a78e00102ec277e7b4743b7c2094fe9c6ba3ac598c143323797cc2749675215e

Sharing

Copy URL

Twitter E-mail

General

Target

a78e00102ec277e7b4743b7c2094fe9c6ba3ac598c143323797cc2749675215e
Size

1.5MB
MD5

251fd707e277d4164b2854427fb45260
SHA1

3a23f61d8957ba9d899057f28144ae5360514055
SHA256

a78e00102ec277e7b4743b7c2094fe9c6ba3ac598c143323797cc2749675215e
SHA512

c303b3e06acdc15e88ec0e679469a2bb38b988acb77ed7da58990e3f4095bf7123c73925b274b9aaa606ac728515ff9f1cf1d0b8cbd9f5461d71831921b1542c
SSDEEP

24576:H+ShU8InxEODi1pXxVT5CcwVA0r+aN4wniVR+kbOIv5rCibtkdirU0GWP1:eShAzGnxHbwVb5viVQZIxrC6qIUa9

Score

N/A

Malware Config

Signatures

Files

a78e00102ec277e7b4743b7c2094fe9c6ba3ac598c143323797cc2749675215e
.rar
新建文件夹 (3)/BOOTVID.DLL
.dll windows x64

174830160c3729cf56cae35b0101c7d5

Code Sign

33:00:00:01:c4:22:b2:f7:9b:79:3d:ac:b2:00:00:00:00:01:c4
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

03/07/2018, 20:45

Not After

26/07/2019, 20:45

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

7a:12:a1:7b:7c:d7:ed:3f:71:45:57:82:9e:9d:69:f0:84:29:4c:a0:6c:03:04:80:85:2f:83:89:87:a2:90:36
Signer

Actual PE Digest

7a:12:a1:7b:7c:d7:ed:3f:71:45:57:82:9e:9d:69:f0:84:29:4c:a0:6c:03:04:80:85:2f:83:89:87:a2:90:36

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

09/09/2022, 12:36
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

MmMapIoSpaceEx
HalPrivateDispatchTable
MmUnmapIoSpace

Exports

Exports

VidBitBlt
VidBitBltEx
VidBufferToScreenBlt
VidCleanUp
VidDisplayString
VidDisplayStringXY
VidInitialize
VidResetDisplay
VidScreenToBufferBlt
VidSetScrollRegion
VidSetTextColor
VidSolidColorFill

Sections

.text
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 80B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 240B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.edata
Size: 512B - Virtual size: 366B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 512B - Virtual size: 204B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 1008B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 20B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
新建文件夹 (3)/BootMenuUX.dll
.dll windows x64

4d30b5857a7c4e7cd720c1d59bfa3e88

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

wcstoul
iswspace
_ultow_s
wcscpy_s
wcscat_s
swprintf_s
_vsnwprintf_s
_wcsupr
strncmp
_snwscanf_s
_strcmpi
_wcsnicmp
_vscwprintf
?terminate@@YAXXZ
strcpy_s
towlower
towupper
qsort
wcschr
_lock
__C_specific_handler
_unlock
_initterm
_amsg_exit
_XcptFilter
__dllonexit
_onexit
__CxxFrameHandler3
memmove
_wcslwr
memcpy_s
_callnewh
malloc
free
_purecall
qsort_s
wcsstr
wcsnlen
wcsrchr
memmove_s
_vsnwprintf
_wcsicmp
memcpy
wcsncmp
swscanf_s
memcmp
memset

bcrypt

BCryptDestroyKey
BCryptDecrypt
BCryptCloseAlgorithmProvider
BCryptDestroyHash
BCryptFinishHash
BCryptHashData
BCryptCreateHash
BCryptGetProperty
BCryptOpenAlgorithmProvider
BCryptGenerateSymmetricKey
BCryptSetProperty
BCryptEncrypt

cabinet

ord23
ord22
ord20

api-ms-win-core-synch-l1-2-0

Sleep
InitOnceExecuteOnce

api-ms-win-core-com-l1-1-0

CoTaskMemAlloc
CoTaskMemFree
PropVariantClear

api-ms-win-core-registry-l1-1-0

RegSetValueExW
RegGetValueW
RegLoadKeyW
RegCreateKeyExW
RegOpenKeyExW
RegUnLoadKeyW
RegCloseKey

api-ms-win-core-file-l1-2-0

GetVolumePathNamesForVolumeNameW
GetVolumeNameForVolumeMountPointW
GetTempPathW

api-ms-win-core-sysinfo-l1-1-0

GetSystemDirectoryW
GetSystemInfo
GetWindowsDirectoryW
GetSystemTimeAsFileTime
GetTickCount

api-ms-win-core-errorhandling-l1-1-0

SetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetLastError
RaiseException

api-ms-win-core-handle-l1-1-0

CloseHandle
DuplicateHandle
GetHandleInformation

api-ms-win-core-string-l1-1-0

CompareStringW
CompareStringEx
MultiByteToWideChar
WideCharToMultiByte

api-ms-win-core-processthreads-l1-1-0

CreateThread
TerminateProcess
GetCurrentThreadId
OpenProcessToken
GetCurrentProcessId
GetCurrentProcess

api-ms-win-core-firmware-l1-1-0

SetFirmwareEnvironmentVariableW
GetFirmwareEnvironmentVariableW

api-ms-win-core-libraryloader-l1-2-0

DisableThreadLibraryCalls
LoadLibraryExW
LoadLibraryExA
GetModuleFileNameW
FreeLibrary
GetProcAddress

api-ms-win-core-localization-l1-2-0

SetThreadPreferredUILanguages
LocaleNameToLCID

api-ms-win-core-synch-l1-1-0

LeaveCriticalSection
WaitForSingleObject
InitializeCriticalSectionAndSpinCount
CreateEventW
AcquireSRWLockExclusive
ReleaseSemaphore
DeleteCriticalSection
SetEvent
EnterCriticalSection
ResetEvent
InitializeCriticalSection
ReleaseSRWLockExclusive

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-rtlsupport-l1-1-0

RtlCaptureContext
RtlVirtualUnwind
RtlLookupFunctionEntry

api-ms-win-core-file-l1-1-0

GetVolumePathNameW
SetFilePointerEx
FindClose
FindFirstFileW
SetFileTime
FindNextFileW
GetFileSize
LocalFileTimeToFileTime
SetEndOfFile
ReadFile
CreateDirectoryW
UnlockFileEx
GetFileSizeEx
LockFileEx
SetFilePointer
FlushFileBuffers
GetFileAttributesW
GetVolumeInformationW
GetFullPathNameW
WriteFile
CreateFileW
DeleteFileW
SetFileAttributesW
GetFileInformationByHandle

api-ms-win-core-heap-l1-1-0

HeapReAlloc
HeapAlloc
HeapFree
GetProcessHeap

api-ms-win-core-processenvironment-l1-1-0

GetEnvironmentVariableW
GetCurrentDirectoryW

rpcrt4

UuidCreate
UuidToStringW
RpcStringFreeW

api-ms-win-core-io-l1-1-0

DeviceIoControl
GetOverlappedResult

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc

api-ms-win-security-base-l1-1-0

AdjustTokenPrivileges

api-ms-win-core-processthreads-l1-1-1

OpenProcess

api-ms-win-core-file-l2-1-0

CopyFileExW

api-ms-win-core-synch-l1-2-1

WaitForMultipleObjects

api-ms-win-core-memory-l1-1-0

VirtualQuery
VirtualProtect
CreateFileMappingW
UnmapViewOfFile
MapViewOfFile

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW

api-ms-win-core-registry-l2-1-0

RegEnumKeyW

api-ms-win-core-kernel32-legacy-l1-1-0

DosDateTimeToFileTime

bootux

ord8
ord4
ord7
ord6
ord2

ntdll

RtlReleasePrivilege
RtlAcquirePrivilege
RtlAdjustPrivilege
NtShutdownSystem
RtlpSetPreferredUILanguages
RtlReAllocateHeap
RtlDeleteCriticalSection
RtlInitializeCriticalSection
RtlAllocateHeap
RtlInitUnicodeString
RtlDeleteResource
RtlReleaseResource
RtlAcquireResourceShared
RtlAcquireResourceExclusive
RtlInitializeResource
RtlImpersonateSelf
ZwQuerySystemInformation
RtlGUIDFromString
RtlFreeUnicodeString
RtlStringFromGUID
RtlAppendUnicodeToString
ZwQueryAttributesFile
ZwWaitForSingleObject
ZwQueryKey
ZwReleaseMutant
ZwOpenFile
ZwOpenMutant
ZwClose
RtlLengthSecurityDescriptor
RtlSetOwnerSecurityDescriptor
RtlSetDaclSecurityDescriptor
ZwCreateKey
ZwLoadKey
RtlAddAccessAllowedAceEx
RtlAllocateAndInitializeSid
RtlLengthSid
ZwDeleteValueKey
RtlFreeSid
ZwDeleteKey
ZwEnumerateKey
ZwQueryValueKey
RtlCreateAcl
ZwSetSecurityObject
ZwUnloadKey
RtlCreateSecurityDescriptor
ZwSetValueKey
ZwOpenKey
ZwAllocateUuids
ZwQuerySymbolicLinkObject
ZwDeviceIoControlFile
ZwOpenSymbolicLinkObject
LdrGetProcedureAddress
LdrGetDllHandle
ZwQueryInformationProcess
RtlInitAnsiString
ZwQueryInformationFile
ZwOpenProcess
NtQuerySystemInformation
NtAdjustPrivilegesToken
NtOpenProcessTokenEx
NtSetInformationThread
NtOpenThreadTokenEx
NtOpenSymbolicLinkObject
NtOpenKey
NtQuerySymbolicLinkObject
NtDeviceIoControlFile
NtQueryValueKey
NtQueryBootEntryOrder
NtQueryBootOptions
NtTranslateFilePath
NtOpenDirectoryObject
NtQueryDirectoryObject
NtEnumerateBootEntries
RtlCopyUnicodeString
RtlpNtQueryValueKey
RtlUnicodeStringToAnsiString
RtlGetPersistedStateLocation
RtlRaiseStatus
NtYieldExecution
DbgPrintEx
RtlFreeHeap
NtOpenFile
NtClose
NtCreateFile
RtlDosPathNameToNtPathName_U
NtSetInformationFile
NtQueryInformationProcess
NtQueryInformationFile
RtlNtStatusToDosError

