procheat[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

procheat.zip
Size

1.2MB
MD5

687919cc08820569eac3216b30f56d76
SHA1

1d8a4cb2ab84e870e0ed2eae9cbc90376d3f9790
SHA256

7c6b64c216ea135073aef5c27f770030a091c99244fdb540597d163d49d510aa
SHA512

f1179f973ba559404673f6133c2c111e9bb20ae84236c74358b80e3e3547e8c1f2c84acb6b10dead5e7817220c739a05d334a7c1b8bfba621f4700055178e826
SSDEEP

24576:2dYEol4fxuwAfiCpp6fXMFmGl3peYeDYzq7tz8DWB0jClXvqyyzaxHA6GAPiFRj:tcobi+8fMX90wq7tzEm0jClXCbaxgZ9

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/msxml3.dll

Files

procheat.zip
.zip
kernel32.dll
.dll windows x64

f9f97e60cfcd78be051d9570c88ffb6f

Code Sign

33:00:00:02:29:e8:93:3c:c4:14:fa:f5:7c:00:00:00:00:02:29
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

27/03/2019, 19:21

Not After

27/03/2020, 19:21

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

3d:00:7b:b1:dd:13:1e:fa:32:c0:b2:e0:71:1b:4a:97:6a:e6:46:69:bf:a9:38:f8:c5:1d:bf:73:84:e0:57:6d
Signer

Actual PE Digest

3d:00:7b:b1:dd:13:1e:fa:32:c0:b2:e0:71:1b:4a:97:6a:e6:46:69:bf:a9:38:f8:c5:1d:bf:73:84:e0:57:6d

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

api-ms-win-core-rtlsupport-l1-1-0

RtlInstallFunctionTableCallback
RtlLookupFunctionEntry
RtlDeleteFunctionTable
RtlUnwindEx
RtlVirtualUnwind
RtlRaiseException
RtlRestoreContext
RtlCompareMemory
RtlAddFunctionTable
RtlPcToFileHeader
RtlUnwind
RtlCaptureStackBackTrace
RtlCaptureContext

ntdll

RtlSizeHeap
RtlLCIDToCultureName
RtlUnicodeStringToInteger
_wcslwr
RtlGetUILanguageInfo
EtwEventEnabled
RtlpConvertLCIDsToCultureNames
NtEnumerateKey
RtlIntegerToUnicodeString
RtlTimeToTimeFields
RtlTimeFieldsToTime
RtlUnhandledExceptionFilter
NtTerminateProcess
wcsncmp
wcsncpy
LdrFindResourceEx_U
RtlReadThreadProfilingData
RtlQueryThreadProfiling
RtlDisableThreadProfiling
RtlNtStatusToDosErrorNoTeb
RtlEnableThreadProfiling
NtMapUserPhysicalPagesScatter
RtlDecodeSystemPointer
bsearch
RtlComputeImportTableHash
RtlFindActivationContextSectionGuid
RtlQueryActivationContextApplicationSettings
RtlSubAuthorityCountSid
LdrResFindResourceDirectory
RtlQueryInformationActivationContext
RtlSetThreadPreferredUILanguages
RtlMultiAppendUnicodeStringBuffer
swprintf_s
RtlImageNtHeaderEx
NtMapViewOfSection
NtCreateSection
RtlDosPathNameToNtPathName_U_WithStatus
RtlGetActiveActivationContext
RtlDeactivateActivationContext
TpAllocPool
TpSetPoolMinThreads
TpSetPoolStackInformation
TpAllocWait
NtDeleteValueKey
NtSetValueKey
towlower
NtQueryInstallUILanguage
EtwEventUnregister
EtwEventWrite
EtwEventRegister
RtlExpandEnvironmentStrings_U
RtlPublishWnfStateData
RtlpConvertCultureNamesToLCIDs
NtQueryLicenseValue
_wtol
memmove_s
RtlGUIDFromString
sin
RtlActivateActivationContext
RtlZombifyActivationContext
RtlReleaseActivationContext
RtlAddRefActivationContext
RtlCreateActivationContext
RtlGetLengthWithoutLastFullDosOrNtPathElement
RtlpApplyLengthFunction
RtlGetFullPathName_U
RtlDoesFileExists_U
RtlDetermineDosPathNameType_U
RtlpEnsureBufferSize
DbgPrintEx
NtUnmapViewOfSection
RtlQueryPackageClaims
tolower
atol
toupper
isdigit
NtQueryInformationThread
RtlEnterUmsSchedulingMode
RtlCreateUmsThreadContext
RtlDeleteUmsThreadContext
RtlSetUmsThreadInformation
RtlQueryUmsThreadInformation
RtlGetNextUmsListItem
RtlGetCurrentUmsThread
RtlDeleteUmsCompletionList
RtlUmsThreadYield
TpAllocTimer
RtlGetUmsCompletionListEvent
RtlDequeueUmsCompletionListItems
RtlSetLastWin32ErrorAndNtStatusFromNtStatus
RtlCreateUmsCompletionList
RtlDestroyEnvironment
RtlCreateEnvironmentEx
RtlCreateEnvironment
NtQueryEvent
RtlCreateUnicodeString
NtRaiseHardError
RtlFreeAnsiString
RtlFreeOemString
RtlGetCurrentDirectory_U
wcsrchr
_wcsnicmp
RtlUnicodeStringToOemString
NtQueryVolumeInformationFile
CsrFreeCaptureBuffer
CsrAllocateMessagePointer
CsrAllocateCaptureBuffer
RtlEqualUnicodeString
RtlUnicodeStringToAnsiString
RtlWow64SuspendThread
RtlWow64SetThreadContext
RtlWow64GetThreadContext
RtlExitUserThread
RtlAddIntegrityLabelToBoundaryDescriptor
RtlQueryProtectedPolicy
NtReplacePartitionUnit
RtlCompareUnicodeString
RtlExitUserProcess
RtlInitUnicodeStringEx
RtlQueryPackageIdentity
EtwEventWriteNoRegistration
RtlWow64LogMessageInEventLogger
LdrUnloadDll
LdrGetProcedureAddress
LdrLoadDll
RtlAppendUnicodeToString
RtlAppendUnicodeStringToString
RtlFormatCurrentUserKeyPath
NtQueryValueKey
RtlEqualSid
RtlSubAuthoritySid
RtlInitializeSid
NtQueryInformationToken
NtOpenProcessToken
NtSetInformationThread
NtOpenThreadToken
RtlReleaseSRWLockExclusive
RtlQueryRegistryValuesEx
NtOpenKey
RtlAcquireSRWLockExclusive
RtlAnsiStringToUnicodeString
RtlxAnsiStringToUnicodeSize
RtlInitAnsiStringEx
NtIsSystemResumeAutomatic
NtInitiatePowerAction
RtlIsNameLegalDOS8Dot3
RtlGetCurrentProcessorNumberEx
NtWaitForSingleObject
NtCreateEvent
RtlSetSearchPathMode
LdrGetDllDirectory
RtlUnlockHeap
RtlGetUserInfoHeap
RtlLockHeap
RtlDeregisterSecureMemoryCacheCallback
RtlRegisterSecureMemoryCacheCallback
RtlCompactHeap
NtFsControlFile
NtOpenFile
NtClose
LdrAddRefDll
NtQueryInformationFile
NtSetInformationFile
wcscpy_s
RtlGetActiveConsoleId
RtlDeactivateActivationContextUnsafeFast
RtlActivateActivationContextUnsafeFast
RtlNtStatusToDosError
RtlFreeUnicodeString
RtlWow64GetThreadSelectorEntry
NtSetInformationDebugObject
DbgUiGetThreadDebugObject
DbgUiIssueRemoteBreakin
NtSetSystemInformation
NtQueryInformationProcess
RtlSetCurrentTransaction
RtlGetCurrentTransaction
RtlSetLastWin32Error
CsrClientCallServer
LdrDisableThreadCalloutsForDll
RtlGetSuiteMask
LdrQueryImageFileExecutionOptions
RtlInitUnicodeString
_vsnwprintf
RtlSetProtectedPolicy
LdrSetDllManifestProber
TpAllocIoCompletion
TpQueryPoolStackInformation
TpSimpleTryPost
TpAllocCleanupGroup
TpCallbackMayRunLong
RtlExecuteUmsThread
TpAllocWork
CsrVerifyRegion
RtlCharToInteger
RtlInitAnsiString
RtlUpcaseUnicodeChar
RtlUnicodeToMultiByteSize
RtlCreateAtomTable
RtlDestroyAtomTable
RtlAddAtomToAtomTable
NtAddAtomEx
RtlLookupAtomInAtomTable
NtFindAtom
RtlDeleteAtomFromAtomTable
NtDeleteAtom
RtlQueryAtomInAtomTable
NtQueryInformationAtom
NtCreateKey
NtFlushKey
_memicmp
wcscspn
wcsncpy_s
RtlEnterCriticalSection
RtlLeaveCriticalSection
RtlxUnicodeStringToAnsiSize
RtlDnsHostNameToComputerName
RtlCreateUnicodeStringFromAsciiz
RtlPrefixString
wcsstr
wcschr
NtCreateFile
NtQueryInformationJobObject
NtCreateJobObject
NtOpenJobObject
NtAssignProcessToJobObject
NtTerminateJobObject
RtlAcquirePrivilege
NtSetInformationJobObject
RtlReleasePrivilege
NtCreateJobSet
NtQueryEaFile
NtQuerySecurityObject
RtlLengthSecurityDescriptor
NtSetEaFile
NtSetSecurityObject
NtSetInformationProcess
RtlQueryElevationFlags
NtQuerySection
LdrOpenImageFileOptionsKey
LdrQueryImageFileKeyOption
RtlRaiseStatus
strncpy_s
CsrCaptureMessageString
RtlGetLongestNtPathLength
RtlUnicodeToMultiByteN
RtlMultiByteToUnicodeN
RtlMultiByteToUnicodeSize
RtlPrefixUnicodeString
NtEnumerateValueKey
RtlCopyUnicodeString
RtlDosPathNameToNtPathName_U
NtLockFile
NtUnlockFile
NtAllocateVirtualMemory
NtReadFile
RtlIsTextUnicode
NtWriteFile
NtFreeVirtualMemory
RtlEqualString
RtlDosPathNameToRelativeNtPathName_U
RtlReleaseRelativeName
RtlRegisterWait
RtlDeregisterWait
RtlSetIoCompletionCallback
NtQueryVirtualMemory
RtlImageDirectoryEntryToData
NtProtectVirtualMemory
RtlCreateBoundaryDescriptor
RtlGetThreadErrorMode
NtCreateMailslotFile
RtlDestroyQueryDebugBuffer
RtlCreateQueryDebugBuffer
RtlQueryProcessDebugInformation
NtQueryDirectoryFile
strcpy_s
RtlFindActivationContextSectionString
LdrSetDllDirectory
RtlSwitchedVVI
LdrFindResource_U
NtGetDevicePowerState
NtPowerInformation
NtQueryWnfStateData
NtSetThreadExecutionState
RtlInitString
NtQuerySystemEnvironmentValueEx
NtSetSystemEnvironmentValueEx
NtSetVolumeInformationFile
NtDeviceIoControlFile
RtlIsValidHandle
RtlSetUserValueHeap
RtlReAllocateHeap
RtlAllocateHandle
RtlFreeHandle
RtlQueryWnfStateData
RtlSubscribeWnfStateChangeNotification
RtlUnsubscribeWnfStateChangeNotification
strchr
RtlOemStringToUnicodeString
RtlSetEnvironmentStrings
RtlAllocateAndInitializeSid
RtlFreeSid
NtQueryFullAttributesFile
NtQueryAttributesFile
strrchr
RtlQueryEnvironmentVariable_U
wcscat_s
TpCaptureCaller
RtlWow64EnableFsRedirection
_stricmp
NtQueryTimerResolution
NtSetTimerResolution
RtlConvertSidToUnicodeString
RtlGetAppContainerSidType
RtlQueryEnvironmentVariable
RtlGetAppContainerParent
RtlSetEnvironmentVariable
CsrCaptureMessageMultiUnicodeStringsInPlace
wcsnlen
strcat_s
strnlen
NlsMbCodePageTag
RtlRunOnceExecuteOnce
RtlInitializeCriticalSection
RtlGetThreadPreferredUILanguages
NtReadVirtualMemory
LdrResSearchResource
_strnicmp
strncmp
RtlTryAcquirePebLock
RtlReleasePebLock
RtlEncodeSystemPointer
RtlGetNtSystemRoot
NtWaitForMultipleObjects
NtClearEvent
RtlWerpReportException
DbgPrint
RtlGetDeviceFamilyInfoEnum
RtlHashUnicodeString
NtApphelpCacheControl
RtlGetFullPathName_UEx
ZwClose
ZwOpenFile
ZwOpenKey
ZwEnumerateKey
ZwQueryValueKey
ZwCreateFile
ZwQueryInformationFile
ZwCreateSection
ZwQueryDirectoryFile
RtlNtPathNameToDosPathName
RtlGetNativeSystemInformation
ZwQuerySystemInformation
ZwUnmapViewOfSection
ZwMapViewOfSection
VerSetConditionMask
RtlVerifyVersionInfo
RtlGetVersion
RtlGetCurrentServiceSessionId
RtlSetThreadPoolStartFunc
RtlImageNtHeader
NtQuerySystemInformation
RtlFreeHeap
RtlSetDaclSecurityDescriptor
RtlSetGroupSecurityDescriptor
RtlSetOwnerSecurityDescriptor
RtlCreateSecurityDescriptor
RtlAddAccessAllowedAce
RtlCreateAcl
RtlAllocateHeap
_wcsicmp
__C_specific_handler
memmove
_local_unwind
cos
floor
memcmp
memcpy
memset
wcscmp

