9149f635096571cd67a82a2efa113c819b8b9005e4f29d6f0d6eb26bb15ed41c[.]zip[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

9149f635096571cd67a82a2efa113c819b8b9005e4f29d6f0d6eb26bb15ed41c.zip.zip
Size

3.5MB
MD5

cde3c10e89be522da48eadfc0cedfa1f
SHA1

ddd22eb69fb2d63d0eab290673927ff8af41b69a
SHA256

e44c0ce0b7ad5b292fe8dd3bd3a2e59a2ee0cdc46c9ef4ab40ce2501fa33ed3b
SHA512

5f3a9023152173e48a1a636bf53a2694d3cf0546707d2f99c16404d6a9580fd22fa9437ff9e70898015cc630add1a7b5da3fb3b1780fce0708f25cafee6bba89
SSDEEP

98304:B9NgG6QJ4YB78M5AqDH7DT1pNMn6EiDK6Emklw0vQGIglQ:X3WqDH7tpNsBK/l

Score

3^/10

Malware Config

Signatures

Unsigned PE 9 IoCs

Checks for missing Authenticode signature.

resource
unpack002/Config/Plugins/FrogPlugins_Pcn7FMvReAsVWfCQBfRJCw/Plugin.amd64.dll
unpack002/Config/Plugins/FrogPlugins_Pcn7FMvReAsVWfCQBfRJCw/Plugin.x86.dll
unpack002/Config/Plugins/FrogPlugins_Pcn7FMvReAsVWfCQBfRJCw/PluginRes.dll
unpack002/Config/amd64/CBSHost.dll
unpack002/Config/amd64/NCleaner.dll
unpack002/Config/x86/CBSHost.dll
unpack002/Config/x86/NCleaner.dll
unpack002/Dism++x64.exe
unpack002/Dism++x86.exe

Files

9149f635096571cd67a82a2efa113c819b8b9005e4f29d6f0d6eb26bb15ed41c.zip.zip
.zip

Password: infected
9149f635096571cd67a82a2efa113c819b8b9005e4f29d6f0d6eb26bb15ed41c.zip
.zip
Config/Data.zip
.zip
Data.xml
.xml
Config/Languages/bg.zip
.zip
bg.xml
.xml
Config/Languages/cs.zip
.zip
cs.xml
.xml
Config/Languages/de.zip
.zip
de.xml
.xml
Config/Languages/en.zip
.zip
en.xml
.xml
Config/Languages/es.zip
.zip
es.xml
.xml
Config/Languages/fr.zip
.zip
fr.xml
.xml
Config/Languages/hu.zip
.zip
Config/Languages/it.zip
.zip
Config/Languages/ja.zip
.zip
Config/Languages/ko.zip
.zip
Config/Languages/pl-PL.zip
.zip
Config/Languages/pt.zip
.zip
Config/Languages/ru.zip
.zip
Config/Languages/tr.zip
.zip
Config/Languages/zh-Hans.zip
.zip
Config/Languages/zh-Hant.zip
.zip
Config/Plugins/FrogPlugins_Pcn7FMvReAsVWfCQBfRJCw/Plugin.amd64.dll
.dll windows:6 windows x64

d537b1fa5ce68d431ed93bfa507936e5

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

kernel32

GetLastError
GetSystemTimeAsFileTime
IsWow64Process
FreeLibrary
GetProcAddress
LoadLibraryExW
HeapDestroy
HeapSize
HeapReAlloc
HeapFree
HeapAlloc
GetProcessHeap
RaiseException
SizeofResource
LockResource
LoadResource
FindResourceW
FindResourceExW
DeleteCriticalSection
InitializeCriticalSectionEx
FindFirstFileW
FindClose
CreateDirectoryW
CreateFileW
CloseHandle
GetFileSize
ReadFile
WriteFile
SetEndOfFile
FindNextFileW
GetModuleFileNameW
MoveFileW
SystemTimeToFileTime
LocalFileTimeToFileTime
FileTimeToLocalFileTime
FileTimeToSystemTime
WritePrivateProfileStringW
VirtualProtect
SetLastError
VirtualFree
GetCurrentProcess
VirtualAlloc
LoadLibraryExA
GetCurrentThreadId
SuspendThread
ResumeThread
GetCurrentThread
GetThreadContext
GetModuleHandleW
FlushInstructionCache
SetThreadContext
VirtualQuery
EnterCriticalSection
LeaveCriticalSection
VerifyVersionInfoW
VerSetConditionMask
CreateThread
WaitForSingleObject
CreateProcessW
OpenProcess
GetCurrentProcessId
TerminateProcess
ExitProcess
LoadLibraryW
VirtualAllocEx
GetExitCodeThread
WritePrivateProfileSectionW
GetModuleHandleExW
GetPrivateProfileSectionW
GetPrivateProfileSectionNamesW
GetSystemDirectoryW
GetPrivateProfileStringW
DeleteFileW
DecodePointer
ReadProcessMemory
GetExitCodeProcess
GetTickCount64
QueryPerformanceCounter
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
SleepConditionVariableSRW
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
InterlockedPushEntrySList
InterlockedPopEntrySList
InitializeSListHead
EncodePointer
InterlockedFlushSList
OutputDebugStringW
IsDebuggerPresent
GetSystemInfo

ntdll

NtOpenFile
RtlAdjustPrivilege
NtClose
NtReadVirtualMemory
RtlDosPathNameToNtPathName_U
RtlFreeUnicodeString
NtCreateThreadEx
NtWriteVirtualMemory
NtQueryInformationProcess

msvcrt

?terminate@@YAXXZ
__CppXcptFilter
__CxxFrameHandler3
??3@YAXPEAX@Z
memcpy
_errno
memset
memmove
wcslen
vswprintf_s
_vscwprintf
??_U@YAPEAX_K@Z
??_V@YAXPEAX@Z
free
wcsnlen
swscanf
wcsrchr
__C_specific_handler
??2@YAPEAX_K@Z
wcsncpy_s
memcmp
wcstoul
_beginthreadex
_purecall
_wcsicmp
strlen
wcschr
malloc
??0exception@@QEAA@XZ
??0exception@@QEAA@AEBQEBD@Z
??0exception@@QEAA@AEBV0@@Z
??1exception@@UEAA@XZ
?what@exception@@UEBAPEBDXZ
_CxxThrowException
_cexit
_initterm
_initterm_e
__getmainargs
atexit
_invalid_parameter
__dllonexit
_lock
_unlock

Exports

Exports

DismCreateInstance2
ViewExplorerW

Sections

.text
Size: 71KB - Virtual size: 71KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 38KB - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.detourc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.detourd
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Config/Plugins/FrogPlugins_Pcn7FMvReAsVWfCQBfRJCw/Plugin.arm64.dll
Config/Plugins/FrogPlugins_Pcn7FMvReAsVWfCQBfRJCw/Plugin.x86.dll
.dll windows:6 windows x86

54beb43eb6d5cc5ab4e52600ae43aa97

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GetLastError
SetLastError
GetSystemTimeAsFileTime
GetNativeSystemInfo
IsWow64Process
FreeLibrary
GetProcAddress
LoadLibraryExW
HeapDestroy
HeapSize
HeapReAlloc
HeapFree
HeapAlloc
GetProcessHeap
RaiseException
SizeofResource
LockResource
LoadResource
FindResourceW
FindResourceExW
DeleteCriticalSection
InitializeCriticalSectionEx
FindFirstFileW
FindClose
CreateDirectoryW
CreateFileW
CloseHandle
GetFileSize
ReadFile
WriteFile
SetEndOfFile
FindNextFileW
GetModuleFileNameW
MoveFileW
SystemTimeToFileTime
LocalFileTimeToFileTime
FileTimeToLocalFileTime
FileTimeToSystemTime
WritePrivateProfileStringW
VirtualProtect
VirtualFree
GetCurrentProcess
VirtualAlloc
LoadLibraryExA
GetCurrentThreadId
SuspendThread
ResumeThread
GetCurrentThread
GetThreadContext
GetModuleHandleW
FlushInstructionCache
SetThreadContext
VirtualQuery
EnterCriticalSection
LeaveCriticalSection
VerifyVersionInfoW
VerSetConditionMask
CreateThread
WaitForSingleObject
CreateProcessW
OpenProcess
GetCurrentProcessId
TerminateProcess
ExitProcess
LoadLibraryW
VirtualAllocEx
GetExitCodeThread
WritePrivateProfileSectionW
GetModuleHandleExW
GetPrivateProfileSectionW
GetPrivateProfileSectionNamesW
GetSystemDirectoryW
GetPrivateProfileStringW
DeleteFileW
DecodePointer
GetExitCodeProcess
IsDebuggerPresent
InterlockedFlushSList
GetTickCount64
QueryPerformanceCounter
SetUnhandledExceptionFilter
UnhandledExceptionFilter
SleepConditionVariableSRW
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
IsProcessorFeaturePresent
InterlockedPushEntrySList
InterlockedPopEntrySList
InitializeSListHead
OutputDebugStringW
EncodePointer
GetSystemInfo

ntdll

NtOpenFile
RtlAdjustPrivilege
NtClose
RtlDosPathNameToNtPathName_U
RtlFreeUnicodeString
NtCreateThreadEx
NtWriteVirtualMemory
NtQueryInformationProcess

msvcrt

_except_handler3
?terminate@@YAXXZ
__CppXcptFilter
__CxxFrameHandler3
__dllonexit
??3@YAXPAX@Z
memcpy
_errno
memset
memmove
wcslen
vswprintf_s
_vscwprintf
??_U@YAPAXI@Z
??_V@YAXPAX@Z
free
wcsnlen
swscanf
wcsrchr
??2@YAPAXI@Z
wcsncpy_s
memcmp
wcstoul
_beginthreadex
_purecall
_wcsicmp
wcschr
malloc
??0exception@@QAE@XZ
??0exception@@QAE@ABQBD@Z
??0exception@@QAE@ABV0@@Z
??1exception@@UAE@XZ
?what@exception@@UBEPBDXZ
_CxxThrowException
_cexit
_except_handler4_common
__getmainargs
atexit
_initterm
_initterm_e
_invalid_parameter
_lock
_unlock

Exports

Exports

DismCreateInstance2
ViewExplorerW

Sections

.text
Size: 48KB - Virtual size: 48KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 31KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.detourc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.detourd
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Config/Plugins/FrogPlugins_Pcn7FMvReAsVWfCQBfRJCw/PluginRes.dll
.dll windows:6 windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.rdata
Size: 512B - Virtual size: 376B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 628KB - Virtual size: 628KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Config/UpdateInfo.zip
.zip
Config/amd64/CBSHost.dll
.dll windows:6 windows x64

ab58d63cfd91a5abc472a97929f26301

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

kernel32

FindNextFileW
FindClose
LoadLibraryW
CreateProcessW
WaitForMultipleObjects
VirtualProtect
OpenProcess
GetCurrentProcessId
ExitProcess
CreateThread
OpenEventW
DuplicateHandle
ExpandEnvironmentStringsW
SetEnvironmentVariableW
GetEnvironmentVariableW
SetDllDirectoryW
GetLocalTime
CopyFileW
InitializeCriticalSectionEx
UnmapViewOfFile
MultiByteToWideChar
FindResourceExW
CreateHardLinkTransactedW
DeleteFileTransactedW
MoveFileExW
DeleteCriticalSection
CreateFileMappingW
MapViewOfFile
GetExitCodeProcess
AreFileApisANSI
RtlUnwindEx
VirtualQuery
InterlockedFlushSList
FindFirstFileW
GetTickCount64
QueryPerformanceCounter
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
FindResourceW
LoadResource
LockResource
SizeofResource
GlobalMemoryStatusEx
GetModuleFileNameW
CreateDirectoryW
GetCurrentThreadId
GetTickCount
GetCurrentProcess
LocalFree
GetProcessHeap
HeapSize
HeapDestroy
LoadLibraryExW
GetProcAddress
GetModuleHandleW
FreeLibrary
GetSystemDirectoryW
GetSystemTimeAsFileTime
GetSystemInfo
TerminateProcess
CreateEventW
WaitForSingleObject
SetEvent
InitOnceExecuteOnce
HeapFree
HeapReAlloc
HeapAlloc
SetLastError
GetLastError
RaiseException
CloseHandle
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
SleepConditionVariableSRW
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
LeaveCriticalSection
EnterCriticalSection
OutputDebugStringW
IsDebuggerPresent
DeleteFileW
VirtualAlloc
VirtualFree
WriteFile
ReadFile
InitializeSListHead
GetFileSize
CreateFileW
EncodePointer

