	Label	Link
https://dataservice.o365filtering.comhttps://login.windows.netRegexLruCacheRegex	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://dataservice.o365filtering.comhttps://login.windows.netRegexLruCacheRegex	MsSense.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	726559
Start date and time:	2022-10-20 07:54:43 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	MsSense.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean17.troj.winEXE@2/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 50%) Quality average: 50% Quality standard deviation: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com
Execution Graph export aborted for target MsSense.exe, PID 2388 because there are no executed function
Not all processes where analyzed, report is missing behavior information

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.360206209764343
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	MsSense.exe
File size:	6254368
MD5:	407ef0d901d7c8fd97cbe89787fd339f
SHA1:	b5c5e0de8ac8e6626709cb3897066b45c48cb44b
SHA256:	96ff8884cc46792e759def7b3b1d4028cc967922ab9df8c610a3d145abd7152e
SHA512:	c89adad1a41918df0d4aac68b70e8b878c92b8959c1718e7c4a2ad56ddae31112eb56d49835825c6f6252b212deaaf49ec05eb56d06a85df4e12fc01533e13f1
SSDEEP:	98304:46SiRdnf0yEd0nArywPeh1a8ajRRzWYiB7iOcCeMlJWsO4q:4uRdy0nArywPehkJjRRSYWjtMsq
TLSH:	5456292D62ED02E5E0FAD2BDCA66850BEAB27C554731A3CF0565025E0E37FE48D39B11
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$..u`..&`..&`..&i.\|&...&t..'s..&t..'d..&`..&...&t..'K..&t..'...&t..'I..&t..&d..&t..'a..&t..&a..&t..'a..&Rich`..&...............

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x140118f10
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x8BA02FAC [Fri Mar 25 15:03:08 2044 UTC]
TLS Callbacks:	0x4011ae50, 0x1, 0x4011aeb0, 0x1
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	e8e64f01193c387b7f1adc4b12c55984

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	1/27/2022 11:31:18 AM 1/26/2023 11:31:18 AM
Subject Chain	CN=Microsoft Windows Publisher, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	D5E921FDB3DD72EF8C62BF55A90AD839
Thumbprint SHA-1:	D8EA745878725AC476C31ED46E4AF6B0EAC2A3F9
Thumbprint SHA-256:	769D59284F17122FD06889F9B0F1F819EBE48A5308878FD2D884EF16BA097490
Serial:	330000036B6F36006F23F168B500000000036B

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FEF9D1DBD6Ch
dec eax
add esp, 28h
jmp 00007FEF9D1DB453h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [00487C19h]
jne 00007FEF9D1DB605h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007FEF9D1DB5F5h
ret
dec eax
ror ecx, 10h
jmp 00007FEF9D1DB664h
int3
int3
int3
int3
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
call dword ptr [00303DC1h]
mov ecx, 00000001h
mov dword ptr [00488DFEh], eax
call 00007FEF9D1DBE4Eh
xor ecx, ecx
call dword ptr [00303DE1h]
dec eax
mov ecx, ebx
call dword ptr [00303DD0h]
cmp dword ptr [00488DE1h], 00000000h
jne 00007FEF9D1DB5FCh
mov ecx, 00000001h
call 00007FEF9D1DBE2Ah
call dword ptr [00303FF7h]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [00303FCBh]
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 00000000h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x561950	0x5f4	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x561f44	0x780	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x60e000	0x81e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x5d5000	0x37a28	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x5e7400	0xfb20	.pdata
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x617000	0x74b4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x4a8fa0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x41c448	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x41c330	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x41c470	0x1e80	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x561100	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x40685c	0x406a00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x408000	0x163650	0x163800	False	0.3133165490945851	data	5.149099651908506	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x56c000	0x680d0	0x35800	False	0.12783385660046728	data	4.963870252846412	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x5d5000	0x37a28	0x37c00	False	0.48035926989910316	data	6.338350393407139	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0x60d000	0x198	0x200	False	0.30078125	data	2.610515458444855	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x60e000	0x81e8	0x8200	False	0.19633413461538463	data	3.7133228691402294	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x617000	0x74b4	0x7600	False	0.14009533898305085	data	5.431661484962096	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
MUI	0x6160f8	0xf0	data	English	United States
WEVT_TEMPLATE	0x60e508	0x7bee	data	English	United States
RT_VERSION	0x60e110	0x3f4	data	English	United States

