DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
services.exe
Resource
win7-20231215-en
windows7-x64
0 signatures
150 seconds
Behavioral task
behavioral2
Sample
services.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
0 signatures
150 seconds
General
-
Target
34eb39f4bf5754971288dfc311d7cc1cf08aebd694a9f3de8fadc77265fea27b.rar
-
Size
289KB
-
MD5
e645f43b5f19c457711bfe5372385068
-
SHA1
f8e315ac8ca8d889478d4558c62cb29688537e48
-
SHA256
34eb39f4bf5754971288dfc311d7cc1cf08aebd694a9f3de8fadc77265fea27b
-
SHA512
d61ca5e2c9257a6232084fcdc101fb7e6b5dfbbe9e9ea668bd508c3ce9fdc833d7ceea13b3096222c19b721ac23be81dae068c779b0ec52f8c7cb5127a03a878
-
SSDEEP
6144:pkxZOJh952sMp/Yo1uEut+Pprs2Vf+3GfuJwKF28:pk6952f/Bois2KUu2KF28
Score
3/10
Malware Config
Signatures
-
Unsigned PE 3 IoCs
Checks for missing Authenticode signature.
resource unpack001/NCProv.dll unpack001/esscli.dll unpack001/services.exe
Files
-
34eb39f4bf5754971288dfc311d7cc1cf08aebd694a9f3de8fadc77265fea27b.rar.rar
-
NCProv.dll.dll regsvr32 windows:10 windows x64 arch:x64
d0ab97ab340a73f2d8cb18bc94ea9a45
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL
Imports
msvcrt
_onexit
__dllonexit
_unlock
_lock
??1type_info@@UEAA@XZ
?terminate@@YAXXZ
__C_specific_handler
_initterm
free
_amsg_exit
_XcptFilter
__CxxFrameHandler3
_CxxThrowException
_wcsupr
??0exception@@QEAA@XZ
wcsstr
_purecall
memcpy
_vsnwprintf
memmove_s
memcpy_s
??0exception@@QEAA@AEBQEBD@Z
?what@exception@@UEBAPEBDXZ
??0exception@@QEAA@AEBV0@@Z
??1exception@@UEAA@XZ
realloc
malloc
memset
atl
ord18
ord15
ord21
ord16
ord32
ord23
ord57
oleaut32
SafeArrayDestroy
SafeArrayCreate
VariantClear
VariantInit
SysAllocString
SysFreeString
SysStringLen
kernel32
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
GetSystemTimeAsFileTime
OutputDebugStringA
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
Sleep
WriteFile
GetTickCount
GetProcAddress
FreeLibrary
DelayLoadFailureHook
GetModuleHandleW
LoadLibraryExA
GetProcessHeap
UnhandledExceptionFilter
ResetEvent
OpenEventW
DisconnectNamedPipe
LeaveCriticalSection
InitializeCriticalSection
DeleteCriticalSection
SetEvent
WaitForSingleObject
CloseHandle
CreateEventW
GetLastError
CreateThread
ConnectNamedPipe
CreateNamedPipeW
LocalFree
WaitForMultipleObjectsEx
GetOverlappedResult
ReadFileEx
DisableThreadLibraryCalls
EnterCriticalSection
advapi32
ConvertStringSecurityDescriptorToSecurityDescriptorW
ntdll
EtwGetTraceLoggerHandle
EtwGetTraceEnableLevel
EtwGetTraceEnableFlags
EtwRegisterTraceGuidsW
EtwUnregisterTraceGuids
EtwTraceMessage
wbemcomn2
?Next@CAbstractQl1Parser@@MEAAHH@Z
?WbemMemFree@CWin32DefaultArena@@SAHPEAX@Z
?WbemMemAlloc@CWin32DefaultArena@@SAPEAX_K@Z
?Parse@QL1_Parser@@QEAAHPEAPEAUQL_LEVEL_1_RPN_EXPRESSION@@@Z
??0QL1_Parser@@QEAA@PEAVCGenLexSource@@@Z
??1QL_LEVEL_1_RPN_EXPRESSION@@QEAA@XZ
??1QL1_Parser@@UEAA@XZ
GetMemLogObject
?Write@CMemoryLog@@QEAAXJ@Z
?WbemHeapInitialize@CWin32DefaultArena@@SAHPEAX@Z
_ThrowMemoryException_
Exports
Exports
Sections
