5bbab96d60704854efd8246a7d9371688b9102261544827fc8884126d70bcb3b[.]zip[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

5bbab96d60704854efd8246a7d9371688b9102261544827fc8884126d70bcb3b.zip.zip
Size

3.6MB
MD5

722f787f468a1a29ec7ba924af1a5aa7
SHA1

9a295d2d90c1f42cd73105b7d0e184d30b706b9a
SHA256

18c729a46e6b909afb8a5792714057b6fb8b97d997a57e279e31d6e77c17e685
SHA512

a91d01c9ac28c0496eb5a35c7a74d8a4a908e7a2a57736d24baf9db8b186e0d2e2bbf38553b5ed862c141d6c3cc2ac935ef1c47f1d1bbd50a280e8e95b40c93b
SSDEEP

98304:/e3Jey+poG77auSU3lMjWwN4eihG8JB/mXeIdpANDV:/ex+pX77arU1ZwNnihxLqm5

Score

3^/10

Malware Config

Signatures

Unsigned PE 9 IoCs

Checks for missing Authenticode signature.

resource
unpack002/Config/Plugins/FrogPlugins_Pcn7FMvReAsVWfCQBfRJCw/Plugin.amd64.dll
unpack002/Config/Plugins/FrogPlugins_Pcn7FMvReAsVWfCQBfRJCw/Plugin.x86.dll
unpack002/Config/Plugins/FrogPlugins_Pcn7FMvReAsVWfCQBfRJCw/PluginRes.dll
unpack002/Config/amd64/CBSHost.dll
unpack002/Config/amd64/NCleaner.dll
unpack002/Config/x86/CBSHost.dll
unpack002/Config/x86/NCleaner.dll
unpack002/Dism++x64.exe
unpack002/Dism++x86.exe

Files

5bbab96d60704854efd8246a7d9371688b9102261544827fc8884126d70bcb3b.zip.zip
.zip

Password: infected
5bbab96d60704854efd8246a7d9371688b9102261544827fc8884126d70bcb3b.zip
.zip
Config/Data.zip
.zip
Data.xml
.xml
Config/Languages/bg.zip
.zip
bg.xml
.xml
Config/Languages/cs.zip
.zip
cs.xml
.xml
Config/Languages/de.zip
.zip
de.xml
.xml
Config/Languages/en.zip
.zip
en.xml
.xml
Config/Languages/es.zip
.zip
es.xml
.xml
Config/Languages/fr.zip
.zip
fr.xml
.xml
Config/Languages/hu.xml
.xml
Config/Languages/hu.zip
.zip
Config/Languages/it.zip
.zip
Config/Languages/ja.zip
.zip
Config/Languages/ko.zip
.zip
Config/Languages/pl-PL.zip
.zip
Config/Languages/pt.zip
.zip
Config/Languages/ru.zip
.zip
Config/Languages/tr.zip
.zip
Config/Languages/zh-Hans.zip
.zip
Config/Languages/zh-Hant.zip
.zip
Config/Plugins/FrogPlugins_Pcn7FMvReAsVWfCQBfRJCw/Plugin.amd64.dll
.dll windows:6 windows x64

631990018923d1a03da1864be53c8039

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

kernel32

CreateFileW
CloseHandle
RaiseException
GetLastError
SetLastError
HeapAlloc
HeapReAlloc
HeapFree
InitOnceExecuteOnce
WaitForSingleObject
Sleep
TerminateProcess
GetSystemInfo
GetSystemTimeAsFileTime
GetSystemDirectoryW
IsWow64Process
FreeLibrary
GetModuleHandleW
GetProcAddress
LoadLibraryExW
HeapDestroy
HeapSize
GetProcessHeap
SizeofResource
LockResource
LoadResource
FindResourceW
FindResourceExW
DeleteCriticalSection
InitializeCriticalSectionEx
FindFirstFileW
FindClose
CreateDirectoryW
GetFileSize
ReadFile
WriteFile
SetEndOfFile
FindNextFileW
GetModuleFileNameW
MoveFileW
SystemTimeToFileTime
LocalFileTimeToFileTime
FileTimeToLocalFileTime
FileTimeToSystemTime
WritePrivateProfileStringW
GetCurrentThreadId
EnterCriticalSection
LeaveCriticalSection
VerifyVersionInfoW
VerSetConditionMask
GetCurrentThread
CreateThread
GetFileAttributesW
SetFileAttributesW
CreateProcessW
OpenProcess
GetCurrentProcessId
ExitProcess
LoadLibraryW
VirtualAllocEx
GetExitCodeThread
ResumeThread
WritePrivateProfileSectionW
GetModuleHandleExW
GetPrivateProfileSectionW
GetPrivateProfileSectionNamesW
MultiByteToWideChar
GetPrivateProfileStringW
DeleteFileW
DecodePointer
ReadProcessMemory
GetExitCodeProcess
VirtualProtect
VirtualFree
GetCurrentProcess
VirtualAlloc
SuspendThread
GetThreadContext
FlushInstructionCache
SetThreadContext
VirtualQuery
LoadLibraryExA
InterlockedFlushSList
GetTickCount64
QueryPerformanceCounter
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
SleepConditionVariableSRW
WakeAllConditionVariable
RtlUnwindEx
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
InterlockedPushEntrySList
InterlockedPopEntrySList
InitializeSListHead
EncodePointer
OutputDebugStringW
IsDebuggerPresent
AreFileApisANSI

ntdll

NtOpenFile
RtlAdjustPrivilege
NtClose
NtReadVirtualMemory
RtlDosPathNameToNtPathName_U
RtlFreeUnicodeString
NtCreateThreadEx
NtWriteVirtualMemory
NtQueryInformationProcess

msvcrt

swscanf
_vscwprintf
vswprintf_s
realloc
??8type_info@@QEBAHAEBV0@@Z
memset
??3@YAXPEAX@Z
memcpy
_errno
memmove
wcslen
??_U@YAPEAX_K@Z
??_V@YAXPEAX@Z
free
wcsnlen
wcsrchr
wcsncpy_s
memcmp
wcstoul
??2@YAPEAX_K@Z
_beginthreadex
??0exception@@QEAA@AEBV0@@Z
?what@exception@@UEBAPEBDXZ
??1exception@@UEAA@XZ
_purecall
_wcsicmp
strlen
__C_specific_handler
??0exception@@QEAA@XZ
??0exception@@QEAA@AEBQEBD@Z
_CxxThrowException
_initterm
_initterm_e
_amsg_exit
__getmainargs
__DestructExceptionObject
_invalid_parameter
?terminate@@YAXXZ
__CxxFrameHandler3
_msize
abort
__CppXcptFilter

Exports

Exports

DismCreateInstance2
ViewExplorerW

Sections

.text
Size: 91KB - Virtual size: 91KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 40KB - Virtual size: 39KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.detourc
Size: 26KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.detourd
Size: 512B - Virtual size: 64B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Config/Plugins/FrogPlugins_Pcn7FMvReAsVWfCQBfRJCw/Plugin.arm64.dll
Config/Plugins/FrogPlugins_Pcn7FMvReAsVWfCQBfRJCw/Plugin.x86.dll
.dll windows:6 windows x86

3d7868fef92048722b56c2afe9541986

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

CreateFileW
CloseHandle
RaiseException
GetLastError
SetLastError
HeapAlloc
HeapReAlloc
HeapFree
InitOnceExecuteOnce
WaitForSingleObject
Sleep
TerminateProcess
GetSystemInfo
GetSystemTimeAsFileTime
GetSystemDirectoryW
IsWow64Process
FreeLibrary
GetModuleHandleW
GetProcAddress
LoadLibraryExW
HeapDestroy
HeapSize
GetProcessHeap
SizeofResource
LockResource
LoadResource
FindResourceW
FindResourceExW
DeleteCriticalSection
InitializeCriticalSectionEx
FindFirstFileW
FindClose
CreateDirectoryW
GetFileSize
ReadFile
WriteFile
SetEndOfFile
FindNextFileW
GetModuleFileNameW
MoveFileW
SystemTimeToFileTime
LocalFileTimeToFileTime
FileTimeToLocalFileTime
FileTimeToSystemTime
WritePrivateProfileStringW
GetCurrentThreadId
EnterCriticalSection
LeaveCriticalSection
VerifyVersionInfoW
VerSetConditionMask
GetCurrentThread
CreateThread
GetFileAttributesW
SetFileAttributesW
CreateProcessW
OpenProcess
GetCurrentProcessId
ExitProcess
LoadLibraryW
VirtualAllocEx
GetExitCodeThread
ResumeThread
WritePrivateProfileSectionW
GetModuleHandleExW
GetPrivateProfileSectionW
GetPrivateProfileSectionNamesW
MultiByteToWideChar
GetPrivateProfileStringW
DeleteFileW
DecodePointer
GetExitCodeProcess
VirtualProtect
VirtualFree
GetCurrentProcess
VirtualAlloc
SuspendThread
GetThreadContext
FlushInstructionCache
SetThreadContext
VirtualQuery
LoadLibraryExA
IsDebuggerPresent
InterlockedFlushSList
GetTickCount64
QueryPerformanceCounter
SetUnhandledExceptionFilter
UnhandledExceptionFilter
SleepConditionVariableSRW
OutputDebugStringW
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
IsProcessorFeaturePresent
InterlockedPushEntrySList
InterlockedPopEntrySList
InitializeSListHead
EncodePointer
AreFileApisANSI

ntdll

NtOpenFile
RtlAdjustPrivilege
NtClose
RtlDosPathNameToNtPathName_U
RtlFreeUnicodeString
NtCreateThreadEx
NtWriteVirtualMemory
NtQueryInformationProcess

msvcrt

_except_handler3
swscanf
_vscwprintf
vswprintf_s
realloc
?terminate@@YAXXZ
__CppXcptFilter
memset
??3@YAXPAX@Z
memcpy
_errno
memmove
wcslen
??_U@YAPAXI@Z
??_V@YAXPAX@Z
free
wcsnlen
wcsrchr
wcsncpy_s
memcmp
wcstoul
??2@YAPAXI@Z
_beginthreadex
??0exception@@QAE@ABV0@@Z
?what@exception@@UBEPBDXZ
??1exception@@UAE@XZ
_purecall
_wcsicmp
??0exception@@QAE@XZ
??0exception@@QAE@ABQBD@Z
_CxxThrowException
_amsg_exit
_except_handler4_common
__getmainargs
_initterm
_initterm_e
__DestructExceptionObject
_invalid_parameter
__CxxFrameHandler3
_msize

Exports

Exports

DismCreateInstance2
ViewExplorerW

Sections

.text
Size: 56KB - Virtual size: 56KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 32KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.detourc
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.detourd
Size: 512B - Virtual size: 36B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Config/Plugins/FrogPlugins_Pcn7FMvReAsVWfCQBfRJCw/PluginRes.dll
.dll windows:6 windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.rdata
Size: 512B - Virtual size: 376B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 628KB - Virtual size: 628KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Config/amd64/CBSHost.dll
.dll windows:6 windows x64

