b6674bd5e7755d6b4e16b218b3b72946_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

b6674bd5e7755d6b4e16b218b3b72946_JaffaCakes118
Size

8.8MB
MD5

b6674bd5e7755d6b4e16b218b3b72946
SHA1

b674672c270296bfc12d355b539f39165d4f70f4
SHA256

77ecc7a30c5a9f0f3c1cdc6e2de6cc85ec204bb735fbfcdad33e1352a1d3a5b8
SHA512

609a2d8008e432500dd02d023de18304a2af33d8505485796f41e2b93cebd95971677b46277d3a9e58789d9527b24ba5c8d37a0659769f898e069b94eab1514a
SSDEEP

196608:pfiX+yYiVHrG+NhI4tcTv8Wh+Vl+kLulM4x28LOZR9VHHwtYIl1Nq:mg+rGglCv/h+Vl+1F28LOvH7qk

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack002/F31_F41/mountt12.exe

Files

b6674bd5e7755d6b4e16b218b3b72946_JaffaCakes118
.rar
一键恢复4.65.0.iso
.iso
F31_F41/0A02.ROM
F31_F41/DM_t12.ROM
F31_F41/HDTOOL.EXE
F31_F41/HPATOOL.EXE
F31_F41/HSETUP.EXE
F31_F41/MSETUP.EXE
F31_F41/PWIN98.IMA
F31_F41/R4TOOL.EXE
F31_F41/SETUP.TXT
F31_F41/backup.bat
F31_F41/delete.bat
F31_F41/hpaload.rom
F31_F41/leosld.bin
F31_F41/mountt12.exe
.exe windows:4 windows x86 arch:x86

8cbd3270bca5d082489bffecc96c04b6

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

lstrlenW
VerifyVersionInfoW
VerSetConditionMask
SetVolumeMountPointW
GetVolumeNameForVolumeMountPointW
CloseHandle
DeviceIoControl
CreateFileW
lstrcpynW
DefineDosDeviceW
SetLastError
QueryDosDeviceW
DeleteVolumeMountPointW
ReadFile
SetFilePointer
GetLastError
lstrcmpiW
GetSystemTimeAsFileTime
GetCurrentProcessId
HeapFree
HeapSize
HeapAlloc
GetModuleHandleA
GetVersionExA
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
HeapReAlloc
ExitProcess
GetProcAddress
TerminateProcess
GetCurrentProcess
WriteFile
GetStdHandle
GetModuleFileNameA
UnhandledExceptionFilter
GetModuleFileNameW
FreeEnvironmentStringsA
MultiByteToWideChar
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineA
GetCommandLineW
SetHandleCount
GetFileType
GetStartupInfoA
LoadLibraryA
RtlUnwind
InterlockedExchange
VirtualQuery
SetStdHandle
WideCharToMultiByte
QueryPerformanceCounter
GetTickCount
GetCurrentThreadId
FlushFileBuffers

user32

IsCharAlphaW

Sections

.text
Size: 21KB - Virtual size: 20KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
F31_F41/rr.bin
F31_F41/setup12g.BAT
F31_F41/setup13g.BAT
F31_F41/setup15g.BAT
F31_F41/setup6g.BAT
F31_F41/u-text.com
[BOOT]/Boot-1.44M.img
help.txt
联想“一键恢复5.0”安装手册（v1.1）.pdf
.pdf
一键恢复5.0用户手册.pdf
.pdf
联想一键恢复(WINDOWS)/ClientRegist.dll
.dll windows:4 windows x86 arch:x86

9cac0264641da005d5a3e9cd9b3ab623

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04/12/2003, 00:00

Not After

03/12/2008, 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2d:f6:a0:ea:04:ee:72:75:b1:e6:94:fd:22:69:23:aa
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

15/12/2006, 00:00

Not After

15/12/2007, 23:59

Subject

CN=Xi'an Saming Technology Co.\, Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Xi'an Saming Technology Co.\, Ltd.,ST=Shannxi,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

a9:11:e9:7b:47:92:52:6d:e3:c6:3d:7a:cb:42:8c:81:79:51:56:7e
Signer

Actual PE Digest

a9:11:e9:7b:47:92:52:6d:e3:c6:3d:7a:cb:42:8c:81:79:51:56:7e

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

universal

GetDiskSerial

enc

_DesDecrypt@8
_SplDecrypt@8
_SplEncrypt@8

wininet

InternetErrorDlg
HttpQueryInfoA
HttpSendRequestA
InternetReadFile
InternetConnectA
InternetOpenA
InternetCloseHandle
HttpOpenRequestA

mfc42

ord924
ord1200
ord1199
ord1247
ord5500
ord641
ord2818
ord540
ord2915
ord2514
ord860
ord6467
ord941
ord926
ord858
ord4129
ord825
ord815
ord535
ord5265
ord4853
ord4998
ord6052
ord2764
ord1775
ord4407
ord5241
ord2385
ord5163
ord6374
ord4353
ord5280
ord3798
ord4837
ord4441
ord4277
ord4078
ord6376
ord3749
ord5065
ord1727
ord5261
ord2446
ord2124
ord5277
ord4627
ord4425
ord3597
ord324
ord3738
ord561
ord2289
ord2370
ord4234
ord1105
ord4224
ord6334
ord2642
ord3092
ord4376
ord6199
ord5710
ord4278
ord1158
ord939
ord1168
ord2763
ord5683
ord1997
ord5300
ord6407
ord798
ord5194
ord533
ord5572
ord2614
ord823
ord922
ord2919
ord3346
ord2396
ord5199
ord1089
ord3922
ord5731
ord2512
ord2554
ord4486
ord6375
ord4274
ord800
ord537
ord4424
ord4622
ord4080
ord3079
ord3825
ord3831
ord3830
ord2976
ord3081
ord2985
ord3262
ord3136
ord4465
ord3259
ord3147
ord2982
ord5714
ord5289
ord5307
ord4698
ord4079
ord2725
ord5302
ord4710
ord2648
ord2055
ord2808
ord1197
ord1570
ord269
ord826
ord600
ord1578
ord1116
ord1176
ord1253
ord1255
ord1182
ord1577
ord1243
ord1575
ord342

msvcrt

vsprintf
_EH_prolog
fopen
fclose
strchr
atoi
free
isalpha
isdigit
realloc
malloc
rand
_mbscmp
atol
_strdup
__dllonexit
_onexit
_initterm
_adjust_fdiv
??1type_info@@UAE@XZ
__CxxFrameHandler
_strupr

kernel32

LocalAlloc
GetVersionExA
GetLocalTime
GetModuleFileNameA
lstrcpynA
SetEvent
CreateEventA
GetPrivateProfileSectionA
GetPrivateProfileStringA
LocalFree

user32

EnableWindow
GetDesktopWindow
PostMessageA

advapi32

RegQueryValueExA
RegOpenKeyExA
RegCreateKeyExA
RegFlushKey
RegCloseKey

Exports

Exports

CheckRegist
RegistOnLine

Sections

.text
Size: 20KB - Virtual size: 16KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
联想一键恢复(WINDOWS)/HARDDISK.VXD
联想一键恢复(WINDOWS)/HZK16
联想一键恢复(WINDOWS)/NTDISK.SYS
.sys windows:5 windows x86 arch:x86

0872f815e2988901086b6641a9bc46e9

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04/12/2003, 00:00

Not After

03/12/2008, 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2d:f6:a0:ea:04:ee:72:75:b1:e6:94:fd:22:69:23:aa
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

15/12/2006, 00:00

Not After

15/12/2007, 23:59

Subject

CN=Xi'an Saming Technology Co.\, Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Xi'an Saming Technology Co.\, Ltd.,ST=Shannxi,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

a8:ee:93:1a:3d:3c:e6:24:a1:a0:f5:55:fd:49:44:47:31:aa:9b:64
Signer

Actual PE Digest

a8:ee:93:1a:3d:3c:e6:24:a1:a0:f5:55:fd:49:44:47:31:aa:9b:64

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

PDB Paths

F:\work2006\muldrv\mulkmd\objfre_wnet_x86\i386\ntdisk.pdb

Imports

ntoskrnl.exe

KeBugCheckEx
KeWaitForSingleObject
IofCallDriver
KeInitializeEvent
IoBuildDeviceIoControlRequest
KeSetEvent
IofCompleteRequest
IoDeleteDevice
IoDetachDevice
ZwClose
RtlInitUnicodeString
IoAttachDeviceToDeviceStack
IoCreateDevice
sprintf
PoCallDriver
PoStartNextPowerIrp
ZwMapViewOfSection
ObReferenceObjectByHandle
ZwOpenSection
ZwUnmapViewOfSection
IoFreeIrp
IoFreeMdl
MmUnlockPages
IoBuildAsynchronousFsdRequest
_allmul
IoBuildPartialMdl
IoAllocateMdl
IoAllocateIrp
_alldiv
MmMapLockedPagesSpecifyCache
KeTickCount
ExAllocatePoolWithTag
DbgPrint
ExFreePoolWithTag

hal

ExReleaseFastMutex
HalTranslateBusAddress
ExAcquireFastMutex

Sections

.text
Size: 11KB - Virtual size: 11KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 512B - Virtual size: 270B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 1024B - Virtual size: 1002B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 856B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
联想一键恢复(WINDOWS)/SAM16.DLL
联想一键恢复(WINDOWS)/SAM32.DLL
.dll windows:4 windows x86 arch:x86

7e1b5554f316f8be001b2cfa76c82cd9

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04/12/2003, 00:00

Not After

03/12/2008, 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2d:f6:a0:ea:04:ee:72:75:b1:e6:94:fd:22:69:23:aa
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

15/12/2006, 00:00

Not After

15/12/2007, 23:59

Subject

CN=Xi'an Saming Technology Co.\, Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Xi'an Saming Technology Co.\, Ltd.,ST=Shannxi,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0b:7d:d9:81:7a:d7:2c:c7:d5:33:95:9d:7d:7d:81:6d:25:ed:6a:66
Signer

Actual PE Digest

0b:7d:d9:81:7a:d7:2c:c7:d5:33:95:9d:7d:7d:81:6d:25:ed:6a:66

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GetModuleFileNameA
SMapLS_IP_EBP_8
ThunkConnect32
SUnMapLS_IP_EBP_24
SUnMapLS_IP_EBP_8
WideCharToMultiByte
GetEnvironmentStrings
GetCommandLineA
GetVersion
ExitProcess
TerminateProcess
GetCurrentProcess
HeapDestroy
HeapCreate
VirtualFree
HeapFree
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
SMapLS_IP_EBP_24
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetACP
GetOEMCP
GetEnvironmentStringsW
WriteFile
HeapAlloc
VirtualAlloc
HeapReAlloc
IsBadWritePtr
GetCPInfo
LCMapStringA
GetProcAddress
LoadLibraryA
MultiByteToWideChar
GetStringTypeW
LCMapStringW
GetStringTypeA
RtlUnwind
GetModuleFileNameA
SMapLS_IP_EBP_8
ThunkConnect32
SUnMapLS_IP_EBP_24
SUnMapLS_IP_EBP_8
WideCharToMultiByte
GetEnvironmentStrings
GetCommandLineA
GetVersion
ExitProcess
TerminateProcess
GetCurrentProcess
HeapDestroy
HeapCreate
VirtualFree
HeapFree
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
SMapLS_IP_EBP_24
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetACP
GetOEMCP
GetEnvironmentStringsW
WriteFile
HeapAlloc
VirtualAlloc
HeapReAlloc
IsBadWritePtr
GetCPInfo
LCMapStringA
GetProcAddress
LoadLibraryA
MultiByteToWideChar
GetStringTypeW
LCMapStringW
GetStringTypeA
RtlUnwind

user32

MessageBoxA

Exports

Exports

DisableNetAdapter
GetDiskInfo
readwriteblocktohd
samsys_ThunkData32

Sections

.text
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
联想一键恢复(WINDOWS)/SAMDISK.VXD
联想一键恢复(WINDOWS)/SAMSYS.vxd
联想一键恢复(WINDOWS)/SamIo.dll
.dll windows:4 windows x86 arch:x86

e51d8262e4adc5b4255220028a5e67d0

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04/12/2003, 00:00

Not After

03/12/2008, 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2d:f6:a0:ea:04:ee:72:75:b1:e6:94:fd:22:69:23:aa
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

15/12/2006, 00:00

Not After

15/12/2007, 23:59

Subject

CN=Xi'an Saming Technology Co.\, Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Xi'an Saming Technology Co.\, Ltd.,ST=Shannxi,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

19:89:49:07:e4:e3:6e:96:cf:a5:50:2c:54:5b:05:10:a4:02:9c:a0
Signer

Actual PE Digest

19:89:49:07:e4:e3:6e:96:cf:a5:50:2c:54:5b:05:10:a4:02:9c:a0

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GetVersionExA
GetProcAddress
GetCurrentProcess
CreateFileA
CloseHandle
DeviceIoControl
GetModuleHandleA
GetModuleFileNameA
GetLastError
GetCommandLineA
GetVersion
HeapFree
HeapAlloc
ExitProcess
TerminateProcess
GetCurrentThreadId
TlsSetValue
TlsAlloc
TlsFree
TlsGetValue
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
DeleteCriticalSection
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
HeapDestroy
HeapCreate
VirtualFree
WriteFile
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
VirtualAlloc
HeapReAlloc
GetCPInfo
GetACP
GetOEMCP
LoadLibraryA
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
RtlUnwind

advapi32

StartServiceA
OpenServiceA
DeleteService
OpenSCManagerA
CreateServiceA
CloseServiceHandle
ControlService

Exports

Exports

GetPhysLong
GetPortVal
InitializeWinIo
InstallWinIoDriver
MapPhysToLin
RemoveWinIoDriver
SetPhysLong
SetPortVal
ShutdownWinIo
UnmapPhysicalMemory
_GetPhysLong2@8
_MapPhysToLin2@12
_UnmapPhysicalMemory2@8

Sections

.text
Size: 16KB - Virtual size: 13KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 912B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
联想一键恢复(WINDOWS)/SamIo.sys
.sys windows:5 windows x86 arch:x86

172b54da983eaa27abf08d8ed525b840

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04/12/2003, 00:00

Not After

03/12/2008, 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2d:f6:a0:ea:04:ee:72:75:b1:e6:94:fd:22:69:23:aa
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

15/12/2006, 00:00

Not After

15/12/2007, 23:59

Subject

CN=Xi'an Saming Technology Co.\, Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Xi'an Saming Technology Co.\, Ltd.,ST=Shannxi,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

d9:ea:c4:5c:33:66:1b:88:52:b5:d9:52:ee:33:7b:d9:ac:f5:20:ae
Signer

Actual PE Digest

d9:ea:c4:5c:33:66:1b:88:52:b5:d9:52:ee:33:7b:d9:ac:f5:20:ae

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

ntoskrnl.exe

RtlInitUnicodeString
IoCreateDevice
MmAllocateNonCachedMemory
MmFreeNonCachedMemory
Ke386SetIoAccessMap
IoCreateSymbolicLink
IofCompleteRequest
Ke386IoSetAccessProcess
IoDeleteSymbolicLink
ZwClose
ZwMapViewOfSection
ObReferenceObjectByHandle
ZwOpenSection
ZwUnmapViewOfSection
IoDeleteDevice
IoGetCurrentProcess

hal

HalTranslateBusAddress

Sections

.text
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 192B - Virtual size: 164B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 32B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 544B - Virtual size: 536B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 128B - Virtual size: 108B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
联想一键恢复(WINDOWS)/SamPMon.sys
.sys windows:5 windows x86 arch:x86

7ab8db32af6f2461ef7d2355cec0cd8c

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04/12/2003, 00:00

Not After

03/12/2008, 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2d:f6:a0:ea:04:ee:72:75:b1:e6:94:fd:22:69:23:aa
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

15/12/2006, 00:00

Not After

15/12/2007, 23:59

Subject

CN=Xi'an Saming Technology Co.\, Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Xi'an Saming Technology Co.\, Ltd.,ST=Shannxi,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

fd:b6:45:10:c6:26:73:72:30:df:b0:eb:2a:02:cc:0d:47:93:1c:e8
Signer

Actual PE Digest

fd:b6:45:10:c6:26:73:72:30:df:b0:eb:2a:02:cc:0d:47:93:1c:e8

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

PDB Paths

F:\work2006\multiwin\pmonkern\objfre_wnet_x86\i386\sampmon.pdb

Imports

ntoskrnl.exe

strncmp
IoGetCurrentProcess
KeClearEvent
KeWaitForSingleObject
IoCreateNotificationEvent
RtlInitUnicodeString
KeInitializeEvent
KeSetPriorityThread
KeGetCurrentThread
IofCompleteRequest
KeSetEvent
PsLookupProcessByProcessId
PsSetCreateProcessNotifyRoutine
IoDeleteSymbolicLink
IoDeleteDevice
PsCreateSystemThread
IoCreateSymbolicLink
IoCreateDevice
KeTickCount

Sections

.text
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 512B - Virtual size: 195B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 20B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 1024B - Virtual size: 592B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 896B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 190B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
联想一键恢复(WINDOWS)/deldir
.exe windows:4 windows x86 arch:x86

6e0a1c5ba72d2f43a814e20800bed769

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04/12/2003, 00:00

Not After

03/12/2008, 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2d:f6:a0:ea:04:ee:72:75:b1:e6:94:fd:22:69:23:aa
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

15/12/2006, 00:00

Not After

15/12/2007, 23:59

Subject

CN=Xi'an Saming Technology Co.\, Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Xi'an Saming Technology Co.\, Ltd.,ST=Shannxi,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

