60691927c1d8b5b623796af41fdf6770_JaffaCakes118

Sharing

Copy URL

Twitter E-mail

General

Target

60691927c1d8b5b623796af41fdf6770_JaffaCakes118
Size

4.0MB
MD5

60691927c1d8b5b623796af41fdf6770
SHA1

d54ec68fe521a8e74bd9c61958491316e4cc6e9d
SHA256

17d980266604850fe3f5a0c83809b9169acf2698b53d55127fa230a50137f92e
SHA512

ca8cdf5018cdff8e13036fccd326beba9c4932dba39b3395e96e3452462b951411afd33610aa23521b1a22076b2895fb7e1d77e7f95fb6f9ef60743bab58ebf8
SSDEEP

98304:ojahQJlepQK/PS2eiAohIbZns2XMzaxTZ3Ybt8UF7L4Xh:oO6epz3S2ey2bZs2xIt8UIh

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
static1/unpack002/bin/bfi.exe	upx

Unsigned PE 11 IoCs

Checks for missing Authenticode signature.

resource
unpack001/files/7zr.exe
unpack001/files/aria2c.exe
unpack002/bin/7z.dll
unpack002/bin/7z.exe
unpack002/bin/bfi.exe
unpack003/out.upx
unpack002/bin/bin64/libwim-15.dll
unpack002/bin/bin64/wimlib-imagex.exe
unpack002/bin/libwim-15.dll
unpack002/bin/offlinereg.exe
unpack002/bin/wimlib-imagex.exe

Files

60691927c1d8b5b623796af41fdf6770_JaffaCakes118
.zip
ConvertConfig.ini
aria2_download_linux.sh
.sh linux
aria2_download_windows.cmd
.cmd .vbs
files/7zr.exe
.exe windows:4 windows x86 arch:x86

eae62d826e46e5b549dcb388a46c0f3b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

oleaut32

VariantCopy
SysAllocStringLen
SysAllocString
SysFreeString
SysStringLen
VariantClear

user32

CharUpperW

advapi32

SetFileSecurityW
OpenProcessToken
LookupPrivilegeValueW
AdjustTokenPrivileges
GetFileSecurityW

msvcrt

_controlfp
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
__p___initenv
exit
_XcptFilter
_exit
_onexit
__dllonexit
??1type_info@@UAE@XZ
?terminate@@YAXXZ
_except_handler3
_beginthreadex
realloc
strlen
memset
wcscmp
wcsstr
strcmp
memmove
fputs
fputc
fflush
fgetc
fclose
_iob
free
_CxxThrowException
malloc
memcmp
_purecall
memcpy
__CxxFrameHandler
_isatty
_fileno

kernel32

ReleaseSemaphore
InitializeCriticalSection
ResetEvent
SetEvent
WaitForSingleObject
CreateSemaphoreW
MoveFileW
InterlockedIncrement
VirtualFree
VirtualAlloc
QueryPerformanceCounter
SetConsoleMode
GetConsoleMode
GetVersionExW
SetFileApisToOEM
GetCommandLineW
GetConsoleScreenBufferInfo
SetConsoleCtrlHandler
DeleteCriticalSection
IsProcessorFeaturePresent
EnterCriticalSection
LeaveCriticalSection
GetProcessTimes
OpenEventW
OpenFileMappingW
MapViewOfFile
UnmapViewOfFile
SetProcessAffinityMask
WaitForMultipleObjects
GetStdHandle
GetSystemTimeAsFileTime
FileTimeToDosDateTime
GlobalMemoryStatus
GetSystemInfo
GetProcessAffinityMask
FileTimeToLocalFileTime
FileTimeToSystemTime
CompareFileTime
GetCurrentProcess
GetDiskFreeSpaceW
GetFileInformationByHandle
SetEndOfFile
WriteFile
ReadFile
DeviceIoControl
SetFilePointer
GetLastError
MultiByteToWideChar
WideCharToMultiByte
FreeLibrary
LoadLibraryW
GetModuleFileNameW
LocalFree
FormatMessageW
CloseHandle
SetFileTime
CreateFileW
SetFileAttributesW
RemoveDirectoryW
GetFileSize
GetProcAddress
GetModuleHandleW
CreateDirectoryW
DeleteFileW
SetLastError
SetCurrentDirectoryW
GetCurrentDirectoryW
GetTempPathW
GetCurrentProcessId
GetTickCount
GetCurrentThreadId
FindClose
FindFirstFileW
FindNextFileW
GetModuleHandleA
GetFileAttributesW
GetLogicalDriveStringsW
CreateEventW

Sections

.text
Size: 424KB - Virtual size: 424KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 62KB - Virtual size: 61KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.sxdata
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
files/aria2c.exe
.exe windows:4 windows x86 arch:x86

573d03ab431ea72a3cd881ac0aeabbd0

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

advapi32

AdjustTokenPrivileges
CryptAcquireContextA
CryptGenRandom
CryptReleaseContext
GetTokenInformation
LookupPrivilegeValueA
OpenProcessToken
RegCloseKey
RegEnumKeyExA
RegOpenKeyExA
RegQueryValueExA

bcrypt

BCryptCloseAlgorithmProvider
BCryptCreateHash
BCryptDecrypt
BCryptDestroyHash
BCryptDestroyKey
BCryptEncrypt
BCryptFinishHash
BCryptGenRandom
BCryptGetProperty
BCryptHashData
BCryptImportKey
BCryptImportKeyPair
BCryptOpenAlgorithmProvider
BCryptSetProperty
BCryptSignHash
BCryptVerifySignature

crypt32

CertCloseStore
CertEnumCertificatesInStore
CertFreeCertificateContext
CryptDecodeObjectEx
PFXImportCertStore
PFXIsPFXBlob

iphlpapi

GetAdaptersAddresses

kernel32

AreFileApisANSI
CloseHandle
CreateFileA
CreateFileMappingA
CreateFileMappingW
CreateFileW
CreateMutexW
CreateProcessW
CreateSemaphoreW
DeleteCriticalSection
DeleteFileA
DeleteFileW
DeviceIoControl
EnterCriticalSection
ExpandEnvironmentStringsA
FlushFileBuffers
FlushViewOfFile
FormatMessageA
FormatMessageW
FreeLibrary
GetCommandLineW
GetConsoleMode
GetConsoleScreenBufferInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDiskFreeSpaceA
GetDiskFreeSpaceW
GetFileAttributesA
GetFileAttributesExW
GetFileAttributesW
GetFileSize
GetFileSizeEx
GetFullPathNameA
GetFullPathNameW
GetLastError
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetProcAddress
GetProcessHeap
GetStartupInfoA
GetStdHandle
GetSystemDirectoryA
GetSystemInfo
GetSystemTime
GetSystemTimeAsFileTime
GetTempPathA
GetTempPathW
GetTickCount
GetTimeZoneInformation
GetVersionExA
GetVersionExW
GetWindowsDirectoryA
HeapAlloc
HeapCompact
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
HeapValidate
InitializeCriticalSection
IsDBCSLeadByteEx
LeaveCriticalSection
LoadLibraryA
LoadLibraryW
LocalFree
LockFile
LockFileEx
MapViewOfFile
MoveFileExW
MultiByteToWideChar
OpenProcess
OutputDebugStringA
OutputDebugStringW
QueryPerformanceCounter
ReadFile
ReleaseSemaphore
SetConsoleCtrlHandler
SetConsoleTextAttribute
SetEndOfFile
SetFilePointer
SetFilePointerEx
SetFileTime
SetFileValidData
SetLastError
SetUnhandledExceptionFilter
Sleep
SystemTimeToFileTime
TerminateProcess
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
TryEnterCriticalSection
UnhandledExceptionFilter
UnlockFile
UnlockFileEx
UnmapViewOfFile
VirtualProtect
VirtualQuery
WaitForSingleObject
WaitForSingleObjectEx
WideCharToMultiByte
WriteConsoleW
WriteFile