604f65d7bb91eb13dad798c5b913d475

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

kernel32

FindNextFileW
FindClose
LoadLibraryW
CreateProcessW
WaitForMultipleObjects
VirtualProtect
OpenProcess
GetCurrentProcessId
ExitProcess
CreateThread
OpenEventW
DuplicateHandle
ExpandEnvironmentStringsW
SetEnvironmentVariableW
GetEnvironmentVariableW
SetDllDirectoryW
GetLocalTime
CopyFileW
GetModuleHandleExW
InitializeCriticalSectionEx
UnmapViewOfFile
MultiByteToWideChar
GlobalMemoryStatusEx
CreateHardLinkTransactedW
DeleteFileTransactedW
MoveFileExW
DeleteCriticalSection
CreateFileMappingW
MapViewOfFile
GetExitCodeProcess
AreFileApisANSI
RtlUnwindEx
VirtualQuery
InterlockedFlushSList
FindFirstFileW
GetTickCount64
QueryPerformanceCounter
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
GetModuleFileNameW
CreateDirectoryW
GetCurrentThreadId
FindResourceExW
FindResourceW
LoadResource
LockResource
SizeofResource
GetTickCount
GetCurrentProcess
LocalFree
GetProcessHeap
HeapSize
HeapDestroy
LoadLibraryExW
GetProcAddress
GetModuleHandleW
FreeLibrary
GetSystemDirectoryW
GetSystemTimeAsFileTime
GetSystemInfo
TerminateProcess
Sleep
CreateEventW
WaitForSingleObject
SetEvent
InitOnceExecuteOnce
HeapFree
HeapReAlloc
HeapAlloc
SetLastError
GetLastError
RaiseException
CloseHandle
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
SleepConditionVariableSRW
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
LeaveCriticalSection
EnterCriticalSection
OutputDebugStringW
IsDebuggerPresent
DeleteFileW
VirtualAlloc
VirtualFree
WriteFile
ReadFile
InitializeSListHead
GetFileSize
CreateFileW
EncodePointer

user32

GetMessageW
TranslateMessage
DispatchMessageW
PostThreadMessageW

advapi32

OpenProcessToken
InitializeSid
RegSetValueExW
RegGetValueW
RegDeleteValueW
RegFlushKey
RegCreateKeyExW
RegLoadKeyW
RegEnumKeyW
RegQueryInfoKeyW
RegUnLoadKeyW
RegEnumValueW
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
GetSidLengthRequired
GetTokenInformation
InitializeSecurityDescriptor
MakeAbsoluteSD
GetSecurityDescriptorControl
GetSecurityDescriptorSacl
SetSecurityDescriptorDacl
GetSecurityDescriptorDacl
SetSecurityDescriptorGroup
GetSecurityDescriptorGroup
SetSecurityDescriptorOwner
GetSecurityDescriptorOwner
GetAclInformation
AddAce
InitializeAcl
IsValidSid
GetLengthSid
ConvertSidToStringSidW
CopySid
GetSidSubAuthority

shell32

ord680
SHGetSpecialFolderPathW
CommandLineToArgvW

ole32

CoInitializeEx
CoGetMalloc
CoCreateInstance
CoInitializeSecurity
CoTaskMemFree

shlwapi

StrCmpNIW
StrStrW
StrStrA
SHCreateStreamOnFileW
StrCatW
StrStrIA
PathSkipRootW
StrChrW
StrCmpNW
PathFindFileNameW
StrRChrW
PathIsDirectoryEmptyW
PathFindExtensionW
StrCmpW
StrCpyW
StrCmpIW

ntdll

NtCreateFile
RtlNtStatusToDosError
RtlGetLastNtStatus
RtlAdjustPrivilege
NtQueryInformationFile
NtOpenFile
NtClose
RtlImageNtHeader
ZwQueryDirectoryFile
NtSetInformationFile
NtQueryInformationProcess
NtWriteFile
NtReadFile
NtDeleteKey
RtlDosPathNameToNtPathName_U
RtlFreeUnicodeString

cfgmgr32

CM_Locate_DevNodeW
CM_Reenumerate_DevNode

setupapi

SetupDiEnumDeviceInfo
SetupDiGetDevicePropertyW
SetupDiDestroyDeviceInfoList
SetupDiGetClassDescriptionW
SetupDiGetClassDevsW
SetupUninstallOEMInfW

version

VerQueryValueW

msvcrt

__CxxFrameHandler3
??8type_info@@QEBAHAEBV0@@Z
_msize
__CppXcptFilter
?terminate@@YAXXZ
realloc
swscanf
sscanf
_vscwprintf
vswprintf_s
memset
??3@YAXPEAX@Z
memcpy
_errno
memmove
abort
wcsnlen
free
malloc
??2@YAPEAX_K@Z
memcmp
_wcsicmp
strlen
wcstoul
wcscpy
bsearch
wcsrchr
calloc
??0exception@@QEAA@AEBV0@@Z
?what@exception@@UEBAPEBDXZ
??1exception@@UEAA@XZ
wcscmp
_purecall
??_V@YAXPEAX@Z
??_U@YAPEAX_K@Z
??0exception@@QEAA@XZ
??0exception@@QEAA@AEBQEBD@Z
_CxxThrowException
__C_specific_handler
_initterm
_initterm_e
_amsg_exit
__getmainargs
__DestructExceptionObject
_invalid_parameter
wcslen

Exports

Exports

CbsCreateTempDirectory2
CreateCbsHostHelper
DismGetScratchDir
DismWriteLog
GetConfig
RunCbsHostW

Sections

.text
Size: 117KB - Virtual size: 116KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 46KB - Virtual size: 46KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 824B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Config/amd64/NCleaner.dll
.dll windows:6 windows x64

782d91e12c2a1d0eb23a7854f8ac9e2e

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

kernel32

FreeLibrary
GetModuleHandleW
GetProcAddress
LoadLibraryExW
CreateEventExW
FindNextFileW
FindFirstFileW
FindClose
GetFileInformationByHandleEx
QueryPerformanceCounter
GetTickCount64
SetFileInformationByHandle
GetProcessHeap
GetCurrentProcess
InterlockedFlushSList
GetSystemDirectoryW
GetSystemTimeAsFileTime
TerminateProcess
InitOnceExecuteOnce
HeapFree
HeapAlloc
RtlUnwindEx
InitializeSListHead
GetCurrentThreadId
GetCurrentProcessId
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
SetLastError
GetLastError
RaiseException
EncodePointer
CloseHandle
CreateFileW

advapi32

RegEnumKeyW
RegDeleteTreeW
RegCloseKey
RegQueryValueExW
RegOpenKeyExW
RegCreateKeyExW

ole32

CLSIDFromString
IIDFromString
CoCreateInstance

msvcrt

memmove
wcslen
wcscpy_s
_wcsnicmp
_wcsicmp
??0exception@@QEAA@AEBQEBD@Z
_CxxThrowException
_cexit
__C_specific_handler
?what@exception@@UEBAPEBDXZ
_initterm_e
_errno
_amsg_exit
__getmainargs
towupper
atexit
abort
__DestructExceptionObject
free
_invalid_parameter
malloc
_lock
_unlock
__dllonexit
__CxxFrameHandler3
?terminate@@YAXXZ
??3@YAXPEAX@Z
__CppXcptFilter
??8type_info@@QEBAHAEBV0@@Z
??0exception@@QEAA@AEBV0@@Z
memset
memcpy
wcscat_s
??2@YAPEAX_K@Z
??1exception@@UEAA@XZ
_swprintf_c
_vscwprintf
_vsnwprintf_s
_initterm

dism++x64.exe

DismGetAllUsersAppx
DismRegOpenKeyEx
DismWriteLog
DismGetSystemInfoBySession
DismRemoveAppx
DismFreeMemory

shlwapi

PathFileExistsW
PathFindExtensionW
PathFindFileNameW

Exports

Exports

NCCorruptedAppXOnlineCleanup
NCDOCacheOnlineCleanup
NCInstallerFolderCleanup
NCPackageCacheFolderCleanup
NCSRPointOnlineCleanup
NCVSPackageCacheCleanup
NCWinEventLogOnlineCleanup

Sections

.text
Size: 35KB - Virtual size: 35KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 984B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 144B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Config/amd64/bcdboot.exe
.exe windows:10 windows x64

9517567887d29e8a932036effb134d66

Code Sign

33:00:00:00:8b:4c:06:71:0c:20:2c:df:3b:00:00:00:00:00:8b
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

07/10/2015, 18:14

Not After

07/01/2017, 18:14

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:728D-C45F-F9EB,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04/06/2015, 17:42

Not After

04/09/2016, 17:42

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31/08/2010, 22:19

Not After

31/08/2020, 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:7b:a2:81:0b:87:11:ab:e7:fc:00:00:00:00:00:7b
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

01/10/2014, 18:06

Not After

01/01/2016, 18:06

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

fb:a7:99:34:e2:e1:f6:2f:53:40:4e:6f:d9:5c:a8:e7:23:08:b8:a5:d5:b7:8d:18:4f:36:e7:4a:46:bd:d6:e8
Signer

Actual PE Digest

fb:a7:99:34:e2:e1:f6:2f:53:40:4e:6f:d9:5c:a8:e7:23:08:b8:a5:d5:b7:8d:18:4f:36:e7:4a:46:bd:d6:e8

Digest Algorithm

sha256

PE Digest Matches

true

f7:c9:86:65:dc:20:24:34:7e:41:c8:9d:60:ae:91:2c:38:1c:d2:47
Signer

Actual PE Digest

f7:c9:86:65:dc:20:24:34:7e:41:c8:9d:60:ae:91:2c:38:1c:d2:47

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

GetFileType
GetProcAddress
GetStdHandle
GetConsoleOutputCP
GetModuleFileNameW
WriteConsoleW
FormatMessageW
GetConsoleMode
LoadLibraryW
WideCharToMultiByte
WriteFile
GetProcessHeap
HeapFree
HeapAlloc
FreeLibrary
SetLastError
Sleep
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetModuleHandleW
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
LoadLibraryExW
GetVolumePathNameW
QueryDosDeviceW
LocalFree
MapViewOfFile
UnmapViewOfFile
GetCurrentThread
CreateFileW
GetFileSizeEx
CreateFileMappingW
CloseHandle
GetVolumeNameForVolumeMountPointW
FindFirstFileW
MoveFileExW
GetFileAttributesW
GetUserDefaultUILanguage
GetVersionExW
LoadResource
FindResourceExW
GetSystemDefaultUILanguage
SearchPathW
CreateDirectoryW
GetFileInformationByHandle
DeviceIoControl
CopyFileExW
GetFullPathNameW
GetLocaleInfoW
GetVolumeInformationW
SetFileAttributesW
GetPrivateProfileSectionW
FindNextFileW
FindClose
GetLastError

msvcrt

wcstoul
wcscat_s
_ultow_s
wcsncpy_s
wcsstr
_wcslwr
memset
_snwscanf_s
strncmp
wcsncmp
bsearch
__iob_func
memcmp
memcpy
wcschr
_vsnwprintf_s
fflush
fwprintf
_vsnwprintf
wcsnlen
wcsrchr
memmove
_wcsupr
?terminate@@YAXXZ
_commode
_fmode
__C_specific_handler
_initterm
__setusermatherr
_cexit
_exit
exit
__set_app_type
__wgetmainargs
_amsg_exit
_XcptFilter
wcscpy_s
_wsetlocale
_wcsicmp
swprintf_s
_wcsnicmp

rpcrt4

UuidCreate

imagehlp

CheckSumMappedFile

shlwapi

PathRemoveBackslashW

ntdll

NtEnumerateBootEntries
NtOpenDirectoryObject
NtQueryDirectoryObject
NtTranslateFilePath
NtResetEvent
NtQueryValueKey
NtQuerySymbolicLinkObject
NtOpenSymbolicLinkObject
NtOpenKey
ZwResetEvent
ZwDeviceIoControlFile
ZwOpenSymbolicLinkObject
ZwQuerySymbolicLinkObject
ZwCreateEvent
NtAdjustPrivilegesToken
NtOpenThreadTokenEx
RtlImpersonateSelf
NtOpenProcessTokenEx
LdrGetDllHandle
LdrGetProcedureAddress
RtlInitAnsiString
ZwAllocateUuids
RtlSetOwnerSecurityDescriptor
ZwOpenKey
ZwQueryKey
RtlCreateSecurityDescriptor
RtlLengthSid
ZwEnumerateKey
ZwDeleteKey
RtlAllocateAndInitializeSid
ZwLoadKey
RtlAddAccessAllowedAceEx
ZwSetSecurityObject
RtlLengthSecurityDescriptor
ZwQueryValueKey
ZwCreateFile
ZwSaveKey
ZwSetValueKey
ZwDeleteValueKey
RtlSetDaclSecurityDescriptor
RtlFreeSid
RtlCreateAcl
ZwCreateKey
ZwUnloadKey
RtlAppendUnicodeToString
ZwQueryAttributesFile
ZwOpenFile
ZwClose
ZwWaitForSingleObject
ZwReleaseMutant
ZwOpenMutant
ZwQuerySystemInformation
NtSetInformationFile
RtlAllocateHeap
RtlFreeHeap
LdrFindResource_U
LdrAccessResource
NtQuerySystemInformation
NtOpenFile
RtlImageNtHeader
NtOpenProcess
NtCreateEvent
NtClose
NtSetInformationThread
NtWaitForSingleObject
NtQueryInformationProcess
NtQueryInformationFile
NtQueryInformationThread
NtDeviceIoControlFile
RtlCompareMemory
RtlNtStatusToDosError
RtlFreeUnicodeString
RtlStringFromGUID
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
RtlGUIDFromString
RtlInitUnicodeString
NtQueryBootEntryOrder

advapi32

OpenThreadToken
GetTokenInformation
GetSecurityDescriptorControl
SetNamedSecurityInfoW
LookupPrivilegeValueW
GetSecurityDescriptorOwner
ConvertStringSecurityDescriptorToSecurityDescriptorW
GetSecurityDescriptorSacl
AdjustTokenPrivileges
ConvertSidToStringSidW
GetSecurityDescriptorGroup
GetSecurityDescriptorDacl
RegCloseKey
RegOpenKeyExW
RegQueryValueExW
OpenProcessToken