kernelbase

PrivCopyFileExW
AppXReleaseAppXContext
AreFileApisANSI
CreateProcessInternalA
CreateProcessInternalW
CreateProcessAsUserW
CreateProcessAsUserA
EnumLanguageGroupLocalesW
BaseFormatObjectAttributes
GetVolumeNameForVolumeMountPointW
lstrcmpW
lstrcmpiW
GetRegistryExtensionFlags
KernelBaseGetGlobalData
GlobalFree
LoadStringBaseExW
GetUnicodeStringToEightBitStringRoutine
GetUnicodeStringToEightBitSizeRoutine
CompareStringA
GetNamedPipeAttribute
PackageIdFromFullName
GetPackageFullName
GetCurrentPackageFullName
ClosePackageInfo
AppXGetOSMaxVersionTested
GetPackageTargetPlatformProperty
GetTargetPlatformContext
OpenPackageInfoByFullNameForUser
AppXPreCreationExtension
EnumSystemLanguageGroupsW
AppContainerFreeMemory
AppContainerLookupMoniker
BasepNotifyTrackingService
MoveFileWithProgressTransactedW
BasepAdjustObjectAttributesForPrivateNamespace
GetEightBitStringToUnicodeStringRoutine
GetStringTableEntry
CheckGroupPolicyEnabled
OpenRegKey
InternalLcidToName
NlsIsUserDefaultLocale
GetPtrCalDataArray
GetUserOverrideString
GetPtrCalData
Internal_EnumCalendarInfo
Internal_EnumLanguageGroupLocales
Internal_EnumSystemCodePages
Internal_EnumDateFormats
Internal_EnumUILanguages
Internal_EnumSystemLanguageGroups
NlsValidateLocale
Internal_EnumTimeFormats
GetNamedLocaleHashNode
GetUserOverrideWord
GetLocaleInfoHelper
GetCalendar
BaseDllFreeResourceId
BaseDllMapResourceIdW
CheckAllowDecryptedRemoteDestinationPolicy
EnumSystemLocalesEx
NotifyMountMgr
LCIDToLocaleName
GetUserDefaultLocaleName
GetSystemDefaultLocaleName
GetEraNameCountedString
FatalAppExitW
FatalAppExitA
lstrlenW
lstrlenA
lstrcpynW
lstrcpynA
Sleep
SetFileApisToOEM
SetFileApisToANSI
PulseEvent
MapViewOfFileExNuma
LocalUnlock
LocalReAlloc
LocalLock
LocalAlloc
HeapSummary
GlobalAlloc
GetUserDefaultUILanguage
GetSystemDefaultUILanguage
GetStringTypeA
GetProcAddressForCaller
BaseGetNamedObjectDirectory
EnumUILanguagesW
AppXPostSuccessExtension