23:3c:3a:7a:d7:ac:fa:09:53:0e:dd:96:e5:f3:53:a4:a4:7b:9f:5f
Signer

Actual PE Digest

23:3c:3a:7a:d7:ac:fa:09:53:0e:dd:96:e5:f3:53:a4:a4:7b:9f:5f

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

TerminateProcess
GetStartupInfoA
GetCommandLineA
HeapFree
HeapAlloc
RaiseException
HeapReAlloc
HeapSize
GetACP
GetTimeZoneInformation
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
HeapDestroy
ExitProcess
VirtualFree
VirtualAlloc
IsBadWritePtr
GetDriveTypeA
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
SetUnhandledExceptionFilter
IsBadReadPtr
IsBadCodePtr
SetStdHandle
CompareStringA
CompareStringW
SetEnvironmentVariableA
RtlUnwind
GetProfileStringA
GetFileTime
GetFileSize
GetFileAttributesA
GetTickCount
GetFullPathNameA
GetVolumeInformationA
SetEndOfFile
UnlockFile
LockFile
FlushFileBuffers
SetFilePointer
WriteFile
ReadFile
CreateFileA
GetCurrentProcess
DuplicateHandle
SetErrorMode
GetOEMCP
GetCPInfo
SizeofResource
GetThreadLocale
FileTimeToLocalFileTime
FileTimeToSystemTime
GetProcessVersion
GetCurrentDirectoryA
WritePrivateProfileStringA
GlobalFlags
lstrcpynA
TlsGetValue
LocalReAlloc
TlsSetValue
EnterCriticalSection
GlobalReAlloc
LeaveCriticalSection
TlsFree
GlobalHandle
DeleteCriticalSection
TlsAlloc
InitializeCriticalSection
LocalAlloc
MulDiv
LoadLibraryA
FreeLibrary
GetVersion
lstrcatA
GlobalGetAtomNameA
GlobalAddAtomA
GlobalFindAtomA
GetModuleHandleA
GetProcAddress
GlobalUnlock
FindResourceA
LoadResource
LockResource
GlobalFree
FormatMessageA
LocalFree
MultiByteToWideChar
WideCharToMultiByte
lstrlenA
InterlockedDecrement
InterlockedIncrement
FindNextFileA
lstrcpyA
FindFirstFileA
GetLastError
SetLastError
FindClose
CloseHandle
GetModuleFileNameA
GlobalLock
GlobalAlloc
GlobalDeleteAtom
lstrcmpA
lstrcmpiA
GetCurrentThread
GetCurrentThreadId
Sleep
DeleteFileA
HeapCreate
RemoveDirectoryA

user32

MessageBeep
InvalidateRect
CharUpperA
InflateRect
RegisterClipboardFormatA
PostThreadMessageA
AdjustWindowRectEx
ScreenToClient
CopyRect
GetTopWindow
IsChild
GetCapture
WinHelpA
wsprintfA
GetClassInfoA
RegisterClassA
GetMenu
GetMenuItemCount
GetSubMenu
GetMenuItemID
GetWindowTextLengthA
GetWindowTextA
GetDlgCtrlID
DefWindowProcA
CreateWindowExA
GetClassLongA
SetPropA
UnhookWindowsHookEx
GetPropA
CallWindowProcA
RemovePropA
GetMessageTime
GetMessagePos
GetNextDlgGroupItem
SetForegroundWindow
PtInRect
RegisterWindowMessageA
OffsetRect
IntersectRect
SystemParametersInfoA
GetWindowPlacement
GetWindowRect
EndDialog
SetActiveWindow
IsWindow
CreateDialogIndirectParamA
DestroyWindow
GetDlgItem
MapDialogRect
SetWindowPos
GetWindow
GetMenuCheckMarkDimensions
LoadBitmapA
GetMenuState
ModifyMenuA
SetMenuItemBitmaps
CheckMenuItem
EnableMenuItem
GetFocus
GetNextDlgTabItem
GetMessageA
TranslateMessage
DispatchMessageA
GetActiveWindow
GetKeyState
CallNextHookEx
ValidateRect
IsWindowVisible
PeekMessageA
GetCursorPos
LoadIconA
SendMessageA
UnregisterClassA
HideCaret
ShowCaret
ExcludeUpdateRgn
DrawFocusRect
SetWindowsHookExA
GetParent
GetLastActivePopup
IsWindowEnabled
GetWindowLongA
MessageBoxA
SetCursor
PostQuitMessage
PostMessageA
EnableWindow
IsIconic
GetSystemMetrics
SetRect
CopyAcceleratorTableA
CharNextA
GetSysColorBrush
GetForegroundWindow
GetClientRect
DrawIcon
DefDlgProcA
IsWindowUnicode
GetClassNameA
GetDesktopWindow
LoadCursorA
GrayStringA
DrawTextA
TabbedTextOutA
EndPaint
BeginPaint
GetWindowDC
ReleaseDC
GetDC
ClientToScreen
DestroyMenu
LoadStringA
ShowWindow
MoveWindow
SetWindowTextA
IsDialogMessageA
SetFocus
UpdateWindow
SetWindowContextHelpId
SendDlgItemMessageA
MapWindowPoints
SetWindowLongA
GetSysColor

gdi32

SetMapMode
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
SetWindowExtEx
ScaleWindowExtEx
IntersectClipRect
DeleteObject
GetDeviceCaps
GetViewportExtEx
GetWindowExtEx
CreateSolidBrush
PtVisible
RectVisible
TextOutA
ExtTextOutA
Escape
GetTextColor
GetBkColor
DPtoLP
LPtoDP
GetMapMode
PatBlt
SetBkMode
GetStockObject
SelectObject
RestoreDC
SaveDC
DeleteDC
GetObjectA
SetBkColor
SetTextColor
GetClipBox
CreateDIBitmap
GetTextExtentPointA
BitBlt
CreateCompatibleDC
CreateBitmap

comdlg32

GetFileTitleA

winspool.drv

ClosePrinter
DocumentPropertiesA
OpenPrinterA

advapi32

RegCloseKey
RegSetValueExA
RegOpenKeyExA
RegCreateKeyExA

comctl32

ord17

oledlg

ord8

ole32

CoFreeUnusedLibraries
OleInitialize
CoTaskMemAlloc
CoTaskMemFree
CreateILockBytesOnHGlobal
StgCreateDocfileOnILockBytes
StgOpenStorageOnILockBytes
CoGetClassObject
CLSIDFromString
CLSIDFromProgID
CoRegisterMessageFilter
CoRevokeClassObject
OleFlushClipboard
OleIsCurrentClipboard
OleUninitialize

olepro32

ord253

oleaut32

VariantTimeToSystemTime
SysAllocStringLen
SysFreeString
VariantCopy
VariantChangeType
SysAllocString
SysAllocStringByteLen
SysStringLen
VariantClear

Sections

.text
Size: 132KB - Virtual size: 130KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 36KB - Virtual size: 33KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 12KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
联想一键恢复(WINDOWS)/diskop.dll
.dll windows:4 windows x86 arch:x86

d372cb0a8aee3409b05503d1266827b0

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04/12/2003, 00:00

Not After

03/12/2008, 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2d:f6:a0:ea:04:ee:72:75:b1:e6:94:fd:22:69:23:aa
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

15/12/2006, 00:00

Not After

15/12/2007, 23:59

Subject

CN=Xi'an Saming Technology Co.\, Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Xi'an Saming Technology Co.\, Ltd.,ST=Shannxi,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

51:56:78:a1:94:38:8d:9a:97:36:61:3b:7d:d5:3f:17:bf:7c:8e:e3
Signer

Actual PE Digest

51:56:78:a1:94:38:8d:9a:97:36:61:3b:7d:d5:3f:17:bf:7c:8e:e3

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

windisk

ExRwLogicalDisk
ExFlushDisk
ExRWDisk
ExGetDiskInfo

mfc42

ord1200
ord1168
ord1253
ord342
ord823
ord1182
ord825
ord5572
ord2915
ord4278
ord800
ord858
ord5710
ord2763
ord926
ord4204
ord537
ord540
ord2614
ord533
ord5194
ord798
ord2818
ord924
ord6407
ord2808
ord1997
ord860
ord5683
ord4129

msvcrt

sprintf
__CxxFrameHandler
fclose
fopen
vsprintf
_except_handler3
?terminate@@YAXXZ
free
_initterm
malloc
_adjust_fdiv
__dllonexit
_onexit
_stricmp

kernel32

FormatMessageA
GetVersionExA
OutputDebugStringA
GetModuleFileNameA
GetFileSize
GetModuleHandleA
GetProcAddress
WaitForSingleObject
WideCharToMultiByte
GetShortPathNameA
GetLocalTime
GetDriveTypeA
GetLogicalDriveStringsA
GetLastError
DeviceIoControl
CreateFileA
CloseHandle

user32

wsprintfA
MessageBoxA

advapi32

RegCreateKeyExA
RegFlushKey
RegCloseKey
RegOpenKeyExA
RegQueryValueExA

Exports

Exports

??0CDiskIO@@QAE@H@Z
??0CExt@@QAE@ABV0@@Z
??0CExt@@QAE@PAVCDiskIO@@H@Z
??0CFAT16@@QAE@PAVCDiskIO@@H@Z
??0CFAT32@@QAE@PAVCDiskIO@@H@Z
??0CNTFS@@QAE@PAVCDiskIO@@H@Z
??0CNTpart@@QAE@PAVCDiskIO@@H@Z
??0CPartition@@QAE@PAVCDiskIO@@H@Z
??1CDiskIO@@QAE@XZ
??1CExt@@UAE@XZ
??1CFAT16@@QAE@XZ
??1CFAT32@@QAE@XZ
??1CNTFS@@QAE@XZ
??1CNTpart@@QAE@XZ
??1CPartition@@QAE@XZ
??4CDiskIO@@QAEAAV0@ABV0@@Z
??4CExt@@QAEAAV0@ABV0@@Z
??4CFAT16@@QAEAAV0@ABV0@@Z
??4CFAT32@@QAEAAV0@ABV0@@Z
??4CNTFS@@QAEAAV0@ABV0@@Z
??4CNTpart@@QAEAAV0@ABV0@@Z
??4CPartition@@QAEAAV0@ABV0@@Z
??_7CExt@@6B@
?CheckMFTFixup@CNTFS@@IAEKPAEK@Z
?ClusterVal@CFAT16@@QAEKK@Z
?ClusterVal@CFAT32@@QAEKK@Z
?ClusterVal@CNTFS@@QAEKK@Z
?ClusterVal@CNTpart@@QAEKK@Z
?ClusterVal@CPartition@@QAEKK@Z
?CreateContiFile@CFAT32@@QAEHPADKAAK@Z
?CreateSpecFile@CFAT32@@AAEHKKPADPAUFAT32SDirStr@@@Z
?DefragFile@CNTpart@@QAEHPADAAK@Z
?FindFile@CFAT32@@AAEHKPADPAUFAT32SDirStr@@@Z
?FindFreeBlock@CFAT32@@AAEKK@Z
?FindFreeBlock@CNTpart@@QAEKK@Z
?FlushDiskBuf@CFAT32@@QAEXXZ
?FlushDiskBuf@CNTpart@@QAEXXZ
?FreePtrMem@CNTFS@@AAEXXZ
?GetBlockUse@CExt@@QAEHI@Z
?GetDirRuns@CNTFS@@IAEKPAE0@Z
?GetFileRuns@CNTFS@@IAEKPAE0@Z
?GetLogicDriveInfo_98@CDiskIO@@QAEHEPAUDRIVE_MAP_INFO@@@Z
?GetLogicDriveInfo_Nt@CDiskIO@@QAEHDPAK0@Z
?GetMFTFileRuns@CNTFS@@IAEKAAUtag_MFTHEAD@@PAE@Z
?GetMFTHead@CNTFS@@IAEKPAUtag_MFTHEAD@@AA_K@Z
?GetMFTRecord@CNTFS@@IAEKPAEKPAD@Z
?GetNamefromMFTAttr@CNTFS@@IAEKPAEPADI@Z
?GetPartionStart@CDiskIO@@QAEHDAAK0@Z
?GetPartitionLetter@CDiskIO@@QAEXXZ
?GetPartitionNum@CDiskIO@@QAEHXZ
?GetPartitions@CDiskIO@@AAEHXZ
?GetRootFilePos@CFAT32@@QAEHPADPAKPAEI@Z
?GetRootFilePos@CNTFS@@QAEHPADPAKPAEI@Z
?GetRunsAllSize@CNTFS@@IAE_KPAEI@Z
?GetTotalSectors@CDiskIO@@QAEKXZ
?GetValidSectors@CFAT32@@QAEKXZ
?GetValidSectors@CNTpart@@QAEKXZ
?InitDiskInfo@CDiskIO@@QAEHXZ
?Initial@CExt@@QAEHXZ
?Initial@CFAT16@@QAEHXZ
?Initial@CFAT32@@QAEHXZ
?Initial@CNTFS@@QAEHXZ
?Initial@CNTpart@@QAEHXZ
?ListRootDirectory@CNTFS@@QAEKXZ
?MakeMemberFormRuns@CNTFS@@IAEXPAEAA_JAA_K@Z
?MoveCluster@CNTpart@@AAEHPAX_K1K@Z
?OpenVolume@CNTpart@@AAEHD@Z
?ParseExtendPartition@CDiskIO@@AAEEPAUSTRUCT_PARTITION@@EKE@Z
?ParseMasterPartition@CDiskIO@@AAEEPAUSTRUCT_PARTITION@@EKE@Z
?ReadCluster@CFAT32@@QAEKKGPAE@Z
?ReadDirRunstoMem@CNTFS@@IAEKPAE0@Z
?ReadSector@CDiskIO@@QAEKKGPAE@Z
?ReadSector@CPartition@@QAEKKGPAE@Z
?SearchFileFromRoot@CNTFS@@IAEKPADPAE@Z
?SearchRootDirectory@CNTFS@@IAEKXZ
?VerifyPartition@CDiskIO@@AAEHPAUSTRUCT_PARTITION@@KE@Z
?WriteCluster@CFAT32@@QAEKEKGPAE@Z
?WriteClusterVal@CFAT32@@QAEHKK@Z
?WriteSector@CDiskIO@@QAEKKGPAE@Z
?WriteSector@CPartition@@QAEKEKGPAE@Z

Sections

.text
Size: 24KB - Virtual size: 20KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 944B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
联想一键恢复(WINDOWS)/enc.dll
.dll windows:4 windows x86 arch:x86

11a34fbb95321a9cb8e4e4e0fd9ef7a9

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04/12/2003, 00:00

Not After

03/12/2008, 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2d:f6:a0:ea:04:ee:72:75:b1:e6:94:fd:22:69:23:aa
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

15/12/2006, 00:00

Not After

15/12/2007, 23:59

Subject

CN=Xi'an Saming Technology Co.\, Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Xi'an Saming Technology Co.\, Ltd.,ST=Shannxi,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

4c:a5:d6:14:b6:8c:dd:3d:90:7c:04:b3:c2:7b:75:50:4d:52:dd:9f
Signer

Actual PE Digest

4c:a5:d6:14:b6:8c:dd:3d:90:7c:04:b3:c2:7b:75:50:4d:52:dd:9f

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

HeapDestroy
GetVersion
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
ExitProcess
GetCPInfo
GetACP
GetOEMCP
WideCharToMultiByte
MultiByteToWideChar
LCMapStringA
LCMapStringW
TerminateProcess
GetCurrentProcess
GetCurrentThreadId
TlsSetValue
TlsAlloc
TlsFree
SetLastError
TlsGetValue
GetLastError
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
GetModuleFileNameA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
GetCommandLineA
HeapCreate
VirtualFree
HeapFree
WriteFile
SetFilePointer
InterlockedDecrement
InterlockedIncrement
HeapAlloc
GetStringTypeA
GetStringTypeW
RtlUnwind
VirtualAlloc
HeapReAlloc
GetProcAddress
LoadLibraryA
SetStdHandle
FlushFileBuffers
CloseHandle

Exports

Exports

_DesDecrypt@8
_DesEncrypt@8
_SplDecrypt@8
_SplEncrypt@8

Sections

.text
Size: 24KB - Virtual size: 21KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
联想一键恢复(WINDOWS)/eprom.dat
联想一键恢复(WINDOWS)/font.dat
联想一键恢复(WINDOWS)/graph.dat
联想一键恢复(WINDOWS)/graph.pic
联想一键恢复(WINDOWS)/hpaload.rom
联想一键恢复(WINDOWS)/language/bmp.ini
.ps1
联想一键恢复(WINDOWS)/language/image/INFO.ICO
联想一键恢复(WINDOWS)/language/image/MENULEFT.bmp
联想一键恢复(WINDOWS)/language/image/Thumbs.db
联想一键恢复(WINDOWS)/language/image/copy.bmp
联想一键恢复(WINDOWS)/language/image/last.bmp
联想一键恢复(WINDOWS)/language/image/license.bmp
联想一键恢复(WINDOWS)/language/image/option.bmp
联想一键恢复(WINDOWS)/language/image/reboot.bmp
联想一键恢复(WINDOWS)/language/image/t_left.bmp
联想一键恢复(WINDOWS)/language/image/t_operate.bmp
联想一键恢复(WINDOWS)/language/image/t_reboot.bmp
联想一键恢复(WINDOWS)/language/image/t_setting.bmp
联想一键恢复(WINDOWS)/language/image/t_uninsave.bmp
联想一键恢复(WINDOWS)/language/image/trayicon.ico
联想一键恢复(WINDOWS)/language/image/type.bmp
联想一键恢复(WINDOWS)/language/image/un-left.bmp
联想一键恢复(WINDOWS)/language/image/viewset.bmp
联想一键恢复(WINDOWS)/language/license.txt
联想一键恢复(WINDOWS)/language/string.ini
.ps1
联想一键恢复(WINDOWS)/loadtray.exe
.exe windows:4 windows x86 arch:x86

a52a4fa205346be7d42818a0fd8e74ef

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04/12/2003, 00:00

Not After

03/12/2008, 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2d:f6:a0:ea:04:ee:72:75:b1:e6:94:fd:22:69:23:aa
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

15/12/2006, 00:00

Not After

15/12/2007, 23:59

Subject

CN=Xi'an Saming Technology Co.\, Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Xi'an Saming Technology Co.\, Ltd.,ST=Shannxi,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

56:5f:a6:40:51:be:78:1d:7e:fa:e2:cc:c5:8b:3a:97:59:44:ee:4a
Signer

Actual PE Digest

56:5f:a6:40:51:be:78:1d:7e:fa:e2:cc:c5:8b:3a:97:59:44:ee:4a

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

mfc42

ord4441
ord2648
ord2055
ord6376
ord3749
ord5065
ord1727
ord5261
ord2446
ord2124
ord5277
ord4627
ord4425
ord3597
ord324
ord641
ord4234
ord1168
ord540
ord2379
ord755
ord470
ord537
ord4424
ord4129
ord5683
ord860
ord4837
ord2614
ord4622
ord4080
ord3079
ord3825
ord3831
ord3830
ord2976
ord3081
ord2985
ord3262
ord3136
ord4465
ord3259
ord3147
ord2982
ord5714
ord5289
ord5307
ord4698
ord4079
ord2725
ord5302
ord5300
ord3346
ord2396
ord3798
ord5280
ord4353
ord6374
ord5163
ord2385
ord5241
ord4407
ord1775
ord4078
ord6052
ord2514
ord4710
ord4998
ord4853
ord4376
ord5265
ord1134
ord2621
ord924
ord800
ord815
ord825
ord561
ord1200
ord3738
ord5199
ord1089
ord3922
ord5731
ord2512
ord2554
ord4486
ord6375
ord4274
ord858
ord4673
ord1576

msvcrt

_setmbcp
__CxxFrameHandler
_except_handler3
__dllonexit
_controlfp
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
exit
_XcptFilter
_exit
_onexit

kernel32

GetModuleHandleA
GetVersionExA
GetModuleFileNameA
GetStartupInfoA

user32

DrawIcon
GetClientRect
SendMessageA
IsIconic
EnableWindow
GetSystemMetrics

advapi32

RegCloseKey
RegFlushKey
RegCreateKeyExA
RegOpenKeyExA
RegQueryValueExA

shell32

ShellExecuteA

Sections

.text
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 372B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
联想一键恢复(WINDOWS)/mfc42.dll
.dll regsvr32 windows:4 windows x86 arch:x86

f9a6d48b4db89541699313524a5cdd4a

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04/12/2003, 00:00

Not After

03/12/2008, 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2d:f6:a0:ea:04:ee:72:75:b1:e6:94:fd:22:69:23:aa
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