Sections

.text
Size: 100KB - Virtual size: 99KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 59KB - Virtual size: 59KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Config/amd64/wimgapi.dll
.dll windows:10 windows x64

99cad9eebdfce9908b60d30f37ed90ef

Code Sign

33:00:00:02:39:b2:b4:e8:2a:22:34:49:2f:00:00:00:00:02:39
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

12/07/2018, 20:07

Not After

08/08/2019, 20:07

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

01:aa:65:13:0d:4d:71:ab:db:65:0c:57:cb:42:4c:94:11:33:f9:41:42:10:f4:25:a4:15:97:9d:3d:00:34:dc
Signer

Actual PE Digest

01:aa:65:13:0d:4d:71:ab:db:65:0c:57:cb:42:4c:94:11:33:f9:41:42:10:f4:25:a4:15:97:9d:3d:00:34:dc

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_DLL

Imports

msvcrt

_wcsnicmp
wcsnlen
wcsstr
_vsnwprintf
_wtoi
swscanf_s
wcsrchr
_wcstoi64
_wcsicmp
strcpy_s
wcsncmp
memmove
_onexit
__dllonexit
_unlock
_lock
strncpy_s
_initterm
malloc
free
_amsg_exit
memcpy_s
_wcsupr
memcpy
memcmp
_callnewh
bsearch
_purecall
iswspace
memmove_s
_vscwprintf
_strnicmp
towupper
towlower
_wcslwr
_wcsrev
qsort
wcschr
_XcptFilter
wcstok_s
__C_specific_handler
wcstoul
memset

kernel32

MultiByteToWideChar
DosDateTimeToFileTime
CreateSemaphoreExW
SetFileTime
GetLastError
GetHandleInformation
SetLastError
SetFilePointerEx
CloseHandle
SetEndOfFile
CompareStringW
HeapFree
GetProcessHeap
DeleteFileW
CreateFileW
GetFileInformationByHandle
LocalAlloc
HeapAlloc
GetSystemDirectoryW
LocalFree
GetModuleHandleW
GetDriveTypeW
RemoveDirectoryW
GetVolumePathNameW
GetVolumeNameForVolumeMountPointW
GetCurrentDirectoryW
DeviceIoControl
WriteFile
GetFileAttributesW
FindFirstFileW
FindNextFileW
FindClose
GetTempPathW
GetTempFileNameW
GetFileSize
SetFilePointer
ReadFile
DeleteCriticalSection
GetSystemInfo
InitializeCriticalSection
SetThreadIdealProcessor
GetCurrentThread
GetFileSizeEx
GetEnvironmentVariableW
GetOverlappedResult
EnterCriticalSection
LeaveCriticalSection
FlushFileBuffers
CreateDirectoryW
CreateEventW
LockFileEx
UnlockFileEx
HeapReAlloc
WaitForSingleObject
ExpandEnvironmentStringsW
CreateMutexW
GetModuleHandleExW
GetModuleFileNameW
FormatMessageW
ReleaseMutex
WideCharToMultiByte
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
OpenProcess
InitializeCriticalSectionAndSpinCount
GetCurrentProcessId
GetVolumeInformationByHandleW
SetFileAttributesW
GlobalMemoryStatusEx
GetFinalPathNameByHandleW
LoadLibraryExW
FreeLibrary
GetProcAddress
GetFullPathNameW
GetExitCodeProcess
DuplicateHandle
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
QueryPerformanceCounter
Sleep
OpenEventW
GetPrivateProfileSectionW
WaitForMultipleObjects
ReleaseSemaphore
SetEvent
CreateSemaphoreW
CreateThread
DisableThreadLibraryCalls
LoadLibraryW
GetVolumePathNamesForVolumeNameW
LocalFileTimeToFileTime
CopyFileExW
CreateProcessW
GetLogicalDriveStringsW
GetVolumeInformationW
WaitForMultipleObjectsEx
ResetEvent
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile

bcrypt

BCryptFinishHash
BCryptHashData
BCryptCreateHash
BCryptGetProperty
BCryptDestroyHash
BCryptCloseAlgorithmProvider
BCryptOpenAlgorithmProvider

fltlib

FilterAttach
FilterLoad

cabinet

ord22
ord20
ord23

advapi32

RegUnLoadKeyW
RegQueryValueExW
RegEnumKeyExW
RegEnumValueW
RegQueryInfoKeyW
CloseEncryptedFileRaw
AdjustTokenPrivileges
ReadEncryptedFileRaw
OpenEncryptedFileRawW
AddAccessAllowedAceEx
RevertToSelf
GetSecurityInfo
FreeSid
SetSecurityDescriptorDacl
EqualSid
AddAccessAllowedAce
InitializeAcl
GetLengthSid
GetTokenInformation
OpenProcessToken
OpenThreadToken
AllocateAndInitializeSid
InitializeSecurityDescriptor
GetAclInformation
GetSecurityDescriptorLength
RegDeleteKeyExW
GetSecurityDescriptorControl
GetSecurityDescriptorSacl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorOwner
SetThreadToken
RegFlushKey
RegSetValueExW
RegDeleteValueW
RegCreateKeyExW
RegLoadKeyW
RegCloseKey
RegOpenKeyExW
WriteEncryptedFileRaw

version

GetFileVersionInfoSizeExW
VerQueryValueW
GetFileVersionInfoExW

user32

CharUpperW

ntdll

RtlAcquireResourceShared
RtlReleaseResource
RtlDeleteResource
RtlDosPathNameToNtPathName_U_WithStatus
RtlGetVersion
RtlInitializeCriticalSection
RtlDeleteCriticalSection
RtlAcquireResourceExclusive
RtlRaiseStatus
NtYieldExecution
DbgPrintEx
RtlReAllocateHeap
RtlDowncaseUnicodeChar
NtSetEaFile
NtQuerySecurityObject
RtlInitUnicodeString
RtlImpersonateSelf
NtQueryVolumeInformationFile
NtCreateFile
NtQueryEaFile
NtQueryInformationProcess
NtQueryInformationFile
NtSetSecurityObject
RtlFindAceByType
RtlSetControlSecurityDescriptor
RtlGetLastNtStatus
NtSetInformationFile
RtlSetIoCompletionCallback
RtlFreeHeap
NtClose
NtQueryDirectoryFile
RtlAllocateHeap
NtOpenFile
RtlDosPathNameToNtPathName_U
RtlAdjustPrivilege
RtlNtStatusToDosError
RtlInitializeResource

rpcrt4

I_RpcMapWin32Status
UuidToStringW
RpcStringFreeW
UuidFromStringW
NdrClientCall3
RpcStringBindingComposeW
RpcBindingFromStringBindingW
RpcBindingSetAuthInfoW
RpcBindingFree
UuidCreate

Exports

Exports

DllCanUnloadNow
DllMain
WIMAddImagePath
WIMAddImagePaths
WIMAddWimbootEntry
WIMApplyImage
WIMCaptureImage
WIMCloseHandle
WIMCommitImageHandle
WIMCopyFile
WIMCreateFile
WIMCreateImageFile
WIMCreateWofCompressedFile
WIMDeleteImage
WIMDeleteImageMounts
WIMEnumImageFiles
WIMExportImage
WIMExtractImageDirectory
WIMExtractImagePath
WIMFindFirstImageFile
WIMFindNextImageFile
WIMGetAttributes
WIMGetImageCount
WIMGetImageInformation
WIMGetMessageCallbackCount
WIMGetMountedImageHandle
WIMGetMountedImageInfo
WIMGetMountedImageInfoFromHandle
WIMGetMountedImages
WIMGetWIMBootEntries
WIMGetWIMBootWIMPath
WIMInitFileIOCallbacks
WIMInitializeWofDriver
WIMIsCurrentSystemWimboot
WIMIsReferenceWim
WIMLoadImage
WIMMountImage
WIMMountImageHandle
WIMProcessCustomImage
WIMReadFileEx
WIMReadImageFile
WIMRedirectFolderBeforeApply
WIMRegisterLogFile
WIMRegisterMessageCallback
WIMRemountImage
WIMSetBootImage
WIMSetFileIOCallbackTemporaryPath
WIMSetImageInformation
WIMSetImageUserSpecifiedCreationTime
WIMSetReferenceFile
WIMSetTemporaryPath
WIMSetWimGuid
WIMSingleInstanceFile
WIMSplitFile
WIMUnmountImage
WIMUnmountImageHandle
WIMUnregisterLogFile
WIMUnregisterMessageCallback
WIMUpdateWIMBootEntry
WIMWriteFileWithIntegrity

Sections

.text
Size: 591KB - Virtual size: 591KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 120KB - Virtual size: 120KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Config/amd64/wofadk.sys
.sys windows:10 windows x64

aeb3dedf4ffda3ee8d592f156ef96a17

Code Sign

33:00:00:00:9b:e0:74:37:cb:3d:4d:8d:2e:00:00:00:00:00:9b
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

30/03/2016, 19:21

Not After

30/06/2017, 19:21

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:728D-C45F-F9EB,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04/06/2015, 17:42

Not After

04/09/2016, 17:42

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31/08/2010, 22:19

Not After

31/08/2020, 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:ef:d8:87:2e:35:a3:82:8a:2f:00:00:00:00:00:ef
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

28/10/2015, 20:31

Not After

28/01/2017, 20:31

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

c0:aa:06:12:86:1e:cf:f1:fe:46:c5:13:3c:7f:27:b8:d2:3c:30:23:b4:2a:d1:35:17:93:5f:1c:01:e2:3f:0c
Signer

Actual PE Digest

c0:aa:06:12:86:1e:cf:f1:fe:46:c5:13:3c:7f:27:b8:d2:3c:30:23:b4:2a:d1:35:17:93:5f:1c:01:e2:3f:0c