api-ms-win-core-processthreads-l1-1-0

GetStartupInfoW
GetThreadId
GetThreadPriority
GetThreadPriorityBoost
OpenThread
ProcessIdToSessionId
QueueUserAPC
ResumeThread
SetPriorityClass
SetProcessShutdownParameters
GetProcessId
GetProcessIdOfThread
GetPriorityClass
GetExitCodeThread
TerminateProcess
SetThreadPriority
SetThreadPriorityBoost
SetThreadStackGuarantee
SuspendThread
SwitchToThread
GetProcessTimes
TerminateThread
TlsAlloc
TlsFree
CreateRemoteThreadEx
DeleteProcThreadAttributeList
UpdateProcThreadAttribute
InitializeProcThreadAttributeList
CreateRemoteThread
CreateProcessW
CreateProcessA
GetExitCodeProcess
GetProcessVersion
QueryProcessAffinityUpdateMode
SetProcessAffinityUpdateMode
TlsSetValue
GetCurrentProcess
GetCurrentProcessId
OpenProcessToken

api-ms-win-core-processthreads-l1-1-3

GetProcessInformation
GetProcessShutdownParameters
SetThreadIdealProcessor
SetProcessInformation

api-ms-win-core-processthreads-l1-1-2

GetSystemTimes
GetThreadInformation
GetProcessPriorityBoost
SetThreadInformation
SetProcessPriorityBoost
GetThreadIOPendingFlag

api-ms-win-core-processthreads-l1-1-1

OpenProcess
SetThreadIdealProcessorEx
GetProcessMitigationPolicy
GetThreadTimes
GetProcessHandleCount
SetProcessMitigationPolicy
GetThreadContext
GetThreadIdealProcessorEx
IsProcessorFeaturePresent
FlushInstructionCache
SetThreadContext

api-ms-win-core-registry-l1-1-0

RegLoadKeyA
RegGetValueA
RegLoadAppKeyW
RegUnLoadKeyW
RegUnLoadKeyA
RegSetValueExW
RegSetValueExA
RegSetKeySecurity
RegSaveKeyExW
RegSaveKeyExA
RegRestoreKeyW
RegRestoreKeyA
RegQueryValueExW
RegQueryValueExA
RegQueryInfoKeyW
RegQueryInfoKeyA
RegOpenUserClassesRoot
RegOpenKeyExA
RegOpenCurrentUser
RegNotifyChangeKeyValue
RegLoadMUIStringW
RegLoadMUIStringA
RegOpenKeyExW
RegGetValueW
RegCloseKey
RegCopyTreeW
RegCreateKeyExA
RegCreateKeyExW
RegGetKeySecurity
RegFlushKey
RegEnumValueW
RegEnumValueA
RegEnumKeyExW
RegEnumKeyExA
RegDeleteKeyExA
RegDisablePredefinedCacheEx
RegDeleteValueW
RegDeleteValueA
RegDeleteKeyExW
RegDeleteTreeA
RegDeleteTreeW
RegLoadKeyW

api-ms-win-core-heap-l1-1-0

HeapUnlock
HeapValidate
HeapWalk
HeapQueryInformation
HeapLock
HeapDestroy
HeapAlloc
HeapCreate
HeapCompact
HeapReAlloc
GetProcessHeaps
HeapFree
GetProcessHeap
HeapSetInformation

api-ms-win-core-heap-l2-1-0

LocalFree

api-ms-win-core-memory-l1-1-1

ResetWriteWatch
GetWriteWatch
VirtualUnlock
GetSystemFileCacheSize
CreateFileMappingNumaW
GetProcessWorkingSetSizeEx
SetSystemFileCacheSize
SetProcessWorkingSetSizeEx
GetLargePageMinimum
QueryMemoryResourceNotification
CreateMemoryResourceNotification
VirtualLock

api-ms-win-core-memory-l1-1-0

VirtualQueryEx
VirtualQuery
VirtualProtectEx
VirtualProtect
MapViewOfFileEx
VirtualFreeEx
VirtualFree
VirtualAllocEx
VirtualAlloc
UnmapViewOfFile
ReadProcessMemory
FlushViewOfFile
OpenFileMappingW
MapViewOfFile
CreateFileMappingW
WriteProcessMemory

api-ms-win-core-memory-l1-1-2

RegisterBadMemoryNotification
GetMemoryErrorHandlingCapabilities
UnregisterBadMemoryNotification
AllocateUserPhysicalPages
AllocateUserPhysicalPagesNuma
FreeUserPhysicalPages
MapUserPhysicalPages
VirtualAllocExNuma

api-ms-win-core-handle-l1-1-0

DuplicateHandle
GetHandleInformation
SetHandleInformation
CloseHandle

api-ms-win-core-synch-l1-1-0

InitializeCriticalSectionEx
ReleaseSemaphore
LeaveCriticalSection
EnterCriticalSection
ReleaseMutex
OpenWaitableTimerW
OpenSemaphoreW
CancelWaitableTimer
CreateEventA
CreateEventExA
OpenMutexW
OpenEventW
WaitForSingleObjectEx
WaitForSingleObject
WaitForMultipleObjectsEx
SleepEx
SetWaitableTimer
DeleteCriticalSection
InitializeCriticalSection
CreateEventExW
CreateEventW
CreateMutexA
CreateMutexExA
CreateMutexExW
CreateMutexW
CreateSemaphoreExW
SetEvent
CreateWaitableTimerExW
InitializeCriticalSectionAndSpinCount
OpenEventA
ResetEvent

api-ms-win-core-synch-l1-2-1

WaitForMultipleObjects
CreateSemaphoreW

api-ms-win-core-synch-l1-2-0

InitializeSynchronizationBarrier
DeleteSynchronizationBarrier
InitOnceExecuteOnce
EnterSynchronizationBarrier
SignalObjectAndWait

api-ms-win-core-file-l1-1-0

FindFirstFileW
SetFileValidData
FindFirstFileExW
FindFirstFileExA
FindFirstFileA
FindFirstChangeNotificationW
FindFirstChangeNotificationA
FindCloseChangeNotification
FindClose
FileTimeToLocalFileTime
DeleteVolumeMountPointW
DeleteFileW
FindFirstVolumeW
DefineDosDeviceW
CreateFileW
CreateFileA
SetFileTime
CreateDirectoryW
CreateDirectoryA
FindNextFileW
FindNextVolumeW
FindVolumeClose
UnlockFile
FlushFileBuffers
FindNextChangeNotification
GetDiskFreeSpaceExW
GetDiskFreeSpaceA
FindNextFileA
DeleteFileA
GetFileAttributesW
GetDiskFreeSpaceW
GetFileInformationByHandle
GetDriveTypeA
GetDriveTypeW
GetFileSize
GetFileAttributesExW
GetFileSizeEx
GetFileTime
GetFileType
GetFinalPathNameByHandleA
GetFinalPathNameByHandleW
GetFullPathNameA
GetFullPathNameW
GetLogicalDriveStringsW
SetFilePointerEx
GetTempFileNameW
SetFilePointer
CompareFileTime
GetFileAttributesA
GetVolumeInformationByHandleW
GetVolumeInformationW
GetVolumePathNameW
UnlockFileEx
LocalFileTimeToFileTime
LockFile
LockFileEx
QueryDosDeviceW
ReadFile
ReadFileEx
ReadFileScatter
RemoveDirectoryA
RemoveDirectoryW
SetEndOfFile
SetFileAttributesA
SetFileAttributesW
SetFileInformationByHandle
WriteFile
WriteFileEx
WriteFileGather
GetFileAttributesExA
GetDiskFreeSpaceExA

api-ms-win-core-file-l1-2-0

GetTempPathW
CreateFile2
GetVolumePathNamesForVolumeNameW

api-ms-win-core-file-l1-2-2

GetVolumeInformationA
GetTempPathA
FindFirstStreamW
FindNextFileNameW
GetTempFileNameA
FindFirstFileNameW

