c65db79c06ec34cb508a58de5ffaac09baaf857e2d8b9ee84fdf424bc893e395

Sharing

Copy URL

Twitter E-mail

General

Target

c65db79c06ec34cb508a58de5ffaac09baaf857e2d8b9ee84fdf424bc893e395
Size

420KB
MD5

412a93d899b070fa9c9d50aba888dac9
SHA1

725bd4c811dd6f778e1826ca541ce07d29a58d45
SHA256

c65db79c06ec34cb508a58de5ffaac09baaf857e2d8b9ee84fdf424bc893e395
SHA512

b75f0360f4a0d9819404a923cff19f195b10189b8c65f95daa87a7b2d9bd5bf550d14ad33cc68d86f4ac3f317258d589794985d1a07c8601d3e5a49edf314097
SSDEEP

6144:yQ6X3bJtmz+djj+ftcqG+XsmMsqSGve8b4yAMHbsYkhUj6un7gA6jDDokoOimGe8:76XvZmftc6cB/becchOn8Do5O//mV

Score

N/A

Malware Config

Signatures

Files

c65db79c06ec34cb508a58de5ffaac09baaf857e2d8b9ee84fdf424bc893e395
.rar
amd64_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_10.0.22621.1_en-us_9159509e128e5a0f/netlogon.dll.mui
.dll windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.rdata
Size: 512B - Virtual size: 224B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 11KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
amd64_microsoft-windows-s..k-transformers-core_31bf3856ad364e35_10.0.22621.1_none_cdc9665fc92f3e34/PrimitiveTransformers.dll
.dll windows x64

f1eb699179f75ef115609a7295722f37

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02-09-2021 18:23

Not After

01-09-2022 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

66:d6:01:4e:18:1c:0c:40:b3:86:a7:e2:e9:df:e5:a3:0b:18:c1:80:34:fe:54:82:00:61:85:2c:16:b1:53:52
Signer

Actual PE Digest

66:d6:01:4e:18:1c:0c:40:b3:86:a7:e2:e9:df:e5:a3:0b:18:c1:80:34:fe:54:82:00:61:85:2c:16:b1:53:52

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

23-09-2022 10:35
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

__C_specific_handler
memcpy
_initterm
_amsg_exit
_XcptFilter
_callnewh
malloc
free
memcmp
memset

api-ms-win-core-libraryloader-l1-1-0

DisableThreadLibraryCalls

api-ms-win-core-synch-l1-1-0

DeleteCriticalSection
InitializeCriticalSection

api-ms-win-core-heap-l1-1-0

HeapDestroy

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-0

GetCurrentThreadId
GetCurrentProcessId
TerminateProcess
GetCurrentProcess

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime

api-ms-win-core-rtlsupport-l1-1-0

RtlVirtualUnwind
RtlCaptureContext
RtlLookupFunctionEntry

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
UnhandledExceptionFilter

ntdll

RtlRaiseStatus

wcp

?RtlTraceFormat_PCULONG@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z
?RtlTraceFormat_PCLUNICODE_STRING_AsLiteralString@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z
RtlSplitLUnicodeString
?RtlTraceVa@Rtl@WCP@Windows@@YAXKKPEAU_RTL_TRACING_FACILITY@123@QEBD_KPEAD@Z
RtlHashLUnicodeString
RtlReallocateLUnicodeString
RtlDecodeUtf16LE
RtlFreeLBlob
RtlAllocateLBlob
RtlDuplicateLUnicodeString
RtlCombineNtPathSegments
RtlSplitNtPath
RtlFreeLUnicodeString
RtlReportErrorOrigination
ConvertNtStatusToHResult
?GetNtRegistryPathParameter@Rtl@Transformers@WCP@Windows@@YAJKPEAUICSITransformerServices@@AEBU_LUNICODE_STRING@@PEAV?$Auto@U_LUNICODE_STRING@@@4@PEAKK@Z
?GetLUnicodeParameter@Rtl@Transformers@WCP@Windows@@YAJKPEAUICSITransformerServices@@AEBU_LUNICODE_STRING@@PEAV?$Auto@U_LUNICODE_STRING@@@4@PEAK@Z
?GetNtFilePathParameter@Rtl@Transformers@WCP@Windows@@YAJKPEAUICSITransformerServices@@AEBU_LUNICODE_STRING@@PEAV?$Auto@U_LUNICODE_STRING@@@4@PEAKK@Z

Exports

Exports

DllCanUnloadNow
DllCsiGetHandler

Sections

.text
Size: 56KB - Virtual size: 53KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 16KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 168B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
amd64_microsoft-windows-s..l-classextension-v2_31bf3856ad364e35_10.0.22621.1_none_9f774da15d91b69c/SerCx2.sys
.exe windows x64

3abd6362fd1c22f094e090fca82765d2

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02-09-2021 18:23

Not After

01-09-2022 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

6a:14:6d:36:9c:02:56:e2:63:43:59:aa:b0:0c:e1:a0:50:5e:1a:13:70:39:05:25:5e:a8:be:c1:89:2b:48:60
Signer

Actual PE Digest

6a:14:6d:36:9c:02:56:e2:63:43:59:aa:b0:0c:e1:a0:50:5e:1a:13:70:39:05:25:5e:a8:be:c1:89:2b:48:60

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

23-09-2022 10:35
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

ObGetObjectSecurity
ObSetSecurityObjectByPointer
ObReleaseObjectSecurity
_vsnprintf
IofCompleteRequest
IoSetCompletionRoutineEx
ExQueryWnfStateData
PsAttachSiloToCurrentThread
PsGetHostSilo
PsDetachSiloFromCurrentThread
RtlCompareMemory
strncmp
RtlMultiByteToUnicodeN
IoSetDeviceInterfacePropertyData
IoFreeIrp
IoAllocateIrp
PoRegisterPowerSettingCallback
EtwWriteTransfer
KeInitializeEvent
KeSetEvent
KeResetEvent
KeWaitForSingleObject
RtlEqualUnicodeString
RtlUnicodeStringToInteger
DbgPrint
KdRefreshDebuggerNotPresent
KeGetCurrentIrql
EtwActivityIdControl
IoGetDevicePropertyData
IoGetActivityIdIrp
IoSetActivityIdIrp
_vsnwprintf
EtwRegister
ExSubscribeWnfStateChange
ExUnsubscribeWnfStateChange
PoUnregisterPowerSettingCallback
KeQueryDpcWatchdogInformation
ExFreePoolWithTag
ExAllocatePool2
IoReuseIrp
EtwUnregister
DbgPrintEx
RtlCopyUnicodeString
KeAcquireSpinLockRaiseToDpc
KeReleaseSpinLock
KeInitializeSpinLock
IoWMIRegistrationControl
MmGetSystemRoutineAddress
IoCancelIrp
RtlInitUnicodeString