Digest Algorithm

sha256

PE Digest Matches

true

44:af:b2:cb:8e:4b:64:da:fb:a3:36:4c:1e:ba:91:55:7b:c9:e9:0e
Signer

Actual PE Digest

44:af:b2:cb:8e:4b:64:da:fb:a3:36:4c:1e:ba:91:55:7b:c9:e9:0e

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntoskrnl.exe

ZwClose
SeLockSubjectContext
ZwQueryValueKey
SeUnlockSubjectContext
SeReleaseSubjectContext
RtlEnumerateGenericTableAvl
ExAcquireRundownProtection
RtlLookupElementGenericTableAvl
RtlFreeUnicodeString
SeTokenIsAdmin
RtlDeleteElementGenericTableAvl
RtlAppendUnicodeStringToString
KeDelayExecutionThread
ExRundownCompleted
EtwRegister
MmGetSystemRoutineAddress
ObDereferenceObjectDeferDelete
PsGetProcessImageFileName
EtwUnregister
EtwWriteTransfer
IoGetCurrentProcess
ProbeForRead
FsRtlValidateReparsePointBuffer
TmCurrentTransaction
RtlCompareMemory
RtlInitUnicodeString
RtlEqualUnicodeString
MmMapLockedPagesSpecifyCache
KeQueryPriorityThread
MmMapViewOfSection
ExDeleteLookasideListEx
ZwDeviceIoControlFile
EtwEventEnabled
RtlCheckRegistryKey
ZwCreateSection
ZwQueryInformationThread
RtlSetBit
ExQueueWorkItem
RtlAreBitsSet
ZwOpenKey
IoBuildDeviceIoControlRequest
IoGetDeviceObjectPointer
RtlRunOnceExecuteOnce
KeStackAttachProcess
KeSetEvent
KdRefreshDebuggerNotPresent
ZwSetInformationThread
ObReferenceObjectByHandle
swprintf_s
MmUnmapViewOfSection
RtlFindNextForwardRunClear
EtwWrite
IofCallDriver
RtlInitializeBitMap
ZwOpenFile
ExInitializeLookasideListEx
RtlTestBit
KeWaitForSingleObject
KeSetPriorityThread
KeUnstackDetachProcess
_i64tow_s
RtlClearAllBits
IoAllocateWorkItem
RtlAppendUnicodeToString
_wcsicmp
RtlCreateSystemVolumeInformationFolder
IoQueueWorkItemEx
IoFreeWorkItem
KeAllocateCalloutStackEx
IoGetRelatedDeviceObject
ExDeleteNPagedLookasideList
KeFreeCalloutStack
ExInitializeNPagedLookasideList
KeInitializeMutex
KeReleaseMutex
KeAreAllApcsDisabled
KeInitializeDpc
KeInitializeTimerEx
RtlQueryRegistryValues
KeCancelTimer
KeFlushQueuedDpcs
KeSetCoalescableTimer
KeQueryActiveProcessorCountEx
SeCaptureSubjectContext
RtlInitializeGenericTableAvl
ExInitializePagedLookasideList
RtlGetVersion
IoWMIRegistrationControl
MmIsThisAnNtAsSystem
KeBugCheckEx
PsInitialSystemProcess
ProbeForWrite
ExReleaseRundownProtection
ExAcquireFastMutex
ObfReferenceObject
ExQueryDepthSList
ExpInterlockedPushEntrySList
ExReleaseFastMutex
ExpInterlockedPopEntrySList
RtlCompareUnicodeString
ExInitializeRundownProtection
KeLeaveCriticalRegion
ExReleaseFastMutexUnsafe
KeExpandKernelStackAndCalloutEx
KeInitializeEvent
ExFreePoolWithTag
ExAllocatePoolWithTag
ExDeletePagedLookasideList
RtlCopyUnicodeString
ExReInitializeRundownProtection
ExWaitForRundownProtectionRelease
ObfDereferenceObject
KeEnterCriticalRegion
ExAcquireFastMutexUnsafe
_vsnwprintf
ZwQuerySystemInformation
ZwQuerySymbolicLinkObject
ZwOpenSymbolicLinkObject
wcscpy_s
wcschr
_wcsnicmp
wcsrchr
__C_specific_handler
__chkstk

fltmgr.sys

FltParseFileNameInformation
FltFreeGenericWorkItem
FltQueueGenericWorkItem
FltIsOperationSynchronous
FltSetIoPriorityHintIntoCallbackData
FltPerformAsynchronousIo
FltAllocateGenericWorkItem
FltInitializePushLock
FltDeletePushLock
FltFlushBuffers
FltAllocateDeferredIoWorkItem
FltQueueDeferredIoWorkItem
FltFreePoolAlignedWithTag
FltDeviceIoControlFile
FltReadFile
FltOpenVolume
FltFreeDeferredIoWorkItem
FltAllocatePoolAlignedWithTag
FltAcquirePushLockShared
FltIsIoCanceled
FltCompletePendedPreOperation
FltAcquirePushLockExclusive
FltGetIoPriorityHintFromCallbackData
FltReleasePushLock
FltInitExtraCreateParameterLookasideList
FltStartFiltering
FltGetRoutineAddress
FltRegisterFilter
FltGetVolumeFromFileObject
FltCreateFileEx
FltWriteFile
FltQueryInformationFile
FltUntagFile
FltGetFileNameInformationUnsafe
FltEnumerateInstances
FltAttachVolume
FltGetFilterFromName
FltTagFile
FltIsDirectory
FltSetInformationFile
FltObjectDereference
FltPerformSynchronousIo
FltLockUserBuffer
FltAllocateCallbackDataEx
FltFreeCallbackData
FltAllocateExtraCreateParameterList
FltInsertExtraCreateParameter
FltCancelFileOpen
FltDeleteStreamContext
FltReissueSynchronousIo
FltReleaseFileNameInformation
FltFsControlFile
FltGetEcpListFromCallbackData
FltGetFileNameInformation
FltEnlistInTransaction
FltSetEcpListIntoCallbackData
FltFindExtraCreateParameter
FltAllocateExtraCreateParameterFromLookasideList
FltSetCallbackDataDirty
FltSetStreamContext
FltSetTransactionContext
FltReferenceContext
FltGetTransactionContext
FltGetInstanceContext
FltUnregisterFilter
FltAllocateContext
FltGetVolumeProperties
FltQueryDirectoryFile
FltGetVolumeGuidName
FltReleaseContext
FltDeleteExtraCreateParameterLookasideList
FltGetStreamHandleContext
FltGetStreamContext
FltSetInstanceContext
FltClose
FltGetDiskDeviceObject
FltDeleteInstanceContext
FltSetFileContext
FltSetStreamHandleContext
FltQueryVolumeInformationFile

cng.sys

BCryptGetProperty
BCryptCreateHash
BCryptHashData
BCryptDestroyHash
BCryptCloseAlgorithmProvider
BCryptFinishHash
BCryptOpenAlgorithmProvider

Sections

.text
Size: 73KB - Virtual size: 73KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 13KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 93KB - Virtual size: 93KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 1024B - Virtual size: 832B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

GFIDS
Size: 512B - Virtual size: 504B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 144B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Config/arm64/CBSHost.dll
Config/arm64/NCleaner.dll
Config/default.ui.zip
.zip
Config/x86/CBSHost.dll
.dll windows:6 windows x86

22d854c753b91ff832cc76d8016fa7ea

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

DeleteFileW
FindNextFileW
FindClose
LoadLibraryW
CreateProcessW
WaitForMultipleObjects
VirtualProtect
ExitProcess
OpenProcess
GetCurrentProcessId
CreateThread
OpenEventW
DuplicateHandle
ExpandEnvironmentStringsW
SetEnvironmentVariableW
GetEnvironmentVariableW
SetDllDirectoryW
GetLocalTime
CopyFileW
GetModuleHandleExW
InitializeCriticalSectionEx
GetModuleFileNameW
MultiByteToWideChar
CreateHardLinkTransactedW
DeleteFileTransactedW
MoveFileExW
DeleteCriticalSection
CreateFileMappingW
MapViewOfFile
GetExitCodeProcess
AreFileApisANSI
VirtualFree
InitializeSListHead
GetTickCount64
QueryPerformanceCounter
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
SleepConditionVariableSRW
CreateDirectoryW
GetCurrentThreadId
FindResourceExW
FindResourceW
LoadResource
LockResource
SizeofResource
GetTickCount
GetCurrentProcess
LocalFree
GetProcessHeap
HeapSize
HeapDestroy
LoadLibraryExW
GetProcAddress
GetModuleHandleW
FreeLibrary
IsWow64Process
GetSystemDirectoryW
GetSystemTimeAsFileTime
GetSystemInfo
TerminateProcess
Sleep
CreateEventW
WaitForSingleObject
SetEvent
InitOnceExecuteOnce
HeapFree
HeapReAlloc
HeapAlloc
SetLastError
GetLastError
RaiseException
CloseHandle
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
LeaveCriticalSection
EnterCriticalSection
OutputDebugStringW
IsDebuggerPresent
FindFirstFileW
WriteFile
VirtualAlloc
ReadFile
GetFileSize
InterlockedFlushSList
GlobalMemoryStatusEx
UnmapViewOfFile
CreateFileW
VirtualQuery

user32

TranslateMessage
DispatchMessageW
PostThreadMessageW
GetMessageW

advapi32

OpenProcessToken
InitializeSid
RegGetValueW
RegDeleteValueW
RegFlushKey
RegLoadKeyW
RegSetValueExW
RegCreateKeyExW
RegEnumKeyW
RegQueryInfoKeyW
RegUnLoadKeyW
RegEnumValueW
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
GetSidLengthRequired
GetTokenInformation
InitializeSecurityDescriptor
MakeAbsoluteSD
GetSecurityDescriptorControl
GetSecurityDescriptorSacl
SetSecurityDescriptorDacl
GetSecurityDescriptorDacl
SetSecurityDescriptorGroup
GetSecurityDescriptorGroup
SetSecurityDescriptorOwner
GetSecurityDescriptorOwner
GetAclInformation
AddAce
InitializeAcl
IsValidSid
GetLengthSid
ConvertSidToStringSidW
CopySid
GetSidSubAuthority

shell32

SHGetSpecialFolderPathW
CommandLineToArgvW
ord680

ole32

CoCreateInstance
CoGetMalloc
CoInitializeSecurity
CoInitializeEx
CoTaskMemFree

shlwapi

PathSkipRootW
StrStrW
PathFindExtensionW
StrCmpW
StrCpyW
PathIsDirectoryEmptyW
PathFindFileNameW
ord437
StrStrIA
SHCreateStreamOnFileW
StrCatW
StrChrW
StrCmpNW
StrStrA
StrCmpIW
StrRChrW
StrCmpNIW
StrStrIW

ntdll

ZwQueryDirectoryFile
RtlImageNtHeader
NtClose
RtlAdjustPrivilege
RtlGetLastNtStatus
NtQueryInformationFile
NtCreateFile
NtOpenFile
NtReadFile
RtlNtStatusToDosError
NtSetInformationFile
NtQueryInformationProcess
RtlFreeUnicodeString
NtWriteFile
NtDeleteKey
RtlDosPathNameToNtPathName_U

cfgmgr32

CM_Locate_DevNodeW
CM_Reenumerate_DevNode

setupapi

SetupDiGetClassDescriptionW
SetupDiDestroyDeviceInfoList
SetupDiGetDevicePropertyW
SetupDiEnumDeviceInfo
SetupDiGetClassDevsW
SetupUninstallOEMInfW

version

VerQueryValueW

msvcrt

swscanf
sscanf
_vscwprintf
vswprintf_s
realloc
?terminate@@YAXXZ
__CppXcptFilter
_msize
__CxxFrameHandler3
__DestructExceptionObject
memset
??3@YAXPAX@Z
memcpy
_errno
memmove
wcslen
wcsnlen
free
malloc
??2@YAPAXI@Z
memcmp
_wcsicmp
strlen
wcstoul
wcscpy
wcsrchr
calloc
??0exception@@QAE@ABV0@@Z
?what@exception@@UBEPBDXZ
??1exception@@UAE@XZ
wcscmp
_purecall
??_V@YAXPAX@Z
??_U@YAPAXI@Z
??0exception@@QAE@XZ
??0exception@@QAE@ABQBD@Z
_CxxThrowException
_initterm
_initterm_e
_amsg_exit
_except_handler4_common
__getmainargs
bsearch
_invalid_parameter

Exports

Exports

CbsCreateTempDirectory2
CreateCbsHostHelper
DismGetScratchDir
DismWriteLog
GetConfig
RunCbsHostW

Sections

.text
Size: 75KB - Virtual size: 75KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 37KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 824B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Config/x86/NCleaner.dll
.dll windows:6 windows x86