api-ms-win-core-file-l1-2-1

GetCompressedFileSizeA
SetFileIoOverlappedRange
GetCompressedFileSizeW

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-io-l1-1-0

DeviceIoControl
CancelIoEx
CreateIoCompletionPort
PostQueuedCompletionStatus
GetQueuedCompletionStatusEx
GetQueuedCompletionStatus
GetOverlappedResult

api-ms-win-core-io-l1-1-1

CancelIo
CancelSynchronousIo

api-ms-win-core-job-l1-1-0

IsProcessInJob

api-ms-win-core-threadpool-legacy-l1-1-0

ChangeTimerQueueTimer
UnregisterWaitEx
DeleteTimerQueueTimer
QueueUserWorkItem
DeleteTimerQueueEx
CreateTimerQueue
CreateTimerQueueTimer

api-ms-win-core-threadpool-private-l1-1-0

RegisterWaitForSingleObjectEx

api-ms-win-core-largeinteger-l1-1-0

MulDiv

api-ms-win-core-libraryloader-l1-2-2

EnumResourceNamesW

api-ms-win-core-libraryloader-l1-2-0

SizeofResource
GetModuleHandleExA
GetModuleHandleW
LoadResource
GetModuleHandleExW
LoadLibraryExA
LoadLibraryExW
LockResource
FreeLibrary
EnumResourceTypesExW
EnumResourceTypesExA
EnumResourceNamesExA
EnumResourceLanguagesExW
EnumResourceLanguagesExA
DisableThreadLibraryCalls
EnumResourceNamesExW
FindResourceExW
FindStringOrdinal
FreeLibraryAndExitThread
FreeResource
GetModuleFileNameA
GetModuleFileNameW
GetProcAddress
GetModuleHandleA

api-ms-win-core-libraryloader-l1-2-1

FindResourceW
LoadLibraryW
LoadLibraryA

api-ms-win-core-libraryloader-l2-1-0

LoadPackagedLibrary

api-ms-win-core-namedpipe-l1-2-2

CallNamedPipeW

api-ms-win-core-namedpipe-l1-1-0

SetNamedPipeHandleState
TransactNamedPipe
PeekNamedPipe
DisconnectNamedPipe
CreatePipe
WaitNamedPipeW
CreateNamedPipeW
ConnectNamedPipe
GetNamedPipeClientComputerNameW

api-ms-win-core-namedpipe-l1-2-1

GetNamedPipeHandleStateW

api-ms-win-core-datetime-l1-1-0

GetDateFormatA
GetDateFormatW
GetTimeFormatW
GetTimeFormatA

api-ms-win-core-datetime-l1-1-1

GetDateFormatEx
GetTimeFormatEx

api-ms-win-core-datetime-l1-1-2

GetDurationFormatEx

api-ms-win-core-sysinfo-l1-2-0

GetNativeSystemInfo
SetSystemTime
GetSystemTimePreciseAsFileTime
EnumSystemFirmwareTables
GetSystemFirmwareTable
SetComputerNameExW
GetProductInfo

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
SetLocalTime
GlobalMemoryStatusEx
GetLogicalProcessorInformation
GetWindowsDirectoryW
GetWindowsDirectoryA
GetLogicalProcessorInformationEx
GetVersionExA
GetVersion
GetComputerNameExA
GetComputerNameExW
GetLocalTime
GetSystemInfo
GetSystemTime
GetSystemTimeAdjustment
GetVersionExW
GetSystemTimeAsFileTime

api-ms-win-core-sysinfo-l1-2-3

SetComputerNameW
SetComputerNameA
SetComputerNameExA

api-ms-win-core-sysinfo-l1-2-1

SetComputerNameEx2W
GetPhysicallyInstalledSystemMemory
DnsHostnameToComputerNameExW

api-ms-win-core-timezone-l1-1-0

SystemTimeToTzSpecificLocalTime
GetTimeZoneInformationForYear
GetDynamicTimeZoneInformation
SetDynamicTimeZoneInformation
SetTimeZoneInformation
FileTimeToSystemTime
TzSpecificLocalTimeToSystemTime
SystemTimeToFileTime
GetTimeZoneInformation

api-ms-win-core-localization-l1-2-0

IsValidLanguageGroup
IsValidLocale
SetProcessPreferredUILanguages
IsValidCodePage
GetUILanguageInfo
GetUserPreferredUILanguages
IdnToAscii
IdnToUnicode
IsValidLocaleName
LCMapStringEx
LocaleNameToLCID
ResolveLocaleName
LCMapStringA
GetThreadPreferredUILanguages
GetSystemPreferredUILanguages
GetThreadUILanguage
GetNLSVersionEx
GetLocaleInfoEx
GetFileMUIPath
GetFileMUIInfo
LCMapStringW
FindNLSStringEx
SetCalendarInfoW
IsNLSDefinedString
IsDBCSLeadByteEx
IsDBCSLeadByte
GetUserDefaultLCID
SetThreadLocale
ConvertDefaultLocale
VerLanguageNameW
VerLanguageNameA
SetLocaleInfoW
GetUserDefaultLangID
GetThreadLocale
GetSystemDefaultLCID
GetSystemDefaultLangID
GetProcessPreferredUILanguages
GetCalendarInfoEx
GetCalendarInfoW
EnumSystemLocalesA
EnumSystemLocalesW
FindNLSString
FormatMessageA
FormatMessageW
GetACP
GetCPInfo
GetCPInfoExW
GetNLSVersion
IsValidNLSVersion
SetThreadPreferredUILanguages
SetThreadUILanguage
GetLocaleInfoA
GetLocaleInfoW
GetOEMCP

api-ms-win-core-processsnapshot-l1-1-0

PssWalkMarkerSeekToBeginning
PssWalkMarkerSetPosition
PssWalkMarkerGetPosition
PssWalkMarkerFree
PssWalkMarkerCreate
PssCaptureSnapshot
PssFreeSnapshot
PssQuerySnapshot
PssWalkSnapshot
PssDuplicateSnapshot

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW
SetStdHandleEx
GetStdHandle
GetEnvironmentVariableA
SetEnvironmentStringsW
GetEnvironmentStringsW
ExpandEnvironmentStringsA
GetCurrentDirectoryA
GetCommandLineW
GetCommandLineA
SetCurrentDirectoryW
SetCurrentDirectoryA
GetEnvironmentStrings
SetEnvironmentVariableA
SetEnvironmentVariableW
FreeEnvironmentStringsA
SearchPathW
GetCurrentDirectoryW
SetStdHandle
FreeEnvironmentStringsW
GetEnvironmentVariableW

api-ms-win-core-processenvironment-l1-2-0

SearchPathA
NeedCurrentDirectoryForExePathA
NeedCurrentDirectoryForExePathW

api-ms-win-core-string-l1-1-0

MultiByteToWideChar
CompareStringOrdinal
CompareStringEx
WideCharToMultiByte
CompareStringW
GetStringTypeW
GetStringTypeExW
FoldStringW

api-ms-win-core-debug-l1-1-1

ContinueDebugEvent
DebugActiveProcessStop
WaitForDebugEvent
CheckRemoteDebuggerPresent
DebugActiveProcess