15/12/2006, 00:00

Not After

15/12/2007, 23:59

Subject

CN=Xi'an Saming Technology Co.\, Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Xi'an Saming Technology Co.\, Ltd.,ST=Shannxi,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

3d:ff:30:58:2b:fa:f4:89:f3:e3:e6:d3:c1:d1:70:14:00:71:d3:d0
Signer

Actual PE Digest

3d:ff:30:58:2b:fa:f4:89:f3:e3:e6:d3:c1:d1:70:14:00:71:d3:d0

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

msvcrt

_initterm
?terminate@@YAXXZ
_except_handler3
_adjust_fdiv
_onexit
__dllonexit
??1type_info@@UAE@XZ
_mbsnbicmp
wcsncpy
wcscpy
_ltoa
_ultoa
swprintf
_itoa
modf
ceil
fabs
floor
labs
_ftol
_splitpath
_fullpath
atol
__p___argc
__CxxFrameHandler
memcpy
__p___argv
_beginthreadex
_endthreadex
_strdup
_mbsdec
_expand
strtod
strtol
strtoul
abs
calloc
_msize
_purecall
strftime
_mbctype
localtime
time
mktime
_ismbcspace
atoi
_ismbcdigit
_mbsnbcmp
sprintf
strlen
_mbclen
vsprintf
_mbsrchr
_mbscspn
_mbsspn
_mbsstr
_mbsrev
_mbslwr
_mbsupr
_mbspbrk
_mbschr
wcslen
_mbscmp
realloc
fclose
fflush
fseek
ftell
fgets
fputs
fwrite
fread
clearerr
_open_osfhandle
_fdopen
__doserrno
_get_osfhandle
memset
_mbsinc
abort
free
malloc
memcmp
memmove
gmtime
_CxxThrowException
strcpy
strcmp

kernel32

lstrcpyA
FindFirstFileA
GetVolumeInformationA
MultiByteToWideChar
FindClose
GetThreadLocale
lstrcmpiA
GetShortPathNameA
GetModuleFileNameA
GlobalSize
GlobalLock
GlobalAlloc
GlobalReAlloc
GlobalUnlock
GlobalFree
GetFileAttributesA
GetFileSize
GetFileTime
LocalFileTimeToFileTime
SystemTimeToFileTime
SetFileTime
SetFileAttributesA
InterlockedIncrement
InterlockedDecrement
WideCharToMultiByte
LocalFree
FormatMessageA
FileTimeToSystemTime
FileTimeToLocalFileTime
GetCPInfo
GetOEMCP
LocalAlloc
InitializeCriticalSection
TlsAlloc
DeleteCriticalSection
GlobalHandle
TlsFree
LeaveCriticalSection
EnterCriticalSection
TlsSetValue
LocalReAlloc
TlsGetValue
WaitForSingleObject
CreateSemaphoreA
DeleteFileA
LoadLibraryA
ReleaseMutex
CreateEventA
InterlockedExchange
GetModuleHandleA
GlobalDeleteAtom
GlobalFindAtomA
GlobalAddAtomA
GlobalGetAtomNameA
GetCurrentThreadId
lstrcatA
GetVersion
LockResource
LoadResource
FindResourceA
FreeLibrary
MulDiv
GetProfileIntA
VirtualProtect
FindResourceExA
SizeofResource
GetProcessVersion
GlobalFlags
GetTempFileNameA
GetDiskFreeSpaceA
LocalUnlock
LocalLock
GetTempPathA
SearchPathA
SetEvent
ResumeThread
SetThreadPriority
SuspendThread
GetCurrentThread
SetErrorMode
GetPrivateProfileIntA
GetPrivateProfileStringA
WritePrivateProfileStringA
GetCurrentDirectoryA
FindNextFileA
GetTickCount
lstrlenW
CopyFileA
lstrcpyW
GetUserDefaultLCID
IsDBCSLeadByte
GetSystemDirectoryA
GetProcAddress
UnlockFile
MoveFileA
SetEndOfFile
FlushFileBuffers
LockFile
CloseHandle
ReadFile
SetFilePointer
WriteFile
DuplicateHandle
CreateFileA
GetCurrentProcess
lstrlenA
lstrcmpA
OutputDebugStringA
IsBadStringPtrA
IsBadReadPtr
IsBadWritePtr
GetLastError
IsBadStringPtrW
lstrcpynA
ReleaseSemaphore
SetLastError
CreateMutexA
GetFullPathNameA
GetStringTypeExA
WaitForMultipleObjects
RaiseException

gdi32

CreatePen
CreatePatternBrush
GetPolyFillMode
EnumFontFamiliesA
GetPixel
CreatePalette
GetPaletteEntries
RealizePalette
OffsetRgn
SetBrushOrgEx
CreateMetaFileA
CopyMetaFileA
LPtoDP
SetAbortProc
StartPage
EndPage
EndDoc
AbortDoc
DPtoLP
CombineRgn
SetRectRgn
GetMapMode
CreateDIBPatternBrushPt
CreateHatchBrush
ExtCreatePen
PlayMetaFile
EnumMetaFile
GetObjectType
PlayMetaFileRecord
ExtSelectClipRgn
SelectClipPath
CreateRectRgn
GetClipRgn
PolyBezierTo
SetColorAdjustment
PolylineTo
PolyDraw
SetArcDirection
ArcTo
SetMapperFlags
SetTextCharacterExtra
SetTextJustification
SetTextAlign
LineTo
OffsetClipRgn
ExcludeClipRect
SelectClipRgn
OffsetWindowOrgEx
SetStretchBltMode
SetROP2
SetPolyFillMode
SetBkMode
SelectPalette
StartDocA
EnumFontFamiliesExA
CreateDCA
CreateRectRgnIndirect
Rectangle
UnrealizeObject
PatBlt
CreateBitmap
TextOutA
CloseMetaFile
DeleteMetaFile
RectVisible
PtVisible
IntersectClipRect
GetViewportOrgEx
GetWindowOrgEx
SetWindowOrgEx
GetDeviceCaps
Escape
GetCurrentPositionEx
MoveToEx
ScaleWindowExtEx
SetWindowExtEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
SetMapMode
GetTextFaceA
GetWindowExtEx
GetViewportExtEx
GetROP2
GetBkMode
GetNearestColor
GetBkColor
GetTextColor
SaveDC
GetStockObject
RestoreDC
GetCharWidthA
DeleteObject
CreateFontA
StretchDIBits
DeleteDC
CreateCompatibleBitmap
GetTextExtentPoint32A
ExtTextOutA
CreateSolidBrush
BitBlt
CreateFontIndirectA
CreateCompatibleDC
GetTextMetricsA
GetObjectA
SelectObject
SetTextColor
GetClipBox
SetBkColor
GetStretchBltMode
GetTextAlign

user32

SetCapture
UnhookWindowsHookEx
MsgWaitForMultipleObjects
GetWindowRect
GetWindowPlacement
IsIconic
SystemParametersInfoA
IntersectRect
OffsetRect
RegisterWindowMessageA
SetWindowPos
SetWindowLongA
GetWindowLongA
GetWindow
SendMessageA
SetForegroundWindow
GetForegroundWindow
GetLastActivePopup
GetMessagePos
GetMessageTime
DefWindowProcA
RemovePropA
CallWindowProcA
GetPropA
SetPropA
GetClassLongA
CallNextHookEx
SetWindowsHookExA
CreateWindowExA
DestroyWindow
GetKeyState
GetDlgCtrlID
GetWindowTextA
GetWindowTextLengthA
GetDlgItem
SetWindowPlacement
TrackPopupMenu
GetMenuItemID
GetSubMenu
GetMenuItemCount
GetMenu
RegisterClassA
GetClassInfoA
WinHelpA
GetCapture
GetParent
IsChild
MessageBoxA
GetTopWindow
SetScrollPos
GetScrollPos
SetScrollRange
EnableWindow
GetScrollRange
ShowScrollBar
SetScrollInfo
GetScrollInfo
ScrollWindow
IsWindowVisible
EndDeferWindowPos
CopyRect
BeginDeferWindowPos
GetClientRect
DeferWindowPos
EqualRect
ScreenToClient
AdjustWindowRectEx
SetFocus
IsWindow
SetActiveWindow
GetFocus
DispatchMessageA
PeekMessageA
GetSysColor
MapWindowPoints
SendDlgItemMessageA
UpdateWindow
PostMessageA
LoadIconA
SetRectEmpty
LoadAcceleratorsA
TranslateAcceleratorA
ReleaseCapture
SetCursor
IsWindowEnabled
GetDesktopWindow
ShowWindow
GetActiveWindow
DestroyMenu
LoadMenuA
SetMenu
ReuseDDElParam
UnpackDDElParam
InvalidateRect
BringWindowToTop
CharToOemA
OemToCharA
GetSystemMetrics
GetCursorPos
GetWindowThreadProcessId
WindowFromPoint
ClientToScreen
TranslateMessage
GetMessageA
DefFrameProcA
TranslateMDISysAccel
DrawMenuBar
DefMDIChildProcA
RedrawWindow
LoadBitmapA
InflateRect
PtInRect
ReleaseDC
InvertRect
GetWindowDC
FillRect
SetTimer
KillTimer
SetRect
GetDC
IsZoomed
SetParent
IsRectEmpty
AppendMenuA
DeleteMenu
GetSystemMenu
GetDCEx
LockWindowUpdate
GetTabbedTextExtentA
DrawTextA
GrayStringA
UnionRect
DrawFocusRect
CreateDialogIndirectParamA
EndDialog
GetNextDlgTabItem
wvsprintfA
GetAsyncKeyState
MapDialogRect
GetDialogBaseUnits
BeginPaint
EndPaint
TabbedTextOutA
GetSysColorBrush
GetClassNameA
SetWindowTextA
CheckDlgButton
CheckRadioButton
GetDlgItemInt
GetDlgItemTextA
SetDlgItemInt
SetDlgItemTextA
IsDlgButtonChecked
ScrollWindowEx
IsDialogMessageA
MoveWindow
EnableMenuItem
CheckMenuItem
SetMenuItemBitmaps
ModifyMenuA
GetMenuState
GetMenuCheckMarkDimensions
DestroyIcon
SetCursorPos
DestroyCursor
FindWindowA
IsClipboardFormatAvailable
MessageBeep
RemoveMenu
ValidateRect
PostQuitMessage
UnregisterClassA
ShowOwnedPopups
InsertMenuA
GetMenuStringA
RegisterClipboardFormatA
CopyAcceleratorTableA
InSendMessage
PostThreadMessageA
CreateMenu
WindowFromDC
CountClipboardFormats
SetWindowContextHelpId
CharNextA
GetNextDlgGroupItem
ClipCursor
DrawEdge
EnumChildWindows
InvalidateRgn
FrameRect
LoadStringA
LoadCursorA
WaitMessage
CharUpperA
wsprintfA

Exports

Exports

?classCCachedDataPathProperty@CCachedDataPathProperty@@2UCRuntimeClass@@B
?classCDataPathProperty@CDataPathProperty@@2UCRuntimeClass@@B
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 624KB - Virtual size: 620KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 224KB - Virtual size: 221KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 28KB - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 44KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 68KB - Virtual size: 67KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
联想一键恢复(WINDOWS)/msvcp60.dll
.dll windows:4 windows x86 arch:x86

1b1839992700df52b049b87961a724e3

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04/12/2003, 00:00

Not After

03/12/2008, 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2d:f6:a0:ea:04:ee:72:75:b1:e6:94:fd:22:69:23:aa
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

15/12/2006, 00:00

Not After

15/12/2007, 23:59

Subject

CN=Xi'an Saming Technology Co.\, Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Xi'an Saming Technology Co.\, Ltd.,ST=Shannxi,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

d9:5b:3e:94:b0:c5:07:74:60:65:20:a9:3b:96:64:2a:03:3f:53:d0
Signer

Actual PE Digest

d9:5b:3e:94:b0:c5:07:74:60:65:20:a9:3b:96:64:2a:03:3f:53:d0

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

msvcrt

memmove
__CxxFrameHandler
free
localeconv
_Gettnames
_Getdays
_Getmonths
__mb_cur_max
atan2
cos
exp
ldexp
log
pow
sin
sqrt
??2@YAPAXI@Z
strtoul
_errno
strtol
sprintf
strcspn
fclose
fwrite
fputc
ungetc
fgetc
fgetpos
fseek
fsetpos
setvbuf
memchr
memset
ungetwc
fgetwc
_Strftime
fopen
_iob
setlocale
malloc
realloc
__crtCompareStringA
__lc_collate_cp
_unlock
__lc_handle
_lock
__setlc_active
__unguarded_readlc_active
__crtLCMapStringA
__lc_codepage
towlower
towupper
strcmp
_pctype
_isctype
_ftol
strtod
??1type_info@@UAE@XZ
_except_handler3
?terminate@@YAXXZ
__dllonexit
_onexit
_initterm
_adjust_fdiv
memcmp
memcpy
strlen
_CxxThrowException
wcslen
??4exception@@QAEAAV0@ABV0@@Z
??0exception@@QAE@ABQBD@Z
??0exception@@QAE@ABV0@@Z
??1exception@@UAE@XZ
fflush
?what@exception@@UBEPBDXZ
fputwc

kernel32

DisableThreadLibraryCalls
MultiByteToWideChar
DeleteCriticalSection
InterlockedExchange
LeaveCriticalSection
Sleep
EnterCriticalSection
InitializeCriticalSection
InterlockedIncrement
InterlockedDecrement
WideCharToMultiByte