user32

TranslateMessage
DispatchMessageW
PostThreadMessageW
GetMessageW

advapi32

OpenProcessToken
InitializeSid
RegSetValueExW
RegGetValueW
RegDeleteValueW
RegFlushKey
RegCreateKeyExW
RegLoadKeyW
RegEnumKeyW
RegQueryInfoKeyW
RegUnLoadKeyW
RegEnumValueW
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
GetSidLengthRequired
GetTokenInformation
InitializeSecurityDescriptor
MakeAbsoluteSD
GetSecurityDescriptorControl
GetSecurityDescriptorSacl
SetSecurityDescriptorDacl
GetSecurityDescriptorDacl
SetSecurityDescriptorGroup
GetSecurityDescriptorGroup
SetSecurityDescriptorOwner
GetSecurityDescriptorOwner
GetAclInformation
AddAce
InitializeAcl
IsValidSid
GetLengthSid
ConvertSidToStringSidW
CopySid
GetSidSubAuthority

shell32

SHGetSpecialFolderPathW
CommandLineToArgvW
ord680

ole32

CoInitializeEx
CoGetMalloc
CoCreateInstance
CoInitializeSecurity
CoTaskMemFree

msvcrt

swscanf
sscanf
_vscwprintf
__dllonexit
__CxxFrameHandler3
abort
__CppXcptFilter
?terminate@@YAXXZ
??8type_info@@QEBAHAEBV0@@Z
memset
vswprintf_s
memcpy
_errno
memmove
wcslen
wcsnlen
free
malloc
??2@YAPEAX_K@Z
memcmp
_wcsicmp
strlen
wcstoul
wcscpy
bsearch
wcsrchr
calloc
??0exception@@QEAA@AEBV0@@Z
?what@exception@@UEBAPEBDXZ
??1exception@@UEAA@XZ
wcscmp
_purecall
??_V@YAXPEAX@Z
??_U@YAPEAX_K@Z
??0exception@@QEAA@XZ
??0exception@@QEAA@AEBQEBD@Z
_CxxThrowException
_cexit
__C_specific_handler
_initterm
_initterm_e
_amsg_exit
__getmainargs
atexit
__DestructExceptionObject
_invalid_parameter
_lock
_unlock
??3@YAXPEAX@Z

shlwapi

PathSkipRootW
StrStrW
PathFindExtensionW
StrCmpW
StrCpyW
PathIsDirectoryEmptyW
PathFindFileNameW
StrCmpNW
StrChrW
StrStrIA
SHCreateStreamOnFileW
StrCatW
StrStrA
StrRChrW
StrCmpIW
StrCmpNIW

ntdll

NtQueryInformationProcess
NtOpenFile
NtCreateFile
RtlNtStatusToDosError
NtQueryInformationFile
RtlGetLastNtStatus
RtlAdjustPrivilege
NtClose
RtlImageNtHeader
NtWriteFile
NtDeleteKey
NtSetInformationFile
RtlFreeUnicodeString
ZwQueryDirectoryFile
RtlDosPathNameToNtPathName_U

cfgmgr32

CM_Locate_DevNodeW
CM_Reenumerate_DevNode

setupapi

SetupDiGetClassDescriptionW
SetupDiDestroyDeviceInfoList
SetupDiGetDevicePropertyW
SetupDiEnumDeviceInfo
SetupDiGetClassDevsW
SetupUninstallOEMInfW

version

VerQueryValueW

Exports

Exports

CbsCreateTempDirectory2
CreateCbsHostHelper
DismGetScratchDir
DismWriteLog
GetConfig
RunCbsHostW

Sections

.text
Size: 113KB - Virtual size: 113KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 45KB - Virtual size: 45KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 832B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Config/amd64/NCleaner.dll
.dll windows:6 windows x64

782d91e12c2a1d0eb23a7854f8ac9e2e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

kernel32

FreeLibrary
GetModuleHandleW
GetProcAddress
LoadLibraryExW
CreateEventExW
FindNextFileW
FindFirstFileW
FindClose
GetFileInformationByHandleEx
QueryPerformanceCounter
GetTickCount64
SetFileInformationByHandle
GetProcessHeap
GetCurrentProcess
InterlockedFlushSList
GetSystemDirectoryW
GetSystemTimeAsFileTime
TerminateProcess
InitOnceExecuteOnce
HeapFree
HeapAlloc
RtlUnwindEx
InitializeSListHead
GetCurrentThreadId
GetCurrentProcessId
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
SetLastError
GetLastError
RaiseException
EncodePointer
CloseHandle
CreateFileW

advapi32

RegEnumKeyW
RegDeleteTreeW
RegCloseKey
RegQueryValueExW
RegOpenKeyExW
RegCreateKeyExW

ole32

CLSIDFromString
IIDFromString
CoCreateInstance

msvcrt

memmove
wcslen
wcscpy_s
_wcsnicmp
_wcsicmp
??0exception@@QEAA@AEBQEBD@Z
_CxxThrowException
_cexit
__C_specific_handler
?what@exception@@UEBAPEBDXZ
_initterm_e
_errno
_amsg_exit
__getmainargs
towupper
atexit
abort
__DestructExceptionObject
free
_invalid_parameter
malloc
_lock
_unlock
__dllonexit
__CxxFrameHandler3
?terminate@@YAXXZ
??3@YAXPEAX@Z
__CppXcptFilter
??8type_info@@QEBAHAEBV0@@Z
??0exception@@QEAA@AEBV0@@Z
memset
memcpy
wcscat_s
??2@YAPEAX_K@Z
??1exception@@UEAA@XZ
_swprintf_c
_vscwprintf
_vsnwprintf_s
_initterm

dism++x64.exe

DismGetAllUsersAppx
DismRegOpenKeyEx
DismWriteLog
DismGetSystemInfoBySession
DismRemoveAppx
DismFreeMemory

shlwapi

PathFileExistsW
PathFindExtensionW
PathFindFileNameW

Exports

Exports

NCCorruptedAppXOnlineCleanup
NCDOCacheOnlineCleanup
NCInstallerFolderCleanup
NCPackageCacheFolderCleanup
NCSRPointOnlineCleanup
NCVSPackageCacheCleanup
NCWinEventLogOnlineCleanup

Sections

.text
Size: 35KB - Virtual size: 35KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 984B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 144B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Config/amd64/bcdboot.exe
.exe windows:10 windows x64

9517567887d29e8a932036effb134d66

Code Sign

33:00:00:00:8b:4c:06:71:0c:20:2c:df:3b:00:00:00:00:00:8b
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

07/10/2015, 18:14

Not After

07/01/2017, 18:14

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:728D-C45F-F9EB,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04/06/2015, 17:42

Not After

04/09/2016, 17:42

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31/08/2010, 22:19

Not After

31/08/2020, 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:7b:a2:81:0b:87:11:ab:e7:fc:00:00:00:00:00:7b
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

01/10/2014, 18:06

Not After

01/01/2016, 18:06

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

fb:a7:99:34:e2:e1:f6:2f:53:40:4e:6f:d9:5c:a8:e7:23:08:b8:a5:d5:b7:8d:18:4f:36:e7:4a:46:bd:d6:e8
Signer

Actual PE Digest

fb:a7:99:34:e2:e1:f6:2f:53:40:4e:6f:d9:5c:a8:e7:23:08:b8:a5:d5:b7:8d:18:4f:36:e7:4a:46:bd:d6:e8

Digest Algorithm

sha256

PE Digest Matches

true

f7:c9:86:65:dc:20:24:34:7e:41:c8:9d:60:ae:91:2c:38:1c:d2:47
Signer

Actual PE Digest

f7:c9:86:65:dc:20:24:34:7e:41:c8:9d:60:ae:91:2c:38:1c:d2:47

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

GetFileType
GetProcAddress
GetStdHandle
GetConsoleOutputCP
GetModuleFileNameW
WriteConsoleW
FormatMessageW
GetConsoleMode
LoadLibraryW
WideCharToMultiByte
WriteFile
GetProcessHeap
HeapFree
HeapAlloc
FreeLibrary
SetLastError
Sleep
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetModuleHandleW
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
LoadLibraryExW
GetVolumePathNameW
QueryDosDeviceW
LocalFree
MapViewOfFile
UnmapViewOfFile
GetCurrentThread
CreateFileW
GetFileSizeEx
CreateFileMappingW
CloseHandle
GetVolumeNameForVolumeMountPointW
FindFirstFileW
MoveFileExW
GetFileAttributesW
GetUserDefaultUILanguage
GetVersionExW
LoadResource
FindResourceExW
GetSystemDefaultUILanguage
SearchPathW
CreateDirectoryW
GetFileInformationByHandle
DeviceIoControl
CopyFileExW
GetFullPathNameW
GetLocaleInfoW
GetVolumeInformationW
SetFileAttributesW
GetPrivateProfileSectionW
FindNextFileW
FindClose
GetLastError

msvcrt

wcstoul
wcscat_s
_ultow_s
wcsncpy_s
wcsstr
_wcslwr
memset
_snwscanf_s
strncmp
wcsncmp
bsearch
__iob_func
memcmp
memcpy
wcschr
_vsnwprintf_s
fflush
fwprintf
_vsnwprintf
wcsnlen
wcsrchr
memmove
_wcsupr
?terminate@@YAXXZ
_commode
_fmode
__C_specific_handler
_initterm
__setusermatherr
_cexit
_exit
exit
__set_app_type
__wgetmainargs
_amsg_exit
_XcptFilter
wcscpy_s
_wsetlocale
_wcsicmp
swprintf_s
_wcsnicmp

rpcrt4

UuidCreate

imagehlp

CheckSumMappedFile

shlwapi

PathRemoveBackslashW

ntdll

NtEnumerateBootEntries
NtOpenDirectoryObject
NtQueryDirectoryObject
NtTranslateFilePath
NtResetEvent
NtQueryValueKey
NtQuerySymbolicLinkObject
NtOpenSymbolicLinkObject
NtOpenKey
ZwResetEvent
ZwDeviceIoControlFile
ZwOpenSymbolicLinkObject
ZwQuerySymbolicLinkObject
ZwCreateEvent
NtAdjustPrivilegesToken
NtOpenThreadTokenEx
RtlImpersonateSelf
NtOpenProcessTokenEx
LdrGetDllHandle
LdrGetProcedureAddress
RtlInitAnsiString
ZwAllocateUuids
RtlSetOwnerSecurityDescriptor
ZwOpenKey
ZwQueryKey
RtlCreateSecurityDescriptor
RtlLengthSid
ZwEnumerateKey
ZwDeleteKey
RtlAllocateAndInitializeSid
ZwLoadKey
RtlAddAccessAllowedAceEx
ZwSetSecurityObject
RtlLengthSecurityDescriptor
ZwQueryValueKey
ZwCreateFile
ZwSaveKey
ZwSetValueKey
ZwDeleteValueKey
RtlSetDaclSecurityDescriptor
RtlFreeSid
RtlCreateAcl
ZwCreateKey
ZwUnloadKey
RtlAppendUnicodeToString
ZwQueryAttributesFile
ZwOpenFile
ZwClose
ZwWaitForSingleObject
ZwReleaseMutant
ZwOpenMutant
ZwQuerySystemInformation
NtSetInformationFile
RtlAllocateHeap
RtlFreeHeap
LdrFindResource_U
LdrAccessResource
NtQuerySystemInformation
NtOpenFile
RtlImageNtHeader
NtOpenProcess
NtCreateEvent
NtClose
NtSetInformationThread
NtWaitForSingleObject
NtQueryInformationProcess
NtQueryInformationFile
NtQueryInformationThread
NtDeviceIoControlFile
RtlCompareMemory
RtlNtStatusToDosError
RtlFreeUnicodeString
RtlStringFromGUID
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
RtlGUIDFromString
RtlInitUnicodeString
NtQueryBootEntryOrder

advapi32

OpenThreadToken
GetTokenInformation
GetSecurityDescriptorControl
SetNamedSecurityInfoW
LookupPrivilegeValueW
GetSecurityDescriptorOwner
ConvertStringSecurityDescriptorToSecurityDescriptorW
GetSecurityDescriptorSacl
AdjustTokenPrivileges
ConvertSidToStringSidW
GetSecurityDescriptorGroup
GetSecurityDescriptorDacl
RegCloseKey
RegOpenKeyExW
RegQueryValueExW
OpenProcessToken

