x64_x32_installer__v4[.]3[.]7[.]zip

Sharing

Copy URL

Twitter E-mail

General

Target

x64_x32_installer__v4.3.7.zip
Size

33.9MB
MD5

9998e68a5f13b04dc85106f613853e47
SHA1

cd7de7683d0e6441069075e4619263062d7d9a9a
SHA256

a958b19095b8dc1e7d0bd2812c47aee116fde91568fa82b2187f1850523cca7f
SHA512

bf10c158ab89f505e7a395ab5f28ae7ed71d50bdc3252e3b3e9f48311912de97ed504845ff7f48f24ec9ef7cd0477a750c4818674c0e698f5732650cea782936
SSDEEP

786432:26ozVfGddLGUn/7kCdAMS8SE7+Hdbalx9FKKrLRCkr6g+s:Bd7Az8vDKKJ/Zj

Score

3^/10

Malware Config

Signatures

Unsigned PE 8 IoCs

Checks for missing Authenticode signature.

resource
unpack001/AppResolver/CaptureService.dll
unpack001/AppResolver/Windows.UI.FileExplorer.dll
unpack001/AppResolver/aadjcsp.dll
unpack001/vmrdvcore/VideoHandlers.dll
unpack001/vmrdvcore/vmrdvcore.dll
unpack001/vmrdvcore/wkssvc.dll
unpack001/win32spl/WiFiDisplay.dll
unpack001/win32spl/win32spl.dll

Files

x64_x32_installer__v4.3.7.zip
.zip

Password: infected
AppResolver/AppResolver.dll
.dll windows:10 windows x64 arch:x64

Password: infected

0e436b03a9170a850ade7a48204599a3

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02-09-2021 18:23

Not After

01-09-2022 18:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

6c:a5:d2:e2:b6:11:6e:26:00:33:af:bf:01:10:f8:87:22:4e:eb:79:ad:95:a0:fc:f5:95:6e:56:48:d7:5a:65
Signer

Actual PE Digest

6c:a5:d2:e2:b6:11:6e:26:00:33:af:bf:01:10:f8:87:22:4e:eb:79:ad:95:a0:fc:f5:95:6e:56:48:d7:5a:65

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

AppResolver.pdb

Imports

api-ms-win-crt-runtime-l1-1-0

_initterm_e
_initterm

api-ms-win-crt-private-l1-1-0

_o__itow_s
_o__purecall
_o__register_onexit_function
_o__seh_filter_dll
_o__set_errno
_o__ui64tow_s
_o__wcstoui64
memmove
_o__wtoi
_o_free
_o_malloc
_o_towupper
__C_specific_handler
_o__get_errno
_o__execute_onexit_table
_o__errno
_o__crt_atexit
_o__configure_narrow_argv
_o__cexit
_o__callnewh
wcschr
wcsrchr
__CxxFrameHandler3
_CxxThrowException
_o___stdio_common_vswscanf
_o___stdio_common_vswprintf
_o___stdio_common_vsnprintf_s
_o__invalid_parameter_noinfo_noreturn
_o__invalid_parameter_noinfo
_o__initialize_onexit_table
_o__initialize_narrow_environment
_o___std_type_info_destroy_list
_o___std_exception_destroy
_o___std_exception_copy
__std_terminate
__CxxFrameHandler4
memcmp
memcpy

api-ms-win-crt-string-l1-1-0

memset
wcscmp
wcsspn

api-ms-win-core-synch-l1-2-0

InitOnceComplete
InitOnceBeginInitialize
InitOnceExecuteOnce

api-ms-win-core-winrt-string-l1-1-0

WindowsDeleteString
WindowsDuplicateString
WindowsCreateStringReference
WindowsStringHasEmbeddedNull
WindowsGetStringRawBuffer
WindowsIsStringEmpty
WindowsCreateString

api-ms-win-eventing-provider-l1-1-0

EventRegister
EventSetInformation
EventUnregister
EventWriteTransfer
EventActivityIdControl

api-ms-win-core-util-l1-1-0

EncodePointer
DecodePointer

api-ms-win-core-winrt-error-l1-1-0

RoOriginateErrorW
RoOriginateError
SetRestrictedErrorInfo

api-ms-win-core-synch-l1-1-0

InitializeSRWLock
OpenSemaphoreW
ReleaseSemaphore
CreateSemaphoreExW
CreateMutexExW
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
WaitForSingleObjectEx
InitializeCriticalSectionEx
CreateEventExW
SetEvent
WaitForSingleObject
InitializeCriticalSection
ResetEvent
ReleaseMutex
CreateEventW
AcquireSRWLockShared
ReleaseSRWLockShared
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
OpenEventW