Exports

Exports

??0?$_Complex_base@M@std@@QAE@ABM0@Z
??0?$_Complex_base@N@std@@QAE@ABN0@Z
??0?$_Complex_base@O@std@@QAE@ABO0@Z
??0?$_Mpunct@D@std@@QAE@ABV_Locinfo@1@I_N@Z
??0?$_Mpunct@D@std@@QAE@I_N@Z
??0?$_Mpunct@G@std@@QAE@ABV_Locinfo@1@I_N@Z
??0?$_Mpunct@G@std@@QAE@I_N@Z
??0?$basic_filebuf@DU?$char_traits@D@std@@@std@@QAE@ABV01@@Z
??0?$basic_filebuf@DU?$char_traits@D@std@@@std@@QAE@PAU_iobuf@@@Z
??0?$basic_filebuf@DU?$char_traits@D@std@@@std@@QAE@W4_Uninitialized@1@@Z
??0?$basic_filebuf@GU?$char_traits@G@std@@@std@@QAE@ABV01@@Z
??0?$basic_filebuf@GU?$char_traits@G@std@@@std@@QAE@PAU_iobuf@@@Z
??0?$basic_filebuf@GU?$char_traits@G@std@@@std@@QAE@W4_Uninitialized@1@@Z
??0?$basic_fstream@DU?$char_traits@D@std@@@std@@QAE@ABV01@@Z
??0?$basic_fstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z
??0?$basic_fstream@DU?$char_traits@D@std@@@std@@QAE@XZ
??0?$basic_fstream@GU?$char_traits@G@std@@@std@@QAE@ABV01@@Z
??0?$basic_fstream@GU?$char_traits@G@std@@@std@@QAE@PBDH@Z
??0?$basic_fstream@GU?$char_traits@G@std@@@std@@QAE@XZ
??0?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAE@ABV01@@Z
??0?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z
??0?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAE@XZ
??0?$basic_ifstream@GU?$char_traits@G@std@@@std@@QAE@ABV01@@Z
??0?$basic_ifstream@GU?$char_traits@G@std@@@std@@QAE@PBDH@Z
??0?$basic_ifstream@GU?$char_traits@G@std@@@std@@QAE@XZ
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ
??0?$basic_ios@DU?$char_traits@D@std@@@std@@QAE@ABV01@@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??0?$basic_ios@GU?$char_traits@G@std@@@std@@IAE@XZ
??0?$basic_ios@GU?$char_traits@G@std@@@std@@QAE@ABV01@@Z
??0?$basic_ios@GU?$char_traits@G@std@@@std@@QAE@PAV?$basic_streambuf@GU?$char_traits@G@std@@@1@@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@ABV01@@Z
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??0?$basic_iostream@GU?$char_traits@G@std@@@std@@QAE@ABV01@@Z
??0?$basic_iostream@GU?$char_traits@G@std@@@std@@QAE@PAV?$basic_streambuf@GU?$char_traits@G@std@@@1@@Z
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@ABV01@@Z
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@W4_Uninitialized@1@@Z
??0?$basic_istream@GU?$char_traits@G@std@@@std@@QAE@ABV01@@Z
??0?$basic_istream@GU?$char_traits@G@std@@@std@@QAE@PAV?$basic_streambuf@GU?$char_traits@G@std@@@1@_N@Z
??0?$basic_istream@GU?$char_traits@G@std@@@std@@QAE@W4_Uninitialized@1@@Z
??0?$basic_istringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??0?$basic_istringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@H@Z
??0?$basic_istringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@H@Z
??0?$basic_istringstream@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z
??0?$basic_istringstream@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@1@H@Z
??0?$basic_istringstream@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@H@Z
??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@ABV01@@Z
??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z
??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@XZ
??0?$basic_ofstream@GU?$char_traits@G@std@@@std@@QAE@ABV01@@Z
??0?$basic_ofstream@GU?$char_traits@G@std@@@std@@QAE@PBDH@Z
??0?$basic_ofstream@GU?$char_traits@G@std@@@std@@QAE@XZ
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@ABV01@@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N1@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@W4_Uninitialized@1@@Z
??0?$basic_ostream@GU?$char_traits@G@std@@@std@@QAE@ABV01@@Z
??0?$basic_ostream@GU?$char_traits@G@std@@@std@@QAE@PAV?$basic_streambuf@GU?$char_traits@G@std@@@1@_N1@Z
??0?$basic_ostream@GU?$char_traits@G@std@@@std@@QAE@W4_Uninitialized@1@@Z
??0?$basic_ostringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??0?$basic_ostringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@H@Z
??0?$basic_ostringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@H@Z
??0?$basic_ostringstream@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z
??0?$basic_ostringstream@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@1@H@Z
??0?$basic_ostringstream@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@H@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@W4_Uninitialized@1@@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE@ABV01@@Z
??0?$basic_streambuf@GU?$char_traits@G@std@@@std@@IAE@W4_Uninitialized@1@@Z
??0?$basic_streambuf@GU?$char_traits@G@std@@@std@@IAE@XZ
??0?$basic_streambuf@GU?$char_traits@G@std@@@std@@QAE@ABV01@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@IIABV?$allocator@D@1@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBD0ABV?$allocator@D@1@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@IIABV?$allocator@G@1@@Z
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$allocator@G@1@@Z
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@IGABV?$allocator@G@1@@Z
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBG0ABV?$allocator@G@1@@Z
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z
??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGIABV?$allocator@G@1@@Z
??0?$basic_stringbuf@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??0?$basic_stringbuf@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@H@Z
??0?$basic_stringbuf@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@H@Z
??0?$basic_stringbuf@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z
??0?$basic_stringbuf@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@1@H@Z
??0?$basic_stringbuf@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@H@Z
??0?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??0?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@H@Z
??0?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@H@Z
??0?$basic_stringstream@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z
??0?$basic_stringstream@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@1@H@Z
??0?$basic_stringstream@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@H@Z
??0?$codecvt@DDH@std@@QAE@ABV_Locinfo@1@I@Z
??0?$codecvt@DDH@std@@QAE@I@Z
??0?$codecvt@GDH@std@@QAE@ABV_Locinfo@1@I@Z
??0?$codecvt@GDH@std@@QAE@I@Z
??0?$collate@D@std@@QAE@ABV_Locinfo@1@I@Z
??0?$collate@D@std@@QAE@I@Z
??0?$collate@G@std@@QAE@ABV_Locinfo@1@I@Z
??0?$collate@G@std@@QAE@I@Z
??0?$complex@M@std@@QAE@ABM0@Z
??0?$complex@M@std@@QAE@ABV?$complex@N@1@@Z
??0?$complex@M@std@@QAE@ABV?$complex@O@1@@Z
??0?$complex@N@std@@QAE@ABN0@Z
??0?$complex@N@std@@QAE@ABV?$complex@M@1@@Z
??0?$complex@N@std@@QAE@ABV?$complex@O@1@@Z
??0?$complex@O@std@@QAE@ABO0@Z
??0?$complex@O@std@@QAE@ABV?$complex@M@1@@Z
??0?$complex@O@std@@QAE@ABV?$complex@N@1@@Z
??0?$ctype@D@std@@QAE@ABV_Locinfo@1@I@Z
??0?$ctype@D@std@@QAE@PBF_NI@Z
??0?$ctype@G@std@@QAE@ABV_Locinfo@1@I@Z
??0?$ctype@G@std@@QAE@I@Z
??0?$messages@D@std@@QAE@ABV_Locinfo@1@I@Z
??0?$messages@D@std@@QAE@I@Z
??0?$messages@G@std@@QAE@ABV_Locinfo@1@I@Z
??0?$messages@G@std@@QAE@I@Z
??0?$money_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@QAE@ABV_Locinfo@1@I@Z
??0?$money_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@QAE@I@Z
??0?$money_get@GV?$istreambuf_iterator@GU?$char_traits@G@std@@@std@@@std@@QAE@ABV_Locinfo@1@I@Z
??0?$money_get@GV?$istreambuf_iterator@GU?$char_traits@G@std@@@std@@@std@@QAE@I@Z
??0?$money_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@QAE@ABV_Locinfo@1@I@Z
??0?$money_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@QAE@I@Z
??0?$money_put@GV?$ostreambuf_iterator@GU?$char_traits@G@std@@@std@@@std@@QAE@ABV_Locinfo@1@I@Z
??0?$money_put@GV?$ostreambuf_iterator@GU?$char_traits@G@std@@@std@@@std@@QAE@I@Z
??0?$moneypunct@D$00@std@@QAE@ABV_Locinfo@1@I@Z
??0?$moneypunct@D$00@std@@QAE@I@Z
??0?$moneypunct@D$0A@@std@@QAE@ABV_Locinfo@1@I@Z
??0?$moneypunct@D$0A@@std@@QAE@I@Z
??0?$moneypunct@G$00@std@@QAE@ABV_Locinfo@1@I@Z
??0?$moneypunct@G$00@std@@QAE@I@Z
??0?$moneypunct@G$0A@@std@@QAE@ABV_Locinfo@1@I@Z
??0?$moneypunct@G$0A@@std@@QAE@I@Z
??0?$num_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@QAE@ABV_Locinfo@1@I@Z
??0?$num_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@QAE@I@Z
??0?$num_get@GV?$istreambuf_iterator@GU?$char_traits@G@std@@@std@@@std@@QAE@ABV_Locinfo@1@I@Z
??0?$num_get@GV?$istreambuf_iterator@GU?$char_traits@G@std@@@std@@@std@@QAE@I@Z
??0?$num_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@QAE@ABV_Locinfo@1@I@Z
??0?$num_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@QAE@I@Z
??0?$num_put@GV?$ostreambuf_iterator@GU?$char_traits@G@std@@@std@@@std@@QAE@ABV_Locinfo@1@I@Z
??0?$num_put@GV?$ostreambuf_iterator@GU?$char_traits@G@std@@@std@@@std@@QAE@I@Z
??0?$numpunct@D@std@@QAE@ABV_Locinfo@1@I@Z
??0?$numpunct@D@std@@QAE@I@Z
??0?$numpunct@G@std@@QAE@ABV_Locinfo@1@I@Z
??0?$numpunct@G@std@@QAE@I@Z
??0?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@QAE@ABV_Locinfo@1@I@Z
??0?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@QAE@I@Z
??0?$time_get@GV?$istreambuf_iterator@GU?$char_traits@G@std@@@std@@@std@@QAE@ABV_Locinfo@1@I@Z
??0?$time_get@GV?$istreambuf_iterator@GU?$char_traits@G@std@@@std@@@std@@QAE@I@Z
??0?$time_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@QAE@ABV_Locinfo@1@I@Z
??0?$time_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@QAE@I@Z
??0?$time_put@GV?$ostreambuf_iterator@GU?$char_traits@G@std@@@std@@@std@@QAE@ABV_Locinfo@1@I@Z
??0?$time_put@GV?$ostreambuf_iterator@GU?$char_traits@G@std@@@std@@@std@@QAE@I@Z
??0Init@ios_base@std@@QAE@XZ
??0_Locinfo@std@@QAE@ABV01@@Z
??0_Locinfo@std@@QAE@HPBD@Z
??0_Locinfo@std@@QAE@PBD@Z
??0_Lockit@std@@QAE@XZ
??0_Timevec@std@@QAE@ABV01@@Z
??0_Timevec@std@@QAE@PAX@Z
??0_Winit@std@@QAE@XZ
??0__non_rtti_object@std@@QAE@ABV01@@Z
??0__non_rtti_object@std@@QAE@PBD@Z
??0bad_alloc@std@@QAE@ABV01@@Z
??0bad_alloc@std@@QAE@PBD@Z
??0bad_cast@std@@QAE@ABV01@@Z
??0bad_cast@std@@QAE@PBD@Z
??0bad_exception@std@@QAE@ABV01@@Z
??0bad_exception@std@@QAE@PBD@Z
??0bad_typeid@std@@QAE@ABV01@@Z
??0bad_typeid@std@@QAE@PBD@Z
??0codecvt_base@std@@QAE@I@Z
??0ctype_base@std@@QAE@I@Z
??0domain_error@std@@QAE@ABV01@@Z
??0domain_error@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z
??0facet@locale@std@@IAE@I@Z
??0ios_base@std@@IAE@XZ
??0ios_base@std@@QAE@ABV01@@Z
??0length_error@std@@QAE@ABV01@@Z
??0length_error@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z
??0locale@std@@AAE@PAV_Locimp@01@@Z
??0locale@std@@QAE@ABV01@0H@Z
??0locale@std@@QAE@ABV01@@Z
??0locale@std@@QAE@ABV01@PBDH@Z
??0locale@std@@QAE@PBDH@Z
??0locale@std@@QAE@W4_Uninitialized@1@@Z
??0locale@std@@QAE@XZ
??0logic_error@std@@QAE@ABV01@@Z
??0logic_error@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z
??0messages_base@std@@QAE@I@Z
??0money_base@std@@QAE@I@Z
??0ostrstream@std@@QAE@PADHH@Z
??0out_of_range@std@@QAE@ABV01@@Z
??0out_of_range@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z
??0overflow_error@std@@QAE@ABV01@@Z
??0overflow_error@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z
??0range_error@std@@QAE@ABV01@@Z
??0range_error@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z
??0runtime_error@std@@QAE@ABV01@@Z
??0runtime_error@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z
??0strstream@std@@QAE@PADHH@Z
??0time_base@std@@QAE@I@Z
??0underflow_error@std@@QAE@ABV01@@Z
??0underflow_error@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z
??1?$_Mpunct@D@std@@UAE@XZ
??1?$_Mpunct@G@std@@UAE@XZ
??1?$basic_filebuf@DU?$char_traits@D@std@@@std@@UAE@XZ
??1?$basic_filebuf@GU?$char_traits@G@std@@@std@@UAE@XZ
??1?$basic_fstream@DU?$char_traits@D@std@@@std@@UAE@XZ
??1?$basic_fstream@GU?$char_traits@G@std@@@std@@UAE@XZ
??1?$basic_ifstream@DU?$char_traits@D@std@@@std@@UAE@XZ
??1?$basic_ifstream@GU?$char_traits@G@std@@@std@@UAE@XZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ
??1?$basic_ios@GU?$char_traits@G@std@@@std@@UAE@XZ
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ
??1?$basic_iostream@GU?$char_traits@G@std@@@std@@UAE@XZ
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UAE@XZ
??1?$basic_istream@GU?$char_traits@G@std@@@std@@UAE@XZ
??1?$basic_istringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@UAE@XZ
??1?$basic_istringstream@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@UAE@XZ
??1?$basic_ofstream@DU?$char_traits@D@std@@@std@@UAE@XZ
??1?$basic_ofstream@GU?$char_traits@G@std@@@std@@UAE@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UAE@XZ
??1?$basic_ostream@GU?$char_traits@G@std@@@std@@UAE@XZ
??1?$basic_ostringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@UAE@XZ
??1?$basic_ostringstream@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@UAE@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ
??1?$basic_streambuf@GU?$char_traits@G@std@@@std@@UAE@XZ
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ
??1?$basic_stringbuf@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@UAE@XZ
??1?$basic_stringbuf@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@UAE@XZ
??1?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@UAE@XZ
??1?$basic_stringstream@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@UAE@XZ
??1?$codecvt@DDH@std@@UAE@XZ
??1?$codecvt@GDH@std@@UAE@XZ
??1?$collate@D@std@@UAE@XZ
??1?$collate@G@std@@UAE@XZ
??1?$ctype@D@std@@UAE@XZ
??1?$ctype@G@std@@UAE@XZ
??1?$messages@D@std@@UAE@XZ
??1?$messages@G@std@@UAE@XZ
??1?$money_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@UAE@XZ
??1?$money_get@GV?$istreambuf_iterator@GU?$char_traits@G@std@@@std@@@std@@UAE@XZ
??1?$money_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@UAE@XZ
??1?$money_put@GV?$ostreambuf_iterator@GU?$char_traits@G@std@@@std@@@std@@UAE@XZ
??1?$moneypunct@D$00@std@@UAE@XZ
??1?$moneypunct@D$0A@@std@@UAE@XZ
??1?$moneypunct@G$00@std@@UAE@XZ
??1?$moneypunct@G$0A@@std@@UAE@XZ
??1?$num_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@UAE@XZ
??1?$num_get@GV?$istreambuf_iterator@GU?$char_traits@G@std@@@std@@@std@@UAE@XZ
??1?$num_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@UAE@XZ
??1?$num_put@GV?$ostreambuf_iterator@GU?$char_traits@G@std@@@std@@@std@@UAE@XZ
??1?$numpunct@D@std@@UAE@XZ
??1?$numpunct@G@std@@UAE@XZ
??1?$time_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@UAE@XZ
??1?$time_get@GV?$istreambuf_iterator@GU?$char_traits@G@std@@@std@@@std@@UAE@XZ
??1?$time_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@UAE@XZ
??1?$time_put@GV?$ostreambuf_iterator@GU?$char_traits@G@std@@@std@@@std@@UAE@XZ
??1Init@ios_base@std@@QAE@XZ
??1_Locinfo@std@@QAE@XZ
??1_Lockit@std@@QAE@XZ
??1_Timevec@std@@QAE@XZ
??1_Winit@std@@QAE@XZ
??1__non_rtti_object@std@@UAE@XZ
??1bad_alloc@std@@UAE@XZ
??1bad_cast@std@@UAE@XZ
??1bad_exception@std@@UAE@XZ
??1bad_typeid@std@@UAE@XZ
??1codecvt_base@std@@UAE@XZ
??1ctype_base@std@@UAE@XZ
??1domain_error@std@@UAE@XZ
??1facet@locale@std@@UAE@XZ
??1ios_base@std@@UAE@XZ
??1istrstream@std@@UAE@XZ
??1length_error@std@@UAE@XZ
??1locale@std@@QAE@XZ
??1logic_error@std@@UAE@XZ
??1messages_base@std@@UAE@XZ
??1money_base@std@@UAE@XZ
??1ostrstream@std@@UAE@XZ
??1out_of_range@std@@UAE@XZ
??1overflow_error@std@@UAE@XZ
??1range_error@std@@UAE@XZ
??1runtime_error@std@@UAE@XZ
??1strstream@std@@UAE@XZ
??1strstreambuf@std@@UAE@XZ
??1time_base@std@@UAE@XZ
??1underflow_error@std@@UAE@XZ
??4?$_Complex_base@M@std@@QAEAAV01@ABV01@@Z
??4?$_Complex_base@N@std@@QAEAAV01@ABV01@@Z
??4?$_Complex_base@O@std@@QAEAAV01@ABV01@@Z
??4?$_Ctr@M@std@@QAEAAV01@ABV01@@Z
??4?$_Ctr@N@std@@QAEAAV01@ABV01@@Z
??4?$_Ctr@O@std@@QAEAAV01@ABV01@@Z
??4?$allocator@X@std@@QAEAAV01@ABV01@@Z
??4?$basic_filebuf@DU?$char_traits@D@std@@@std@@QAEAAV01@ABV01@@Z
??4?$basic_filebuf@GU?$char_traits@G@std@@@std@@QAEAAV01@ABV01@@Z
??4?$basic_fstream@DU?$char_traits@D@std@@@std@@QAEAAV01@ABV01@@Z
??4?$basic_fstream@GU?$char_traits@G@std@@@std@@QAEAAV01@ABV01@@Z
??4?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEAAV01@ABV01@@Z
??4?$basic_ifstream@GU?$char_traits@G@std@@@std@@QAEAAV01@ABV01@@Z
??4?$basic_ios@DU?$char_traits@D@std@@@std@@QAEAAV01@ABV01@@Z
??4?$basic_ios@GU?$char_traits@G@std@@@std@@QAEAAV01@ABV01@@Z
??4?$basic_iostream@DU?$char_traits@D@std@@@std@@QAEAAV01@ABV01@@Z
??4?$basic_iostream@GU?$char_traits@G@std@@@std@@QAEAAV01@ABV01@@Z
??4?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV01@ABV01@@Z
??4?$basic_istream@GU?$char_traits@G@std@@@std@@QAEAAV01@ABV01@@Z
??4?$basic_istringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
??4?$basic_istringstream@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z
??4?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEAAV01@ABV01@@Z
??4?$basic_ofstream@GU?$char_traits@G@std@@@std@@QAEAAV01@ABV01@@Z
??4?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@ABV01@@Z
??4?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEAAV01@ABV01@@Z
??4?$basic_ostringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
??4?$basic_ostringstream@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z
??4?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEAAV01@ABV01@@Z
??4?$basic_streambuf@GU?$char_traits@G@std@@@std@@QAEAAV01@ABV01@@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z
??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z
??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z
??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@G@Z
??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@PBG@Z
??4?$basic_stringbuf@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
??4?$basic_stringbuf@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z
??4?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z
??4?$basic_stringstream@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z
??4?$char_traits@D@std@@QAEAAU01@ABU01@@Z
??4?$char_traits@G@std@@QAEAAU01@ABU01@@Z
??4?$complex@M@std@@QAEAAV01@ABM@Z
??4?$complex@M@std@@QAEAAV01@ABV01@@Z
??4?$complex@N@std@@QAEAAV01@ABN@Z
??4?$complex@N@std@@QAEAAV01@ABV01@@Z
??4?$complex@O@std@@QAEAAV01@ABO@Z
??4?$complex@O@std@@QAEAAV01@ABV01@@Z
??4?$numeric_limits@C@std@@QAEAAV01@ABV01@@Z
??4?$numeric_limits@D@std@@QAEAAV01@ABV01@@Z
??4?$numeric_limits@E@std@@QAEAAV01@ABV01@@Z
??4?$numeric_limits@F@std@@QAEAAV01@ABV01@@Z
??4?$numeric_limits@G@std@@QAEAAV01@ABV01@@Z
??4?$numeric_limits@H@std@@QAEAAV01@ABV01@@Z
??4?$numeric_limits@I@std@@QAEAAV01@ABV01@@Z
??4?$numeric_limits@J@std@@QAEAAV01@ABV01@@Z
??4?$numeric_limits@K@std@@QAEAAV01@ABV01@@Z
??4?$numeric_limits@M@std@@QAEAAV01@ABV01@@Z
??4?$numeric_limits@N@std@@QAEAAV01@ABV01@@Z
??4?$numeric_limits@O@std@@QAEAAV01@ABV01@@Z
??4?$numeric_limits@_N@std@@QAEAAV01@ABV01@@Z
??4Init@ios_base@std@@QAEAAV012@ABV012@@Z
??4_Locinfo@std@@QAEAAV01@ABV01@@Z
??4_Lockit@std@@QAEAAV01@ABV01@@Z
??4_Num_base@std@@QAEAAU01@ABU01@@Z
??4_Num_float_base@std@@QAEAAU01@ABU01@@Z
??4_Num_int_base@std@@QAEAAU01@ABU01@@Z
??4_Timevec@std@@QAEAAV01@ABV01@@Z
??4_Winit@std@@QAEAAV01@ABV01@@Z
??4__non_rtti_object@std@@QAEAAV01@ABV01@@Z
??4bad_alloc@std@@QAEAAV01@ABV01@@Z
??4bad_cast@std@@QAEAAV01@ABV01@@Z
??4bad_exception@std@@QAEAAV01@ABV01@@Z
??4bad_typeid@std@@QAEAAV01@ABV01@@Z
??4domain_error@std@@QAEAAV01@ABV01@@Z
??4id@locale@std@@QAEAAV012@ABV012@@Z
??4ios_base@std@@QAEAAV01@ABV01@@Z
??4length_error@std@@QAEAAV01@ABV01@@Z
??4locale@std@@QAEAAV01@ABV01@@Z
??4logic_error@std@@QAEAAV01@ABV01@@Z
??4out_of_range@std@@QAEAAV01@ABV01@@Z
??4overflow_error@std@@QAEAAV01@ABV01@@Z
??4range_error@std@@QAEAAV01@ABV01@@Z
??4runtime_error@std@@QAEAAV01@ABV01@@Z
??4underflow_error@std@@QAEAAV01@ABV01@@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV01@AAF@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV01@AAG@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV01@AAH@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV01@AAI@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV01@AAJ@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV01@AAK@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV01@AAM@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV01@AAN@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV01@AAO@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV01@AAPAX@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV01@AA_N@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV?$basic_ios@DU?$char_traits@D@std@@@1@AAV21@@Z@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAVios_base@1@AAV21@@Z@Z
??5?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV01@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??5?$basic_istream@GU?$char_traits@G@std@@@std@@QAEAAV01@AAF@Z
??5?$basic_istream@GU?$char_traits@G@std@@@std@@QAEAAV01@AAG@Z
??5?$basic_istream@GU?$char_traits@G@std@@@std@@QAEAAV01@AAH@Z
??5?$basic_istream@GU?$char_traits@G@std@@@std@@QAEAAV01@AAI@Z
??5?$basic_istream@GU?$char_traits@G@std@@@std@@QAEAAV01@AAJ@Z
??5?$basic_istream@GU?$char_traits@G@std@@@std@@QAEAAV01@AAK@Z
??5?$basic_istream@GU?$char_traits@G@std@@@std@@QAEAAV01@AAM@Z
??5?$basic_istream@GU?$char_traits@G@std@@@std@@QAEAAV01@AAN@Z
??5?$basic_istream@GU?$char_traits@G@std@@@std@@QAEAAV01@AAO@Z
??5?$basic_istream@GU?$char_traits@G@std@@@std@@QAEAAV01@AAPAX@Z
??5?$basic_istream@GU?$char_traits@G@std@@@std@@QAEAAV01@AA_N@Z
??5?$basic_istream@GU?$char_traits@G@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z
??5?$basic_istream@GU?$char_traits@G@std@@@std@@QAEAAV01@P6AAAV?$basic_ios@GU?$char_traits@G@std@@@1@AAV21@@Z@Z
??5?$basic_istream@GU?$char_traits@G@std@@@std@@QAEAAV01@P6AAAVios_base@1@AAV21@@Z@Z
??5?$basic_istream@GU?$char_traits@G@std@@@std@@QAEAAV01@PAV?$basic_streambuf@GU?$char_traits@G@std@@@1@@Z
??5std@@YAAAV?$basic_istream@DU?$char_traits@D@std@@@0@AAV10@AAC@Z
??5std@@YAAAV?$basic_istream@DU?$char_traits@D@std@@@0@AAV10@AAD@Z
??5std@@YAAAV?$basic_istream@DU?$char_traits@D@std@@@0@AAV10@AAE@Z
??5std@@YAAAV?$basic_istream@DU?$char_traits@D@std@@@0@AAV10@AAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z
??5std@@YAAAV?$basic_istream@DU?$char_traits@D@std@@@0@AAV10@AAV?$complex@M@0@@Z
??5std@@YAAAV?$basic_istream@DU?$char_traits@D@std@@@0@AAV10@AAV?$complex@N@0@@Z
??5std@@YAAAV?$basic_istream@DU?$char_traits@D@std@@@0@AAV10@AAV?$complex@O@0@@Z
??5std@@YAAAV?$basic_istream@DU?$char_traits@D@std@@@0@AAV10@PAC@Z
??5std@@YAAAV?$basic_istream@DU?$char_traits@D@std@@@0@AAV10@PAD@Z
??5std@@YAAAV?$basic_istream@DU?$char_traits@D@std@@@0@AAV10@PAE@Z
??5std@@YAAAV?$basic_istream@GU?$char_traits@G@std@@@0@AAV10@AAG@Z
??5std@@YAAAV?$basic_istream@GU?$char_traits@G@std@@@0@AAV10@AAV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@@Z
??5std@@YAAAV?$basic_istream@GU?$char_traits@G@std@@@0@AAV10@AAV?$complex@M@0@@Z
??5std@@YAAAV?$basic_istream@GU?$char_traits@G@std@@@0@AAV10@AAV?$complex@N@0@@Z
??5std@@YAAAV?$basic_istream@GU?$char_traits@G@std@@@0@AAV10@AAV?$complex@O@0@@Z
??5std@@YAAAV?$basic_istream@GU?$char_traits@G@std@@@0@AAV10@PAF@Z
??5std@@YAAAV?$basic_istream@GU?$char_traits@G@std@@@0@AAV10@PAG@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@F@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@G@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@I@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@J@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@K@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@M@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@N@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@O@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV?$basic_ios@DU?$char_traits@D@std@@@1@AAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAVios_base@1@AAV21@@Z@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@PBX@Z
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_N@Z
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEAAV01@F@Z
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEAAV01@G@Z
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEAAV01@H@Z
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEAAV01@I@Z
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEAAV01@J@Z
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEAAV01@K@Z
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEAAV01@M@Z
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEAAV01@N@Z
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEAAV01@O@Z
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEAAV01@P6AAAV?$basic_ios@GU?$char_traits@G@std@@@1@AAV21@@Z@Z
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEAAV01@P6AAAVios_base@1@AAV21@@Z@Z
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEAAV01@PAV?$basic_streambuf@GU?$char_traits@G@std@@@1@@Z
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEAAV01@PBX@Z
??6?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEAAV01@_N@Z
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$complex@M@0@@Z
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$complex@N@0@@Z
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$complex@O@0@@Z
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@C@Z
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@D@Z
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@E@Z
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBC@Z
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBE@Z
??6std@@YAAAV?$basic_ostream@GU?$char_traits@G@std@@@0@AAV10@ABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@@Z
??6std@@YAAAV?$basic_ostream@GU?$char_traits@G@std@@@0@AAV10@ABV?$complex@M@0@@Z
??6std@@YAAAV?$basic_ostream@GU?$char_traits@G@std@@@0@AAV10@ABV?$complex@N@0@@Z
??6std@@YAAAV?$basic_ostream@GU?$char_traits@G@std@@@0@AAV10@ABV?$complex@O@0@@Z
??6std@@YAAAV?$basic_ostream@GU?$char_traits@G@std@@@0@AAV10@G@Z
??6std@@YAAAV?$basic_ostream@GU?$char_traits@G@std@@@0@AAV10@PBF@Z
??6std@@YAAAV?$basic_ostream@GU?$char_traits@G@std@@@0@AAV10@PBG@Z
??7ios_base@std@@QBE_NXZ
??8locale@std@@QBE_NABV01@@Z
??8std@@YA_NABMABV?$complex@M@0@@Z
??8std@@YA_NABNABV?$complex@N@0@@Z
??8std@@YA_NABOABV?$complex@O@0@@Z
??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z
??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@0@Z
??8std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z
??8std@@YA_NABV?$complex@M@0@0@Z
??8std@@YA_NABV?$complex@M@0@ABM@Z
??8std@@YA_NABV?$complex@N@0@0@Z
??8std@@YA_NABV?$complex@N@0@ABN@Z
??8std@@YA_NABV?$complex@O@0@0@Z
??8std@@YA_NABV?$complex@O@0@ABO@Z
??8std@@YA_NPBDABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z
??8std@@YA_NPBGABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@@Z
??9locale@std@@QBE_NABV01@@Z
??9std@@YA_NABMABV?$complex@M@0@@Z
??9std@@YA_NABNABV?$complex@N@0@@Z
??9std@@YA_NABOABV?$complex@O@0@@Z
??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z
??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@0@Z
??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z
??9std@@YA_NABV?$complex@M@0@0@Z
??9std@@YA_NABV?$complex@M@0@ABM@Z