.text Size: 42KB - Virtual size: 41KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 18KB - Virtual size: 17KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 1024B - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 3KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.didat Size: 512B - Virtual size: 32B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 8KB - Virtual size: 7KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 344B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
esscli.dll.dll regsvr32 windows:10 windows x64 arch:x64
8b5d9d3f824b0a697470cfba4025d8a3
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL
Imports
msvcrt
memcpy
memcmp
sscanf_s
atol
iswspace
_onexit
__dllonexit
_vsnprintf
_unlock
_lock
?terminate@@YAXXZ
??1type_info@@UEAA@XZ
__C_specific_handler
_initterm
malloc
free
_amsg_exit
_XcptFilter
__CxxFrameHandler3
_CxxThrowException
_vsnwprintf
?what@exception@@UEBAPEBDXZ
wcschr
fprintf
??0exception@@QEAA@XZ
??0exception@@QEAA@AEBV0@@Z
??1exception@@UEAA@XZ
??0exception@@QEAA@AEBQEBD@Z
memmove_s
memcpy_s
_purecall
memset
oleaut32
VariantClear
SysAllocString
SysFreeString
VariantInit
VariantChangeType
VariantCopy
kernel32
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetTickCount
GetCurrentThreadId
QueryPerformanceCounter
OutputDebugStringA
LCMapStringW
RtlVirtualUnwind
VirtualFree
VirtualAlloc
VirtualQuery
RtlLookupFunctionEntry
EnterCriticalSection
LeaveCriticalSection
CloseHandle
Sleep
GetCurrentProcessId
RtlCaptureContext
GetModuleHandleW
GetVersion
HeapReAlloc
HeapFree
GetProcessHeap
HeapAlloc
GetLastError
CreateEventW
CreateThread
SetEvent
WaitForSingleObject
DisableThreadLibraryCalls
GetModuleFileNameW
DebugBreak
WaitForMultipleObjectsEx
ResetEvent
SetLastError
FreeLibrary
LoadLibraryExW
GetProcAddress
GetSystemTimeAsFileTime
ole32
CoReleaseMarshalData
CoMarshalInterThreadInterfaceInStream
CoInitializeEx
CoCreateInstance
CoUninitialize
StringFromGUID2
CoUnmarshalInterface
CoGetCallContext
CoMarshalInterface
CoGetInterfaceAndReleaseStream
CoTaskMemFree
CoGetMarshalSizeMax
ntdll
RtlLengthSecurityDescriptor
RtlFreeSid
RtlEqualSid
RtlLengthSid
wbemcomn2
?Unqueue@CFlexQueue@@QEAAPEAXXZ
??0CFlexArray@@QEAA@AEAV0@@Z
??4CPropertyName@@QEAAXAEBV0@@Z
??0WString@@QEAA@XZ
??1CLike@@QEAA@XZ
ReadUI64
ReadI64
??0WString@@QEAA@PEAGH@Z
??0WString@@QEAA@PEBG@Z
?Add@CWStringArray@@QEAAHPEBG@Z
?GetStringAt@CPropertyName@@QEBAPEBGJ@Z
?EnsureExtent@CFlexArray@@QEAAHH@Z
?RemoveAt@CFlexArray@@QEAAHH@Z
?AddElement@CPropertyName@@QEAAXPEBG@Z
??1CVar@@QEAA@XZ
??4WString@@QEAAAEAV0@PEBG@Z
?Match@CLike@@QEAA_NPEBG@Z
?SetExpression@CLike@@QEAAXPEBGG@Z
?UnbindPtr@WString@@QEAAPEAGXZ
??0QL1_Parser@@QEAA@PEAVCGenLexSource@@@Z
??1QL1_Parser@@UEAA@XZ
?Parse@QL1_Parser@@QEAAHPEAPEAUQL_LEVEL_1_RPN_EXPRESSION@@@Z
ChangeVariantToCIMTYPE
??8CPropertyName@@QEAAHAEBU_tag_WbemPropertyName@@@Z
??1QL_LEVEL_1_RPN_EXPRESSION@@QEAA@XZ
??1CPropertyName@@QEAA@XZ
??0CPropertyName@@QEAA@XZ
??1WString@@QEAA@XZ
??0WString@@QEAA@AEBV0@@Z
??0CVar@@QEAA@XZ
??0QL_LEVEL_1_RPN_EXPRESSION@@QEAA@XZ
?AddToken@QL_LEVEL_1_RPN_EXPRESSION@@QEAAXAEBUQL_LEVEL_1_TOKEN@@@Z
??0QL_LEVEL_1_TOKEN@@QEAA@XZ
?Empty@CWStringArray@@QEAAXXZ