Imports

DLL	Import
msvcp_win.dll	??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z, _Mtx_unlock, _Mtx_lock, ?_Throw_C_error@std@@YAXH@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@I@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ?in_avail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JXZ, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z, ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z, ?imbue@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAA?AVlocale@2@AEBV32@@Z, ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z, ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z, ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z, ?_Syserror_map@std@@YAPEBDH@Z, ?_Winerror_map@std@@YAHH@Z, ?_Winerror_message@std@@YAKKPEADK@Z, ?_Execute_once@std@@YAHAEAUonce_flag@1@P6AHPEAX1PEAPEAX@Z1@Z, ?_Xbad_function_call@std@@YAXXZ, ?always_noconv@codecvt_base@std@@QEBA_NXZ, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ?_Pnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ, ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ, ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z, ?_Gnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ, ?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ, ?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ, ?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEAG@Z, ??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEAM@Z, ??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEAH@Z, ??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEA_J@Z, ?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z, ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z, ?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ, ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAPEAD0PEAH001@Z, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ, ?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, _Cnd_do_broadcast_at_thread_exit, ?bad@ios_base@std@@QEBA_NXZ, ?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z, _Thrd_join, _Thrd_id, ?_Throw_Cpp_error@std@@YAXH@Z, ?__ExceptionPtrAssign@@YAXPEAXPEBX@Z, ?__ExceptionPtrToBool@@YA_NPEBX@Z, ??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEAN@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z, _Mtx_destroy_in_situ, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@M@Z, ??Bios_base@std@@QEBA_NXZ, ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAGXZ, ?_New_Locimp@_Locimp@locale@std@@CAPEAV123@AEBV123@@Z, ?snextc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAGXZ, ?_Xinvalid_argument@std@@YAXPEBD@Z, ?__ExceptionPtrRethrow@@YAXPEBX@Z, ?__ExceptionPtrCurrentException@@YAXPEAX@Z, ?__ExceptionPtrDestroy@@YAXPEAX@Z, ?__ExceptionPtrCopy@@YAXPEAXPEBX@Z, ?__ExceptionPtrCreate@@YAXPEAX@Z, ??0_Locinfo@std@@QEAA@PEBD@Z, ?setf@ios_base@std@@QEAAHHH@Z, ??1?$basic_ostream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ, ?classic@locale@std@@SAAEBV12@XZ, ?id@?$numpunct@D@std@@2V0locale@2@A, ?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ, ?_Incref@facet@locale@std@@UEAAXXZ, ?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ, ??0facet@locale@std@@IEAA@_K@Z, ??1facet@locale@std@@MEAA@XZ, ?is@?$ctype@_W@std@@QEBA_NF_W@Z, ?tolower@?$ctype@_W@std@@QEBA_W_W@Z, ??7ios_base@std@@QEBA_NXZ, ?good@ios_base@std@@QEBA_NXZ, ?fail@ios_base@std@@QEBA_NXZ, ?flags@ios_base@std@@QEBAHXZ, ?width@ios_base@std@@QEBA_JXZ, ?width@ios_base@std@@QEAA_J_J@Z, ?c_str@?$_Yarn@D@std@@QEBAPEBDXZ, ??1?$basic_iostream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z, ??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEAI@Z, ??1?$basic_istream@_WU?$char_traits@_W@std@@@std@@UEAA@XZ, ?imbue@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAXAEBVlocale@2@@Z, ?sync@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAHXZ, ?setbuf@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAPEAV12@PEA_W_J@Z, ?xsputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEB_W_J@Z, ?xsgetn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JPEA_W_J@Z, ?uflow@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAAGXZ, ?showmanyc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MEAA_JXZ, ?