reagent

WinReSetRecoveryAction
WinReGetCustomization
WinReQueueRecoveryBoot
WinReGetConfig
WinReRestoreLogFiles

user32

SetSysColors
GetKeyboardLayoutNameW
SystemParametersInfoW
GetKeyboardLayout

uxtheme

ord95

kernel32

SearchPathW
FindVolumeClose
FindNextVolumeW
FindFirstVolumeW
FileTimeToSystemTime
GetModuleHandleW
CompareFileTime
CopyFileW
EnumUILanguagesW
lstrcmpiW
GetThreadPreferredUILanguages
ExpandEnvironmentStringsW
GetLocaleInfoEx
LCIDToLocaleName
RtlCompareMemory

advapi32

ConvertSidToStringSidW
RegQueryInfoKeyW
RegEnumKeyExW
EventWriteTransfer
EventUnregister
ControlTraceW
TraceMessage
SystemFunction031
SystemFunction007
RegSetKeyValueW
RegQueryValueExW
SystemFunction027

wdscore

ConstructPartialMsgVW
WdsSetupLogMessageW
CurrentIP

crypt32

CertCloseStore
CryptDecodeObjectEx
CertFreeCertificateContext
CertDuplicateCertificateContext
CertFindCertificateInStore
CryptBinaryToStringW
CertFindExtension
CertGetCertificateContextProperty
CertOpenStore

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

api-ms-win-core-string-l2-1-0

CharUpperW

Exports

Exports

CreateAdvancedOptionsButton
CreateAdvancedRecoveryToolsButtonCollection
CreateAdvancedStartupButton
CreateAdvancedStartupLaunchPage
CreateBasicResetFinalChecksPage
CreateBasicResetLandingPage
CreateBasicSystemResetButton
CreateBasicSystemResetLaunchPage
CreateBitlockerLandingPage
CreateBlackWallpaperButton
CreateBootableDeviceButtonCollection
CreateBootableOSButtonCollection
CreateCSRTFinalPage
CreateClearWallpaperPage
CreateCloudRecoveryButton
CreateDefaultOSButton
CreateDefaultOSButtonCollection
CreateDefaultOSListButton
CreateDeviceListButton
CreateDirectFactoryResetButton
CreateDownloadCloudPBRConfirmButton
CreateFactoryResetFinalChecksPage
CreateFactoryResetLandingPage
CreateFactorySystemResetButton
CreateFactorySystemResetLaunchPage
CreateFirmwareSettingsButton
CreateFiveMinuteTimeoutAction
CreateFiveSecondTimeoutAction
CreateFlightRemovalConfirmButton
CreateFlightRemovalProgressPage
CreateKeyboardLayoutButtonCollection
CreateLanguageButtonCollection
CreateOSListButton
CreateOneMinuteTimeoutAction
CreatePBRCancelButton
CreatePBRFactoryResetKeepPackagesButton
CreatePBRFactoryResetNotKeepPackagesButton
CreatePBRFinalPage
CreatePBRResetButtonCollection
CreatePBRResetPage
CreatePBRfactoryResetAllVolumesButton
CreatePBRfactoryResetBareMetalDisabled
CreatePBRfactoryResetBareMetalEnabled
CreatePBRfactoryResetCancelOperationButton
CreatePBRfactoryResetContinueChecksButton
CreatePBRfactoryResetDataEraseDisabled
CreatePBRfactoryResetDataEraseEnabled
CreatePBRfactoryResetOsOnlyButton
CreatePasswordButton
CreatePasswordPage
CreateRecoveryToolsListButton
CreateRestartButton
CreateSelectOSPage
CreateSetWallpaperPage
CreateShutdownButton
CreateSkippableSelectOSPage
CreateTenSecondTimeoutAction
CreateThirtySecondTimeoutAction
CreateTopLevelRecoveryToolsButtonCollection
CreateTopLevelRecoveryToolsPage
CreateUninstallPage
CreateUninstallQualityUpdateConfirmButton
CreateUninstallToolsButtonCollection
CreateUserNameButtonCollection
CreateUserSelectionPage
CreateWiFiConnectButton
CreateWiFiInitPage
CreateWiFiNetworkButtonCollection
CreateWinReSkipPage
CreateWinReTargetOSButtonCollection
CreateWinReTargetOSPage
CreateZeroSecondTimeoutAction
InitializePasswordDatabase
InitializeSRTSyncInterface
InitializeSyncInterface
UtilBcdCloseSystemStore
UtilGetCurrentKeyboardLayout

Sections

.text
Size: 507KB - Virtual size: 507KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 114KB - Virtual size: 113KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 64B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 1008B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
新建文件夹 (3)/BootRec.exe
.exe windows x64

f9c8e9196056e79e5f5c11196d64ee83

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

TraceMessage
GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags
RegisterTraceGuidsW
UnregisterTraceGuids
RegUnLoadKeyW
RegLoadKeyW
RegQueryValueExW
RegCloseKey
RegOpenKeyExW
EventWrite

kernel32

SetVolumeMountPointW
GetVolumePathNamesForVolumeNameW
RtlCompareMemory
SleepConditionVariableSRW
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
GetStdHandle
GetFileType
WriteConsoleW
ReadConsoleW
LocalFree
FormatMessageW
SetThreadPreferredUILanguages
HeapSetInformation
CompareStringW
GetNumberFormatW
GetLocaleInfoW
GetModuleHandleW
GetLastError
Sleep
SetUnhandledExceptionFilter
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
CloseHandle
DeviceIoControl
CreateFileW
GetFileAttributesW
GetNativeSystemInfo
GetVolumePathNameW
QueryDosDeviceW
FindFirstVolumeW
GetDriveTypeW
FindNextVolumeW
FindVolumeClose
GetDiskFreeSpaceExW
GetVolumeInformationW
LoadLibraryExW
GetProcAddress
FreeLibrary
MoveFileExW
CopyFileW
SetLastError
SetFilePointer
ReadFile
WriteFile
LCIDToLocaleName
GetWindowsDirectoryW
GetFileSize
GetVolumeNameForVolumeMountPointW

msvcrt

wcsstr
wcscpy_s
towupper
wcschr
wcstoul
?terminate@@YAXXZ
_lock
_unlock
__dllonexit
_onexit
_wcslwr
_snwscanf_s
strncmp
_wcsupr
strstr
wcsncpy_s
_vsnwprintf_s
_ultow_s
swprintf_s
wcscat_s
_cexit
_exit
exit
__set_app_type
__wgetmainargs
_amsg_exit
tolower
fgets
_wfopen_s
wcstol
_wcsicmp
_purecall
_wcsnicmp
wcsrchr
_XcptFilter
_callnewh
malloc
free
_vsnwprintf
_wtol
__CxxFrameHandler3
memmove
memcpy
memcmp
memcpy_s
_initterm
fclose
__setusermatherr
wprintf
__C_specific_handler
_fmode
wcsnlen
_commode
memset

user32

LoadStringW

ntdll

RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
NtClose
NtQueryDirectoryObject
NtOpenDirectoryObject
NtQuerySymbolicLinkObject
NtOpenSymbolicLinkObject
RtlFreeHeap
RtlAllocateHeap
RtlAdjustPrivilege
NtQueryDirectoryFile
RtlInitUnicodeString
RtlFreeUnicodeString
RtlDosPathNameToNtPathName_U
RtlNtStatusToDosError
NtQuerySystemInformation
RtlReAllocateHeap
ZwQuerySystemInformation
RtlGUIDFromString
RtlStringFromGUID
ZwWaitForSingleObject
ZwQueryKey
ZwReleaseMutant
ZwOpenFile
ZwOpenMutant
ZwClose
RtlAppendUnicodeToString
ZwQueryAttributesFile
RtlLengthSecurityDescriptor
RtlSetOwnerSecurityDescriptor
RtlSetDaclSecurityDescriptor
ZwCreateFile
ZwCreateKey
ZwLoadKey
RtlAddAccessAllowedAceEx
RtlAllocateAndInitializeSid
RtlLengthSid
ZwDeleteValueKey
ZwSaveKey
RtlFreeSid
ZwDeleteKey
ZwEnumerateKey
ZwQueryValueKey
RtlCreateAcl
ZwSetSecurityObject
ZwUnloadKey
RtlCreateSecurityDescriptor
ZwSetValueKey
ZwOpenKey
ZwAllocateUuids
LdrGetProcedureAddress
LdrGetDllHandle
ZwQueryInformationProcess
RtlInitAnsiString
ZwQueryInformationFile
ZwOpenProcess
ZwQuerySymbolicLinkObject
ZwDeviceIoControlFile
ZwOpenSymbolicLinkObject
NtAdjustPrivilegesToken
NtOpenProcessTokenEx
NtSetInformationThread
NtOpenThreadTokenEx
RtlImpersonateSelf
NtOpenKey
NtDeviceIoControlFile
NtOpenFile
NtQueryValueKey
NtQueryBootEntryOrder
NtQueryBootOptions
NtTranslateFilePath
NtEnumerateBootEntries
RtlRaiseStatus
NtYieldExecution
DbgPrintEx

ole32

CoInitializeEx
CoUninitialize
CoCreateInstance
CoTaskMemFree

wer

WerReportCloseHandle

version

GetFileVersionInfoExW
VerQueryValueW
GetFileVersionInfoSizeExW

Sections

.text
Size: 265KB - Virtual size: 264KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 60KB - Virtual size: 59KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 13KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 960B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
新建文件夹 (3)/BroadcastEnvChange.exe
.exe windows x64