?Union@CWStringArray@@SAXAEAV1@00@Z
??4CWStringArray@@QEAAAEAV0@AEAV0@@Z
?FindStr@CWStringArray@@QEAAHPEBGH@Z
?AddProperty@QL_LEVEL_1_RPN_EXPRESSION@@UEAAXAEBVCPropertyName@@@Z
?SetClassName@QL_LEVEL_1_RPN_EXPRESSION@@UEAAXPEBG@Z
?GetText@QL_LEVEL_1_RPN_EXPRESSION@@QEAAPEAGXZ
NormalizeCimDateTime
??0CDateTimeParser@@QEAA@PEBG@Z
??1CDateTimeParser@@QEAA@XZ
?FillDMTF@CDateTimeParser@@QEAAHPEAG_K@Z
?UnbindPtr@CFlexArray@@QEAAPEAPEAXXZ
?SetVariant@CVar@@QEAAHPEAUtagVARIANT@@H@Z
?IsDataNull@CVar@@QEAAHXZ
?ChangeTypeTo@CVar@@QEAAHG@Z
?GetText@QL_LEVEL_1_TOKEN@@QEAAPEAGXZ
??0CLike@@QEAA@PEBGG@Z
?Enter@CWbemCriticalSection@@QEAAHK@Z
?Leave@CWbemCriticalSection@@QEAAXXZ
??0CWbemCriticalSection@@QEAA@XZ
??1CWbemCriticalSection@@QEAA@XZ
??0CNtSid@@QEAA@W4SidType@0@@Z
??1CNtSid@@QEAA@XZ
??_7CUnkInternal@@6B@
?InternalRelease@CUnkInternal@@QEAAKXZ
?Release@CUnkInternal@@UEAAKXZ
?AddRef@CUnkInternal@@UEAAKXZ
?QueryInterface@CUnkInternal@@UEAAJAEBU_GUID@@PEAPEAX@Z
??1CUnkInternal@@UEAA@XZ
??0CUnkInternal@@QEAA@PEAVCLifeControl@@@Z
??0CStaticCritSec@@QEAA@XZ
??1CStaticCritSec@@QEAA@XZ
?anyFailure@CStaticCritSec@@SAHXZ
?Empty@CFlexArray@@QEAAXXZ
?SetAt@CFlexArray@@QEAAXHPEAX@Z
??ACFlexArray@@QEAAAEAPEAXH@Z
??1CFlexArray@@QEAA@XZ
??0CFlexArray@@QEAA@HH@Z
?GetAt@CFlexArray@@QEBAPEAXH@Z
??1QL_LEVEL_1_TOKEN@@QEAA@XZ
??0QL_LEVEL_1_TOKEN@@QEAA@AEBU0@@Z
?Enqueue@CFlexQueue@@QEAA_NPEAX@Z
??1CFlexQueue@@QEAA@XZ
??0CFlexQueue@@QEAA@H@Z
GetMemLogObject
?Write@CMemoryLog@@QEAAXJ@Z
?WbemMemFree@CWin32DefaultArena@@SAHPEAX@Z
?WbemMemAlloc@CWin32DefaultArena@@SAPEAX_K@Z
??4CFlexArray@@QEAAAEAV0@AEAV0@@Z
??1CWStringArray@@QEAA@XZ
??0CWStringArray@@QEAA@HH@Z
??0CPropertyName@@QEAA@AEBV0@@Z
??4CLike@@QEAAAEAV0@AEBV0@@Z
?Empty@CPropertyName@@QEAAXXZ
??ACFlexArray@@QEBAPEAXH@Z
?InsertAt@CFlexArray@@QEAAHHPEAX@Z
_ThrowMemoryException_
??0CCritSec@@QEAA@XZ
??1CCritSec@@QEAA@XZ
??0CInCritSec@@QEAA@PEAU_RTL_CRITICAL_SECTION@@@Z
??1CInCritSec@@QEAA@XZ
?Add@CFlexArray@@QEAAHPEAX@Z
?GetQueueSize@CFlexQueue@@QEBAHXZ
?SetDMTF@CWbemTime@@QEAAHPEBG@Z
?CopyDataFrom@CFlexArray@@QEAAHAEBV1@@Z
fastprox
?SetFromUnicode@CCompressedString@@QEAAXPEBG@Z
?GetLength@CCompressedString@@QEBAHXZ
?ComputeNecessarySpace@CCompressedString@@SAHPEBG@Z
?CompareNoCase@CCompressedString@@QEBAHAEBV1@@Z
??0CInternalString@@QEAA@PEBG@Z
?CreateWStringCopy@CCompressedString@@QEBA?AVWString@@XZ
??BCInternalString@@QEBA?AVWString@@XZ
?CheapCompare@CCompressedString@@QEBAHAEBV1@@Z
?CreateBSTRCopy@CCompressedString@@QEBAPEAGXZ
??4CInternalString@@QEAAAEAV0@AEBV0@@Z
??0CInternalString@@QEAA@AEBV0@@Z
?GetParentAtIndex@CWbemObject@@QEAAPEAVCCompressedString@@H@Z
?AcquireCompressedString@CInternalString@@QEAAXPEAVCCompressedString@@@Z
??1CInternalString@@QEAA@XZ
?GetVARTYPE@CType@@SAGK@Z
WbemStringCopy
Exports
Exports
??0CClassInfoArray@@QEAA@XZ
??0CClassInformation@@QEAA@AEBU0@@Z
??0CClassInformation@@QEAA@XZ
??0CContextMetaData@@QEAA@PEAVCMetaData@@PEAUIWbemContext@@@Z
??0CEvalNode@@QEAA@AEBV0@@Z
??0CEvalNode@@QEAA@XZ
??0CEvalTree@@QEAA@AEBV0@@Z
??0CEvalTree@@QEAA@XZ
??0CMetaData@@QEAA@AEBV0@@Z