_Unlock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ, ?_Lock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAAXXZ, ?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z, ??1?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UEAA@XZ, ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UEAA@XZ, ??0?$basic_iostream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@@Z, ??0?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z, ?_Pninc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAPEA_WXZ, ?setp@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXPEA_W00@Z, ?epptr@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEBAPEA_WXZ, ?setg@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXPEA_W00@Z, ?gbump@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXH@Z, ?egptr@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEBAPEA_WXZ, ?pptr@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEBAPEA_WXZ, ?gptr@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEBAPEA_WXZ, ?eback@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEBAPEA_WXZ, ??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IEAA@XZ, ?fill@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WXZ, ?rdbuf@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBAPEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@2@XZ, ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z, ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ, ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ, ?setp@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXPEA_W0@Z, ?pbase@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEBAPEA_WXZ, ??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAA@XZ, ?tie@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBAPEAV?$basic_ostream@_WU?$char_traits@_W@std@@@2@XZ, ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z, ?sbumpc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAGXZ, ?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z, ?_Ipfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAA_N_N@Z, _Wcsxfrm, ?id@?$collate@_W@std@@2V0locale@2@A, ?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z, ?__ExceptionPtrCopyException@@YAXPEAXPEBX1@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@I@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@K@Z, ??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEA_K@Z, ?id@?$ctype@D@std@@2V0locale@2@A, ?id@?$codecvt@_WDU_Mbstatet@@@std@@2V0locale@2@A, ?imbue@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAA?AVlocale@2@AEBV32@@Z, ?uncaught_exception@std@@YA_NXZ, _Wcscoll, ??Bid@locale@std@@QEAA_KXZ, ?tolower@?$ctype@_W@std@@QEBAPEB_WPEA_WPEB_W@Z, ?toupper@?$ctype@_W@std@@QEBAPEB_WPEA_WPEB_W@Z, ?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, _Query_perf_counter, ?_Xout_of_range@std@@YAXPEBD@Z, ?id@?$ctype@_W@std@@2V0locale@2@A, ?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z, ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ, ??0_Lockit@std@@QEAA@H@Z, ??1_Lockit@std@@QEAA@XZ, _Query_perf_frequency, ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z, ?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ??4?$_Yarn@D@std@@QEAAAEAV01@PEBD@Z, ?_XGetLastError@std@@YAXXZ, ?setf@ios_base@std@@QEAAHH@Z, ??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEA_N@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@G@Z, ?eof@ios_base@std@@QEBA_NXZ, ?__ExceptionPtrCompare@@YA_NPEBX0@Z, ?swap@?$basic_iostream@_WU?$char_traits@_W@std@@@std@@IEAAXAEAV12@@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@H@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@_K@Z, ??1_Locinfo@std@@QEAA@XZ, ??5?$basic_istream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@AEAF@Z, ?_Xbad_alloc@std@@YAXXZ, ?_Xlength_error@std@@YAXPEBD@Z, ?_Random_device@std@@YAIXZ, ?precision@ios_base@std@@QEAA_J_J@Z, ?flags@ios_base@std@@QEAAHH@Z, ?exceptions@ios_base@std@@QEAAXH@Z, ?_Getlconv@_Locinfo@std@@QEBAPEBUlconv@@XZ, ?_Getfalse@_Locinfo@std@@QEBAPEBDXZ, ?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?_Gettrue@_Locinfo@std@@QEBAPEBDXZ, ?narrow@?