wdfldr.sys

WdfVersionBindClass
WdfLdrQueryInterface
WdfVersionUnbind
WdfRegisterClassLibrary
WdfVersionUnbindClass
WdfVersionBind

wpprecorder.sys

WppAutoLogStop
WppAutoLogStart
imp_WppRecorderReplay
WppAutoLogTrace
imp_WppRecorderLogDelete
imp_WppRecorderLogCreate

Sections

.text
Size: 104KB - Virtual size: 103KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

fothk
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 4KB - Virtual size: 54B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

GFIDS
Size: 4KB - Virtual size: 628B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 20KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
amd64_microsoft-windows-s..l32-kf-commonvideos_31bf3856ad364e35_10.0.22621.1_none_3ddbd50e0239e38c/desktop.ini
amd64_microsoft-windows-s..l32-kf-programfiles_31bf3856ad364e35_10.0.22621.1_none_77314adb26035708/desktop.ini
amd64_microsoft-windows-s..l32-kf-userprofiles_31bf3856ad364e35_10.0.22621.1_none_e57b8f371b57b5b0/desktop.ini
amd64_microsoft-windows-s..llers-onecore-extra_31bf3856ad364e35_10.0.22621.1_none_85708ee1b6f71afc/ConfigureIEOptionalComponentsAI.dll
.dll windows x64

253223832214817555afb773fe3bfa51

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02-09-2021 18:23

Not After

01-09-2022 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

12:42:2a:71:02:a6:5a:1c:23:7d:14:24:4b:c8:3e:f4:f9:28:14:d5:af:3c:f4:e9:01:27:54:b6:d6:08:19:e3
Signer

Actual PE Digest

12:42:2a:71:02:a6:5a:1c:23:7d:14:24:4b:c8:3e:f4:f9:28:14:d5:af:3c:f4:e9:01:27:54:b6:d6:08:19:e3

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

23-09-2022 10:35
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

__C_specific_handler
memcmp
_initterm
_amsg_exit
_XcptFilter
_callnewh
malloc
free
_purecall
memcpy
memset

api-ms-win-core-shlwapi-obsolete-l1-1-0

StrStrIW

api-ms-win-core-heap-obsolete-l1-1-0

LocalFree

api-ms-win-core-libraryloader-l1-1-0

DisableThreadLibraryCalls

api-ms-win-core-synch-l1-1-0

DeleteCriticalSection
InitializeCriticalSection

api-ms-win-core-heap-l1-1-0

HeapDestroy

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-rtlsupport-l1-1-0

RtlCaptureContext
RtlVirtualUnwind
RtlLookupFunctionEntry

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
UnhandledExceptionFilter

api-ms-win-core-processthreads-l1-1-0

GetCurrentThreadId
TerminateProcess
GetCurrentProcess
GetCurrentProcessId

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime

wcp

RtlFreeLUnicodeString
RtlReportErrorOrigination
ConvertNtStatusToHResult
RtlFreeLBlob
?RtlTraceFormat_PCWSTR@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z
RtlDuplicateNullTerminatedStringToLUnicodeString
RtlCombineNtPathSegments
?RtlTraceFormat_PCWSTR_AsLiteralString@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z
?RtlGetFacilityTracingFlags@Rtl@WCP@Windows@@YAKPEAU_RTL_TRACING_FACILITY@123@@Z
?RtlTraceFormat_PCbool@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z
?RtlTraceFormat_PCULONG@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z
?RtlTraceFormat_PCLUNICODE_STRING@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z
?RtlTraceVa@Rtl@WCP@Windows@@YAXKKPEAU_RTL_TRACING_FACILITY@123@QEBD_KPEAD@Z

powrprof

PowerGetActiveScheme
PowerSetActiveScheme

Exports

Exports

DllCanUnloadNow
DllCsiGetHandler

Sections

.text
Size: 28KB - Virtual size: 24KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 20KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 612B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 132B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
amd64_microsoft-windows-s..llers-onecore-extra_31bf3856ad364e35_10.0.22621.1_none_85708ee1b6f71afc/FeatureSettingsOverride.dll
.dll windows x64

1579f21f512fa7ea8dd86380a5832866

Code Sign

33:00:00:03:3b:65:5f:ae:fa:db:75:e9:d6:00:00:00:00:03:3b
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02-09-2021 18:23

Not After

01-09-2022 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

a0:6d:f9:e5:09:74:98:5c:8c:0c:b4:64:bc:4a:a6:b0:88:33:5f:46:16:de:90:e8:c9:8c:63:c8:48:60:eb:7b
Signer

Actual PE Digest

a0:6d:f9:e5:09:74:98:5c:8c:0c:b4:64:bc:4a:a6:b0:88:33:5f:46:16:de:90:e8:c9:8c:63:c8:48:60:eb:7b

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

23-09-2022 10:35
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

memcmp
_wcsicmp
_amsg_exit
_XcptFilter
_callnewh
malloc
free
__C_specific_handler
_wtoi
_initterm
memset

api-ms-win-core-libraryloader-l1-1-0

DisableThreadLibraryCalls

api-ms-win-core-synch-l1-1-0

InitializeCriticalSection
DeleteCriticalSection

api-ms-win-core-heap-l1-1-0

HeapDestroy

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-0

GetCurrentThreadId
GetCurrentProcessId
GetCurrentProcess
TerminateProcess

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime

api-ms-win-core-rtlsupport-l1-1-0

RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
UnhandledExceptionFilter

wcp

RtlFreeLBlob
RtlFreeLUnicodeString
RtlDuplicateLUnicodeString
RtlReportErrorOrigination
ConvertNtStatusToHResult
?RtlTraceFormat_PCULONG@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z
RtlCompareLUnicodeStrings
RtlSplitLUnicodeString
RtlConcatenateLUnicodeStrings
RtlInitLUnicodeStringFromNullTerminatedString
?RtlTraceVa@Rtl@WCP@Windows@@YAXKKPEAU_RTL_TRACING_FACILITY@123@QEBD_KPEAD@Z
?RtlTraceFormat_PCHRESULT@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z
RtlUpcaseUCSCharacter
?RtlTraceFormat_PCLUNICODE_STRING_AsLiteralString@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z