Sections

.text
Size: 168KB - Virtual size: 166KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 192KB - Virtual size: 188KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 936B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
联想一键恢复(WINDOWS)/multitray.exe
.exe windows:4 windows x86 arch:x86

68dfa4576637a1a4cb616759fa4a47c4

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04/12/2003, 00:00

Not After

03/12/2008, 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2d:f6:a0:ea:04:ee:72:75:b1:e6:94:fd:22:69:23:aa
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

15/12/2006, 00:00

Not After

15/12/2007, 23:59

Subject

CN=Xi'an Saming Technology Co.\, Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Xi'an Saming Technology Co.\, Ltd.,ST=Shannxi,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

ce:1c:d5:30:83:ca:6a:d2:38:4c:2f:de:87:88:04:3b:1a:6c:0b:7b
Signer

Actual PE Digest

ce:1c:d5:30:83:ca:6a:d2:38:4c:2f:de:87:88:04:3b:1a:6c:0b:7b

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

windisk

ExFlushPartNt
ExDetectProtect
ExRWDisk
ExRWDiskAbs

diskop

?Initial@CNTFS@@QAEHXZ
??1CDiskIO@@QAE@XZ
?GetRootFilePos@CFAT32@@QAEHPADPAKPAEI@Z
?GetPartitionLetter@CDiskIO@@QAEXXZ
?InitDiskInfo@CDiskIO@@QAEHXZ
?CreateContiFile@CFAT32@@QAEHPADKAAK@Z
??0CNTpart@@QAE@PAVCDiskIO@@H@Z
?Initial@CNTpart@@QAEHXZ
??1CNTpart@@QAE@XZ
?DefragFile@CNTpart@@QAEHPADAAK@Z
?FlushDiskBuf@CNTpart@@QAEXXZ
?GetPartitionNum@CDiskIO@@QAEHXZ
??0CNTFS@@QAE@PAVCDiskIO@@H@Z
??1CFAT32@@QAE@XZ
?GetRootFilePos@CNTFS@@QAEHPADPAKPAEI@Z
??1CNTFS@@QAE@XZ
??0CFAT32@@QAE@PAVCDiskIO@@H@Z
?Initial@CFAT32@@QAEHXZ
??0CDiskIO@@QAE@H@Z

pmondll

PMON_StopMon
PMON_StartMon

samio

InstallWinIoDriver

mfc42

ord3172
ord5653
ord4420
ord4953
ord4858
ord2399
ord4387
ord3454
ord3198
ord6080
ord6175
ord4623
ord4426
ord338
ord652
ord4823
ord1945
ord4273
ord4589
ord4588
ord4899
ord4370
ord4892
ord5076
ord4341
ord4349
ord4723
ord4890
ord4531
ord4545
ord4543
ord4526
ord4529
ord4524
ord4964
ord4961
ord4108
ord5240
ord3748
ord1726
ord4432
ord560
ord813
ord5260
ord2301
ord2776
ord1768
ord4683
ord1842
ord4242
ord2723
ord2390
ord3059
ord5100
ord5103
ord4467
ord4303
ord3350
ord5012
ord975
ord5472
ord3403
ord2879
ord2878
ord4151
ord4077
ord5237
ord5282
ord2649
ord1665
ord4436
ord4427
ord674
ord366
ord5577
ord5252
ord4499
ord4220
ord2584
ord3654
ord2438
ord6270
ord2863
ord1644
ord1146
ord6605
ord4413
ord2289
ord5981
ord6197
ord6380
ord2971
ord5759
ord6192
ord5756
ord6186
ord4330
ord6189
ord5873
ord5794
ord5678
ord5736
ord5579
ord5571
ord6061
ord5864
ord3596
ord6194
ord6021
ord4133
ord4297
ord5787
ord4287
ord926
ord1175
ord4243
ord4278
ord6007
ord3286
ord2614
ord4129
ord5683
ord1997
ord2808
ord6407
ord798
ord5194
ord533
ord668
ord2763
ord2770
ord5710
ord356
ord2764
ord922
ord2919
ord3702
ord501
ord773
ord5607
ord1083
ord1746
ord5740
ord5243
ord2542
ord2510
ord6336
ord3065
ord3058
ord4696
ord4238
ord1825
ord3092
ord2725
ord1134
ord2621
ord6117
ord4159
ord2092
ord815
ord561
ord3738
ord4622
ord5714
ord5289
ord5307
ord4698
ord4079
ord5302
ord5300
ord3346
ord2396
ord5199
ord1089
ord3922
ord5731
ord2512
ord2554
ord1576
ord4486
ord6375
ord4274
ord4610
ord4612
ord609
ord3574
ord4396
ord2575
ord6172
ord5789
ord4284
ord4123
ord2086
ord2642
ord2370
ord860
ord289
ord613
ord2859
ord2379
ord470
ord755
ord4275
ord6215
ord1168
ord4299
ord2452
ord562
ord816
ord3874
ord5875
ord6880
ord2754
ord3573
ord3744
ord2864
ord3619
ord323
ord1640
ord1641
ord5785
ord640
ord3571
ord2414
ord3663
ord3626
ord818
ord3742
ord823
ord6453
ord4376
ord4224
ord4853
ord4710
ord2860
ord6199
ord6334
ord4234
ord2302
ord324
ord567
ord641
ord795
ord3597
ord4425
ord4627
ord4080
ord3079
ord3825
ord3831
ord3830
ord2976
ord3081
ord2985
ord3262
ord3136
ord4465
ord3259
ord3147
ord2982
ord5277
ord2124
ord2446
ord5261
ord1727
ord5065
ord3749
ord6376
ord2055
ord2648
ord4441
ord4837
ord3798
ord5280
ord4353
ord6374
ord5163
ord2385
ord5241
ord4407
ord1775
ord4078
ord6052
ord2514
ord4998
ord5265
ord3721
ord4424
ord3402
ord5290
ord1776
ord6055
ord536
ord825
ord924
ord2915
ord4204
ord535
ord941
ord5572
ord540
ord2818
ord939
ord858
ord1200
ord800
ord537
ord4457

msvcrt

_stricmp
_setmbcp
??1type_info@@UAE@XZ
_controlfp
__set_app_type
__p__fmode
__p__commode
__setusermatherr
_initterm
__getmainargs
_acmdln
_adjust_fdiv
exit
_XcptFilter
_exit
_onexit
__dllonexit
_except_handler3
_mbsicmp
_mbsrchr
_mbslwr
sprintf
vsprintf
_ismbcdigit
_CIpow
_ftol
atoi
__p___argc
__p___argv
free
_strdup
fwrite
fclose
_mbscmp
__CxxFrameHandler
toupper
fopen
fread
memset
strcmp
_EH_prolog
strncpy
memcpy
strlen
malloc
strcat
strcpy
strncmp
realloc
floor
ceil
sin
cos
acos
_purecall
remove
_CxxThrowException
strtoul
calloc

kernel32

lstrcatA
VirtualQuery
lstrcpynA
SetErrorMode
SetUnhandledExceptionFilter
FormatMessageA
LoadLibraryA
FreeLibrary
CreateToolhelp32Snapshot
Process32First
Process32Next
GetCurrentThread
LocalAlloc
LocalFree
GetVersionExA
CreateMutexA
ReleaseMutex
OutputDebugStringA
GetModuleFileNameA
lstrcmpA
lstrlenA
GlobalMemoryStatus
lstrcpyA
WinExec
lstrcmpiA
GetCurrentThreadId
GetModuleHandleA
GetProcAddress
GetCurrentProcess
FlushInstructionCache
GetLastError
Sleep
GetComputerNameA
GetLocalTime
CreateFileA
GetFileSize
GetSystemDirectoryA
GetTickCount
CreateEventA
SetEvent
WaitForSingleObject
CreateThread
MulDiv
GetSystemTime
GetSystemInfo
GetCurrentProcessId
WriteProcessMemory
SetLastError
VirtualProtect
GetWindowsDirectoryA
HeapAlloc
GetTempPathA
GetTempFileNameA
GetVersion
FindResourceA
LoadResource
LockResource
SizeofResource
DeleteCriticalSection
EnterCriticalSection
InitializeCriticalSection
LeaveCriticalSection
GetPrivateProfileSectionA
GetPrivateProfileStringA
DeviceIoControl
GetStartupInfoA
HeapFree
DeleteFileA
GetProcessHeap
CloseHandle

user32

ClientToScreen
CopyRect
IsRectEmpty
InvalidateRect
SetTimer
KillTimer
DestroyIcon
GetDC
OffsetRect
DrawIconEx
GetIconInfo
GetSysColor
SystemParametersInfoA
GetCursorPos
EnableWindow
SendMessageA
MessageBoxA
GetClientRect
GetWindowRect
DrawFrameControl
SetRectEmpty
RedrawWindow
SetWindowRgn
RegisterClassExA
GetSysColorBrush
LoadCursorA
ReleaseCapture
GetCapture
SetCapture
LoadImageA
SetWindowsHookExA
UnhookWindowsHookEx
GetSystemMetrics
GetWindowPlacement
IsIconic
IntersectRect
GetMenuState
GetPropA
GetClassNameA
GetActiveWindow
GetWindowLongA
IsWindow
DispatchMessageA
GetMessageA
DefWindowProcA
CallWindowProcA
SetWindowLongA
SetPropA
RemovePropA
SetWindowPos
GetWindowDC
ShowWindow
IsZoomed
GetWindow
GetWindowInfo
SetMenu
GetMenu
GetKeyState
CreateWindowExA
UnregisterClassA
EndPaint
BeginPaint
DrawEdge
DestroyWindow
IsWindowVisible
ScreenToClient
LockWindowUpdate
GetDesktopWindow
GetMenuItemInfoA
InsertMenuItemA
CreatePopupMenu
GetMenuItemCount
DestroyMenu
EnableMenuItem
GetSystemMenu
GetClassLongA
EnableScrollBar
GetScrollInfo
GetScrollPos
GetScrollRange
SetScrollInfo
SetScrollPos
SetScrollRange
ShowScrollBar
CharUpperBuffA
GetWindowTextA
IsWindowEnabled
DrawStateA
EnumChildWindows
SetFocus
GetFocus
SetRect
SetWindowWord
GetWindowWord
DrawIcon
ValidateRect
GetMenuItemID
IsMenu
DrawMenuBar
CharLowerA
CharUpperA
DestroyCursor
LoadStringA
CopyIcon
MapWindowPoints
GetMessagePos
DrawTextExA
CreateIconIndirect
PtInRect
EqualRect
InflateRect
CallNextHookEx
PostMessageA
UpdateWindow
GetWindowThreadProcessId
EnumWindows
MoveWindow
FindWindowA
SetForegroundWindow
ModifyMenuA
GetSubMenu
LoadMenuA
FillRect
TabbedTextOutA
DrawTextA
GrayStringA
GetParent
ExitWindowsEx
wsprintfA
ReleaseDC