$ctype@D@std@@QEBADDD@Z, ?_Addfac@_Locimp@locale@std@@AEAAXPEAVfacet@23@_K@Z, ?widen@?$ctype@D@std@@QEBADD@Z, ?tolower@?$ctype@D@std@@QEBADD@Z, ?is@?$ctype@D@std@@QEBA_NFD@Z, ??1?$codecvt@_WDU_Mbstatet@@@std@@MEAA@XZ, ??0?$codecvt@_WDU_Mbstatet@@@std@@QEAA@_K@Z, ?out@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEB_W1AEAPEB_WPEAD3AEAPEAD@Z, ?swap@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IEAAXAEAV12@@Z, ?in@?$codecvt@_WDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEA_W3AEAPEA_W@Z, ?_Getcvt@_Locinfo@std@@QEBA?AU_Cvtvec@@XZ, ??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAA@PEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z, _Xtime_get_ticks, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K@Z, ?getloc@ios_base@std@@QEBA?AVlocale@2@XZ, _Mtx_init_in_situ, _Cnd_timedwait, _Cnd_init_in_situ, ?widen@?$ctype@_W@std@@QEBA_WD@Z, _Cnd_destroy_in_situ, _Cnd_signal, _Mtx_current_owns
api-ms-win-crt-runtime-l1-1-0.dll	_initterm, _c_exit, _register_thread_local_exe_atexit_callback, _initterm_e
api-ms-win-crt-private-l1-1-0.dll	_o__seh_filter_exe, _o__set_app_type, _o__set_fmode, _o__set_new_mode, _o__strnicmp, _o__ui64toa_s, _o__ui64tow_s, _o__unlock_file, _o__wcsicmp, _o__wcsnicmp, _o__wcstod_l, _o__wgetenv_s, _o__wmakepath_s, _o__write, _o__wsopen_s, _o__wsplitpath_s, _o__wtoi, _o__wtoi64, _o_bsearch, _o_calloc, _o_exit, _o_fclose, _o_fflush, _o_fgetc, _o_fgetpos, _o_fputc, _o_fread, _o_free, _o_fsetpos, _o_fwrite, _o_isalpha, _o_isdigit, _o_isspace, _o_iswalpha, _o_iswspace, _o_isxdigit, _o_malloc, _o_pow, _o_qsort, _o_rand, _o_realloc, _o_setvbuf, _o_strerror, _o_strftime, memmove, _o_terminate, _o_tolower, _o_towlower, _o_ungetc, _o_wcscpy_s, _o_wcsftime, _o_wcsncpy_s, _o_wcstok_s, _o_wcstol, _o__register_onexit_function, _o_wcstombs, _o_wcstoul, __C_specific_handler, __CxxFrameHandler3, _CxxThrowException, _o__purecall, _o__malloc_base, _o__lseeki64, _o__lock_file, _o__localtime64, _o__itoa_s, wcschr, _o__isctype_l, _o__invalid_parameter_noinfo_noreturn, _o__invalid_parameter_noinfo, _o__initialize_wide_environment, _o__initialize_onexit_table, _o__i64tow_s, _o__i64toa_s, _o__gmtime64_s, _o__get_stream_buffer_pointers, _o__get_initial_wide_environment, _o__fseeki64, _o__free_locale, _o__free_base, _o__exit, _o__errno, _o__crt_atexit, _o__create_locale, _o__configure_wide_argv, _o__configthreadlocale, _o__close, _o__cexit, _o__callnewh, _o__beginthreadex, _o__atodbl, _o___stdio_common_vswprintf_s, _o___stdio_common_vswprintf, _o___stdio_common_vsprintf_s, _o___stdio_common_vsprintf, _o___stdio_common_vsnwprintf_s, _o___stdio_common_vsnprintf_s, _o___stdio_common_vfprintf, _o___std_type_info_name, _o___std_exception_destroy, _o___std_exception_copy, _o___pctype_func, __std_type_info_hash, strchr, __std_type_info_compare, __RTtypeid, wcsrchr, _o___p__commode, _o___p___wargv, _o___p___argc, _o___acrt_iob_func, __std_terminate, __CxxFrameHandler4, __RTDynamicCast, memchr, memcmp, memcpy
api-ms-win-crt-string-l1-1-0.dll	wcscmp, wcsncmp, strncmp, strnlen, wcsnlen, memset
api-ms-win-core-libraryloader-l1-2-0.dll	GetModuleHandleW, GetModuleHandleExW, GetModuleHandleA, FreeLibrary, GetProcAddress, LoadLibraryExW, GetModuleFileNameA
api-ms-win-core-synch-l1-1-0.dll	InitializeCriticalSectionEx, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, LeaveCriticalSection, ReleaseSRWLockShared, AcquireSRWLockShared, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, TryEnterCriticalSection, SetEvent, ReleaseSemaphore, ResetEvent, CreateEventExW, CreateSemaphoreExW, CreateMutexExW, CreateEventW, EnterCriticalSection, OpenSemaphoreW, WaitForSingleObjectEx, WaitForSingleObject, ReleaseMutex, InitializeCriticalSection
api-ms-win-core-heap-l1-1-0.dll	HeapDestroy, GetProcessHeap, HeapSize, HeapFree, HeapAlloc, HeapReAlloc
api-ms-win-core-errorhandling-l1-1-0.dll	UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetLastError, SetLastError, RaiseException
api-ms-win-core-processthreads-l1-1-0.dll	CreateThread, TerminateProcess, SetThreadPriority, GetCurrentProcessId, GetCurrentProcess, SwitchToThread, GetCurrentThread, GetCurrentThreadId, GetExitCodeProcess, GetProcessId