??0CMetaData@@QEAA@XZ
??0CObjectInfo@@QEAA@XZ
??0CPropertyProjectionFilter@@QEAA@AEBV0@@Z
??0CPropertyProjectionFilter@@QEAA@XZ
??0CReuseMemoryManager@@QEAA@_K0@Z
??0CSortedArray@@QEAA@AEAV0@@Z
??0CSortedArray@@QEAA@HH@Z
??0CSortedArray@@QEAA@IPEA_K@Z
??0CStandardMetaData@@QEAA@AEBV0@@Z
??0CStandardMetaData@@QEAA@PEAUIWbemServices@@@Z
??0CTempMemoryManager@@QEAA@XZ
??0CTimeKeeper@@QEAA@XZ
??1CClassInfoArray@@QEAA@XZ
??1CClassInformation@@QEAA@XZ
??1CContextMetaData@@QEAA@XZ
??1CEvalNode@@UEAA@XZ
??1CEvalTree@@QEAA@XZ
??1CMetaData@@UEAA@XZ
??1CObjectInfo@@QEAA@XZ
??1CPropertyProjectionFilter@@QEAA@XZ
??1CReuseMemoryManager@@QEAA@XZ
??1CSortedArray@@QEAA@XZ
??1CStandardMetaData@@UEAA@XZ
??1CTempMemoryManager@@QEAA@XZ
??1CTimeKeeper@@QEAA@XZ
??4CClassInfoArray@@QEAA_NAEAV0@@Z
??4CClassInformation@@QEAAAEAU0@AEBU0@@Z
??4CContextMetaData@@QEAAAEAV0@AEBV0@@Z
??4CEvalTree@@QEAAXAEBV0@@Z
??4CMetaData@@QEAAAEAV0@AEBV0@@Z
??4CObjectInfo@@QEAAAEAV0@AEBV0@@Z
??4CPropertyProjectionFilter@@QEAAAEAV0@AEBV0@@Z
??4CQueryAnalyser@@QEAAAEAV0@$$QEAV0@@Z
??4CQueryAnalyser@@QEAAAEAV0@AEBV0@@Z
??4CReuseMemoryManager@@QEAAAEAV0@AEBV0@@Z
??4CSortedArray@@QEAAXAEBV0@@Z
??4CStandardMetaData@@QEAAAEAV0@AEBV0@@Z
??4CTempMemoryManager@@QEAAAEAV0@AEBV0@@Z
??4CTimeKeeper@@QEAAAEAV0@$$QEAV0@@Z
??4CTimeKeeper@@QEAAAEAV0@AEBV0@@Z
??_7CEvalNode@@6B@
??_7CMetaData@@6B@
??_7CPropertyProjectionFilter@@6B@
??_7CStandardMetaData@@6B@
??_FCSortedArray@@QEAAXXZ
?Add@CSortedArray@@QEAAH_K@Z
?AddClass@CClassInfoArray@@QEAA_NPEAUCClassInformation@@@Z
?AddDataFrom@CSortedArray@@QEAAJAEBV1@@Z
?AddDataFrom@CSortedArray@@QEAAJPEB_KI@Z
?AddProperty@CPropertyProjectionFilter@@QEAA_NAEBVCPropertyName@@@Z
?AddRef@CMetaData@@UEAAKXZ
?Allocate@CReuseMemoryManager@@QEAAPEAXXZ
?Allocate@CTempMemoryManager@@QEAAPEAX_K@Z
?AndDefiniteClassArrays@CQueryAnalyser@@KAJPEAVCClassInfoArray@@00@Z
?AndPossibleClassArrays@CQueryAnalyser@@KAJPEAVCClassInfoArray@@00@Z
?AndQueryExpressions@CQueryAnalyser@@KAJPEAUQL_LEVEL_1_RPN_EXPRESSION@@00@Z
?AppendQueryExpression@CQueryAnalyser@@KAXPEAUQL_LEVEL_1_RPN_EXPRESSION@@0@Z
?ApplyPredicate@CEvalTree@@QEAAJPEAVCLeafPredicate@@@Z
?BuildFromToken@CEvalTree@@SAJPEAVCContextMetaData@@AEAVCImplicationList@@AEAUQL_LEVEL_1_TOKEN@@PEAPEAVCEvalNode@@@Z
?BuildTwoPropFromToken@CEvalTree@@SAJPEAVCContextMetaData@@AEAVCImplicationList@@AEAUQL_LEVEL_1_TOKEN@@PEAPEAVCEvalNode@@@Z
?CanPointToClass@CQueryAnalyser@@SAJPEAUIWbemClassObject@@PEBG1PEAVCContextMetaData@@@Z
?Clear@CClassInfoArray@@QEAAXXZ
?Clear@CEvalTree@@QEAA_NXZ
?Clear@CObjectInfo@@QEAAXXZ
?Clear@CReuseMemoryManager@@QEAAXXZ
?Clear@CStandardMetaData@@QEAAXXZ
?Clear@CTempMemoryManager@@QEAAXXZ
?CloneNode@CEvalNode@@SAPEAV1@PEBV1@@Z
?Combine@CEvalTree@@SAJPEAVCEvalNode@@0HPEAVCContextMetaData@@AEAVCImplicationList@@_N3PEAPEAV2@@Z
?CombineLeafWithBranch@CEvalTree@@KAJPEAVCValueNode@@PEAVCBranchingNode@@HPEAVCContextMetaData@@AEAVCImplicationList@@_N4PEAPEAVCEvalNode@@@Z
?CombineWith@CEvalTree@@QEAAJAEAV1@PEAVCContextMetaData@@HJ@Z
?Compare@CEvalTree@@SAHPEAVCEvalNode@@0@Z
?Compare@CSortedArray@@QEAAHAEAV1@@Z