msvcrt

___mb_cur_max_func
__doserrno
__getmainargs
__initenv
__lconv_init
__p___argv
__p__acmdln
__p__fmode
__pioinfo
__set_app_type
__setusermatherr
_amsg_exit
_beginthreadex
_cexit
_commit
_endthreadex
_errno
_exit
_filelengthi64
_fileno
_fstat64
_initterm
_iob
_lock
_lseeki64
_onexit
_setmode
_stricmp
_strnicmp
_unlock
_vsnprintf
_wfopen
_wfsopen
_wgetcwd
_wgetenv
_wmkdir
_wopen
_write
_wrmdir
_wsopen
_wstati64
_wunlink
abort
asctime
atoi
calloc
exit
fclose
feof
ferror
fflush
fgetpos
fgets
fopen
fprintf
fputc
fputs
fread
free
fsetpos
fwprintf
fwrite
getc
getenv
getwc
islower
isspace
isupper
iswctype
isxdigit
ldiv
localeconv
log10
malloc
memchr
memcmp
memcpy
memmove
memset
localtime
gmtime
perror
putc
putwc
qsort
raise
rand
realloc
rewind
setlocale
setvbuf
signal
sprintf
strchr
strcmp
strcoll
strcpy
strcspn
strerror
strftime
strlen
strncat
strncmp
strncpy
strpbrk
strrchr
strtol
strtoul
strxfrm
time
tolower
towlower
towupper
ungetc
ungetwc
vfprintf
time
wcscoll
wcscpy
wcsftime
wcslen
wcstombs
wcsxfrm
_snwprintf
_tzname
_write
_tzset
_strnicmp
_strdup
_read
_open
_lseek
_isatty
_fileno
_fdopen
_dup
_close

secur32

AcceptSecurityContext
AcquireCredentialsHandleW
ApplyControlToken
DecryptMessage
DeleteSecurityContext
EncryptMessage
FreeContextBuffer
FreeCredentialsHandle
InitializeSecurityContextA
QueryContextAttributesA

shell32

CommandLineToArgvW

user32

MessageBoxW

ws2_32

WSASend
freeaddrinfo
getaddrinfo
gethostname
getnameinfo
getservbyport
inet_addr

wsock32

WSACleanup
WSAGetLastError
WSAStartup
__WSAFDIsSet
accept
bind
closesocket
connect
getpeername
getsockname
getsockopt
htonl
htons
ioctlsocket
listen
ntohl
ntohs
recv
recvfrom
select
send
sendto
setsockopt
shutdown
socket

Sections

.text
Size: 4.3MB - Virtual size: 4.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 14KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 471KB - Virtual size: 471KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 12KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 9KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 52B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
files/convert.sh
.sh .js linux polyglot
files/convert_config_linux
files/convert_ve_plugin
.sh linux
files/uup-converter-wimlib.7z
.7z
ConvertConfig.ini
ReadMe.html
UUPs/.README
bin/7z.dll
.dll windows:4 windows x86 arch:x86

622eae4411b119bf4ca7bee4fa1391c8

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

oleaut32

SysAllocStringByteLen
SysAllocStringLen
SysAllocString
SysFreeString
SysStringLen
VariantCopy
VariantClear

user32

CharPrevExA
CharUpperW

msvcrt

_adjust_fdiv
_initterm
_onexit
__dllonexit
?terminate@@YAXXZ
??1type_info@@UAE@XZ
_except_handler3
_beginthreadex
strchr
strcat
strcpy
memset
realloc
free
malloc
strlen
wcscmp
strcmp
strstr
_CxxThrowException
memmove
memcpy
memcmp
_purecall
__CxxFrameHandler

kernel32

CreateDirectoryW
InitializeCriticalSection
ReleaseSemaphore
CreateSemaphoreW
ResetEvent
SetEvent
CreateEventW
WaitForSingleObject
InterlockedIncrement
VirtualFree
VirtualAlloc
LoadLibraryW
FreeLibrary
QueryPerformanceCounter
FileTimeToLocalFileTime
DeleteCriticalSection
GetVersionExW
LocalFileTimeToFileTime
WaitForMultipleObjects
EnterCriticalSection
LeaveCriticalSection
GetSystemTimeAsFileTime
FileTimeToDosDateTime
DosDateTimeToFileTime
GlobalMemoryStatus
GetSystemInfo
GetCurrentProcess
GetProcessAffinityMask
CompareFileTime
WriteFile
ReadFile
GetFileAttributesW
GetLastError
MultiByteToWideChar
WideCharToMultiByte
CloseHandle
CreateFileW
SetFileAttributesW
GetProcAddress
GetModuleHandleW
DeleteFileW
SetLastError
GetTempPathW
GetCurrentProcessId
GetTickCount
GetCurrentThreadId
FindClose
FindFirstFileW
GetModuleHandleA

Exports

Exports

CreateDecoder
CreateEncoder
CreateObject
GetHandlerProperty
GetHandlerProperty2
GetHashers
GetIsArc
GetMethodProperty
GetNumberOfFormats
GetNumberOfMethods
SetCaseSensitive
SetCodecs
SetLargePageMode

Sections

.text
Size: 864KB - Virtual size: 863KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 117KB - Virtual size: 116KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.sxdata
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 95KB - Virtual size: 94KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 35KB - Virtual size: 35KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
bin/7z.exe
.exe windows:4 windows x86 arch:x86

c2674610547987e150ca76c2c9c784a0

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

Imports

oleaut32

VariantCopy
SysAllocStringLen
SysFreeString
SysStringByteLen
SysStringLen
VariantClear
SysAllocString

user32

CharUpperW

advapi32

OpenProcessToken
GetFileSecurityW
SetFileSecurityW
RegQueryValueExW
RegCloseKey
RegOpenKeyExW
AdjustTokenPrivileges
LookupPrivilegeValueW

msvcrt

_controlfp
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
__p___initenv
exit
_XcptFilter
_exit
_onexit
__dllonexit
??1type_info@@UAE@XZ
?terminate@@YAXXZ
_except_handler3
_beginthreadex
memcmp
_purecall
strlen
memset
wcscmp
wcsstr
strcmp
memmove
fputs
fputc
fflush
fgetc
fclose
_iob
free
_CxxThrowException
malloc
memcpy
__CxxFrameHandler
_isatty
_fileno

kernel32

CreateEventW
SetEvent
InitializeCriticalSection
VirtualFree
CloseHandle
VirtualAlloc
SetConsoleMode
GetConsoleMode
GetVersionExW
SetFileApisToOEM
GetCommandLineW
GetConsoleScreenBufferInfo
SetConsoleCtrlHandler
DeleteCriticalSection
IsProcessorFeaturePresent
EnterCriticalSection
LeaveCriticalSection
GetProcessTimes
OpenEventW
OpenFileMappingW
MapViewOfFile
UnmapViewOfFile
SetProcessAffinityMask
GetStdHandle
GetSystemTimeAsFileTime
FileTimeToDosDateTime
GlobalMemoryStatus
GetSystemInfo
GetProcessAffinityMask
FileTimeToLocalFileTime
FileTimeToSystemTime
CompareFileTime
GetCurrentProcess
GetDiskFreeSpaceW
GetFileInformationByHandle
SetEndOfFile
WriteFile
ReadFile
DeviceIoControl
SetFilePointer
GetFileSize
GetLogicalDriveStringsW
GetLastError
MultiByteToWideChar
WideCharToMultiByte
FreeLibrary
LoadLibraryExW
LoadLibraryW
GetModuleFileNameW
LocalFree
FormatMessageW
SetFileTime
CreateFileW
SetFileAttributesW
RemoveDirectoryW
MoveFileW
GetProcAddress
GetModuleHandleW
CreateDirectoryW
DeleteFileW
SetLastError
SetCurrentDirectoryW
GetCurrentDirectoryW
GetTempPathW
GetCurrentProcessId
GetTickCount
GetCurrentThreadId
FindClose
FindFirstFileW
FindNextFileW
GetModuleHandleA
GetFileAttributesW
WaitForSingleObject