20119aa0d6247fd72186a6ca5a5fced3

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

DeleteCriticalSection
EnterCriticalSection
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetLastError
GetStartupInfoA
GetSystemTimeAsFileTime
GetTickCount
InitializeCriticalSection
LeaveCriticalSection
QueryPerformanceCounter
RtlAddFunctionTable
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
SetUnhandledExceptionFilter
Sleep
TerminateProcess
TlsGetValue
UnhandledExceptionFilter
VirtualProtect
VirtualQuery

msvcrt

__C_specific_handler
__getmainargs
__initenv
__iob_func
__lconv_init
__set_app_type
__setusermatherr
_acmdln
_amsg_exit
_cexit
_fmode
_initterm
_onexit
_stricmp
abort
calloc
exit
fprintf
free
fwrite
malloc
memcpy
puts
signal
strlen
strncmp
vfprintf

user32

BroadcastSystemMessageA
SendMessageTimeoutA

Sections

.text
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 208B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 1024B - Virtual size: 672B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 1024B - Virtual size: 548B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 2KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 104B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 608B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

/4
Size: 512B - Virtual size: 80B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/19
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/31
Size: 512B - Virtual size: 329B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/45
Size: 1024B - Virtual size: 546B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/57
Size: 512B - Virtual size: 72B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

/70
Size: 512B - Virtual size: 155B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
新建文件夹 (3)/BrokerLib.dll
.dll windows x64

6b30f801cacbbc981f3bd7847a9214c5

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

memcpy
memcmp
memmove
_onexit
__dllonexit
_unlock
_lock
??1type_info@@UEAA@XZ
?terminate@@YAXXZ
__C_specific_handler
_initterm
toupper
free
_amsg_exit
_XcptFilter
_CxxThrowException
_callnewh
malloc
wcsnlen
??0exception@@QEAA@AEBQEBDH@Z
_purecall
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@AEBQEBD@Z
??0exception@@QEAA@XZ
??1exception@@UEAA@XZ
?what@exception@@UEBAPEBDXZ
??3@YAXPEAX@Z
__CxxFrameHandler3
memset

ntdll

RtlLookupFunctionEntry
RtlCaptureContext
RtlCreateSecurityDescriptor
RtlCreateAcl
RtlWaitForWnfMetaNotification
RtlInitializeSidEx
RtlAbsoluteToSelfRelativeSD
RtlAddAccessAllowedAce
NtQueryInformationToken
RtlSetDaclSecurityDescriptor
NtCreateWnfStateName
RtlSetOwnerSecurityDescriptor
RtlLengthSecurityDescriptor
NtQueryWnfStateData
RtlInitUnicodeString
RtlQueryPackageIdentity
RtlPublishWnfStateData
RtlVirtualUnwind
RtlEqualSid
RtlStringFromGUIDEx
RtlUnsubscribeWnfNotificationWaitForCompletion
RtlFreeHeap
RtlInitUnicodeStringEx
NtClose
RtlLengthSid
NtOpenKey
NtUpdateWnfStateData
ZwUpdateWnfStateData
RtlValidSid
NtDeleteWnfStateName
RtlSubscribeWnfStateChangeNotification
RtlInitializeSRWLock
RtlAllocateHeap
RtlUnsubscribeWnfStateChangeNotification
RtlNtStatusToDosError
RtlReleaseSRWLockShared
RtlAcquireSRWLockShared
RtlAcquireSRWLockExclusive
RtlReleaseSRWLockExclusive
RtlNtStatusToDosErrorNoTeb

api-ms-win-security-base-l1-1-0

CreateWellKnownSid
GetTokenInformation
GetLengthSid
IsValidSid

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer
EventUnregister
EventSetInformation
EventRegister
EventProviderEnabled

api-ms-win-eventing-classicprovider-l1-1-0

RegisterTraceGuidsW
GetTraceLoggerHandle
GetTraceEnableFlags
TraceMessage
UnregisterTraceGuids
GetTraceEnableLevel

api-ms-win-core-string-l1-1-0

CompareStringEx

rpcrt4

NdrServerCall2
UuidIsNil
RpcServerInqBindings
RpcEpRegisterW
RpcEpUnregister
RpcBindingVectorFree
RpcRevertToSelf
RpcImpersonateClient
RpcObjectSetType
RpcServerRegisterIf3
RpcServerUseProtseqW
NdrServerCallAll
RpcServerUnregisterIfEx
I_RpcBindingInqLocalClientPID
RpcBindingInqObject

api-ms-win-core-processthreads-l1-1-0

OpenThreadToken
GetCurrentThread
GetCurrentThreadId
GetCurrentProcess
TerminateProcess
GetCurrentProcessId

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetLastError

api-ms-win-core-synch-l1-2-0

WakeByAddressAll
Sleep
WaitOnAddress

api-ms-win-core-heap-l1-1-0

GetProcessHeap
HeapAlloc
HeapFree

api-ms-win-security-sddl-l1-1-0

ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidW

api-ms-win-core-com-l1-1-0

CoCreateInstance
CoTaskMemFree
CoInitializeEx
CoUninitialize

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-libraryloader-l1-2-0

GetModuleFileNameA

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime

api-ms-win-core-synch-l1-1-0

AcquireSRWLockExclusive
ReleaseSRWLockExclusive

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Exports

Exports

BrBufferFree
BrCheckCallerCapabilities
BrCheckCallerCapabilities2
BrCheckCallerIsAppContainer
BrCreateBrokerInstance
BrCreateBrokerInstance2
BrCreateBrokeredEvent
BrCreateBrokeredEvent2
BrDecQuota
BrDeleteBrokerInstance
BrDeleteBrokeredEvent
BrDeleteBrokeredEvent2
BrFindBrokeredEvent
BrFindBrokeredEvent2
BrGetBrokeredAppState
BrGetBrokeredAppState2
BrGetBrokeredAppStateName
BrGetBrokeredEventInfo2
BrGetBrokeredEventState
BrGetPackageFullNameForBrokeredEvent
BrGetQuota
BrIncQuota
BrInitializeBrokerInstance
BrInitializeBrokerInstance2
BrLockBroker
BrQueryBrokeredApplicationState
BrQueryBrokeredEvents
BrQueryBrokeredEvents2
BrRegisterBrokeredEvent
BrRegisterStateChangeCallbacks
BrSendActivatorControl
BrSetBrokeredAppStateName
BrSignalBrokerEvent
BrSignalBrokerEvent2
BrSignalBrokerEvent2Ex
BrUnlockBroker
BrUnregisterBrokeredEvent