Sections

.text
Size: 100KB - Virtual size: 99KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 59KB - Virtual size: 59KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Config/amd64/wimgapi.dll
.dll windows:10 windows x64

99cad9eebdfce9908b60d30f37ed90ef

Code Sign

33:00:00:02:39:b2:b4:e8:2a:22:34:49:2f:00:00:00:00:02:39
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

12/07/2018, 20:07

Not After

08/08/2019, 20:07

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

01:aa:65:13:0d:4d:71:ab:db:65:0c:57:cb:42:4c:94:11:33:f9:41:42:10:f4:25:a4:15:97:9d:3d:00:34:dc
Signer

Actual PE Digest

01:aa:65:13:0d:4d:71:ab:db:65:0c:57:cb:42:4c:94:11:33:f9:41:42:10:f4:25:a4:15:97:9d:3d:00:34:dc

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_DLL

Imports

msvcrt

_wcsnicmp
wcsnlen
wcsstr
_vsnwprintf
_wtoi
swscanf_s
wcsrchr
_wcstoi64
_wcsicmp
strcpy_s
wcsncmp
memmove
_onexit
__dllonexit
_unlock
_lock
strncpy_s
_initterm
malloc
free
_amsg_exit
memcpy_s
_wcsupr
memcpy
memcmp
_callnewh
bsearch
_purecall
iswspace
memmove_s
_vscwprintf
_strnicmp
towupper
towlower
_wcslwr
_wcsrev
qsort
wcschr
_XcptFilter
wcstok_s
__C_specific_handler
wcstoul
memset

kernel32

MultiByteToWideChar
DosDateTimeToFileTime
CreateSemaphoreExW
SetFileTime
GetLastError
GetHandleInformation
SetLastError
SetFilePointerEx
CloseHandle
SetEndOfFile
CompareStringW
HeapFree
GetProcessHeap
DeleteFileW
CreateFileW
GetFileInformationByHandle
LocalAlloc
HeapAlloc
GetSystemDirectoryW
LocalFree
GetModuleHandleW
GetDriveTypeW
RemoveDirectoryW
GetVolumePathNameW
GetVolumeNameForVolumeMountPointW
GetCurrentDirectoryW
DeviceIoControl
WriteFile
GetFileAttributesW
FindFirstFileW
FindNextFileW
FindClose
GetTempPathW
GetTempFileNameW
GetFileSize
SetFilePointer
ReadFile
DeleteCriticalSection
GetSystemInfo
InitializeCriticalSection
SetThreadIdealProcessor
GetCurrentThread
GetFileSizeEx
GetEnvironmentVariableW
GetOverlappedResult
EnterCriticalSection
LeaveCriticalSection
FlushFileBuffers
CreateDirectoryW
CreateEventW
LockFileEx
UnlockFileEx
HeapReAlloc
WaitForSingleObject
ExpandEnvironmentStringsW
CreateMutexW
GetModuleHandleExW
GetModuleFileNameW
FormatMessageW
ReleaseMutex
WideCharToMultiByte
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
OpenProcess
InitializeCriticalSectionAndSpinCount
GetCurrentProcessId
GetVolumeInformationByHandleW
SetFileAttributesW
GlobalMemoryStatusEx
GetFinalPathNameByHandleW
LoadLibraryExW
FreeLibrary
GetProcAddress
GetFullPathNameW
GetExitCodeProcess
DuplicateHandle
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
QueryPerformanceCounter
Sleep
OpenEventW
GetPrivateProfileSectionW
WaitForMultipleObjects
ReleaseSemaphore
SetEvent
CreateSemaphoreW
CreateThread
DisableThreadLibraryCalls
LoadLibraryW
GetVolumePathNamesForVolumeNameW
LocalFileTimeToFileTime
CopyFileExW
CreateProcessW
GetLogicalDriveStringsW
GetVolumeInformationW
WaitForMultipleObjectsEx
ResetEvent
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile

bcrypt

BCryptFinishHash
BCryptHashData
BCryptCreateHash
BCryptGetProperty
BCryptDestroyHash
BCryptCloseAlgorithmProvider
BCryptOpenAlgorithmProvider

fltlib

FilterAttach
FilterLoad

cabinet

ord22
ord20
ord23

advapi32

RegUnLoadKeyW
RegQueryValueExW
RegEnumKeyExW
RegEnumValueW
RegQueryInfoKeyW
CloseEncryptedFileRaw
AdjustTokenPrivileges
ReadEncryptedFileRaw
OpenEncryptedFileRawW
AddAccessAllowedAceEx
RevertToSelf
GetSecurityInfo
FreeSid
SetSecurityDescriptorDacl
EqualSid
AddAccessAllowedAce
InitializeAcl
GetLengthSid
GetTokenInformation
OpenProcessToken
OpenThreadToken
AllocateAndInitializeSid
InitializeSecurityDescriptor
GetAclInformation
GetSecurityDescriptorLength
RegDeleteKeyExW
GetSecurityDescriptorControl
GetSecurityDescriptorSacl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorOwner
SetThreadToken
RegFlushKey
RegSetValueExW
RegDeleteValueW
RegCreateKeyExW
RegLoadKeyW
RegCloseKey
RegOpenKeyExW
WriteEncryptedFileRaw

version

GetFileVersionInfoSizeExW
VerQueryValueW
GetFileVersionInfoExW

user32

CharUpperW

ntdll

RtlAcquireResourceShared
RtlReleaseResource
RtlDeleteResource
RtlDosPathNameToNtPathName_U_WithStatus
RtlGetVersion
RtlInitializeCriticalSection
RtlDeleteCriticalSection
RtlAcquireResourceExclusive
RtlRaiseStatus
NtYieldExecution
DbgPrintEx
RtlReAllocateHeap
RtlDowncaseUnicodeChar
NtSetEaFile
NtQuerySecurityObject
RtlInitUnicodeString
RtlImpersonateSelf
NtQueryVolumeInformationFile
NtCreateFile
NtQueryEaFile
NtQueryInformationProcess
NtQueryInformationFile
NtSetSecurityObject
RtlFindAceByType
RtlSetControlSecurityDescriptor
RtlGetLastNtStatus
NtSetInformationFile
RtlSetIoCompletionCallback
RtlFreeHeap
NtClose
NtQueryDirectoryFile
RtlAllocateHeap
NtOpenFile
RtlDosPathNameToNtPathName_U
RtlAdjustPrivilege
RtlNtStatusToDosError
RtlInitializeResource

rpcrt4

I_RpcMapWin32Status
UuidToStringW
RpcStringFreeW
UuidFromStringW
NdrClientCall3
RpcStringBindingComposeW
RpcBindingFromStringBindingW
RpcBindingSetAuthInfoW
RpcBindingFree
UuidCreate

Exports

Exports

DllCanUnloadNow
DllMain
WIMAddImagePath
WIMAddImagePaths
WIMAddWimbootEntry
WIMApplyImage
WIMCaptureImage
WIMCloseHandle
WIMCommitImageHandle
WIMCopyFile
WIMCreateFile
WIMCreateImageFile
WIMCreateWofCompressedFile
WIMDeleteImage
WIMDeleteImageMounts
WIMEnumImageFiles
WIMExportImage
WIMExtractImageDirectory
WIMExtractImagePath
WIMFindFirstImageFile
WIMFindNextImageFile
WIMGetAttributes
WIMGetImageCount
WIMGetImageInformation
WIMGetMessageCallbackCount
WIMGetMountedImageHandle
WIMGetMountedImageInfo
WIMGetMountedImageInfoFromHandle
WIMGetMountedImages
WIMGetWIMBootEntries
WIMGetWIMBootWIMPath
WIMInitFileIOCallbacks
WIMInitializeWofDriver
WIMIsCurrentSystemWimboot
WIMIsReferenceWim
WIMLoadImage
WIMMountImage
WIMMountImageHandle
WIMProcessCustomImage
WIMReadFileEx
WIMReadImageFile
WIMRedirectFolderBeforeApply
WIMRegisterLogFile
WIMRegisterMessageCallback
WIMRemountImage
WIMSetBootImage
WIMSetFileIOCallbackTemporaryPath
WIMSetImageInformation
WIMSetImageUserSpecifiedCreationTime
WIMSetReferenceFile
WIMSetTemporaryPath
WIMSetWimGuid
WIMSingleInstanceFile
WIMSplitFile
WIMUnmountImage
WIMUnmountImageHandle
WIMUnregisterLogFile
WIMUnregisterMessageCallback
WIMUpdateWIMBootEntry
WIMWriteFileWithIntegrity

Sections

.text
Size: 591KB - Virtual size: 591KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 120KB - Virtual size: 120KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Config/amd64/wofadk.sys
.sys windows:10 windows x64

aeb3dedf4ffda3ee8d592f156ef96a17

Code Sign

33:00:00:00:9b:e0:74:37:cb:3d:4d:8d:2e:00:00:00:00:00:9b
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

30/03/2016, 19:21

Not After

30/06/2017, 19:21

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:728D-C45F-F9EB,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04/06/2015, 17:42

Not After

04/09/2016, 17:42

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31/08/2010, 22:19

Not After

31/08/2020, 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:ef:d8:87:2e:35:a3:82:8a:2f:00:00:00:00:00:ef
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

28/10/2015, 20:31

Not After

28/01/2017, 20:31

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

c0:aa:06:12:86:1e:cf:f1:fe:46:c5:13:3c:7f:27:b8:d2:3c:30:23:b4:2a:d1:35:17:93:5f:1c:01:e2:3f:0c
Signer

Actual PE Digest

c0:aa:06:12:86:1e:cf:f1:fe:46:c5:13:3c:7f:27:b8:d2:3c:30:23:b4:2a:d1:35:17:93:5f:1c:01:e2:3f:0c