api-ms-win-core-localization-l1-2-0.dll	FormatMessageW, GetUserPreferredUILanguages, GetSystemPreferredUILanguages
api-ms-win-core-debug-l1-1-0.dll	OutputDebugStringW, DebugBreak, IsDebuggerPresent
api-ms-win-core-handle-l1-1-0.dll	CloseHandle, SetHandleInformation
api-ms-win-eventing-provider-l1-1-0.dll	EventSetInformation, EventRegister, EventActivityIdControl, EventWriteTransfer, EventUnregister
api-ms-win-core-synch-l1-2-0.dll	WaitOnAddress, SleepConditionVariableCS, WakeByAddressSingle, InitOnceBeginInitialize, WakeConditionVariable, InitializeConditionVariable, InitOnceComplete
api-ms-win-core-threadpool-l1-2-0.dll	CloseThreadpoolTimer, CloseThreadpoolWork, SetThreadpoolWait, WaitForThreadpoolWaitCallbacks, IsThreadpoolTimerSet, CreateThreadpool, SetThreadpoolTimer, SetThreadpoolThreadMaximum, TrySubmitThreadpoolCallback, CloseThreadpool, WaitForThreadpoolTimerCallbacks, CreateThreadpoolWait, CreateThreadpoolTimer, CloseThreadpoolWait, SubmitThreadpoolWork, SetThreadpoolThreadMinimum, CreateThreadpoolWork
api-ms-win-core-registry-l1-1-0.dll	RegCreateKeyExW, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExW, RegNotifyChangeKeyValue, RegOpenKeyExW, RegEnumKeyExW, RegSetValueExW, RegGetValueW
api-ms-win-core-kernel32-legacy-l1-1-0.dll	UnregisterWait, GetComputerNameW, RegisterWaitForSingleObject
api-ms-win-service-core-l1-1-0.dll	RegisterServiceCtrlHandlerExW, SetServiceStatus, StartServiceCtrlDispatcherW
api-ms-win-oobe-notification-l1-1-0.dll	UnregisterWaitUntilOOBECompleted, RegisterWaitUntilOOBECompleted
api-ms-win-core-rtlsupport-l1-1-0.dll	RtlLookupFunctionEntry, RtlCaptureContext, RtlVirtualUnwind
api-ms-win-core-processthreads-l1-1-1.dll	IsProcessorFeaturePresent
api-ms-win-core-profile-l1-1-0.dll	QueryPerformanceCounter
api-ms-win-core-sysinfo-l1-1-0.dll	GetSystemTimeAsFileTime, GetSystemTime, GetTickCount64, GetSystemDirectoryW, GetSystemInfo
api-ms-win-core-interlocked-l1-1-0.dll	InitializeSListHead, InterlockedPushEntrySList
api-ms-win-core-com-l1-1-0.dll	CoIncrementMTAUsage, CoGetObjectContext
USER32.dll	RegisterDeviceNotificationW, UnregisterDeviceNotification
WS2_32.dll	GetNameInfoW, InetNtopW, WSAGetLastError, WSAStartup, WSACleanup
api-ms-win-core-path-l1-1-0.dll	PathCchCombine
ntdll.dll	ZwQueryEaFile, NtOpenFile, RtlInitUnicodeString, RtlCreateUnicodeString, NtDeleteValueKey, RtlFreeUnicodeString, VerSetConditionMask, NtQuerySystemInformation, RtlIpv4AddressToStringExW, RtlNtStatusToDosError, RtlQueryImageMitigationPolicy, NtSetInformationProcess, NtQueryInformationProcess, RtlIpv6AddressToStringExW, RtlIpv4AddressToStringW, NtDeleteKey, RtlUnsubscribeWnfNotificationWaitForCompletion, RtlSubscribeWnfStateChangeNotification, NtQueryWnfStateData, RtlEthernetStringToAddressW, RtlIpv6AddressToStringW, RtlIpv4StringToAddressExW
RPCRT4.dll	RpcExceptionFilter, RpcBindingFromStringBindingW, RpcStringBindingComposeW, RpcBindingFree, UuidCompare, UuidHash, UuidFromStringW, UuidCreate, RpcStringFreeW, UuidToStringW, NdrClientCall3
bcrypt.dll	BCryptDestroyKey, BCryptDestroyHash, BCryptCloseAlgorithmProvider, BCryptFinishHash, BCryptOpenAlgorithmProvider, BCryptHashData, BCryptCreateHash, BCryptGetProperty, BCryptVerifySignature
KERNEL32.dll	CompareFileTime, DeleteFileW, SetFilePointerEx, MoveFileExW, CopyFileW, GetPackageFullName, FlushFileBuffers, QueryPerformanceFrequency, GetEnvironmentVariableW, WideCharToMultiByte, SetProcessMitigationPolicy, DuplicateHandle, ReadProcessMemory, GetProcessTimes, CancelIo, UnregisterWaitEx, GetOverlappedResultEx, GetFileSize, InitializeProcThreadAttributeList, UpdateProcThreadAttribute, DeleteProcThreadAttributeList, GetFileInformationByHandle, WerRegisterCustomMetadata, GetFileSizeEx, GetFileAttributesW, FindClose, GetDriveTypeW, FindNextVolumeW, GetVolumePathNamesForVolumeNameW, FindVolumeClose, FindNextFileW, WriteFile, RemoveDirectoryW, SetEndOfFile, MultiByteToWideChar, GetVolumeNameForVolumeMountPointW, K32GetMappedFileNameW, WTSGetActiveConsoleSessionId, InstallELAMCertificateInfo, CreateDirectoryW, ReadFile, GetFileInformationByHandleEx, CreateFileW, DeviceIoControl, FindFirstVolumeW, GetVolumeInformationW, QueryDosDeviceW, QueryFullProcessImageNameW, Process32FirstW, Process32NextW, CreateToolhelp32Snapshot, OpenProcess, VerifyVersionInfoW, GetVersionExW, GetProcessMitigationPolicy, GetProductInfo, GetTempFileNameW, LocalFree, GetWindowsDirectoryW, GetComputerNameExW, GetTempPathW, GetModuleFileNameW, ExpandEnvironmentStringsW, GetLongPathNameW, GetLogicalDrives, FindFirstFileW, Sleep