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
DebugBreak
OutputDebugStringA
OutputDebugStringW

api-ms-win-core-errorhandling-l1-1-0

SetErrorMode
RaiseException
GetErrorMode
UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetLastError
GetLastError

api-ms-win-core-errorhandling-l1-1-3

SetThreadErrorMode
GetThreadErrorMode

api-ms-win-core-fibers-l1-1-0

FlsAlloc
FlsGetValue
FlsSetValue
FlsFree

api-ms-win-core-util-l1-1-0

Beep

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter
QueryPerformanceFrequency

api-ms-win-security-base-l1-1-0

AccessCheck
AllocateAndInitializeSid
FreeSid
EqualSid
DuplicateToken

api-ms-win-security-base-l1-2-0

AddScopedPolicyIDAce
AddResourceAttributeAce
SetCachedSigningLevel
GetCachedSigningLevel
GetAppContainerAce
CheckTokenCapability
CheckTokenMembershipEx

api-ms-win-security-appcontainer-l1-1-0

GetAppContainerNamedObjectPath

api-ms-win-core-comm-l1-1-0

PurgeComm
GetCommTimeouts
GetCommState
GetCommProperties
SetCommBreak
SetCommConfig
SetCommMask
SetCommState
SetCommTimeouts
SetupComm
TransmitCommChar
WaitCommEvent
GetCommModemStatus
GetCommMask
GetCommConfig
EscapeCommFunction
ClearCommError
ClearCommBreak

api-ms-win-core-realtime-l1-1-0

QueryIdleProcessorCycleTime
QueryUnbiasedInterruptTime
QueryProcessCycleTime
QueryIdleProcessorCycleTimeEx
QueryThreadCycleTime

api-ms-win-core-wow64-l1-1-1

GetSystemWow64Directory2W
IsWow64Process2
GetSystemWow64DirectoryW
GetSystemWow64DirectoryA

api-ms-win-core-wow64-l1-1-0

IsWow64Process
Wow64DisableWow64FsRedirection
Wow64RevertWow64FsRedirection

api-ms-win-core-systemtopology-l1-1-1

GetNumaProximityNodeEx

api-ms-win-core-systemtopology-l1-1-0

GetNumaNodeProcessorMaskEx
GetNumaHighestNodeNumber

api-ms-win-core-processtopology-l1-1-0

GetProcessGroupAffinity
GetThreadGroupAffinity
SetThreadGroupAffinity

api-ms-win-core-namespace-l1-1-0

ClosePrivateNamespace
CreateBoundaryDescriptorW
OpenPrivateNamespaceW
CreatePrivateNamespaceW
AddSIDToBoundaryDescriptor
DeleteBoundaryDescriptor

api-ms-win-core-file-l2-1-2

CreateHardLinkA
CopyFileW

api-ms-win-core-file-l2-1-0

ReadDirectoryChangesW
ReOpenFile
CreateHardLinkW
CreateSymbolicLinkW
GetFileInformationByHandleEx
CreateDirectoryExW
MoveFileWithProgressW
MoveFileExW
ReplaceFileW
CopyFileExW
CopyFile2

api-ms-win-core-file-l2-1-3

ReadDirectoryChangesExW

api-ms-win-core-file-l2-1-1

OpenFileById

api-ms-win-core-xstate-l2-1-0

CopyContext
InitializeContext
LocateXStateFeature
GetXStateFeaturesMask
GetEnabledXStateFeatures
SetXStateFeaturesMask

api-ms-win-core-xstate-l2-1-1

InitializeContext2

api-ms-win-core-localization-l2-1-0

EnumDateFormatsExW
EnumCalendarInfoExEx
EnumTimeFormatsW
EnumDateFormatsExEx
EnumTimeFormatsEx
GetCurrencyFormatEx
GetNumberFormatEx
EnumSystemCodePagesW
EnumDateFormatsW
EnumCalendarInfoW
EnumCalendarInfoExW

api-ms-win-core-normalization-l1-1-0

NormalizeString
IsNormalizedString
IdnToNameprepUnicode
GetStringScripts
VerifyScripts

api-ms-win-core-fibers-l2-1-0

SwitchToFiber
CreateFiber
ConvertThreadToFiber
ConvertFiberToThread
DeleteFiber

api-ms-win-core-fibers-l2-1-1

CreateFiberEx
ConvertThreadToFiberEx

api-ms-win-core-localization-private-l1-1-0

NlsGetCacheUpdateCount
NlsWriteEtwEvent
NlsEventDataDescCreate
NlsUpdateLocale
NlsCheckPolicy
NlsUpdateSystemLocale

api-ms-win-core-sidebyside-l1-1-0

QueryActCtxSettingsW
QueryActCtxW
GetCurrentActCtx
FindActCtxSectionStringW
FindActCtxSectionGuid
DeactivateActCtx
CreateActCtxW
ZombifyActCtx
AddRefActCtx
ActivateActCtx
ReleaseActCtx

api-ms-win-core-appcompat-l1-1-0

BaseCheckAppcompatCache
BaseCheckAppcompatCacheEx
BaseCleanupAppcompatCacheSupport
BaseInitAppcompatCacheSupport
BaseDumpAppcompatCache
BaseFlushAppcompatCache
BaseUpdateAppcompatCache

api-ms-win-core-windowserrorreporting-l1-1-0

WerRegisterMemoryBlock
WerUnregisterMemoryBlock
GetApplicationRecoveryCallback
GetApplicationRestartSettings
WerUnregisterRuntimeExceptionModule
WerRegisterFile
WerUnregisterFile
WerRegisterRuntimeExceptionModule

api-ms-win-core-windowserrorreporting-l1-1-1

WerUnregisterCustomMetadata
WerUnregisterExcludedMemoryBlock
WerRegisterCustomMetadata
WerUnregisterAdditionalProcess
WerRegisterAdditionalProcess
WerRegisterExcludedMemoryBlock

api-ms-win-core-windowserrorreporting-l1-1-2

WerUnregisterAppLocalDump
WerRegisterAppLocalDump

api-ms-win-core-console-l1-1-0

AllocConsole
GetConsoleCP
GetConsoleMode
GetConsoleOutputCP
GetNumberOfConsoleInputEvents
ReadConsoleA
ReadConsoleInputA
ReadConsoleInputW
ReadConsoleW
SetConsoleCtrlHandler
SetConsoleMode
WriteConsoleA
WriteConsoleW

api-ms-win-core-console-l1-2-0

AttachConsole
FreeConsole
PeekConsoleInputA
PeekConsoleInputW

api-ms-win-core-console-l1-2-1

ResizePseudoConsole
CreatePseudoConsole
ClosePseudoConsole

api-ms-win-core-console-l2-1-0

GetConsoleCursorInfo
SetConsoleScreenBufferInfoEx
FillConsoleOutputAttribute
GenerateConsoleCtrlEvent
SetConsoleOutputCP
GetConsoleScreenBufferInfo
GetConsoleScreenBufferInfoEx
SetConsoleCursorPosition
FlushConsoleInputBuffer
FillConsoleOutputCharacterW
CreateConsoleScreenBuffer
GetLargestConsoleWindowSize
SetConsoleCursorInfo
ReadConsoleOutputA
ReadConsoleOutputAttribute
ReadConsoleOutputCharacterA
ReadConsoleOutputCharacterW
ReadConsoleOutputW
ScrollConsoleScreenBufferA
ScrollConsoleScreenBufferW
SetConsoleActiveScreenBuffer
SetConsoleScreenBufferSize
SetConsoleTextAttribute
SetConsoleWindowInfo
WriteConsoleInputA
WriteConsoleInputW
FillConsoleOutputCharacterA
WriteConsoleOutputA
WriteConsoleOutputW
WriteConsoleOutputCharacterW
WriteConsoleOutputCharacterA
WriteConsoleOutputAttribute
SetConsoleCP

api-ms-win-core-console-l2-2-0

GetConsoleTitleW
GetConsoleOriginalTitleW
GetConsoleOriginalTitleA
SetConsoleTitleW
SetConsoleTitleA
GetConsoleTitleA

api-ms-win-core-console-l3-2-0

ExpungeConsoleCommandHistoryA
AddConsoleAliasW
GetConsoleAliasA
GetConsoleAliasExesA
AddConsoleAliasA
ExpungeConsoleCommandHistoryW
GetConsoleAliasExesLengthA
GetConsoleAliasExesLengthW
GetConsoleAliasExesW
GetConsoleAliasW
GetConsoleAliasesA
GetConsoleAliasesLengthA
SetCurrentConsoleFontEx
SetConsoleNumberOfCommandsW
SetConsoleNumberOfCommandsA
SetConsoleHistoryInfo
SetConsoleDisplayMode
GetNumberOfConsoleMouseButtons
GetCurrentConsoleFontEx
GetCurrentConsoleFont
GetConsoleWindow
GetConsoleSelectionInfo
GetConsoleProcessList
GetConsoleHistoryInfo
GetConsoleFontSize
GetConsoleDisplayMode
GetConsoleCommandHistoryW
GetConsoleCommandHistoryLengthW
GetConsoleCommandHistoryLengthA
GetConsoleCommandHistoryA
GetConsoleAliasesW
GetConsoleAliasesLengthW

api-ms-win-core-psapi-l1-1-0

QueryFullProcessImageNameW
K32GetProcessImageFileNameW
K32EnumPageFilesW
K32GetPerformanceInfo
K32GetProcessMemoryInfo
K32EnumProcessModules
K32GetWsChanges
K32GetDeviceDriverFileNameW
K32GetDeviceDriverBaseNameW
K32EnumDeviceDrivers
K32GetWsChangesEx
K32EnumProcessModulesEx
K32GetModuleBaseNameW
K32GetModuleFileNameExW
K32GetModuleInformation
K32EmptyWorkingSet
K32QueryWorkingSet
K32EnumProcesses
K32GetMappedFileNameW
K32QueryWorkingSetEx
K32InitializeProcessForWsWatch

api-ms-win-core-psapi-ansi-l1-1-0

K32EnumPageFilesA
K32GetModuleBaseNameA
K32GetProcessImageFileNameA
K32GetDeviceDriverBaseNameA
K32GetModuleFileNameExA
K32GetMappedFileNameA
QueryFullProcessImageNameA
K32GetDeviceDriverFileNameA