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleW
GetProcAddress
GetModuleFileNameW
GetModuleHandleExW
DisableThreadLibraryCalls
GetModuleFileNameA

api-ms-win-core-heap-l1-1-0

HeapFree
GetProcessHeap
HeapReAlloc
HeapAlloc

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-0

GetProcessTimes
GetCurrentProcessId
GetCurrentThreadId
ProcessIdToSessionId
OpenProcessToken
GetCurrentThread
GetCurrentProcess
TerminateProcess
OpenThreadToken

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

api-ms-win-core-rtlsupport-l1-1-0

RtlLookupFunctionEntry
RtlVirtualUnwind
RtlCaptureContext

api-ms-win-core-debug-l1-1-0

DebugBreak
IsDebuggerPresent
OutputDebugStringW

api-ms-win-core-errorhandling-l1-1-0

SetLastError
GetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
RaiseException

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent
OpenProcess

api-ms-win-shell-namespace-l1-1-0

ILClone
SHCreateItemWithParent
ILCloneFirst
SHBindToParent
ILFindLastID
SHCreateItemFromIDList
ILFree
SHCreateItemFromParsingName
SHBindToFolderIDListParentEx
ILIsParent
ILIsEqual
SHParseDisplayName
ILCombine
ILGetSize
SHGetIDListFromObject
SHBindToObject

bcp47langs

GetUserLanguages

shcore

IStream_Read
IUnknown_QueryService
SHTaskPoolQueueTask
GetScaleFactorForDevice
ord109
IStream_Size
SHSetValueW
SHGetValueW
ord123
ord170
SHAnsiToUnicode
ord145
ord193
ord190
ord188
SHQueryValueExW
SHTaskPoolGetUniqueContext
ord213
IUnknown_GetSite
IUnknown_Set
ord192
SHStrDupW
ord130
ord122

windows.storage

SHGetDesktopFolder
ord942
SHGetKnownFolderPath

gdi32

GetObjectW
CreateDIBSection
CreateCompatibleDC
StretchDIBits
GdiAlphaBlend
DeleteDC
DeleteObject
SelectObject

ntdll

NtQueryInformationProcess
RtlNtStatusToDosError
RtlPublishWnfStateData
RtlFreeHeap
RtlInitUnicodeString
RtlUnsubscribeWnfNotificationWaitForCompletion
RtlReleaseSRWLockExclusive
RtlCompareUnicodeString
RtlNtStatusToDosErrorNoTeb
NtQueryInformationToken
NtQueryWnfStateData
RtlSubscribeWnfStateChangeNotification
RtlAcquireSRWLockExclusive
RtlAllocateHeap

ole32

CoAllowSetForegroundWindow
CoInitializeEx
CoUninitialize
PropVariantClear
CoCreateInstance
CoTaskMemFree
CoTaskMemAlloc
CoTaskMemRealloc
CoGetMalloc
CoWaitForMultipleHandles
CoGetCallContext
StringFromGUID2
CoCreateFreeThreadedMarshaler
CoCreateGuid
RoGetAgileReference
CoMarshalInterThreadInterfaceInStream
CoReleaseMarshalData
CoGetInterfaceAndReleaseStream
CreateBindCtx
ReleaseStgMedium

shlwapi

StrDupW
StrCmpW
PathRemoveFileSpecW
AssocCreate
PathGetDriveNumberW
PathIsUNCW
PathIsRelativeW
PathIsURLW
ord487
ord219
PathCommonPrefixW
PathFindExtensionW
PathIsPrefixW
PathUnquoteSpacesW
ord156
PathRemoveBlanksW
PathGetArgsW
StrStrIW
PathParseIconLocationW
ord158
ord157
PathFindFileNameW
PathIsFileSpecW
ord154
PathFileExistsW
StrChrW
SHStrDupA
ord217
ord174
ord24
ord236
ord460
PathRemoveExtensionW
ord172