Sections

.text
Size: 220KB - Virtual size: 220KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 46KB - Virtual size: 46KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.sxdata
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
bin/Updates.bat
bin/bcdedit.exe
.exe windows:10 windows x86 arch:x86

0591ec8002f106a8a5f4caff08971211

Code Sign

33:00:00:00:6f:65:2d:58:6d:07:11:46:28:00:00:00:00:00:6f
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

20/03/2015, 17:32

Not After

20/06/2016, 17:32

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:C0F4-3086-DEF8,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04/06/2015, 17:42

Not After

04/09/2016, 17:42

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31/08/2010, 22:19

Not After

31/08/2020, 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:7b:a2:81:0b:87:11:ab:e7:fc:00:00:00:00:00:7b
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

01/10/2014, 18:06

Not After

01/01/2016, 18:06

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

6c:06:0b:cd:a4:4b:f4:68:54:d7:ee:09:af:f7:50:08:bd:72:69:f8:02:d9:d6:2d:8a:d2:92:85:2b:15:54:b3
Signer

Actual PE Digest

6c:06:0b:cd:a4:4b:f4:68:54:d7:ee:09:af:f7:50:08:bd:72:69:f8:02:d9:d6:2d:8a:d2:92:85:2b:15:54:b3

Digest Algorithm

sha256

PE Digest Matches

true

b3:52:cd:a8:de:ac:4a:9f:18:f3:84:ff:75:55:92:a3:22:95:13:65
Signer

Actual PE Digest

b3:52:cd:a8:de:ac:4a:9f:18:f3:84:ff:75:55:92:a3:22:95:13:65

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

bcdedit.pdb

Imports

advapi32

CryptAcquireContextA
CryptGenRandom
CryptReleaseContext
GetSidLengthRequired
IsValidSid
AddAccessAllowedAce
InitializeAcl
GetAce
CreatePrivateObjectSecurityWithMultipleInheritance
SetPrivateObjectSecurityEx
GetSidSubAuthority
MakeSelfRelativeSD
SetSecurityDescriptorOwner
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
GetSecurityDescriptorControl
SetSecurityDescriptorGroup
IsValidSecurityDescriptor
DestroyPrivateObjectSecurity
GetSecurityDescriptorLength
GetLengthSid
RegQueryValueExW
RegOpenKeyExW
RegCloseKey
InitializeSid

kernel32

FindResourceExW
GetSystemDefaultUILanguage
UnmapViewOfFile
MapViewOfFile
SearchPathW
TlsSetValue
TlsFree
TlsAlloc
InitializeCriticalSectionAndSpinCount
GetProcessHeap
HeapFree
HeapAlloc
TlsGetValue
GetFileSizeEx
LoadResource
ReadFile
SetFilePointerEx
SetEndOfFile
DeleteCriticalSection
LoadLibraryExA
EnterCriticalSection
LeaveCriticalSection
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
GetModuleHandleA
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
Sleep
GetLocaleInfoW
GetVersionExW
CreateFileMappingW
GetUserDefaultUILanguage
SetLastError
FreeLibrary
GetProcAddress
LoadLibraryExW
GetModuleFileNameW
LocalFree
FormatMessageW
DeviceIoControl
CloseHandle
CreateFileW
WriteFile
WideCharToMultiByte
GetConsoleOutputCP
WriteConsoleW
GetConsoleMode
GetFileType
GetStdHandle
QueryDosDeviceW
GetVolumeNameForVolumeMountPointW
GetLastError
FlushFileBuffers

msvcrt

memset
memcmp
memcpy
bsearch
wcsncmp
_aligned_malloc
_aligned_free
malloc
free
_snwscanf_s
_wcslwr
_wcsupr
_except_handler4_common
_controlfp
?terminate@@YAXXZ
_initterm
__setusermatherr
__p__fmode
_cexit
_exit
exit
__set_app_type
__wgetmainargs
_amsg_exit
__p__commode
_XcptFilter
_wsetlocale
towupper
iswspace
_vsnwprintf
swprintf_s
wcschr
wcscpy_s
_ui64tow_s
_wcstoui64
wcstoul
_wcsnicmp
_wcsicmp
memmove
wcscat_s
_ultow_s
wcsncpy_s
wcsrchr
wcsstr
strncmp
wcsnlen

ntdll

RtlNtStatusToDosError
RtlFreeHeap
RtlAllocateHeap
RtlCompareMemory
RtlFreeUnicodeString
RtlInitUnicodeString
RtlDosPathNameToNtPathName_U
RtlGUIDFromString
RtlStringFromGUID
ZwOpenMutant
ZwReleaseMutant
ZwWaitForSingleObject
ZwClose
ZwOpenFile
NtOpenFile
ZwQueryAttributesFile
RtlAppendUnicodeToString
ZwUnloadKey
ZwCreateKey
RtlCreateAcl
RtlFreeSid
RtlSetDaclSecurityDescriptor
ZwDeleteValueKey
ZwSetValueKey
ZwSaveKey
ZwCreateFile
ZwQueryValueKey
RtlLengthSecurityDescriptor
ZwSetSecurityObject
RtlAddAccessAllowedAceEx
ZwLoadKey
RtlAllocateAndInitializeSid
ZwDeleteKey
ZwEnumerateKey
RtlLengthSid
RtlCreateSecurityDescriptor
ZwQueryKey
ZwOpenKey
RtlSetOwnerSecurityDescriptor
RtlInitAnsiString
LdrGetProcedureAddress
LdrGetDllHandle
ZwQueryVolumeInformationFile
ZwDeleteFile
ZwQueryInformationFile
NtOpenProcessTokenEx
NtSetInformationThread
RtlImpersonateSelf
NtOpenThreadTokenEx
NtAdjustPrivilegesToken
ZwCreateEvent
ZwQuerySymbolicLinkObject
RtlGetVersion
ZwOpenSymbolicLinkObject
ZwDeviceIoControlFile
ZwResetEvent
NtQuerySystemInformation
ZwAllocateUuids
NtOpenKey
NtDeviceIoControlFile
NtOpenSymbolicLinkObject
NtQuerySymbolicLinkObject
NtWaitForSingleObject
NtCreateEvent
NtQueryValueKey
NtSetValueKey
NtResetEvent
NtQueryBootEntryOrder
NtTranslateFilePath
NtCreateKey
NtQueryDirectoryObject
NtOpenDirectoryObject
NtEnumerateBootEntries
NtSetSecurityObject
NtDeleteKey
RtlUpcaseUnicodeChar
NtClose
ZwQuerySystemInformation

Exports

Exports

_ORCloseHive@4
_ORCloseKey@4
_ORCreateHive@4
_ORCreateKey@28
_ORDeleteKey@8
_ORDeleteValue@8
_OREnumKey@28
_OREnumValue@28
_ORFlushHive@4
_ORGetKeySecurity@16
_ORGetValue@24
_ORGetVirtualFlags@8
_OROpenHive@8
_OROpenHiveByHandle@8
_OROpenHiveInternal@16
_OROpenKey@12
_ORQueryInfoKey@44
_ORQueryInfoKeyEx@16
_ORSaveHive@16
_ORSetKeySecurity@12
_ORSetValue@20
_ORSetVirtualFlags@8

Sections

.text
Size: 185KB - Virtual size: 184KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGE
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 151KB - Virtual size: 151KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
bin/bfi.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 108KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 89KB - Virtual size: 92KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX2
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
out.upx
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 132KB - Virtual size: 129KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 20KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 32KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
bin/bin64/libwim-15.dll
.dll windows:4 windows x64 arch:x64