Exports

Exports

DllCanUnloadNow
DllCsiGetHandler

Sections

.text
Size: 20KB - Virtual size: 17KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 16KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 516B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 136B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
amd64_microsoft-windows-s..llers-onecore-extra_31bf3856ad364e35_10.0.22621.1_none_85708ee1b6f71afc/IEFileInstallAI.dll
.dll windows x64

d2b39f1d071f2c58bc0905fc006d7976

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02-09-2021 18:23

Not After

01-09-2022 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

f9:92:28:97:71:f4:7b:f0:bd:04:00:84:de:9b:95:1a:d6:8e:5b:88:bd:79:b2:da:a1:96:41:fb:2b:21:b3:9f
Signer

Actual PE Digest

f9:92:28:97:71:f4:7b:f0:bd:04:00:84:de:9b:95:1a:d6:8e:5b:88:bd:79:b2:da:a1:96:41:fb:2b:21:b3:9f

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

23-09-2022 10:35
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

memcmp
_initterm
_amsg_exit
_XcptFilter
_callnewh
malloc
free
_purecall
__C_specific_handler
_vsnwprintf
_wcsicmp
memset

api-ms-win-core-registry-l2-1-0

RegDeleteKeyW

api-ms-win-core-kernel32-legacy-l1-1-0

MoveFileW
CopyFileW

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
GetLastError
SetUnhandledExceptionFilter

api-ms-win-core-registry-l1-1-0

RegCreateKeyExW
RegSetValueExW
RegCloseKey
RegOpenKeyExW

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetTickCount

api-ms-win-core-file-l1-1-0

DeleteFileW
GetTempFileNameW

api-ms-win-core-file-l2-1-0

MoveFileExW

api-ms-win-security-sddl-l1-1-0

ConvertStringSecurityDescriptorToSecurityDescriptorW

api-ms-win-security-base-l1-1-0

SetFileSecurityW

api-ms-win-core-heap-obsolete-l1-1-0

LocalFree

api-ms-win-core-libraryloader-l1-1-0

DisableThreadLibraryCalls

api-ms-win-core-synch-l1-1-0

InitializeCriticalSection
DeleteCriticalSection

api-ms-win-core-heap-l1-1-0

HeapDestroy

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-0

TerminateProcess
GetCurrentProcess
GetCurrentThreadId
GetCurrentProcessId

api-ms-win-core-rtlsupport-l1-1-0

RtlLookupFunctionEntry
RtlCaptureContext
RtlVirtualUnwind

ntdll

RtlRaiseStatus

wcp

RtlReallocateLUnicodeString
RtlReportErrorOrigination
?RtlTraceFormat_PCBOOLEAN@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z
?RtlTraceFormat_PCLUNICODE_STRING@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z
ConvertNtStatusToHResult
RtlInitLUnicodeStringFromNullTerminatedString
?RtlTraceFormat_PCWSTR@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z
?RtlTraceVa@Rtl@WCP@Windows@@YAXKKPEAU_RTL_TRACING_FACILITY@123@QEBD_KPEAD@Z
?RtlGetFacilityTracingFlags@Rtl@WCP@Windows@@YAKPEAU_RTL_TRACING_FACILITY@123@@Z
RtlCombineNtPathSegments
RtlFreeLUnicodeString

Exports

Exports

DllCanUnloadNow
DllCsiGetHandler

Sections

.text
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 504B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 80B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
amd64_microsoft-windows-s..llers-onecore-extra_31bf3856ad364e35_10.0.22621.1_none_85708ee1b6f71afc/PrintAdvancedInstaller.dll
.dll windows x64

c41cc9c0f10a75c10e504d088eb50da3

Code Sign

33:00:00:03:3b:65:5f:ae:fa:db:75:e9:d6:00:00:00:00:03:3b
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02-09-2021 18:23

Not After

01-09-2022 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

a0:00:88:9f:2d:8e:1d:27:72:10:48:ac:35:d8:30:2c:6e:91:83:9d:9c:d0:4a:11:cc:ed:a2:48:53:ed:11:d1
Signer

Actual PE Digest

a0:00:88:9f:2d:8e:1d:27:72:10:48:ac:35:d8:30:2c:6e:91:83:9d:9c:d0:4a:11:cc:ed:a2:48:53:ed:11:d1

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

23-09-2022 10:35
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

??1type_info@@UEAA@XZ
?terminate@@YAXXZ
__C_specific_handler
memmove_s
memcpy
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@XZ
??1exception@@UEAA@XZ
memcpy_s
_vsnprintf_s
memcmp
memset
_onexit
__dllonexit
_unlock
_lock
__CxxFrameHandler3
_initterm
_amsg_exit
_XcptFilter
_callnewh
malloc
free
_wcsicmp
_wcsnicmp
_vsnwprintf
_purecall
_CxxThrowException
wcscmp