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer
EventRegister
EventUnregister
EventSetInformation

api-ms-win-core-appcompat-l1-1-1

BaseFreeAppCompatDataForProcess
BaseReadAppCompatDataForProcess

Exports

Exports

AcquireSRWLockExclusive
AcquireSRWLockShared
ActivateActCtx
ActivateActCtxWorker
AddAtomA
AddAtomW
AddConsoleAliasA
AddConsoleAliasW
AddDllDirectory
AddIntegrityLabelToBoundaryDescriptor
AddLocalAlternateComputerNameA
AddLocalAlternateComputerNameW
AddRefActCtx
AddRefActCtxWorker
AddResourceAttributeAce
AddSIDToBoundaryDescriptor
AddScopedPolicyIDAce
AddSecureMemoryCacheCallback
AddVectoredContinueHandler
AddVectoredExceptionHandler
AdjustCalendarDate
AllocConsole
AllocateUserPhysicalPages
AllocateUserPhysicalPagesNuma
AppPolicyGetClrCompat
AppPolicyGetCreateFileAccess
AppPolicyGetLifecycleManagement
AppPolicyGetMediaFoundationCodecLoading
AppPolicyGetProcessTerminationMethod
AppPolicyGetShowDeveloperDiagnostic
AppPolicyGetThreadInitializationType
AppPolicyGetWindowingModel
AppXGetOSMaxVersionTested
ApplicationRecoveryFinished
ApplicationRecoveryInProgress
AreFileApisANSI
AssignProcessToJobObject
AttachConsole
BackupRead
BackupSeek
BackupWrite
BaseCheckAppcompatCache
BaseCheckAppcompatCacheEx
BaseCheckAppcompatCacheExWorker
BaseCheckAppcompatCacheWorker
BaseCheckElevation
BaseCleanupAppcompatCacheSupport
BaseCleanupAppcompatCacheSupportWorker
BaseDestroyVDMEnvironment
BaseDllReadWriteIniFile
BaseDumpAppcompatCache
BaseDumpAppcompatCacheWorker
BaseElevationPostProcessing
BaseFlushAppcompatCache
BaseFlushAppcompatCacheWorker
BaseFormatObjectAttributes
BaseFormatTimeOut
BaseFreeAppCompatDataForProcessWorker
BaseGenerateAppCompatData
BaseGetNamedObjectDirectory
BaseInitAppcompatCacheSupport
BaseInitAppcompatCacheSupportWorker
BaseIsAppcompatInfrastructureDisabled
BaseIsAppcompatInfrastructureDisabledWorker
BaseIsDosApplication
BaseQueryModuleData
BaseReadAppCompatDataForProcessWorker
BaseSetLastNTError
BaseThreadInitThunk
BaseUpdateAppcompatCache
BaseUpdateAppcompatCacheWorker
BaseUpdateVDMEntry
BaseVerifyUnicodeString
BaseWriteErrorElevationRequiredEvent
Basep8BitStringToDynamicUnicodeString
BasepAllocateActivationContextActivationBlock
BasepAnsiStringToDynamicUnicodeString
BasepAppContainerEnvironmentExtension
BasepAppXExtension
BasepCheckAppCompat
BasepCheckWebBladeHashes
BasepCheckWinSaferRestrictions
BasepConstructSxsCreateProcessMessage
BasepCopyEncryption
BasepFreeActivationContextActivationBlock
BasepFreeAppCompatData
BasepGetAppCompatData
BasepGetComputerNameFromNtPath
BasepGetExeArchType
BasepInitAppCompatData
BasepIsProcessAllowed
BasepMapModuleHandle
BasepNotifyLoadStringResource
BasepPostSuccessAppXExtension
BasepProcessInvalidImage
BasepQueryAppCompat
BasepQueryModuleChpeSettings
BasepReleaseAppXContext
BasepReleaseSxsCreateProcessUtilityStruct
BasepReportFault
BasepSetFileEncryptionCompression
Beep
BeginUpdateResourceA
BeginUpdateResourceW
BindIoCompletionCallback
BuildCommDCBA
BuildCommDCBAndTimeoutsA
BuildCommDCBAndTimeoutsW
BuildCommDCBW
CallNamedPipeA
CallNamedPipeW
CallbackMayRunLong
CancelDeviceWakeupRequest
CancelIo
CancelIoEx
CancelSynchronousIo
CancelThreadpoolIo
CancelTimerQueueTimer
CancelWaitableTimer
CeipIsOptedIn
ChangeTimerQueueTimer
CheckAllowDecryptedRemoteDestinationPolicy
CheckElevation
CheckElevationEnabled
CheckForReadOnlyResource
CheckForReadOnlyResourceFilter
CheckNameLegalDOS8Dot3A
CheckNameLegalDOS8Dot3W
CheckRemoteDebuggerPresent
CheckTokenCapability
CheckTokenMembershipEx
ClearCommBreak
ClearCommError
CloseConsoleHandle
CloseHandle
ClosePackageInfo
ClosePrivateNamespace
CloseProfileUserMapping
ClosePseudoConsole
CloseState
CloseThreadpool
CloseThreadpoolCleanupGroup
CloseThreadpoolCleanupGroupMembers
CloseThreadpoolIo
CloseThreadpoolTimer
CloseThreadpoolWait
CloseThreadpoolWork
CmdBatNotification
CommConfigDialogA
CommConfigDialogW
CompareCalendarDates
CompareFileTime
CompareStringA
CompareStringEx
CompareStringOrdinal
CompareStringW
ConnectNamedPipe
ConsoleMenuControl
ContinueDebugEvent
ConvertCalDateTimeToSystemTime
ConvertDefaultLocale
ConvertFiberToThread
ConvertNLSDayOfWeekToWin32DayOfWeek
ConvertSystemTimeToCalDateTime
ConvertThreadToFiber
ConvertThreadToFiberEx
CopyContext
CopyFile2
CopyFileA
CopyFileExA
CopyFileExW
CopyFileTransactedA
CopyFileTransactedW
CopyFileW
CopyLZFile
CreateActCtxA
CreateActCtxW
CreateActCtxWWorker
CreateBoundaryDescriptorA
CreateBoundaryDescriptorW
CreateConsoleScreenBuffer
CreateDirectoryA
CreateDirectoryExA
CreateDirectoryExW
CreateDirectoryTransactedA
CreateDirectoryTransactedW
CreateDirectoryW
CreateEnclave
CreateEventA
CreateEventExA
CreateEventExW
CreateEventW
CreateFiber
CreateFiberEx
CreateFile2
CreateFileA
CreateFileMappingA
CreateFileMappingFromApp
CreateFileMappingNumaA
CreateFileMappingNumaW
CreateFileMappingW
CreateFileTransactedA
CreateFileTransactedW
CreateFileW
CreateHardLinkA
CreateHardLinkTransactedA
CreateHardLinkTransactedW
CreateHardLinkW
CreateIoCompletionPort
CreateJobObjectA
CreateJobObjectW
CreateJobSet
CreateMailslotA
CreateMailslotW
CreateMemoryResourceNotification
CreateMutexA
CreateMutexExA
CreateMutexExW
CreateMutexW
CreateNamedPipeA
CreateNamedPipeW
CreatePipe
CreatePrivateNamespaceA
CreatePrivateNamespaceW
CreateProcessA
CreateProcessAsUserA
CreateProcessAsUserW
CreateProcessInternalA
CreateProcessInternalW
CreateProcessW
CreatePseudoConsole
CreateRemoteThread
CreateRemoteThreadEx
CreateSemaphoreA
CreateSemaphoreExA
CreateSemaphoreExW
CreateSemaphoreW
CreateSymbolicLinkA
CreateSymbolicLinkTransactedA
CreateSymbolicLinkTransactedW
CreateSymbolicLinkW
CreateTapePartition
CreateThread
CreateThreadpool