?CompareRequestedToProvided@CQueryAnalyser@@SAHAEAVCClassInfoArray@@0@Z
?CopyDataFrom@CSortedArray@@QEAAJAEBV1@@Z
?CopyDataFrom@CSortedArray@@QEAAJPEB_KI@Z
?CopyTo@CSortedArray@@QEAAIPEA_KI@Z
?CreateFromConjunction@CEvalTree@@SAJPEAVCContextMetaData@@AEAVCImplicationList@@PEAVCConjunction@@PEAPEAVCEvalNode@@@Z
?CreateFromDNF@CEvalTree@@QEAAJPEAVCContextMetaData@@AEAVCImplicationList@@PEAVCDNFExpression@@PEAPEAVCEvalNode@@@Z
?CreateFromQuery@CEvalTree@@QEAAJPEAVCContextMetaData@@PEAUQL_LEVEL_1_RPN_EXPRESSION@@JJ@Z
?CreateFromQuery@CEvalTree@@QEAAJPEAVCContextMetaData@@PEBGHPEAUQL_LEVEL_1_TOKEN@@JJ@Z
?CreateFromQuery@CEvalTree@@QEAAJPEAVCContextMetaData@@PEBGJJ@Z
?CreateProjection@CEvalTree@@QEAAJAEAV1@PEAVCContextMetaData@@PEAVCProjectionFilter@@W4EProjectionType@@_N@Z
?DecorateObject@CTimeKeeper@@QEAA_NPEAU_IWmiObject@@@Z
?Empty@CSortedArray@@QEAAXXZ
?Evaluate@CEvalTree@@QEAAJPEAUIWbemObjectAccess@@AEAVCSortedArray@@@Z
?Evaluate@CEvalTree@@SAJAEAVCObjectInfo@@PEAVCEvalNode@@AEAVCSortedArray@@@Z
?Find@CSortedArray@@QEAAI_K@Z
?Free@CReuseMemoryManager@@QEAAXPEAX@Z
?Free@CTempMemoryManager@@QEAAXPEAX_K@Z
?GetAccessMask@@YAJPEAXPEAU_ACL@@PEAK@Z
?GetArrayPtr@CSortedArray@@QEAAPEA_KXZ
?GetAt@CSortedArray@@QEAA_KH@Z
?GetClass@CClassInfoArray@@QEAAPEAUCClassInformation@@H@Z
?GetClass@CContextMetaData@@QEAAJPEBGPEAPEAU_IWmiObject@@@Z
?GetClass@CMetaData@@UEAAJPEBGPEAUIWbemContext@@PEAPEAUIWbemClassObject@@@Z
?GetClass@CStandardMetaData@@UEAAJPEBGPEAUIWbemContext@@PEAPEAU_IWmiObject@@@Z
?GetDefiniteInstanceClasses@CQueryAnalyser@@SAJPEAUQL_LEVEL_1_RPN_EXPRESSION@@AEAPEAVCClassInfoArray@@@Z
?GetInstanceClasses@CQueryAnalyser@@KAJAEAUQL_LEVEL_1_TOKEN@@AEAVCClassInfoArray@@@Z
?GetLength@CObjectInfo@@QEAAJXZ
?GetLimitingQueryForInstanceClass@CQueryAnalyser@@SAJPEAUQL_LEVEL_1_RPN_EXPRESSION@@AEAUCClassInformation@@AEAPEAG@Z
?GetNecessaryQueryForClass@CQueryAnalyser@@SAJPEAUQL_LEVEL_1_RPN_EXPRESSION@@PEAUIWbemClassObject@@AEAVCWStringArray@@AEAPEAU2@@Z
?GetNecessaryQueryForProperty@CQueryAnalyser@@SAJPEAUQL_LEVEL_1_RPN_EXPRESSION@@AEAVCPropertyName@@AEAPEAU2@@Z
?GetNumClasses@CClassInfoArray@@QEAAHXZ
?GetObjectAt@CObjectInfo@@QEAAPEAU_IWmiObject@@J@Z
?GetPossibleInstanceClasses@CQueryAnalyser@@SAJPEAUQL_LEVEL_1_RPN_EXPRESSION@@AEAPEAVCClassInfoArray@@@Z
?GetPropertiesThatMustDiffer@CQueryAnalyser@@KAJPEAUQL_LEVEL_1_RPN_EXPRESSION@@AEAUCClassInformation@@AEAVCWStringArray@@@Z
?GetType@CEvalNode@@SAHPEAV1@@Z
?InnerCombine@CEvalTree@@KAJPEAVCEvalNode@@0HPEAVCContextMetaData@@AEAVCImplicationList@@_N3PEAPEAV2@@Z
?Insert@CSortedArray@@QEAAX_K@Z
?IsAllFalse@CEvalNode@@SA_NPEAV1@@Z
?IsAllFalse@CEvalNode@@UEAA_NXZ
?IsFalse@CEvalTree@@QEAA_NXZ
?IsInSet@CPropertyProjectionFilter@@UEAA_NPEAVCEvalNode@@@Z
?IsInvalid@CEvalNode@@SA_NPEAV1@@Z
?IsInvalid@CEvalNode@@UEAA_NXZ
?IsLimited@CClassInfoArray@@QEAAHXZ
?IsMergeAdvisable@CEvalTree@@SAJPEAVCEvalNode@@0AEAVCImplicationList@@@Z
?IsNoop@CEvalNode@@SA_NPEAV1@H@Z
?IsNoop@CEvalNode@@UEAA_NH@Z
?IsPropertyInClass@CQueryAnalyser@@KAHAEAVCPropertyName@@PEAUIWbemClassObject@@AEAVCWStringArray@@@Z