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
GetLastError
SetUnhandledExceptionFilter
SetLastError

api-ms-win-core-libraryloader-l1-1-0

GetModuleFileNameW
GetModuleFileNameA
GetModuleHandleExW
GetModuleHandleW
FreeLibrary
GetProcAddress
DisableThreadLibraryCalls

api-ms-win-core-synch-l1-1-0

ReleaseMutex
WaitForSingleObject
ReleaseSRWLockExclusive
InitializeCriticalSectionEx
LeaveCriticalSection
ReleaseSemaphore
CreateSemaphoreExW
DeleteCriticalSection
CreateEventW
AcquireSRWLockExclusive
WaitForSingleObjectEx
AcquireSRWLockShared
OpenSemaphoreW
ReleaseSRWLockShared
EnterCriticalSection
CreateMutexExW
InitializeCriticalSection

api-ms-win-core-heap-l1-1-0

HeapDestroy
HeapFree
HeapAlloc
GetProcessHeap

api-ms-win-service-management-l1-1-0

OpenServiceW
CloseServiceHandle
OpenSCManagerW

api-ms-win-service-management-l2-1-0

QueryServiceStatusEx

api-ms-win-core-com-l1-1-0

CoUninitialize
CoCreateInstance
CoInitializeEx

api-ms-win-core-registry-l1-1-0

RegQueryValueExW
RegGetValueW
RegEnumKeyExW
RegSetValueExW
RegOpenKeyExW
RegNotifyChangeKeyValue
RegDeleteValueW
RegCloseKey

api-ms-win-core-string-l1-1-0

CompareStringW

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW

api-ms-win-core-sysinfo-l1-1-0

GetTickCount64
GetTickCount
GetSystemTimeAsFileTime
GetVersionExW

api-ms-win-core-file-l1-1-0

FindClose
FindFirstFileW
DeleteFileW
FindNextFileW

api-ms-win-core-shlwapi-obsolete-l1-1-0

SHLoadIndirectString

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-rtlsupport-l1-1-0

RtlVirtualUnwind
RtlCaptureContext
RtlLookupFunctionEntry

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcess
GetCurrentProcessId
TerminateProcess
GetCurrentThreadId

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

oleaut32

SysFreeString
SysAllocString
SysStringLen
VariantClear

ntdll

RtlRaiseStatus

wcp

?RtlTraceFormat_PCHRESULT@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z
RtlInitLUnicodeStringFromNullTerminatedString
ConvertNtStatusToHResult
?RtlTraceVa@Rtl@WCP@Windows@@YAXKKPEAU_RTL_TRACING_FACILITY@123@QEBD_KPEAD@Z
?RtlTraceFormat_PCWSTR@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z
?RtlTraceFormat_PCSTR@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z
RtlReportErrorOrigination
?RtlTraceFormat_PCULONG@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z

setupapi

SetupGetInfDriverStoreLocationW

winspool.drv

DeletePrinterDriverExW
DeletePrinter
EnumPrinterDriversW
AddPrinterW
EnumPrintProcessorsW
ClosePrinter
SetPrinterDataW
OpenPrinterW
UploadPrinterDriverPackageW
InstallPrinterDriverFromPackageW
AddMonitorW
DeletePrinterDriverPackageW
DeleteMonitorW
EnumPortsW
GetPrinterW
EnumPrintersW
SetPrinterW

api-ms-win-eventing-classicprovider-l1-1-0

TraceMessage

api-ms-win-core-kernel32-legacy-l1-1-0

LoadLibraryW

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-debug-l1-1-0

DebugBreak
IsDebuggerPresent
OutputDebugStringW

api-ms-win-core-threadpool-l1-2-0

WaitForThreadpoolTimerCallbacks
CreateThreadpoolTimer
CloseThreadpoolTimer
SetThreadpoolTimer

shell32

SHGetSpecialFolderLocation
SHGetMalloc
SHChangeNotify

Exports

Exports

DllCanUnloadNow
DllCsiGetHandler
InstallLocalFaxPrinter
UninstallLocalFaxPrinter

Sections

.text
Size: 84KB - Virtual size: 80KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 44KB - Virtual size: 43KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 192B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
amd64_microsoft-windows-s..llers-onecore-extra_31bf3856ad364e35_10.0.22621.1_none_85708ee1b6f71afc/SetIEInstalledDateAI.dll
.dll windows x64

6c07cd933131f2e1a1cd5b6e96d2bf1b

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02-09-2021 18:23

Not After

01-09-2022 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

bf:9b:5d:d1:c7:a6:72:44:6b:cf:73:83:35:e0:d6:1c:9f:46:82:92:c9:0b:30:5f:13:6d:e8:4d:fb:c6:1f:a8
Signer

Actual PE Digest

bf:9b:5d:d1:c7:a6:72:44:6b:cf:73:83:35:e0:d6:1c:9f:46:82:92:c9:0b:30:5f:13:6d:e8:4d:fb:c6:1f:a8

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

23-09-2022 10:35
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

memcmp
__C_specific_handler
_initterm
_amsg_exit
_XcptFilter
_callnewh
malloc
free
_purecall
memset

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime

api-ms-win-core-libraryloader-l1-1-0

DisableThreadLibraryCalls

api-ms-win-core-synch-l1-1-0

DeleteCriticalSection
InitializeCriticalSection

api-ms-win-core-heap-l1-1-0

HeapDestroy

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcess
TerminateProcess
GetCurrentThreadId
GetCurrentProcessId

api-ms-win-core-rtlsupport-l1-1-0

RtlLookupFunctionEntry
RtlCaptureContext
RtlVirtualUnwind

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
SetUnhandledExceptionFilter

wcp

?RtlTraceVa@Rtl@WCP@Windows@@YAXKKPEAU_RTL_TRACING_FACILITY@123@QEBD_KPEAD@Z
?RtlGetFacilityTracingFlags@Rtl@WCP@Windows@@YAKPEAU_RTL_TRACING_FACILITY@123@@Z
?RtlTraceFormat_PCLARGE_INTEGER_AsReadableTime@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z
ConvertNtStatusToHResult
RtlReportErrorOrigination

Exports

Exports

DllCanUnloadNow
DllCsiGetHandler

Sections

.text
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 432B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 88B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
amd64_microsoft-windows-s..llers-onecore-extra_31bf3856ad364e35_10.0.22621.1_none_85708ee1b6f71afc/bcdeditai.dll
.dll windows x64

400cdd879dd9e049b237a2b0897de178

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02-09-2021 18:23

Not After

01-09-2022 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

58:b2:ae:32:52:61:90:a0:6a:54:0c:76:a4:f3:b4:d0:ce:94:cc:64:ac:1a:ad:53:5b:c4:fd:0b:58:48:50:08
Signer

Actual PE Digest

58:b2:ae:32:52:61:90:a0:6a:54:0c:76:a4:f3:b4:d0:ce:94:cc:64:ac:1a:ad:53:5b:c4:fd:0b:58:48:50:08

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

23-09-2022 10:35
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

_initterm
_amsg_exit
_XcptFilter
_callnewh
free
__C_specific_handler
memcmp
malloc
memset