ADVAPI32.dll	QueryServiceConfig2W, GetSecurityDescriptorLength, StopTraceW, AuditSetSystemPolicy, ChangeServiceConfig2W, QueryServiceConfigW, RevertToSelf, ImpersonateLoggedOnUser, LogonUserW, CreateRestrictedToken, LookupAccountSidW, LookupAccountNameW, GetSidSubAuthorityCount, ConvertSidToStringSidW, GetTokenInformation, FreeSid, CreateProcessAsUserW, LookupPrivilegeValueW, AdjustTokenPrivileges, EqualSid, GetSidSubAuthority, ChangeServiceConfigW, ConvertStringSidToSidW, IsValidSid, OpenProcessToken, GetLengthSid, DuplicateTokenEx, DestroyPrivateObjectSecurity, ConvertStringSecurityDescriptorToSecurityDescriptorW
USERENV.dll	CreateEnvironmentBlock, ExpandEnvironmentStringsForUserW, DestroyEnvironmentBlock, CreateAppContainerProfile, DeleteAppContainerProfile, GetProfilesDirectoryW, GetAllUsersProfileDirectoryW
api-ms-win-security-isolatedcontainer-l1-1-1.dll	IsProcessInWDAGContainer
Wldp.dll	WldpQueryWindowsLockdownMode
msi.dll
winipcfile.dll
VERSION.dll	VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeExW, GetFileVersionInfoSizeW
urlmon.dll	FindMimeFromData
NETAPI32.dll	NetGetJoinInformation, NetFreeAadJoinInformation, NetGetAadJoinInformation, NetApiBufferFree, NetUserEnum
TelLib.dll	TelLib_EventWrite, TelLib_SetNetworkActivityCallback, TelLib_SetDiskActivityCallback, TelLib_SetUploadFailedCallback, TelLib_SetAgentConnectivityCallback, TelLib_Initialize2, TelLib_Initialize, TelLib_SetBandwidthExceededChangedCallback, TelLib_SetCustomRequestFieldCallback, TelLib_Cleanup, TelLib_ForceUpload, TelLib_SetDailyUploadQuota, TelLib_SetDiskQuota, TelLib_SetProxyInfo, TelLib_SetUploadUrls, TelLib_SetTenantToken, TelLib_SetBatteryState, TelLib_SetNetworkState, TelLib_SetConnectedStandby, TelLib_SetTimerValue, TelLib_SetGeneralQuietMode
api-ms-win-crt-time-l1-1-0.dll	_time64
IPHLPAPI.DLL	NotifyUnicastIpAddressChange, GetUnicastIpAddressTable, CancelMibChangeNotify2, GetUnicastIpAddressEntry, FreeMibTable, GetIfEntry2, NotifyIpInterfaceChange, GetAdaptersAddresses, GetIpNetTable2
api-ms-win-core-version-private-l1-1-0.dll	GetFileVersionInfoByHandle
api-ms-win-core-shlwapi-legacy-l1-1-0.dll	PathFindFileNameW, PathFileExistsW, PathFindExtensionW
api-ms-win-core-xstate-l2-1-0.dll	GetEnabledXStateFeatures
CRYPT32.dll	CryptBinaryToStringW, CertCreateSelfSignCertificate, CertStrToNameW, CryptUnprotectMemory, CertCreateCertificateContext, CryptDecodeObjectEx, CryptImportPublicKeyInfoEx2, CryptBinaryToStringA, CertGetCertificateContextProperty, CertFreeCertificateContext, CertVerifyCertificateChainPolicy, CertGetNameStringW, CertGetCertificateChain, CryptStringToBinaryW, CertFindExtension, CryptImportPublicKeyInfo, CertOpenStore, CertFindCertificateInStore, CertFreeCertificateChain, CertAddCertificateContextToStore, CertCloseStore
api-ms-win-power-setting-l1-1-0.dll	PowerSettingUnregisterNotification, PowerSettingRegisterNotification
api-ms-win-power-base-l1-1-0.dll	PowerUnregisterSuspendResumeNotification, PowerRegisterSuspendResumeNotification
api-ms-win-core-io-l1-1-0.dll	CreateIoCompletionPort, GetQueuedCompletionStatus, GetOverlappedResult
api-ms-win-core-job-l2-1-0.dll	QueryInformationJobObject, AssignProcessToJobObject, SetInformationJobObject, CreateJobObjectW
api-ms-win-core-job-l1-1-0.dll	IsProcessInJob
api-ms-win-core-libraryloader-l1-2-1.dll	LoadLibraryW
api-ms-win-core-realtime-l1-1-0.dll	QueryThreadCycleTime, QueryProcessCycleTime
api-ms-win-eventing-controller-l1-1-0.dll	EventAccessRemove, StartTraceW, EnableTraceEx2, EventAccessControl, ControlTraceW, EnumerateTraceGuidsEx
api-ms-win-eventing-consumer-l1-1-0.dll	ProcessTrace, CloseTrace, OpenTraceW
api-ms-win-core-synch-l1-2-1.dll	WaitForMultipleObjects
api-ms-win-core-file-l1-1-0.dll	LocalFileTimeToFileTime, FindFirstFileExW, GetDiskFreeSpaceExW, GetFileTime, SetFilePointer