538fc77d4a74ee72537e7bdd62b25332

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL

Imports

advapi32

AdjustTokenPrivileges
CloseEncryptedFileRaw
LookupPrivilegeValueW
OpenEncryptedFileRawW
OpenProcessToken
ReadEncryptedFileRaw
RegCloseKey
RegCreateKeyExW
RegFlushKey
RegLoadKeyW
RegSetValueExW
RegUnLoadKeyW
SystemFunction036
WriteEncryptedFileRaw

kernel32

AddVectoredExceptionHandler
CloseHandle
CreateEventA
CreateFileW
CreateSemaphoreA
DeleteCriticalSection
DeleteFileW
DeviceIoControl
DuplicateHandle
EnterCriticalSection
FindFirstFileW
FindFirstVolumeW
FindNextFileW
FindNextVolumeW
FindVolumeClose
FlushFileBuffers
FormatMessageW
FreeLibrary
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetDiskFreeSpaceExW
GetFileInformationByHandle
GetFileSizeEx
GetFileType
GetFullPathNameW
GetHandleInformation
GetLastError
GetModuleFileNameW
GetModuleHandleW
GetProcAddress
GetProcessAffinityMask
GetProcessHeap
GetSystemInfo
GetSystemTimeAsFileTime
GetThreadContext
GetThreadPriority
GetTickCount
GetVolumeInformationW
GlobalMemoryStatusEx
HeapAlloc
HeapFree
InitializeCriticalSection
IsDBCSLeadByteEx
IsDebuggerPresent
LeaveCriticalSection
LoadLibraryW
MoveFileExW
MoveFileW
MultiByteToWideChar
OutputDebugStringA
QueryPerformanceCounter
RaiseException
ReadFile
ReleaseSemaphore
RemoveVectoredExceptionHandler
ResetEvent
ResumeThread
RtlAddFunctionTable
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
SetEndOfFile
SetEvent
SetFilePointer
SetFilePointerEx
SetLastError
SetProcessAffinityMask
SetThreadContext
SetThreadPriority
SetUnhandledExceptionFilter
Sleep
SuspendThread
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TryEnterCriticalSection
UnhandledExceptionFilter
VirtualProtect
VirtualQuery
WaitForMultipleObjects
WaitForSingleObject
WideCharToMultiByte
WriteFile
__C_specific_handler

msvcrt

___lc_codepage_func
___mb_cur_max_func
__iob_func
_amsg_exit
_beginthreadex
_endthreadex
_errno
_exit
_fstat64
_get_osfhandle
_gmtime64
_initterm
_lock
_lseeki64
_open_osfhandle
_setjmp
_snwprintf
_stat64
fwprintf
_telli64
_time64
_ultoa
_unlock
_vsnprintf
_waccess
_wcsicmp
_wfopen
_wgetenv
_wmkdir
_wopen
_wstat64
_wtempnam
_wunlink
abort
calloc
exit
fclose
feof
ferror
fflush
fgetwc
fopen
fprintf
fputc
fputs
fputwc
fputws
fread
free
fwprintf
fwrite
getenv
islower
isspace
isupper
iswctype
localeconv
longjmp
malloc
mbstowcs
memchr
memcmp
memcpy
memmove
memset
printf
putc
qsort
raise
rand
realloc
signal
srand
sscanf
strcat
strchr
strcmp
strcpy
strerror
strlen
strncmp
strncpy
toupper
towlower
ungetwc
vfprintf
wcschr
wcscmp
wcscpy
wcsftime
wcslen
wcsncmp
wcspbrk
wcsrchr
wcsstr
wcstol
wcstoul
_wstat
_write
_strdup
_read
_getcwd
_fdopen
_close

ntdll

NtClose
NtCreateFile
NtFsControlFile
NtOpenFile
NtOpenSymbolicLinkObject
NtQueryDirectoryFile
NtQueryEaFile
NtQueryInformationFile
NtQuerySecurityObject
NtQueryVolumeInformationFile
NtReadFile
NtSetEaFile
NtSetInformationFile
NtSetSecurityObject
NtWaitForSingleObject
NtWriteFile
RtlDosPathNameToNtPathName_U
RtlInitUnicodeString
RtlNtStatusToDosError

user32

MessageBoxW
wsprintfW

Exports

Exports

wimlib_add_empty_image
wimlib_add_image
wimlib_add_image_multisource
wimlib_add_tree
wimlib_compress
wimlib_create_compressor
wimlib_create_decompressor
wimlib_create_new_wim
wimlib_decompress
wimlib_delete_image
wimlib_delete_path
wimlib_export_image
wimlib_extract_image
wimlib_extract_image_from_pipe
wimlib_extract_image_from_pipe_with_progress
wimlib_extract_pathlist
wimlib_extract_paths
wimlib_extract_xml_data
wimlib_free
wimlib_free_compressor
wimlib_free_decompressor
wimlib_get_compression_type_string
wimlib_get_compressor_needed_memory
wimlib_get_error_string
wimlib_get_image_description
wimlib_get_image_name
wimlib_get_image_property
wimlib_get_version
wimlib_get_version_string
wimlib_get_wim_info
wimlib_get_xml_data
wimlib_global_cleanup
wimlib_global_init
wimlib_image_name_in_use
wimlib_iterate_dir_tree
wimlib_iterate_lookup_table
wimlib_join
wimlib_join_with_progress
wimlib_mount_image
wimlib_open_wim
wimlib_open_wim_with_progress
wimlib_overwrite
wimlib_print_available_images
wimlib_print_header
wimlib_reference_resource_files
wimlib_reference_resources
wimlib_reference_template_image
wimlib_register_progress_function
wimlib_rename_path
wimlib_resolve_image
wimlib_set_default_compression_level
wimlib_set_error_file
wimlib_set_error_file_by_name
wimlib_set_image_descripton
wimlib_set_image_flags
wimlib_set_image_name
wimlib_set_image_property
wimlib_set_memory_allocator
wimlib_set_output_chunk_size
wimlib_set_output_compression_type
wimlib_set_output_pack_chunk_size
wimlib_set_output_pack_compression_type
wimlib_set_print_errors
wimlib_set_wim_info
wimlib_split
wimlib_unmount_image
wimlib_unmount_image_with_progress
wimlib_update_image
wimlib_verify_wim
wimlib_write
wimlib_write_to_fd

Sections

.text
Size: 552KB - Virtual size: 550KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 120KB - Virtual size: 120KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 23KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 134KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 96B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 928B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
bin/bin64/wimlib-imagex.exe
.exe windows:4 windows x64 arch:x64

42338fb0ec18ea55abd3d040c027d736

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Imports

libwim-15

wimlib_add_image_multisource
wimlib_create_new_wim
wimlib_delete_image
wimlib_export_image
wimlib_extract_image
wimlib_extract_image_from_pipe_with_progress
wimlib_extract_pathlist
wimlib_extract_paths
wimlib_extract_xml_data
wimlib_free
wimlib_get_compression_type_string
wimlib_get_error_string
wimlib_get_image_property
wimlib_get_version_string
wimlib_get_wim_info
wimlib_global_cleanup
wimlib_global_init
wimlib_image_name_in_use
wimlib_iterate_dir_tree
wimlib_iterate_lookup_table
wimlib_join_with_progress
wimlib_open_wim_with_progress
wimlib_overwrite
wimlib_print_available_images
wimlib_print_header
wimlib_reference_resource_files
wimlib_reference_resources
wimlib_reference_template_image
wimlib_register_progress_function
wimlib_resolve_image
wimlib_set_default_compression_level
wimlib_set_image_property
wimlib_set_output_chunk_size
wimlib_set_output_compression_type
wimlib_set_output_pack_chunk_size
wimlib_set_output_pack_compression_type
wimlib_set_print_errors
wimlib_set_wim_info
wimlib_split
wimlib_update_image
wimlib_verify_wim
wimlib_write
wimlib_write_to_fd

advapi32

ConvertSecurityDescriptorToStringSecurityDescriptorW

kernel32

DeleteCriticalSection
EnterCriticalSection
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetLastError
GetModuleHandleW
GetProcAddress
GetStartupInfoW
GetSystemTimeAsFileTime
GetTickCount
InitializeCriticalSection
IsDBCSLeadByteEx
LeaveCriticalSection
LocalFree
MultiByteToWideChar
QueryPerformanceCounter
RtlAddFunctionTable
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
SetUnhandledExceptionFilter
Sleep
TerminateProcess
TlsGetValue
UnhandledExceptionFilter
VirtualProtect
VirtualQuery
WideCharToMultiByte