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
UnhandledExceptionFilter

api-ms-win-core-libraryloader-l1-1-0

DisableThreadLibraryCalls

api-ms-win-core-synch-l1-1-0

DeleteCriticalSection
InitializeCriticalSection

api-ms-win-core-heap-l1-1-0

HeapDestroy

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-rtlsupport-l1-1-0

RtlLookupFunctionEntry
RtlVirtualUnwind
RtlCaptureContext

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcessId
TerminateProcess
GetCurrentThreadId
GetCurrentProcess

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime

wcp

RtlReportErrorOrigination

Exports

Exports

DllCanUnloadNow
DllCsiGetHandler

Sections

.text
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 420B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 152KB - Virtual size: 151KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 56B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
amd64_microsoft-windows-s..llers-onecore-extra_31bf3856ad364e35_10.0.22621.1_none_85708ee1b6f71afc/msdtcadvancedinstaller.dll
.dll windows x64

f1d8ac32bdb117e92769c0c01453f3a7

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02-09-2021 18:23

Not After

01-09-2022 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

b2:2e:f3:74:ac:25:10:96:06:3d:4d:5c:85:fb:72:a5:36:9b:e9:3e:f5:f1:de:27:e7:83:2a:10:a0:83:d9:17
Signer

Actual PE Digest

b2:2e:f3:74:ac:25:10:96:06:3d:4d:5c:85:fb:72:a5:36:9b:e9:3e:f5:f1:de:27:e7:83:2a:10:a0:83:d9:17

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

23-09-2022 10:35
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

_initterm
_amsg_exit
_XcptFilter
_callnewh
malloc
free
__C_specific_handler
_vsnprintf_s
_lock
__dllonexit
_onexit
memmove
_wcsnicmp
memcpy
memcmp
_unlock
memset

api-ms-win-service-management-l1-1-0

CloseServiceHandle
StartServiceW
OpenSCManagerW
OpenServiceW

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetLastError

api-ms-win-service-winsvc-l1-1-0

QueryServiceStatus
ControlService

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-service-core-l1-1-1

EnumDependentServicesW

api-ms-win-security-sddl-l1-1-0

ConvertStringSecurityDescriptorToSecurityDescriptorW

api-ms-win-core-heap-obsolete-l1-1-0

LocalFree

api-ms-win-security-base-l1-1-0

GetSecurityDescriptorDacl

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetLocalTime
GetTickCount

api-ms-win-core-libraryloader-l1-1-0

DisableThreadLibraryCalls

api-ms-win-core-synch-l1-1-0

DeleteCriticalSection
InitializeCriticalSection

api-ms-win-core-heap-l1-1-0

HeapDestroy

api-ms-win-core-rtlsupport-l1-1-0

RtlLookupFunctionEntry
RtlCaptureContext
RtlVirtualUnwind

api-ms-win-core-processthreads-l1-1-0

GetCurrentThreadId
GetCurrentProcessId
GetCurrentProcess
TerminateProcess

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

ntdll

RtlFreeHeap

wcp

RtlFreeLBlob
RtlFreeLUnicodeString
ConvertNtStatusToHResult
?RtlTraceFormat_PCLUTF8_STRING@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z
RtlReallocateLBlob
RtlAppendUcsCharacterToLUnicodeString
RtlAppendLUnicodeStringToLUnicodeString
RtlAllocateLUnicodeString
RtlConcatenateLUnicodeStrings
ConvertHResultToNtStatus
?RtlTraceFormat_PCNTSTATUS@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z
RtlEqualLUnicodeStringPrefix
RtlSplitLUnicodeString
?RtlTraceVa@Rtl@WCP@Windows@@YAXKKPEAU_RTL_TRACING_FACILITY@123@QEBD_KPEAD@Z
RtlDuplicateLUnicodeString
RtlDuplicateCountedStringToLUnicodeString
?RtlTraceFormat_PCLUNICODE_STRING@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z
RtlEqualLUnicodeStrings
RtlDuplicateLUtf8StringToLUnicodeString
RtlInitLUnicodeStringFromNullTerminatedString
?RtlTraceFormat_PCULONG@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z
RtlReportErrorOrigination
RtlConvertWin32FilePathToNtFilePath
RtlUpcaseUCSCharacter
?RtlGetFacilityTracingFlags@Rtl@WCP@Windows@@YAKPEAU_RTL_TRACING_FACILITY@123@@Z
RtlCreateMicrodom

rpcrt4

UuidToStringW
UuidCreate
RpcStringFreeW

bcrypt

BCryptExportKey
BCryptDestroyKey
BCryptGenerateSymmetricKey
BCryptCloseAlgorithmProvider
BCryptGetProperty
BCryptSetProperty
BCryptGenRandom
BCryptOpenAlgorithmProvider

Exports

Exports

DllCanUnloadNow
DllCsiGetHandler

Sections

.text
Size: 36KB - Virtual size: 33KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 24KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 948B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 176B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
amd64_microsoft-windows-s..llers-onecore-extra_31bf3856ad364e35_10.0.22621.1_none_85708ee1b6f71afc/netfxconfig.dll
.dll windows x64

9bea482e16db38db57df5dda1ebcd9a1

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02-09-2021 18:23

Not After

01-09-2022 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0a:c6:0d:47:51:15:6a:74:2f:07:13:3f:26:42:dd:07:fd:0c:9c:88:39:2c:04:42:bc:60:7a:2e:6f:b6:c9:b6
Signer

Actual PE Digest

0a:c6:0d:47:51:15:6a:74:2f:07:13:3f:26:42:dd:07:fd:0c:9c:88:39:2c:04:42:bc:60:7a:2e:6f:b6:c9:b6

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

23-09-2022 10:35
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

memset
_initterm
_amsg_exit
memcmp
_XcptFilter
_callnewh
malloc
free
__C_specific_handler
wcscmp

api-ms-win-core-libraryloader-l1-1-0

DisableThreadLibraryCalls
GetProcAddress

api-ms-win-core-synch-l1-1-0

DeleteCriticalSection
InitializeCriticalSection

api-ms-win-core-heap-l1-1-0

HeapDestroy

api-ms-win-core-kernel32-legacy-l1-1-0

LoadLibraryW

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-0

TerminateProcess
GetCurrentProcess
GetCurrentThreadId
GetCurrentProcessId

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime

api-ms-win-core-rtlsupport-l1-1-0

RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
UnhandledExceptionFilter

wcp

ConvertNtStatusToHResult
RtlReportErrorOrigination
RtlInitLUnicodeStringFromNullTerminatedString
ConvertHResultToNtStatus
RtlFreeLBlob