?IsTokenAboutClass@CQueryAnalyser@@KAHAEAUQL_LEVEL_1_TOKEN@@PEAUIWbemClassObject@@AEAVCWStringArray@@@Z
?IsTokenAboutProperty@CQueryAnalyser@@KAHAEAUQL_LEVEL_1_TOKEN@@AEAVCPropertyName@@@Z
?IsUserAdministrator@@YAJPEAX@Z
?IsUserInGroup@@YAJPEAX0@Z
?IsValid@CEvalTree@@QEAA_NXZ
?NegateDefiniteClassArray@CQueryAnalyser@@KAJPEAVCClassInfoArray@@0@Z
?NegatePossibleClassArray@CQueryAnalyser@@KAJPEAVCClassInfoArray@@0@Z
?NegateQueryExpression@CQueryAnalyser@@KAJPEAUQL_LEVEL_1_RPN_EXPRESSION@@0@Z
?Optimize@CEvalNode@@UEAAJPEAVCContextMetaData@@PEAPEAV1@@Z
?Optimize@CEvalTree@@QEAAJPEAVCContextMetaData@@@Z
?OrDefiniteClassArrays@CQueryAnalyser@@KAJPEAVCClassInfoArray@@00@Z
?OrPossibleClassArrays@CQueryAnalyser@@KAJPEAVCClassInfoArray@@00@Z
?OrQueryExpressions@CQueryAnalyser@@KAJPEAUQL_LEVEL_1_RPN_EXPRESSION@@00@Z
?PrintOffset@CEvalNode@@SAXPEAU_iobuf@@H@Z
?Project@CEvalTree@@SAJPEAVCContextMetaData@@AEAVCImplicationList@@PEAVCEvalNode@@PEAVCProjectionFilter@@W4EProjectionType@@_NPEAPEAV4@@Z
?QueryInterface@CMetaData@@UEAAJAEBU_GUID@@PEAPEAX@Z
?Rebase@CEvalTree@@QEAAX_K@Z
?Rebase@CSortedArray@@QEAAX_K@Z
?Release@CMetaData@@UEAAKXZ
?Remove@CSortedArray@@QEAA_N_K@Z
?RemoveClass@CClassInfoArray@@QEAAXH@Z
?RemoveIndex@CEvalTree@@QEAAJH@Z
?RoundUp@CTempMemoryManager@@IEAA_K_K@Z
?SetBool@CEvalTree@@QEAA_NH@Z
?SetLength@CObjectInfo@@QEAA_NJ@Z
?SetLimited@CClassInfoArray@@QEAAXH@Z
?SetObjectAt@CObjectInfo@@QEAAXJPEAU_IWmiObject@@@Z
?SetOne@CClassInfoArray@@QEAA_NPEBGH@Z
?SetSize@CSortedArray@@QEAAXH@Z
?SimplifyQueryForChild@CQueryAnalyser@@SAJPEAUQL_LEVEL_1_RPN_EXPRESSION@@PEBGPEAUIWbemClassObject@@PEAVCContextMetaData@@AEAPEAU2@@Z
?SimplifyTokenForChild@CQueryAnalyser@@KAHAEAUQL_LEVEL_1_TOKEN@@PEBGPEAUIWbemClassObject@@PEAVCContextMetaData@@@Z
?Size@CSortedArray@@QEBAHXZ
?UnbindPtr@CSortedArray@@QEAAPEA_KXZ
?UtilizeGuarantee@CEvalTree@@QEAAJAEAV1@PEAVCContextMetaData@@@Z
?ValidateSQLDateTime@CQueryAnalyser@@KAHPEBG@Z
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
Sections
.text Size: 259KB - Virtual size: 259KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 102KB - Virtual size: 102KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 1024B - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 11KB - Virtual size: 11KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 1024B - Virtual size: 984B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 3KB - Virtual size: 2KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
services.exe.exe windows:6 windows x64 arch:x64
99f403a8d271c481e1abdb2a65909791
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
msvcrt
_cexit
_exit
_XcptFilter
__C_specific_handler
_initterm
_amsg_exit
__setusermatherr
exit
_fmode
__set_app_type
?terminate@@YAXXZ
_commode
memset
memcpy
_ltow
wcscspn
__getmainargs
_ltow_s
wcschr
_wcslwr
_ultow_s
time
wcsrchr
_vsnwprintf
_wcsnicmp
wcstoul
wcsstr
_wcsicmp
_wtol
wcsncmp
_ultow
rpcrt4
UuidCreate
UuidCreateNil
UuidEqual
RpcServerUnsubscribeForNotification
RpcServerSubscribeForNotification
RpcBindingVectorFree
RpcServerRegisterAuthInfoW
RpcServerInqDefaultPrincNameW