0173fad127ecef034148254d5317bc14

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

FreeLibrary
GetModuleHandleW
GetProcAddress
LoadLibraryExW
CreateEventExW
FindNextFileW
FindFirstFileW
FindClose
GetFileInformationByHandleEx
QueryPerformanceCounter
GetTickCount64
SetFileInformationByHandle
GetProcessHeap
GetCurrentProcess
InitializeSListHead
GetSystemDirectoryW
GetSystemTimeAsFileTime
TerminateProcess
InitOnceExecuteOnce
HeapFree
HeapAlloc
GetCurrentThreadId
GetCurrentProcessId
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
IsDebuggerPresent
SetLastError
GetLastError
CloseHandle
InterlockedFlushSList
CreateFileW

advapi32

RegEnumKeyW
RegDeleteTreeW
RegCloseKey
RegQueryValueExW
RegOpenKeyExW
RegCreateKeyExW

ole32

CLSIDFromString
IIDFromString
CoCreateInstance

msvcrt

?what@exception@@UBEPBDXZ
??1exception@@UAE@XZ
??2@YAPAXI@Z
wcscat_s
towupper
memcpy
memmove
wcslen
wcscpy_s
_wcsnicmp
__CxxFrameHandler3
??0exception@@QAE@ABQBD@Z
_CxxThrowException
_cexit
_initterm
_initterm_e
memset
_except_handler4_common
__getmainargs
atexit
__DestructExceptionObject
free
_invalid_parameter
malloc
_lock
_unlock
__dllonexit
?terminate@@YAXXZ
??3@YAXPAX@Z
__CppXcptFilter
??0exception@@QAE@ABV0@@Z
_swprintf_c
_vscwprintf
_vsnwprintf_s
_wcsicmp

dism++x86.exe

DismGetAllUsersAppx
DismRegOpenKeyEx
DismWriteLog
DismGetSystemInfoBySession
DismRemoveAppx
DismFreeMemory

shlwapi

PathFindFileNameW
PathFindExtensionW
PathFileExistsW

Exports

Exports

NCCorruptedAppXOnlineCleanup
NCDOCacheOnlineCleanup
NCInstallerFolderCleanup
NCPackageCacheFolderCleanup
NCSRPointOnlineCleanup
NCVSPackageCacheCleanup
NCWinEventLogOnlineCleanup

Sections

.text
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 984B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Config/x86/bcdboot.exe
.exe windows:10 windows x86

a6faca78f3a0e9fb9cf5b9d15ded6a9a

Code Sign

33:00:00:00:8e:a8:19:d7:3f:36:8b:7a:40:00:00:00:00:00:8e
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

07/10/2015, 18:14

Not After

07/01/2017, 18:14

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:C0F4-3086-DEF8,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04/06/2015, 17:42

Not After

04/09/2016, 17:42

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31/08/2010, 22:19

Not After

31/08/2020, 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:7b:a2:81:0b:87:11:ab:e7:fc:00:00:00:00:00:7b
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

01/10/2014, 18:06

Not After

01/01/2016, 18:06

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

82:c7:68:5a:cc:9c:de:a4:99:b8:a2:94:da:83:9b:50:ec:98:75:7c:82:61:9b:e3:72:85:76:82:7e:1c:14:37
Signer

Actual PE Digest

82:c7:68:5a:cc:9c:de:a4:99:b8:a2:94:da:83:9b:50:ec:98:75:7c:82:61:9b:e3:72:85:76:82:7e:1c:14:37

Digest Algorithm

sha256

PE Digest Matches

true

eb:52:20:5d:e1:0c:7a:b3:dc:00:32:58:87:34:b3:3f:52:6d:39:b4
Signer

Actual PE Digest

eb:52:20:5d:e1:0c:7a:b3:dc:00:32:58:87:34:b3:3f:52:6d:39:b4

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

Sleep
UnhandledExceptionFilter
GetFileType
GetProcAddress
GetStdHandle
GetConsoleOutputCP
GetModuleFileNameW
WriteConsoleW
FormatMessageW
GetConsoleMode
LoadLibraryW
WideCharToMultiByte
WriteFile
GetProcessHeap
HeapFree
HeapAlloc
FreeLibrary
SetLastError
GetLastError
GetCurrentProcess
TerminateProcess
GetModuleHandleA
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
LoadLibraryExW
GetVolumePathNameW
QueryDosDeviceW
LocalFree
MapViewOfFile
UnmapViewOfFile
GetCurrentThread
CreateFileW
GetFileSizeEx
CreateFileMappingW
CloseHandle
GetVolumeNameForVolumeMountPointW
FindFirstFileW
MoveFileExW
GetFileAttributesW
FindClose
GetUserDefaultUILanguage
GetVersionExW
LoadResource
FindResourceExW
GetSystemDefaultUILanguage
SearchPathW
CreateDirectoryW
GetFileInformationByHandle
DeviceIoControl
GetModuleHandleW
CopyFileExW
GetFullPathNameW
GetLocaleInfoW
GetVolumeInformationW
SetFileAttributesW
GetPrivateProfileSectionW
FindNextFileW
SetUnhandledExceptionFilter

msvcrt

wcstoul
wcscat_s
_ultow_s
wcsncpy_s
wcsstr
memset
_wcslwr
_snwscanf_s
strncmp
wcsncmp
bsearch
__iob_func
memcmp
memcpy
wcschr
_vsnwprintf_s
fflush
fwprintf
_vsnwprintf
wcsnlen
wcsrchr
memmove
_wcsupr
_except_handler4_common
_controlfp
?terminate@@YAXXZ
_initterm
__setusermatherr
__p__fmode
_cexit
_exit
exit
__set_app_type
__wgetmainargs
_amsg_exit
__p__commode
_XcptFilter
wcscpy_s
_wsetlocale
_wcsicmp
swprintf_s
_wcsnicmp

rpcrt4

UuidCreate

imagehlp

CheckSumMappedFile

shlwapi

PathRemoveBackslashW

ntdll

NtEnumerateBootEntries
NtOpenDirectoryObject
NtQueryDirectoryObject
NtQueryBootEntryOrder
NtResetEvent
NtQueryValueKey
NtQuerySymbolicLinkObject
NtOpenSymbolicLinkObject
NtOpenKey
ZwResetEvent
ZwDeviceIoControlFile
ZwOpenSymbolicLinkObject
RtlGetVersion
ZwQuerySymbolicLinkObject
ZwCreateEvent
NtAdjustPrivilegesToken
NtOpenThreadTokenEx
RtlImpersonateSelf
NtOpenProcessTokenEx
LdrGetDllHandle
LdrGetProcedureAddress
RtlInitAnsiString
ZwAllocateUuids
RtlSetOwnerSecurityDescriptor
ZwOpenKey
ZwQueryKey
RtlCreateSecurityDescriptor
RtlLengthSid
ZwEnumerateKey
ZwDeleteKey
RtlAllocateAndInitializeSid
ZwLoadKey
RtlAddAccessAllowedAceEx
ZwSetSecurityObject
RtlLengthSecurityDescriptor
ZwQueryValueKey
ZwCreateFile
ZwSaveKey
ZwSetValueKey
ZwDeleteValueKey
RtlSetDaclSecurityDescriptor
RtlFreeSid
RtlCreateAcl
ZwCreateKey
ZwUnloadKey
RtlAppendUnicodeToString
ZwQueryAttributesFile
ZwOpenFile
ZwClose
ZwWaitForSingleObject
ZwReleaseMutant
ZwOpenMutant
ZwQuerySystemInformation
NtSetInformationFile
RtlAllocateHeap
RtlFreeHeap
LdrFindResource_U
LdrAccessResource
NtQuerySystemInformation
NtOpenFile
RtlImageNtHeader
NtOpenProcess
NtCreateEvent
NtClose
NtSetInformationThread
NtWaitForSingleObject
NtQueryInformationProcess
NtQueryInformationFile
NtQueryInformationThread
NtDeviceIoControlFile
RtlCompareMemory
RtlNtStatusToDosError
RtlFreeUnicodeString
RtlStringFromGUID
RtlGUIDFromString
RtlInitUnicodeString
NtTranslateFilePath

advapi32

OpenThreadToken
GetTokenInformation
GetSecurityDescriptorControl
SetNamedSecurityInfoW
LookupPrivilegeValueW
GetSecurityDescriptorOwner
ConvertStringSecurityDescriptorToSecurityDescriptorW
GetSecurityDescriptorSacl
AdjustTokenPrivileges
ConvertSidToStringSidW
GetSecurityDescriptorGroup
GetSecurityDescriptorDacl
RegCloseKey
RegOpenKeyExW
OpenProcessToken
RegQueryValueExW

Sections

.text
Size: 122KB - Virtual size: 122KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Config/x86/wimgapi.dll
.dll windows:10 windows x86

d913ef7993bd90aa4eb5f9bb86c868e8

Code Sign

33:00:00:02:39:b2:b4:e8:2a:22:34:49:2f:00:00:00:00:02:39
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

12/07/2018, 20:07

Not After

08/08/2019, 20:07

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

8a:54:ba:9a:d2:4b:f8:68:2e:06:45:18:d9:be:4f:38:7b:b3:b7:30:bc:8c:fc:73:4e:fb:c3:14:59:b4:97:1a
Signer

Actual PE Digest

8a:54:ba:9a:d2:4b:f8:68:2e:06:45:18:d9:be:4f:38:7b:b3:b7:30:bc:8c:fc:73:4e:fb:c3:14:59:b4:97:1a

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_DLL

Imports

msvcrt

_wcsnicmp
wcsnlen
wcsstr
_vsnwprintf
_wtoi
swscanf_s
wcsrchr
_wcstoi64
_wcsicmp
strcpy_s
wcsncmp
memmove
_onexit
__dllonexit
_unlock
_lock
strncpy_s
_initterm
malloc
free
_amsg_exit
memcpy_s
_wcsupr
memcpy
memcmp
_callnewh
bsearch
_purecall
iswspace
memmove_s
_vscwprintf
_strnicmp
towupper
towlower
_wcslwr
_wcsrev
qsort
wcschr
_XcptFilter
wcstok_s
_except_handler4_common
wcstoul
memset

kernel32

DosDateTimeToFileTime
GetLastError
GetHandleInformation
SetLastError
SetFilePointerEx
CloseHandle
SetEndOfFile
CompareStringW
HeapFree
GetProcessHeap
DeleteFileW
CreateFileW
GetFileInformationByHandle
LocalAlloc
HeapAlloc
GetSystemDirectoryW
LocalFree
LocalFileTimeToFileTime
SetFileTime
GetDriveTypeW
RemoveDirectoryW
GetModuleHandleW
GetVolumePathNameW
GetVolumeNameForVolumeMountPointW
GetCurrentDirectoryW
DeviceIoControl
WriteFile
GetFileAttributesW
FindFirstFileW
FindNextFileW
FindClose
GetTempPathW
GetTempFileNameW
GetFileSize
SetFilePointer
ReadFile
DeleteCriticalSection
GetSystemInfo
InitializeCriticalSection
SetThreadIdealProcessor
GetCurrentThread
GetFileSizeEx
GetEnvironmentVariableW
GetOverlappedResult
EnterCriticalSection
LeaveCriticalSection
FlushFileBuffers
CreateDirectoryW
CreateEventW
CreateSemaphoreExW
UnlockFileEx
HeapReAlloc
WaitForSingleObject
ExpandEnvironmentStringsW
CreateMutexW
GetModuleHandleExW
GetModuleFileNameW
FormatMessageW
ReleaseMutex
WideCharToMultiByte
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
OpenProcess
InitializeCriticalSectionAndSpinCount
QueryPerformanceCounter
GetVolumeInformationByHandleW
SetFileAttributesW
GlobalMemoryStatusEx
GetFinalPathNameByHandleW
LoadLibraryExW
FreeLibrary
GetProcAddress
GetFullPathNameW
GetVolumeInformationW
GetExitCodeProcess
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
Sleep
DisableThreadLibraryCalls
OpenEventW
GetPrivateProfileSectionW
WaitForMultipleObjects
ReleaseSemaphore
SetEvent
CreateSemaphoreW
CreateThread
LoadLibraryW
GetVolumePathNamesForVolumeNameW
LockFileEx
MultiByteToWideChar
CopyFileExW
CreateProcessW
GetLogicalDriveStringsW
DuplicateHandle
WaitForMultipleObjectsEx
ResetEvent
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile

bcrypt

BCryptFinishHash
BCryptHashData
BCryptCreateHash
BCryptGetProperty
BCryptDestroyHash
BCryptCloseAlgorithmProvider
BCryptOpenAlgorithmProvider

fltlib

FilterAttach
FilterLoad

cabinet

ord22
ord20
ord23

advapi32

SetThreadToken
RegEnumKeyExW
RegEnumValueW
RegQueryInfoKeyW
CloseEncryptedFileRaw
ReadEncryptedFileRaw
AdjustTokenPrivileges
OpenEncryptedFileRawW
AddAccessAllowedAceEx
RevertToSelf
GetSecurityInfo
FreeSid
SetSecurityDescriptorDacl
EqualSid
AddAccessAllowedAce
InitializeAcl
GetLengthSid
GetTokenInformation
OpenProcessToken
OpenThreadToken
AllocateAndInitializeSid
InitializeSecurityDescriptor
RegDeleteKeyExW
GetAclInformation
GetSecurityDescriptorLength
GetSecurityDescriptorControl
GetSecurityDescriptorSacl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorOwner
RegUnLoadKeyW
RegFlushKey
RegSetValueExW
RegDeleteValueW
RegCreateKeyExW
RegLoadKeyW
RegCloseKey
RegOpenKeyExW
WriteEncryptedFileRaw
RegQueryValueExW

version

GetFileVersionInfoSizeExW
VerQueryValueW
GetFileVersionInfoExW

user32

CharUpperW

ntdll

RtlAcquireResourceShared
RtlReleaseResource
RtlDeleteResource
RtlDosPathNameToNtPathName_U_WithStatus
RtlGetVersion
RtlInitializeCriticalSection
RtlDeleteCriticalSection
RtlAcquireResourceExclusive
RtlRaiseStatus
NtYieldExecution
DbgPrintEx
RtlReAllocateHeap
RtlDowncaseUnicodeChar
NtSetEaFile
NtQuerySecurityObject
RtlInitUnicodeString
RtlImpersonateSelf
NtQueryVolumeInformationFile
NtCreateFile
NtQueryEaFile
NtQueryInformationProcess
NtQueryInformationFile
NtSetSecurityObject
RtlFindAceByType
RtlSetControlSecurityDescriptor
RtlGetLastNtStatus
NtSetInformationFile
RtlSetIoCompletionCallback
RtlFreeHeap
NtClose
NtQueryDirectoryFile
RtlAllocateHeap
NtOpenFile
RtlDosPathNameToNtPathName_U
RtlAdjustPrivilege
RtlNtStatusToDosError
RtlInitializeResource

rpcrt4

I_RpcMapWin32Status
UuidToStringW
RpcStringFreeW
UuidFromStringW
NdrClientCall2
RpcStringBindingComposeW
RpcBindingFromStringBindingW
RpcBindingSetAuthInfoW
RpcBindingFree
UuidCreate

Exports

Exports

DllCanUnloadNow
DllMain
WIMAddImagePath
WIMAddImagePaths
WIMAddWimbootEntry
WIMApplyImage
WIMCaptureImage
WIMCloseHandle
WIMCommitImageHandle
WIMCopyFile
WIMCreateFile
WIMCreateImageFile
WIMCreateWofCompressedFile
WIMDeleteImage
WIMDeleteImageMounts
WIMEnumImageFiles
WIMExportImage
WIMExtractImageDirectory
WIMExtractImagePath
WIMFindFirstImageFile
WIMFindNextImageFile
WIMGetAttributes
WIMGetImageCount
WIMGetImageInformation
WIMGetMessageCallbackCount
WIMGetMountedImageHandle
WIMGetMountedImageInfo
WIMGetMountedImageInfoFromHandle
WIMGetMountedImages
WIMGetWIMBootEntries
WIMGetWIMBootWIMPath
WIMInitFileIOCallbacks
WIMInitializeWofDriver
WIMIsCurrentSystemWimboot
WIMIsReferenceWim
WIMLoadImage
WIMMountImage
WIMMountImageHandle
WIMProcessCustomImage
WIMReadFileEx
WIMReadImageFile
WIMRedirectFolderBeforeApply
WIMRegisterLogFile
WIMRegisterMessageCallback
WIMRemountImage
WIMSetBootImage
WIMSetFileIOCallbackTemporaryPath
WIMSetImageInformation
WIMSetImageUserSpecifiedCreationTime
WIMSetReferenceFile
WIMSetTemporaryPath
WIMSetWimGuid
WIMSingleInstanceFile
WIMSplitFile
WIMUnmountImage
WIMUnmountImageHandle
WIMUnregisterLogFile
WIMUnregisterMessageCallback
WIMUpdateWIMBootEntry
WIMWriteFileWithIntegrity

Sections

.text
Size: 544KB - Virtual size: 543KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 19KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Config/x86/wofadk.sys
.sys windows:10 windows x86

3210bb7db9e3473b887a43e6ceeffd9f

Code Sign

33:00:00:00:9d:42:68:ee:31:1c:d7:56:bd:00:00:00:00:00:9d
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

30/03/2016, 19:21

Not After

30/06/2017, 19:21

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:148C-C4B9-2066,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04/06/2015, 17:42

Not After

04/09/2016, 17:42

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31/08/2010, 22:19

Not After

31/08/2020, 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:ef:d8:87:2e:35:a3:82:8a:2f:00:00:00:00:00:ef
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

28/10/2015, 20:31

Not After

28/01/2017, 20:31

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

18:7f:d3:0e:4c:01:e4:be:71:5a:c9:09:6f:6f:8f:a7:da:6a:24:23:8b:c0:7a:a5:30:d4:21:b5:b9:ae:e9:fd
Signer

Actual PE Digest

18:7f:d3:0e:4c:01:e4:be:71:5a:c9:09:6f:6f:8f:a7:da:6a:24:23:8b:c0:7a:a5:30:d4:21:b5:b9:ae:e9:fd

Digest Algorithm

sha256

PE Digest Matches

true

82:73:62:db:b3:e8:28:7e:3b:74:41:57:ea:9e:7e:56:db:e3:ae:1f
Signer

Actual PE Digest

82:73:62:db:b3:e8:28:7e:3b:74:41:57:ea:9e:7e:56:db:e3:ae:1f

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

ntoskrnl.exe

ZwClose
SeLockSubjectContext
ZwQueryValueKey
SeUnlockSubjectContext
SeReleaseSubjectContext
RtlEnumerateGenericTableAvl
ExAcquireRundownProtection
RtlLookupElementGenericTableAvl
RtlFreeUnicodeString
SeTokenIsAdmin
RtlDeleteElementGenericTableAvl
RtlAppendUnicodeStringToString
KeDelayExecutionThread
ExRundownCompleted
EtwRegister
MmGetSystemRoutineAddress
PsGetProcessImageFileName
ObDereferenceObjectDeferDelete
EtwUnregister
EtwWriteTransfer
IoGetCurrentProcess
ProbeForRead
FsRtlValidateReparsePointBuffer
TmCurrentTransaction
RtlCompareMemory
RtlInitUnicodeString
KeQueryPriorityThread
KeGetCurrentThread
MmMapViewOfSection
ExDeleteLookasideListEx
ZwDeviceIoControlFile
EtwEventEnabled
RtlCheckRegistryKey
ZwCreateSection
ZwQueryInformationThread
RtlSetBit
ExQueueWorkItem
RtlAreBitsSet
PsInitialSystemProcess
ZwOpenKey
IoGetDeviceObjectPointer
RtlRunOnceExecuteOnce
KeStackAttachProcess
KeSetEvent
KdRefreshDebuggerNotPresent
ZwSetInformationThread
ObReferenceObjectByHandle
MmUnmapViewOfSection
RtlFindNextForwardRunClear
EtwWrite
IofCallDriver
RtlInitializeBitMap
ZwOpenFile
ExInitializeLookasideListEx
RtlTestBit
KeWaitForSingleObject
KeSetPriorityThread
KeUnstackDetachProcess
_i64tow_s
RtlClearAllBits
IoAllocateWorkItem
RtlAppendUnicodeToString
_wcsicmp
RtlCreateSystemVolumeInformationFolder
IoQueueWorkItemEx
IoFreeWorkItem
KeAllocateCalloutStackEx
IoGetRelatedDeviceObject
ExDeleteNPagedLookasideList
KeFreeCalloutStack
ExInitializeNPagedLookasideList
KeInitializeMutex
KeReleaseMutex
KeAreAllApcsDisabled
KeInitializeDpc
KeInitializeTimerEx
RtlQueryRegistryValues
KeCancelTimer
KeFlushQueuedDpcs
KeSetCoalescableTimer
KeQueryActiveProcessorCountEx
SeCaptureSubjectContext
RtlInitializeGenericTableAvl
ExInitializePagedLookasideList
RtlGetVersion
IoWMIRegistrationControl
MmIsThisAnNtAsSystem
IoBuildDeviceIoControlRequest
KeBugCheckEx
RtlEqualUnicodeString
memmove
MmMapLockedPagesSpecifyCache
ProbeForWrite
InterlockedPopEntrySList
ExReleaseRundownProtection
InterlockedPushEntrySList
ObfReferenceObject
RtlCompareUnicodeString
ExInitializeRundownProtection
KeLeaveCriticalRegion
ExReleaseFastMutexUnsafe
KeExpandKernelStackAndCalloutEx
KeInitializeEvent
ExFreePoolWithTag
ExAllocatePoolWithTag
ExDeletePagedLookasideList
RtlCopyUnicodeString
ExReInitializeRundownProtection
ExWaitForRundownProtectionRelease
ObfDereferenceObject
KeEnterCriticalRegion
ExAcquireFastMutexUnsafe
swprintf_s
_vsnwprintf
ZwQuerySystemInformation
ZwQuerySymbolicLinkObject
ZwOpenSymbolicLinkObject
wcscpy_s
wcschr
_wcsnicmp
wcsrchr
_alldiv
_alldvrm
_allmul
_allrem
_aulldiv
memcpy
memset
_alloca_probe
RtlUnwind

hal

KeGetCurrentIrql
ExAcquireFastMutex
ExReleaseFastMutex

fltmgr.sys

FltQueryInformationFile
FltFreeGenericWorkItem
FltQueueGenericWorkItem
FltIsOperationSynchronous
FltSetIoPriorityHintIntoCallbackData
FltPerformAsynchronousIo
FltAllocateGenericWorkItem
FltInitializePushLock
FltDeletePushLock
FltFlushBuffers
FltAllocateDeferredIoWorkItem
FltQueueDeferredIoWorkItem
FltFreePoolAlignedWithTag
FltDeviceIoControlFile
FltReadFile
FltOpenVolume
FltFreeDeferredIoWorkItem
FltAllocatePoolAlignedWithTag
FltAcquirePushLockShared
FltIsIoCanceled
FltCompletePendedPreOperation
FltAcquirePushLockExclusive
FltGetIoPriorityHintFromCallbackData
FltReleasePushLock
FltInitExtraCreateParameterLookasideList
FltStartFiltering
FltGetRoutineAddress
FltRegisterFilter
FltGetVolumeFromFileObject
FltCreateFileEx
FltWriteFile
FltUntagFile
FltGetFileNameInformationUnsafe
FltParseFileNameInformation
FltEnumerateInstances
FltAttachVolume
FltGetFilterFromName
FltTagFile
FltIsDirectory
FltSetInformationFile
FltObjectDereference
FltPerformSynchronousIo
FltLockUserBuffer
FltAllocateCallbackDataEx
FltFreeCallbackData
FltAllocateExtraCreateParameterList
FltInsertExtraCreateParameter
FltCancelFileOpen
FltDeleteStreamContext
FltReissueSynchronousIo
FltReleaseFileNameInformation
FltFsControlFile
FltGetEcpListFromCallbackData
FltGetFileNameInformation
FltEnlistInTransaction
FltSetEcpListIntoCallbackData
FltFindExtraCreateParameter
FltAllocateExtraCreateParameterFromLookasideList
FltSetCallbackDataDirty
FltSetStreamContext
FltSetTransactionContext
FltReferenceContext
FltGetTransactionContext
FltSetStreamHandleContext
FltSetFileContext
FltDeleteInstanceContext
FltGetInstanceContext
FltUnregisterFilter
FltAllocateContext
FltGetVolumeProperties
FltQueryDirectoryFile
FltGetVolumeGuidName
FltReleaseContext
FltDeleteExtraCreateParameterLookasideList
FltGetStreamHandleContext
FltGetStreamContext
FltSetInstanceContext
FltClose
FltGetDiskDeviceObject
FltQueryVolumeInformationFile

cng.sys

BCryptCreateHash
BCryptHashData
BCryptDestroyHash
BCryptCloseAlgorithmProvider
BCryptFinishHash
BCryptOpenAlgorithmProvider
BCryptGetProperty