api-ms-win-eventing-tdh-l1-1-0.dll	TdhGetPropertySize, TdhGetProperty, TdhGetEventInformation
api-ms-win-core-memory-l1-1-0.dll	VirtualQueryEx, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW
SspiCli.dll	GetUserNameExW
api-ms-win-security-base-l1-1-0.dll	IsWellKnownSid, SetTokenInformation
api-ms-win-core-timezone-l1-1-0.dll	FileTimeToSystemTime, SystemTimeToFileTime, GetTimeZoneInformation
api-ms-win-core-heap-l2-1-0.dll	GlobalFree, LocalAlloc
WINHTTP.dll	WinHttpConnect, WinHttpSetOption, WinHttpQueryHeaders, WinHttpSetStatusCallback, WinHttpGetDefaultProxyConfiguration, WinHttpOpen, WinHttpSendRequest, WinHttpGetProxyForUrl, WinHttpCloseHandle, WinHttpQueryDataAvailable, WinHttpReadData, WinHttpOpenRequest, WinHttpGetIEProxyConfigForCurrentUser, WinHttpSetTimeouts, WinHttpAddRequestHeaders, WinHttpWriteData, WinHttpQueryOption, WinHttpQueryAuthSchemes, WinHttpSetCredentials, WinHttpReceiveResponse
OLEAUT32.dll	VariantClear, VariantInit, SafeArrayGetUBound, SafeArrayGetLBound, SysFreeString, SafeArrayGetVartype, SysAllocStringLen, SysStringLen, SysAllocString, SysAllocStringByteLen, SysStringByteLen, SafeArrayLock, SafeArrayUnlock, SafeArrayCopy, SafeArrayDestroy
api-ms-win-core-datetime-l1-1-0.dll	GetDateFormatW
api-ms-win-core-winrt-l1-1-0.dll	RoGetActivationFactory, RoActivateInstance
api-ms-win-core-winrt-string-l1-1-0.dll	WindowsPromoteStringBuffer, WindowsDeleteStringBuffer, WindowsPreallocateStringBuffer, WindowsDeleteString, WindowsCreateStringReference, WindowsCreateString, WindowsIsStringEmpty, WindowsGetStringRawBuffer
Cabinet.dll
api-ms-win-security-cryptoapi-l1-1-0.dll	CryptReleaseContext, CryptHashData, CryptCreateHash, CryptVerifySignatureW, CryptAcquireContextW, CryptDestroyKey, CryptDestroyHash
api-ms-win-service-winsvc-l1-1-0.dll	QueryServiceStatus, ControlService
api-ms-win-service-management-l1-1-0.dll	CloseServiceHandle, OpenServiceW, OpenSCManagerW, StartServiceW
api-ms-win-core-kernel32-legacy-l1-1-1.dll	GetFirmwareType
api-ms-win-core-psapi-l1-1-0.dll	K32EnumProcessModules, K32GetProcessMemoryInfo
api-ms-win-core-namedpipe-l1-1-0.dll	CreatePipe
ncrypt.dll	NCryptFreeObject, NCryptFinalizeKey, NCryptSignHash, NCryptOpenStorageProvider, NCryptOpenKey, NCryptVerifySignature, NCryptCreatePersistedKey, NCryptSetProperty
api-ms-win-core-apiquery-l1-1-0.dll	ApiSetQueryApiSetPresence
DEVOBJ.dll	DevObjCreateDeviceInfoList, DevObjGetClassDevs, DevObjDestroyDeviceInfoList, DevObjEnumDeviceInterfaces, DevObjGetDeviceInterfaceDetail
api-ms-win-core-delayload-l1-1-1.dll	ResolveDelayLoadedAPI
api-ms-win-core-delayload-l1-1-0.dll	DelayLoadFailureHook
api-ms-win-core-string-l1-1-0.dll	CompareStringW
SHLWAPI.dll	PathIsDirectoryEmptyW, PathIsDirectoryW
DNSAPI.dll	DnsQuery_W, DnsFree, DnsGetCacheDataTable
wevtapi.dll	EvtCreateRenderContext, EvtQuery, EvtClose, EvtSubscribe, EvtNext, EvtRender
MSSECUSER.dll	SecGetProcessInfo, SecWriteFileHashEA, SecGetCiInformation, SecRequestOplock, SecSetConfiguration, SecSetProcessInfo, SecWriteFileDlpEA, SecUninitializeDriver, SecIsKernelIntegrityEnabled, SecDeleteSessionFilter, SecCreateSessionFilter, SecClearRegistryOperations, SecSetRegistryOperations, SecGetFileHashes, SecUnregisterConsumer, SecRegisterConsumer, SecSetFileMonitorOperations, SecSetDlpConfiguration
api-ms-win-crt-stdio-l1-1-0.dll	_open, _wopen
api-ms-win-security-trustee-l1-1-0.dll	BuildSecurityDescriptorW
fwpuclnt.dll	FwpmTransactionBegin0, FwpmProviderDeleteByKey0, FwpmFilterAdd0, FwpmEngineClose0, FwpmGetAppIdFromFileName0, FwpmFilterEnum0, FwpmEngineOpen0, FwpmFilterDestroyEnumHandle0, FwpmSubLayerDeleteByKey0, FwpmFreeMemory0, FwpmSubLayerGetByKey0, FwpmSubLayerAdd0, FwpmTransactionCommit0, FwpmProviderGetByKey0, FwpmProviderAdd0, FwpmFilterCreateEnumHandle0, FwpmFilterDeleteByKey0
api-ms-win-core-winrt-error-l1-1-0.dll	SetRestrictedErrorInfo, RoTransformError, GetRestrictedErrorInfo
api-ms-win-core-winrt-error-l1-1-1.dll	RoOriginateLanguageException
api-ms-win-core-sysinfo-l1-2-0.dll	GetSystemTimePreciseAsFileTime
api-ms-win-core-com-l1-1-1.dll	RoGetAgileReference
api-ms-win-crt-math-l1-1-0.dll	ceilf