slc

SLGetWindowsInformationDWORD

user32

MonitorFromPoint
PostMessageW
FindWindowW
SetWindowLongPtrW
DefWindowProcW
GetWindowLongPtrW
SendNotifyMessageW
SetTimer
DestroyWindow
KillTimer
SetWindowTextW
InsertMenuW
CreatePopupMenu
LoadStringA
CharUpperBuffW
GetWindowThreadProcessId
CopyImage
GetSysColor
SystemParametersInfoW
CreateIconIndirect
DestroyIcon
ReleaseDC
GetDC
LoadStringW
DestroyMenu
GetMenuDefaultItem
RegisterClipboardFormatW

msvcp_win

?_Xlength_error@std@@YAXPEBD@Z

api-ms-win-core-localization-l1-2-0

GetThreadPreferredUILanguages
GetUserDefaultLCID
FormatMessageW
GetUserGeoID

api-ms-win-core-path-l1-1-0

PathCchRemoveBackslash
PathCchFindExtension
PathCchCombine
PathCchAppend
PathCchRemoveExtension
PathAllocCombine
PathCchRemoveFileSpec

api-ms-win-core-string-l1-1-0

CompareStringOrdinal

api-ms-win-core-file-l1-1-0

CreateDirectoryW
GetLongPathNameW
CompareFileTime
DeleteFileW
GetFileSizeEx
CreateFileW

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-threadpool-l1-2-0

CloseThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CreateThreadpoolTimer
SetThreadpoolTimer

api-ms-win-core-heap-l2-1-0

LocalReAlloc
LocalFree
LocalAlloc

api-ms-win-core-winrt-l1-1-0

RoGetActivationFactory
RoActivateInstance

api-ms-win-core-memory-l1-1-0

MapViewOfFile
CreateFileMappingW
ReadProcessMemory
UnmapViewOfFile

api-ms-win-core-memory-l1-1-1

PrefetchVirtualMemory

api-ms-win-core-string-obsolete-l1-1-0

lstrlenW

api-ms-win-core-file-l1-2-0

GetTempPathW

api-ms-win-core-file-l2-1-2

CopyFileW

api-ms-win-core-largeinteger-l1-1-0

MulDiv

api-ms-win-core-psapi-l1-1-0

QueryFullProcessImageNameW

api-ms-win-core-registry-l1-1-0

RegOpenKeyExW
RegGetValueW
RegCloseKey
RegSetValueExW
RegQueryValueExW
RegDeleteValueW
RegCreateKeyExW
RegEnumValueW
RegQueryInfoKeyW

userenv

GetProfileType

api-ms-win-core-heap-obsolete-l1-1-0

GlobalUnlock
GlobalLock

api-ms-win-core-localization-obsolete-l1-2-0

GetUserDefaultUILanguage

api-ms-win-core-registry-l1-1-1

RegSetKeyValueW

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW

api-ms-win-core-winrt-error-l1-1-1

RoGetMatchingRestrictedErrorInfo

api-ms-win-security-base-l1-1-0

GetFileSecurityW
GetSecurityDescriptorSacl
GetAce
GetSidSubAuthority
GetTokenInformation
DuplicateTokenEx

api-ms-win-security-capability-l1-1-0

CapabilityCheck

api-ms-win-shcore-stream-l1-1-0

SHCreateStreamOnFileW

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-appmodel-runtime-l1-1-3

GetStagedPackagePathByFullName2

api-ms-win-appmodel-runtime-l1-1-0

PackageFamilyNameFromFullName
OpenPackageInfoByFullName
GetPackageInfo
ClosePackageInfo

api-ms-win-crt-math-l1-1-0

ceilf

Exports

Exports

DllCanUnloadNow
DllGetActivationFactory
DllGetClassObject

Sections

.text
Size: 405KB - Virtual size: 404KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 111KB - Virtual size: 110KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1024B - Virtual size: 656B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 16KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
AppResolver/CaptureService.dll
.dll windows:10 windows x64 arch:x64