Digest Algorithm

sha256

PE Digest Matches

true

44:af:b2:cb:8e:4b:64:da:fb:a3:36:4c:1e:ba:91:55:7b:c9:e9:0e
Signer

Actual PE Digest

44:af:b2:cb:8e:4b:64:da:fb:a3:36:4c:1e:ba:91:55:7b:c9:e9:0e

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

ZwClose
SeLockSubjectContext
ZwQueryValueKey
SeUnlockSubjectContext
SeReleaseSubjectContext
RtlEnumerateGenericTableAvl
ExAcquireRundownProtection
RtlLookupElementGenericTableAvl
RtlFreeUnicodeString
SeTokenIsAdmin
RtlDeleteElementGenericTableAvl
RtlAppendUnicodeStringToString
KeDelayExecutionThread
ExRundownCompleted
EtwRegister
MmGetSystemRoutineAddress
ObDereferenceObjectDeferDelete
PsGetProcessImageFileName
EtwUnregister
EtwWriteTransfer
IoGetCurrentProcess
ProbeForRead
FsRtlValidateReparsePointBuffer
TmCurrentTransaction
RtlCompareMemory
RtlInitUnicodeString
RtlEqualUnicodeString
MmMapLockedPagesSpecifyCache
KeQueryPriorityThread
MmMapViewOfSection
ExDeleteLookasideListEx
ZwDeviceIoControlFile
EtwEventEnabled
RtlCheckRegistryKey
ZwCreateSection
ZwQueryInformationThread
RtlSetBit
ExQueueWorkItem
RtlAreBitsSet
ZwOpenKey
IoBuildDeviceIoControlRequest
IoGetDeviceObjectPointer
RtlRunOnceExecuteOnce
KeStackAttachProcess
KeSetEvent
KdRefreshDebuggerNotPresent
ZwSetInformationThread
ObReferenceObjectByHandle
swprintf_s
MmUnmapViewOfSection
RtlFindNextForwardRunClear
EtwWrite
IofCallDriver
RtlInitializeBitMap
ZwOpenFile
ExInitializeLookasideListEx
RtlTestBit
KeWaitForSingleObject
KeSetPriorityThread
KeUnstackDetachProcess
_i64tow_s
RtlClearAllBits
IoAllocateWorkItem
RtlAppendUnicodeToString
_wcsicmp
RtlCreateSystemVolumeInformationFolder
IoQueueWorkItemEx
IoFreeWorkItem
KeAllocateCalloutStackEx
IoGetRelatedDeviceObject
ExDeleteNPagedLookasideList
KeFreeCalloutStack
ExInitializeNPagedLookasideList
KeInitializeMutex
KeReleaseMutex
KeAreAllApcsDisabled
KeInitializeDpc
KeInitializeTimerEx
RtlQueryRegistryValues
KeCancelTimer
KeFlushQueuedDpcs
KeSetCoalescableTimer
KeQueryActiveProcessorCountEx
SeCaptureSubjectContext
RtlInitializeGenericTableAvl
ExInitializePagedLookasideList
RtlGetVersion
IoWMIRegistrationControl
MmIsThisAnNtAsSystem
KeBugCheckEx
PsInitialSystemProcess
ProbeForWrite
ExReleaseRundownProtection
ExAcquireFastMutex
ObfReferenceObject
ExQueryDepthSList
ExpInterlockedPushEntrySList
ExReleaseFastMutex
ExpInterlockedPopEntrySList
RtlCompareUnicodeString
ExInitializeRundownProtection
KeLeaveCriticalRegion
ExReleaseFastMutexUnsafe
KeExpandKernelStackAndCalloutEx
KeInitializeEvent
ExFreePoolWithTag
ExAllocatePoolWithTag
ExDeletePagedLookasideList
RtlCopyUnicodeString
ExReInitializeRundownProtection
ExWaitForRundownProtectionRelease
ObfDereferenceObject
KeEnterCriticalRegion
ExAcquireFastMutexUnsafe
_vsnwprintf
ZwQuerySystemInformation
ZwQuerySymbolicLinkObject
ZwOpenSymbolicLinkObject
wcscpy_s
wcschr
_wcsnicmp
wcsrchr
__C_specific_handler
__chkstk

fltmgr.sys

FltParseFileNameInformation
FltFreeGenericWorkItem
FltQueueGenericWorkItem
FltIsOperationSynchronous
FltSetIoPriorityHintIntoCallbackData
FltPerformAsynchronousIo
FltAllocateGenericWorkItem
FltInitializePushLock
FltDeletePushLock
FltFlushBuffers
FltAllocateDeferredIoWorkItem
FltQueueDeferredIoWorkItem
FltFreePoolAlignedWithTag
FltDeviceIoControlFile
FltReadFile
FltOpenVolume
FltFreeDeferredIoWorkItem
FltAllocatePoolAlignedWithTag
FltAcquirePushLockShared
FltIsIoCanceled
FltCompletePendedPreOperation
FltAcquirePushLockExclusive
FltGetIoPriorityHintFromCallbackData
FltReleasePushLock
FltInitExtraCreateParameterLookasideList
FltStartFiltering
FltGetRoutineAddress
FltRegisterFilter
FltGetVolumeFromFileObject
FltCreateFileEx
FltWriteFile
FltQueryInformationFile
FltUntagFile
FltGetFileNameInformationUnsafe
FltEnumerateInstances
FltAttachVolume
FltGetFilterFromName
FltTagFile
FltIsDirectory
FltSetInformationFile
FltObjectDereference
FltPerformSynchronousIo
FltLockUserBuffer
FltAllocateCallbackDataEx
FltFreeCallbackData
FltAllocateExtraCreateParameterList
FltInsertExtraCreateParameter
FltCancelFileOpen
FltDeleteStreamContext
FltReissueSynchronousIo
FltReleaseFileNameInformation
FltFsControlFile
FltGetEcpListFromCallbackData
FltGetFileNameInformation
FltEnlistInTransaction
FltSetEcpListIntoCallbackData
FltFindExtraCreateParameter
FltAllocateExtraCreateParameterFromLookasideList
FltSetCallbackDataDirty
FltSetStreamContext
FltSetTransactionContext
FltReferenceContext
FltGetTransactionContext
FltGetInstanceContext
FltUnregisterFilter
FltAllocateContext
FltGetVolumeProperties
FltQueryDirectoryFile
FltGetVolumeGuidName
FltReleaseContext
FltDeleteExtraCreateParameterLookasideList
FltGetStreamHandleContext
FltGetStreamContext
FltSetInstanceContext
FltClose
FltGetDiskDeviceObject
FltDeleteInstanceContext
FltSetFileContext
FltSetStreamHandleContext
FltQueryVolumeInformationFile

cng.sys

BCryptGetProperty
BCryptCreateHash
BCryptHashData
BCryptDestroyHash
BCryptCloseAlgorithmProvider
BCryptFinishHash
BCryptOpenAlgorithmProvider

Sections

.text
Size: 73KB - Virtual size: 73KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 13KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 93KB - Virtual size: 93KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 1024B - Virtual size: 832B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

GFIDS
Size: 512B - Virtual size: 504B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 144B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Config/arm64/CBSHost.dll
Config/arm64/NCleaner.dll
Config/default.ui.zip
.zip
Config/x86/CBSHost.dll
.dll windows:6 windows x86

020376ce054cd7e5a50717110995303d

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

DeleteFileW
FindNextFileW
FindClose
LoadLibraryW
CreateProcessW
WaitForMultipleObjects
VirtualProtect
ExitProcess
OpenProcess
GetCurrentProcessId
CreateThread
OpenEventW
DuplicateHandle
ExpandEnvironmentStringsW
SetEnvironmentVariableW
GetEnvironmentVariableW
SetDllDirectoryW
GetLocalTime
CopyFileW
InitializeCriticalSectionEx
FindResourceW
MultiByteToWideChar
CreateHardLinkTransactedW
DeleteFileTransactedW
MoveFileExW
DeleteCriticalSection
CreateFileMappingW
MapViewOfFile
GetExitCodeProcess
AreFileApisANSI
VirtualFree
InitializeSListHead
GetTickCount64
QueryPerformanceCounter
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
SleepConditionVariableSRW
LoadResource
LockResource
SizeofResource
GlobalMemoryStatusEx
GetModuleFileNameW
CreateDirectoryW
GetCurrentThreadId
GetTickCount
GetCurrentProcess
LocalFree
GetProcessHeap
HeapSize
HeapDestroy
LoadLibraryExW
GetProcAddress
GetModuleHandleW
FreeLibrary
IsWow64Process
GetSystemDirectoryW
GetSystemTimeAsFileTime
GetSystemInfo
TerminateProcess
CreateEventW
WaitForSingleObject
SetEvent
InitOnceExecuteOnce
HeapFree
HeapReAlloc
HeapAlloc
SetLastError
GetLastError
RaiseException
CloseHandle
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
LeaveCriticalSection
EnterCriticalSection
OutputDebugStringW
IsDebuggerPresent
FindFirstFileW
WriteFile
VirtualAlloc
ReadFile
GetFileSize
InterlockedFlushSList
FindResourceExW
UnmapViewOfFile
CreateFileW
VirtualQuery

user32

PostThreadMessageW
TranslateMessage
GetMessageW
DispatchMessageW

advapi32

OpenProcessToken
InitializeSid
RegGetValueW
RegDeleteValueW
RegFlushKey
RegLoadKeyW
RegSetValueExW
RegCreateKeyExW
RegEnumKeyW
RegQueryInfoKeyW
RegUnLoadKeyW
RegEnumValueW
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
GetSidLengthRequired
GetTokenInformation
InitializeSecurityDescriptor
MakeAbsoluteSD
GetSecurityDescriptorControl
GetSecurityDescriptorSacl
SetSecurityDescriptorDacl
GetSecurityDescriptorDacl
SetSecurityDescriptorGroup
GetSecurityDescriptorGroup
SetSecurityDescriptorOwner
GetSecurityDescriptorOwner
GetAclInformation
AddAce
InitializeAcl
IsValidSid
GetLengthSid
ConvertSidToStringSidW
CopySid
GetSidSubAuthority

shell32

ord680
SHGetSpecialFolderPathW
CommandLineToArgvW

ole32

CoCreateInstance
CoTaskMemFree
CoInitializeSecurity
CoGetMalloc
CoInitializeEx

msvcrt

_vscwprintf
sscanf
swscanf
_unlock
_lock
__dllonexit
__CxxFrameHandler3
vswprintf_s
?terminate@@YAXXZ
__CppXcptFilter
memset
??3@YAXPAX@Z
memcpy
_errno
memmove
wcslen
wcsnlen
free
malloc
??2@YAPAXI@Z
memcmp
_wcsicmp
strlen
wcstoul
wcscpy
bsearch
wcsrchr
calloc
??0exception@@QAE@ABV0@@Z
?what@exception@@UBEPBDXZ
??1exception@@UAE@XZ
wcscmp
_purecall
??_V@YAXPAX@Z
??_U@YAPAXI@Z
??0exception@@QAE@XZ
??0exception@@QAE@ABQBD@Z
_CxxThrowException
_cexit
_initterm
_initterm_e
_except_handler4_common
__getmainargs
atexit
__DestructExceptionObject
_invalid_parameter

shlwapi

StrChrW
StrCatW
SHCreateStreamOnFileW
PathSkipRootW
StrCpyW
StrCmpNW
StrCmpW
StrStrIA
StrStrA
StrRChrW
StrCmpNIW
StrStrW
PathFindExtensionW
StrStrIW
ord437
PathFindFileNameW
StrCmpIW
PathIsDirectoryEmptyW

ntdll

NtSetInformationFile
NtQueryInformationProcess
NtWriteFile
NtDeleteKey
NtOpenFile
NtCreateFile
RtlNtStatusToDosError
NtQueryInformationFile
RtlGetLastNtStatus
RtlAdjustPrivilege
NtClose
RtlImageNtHeader
ZwQueryDirectoryFile
RtlFreeUnicodeString
RtlDosPathNameToNtPathName_U

cfgmgr32

CM_Locate_DevNodeW
CM_Reenumerate_DevNode

setupapi

SetupDiGetClassDescriptionW
SetupDiDestroyDeviceInfoList
SetupUninstallOEMInfW
SetupDiGetClassDevsW
SetupDiEnumDeviceInfo
SetupDiGetDevicePropertyW

version

VerQueryValueW

Exports

Exports

CbsCreateTempDirectory2
CreateCbsHostHelper
DismGetScratchDir
DismWriteLog
GetConfig
RunCbsHostW

Sections

.text
Size: 73KB - Virtual size: 72KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 37KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 832B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Config/x86/NCleaner.dll
.dll windows:6 windows x86