Sections

.text
Size: 153KB - Virtual size: 153KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 67KB - Virtual size: 66KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 96B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 756B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
新建文件夹 (3)/C_037.NLS
新建文件夹 (3)/C_10000.NLS
新建文件夹 (3)/C_10001.NLS
新建文件夹 (3)/C_10002.NLS
新建文件夹 (3)/C_10003.NLS
新建文件夹 (3)/C_10004.NLS
新建文件夹 (3)/C_10005.NLS
新建文件夹 (3)/C_10006.NLS
新建文件夹 (3)/C_10007.NLS
新建文件夹 (3)/C_10008.NLS
新建文件夹 (3)/C_10010.NLS
新建文件夹 (3)/C_10017.NLS
新建文件夹 (3)/C_10021.NLS
新建文件夹 (3)/C_10029.NLS
新建文件夹 (3)/C_10079.NLS
新建文件夹 (3)/C_10081.NLS
新建文件夹 (3)/C_10082.NLS
新建文件夹 (3)/C_1026.NLS
新建文件夹 (3)/C_1047.NLS
新建文件夹 (3)/C_1140.NLS
新建文件夹 (3)/C_1141.NLS
新建文件夹 (3)/C_1142.NLS
新建文件夹 (3)/C_1143.NLS
新建文件夹 (3)/C_1144.NLS
新建文件夹 (3)/C_1145.NLS
新建文件夹 (3)/C_1146.NLS
新建文件夹 (3)/C_1147.NLS
新建文件夹 (3)/C_1148.NLS
新建文件夹 (3)/C_1149.NLS
新建文件夹 (3)/C_1250.NLS
新建文件夹 (3)/C_1251.NLS
新建文件夹 (3)/C_1252.NLS
新建文件夹 (3)/C_1253.NLS
新建文件夹 (3)/C_1254.NLS
新建文件夹 (3)/C_1255.NLS
新建文件夹 (3)/C_1256.NLS
新建文件夹 (3)/C_1257.NLS
新建文件夹 (3)/C_1258.NLS
新建文件夹 (3)/C_1361.NLS
新建文件夹 (3)/C_20000.NLS
新建文件夹 (3)/C_20001.NLS
新建文件夹 (3)/C_20002.NLS
新建文件夹 (3)/C_20003.NLS
新建文件夹 (3)/C_20004.NLS
新建文件夹 (3)/C_20005.NLS
新建文件夹 (3)/C_20105.NLS
新建文件夹 (3)/C_20106.NLS
新建文件夹 (3)/C_20107.NLS
新建文件夹 (3)/C_20108.NLS
新建文件夹 (3)/C_20127.NLS
新建文件夹 (3)/C_20261.NLS
新建文件夹 (3)/C_20269.NLS
新建文件夹 (3)/C_20273.NLS
新建文件夹 (3)/C_437.NLS
新建文件夹 (3)/C_500.NLS
新建文件夹 (3)/C_708.NLS
新建文件夹 (3)/C_720.NLS
新建文件夹 (3)/C_737.NLS
新建文件夹 (3)/C_775.NLS
新建文件夹 (3)/C_850.NLS
新建文件夹 (3)/C_852.NLS
新建文件夹 (3)/C_855.NLS
新建文件夹 (3)/C_857.NLS
新建文件夹 (3)/C_858.NLS
新建文件夹 (3)/C_860.NLS
新建文件夹 (3)/C_861.NLS
新建文件夹 (3)/C_862.NLS
新建文件夹 (3)/C_863.NLS
新建文件夹 (3)/C_864.NLS
新建文件夹 (3)/C_865.NLS
新建文件夹 (3)/C_866.NLS
新建文件夹 (3)/C_869.NLS
新建文件夹 (3)/C_870.NLS
新建文件夹 (3)/C_874.NLS
新建文件夹 (3)/C_875.NLS
新建文件夹 (3)/C_932.NLS
新建文件夹 (3)/C_936.NLS
新建文件夹 (3)/C_949.NLS
新建文件夹 (3)/C_950.NLS
新建文件夹 (3)/bootsect.exe
.exe windows x64

a26cb263b9dc97b5627f1e68caac6231

Code Sign

33:00:00:01:c4:22:b2:f7:9b:79:3d:ac:b2:00:00:00:00:01:c4
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

03/07/2018, 20:45

Not After

26/07/2019, 20:45

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

a9:16:96:96:04:a2:44:89:72:00:b3:cb:12:6d:02:88:7d:2e:fd:c5:ce:bd:06:55:a5:99:e7:dc:40:c6:48:5f
Signer

Actual PE Digest

a9:16:96:96:04:a2:44:89:72:00:b3:cb:12:6d:02:88:7d:2e:fd:c5:ce:bd:06:55:a5:99:e7:dc:40:c6:48:5f

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

09/09/2022, 12:36
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

EventUnregister
EventRegister
EventWriteTransfer
RegOpenKeyExW
RegCloseKey
RegQueryValueExW

kernel32

GetModuleHandleExW
SetFilePointer
GetLastError
GetProcAddress
FreeLibrary
GetConsoleOutputCP
GetStdHandle
GetModuleFileNameW
LocalAlloc
GetConsoleMode
FormatMessageW
QueryDosDeviceW
LocalFree
WideCharToMultiByte
GetFileType
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
GetModuleHandleW
SetUnhandledExceptionFilter
Sleep
ReadFile
WriteFile
WriteConsoleW
SetLastError
GetSystemDefaultUILanguage
GetUserDefaultUILanguage
GetLocaleInfoW
CreateFileW
GetVersionExW
SearchPathW
UnmapViewOfFile
CloseHandle
FindResourceExW
LoadResource
CreateFileMappingW
MapViewOfFile
LoadLibraryExW

msvcrt

_snwscanf_s
bsearch
wcsncmp
wcsstr
wcsnlen
memcpy
?terminate@@YAXXZ
_fmode
__C_specific_handler
_initterm
memset
__setusermatherr
_cexit
_exit
exit
__set_app_type
__getmainargs
_amsg_exit
_XcptFilter
iswxdigit
_vsnwprintf
_wcsnicmp
_stricmp
swprintf_s
isalpha
wcscpy_s
_wcsicmp
_wcslwr
_commode

ntdll

RtlVirtualUnwind
RtlLookupFunctionEntry
NtWaitForSingleObject
RtlFreeHeap
NtQueryDirectoryObject
NtCreateEvent
NtOpenDirectoryObject
NtDeviceIoControlFile
NtQuerySymbolicLinkObject
RtlAllocateHeap
NtOpenSymbolicLinkObject
NtResetEvent
NtOpenFile
NtQueryVolumeInformationFile
RtlNtStatusToDosError
NtFsControlFile
NtClose
RtlInitUnicodeString
NtQuerySystemInformation
RtlCaptureContext
NtQueryValueKey
NtQueryBootEntryOrder
NtQueryBootOptions
NtTranslateFilePath
NtEnumerateBootEntries
NtAdjustPrivilegesToken
NtOpenProcessTokenEx
NtSetInformationThread
NtOpenThreadTokenEx
RtlImpersonateSelf
NtOpenKey

Sections

.text
Size: 27KB - Virtual size: 26KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 27KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 23KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1024B - Virtual size: 1008B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
新建文件夹 (3)/bootstr.dll
.dll windows x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

.rdata
Size: 512B - Virtual size: 176B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
新建文件夹 (3)/bootux.dll
.dll windows x64

ec664a519dc1e81871097b59bc859d9e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

_lock
_initterm
malloc
sqrt
__C_specific_handler
__CxxFrameHandler3
_XcptFilter
free
memset
iscntrl
wcschr
_wtoi
_callnewh
_onexit
memcpy_s
__dllonexit
_amsg_exit
_unlock
memmove
floorf
ceil
_purecall
_vsnwprintf
wcscmp

api-ms-win-shcore-scaling-l1-1-0

GetScaleFactorForDevice

api-ms-win-shcore-thread-l1-1-0

SHCreateThread
SHGetThreadRef

api-ms-win-shcore-comhelpers-l1-1-0

IUnknown_Set

api-ms-win-shcore-stream-l1-1-0

SHCreateStreamOnFileEx

shcore

ord228

shell32

SHFileOperationW
ord47
SHGetFolderPathW

shlwapi

PathFindFileNameW
PathFileExistsW
StrToIntExW
PathFindExtensionW
StrCmpW
PathGetDriveNumberW
StrCmpIW
ord460
StrRStrIW
StrChrW
PathAppendW
PathRemoveFileSpecW

api-ms-win-core-libraryloader-l1-2-0

DisableThreadLibraryCalls
LoadLibraryExW
GetModuleFileNameW
LockResource
FindResourceExW
LoadResource
LoadStringW
FreeLibrary
GetModuleFileNameA
GetModuleHandleW
GetProcAddress
GetModuleHandleExW

api-ms-win-core-synch-l1-1-0

ReleaseMutex
SetEvent
WaitForSingleObject
ResetEvent
WaitForSingleObjectEx
CreateEventW
WaitForMultipleObjectsEx
CreateSemaphoreExW
OpenSemaphoreW
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
ReleaseSemaphore
CreateMutexExW
CreateEventExW
AcquireSRWLockShared
ReleaseSRWLockShared

api-ms-win-core-heap-l1-1-0

HeapFree
HeapAlloc
HeapReAlloc
GetProcessHeap

api-ms-win-core-errorhandling-l1-1-0

GetLastError
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcessId
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
GetCurrentProcess
TerminateProcess
GetCurrentThreadId

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-debug-l1-1-0

DebugBreak
IsDebuggerPresent
OutputDebugStringW

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-eventing-provider-l1-1-0

EventRegister
EventUnregister
EventWriteTransfer

api-ms-win-eventing-classicprovider-l1-1-0

GetTraceEnableLevel
RegisterTraceGuidsW
UnregisterTraceGuids
TraceMessage
GetTraceEnableFlags
GetTraceLoggerHandle

api-ms-win-core-file-l1-1-0

GetDriveTypeW
GetFileAttributesExW
CreateDirectoryW
GetLogicalDriveStringsW
CreateFileW
WriteFile
DeleteFileW

api-ms-win-core-path-l1-1-0

PathCchAppend
PathCchCombine

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetTickCount
GetWindowsDirectoryW

api-ms-win-core-string-l1-1-0

CompareStringEx
CompareStringOrdinal

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-io-l1-1-0

DeviceIoControl

api-ms-win-core-rtlsupport-l1-1-0

RtlLookupFunctionEntry
RtlVirtualUnwind
RtlCaptureContext

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter
QueryPerformanceFrequency

api-ms-win-security-sddl-l1-1-0

ConvertStringSecurityDescriptorToSecurityDescriptorW

api-ms-win-security-base-l1-1-0

GetSecurityDescriptorDacl
GetSecurityDescriptorSacl
GetSecurityDescriptorOwner
GetSecurityDescriptorGroup