Sections

.text
Size: 58KB - Virtual size: 57KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 512B - Virtual size: 152B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGER32C
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGE
Size: 80KB - Virtual size: 79KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 512B - Virtual size: 464B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Dism++ARM64.exe
Dism++x64.exe
.exe windows:6 windows x64

d1e008c8cf1935eb6666ee1a9be8a2a5

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

HeapReAlloc
HeapFree
InitOnceExecuteOnce
SetEvent
ResetEvent
WaitForSingleObject
CreateEventW
Sleep
TerminateProcess
GetSystemInfo
GetSystemTimeAsFileTime
GetSystemDirectoryW
IsWow64Process
FreeLibrary
GetModuleHandleW
GetProcAddress
LoadLibraryExW
GetCurrentThreadId
HeapDestroy
HeapSize
GetProcessHeap
EnterCriticalSection
LeaveCriticalSection
VerifyVersionInfoW
VerSetConditionMask
SizeofResource
LockResource
LoadResource
FindResourceW
FindResourceExW
WritePrivateProfileSectionW
GetFileAttributesW
DeviceIoControl
GetVolumePathNameW
GetVolumeInformationByHandleW
GetModuleFileNameW
GetEnvironmentVariableW
UnmapViewOfFile
MoveFileExW
DeleteFileW
GetNativeSystemInfo
GlobalMemoryStatusEx
GetUserDefaultLCID
LCIDToLocaleName
GetThreadLocale
GetLocaleInfoEx
CreateProcessW
GetWindowsDirectoryW
FindClose
FindFirstFileW
FindNextFileW
IsValidLocaleName
MoveFileW
CreateDirectoryW
GetVolumeInformationW
SetVolumeLabelW
RemoveDirectoryW
DeleteCriticalSection
GetTickCount
CreateFileMappingW
MapViewOfFile
LocalFree
GetCurrentProcess
ReadFile
WriteFile
SetFilePointer
GetTempPathA
GetTempFileNameA
DeleteFileA
GetFileInformationByHandle
FileTimeToLocalFileTime
FileTimeToDosDateTime
lstrcpyA
lstrcpynA
ReleaseMutex
HeapAlloc
ReleaseSRWLockExclusive
InitializeCriticalSectionEx
InitializeSRWLock
AcquireSRWLockExclusive
AcquireSRWLockShared
VirtualFreeEx
VirtualAllocEx
DuplicateHandle
WaitForMultipleObjects
ExpandEnvironmentStringsW
SetFilePointerEx
GetFileSizeEx
SetEnvironmentVariableW
GetVolumeNameForVolumeMountPointW
CreateMutexW
GetFullPathNameW
lstrcmpiA
CopyFileW
GetFileSize
GetLocaleInfoW
GetExitCodeProcess
WideCharToMultiByte
lstrcmpA
SystemTimeToFileTime
GetExitCodeThread
EnumUILanguagesW
CopyFileExW
FreeResource
SetThreadUILanguage
SetThreadLocale
LocaleNameToLCID
OpenProcess
DecodePointer
VirtualProtect
GetDiskFreeSpaceExW
GetCurrentProcessId
VirtualQuery
GetProcessId
GetSystemTime
LoadLibraryW
FormatMessageW
GetLongPathNameW
GetTempPathW
MultiByteToWideChar
GetDriveTypeW
SetFileAttributesW
ProcessIdToSessionId
GetShortPathNameW
GetLocalTime
GetStartupInfoW
WritePrivateProfileStringW
GetModuleHandleExW
GetDiskFreeSpaceW
GetPrivateProfileSectionW
GetVersionExW
GetPrivateProfileStringW
LocalFileTimeToFileTime
GetCurrentDirectoryW
DosDateTimeToFileTime
MulDiv
GetTickCount64
TerminateThread
GetQueuedCompletionStatus
PostQueuedCompletionStatus
GlobalAlloc
GlobalLock
GlobalUnlock
CreateIoCompletionPort
ExitProcess
SetErrorMode
SetLastError
GetLastError
RaiseException
CloseHandle
ReleaseSRWLockShared
CreateFileW
QueryPerformanceCounter
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
SleepConditionVariableSRW
WakeAllConditionVariable
OutputDebugStringW
IsDebuggerPresent
LoadLibraryExA
VirtualFree
VirtualAlloc
FlushInstructionCache
InterlockedPushEntrySList
InterlockedPopEntrySList
InitializeSListHead
EncodePointer
AreFileApisANSI
RtlUnwindEx

comctl32

ord17
PropertySheetW
DestroyPropertySheetPage
CreatePropertySheetPageW
ord345
InitCommonControlsEx
_TrackMouseEvent

ntdll

ZwClose
NtCreateFile
NtQueryVolumeInformationFile
RtlGetLastNtStatus
LdrVerifyImageMatchesChecksum
NtShutdownSystem
NtReadFile
NtQueryInformationFile
RtlComputeCrc32
NtSetInformationFile
RtlFreeUnicodeString
RtlDosPathNameToNtPathName_U
NtClose
ZwQueryDirectoryFile
NtOpenFile
NtReadVirtualMemory
NtDeleteKey
NtQuerySystemInformation
ZwAddBootEntry
ZwSetBootEntryOrder
NtTranslateFilePath
ZwEnumerateBootEntries
ZwQueryBootEntryOrder
RtlNtStatusToDosError
RtlAdjustPrivilege
RtlImageNtHeader
ZwOpenSymbolicLinkObject
RtlInitUnicodeString
NtWriteFile
ZwQuerySymbolicLinkObject
RtlImageRvaToVa
NtWriteVirtualMemory
NtQueryInformationProcess

msvcrt

??8type_info@@QEBAHAEBV0@@Z
memset
??3@YAXPEAX@Z
_purecall
??2@YAPEAX_K@Z
wcsnlen
memcpy
_errno
wcstoul
wcsncpy_s
wcslen
memmove
memcmp
_wcsnicmp
wcschr
towupper
??_V@YAXPEAX@Z
??_U@YAPEAX_K@Z
wcsftime
_localtime64_s
_time64
_wcstoui64
_wcsicmp
_beginthreadex
_wcslwr_s
bsearch
free
malloc
strlen
strnlen
_mktime64
wcscpy
wcstol
_strtoui64
realloc
strcmp
strtoul
strtol
_wtoi
isdigit
??0exception@@QEAA@AEBV0@@Z
?what@exception@@UEBAPEBDXZ
??1exception@@UEAA@XZ
_wcsupr_s
wcsrchr
wcsstr
_mbschr
_mbslwr_s
iswspace
wcscmp
wcscpy_s
_mbscmp
__C_specific_handler
calloc
abs
toupper
wcsncpy
_itow
wcstod
wcscat
_strcmpi
qsort_s
_lrotl
??0exception@@QEAA@XZ
??0exception@@QEAA@AEBQEBD@Z
_CxxThrowException
__CxxFrameHandler3
__setusermatherr
_initterm
_initterm_e
_set_fmode
_amsg_exit
__wgetmainargs
_strlwr
__DestructExceptionObject
_invalid_parameter
_msize
__set_app_type
_wcmdln
abort
_commode
_XcptFilter
?terminate@@YAXXZ
vswprintf_s
_vscwprintf
swscanf
sscanf
vsprintf_s
_vscprintf
swprintf_s

Exports

Exports

BcdGetCurrentEntryIdentifier
BcdGetFirmwareBootDevice
BcdGetFirmwareType
BcdGetSystemPartition
BcdIsWinPEBoot
BcdOpenStore
DismAddDriver
DismAddPackage
DismAppAssociationsDefaultExport
DismAppAssociationsDefaultImport
DismAppAssociationsDefaultRemove
DismAppAssociationsExport
DismAppAssociationsImport
DismAppAssociationsRemove
DismApplyDPI
DismApplyImage
DismAppxsCleanup
DismCaptureImage
DismCommitImage
DismCompactOs
DismComponentCleanup
DismCreateInterface
DismDeleteImage
DismDriverCleanup
DismExpandEnvironmentStrings
DismExportImage
DismFormatMessage
DismFreeMemory
DismGetAllUsersAppx
DismGetCapabilities
DismGetDrivers
DismGetFeatures
DismGetFileFilter
DismGetImageFileInfo
DismGetMountedImages
DismGetPackages
DismGetProvisionedAppxs
DismGetScratchDir
DismGetServices
DismGetSystemInfoByPath
DismGetSystemInfoBySession
DismHardLinkMerge
DismIsNoviceMode
DismMountImage
DismMultiLanguage
DismRegOpenKey
DismRegOpenKeyEx
DismRemoveAppx
DismRemoveCapability
DismRemoveDriver
DismRemovePackage
DismRemoveProvisionedAppx
DismRemoveService
DismRestoreHealth
DismScanHealth
DismSetBootImage
DismSetImageFileInfo
DismSetServiceStart
DismUnmountImage
DismWriteLog
IbsSetFirstBootCommandLine
WinREConfig2

Sections

.text
Size: 775KB - Virtual size: 774KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 193KB - Virtual size: 193KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 25KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 46KB - Virtual size: 45KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Dism++x86.exe
.exe windows:6 windows x86