msvcrt

__C_specific_handler
___lc_codepage_func
___mb_cur_max_func
__iob_func
__lconv_init
__set_app_type
__setusermatherr
__wgetmainargs
__winitenv
_amsg_exit
_cexit
_errno
_fmode
_fpreset
_gmtime64
_initterm
_lock
_onexit
_putws
_setmode
fwprintf
_unlock
_wcmdln
_wcserror
_wcsicmp
_wfopen
_wgetenv
_wstat64
abort
calloc
exit
fclose
feof
ferror
fflush
fprintf
fputc
fputwc
fputws
fread
free
fwrite
getenv
iswctype
localeconv
malloc
memcpy
memmove
realloc
signal
strerror
strlen
strncmp
vfprintf
wcscat
wcschr
wcscmp
wcscpy
wcsftime
wcslen
wcsncmp
wcsrchr
wcstoul
_wcsdup
_isatty

Sections

.text
Size: 80KB - Virtual size: 79KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 384B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 38KB - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 5KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 104B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
bin/bootmui.txt
bin/bootwim.txt
bin/cdimage.exe
.exe windows:10 windows x86 arch:x86

1e51fc9ceb483eef5a26d8632464b381

Code Sign

33:00:00:01:b2:4a:37:c6:c9:7e:01:68:86:00:01:00:00:01:b2
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

12/07/2018, 20:11

Not After

26/07/2019, 20:11

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31/08/2010, 22:19

Not After

31/08/2020, 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:02:39:b2:b4:e8:2a:22:34:49:2f:00:00:00:00:02:39
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

12/07/2018, 20:07

Not After

08/08/2019, 20:07

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

3e:db:c2:e6:bf:ab:bb:2f:46:64:7a:43:fd:1c:ae:e7:74:33:cc:e3:7d:4e:c4:fc:c5:52:c9:f8:dc:56:14:00
Signer

Actual PE Digest

3e:db:c2:e6:bf:ab:bb:2f:46:64:7a:43:fd:1c:ae:e7:74:33:cc:e3:7d:4e:c4:fc:c5:52:c9:f8:dc:56:14:00

Digest Algorithm

sha256

PE Digest Matches

true

23:48:9b:c2:e8:af:e3:73:28:ca:9c:a1:b0:a0:1d:1a:52:7a:cc:fb
Signer

Actual PE Digest

23:48:9b:c2:e8:af:e3:73:28:ca:9c:a1:b0:a0:1d:1a:52:7a:cc:fb

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

OSCDIMG.pdb

Imports

kernel32

GetVersionExA
SetErrorMode
GetSystemTime
SystemTimeToFileTime
SetFileApisToANSI
SetFileApisToOEM
GetTimeZoneInformation
GetFullPathNameA
GetFullPathNameW
lstrlenW
FindFirstFileW
FindFirstFileA
FindClose
GetLongPathNameW
GetLastError
GetLongPathNameA
HeapFree
CreateFileW
CreateFileA
CloseHandle
WaitForSingleObject
SetEvent
FileTimeToSystemTime
DeleteFileA
MultiByteToWideChar
WideCharToMultiByte
GetFileSize
ReadFile
GetFileTime
GetFileInformationByHandle
FindNextFileA
FindNextFileW
GetOverlappedResult
SetEndOfFile
SetFilePointer
CreateEventA
WriteFile
SetLastError
EnterCriticalSection
LeaveCriticalSection
GetCurrentProcess
GetModuleHandleA
GetProcessWorkingSetSize
SetProcessWorkingSetSize
InitializeCriticalSection
VirtualFree
SetConsoleCtrlHandler
ExitProcess
FormatMessageA
GetProcessHeap
HeapAlloc
VirtualAlloc
VirtualLock
ResetEvent
GetProcAddress
ReleaseSemaphore
CreateThread
WaitForMultipleObjects
SetThreadPriority
CreateSemaphoreA
GetDiskFreeSpaceA
GetDiskFreeSpaceW
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
GetModuleHandleW
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
Sleep

msvcrt

sprintf_s
wprintf
wcsrchr
_wcsicmp
strrchr
_stricmp
wcscpy_s
wcstok
wcscat_s
strtok
_wfopen
fgetws
feof
fclose
fopen
fgets
swprintf_s
_strnicmp
_strtoui64
strtoul
tolower
atoi
srand
time
vfprintf
_ultoa
rand
_wcsnicmp
_XcptFilter
__p__commode
_amsg_exit
__getmainargs
__set_app_type
_exit
_cexit
__p__fmode
__setusermatherr
_initterm
_except_handler4_common
?terminate@@YAXXZ
_controlfp
memcpy
wcschr
_strupr
wcsncmp
strcat_s
strcpy_s
exit
printf
fflush
fprintf
strchr
__iob_func
memcmp
memset

Sections

.text
Size: 92KB - Virtual size: 91KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 264KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
bin/imagex.exe
.exe windows:10 windows x86 arch:x86

6816108faf77a6c11f4b9ffc7bae891f

Code Sign

33:00:00:00:c8:47:22:9d:a3:0d:ca:c0:58:00:00:00:00:00:c8
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

07/09/2016, 17:58

Not After

07/09/2018, 17:58

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:98FD-C61E-E641,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:01:40:96:a9:ee:70:56:fe:cc:07:00:01:00:00:01:40
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

18/08/2016, 20:17

Not After

02/11/2017, 20:17

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31/08/2010, 22:19

Not After

31/08/2020, 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:01:4f:e7:c6:62:c9:46:f4:a9:7f:00:00:00:00:01:4f
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

17/11/2016, 21:59

Not After

17/02/2018, 21:59

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:c9:0c:a3:10:28:64:07:22:71:32:f6:f5:7d:4c:f8:00:36:dd:d5:0f:f1:ce:d0:09:54:dc:4d:b7:e3:e9:1b
Signer

Actual PE Digest

61:c9:0c:a3:10:28:64:07:22:71:32:f6:f5:7d:4c:f8:00:36:dd:d5:0f:f1:ce:d0:09:54:dc:4d:b7:e3:e9:1b

Digest Algorithm

sha256

PE Digest Matches

true

8b:bc:9b:e8:61:73:33:98:ac:ab:d0:0d:13:29:14:8f:9c:bc:1d:09
Signer

Actual PE Digest

8b:bc:9b:e8:61:73:33:98:ac:ab:d0:0d:13:29:14:8f:9c:bc:1d:09

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
IMAGE_FILE_NET_RUN_FROM_SWAP