api-ms-win-core-heap-l2-1-0

LocalFree

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW

api-ms-win-core-registry-l1-1-0

RegOpenKeyExW
RegCloseKey

api-ms-win-eventing-controller-l1-1-0

StartTraceW
EnableTraceEx2
StopTraceW

api-ms-win-core-atoms-l1-1-0

GetAtomNameW

api-ms-win-core-sidebyside-l1-1-0

ActivateActCtx
ReleaseActCtx
CreateActCtxW
DeactivateActCtx

api-ms-win-core-threadpool-legacy-l1-1-0

QueueUserWorkItem

uiautomationcore

UiaRaiseAutomationEvent

gdi32

CreateFontIndirectW
DeleteDC
CreateCompatibleDC
SelectObject
GetDeviceCaps
CreateDIBSection
GetStockObject
StretchDIBits
GetObjectW
DeleteObject

ntdll

WinSqmSetDWORD

ole32

CoInitialize

user32

UpdateWindow
InvalidateRect
FillRect
GetClientRect
SystemParametersInfoW
TranslateMessage
RegisterWindowMessageW
FindWindowW
GetMonitorInfoW
RemovePropW
MonitorFromPoint
DispatchMessageW
GetSystemMetrics
GetMessageW
DrawTextW
SetForegroundWindow
PostQuitMessage
SetPropW
ShowWindow
GetCursorPos
ReleaseDC
MapWindowPoints
GetDC
SetCursor
LoadCursorW
MsgWaitForMultipleObjectsEx
PeekMessageW
GetAncestor
PostMessageW
IsWindow