CreateThreadpoolCleanupGroup
CreateThreadpoolIo
CreateThreadpoolTimer
CreateThreadpoolWait
CreateThreadpoolWork
CreateTimerQueue
CreateTimerQueueTimer
CreateToolhelp32Snapshot
CreateUmsCompletionList
CreateUmsThreadContext
CreateWaitableTimerA
CreateWaitableTimerExA
CreateWaitableTimerExW
CreateWaitableTimerW
CtrlRoutine
DeactivateActCtx
DeactivateActCtxWorker
DebugActiveProcess
DebugActiveProcessStop
DebugBreak
DebugBreakProcess
DebugSetProcessKillOnExit
DecodePointer
DecodeSystemPointer
DefineDosDeviceA
DefineDosDeviceW
DelayLoadFailureHook
DeleteAtom
DeleteBoundaryDescriptor
DeleteCriticalSection
DeleteFiber
DeleteFileA
DeleteFileTransactedA
DeleteFileTransactedW
DeleteFileW
DeleteProcThreadAttributeList
DeleteSynchronizationBarrier
DeleteTimerQueue
DeleteTimerQueueEx
DeleteTimerQueueTimer
DeleteUmsCompletionList
DeleteUmsThreadContext
DeleteVolumeMountPointA
DeleteVolumeMountPointW
DequeueUmsCompletionListItems
DeviceIoControl
DisableThreadLibraryCalls
DisableThreadProfiling
DisassociateCurrentThreadFromCallback
DiscardVirtualMemory
DisconnectNamedPipe
DnsHostnameToComputerNameA
DnsHostnameToComputerNameExW
DnsHostnameToComputerNameW
DosDateTimeToFileTime
DosPathToSessionPathA
DosPathToSessionPathW
DuplicateConsoleHandle
DuplicateEncryptionInfoFileExt
DuplicateHandle
EnableThreadProfiling
EncodePointer
EncodeSystemPointer
EndUpdateResourceA
EndUpdateResourceW
EnterCriticalSection
EnterSynchronizationBarrier
EnterUmsSchedulingMode
EnumCalendarInfoA
EnumCalendarInfoExA
EnumCalendarInfoExEx
EnumCalendarInfoExW
EnumCalendarInfoW
EnumDateFormatsA
EnumDateFormatsExA
EnumDateFormatsExEx
EnumDateFormatsExW
EnumDateFormatsW
EnumLanguageGroupLocalesA
EnumLanguageGroupLocalesW
EnumResourceLanguagesA
EnumResourceLanguagesExA
EnumResourceLanguagesExW
EnumResourceLanguagesW
EnumResourceNamesA
EnumResourceNamesExA
EnumResourceNamesExW
EnumResourceNamesW
EnumResourceTypesA
EnumResourceTypesExA
EnumResourceTypesExW
EnumResourceTypesW
EnumSystemCodePagesA
EnumSystemCodePagesW
EnumSystemFirmwareTables
EnumSystemGeoID
EnumSystemGeoNames
EnumSystemLanguageGroupsA
EnumSystemLanguageGroupsW
EnumSystemLocalesA
EnumSystemLocalesEx
EnumSystemLocalesW
EnumTimeFormatsA
EnumTimeFormatsEx
EnumTimeFormatsW
EnumUILanguagesA
EnumUILanguagesW
EnumerateLocalComputerNamesA
EnumerateLocalComputerNamesW
EraseTape
EscapeCommFunction
ExecuteUmsThread
ExitProcess
ExitThread
ExitVDM
ExpandEnvironmentStringsA
ExpandEnvironmentStringsW
ExpungeConsoleCommandHistoryA
ExpungeConsoleCommandHistoryW
FatalAppExitA
FatalAppExitW
FatalExit
FileTimeToDosDateTime
FileTimeToLocalFileTime
FileTimeToSystemTime
FillConsoleOutputAttribute
FillConsoleOutputCharacterA
FillConsoleOutputCharacterW
FindActCtxSectionGuid
FindActCtxSectionGuidWorker
FindActCtxSectionStringA
FindActCtxSectionStringW
FindActCtxSectionStringWWorker
FindAtomA
FindAtomW
FindClose
FindCloseChangeNotification
FindFirstChangeNotificationA
FindFirstChangeNotificationW
FindFirstFileA
FindFirstFileExA
FindFirstFileExW
FindFirstFileNameTransactedW
FindFirstFileNameW
FindFirstFileTransactedA
FindFirstFileTransactedW
FindFirstFileW
FindFirstStreamTransactedW
FindFirstStreamW
FindFirstVolumeA
FindFirstVolumeMountPointA
FindFirstVolumeMountPointW
FindFirstVolumeW
FindNLSString
FindNLSStringEx
FindNextChangeNotification
FindNextFileA
FindNextFileNameW
FindNextFileW
FindNextStreamW
FindNextVolumeA
FindNextVolumeMountPointA
FindNextVolumeMountPointW
FindNextVolumeW
FindPackagesByPackageFamily
FindResourceA
FindResourceExA
FindResourceExW
FindResourceW
FindStringOrdinal
FindVolumeClose
FindVolumeMountPointClose
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FlushConsoleInputBuffer
FlushFileBuffers
FlushInstructionCache
FlushProcessWriteBuffers
FlushViewOfFile
FoldStringA
FoldStringW
FormatApplicationUserModelId
FormatMessageA
FormatMessageW
FreeConsole
FreeEnvironmentStringsA
FreeEnvironmentStringsW
FreeLibrary
FreeLibraryAndExitThread
FreeLibraryWhenCallbackReturns
FreeMemoryJobObject
FreeResource
FreeUserPhysicalPages
GenerateConsoleCtrlEvent
GetACP
GetActiveProcessorCount
GetActiveProcessorGroupCount
GetAppContainerAce
GetAppContainerNamedObjectPath
GetApplicationRecoveryCallback
GetApplicationRecoveryCallbackWorker
GetApplicationRestartSettings
GetApplicationRestartSettingsWorker
GetApplicationUserModelId
GetAtomNameA
GetAtomNameW
GetBinaryType
GetBinaryTypeA
GetBinaryTypeW
GetCPInfo
GetCPInfoExA
GetCPInfoExW
GetCachedSigningLevel
GetCalendarDateFormat
GetCalendarDateFormatEx
GetCalendarDaysInMonth
GetCalendarDifferenceInDays
GetCalendarInfoA
GetCalendarInfoEx
GetCalendarInfoW
GetCalendarMonthsInYear
GetCalendarSupportedDateRange
GetCalendarWeekNumber
GetComPlusPackageInstallStatus
GetCommConfig
GetCommMask
GetCommModemStatus
GetCommProperties
GetCommState
GetCommTimeouts
GetCommandLineA
GetCommandLineW
GetCompressedFileSizeA
GetCompressedFileSizeTransactedA
GetCompressedFileSizeTransactedW
GetCompressedFileSizeW
GetComputerNameA
GetComputerNameExA
GetComputerNameExW
GetComputerNameW
GetConsoleAliasA
GetConsoleAliasExesA
GetConsoleAliasExesLengthA
GetConsoleAliasExesLengthW
GetConsoleAliasExesW
GetConsoleAliasW
GetConsoleAliasesA
GetConsoleAliasesLengthA
GetConsoleAliasesLengthW
GetConsoleAliasesW
GetConsoleCP
GetConsoleCharType
GetConsoleCommandHistoryA
GetConsoleCommandHistoryLengthA

Sections

.text
Size: 466KB - Virtual size: 465KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 198KB - Virtual size: 197KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 21KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 588B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
msxml3.dll
.dll regsvr32 windows x64