0173fad127ecef034148254d5317bc14

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

FreeLibrary
GetModuleHandleW
GetProcAddress
LoadLibraryExW
CreateEventExW
FindNextFileW
FindFirstFileW
FindClose
GetFileInformationByHandleEx
QueryPerformanceCounter
GetTickCount64
SetFileInformationByHandle
GetProcessHeap
GetCurrentProcess
InitializeSListHead
GetSystemDirectoryW
GetSystemTimeAsFileTime
TerminateProcess
InitOnceExecuteOnce
HeapFree
HeapAlloc
GetCurrentThreadId
GetCurrentProcessId
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
SetLastError
GetLastError
CloseHandle
InterlockedFlushSList
CreateFileW

advapi32

RegEnumKeyW
RegDeleteTreeW
RegCloseKey
RegQueryValueExW
RegOpenKeyExW
RegCreateKeyExW

ole32

CLSIDFromString
IIDFromString
CoCreateInstance

msvcrt

?what@exception@@UBEPBDXZ
??1exception@@UAE@XZ
??2@YAPAXI@Z
wcscat_s
towupper
memcpy
memmove
wcslen
wcscpy_s
_wcsnicmp
__CxxFrameHandler3
??0exception@@QAE@ABQBD@Z
_CxxThrowException
_cexit
_initterm
_initterm_e
memset
_except_handler4_common
__getmainargs
atexit
__DestructExceptionObject
free
_invalid_parameter
malloc
_lock
_unlock
__dllonexit
?terminate@@YAXXZ
??3@YAXPAX@Z
__CppXcptFilter
??0exception@@QAE@ABV0@@Z
_swprintf_c
_vscwprintf
_vsnwprintf_s
_wcsicmp

dism++x86.exe

DismGetAllUsersAppx
DismRegOpenKeyEx
DismWriteLog
DismGetSystemInfoBySession
DismRemoveAppx
DismFreeMemory

shlwapi

PathFindFileNameW
PathFindExtensionW
PathFileExistsW

Exports

Exports

NCCorruptedAppXOnlineCleanup
NCDOCacheOnlineCleanup
NCInstallerFolderCleanup
NCPackageCacheFolderCleanup
NCSRPointOnlineCleanup
NCVSPackageCacheCleanup
NCWinEventLogOnlineCleanup

Sections

.text
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 984B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Config/x86/bcdboot.exe
.exe windows:10 windows x86

a6faca78f3a0e9fb9cf5b9d15ded6a9a

Code Sign

33:00:00:00:8e:a8:19:d7:3f:36:8b:7a:40:00:00:00:00:00:8e
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

07/10/2015, 18:14

Not After

07/01/2017, 18:14

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:C0F4-3086-DEF8,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04/06/2015, 17:42

Not After

04/09/2016, 17:42

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31/08/2010, 22:19

Not After

31/08/2020, 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:7b:a2:81:0b:87:11:ab:e7:fc:00:00:00:00:00:7b
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

01/10/2014, 18:06

Not After

01/01/2016, 18:06

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

82:c7:68:5a:cc:9c:de:a4:99:b8:a2:94:da:83:9b:50:ec:98:75:7c:82:61:9b:e3:72:85:76:82:7e:1c:14:37
Signer

Actual PE Digest

82:c7:68:5a:cc:9c:de:a4:99:b8:a2:94:da:83:9b:50:ec:98:75:7c:82:61:9b:e3:72:85:76:82:7e:1c:14:37

Digest Algorithm

sha256

PE Digest Matches

true

eb:52:20:5d:e1:0c:7a:b3:dc:00:32:58:87:34:b3:3f:52:6d:39:b4
Signer

Actual PE Digest

eb:52:20:5d:e1:0c:7a:b3:dc:00:32:58:87:34:b3:3f:52:6d:39:b4

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

Sleep
UnhandledExceptionFilter
GetFileType
GetProcAddress
GetStdHandle
GetConsoleOutputCP
GetModuleFileNameW
WriteConsoleW
FormatMessageW
GetConsoleMode
LoadLibraryW
WideCharToMultiByte
WriteFile
GetProcessHeap
HeapFree
HeapAlloc
FreeLibrary
SetLastError
GetLastError
GetCurrentProcess
TerminateProcess
GetModuleHandleA
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
LoadLibraryExW
GetVolumePathNameW
QueryDosDeviceW
LocalFree
MapViewOfFile
UnmapViewOfFile
GetCurrentThread
CreateFileW
GetFileSizeEx
CreateFileMappingW
CloseHandle
GetVolumeNameForVolumeMountPointW
FindFirstFileW
MoveFileExW
GetFileAttributesW
FindClose
GetUserDefaultUILanguage
GetVersionExW
LoadResource
FindResourceExW
GetSystemDefaultUILanguage
SearchPathW
CreateDirectoryW
GetFileInformationByHandle
DeviceIoControl
GetModuleHandleW
CopyFileExW
GetFullPathNameW
GetLocaleInfoW
GetVolumeInformationW
SetFileAttributesW
GetPrivateProfileSectionW
FindNextFileW
SetUnhandledExceptionFilter

msvcrt

wcstoul
wcscat_s
_ultow_s
wcsncpy_s
wcsstr
memset
_wcslwr
_snwscanf_s
strncmp
wcsncmp
bsearch
__iob_func
memcmp
memcpy
wcschr
_vsnwprintf_s
fflush
fwprintf
_vsnwprintf
wcsnlen
wcsrchr
memmove
_wcsupr
_except_handler4_common
_controlfp
?terminate@@YAXXZ
_initterm
__setusermatherr
__p__fmode
_cexit
_exit
exit
__set_app_type
__wgetmainargs
_amsg_exit
__p__commode
_XcptFilter
wcscpy_s
_wsetlocale
_wcsicmp
swprintf_s
_wcsnicmp

rpcrt4

UuidCreate

imagehlp

CheckSumMappedFile

shlwapi

PathRemoveBackslashW

ntdll

NtEnumerateBootEntries
NtOpenDirectoryObject
NtQueryDirectoryObject
NtQueryBootEntryOrder
NtResetEvent
NtQueryValueKey
NtQuerySymbolicLinkObject
NtOpenSymbolicLinkObject
NtOpenKey
ZwResetEvent
ZwDeviceIoControlFile
ZwOpenSymbolicLinkObject
RtlGetVersion
ZwQuerySymbolicLinkObject
ZwCreateEvent
NtAdjustPrivilegesToken
NtOpenThreadTokenEx
RtlImpersonateSelf
NtOpenProcessTokenEx
LdrGetDllHandle
LdrGetProcedureAddress
RtlInitAnsiString
ZwAllocateUuids
RtlSetOwnerSecurityDescriptor
ZwOpenKey
ZwQueryKey
RtlCreateSecurityDescriptor
RtlLengthSid
ZwEnumerateKey
ZwDeleteKey
RtlAllocateAndInitializeSid
ZwLoadKey
RtlAddAccessAllowedAceEx
ZwSetSecurityObject
RtlLengthSecurityDescriptor
ZwQueryValueKey
ZwCreateFile
ZwSaveKey
ZwSetValueKey
ZwDeleteValueKey
RtlSetDaclSecurityDescriptor
RtlFreeSid
RtlCreateAcl
ZwCreateKey
ZwUnloadKey
RtlAppendUnicodeToString
ZwQueryAttributesFile
ZwOpenFile
ZwClose
ZwWaitForSingleObject
ZwReleaseMutant
ZwOpenMutant
ZwQuerySystemInformation
NtSetInformationFile
RtlAllocateHeap
RtlFreeHeap
LdrFindResource_U
LdrAccessResource
NtQuerySystemInformation
NtOpenFile
RtlImageNtHeader
NtOpenProcess
NtCreateEvent
NtClose
NtSetInformationThread
NtWaitForSingleObject
NtQueryInformationProcess
NtQueryInformationFile
NtQueryInformationThread
NtDeviceIoControlFile
RtlCompareMemory
RtlNtStatusToDosError
RtlFreeUnicodeString
RtlStringFromGUID
RtlGUIDFromString
RtlInitUnicodeString
NtTranslateFilePath

advapi32

OpenThreadToken
GetTokenInformation
GetSecurityDescriptorControl
SetNamedSecurityInfoW
LookupPrivilegeValueW
GetSecurityDescriptorOwner
ConvertStringSecurityDescriptorToSecurityDescriptorW
GetSecurityDescriptorSacl
AdjustTokenPrivileges
ConvertSidToStringSidW
GetSecurityDescriptorGroup
GetSecurityDescriptorDacl
RegCloseKey
RegOpenKeyExW
OpenProcessToken
RegQueryValueExW

Sections

.text
Size: 122KB - Virtual size: 122KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Config/x86/wimgapi.dll
.dll windows:10 windows x86

d913ef7993bd90aa4eb5f9bb86c868e8

Code Sign

33:00:00:02:39:b2:b4:e8:2a:22:34:49:2f:00:00:00:00:02:39
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

12/07/2018, 20:07

Not After

08/08/2019, 20:07

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

8a:54:ba:9a:d2:4b:f8:68:2e:06:45:18:d9:be:4f:38:7b:b3:b7:30:bc:8c:fc:73:4e:fb:c3:14:59:b4:97:1a
Signer

Actual PE Digest

8a:54:ba:9a:d2:4b:f8:68:2e:06:45:18:d9:be:4f:38:7b:b3:b7:30:bc:8c:fc:73:4e:fb:c3:14:59:b4:97:1a

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_DLL

Imports

msvcrt

_wcsnicmp
wcsnlen
wcsstr
_vsnwprintf
_wtoi
swscanf_s
wcsrchr
_wcstoi64
_wcsicmp
strcpy_s
wcsncmp
memmove
_onexit
__dllonexit
_unlock
_lock
strncpy_s
_initterm
malloc
free
_amsg_exit
memcpy_s
_wcsupr
memcpy
memcmp
_callnewh
bsearch
_purecall
iswspace
memmove_s
_vscwprintf
_strnicmp
towupper
towlower
_wcslwr
_wcsrev
qsort
wcschr
_XcptFilter
wcstok_s
_except_handler4_common
wcstoul
memset

kernel32

DosDateTimeToFileTime
GetLastError
GetHandleInformation
SetLastError
SetFilePointerEx
CloseHandle
SetEndOfFile
CompareStringW
HeapFree
GetProcessHeap
DeleteFileW
CreateFileW
GetFileInformationByHandle
LocalAlloc
HeapAlloc
GetSystemDirectoryW
LocalFree
LocalFileTimeToFileTime
SetFileTime
GetDriveTypeW
RemoveDirectoryW
GetModuleHandleW
GetVolumePathNameW
GetVolumeNameForVolumeMountPointW
GetCurrentDirectoryW
DeviceIoControl
WriteFile
GetFileAttributesW
FindFirstFileW
FindNextFileW
FindClose
GetTempPathW
GetTempFileNameW
GetFileSize
SetFilePointer
ReadFile
DeleteCriticalSection
GetSystemInfo
InitializeCriticalSection
SetThreadIdealProcessor
GetCurrentThread
GetFileSizeEx
GetEnvironmentVariableW
GetOverlappedResult
EnterCriticalSection
LeaveCriticalSection
FlushFileBuffers
CreateDirectoryW
CreateEventW
CreateSemaphoreExW
UnlockFileEx
HeapReAlloc
WaitForSingleObject
ExpandEnvironmentStringsW
CreateMutexW
GetModuleHandleExW
GetModuleFileNameW
FormatMessageW
ReleaseMutex
WideCharToMultiByte
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
OpenProcess
InitializeCriticalSectionAndSpinCount
QueryPerformanceCounter
GetVolumeInformationByHandleW
SetFileAttributesW
GlobalMemoryStatusEx
GetFinalPathNameByHandleW
LoadLibraryExW
FreeLibrary
GetProcAddress
GetFullPathNameW
GetVolumeInformationW
GetExitCodeProcess
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
Sleep
DisableThreadLibraryCalls
OpenEventW
GetPrivateProfileSectionW
WaitForMultipleObjects
ReleaseSemaphore
SetEvent
CreateSemaphoreW
CreateThread
LoadLibraryW
GetVolumePathNamesForVolumeNameW
LockFileEx
MultiByteToWideChar
CopyFileExW
CreateProcessW
GetLogicalDriveStringsW
DuplicateHandle
WaitForMultipleObjectsEx
ResetEvent
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile

bcrypt

BCryptFinishHash
BCryptHashData
BCryptCreateHash
BCryptGetProperty
BCryptDestroyHash
BCryptCloseAlgorithmProvider
BCryptOpenAlgorithmProvider

fltlib

FilterAttach
FilterLoad

cabinet

ord22
ord20
ord23

advapi32

SetThreadToken
RegEnumKeyExW
RegEnumValueW
RegQueryInfoKeyW
CloseEncryptedFileRaw
ReadEncryptedFileRaw
AdjustTokenPrivileges
OpenEncryptedFileRawW
AddAccessAllowedAceEx
RevertToSelf
GetSecurityInfo
FreeSid
SetSecurityDescriptorDacl
EqualSid
AddAccessAllowedAce
InitializeAcl
GetLengthSid
GetTokenInformation
OpenProcessToken
OpenThreadToken
AllocateAndInitializeSid
InitializeSecurityDescriptor
RegDeleteKeyExW
GetAclInformation
GetSecurityDescriptorLength
GetSecurityDescriptorControl
GetSecurityDescriptorSacl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorOwner
RegUnLoadKeyW
RegFlushKey
RegSetValueExW
RegDeleteValueW
RegCreateKeyExW
RegLoadKeyW
RegCloseKey
RegOpenKeyExW
WriteEncryptedFileRaw
RegQueryValueExW

version

GetFileVersionInfoSizeExW
VerQueryValueW
GetFileVersionInfoExW

user32

CharUpperW

ntdll

RtlAcquireResourceShared
RtlReleaseResource
RtlDeleteResource
RtlDosPathNameToNtPathName_U_WithStatus
RtlGetVersion
RtlInitializeCriticalSection
RtlDeleteCriticalSection
RtlAcquireResourceExclusive
RtlRaiseStatus
NtYieldExecution
DbgPrintEx
RtlReAllocateHeap
RtlDowncaseUnicodeChar
NtSetEaFile
NtQuerySecurityObject
RtlInitUnicodeString
RtlImpersonateSelf
NtQueryVolumeInformationFile
NtCreateFile
NtQueryEaFile
NtQueryInformationProcess
NtQueryInformationFile
NtSetSecurityObject
RtlFindAceByType
RtlSetControlSecurityDescriptor
RtlGetLastNtStatus
NtSetInformationFile
RtlSetIoCompletionCallback
RtlFreeHeap
NtClose
NtQueryDirectoryFile
RtlAllocateHeap
NtOpenFile
RtlDosPathNameToNtPathName_U
RtlAdjustPrivilege
RtlNtStatusToDosError
RtlInitializeResource

rpcrt4

I_RpcMapWin32Status
UuidToStringW
RpcStringFreeW
UuidFromStringW
NdrClientCall2
RpcStringBindingComposeW
RpcBindingFromStringBindingW
RpcBindingSetAuthInfoW
RpcBindingFree
UuidCreate

Exports

Exports

DllCanUnloadNow
DllMain
WIMAddImagePath
WIMAddImagePaths
WIMAddWimbootEntry
WIMApplyImage
WIMCaptureImage
WIMCloseHandle
WIMCommitImageHandle
WIMCopyFile
WIMCreateFile
WIMCreateImageFile
WIMCreateWofCompressedFile
WIMDeleteImage
WIMDeleteImageMounts
WIMEnumImageFiles
WIMExportImage
WIMExtractImageDirectory
WIMExtractImagePath
WIMFindFirstImageFile
WIMFindNextImageFile
WIMGetAttributes
WIMGetImageCount
WIMGetImageInformation
WIMGetMessageCallbackCount
WIMGetMountedImageHandle
WIMGetMountedImageInfo
WIMGetMountedImageInfoFromHandle
WIMGetMountedImages
WIMGetWIMBootEntries
WIMGetWIMBootWIMPath
WIMInitFileIOCallbacks
WIMInitializeWofDriver
WIMIsCurrentSystemWimboot
WIMIsReferenceWim
WIMLoadImage
WIMMountImage
WIMMountImageHandle
WIMProcessCustomImage
WIMReadFileEx
WIMReadImageFile
WIMRedirectFolderBeforeApply
WIMRegisterLogFile
WIMRegisterMessageCallback
WIMRemountImage
WIMSetBootImage
WIMSetFileIOCallbackTemporaryPath
WIMSetImageInformation
WIMSetImageUserSpecifiedCreationTime
WIMSetReferenceFile
WIMSetTemporaryPath
WIMSetWimGuid
WIMSingleInstanceFile
WIMSplitFile
WIMUnmountImage
WIMUnmountImageHandle
WIMUnregisterLogFile
WIMUnregisterMessageCallback
WIMUpdateWIMBootEntry
WIMWriteFileWithIntegrity

Sections

.text
Size: 544KB - Virtual size: 543KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 19KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Config/x86/wofadk.sys
.sys windows:10 windows x86

3210bb7db9e3473b887a43e6ceeffd9f

Code Sign

33:00:00:00:9d:42:68:ee:31:1c:d7:56:bd:00:00:00:00:00:9d
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

30/03/2016, 19:21

Not After

30/06/2017, 19:21

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:148C-C4B9-2066,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04/06/2015, 17:42

Not After

04/09/2016, 17:42

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31/08/2010, 22:19

Not After

31/08/2020, 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:ef:d8:87:2e:35:a3:82:8a:2f:00:00:00:00:00:ef
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

28/10/2015, 20:31

Not After

28/01/2017, 20:31

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

18:7f:d3:0e:4c:01:e4:be:71:5a:c9:09:6f:6f:8f:a7:da:6a:24:23:8b:c0:7a:a5:30:d4:21:b5:b9:ae:e9:fd
Signer

Actual PE Digest

18:7f:d3:0e:4c:01:e4:be:71:5a:c9:09:6f:6f:8f:a7:da:6a:24:23:8b:c0:7a:a5:30:d4:21:b5:b9:ae:e9:fd

Digest Algorithm

sha256

PE Digest Matches

true

82:73:62:db:b3:e8:28:7e:3b:74:41:57:ea:9e:7e:56:db:e3:ae:1f
Signer

Actual PE Digest

82:73:62:db:b3:e8:28:7e:3b:74:41:57:ea:9e:7e:56:db:e3:ae:1f

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntoskrnl.exe

ZwClose
SeLockSubjectContext
ZwQueryValueKey
SeUnlockSubjectContext
SeReleaseSubjectContext
RtlEnumerateGenericTableAvl
ExAcquireRundownProtection
RtlLookupElementGenericTableAvl
RtlFreeUnicodeString
SeTokenIsAdmin
RtlDeleteElementGenericTableAvl
RtlAppendUnicodeStringToString
KeDelayExecutionThread
ExRundownCompleted
EtwRegister
MmGetSystemRoutineAddress
PsGetProcessImageFileName
ObDereferenceObjectDeferDelete
EtwUnregister
EtwWriteTransfer
IoGetCurrentProcess
ProbeForRead
FsRtlValidateReparsePointBuffer
TmCurrentTransaction
RtlCompareMemory
RtlInitUnicodeString
KeQueryPriorityThread
KeGetCurrentThread
MmMapViewOfSection
ExDeleteLookasideListEx
ZwDeviceIoControlFile
EtwEventEnabled
RtlCheckRegistryKey
ZwCreateSection
ZwQueryInformationThread
RtlSetBit
ExQueueWorkItem
RtlAreBitsSet
PsInitialSystemProcess
ZwOpenKey
IoGetDeviceObjectPointer
RtlRunOnceExecuteOnce
KeStackAttachProcess
KeSetEvent
KdRefreshDebuggerNotPresent
ZwSetInformationThread
ObReferenceObjectByHandle
MmUnmapViewOfSection
RtlFindNextForwardRunClear
EtwWrite
IofCallDriver
RtlInitializeBitMap
ZwOpenFile
ExInitializeLookasideListEx
RtlTestBit
KeWaitForSingleObject
KeSetPriorityThread
KeUnstackDetachProcess
_i64tow_s
RtlClearAllBits
IoAllocateWorkItem
RtlAppendUnicodeToString
_wcsicmp
RtlCreateSystemVolumeInformationFolder
IoQueueWorkItemEx
IoFreeWorkItem
KeAllocateCalloutStackEx
IoGetRelatedDeviceObject
ExDeleteNPagedLookasideList
KeFreeCalloutStack
ExInitializeNPagedLookasideList
KeInitializeMutex
KeReleaseMutex
KeAreAllApcsDisabled
KeInitializeDpc
KeInitializeTimerEx
RtlQueryRegistryValues
KeCancelTimer
KeFlushQueuedDpcs
KeSetCoalescableTimer
KeQueryActiveProcessorCountEx
SeCaptureSubjectContext
RtlInitializeGenericTableAvl
ExInitializePagedLookasideList
RtlGetVersion
IoWMIRegistrationControl
MmIsThisAnNtAsSystem
IoBuildDeviceIoControlRequest
KeBugCheckEx
RtlEqualUnicodeString
memmove
MmMapLockedPagesSpecifyCache
ProbeForWrite
InterlockedPopEntrySList
ExReleaseRundownProtection
InterlockedPushEntrySList
ObfReferenceObject
RtlCompareUnicodeString
ExInitializeRundownProtection
KeLeaveCriticalRegion
ExReleaseFastMutexUnsafe
KeExpandKernelStackAndCalloutEx
KeInitializeEvent
ExFreePoolWithTag
ExAllocatePoolWithTag
ExDeletePagedLookasideList
RtlCopyUnicodeString
ExReInitializeRundownProtection
ExWaitForRundownProtectionRelease
ObfDereferenceObject
KeEnterCriticalRegion
ExAcquireFastMutexUnsafe
swprintf_s
_vsnwprintf
ZwQuerySystemInformation
ZwQuerySymbolicLinkObject
ZwOpenSymbolicLinkObject
wcscpy_s
wcschr
_wcsnicmp
wcsrchr
_alldiv
_alldvrm
_allmul
_allrem
_aulldiv
memcpy
memset
_alloca_probe
RtlUnwind

hal

KeGetCurrentIrql
ExAcquireFastMutex
ExReleaseFastMutex

fltmgr.sys

FltQueryInformationFile
FltFreeGenericWorkItem
FltQueueGenericWorkItem
FltIsOperationSynchronous
FltSetIoPriorityHintIntoCallbackData
FltPerformAsynchronousIo
FltAllocateGenericWorkItem
FltInitializePushLock
FltDeletePushLock
FltFlushBuffers
FltAllocateDeferredIoWorkItem
FltQueueDeferredIoWorkItem
FltFreePoolAlignedWithTag
FltDeviceIoControlFile
FltReadFile
FltOpenVolume
FltFreeDeferredIoWorkItem
FltAllocatePoolAlignedWithTag
FltAcquirePushLockShared
FltIsIoCanceled
FltCompletePendedPreOperation
FltAcquirePushLockExclusive
FltGetIoPriorityHintFromCallbackData
FltReleasePushLock
FltInitExtraCreateParameterLookasideList
FltStartFiltering
FltGetRoutineAddress
FltRegisterFilter
FltGetVolumeFromFileObject
FltCreateFileEx
FltWriteFile
FltUntagFile
FltGetFileNameInformationUnsafe
FltParseFileNameInformation
FltEnumerateInstances
FltAttachVolume
FltGetFilterFromName
FltTagFile
FltIsDirectory
FltSetInformationFile
FltObjectDereference
FltPerformSynchronousIo
FltLockUserBuffer
FltAllocateCallbackDataEx
FltFreeCallbackData
FltAllocateExtraCreateParameterList
FltInsertExtraCreateParameter
FltCancelFileOpen
FltDeleteStreamContext
FltReissueSynchronousIo
FltReleaseFileNameInformation
FltFsControlFile
FltGetEcpListFromCallbackData
FltGetFileNameInformation
FltEnlistInTransaction
FltSetEcpListIntoCallbackData
FltFindExtraCreateParameter
FltAllocateExtraCreateParameterFromLookasideList
FltSetCallbackDataDirty
FltSetStreamContext
FltSetTransactionContext
FltReferenceContext
FltGetTransactionContext
FltSetStreamHandleContext
FltSetFileContext
FltDeleteInstanceContext
FltGetInstanceContext
FltUnregisterFilter
FltAllocateContext
FltGetVolumeProperties
FltQueryDirectoryFile
FltGetVolumeGuidName
FltReleaseContext
FltDeleteExtraCreateParameterLookasideList
FltGetStreamHandleContext
FltGetStreamContext
FltSetInstanceContext
FltClose
FltGetDiskDeviceObject
FltQueryVolumeInformationFile

cng.sys

BCryptCreateHash
BCryptHashData
BCryptDestroyHash
BCryptCloseAlgorithmProvider
BCryptFinishHash
BCryptOpenAlgorithmProvider
BCryptGetProperty