uxtheme

GetCurrentThemeName

dui70

?UpdateTooltip@TouchHWNDElement@DirectUI@@UEAAXPEAVElement@2@@Z
?EventFromEventId@Schema@DirectUI@@SA?AW4Event@12@H@Z
?WantEvent@EventManager@DirectUI@@SA_NW4Event@Schema@2@@Z
?FWantAnyEvent@EventManager@DirectUI@@SA_NPEAVElement@2@@Z
?SetX@Element@DirectUI@@QEAAJH@Z
?GetExtent@Element@DirectUI@@QEAAPEBUtagSIZE@@PEAPEAVValue@2@@Z
?SetMargin@Element@DirectUI@@QEAAJHHHH@Z
?GetMargin@Element@DirectUI@@QEAAPEBUtagRECT@@PEAPEAVValue@2@@Z
?_Fill@Element@DirectUI@@IEAAXPEAUHDC__@@KHHHH_N@Z
?SetXMLFromResourceWithTheme@DUIXmlParser@DirectUI@@QEAAJIPEAUHINSTANCE__@@00@Z
?SetXMLFromResource@DUIXmlParser@DirectUI@@QEAAJPEBGPEAUHINSTANCE__@@1@Z
?SetRootWindowForTheming@DUIXmlParser@DirectUI@@QEAAXPEAUHWND__@@@Z
?GetSheet@DUIXmlParser@DirectUI@@QEAAJPEBGPEAPEAVValue@2@@Z
DuiCreateObject
?AdviseEventRemoved@ElementProvider@DirectUI@@UEAAJHPEAUtagSAFEARRAY@@@Z
?AdviseEventAdded@ElementProvider@DirectUI@@UEAAJHPEAUtagSAFEARRAY@@@Z
?get_FragmentRoot@ElementProvider@DirectUI@@UEAAJPEAPEAUIRawElementProviderFragmentRoot@@@Z
?SetFocus@ElementProvider@DirectUI@@UEAAJXZ
?GetEmbeddedFragmentRoots@ElementProvider@DirectUI@@UEAAJPEAPEAUtagSAFEARRAY@@@Z
?get_BoundingRectangle@ElementProvider@DirectUI@@UEAAJPEAUUiaRect@@@Z
?GetRuntimeId@ElementProvider@DirectUI@@UEAAJPEAPEAUtagSAFEARRAY@@@Z
?Navigate@ElementProvider@DirectUI@@UEAAJW4NavigateDirection@@PEAPEAUIRawElementProviderFragment@@@Z
?ShowContextMenu@ElementProvider@DirectUI@@UEAAJXZ
?get_HostRawElementProvider@ElementProvider@DirectUI@@UEAAJPEAPEAUIRawElementProviderSimple@@@Z
?GetPropertyValue@ElementProvider@DirectUI@@UEAAJHPEAUtagVARIANT@@@Z
?get_ProviderOptions@ElementProvider@DirectUI@@UEAAJPEAW4ProviderOptions@@@Z
?AddRef@ElementProvider@DirectUI@@UEAAKXZ
?QueryInterface@ElementProvider@DirectUI@@UEAAJAEBU_GUID@@PEAPEAX@Z
?TossElement@ElementProvider@DirectUI@@UEAAXXZ
?GetElement@ElementProvider@DirectUI@@UEAAPEDVElement@2@XZ
??0ElementProvider@DirectUI@@QEAA@XZ
?CreatePatternProvider@Schema@DirectUI@@SAJW4Pattern@12@PEAVElementProvider@2@PEAPEAUIUnknown@@@Z
?IsPatternSupported@ElementProxy@DirectUI@@IEAAJW4Pattern@Schema@2@PEA_N@Z
?Init@ElementProxy@DirectUI@@MEAAXPEAVElement@2@@Z
?DoMethod@ElementProxy@DirectUI@@UEAAJHPEAD@Z
?GetProperty@ElementProxy@DirectUI@@IEAAJPEAUtagVARIANT@@H@Z
??1ElementProvider@DirectUI@@UEAA@XZ
?Release@ElementProvider@DirectUI@@UEAAKXZ
?Init@ElementProvider@DirectUI@@MEAAJPEAVElement@2@PEAVInvokeHelper@2@@Z
??1AutoLock@DirectUI@@QEAA@XZ
??0AutoLock@DirectUI@@QEAA@PEAU_RTL_CRITICAL_SECTION@@@Z
?DoInvoke@ElementProvider@DirectUI@@IEAAJHZZ
?PatternFromPatternId@Schema@DirectUI@@SA?AW4Pattern@12@H@Z
?GetForegroundColorRef@RichText@DirectUI@@UEAAJPEAK@Z
?GetClassInfoW@RichText@DirectUI@@UEAAPEAUIClassInfo@2@XZ
?OnHosted@RichText@DirectUI@@UEAAXPEAVElement@2@@Z
?Paint@RichText@DirectUI@@UEAAXPEAUHDC__@@PEBUtagRECT@@1PEAU4@2@Z
?OnEvent@RichText@DirectUI@@UEAAXPEAUEvent@2@@Z
?OnPropertyChanged@RichText@DirectUI@@UEAAXPEBUPropertyInfo@2@HPEAVValue@2@1@Z
??1RichText@DirectUI@@UEAA@XZ
??0RichText@DirectUI@@QEAA@XZ
?Initialize@RichText@DirectUI@@QEAAJPEAVElement@2@PEAK@Z
?SetDWriteFontCollection@RichText@DirectUI@@QEAAXPEAUIDWriteFontCollection@@@Z
?SetBackgroundColor@Element@DirectUI@@QEAAJK@Z
?SetLineSpacing@RichText@DirectUI@@QEAAJH@Z
?SetConstrainLayout@RichText@DirectUI@@QEAAJH@Z
?SetBaseline@RichText@DirectUI@@QEAAJH@Z
?GetContentAlign@Element@DirectUI@@QEAAHXZ
?SetContentAlign@Element@DirectUI@@QEAAJH@Z
?SetOverhang@Element@DirectUI@@QEAAJ_N@Z
?GetRawValue@Element@DirectUI@@QEAAPEAVValue@2@PEBUPropertyInfo@2@HPEAUUpdateCache@2@@Z
?GetElementScaledInt@Value@DirectUI@@QEAAHPEAVElement@2@@Z
?LineSpacingProp@RichText@DirectUI@@SAPEBUPropertyInfo@2@XZ
?GetContentSize@RichText@DirectUI@@UEAA?AUtagSIZE@@HHPEAVSurface@2@@Z
?CreateGraphic@Value@DirectUI@@SAPEAV12@PEBGGGPEAUHINSTANCE__@@_N2@Z
?HeightProp@Element@DirectUI@@SAPEBUPropertyInfo@2@XZ
?GetUnset@Value@DirectUI@@SAPEAV12@XZ
?WidthProp@Element@DirectUI@@SAPEBUPropertyInfo@2@XZ
?GetWidth@Element@DirectUI@@QEAAHXZ
?DestroyAll@Element@DirectUI@@QEAAJ_N@Z
??1AccessibleButton@DirectUI@@UEAA@XZ
?OnReceivedDialogFocus@Button@DirectUI@@UEAA_NPEAUIDialogElement@2@@Z
?OnLostDialogFocus@Button@DirectUI@@UEAA_NPEAUIDialogElement@2@@Z
?DefaultAction@Button@DirectUI@@UEAAJXZ
?OnPropertyChanged@AccessibleButton@DirectUI@@UEAAXPEBUPropertyInfo@2@HPEAVValue@2@1@Z
??0AccessibleButton@DirectUI@@QEAA@XZ
?GetClassInfoPtr@AccessibleButton@DirectUI@@SAPEAUIClassInfo@2@XZ
?Initialize@AccessibleButton@DirectUI@@QEAAJPEAVElement@2@PEAK@Z
?Register@AccessibleButton@DirectUI@@SAJXZ
?Create@BorderLayout@DirectUI@@SAJPEAPEAVLayout@2@@Z
?Create@ModernProgressRing@DirectUI@@SAJPEAVElement@2@PEAKPEAPEAV32@@Z
?IDProp@Element@DirectUI@@SAPEBUPropertyInfo@2@XZ
?CreateAtom@Value@DirectUI@@SAPEAV12@G@Z
?Create@FlowLayout@DirectUI@@SAJ_NIIIPEAPEAVLayout@2@@Z
?ClassProp@Element@DirectUI@@SAPEBUPropertyInfo@2@XZ
?SetTreatRightMouseButtonAsLeft@TouchButton@DirectUI@@QEAAJ_N@Z
?SetHandleEnter@TouchButton@DirectUI@@QEAAJ_N@Z
?Create@TouchButton@DirectUI@@SAJIPEAVElement@2@PEAKPEAPEAV32@@Z
?GetHeight@Element@DirectUI@@QEAAHXZ
?PressedProp@TouchButton@DirectUI@@SAPEBUPropertyInfo@2@XZ
?Click@TouchButton@DirectUI@@SA?AVUID@@XZ
?Context@Button@DirectUI@@SA?AVUID@@XZ
?GetBoolFalse@Value@DirectUI@@SAPEAV12@XZ
GetScaleFactor
?GetBorderThickness@Element@DirectUI@@QEAAPEBUtagRECT@@PEAPEAVValue@2@@Z
?OnInput@Button@DirectUI@@UEAAXPEAUInputEvent@2@@Z
?GetPressed@Button@DirectUI@@QEAA_NXZ
?GetCaptured@Button@DirectUI@@QEAA_NXZ
?SetCaptured@Button@DirectUI@@QEAAJ_N@Z
?CreateBool@Value@DirectUI@@SAPEAV12@_N@Z
?PressedProp@Button@DirectUI@@SAPEBUPropertyInfo@2@XZ
?SetPressed@Button@DirectUI@@QEAAJ_N@Z
?GetClassInfoPtr@ModernProgressRing@DirectUI@@SAPEAUIClassInfo@2@XZ
?Create@ElementProvider@DirectUI@@SAJPEAVElement@2@PEAVInvokeHelper@2@PEAPEAV12@@Z
?Create@HWNDElementProvider@DirectUI@@SAJPEAVHWNDElement@2@PEAVInvokeHelper@2@PEAPEAV12@@Z
?Find@ElementProviderManager@DirectUI@@SAPEAVElementProvider@2@PEAVElement@2@@Z
?GetInvokeHelper@InvokeManager@DirectUI@@SAJPEAPEAVInvokeHelper@2@@Z
?SetY@Element@DirectUI@@QEAAJH@Z
?Create@VerticalFlowLayout@DirectUI@@SAJ_NIIIPEAPEAVLayout@2@@Z
?LayoutPosProp@Element@DirectUI@@SAPEBUPropertyInfo@2@XZ
?SetAccRole@Element@DirectUI@@QEAAJH@Z
?GetAccName@Element@DirectUI@@QEAAPEBGPEAPEAVValue@2@@Z
?SetPasswordCharacter@TouchEditBase@DirectUI@@QEAAJH@Z
?SetMaxLength@TouchEditBase@DirectUI@@QEAAJH@Z
?Create@TouchEdit2@DirectUI@@SAJPEAVElement@2@PEAKPEAPEAV32@@Z
?SetLayout@Element@DirectUI@@QEAAJPEAVLayout@2@@Z
?Create@FillLayout@DirectUI@@SAJPEAPEAVLayout@2@@Z
?SetInputScope@TouchEdit2@DirectUI@@QEAAJW4__MIDL___MIDL_itf_inputscope_0000_0000_0001@@@Z
?Enter@TouchEditBase@DirectUI@@SA?AVUID@@XZ
?Paste@TouchEditBase@DirectUI@@SA?AVUID@@XZ
?SetCaretPosition@TouchEdit2@DirectUI@@QEAAJJ@Z
?GetSelection@TouchEdit2@DirectUI@@QEAAJPEAJ0@Z
?GetEncodedContentString@Element@DirectUI@@QEAAJPEAG_K@Z
?KeyWithinProp@Element@DirectUI@@SAPEBUPropertyInfo@2@XZ
?GetIntZero@Value@DirectUI@@SAPEAV12@XZ
?CreateInt@Value@DirectUI@@SAPEAV12@HW4DynamicScaleValue@@@Z
?SetAccDesc@Element@DirectUI@@QEAAJPEBG@Z
?SetAccName@Element@DirectUI@@QEAAJPEBG@Z
UnicodeToMultiByte
?Register@Element@DirectUI@@SAJXZ
?CreateInstance@CSafeElementProxy@@SAJPEAVElement@DirectUI@@PEAPEAV1@@Z
?GetFactory@RichText@DirectUI@@QEAAPEAUIDWriteFactory@@XZ
?Create@RichText@DirectUI@@SAJPEAVElement@2@PEAKPEAPEAV32@@Z
?GetContentString@Element@DirectUI@@QEAAPEBGPEAPEAVValue@2@@Z
?Add@Element@DirectUI@@QEAAJPEAV12@@Z
?RemoveAll@Element@DirectUI@@QEAAJXZ
?SetEnabled@Element@DirectUI@@QEAAJ_N@Z
?IsRoot@Element@DirectUI@@QEAAHXZ
?SetActive@Element@DirectUI@@QEAAJH@Z
?ContentProp@Element@DirectUI@@SAPEBUPropertyInfo@2@XZ
?SetContentString@Element@DirectUI@@QEAAJPEBG@Z
?SetID@Element@DirectUI@@QEAAJPEBG@Z
?BackgroundProp@Element@DirectUI@@SAPEBUPropertyInfo@2@XZ
?SetBackgroundStdColor@Element@DirectUI@@QEAAJH@Z
?Click@Button@DirectUI@@SA?AVUID@@XZ
?GetClass@Element@DirectUI@@QEAAPEBGPEAPEAVValue@2@@Z
?GetClassInfoPtr@Element@DirectUI@@SAPEAUIClassInfo@2@XZ