2e1d1e35c17be5497d2de33f06dc41b4

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

memset
_initterm
malloc
_vsnwprintf
free
memmove
memcpy
wcschr
fmod
floor
ceil
wcsncmp
_amsg_exit
_XcptFilter
_onexit
__dllonexit
_unlock
_lock
_resetstkoflw
__C_specific_handler
memmove_s
wcsrchr
_purecall
memcpy_s
bsearch
memcmp
wcscmp

api-ms-win-core-libraryloader-l1-2-0

LoadLibraryExW
LoadResource
GetModuleFileNameW
GetModuleFileNameA
LockResource
FreeLibrary
GetProcAddress
FindResourceExW
SizeofResource
GetModuleHandleExW
GetModuleHandleW

api-ms-win-core-synch-l1-1-0

ReleaseSemaphore
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSectionEx
WaitForSingleObject
ReleaseMutex
ReleaseSRWLockExclusive
CreateEventW
AcquireSRWLockExclusive
WaitForSingleObjectEx
InitializeCriticalSection
TryEnterCriticalSection
ResetEvent
CreateSemaphoreExW
DeleteCriticalSection
AcquireSRWLockShared
CreateMutexExW
OpenSemaphoreW
ReleaseSRWLockShared
SetEvent

api-ms-win-core-heap-l1-1-0

HeapCreate
HeapAlloc
HeapDestroy
HeapFree
GetProcessHeap

api-ms-win-core-errorhandling-l1-1-0

RaiseException
SetUnhandledExceptionFilter
GetLastError
UnhandledExceptionFilter
SetLastError

api-ms-win-core-threadpool-l1-2-0

CreateThreadpoolTimer
CloseThreadpoolTimer
WaitForThreadpoolTimerCallbacks
SetThreadpoolTimer

api-ms-win-core-processthreads-l1-1-0

CreateThread
TerminateProcess
SetThreadPriority
TlsGetValue
GetCurrentProcess
SetThreadToken
ResumeThread
GetCurrentProcessId
GetCurrentThreadId
SuspendThread
SwitchToThread
TlsFree
TlsSetValue
OpenThreadToken
GetCurrentThread
TlsAlloc

api-ms-win-core-localization-l1-2-0

GetCPInfo
GetThreadLocale
GetUserDefaultLCID
FormatMessageW

api-ms-win-core-debug-l1-1-0

DebugBreak
IsDebuggerPresent
OutputDebugStringW

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

api-ms-win-core-rtlsupport-l1-1-0

RtlCaptureContext
RtlVirtualUnwind
RtlLookupFunctionEntry

api-ms-win-core-synch-l1-2-0

InitOnceExecuteOnce
Sleep

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetSystemDirectoryW
GetVersionExW
GetSystemTimeAsFileTime
GetTickCount
GetSystemInfo

api-ms-win-core-com-l1-1-0

CoInitializeEx
CoCreateInstance
CreateStreamOnHGlobal
CoUninitialize
CoTaskMemAlloc
CoCreateGuid
CLSIDFromProgID
CoTaskMemFree
CoCreateFreeThreadedMarshaler

api-ms-win-core-processthreads-l1-1-1

GetThreadContext

api-ms-win-core-memory-l1-1-0

VirtualAlloc
VirtualFree
VirtualQuery

api-ms-win-core-string-l1-1-0

MultiByteToWideChar
WideCharToMultiByte
CompareStringW

api-ms-win-core-string-l2-1-0

CharUpperBuffW
CharLowerW
CharUpperW
IsCharAlphaW
IsCharUpperW

api-ms-win-core-registry-l1-1-0

RegQueryValueExW
RegCloseKey
RegOpenKeyExW

api-ms-win-core-timezone-l1-1-0

SystemTimeToFileTime
FileTimeToSystemTime

bcrypt

BCryptCreateHash
BCryptGenRandom
BCryptGetProperty
BCryptOpenAlgorithmProvider
BCryptDestroyHash
BCryptCloseAlgorithmProvider
BCryptHashData
BCryptFinishHash

api-ms-win-core-datetime-l1-1-0

GetTimeFormatW
GetDateFormatW

api-ms-win-core-heap-l2-1-0

LocalAlloc
GlobalAlloc
LocalFree

api-ms-win-core-file-l1-2-0

GetTempPathW

api-ms-win-core-file-l1-1-0

GetFileType
CreateFileW
SetEndOfFile
WriteFile
FlushFileBuffers
ReadFile

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-shlwapi-legacy-l1-1-0

PathFindFileNameW
PathSearchAndQualifyW
PathFindExtensionW

api-ms-win-core-shlwapi-obsolete-l1-1-0

StrCmpNIW
StrToIntW
StrCmpW

api-ms-win-core-url-l1-1-0

UrlUnescapeW
PathIsURLW
UrlGetLocationW
UrlCanonicalizeW
UrlCreateFromPathW
PathCreateFromUrlW
UrlIsW

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

ntdll

RtlFindClearBits
RtlClearBit
NtQuerySystemInformation
NtQuerySecurityPolicy
WinSqmSetDWORD
RtlInitializeBitMap
RtlFindClearBitsAndSet

api-ms-win-security-base-l1-1-0

RevertToSelf

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllMain
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 273KB - Virtual size: 272KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 23KB - Virtual size: 446KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 70KB - Virtual size: 70KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1024B - Virtual size: 792B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 94KB - Virtual size: 94KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 26KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

f9f97e60cfcd78be051d9570c88ffb6f

Code Sign

33:00:00:02:29:e8:93:3c:c4:14:fa:f5:7c:00:00:00:00:02:29Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

3d:00:7b:b1:dd:13:1e:fa:32:c0:b2:e0:71:1b:4a:97:6a:e6:46:69:bf:a9:38:f8:c5:1d:bf:73:84:e0:57:6dSigner

Headers

DLL Characteristics

File Characteristics

Imports

api-ms-win-core-rtlsupport-l1-1-0

ntdll

kernelbase

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-processthreads-l1-1-3

api-ms-win-core-processthreads-l1-1-2

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-registry-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-memory-l1-1-1

api-ms-win-core-memory-l1-1-0

api-ms-win-core-memory-l1-1-2

api-ms-win-core-handle-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-synch-l1-2-1

api-ms-win-core-synch-l1-2-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-file-l1-2-0

api-ms-win-core-file-l1-2-2

api-ms-win-core-file-l1-2-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-core-io-l1-1-0

api-ms-win-core-io-l1-1-1

api-ms-win-core-job-l1-1-0

api-ms-win-core-threadpool-legacy-l1-1-0

api-ms-win-core-threadpool-private-l1-1-0

api-ms-win-core-largeinteger-l1-1-0

api-ms-win-core-libraryloader-l1-2-2

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-libraryloader-l2-1-0

api-ms-win-core-namedpipe-l1-2-2

api-ms-win-core-namedpipe-l1-1-0

api-ms-win-core-namedpipe-l1-2-1

api-ms-win-core-datetime-l1-1-0

api-ms-win-core-datetime-l1-1-1

api-ms-win-core-datetime-l1-1-2

api-ms-win-core-sysinfo-l1-2-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-sysinfo-l1-2-3

api-ms-win-core-sysinfo-l1-2-1

api-ms-win-core-timezone-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-processsnapshot-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-processenvironment-l1-2-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-debug-l1-1-1

api-ms-win-core-debug-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-errorhandling-l1-1-3

api-ms-win-core-fibers-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-security-base-l1-2-0

api-ms-win-security-appcontainer-l1-1-0

api-ms-win-core-comm-l1-1-0

api-ms-win-core-realtime-l1-1-0

api-ms-win-core-wow64-l1-1-1

api-ms-win-core-wow64-l1-1-0

api-ms-win-core-systemtopology-l1-1-1

api-ms-win-core-systemtopology-l1-1-0

33:00:00:02:29:e8:93:3c:c4:14:fa:f5:7c:00:00:00:00:02:29
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

3d:00:7b:b1:dd:13:1e:fa:32:c0:b2:e0:71:1b:4a:97:6a:e6:46:69:bf:a9:38:f8:c5:1d:bf:73:84:e0:57:6d
Signer

.text
Size: 466KB - Virtual size: 465KB

.rdata
Size: 198KB - Virtual size: 197KB

.data
Size: 1KB - Virtual size: 4KB

.pdata
Size: 21KB - Virtual size: 21KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 1024B - Virtual size: 588B