Password: infected

602844247931d42e1fd8895d53bc7a53

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

CaptureService.pdb

Imports

msvcp_win

?_Xlength_error@std@@YAXPEBD@Z
?_Xbad_function_call@std@@YAXXZ

api-ms-win-crt-runtime-l1-1-0

_initterm_e
_initterm

api-ms-win-crt-private-l1-1-0

_o__errno
_o__execute_onexit_table
_o__initialize_narrow_environment
_o__initialize_onexit_table
_o__invalid_parameter_noinfo
_o__invalid_parameter_noinfo_noreturn
_o__purecall
_o__register_onexit_function
_o__seh_filter_dll
_o___stdio_common_vswprintf
memmove
_o_ceil
_o_free
_o_malloc
_o_terminate
__C_specific_handler
__CxxFrameHandler3
_o__cexit
_CxxThrowException
_o__callnewh
_o___stdio_common_vsnprintf_s
_o___std_type_info_destroy_list
_o___std_exception_destroy
_o___std_exception_copy
_o__configure_narrow_argv
_o__crt_atexit
__std_terminate
__CxxFrameHandler4
memcpy

api-ms-win-crt-string-l1-1-0

memset

api-ms-win-core-com-l1-1-0

CoTaskMemAlloc
CoAddRefServerProcess
CoReleaseServerProcess
CoGetObjectContext
CoCreateFreeThreadedMarshaler
CoGetInterfaceAndReleaseStream
CoRegisterClassObject
CoDisconnectContext
CoCreateInstance
CoResumeClassObjects
CoDecrementMTAUsage
CoReleaseMarshalData
CoGetCallContext
CoInitializeSecurity
CoRevokeClassObject
CreateStreamOnHGlobal
CoWaitForMultipleHandles
CoMarshalInterface

api-ms-win-core-libraryloader-l1-2-0

DisableThreadLibraryCalls
GetProcAddress
GetModuleHandleW
GetModuleHandleExW
GetModuleFileNameA

api-ms-win-core-synch-l1-2-0

InitOnceComplete
InitOnceExecuteOnce
InitOnceBeginInitialize

api-ms-win-core-synch-l1-1-0

OpenSemaphoreW
CreateSemaphoreExW
ReleaseSemaphore
WaitForSingleObject
CreateEventW
SetEvent
AcquireSRWLockShared
CreateEventExW
ReleaseSRWLockShared
CreateMutexExW
WaitForSingleObjectEx
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
ReleaseMutex

api-ms-win-core-heap-l1-1-0

HeapAlloc
HeapFree
GetProcessHeap

api-ms-win-core-errorhandling-l1-1-0

GetLastError
SetLastError
RaiseException
SetUnhandledExceptionFilter
UnhandledExceptionFilter

api-ms-win-core-winrt-string-l1-1-0

WindowsGetStringRawBuffer
WindowsDeleteString
WindowsIsStringEmpty
WindowsStringHasEmbeddedNull
WindowsCreateString
WindowsCreateStringReference

api-ms-win-core-util-l1-1-0

DecodePointer
EncodePointer

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcess
GetCurrentThreadId
OpenProcessToken
GetCurrentProcessId
GetProcessId
TerminateProcess

api-ms-win-core-winrt-l1-1-0

RoRegisterActivationFactories
RoUninitialize
RoRevokeActivationFactories
RoGetActivationFactory
RoInitialize

api-ms-win-core-winrt-error-l1-1-0

RoTransformError
RoOriginateError
RoOriginateErrorW
GetRestrictedErrorInfo
SetRestrictedErrorInfo

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-debug-l1-1-0

DebugBreak
IsDebuggerPresent
OutputDebugStringW

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

api-ms-win-eventing-provider-l1-1-0

EventUnregister
EventSetInformation
EventRegister
EventActivityIdControl
EventWriteTransfer

api-ms-win-core-registry-l1-1-0

RegQueryInfoKeyW
RegOpenKeyExW
RegGetValueW
RegEnumKeyExW
RegCloseKey

api-ms-win-core-winrt-error-l1-1-1

IsErrorPropagationEnabled
RoGetMatchingRestrictedErrorInfo
RoReportFailedDelegate