gdi32

LPtoDP
GetMapMode
DPtoLP
Pie
BitBlt
CreateFontA
CreateRectRgn
CombineRgn
CreateSolidBrush
OffsetRgn
GetStockObject
CreateFontIndirectA
CreateCompatibleDC
CreateCompatibleBitmap
StretchBlt
DeleteObject
GetObjectA
GetViewportExtEx
GetWindowExtEx
PtVisible
RectVisible
TextOutA
ExtTextOutA
Escape
CreateRectRgnIndirect
CreateDIBSection
SetDIBitsToDevice
SetStretchBltMode
ExtSelectClipRgn
StretchDIBits
PtInRegion
ExcludeClipRect
GetPixel
LineTo
MoveToEx
CreatePen
SelectClipRgn
GetClipRgn
GetTextExtentPoint32A
IntersectClipRect
GetRgnBox
GetTextMetricsA
UnrealizeObject
PatBlt
SetBrushOrgEx
CreatePatternBrush
GetBkColor
SaveDC
RestoreDC
CreateDIBitmap
Polygon
GetDeviceCaps
SelectPalette
RealizePalette
CreateBitmap
SetBkColor
CreateICA
GetDIBits
DeleteDC
GetRegionData
ExtCreateRegion
GetTextExtentPointA
SetTextColor
SelectObject
SetBkMode
GetClipBox

advapi32

RegSetValueExA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
FreeSid
RevertToSelf
AccessCheck
IsValidSecurityDescriptor
SetSecurityDescriptorOwner
RegCloseKey
RegFlushKey
RegCreateKeyExA
ImpersonateSelf
OpenThreadToken
AllocateAndInitializeSid
InitializeSecurityDescriptor
GetLengthSid
InitializeAcl
AddAccessAllowedAce
SetSecurityDescriptorDacl
SetSecurityDescriptorGroup
RegQueryValueExA
RegOpenKeyExA

shell32

ExtractIconExA
Shell_NotifyIconA
ShellExecuteA

comctl32

ImageList_GetIcon
ImageList_GetImageCount
ImageList_Draw
ImageList_GetIconSize
_TrackMouseEvent
ImageList_DrawEx
ImageList_Destroy

imagehlp

SymFunctionTableAccess
SymGetSymFromAddr
SymGetModuleBase
StackWalk
SymInitialize
ImageDirectoryEntryToData
SymCleanup

msvcirt

??_Dofstream@@QAEXXZ
??1ofstream@@UAE@XZ
?close@ofstream@@QAEXXZ
?write@ostream@@QAEAAV1@PBDH@Z
?open@ofstream@@QAEXPBDHH@Z
?openprot@filebuf@@2HB
??0ofstream@@QAE@XZ
?endl@@YAAAVostream@@AAV1@@Z
??0exception@@QAE@ABV0@@Z
??1ios@@UAE@XZ

msvcp60

??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?_Xran@std@@YAXXZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
?erase@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@II@Z
?find_first_of@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z
??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??Mstd@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??0_Lockit@std@@QAE@XZ
??1_Lockit@std@@QAE@XZ
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z
??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z
??0logic_error@std@@QAE@ABV01@@Z
??0out_of_range@std@@QAE@ABV01@@Z
??1out_of_range@std@@UAE@XZ
??_7out_of_range@std@@6B@
??0logic_error@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z

Sections

.text
Size: 320KB - Virtual size: 319KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 52KB - Virtual size: 49KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 88KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 172KB - Virtual size: 171KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
联想一键恢复(WINDOWS)/ntdisk64.sys
.sys windows:5 windows x64 arch:x64

be566d39b30da9a5927a178bd772388b

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04/12/2003, 00:00

Not After

03/12/2008, 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2d:f6:a0:ea:04:ee:72:75:b1:e6:94:fd:22:69:23:aa
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

15/12/2006, 00:00

Not After

15/12/2007, 23:59

Subject

CN=Xi'an Saming Technology Co.\, Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Xi'an Saming Technology Co.\, Ltd.,ST=Shannxi,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

14:2b:f6:d8:51:91:a8:7d:1a:80:07:6e:45:77:89:ae:47:3f:0c:ea
Signer

Actual PE Digest

14:2b:f6:d8:51:91:a8:7d:1a:80:07:6e:45:77:89:ae:47:3f:0c:ea

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

F:\work2006\muldrv\mulkmd\objfre_wnet_AMD64\amd64\ntdisk.pdb

Imports

ntoskrnl.exe

ExAllocatePoolWithTag
sprintf
KeBugCheckEx
KeWaitForSingleObject
IofCallDriver
KeInitializeEvent
IoBuildDeviceIoControlRequest
KeSetEvent
RtlCopyMemory
IofCompleteRequest
IoDeleteDevice
IoDetachDevice
RtlZeroMemory
ZwClose
RtlInitUnicodeString
IoAttachDeviceToDeviceStack
ExFreePoolWithTag
PoCallDriver
PoStartNextPowerIrp
ZwMapViewOfSection
ObReferenceObjectByHandle
ZwOpenSection
ZwUnmapViewOfSection
IoFreeIrp
IoFreeMdl
MmUnlockPages
IoBuildAsynchronousFsdRequest
IoBuildPartialMdl
IoAllocateMdl
IoAllocateIrp
ExReleaseFastMutex
ExAcquireFastMutex
MmMapLockedPagesSpecifyCache
IoCreateDevice
DbgPrint

hal

HalTranslateBusAddress

Sections

.text
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1024B - Virtual size: 648B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 856B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
联想一键恢复(WINDOWS)/otpboot.dat
联想一键恢复(WINDOWS)/pmondll.dll
.dll windows:4 windows x86 arch:x86

8287d769b53374d368e1e3c6129a6cc1

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04/12/2003, 00:00

Not After

03/12/2008, 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2d:f6:a0:ea:04:ee:72:75:b1:e6:94:fd:22:69:23:aa
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

15/12/2006, 00:00

Not After

15/12/2007, 23:59

Subject

CN=Xi'an Saming Technology Co.\, Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Xi'an Saming Technology Co.\, Ltd.,ST=Shannxi,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

28:98:3c:51:fe:6c:89:58:ca:66:22:66:27:1e:f2:ed:ed:42:dd:ff
Signer

Actual PE Digest

28:98:3c:51:fe:6c:89:58:ca:66:22:66:27:1e:f2:ed:ed:42:dd:ff

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

mfc42

ord801
ord823
ord541
ord1200
ord537
ord535
ord2915
ord4204
ord800
ord858
ord540
ord533
ord798
ord922
ord2764
ord924
ord3789
ord2818
ord5710
ord4129
ord6883
ord2614
ord1168
ord1253
ord342
ord1182
ord5683
ord860
ord1997
ord2808
ord6407
ord5194
ord825

msvcrt

vsprintf
_adjust_fdiv
malloc
_initterm
free
_onexit
__dllonexit
__CxxFrameHandler
_strupr
_purecall
_beginthreadex
_endthreadex
_mbsrchr
_except_handler3
fclose
fopen

kernel32

GetModuleHandleA
FormatMessageA
GetCurrentProcess
OutputDebugStringA
GetOverlappedResult
OpenEventA
ReleaseMutex
CreateMutexA
WaitForMultipleObjects
ResetEvent
WaitForSingleObject
GetLastError
GetModuleFileNameA
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
InitializeCriticalSection
GetLocalTime
GetCurrentThread
ExitProcess
GetVersionExA
CloseHandle
DeviceIoControl
CreateFileA
GetProcAddress
LoadLibraryA
FreeLibrary
SetEvent
Sleep
CreateEventA

user32

IsWindowVisible
GetWindow
GetWindowTextA
GetWindowThreadProcessId
EnumWindows
wsprintfA
PostMessageA
MessageBoxA

advapi32

RegQueryValueExA
RegOpenKeyExA
RegCreateKeyExA
RegFlushKey
RegCloseKey
CreateServiceA
OpenServiceA
StartServiceA
DeleteService
QueryServiceStatus
CloseServiceHandle
OpenSCManagerA

Exports

Exports

PMON_StartMon
PMON_StopMon

Sections

.text
Size: 16KB - Virtual size: 14KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 896B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
联想一键恢复(WINDOWS)/procspy.ini
联想一键恢复(WINDOWS)/reschk
联想一键恢复(WINDOWS)/runlog.txt
联想一键恢复(WINDOWS)/safnt.sys
.sys windows:5 windows x86 arch:x86

c7d418c23698f5f1eae02cbb32b3c8ce

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04/12/2003, 00:00

Not After

03/12/2008, 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2d:f6:a0:ea:04:ee:72:75:b1:e6:94:fd:22:69:23:aa
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

15/12/2006, 00:00

Not After

15/12/2007, 23:59

Subject

CN=Xi'an Saming Technology Co.\, Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Xi'an Saming Technology Co.\, Ltd.,ST=Shannxi,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

a2:56:f7:8d:80:69:1b:29:fb:31:b8:7e:d9:6a:0a:02:4a:34:a0:9b
Signer

Actual PE Digest

a2:56:f7:8d:80:69:1b:29:fb:31:b8:7e:d9:6a:0a:02:4a:34:a0:9b

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

PDB Paths

F:\work2006\filesystem\safnt\objfre_wnet_x86\i386\safnt.pdb

Imports

ntoskrnl.exe

RtlAnsiStringToUnicodeString
sprintf
RtlInitUnicodeString
strncmp
IoGetCurrentProcess
PsGetCurrentProcessId
strncpy
ObfDereferenceObject
KeWaitForSingleObject
IofCallDriver
KeInitializeEvent
IoBuildDeviceIoControlRequest
RtlFreeUnicodeString
IoGetDeviceObjectPointer
RtlInitAnsiString
ZwClose
IoDeleteDevice
wcslen
IoCreateDevice
IoGetRelatedDeviceObject
ObReferenceObjectByHandle
IoFileObjectType
ZwCreateFile
RtlAppendUnicodeToString
ExFreePoolWithTag
wcsstr
_wcsupr
ExAllocatePoolWithTag
_strupr
IofCompleteRequest
DbgPrint
IoRegisterBootDriverReinitialization
IoDetachDevice
KeTickCount
KeBugCheckEx
IoAttachDeviceToDeviceStack
memmove

hal

KeGetCurrentIrql

Sections

.text
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 512B - Virtual size: 272B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 128B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 880B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 382B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
联想一键恢复(WINDOWS)/safnt64.sys
.sys windows:5 windows x64 arch:x64

7eeecd4f338598202b72679b43d4be5e

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04/12/2003, 00:00

Not After

03/12/2008, 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2d:f6:a0:ea:04:ee:72:75:b1:e6:94:fd:22:69:23:aa
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

15/12/2006, 00:00

Not After

15/12/2007, 23:59

Subject

CN=Xi'an Saming Technology Co.\, Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Xi'an Saming Technology Co.\, Ltd.,ST=Shannxi,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

31:0f:f8:10:d4:e2:6d:91:5e:5d:c9:95:18:c0:de:bf:6b:8c:b0:54
Signer

Actual PE Digest

31:0f:f8:10:d4:e2:6d:91:5e:5d:c9:95:18:c0:de:bf:6b:8c:b0:54

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

F:\work2006\filesystem\safnt\objfre_wnet_AMD64\amd64\safnt.pdb

Imports

ntoskrnl.exe

RtlMoveMemory
wcslen
RtlAnsiStringToUnicodeString
sprintf
RtlCopyMemory
KeGetCurrentIrql
RtlInitUnicodeString
strncmp
IoGetCurrentProcess
PsGetCurrentProcessId
strncpy
KeWaitForSingleObject
IofCallDriver
KeInitializeEvent
ObfDereferenceObject
IoBuildDeviceIoControlRequest
RtlFreeUnicodeString
IoGetDeviceObjectPointer
RtlInitAnsiString
IoDeleteDevice
IoAttachDeviceToDeviceStack
ZwClose
IoCreateDevice
IoGetRelatedDeviceObject
ObReferenceObjectByHandle
IoFileObjectType
ZwCreateFile
RtlAppendUnicodeToString
ExFreePoolWithTag
wcsstr
_wcsupr
RtlZeroMemory
ExAllocatePoolWithTag
_strupr
IofCompleteRequest
DbgPrint
IoRegisterBootDriverReinitialization
IoDetachDevice

Sections

.text
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 808B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 152B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 432B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 880B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
联想一键恢复(WINDOWS)/samio64.sys
.sys windows:5 windows x64 arch:x64

3e7b9b4b477563fa8513bdbab0c32edf

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04/12/2003, 00:00

Not After

03/12/2008, 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2d:f6:a0:ea:04:ee:72:75:b1:e6:94:fd:22:69:23:aa
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

15/12/2006, 00:00

Not After

15/12/2007, 23:59

Subject

CN=Xi'an Saming Technology Co.\, Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Xi'an Saming Technology Co.\, Ltd.,ST=Shannxi,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

58:10:f0:9d:be:88:ab:4c:73:fd:96:26:78:d0:71:d7:56:f3:dc:60
Signer

Actual PE Digest

58:10:f0:9d:be:88:ab:4c:73:fd:96:26:78:d0:71:d7:56:f3:dc:60

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

F:\work2006\mytools\samio\Source\Drv\NT\amd64\SamIo.pdb

Imports

ntoskrnl.exe

RtlInitUnicodeString
ZwClose
ZwMapViewOfSection
ObReferenceObjectByHandle
IoDeleteSymbolicLink
ZwUnmapViewOfSection
IofCompleteRequest
IoCreateSymbolicLink
IoCreateDevice
ZwOpenSection
IoDeleteDevice

hal

HalTranslateBusAddress

Sections

.text
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 512B - Virtual size: 288B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 60B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 512B - Virtual size: 454B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
联想一键恢复(WINDOWS)/sampmon64.sys
.sys windows:5 windows x64 arch:x64

4a8371b56fb884d17504dd2597eb687e

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04/12/2003, 00:00

Not After

03/12/2008, 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2d:f6:a0:ea:04:ee:72:75:b1:e6:94:fd:22:69:23:aa
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

15/12/2006, 00:00

Not After

15/12/2007, 23:59

Subject

CN=Xi'an Saming Technology Co.\, Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Xi'an Saming Technology Co.\, Ltd.,ST=Shannxi,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

c9:28:94:38:56:8e:f9:32:08:fd:ba:af:91:77:61:16:69:6c:d4:bd
Signer

Actual PE Digest

c9:28:94:38:56:8e:f9:32:08:fd:ba:af:91:77:61:16:69:6c:d4:bd

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

F:\work2006\multiwin\pmonkern\objfre_wnet_AMD64\amd64\sampmon.pdb

Imports

ntoskrnl.exe

strncmp
IoGetCurrentProcess
KeClearEvent
KeWaitForSingleObject
IoCreateNotificationEvent
RtlInitUnicodeString
KeInitializeEvent
KeSetPriorityThread
KeGetCurrentThread
IofCompleteRequest
KeSetEvent
PsLookupProcessByProcessId
PsSetCreateProcessNotifyRoutine
IoDeleteSymbolicLink
IoDeleteDevice
PsCreateSystemThread
IoCreateSymbolicLink
IoCreateDevice

Sections

.text
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 512B - Virtual size: 368B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 96B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 1024B - Virtual size: 602B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 896B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
联想一键恢复(WINDOWS)/samsys.sys
.sys windows:5 windows x86 arch:x86

1772253c72eb0079b652e61e6c5bcee3

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04/12/2003, 00:00

Not After

03/12/2008, 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2d:f6:a0:ea:04:ee:72:75:b1:e6:94:fd:22:69:23:aa
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

15/12/2006, 00:00

Not After

15/12/2007, 23:59

Subject

CN=Xi'an Saming Technology Co.\, Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Xi'an Saming Technology Co.\, Ltd.,ST=Shannxi,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

d4:d9:d5:b8:15:9e:18:44:46:bd:3b:f9:81:d8:50:6f:8f:1c:57:af
Signer

Actual PE Digest

d4:d9:d5:b8:15:9e:18:44:46:bd:3b:f9:81:d8:50:6f:8f:1c:57:af

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

PDB Paths

F:\work2007\driver\samsys\objfre_wnet_x86\i386\samsys.pdb

Imports

ntoskrnl.exe

IoGetLowerDeviceObject
wcscmp
_wcsupr
ObQueryNameString
RtlFreeUnicodeString
ObfDereferenceObject
IoGetDeviceObjectPointer
RtlAnsiStringToUnicodeString
RtlInitAnsiString
sprintf
IoCreateSymbolicLink
IoCreateDevice
RtlInitUnicodeString
IofCompleteRequest
IoDeleteDevice
IoDeleteSymbolicLink
KeSetEvent
IoFreeIrp
IoFreeMdl
MmUnlockPages
KeWaitForSingleObject
IofCallDriver
IoBuildAsynchronousFsdRequest
KeInitializeEvent
_allmul
KeTickCount
KeBugCheckEx

Sections

.text
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 512B - Virtual size: 222B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

INIT
Size: 1024B - Virtual size: 734B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 896B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 192B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
联想一键恢复(WINDOWS)/samsys64.sys
.sys windows:5 windows x64 arch:x64

bba115408f19c2966de4577f25ab8e95

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04/12/2003, 00:00

Not After

03/12/2008, 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2d:f6:a0:ea:04:ee:72:75:b1:e6:94:fd:22:69:23:aa
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

15/12/2006, 00:00

Not After

15/12/2007, 23:59

Subject

CN=Xi'an Saming Technology Co.\, Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Xi'an Saming Technology Co.\, Ltd.,ST=Shannxi,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

a2:03:fd:86:c4:b5:67:81:0c:c4:33:9d:08:3f:86:7a:31:42:ee:40
Signer

Actual PE Digest

a2:03:fd:86:c4:b5:67:81:0c:c4:33:9d:08:3f:86:7a:31:42:ee:40

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

F:\work2007\driver\samsys\objfre_wnet_AMD64\amd64\samsys.pdb

Imports

ntoskrnl.exe

IoGetLowerDeviceObject
wcscmp
_wcsupr
ObQueryNameString
RtlZeroMemory
RtlCopyMemory
RtlFreeUnicodeString
ObfDereferenceObject
IoGetDeviceObjectPointer
RtlAnsiStringToUnicodeString
RtlInitAnsiString
sprintf
IoCreateSymbolicLink
IoCreateDevice
RtlInitUnicodeString
IofCompleteRequest
IoDeleteDevice
IoDeleteSymbolicLink
KeSetEvent
IoFreeIrp
IoFreeMdl
MmUnlockPages
KeWaitForSingleObject
IofCallDriver
IoBuildAsynchronousFsdRequest
KeInitializeEvent

Sections

.text
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 512B - Virtual size: 424B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 512B - Virtual size: 84B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 1024B - Virtual size: 782B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 896B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
联想一键恢复(WINDOWS)/setup.exe
.exe windows:4 windows x86 arch:x86