?GetClassInfoW@Element@DirectUI@@UEAAPEAUIClassInfo@2@XZ
?Detach@CSafeElementProxy@@QEAAXXZ
?GetRoot@Element@DirectUI@@QEAAPEAV12@XZ
?GetClassInfoPtr@HWNDElement@DirectUI@@SAPEAUIClassInfo@2@XZ
?GetChildren@Element@DirectUI@@QEAAPEAV?$DynamicArray@PEAVElement@DirectUI@@$0A@@2@PEAPEAVValue@2@@Z
?OnPropertyChanged@Element@DirectUI@@UEAAXPEBUPropertyInfo@2@HPEAVValue@2@1@Z
?FireEvent@Element@DirectUI@@QEAAXPEAUEvent@2@_N1@Z
??0CritSecLock@DirectUI@@QEAA@PEAU_RTL_CRITICAL_SECTION@@@Z
??1CritSecLock@DirectUI@@QEAA@XZ
?QueryInterface@Element@DirectUI@@UEAAJAEBU_GUID@@PEAPEAX@Z
?UpdateTooltip@Element@DirectUI@@MEAAXPEAV12@@Z
?ActivateTooltip@Element@DirectUI@@MEAAXPEAV12@K@Z
?RemoveTooltip@Element@DirectUI@@MEAAXPEAV12@@Z
?GetClassInfoPtr@TouchHWNDElement@DirectUI@@SAPEAUIClassInfo@2@XZ
?CreateString@Value@DirectUI@@SAPEAV12@PEBGPEAUHINSTANCE__@@@Z
?GetStringNull@Value@DirectUI@@SAPEAV12@XZ
??0ClassInfoBase@DirectUI@@QEAA@XZ
??1ClassInfoBase@DirectUI@@UEAA@XZ
?Initialize@ClassInfoBase@DirectUI@@QEAAJPEAUHINSTANCE__@@PEBG_NPEBQEBUPropertyInfo@2@I@Z
?Register@ClassInfoBase@DirectUI@@QEAAJXZ
?ClassExist@ClassInfoBase@DirectUI@@SA_NPEAPEAUIClassInfo@2@PEBQEBUPropertyInfo@2@IPEAU32@PEAUHINSTANCE__@@PEBG_N@Z
?AddRef@ClassInfoBase@DirectUI@@UEAAXXZ
?Release@ClassInfoBase@DirectUI@@UEAAHXZ
?EnumPropertyInfo@ClassInfoBase@DirectUI@@UEAAPEBUPropertyInfo@2@I@Z
?GetByClassIndex@ClassInfoBase@DirectUI@@UEAAPEBUPropertyInfo@2@I@Z
?GetPICount@ClassInfoBase@DirectUI@@UEBAIXZ
?GetGlobalIndex@ClassInfoBase@DirectUI@@UEBAIXZ
?GetName@ClassInfoBase@DirectUI@@UEBAPEBGXZ
?IsValidProperty@ClassInfoBase@DirectUI@@UEBA_NPEBUPropertyInfo@2@@Z
?IsSubclassOf@ClassInfoBase@DirectUI@@UEBA_NPEAUIClassInfo@2@@Z
?GetModule@ClassInfoBase@DirectUI@@UEBAPEAUHINSTANCE__@@XZ
?IsGlobal@ClassInfoBase@DirectUI@@UEBA_NXZ
?AddChild@ClassInfoBase@DirectUI@@UEAAXXZ
?RemoveChild@ClassInfoBase@DirectUI@@UEAAXXZ
?GetChildren@ClassInfoBase@DirectUI@@UEBAHXZ
?AssertPIZeroRef@ClassInfoBase@DirectUI@@UEBAXXZ
??0Element@DirectUI@@QEAA@XZ
??1Element@DirectUI@@UEAA@XZ
?Initialize@Element@DirectUI@@QEAAJIPEAV12@PEAK@Z
?GetValue@Element@DirectUI@@QEAAPEAVValue@2@P6APEBUPropertyInfo@2@XZHPEAUUpdateCache@2@@Z
?SetValue@Element@DirectUI@@QEAAJP6APEBUPropertyInfo@2@XZHPEAVValue@2@@Z
?OnGroupChanged@Element@DirectUI@@UEAAXH_N@Z
?OnInput@Element@DirectUI@@UEAAXPEAUInputEvent@2@@Z
?OnKeyFocusMoved@Element@DirectUI@@UEAAXPEAV12@0@Z
?OnDestroy@Element@DirectUI@@UEAAXXZ
?BroadcastEvent@Element@DirectUI@@QEAAXPEAUEvent@2@@Z
?OnEvent@Element@DirectUI@@UEAAXPEAUEvent@2@@Z
?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z
?RemoveListener@Element@DirectUI@@QEAAXPEAUIElementListener@2@@Z
?MessageCallback@Element@DirectUI@@UEAAIPEAUtagGMSG@@@Z
?_PostEvent@Element@DirectUI@@AEAAXPEAUEvent@2@H@Z
?GetFactoryLock@Element@DirectUI@@SAPEAU_RTL_CRITICAL_SECTION@@XZ
?GetAccessibleImpl@Element@DirectUI@@UEAAJPEAPEAUIAccessible@@@Z
?SyncDestroyWindow@NativeHWNDHost@DirectUI@@QEAAXXZ
UnInitThread
UnInitProcessPriv
?Destroy@NativeHWNDHost@DirectUI@@QEAAXXZ
??0NativeHWNDHost@DirectUI@@QEAA@XZ
?GetAccessibleImpl@HWNDElement@DirectUI@@UEAAJPEAPEAUIAccessible@@@Z
?GetWindowClassNameAndStyle@HWNDElement@DirectUI@@UEAAXPEAPEBGPEAI@Z
?CreateStyleParser@HWNDElement@DirectUI@@UEAAJPEAPEAVDUIXmlParser@2@@Z
?OnCompositionChanged@HWNDElement@DirectUI@@UEAAXXZ
?OnWmSettingChanged@HWNDElement@DirectUI@@UEAAX_K_J@Z
?OnWmThemeChanged@HWNDElement@DirectUI@@UEAAX_K_J@Z
?OnGetDlgCode@HWNDElement@DirectUI@@UEAAXPEAUtagMSG@@PEA_J@Z
?OnNoChildWithShortcutFound@HWNDElement@DirectUI@@UEAAXPEAUKeyboardEvent@2@@Z
?OnImmersiveColorSchemeChanged@HWNDElement@DirectUI@@UEAAXXZ
?OnThemeChanged@HWNDElement@DirectUI@@UEAAXPEAUThemeChangedEvent@2@@Z
?OnGroupChanged@HWNDElement@DirectUI@@UEAAXH_N@Z
?Host@NativeHWNDHost@DirectUI@@QEAAXPEAVElement@2@@Z
?GetClassInfoPtr@TouchButton@DirectUI@@SAPEAUIClassInfo@2@XZ
StrToID
?GetUiaFocusDelegate@Element@DirectUI@@UEAAPEAV12@XZ
?HandleUiaEventListener@Element@DirectUI@@UEAAXPEAUEvent@2@@Z
?HandleUiaPropertyChangingListener@Element@DirectUI@@UEAAXPEBUPropertyInfo@2@@Z
?HandleUiaPropertyListener@Element@DirectUI@@UEAAXPEBUPropertyInfo@2@HPEAVValue@2@1@Z
?HandleUiaDestroyListener@Element@DirectUI@@UEAAXXZ
?GetElementProviderImpl@Element@DirectUI@@UEAAJPEAVInvokeHelper@2@PEAPEAVElementProvider@2@@Z
?GetUIAElementProvider@Element@DirectUI@@UEAAJAEBU_GUID@@PEAPEAX@Z
?DefaultAction@Element@DirectUI@@UEAAJXZ
?OnUnHosted@Element@DirectUI@@MEAAXPEAV12@@Z
?OnHosted@Element@DirectUI@@MEAAXPEAV12@@Z
?_SelfLayoutUpdateDesiredSize@Element@DirectUI@@MEAA?AUtagSIZE@@HHPEAVSurface@2@@Z
?_SelfLayoutDoLayout@Element@DirectUI@@MEAAXHH@Z
?GetImmersiveFocusRectOffsets@Element@DirectUI@@UEAAXPEAUtagRECT@@@Z
?RemoveBehavior@Element@DirectUI@@UEAAJPEAUIDuiBehavior@@@Z
?AddBehavior@Element@DirectUI@@UEAAJPEAUIDuiBehavior@@@Z
?SetKeyFocus@Element@DirectUI@@UEAAXXZ
?EnsureVisible@Element@DirectUI@@UEAA_NHHHH@Z
?GetAdjacent@Element@DirectUI@@UEAAPEAV12@PEAV12@HPEBUNavReference@2@K@Z
?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z
?Remove@Element@DirectUI@@UEAAJPEAPEAV12@I@Z
?Insert@Element@DirectUI@@UEAAJPEAPEAV12@II@Z
?Add@Element@DirectUI@@UEAAJPEAPEAV12@I@Z
?GetContentSize@Element@DirectUI@@UEAA?AUtagSIZE@@HHPEAVSurface@2@@Z
?Paint@Element@DirectUI@@UEAAXPEAUHDC__@@PEBUtagRECT@@1PEAU4@2@Z
?OnMouseFocusMoved@Element@DirectUI@@UEAAXPEAV12@0@Z
?OnPropertyChanged@Element@DirectUI@@UEAAXPEAUPropertyInfo@2@HPEAVValue@2@1@Z
?OnPropertyChanging@Element@DirectUI@@UEAA_NPEAUPropertyInfo@2@HPEAVValue@2@1@Z
?OnPropertyChanging@Element@DirectUI@@UEAA_NPEBUPropertyInfo@2@HPEAVValue@2@1@Z
?GetContentStringAsDisplayed@Element@DirectUI@@UEAAPEBGPEAPEAVValue@2@@Z
?EndDefer@Element@DirectUI@@QEAAXK@Z
?StartDefer@Element@DirectUI@@QEAAXPEAK@Z
?Destroy@Element@DirectUI@@QEAAJ_N@Z
?Create@Element@DirectUI@@SAJIPEAV12@PEAKPEAPEAV12@@Z
?CreateElement@DUIXmlParser@DirectUI@@QEAAJPEBGPEAVElement@2@1PEAKPEAPEAV32@@Z
?SetXMLFromResource@DUIXmlParser@DirectUI@@QEAAJIPEAUHINSTANCE__@@0@Z
?Destroy@DUIXmlParser@DirectUI@@QEAAXXZ
?Create@DUIXmlParser@DirectUI@@SAJPEAPEAV12@P6APEAVValue@2@PEBGPEAX@Z2P6AX11H2@Z2@Z
?_OnUIStateChanged@TouchHWNDElement@DirectUI@@MEAAXGG@Z
??1TouchHWNDElement@DirectUI@@UEAA@XZ
??0TouchHWNDElement@DirectUI@@QEAA@XZ
?DismissIHMAsync@TouchHWNDElement@DirectUI@@QEAAJXZ
?OnDestroy@TouchHWNDElement@DirectUI@@UEAAXXZ
?IsMSAAEnabled@TouchHWNDElement@DirectUI@@UEAA_NXZ
?WndProc@TouchHWNDElement@DirectUI@@UEAA_JPEAUHWND__@@I_K_J@Z
?OnPropertyChanged@TouchHWNDElement@DirectUI@@UEAAXPEBUPropertyInfo@2@HPEAVValue@2@1@Z
?OnKeyFocusMoved@TouchHWNDElement@DirectUI@@UEAAXPEAVElement@2@0@Z
?OnEvent@TouchHWNDElement@DirectUI@@UEAAXPEAUEvent@2@@Z
?OnInput@TouchHWNDElement@DirectUI@@UEAAXPEAUInputEvent@2@@Z
?MessageCallback@TouchHWNDElement@DirectUI@@UEAAIPEAUtagGMSG@@@Z
?Initialize@TouchHWNDElement@DirectUI@@QEAAJPEAUHWND__@@_NIPEAVElement@2@PEAK@Z
?SetFlags@TouchHWNDElement@DirectUI@@QEAAJW4TouchHWNDElementFlags@2@0@Z
?GetClassInfoW@TouchHWNDElement@DirectUI@@UEAAPEAUIClassInfo@2@XZ
?RemoveTooltip@TouchHWNDElement@DirectUI@@UEAAXPEAVElement@2@@Z
?ActivateTooltip@TouchHWNDElement@DirectUI@@UEAAXPEAVElement@2@K@Z
?Initialize@NativeHWNDHost@DirectUI@@QEAAJPEBG0PEAUHWND__@@PEAUHICON__@@HHHHHHPEAUHINSTANCE__@@I@Z
?GetHWND@HWNDElement@DirectUI@@UEAAPEAUHWND__@@XZ
?CanSetFocus@HWNDElement@DirectUI@@UEAA_NXZ
?SetFont@Element@DirectUI@@QEAAJPEBG@Z
?SetAccessible@Element@DirectUI@@QEAAJ_N@Z
?SetLayoutPos@Element@DirectUI@@QEAAJH@Z
?SetHeight@Element@DirectUI@@QEAAJH@Z
?SetVisible@Element@DirectUI@@QEAAJ_N@Z
?GetKeyFocused@Element@DirectUI@@UEAA_NXZ
?GetFontQuality@Element@DirectUI@@QEAAHXZ
?GetFontWeight@Element@DirectUI@@QEAAHXZ
?GetFontSize@Element@DirectUI@@QEAAHXZ
?GetFontFace@Element@DirectUI@@QEAAPEBGPEAPEAVValue@2@@Z
?IsContentProtected@Element@DirectUI@@UEAA_NXZ
?IsRTLReading@Element@DirectUI@@UEAA_NXZ
?Release@Value@DirectUI@@QEAAXXZ
InitProcessPriv
InitThread
?CreateHostWindow@NativeHWNDHost@DirectUI@@UEAAPEAUHWND__@@KPEBG0KHHHHPEAU3@PEAUHMENU__@@PEAUHINSTANCE__@@PEAX@Z
??1NativeHWNDHost@DirectUI@@UEAA@XZ