PDB Paths

imagex.pdb

Imports

msvcrt

_lock
_except_handler4_common
memmove_s
_strcmpi
wcstoul
_unlock
_wcsupr
_snwprintf_s
qsort
_wcsrev
_wcslwr
_strnicmp
__dllonexit
strcpy_s
_wcstoi64
_controlfp
?terminate@@YAXXZ
_initterm
__setusermatherr
__p__fmode
_onexit
_exit
wcsstr
wcsncmp
wcsnlen
exit
__set_app_type
swscanf_s
towupper
_wcsnicmp
wcschr
_vscwprintf
__wgetmainargs
_amsg_exit
__p__commode
_XcptFilter
_wtoi
wcsrchr
_wtol
fflush
memmove
_wcsicmp
__iob_func
memcpy
memcmp
printf
iswspace
_purecall
malloc
_callnewh
_cexit
bsearch
free
memcpy_s
memset
_vsnwprintf

ntdll

DbgPrintEx
NtYieldExecution
RtlRaiseStatus
RtlReAllocateHeap
RtlDeleteCriticalSection
RtlInitializeCriticalSection
RtlDeleteResource
RtlReleaseResource
RtlAcquireResourceShared
RtlAcquireResourceExclusive
RtlInitializeResource
RtlInitUnicodeString
NtQuerySecurityObject
RtlImpersonateSelf
NtSetEaFile
NtCreateFile
NtQueryEaFile
NtQueryVolumeInformationFile
NtQueryInformationProcess
NtQueryInformationFile
RtlAdjustPrivilege
NtClose
NtQueryDirectoryFile
NtOpenFile
RtlDosPathNameToNtPathName_U
NtSetSecurityObject
RtlFindAceByType
RtlSetControlSecurityDescriptor
RtlGetLastNtStatus
RtlFreeHeap
RtlAllocateHeap
NtSetInformationFile
RtlNtStatusToDosError
RtlGetVersion

kernel32

MapViewOfFile
CreateFileMappingW
lstrcmpW
CreateSemaphoreW
GetDriveTypeW
GetTempFileNameW
DeleteFileW
GetTempPathW
GetLogicalDrives
Sleep
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
UnmapViewOfFile
GetModuleHandleA
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
WaitForMultipleObjects
ReleaseSemaphore
GetPrivateProfileSectionW
DuplicateHandle
UnlockFileEx
LockFileEx
GetVolumeInformationByHandleW
GetSystemWindowsDirectoryW
GlobalMemoryStatusEx
TerminateProcess
FindClose
GetFinalPathNameByHandleW
GetVolumeInformationW
InitializeCriticalSectionAndSpinCount
CreateEventW
OpenProcess
ReleaseMutex
LocalAlloc
GetModuleHandleExW
CreateMutexW
HeapReAlloc
RemoveDirectoryW
SetFilePointer
GetFileSize
GetCurrentThread
SetThreadIdealProcessor
GetSystemInfo
DeleteCriticalSection
GetOverlappedResult
ReadFile
SetEndOfFile
SetFilePointerEx
GetFileSizeEx
GetHandleInformation
GetVolumeNameForVolumeMountPointW
GetVolumePathNameW
CreateDirectoryW
HeapAlloc
GetProcessHeap
WideCharToMultiByte
GetLastError
WriteFile
GetConsoleMode
GetConsoleScreenBufferInfo
WriteConsoleW
SetConsoleCursorPosition
GetStdHandle
InitializeCriticalSection
FlushFileBuffers
CopyFileExW
GetFileInformationByHandle
SetFileAttributesW
CreateFileW
DeviceIoControl
GetCurrentDirectoryW
LoadLibraryExW
FindNextFileW
GetVolumePathNamesForVolumeNameW
LoadLibraryW
SetFileTime
LocalFileTimeToFileTime
DosDateTimeToFileTime
MultiByteToWideChar
CreateSemaphoreExW
GetExitCodeProcess
CreateProcessW
GetLogicalDriveStringsW
FindFirstFileW
FreeLibrary
GetModuleHandleW
SetConsoleCtrlHandler
GetModuleFileNameW
WaitForMultipleObjectsEx
GetFullPathNameW
TlsSetValue
TlsGetValue
TlsFree
TlsAlloc
GetTickCount64
GetSystemDirectoryW
GetFileAttributesW
CompareStringW
GetCommandLineW
SetLastError
GetEnvironmentVariableW
LocalFree
WaitForSingleObject
OpenEventW
FormatMessageW
HeapFree
SetEvent
EnterCriticalSection
LeaveCriticalSection
CloseHandle
CreateThread
GetProcAddress
FillConsoleOutputCharacterW

user32

CharPrevW
LoadStringW
CharNextW
CharUpperW

shlwapi

PathMatchSpecW
StrStrIW

setupapi

SetupFindFirstLineW
SetupOpenInfFileW
SetupCloseInfFile
SetupFindNextLine
SetupGetLineTextW

rpcrt4

UuidFromStringW
RpcStringFreeW
UuidToStringW
RpcBindingFree
RpcBindingSetAuthInfoW
RpcBindingFromStringBindingW
UuidCreate
I_RpcMapWin32Status
NdrClientCall2
RpcStringBindingComposeW

fltlib

FilterLoad
FilterAttach

cabinet

ord22
ord20
ord23

advapi32

GetSecurityInfo
SetSecurityDescriptorDacl
EqualSid
AddAccessAllowedAce
InitializeAcl
GetLengthSid
GetTokenInformation
OpenThreadToken
InitializeSecurityDescriptor
RegUnLoadKeyW
RegLoadKeyW
GetAclInformation
GetSecurityDescriptorLength
GetSecurityDescriptorControl
GetSecurityDescriptorSacl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorOwner
RegCloseKey
RegDeleteKeyExW
RegFlushKey
RegCreateKeyExW
RegEnumKeyExW
RegSetValueExW
RegOpenKeyExW
RegDeleteValueW
RegEnumValueW
RegQueryValueExW
AdjustTokenPrivileges
AllocateAndInitializeSid
OpenProcessToken
FreeSid
CheckTokenMembership
OpenEncryptedFileRawW
WriteEncryptedFileRaw
CloseEncryptedFileRaw
RevertToSelf
ReadEncryptedFileRaw
RegQueryInfoKeyW
SetThreadToken
AddAccessAllowedAceEx

version

GetFileVersionInfoExW
VerQueryValueW
GetFileVersionInfoSizeExW

bcrypt

BCryptCloseAlgorithmProvider
BCryptDestroyHash
BCryptOpenAlgorithmProvider
BCryptGetProperty
BCryptCreateHash
BCryptHashData
BCryptFinishHash

Sections

.text
Size: 536KB - Virtual size: 536KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 51KB - Virtual size: 50KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
bin/libwim-15.dll
.dll windows:4 windows x86 arch:x86

cf5ab950207c09b4f2086ec848eb2677

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL

Imports

advapi32

AdjustTokenPrivileges
CloseEncryptedFileRaw
LookupPrivilegeValueW
OpenEncryptedFileRawW
OpenProcessToken
ReadEncryptedFileRaw
RegCloseKey
RegCreateKeyExW
RegFlushKey
RegLoadKeyW
RegSetValueExW
RegUnLoadKeyW
SystemFunction036
WriteEncryptedFileRaw

kernel32

AddVectoredExceptionHandler
CloseHandle
CreateEventA
CreateFileW
CreateSemaphoreA
DeleteCriticalSection
DeleteFileW
DeviceIoControl
DuplicateHandle
EnterCriticalSection
FindFirstFileW
FindFirstVolumeW
FindNextFileW
FindNextVolumeW
FindVolumeClose
FlushFileBuffers
FormatMessageW
FreeLibrary
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetDiskFreeSpaceExW
GetFileInformationByHandle
GetFileSizeEx
GetFileType
GetFullPathNameW
GetHandleInformation
GetLastError
GetModuleFileNameW
GetModuleHandleW
GetProcAddress
GetProcessAffinityMask
GetProcessHeap
GetSystemInfo
GetSystemTimeAsFileTime
GetThreadContext
GetThreadPriority
GetTickCount
GetVolumeInformationW
GlobalMemoryStatusEx
HeapAlloc
HeapFree
InitializeCriticalSection
IsDBCSLeadByteEx
IsDebuggerPresent
IsWow64Process
LeaveCriticalSection
LoadLibraryW
MoveFileExW
MoveFileW
MultiByteToWideChar
OutputDebugStringA
QueryPerformanceCounter
RaiseException
ReadFile
ReleaseSemaphore
RemoveVectoredExceptionHandler
ResetEvent
ResumeThread
SetEndOfFile
SetEvent
SetFilePointer
SetFilePointerEx
SetLastError
SetProcessAffinityMask
SetThreadContext
SetThreadPriority
SetUnhandledExceptionFilter
Sleep
SuspendThread
TerminateProcess
TlsAlloc
TlsGetValue
TlsSetValue
TryEnterCriticalSection
UnhandledExceptionFilter
VirtualProtect
VirtualQuery
WaitForMultipleObjects
WaitForSingleObject
WideCharToMultiByte
WriteFile