RpcEpRegisterW
RpcStringFreeW
RpcStringBindingParseW
RpcBindingToStringBindingW
RpcServerInqBindings
RpcServerUseProtseqW
RpcServerUseProtseqEpW
I_RpcMapWin32Status
RpcServerInqCallAttributesW
RpcAsyncCompleteCall
RpcRevertToSelf
RpcImpersonateClient
RpcServerInqBindingHandle
I_RpcBindingInqLocalClientPID
I_RpcSessionStrictContextHandle
I_RpcBindingIsClientLocal
NdrServerCall2
NdrAsyncServerCall
UuidFromStringW
RpcBindingFree
RpcServerInqCallAttributesA
RpcServerRegisterIfEx
RpcAsyncAbortCall
sspicli
LogonUserExExW
ntdll
RtlLengthSid
EtwTraceMessage
NtTraceControl
RtlSetLastWin32Error
EtwGetTraceLoggerHandle
RtlInitializeCriticalSection
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
NtOpenThread
NtQueueApcThread
RtlQueueApcWow64Thread
EvtIntReportEventAndSourceAsync
EtwEventWrite
EtwEventRegister
RtlUnhandledExceptionFilter
RtlFreeHeap
NtSetEvent
NtSetInformationProcess
NtOpenProcessToken
RtlSetProcessIsCritical
NtQueryInformationFile
NtSetInformationFile
RtlAppendUnicodeStringToString
RtlAppendUnicodeToString
NtWaitForSingleObject
NtQueryDirectoryFile
NtDeleteFile
RtlCopyUnicodeString
NtFilterToken
NtQueryInformationToken
NtSetInformationThread
NtAdjustPrivilegesToken
NtDuplicateToken
NtAccessCheckAndAuditAlarm
NtAccessCheck
NtPrivilegeObjectAuditAlarm
NtPrivilegeCheck
RtlMapGenericMask
RtlSetSecurityObject
NtOpenThreadToken
RtlValidRelativeSecurityDescriptor
RtlQuerySecurityObject
RtlSubAuthoritySid
WinSqmAddToStream
RtlSetControlSecurityDescriptor
NtDeleteKey
NtEnumerateKey
NtDeleteValueKey
NtSetValueKey
NtQueryValueKey
NtOpenKey
NtCreateKey
RtlLengthSecurityDescriptor
RtlValidSecurityDescriptor
RtlSetEnvironmentVariable
RtlConvertExclusiveToShared
RtlConvertSharedToExclusive
RtlCreateServiceSid
RtlRegisterWait
RtlEqualUnicodeString
RtlGetNtProductType
RtlCopySid
NtUnloadDriver
RtlCompareUnicodeString
NtQueryDirectoryObject
NtOpenDirectoryObject
NtLoadDriver
DbgPrintEx
RtlAdjustPrivilege
RtlExpandEnvironmentStrings_U
RtlInitializeSRWLock
NtOpenFile
NtQuerySymbolicLinkObject
NtOpenSymbolicLinkObject
RtlFreeUnicodeString
RtlDosPathNameToNtPathName_U
RtlReleaseSRWLockShared
NtDeleteObjectAuditAlarm
RtlAcquireSRWLockShared
NtFlushKey
RtlAreAllAccessesGranted
NtCloseObjectAuditAlarm
RtlReleaseSRWLockExclusive
RtlAcquireSRWLockExclusive
RtlDeregisterWait
RtlAcquireResourceShared
RtlInitializeResource
RtlQueueWorkItem
RtlDeleteSecurityObject
RtlReleaseResource
RtlAcquireResourceExclusive
RtlCopyLuid
NtQueryKey
NtShutdownSystem
NtInitializeRegistry
NtSetSystemEnvironmentValue
RtlInitUnicodeString
NtClose
RtlNtStatusToDosError
NtQuerySystemInformation
RtlNtStatusToDosErrorNoTeb
RtlLengthRequiredSid
RtlAddAce
RtlCreateAcl
RtlSetDaclSecurityDescriptor
RtlNewSecurityObject
RtlSetGroupSecurityDescriptor
RtlSetSaclSecurityDescriptor
RtlAllocateHeap
RtlInitializeSid
RtlSubAuthorityCountSid
RtlCreateSecurityDescriptor
RtlSetOwnerSecurityDescriptor
RtlAnsiStringToUnicodeString
RtlInitAnsiString
RtlUnicodeStringToAnsiString
EtwGetTraceEnableLevel
EtwGetTraceEnableFlags
EtwRegisterTraceGuidsW
RtlUnicodeStringToInteger