1834aa64a5a23825498170ffd1fb58fc

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04/12/2003, 00:00

Not After

03/12/2008, 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2d:f6:a0:ea:04:ee:72:75:b1:e6:94:fd:22:69:23:aa
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

15/12/2006, 00:00

Not After

15/12/2007, 23:59

Subject

CN=Xi'an Saming Technology Co.\, Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Xi'an Saming Technology Co.\, Ltd.,ST=Shannxi,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

4a:16:60:d8:73:24:f7:6b:49:b1:4d:0f:e5:ce:58:e4:b6:70:28:e2
Signer

Actual PE Digest

4a:16:60:d8:73:24:f7:6b:49:b1:4d:0f:e5:ce:58:e4:b6:70:28:e2

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

windisk

ExDetectProtect
ExRWDisk

diskop

?GetTotalSectors@CDiskIO@@QAEKXZ
?InitDiskInfo@CDiskIO@@QAEHXZ
??1CDiskIO@@QAE@XZ
??0CDiskIO@@QAE@H@Z
?GetPartitionNum@CDiskIO@@QAEHXZ

universal

ExGetPhyDriveInfoInNT
ExDrvGetPhyDriveInfoIn9x

mfc42

ord1980
ord2770
ord356
ord4278
ord5465
ord2919
ord3811
ord548
ord6662
ord5194
ord6407
ord2808
ord1997
ord5683
ord470
ord755
ord2725
ord1134
ord2621
ord815
ord561
ord3738
ord4622
ord5714
ord5289
ord5307
ord4698
ord4079
ord5302
ord5300
ord3346
ord2396
ord5199
ord1089
ord3922
ord5731
ord2512
ord2554
ord4486
ord6375
ord4274
ord2614
ord2763
ord2379
ord3301
ord3998
ord6907
ord6888
ord6905
ord4224
ord6675
ord3996
ord5856
ord2289
ord609
ord693
ord3640
ord3370
ord4402
ord2582
ord3574
ord4396
ord2575
ord4476
ord3797
ord2414
ord3626
ord3663
ord3573
ord3619
ord2775
ord2761
ord2645
ord1081
ord6453
ord4287
ord6880
ord6197
ord415
ord715
ord5981
ord354
ord5186
ord665
ord823
ord3318
ord1979
ord2358
ord6883
ord4129
ord5710
ord3789
ord926
ord2764
ord798
ord533
ord6215
ord3744
ord4123
ord2086
ord4710
ord4234
ord324
ord641
ord4376
ord5280
ord1168
ord6199
ord535
ord541
ord924
ord537
ord922
ord939
ord2915
ord5572
ord941
ord801
ord1200
ord2818
ord6334
ord858
ord1105
ord2864
ord3092
ord1576
ord2642
ord2302
ord2370
ord825
ord567
ord860
ord765
ord795
ord3698
ord4424
ord4627
ord4080
ord3079
ord3825
ord3831
ord3830
ord3402
ord2976
ord3081
ord2985
ord3262
ord3136
ord4465
ord3259
ord3147
ord2982
ord5277
ord2124
ord2446
ord5261
ord1727
ord5065
ord3749
ord6376
ord2055
ord2648
ord4441
ord4837
ord3798
ord5290
ord4353
ord6374
ord5163
ord2385
ord5241
ord4407
ord1776
ord4078
ord6055
ord3597
ord4425
ord1775
ord6052
ord2514
ord4998
ord4853
ord5265
ord3721
ord800
ord540
ord668

msvcrt

realloc
floor
_ftol
ceil
sin
cos
acos
_purecall
remove
_CxxThrowException
strtoul
??0exception@@QAE@ABV0@@Z
calloc
_strupr
_stricmp
_setmbcp
??1type_info@@UAE@XZ
strcpy
toupper
__CxxFrameHandler
strcat
malloc
free
strlen
memcpy
strncpy
_EH_prolog
strcmp
memset
atoi
fwrite
fclose
fopen
_splitpath
fprintf
vsprintf
sprintf
_mbscmp
__p___argv
__p___argc
_except_handler3
__dllonexit
_onexit
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
fread

kernel32

GetPrivateProfileSectionA
lstrcpyA
lstrcatA
VirtualQuery
lstrcpynA
SetErrorMode
SetUnhandledExceptionFilter
lstrlenA
GetModuleHandleA
LoadLibraryA
GetProcAddress
FreeLibrary
GetCurrentThread
LocalAlloc
LocalFree
GetCurrentProcess
CreateDirectoryA
GetVersionExA
CreateMutexA
ReleaseMutex
GetModuleFileNameA
CloseHandle
lstrcmpiA
GetFileAttributesA
WaitForSingleObject
CreateEventA
GetLogicalDrives
GetDriveTypeA
FindFirstFileA
FindClose
GetPrivateProfileStringA
FileTimeToSystemTime
FindNextFileA
WinExec
GetDiskFreeSpaceExA
GetWindowsDirectoryA
MultiByteToWideChar
GlobalMemoryStatus
GetLocalTime
GetSystemDirectoryA
SetFileAttributesA
CopyFileA
Sleep
GetShortPathNameA
GetLastError
SetEvent
WriteProcessMemory
GetCurrentProcessId
GetSystemInfo
GetSystemTime
MulDiv
CreateThread
GetTickCount
HeapFree
GetProcessHeap
HeapAlloc
GetTempPathA
GetTempFileNameA
GetVersion
FindResourceA
LoadResource
LockResource
SizeofResource
DeleteCriticalSection
EnterCriticalSection
InitializeCriticalSection
GetStartupInfoA
SetLastError
VirtualProtect
FileTimeToLocalFileTime
LeaveCriticalSection
lstrcmpA
GetCurrentThreadId
FlushInstructionCache

user32

MoveWindow
IsZoomed
GetWindow
GetWindowInfo
RedrawWindow
OffsetRect
SetMenu
GetMenu
GetKeyState
CreateWindowExA
RegisterClassExA
LoadCursorA
SetTimer
SetForegroundWindow
KillTimer
PtInRect
ClientToScreen
EndPaint
BeginPaint
DrawTextA
FillRect
DrawEdge
DestroyWindow
ReleaseCapture
SetCapture
GetCursorPos
IsWindowVisible
ScreenToClient
LockWindowUpdate
GetDesktopWindow
GetMenuItemInfoA
InsertMenuItemA
CreatePopupMenu
GetMenuItemCount
DestroyMenu
EnableMenuItem
DrawIconEx
GetClassLongA
InflateRect
EnableScrollBar
GetScrollInfo
GetScrollPos
GetScrollRange
SetScrollInfo
SetScrollPos
SetScrollRange
ShowScrollBar
GetDC
GetIconInfo
CharUpperBuffA
GetWindowTextA
DrawFrameControl
IsWindowEnabled
DestroyIcon
DrawStateA
EnumChildWindows
ShowWindow
SetRect
SetWindowWord
GetWindowWord
IntersectRect
ValidateRect
GetSubMenu
GetMenuItemID
GetWindowPlacement
SystemParametersInfoA
EqualRect
IsMenu
DrawMenuBar
CharLowerA
CharUpperA
DestroyCursor
LoadStringA
CopyIcon
CopyRect
MapWindowPoints
GetMessagePos
GetCapture
DrawTextExA
CreateIconIndirect
DrawIcon
GetSystemMenu
MessageBoxA
GetWindowRect
InvalidateRect
GetFocus
GetNextDlgTabItem
UpdateWindow
EnableWindow
GetClientRect
LoadImageA
SendMessageA
GetParent
PostMessageA
CallWindowProcA
DefWindowProcA
GetSysColorBrush
GetSysColor
GetMessageA
DispatchMessageA
IsWindow
SetWindowsHookExA
GetWindowLongA
GetActiveWindow
GetClassNameA
GetPropA
GetMenuState
CallNextHookEx
GetSystemMetrics
IsIconic
ReleaseDC
GetWindowDC
SetWindowRgn
SetWindowPos
RemovePropA
SetPropA
SetFocus
SetWindowLongA
IsRectEmpty

gdi32

CreateCompatibleDC
CreateCompatibleBitmap
GetDeviceCaps
SelectPalette
RealizePalette
CreateBitmap
PtInRegion
ExcludeClipRect
GetPixel
LineTo
MoveToEx
StretchBlt
CreatePen
SelectClipRgn
GetClipRgn
TextOutA
GetTextExtentPoint32A
IntersectClipRect
GetRgnBox
GetTextMetricsA
UnrealizeObject
PatBlt
SetBrushOrgEx
CreatePatternBrush
ExtTextOutA
Polygon
RestoreDC
StretchDIBits
CreateDIBitmap
CreateDIBSection
SetDIBitsToDevice
SetStretchBltMode
ExtSelectClipRgn
GetClipBox
RectVisible
SaveDC
GetObjectA
CreateFontIndirectA
SetBkColor
CreateICA
GetDIBits
DeleteDC
GetRegionData
DeleteObject
CombineRgn
CreateRectRgn
OffsetRgn
CreateRectRgnIndirect
BitBlt
GetStockObject
SetBkMode
SelectObject
SetTextColor
CreateSolidBrush
GetTextExtentPointA
ExtCreateRegion

advapi32

FreeSid
OpenProcessToken
RevertToSelf
AccessCheck
IsValidSecurityDescriptor
SetSecurityDescriptorOwner
SetSecurityDescriptorGroup
SetSecurityDescriptorDacl
AddAccessAllowedAce
InitializeAcl
GetLengthSid
InitializeSecurityDescriptor
AllocateAndInitializeSid
OpenThreadToken
ImpersonateSelf
RegCloseKey
RegFlushKey
RegCreateKeyExA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA

shell32

ExtractIconExA
ShellExecuteA
SHBrowseForFolderA
SHGetSpecialFolderLocation
SHGetPathFromIDListA
SHChangeNotify

ole32

CoInitialize
CoCreateInstance
CoUninitialize

msvcirt

??_Dofstream@@QAEXXZ
?endl@@YAAAVostream@@AAV1@@Z
??0ofstream@@QAE@XZ
?openprot@filebuf@@2HB
?open@ofstream@@QAEXPBDHH@Z
?write@ostream@@QAEAAV1@PBDH@Z
?close@ofstream@@QAEXXZ
??1ofstream@@UAE@XZ
??1ios@@UAE@XZ

imagehlp

ImageDirectoryEntryToData
SymInitialize
StackWalk
SymGetModuleBase
SymFunctionTableAccess
SymGetSymFromAddr
SymCleanup

msvcp60

?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z
??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
?find_first_of@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
?erase@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@II@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
?_Xran@std@@YAXXZ
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z
??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z
??0logic_error@std@@QAE@ABV01@@Z
??0out_of_range@std@@QAE@ABV01@@Z
??1out_of_range@std@@UAE@XZ
??_7out_of_range@std@@6B@
??0logic_error@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
??Mstd@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z
??1_Lockit@std@@QAE@XZ
??0_Lockit@std@@QAE@XZ

comctl32

ImageList_GetImageCount
ImageList_Destroy
ImageList_GetIcon
ImageList_Draw
_TrackMouseEvent
ImageList_GetIconSize
ImageList_DrawEx

Sections

.text
Size: 304KB - Virtual size: 300KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 48KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 90KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 796KB - Virtual size: 795KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
联想一键恢复(WINDOWS)/setup.ini
联想一键恢复(WINDOWS)/uninstall.exe
.exe windows:4 windows x86 arch:x86

258f6e20afd4e0d17824f8919cddd6fd

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04/12/2003, 00:00

Not After

03/12/2008, 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2d:f6:a0:ea:04:ee:72:75:b1:e6:94:fd:22:69:23:aa
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

15/12/2006, 00:00

Not After

15/12/2007, 23:59

Subject

CN=Xi'an Saming Technology Co.\, Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Xi'an Saming Technology Co.\, Ltd.,ST=Shannxi,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

63:e5:0b:de:58:bf:2f:69:64:da:08:61:93:37:14:fa:be:f4:cf:6c
Signer

Actual PE Digest

63:e5:0b:de:58:bf:2f:69:64:da:08:61:93:37:14:fa:be:f4:cf:6c

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetWindowsDirectoryA
FlushInstructionCache
VirtualProtect
SetLastError
WriteProcessMemory
GetSystemInfo
GetSystemTime
MulDiv
CreateThread
WaitForSingleObject
SetEvent
CreateEventA
GetTickCount
GlobalAlloc
GlobalLock
GlobalUnlock
HeapFree
GetProcessHeap
HeapAlloc
GetVersion
FindResourceA
LoadResource
LockResource
SizeofResource
GetStartupInfoA
GetCurrentThreadId
lstrcmpA
LeaveCriticalSection
InitializeCriticalSection
EnterCriticalSection
GetPrivateProfileStringA
GetPrivateProfileSectionA
GetCurrentDirectoryA
lstrcpyA
lstrcatA
VirtualQuery
lstrcpynA
SetErrorMode
SetUnhandledExceptionFilter
GetModuleHandleA
FormatMessageA
TerminateProcess
CreateToolhelp32Snapshot
Process32First
Process32Next
GetCurrentThread
LocalAlloc
LocalFree
GetCurrentProcess
GetVersionExA
CreateMutexA
ReleaseMutex
OutputDebugStringA
GetLocalTime
lstrlenA
GetFileAttributesA
DeleteCriticalSection
SetFileAttributesA
CreateDirectoryA
LoadLibraryA
GetProcAddress
FreeLibrary
lstrcmpiA
GetModuleFileNameA
GetTempPathA
GetTempFileNameA
CopyFileA
GetCurrentProcessId
OpenProcess
CreateProcessA
GetShortPathNameA
CreateFileA
GetLastError
DeviceIoControl
CloseHandle
GetSystemDirectoryA
RemoveDirectoryA
DeleteFileA
Sleep

mfc42

ord2919
ord5465
ord4278
ord2764
ord5710
ord2763
ord6662
ord533
ord5194
ord798
ord2818
ord6407
ord2808
ord1997
ord6883
ord2452
ord1641
ord2614
ord6215
ord1105
ord6334
ord470
ord755
ord2863
ord4160
ord3092
ord2642
ord6199
ord2302
ord2370
ord567
ord1146
ord3721
ord3402
ord5290
ord1776
ord6055
ord3698
ord4234
ord324
ord3597
ord4425
ord4627
ord5277
ord2124
ord2446
ord5261
ord1727
ord5065
ord3749
ord6376
ord2055
ord2648
ord4441
ord4837
ord3798
ord5280
ord4353
ord6374
ord5163
ord2385
ord5241
ord4407
ord1775
ord4078
ord6052
ord4710
ord4998
ord4853
ord4376
ord5265
ord3178
ord922
ord5683
ord4277
ord6663
ord4129
ord2725
ord1134
ord1168
ord2621
ord1200
ord924
ord2915
ord5572
ord2514
ord765
ord795
ord641
ord815
ord825
ord561
ord3738
ord4424
ord4622
ord4080
ord3079
ord3825
ord1576
ord3831
ord3830
ord2976
ord3081
ord2985
ord3262
ord3136
ord4465
ord3259
ord3147
ord2982
ord5714
ord5289
ord5307
ord4698
ord4079
ord5302
ord5300
ord3346
ord2396
ord5199
ord1089
ord3922
ord5731
ord2512
ord2554
ord4486
ord6375
ord4274
ord4673
ord823
ord860
ord939
ord356
ord540
ord858
ord941
ord2770
ord2781
ord4058
ord3181
ord1980
ord668
ord537
ord535
ord800
ord2379

msvcrt

ceil
div
sin
cos
acos
_purecall
remove
memcmp
_CxxThrowException
atoi
strtoul
memmove
abs
calloc
_wfopen
fflush
fputc
getc
_stricmp
_setmbcp
??1type_info@@UAE@XZ
__CxxFrameHandler
__p___argv
__p___argc
fclose
fread
fsetpos
fopen
vsprintf
sprintf
_mbslwr
_mbsrchr
_mbsicmp
_except_handler3
__dllonexit
_onexit
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
memset
strcmp
_EH_prolog
strncpy
memcpy
strlen
free
malloc
fwrite
strcat
strcpy
toupper
strncmp
realloc
ftell
fseek
floor
_mbscmp
_ftol

user32

GetCursorPos
IsWindowVisible
ScreenToClient
LockWindowUpdate
GetDesktopWindow
GetMenuItemInfoA
InsertMenuItemA
DrawTextA
GetMenuItemCount
DestroyMenu
EnableMenuItem
DrawIconEx
GetClassLongA
InflateRect
EnableScrollBar
GetScrollInfo
GetScrollPos
GetScrollRange
SetScrollInfo
SetScrollPos
SetScrollRange
ShowScrollBar
GetDC
GetIconInfo
GetCursor
CharUpperBuffA
GetWindowTextA
BeginPaint
IsWindowEnabled
DestroyIcon
DrawStateA
EnumChildWindows
SetFocus
GetFocus
SetRect
SetWindowWord
GetWindowWord
SetCapture
ValidateRect
GetSubMenu
GetMenuItemID
GetWindowPlacement
SystemParametersInfoA
EqualRect
IsMenu
DrawMenuBar
CharLowerA
CharUpperA
DestroyCursor
LoadStringA
SetCursor
CopyIcon
CopyRect
MapWindowPoints
GetMessagePos
GetCapture
DrawTextExA
CreateIconIndirect
EndPaint
ClientToScreen
PtInRect
KillTimer
InvalidateRect
SetForegroundWindow
UpdateWindow
UnregisterClassA
LoadCursorA
RegisterClassExA
CreateWindowExA
GetKeyState
CopyAcceleratorTableA
GetMenu
SetMenu
OffsetRect
IsRectEmpty
ReleaseCapture
DestroyWindow
DrawEdge
IntersectRect
ExitWindowsEx
EnableWindow
GetWindowLongA
SetWindowLongA
SetTimer
IsIconic
GetSystemMetrics
DrawIcon
GetSystemMenu
AppendMenuA
LoadImageA
LoadIconA
FindWindowExA
GetClientRect
SendMessageA
MessageBoxA
wsprintfA
PostMessageA
GetWindowInfo
GetWindow
IsZoomed
MoveWindow
ShowWindow
ReleaseDC
GetWindowDC
GetWindowRect
SetWindowRgn
SetWindowPos
RemovePropA
SetPropA
RedrawWindow
CallWindowProcA
DefWindowProcA
GetSysColorBrush
GetSysColor
GetMessageA
FillRect
DispatchMessageA
IsWindow
UnhookWindowsHookEx
SetWindowsHookExA
GetParent
GetActiveWindow
GetClassNameA
GetPropA
GetMenuState
CallNextHookEx
DrawFrameControl
CreatePopupMenu

gdi32

CreateCompatibleDC
CreateCompatibleBitmap
GetDeviceCaps
CreateFontIndirectA
GetObjectA
StretchDIBits
PtInRegion
ExcludeClipRect
GetPixel
SetPixel
LineTo
MoveToEx
Rectangle
CreatePen
SelectClipRgn
GetClipRgn
TextOutA
GetTextExtentPoint32A
IntersectClipRect
GetDCOrgEx
GetRgnBox
GetTextMetricsA
UnrealizeObject
PatBlt
SetBrushOrgEx
CreatePatternBrush
ExtTextOutA
StretchBlt
Polygon
RestoreDC
SaveDC
CreateDIBitmap
CreateDIBSection
DeleteObject
CombineRgn
CreateRectRgn
OffsetRgn
CreateRectRgnIndirect
BitBlt
GetStockObject
SetBkMode
SelectObject
SetTextColor
CreateSolidBrush
GetTextExtentPointA
ExtCreateRegion
GetRegionData
DeleteDC
GetDIBits
CreateICA
GetClipBox
ExtSelectClipRgn
SetStretchBltMode
SetDIBitsToDevice
SelectPalette
RealizePalette
CreateBitmap
SetBkColor
RectVisible

advapi32

RegOpenKeyExA
OpenServiceA
OpenSCManagerA
DeleteService
ControlService
ImpersonateSelf
OpenThreadToken
AllocateAndInitializeSid
InitializeSecurityDescriptor
GetLengthSid
RegQueryValueA
InitializeAcl
AddAccessAllowedAce
SetSecurityDescriptorDacl
SetSecurityDescriptorGroup
SetSecurityDescriptorOwner
IsValidSecurityDescriptor
AccessCheck
RevertToSelf
FreeSid
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
RegEnumKeyExA
RegSetValueExA
RegQueryInfoKeyA
RegQueryValueExA
CloseServiceHandle
RegDeleteValueA
RegDeleteKeyA
RegCreateKeyExA
RegFlushKey
RegCloseKey

shell32

ExtractIconExA
SHGetSpecialFolderLocation
ShellExecuteA
SHGetPathFromIDListA

imagehlp

SymGetSymFromAddr
SymFunctionTableAccess
SymGetModuleBase
StackWalk
SymInitialize
ImageDirectoryEntryToData
SymCleanup

msvcirt

??1ios@@UAE@XZ
??0exception@@QAE@ABV0@@Z
?endl@@YAAAVostream@@AAV1@@Z
??0ofstream@@QAE@XZ
?openprot@filebuf@@2HB
?open@ofstream@@QAEXPBDHH@Z
?write@ostream@@QAEAAV1@PBDH@Z
?close@ofstream@@QAEXXZ
??1ofstream@@UAE@XZ
??_Dofstream@@QAEXXZ

msvcp60

??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
?_Xran@std@@YAXXZ
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
?erase@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@II@Z
?find_first_of@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z
??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z
?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z
??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z
??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z
??0logic_error@std@@QAE@ABV01@@Z
??0out_of_range@std@@QAE@ABV01@@Z
??1out_of_range@std@@UAE@XZ
??_7out_of_range@std@@6B@
??0logic_error@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z
?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
??1_Lockit@std@@QAE@XZ
??0_Lockit@std@@QAE@XZ
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
??Mstd@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB

comctl32

ImageList_AddMasked
ImageList_Remove
ImageList_GetImageCount
ImageList_Destroy
ImageList_GetIcon
ImageList_Draw
_TrackMouseEvent
ImageList_GetIconSize
ImageList_DrawEx
ImageList_Create

Sections

.text
Size: 356KB - Virtual size: 354KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 44KB - Virtual size: 42KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 83KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 120KB - Virtual size: 116KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
联想一键恢复(WINDOWS)/universal.dll
.dll windows:4 windows x86 arch:x86

c6917a43ec7f471fb3ae2d0ca4c91627

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04/12/2003, 00:00

Not After

03/12/2008, 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2d:f6:a0:ea:04:ee:72:75:b1:e6:94:fd:22:69:23:aa
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

15/12/2006, 00:00

Not After

15/12/2007, 23:59

Subject

CN=Xi'an Saming Technology Co.\, Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Xi'an Saming Technology Co.\, Ltd.,ST=Shannxi,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

47:48:a4:a6:24:0b:a7:eb:2e:7d:42:a0:7c:0b:56:e8:fc:6f:55:99
Signer

Actual PE Digest

47:48:a4:a6:24:0b:a7:eb:2e:7d:42:a0:7c:0b:56:e8:fc:6f:55:99

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

mfc42

ord2614
ord858
ord1200
ord5714
ord5289
ord5300
ord3346
ord2396
ord5199
ord1089
ord1570
ord1243
ord3922
ord5731
ord2512
ord825
ord2554
ord4486
ord6375
ord4274
ord860
ord941
ord5683
ord4129
ord540
ord2725
ord3953
ord815
ord561
ord3738
ord4424
ord4622
ord4080
ord3079
ord3825
ord3831
ord3830
ord2976
ord3081
ord2985
ord3262
ord3136
ord4465
ord3259
ord3147
ord2982
ord4698
ord4079
ord1116
ord1176
ord1575
ord5307
ord5302
ord537
ord2764
ord939
ord535
ord800
ord2915
ord823
ord1197
ord1253
ord1255
ord6467
ord1578
ord600
ord826
ord269
ord342
ord1182
ord1577
ord1168

msvcrt

sprintf
memmove
__dllonexit
_onexit
free
_initterm
malloc
_adjust_fdiv
??1type_info@@UAE@XZ
__CxxFrameHandler
_mbscmp
_EH_prolog

kernel32

LocalAlloc
LocalFree
GetVersionExA
GetModuleFileNameA
GetShortPathNameA
CloseHandle
GlobalAlloc
DeviceIoControl
GlobalFree
CreateFileA

advapi32

RegCloseKey
RegFlushKey
RegCreateKeyExA
RegOpenKeyExA
RegQueryValueExA

iphlpapi

GetAdaptersInfo

Exports

Exports

ExDrvGetPhyDriveInfoIn9x
ExGetPhyDriveInfoInNT
GetDiskSerial
GetDiskTypeFace

Sections

.text
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 944B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
联想一键恢复(WINDOWS)/usbdog.dll
.dll windows:4 windows x86 arch:x86

97c1e83aaf572f56063320c2cb82af45

Code Sign

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2d:f6:a0:ea:04:ee:72:75:b1:e6:94:fd:22:69:23:aa
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

15/12/2006, 00:00

Not After

15/12/2007, 23:59

Subject

CN=Xi'an Saming Technology Co.\, Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Xi'an Saming Technology Co.\, Ltd.,ST=Shannxi,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

51:13:31:96:aa:5b:9b:71:8d:01:c3:54:a2:ac:1c:e8:7a:2f:24:df
Signer

Actual PE Digest

51:13:31:96:aa:5b:9b:71:8d:01:c3:54:a2:ac:1c:e8:7a:2f:24:df

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

hid

HidP_GetCaps
HidD_GetAttributes
HidD_GetHidGuid
HidD_SetNumInputBuffers
HidD_GetNumInputBuffers
HidD_FreePreparsedData
HidD_GetManufacturerString
HidD_GetPreparsedData
HidD_FlushQueue

setupapi

SetupDiGetClassDevsA
SetupDiEnumDeviceInterfaces
SetupDiGetDeviceInterfaceDetailA
SetupDiDestroyDeviceInfoList

mfc42

ord823
ord858
ord825
ord800
ord860
ord540
ord535
ord940
ord665
ord2820
ord3811
ord1979
ord6385
ord5442
ord5186
ord354
ord2915
ord1168
ord1253
ord342
ord1182

msvcrt

_adjust_fdiv
rand
free
malloc
_mbscmp
_except_handler3
?terminate@@YAXXZ
_initterm
__CxxFrameHandler

kernel32

WriteFile
ReadFile
CreateFileA
CloseHandle

Exports

Exports

??0HIDDOG@@QAE@ABV0@@Z
??0HIDDOG@@QAE@XZ
??1HIDDOG@@UAE@XZ
??4HIDDOG@@QAEAAV0@ABV0@@Z
??_7HIDDOG@@6B@
?Addnoise@HIDDOG@@IAEHHHE@Z
?CompareStr@HIDDOG@@IAE_NPAG@Z
?GetDeviceCapabilities@HIDDOG@@IAEXXZ
?InitBuffer@HIDDOG@@IAE_NXZ
?InitVendorInformation@HIDDOG@@IAEHXZ
?Judgedog@HIDDOG@@IAE_NXZ
?Movedata@HIDDOG@@IAEXEE@Z
?ReadDataByte@HIDDOG@@IAEHHPAE@Z
?ReadDogByte@HIDDOG@@IAE_NG@Z
?ReadDogDword@HIDDOG@@IAEKH@Z
?ReadDogWord@HIDDOG@@IAEKH@Z
?ReadFreeDataByte@HIDDOG@@QAEHHPAE@Z
?ReadOneByte@HIDDOG@@IAE_NXZ
?ReadUserDataByte@HIDDOG@@QAEHHPAE@Z
?ReadUserInformation@HIDDOG@@IAEHHPAE@Z
?ReadVendorArea@HIDDOG@@IAEHHHPAE@Z
?ReadVendorDataByte@HIDDOG@@IAEHHPAE@Z
?ReadVendorInformation@HIDDOG@@QAEHHPAE@Z
?VerifyDog@HIDDOG@@QAEHXZ
?WriteDataByte@HIDDOG@@IAEHHE@Z
?WriteDevice@HIDDOG@@IAE_NXZ
?WriteDogByte@HIDDOG@@IAEHGE@Z
?WriteDogDword@HIDDOG@@IAEHHK@Z
?WriteDogWord@HIDDOG@@IAEHHG@Z
?WriteFreeDataByte@HIDDOG@@QAEHHE@Z
?WriteUserDataByte@HIDDOG@@QAEHHE@Z
?WriteUserInformation@HIDDOG@@IAEHHPAE@Z
?WriteVendorArea@HIDDOG@@IAEHHHPAE@Z
?WriteVendorDataByte@HIDDOG@@IAEHHE@Z

Sections

.text
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 180B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 832B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 344B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
联想一键恢复(WINDOWS)/windisk.dll
.dll windows:4 windows x86 arch:x86

a72cb320db2ce95cabeca15e8658b4c7

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

Issuer

CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA

Not Before

04/12/2003, 00:00

Not After

03/12/2013, 23:59

Subject

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

Issuer

CN=VeriSign Time Stamping Services CA,O=VeriSign\, Inc.,C=US

Not Before

04/12/2003, 00:00

Not After

03/12/2008, 23:59

Subject

CN=VeriSign Time Stamping Services Signer,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

Issuer

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Not Before

16/07/2004, 00:00

Not After

15/07/2014, 23:59

Subject

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageClientAuth
ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

2d:f6:a0:ea:04:ee:72:75:b1:e6:94:fd:22:69:23:aa
Certificate

Issuer

CN=VeriSign Class 3 Code Signing 2004 CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)04,O=VeriSign\, Inc.,C=US

Not Before

15/12/2006, 00:00

Not After

15/12/2007, 23:59

Subject

CN=Xi'an Saming Technology Co.\, Ltd.,OU=Digital ID Class 3 - Microsoft Software Validation v2,O=Xi'an Saming Technology Co.\, Ltd.,ST=Shannxi,C=CN

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0c:12:06:00:00:00:00:00:1b
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:01

Not After

23/05/2016, 17:11

Subject

OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

cf:42:61:e5:8a:0b:94:f8:50:c0:63:64:d9:a7:17:a8:26:36:dd:a9
Signer

Actual PE Digest

cf:42:61:e5:8a:0b:94:f8:50:c0:63:64:d9:a7:17:a8:26:36:dd:a9

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

mfc42

ord1176
ord1575
ord1168
ord1577
ord1182
ord342
ord3346
ord1197
ord1570
ord1253
ord2614
ord6467
ord1578
ord600
ord826
ord269
ord2396
ord5199
ord1116
ord1089
ord5300
ord5572
ord533
ord5194
ord798
ord2818
ord924
ord6407
ord2808
ord1997
ord2915
ord2725
ord3953
ord815
ord561
ord3738
ord4424
ord4622
ord4080
ord3079
ord3825
ord3831
ord3830
ord2976
ord3081
ord2985
ord3262
ord3136
ord4465
ord3259
ord3147
ord2982
ord5714
ord5289
ord5307
ord4698
ord3922
ord5731
ord2512
ord2554
ord4079
ord5302
ord1255
ord4486
ord6375
ord4274
ord540
ord823
ord825
ord537
ord860
ord941
ord5683
ord4129
ord858
ord800
ord1243
ord1200

msvcrt

sprintf
__CxxFrameHandler
_adjust_fdiv
malloc
_initterm
free
_onexit
__dllonexit
_EH_prolog
??1type_info@@UAE@XZ
vsprintf
fopen
fclose

kernel32

GetModuleHandleA
FormatMessageA
LocalAlloc
LocalFree
GetCurrentProcess
GetVersionExA
GetWindowsDirectoryA
GetLocalTime
GetLastError
FlushFileBuffers
GetLogicalDrives
LoadLibraryA
GetProcAddress
FreeLibrary
GetTempPathA
CopyFileA
Sleep
GetModuleFileNameA
GetShortPathNameA
SetFilePointer
ReadFile
CloseHandle
CreateFileA
DeviceIoControl
WriteFile

user32

MessageBoxA
wsprintfA

advapi32

RegFlushKey
RegCloseKey
DeleteService
ControlService
OpenServiceA
StartServiceA
OpenSCManagerA
CreateServiceA
CloseServiceHandle
RegOpenKeyExA
RegQueryValueExA
RegCreateKeyExA

Exports

Exports

ExDetectProtect
ExFlushDisk
ExFlushPartNt
ExGetDiskInfo
ExRWDisk
ExRWDiskAbs
ExRWDiskAbs_H
ExRwLogicalDisk

Sections

.text
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 4KB - Virtual size: 896B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

8cbd3270bca5d082489bffecc96c04b6

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

Sections

.text Size: 21KB - Virtual size: 20KB

.rdata Size: 6KB - Virtual size: 6KB

.data Size: 1KB - Virtual size: 6KB

9cac0264641da005d5a3e9cd9b3ab623

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88Certificate

Extended Key Usages

Key Usages

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2Certificate

Extended Key Usages

Key Usages

2d:f6:a0:ea:04:ee:72:75:b1:e6:94:fd:22:69:23:aaCertificate

Extended Key Usages

Key Usages

61:0c:12:06:00:00:00:00:00:1bCertificate

Key Usages

a9:11:e9:7b:47:92:52:6d:e3:c6:3d:7a:cb:42:8c:81:79:51:56:7eSigner

Headers

File Characteristics

Imports

universal

enc

wininet

mfc42

msvcrt

kernel32

user32

advapi32

Exports

Exports

Sections

.text Size: 20KB - Virtual size: 16KB

.rdata Size: 8KB - Virtual size: 4KB

.data Size: 4KB - Virtual size: 5KB

.rsrc Size: 8KB - Virtual size: 6KB

.reloc Size: 4KB - Virtual size: 3KB

0872f815e2988901086b6641a9bc46e9

Code Sign

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4Certificate

Extended Key Usages

Key Usages

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88Certificate

Extended Key Usages

Key Usages

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2Certificate

Extended Key Usages

Key Usages

2d:f6:a0:ea:04:ee:72:75:b1:e6:94:fd:22:69:23:aaCertificate

Extended Key Usages

Key Usages

61:0c:12:06:00:00:00:00:00:1bCertificate

Key Usages

a8:ee:93:1a:3d:3c:e6:24:a1:a0:f5:55:fd:49:44:47:31:aa:9b:64Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

ntoskrnl.exe

hal

Sections

.text Size: 11KB - Virtual size: 11KB

.rdata Size: 512B - Virtual size: 270B

.data Size: 512B - Virtual size: 3KB

.text
Size: 21KB - Virtual size: 20KB

.rdata
Size: 6KB - Virtual size: 6KB

.data
Size: 1KB - Virtual size: 6KB

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

2d:f6:a0:ea:04:ee:72:75:b1:e6:94:fd:22:69:23:aa
Certificate

61:0c:12:06:00:00:00:00:00:1b
Certificate

a9:11:e9:7b:47:92:52:6d:e3:c6:3d:7a:cb:42:8c:81:79:51:56:7e
Signer

.text
Size: 20KB - Virtual size: 16KB

.rdata
Size: 8KB - Virtual size: 4KB

.data
Size: 4KB - Virtual size: 5KB

.rsrc
Size: 8KB - Virtual size: 6KB

.reloc
Size: 4KB - Virtual size: 3KB

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

2d:f6:a0:ea:04:ee:72:75:b1:e6:94:fd:22:69:23:aa
Certificate

61:0c:12:06:00:00:00:00:00:1b
Certificate

a8:ee:93:1a:3d:3c:e6:24:a1:a0:f5:55:fd:49:44:47:31:aa:9b:64
Signer

.text
Size: 11KB - Virtual size: 11KB

.rdata
Size: 512B - Virtual size: 270B

.data
Size: 512B - Virtual size: 3KB

INIT
Size: 1024B - Virtual size: 1002B

.rsrc
Size: 1024B - Virtual size: 856B

.reloc
Size: 1KB - Virtual size: 1KB

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

2d:f6:a0:ea:04:ee:72:75:b1:e6:94:fd:22:69:23:aa
Certificate

61:0c:12:06:00:00:00:00:00:1b
Certificate

0b:7d:d9:81:7a:d7:2c:c7:d5:33:95:9d:7d:7d:81:6d:25:ed:6a:66
Signer

.text
Size: 20KB - Virtual size: 19KB

.rdata
Size: 4KB - Virtual size: 1KB

.data
Size: 4KB - Virtual size: 4KB

.idata
Size: 4KB - Virtual size: 1KB

.reloc
Size: 4KB - Virtual size: 1KB

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate

41:91:a1:5a:39:78:df:cf:49:65:66:38:1d:4c:75:c2
Certificate

2d:f6:a0:ea:04:ee:72:75:b1:e6:94:fd:22:69:23:aa
Certificate

61:0c:12:06:00:00:00:00:00:1b
Certificate

19:89:49:07:e4:e3:6e:96:cf:a5:50:2c:54:5b:05:10:a4:02:9c:a0
Signer

.text
Size: 16KB - Virtual size: 13KB

.rdata
Size: 4KB - Virtual size: 2KB

.data
Size: 4KB - Virtual size: 2KB

.rsrc
Size: 4KB - Virtual size: 912B

.reloc
Size: 4KB - Virtual size: 1KB

47:bf:19:95:df:8d:52:46:43:f7:db:6d:48:0d:31:a4
Certificate

0d:e9:2b:f0:d4:d8:29:88:18:32:05:09:5e:9a:76:88
Certificate