Exports

Name	Ordinal	Address
adler32	1	0x140385b90
adler32_combine	2	0x140385ba0
adler32_z	3	0x140385c90
crc32	4	0x140386850
crc32_combine	5	0x140386860
crc32_z	6	0x140386c80
deflate	7	0x140382c00
deflateBound	8	0x140383590
deflateCopy	9	0x1403836a0
deflateEnd	10	0x1403838d0
deflateGetDictionary	11	0x1403839b0
deflateInit2_	12	0x140383a30
deflateInit_	13	0x140383ce0
deflateParams	14	0x140383d20
deflatePending	15	0x140383e90
deflatePrime	16	0x140383ee0
deflateReset	17	0x140383f90
deflateResetKeep	18	0x140383fd0
deflateSetDictionary	19	0x140384070
deflateSetHeader	20	0x140384260
deflateTune	21	0x140384300
get_crc_table	22	0x140386ca0
gzbuffer	23	0x14037fcb0
gzclearerr	24	0x14037fcf0
gzclose_w	25	0x1403805e0
gzdopen	26	0x14037fd30
gzeof	27	0x14037fdc0
gzerror	28	0x14037fde0
gzflush	29	0x1403806d0
gzfwrite	30	0x140380740
gzoffset	31	0x14037fe30
gzoffset64	32	0x14037fe60
gzopen	33	0x14037fed0
gzopen64	34	0x14037fed0
gzopen_w	35	0x14037fef0
gzprintf	36	0x1403807c0
gzputc	37	0x1403807f0
gzputs	38	0x1403808b0
gzrewind	39	0x14037ff10
gzseek	40	0x14037ff70
gzseek64	41	0x14037ffa0
gzsetparams	42	0x140380910
gztell	43	0x1403800f0
gztell64	44	0x140380120
gzvprintf	45	0x1403809d0
gzwrite	46	0x140380b10
inflate	47	0x140380b60
inflateCodesUsed	48	0x140382140
inflateCopy	49	0x140382180
inflateEnd	50	0x140382330
inflateGetDictionary	51	0x140382390
inflateGetHeader	52	0x140382420
inflateInit2_	53	0x140382460
inflateInit_	54	0x140382550
inflateMark	55	0x140382570
inflatePrime	56	0x1403825d0
inflateReset	57	0x140382640
inflateReset2	58	0x140382680
inflateResetKeep	59	0x140382720
inflateSetDictionary	60	0x1403827b0
inflateSync	61	0x1403828b0
inflateSyncPoint	62	0x1403829d0
inflateUndermine	63	0x140382a10
inflateValidate	64	0x140382a50
zError	65	0x140385b10
zlibCompileFlags	66	0x140385b70
zlibVersion	67	0x140385b80

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

• MsSense.exe
• conhost.exe

Click to jump to process

Click to jump to process

Behavior

• MsSense.exe
• conhost.exe

Click to jump to process

Target ID:	0
Start time:	07:55:33
Start date:	20/10/2022
Path:	C:\Users\user\Desktop\MsSense.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\MsSense.exe
Imagebase:	0x7ff673590000
File size:	6254368 bytes
MD5 hash:	407EF0D901D7C8FD97CBE89787FD339F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	07:55:34
Start date:	20/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Tactics:	Credential Access, Discovery
Data Sources:	Host network interface, Netflow/Enclave netflow, Network device logs, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MsSense.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: MsSense.exePID: 2388, Parent PID: 3452

General

File Activities

File Opened

File Created

File Attributes Queried

Volume Information Queried

Device IO

Windows Analysis Report
MsSense.exe