api-ms-win-core-com-l1-1-1

RoGetAgileReference

api-ms-win-shcore-taskpool-l1-1-0

SHTaskPoolAllowThreadReuse
SHTaskPoolQueueTask

api-ms-win-core-processthreads-l1-1-1

OpenProcess
IsProcessorFeaturePresent

api-ms-win-security-base-l1-1-0

GetTokenInformation
MakeAbsoluteSD
GetSidSubAuthorityCount
GetSidSubAuthority

api-ms-win-service-core-l1-1-0

RegisterServiceCtrlHandlerExW
SetServiceStatus

api-ms-win-security-sddl-l1-1-0

ConvertStringSecurityDescriptorToSecurityDescriptorW

api-ms-win-core-heap-l2-1-0

LocalAlloc
LocalFree

api-ms-win-core-rtlsupport-l1-1-0

RtlVirtualUnwind
RtlCaptureContext
RtlLookupFunctionEntry

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

dcomp

DCompositionCreateDevice

policymanager

PolicyManager_GetPolicyInt

combase

ord67
ord69
ord68
ord66

Exports

Exports

ServiceMain

Sections

.text
Size: 87KB - Virtual size: 87KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 30KB - Virtual size: 29KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
AppResolver/Windows.UI.FileExplorer.dll
.dll windows:10 windows x64 arch:x64

Password: infected

976f837abd707819a5be58be89a64d37

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

windows.ui.fileexplorer.pdb

Imports

api-ms-win-crt-private-l1-1-0

_o__initialize_narrow_environment
_o__initialize_onexit_table
_o__invalid_parameter_noinfo
_o__invalid_parameter_noinfo_noreturn
_o__purecall
_o__register_onexit_function
_o__seh_filter_dll
_o_free
_o_iswspace
_o_malloc
_o_terminate
_o_toupper
__CxxFrameHandler4
__std_terminate
memcmp
memcpy
memmove
_o__crt_atexit
_o___stdio_common_vswprintf
_o__execute_onexit_table
_o__errno
_o___stdio_common_vsprintf_s
_o__configure_narrow_argv
_o___stdio_common_vsnprintf_s
_o__cexit
_o__callnewh
_o___std_type_info_destroy_list
_o___std_exception_destroy
_o___std_exception_copy
_CxxThrowException
__CxxFrameHandler3
__C_specific_handler

api-ms-win-crt-string-l1-1-0

wcslen
memset
wcsncmp
strlen

api-ms-win-crt-math-l1-1-0

ceilf

api-ms-win-crt-runtime-l1-1-0

_initterm
_initterm_e

msvcp_win

_Mtx_init_in_situ
_Mtx_destroy_in_situ
_Mtx_unlock
?_Throw_C_error@std@@YAXH@Z
_Mtx_lock
?_Xlength_error@std@@YAXPEBD@Z
?_Xbad_function_call@std@@YAXXZ
?__ExceptionPtrAssign@@YAXPEAXPEBX@Z
?__ExceptionPtrCopy@@YAXPEAXPEBX@Z
?__ExceptionPtrCurrentException@@YAXPEAX@Z
?__ExceptionPtrCreate@@YAXPEAX@Z
?__ExceptionPtrRethrow@@YAXPEBX@Z
?__ExceptionPtrCopyException@@YAXPEAXPEBX1@Z
?_Xout_of_range@std@@YAXPEBD@Z
?__ExceptionPtrDestroy@@YAXPEAX@Z

api-ms-win-core-com-l1-1-0

CoTaskMemFree
CoCreateFreeThreadedMarshaler
CoGetObjectContext
StringFromGUID2
CoTaskMemAlloc
CoIncrementMTAUsage
CoCreateInstance
PropVariantClear

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
IsDebuggerPresent
DebugBreak

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcessId
TerminateProcess
GetCurrentProcess
GetCurrentThreadId

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-synch-l1-2-0

Sleep
InitOnceBeginInitialize
InitOnceComplete
InitOnceExecuteOnce

api-ms-win-core-url-l1-1-0

PathIsURLW

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer
EventSetInformation
EventActivityIdControl
EventProviderEnabled
EventUnregister
EventRegister