msvcrt

___mb_cur_max_func
_amsg_exit
_beginthreadex
_endthreadex
_errno
_exit
_fstat64
_get_osfhandle
_gmtime64
_initterm
_iob
_lock
_lseeki64
_open_osfhandle
_setjmp3
_telli64
_ultoa
_unlock
_vsnprintf
_waccess
_wcsicmp
_wfopen
_wgetenv
_wmkdir
_wopen
_wstat64
fwprintf
_wtempnam
_wunlink
abort
atoi
calloc
exit
fclose
feof
ferror
fflush
fgetwc
fopen
fprintf
fputc
fputs
fputwc
fputws
fread
free
fwprintf
fwrite
getenv
islower
isspace
isupper
iswctype
localeconv
malloc
mbstowcs
memchr
memcmp
memcpy
memmove
memset
printf
putc
qsort
raise
rand
realloc
setlocale
srand
sscanf
strcat
strchr
strcmp
strcpy
strerror
strlen
strncmp
strncpy
toupper
towlower
ungetwc
vfprintf
time
wcschr
wcscmp
wcscpy
wcsftime
wcslen
wcsncmp
wcspbrk
wcsrchr
wcsstr
wcstol
wcstoul
_wstat
_stat
_snwprintf
longjmp
_write
_strdup
_read
_getcwd
_fdopen
_close

ntdll

NtClose
NtCreateFile
NtFsControlFile
NtOpenFile
NtOpenSymbolicLinkObject
NtQueryDirectoryFile
NtQueryEaFile
NtQueryInformationFile
NtQuerySecurityObject
NtQueryVolumeInformationFile
NtReadFile
NtSetEaFile
NtSetInformationFile
NtSetSecurityObject
NtWaitForSingleObject
NtWriteFile
RtlDosPathNameToNtPathName_U
RtlInitUnicodeString
RtlNtStatusToDosError

user32

MessageBoxW
wsprintfW

Exports

Exports

wimlib_add_empty_image
wimlib_add_image
wimlib_add_image_multisource
wimlib_add_tree
wimlib_compress
wimlib_create_compressor
wimlib_create_decompressor
wimlib_create_new_wim
wimlib_decompress
wimlib_delete_image
wimlib_delete_path
wimlib_export_image
wimlib_extract_image
wimlib_extract_image_from_pipe
wimlib_extract_image_from_pipe_with_progress
wimlib_extract_pathlist
wimlib_extract_paths
wimlib_extract_xml_data
wimlib_free
wimlib_free_compressor
wimlib_free_decompressor
wimlib_get_compression_type_string
wimlib_get_compressor_needed_memory
wimlib_get_error_string
wimlib_get_image_description
wimlib_get_image_name
wimlib_get_image_property
wimlib_get_version
wimlib_get_version_string
wimlib_get_wim_info
wimlib_get_xml_data
wimlib_global_cleanup
wimlib_global_init
wimlib_image_name_in_use
wimlib_iterate_dir_tree
wimlib_iterate_lookup_table
wimlib_join
wimlib_join_with_progress
wimlib_mount_image
wimlib_open_wim
wimlib_open_wim_with_progress
wimlib_overwrite
wimlib_print_available_images
wimlib_print_header
wimlib_reference_resource_files
wimlib_reference_resources
wimlib_reference_template_image
wimlib_register_progress_function
wimlib_rename_path
wimlib_resolve_image
wimlib_set_default_compression_level
wimlib_set_error_file
wimlib_set_error_file_by_name
wimlib_set_image_descripton
wimlib_set_image_flags
wimlib_set_image_name
wimlib_set_image_property
wimlib_set_memory_allocator
wimlib_set_output_chunk_size
wimlib_set_output_compression_type
wimlib_set_output_pack_chunk_size
wimlib_set_output_pack_compression_type
wimlib_set_print_errors
wimlib_set_wim_info
wimlib_split
wimlib_unmount_image
wimlib_unmount_image_with_progress
wimlib_update_image
wimlib_verify_wim
wimlib_write
wimlib_write_to_fd

Sections

.text
Size: 553KB - Virtual size: 553KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 828B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 114KB - Virtual size: 114KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 132KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 48B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
bin/offlinereg.exe
.exe windows:4 windows x86 arch:x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Sections

CODE
Size: 95KB - Virtual size: 95KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

DATA
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

BSS
Size: - Virtual size: 2KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 12B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
bin/offreg.dll
.dll windows:6 windows x86 arch:x86

7f06a5f1ddbdb3daa4bd9e267b9e1f4c

Code Sign

61:04:b3:f5:00:00:00:00:00:0d
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

25/07/2008, 19:13

Not After

25/07/2011, 19:23

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:9E78-864B-039D,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

61:15:23:0f:00:00:00:00:00:0a
Certificate

Issuer

CN=Microsoft Windows Verification PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

07/12/2009, 21:57

Not After

07/03/2011, 21:57

Subject

CN=Microsoft Windows,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:07:02:dc:00:00:00:00:00:0b
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

15/09/2005, 21:55

Not After

15/03/2016, 22:05

Subject

CN=Microsoft Windows Verification PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment
KeyUsageCertSign
KeyUsageCRLSign

13:3f:33:a4:99:03:ab:e0:5c:63:75:f6:fe:c4:d9:6b:4d:c1:a9:d5
Signer

Actual PE Digest

13:3f:33:a4:99:03:ab:e0:5c:63:75:f6:fe:c4:d9:6b:4d:c1:a9:d5

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

offreg.pdb

Imports

msvcrt

_wcsicmp
_aligned_malloc
_aligned_free
towupper
_wcsnicmp
memmove
memcpy
memset
_amsg_exit
_initterm
free
malloc
_XcptFilter

kernel32

DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
FreeLibrary
GetProcAddress
GetLastError
LoadLibraryA
TlsFree
TlsAlloc
TlsGetValue
InitializeCriticalSectionAndSpinCount
HeapFree
HeapAlloc
GetProcessHeap
CreateFileW
CloseHandle
ReadFile
WriteFile
GetFileSizeEx
FlushFileBuffers
GetCurrentProcessId
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCurrentProcess
InterlockedExchange
Sleep
InterlockedCompareExchange
RtlUnwind
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
TlsSetValue
GetSystemTimeAsFileTime
TerminateProcess

advapi32

InitializeSid
DestroyPrivateObjectSecurity
IsValidSecurityDescriptor
GetSecurityDescriptorControl
MakeSelfRelativeSD
SetSecurityDescriptorGroup
SetSecurityDescriptorOwner
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
SetPrivateObjectSecurityEx
CreatePrivateObjectSecurityWithMultipleInheritance
GetAce
AddAccessAllowedAce
InitializeAcl
GetLengthSid
IsValidSid
GetSidLengthRequired
GetSecurityDescriptorLength
GetSidSubAuthority

Exports

Exports

ORCloseHive
ORCloseKey
ORCreateHive
ORCreateKey
ORDeleteKey
ORDeleteValue
OREnumKey
OREnumValue
ORGetKeySecurity
ORGetValue
ORGetVersion
ORGetVirtualFlags
OROpenHive
OROpenKey
ORQueryInfoKey
ORSaveHive
ORSetKeySecurity
ORSetValue
ORSetVirtualFlags

Sections

.text
Size: 27KB - Virtual size: 26KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGE
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 1008B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
bin/wimlib-imagex.exe
.exe windows:4 windows x86 arch:x86

e882503764465dbaaee6c2a5e5884e4a

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED

Imports

libwim-15

wimlib_add_image_multisource
wimlib_create_new_wim
wimlib_delete_image
wimlib_export_image
wimlib_extract_image
wimlib_extract_image_from_pipe_with_progress
wimlib_extract_pathlist
wimlib_extract_paths
wimlib_extract_xml_data
wimlib_free
wimlib_get_compression_type_string
wimlib_get_error_string
wimlib_get_image_property
wimlib_get_version_string
wimlib_get_wim_info
wimlib_global_cleanup
wimlib_global_init
wimlib_image_name_in_use
wimlib_iterate_dir_tree
wimlib_iterate_lookup_table
wimlib_join_with_progress
wimlib_open_wim_with_progress
wimlib_overwrite
wimlib_print_available_images
wimlib_print_header
wimlib_reference_resource_files
wimlib_reference_resources
wimlib_reference_template_image
wimlib_register_progress_function
wimlib_resolve_image
wimlib_set_default_compression_level
wimlib_set_image_property
wimlib_set_output_chunk_size
wimlib_set_output_compression_type
wimlib_set_output_pack_chunk_size
wimlib_set_output_pack_compression_type
wimlib_set_print_errors
wimlib_set_wim_info
wimlib_split
wimlib_update_image
wimlib_verify_wim
wimlib_write
wimlib_write_to_fd

advapi32

ConvertSecurityDescriptorToStringSecurityDescriptorW

kernel32

DeleteCriticalSection
EnterCriticalSection
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetLastError
GetModuleHandleW
GetProcAddress
GetStartupInfoW
GetSystemTimeAsFileTime
GetTickCount
InitializeCriticalSection
IsDBCSLeadByteEx
LeaveCriticalSection
LocalFree
MultiByteToWideChar
QueryPerformanceCounter
SetUnhandledExceptionFilter
Sleep
TerminateProcess
TlsGetValue
UnhandledExceptionFilter
VirtualProtect
VirtualQuery
WideCharToMultiByte

msvcrt

___mb_cur_max_func
__lconv_init
__p__fmode
__p__wcmdln
__set_app_type
__setusermatherr
__wgetmainargs
__winitenv
_amsg_exit
_cexit
_errno
_fmode
_fpreset
_gmtime64
_initterm
_iob
_lock
_onexit
_putws
_setmode
_unlock
_wcserror
_wcsicmp
_wfopen
_wgetenv
_wstat64
fwprintf
abort
atoi
calloc
exit
fclose
feof
ferror
fflush
fprintf
fputc
fputwc
fputws
fread
free
fwrite
getenv
iswctype
localeconv
malloc
memcpy
memmove
realloc
setlocale
signal
strchr
strerror
strlen
strncmp
vfprintf
wcscat
wcschr
wcscmp
wcscpy
wcsftime
wcslen
wcsncmp
wcsrchr
wcstoul
_wcsdup
_isatty

Sections

.text
Size: 83KB - Virtual size: 82KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 160B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 34KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 3KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 52B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
convert-UUP.cmd
.cmd .vbs
create_virtual_editions.cmd
.cmd .vbs
multi_arch_iso.cmd
.wsf .vbs polyglot

Sharing

General

Malware Config

Signatures

Files

eae62d826e46e5b549dcb388a46c0f3b

Headers

DLL Characteristics

File Characteristics

Imports

oleaut32

user32

advapi32

msvcrt

kernel32

Sections

.text Size: 424KB - Virtual size: 424KB

.rdata Size: 62KB - Virtual size: 61KB

.data Size: 1KB - Virtual size: 26KB

.sxdata Size: 512B - Virtual size: 4B

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 20KB - Virtual size: 19KB

573d03ab431ea72a3cd881ac0aeabbd0

Headers

DLL Characteristics

File Characteristics

Imports

advapi32

bcrypt

crypt32

iphlpapi

kernel32

msvcrt

secur32

shell32

user32

ws2_32

wsock32

Sections

.text Size: 4.3MB - Virtual size: 4.3MB

.data Size: 14KB - Virtual size: 14KB

.rdata Size: 471KB - Virtual size: 471KB

.bss Size: - Virtual size: 12KB

.idata Size: 9KB - Virtual size: 8KB

.CRT Size: 512B - Virtual size: 52B

.tls Size: 512B - Virtual size: 8B

622eae4411b119bf4ca7bee4fa1391c8

Headers

DLL Characteristics

File Characteristics

Imports

oleaut32

user32

msvcrt

kernel32

Exports

Exports

Sections

.text Size: 864KB - Virtual size: 863KB

.rdata Size: 117KB - Virtual size: 116KB

.data Size: 1KB - Virtual size: 33KB

.sxdata Size: 512B - Virtual size: 4B

.rsrc Size: 95KB - Virtual size: 94KB

.reloc Size: 35KB - Virtual size: 35KB

c2674610547987e150ca76c2c9c784a0

Headers

DLL Characteristics

File Characteristics

Imports

oleaut32

user32

advapi32

msvcrt

kernel32

Sections

.text Size: 220KB - Virtual size: 220KB

.rdata Size: 46KB - Virtual size: 46KB

.data Size: 1KB - Virtual size: 9KB

.sxdata Size: 512B - Virtual size: 4B

.rsrc Size: 2KB - Virtual size: 1KB

.text
Size: 424KB - Virtual size: 424KB

.rdata
Size: 62KB - Virtual size: 61KB

.data
Size: 1KB - Virtual size: 26KB

.sxdata
Size: 512B - Virtual size: 4B

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 20KB - Virtual size: 19KB

.text
Size: 4.3MB - Virtual size: 4.3MB

.data
Size: 14KB - Virtual size: 14KB

.rdata
Size: 471KB - Virtual size: 471KB

.bss
Size: - Virtual size: 12KB

.idata
Size: 9KB - Virtual size: 8KB

.CRT
Size: 512B - Virtual size: 52B

.tls
Size: 512B - Virtual size: 8B

.text
Size: 864KB - Virtual size: 863KB

.rdata
Size: 117KB - Virtual size: 116KB

.data
Size: 1KB - Virtual size: 33KB

.sxdata
Size: 512B - Virtual size: 4B

.rsrc
Size: 95KB - Virtual size: 94KB

.reloc
Size: 35KB - Virtual size: 35KB

.text
Size: 220KB - Virtual size: 220KB

.rdata
Size: 46KB - Virtual size: 46KB

.data
Size: 1KB - Virtual size: 9KB

.sxdata
Size: 512B - Virtual size: 4B

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 14KB - Virtual size: 13KB

33:00:00:00:6f:65:2d:58:6d:07:11:46:28:00:00:00:00:00:6f
Certificate

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

61:33:26:1a:00:00:00:00:00:31
Certificate

61:16:68:34:00:00:00:00:00:1c
Certificate

33:00:00:00:7b:a2:81:0b:87:11:ab:e7:fc:00:00:00:00:00:7b
Certificate

61:0c:52:4c:00:00:00:00:00:03
Certificate

6c:06:0b:cd:a4:4b:f4:68:54:d7:ee:09:af:f7:50:08:bd:72:69:f8:02:d9:d6:2d:8a:d2:92:85:2b:15:54:b3
Signer

b3:52:cd:a8:de:ac:4a:9f:18:f3:84:ff:75:55:92:a3:22:95:13:65
Signer

.text
Size: 185KB - Virtual size: 184KB

PAGE
Size: 2KB - Virtual size: 2KB

.data
Size: 512B - Virtual size: 1KB

.idata
Size: 6KB - Virtual size: 5KB

.rsrc
Size: 151KB - Virtual size: 151KB

.reloc
Size: 8KB - Virtual size: 7KB

UPX0
Size: - Virtual size: 108KB

UPX1
Size: 89KB - Virtual size: 92KB

UPX2
Size: 512B - Virtual size: 4KB

.text
Size: 132KB - Virtual size: 129KB

.rdata
Size: 20KB - Virtual size: 17KB

.data
Size: 32KB - Virtual size: 36KB

.text
Size: 552KB - Virtual size: 550KB

.data
Size: 2KB - Virtual size: 1KB

.rdata
Size: 120KB - Virtual size: 120KB

.pdata
Size: 23KB - Virtual size: 22KB

.xdata
Size: 24KB - Virtual size: 23KB

.bss
Size: - Virtual size: 134KB

.edata
Size: 2KB - Virtual size: 2KB

.idata
Size: 8KB - Virtual size: 8KB