Exports

Exports

DllCanUnloadNow
DllCsiGetHandler

Sections

.text
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 516B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 64B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
amd64_microsoft-windows-s..llers-onecore-extra_31bf3856ad364e35_10.0.22621.1_none_85708ee1b6f71afc/peerdistai.dll
.dll windows x64

3711dd75cf921348cfcbddf13be7aa9c

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02-09-2021 18:23

Not After

01-09-2022 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

7e:5c:73:91:60:ef:ff:9c:a6:ad:ac:93:39:c8:09:c5:b0:1d:5f:cd:23:33:3e:5d:ff:1e:06:25:9d:ab:96:09
Signer

Actual PE Digest

7e:5c:73:91:60:ef:ff:9c:a6:ad:ac:93:39:c8:09:c5:b0:1d:5f:cd:23:33:3e:5d:ff:1e:06:25:9d:ab:96:09

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

23-09-2022 10:35
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

memcpy
_vsnwprintf
memcmp
_initterm
_amsg_exit
_XcptFilter
_callnewh
malloc
free
__C_specific_handler
_purecall
_wcsnicmp
wcsnlen
memset

api-ms-win-core-libraryloader-l1-1-0

DisableThreadLibraryCalls

api-ms-win-core-synch-l1-1-0

InitializeCriticalSection
DeleteCriticalSection

api-ms-win-core-heap-l1-1-0

HeapDestroy

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-0

GetCurrentThreadId
GetCurrentProcessId
TerminateProcess
GetCurrentProcess

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime

api-ms-win-core-rtlsupport-l1-1-0

RtlLookupFunctionEntry
RtlCaptureContext
RtlVirtualUnwind

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
UnhandledExceptionFilter

wcp

RtlFreeLUnicodeString
ConvertNtStatusToHResult
?RtlTraceFormat_PCWSTR@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z
?RtlTraceFormat_PCHRESULT@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z
?RtlTraceVa@Rtl@WCP@Windows@@YAXKKPEAU_RTL_TRACING_FACILITY@123@QEBD_KPEAD@Z
RtlFreeLBlob
RtlInitLUnicodeStringFromNullTerminatedString
RtlUpcaseUCSCharacter
RtlEqualLUnicodeStrings
RtlDuplicateLUnicodeString
?RtlGetFacilityTracingFlags@Rtl@WCP@Windows@@YAKPEAU_RTL_TRACING_FACILITY@123@@Z
RtlConvertWin32FilePathToNtFilePath
RtlReportErrorOrigination

Exports

Exports

DllCanUnloadNow
DllCsiGetHandler

Sections

.text
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 720B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 92B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
amd64_microsoft-windows-s..llers-onecore-extra_31bf3856ad364e35_10.0.22621.1_none_85708ee1b6f71afc/servicemodelregai.dll
.dll windows x64

8922814e8127b65fa0bde25bc47e7ba2

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02-09-2021 18:23

Not After

01-09-2022 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

bc:ff:f5:19:c1:a1:6d:8e:da:60:a8:7c:42:13:cc:82:de:cd:5f:65:92:3d:3b:88:43:e4:1c:fd:6c:e9:93:6f
Signer

Actual PE Digest

bc:ff:f5:19:c1:a1:6d:8e:da:60:a8:7c:42:13:cc:82:de:cd:5f:65:92:3d:3b:88:43:e4:1c:fd:6c:e9:93:6f

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

23-09-2022 10:35
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

_wcsicmp
memmove
memcpy
memcmp
_initterm
_amsg_exit
_XcptFilter
_callnewh
malloc
realloc
wcschr
wcsrchr
_wcsnicmp
wcsnlen
_purecall
__C_specific_handler
free
memset

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
GetLastError
SetUnhandledExceptionFilter

api-ms-win-core-libraryloader-l1-1-0

DisableThreadLibraryCalls

api-ms-win-core-synch-l1-1-0

InitializeCriticalSection
DeleteCriticalSection

api-ms-win-core-heap-l1-1-0

HeapDestroy

api-ms-win-core-string-l1-1-0

MultiByteToWideChar

api-ms-win-core-com-l1-1-0

CoCreateInstance

api-ms-win-service-management-l1-1-0

OpenSCManagerW
CloseServiceHandle
StartServiceW
OpenServiceW

api-ms-win-service-winsvc-l1-1-0

ControlService
QueryServiceStatus

api-ms-win-service-management-l2-1-0

ChangeServiceConfigW
QueryServiceConfigW
ChangeServiceConfig2W

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-service-core-l1-1-1

EnumDependentServicesW

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcess
TerminateProcess
GetCurrentThreadId
GetCurrentProcessId

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetTickCount

api-ms-win-core-rtlsupport-l1-1-0

RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind

oleaut32

VariantClear
SysAllocStringLen
SysAllocString
SysFreeString
SysStringLen

ntdll

RtlRaiseStatus

wcp

RtlAppendUcsCharacterToLUnicodeString
RtlReallocateLUnicodeString
RtlCompareLUnicodeStrings
RtlDowncaseUCSCharacter
RtlHashLUnicodeString
?RtlTraceFormat_PCLUNICODE_STRING_AsLiteralString@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z
?RtlTraceFormat_PCbool@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z
RtlFreeLBlob
?RtlTraceFormat_PCULONG@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z
?RtlTraceFormat_PCWSTR_AsLiteralString@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z
RtlFreeLUnicodeString
ConvertNtStatusToHResult
RtlReportErrorOrigination
RtlConcatenateLUnicodeStrings
?RtlGetFacilityTracingFlags@Rtl@WCP@Windows@@YAKPEAU_RTL_TRACING_FACILITY@123@@Z
?RtlTraceFormat_PCHRESULT@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z
?RtlTraceFormat_PCBOOLEAN@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z
RtlInitLUnicodeStringFromNullTerminatedString
ConvertHResultToNtStatus
?RtlTraceFormat_PCLONG@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z
?RtlTraceVa@Rtl@WCP@Windows@@YAXKKPEAU_RTL_TRACING_FACILITY@123@QEBD_KPEAD@Z
?RtlTraceFormat_PCWSTR@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z