361f7e4bd354f199bd8959dc3b1fc9bd

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

HeapReAlloc
HeapFree
InitOnceExecuteOnce
SetEvent
ResetEvent
WaitForSingleObject
CreateEventW
Sleep
TerminateProcess
GetSystemInfo
GetSystemTimeAsFileTime
GetSystemDirectoryW
GetNativeSystemInfo
IsWow64Process
FreeLibrary
GetModuleHandleW
GetProcAddress
LoadLibraryExW
GetCurrentThreadId
HeapDestroy
HeapSize
GetProcessHeap
EnterCriticalSection
LeaveCriticalSection
VerifyVersionInfoW
VerSetConditionMask
SizeofResource
LockResource
LoadResource
FindResourceW
FindResourceExW
WritePrivateProfileSectionW
GetFileAttributesW
DeviceIoControl
GetVolumePathNameW
GetVolumeInformationByHandleW
GetModuleFileNameW
GetEnvironmentVariableW
UnmapViewOfFile
MoveFileExW
DeleteFileW
GlobalMemoryStatusEx
GetUserDefaultLCID
LCIDToLocaleName
GetThreadLocale
GetLocaleInfoEx
CreateProcessW
GetWindowsDirectoryW
FindClose
FindFirstFileW
FindNextFileW
IsValidLocaleName
MoveFileW
CreateDirectoryW
GetVolumeInformationW
SetVolumeLabelW
RemoveDirectoryW
DeleteCriticalSection
GetTickCount
CreateFileMappingW
MapViewOfFile
LocalFree
GetCurrentProcess
ReadFile
WriteFile
SetFilePointer
GetTempPathA
GetTempFileNameA
DeleteFileA
GetFileInformationByHandle
FileTimeToLocalFileTime
FileTimeToDosDateTime
lstrcpyA
lstrcpynA
ReleaseMutex
HeapAlloc
ReleaseSRWLockExclusive
InitializeCriticalSectionEx
InitializeSRWLock
AcquireSRWLockExclusive
AcquireSRWLockShared
VirtualFreeEx
VirtualAllocEx
DuplicateHandle
WaitForMultipleObjects
ExpandEnvironmentStringsW
SetFilePointerEx
GetFileSizeEx
SetEnvironmentVariableW
GetVolumeNameForVolumeMountPointW
CreateMutexW
GetFullPathNameW
lstrcmpiA
CopyFileW
GetFileSize
GetLocaleInfoW
GetExitCodeProcess
WideCharToMultiByte
lstrcmpA
SystemTimeToFileTime
GetExitCodeThread
EnumUILanguagesW
CopyFileExW
FreeResource
SetThreadUILanguage
SetThreadLocale
LocaleNameToLCID
OpenProcess
DecodePointer
VirtualProtect
GetDiskFreeSpaceExW
GetCurrentProcessId
VirtualQuery
GetProcessId
GetSystemTime
LoadLibraryW
FormatMessageW
GetLongPathNameW
GetTempPathW
MultiByteToWideChar
GetDriveTypeW
SetFileAttributesW
ProcessIdToSessionId
GetShortPathNameW
GetLocalTime
GetStartupInfoW
WritePrivateProfileStringW
GetModuleHandleExW
GetDiskFreeSpaceW
GetPrivateProfileSectionW
GetVersionExW
GetPrivateProfileStringW
LocalFileTimeToFileTime
GetCurrentDirectoryW
DosDateTimeToFileTime
MulDiv
GetTickCount64
TerminateThread
GetQueuedCompletionStatus
PostQueuedCompletionStatus
GlobalAlloc
GlobalLock
GlobalUnlock
CreateIoCompletionPort
EncodePointer
SetErrorMode
SetLastError
GetLastError
RaiseException
CloseHandle
ReleaseSRWLockShared
CreateFileW
InitializeSListHead
InterlockedPopEntrySList
InterlockedPushEntrySList
FlushInstructionCache
IsProcessorFeaturePresent
VirtualAlloc
VirtualFree
LoadLibraryExA
IsDebuggerPresent
OutputDebugStringW
WakeAllConditionVariable
ExitProcess
QueryPerformanceCounter
SetUnhandledExceptionFilter
UnhandledExceptionFilter
SleepConditionVariableSRW
AreFileApisANSI

comctl32

ord17
PropertySheetW
DestroyPropertySheetPage
CreatePropertySheetPageW
ord345
InitCommonControlsEx
_TrackMouseEvent

ntdll

RtlAdjustPrivilege
ZwClose
NtCreateFile
NtQueryVolumeInformationFile
RtlGetLastNtStatus
RtlImageNtHeader
ZwOpenSymbolicLinkObject
RtlInitUnicodeString
NtWriteFile
ZwQuerySymbolicLinkObject
RtlImageRvaToVa
NtDeleteKey
NtQueryInformationProcess
NtShutdownSystem
NtReadFile
NtQueryInformationFile
RtlComputeCrc32
NtSetInformationFile
RtlFreeUnicodeString
RtlDosPathNameToNtPathName_U
NtClose
ZwQueryDirectoryFile
NtOpenFile
NtReadVirtualMemory
NtWriteVirtualMemory
NtQuerySystemInformation
ZwAddBootEntry
ZwSetBootEntryOrder
NtTranslateFilePath
ZwEnumerateBootEntries
ZwQueryBootEntryOrder
RtlNtStatusToDosError
LdrVerifyImageMatchesChecksum

msvcrt

_ftol2_sse
_except_handler3
_ftol2
memset
??3@YAXPAX@Z
_purecall
??2@YAPAXI@Z
wcsnlen
memcpy
_errno
wcstoul
wcsncpy_s
wcslen
memmove
memcmp
_wcsnicmp
wcschr
towupper
??_V@YAXPAX@Z
??_U@YAPAXI@Z
wcsftime
_localtime64_s
_time64
_wcstoui64
_wcsicmp
_beginthreadex
_wcslwr_s
bsearch
free
malloc
strlen
strnlen
_mktime64
wcscpy
wcstol
_strtoui64
realloc
strcmp
strtoul
strtol
_wtoi
isdigit
??0exception@@QAE@ABV0@@Z
?what@exception@@UBEPBDXZ
??1exception@@UAE@XZ
_wcsupr_s
wcsrchr
wcsstr
_mbschr
_mbslwr_s
iswspace
wcscmp
wcscpy_s
_mbscmp
calloc
abs
toupper
wcsncpy
_itow
wcstod
wcscat
_strcmpi
qsort_s
_lrotl
??0exception@@QAE@XZ
??0exception@@QAE@ABQBD@Z
_CxxThrowException
__CxxFrameHandler3
_amsg_exit
_except_handler4_common
__wgetmainargs
__setusermatherr
_initterm
_initterm_e
_set_fmode
__p__commode
_controlfp_s
_strlwr
__DestructExceptionObject
_invalid_parameter
_msize
__set_app_type
_wcmdln
abort
_XcptFilter
?terminate@@YAXXZ
vswprintf_s
_vscwprintf
swscanf
sscanf
vsprintf_s
_vscprintf
swprintf_s

Exports

Exports

BcdGetCurrentEntryIdentifier
BcdGetFirmwareBootDevice
BcdGetFirmwareType
BcdGetSystemPartition
BcdIsWinPEBoot
BcdOpenStore
DismAddDriver
DismAddPackage
DismAppAssociationsDefaultExport
DismAppAssociationsDefaultImport
DismAppAssociationsDefaultRemove
DismAppAssociationsExport
DismAppAssociationsImport
DismAppAssociationsRemove
DismApplyDPI
DismApplyImage
DismAppxsCleanup
DismCaptureImage
DismCommitImage
DismCompactOs
DismComponentCleanup
DismCreateInterface
DismDeleteImage
DismDriverCleanup
DismExpandEnvironmentStrings
DismExportImage
DismFormatMessage
DismFreeMemory
DismGetAllUsersAppx
DismGetCapabilities
DismGetDrivers
DismGetFeatures
DismGetFileFilter
DismGetImageFileInfo
DismGetMountedImages
DismGetPackages
DismGetProvisionedAppxs
DismGetScratchDir
DismGetServices
DismGetSystemInfoByPath
DismGetSystemInfoBySession
DismHardLinkMerge
DismIsNoviceMode
DismMountImage
DismMultiLanguage
DismRegOpenKey
DismRegOpenKeyEx
DismRemoveAppx
DismRemoveCapability
DismRemoveDriver
DismRemovePackage
DismRemoveProvisionedAppx
DismRemoveService
DismRestoreHealth
DismScanHealth
DismSetBootImage
DismSetImageFileInfo
DismSetServiceStart
DismUnmountImage
DismWriteLog
IbsSetFirstBootCommandLine
WinREConfig2

Sections

.text
Size: 533KB - Virtual size: 533KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 148KB - Virtual size: 147KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 46KB - Virtual size: 45KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
ReadMe for NCleaner.txt
What's New(Public).txt

Sharing

General

Malware Config

Signatures

Files

Password: infected

631990018923d1a03da1864be53c8039

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

ntdll

msvcrt

Exports

Exports

Sections

.text Size: 91KB - Virtual size: 91KB

.rdata Size: 40KB - Virtual size: 39KB

.data Size: 1KB - Virtual size: 3KB

.pdata Size: 5KB - Virtual size: 4KB

.detourc Size: 26KB - Virtual size: 26KB

.detourd Size: 512B - Virtual size: 64B

.rsrc Size: 3KB - Virtual size: 3KB

.reloc Size: 4KB - Virtual size: 3KB

3d7868fef92048722b56c2afe9541986

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

ntdll

msvcrt

Exports

Exports

Sections

.text Size: 56KB - Virtual size: 56KB

.rdata Size: 32KB - Virtual size: 31KB

.data Size: 1024B - Virtual size: 2KB

.detourc Size: 14KB - Virtual size: 13KB

.detourd Size: 512B - Virtual size: 36B

.rsrc Size: 3KB - Virtual size: 3KB

.reloc Size: 8KB - Virtual size: 7KB

Headers

DLL Characteristics

File Characteristics

Sections

.rdata Size: 512B - Virtual size: 376B

.rsrc Size: 628KB - Virtual size: 628KB

604f65d7bb91eb13dad798c5b913d475

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

shell32

ole32

shlwapi

ntdll

cfgmgr32

setupapi

version

msvcrt

Exports

Exports

Sections

.text Size: 117KB - Virtual size: 116KB

.rdata Size: 46KB - Virtual size: 46KB

.data Size: 3KB - Virtual size: 4KB

.pdata Size: 5KB - Virtual size: 5KB

.rsrc Size: 1024B - Virtual size: 824B

.reloc Size: 1KB - Virtual size: 1KB

782d91e12c2a1d0eb23a7854f8ac9e2e

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

.text
Size: 91KB - Virtual size: 91KB

.rdata
Size: 40KB - Virtual size: 39KB

.data
Size: 1KB - Virtual size: 3KB

.pdata
Size: 5KB - Virtual size: 4KB

.detourc
Size: 26KB - Virtual size: 26KB

.detourd
Size: 512B - Virtual size: 64B

.rsrc
Size: 3KB - Virtual size: 3KB

.reloc
Size: 4KB - Virtual size: 3KB

.text
Size: 56KB - Virtual size: 56KB

.rdata
Size: 32KB - Virtual size: 31KB

.data
Size: 1024B - Virtual size: 2KB

.detourc
Size: 14KB - Virtual size: 13KB

.detourd
Size: 512B - Virtual size: 36B

.rsrc
Size: 3KB - Virtual size: 3KB

.reloc
Size: 8KB - Virtual size: 7KB

.rdata
Size: 512B - Virtual size: 376B

.rsrc
Size: 628KB - Virtual size: 628KB

.text
Size: 117KB - Virtual size: 116KB

.rdata
Size: 46KB - Virtual size: 46KB

.data
Size: 3KB - Virtual size: 4KB

.pdata
Size: 5KB - Virtual size: 5KB

.rsrc
Size: 1024B - Virtual size: 824B

.reloc
Size: 1KB - Virtual size: 1KB

.text
Size: 35KB - Virtual size: 35KB

.rdata
Size: 14KB - Virtual size: 13KB

.data
Size: 512B - Virtual size: 2KB

.pdata
Size: 2KB - Virtual size: 1KB

.rsrc
Size: 1024B - Virtual size: 984B

.reloc
Size: 512B - Virtual size: 144B

33:00:00:00:8b:4c:06:71:0c:20:2c:df:3b:00:00:00:00:00:8b
Certificate

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

61:33:26:1a:00:00:00:00:00:31
Certificate

61:16:68:34:00:00:00:00:00:1c
Certificate

33:00:00:00:7b:a2:81:0b:87:11:ab:e7:fc:00:00:00:00:00:7b
Certificate

61:0c:52:4c:00:00:00:00:00:03
Certificate

fb:a7:99:34:e2:e1:f6:2f:53:40:4e:6f:d9:5c:a8:e7:23:08:b8:a5:d5:b7:8d:18:4f:36:e7:4a:46:bd:d6:e8
Signer

f7:c9:86:65:dc:20:24:34:7e:41:c8:9d:60:ae:91:2c:38:1c:d2:47
Signer

.text
Size: 100KB - Virtual size: 99KB

.rdata
Size: 59KB - Virtual size: 59KB

.data
Size: 512B - Virtual size: 1KB

.pdata
Size: 3KB - Virtual size: 3KB

.rsrc
Size: 6KB - Virtual size: 6KB

.reloc
Size: 2KB - Virtual size: 1KB

33:00:00:02:39:b2:b4:e8:2a:22:34:49:2f:00:00:00:00:02:39
Certificate

61:0c:52:4c:00:00:00:00:00:03
Certificate

01:aa:65:13:0d:4d:71:ab:db:65:0c:57:cb:42:4c:94:11:33:f9:41:42:10:f4:25:a4:15:97:9d:3d:00:34:dc
Signer