Sections

.text
Size: 58KB - Virtual size: 57KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 512B - Virtual size: 152B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGER32C
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGE
Size: 80KB - Virtual size: 79KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 512B - Virtual size: 464B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Dism++ARM64.exe
Dism++x64.exe
.exe windows:6 windows x64

0e2b4d340d92d27f2d2be071df293ec3

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

HeapReAlloc
HeapFree
InitOnceExecuteOnce
SetEvent
ResetEvent
WaitForSingleObject
CreateEventW
Sleep
TerminateProcess
GetSystemInfo
GetSystemTimeAsFileTime
GetSystemDirectoryW
IsWow64Process
FreeLibrary
GetModuleHandleW
GetProcAddress
LoadLibraryExW
GetCurrentThreadId
HeapDestroy
HeapSize
GetProcessHeap
EnterCriticalSection
LeaveCriticalSection
VerifyVersionInfoW
VerSetConditionMask
SizeofResource
LockResource
LoadResource
FindResourceW
FindResourceExW
WritePrivateProfileSectionW
GetFileAttributesW
DeviceIoControl
GetVolumePathNameW
GetVolumeInformationByHandleW
GetModuleFileNameW
GetEnvironmentVariableW
UnmapViewOfFile
MoveFileExW
DeleteFileW
GetNativeSystemInfo
GlobalMemoryStatusEx
GetUserDefaultLCID
LCIDToLocaleName
GetThreadLocale
GetLocaleInfoEx
CreateProcessW
GetWindowsDirectoryW
FindClose
FindFirstFileW
FindNextFileW
IsValidLocaleName
MoveFileW
CreateDirectoryW
GetVolumeInformationW
SetVolumeLabelW
RemoveDirectoryW
DeleteCriticalSection
GetTickCount
CreateFileMappingW
MapViewOfFile
LocalFree
GetCurrentProcess
ReadFile
WriteFile
SetFilePointer
GetTempPathA
GetTempFileNameA
DeleteFileA
GetFileInformationByHandle
FileTimeToLocalFileTime
FileTimeToDosDateTime
lstrcpyA
lstrcpynA
ReleaseMutex
ReleaseSRWLockShared
ReleaseSRWLockExclusive
InitializeCriticalSectionEx
InitializeSRWLock
AcquireSRWLockExclusive
AcquireSRWLockShared
VirtualFreeEx
VirtualAllocEx
HeapAlloc
WaitForMultipleObjects
ExpandEnvironmentStringsW
SetFilePointerEx
GetFileSizeEx
SetEnvironmentVariableW
GetVolumeNameForVolumeMountPointW
CreateMutexW
GetFullPathNameW
lstrcmpiA
CopyFileW
GetFileSize
GetLocaleInfoW
GetExitCodeProcess
lstrcmpA
SystemTimeToFileTime
GetExitCodeThread
EnumUILanguagesW
CopyFileExW
FreeResource
SetThreadUILanguage
SetThreadLocale
LocaleNameToLCID
OpenProcess
DecodePointer
VirtualProtect
GetDiskFreeSpaceExW
GetCurrentProcessId
VirtualQuery
GetProcessId
GetSystemTime
LoadLibraryW
FormatMessageW
GetLongPathNameW
GetTempPathW
MultiByteToWideChar
WideCharToMultiByte
GetDriveTypeW
SetFileAttributesW
ProcessIdToSessionId
GetShortPathNameW
GetLocalTime
GetStartupInfoW
WritePrivateProfileStringW
GetModuleHandleExW
GetDiskFreeSpaceW
GetPrivateProfileSectionW
GetVersionExW
GetPrivateProfileStringW
LocalFileTimeToFileTime
GetCurrentDirectoryW
DosDateTimeToFileTime
MulDiv
GetTickCount64
TerminateThread
GetQueuedCompletionStatus
PostQueuedCompletionStatus
GlobalAlloc
GlobalLock
GlobalUnlock
CreateIoCompletionPort
QueryPerformanceCounter
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
SleepConditionVariableSRW
WakeAllConditionVariable
OutputDebugStringW
IsDebuggerPresent
LoadLibraryExA
VirtualFree
VirtualAlloc
FlushInstructionCache
InterlockedPushEntrySList
SetErrorMode
SetLastError
GetLastError
RaiseException
CloseHandle
DuplicateHandle
CreateFileW
InterlockedPopEntrySList
InitializeSListHead
EncodePointer
AreFileApisANSI
RtlUnwindEx

msvcrt

vswprintf_s
_vscwprintf
swscanf
sscanf
vsprintf_s
_vscprintf
swprintf_s
_msize
?terminate@@YAXXZ
_XcptFilter
_commode
abort
_wcmdln
??8type_info@@QEBAHAEBV0@@Z
memset
??3@YAXPEAX@Z
_purecall
??2@YAPEAX_K@Z
wcsnlen
memcpy
_errno
wcstoul
wcsncpy_s
wcslen
memmove
memcmp
_wcsnicmp
wcschr
towupper
??_V@YAXPEAX@Z
??_U@YAPEAX_K@Z
wcsftime
_localtime64_s
_time64
_wcstoui64
_wcsicmp
_beginthreadex
_wcslwr_s
bsearch
free
malloc
strlen
strnlen
_mktime64
wcscpy
wcstol
_strtoui64
realloc
strcmp
strtoul
strtol
_wtoi
isdigit
??0exception@@QEAA@AEBV0@@Z
?what@exception@@UEBAPEBDXZ
??1exception@@UEAA@XZ
_wcsupr_s
wcsrchr
wcsstr
_mbschr
_mbslwr_s
iswspace
wcscmp
wcscpy_s
_mbscmp
__C_specific_handler
calloc
abs
toupper
wcsncpy
_itow
wcstod
wcscat
_strcmpi
qsort_s
_lrotl
??0exception@@QEAA@XZ
??0exception@@QEAA@AEBQEBD@Z
_CxxThrowException
__CxxFrameHandler3
__setusermatherr
_initterm
_initterm_e
exit
_exit
_set_fmode
_c_exit
_amsg_exit
__wgetmainargs
atexit
_strlwr
__DestructExceptionObject
_invalid_parameter
_lock
_unlock
__dllonexit
__set_app_type
_cexit

comctl32

ord17
PropertySheetW
DestroyPropertySheetPage
CreatePropertySheetPageW
ord345
InitCommonControlsEx
_TrackMouseEvent

ntdll

NtCreateFile
NtQueryVolumeInformationFile
RtlGetLastNtStatus
RtlImageNtHeader
NtReadFile
ZwClose
RtlInitUnicodeString
NtWriteFile
ZwQuerySymbolicLinkObject
RtlImageRvaToVa
NtDeleteKey
ZwEnumerateBootEntries
ZwQueryBootEntryOrder
RtlNtStatusToDosError
RtlAdjustPrivilege
ZwOpenSymbolicLinkObject
NtQueryInformationProcess
LdrVerifyImageMatchesChecksum
NtShutdownSystem
NtQueryInformationFile
RtlComputeCrc32
NtSetInformationFile
RtlFreeUnicodeString
RtlDosPathNameToNtPathName_U
NtClose
ZwQueryDirectoryFile
NtOpenFile
NtReadVirtualMemory
NtTranslateFilePath
NtQuerySystemInformation
ZwAddBootEntry
ZwSetBootEntryOrder
NtWriteVirtualMemory

Exports

Exports

BcdGetCurrentEntryIdentifier
BcdGetFirmwareBootDevice
BcdGetFirmwareType
BcdGetSystemPartition
BcdIsWinPEBoot
BcdOpenStore
DismAddDriver
DismAddPackage
DismAppAssociationsDefaultExport
DismAppAssociationsDefaultImport
DismAppAssociationsDefaultRemove
DismAppAssociationsExport
DismAppAssociationsImport
DismAppAssociationsRemove
DismApplyDPI
DismApplyImage
DismAppxsCleanup
DismCaptureImage
DismCommitImage
DismCompactOs
DismComponentCleanup
DismCreateInterface
DismDeleteImage
DismDriverCleanup
DismExpandEnvironmentStrings
DismExportImage
DismFormatMessage
DismFreeMemory
DismGetAllUsersAppx
DismGetCapabilities
DismGetDrivers
DismGetFeatures
DismGetFileFilter
DismGetImageFileInfo
DismGetMountedImages
DismGetPackages
DismGetProvisionedAppxs
DismGetScratchDir
DismGetServices
DismGetSystemInfoByPath
DismGetSystemInfoBySession
DismHardLinkMerge
DismIsNoviceMode
DismMountImage
DismMultiLanguage
DismRegOpenKey
DismRegOpenKeyEx
DismRemoveAppx
DismRemoveCapability
DismRemoveDriver
DismRemovePackage
DismRemoveProvisionedAppx
DismRemoveService
DismRestoreHealth
DismScanHealth
DismSetBootImage
DismSetImageFileInfo
DismSetServiceStart
DismUnmountImage
DismWriteLog
IbsSetFirstBootCommandLine
WinREConfig2

Sections

.text
Size: 767KB - Virtual size: 767KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 192KB - Virtual size: 192KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 24KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 45KB - Virtual size: 45KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Dism++x86.exe
.exe windows:6 windows x86

c55982f912950cb44c769a88c842b38f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