Exports

Exports

DllCanUnloadNow
DllCsiGetHandler

Sections

.text
Size: 56KB - Virtual size: 53KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 32KB - Virtual size: 29KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 284B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
amd64_microsoft-windows-s..llers-onecore-extra_31bf3856ad364e35_10.0.22621.1_none_85708ee1b6f71afc/sppinst.dll
.dll windows x64

b667e5968d570c8ce96538bcccee09d6

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02-09-2021 18:23

Not After

01-09-2022 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

1f:48:4c:d3:c5:ed:0f:0d:4f:4c:e1:29:7d:74:a4:f1:52:b0:a7:2c:ca:82:b8:7d:9d:61:92:be:dc:af:aa:81
Signer

Actual PE Digest

1f:48:4c:d3:c5:ed:0f:0d:4f:4c:e1:29:7d:74:a4:f1:52:b0:a7:2c:ca:82:b8:7d:9d:61:92:be:dc:af:aa:81

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

23-09-2022 10:35
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

_initterm
__C_specific_handler
_lock
_unlock
malloc
_amsg_exit
__dllonexit
_XcptFilter
_onexit
_vsnwprintf
free
memmove
memcpy
memcmp
memset

ntdll

RtlCaptureContext
RtlRaiseStatus
RtlLookupFunctionEntry
RtlVirtualUnwind

api-ms-win-core-heap-l1-1-0

HeapAlloc
GetProcessHeap
HeapFree

api-ms-win-core-libraryloader-l1-1-0

GetModuleHandleExW
DisableThreadLibraryCalls
GetProcAddress
LoadLibraryExW
FreeLibrary

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetLastError
GetLastError

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-registry-l1-1-0

RegQueryValueExW
RegCloseKey
RegOpenKeyExW

api-ms-win-core-util-l1-1-0

DecodePointer

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
MultiByteToWideChar

api-ms-win-core-heap-obsolete-l1-1-0

LocalAlloc
LocalFree

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetVersionExA
GetSystemTimeAsFileTime

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-0

GetCurrentThreadId
GetCurrentProcess
GetCurrentProcessId
TerminateProcess

wcp

RtlReportErrorOrigination
?RtlIsTracingEnabled@Rtl@WCP@Windows@@YA_NPEAU_RTL_TRACING_FACILITY@123@K@Z
?RtlTraceVa@Rtl@WCP@Windows@@YAXKKPEAU_RTL_TRACING_FACILITY@123@QEBD_KPEAD@Z
?RtlTraceFormat_PCWSTR_AsLiteralString@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z

Exports

Exports

DllCanUnloadNow
DllCsiGetHandler
DllGetClassObject

Sections

.text
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 804B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 84B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
amd64_microsoft-windows-s..ng-events-container_31bf3856ad364e35_10.0.22621.1_none_a30fdd85cafe9a21/microsoft-windows-storage-tiering-events.dll
.dll windows x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

.rdata
Size: 4KB - Virtual size: 256B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
amd64_microsoft-windows-s..ngstack-onecorebase_31bf3856ad364e35_10.0.22621.1_none_521ac17dd5a24d14/grouptrusteeai.dll
.dll windows x64

8c85e179e969bf1faf37d6b572d5141c

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02-09-2021 18:23

Not After

01-09-2022 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

8e:fd:62:ff:41:14:df:12:6d:5d:a2:3f:f6:1c:52:c7:ef:9b:19:c5:68:5e:55:a7:cf:9c:63:36:60:ce:45:c0
Signer

Actual PE Digest

8e:fd:62:ff:41:14:df:12:6d:5d:a2:3f:f6:1c:52:c7:ef:9b:19:c5:68:5e:55:a7:cf:9c:63:36:60:ce:45:c0

Digest Algorithm

sha256

PE Digest Matches

true

Signature Validations

Trusted

false

Verification

Signing Certificate

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

23-09-2022 10:35
Valid: false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

_itow_s
memcpy
_initterm
_amsg_exit
_XcptFilter
_callnewh
malloc
free
__C_specific_handler
_purecall
memcmp
memset

api-ms-win-core-heap-obsolete-l1-1-0

LocalFree

api-ms-win-security-lsapolicy-l1-1-0

LsaQueryInformationPolicy
LsaOpenPolicy
LsaClose
LsaFreeMemory
LsaRemoveAccountRights
LsaAddAccountRights

api-ms-win-security-sddl-l1-1-0

ConvertSidToStringSidW

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
UnhandledExceptionFilter
RaiseException
GetLastError

api-ms-win-security-base-l1-1-0

CreateWellKnownSid

api-ms-win-core-libraryloader-l1-1-0

GetProcAddress
DisableThreadLibraryCalls
LoadLibraryExA
FreeLibrary

api-ms-win-core-synch-l1-1-0

ReleaseSRWLockExclusive
AcquireSRWLockExclusive
InitializeCriticalSection
DeleteCriticalSection

api-ms-win-core-heap-l1-1-0

HeapDestroy
GetProcessHeap
HeapAlloc

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcess
TerminateProcess
GetCurrentProcessId
GetCurrentThreadId

api-ms-win-core-sysinfo-l1-1-0

GetSystemInfo
GetSystemTimeAsFileTime
GetTickCount

api-ms-win-core-rtlsupport-l1-1-0

RtlLookupFunctionEntry
RtlVirtualUnwind
RtlCaptureContext

ntdll

RtlSubAuthorityCountSid
RtlEqualUnicodeString
RtlCompareUnicodeString
RtlInitUnicodeString
RtlCopySid
RtlRaiseStatus
RtlCreateServiceSid
RtlSubAuthoritySid