profapi
ord101
ord102
ord105
ord106
api-ms-win-security-lsalookup-l1-1-0
LsaLookupTranslateSids
LsaLookupFreeMemory
LsaLookupClose
LsaLookupManageSidNameMapping
LsaLookupGetDomainInfo
LsaLookupTranslateNames
LsaLookupOpenLocalPolicy
api-ms-win-security-sddl-l1-1-0
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSecurityDescriptorToStringSecurityDescriptorW
ConvertSidToStringSidW
cryptbase
SystemFunction029
SystemFunction005
api-ms-win-core-errorhandling-l1-1-0
GetLastError
SetLastError
SetUnhandledExceptionFilter
SetErrorMode
UnhandledExceptionFilter
api-ms-win-core-file-l1-1-0
SetFileInformationByHandle
CreateDirectoryW
FindFirstFileW
CreateFileW
FindClose
FindNextFileW
api-ms-win-core-handle-l1-1-0
DuplicateHandle
CloseHandle
api-ms-win-core-heap-l1-1-0
HeapAlloc
HeapFree
HeapCreate
HeapSetInformation
api-ms-win-core-io-l1-1-0
DeviceIoControl
api-ms-win-core-libraryloader-l1-1-0
GetModuleHandleW
GetProcAddress
LoadLibraryExW
FreeLibrary
LoadStringW
api-ms-win-core-localregistry-l1-1-0
RegOpenKeyExW
RegQueryValueExW
RegCloseKey
RegNotifyChangeKeyValue
RegSetKeySecurity
RegGetKeySecurity
RegLoadMUIStringW
RegCreateKeyExW
RegSetValueExW
api-ms-win-core-misc-l1-1-0
LocalAlloc
LocalFree
Sleep
IsWow64Process
lstrlenW
api-ms-win-core-processenvironment-l1-1-0
GetEnvironmentVariableW
ExpandEnvironmentStringsW
api-ms-win-core-processthreads-l1-1-0
CreateThread
CreateProcessW
TerminateProcess
GetCurrentThreadId
GetProcessId
OpenThreadToken
GetCurrentThread
GetCurrentProcess
InitializeProcThreadAttributeList
UpdateProcThreadAttribute
DeleteProcThreadAttributeList
CreateProcessAsUserW
ResumeThread
OpenProcessToken
GetCurrentProcessId
SetProcessShutdownParameters
ExitThread
SetThreadPriority
GetProcessTimes
api-ms-win-core-profile-l1-1-0
QueryPerformanceCounter
api-ms-win-core-string-l1-1-0
CompareStringW
api-ms-win-core-synch-l1-1-0
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
WaitForSingleObject
SetEvent
CreateEventW
WaitForMultipleObjectsEx
ResetEvent
OpenEventW
OpenProcess
api-ms-win-core-sysinfo-l1-1-0
GetTickCount
GetSystemTimeAsFileTime
GetSystemDirectoryW
GetComputerNameExW
GetVersionExW
GetSystemTime
api-ms-win-security-base-l1-1-0
GetSecurityDescriptorDacl
SetSecurityDescriptorOwner
InitializeSecurityDescriptor
EqualSid
AdjustTokenPrivileges
RevertToSelf
ImpersonateLoggedOnUser
CopySid
GetLengthSid
CheckTokenMembership
GetTokenInformation
InitializeAcl
AddAce
SetSecurityDescriptorDacl
AllocateLocallyUniqueId
AllocateAndInitializeSid
FreeSid
GetKernelObjectSecurity
SetKernelObjectSecurity
AddAccessAllowedAce
SetTokenInformation
Sections
.text Size: 243KB - Virtual size: 242KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 39KB - Virtual size: 38KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 6KB - Virtual size: 5KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 11KB - Virtual size: 10KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 19KB - Virtual size: 18KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 1024B - Virtual size: 544B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