HeapReAlloc
HeapFree
InitOnceExecuteOnce
SetEvent
ResetEvent
WaitForSingleObject
CreateEventW
Sleep
TerminateProcess
GetSystemInfo
GetSystemTimeAsFileTime
GetSystemDirectoryW
GetNativeSystemInfo
IsWow64Process
FreeLibrary
GetModuleHandleW
GetProcAddress
LoadLibraryExW
GetCurrentThreadId
HeapDestroy
HeapSize
GetProcessHeap
EnterCriticalSection
LeaveCriticalSection
VerifyVersionInfoW
VerSetConditionMask
SizeofResource
LockResource
LoadResource
FindResourceW
FindResourceExW
WritePrivateProfileSectionW
GetFileAttributesW
DeviceIoControl
GetVolumePathNameW
GetVolumeInformationByHandleW
GetModuleFileNameW
GetEnvironmentVariableW
UnmapViewOfFile
MoveFileExW
DeleteFileW
GlobalMemoryStatusEx
GetUserDefaultLCID
LCIDToLocaleName
GetThreadLocale
GetLocaleInfoEx
CreateProcessW
GetWindowsDirectoryW
FindClose
FindFirstFileW
FindNextFileW
IsValidLocaleName
MoveFileW
CreateDirectoryW
GetVolumeInformationW
SetVolumeLabelW
RemoveDirectoryW
DeleteCriticalSection
GetTickCount
CreateFileMappingW
MapViewOfFile
LocalFree
GetCurrentProcess
ReadFile
WriteFile
SetFilePointer
GetTempPathA
GetTempFileNameA
DeleteFileA
GetFileInformationByHandle
FileTimeToLocalFileTime
FileTimeToDosDateTime
lstrcpyA
lstrcpynA
ReleaseMutex
ReleaseSRWLockShared
ReleaseSRWLockExclusive
InitializeCriticalSectionEx
InitializeSRWLock
AcquireSRWLockExclusive
AcquireSRWLockShared
VirtualFreeEx
VirtualAllocEx
HeapAlloc
WaitForMultipleObjects
ExpandEnvironmentStringsW
SetFilePointerEx
GetFileSizeEx
SetEnvironmentVariableW
GetVolumeNameForVolumeMountPointW
CreateMutexW
GetFullPathNameW
lstrcmpiA
CopyFileW
GetFileSize
GetLocaleInfoW
GetExitCodeProcess
lstrcmpA
SystemTimeToFileTime
GetExitCodeThread
EnumUILanguagesW
CopyFileExW
FreeResource
SetThreadUILanguage
SetThreadLocale
LocaleNameToLCID
OpenProcess
DecodePointer
VirtualProtect
GetDiskFreeSpaceExW
GetCurrentProcessId
VirtualQuery
GetProcessId
GetSystemTime
LoadLibraryW
FormatMessageW
GetLongPathNameW
GetTempPathW
MultiByteToWideChar
WideCharToMultiByte
GetDriveTypeW
SetFileAttributesW
ProcessIdToSessionId
GetShortPathNameW
GetLocalTime
GetStartupInfoW
WritePrivateProfileStringW
GetModuleHandleExW
GetDiskFreeSpaceW
GetPrivateProfileSectionW
GetVersionExW
GetPrivateProfileStringW
LocalFileTimeToFileTime
GetCurrentDirectoryW
DosDateTimeToFileTime
MulDiv
GetTickCount64
TerminateThread
GetQueuedCompletionStatus
PostQueuedCompletionStatus
GlobalAlloc
GlobalLock
GlobalUnlock
CreateIoCompletionPort
EncodePointer
InitializeSListHead
InterlockedPopEntrySList
InterlockedPushEntrySList
FlushInstructionCache
IsProcessorFeaturePresent
VirtualAlloc
VirtualFree
LoadLibraryExA
IsDebuggerPresent
OutputDebugStringW
WakeAllConditionVariable
SleepConditionVariableSRW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
QueryPerformanceCounter
SetErrorMode
SetLastError
GetLastError
RaiseException
CloseHandle
DuplicateHandle
CreateFileW
AreFileApisANSI

msvcrt

_ftol2_sse
_ftol2
swprintf_s
_vscprintf
vsprintf_s
sscanf
swscanf
_vscwprintf
vswprintf_s
_except_handler3
_msize
?terminate@@YAXXZ
_XcptFilter
abort
_wcmdln
__set_app_type
__dllonexit
memset
??3@YAXPAX@Z
_purecall
??2@YAPAXI@Z
wcsnlen
memcpy
_errno
wcstoul
wcsncpy_s
wcslen
memmove
memcmp
_wcsnicmp
wcschr
towupper
??_V@YAXPAX@Z
??_U@YAPAXI@Z
wcsftime
_localtime64_s
_time64
_wcstoui64
_wcsicmp
_beginthreadex
_wcslwr_s
bsearch
free
malloc
strlen
strnlen
_mktime64
wcscpy
wcstol
_strtoui64
realloc
strcmp
strtoul
strtol
_wtoi
isdigit
??0exception@@QAE@ABV0@@Z
?what@exception@@UBEPBDXZ
??1exception@@UAE@XZ
_wcsupr_s
wcsrchr
wcsstr
_mbschr
_mbslwr_s
iswspace
wcscmp
wcscpy_s
_mbscmp
calloc
abs
toupper
wcsncpy
_itow
wcstod
wcscat
_strcmpi
qsort_s
_lrotl
??0exception@@QAE@XZ
??0exception@@QAE@ABQBD@Z
_CxxThrowException
_cexit
__CxxFrameHandler3
_amsg_exit
_except_handler4_common
__wgetmainargs
atexit
__setusermatherr
_initterm
_initterm_e
exit
_exit
_set_fmode
_c_exit
__p__commode
_controlfp_s
_strlwr
__DestructExceptionObject
_invalid_parameter
_lock
_unlock

comctl32

ord17
PropertySheetW
DestroyPropertySheetPage
CreatePropertySheetPageW
ord345
InitCommonControlsEx
_TrackMouseEvent

ntdll

ZwClose
NtCreateFile
NtQueryVolumeInformationFile
RtlGetLastNtStatus
RtlImageNtHeader
NtReadFile
ZwOpenSymbolicLinkObject
RtlInitUnicodeString
NtWriteFile
ZwQuerySymbolicLinkObject
RtlImageRvaToVa
NtDeleteKey
NtQueryInformationProcess
LdrVerifyImageMatchesChecksum
NtShutdownSystem
ZwAddBootEntry
RtlComputeCrc32
NtSetInformationFile
RtlFreeUnicodeString
RtlDosPathNameToNtPathName_U
NtClose
ZwQueryDirectoryFile
NtOpenFile
NtReadVirtualMemory
NtWriteVirtualMemory
NtQuerySystemInformation
ZwSetBootEntryOrder
NtTranslateFilePath
ZwEnumerateBootEntries
ZwQueryBootEntryOrder
RtlNtStatusToDosError
RtlAdjustPrivilege
NtQueryInformationFile

Exports

Exports

BcdGetCurrentEntryIdentifier
BcdGetFirmwareBootDevice
BcdGetFirmwareType
BcdGetSystemPartition
BcdIsWinPEBoot
BcdOpenStore
DismAddDriver
DismAddPackage
DismAppAssociationsDefaultExport
DismAppAssociationsDefaultImport
DismAppAssociationsDefaultRemove
DismAppAssociationsExport
DismAppAssociationsImport
DismAppAssociationsRemove
DismApplyDPI
DismApplyImage
DismAppxsCleanup
DismCaptureImage
DismCommitImage
DismCompactOs
DismComponentCleanup
DismCreateInterface
DismDeleteImage
DismDriverCleanup
DismExpandEnvironmentStrings
DismExportImage
DismFormatMessage
DismFreeMemory
DismGetAllUsersAppx
DismGetCapabilities
DismGetDrivers
DismGetFeatures
DismGetFileFilter
DismGetImageFileInfo
DismGetMountedImages
DismGetPackages
DismGetProvisionedAppxs
DismGetScratchDir
DismGetServices
DismGetSystemInfoByPath
DismGetSystemInfoBySession
DismHardLinkMerge
DismIsNoviceMode
DismMountImage
DismMultiLanguage
DismRegOpenKey
DismRegOpenKeyEx
DismRemoveAppx
DismRemoveCapability
DismRemoveDriver
DismRemovePackage
DismRemoveProvisionedAppx
DismRemoveService
DismRestoreHealth
DismScanHealth
DismSetBootImage
DismSetImageFileInfo
DismSetServiceStart
DismUnmountImage
DismWriteLog
IbsSetFirstBootCommandLine
WinREConfig2

Sections

.text
Size: 527KB - Virtual size: 527KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 147KB - Virtual size: 147KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 45KB - Virtual size: 45KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
What's New(Public).txt

Sharing

General

Malware Config

Signatures

Files

Password: infected

d537b1fa5ce68d431ed93bfa507936e5

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

ntdll

msvcrt

Exports

Exports

Sections

.text Size: 71KB - Virtual size: 71KB

.rdata Size: 38KB - Virtual size: 37KB

.data Size: 1024B - Virtual size: 4KB

.pdata Size: 3KB - Virtual size: 3KB

.detourc Size: 8KB - Virtual size: 8KB

.detourd Size: 512B - Virtual size: 24B

.rsrc Size: 3KB - Virtual size: 3KB

.reloc Size: 2KB - Virtual size: 1KB

54beb43eb6d5cc5ab4e52600ae43aa97

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

ntdll

msvcrt

Exports

Exports

Sections

.text Size: 48KB - Virtual size: 48KB

.rdata Size: 31KB - Virtual size: 31KB

.data Size: 1024B - Virtual size: 2KB

.detourc Size: 4KB - Virtual size: 4KB

.detourd Size: 512B - Virtual size: 12B

.rsrc Size: 3KB - Virtual size: 3KB

.reloc Size: 5KB - Virtual size: 5KB

Headers

DLL Characteristics

File Characteristics

Sections

.rdata Size: 512B - Virtual size: 376B

.rsrc Size: 628KB - Virtual size: 628KB

ab58d63cfd91a5abc472a97929f26301

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

shell32

ole32

msvcrt

shlwapi

ntdll

cfgmgr32

setupapi

version

Exports

Exports

Sections

.text Size: 113KB - Virtual size: 113KB

.rdata Size: 45KB - Virtual size: 45KB

.data Size: 3KB - Virtual size: 4KB

.pdata Size: 5KB - Virtual size: 4KB

.rsrc Size: 1024B - Virtual size: 832B

.reloc Size: 1KB - Virtual size: 1KB

782d91e12c2a1d0eb23a7854f8ac9e2e

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

.text
Size: 71KB - Virtual size: 71KB

.rdata
Size: 38KB - Virtual size: 37KB

.data
Size: 1024B - Virtual size: 4KB

.pdata
Size: 3KB - Virtual size: 3KB

.detourc
Size: 8KB - Virtual size: 8KB

.detourd
Size: 512B - Virtual size: 24B

.rsrc
Size: 3KB - Virtual size: 3KB

.reloc
Size: 2KB - Virtual size: 1KB

.text
Size: 48KB - Virtual size: 48KB

.rdata
Size: 31KB - Virtual size: 31KB

.data
Size: 1024B - Virtual size: 2KB

.detourc
Size: 4KB - Virtual size: 4KB

.detourd
Size: 512B - Virtual size: 12B

.rsrc
Size: 3KB - Virtual size: 3KB

.reloc
Size: 5KB - Virtual size: 5KB

.rdata
Size: 512B - Virtual size: 376B

.rsrc
Size: 628KB - Virtual size: 628KB

.text
Size: 113KB - Virtual size: 113KB

.rdata
Size: 45KB - Virtual size: 45KB

.data
Size: 3KB - Virtual size: 4KB

.pdata
Size: 5KB - Virtual size: 4KB

.rsrc
Size: 1024B - Virtual size: 832B

.reloc
Size: 1KB - Virtual size: 1KB

.text
Size: 35KB - Virtual size: 35KB

.rdata
Size: 14KB - Virtual size: 13KB

.data
Size: 512B - Virtual size: 2KB

.pdata
Size: 2KB - Virtual size: 1KB

.rsrc
Size: 1024B - Virtual size: 984B

.reloc
Size: 512B - Virtual size: 144B

33:00:00:00:8b:4c:06:71:0c:20:2c:df:3b:00:00:00:00:00:8b
Certificate

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

61:33:26:1a:00:00:00:00:00:31
Certificate

61:16:68:34:00:00:00:00:00:1c
Certificate

33:00:00:00:7b:a2:81:0b:87:11:ab:e7:fc:00:00:00:00:00:7b
Certificate

61:0c:52:4c:00:00:00:00:00:03
Certificate

fb:a7:99:34:e2:e1:f6:2f:53:40:4e:6f:d9:5c:a8:e7:23:08:b8:a5:d5:b7:8d:18:4f:36:e7:4a:46:bd:d6:e8
Signer

f7:c9:86:65:dc:20:24:34:7e:41:c8:9d:60:ae:91:2c:38:1c:d2:47
Signer

.text
Size: 100KB - Virtual size: 99KB

.rdata
Size: 59KB - Virtual size: 59KB

.data
Size: 512B - Virtual size: 1KB

.pdata
Size: 3KB - Virtual size: 3KB

.rsrc
Size: 6KB - Virtual size: 6KB

.reloc
Size: 2KB - Virtual size: 1KB

33:00:00:02:39:b2:b4:e8:2a:22:34:49:2f:00:00:00:00:02:39
Certificate

61:0c:52:4c:00:00:00:00:00:03
Certificate

01:aa:65:13:0d:4d:71:ab:db:65:0c:57:cb:42:4c:94:11:33:f9:41:42:10:f4:25:a4:15:97:9d:3d:00:34:dc
Signer