duser

DeleteHandle
MapGadgetPoints
CreateAction
GetGadgetRect
InvalidateGadget
DUserSendEvent
InitGadgets
DUserPostEvent
DrawGadgetTree

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Sections

.text
Size: 111KB - Virtual size: 111KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 71KB - Virtual size: 70KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 104B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 3.6MB - Virtual size: 3.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
新建文件夹 (3)/browcli.dll
.dll windows x64

e19ae1659910175ee4ac72ae65b5c5d5

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

wcsncpy_s
_itow_s
strcpy_s
_wcsnicmp
??1type_info@@UEAA@XZ
qsort
wcscpy_s
strchr
wcscat_s
??3@YAXPEAX@Z
isdigit
memcpy
_initterm
malloc
free
_amsg_exit
_XcptFilter
_wcsicmp
__RTDynamicCast
__C_specific_handler
memset

rpcrt4

RpcBindingFromStringBindingW
NdrClientCall3
I_RpcExceptionFilter
RpcStringBindingComposeW
RpcBindingFree
RpcStringFreeW

api-ms-win-core-libraryloader-l1-2-0

LoadLibraryExW
FreeLibrary
GetProcAddress
DisableThreadLibraryCalls

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-rtlsupport-l1-1-0

RtlLookupFunctionEntry
RtlCaptureContext
RtlVirtualUnwind

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetLastError

api-ms-win-core-processthreads-l1-1-0

GetCurrentThreadId
GetCurrentProcessId
TerminateProcess
GetCurrentProcess

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetTickCount
GetComputerNameExW

api-ms-win-core-synch-l1-1-0

CreateEventW
WaitForSingleObjectEx

api-ms-win-core-handle-l1-1-0

CloseHandle

ntdll

RtlInitializeResource
RtlGetLastNtStatus
RtlNtStatusToDosError
RtlInitAnsiString
RtlxUnicodeStringToOemSize
RtlUnicodeToOemN
RtlOemStringToUnicodeString
NtImpersonateAnonymousToken
NtSetInformationThread
NtFsControlFile
NtOpenThreadToken
NtCreateFile
RtlAcquireResourceExclusive
RtlReleaseResource
RtlDeleteResource
NtOpenFile
NtDeviceIoControlFile
RtlCopyUnicodeString
NtClose
RtlInitUnicodeString

api-ms-win-core-heap-l2-1-0

LocalAlloc
LocalFree
LocalReAlloc

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-heap-obsolete-l1-1-0

LocalSize

api-ms-win-core-timezone-l1-1-0

GetTimeZoneInformation

Exports

Exports

I_BrowserDebugCall
I_BrowserDebugTrace
I_BrowserQueryEmulatedDomains
I_BrowserQueryOtherDomains
I_BrowserQueryStatistics
I_BrowserResetNetlogonState
I_BrowserResetStatistics
I_BrowserServerEnum
I_BrowserSetNetlogonState
NetBrowserStatisticsGet
NetServerEnum
NetServerEnumEx

Sections

.text
Size: 36KB - Virtual size: 36KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 120B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 332B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
新建文件夹 (3)/browseui.dll
.dll windows x64

d21f89594675bbd0f8f499eaaaa143fd

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

__C_specific_handler
_initterm
malloc
free
_amsg_exit
_XcptFilter
memcpy
_wcsicmp
memcmp
memset

api-ms-win-core-libraryloader-l1-2-0

DisableThreadLibraryCalls

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-0

GetCurrentThreadId
GetCurrentProcessId
TerminateProcess
GetCurrentProcess

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetTickCount

api-ms-win-core-rtlsupport-l1-1-0

RtlLookupFunctionEntry
RtlVirtualUnwind
RtlCaptureContext

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
SetUnhandledExceptionFilter

Exports

Exports

DllGetVersion

Sections

.text
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 360B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 28B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

174830160c3729cf56cae35b0101c7d5

Code Sign

33:00:00:01:c4:22:b2:f7:9b:79:3d:ac:b2:00:00:00:00:01:c4Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

7a:12:a1:7b:7c:d7:ed:3f:71:45:57:82:9e:9d:69:f0:84:29:4c:a0:6c:03:04:80:85:2f:83:89:87:a2:90:36Signer

Signature Validations

Verification

09/09/2022, 12:36 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

ntoskrnl.exe

Exports

Exports

Sections

.text Size: 7KB - Virtual size: 7KB

.rdata Size: 5KB - Virtual size: 4KB

.data Size: 512B - Virtual size: 80B

.pdata Size: 512B - Virtual size: 240B

.edata Size: 512B - Virtual size: 366B

INIT Size: 512B - Virtual size: 204B

.rsrc Size: 1024B - Virtual size: 1008B

.reloc Size: 512B - Virtual size: 20B

4d30b5857a7c4e7cd720c1d59bfa3e88

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

bcrypt

cabinet

api-ms-win-core-synch-l1-2-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-file-l1-2-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-firmware-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

rpcrt4

api-ms-win-core-io-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-file-l2-1-0

api-ms-win-core-synch-l1-2-1

api-ms-win-core-memory-l1-1-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-registry-l2-1-0

api-ms-win-core-kernel32-legacy-l1-1-0

bootux

ntdll

reagent

user32

uxtheme

kernel32

advapi32

wdscore

crypt32

version

api-ms-win-core-string-l2-1-0

Exports

33:00:00:01:c4:22:b2:f7:9b:79:3d:ac:b2:00:00:00:00:01:c4
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

7a:12:a1:7b:7c:d7:ed:3f:71:45:57:82:9e:9d:69:f0:84:29:4c:a0:6c:03:04:80:85:2f:83:89:87:a2:90:36
Signer

09/09/2022, 12:36
Valid: false

.text
Size: 7KB - Virtual size: 7KB

.rdata
Size: 5KB - Virtual size: 4KB

.data
Size: 512B - Virtual size: 80B

.pdata
Size: 512B - Virtual size: 240B

.edata
Size: 512B - Virtual size: 366B

INIT
Size: 512B - Virtual size: 204B

.rsrc
Size: 1024B - Virtual size: 1008B

.reloc
Size: 512B - Virtual size: 20B

.text
Size: 507KB - Virtual size: 507KB

.rdata
Size: 114KB - Virtual size: 113KB

.data
Size: 1KB - Virtual size: 6KB

.pdata
Size: 15KB - Virtual size: 14KB

.didat
Size: 512B - Virtual size: 64B

.rsrc
Size: 1024B - Virtual size: 1008B

.reloc
Size: 1KB - Virtual size: 1KB

.text
Size: 265KB - Virtual size: 264KB

.rdata
Size: 60KB - Virtual size: 59KB

.data
Size: 13KB - Virtual size: 15KB

.pdata
Size: 8KB - Virtual size: 7KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 1024B - Virtual size: 960B

.text
Size: 8KB - Virtual size: 8KB

.data
Size: 512B - Virtual size: 208B

.rdata
Size: 2KB - Virtual size: 2KB

.pdata
Size: 1024B - Virtual size: 672B

.xdata
Size: 1024B - Virtual size: 548B

.bss
Size: - Virtual size: 2KB

.idata
Size: 2KB - Virtual size: 2KB

.CRT
Size: 512B - Virtual size: 104B

.tls
Size: 512B - Virtual size: 16B

.rsrc
Size: 1024B - Virtual size: 608B

/4
Size: 512B - Virtual size: 80B

/19
Size: 8KB - Virtual size: 7KB

/31
Size: 512B - Virtual size: 329B

/45
Size: 1024B - Virtual size: 546B

/57
Size: 512B - Virtual size: 72B

/70
Size: 512B - Virtual size: 155B