wcp

GetGroupTrusteeDataCountFromManifest
DeleteTrusteeData
RtlReportErrorOrigination
?RtlGetFacilityTracingFlags@Rtl@WCP@Windows@@YAKPEAU_RTL_TRACING_FACILITY@123@@Z
RtlReallocateLUnicodeString
RtlCompareLUnicodeStrings
RtlDowncaseUCSCharacter
RtlHashLUnicodeString
?RtlTraceFormat_PCLUNICODE_STRING_AsLiteralString@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z
RtlFreeLUnicodeString
ConvertNtStatusToHResult
ConvertHResultToNtStatus
GetGroupTrusteeDataFromManifest
DeleteTrusteeCapabilities
MapToPrivilegeName
MapToWellKnownSidType
?RtlTraceFormat_PCULONG_AsDecimalOnly@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z
AddTrusteeCapabilities
RtlInitLUnicodeStringFromNullTerminatedString
?RtlTraceVa@Rtl@WCP@Windows@@YAXKKPEAU_RTL_TRACING_FACILITY@123@QEBD_KPEAD@Z
RtlInitLUnicodeStringFromUnicodeString
?RtlTraceFormat_PCUNICODE_STRING@Rtl@WCP@Windows@@YAXPEAUIRtlFormattedOutputStream@13@PEBX@Z

api-ms-win-core-memory-l1-1-0

VirtualQuery
VirtualProtect

Exports

Exports

DllCanUnloadNow
DllCsiGetHandler

Sections

.text
Size: 24KB - Virtual size: 21KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 708B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 144B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 152B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Headers

DLL Characteristics

File Characteristics

Sections

.rdata Size: 512B - Virtual size: 224B

.rsrc Size: 11KB - Virtual size: 12KB

f1eb699179f75ef115609a7295722f37

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3cCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

66:d6:01:4e:18:1c:0c:40:b3:86:a7:e2:e9:df:e5:a3:0b:18:c1:80:34:fe:54:82:00:61:85:2c:16:b1:53:52Signer

Signature Validations

Verification

23-09-2022 10:35 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

msvcrt

api-ms-win-core-libraryloader-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

ntdll

wcp

Exports

Exports

Sections

.text Size: 56KB - Virtual size: 53KB

.rdata Size: 16KB - Virtual size: 12KB

.data Size: 4KB - Virtual size: 1KB

.pdata Size: 4KB - Virtual size: 1KB

.rsrc Size: 4KB - Virtual size: 1KB

.reloc Size: 4KB - Virtual size: 168B

3abd6362fd1c22f094e090fca82765d2

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3cCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

6a:14:6d:36:9c:02:56:e2:63:43:59:aa:b0:0c:e1:a0:50:5e:1a:13:70:39:05:25:5e:a8:be:c1:89:2b:48:60Signer

Signature Validations

Verification

23-09-2022 10:35 Valid: false

Headers

DLL Characteristics

File Characteristics

Imports

ntoskrnl.exe

wdfldr.sys

wpprecorder.sys

Sections

.text Size: 104KB - Virtual size: 103KB

.rdata Size: 12KB - Virtual size: 11KB

.data Size: 16KB - Virtual size: 18KB

.pdata Size: 8KB - Virtual size: 4KB

.idata Size: 4KB - Virtual size: 2KB

PAGE Size: 4KB - Virtual size: 1KB

fothk Size: 4KB - Virtual size: 4KB

INIT Size: 4KB - Virtual size: 54B

GFIDS Size: 4KB - Virtual size: 628B

.rsrc Size: 20KB - Virtual size: 18KB

.reloc Size: 4KB - Virtual size: 3KB

253223832214817555afb773fe3bfa51

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3cCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

.rdata
Size: 512B - Virtual size: 224B

.rsrc
Size: 11KB - Virtual size: 12KB

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

66:d6:01:4e:18:1c:0c:40:b3:86:a7:e2:e9:df:e5:a3:0b:18:c1:80:34:fe:54:82:00:61:85:2c:16:b1:53:52
Signer

23-09-2022 10:35
Valid: false

.text
Size: 56KB - Virtual size: 53KB

.rdata
Size: 16KB - Virtual size: 12KB

.data
Size: 4KB - Virtual size: 1KB

.pdata
Size: 4KB - Virtual size: 1KB

.rsrc
Size: 4KB - Virtual size: 1KB

.reloc
Size: 4KB - Virtual size: 168B

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

6a:14:6d:36:9c:02:56:e2:63:43:59:aa:b0:0c:e1:a0:50:5e:1a:13:70:39:05:25:5e:a8:be:c1:89:2b:48:60
Signer

23-09-2022 10:35
Valid: false

.text
Size: 104KB - Virtual size: 103KB

.rdata
Size: 12KB - Virtual size: 11KB

.data
Size: 16KB - Virtual size: 18KB

.pdata
Size: 8KB - Virtual size: 4KB

.idata
Size: 4KB - Virtual size: 2KB

PAGE
Size: 4KB - Virtual size: 1KB

fothk
Size: 4KB - Virtual size: 4KB

INIT
Size: 4KB - Virtual size: 54B

GFIDS
Size: 4KB - Virtual size: 628B

.rsrc
Size: 20KB - Virtual size: 18KB

.reloc
Size: 4KB - Virtual size: 3KB

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

12:42:2a:71:02:a6:5a:1c:23:7d:14:24:4b:c8:3e:f4:f9:28:14:d5:af:3c:f4:e9:01:27:54:b6:d6:08:19:e3
Signer

23-09-2022 10:35
Valid: false

.text
Size: 28KB - Virtual size: 24KB

.rdata
Size: 20KB - Virtual size: 18KB

.data
Size: 4KB - Virtual size: 2KB

.pdata
Size: 4KB - Virtual size: 612B

.rsrc
Size: 4KB - Virtual size: 1KB

.reloc
Size: 4KB - Virtual size: 132B

33:00:00:03:3b:65:5f:ae:fa:db:75:e9:d6:00:00:00:00:03:3b
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

a0:6d:f9:e5:09:74:98:5c:8c:0c:b4:64:bc:4a:a6:b0:88:33:5f:46:16:de:90:e8:c9:8c:63:c8:48:60:eb:7b
Signer

23-09-2022 10:35
Valid: false

.text
Size: 20KB - Virtual size: 17KB

.rdata
Size: 16KB - Virtual size: 14KB

.data
Size: 4KB - Virtual size: 1KB

.pdata
Size: 4KB - Virtual size: 516B

.rsrc
Size: 4KB - Virtual size: 1KB

.reloc
Size: 4KB - Virtual size: 136B

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate