9d9bade2470fc8bf40e8895560d49a10_NeikiAnalytics[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

9d9bade2470fc8bf40e8895560d49a10_NeikiAnalytics.exe
Size

2.7MB
MD5

9d9bade2470fc8bf40e8895560d49a10
SHA1

ad003c495ba23474c3c1f9edc9bbe451f4b164a5
SHA256

d24e262e8d6d8dc9f49640a17ffcaf66adbc7a2a20744530884d08c367a5245a
SHA512

ad8b7a9ba28fb5c9eb9b62dd799b4dc71bdf39f66777149fbbb2449836350e101a1344396229fcd2cf32509ab274e4e38a267dd870eb51d46a4b4eac3a7470c7
SSDEEP

49152:CCtPuDLhiJk5N6kFQITuxEFmqtgatR0GF7RIlVTJMuHxX:n2Jz+guxGmqtgatRF7Cld

Score

3^/10

Malware Config

Signatures

Unsigned PE 20 IoCs

Checks for missing Authenticode signature.

resource
9d9bade2470fc8bf40e8895560d49a10_NeikiAnalytics.exe
unpack001/$PLUGINSDIR/System.dll
unpack001/$TEMP/WinNTSetup/Lang/1028.dll
unpack001/$TEMP/WinNTSetup/Lang/1031.dll
unpack001/$TEMP/WinNTSetup/Lang/1036.dll
unpack001/$TEMP/WinNTSetup/Lang/1040.dll
unpack001/$TEMP/WinNTSetup/Lang/1042.dll
unpack001/$TEMP/WinNTSetup/Lang/1046.dll
unpack001/$TEMP/WinNTSetup/Lang/1049.dll
unpack001/$TEMP/WinNTSetup/Lang/1055.dll
unpack001/$TEMP/WinNTSetup/Lang/1058.dll
unpack001/$TEMP/WinNTSetup/Lang/2052.dll
unpack001/$TEMP/WinNTSetup/Lang/2058.dll
unpack001/$TEMP/WinNTSetup/Tools/imdisk/cpl/amd64/imdisk.cpl
unpack001/$TEMP/WinNTSetup/Tools/nativevhdboot_x64.dll
unpack001/$TEMP/WinNTSetup/Tools/nativevhdboot_x86.dll
unpack001/$TEMP/WinNTSetup/Tools/x64/BootICE/BOOTICEx64.exe
unpack001/$TEMP/WinNTSetup/Tools/x64/MSSTMake.exe
unpack001/$TEMP/WinNTSetup/Tools/x64/wimlib/libwim-15.dll
unpack001/$TEMP/WinNTSetup/WinNTSetup_x64.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
sample	nsis_installer_1
sample	nsis_installer_2

Files

9d9bade2470fc8bf40e8895560d49a10_NeikiAnalytics.exe
.exe windows:4 windows x86 arch:x86

7c2c71dfce9a27650634dc8b1ca03bf0

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SetEnvironmentVariableA
CreateFileA
GetFileSize
GetModuleFileNameA
ReadFile
GetCurrentProcess
CopyFileA
Sleep
GetTickCount
GetWindowsDirectoryA
GetTempPathA
GetCommandLineA
lstrlenA
GetVersion
SetErrorMode
lstrcpynA
ExitProcess
SetFileAttributesA
GlobalLock
CreateThread
GetLastError
CreateDirectoryA
CreateProcessA
RemoveDirectoryA
GetTempFileNameA
WriteFile
lstrcpyA
MoveFileExA
lstrcatA
GetSystemDirectoryA
GetProcAddress
GetExitCodeProcess
WaitForSingleObject
CompareFileTime
SetFileTime
GetFileAttributesA
SetCurrentDirectoryA
MoveFileA
GetFullPathNameA
GetShortPathNameA
SearchPathA
CloseHandle
lstrcmpiA
GlobalUnlock
GetDiskFreeSpaceA
lstrcmpA
DeleteFileA
FindFirstFileA
FindNextFileA
FindClose
SetFilePointer
GetPrivateProfileStringA
WritePrivateProfileStringA
MulDiv
MultiByteToWideChar
FreeLibrary
LoadLibraryExA
GetModuleHandleA
GlobalAlloc
GlobalFree
ExpandEnvironmentStringsA

user32

GetSystemMenu
SetClassLongA
EnableMenuItem
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
ScreenToClient
GetWindowRect
GetDlgItem
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
GetDC
ReleaseDC
EnableWindow
InvalidateRect
SendMessageA
DefWindowProcA
BeginPaint
GetClientRect
FillRect
EndDialog
RegisterClassA
SystemParametersInfoA
CreateWindowExA
GetClassInfoA
DialogBoxParamA
CharNextA
ExitWindowsEx
LoadImageA
CreateDialogParamA
SetTimer
SetWindowTextA
SetForegroundWindow
ShowWindow
SetWindowLongA
SendMessageTimeoutA
FindWindowExA
IsWindow
AppendMenuA
TrackPopupMenu
CreatePopupMenu
DrawTextA
EndPaint
DestroyWindow
wsprintfA
PostQuitMessage

gdi32

SelectObject
SetTextColor
SetBkMode
CreateFontIndirectA
CreateBrushIndirect
DeleteObject
GetDeviceCaps
SetBkColor

shell32

SHGetSpecialFolderLocation
ShellExecuteExA
SHGetPathFromIDListA
SHBrowseForFolderA
SHGetFileInfoA
SHFileOperationA

advapi32

AdjustTokenPrivileges
RegCreateKeyExA
RegOpenKeyExA
SetFileSecurityA
OpenProcessToken
LookupPrivilegeValueA
RegEnumValueA
RegDeleteKeyA
RegDeleteValueA
RegCloseKey
RegSetValueExA
RegQueryValueExA
RegEnumKeyA

comctl32

ImageList_Create
ImageList_AddMasked
ord17
ImageList_Destroy

ole32

OleUninitialize
OleInitialize
CoTaskMemFree
CoCreateInstance

Sections

.text
Size: 24KB - Virtual size: 24KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 106KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 36KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 89KB - Virtual size: 89KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$PLUGINSDIR/System.dll
.dll windows:4 windows x86 arch:x86

8c8a576201f68de1a3f26fc723b9f30f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

MultiByteToWideChar
GlobalFree
GlobalSize
lstrcpynA
lstrcpyA
GetProcAddress
VirtualFree
FreeLibrary
lstrlenA
LoadLibraryA
GetModuleHandleA
GlobalAlloc
WideCharToMultiByte
VirtualAlloc
VirtualProtect
GetLastError

user32

wsprintfA

ole32

StringFromGUID2
CLSIDFromString

Exports

Exports

Alloc
Call
Copy
Free
Get
Int64Op
Store
StrAlloc

Sections

.text
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 867B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 104B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 636B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Changelog.txt
$TEMP/WinNTSetup/Compact/WimBootCompress.ini
$TEMP/WinNTSetup/DISM/Sample.ini
$TEMP/WinNTSetup/Diskpart/BIOS.txt
$TEMP/WinNTSetup/Diskpart/UEFI.txt
.vbs
$TEMP/WinNTSetup/Diskpart/XP_legacy/BIOS.txt
$TEMP/WinNTSetup/Lang/1028.dll
.dll windows:6 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.rsrc
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Lang/1031.dll
.dll windows:6 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.rsrc
Size: 44KB - Virtual size: 48KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Lang/1036.dll
.dll windows:6 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.rsrc
Size: 41KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Lang/1040.dll
.dll windows:4 windows x86 arch:x86

6a4041370c121d4f288ee4d92bfe9499

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

msvcrt

memset

kernel32

HeapCreate
HeapDestroy
GetModuleHandleA

Exports

Exports

dummy

Sections

.code
Size: 512B - Virtual size: 102B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.text
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 512B - Virtual size: 69B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 204B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 43KB - Virtual size: 43KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Lang/1042.dll
.dll windows:6 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.rsrc
Size: 21KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Lang/1046.dll
.dll windows:6 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.rsrc
Size: 42KB - Virtual size: 42KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Lang/1049.dll
.dll windows:6 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.rsrc
Size: 42KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Lang/1055.dll
.dll windows:6 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.rsrc
Size: 41KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Lang/1058.dll
.dll windows:6 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.rsrc
Size: 33KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Lang/2052.dll
.dll windows:6 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.rsrc
Size: 22KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Lang/2058.dll
.dll windows:6 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.rsrc
Size: 44KB - Virtual size: 43KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/MinWin/Default/AntiLog.ini
$TEMP/WinNTSetup/MinWin/Default/AntiLog.reg
$TEMP/WinNTSetup/MinWin/Default/Reg/GameDVR.reg
$TEMP/WinNTSetup/MinWin/Default/Reg/Restore_Photo_Viewer_Windows_10.reg
$TEMP/WinNTSetup/MinWin/Default/Reg/StuckRects3-Win10-200X.reg
$TEMP/WinNTSetup/MinWin/Default/Reg/SysTray_ClassicVolumeControl.reg
$TEMP/WinNTSetup/MinWin/Default/Reg/SysTray_Network_Flyout.reg
$TEMP/WinNTSetup/MinWin/Default/Reg/UserSignedIn.reg
$TEMP/WinNTSetup/MinWin/Default/Remove/Active Setup.reg
$TEMP/WinNTSetup/MinWin/Default/Remove/Defender.reg
$TEMP/WinNTSetup/MinWin/Default/Remove/Defender.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/DrvStore_Inf.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/Edge.reg
$TEMP/WinNTSetup/MinWin/Default/Remove/Edge.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/Fonts.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/Installed.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/Languages.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/Media.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/NetFX.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/NetFX_Keep.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/OneDrive.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/ProgramFiles.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/Speech.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/SySWoW.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/System32-DLL.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/System32.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/WMP.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/WSearch.reg
$TEMP/WinNTSetup/MinWin/Default/Remove/WUAU.reg
$TEMP/WinNTSetup/MinWin/Default/Remove/WUAU.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/WinSAT.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/Windows.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/Windows11.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/WindowsApps.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/WindowsPowerShell.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/XBOX.reg
$TEMP/WinNTSetup/MinWin/Default/Remove/XBOX.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/XPS.txt
$TEMP/WinNTSetup/MinWin/Default/Services.ini
$TEMP/WinNTSetup/MinWin/Default/Tasks.ini
$TEMP/WinNTSetup/MinWin/Default/WinSxS.ini
$TEMP/WinNTSetup/MinWin/ReadMe.txt
$TEMP/WinNTSetup/Tools/CATTrim.ini
$TEMP/WinNTSetup/Tools/MergeIDE_2600.ini
$TEMP/WinNTSetup/Tools/MergeIDE_7600.ini
$TEMP/WinNTSetup/Tools/MergeIDE_9200.ini
$TEMP/WinNTSetup/Tools/Win10Builds.ini
$TEMP/WinNTSetup/Tools/Win7USB3/ReadMe.txt
$TEMP/WinNTSetup/Tools/Win7USBBoot.ini
$TEMP/WinNTSetup/Tools/imdisk/cpl/amd64/imdisk.cpl
.dll windows:6 windows x64 arch:x64

279416a3dfe8386ca2bd447389b068d7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

x:\imdisk_source\cpl\amd64\imdisk.pdb

Imports

msvcrt

malloc
wcstoul
wcsncat
_beginthreadex
??3@YAXPEAX@Z
wcstod
towupper
wcstok
??2@YAPEAX_K@Z
fwprintf
_fgetwchar
strchr
_XcptFilter
fflush
wcschr
_initterm
_amsg_exit
__C_specific_handler
fprintf
toupper
_fgetchar
free
wcsncmp
wcsrchr
wcsncpy
_snwprintf
_wcsicmp
_iob
memcpy
memset

kernel32

SetUnhandledExceptionFilter
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetSystemTimeAsFileTime
GetFileSize
SetFilePointer
SetEndOfFile
HeapAlloc
HeapFree
GetLogicalDrives
VirtualFree
GetProcessHeap
WaitNamedPipeW
WriteFile
Sleep
FormatMessageW
ReadFile
CreateFileW
FlushFileBuffers
GetLastError
SetLastError
VirtualAlloc
DefineDosDeviceW
LocalAlloc
CreateEventW
DeviceIoControl
CloseHandle
LocalFree
GetDriveTypeA
MultiByteToWideChar
SetCurrentDirectoryW
GetWindowsDirectoryW
HeapReAlloc
WaitForSingleObject
SetEvent
GetTickCount
QueryDosDeviceW
WaitForMultipleObjects
DeleteFileW
GetVolumeInformationW
QueryPerformanceCounter
GetCurrentThreadId
GetCurrentProcessId

advapi32

CloseServiceHandle
OpenServiceW
RegCreateKeyW
RegQueryValueExW
RegOpenKeyW
InitializeSecurityDescriptor
RegDeleteKeyW
RegSetValueExW
RegCloseKey
RegDeleteValueW
QueryServiceStatus
StartServiceW
SetSecurityDescriptorDacl
OpenSCManagerW

user32

GetWindowTextLengthW
GetDlgItemInt
SetProcessDPIAware
TrackPopupMenu
PostMessageW
GetSubMenu
GetParent
SetFocus
GetDC
SetDlgItemInt
GetMenu
LoadIconW
GetAsyncKeyState
SetClassLongPtrW
ReleaseDC
EnableMenuItem
EndDialog
SendDlgItemMessageW
CheckDlgButton
DispatchMessageW
GetPropW
SetWindowTextW
MessageBoxW
SendMessageTimeoutW
ShowWindow
GetDlgItem
PeekMessageW
IsDialogMessageW
TranslateMessage
SetPropW
RemovePropW
IsDlgButtonChecked
DialogBoxParamW
DestroyWindow
EnableWindow
MapWindowPoints
SendMessageW
SetDlgItemTextW
GetDlgItemTextW
GetSystemMetrics
DrawMenuBar
CreateDialogParamW

shell32

ShellExecuteW
SHFormatDrive
SHChangeNotify

gdi32

GetDeviceCaps

comctl32

ImageList_Create
ImageList_ReplaceIcon

comdlg32

CommDlgExtendedError
GetSaveFileNameW
GetOpenFileNameW

ntdll

RtlFreeUnicodeString
RtlNtStatusToDosError
NtClose
NtOpenFile
RtlDosPathNameToNtPathName_U
RtlCreateUnicodeString
RtlInitUnicodeString

Exports

Exports

CPlApplet
ImDiskAdjustImageFileSize
ImDiskAllocPrintF
ImDiskBuildMBR
ImDiskChangeFlags
ImDiskCheckDriverVersion
ImDiskConsoleMessageA
ImDiskConsoleMessageW
ImDiskConvertCHSToLBA
ImDiskConvertLBAToCHS
ImDiskCreateDevice
ImDiskCreateDeviceEx
ImDiskCreateMountPoint
ImDiskExtendDevice
ImDiskFindFreeDriveLetter
ImDiskFlushWindowMessages
ImDiskForceRemoveDevice
ImDiskGetAPIFlags
ImDiskGetDeviceList
ImDiskGetDeviceListEx
ImDiskGetFormattedGeometry
ImDiskGetFormattedGeometryIndirect
ImDiskGetOffsetByFileExt
ImDiskGetPartitionInfoIndirect
ImDiskGetPartitionInfoIndirectEx
ImDiskGetPartitionInformation
ImDiskGetPartitionInformationEx
ImDiskGetPartitionTypeName
ImDiskGetRegistryAutoLoadDevices
ImDiskGetSinglePartitionInfoIndirect
ImDiskGetSinglePartitionInformation
ImDiskGetVersion
ImDiskGetVolumeSize
ImDiskImageContainsISOFS
ImDiskImageContainsISOFSIndirect
ImDiskMsgBoxPrintF
ImDiskNativePathToWin32
ImDiskNotifyRemovePending
ImDiskNotifyShellDriveLetter
ImDiskOpenDeviceByMountPoint
ImDiskOpenDeviceByName
ImDiskOpenDeviceByNumber
ImDiskOpenRefreshEvent
ImDiskQueryDevice
ImDiskReadFileHandle
ImDiskRemoveDevice
ImDiskRemoveMountPoint
ImDiskRemoveRegistrySettings
ImDiskSaveImageFile
ImDiskSaveImageFileInteractive
ImDiskSaveRegistrySettings
ImDiskSetAPIFlags
ImDiskStartService
RunDLL_MountFile
RunDLL_MountFileW
RunDLL_RemoveDevice
RunDLL_SaveImageFile

Sections

.text
Size: 70KB - Virtual size: 70KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 39KB - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 60B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/imdisk/sys/amd64/imdisk.sys
.sys windows:6 windows x64 arch:x64

ca1b7a99c1db8c685051151b20cecfd0

Code Sign

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

13/04/2019, 10:00

Subject

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

9f:ea:c8:11:b0:f1:62:47:a5:fc:20:d8:05:23:ac:e6
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

05/05/2015, 00:00

Not After

31/12/2015, 23:59

Subject

CN=COMODO Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

11:21:42:a1:2c:75:7c:ec:88:72:b6:e2:03:ec:d4:ea:64:91
Certificate

Issuer

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

17/01/2013, 15:30

Not After

18/03/2016, 12:43

Subject

CN=Lagerkvist Teknisk Radgivning i Boras HB,O=Lagerkvist Teknisk Radgivning i Boras HB,ST=-,C=SE,1.2.840.113549.1.9.1=#0c10696e666f406c74722d646174612e7365

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0b:7f:6b:00:00:00:00:00:19
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:00

Not After

23/05/2016, 17:10

Subject

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

5c:42:5e:bf:54:48:19:7c:ad:73:70:15:5e:09:9d:b5:dd:f6:67:8b
Signer

Actual PE Digest

5c:42:5e:bf:54:48:19:7c:ad:73:70:15:5e:09:9d:b5:dd:f6:67:8b

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

z:\kod\imdisk\sys\amd64\imdisk.pdb

Imports

ntoskrnl.exe

ExAllocatePoolWithTag
ZwCreateEvent
IoDeleteSymbolicLink
ExFreePoolWithTag
_snwprintf
RtlSetDaclSecurityDescriptor
RtlInitUnicodeString
IoDeleteDevice
KeSetEvent
RtlAppendUnicodeToString
KeInitializeEvent
KeDelayExecutionThread
PsCreateSystemThread
ZwQueryValueKey
IoCreateUnprotectedSymbolicLink
ExEventObjectType
ZwClose
ObReferenceObjectByHandle
KeWaitForSingleObject
RtlCopyUnicodeString
ObfDereferenceObject
IoCreateDevice
ObReferenceObjectByPointer
DbgPrint
RtlCreateSecurityDescriptor
KePulseEvent
ZwOpenKey
KeClearEvent
KeReadStateEvent
IoBuildSynchronousFsdRequest
ZwReadFile
IoGetRelatedDeviceObject
IoCancelIrp
KeWaitForMultipleObjects
IofCallDriver
ZwFsControlFile
KeReleaseInStackQueuedSpinLock
_wcsnicmp
ZwMapViewOfSection
KeAcquireInStackQueuedSpinLock
ZwSetInformationFile
SeCreateClientSecurity
IoFileObjectType
ZwWaitForSingleObject
ZwCreateFile
SeImpersonateClient
ZwFreeVirtualMemory
RtlAppendUnicodeStringToString
ZwDeviceIoControlFile
ZwQueryInformationFile
ZwOpenSection
SeTokenType
ZwAllocateVirtualMemory
IoBuildDeviceIoControlRequest
NtWriteFile
KeSetPriorityThread
NtFsControlFile
MmMapLockedPagesSpecifyCache
PsTerminateSystemThread
IofCompleteRequest
NtReadFile
SeSinglePrivilegeCheck
IoFreeMdl
IoFreeIrp
IoAllocateIrp
MmUnlockPages
ZwOpenEvent
ZwUnmapViewOfSection
KeBugCheckEx

Sections

.text
Size: 18KB - Virtual size: 17KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 360B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 872B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/nativevhdboot_x64.dll
.dll windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Sections

.text
Size: 1024B - Virtual size: 868B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/nativevhdboot_x86.dll
.dll windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.text
Size: 1024B - Virtual size: 858B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x64/BootICE/BOOTICEx64.exe
.exe windows:6 windows x64 arch:x64

319b0d21f3ca70cb96ac176f55e8b0bb

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED

Imports

kernel32

GetModuleHandleA
GetProcAddress

advapi32

FreeSid

comctl32

ImageList_Create

comdlg32

ChooseFontA

gdi32

LineTo

ole32

CoCreateGuid

rpcrt4

UuidFromStringA

setupapi

SetupDiGetClassDevsA

shell32

DragFinish

shlwapi

StrStrA

user32

GetDC

Sections

.MPRESS1
Size: 420KB - Virtual size: 1.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.MPRESS2
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 32KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
$TEMP/WinNTSetup/Tools/x64/DISM/ReadMe.txt
$TEMP/WinNTSetup/Tools/x64/DISM/dismapi.dll
.dll windows:10 windows x64 arch:x64

ae3f7dd39dc453580a0993b611df7af2

Code Sign

33:00:00:04:3a:75:e5:2f:9e:0b:29:98:1e:00:00:00:00:04:3a
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:25

Not After

01/09/2022, 18:25

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

59:ff:4e:52:5a:e4:c6:15:65:bb:41:4f:bd:f7:94:a7:6f:c9:1f:07:e6:36:7f:f3:9e:0f:00:7d:18:2a:b4:54
Signer

Actual PE Digest

59:ff:4e:52:5a:e4:c6:15:65:bb:41:4f:bd:f7:94:a7:6f:c9:1f:07:e6:36:7f:f3:9e:0f:00:7d:18:2a:b4:54

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_DLL

PDB Paths

DismApi.pdb

Imports

msvcrt

wcsstr
wcsncmp
wcsrchr
_vsnwprintf
towlower
_snwscanf_s
fclose
wcstok_s
_wfopen
_wcslwr_s
strrchr
_wcsnicmp
iswctype
memcmp
memset
realloc
_errno
fgetws
_onexit
__dllonexit
_unlock
_lock
?terminate@@YAXXZ
_initterm
_amsg_exit
_XcptFilter
memmove
memcpy
_CxxThrowException
?what@exception@@UEBAPEBDXZ
??1exception@@UEAA@XZ
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@AEBQEBDH@Z
??0exception@@QEAA@AEBQEBD@Z
_callnewh
wcscpy_s
_wcstoui64
wcstoul
iswspace
swscanf_s
_wtoi
wcschr
iswalpha
_wcsicmp
_purecall
_vscprintf
feof
??1type_info@@UEAA@XZ
vsprintf_s
calloc
_vsnprintf
malloc
free
vswprintf_s
_vscwprintf
memmove_s
memcpy_s
__C_specific_handler
??_V@YAXPEAX@Z
__CxxFrameHandler3
??3@YAXPEAX@Z
wcscmp

advapi32

RegOpenKeyExW
RegQueryValueExW
AllocateAndInitializeSid
OpenProcessToken
FreeSid
CheckTokenMembership
RegCreateKeyExW
RegDeleteKeyExW
RegCloseKey
OpenThreadToken
GetTokenInformation
AddAccessAllowedAce
EqualSid
RegSetValueExW
InitializeAcl
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
RegisterTraceGuidsW
GetTraceEnableLevel
GetTraceEnableFlags
GetTraceLoggerHandle
TraceEvent
UnregisterTraceGuids
GetLengthSid

kernel32

GetSystemTime
MoveFileExW
GetTimeFormatEx
GetLocaleInfoEx
TlsSetValue
UnmapViewOfFile
TlsAlloc
GetLocalTime
GetFileSize
ExitProcess
TlsGetValue
SetErrorMode
GetVersionExW
GetProcAddress
GetModuleHandleW
InitializeCriticalSection
DeleteCriticalSection
RaiseException
EnterCriticalSection
LeaveCriticalSection
GetCurrentThreadId
GetCurrentProcessId
SizeofResource
LockResource
LoadResource
FindResourceExW
OutputDebugStringW
GetThreadUILanguage
OutputDebugStringA
GetModuleHandleExW
GetLastError
GetModuleFileNameW
FreeLibrary
WideCharToMultiByte
LoadLibraryExW
HeapFree
GetProcessHeap
MultiByteToWideChar
WaitForMultipleObjectsEx
TlsFree
FormatMessageW
LocalFree
GetSystemInfo
GetCommandLineW
GetFileAttributesW
IsWow64Process
GetCurrentProcess
CompareStringW
FileTimeToLocalFileTime
FileTimeToSystemTime
HeapSize
HeapReAlloc
HeapAlloc
GetEnvironmentVariableW
Sleep
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetTickCount
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
CreateDirectoryW
CreateEventW
ResumeThread
DuplicateHandle
GetCurrentThread
GetTempFileNameW
ResetEvent
CreateThread
SetEvent
CloseHandle
CreateFileW
SetFilePointer
GetFullPathNameW
ReadFile
GetSystemWindowsDirectoryW
FormatMessageA
CreateFileMappingW
MapViewOfFile
VirtualQuery
GetModuleFileNameA
WriteFile
CreateMutexW
CreateMutexA
ReleaseMutex
GetVersion
CreateFileA
DeleteFileA
CreateFileMappingA
ExpandEnvironmentStringsW
GetFileSizeEx
FlushFileBuffers
CopyFileExW
DeleteFileW
SetFileInformationByHandle
GetFileInformationByHandle
SetFileAttributesW
FindClose
DeviceIoControl
FindNextFileW
FindFirstFileW
GetFileInformationByHandleEx
DebugBreak
GetModuleHandleExA
GetWindowsDirectoryW
IsDebuggerPresent
SetLastError
GetLongPathNameW
GetFinalPathNameByHandleW
SearchPathW
WaitForSingleObject
HeapDestroy

ole32

CoInitializeEx
CoUninitialize
CoCreateInstance
CoSetProxyBlanket
StringFromGUID2

user32

CharLowerBuffW

oleaut32

VarBstrCmp
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayGetElemsize
SafeArrayGetDim
SafeArrayDestroy
SafeArrayUnaccessData
SafeArrayAccessData
VariantTimeToSystemTime
LoadTypeLi
LoadRegTypeLi
SysStringLen
SafeArrayCreate
SysAllocStringByteLen
SysStringByteLen
GetErrorInfo
SysAllocString
SysFreeString
VariantClear
SysAllocStringLen
VarBstrCat
SystemTimeToVariantTime

ntdll

RtlInitUnicodeString
NtReadFile
RtlReAllocateHeap
NtClose
RtlExpandEnvironmentStrings
NtQueryInformationFile
NtWaitForSingleObject
NtOpenFile
NtWriteFile
NtYieldExecution
DbgPrintEx
RtlDowncaseUnicodeChar
RtlRaiseStatus
RtlAllocateHeap
RtlGetVersion
NtSetInformationFile
RtlDosPathNameToNtPathName_U_WithStatus
RtlNtStatusToDosError
RtlFreeHeap

version

GetFileVersionInfoSizeExW
GetFileVersionInfoExW
VerQueryValueW

Exports

Exports

DismAddCapability
DismAddDriver
DismAddPackage
DismAddProvisionedAppxPackage
DismApplyUnattend
DismCheckImageHealth
DismCleanupMountpoints
DismCloseSession
DismCommitImage
DismDelete
DismDisableFeature
DismEnableFeature
DismGetCapabilities
DismGetCapabilityInfo
DismGetDriverInfo
DismGetDrivers
DismGetFeatureInfo
DismGetFeatureParent
DismGetFeatures
DismGetImageInfo
DismGetLastErrorMessage
DismGetMountedImageInfo
DismGetPackageInfo
DismGetPackageInfoEx
DismGetPackages
DismGetProvisionedAppxPackages
DismGetReservedStorageState
DismInitialize
DismMountImage
DismOpenSession
DismRemountImage
DismRemoveCapability
DismRemoveDriver
DismRemovePackage
DismRemoveProvisionedAppxPackage
DismRestoreImageHealth
DismSetReservedStorageState
DismShutdown
DismUnmountImage
_DismAddAppxPackageFamilyToUninstallBlocklist
_DismAddCapabilityEx
_DismAddDriverEx
_DismAddPackageEx
_DismAddPackageFamilyToUninstallBlocklist
_DismAddProvisionedAppSharedPackageContainer
_DismAddProvisionedAppxPackage
_DismApplyCustomDataImage
_DismApplyFfuImage
_DismApplyProvisioningPackage
_DismCaptureSoftwareInventory
_DismCleanImage
_DismEnableDisableFeature
_DismExportDriver
_DismExportSource
_DismExportSourceEx
_DismGetCapabilitiesEx
_DismGetCapabilityInfoEx
_DismGetCurrentEdition
_DismGetDriversEx
_DismGetEffectiveSystemUILanguage
_DismGetFeaturesEx
_DismGetInstallLanguage
_DismGetKCacheBinaryValue
_DismGetKCacheDwordValue
_DismGetKCacheStringValue
_DismGetLastCBSSessionID
_DismGetNonRemovableAppsPolicy
_DismGetNonRemovableAppxAppsPolicy
_DismGetOSUninstallWindow
_DismGetOsInfo
_DismGetPackageInfoEx
_DismGetProductKeyInfo
_DismGetProvisionedAppSharedPackageContainers
_DismGetProvisionedAppxPackages
_DismGetProvisioningPackageInfo
_DismGetRegistryMountPoint
_DismGetStateFromCBSSessionID
_DismGetTargetCompositionEditions
_DismGetTargetEditions
_DismGetTargetVirtualEditions
_DismGetTemplateAbsolutePath
_DismGetTemplateString
_DismGetUsedSpace
_DismInitiateOSUninstall
_DismOpenSessionEx
_DismOptimizeImage
_DismOptimizeProvisionedAppxPackages
_DismRemoveAppxPackageFamilyFromUninstallBlocklist
_DismRemoveCapabilityEx
_DismRemoveOSUninstall
_DismRemovePackageEx
_DismRemovePackageFamilyFromUninstallBlocklist
_DismRemoveProvisionedAppSharedPackageContainer
_DismRemoveProvisionedAppxPackage
_DismRemoveProvisionedAppxPackageAllUsers
_DismRevertPendingActions
_DismSetAllIntlSettings
_DismSetAppXProvisionedDataFile
_DismSetAppxProvisionedDataFile
_DismSetEdition
_DismSetEdition2
_DismSetFirstBootCommandLine
_DismSetMachineName
_DismSetOSUninstallWindow
_DismSetProductKey
_DismSetSkuIntlDefaults
_DismSetTemplateString
_DismSplitFfuImage
_DismStage
_DismSysprepCleanup
_DismSysprepGeneralize
_DismSysprepSpecialize
_DismValidateProductKey

Sections

.text
Size: 748KB - Virtual size: 744KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 364KB - Virtual size: 360KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 24KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 16KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x64/DISM/dismcore.dll
.dll regsvr32 windows:10 windows x64 arch:x64

27187dea752c955a3a1632f4e38f0341

Code Sign

33:00:00:04:3a:75:e5:2f:9e:0b:29:98:1e:00:00:00:00:04:3a
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:25

Not After

01/09/2022, 18:25

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

97:91:5a:81:f7:8c:03:65:d6:ba:66:9a:18:22:90:17:37:4b:64:cb:d5:ae:a0:42:5f:97:54:3c:27:15:a2:d1
Signer

Actual PE Digest

97:91:5a:81:f7:8c:03:65:d6:ba:66:9a:18:22:90:17:37:4b:64:cb:d5:ae:a0:42:5f:97:54:3c:27:15:a2:d1

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_DLL

PDB Paths

DismCore.pdb

Imports

msvcrt

_vsnprintf
strrchr
fclose
wcstok_s
_wtoi
towlower
swscanf_s
_vscprintf
vsprintf_s
wcsstr
wcsncmp
_wcsnicmp
_vsnwprintf
iswctype
_wfopen
fgetws
feof
iswalpha
memcmp
_onexit
__dllonexit
_unlock
_lock
realloc
_errno
??1type_info@@UEAA@XZ
?terminate@@YAXXZ
_initterm
_amsg_exit
_XcptFilter
memmove
memcpy
_CxxThrowException
?what@exception@@UEBAPEBDXZ
??1exception@@UEAA@XZ
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@AEBQEBDH@Z
??0exception@@QEAA@AEBQEBD@Z
_callnewh
wcsncpy_s
wcscat_s
calloc
memmove_s
memcpy_s
_purecall
_wcsicmp
wcsrchr
wcschr
vswprintf_s
_vscwprintf
wcscpy_s
malloc
_resetstkoflw
free
__C_specific_handler
??_V@YAXPEAX@Z
__CxxFrameHandler3
??3@YAXPEAX@Z
memset

advapi32

AdjustTokenPrivileges
SetSecurityDescriptorDacl
EqualSid
InitializeSecurityDescriptor
InitializeAcl
GetLengthSid
AddAccessAllowedAce
RegQueryValueExW
FreeSid
CheckTokenMembership
AllocateAndInitializeSid
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidW
GetTokenInformation
OpenProcessToken
OpenThreadToken
RegOpenKeyExW
RegQueryInfoKeyW
RegCloseKey

kernel32

WriteFile
GetModuleFileNameA
VirtualQuery
FormatMessageA
CreateMutexA
ReleaseMutex
GetVersion
CreateMutexW
GetLastError
SetThreadUILanguage
CreateFileW
CloseHandle
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
GetCurrentThreadId
GetCurrentProcessId
OutputDebugStringW
MultiByteToWideChar
GetTempPathW
GetModuleHandleExW
FreeLibrary
Wow64RevertWow64FsRedirection
SetEvent
GetModuleFileNameW
GetModuleHandleW
GetNativeSystemInfo
Wow64DisableWow64FsRedirection
CopyFileExW
CreateEventW
HeapFree
GetProcessHeap
WaitForSingleObject
TerminateProcess
WideCharToMultiByte
SizeofResource
LockResource
LoadResource
FindResourceExW
DisableThreadLibraryCalls
GetThreadLocale
SetThreadLocale
RaiseException
GetProcAddress
LoadLibraryExW
HeapSize
HeapReAlloc
HeapAlloc
HeapDestroy
CompareStringW
GetEnvironmentVariableW
Sleep
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
CreateFileA
SleepConditionVariableSRW
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetTickCount
OutputDebugStringA
TlsFree
TlsGetValue
ExitProcess
GetFileSize
GetLocalTime
TlsAlloc
TlsSetValue
MapViewOfFile
CreateFileMappingW
UnmapViewOfFile
GetVersionExW
SetLastError
SearchPathW
SetFilePointer
ReadFile
DuplicateHandle
GetFileAttributesW
GetSystemDirectoryW
GetSystemInfo
ExpandEnvironmentStringsW
GetSystemWindowsDirectoryW
VirtualProtect
FormatMessageW
SetFileAttributesW
MoveFileExW
GetSystemTime
FindClose
FindNextFileW
FindFirstFileW
QueryDosDeviceW
GetVolumeNameForVolumeMountPointW
GetVolumePathNameW
GetFileInformationByHandle
CreateDirectoryW
LocalFree
GetCurrentThread
GetFullPathNameW
GetTempFileNameW
DeleteFileA
DeleteFileW
CreateFileMappingA
DebugBreak
GetModuleHandleExA
GetFileSizeEx
GetWindowsDirectoryW
IsDebuggerPresent
FlushFileBuffers
GetFileInformationByHandleEx
DeviceIoControl
SetFileInformationByHandle
GetLongPathNameW
GetFinalPathNameByHandleW
GetCurrentDirectoryW
GetDriveTypeW
InitializeProcThreadAttributeList
UpdateProcThreadAttribute
DeleteProcThreadAttributeList
CreateProcessW
GetExitCodeProcess
WakeAllConditionVariable
LoadLibraryExA

ole32

CoCreateGuid
StringFromCLSID
CoTaskMemFree
ProgIDFromCLSID
StringFromGUID2
CoCreateInstance
CoRegisterClassObject
CoRevokeClassObject
CoSetProxyBlanket
CoRegisterPSClsid

user32

LoadStringW
CharNextW

oleaut32

LoadTypeLibEx
VariantTimeToSystemTime
SystemTimeToVariantTime
SysFreeString
SysStringByteLen
SysAllocStringByteLen
SysAllocString
SysAllocStringLen
VariantInit
VariantClear
SysStringLen
LoadRegTypeLi
LoadTypeLi
SetErrorInfo
CreateErrorInfo
GetErrorInfo
UnRegisterTypeLi
RegisterTypeLi

version

VerQueryValueW
GetFileVersionInfoSizeExW
GetFileVersionInfoExW

ntdll

RtlFreeHeap
RtlAllocateHeap
RtlNtStatusToDosError
NtSetInformationFile

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 216KB - Virtual size: 214KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 112KB - Virtual size: 108KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 12KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 100KB - Virtual size: 96KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x64/DISM/dismcoreps.dll
.dll regsvr32 windows:10 windows x64 arch:x64

70198dcb51b0ecd285a581030c4f37a8

Code Sign

33:00:00:04:3a:75:e5:2f:9e:0b:29:98:1e:00:00:00:00:04:3a
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:25

Not After

01/09/2022, 18:25

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

b1:69:e0:f2:d7:55:f0:cc:64:71:fd:ad:b6:82:df:73:54:80:9a:dd:11:2e:b8:e2:84:7e:94:c1:46:7c:8d:b7
Signer

Actual PE Digest

b1:69:e0:f2:d7:55:f0:cc:64:71:fd:ad:b6:82:df:73:54:80:9a:dd:11:2e:b8:e2:84:7e:94:c1:46:7c:8d:b7

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

DismCorePS.pdb

Imports

msvcrt

_XcptFilter
_initterm
malloc
free
_amsg_exit
__C_specific_handler
memcmp

oleaut32

BSTR_UserUnmarshal64
BSTR_UserUnmarshal
BSTR_UserMarshal
BSTR_UserFree64
BSTR_UserFree
BSTR_UserSize
BSTR_UserMarshal64
LPSAFEARRAY_UserSize
LPSAFEARRAY_UserFree
LPSAFEARRAY_UserUnmarshal
LPSAFEARRAY_UserFree64
LPSAFEARRAY_UserMarshal64
LPSAFEARRAY_UserUnmarshal64
LPSAFEARRAY_UserMarshal
LPSAFEARRAY_UserSize64
BSTR_UserSize64

rpcrt4

NdrDllRegisterProxy
NdrDllGetClassObject
NdrDllCanUnloadNow
NdrCStdStubBuffer_Release
NdrDllUnregisterProxy
NdrCStdStubBuffer2_Release
NdrStubForwardingFunction
IUnknown_AddRef_Proxy
CStdStubBuffer_DebugServerQueryInterface
NdrOleFree
CStdStubBuffer_AddRef
IUnknown_Release_Proxy
CStdStubBuffer_CountRefs
CStdStubBuffer_QueryInterface
NdrOleAllocate
CStdStubBuffer_DebugServerRelease
CStdStubBuffer_Disconnect
IUnknown_QueryInterface_Proxy
NdrStubCall3
CStdStubBuffer_IsIIDSupported
CStdStubBuffer_Connect
CStdStubBuffer_Invoke

ntdll

RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind

kernel32

GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
Sleep
DisableThreadLibraryCalls
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllGetDismInterfaces
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 12KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 124KB - Virtual size: 122KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 32KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 516B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 16KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x64/DISM/dismprov.dll
.dll regsvr32 windows:10 windows x64 arch:x64

b9969869b790787f4992adb0a5004f06

Code Sign

33:00:00:04:3a:75:e5:2f:9e:0b:29:98:1e:00:00:00:00:04:3a
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:25

Not After

01/09/2022, 18:25

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

85:eb:4d:02:88:77:45:63:71:ca:7b:f9:5a:95:02:e5:3a:f0:29:51:da:8f:04:61:6c:da:73:1e:f7:3b:82:69
Signer

Actual PE Digest

85:eb:4d:02:88:77:45:63:71:ca:7b:f9:5a:95:02:e5:3a:f0:29:51:da:8f:04:61:6c:da:73:1e:f7:3b:82:69

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_DLL

PDB Paths

DISMProv.pdb

Imports

msvcrt

memcmp
_onexit
__dllonexit
_unlock
_lock
strrchr
_errno
??1type_info@@UEAA@XZ
?terminate@@YAXXZ
_initterm
feof
fgetws
_wfopen
wcstok_s
fclose
iswctype
_wcsicmp
_vsnwprintf
wcschr
_wcsnicmp
wcsncmp
_vsnprintf
vsprintf_s
_vscprintf
swscanf_s
_wtoi
towlower
_amsg_exit
_XcptFilter
memmove
__RTDynamicCast
realloc
memcpy
_CxxThrowException
?what@exception@@UEBAPEBDXZ
??1exception@@UEAA@XZ
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@AEBQEBDH@Z
??0exception@@QEAA@AEBQEBD@Z
_callnewh
wcscat_s
wcscpy_s
wcsrchr
memmove_s
_purecall
vswprintf_s
_vscwprintf
memcpy_s
free
malloc
wcsncpy_s
__C_specific_handler
??_V@YAXPEAX@Z
__CxxFrameHandler3
??3@YAXPEAX@Z
memset

ntdll

RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
RtlAllocateHeap
RtlFreeHeap

oleaut32

VariantClear
LoadTypeLi
LoadRegTypeLi
SysStringLen
SysAllocStringLen
UnRegisterTypeLi
SysAllocString
SysAllocStringByteLen
SysStringByteLen
SysFreeString
VariantTimeToSystemTime
RegisterTypeLi
SystemTimeToVariantTime
VarUI4FromStr

advapi32

FreeSid
CheckTokenMembership
AllocateAndInitializeSid
GetTokenInformation
OpenProcessToken
OpenThreadToken
RegQueryValueExW
SetSecurityDescriptorDacl
EqualSid
InitializeSecurityDescriptor
InitializeAcl
GetLengthSid
AddAccessAllowedAce
RegDeleteValueW
RegCreateKeyExW
RegSetValueExW
RegOpenKeyExW
RegEnumKeyExW
RegQueryInfoKeyW
RegCloseKey

kernel32

IsDebuggerPresent
GetCurrentThread
GetTempFileNameW
LocalFree
FormatMessageW
WaitForSingleObject
ExpandEnvironmentStringsW
GetWindowsDirectoryW
GetFileSizeEx
GetModuleHandleExA
DebugBreak
CreateFileMappingA
DeleteFileA
CreateFileA
GetVersion
ReleaseMutex
TlsSetValue
UnmapViewOfFile
TlsAlloc
GetLocalTime
GetFileSize
ExitProcess
TlsGetValue
TlsFree
FormatMessageA
CreateFileMappingW
MapViewOfFile
VirtualQuery
GetModuleFileNameA
WriteFile
SetFilePointer
CreateMutexW
CreateFileW
GetLastError
CloseHandle
InitializeCriticalSection
DeleteCriticalSection
FreeLibrary
GetProcAddress
LoadLibraryExW
GetModuleHandleW
lstrcmpiW
LeaveCriticalSection
RaiseException
EnterCriticalSection
MultiByteToWideChar
SizeofResource
LoadResource
FindResourceExW
GetModuleFileNameW
GetCurrentThreadId
GetCurrentProcessId
OutputDebugStringW
GetModuleHandleExW
LockResource
CompareStringW
DisableThreadLibraryCalls
GetThreadLocale
SetThreadLocale
HeapSize
HeapReAlloc
HeapFree
HeapAlloc
GetProcessHeap
HeapDestroy
GetEnvironmentVariableW
WideCharToMultiByte
Sleep
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetTickCount
OutputDebugStringA
SetLastError
DeviceIoControl
GetFileAttributesW
DeleteFileW
FlushFileBuffers
GetFullPathNameW
CreateMutexA

ole32

CoTaskMemRealloc
CoTaskMemAlloc
CoMarshalInterThreadInterfaceInStream
CoUnmarshalInterface
StringFromGUID2
CoCreateInstance
CoRegisterPSClsid
CoRegisterClassObject
CoRevokeClassObject
CoTaskMemFree

user32

CharNextW

version

GetFileVersionInfoSizeExW
GetFileVersionInfoExW
VerQueryValueW

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 156KB - Virtual size: 153KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 92KB - Virtual size: 89KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 12KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x64/DISM/folderprovider.dll
.dll regsvr32 windows:10 windows x64 arch:x64

bc5b90969edd4db30a52eea7341f792a

Code Sign

33:00:00:04:3a:75:e5:2f:9e:0b:29:98:1e:00:00:00:00:04:3a
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:25

Not After

01/09/2022, 18:25

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

10:46:d1:e3:f0:68:49:a6:fa:97:34:96:0c:43:ad:bc:e7:06:65:3d:77:f4:c6:9c:1b:03:bd:08:ab:09:5c:c7
Signer

Actual PE Digest

10:46:d1:e3:f0:68:49:a6:fa:97:34:96:0c:43:ad:bc:e7:06:65:3d:77:f4:c6:9c:1b:03:bd:08:ab:09:5c:c7

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_DLL

PDB Paths

FolderProvider.pdb

Imports

msvcrt

wcsncmp
_wcsnicmp
wcschr
memcmp
??3@YAXPEAX@Z
_onexit
__dllonexit
_unlock
_lock
?terminate@@YAXXZ
_initterm
_amsg_exit
_XcptFilter
memmove
memcpy
_CxxThrowException
?what@exception@@UEBAPEBDXZ
??1exception@@UEAA@XZ
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@AEBQEBDH@Z
??0exception@@QEAA@AEBQEBD@Z
_callnewh
malloc
memmove_s
memcpy_s
_purecall
vswprintf_s
_vscwprintf
wcsncpy_s
wcscat_s
free
wcscpy_s
__C_specific_handler
??_V@YAXPEAX@Z
__CxxFrameHandler3
??1type_info@@UEAA@XZ

ntdll

RtlAllocateHeap
RtlFreeHeap
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind

advapi32

RegOpenKeyExW
RegQueryInfoKeyW
RegCloseKey

kernel32

SetLastError
GetFileAttributesW
GetFullPathNameW
DisableThreadLibraryCalls
GetThreadLocale
SetThreadLocale
DeleteCriticalSection
RaiseException
EnterCriticalSection
LeaveCriticalSection
GetLastError
GetModuleFileNameW
GetProcAddress
LoadLibraryExW
GetModuleHandleW
InitializeCriticalSection
GetCurrentThreadId
GetCurrentProcessId
OutputDebugStringW
SizeofResource
LockResource
LoadResource
FindResourceExW
HeapSize
HeapReAlloc
HeapFree
HeapAlloc
GetProcessHeap
HeapDestroy
Sleep
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetTickCount

ole32

CoCreateInstance
StringFromGUID2

user32

CharNextW

oleaut32

UnRegisterTypeLi
SysAllocStringLen
LoadRegTypeLi
SysAllocStringByteLen
SysStringByteLen
SysStringLen
RegisterTypeLi
LoadTypeLi
SysFreeString
SysAllocString

Exports

Exports

DLLGetDISMProviderCLSID
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 36KB - Virtual size: 32KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 28KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 860B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x64/DISM/logprovider.dll
.dll regsvr32 windows:10 windows x64 arch:x64

b3e702b34c1d9c7a2145fd0d9f293f42

Code Sign

33:00:00:04:3a:75:e5:2f:9e:0b:29:98:1e:00:00:00:00:04:3a
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:25

Not After

01/09/2022, 18:25

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

05:33:d2:7c:25:12:8a:e8:b8:c8:b6:e0:d3:f1:6d:7b:c5:f2:d0:53:71:02:66:6e:eb:3d:8a:9b:fd:ae:9e:e7
Signer

Actual PE Digest

05:33:d2:7c:25:12:8a:e8:b8:c8:b6:e0:d3:f1:6d:7b:c5:f2:d0:53:71:02:66:6e:eb:3d:8a:9b:fd:ae:9e:e7

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_DLL

PDB Paths

LogProvider.pdb

Imports

msvcrt

_XcptFilter
memmove
memcpy
_CxxThrowException
?what@exception@@UEBAPEBDXZ
??1exception@@UEAA@XZ
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@AEBQEBDH@Z
??0exception@@QEAA@AEBQEBD@Z
_initterm
_callnewh
malloc
calloc
memmove_s
memcpy_s
?terminate@@YAXXZ
_lock
_unlock
__dllonexit
_onexit
??1type_info@@UEAA@XZ
_amsg_exit
wcsrchr
vsprintf_s
_vscprintf
_vsnwprintf
swscanf_s
wcsncmp
_wcsnicmp
_wcsicmp
wcschr
towlower
strrchr
iswctype
fclose
_wtoi
wcstok_s
_wfopen
fgetws
feof
memcmp
_purecall
vswprintf_s
_vscwprintf
_vsnprintf
wcsncpy_s
wcscat_s
free
wcscpy_s
__C_specific_handler
??_V@YAXPEAX@Z
__CxxFrameHandler3
??3@YAXPEAX@Z
memset

ntdll

RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
RtlFreeHeap
RtlAllocateHeap

oleaut32

SysAllocStringLen
CreateErrorInfo
SetErrorInfo
LoadRegTypeLi
SysStringLen
RegisterTypeLi
LoadTypeLi
SysAllocString
UnRegisterTypeLi
SystemTimeToVariantTime
VariantTimeToSystemTime
SysFreeString

advapi32

SetSecurityDescriptorDacl
EqualSid
InitializeSecurityDescriptor
InitializeAcl
GetLengthSid
AddAccessAllowedAce
OpenThreadToken
GetTokenInformation
OpenProcessToken
RegQueryValueExW
FreeSid
CheckTokenMembership
AllocateAndInitializeSid
RegOpenKeyExW
RegQueryInfoKeyW
RegCloseKey

kernel32

IsDebuggerPresent
GetWindowsDirectoryW
GetFileSizeEx
GetModuleHandleExA
DebugBreak
CreateFileMappingA
DeleteFileA
GetVersion
ReleaseMutex
CreateMutexA
CreateMutexW
SetFilePointer
WriteFile
GetModuleFileNameA
FlushFileBuffers
DeleteFileW
DeviceIoControl
SetLastError
GetFileAttributesW
FreeLibrary
SearchPathW
GetVersionExW
UnmapViewOfFile
CreateFileMappingW
MapViewOfFile
VirtualQuery
FormatMessageA
TlsFree
TlsGetValue
ExitProcess
GetFileSize
TlsSetValue
TlsAlloc
CreateFileA
GetSystemTimeAsFileTime
DisableThreadLibraryCalls
GetThreadLocale
SetThreadLocale
DeleteCriticalSection
RaiseException
EnterCriticalSection
LeaveCriticalSection
GetLastError
GetModuleFileNameW
GetProcAddress
LoadLibraryExW
GetModuleHandleW
InitializeCriticalSection
SetThreadUILanguage
GetCurrentThreadId
GetCurrentProcessId
OutputDebugStringW
HeapAlloc
GetProcessHeap
OutputDebugStringA
HeapFree
CreateDirectoryW
WideCharToMultiByte
SizeofResource
LockResource
LoadResource
FindResourceExW
HeapSize
HeapReAlloc
HeapDestroy
GetEnvironmentVariableW
MultiByteToWideChar
Sleep
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
QueryPerformanceCounter
GetTickCount
CreateFileW
CloseHandle
FormatMessageW
LocalFree
GetSystemWindowsDirectoryW
ExpandEnvironmentStringsW
GetTempFileNameW
GetFullPathNameW
GetCurrentThread
WaitForSingleObject
GetLocalTime

ole32

CoCreateInstance
CoTaskMemFree
ProgIDFromCLSID
StringFromGUID2

user32

LoadStringW
CharNextW

Exports

Exports

DLLGetDISMProviderCLSID
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 96KB - Virtual size: 95KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 48KB - Virtual size: 47KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x64/DISM/wofadk.sys
.sys windows:10 windows x64 arch:x64

aeb3dedf4ffda3ee8d592f156ef96a17

Code Sign

33:00:00:00:9b:e0:74:37:cb:3d:4d:8d:2e:00:00:00:00:00:9b
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

30/03/2016, 19:21

Not After

30/06/2017, 19:21

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:728D-C45F-F9EB,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04/06/2015, 17:42

Not After

04/09/2016, 17:42

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31/08/2010, 22:19

Not After

31/08/2020, 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:ef:d8:87:2e:35:a3:82:8a:2f:00:00:00:00:00:ef
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

28/10/2015, 20:31

Not After

28/01/2017, 20:31

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

c0:aa:06:12:86:1e:cf:f1:fe:46:c5:13:3c:7f:27:b8:d2:3c:30:23:b4:2a:d1:35:17:93:5f:1c:01:e2:3f:0c
Signer

Actual PE Digest

c0:aa:06:12:86:1e:cf:f1:fe:46:c5:13:3c:7f:27:b8:d2:3c:30:23:b4:2a:d1:35:17:93:5f:1c:01:e2:3f:0c

Digest Algorithm

sha256

PE Digest Matches

true

44:af:b2:cb:8e:4b:64:da:fb:a3:36:4c:1e:ba:91:55:7b:c9:e9:0e
Signer

Actual PE Digest

44:af:b2:cb:8e:4b:64:da:fb:a3:36:4c:1e:ba:91:55:7b:c9:e9:0e

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

wofadk.pdb

Imports

ntoskrnl.exe

ZwClose
SeLockSubjectContext
ZwQueryValueKey
SeUnlockSubjectContext
SeReleaseSubjectContext
RtlEnumerateGenericTableAvl
ExAcquireRundownProtection
RtlLookupElementGenericTableAvl
RtlFreeUnicodeString
SeTokenIsAdmin
RtlDeleteElementGenericTableAvl
RtlAppendUnicodeStringToString
KeDelayExecutionThread
ExRundownCompleted
EtwRegister
MmGetSystemRoutineAddress
ObDereferenceObjectDeferDelete
PsGetProcessImageFileName
EtwUnregister
EtwWriteTransfer
IoGetCurrentProcess
ProbeForRead
FsRtlValidateReparsePointBuffer
TmCurrentTransaction
RtlCompareMemory
RtlInitUnicodeString
RtlEqualUnicodeString
MmMapLockedPagesSpecifyCache
KeQueryPriorityThread
MmMapViewOfSection
ExDeleteLookasideListEx
ZwDeviceIoControlFile
EtwEventEnabled
RtlCheckRegistryKey
ZwCreateSection
ZwQueryInformationThread
RtlSetBit
ExQueueWorkItem
RtlAreBitsSet
ZwOpenKey
IoBuildDeviceIoControlRequest
IoGetDeviceObjectPointer
RtlRunOnceExecuteOnce
KeStackAttachProcess
KeSetEvent
KdRefreshDebuggerNotPresent
ZwSetInformationThread
ObReferenceObjectByHandle
swprintf_s
MmUnmapViewOfSection
RtlFindNextForwardRunClear
EtwWrite
IofCallDriver
RtlInitializeBitMap
ZwOpenFile
ExInitializeLookasideListEx
RtlTestBit
KeWaitForSingleObject
KeSetPriorityThread
KeUnstackDetachProcess
_i64tow_s
RtlClearAllBits
IoAllocateWorkItem
RtlAppendUnicodeToString
_wcsicmp
RtlCreateSystemVolumeInformationFolder
IoQueueWorkItemEx
IoFreeWorkItem
KeAllocateCalloutStackEx
IoGetRelatedDeviceObject
ExDeleteNPagedLookasideList
KeFreeCalloutStack
ExInitializeNPagedLookasideList
KeInitializeMutex
KeReleaseMutex
KeAreAllApcsDisabled
KeInitializeDpc
KeInitializeTimerEx
RtlQueryRegistryValues
KeCancelTimer
KeFlushQueuedDpcs
KeSetCoalescableTimer
KeQueryActiveProcessorCountEx
SeCaptureSubjectContext
RtlInitializeGenericTableAvl
ExInitializePagedLookasideList
RtlGetVersion
IoWMIRegistrationControl
MmIsThisAnNtAsSystem
KeBugCheckEx
PsInitialSystemProcess
ProbeForWrite
ExReleaseRundownProtection
ExAcquireFastMutex
ObfReferenceObject
ExQueryDepthSList
ExpInterlockedPushEntrySList
ExReleaseFastMutex
ExpInterlockedPopEntrySList
RtlCompareUnicodeString
ExInitializeRundownProtection
KeLeaveCriticalRegion
ExReleaseFastMutexUnsafe
KeExpandKernelStackAndCalloutEx
KeInitializeEvent
ExFreePoolWithTag
ExAllocatePoolWithTag
ExDeletePagedLookasideList
RtlCopyUnicodeString
ExReInitializeRundownProtection
ExWaitForRundownProtectionRelease
ObfDereferenceObject
KeEnterCriticalRegion
ExAcquireFastMutexUnsafe
_vsnwprintf
ZwQuerySystemInformation
ZwQuerySymbolicLinkObject
ZwOpenSymbolicLinkObject
wcscpy_s
wcschr
_wcsnicmp
wcsrchr
__C_specific_handler
__chkstk

fltmgr.sys

FltParseFileNameInformation
FltFreeGenericWorkItem
FltQueueGenericWorkItem
FltIsOperationSynchronous
FltSetIoPriorityHintIntoCallbackData
FltPerformAsynchronousIo
FltAllocateGenericWorkItem
FltInitializePushLock
FltDeletePushLock
FltFlushBuffers
FltAllocateDeferredIoWorkItem
FltQueueDeferredIoWorkItem
FltFreePoolAlignedWithTag
FltDeviceIoControlFile
FltReadFile
FltOpenVolume
FltFreeDeferredIoWorkItem
FltAllocatePoolAlignedWithTag
FltAcquirePushLockShared
FltIsIoCanceled
FltCompletePendedPreOperation
FltAcquirePushLockExclusive
FltGetIoPriorityHintFromCallbackData
FltReleasePushLock
FltInitExtraCreateParameterLookasideList
FltStartFiltering
FltGetRoutineAddress
FltRegisterFilter
FltGetVolumeFromFileObject
FltCreateFileEx
FltWriteFile
FltQueryInformationFile
FltUntagFile
FltGetFileNameInformationUnsafe
FltEnumerateInstances
FltAttachVolume
FltGetFilterFromName
FltTagFile
FltIsDirectory
FltSetInformationFile
FltObjectDereference
FltPerformSynchronousIo
FltLockUserBuffer
FltAllocateCallbackDataEx
FltFreeCallbackData
FltAllocateExtraCreateParameterList
FltInsertExtraCreateParameter
FltCancelFileOpen
FltDeleteStreamContext
FltReissueSynchronousIo
FltReleaseFileNameInformation
FltFsControlFile
FltGetEcpListFromCallbackData
FltGetFileNameInformation
FltEnlistInTransaction
FltSetEcpListIntoCallbackData
FltFindExtraCreateParameter
FltAllocateExtraCreateParameterFromLookasideList
FltSetCallbackDataDirty
FltSetStreamContext
FltSetTransactionContext
FltReferenceContext
FltGetTransactionContext
FltGetInstanceContext
FltUnregisterFilter
FltAllocateContext
FltGetVolumeProperties
FltQueryDirectoryFile
FltGetVolumeGuidName
FltReleaseContext
FltDeleteExtraCreateParameterLookasideList
FltGetStreamHandleContext
FltGetStreamContext
FltSetInstanceContext
FltClose
FltGetDiskDeviceObject
FltDeleteInstanceContext
FltSetFileContext
FltSetStreamHandleContext
FltQueryVolumeInformationFile

cng.sys

BCryptGetProperty
BCryptCreateHash
BCryptHashData
BCryptDestroyHash
BCryptCloseAlgorithmProvider
BCryptFinishHash
BCryptOpenAlgorithmProvider

Sections

.text
Size: 73KB - Virtual size: 73KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 13KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 93KB - Virtual size: 93KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 1024B - Virtual size: 832B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

GFIDS
Size: 512B - Virtual size: 504B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 144B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x64/MSSTMake.exe
.exe windows:5 windows x64 arch:x64

6929a6376371544b1e02fafed262c6a8

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

GetFileSize
lstrcmpA
MoveFileExA
lstrcpynA
ExpandEnvironmentStringsA
GetFileAttributesA
CreateDirectoryA
SetCurrentDirectoryA
FindFirstFileA
GetLastError
SetLastError
RemoveDirectoryA
CopyFileA
SetFileAttributesA
FindClose
FindNextFileA
GetCurrentDirectoryA
CloseHandle
DeleteFileA
lstrcpyA
SetFilePointer
CreateFileA
WritePrivateProfileStructA
MapViewOfFile
UnmapViewOfFile
SetConsoleTextAttribute
WritePrivateProfileSectionA
WriteFile
GetPrivateProfileIntA
WideCharToMultiByte
Sleep
ReadFile
lstrcatA
GetStdHandle
GetPrivateProfileStringA
GetLocalTime
WriteConsoleA
CreateFileMappingA
GetConsoleScreenBufferInfo
WritePrivateProfileStringA
GetPrivateProfileStructA
LoadLibraryW
lstrlenA
GetFullPathNameA
HeapSize
EnterCriticalSection
LeaveCriticalSection
GetStringTypeW
GetSystemTimeAsFileTime
GetCurrentProcessId
GetTickCount
QueryPerformanceCounter
HeapCreate
GetVersion
HeapSetInformation
DeleteCriticalSection
GetStartupInfoW
HeapReAlloc
GetFileType
InitializeCriticalSectionAndSpinCount
SetHandleCount
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetModuleFileNameA
RtlUnwindEx
GetModuleFileNameW
GetCommandLineA
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
EncodePointer
FlsGetValue
FlsSetValue
FlsFree
GetCurrentThreadId
FlsAlloc
DecodePointer
HeapFree
HeapAlloc
LCMapStringW
MultiByteToWideChar
RaiseException
RtlPcToFileHeader
GetProcAddress
GetModuleHandleW
ExitProcess

user32

CharNextA
CharUpperA

advapi32

IsTextUnicode

shlwapi

wnsprintfA
PathCombineA
PathSearchAndQualifyA
PathAddBackslashA
PathIsRelativeA
PathAppendA
PathIsDirectoryA

setupapi

SetupFindNextLine
SetupGetLineCountA
SetupDiGetActualSectionToInstallExA
SetupOpenInfFileA
SetupGetLineTextA
SetupGetFileCompressionInfoExA
SetupGetLineByIndexA
SetupGetSourceFileLocationA
SetupDecompressOrCopyFileA
SetupFindNextMatchLineA
SetupCloseInfFile
SetupGetFieldCount
SetupFindFirstLineA
SetupGetStringFieldA
SetupEnumInfSectionsA
SetupGetIntField

Sections

.text
Size: 60KB - Virtual size: 60KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 28KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 79KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x64/bcdboot.exe
.exe windows:10 windows x64 arch:x64

249e23aef4b736bfce88d0bcb5a752f0

Code Sign

33:00:00:04:3a:75:e5:2f:9e:0b:29:98:1e:00:00:00:00:04:3a
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:25

Not After

01/09/2022, 18:25

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

06:3b:f7:e9:31:a5:fe:0a:b3:5c:db:79:d2:0c:dc:84:59:f8:ce:09:7b:79:85:09:5e:d0:8c:b2:8a:6a:f4:89
Signer

Actual PE Digest

06:3b:f7:e9:31:a5:fe:0a:b3:5c:db:79:d2:0c:dc:84:59:f8:ce:09:7b:79:85:09:5e:d0:8c:b2:8a:6a:f4:89

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

bcdboot.pdb

Imports

msvcrt

_wcsicmp
?terminate@@YAXXZ
_commode
_fmode
__C_specific_handler
memmove
_cexit
_exit
exit
__set_app_type
_initterm
memcpy
memcmp
__wgetmainargs
_amsg_exit
_XcptFilter
fwprintf
_wsetlocale
wcscpy_s
fflush
swprintf_s
__setusermatherr
strncmp
strcpy_s
wcsnlen
wcsstr
_wcslwr
_snwscanf_s
wcsncpy_s
wcstoul
_ultow_s
wcsncmp
wcschr
_vsnwprintf_s
fclose
_wfopen_s
wcscat_s
_wcsupr
wcsrchr
_wcsnicmp
_vsnwprintf
__iob_func
memset

rpcrt4

UuidCreate

imagehlp

CheckSumMappedFile

kernel32

LoadLibraryW
HeapAlloc
WriteConsoleW
GetProcAddress
GetProcessHeap
FreeLibrary
WideCharToMultiByte
GetFileType
Sleep
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetModuleHandleW
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
QueryDosDeviceW
GetFileSizeEx
DeviceIoControl
GetVolumePathNameW
CreateFileW
UnmapViewOfFile
GetVolumeNameForVolumeMountPointW
GetConsoleMode
CloseHandle
CreateFileMappingW
MapViewOfFile
FlushFileBuffers
GetVolumeInformationW
FindFirstFileW
FindNextFileW
GetModuleFileNameW
WriteFile
GetStdHandle
GetPrivateProfileSectionW
FindClose
GetFileAttributesW
GetConsoleOutputCP
SetFileAttributesW
MoveFileExW
HeapFree
GetLastError
GetLogicalDrives
FindFirstVolumeW
SetVolumeMountPointW
LocalFree
FindVolumeClose
DeleteVolumeMountPointW
FindNextVolumeW
LoadLibraryExW
SetLastError
CreateDirectoryW
FormatMessageW
LoadResource
FindResourceExW
LCIDToLocaleName
GetVersionExW
GetUserDefaultUILanguage
GetModuleHandleExW
GetLocaleInfoEx
GetSystemDefaultUILanguage
GetFileInformationByHandleEx
GetFileInformationByHandle
SetFileInformationByHandle
DeleteFileW
CopyFileExW
GetFullPathNameW
GetLongPathNameW
GetLocaleInfoW
LocaleNameToLCID
GetCurrentThread
SearchPathW

advapi32

EventRegister
EventUnregister
LookupPrivilegeValueW
GetSecurityDescriptorSacl
AdjustTokenPrivileges
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
SetNamedSecurityInfoW
GetSecurityDescriptorControl
RegQueryValueExW
GetSecurityDescriptorOwner
OpenProcessToken
ConvertSidToStringSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW
OpenThreadToken
GetTokenInformation
EventWriteTransfer
RegCloseKey
RegOpenKeyExW

shlwapi

PathRemoveBackslashW

ntdll

ZwReleaseMutant
ZwOpenFile
ZwOpenMutant
ZwClose
RtlLengthSecurityDescriptor
RtlSetOwnerSecurityDescriptor
NtOpenSymbolicLinkObject
RtlSetDaclSecurityDescriptor
NtOpenKey
NtQuerySymbolicLinkObject
RtlAddAccessAllowedAceEx
RtlAllocateAndInitializeSid
RtlLengthSid
RtlFreeSid
RtlCreateAcl
RtlCreateSecurityDescriptor
NtQueryValueKey
NtQueryBootEntryOrder
NtQueryBootOptions
NtTranslateFilePath
NtOpenDirectoryObject
NtQueryDirectoryObject
NtEnumerateBootEntries
ZwCreateFile
ZwCreateKey
ZwQueryKey
ZwFlushKey
ZwDeleteValueKey
ZwSaveKey
ZwDeleteKey
ZwEnumerateKey
ZwQueryValueKey
ZwSetSecurityObject
ZwUnloadKey
ZwSetValueKey
ZwOpenKey
ZwAllocateUuids
ZwQuerySymbolicLinkObject
ZwDeviceIoControlFile
ZwQueryDirectoryObject
ZwOpenSymbolicLinkObject
ZwOpenDirectoryObject
LdrGetProcedureAddress
LdrGetDllHandle
ZwQueryInformationProcess
RtlInitAnsiString
ZwQueryInformationFile
ZwOpenProcess
NtAdjustPrivilegesToken
NtOpenProcessTokenEx
NtOpenThreadTokenEx
RtlImpersonateSelf
ZwLoadKey
ZwQueryAttributesFile
RtlAppendUnicodeToString
ZwQuerySystemInformation
RtlAllocateHeap
LdrAccessResource
LdrFindResource_U
RtlCompareMemory
RtlFreeHeap
RtlStringFromGUID
NtSetInformationFile
RtlFreeUnicodeString
NtQuerySystemInformation
NtOpenFile
NtWaitForSingleObject
RtlNtStatusToDosError
NtQueryInformationThread
NtQueryInformationFile
NtCreateEvent
NtClose
RtlImageNtHeader
NtDeviceIoControlFile
NtSetInformationThread
NtReadFile
NtOpenProcess
NtQueryInformationProcess
NtWriteFile
RtlInitUnicodeString
RtlGUIDFromString
ZwWaitForSingleObject

Sections

.text
Size: 144KB - Virtual size: 141KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 76KB - Virtual size: 73KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 184B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x64/bcdedit.exe
.exe windows:10 windows x64 arch:x64

bacab27f15864af5e33e7877f3628945

Code Sign

33:00:00:04:39:f6:1f:7a:67:6d:a0:00:af:00:00:00:00:04:39
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:25

Not After

01/09/2022, 18:25

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

df:00:7e:bc:c1:cb:e4:b6:22:5e:39:1e:e2:65:d8:6d:ca:cb:b9:de:5a:ac:80:39:d5:a4:9b:fd:ab:71:c8:c1
Signer

Actual PE Digest

df:00:7e:bc:c1:cb:e4:b6:22:5e:39:1e:e2:65:d8:6d:ca:cb:b9:de:5a:ac:80:39:d5:a4:9b:fd:ab:71:c8:c1

Digest Algorithm

sha256

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

bcdedit.pdb

Imports

msvcrt

__setusermatherr
_initterm
_exit
__C_specific_handler
_fmode
_commode
?terminate@@YAXXZ
memmove
memcpy
exit
__set_app_type
__wgetmainargs
_amsg_exit
_XcptFilter
towupper
iswspace
_vsnwprintf
wcsrchr
_wtol
wcschr
_ui64tow_s
_wcstoui64
wcstoul
_cexit
_wcsicmp
wcscpy_s
_wtoi
_wcsnicmp
fflush
fwprintf
__iob_func
_vsnwprintf_s
wcscat_s
_ultow_s
strcpy_s
wcsncpy_s
wcsstr
wcsnlen
_wcsupr
strncmp
_snwscanf_s
_wcslwr
_aligned_free
_aligned_malloc
free
malloc
wcsncmp
vswprintf_s
_vscwprintf
_wsetlocale
swprintf_s
memcmp
memset

ntdll

ZwClose
ZwQuerySystemInformation
RtlAppendUnicodeToString
ZwQueryAttributesFile
ZwQuerySymbolicLinkObject
ZwDeviceIoControlFile
ZwQueryDirectoryObject
ZwOpenSymbolicLinkObject
ZwOpenDirectoryObject
RtlLengthSecurityDescriptor
RtlSetOwnerSecurityDescriptor
RtlSetDaclSecurityDescriptor
ZwCreateFile
ZwCreateKey
ZwLoadKey
RtlAddAccessAllowedAceEx
RtlAllocateAndInitializeSid
RtlLengthSid
ZwDeleteValueKey
ZwSaveKey
RtlFreeSid
ZwDeleteKey
ZwEnumerateKey
ZwQueryValueKey
RtlCreateAcl
ZwSetSecurityObject
ZwUnloadKey
RtlCreateSecurityDescriptor
ZwSetValueKey
ZwOpenKey
LdrGetProcedureAddress
ZwQueryVolumeInformationFile
LdrGetDllHandle
ZwQueryInformationProcess
ZwDeleteFile
ZwQueryInformationFile
ZwOpenProcess
NtQuerySystemInformation
ZwAllocateUuids
NtAdjustPrivilegesToken
NtOpenProcessTokenEx
NtSetInformationThread
NtOpenThreadTokenEx
ZwOpenMutant
RtlImpersonateSelf
NtOpenSymbolicLinkObject
NtOpenKey
NtQuerySymbolicLinkObject
NtDeviceIoControlFile
NtSetValueKey
NtQueryValueKey
NtDeleteKey
NtQueryBootEntryOrder
NtQueryBootOptions
NtSetSecurityObject
NtTranslateFilePath
NtOpenDirectoryObject
NtQueryDirectoryObject
NtEnumerateBootEntries
NtCreateKey
RtlUpcaseUnicodeChar
RtlRunOnceComplete
RtlRunOnceBeginInitialize
RtlFindNextForwardRunClear
RtlNumberOfSetBits
RtlInitializeSRWLock
RtlReleaseSRWLockExclusive
RtlAcquireSRWLockExclusive
ZwReleaseMutant
ZwQueryKey
ZwWaitForSingleObject
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
NtClose
NtOpenFile
RtlStringFromGUID
RtlDosPathNameToNtPathName_U
RtlFreeUnicodeString
RtlCompareMemory
RtlUnicodeStringToAnsiString
RtlAnsiStringToUnicodeString
RtlInitAnsiString
RtlGUIDFromString
RtlInitUnicodeString
RtlIpv6StringToAddressW
RtlFreeHeap
RtlNtStatusToDosError
RtlAllocateHeap
ZwOpenFile

kernel32

FormatMessageW
GetLocaleInfoEx
GetLocaleInfoW
LocalFree
GetVolumeNameForVolumeMountPointW
Sleep
GetSystemDefaultUILanguage
LCIDToLocaleName
GetUserDefaultUILanguage

api-ms-win-core-libraryloader-l1-1-0

FindResourceExW
LoadResource
GetProcAddress
GetModuleHandleW
FreeLibrary
GetModuleFileNameW
LoadLibraryExW

api-ms-win-core-errorhandling-l1-1-0

GetLastError
UnhandledExceptionFilter
SetLastError
SetUnhandledExceptionFilter

api-ms-win-core-console-l1-1-0

GetConsoleOutputCP
GetConsoleMode
WriteConsoleW

api-ms-win-core-file-l1-1-0

WriteFile
ReadFile
GetFileSizeEx
GetFileType
QueryDosDeviceW
CreateFileW
SetEndOfFile
SetFilePointerEx
FlushFileBuffers
GetFinalPathNameByHandleW

api-ms-win-core-processenvironment-l1-1-0

SearchPathW
GetStdHandle

api-ms-win-core-string-l1-1-0

WideCharToMultiByte

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-io-l1-1-0

DeviceIoControl

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcessId
TlsFree
TlsGetValue
TlsAlloc
TerminateProcess
GetCurrentProcess
TlsSetValue
GetCurrentThreadId

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetVersionExW
GetTickCount
GetSystemTimeAsFileTime

api-ms-win-core-synch-l1-1-0

DeleteCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
EnterCriticalSection

api-ms-win-security-base-l1-1-0

GetAce
GetSecurityDescriptorLength
GetSidSubAuthority
GetSidLengthRequired
IsValidSecurityDescriptor
DestroyPrivateObjectSecurity
SetSecurityDescriptorGroup
MakeSelfRelativeSD
CreatePrivateObjectSecurityWithMultipleInheritance
InitializeSecurityDescriptor
GetSecurityDescriptorControl
InitializeSid
SetSecurityDescriptorOwner
IsValidSid
InitializeAcl
SetSecurityDescriptorDacl
SetPrivateObjectSecurityEx
GetLengthSid
AddAccessAllowedAce

cryptsp

CryptGenRandom
CryptReleaseContext
CryptAcquireContextA

advapi32

RegCloseKey
RegQueryValueExW
RegOpenKeyExW

api-ms-win-core-memory-l1-1-0

UnmapViewOfFile
MapViewOfFile
CreateFileMappingW

Exports

Exports

ORCloseHive
ORCloseKey
ORCreateHive
ORCreateHiveEx
ORCreateKey
ORDeleteKey
ORDeleteValue
OREnumKey
OREnumValue
ORFlushHive
ORGetKeySecurity
ORGetValue
ORGetVirtualFlags
OROpenHive
OROpenHiveByHandle
OROpenKey
ORQueryInfoKey
ORQueryInfoKeyEx
ORQueryInfoKeyValueEx
ORRenameKey
ORSaveHive
ORSaveHiveEx
ORSaveHiveToHandle
ORSetKeySecurity
ORSetValue
ORSetVirtualFlags

Sections

.text
Size: 188KB - Virtual size: 185KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGE
Size: 12KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGECMRC
Size: 4KB - Virtual size: 130B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 100KB - Virtual size: 97KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 156KB - Virtual size: 152KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x64/bootsect.exe
.exe windows:10 windows x64 arch:x64

197b5f5cf02964bf07b3a72286de3102

Code Sign

33:00:00:04:3a:75:e5:2f:9e:0b:29:98:1e:00:00:00:00:04:3a
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:25

Not After

01/09/2022, 18:25

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

8e:91:fe:32:e0:17:91:b3:86:1d:26:cc:9b:42:c4:cf:56:49:49:85:d0:0d:ad:3e:a2:38:96:42:03:fb:17:59
Signer

Actual PE Digest

8e:91:fe:32:e0:17:91:b3:86:1d:26:cc:9b:42:c4:cf:56:49:49:85:d0:0d:ad:3e:a2:38:96:42:03:fb:17:59

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

bootsect.pdb

Imports

msvcrt

?terminate@@YAXXZ
_amsg_exit
_XcptFilter
__setusermatherr
__getmainargs
iswxdigit
_vsnwprintf
_wcsnicmp
memcpy
_stricmp
swprintf_s
__set_app_type
isalpha
exit
_exit
_cexit
__C_specific_handler
_fmode
_initterm
wcsncmp
_snwscanf_s
_wcslwr
wcsstr
wcsnlen
memset
wcscpy_s
_commode
_wcsicmp

api-ms-win-core-file-l1-1-0

QueryDosDeviceW
SetFilePointer
CreateFileW
GetFileType
ReadFile
WriteFile

api-ms-win-core-libraryloader-l1-1-0

FindResourceExW
GetModuleHandleExW
LoadLibraryExW
FreeLibrary
LoadResource
GetModuleFileNameW
GetModuleHandleW
GetProcAddress

ntdll

RtlLookupFunctionEntry
RtlCaptureContext
NtWaitForSingleObject
RtlFreeHeap
NtQueryDirectoryObject
NtCreateEvent
NtOpenDirectoryObject
NtDeviceIoControlFile
NtQuerySymbolicLinkObject
RtlAllocateHeap
NtOpenSymbolicLinkObject
NtResetEvent
NtOpenFile
NtQueryVolumeInformationFile
RtlNtStatusToDosError
NtOpenKey
RtlVirtualUnwind
NtQueryValueKey
NtQueryBootEntryOrder
NtQueryBootOptions
NtTranslateFilePath
NtEnumerateBootEntries
NtAdjustPrivilegesToken
NtOpenProcessTokenEx
NtSetInformationThread
NtOpenThreadTokenEx
RtlImpersonateSelf
NtFsControlFile
NtClose
RtlInitUnicodeString
NtQuerySystemInformation

api-ms-win-eventing-provider-l1-1-0

EventUnregister
EventWriteTransfer
EventRegister

api-ms-win-core-errorhandling-l1-1-0

GetLastError
SetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter

api-ms-win-core-console-l1-1-0

WriteConsoleW
GetConsoleOutputCP
GetConsoleMode

api-ms-win-core-processenvironment-l1-1-0

GetStdHandle
SearchPathW

api-ms-win-core-heap-obsolete-l1-1-0

LocalAlloc
LocalFree

api-ms-win-core-localization-l1-2-0

FormatMessageW
GetLocaleInfoEx
GetLocaleInfoW

api-ms-win-core-string-l1-1-0

WideCharToMultiByte

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcessId
GetCurrentThreadId
GetCurrentProcess
TerminateProcess

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime
GetVersionExW

api-ms-win-core-registry-l1-1-0

RegOpenKeyExW
RegCloseKey
RegQueryValueExW

api-ms-win-core-localization-obsolete-l1-1-0

GetSystemDefaultUILanguage
GetUserDefaultUILanguage
LCIDToLocaleName

api-ms-win-core-memory-l1-1-0

CreateFileMappingW
UnmapViewOfFile
MapViewOfFile

api-ms-win-core-handle-l1-1-0

CloseHandle

Sections

.text
Size: 32KB - Virtual size: 28KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 24KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 192B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x64/offreg.dll
.dll windows:10 windows x64 arch:x64

9fb70bcbb2c24e9538c79a79e1f5a64d

Code Sign

33:00:00:04:39:f6:1f:7a:67:6d:a0:00:af:00:00:00:00:04:39
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:25

Not After

01/09/2022, 18:25

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

13:d0:54:5c:02:97:84:3c:f8:83:4d:82:40:2a:bd:0e:c9:44:f8:b9:7e:7c:a9:04:b3:9c:61:48:d6:37:76:62
Signer

Actual PE Digest

13:d0:54:5c:02:97:84:3c:f8:83:4d:82:40:2a:bd:0e:c9:44:f8:b9:7e:7c:a9:04:b3:9c:61:48:d6:37:76:62

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

offreg.pdb

Imports

msvcrt

_amsg_exit
free
malloc
_initterm
__C_specific_handler
memmove
_XcptFilter
_wcsnicmp
wcsncpy_s
wcscat_s
wcsnlen
_aligned_malloc
_aligned_free
qsort
_wcsicmp
memcpy
memcmp
memset

kernel32

FlushFileBuffers
CloseHandle
CreateFileW
SetEndOfFile
WriteFile
GetFileSizeEx
ReadFile
GetFinalPathNameByHandleW
TlsSetValue
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
Sleep
TlsFree
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
SetFilePointerEx
GetModuleHandleW
DeleteCriticalSection
GetProcAddress
GetLastError
LeaveCriticalSection
EnterCriticalSection

advapi32

GetAce
GetSidSubAuthority
GetSidLengthRequired
CreatePrivateObjectSecurityWithMultipleInheritance
InitializeSid
IsValidSid
InitializeAcl
SetPrivateObjectSecurityEx
GetLengthSid
AddAccessAllowedAce
SetSecurityDescriptorDacl
SetSecurityDescriptorOwner
GetSecurityDescriptorControl
IsValidSecurityDescriptor
InitializeSecurityDescriptor
MakeSelfRelativeSD
SetSecurityDescriptorGroup
DestroyPrivateObjectSecurity
GetSecurityDescriptorLength

ntdll

RtlInitUnicodeString
RtlUpcaseUnicodeChar
RtlRunOnceComplete
RtlRunOnceBeginInitialize
RtlFindNextForwardRunClear
RtlNumberOfSetBits
RtlInitializeSRWLock
RtlReleaseSRWLockExclusive
RtlAcquireSRWLockExclusive
RtlFreeHeap
RtlAllocateHeap
RtlNtStatusToDosError

Exports

Exports

ORCloseHive
ORCloseKey
ORCreateHive
ORCreateHiveEx
ORCreateKey
ORDeleteKey
ORDeleteValue
OREnumKey
OREnumValue
ORFlushHive
ORGetKeySecurity
ORGetValue
ORGetVersion
ORGetVirtualFlags
ORMergeHives
OROpenHive
OROpenHiveByHandle
OROpenKey
ORQueryInfoKey
ORQueryInfoKeyEx
ORQueryInfoKeyValueEx
ORRenameKey
ORSaveHive
ORSaveHiveEx
ORSaveHiveToHandle
ORSetKeySecurity
ORSetValue
ORSetVirtualFlags

Sections

.text
Size: 60KB - Virtual size: 56KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGE
Size: 12KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGECMRC
Size: 4KB - Virtual size: 130B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1016B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 44B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x64/wimgapi.dll
.dll windows:10 windows x64 arch:x64

24fc8bb3c932b67f7f6e5cf14c4c953c

Code Sign

33:00:00:04:3a:75:e5:2f:9e:0b:29:98:1e:00:00:00:00:04:3a
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:25

Not After

01/09/2022, 18:25

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

e7:88:5f:6f:34:f0:89:07:dc:50:ec:cd:ad:01:52:f3:ad:82:1e:dd:d8:8c:90:3b:79:5a:d9:f9:95:0c:f8:db
Signer

Actual PE Digest

e7:88:5f:6f:34:f0:89:07:dc:50:ec:cd:ad:01:52:f3:ad:82:1e:dd:d8:8c:90:3b:79:5a:d9:f9:95:0c:f8:db

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_DLL

PDB Paths

wimgapi.pdb

Imports

msvcrt

_XcptFilter
swscanf_s
_wtoi
_vsnwprintf
wcsstr
memmove
_onexit
wcsnlen
__dllonexit
_wcsnicmp
_unlock
_lock
__C_specific_handler
wcsncmp
_initterm
strncpy_s
malloc
free
memcpy_s
_amsg_exit
_strnicmp
towupper
towlower
memcpy
memcmp
_callnewh
_vscwprintf
_purecall
iswspace
memmove_s
strcpy_s
_wcslwr
_wcsrev
wcschr
qsort
_wcsupr
wcstoul
wcstok_s
_wcstoi64
_wcsicmp
wcsrchr
memset

kernel32

GetLastError
CompareStringW
HeapFree
GetProcessHeap
SetLastError
DeleteFileW
CreateFileW
GetFileInformationByHandle
CloseHandle
LocalAlloc
HeapAlloc
GetSystemDirectoryW
LocalFree
GetDriveTypeW
RemoveDirectoryW
GetCurrentDirectoryW
GetLongPathNameW
SetFileInformationByHandle
GetFileAttributesW
FindFirstFileW
FindNextFileW
FindClose
GetTempPathW
GetTempFileNameW
GetFileSize
SetFilePointer
ReadFile
SetFilePointerEx
DeleteCriticalSection
GetSystemInfo
InitializeCriticalSection
SetThreadIdealProcessor
GetCurrentThread
GetEnvironmentVariableW
GetOverlappedResult
EnterCriticalSection
LeaveCriticalSection
FlushFileBuffers
CreateDirectoryW
WriteFile
SetEndOfFile
CreateEventW
LockFileEx
UnlockFileEx
GetFileSizeEx
DeviceIoControl
HeapReAlloc
GetHandleInformation
WaitForSingleObject
CreateMutexW
GetModuleHandleExW
GetModuleFileNameW
FormatMessageW
ReleaseMutex
WideCharToMultiByte
GetFileInformationByHandleEx
GetVolumePathNamesForVolumeNameW
LoadLibraryW
GetVolumeNameForVolumeMountPointW
GetVolumePathNameW
InitializeCriticalSectionAndSpinCount
QueryPerformanceCounter
OpenProcess
GetCurrentProcessId
SetFileAttributesW
GlobalMemoryStatusEx
GetFinalPathNameByHandleW
LoadLibraryExW
FreeLibrary
GetProcAddress
GetFullPathNameW
GetVolumeInformationW
DuplicateHandle
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
DisableThreadLibraryCalls
OpenEventW
Sleep
ExpandEnvironmentStringsW
GetCurrentThreadId
GetSystemTimeAsFileTime
TerminateProcess
GetCurrentProcess
GetPrivateProfileSectionW
GetModuleHandleW
WaitForMultipleObjects
ReleaseSemaphore
SetEvent
CreateSemaphoreW
CreateThread
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
LCIDToLocaleName
CopyFileExW
SetFileTime
LocalFileTimeToFileTime
DosDateTimeToFileTime
WaitForMultipleObjectsEx
ResetEvent
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
GetTickCount
GetLogicalDriveStringsW
Wow64DisableWow64FsRedirection
CreateProcessW
GetExitCodeProcess
Wow64RevertWow64FsRedirection
CreateSemaphoreExW
MultiByteToWideChar

bcrypt

BCryptCreateHash
BCryptHashData
BCryptFinishHash
BCryptDestroyHash
BCryptCloseAlgorithmProvider
BCryptGetProperty
BCryptOpenAlgorithmProvider

fltlib

FilterAttach
FilterConnectCommunicationPort
FilterLoad
FilterSendMessage

cabinet

ord22
ord20
ord23

advapi32

GetSecurityDescriptorSacl
RegDeleteKeyExW
AdjustTokenPrivileges
SetThreadToken
RegEnumKeyExW
RegEnumValueW
RegQueryInfoKeyW
RegQueryValueExW
ReadEncryptedFileRaw
CloseEncryptedFileRaw
WriteEncryptedFileRaw
OpenEncryptedFileRawW
GetAclInformation
GetSecurityDescriptorControl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorOwner
AddAccessAllowedAceEx
RevertToSelf
GetSecurityDescriptorLength
GetSecurityInfo
FreeSid
SetSecurityDescriptorDacl
EqualSid
AddAccessAllowedAce
InitializeAcl
GetLengthSid
GetTokenInformation
OpenProcessToken
OpenThreadToken
AllocateAndInitializeSid
InitializeSecurityDescriptor
RegUnLoadKeyW
RegFlushKey
RegSetValueExW
RegDeleteValueW
RegCreateKeyExW
RegLoadKeyW
RegCloseKey
RegOpenKeyExW

version

GetFileVersionInfoExW
GetFileVersionInfoSizeExW
VerQueryValueW

user32

CharUpperW

ntdll

RtlInitializeResource
RtlAcquireResourceExclusive
RtlAcquireResourceShared
RtlReleaseResource
RtlDeleteResource
NtQuerySecurityObject
RtlRaiseStatus
RtlDosPathNameToNtPathName_U_WithStatus
RtlInitializeCriticalSection
DbgPrintEx
NtUnloadKey2
RtlReAllocateHeap
NtYieldExecution
RtlDowncaseUnicodeChar
RtlGetVersion
NtSetSecurityObject
RtlFindAceByType
RtlSetControlSecurityDescriptor
RtlInitUnicodeString
RtlImpersonateSelf
NtQueryVolumeInformationFile
NtCreateFile
NtQueryEaFile
NtQueryInformationProcess
NtQueryInformationFile
RtlGetLastNtStatus
NtSetInformationFile
RtlSetIoCompletionCallback
RtlFreeHeap
NtClose
NtQueryDirectoryFile
RtlAllocateHeap
NtOpenFile
RtlDosPathNameToNtPathName_U
RtlAdjustPrivilege
RtlNtStatusToDosError
NtSetEaFile

rpcrt4

UuidToStringW
I_RpcMapWin32Status
RpcStringBindingComposeW
RpcStringFreeW
UuidFromStringW
NdrClientCall3
UuidCreate
RpcBindingFromStringBindingW
RpcBindingSetAuthInfoW
RpcBindingFree

Exports

Exports

DllCanUnloadNow
DllMain
WIMAddImagePath
WIMAddImagePaths
WIMAddWimbootEntry
WIMApplyImage
WIMCaptureImage
WIMCloseHandle
WIMCommitImageHandle
WIMCopyFile
WIMCreateFile
WIMCreateImageFile
WIMCreateWofCompressedFile
WIMDeleteImage
WIMDeleteImageMounts
WIMEnumImageFiles
WIMExportImage
WIMExtractImageDirectory
WIMExtractImagePath
WIMExtractImagePathByWimHandle
WIMFindFirstImageFile
WIMFindNextImageFile
WIMGetAttributes
WIMGetImageCount
WIMGetImageInformation
WIMGetMessageCallbackCount
WIMGetMountedImageHandle
WIMGetMountedImageInfo
WIMGetMountedImageInfoFromHandle
WIMGetMountedImages
WIMGetWIMBootEntries
WIMGetWIMBootWIMPath
WIMGetWimFileSize
WIMInitFileIOCallbacks
WIMInitializeWofDriver
WIMIsCurrentSystemWimboot
WIMIsReferenceWim
WIMLoadImage
WIMLoadOSInformation
WIMMountImage
WIMMountImageHandle
WIMProcessCustomImage
WIMReadFileEx
WIMReadImageFile
WIMRedirectFolderBeforeApply
WIMRegisterLogFile
WIMRegisterMessageCallback
WIMRemountImage
WIMSetBootImage
WIMSetCachedSigningLevel
WIMSetFileIOCallbackTemporaryPath
WIMSetImageInformation
WIMSetImageUserSpecifiedCreationTime
WIMSetReferenceFile
WIMSetTemporaryPath
WIMSetWimGuid
WIMSingleInstanceFile
WIMSplitFile
WIMUnmountImage
WIMUnmountImageHandle
WIMUnregisterLogFile
WIMUnregisterMessageCallback
WIMUpdateWIMBootEntry
WIMWriteFileWithIntegrity

Sections

.text
Size: 624KB - Virtual size: 623KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 120KB - Virtual size: 117KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 16KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 712B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x64/wimlib/ReadMe.txt
$TEMP/WinNTSetup/Tools/x64/wimlib/libwim-15.dll
.dll windows:6 windows x64 arch:x64

280f435e0e43af52cb30cc89787f17b7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

Imports

ntdll

NtClose
NtCreateFile
NtFsControlFile
NtOpenFile
NtOpenSymbolicLinkObject
NtQueryDirectoryFile
NtQueryEaFile
NtQueryInformationFile
NtQuerySecurityObject
NtQueryVolumeInformationFile
NtReadFile
NtSetEaFile
NtSetInformationFile
NtSetSecurityObject
NtWaitForSingleObject
NtWriteFile
RtlDosPathNameToNtPathName_U
RtlInitUnicodeString
RtlNtStatusToDosError

msvcrt

___lc_codepage_func
___mb_cur_max_func
__iob_func
_amsg_exit
_close
_errno
_fdopen
_fstat64
_get_osfhandle
_gmtime64
_initterm
_lock
_lseeki64
_open_osfhandle
_telli64
_unlock
_waccess
_wassert
_wcserror_s
_wcsicmp
_wgetenv
_wmkdir
_wopen
_wstat64
_wtempnam
_wunlink
abort
calloc
fclose
feof
fflush
fgetwc
fputc
fputwc
fputws
fread
free
fwprintf
fwrite
getenv
iswctype
localeconv
malloc
memchr
memcmp
memcpy
memmove
memset
putc
qsort
realloc
strchr
strerror
strlen
strncmp
towlower
ungetwc
vfprintf
wcschr
wcscmp
wcscpy
wcsftime
wcslen
wcsncmp
wcspbrk
wcsrchr
wcsstr
wcstol
wcstoul

advapi32

AdjustTokenPrivileges
CloseEncryptedFileRaw
LookupPrivilegeValueW
OpenEncryptedFileRawW
OpenProcessToken
ReadEncryptedFileRaw
RegCloseKey
RegCreateKeyExW
RegFlushKey
RegLoadKeyW
RegSetValueExW
RegUnLoadKeyW
SystemFunction036
WriteEncryptedFileRaw

user32

wsprintfW

kernel32

CloseHandle
CreateFileW
CreateThread
DeleteCriticalSection
DeleteFileW
DeviceIoControl
EnterCriticalSection
FindClose
FindFirstFileW
FindFirstVolumeW
FindNextFileW
FindNextVolumeW
FindVolumeClose
FlushFileBuffers
FormatMessageW
FreeLibrary
GetCurrentProcess
GetDiskFreeSpaceExW
GetEnvironmentVariableA
GetFileInformationByHandle
GetFileSizeEx
GetFileType
GetFullPathNameW
GetLastError
GetModuleHandleW
GetProcAddress
GetProcessHeap
GetSystemInfo
GetSystemTimeAsFileTime
GetVolumeInformationW
GlobalMemoryStatusEx
HeapAlloc
HeapFree
InitializeConditionVariable
InitializeCriticalSection
IsDBCSLeadByteEx
LeaveCriticalSection
LoadLibraryW
MoveFileExW
MoveFileW
MultiByteToWideChar
ReadFile
SetEndOfFile
SetFilePointer
SetFilePointerEx
SetLastError
Sleep
SleepConditionVariableCS
TlsGetValue
VirtualProtect
VirtualQuery
WaitForSingleObject
WakeAllConditionVariable
WakeConditionVariable
WideCharToMultiByte
WriteFile

Exports

Exports

wimlib_add_empty_image
wimlib_add_image
wimlib_add_image_multisource
wimlib_add_tree
wimlib_compress
wimlib_create_compressor
wimlib_create_decompressor
wimlib_create_new_wim
wimlib_decompress
wimlib_delete_image
wimlib_delete_path
wimlib_export_image
wimlib_extract_image
wimlib_extract_image_from_pipe
wimlib_extract_image_from_pipe_with_progress
wimlib_extract_pathlist
wimlib_extract_paths
wimlib_extract_xml_data
wimlib_free
wimlib_free_compressor
wimlib_free_decompressor
wimlib_get_compression_type_string
wimlib_get_compressor_needed_memory
wimlib_get_error_string
wimlib_get_image_description
wimlib_get_image_name
wimlib_get_image_property
wimlib_get_version
wimlib_get_version_string
wimlib_get_wim_info
wimlib_get_xml_data
wimlib_global_cleanup
wimlib_global_init
wimlib_image_name_in_use
wimlib_iterate_dir_tree
wimlib_iterate_lookup_table
wimlib_join
wimlib_join_with_progress
wimlib_mount_image
wimlib_open_wim
wimlib_open_wim_with_progress
wimlib_overwrite
wimlib_print_available_images
wimlib_print_header
wimlib_reference_resource_files
wimlib_reference_resources
wimlib_reference_template_image
wimlib_register_progress_function
wimlib_rename_path
wimlib_resolve_image
wimlib_set_default_compression_level
wimlib_set_error_file
wimlib_set_error_file_by_name
wimlib_set_image_descripton
wimlib_set_image_flags
wimlib_set_image_name
wimlib_set_image_property
wimlib_set_memory_allocator
wimlib_set_output_chunk_size
wimlib_set_output_compression_type
wimlib_set_output_pack_chunk_size
wimlib_set_output_pack_compression_type
wimlib_set_print_errors
wimlib_set_wim_info
wimlib_split
wimlib_unmount_image
wimlib_unmount_image_with_progress
wimlib_update_image
wimlib_verify_wim
wimlib_write
wimlib_write_to_fd

Sections

.text
Size: 363KB - Virtual size: 363KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 98KB - Virtual size: 98KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.buildid
Size: 512B - Virtual size: 53B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 131KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.00cfg
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 620B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x86/DISM/ReadMe.txt
$TEMP/WinNTSetup/Tools/x86/DISM/wofadk.sys
.sys windows:10 windows x86 arch:x86

3210bb7db9e3473b887a43e6ceeffd9f

Code Sign

33:00:00:00:9d:42:68:ee:31:1c:d7:56:bd:00:00:00:00:00:9d
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

30/03/2016, 19:21

Not After

30/06/2017, 19:21

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:148C-C4B9-2066,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04/06/2015, 17:42

Not After

04/09/2016, 17:42

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31/08/2010, 22:19

Not After

31/08/2020, 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:ef:d8:87:2e:35:a3:82:8a:2f:00:00:00:00:00:ef
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

28/10/2015, 20:31

Not After

28/01/2017, 20:31

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

18:7f:d3:0e:4c:01:e4:be:71:5a:c9:09:6f:6f:8f:a7:da:6a:24:23:8b:c0:7a:a5:30:d4:21:b5:b9:ae:e9:fd
Signer

Actual PE Digest

18:7f:d3:0e:4c:01:e4:be:71:5a:c9:09:6f:6f:8f:a7:da:6a:24:23:8b:c0:7a:a5:30:d4:21:b5:b9:ae:e9:fd

Digest Algorithm

sha256

PE Digest Matches

true

82:73:62:db:b3:e8:28:7e:3b:74:41:57:ea:9e:7e:56:db:e3:ae:1f
Signer

Actual PE Digest

82:73:62:db:b3:e8:28:7e:3b:74:41:57:ea:9e:7e:56:db:e3:ae:1f

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

wofadk.pdb

Imports

ntoskrnl.exe

ZwClose
SeLockSubjectContext
ZwQueryValueKey
SeUnlockSubjectContext
SeReleaseSubjectContext
RtlEnumerateGenericTableAvl
ExAcquireRundownProtection
RtlLookupElementGenericTableAvl
RtlFreeUnicodeString
SeTokenIsAdmin
RtlDeleteElementGenericTableAvl
RtlAppendUnicodeStringToString
KeDelayExecutionThread
ExRundownCompleted
EtwRegister
MmGetSystemRoutineAddress
PsGetProcessImageFileName
ObDereferenceObjectDeferDelete
EtwUnregister
EtwWriteTransfer
IoGetCurrentProcess
ProbeForRead
FsRtlValidateReparsePointBuffer
TmCurrentTransaction
RtlCompareMemory
RtlInitUnicodeString
KeQueryPriorityThread
KeGetCurrentThread
MmMapViewOfSection
ExDeleteLookasideListEx
ZwDeviceIoControlFile
EtwEventEnabled
RtlCheckRegistryKey
ZwCreateSection
ZwQueryInformationThread
RtlSetBit
ExQueueWorkItem
RtlAreBitsSet
PsInitialSystemProcess
ZwOpenKey
IoGetDeviceObjectPointer
RtlRunOnceExecuteOnce
KeStackAttachProcess
KeSetEvent
KdRefreshDebuggerNotPresent
ZwSetInformationThread
ObReferenceObjectByHandle
MmUnmapViewOfSection
RtlFindNextForwardRunClear
EtwWrite
IofCallDriver
RtlInitializeBitMap
ZwOpenFile
ExInitializeLookasideListEx
RtlTestBit
KeWaitForSingleObject
KeSetPriorityThread
KeUnstackDetachProcess
_i64tow_s
RtlClearAllBits
IoAllocateWorkItem
RtlAppendUnicodeToString
_wcsicmp
RtlCreateSystemVolumeInformationFolder
IoQueueWorkItemEx
IoFreeWorkItem
KeAllocateCalloutStackEx
IoGetRelatedDeviceObject
ExDeleteNPagedLookasideList
KeFreeCalloutStack
ExInitializeNPagedLookasideList
KeInitializeMutex
KeReleaseMutex
KeAreAllApcsDisabled
KeInitializeDpc
KeInitializeTimerEx
RtlQueryRegistryValues
KeCancelTimer
KeFlushQueuedDpcs
KeSetCoalescableTimer
KeQueryActiveProcessorCountEx
SeCaptureSubjectContext
RtlInitializeGenericTableAvl
ExInitializePagedLookasideList
RtlGetVersion
IoWMIRegistrationControl
MmIsThisAnNtAsSystem
IoBuildDeviceIoControlRequest
KeBugCheckEx
RtlEqualUnicodeString
memmove
MmMapLockedPagesSpecifyCache
ProbeForWrite
InterlockedPopEntrySList
ExReleaseRundownProtection
InterlockedPushEntrySList
ObfReferenceObject
RtlCompareUnicodeString
ExInitializeRundownProtection
KeLeaveCriticalRegion
ExReleaseFastMutexUnsafe
KeExpandKernelStackAndCalloutEx
KeInitializeEvent
ExFreePoolWithTag
ExAllocatePoolWithTag
ExDeletePagedLookasideList
RtlCopyUnicodeString
ExReInitializeRundownProtection
ExWaitForRundownProtectionRelease
ObfDereferenceObject
KeEnterCriticalRegion
ExAcquireFastMutexUnsafe
swprintf_s
_vsnwprintf
ZwQuerySystemInformation
ZwQuerySymbolicLinkObject
ZwOpenSymbolicLinkObject
wcscpy_s
wcschr
_wcsnicmp
wcsrchr
_alldiv
_alldvrm
_allmul
_allrem
_aulldiv
memcpy
memset
_alloca_probe
RtlUnwind

hal

KeGetCurrentIrql
ExAcquireFastMutex
ExReleaseFastMutex

fltmgr.sys

FltQueryInformationFile
FltFreeGenericWorkItem
FltQueueGenericWorkItem
FltIsOperationSynchronous
FltSetIoPriorityHintIntoCallbackData
FltPerformAsynchronousIo
FltAllocateGenericWorkItem
FltInitializePushLock
FltDeletePushLock
FltFlushBuffers
FltAllocateDeferredIoWorkItem
FltQueueDeferredIoWorkItem
FltFreePoolAlignedWithTag
FltDeviceIoControlFile
FltReadFile
FltOpenVolume
FltFreeDeferredIoWorkItem
FltAllocatePoolAlignedWithTag
FltAcquirePushLockShared
FltIsIoCanceled
FltCompletePendedPreOperation
FltAcquirePushLockExclusive
FltGetIoPriorityHintFromCallbackData
FltReleasePushLock
FltInitExtraCreateParameterLookasideList
FltStartFiltering
FltGetRoutineAddress
FltRegisterFilter
FltGetVolumeFromFileObject
FltCreateFileEx
FltWriteFile
FltUntagFile
FltGetFileNameInformationUnsafe
FltParseFileNameInformation
FltEnumerateInstances
FltAttachVolume
FltGetFilterFromName
FltTagFile
FltIsDirectory
FltSetInformationFile
FltObjectDereference
FltPerformSynchronousIo
FltLockUserBuffer
FltAllocateCallbackDataEx
FltFreeCallbackData
FltAllocateExtraCreateParameterList
FltInsertExtraCreateParameter
FltCancelFileOpen
FltDeleteStreamContext
FltReissueSynchronousIo
FltReleaseFileNameInformation
FltFsControlFile
FltGetEcpListFromCallbackData
FltGetFileNameInformation
FltEnlistInTransaction
FltSetEcpListIntoCallbackData
FltFindExtraCreateParameter
FltAllocateExtraCreateParameterFromLookasideList
FltSetCallbackDataDirty
FltSetStreamContext
FltSetTransactionContext
FltReferenceContext
FltGetTransactionContext
FltSetStreamHandleContext
FltSetFileContext
FltDeleteInstanceContext
FltGetInstanceContext
FltUnregisterFilter
FltAllocateContext
FltGetVolumeProperties
FltQueryDirectoryFile
FltGetVolumeGuidName
FltReleaseContext
FltDeleteExtraCreateParameterLookasideList
FltGetStreamHandleContext
FltGetStreamContext
FltSetInstanceContext
FltClose
FltGetDiskDeviceObject
FltQueryVolumeInformationFile

cng.sys

BCryptCreateHash
BCryptHashData
BCryptDestroyHash
BCryptCloseAlgorithmProvider
BCryptFinishHash
BCryptOpenAlgorithmProvider
BCryptGetProperty

Sections

.text
Size: 58KB - Virtual size: 57KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 512B - Virtual size: 152B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGER32C
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGE
Size: 80KB - Virtual size: 79KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 512B - Virtual size: 464B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Unattend/Win7-11-Select.xml
$TEMP/WinNTSetup/WimScript/WimScript.ini
$TEMP/WinNTSetup/WinNTSetup.ini
$TEMP/WinNTSetup/WinNTSetup.ini.txt
$TEMP/WinNTSetup/WinNTSetup_mru.txt
$TEMP/WinNTSetup/WinNTSetup_x64.exe
.exe windows:6 windows x64 arch:x64

6de6f7cd4ee057fb7a790855547c9fe1

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcrt

_stricmp
sqrt
wcstod
_wstati64
wcschr
wcstok_s
calloc
memset
memcmp
memcpy
wcslen
ceil
_strnicmp
wcstol
_time64
realloc
wcsspn
_localtime64
floor
wcstoul
strrchr
wcsncpy
_wcsnicmp
wcscmp
wcscat
_snwprintf
strstr
_wcsicmp
_wcsdup
free
_wtol
_wsystem
malloc
wcscpy
swscanf
__wgetmainargs
wcsncmp
memmove
tolower
_mktime64
_itow
_wtoi
_vsnwprintf
wcsrchr
wcsstr
_gmtime64
wcstok

kernel32

FindNextVolumeW
FindVolumeClose
lstrlenA
RtlMoveMemory
MultiByteToWideChar
lstrcmpW
lstrcpynW
SetConsoleTextAttribute
lstrcpyW
lstrcmpiW
GetFinalPathNameByHandleW
lstrlenW
GetSystemWindowsDirectoryW
GetFileSizeEx
SetFilePointerEx
ReadFile
GetFirmwareEnvironmentVariableW
SetFirmwareEnvironmentVariableW
FormatMessageW
Sleep
CreateDirectoryW
GetLogicalDriveStringsW
GetDriveTypeW
GetLogicalProcessorInformation
GetCurrentThread
SetFileAttributesW
GetNativeSystemInfo
GetEnvironmentVariableW
GetPrivateProfileIntW
SetDllDirectoryW
GetSystemInfo
GetPrivateProfileStringW
SetErrorMode
lstrcatW
RtlCompareMemory
WriteConsoleW
OpenProcess
QueryFullProcessImageNameW
ReadProcessMemory
GetLocalTime
GetTimeFormatW
WritePrivateProfileStringW
GetPrivateProfileSectionW
AttachConsole
AllocConsole
ReadConsoleOutputW
SetEndOfFile
SetFileValidData
CreateEventW
SetFilePointer
GetTickCount
SetVolumeMountPointW
WideCharToMultiByte
WriteConsoleA
FindFirstFileNameW
FindNextFileNameW
RemoveDirectoryW
FindFirstFileW
FindResourceExW
SizeofResource
LockResource
FreeResource
GetLogicalDrives
GetDiskFreeSpaceW
GetVolumeNameForVolumeMountPointW
MoveFileW
SetLastError
GetCurrentDirectoryW
SetCurrentDirectoryW
GetDateFormatW
LCIDToLocaleName
SetThreadExecutionState
GetCommandLineW
GetProcessId
FlushFileBuffers
DosDateTimeToFileTime
LocalFileTimeToFileTime
GlobalMemoryStatusEx
SetStdHandle
WritePrivateProfileSectionW
GetFileTime
GlobalAlloc
GlobalLock
GlobalUnlock
GlobalFree
SystemTimeToTzSpecificLocalTime
GetTempFileNameW
UnregisterWait
RegisterWaitForSingleObject
DeleteCriticalSection
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
HeapSize
GetVersionExW
HeapReAlloc
GetExitCodeProcess
PeekNamedPipe
CreateProcessW
CreatePipe
DuplicateHandle
HeapFree
HeapAlloc
CreateThread
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
CreateFileW
GetFileSize
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
CloseHandle
GetSystemTime
SystemTimeToFileTime
SetFileTime
GetModuleHandleW
HeapCreate
GetTempPathW
GetLongPathNameW
GetModuleFileNameW
GetWindowsDirectoryW
GetUserDefaultLCID
GetUserDefaultLocaleName
GetCurrentProcess
GetLastError
LocalAlloc
LocalFree
HeapDestroy
ExitProcess
GetStdHandle
GetFileType
GetConsoleScreenBufferInfo
QueryPerformanceCounter
LoadLibraryExW
FreeLibrary
SetEnvironmentVariableW
FindResourceW
LoadResource
QueryPerformanceFrequency
RtlZeroMemory
LoadLibraryW
MulDiv
FindFirstFileExW
FindNextFileW
FindClose
WaitForSingleObject
DefineDosDeviceW
VirtualProtect
WriteFile
BeginUpdateResourceW
EnumResourceNamesW
UpdateResourceW
EndUpdateResourceW
CopyFileW
DeleteFileW
GetFileAttributesW
lstrcmpA
GetProcAddress
GetCurrentThreadId
GetCurrentProcessId
CreateToolhelp32Snapshot
Process32FirstW
Process32NextW
SetConsoleTitleW
SetConsoleCtrlHandler
SetConsoleCursorInfo
GetFullPathNameW
DeviceIoControl
SetConsoleCursorPosition
GetConsoleWindow
K32GetModuleInformation
FindFirstVolumeW
QueryDosDeviceW
GetVolumePathNamesForVolumeNameW
GetVolumeInformationW
GetDiskFreeSpaceExW

user32

GetPropW
GetDlgItem
UnhookWindowsHookEx
SetWindowsHookExW
MessageBoxW
LoadStringW
GetWindowTextW
GetParent
GetClassWord
TrackPopupMenu
RealChildWindowFromPoint
ScreenToClient
WindowFromPoint
FlashWindowEx
MessageBeep
GetMessagePos
SetWindowTextW
PostMessageW
SetFocus
UpdateWindow
GetWindowPlacement
SetWindowPlacement
SetTimer
InvalidateRect
CreateWindowExW
GetSystemMenu
GetSysColor
SetMenuDefaultItem
CheckMenuRadioItem
AppendMenuW
SetMenuItemInfoW
GetSysColorBrush
IsWindowEnabled
GetClientRect
SetWindowPos
FindWindowExW
GetComboBoxInfo
LockWindowUpdate
EnumChildWindows
SetClassLongPtrW
DefWindowProcW
BeginPaint
FillRect
DrawTextW
EndPaint
CopyRect
CharUpperW
EnableMenuItem
CharLowerW
EnumDisplayDevicesW
EnumWindows
ShowWindow
EnumDisplaySettingsW
SetWindowCompositionAttribute
EnumDisplaySettingsExW
ChangeDisplaySettingsW
GetDisplayConfigBufferSizes
QueryDisplayConfig
DisplayConfigGetDeviceInfo
DisplayConfigSetDeviceInfo
GetWindowRect
GetWindow
SetParent
IsChild
DefFrameProcW
GetFocus
AdjustWindowRectEx
UnregisterClassW
RegisterClassW
TranslateAcceleratorW
MsgWaitForMultipleObjects
PeekMessageW
DispatchMessageW
TranslateMessage
GetMessageW
IsZoomed
GetMenu
DestroyAcceleratorTable
CreateAcceleratorTableW
SetActiveWindow
DrawFrameControl
GetScrollPos
RegisterClassExW
SetScrollPos
GetWindowDC
GetAsyncKeyState
GetWindowLongW
DrawStateW
ReleaseCapture
SetCapture
GetWindowTextLengthW
RedrawWindow
IntersectRect
EnableWindow
DestroyWindow
GetDC
ReleaseDC
GetClassInfoExW
RegisterWindowMessageW
GetSystemMetrics
SystemParametersInfoW
GetIconInfo
DestroyIcon
LoadImageW
CreateIconIndirect
SetPropW
GetWindowLongPtrW
SetWindowLongPtrW
SendMessageW
DestroyMenu
CreatePopupMenu
InsertMenuW
GetKeyState
MessageBoxIndirectW
SetForegroundWindow
KillTimer
GetActiveWindow
WindowFromDC
GetClassLongPtrW
CallNextHookEx
MapWindowPoints
GetUpdateRect
SetRect
GetClassNameW
FindWindowW
GetDlgCtrlID
DestroyCursor
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
ClientToScreen
CopyImage
GetForegroundWindow
IsIconic
SetCursor
LoadCursorW
MoveWindow
SetRectEmpty
LoadIconW
IsWindowVisible
GetWindowThreadProcessId
GetDoubleClickTime
RemovePropW
DrawIconEx
CallWindowProcW
ValidateRect
InflateRect
FrameRect
CheckMenuItem

gdi32

OffsetViewportOrgEx
CreatePatternBrush
ExcludeClipRect
CreateDCW
StretchBlt
CreateBitmap
GetDIBits
SetPixel
GetStockObject
GetObjectType
SetViewportOrgEx
LineTo
MoveToEx
Rectangle
CreatePen
ExtTextOutW
FrameRgn
CreateRectRgn
GdiAlphaBlend
SetStretchBltMode
GetTextExtentPoint32W
AddFontResourceW
GetTextMetricsW
EnumFontFamiliesW
DeleteDC
BitBlt
SelectObject
CreateCompatibleDC
SetTextColor
SetBkColor
SetBkMode
CreateFontW
CreateFontIndirectW
CreateDIBSection
CreateCompatibleBitmap
GetObjectW
DeleteObject
CreateSolidBrush
GetDeviceCaps

comdlg32

GetOpenFileNameW
GetSaveFileNameW

advapi32

CloseServiceHandle
OpenServiceW
OpenProcessToken
GetTokenInformation
SetEntriesInAclW
ConvertSecurityDescriptorToStringSecurityDescriptorW
ConvertStringSecurityDescriptorToSecurityDescriptorW
RegOpenKeyW
RegQueryValueExW
RegCloseKey
RegOpenKeyExW
RegSetValueExW
ConvertSidToStringSidW
CryptAcquireContextW
CryptCreateHash
CryptHashData
CryptGetHashParam
CryptDestroyHash
CryptReleaseContext
RegDeleteKeyW
RegCreateKeyExW
OpenSCManagerW
RegCreateKeyW
SetNamedSecurityInfoW
RegEnumValueW
ControlService
StartServiceW
QueryServiceStatus
CreateServiceW
RegQueryValueW
RegLoadKeyW
RegUnLoadKeyW
RegQueryInfoKeyW
SetFileSecurityW
GetFileSecurityW
IsValidSecurityDescriptor
RegEnumKeyExW

comctl32

ImageList_Remove
ImageList_GetIcon
ImageList_Destroy
InitCommonControlsEx
CreateToolbarEx
ImageList_Create
ord413
ImageList_GetIconSize
ImageList_DrawEx
ImageList_Draw
ImageList_GetImageCount
ImageList_ReplaceIcon
ord410
ImageList_Merge
ImageList_Replace
ImageList_AddMasked
ImageList_Add

oleaut32

SysAllocString
SafeArrayDestroy
SysFreeString
SafeArrayUnlock
VariantClear
SafeArrayLock
SafeArrayCreate

ntdll

RtlUpcaseUnicodeString
NtTranslateFilePath
NtReadFile
NtWriteFile
RtlNtStatusToDosError
NtSetInformationFile
NtCreatePagingFile
RtlCreateUnicodeString
RtlFreeUnicodeString
RtlIsNameInExpression
RtlAdjustPrivilege
NtQuerySystemInformation
RtlGetProcessHeaps
RtlAllocateHeap
RtlDosPathNameToNtPathName_U
NtOpenFile
NtClose
RtlFreeHeap
RtlGetNtVersionNumbers
NtShutdownSystem
RtlGetVersion
NtQueryVolumeInformationFile
NtQueryInformationProcess
RtlInitUnicodeString
NtOpenDirectoryObject
NtQueryDirectoryObject
RtlComputeCrc32
RtlRandom
NtFsControlFile
NtQueryInformationFile

shell32

SHExtractIconsW
SHGetFileInfoW
SHGetImageList
ShellExecuteExW
ShellExecuteW
SHChangeNotify
ILCreateFromPath
ILFree
StrStrIW
SHParseDisplayName
SHCreateShellItem
SHGetDesktopFolder
SHBrowseForFolderW
SHGetPathFromIDListW
SHFileOperationW
SHTestTokenMembership
SHFormatDrive
SHGetStockIconInfo

ole32

CoCreateInstance
CLSIDFromString
StringFromGUID2
CreateStreamOnHGlobal
CoTaskMemFree
CoCreateGuid
CoInitializeEx
CoInitializeSecurity
RevokeDragDrop
CoInitialize
CoUninitialize

shlwapi

StrFormatByteSizeW
PathRemoveFileSpecW
PathIsRelativeW
PathFindFileNameW
PathMatchSpecW
PathFindExtensionW
PathFileExistsW
PathAddBackslashW
PathRemoveBackslashW
PathStripToRootW
PathIsDirectoryW
PathSearchAndQualifyW
SHCreateStreamOnFileEx
SHCreateStreamOnFileW
PathCombineW
StrToIntExW
StrTrimW
PathRemoveExtensionW
PathCompactPathW
PathGetArgsW
PathParseIconLocationW
PathCompactPathExW
StrStrNIW
StrCmpLogicalW
StrToIntW

cfgmgr32

CM_Get_Parent
CM_Get_Device_IDW

crypt32

CryptBinaryToStringW

setupapi

SetupIterateCabinetW
SetupDiGetDeviceRegistryPropertyW
SetupFindFirstLineW
SetupGetStringFieldW
SetupDiGetClassDevsW
SetupDiEnumDeviceInfo
SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInterfaces
SetupDiGetDeviceInterfaceDetailW
SetupDiGetDeviceInstanceIdW
SetupOpenInfFileW
SetupEnumInfSectionsW
SetupGetIntField
SetupGetMultiSzFieldW
SetupGetBinaryField
SetupGetFieldCount
SetupGetLineByIndexW
SetupGetLineCountW
SetupDecompressOrCopyFileW
SetupCloseInfFile
SetupDiOpenDevRegKey

uxtheme

BufferedPaintInit
SetWindowTheme
GetThemeInt
DrawThemeBackground
DrawThemeText
GetThemeFont
EndBufferedPaint
BufferedPaintSetAlpha
GetThemePartSize
BeginBufferedPaint
DrawThemeTextEx
OpenThemeData

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

tools\x64\offreg

ORCloseHive
OROpenHive
ORGetValue
ORQueryInfoKey
OREnumKey
OROpenKey
ORCloseKey
ORDeleteValue
ORSetValue
ORSaveHive
ORCreateKey
ORDeleteKey
ORCreateHive

virtdisk

DetachVirtualDisk
GetVirtualDiskPhysicalPath
AttachVirtualDisk
OpenVirtualDisk
GetVirtualDiskOperationProgress
CreateVirtualDisk
GetStorageDependencyInformation
GetVirtualDiskInformation

cabinet

ord22
ord20
ord23

fltlib

FilterAttach
FilterLoad

Sections

.text
Size: 784KB - Virtual size: 783KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 30KB - Virtual size: 29KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 169KB - Virtual size: 4.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 137KB - Virtual size: 137KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

7c2c71dfce9a27650634dc8b1ca03bf0

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

shell32

advapi32

comctl32

ole32

Sections

.text Size: 24KB - Virtual size: 24KB

.rdata Size: 5KB - Virtual size: 4KB

.data Size: 1024B - Virtual size: 106KB

.ndata Size: - Virtual size: 36KB

.rsrc Size: 89KB - Virtual size: 89KB

8c8a576201f68de1a3f26fc723b9f30f

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

ole32

Exports

Exports

Sections

.text Size: 8KB - Virtual size: 7KB

.rdata Size: 1024B - Virtual size: 867B

.data Size: 512B - Virtual size: 104B

.reloc Size: 1024B - Virtual size: 636B

Headers

DLL Characteristics

File Characteristics

Sections

.rsrc Size: 15KB - Virtual size: 14KB

Headers

DLL Characteristics

File Characteristics

Sections

.rsrc Size: 44KB - Virtual size: 48KB

Headers

DLL Characteristics

File Characteristics

Sections

.rsrc Size: 41KB - Virtual size: 40KB

6a4041370c121d4f288ee4d92bfe9499

Headers

File Characteristics

Imports

msvcrt

kernel32

Exports

Exports

Sections

.code Size: 512B - Virtual size: 102B

.text Size: 512B - Virtual size: 24B

.rdata Size: 512B - Virtual size: 69B

.data Size: 512B - Virtual size: 204B

.rsrc Size: 43KB - Virtual size: 43KB

.reloc Size: 512B - Virtual size: 32B

Headers

DLL Characteristics

File Characteristics

Sections

.rsrc Size: 21KB - Virtual size: 24KB

Headers

DLL Characteristics

File Characteristics

Sections

.rsrc Size: 42KB - Virtual size: 42KB

Headers

DLL Characteristics

.text
Size: 24KB - Virtual size: 24KB

.rdata
Size: 5KB - Virtual size: 4KB

.data
Size: 1024B - Virtual size: 106KB

.ndata
Size: - Virtual size: 36KB

.rsrc
Size: 89KB - Virtual size: 89KB

.text
Size: 8KB - Virtual size: 7KB

.rdata
Size: 1024B - Virtual size: 867B

.data
Size: 512B - Virtual size: 104B

.reloc
Size: 1024B - Virtual size: 636B

.rsrc
Size: 15KB - Virtual size: 14KB

.rsrc
Size: 44KB - Virtual size: 48KB

.rsrc
Size: 41KB - Virtual size: 40KB

.code
Size: 512B - Virtual size: 102B

.text
Size: 512B - Virtual size: 24B

.rdata
Size: 512B - Virtual size: 69B

.data
Size: 512B - Virtual size: 204B

.rsrc
Size: 43KB - Virtual size: 43KB

.reloc
Size: 512B - Virtual size: 32B

.rsrc
Size: 21KB - Virtual size: 24KB

.rsrc
Size: 42KB - Virtual size: 42KB

.rsrc
Size: 42KB - Virtual size: 44KB

.rsrc
Size: 41KB - Virtual size: 40KB

.rsrc
Size: 33KB - Virtual size: 32KB

.rsrc
Size: 22KB - Virtual size: 21KB

.rsrc
Size: 44KB - Virtual size: 43KB

.text
Size: 70KB - Virtual size: 70KB

.data
Size: 512B - Virtual size: 1KB

.pdata
Size: 2KB - Virtual size: 1KB

.rsrc
Size: 39KB - Virtual size: 38KB

.reloc
Size: 512B - Virtual size: 60B

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

9f:ea:c8:11:b0:f1:62:47:a5:fc:20:d8:05:23:ac:e6
Certificate

11:21:42:a1:2c:75:7c:ec:88:72:b6:e2:03:ec:d4:ea:64:91
Certificate

61:0b:7f:6b:00:00:00:00:00:19
Certificate

5c:42:5e:bf:54:48:19:7c:ad:73:70:15:5e:09:9d:b5:dd:f6:67:8b
Signer