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
GetLastError
SetLastError
SetUnhandledExceptionFilter

api-ms-win-core-synch-l1-1-0

DeleteCriticalSection
AcquireSRWLockShared
ReleaseSRWLockShared
WaitForSingleObjectEx
ReleaseMutex
WaitForSingleObject
InitializeCriticalSectionEx
LeaveCriticalSection
ReleaseSemaphore
EnterCriticalSection
CreateSemaphoreExW
CreateMutexExW
ReleaseSRWLockExclusive
OpenSemaphoreW
AcquireSRWLockExclusive

api-ms-win-core-heap-l1-1-0

HeapAlloc
GetProcessHeap
HeapFree

rpcrt4

UuidCreate

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleExW
GetModuleHandleW
GetModuleFileNameW
GetModuleFileNameA
GetProcAddress
FindStringOrdinal

api-ms-win-core-largeinteger-l1-1-0

MulDiv

api-ms-win-core-threadpool-l1-2-0

WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
SetThreadpoolTimer
CreateThreadpoolTimer

api-ms-win-core-string-l1-1-0

MultiByteToWideChar
CompareStringOrdinal

api-ms-win-core-registry-l1-1-0

RegOpenKeyExW
RegCloseKey
RegGetValueW
RegQueryInfoKeyW

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetTickCount64
GetTickCount

api-ms-win-core-registry-l1-1-1

RegSetKeyValueW

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-localization-obsolete-l1-2-0

GetUserDefaultUILanguage

oleaut32

SysStringLen
VariantInit
SysAllocString
SysFreeString

api-ms-win-core-file-l1-1-0

GetFullPathNameW

api-ms-win-core-processthreads-l1-1-1

OpenProcess
IsProcessorFeaturePresent

api-ms-win-core-psapi-l1-1-0

K32GetModuleFileNameExW

api-ms-win-core-rtlsupport-l1-1-0

RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-interlocked-l1-1-0

InterlockedFlushSList
InitializeSListHead
InterlockedPushEntrySList

propsys

PropVariantToUInt32

shlwapi

ord176
PathIsUNCW

shell32

SHParseDisplayName
ord850
SHCreateItemFromParsingName
ord68

oleacc

CreateStdAccessibleObject
LresultFromObject

comctl32

ord410
ord412
ord413

shcore

ord142
ord190

api-ms-win-stateseparation-helpers-l1-1-0

GetPersistedRegistryLocationW

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc

ntdll

RtlNtStatusToDosError
RtlQueryWnfStateData

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-winrt-error-l1-1-0

SetRestrictedErrorInfo
RoTransformError
RoFailFastWithErrorContext
GetRestrictedErrorInfo

api-ms-win-core-winrt-error-l1-1-1

RoOriginateLanguageException

api-ms-win-core-winrt-string-l1-1-0

WindowsPreallocateStringBuffer
WindowsPromoteStringBuffer
WindowsGetStringRawBuffer
WindowsDuplicateString
WindowsDeleteString
WindowsCreateString
WindowsDeleteStringBuffer
WindowsCreateStringReference

api-ms-win-core-winrt-l1-1-0

RoGetActivationFactory

api-ms-win-core-com-l1-1-1

RoGetAgileReference

Exports

Exports

DllCanUnloadNow
DllGetClassObject

Sections

.text
Size: 192KB - Virtual size: 191KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 57KB - Virtual size: 57KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1024B - Virtual size: 536B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
AppResolver/aadjcsp.dll
.dll windows:10 windows x64 arch:x64

Password: infected

f21820724f17b824298b4c5044c69c3a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

AADJCSP.pdb

Imports

msvcp110_win

?_Xlength_error@std@@YAXPEBD@Z
?_Syserror_map@std@@YAPEBDH@Z
?_Winerror_map@std@@YAPEBDH@Z
?_Xout_of_range@std@@YAXPEBD@Z
?_Xbad_alloc@std@@YAXXZ

msvcrt

memmove
memcpy
??1type_info@@UEAA@XZ
_onexit
__dllonexit
_unlock
_lock
?terminate@@YAXXZ
__C_specific_handler
_initterm
free
_amsg_exit
_XcptFilter
_callnewh
malloc
memmove_s
memcmp
memset
??0exception@@QEAA@AEBV0@@Z
??0exception@@QEAA@XZ
??1exception@@UEAA@XZ
_CxxThrowException
_purecall
??3@YAXPEAX@Z
memcpy_s
_vsnwprintf
_wcsicmp
toupper
__CxxFrameHandler3
_vsnprintf_s

aadtb

AADTBAcquireTokenEx
AADTBFreeString

dsreg

DsrIsDeviceJoined

api-ms-win-core-libraryloader-l1-2-0

DisableThreadLibraryCalls
GetModuleHandleW
GetModuleHandleExW
GetProcAddress
GetModuleFileNameA

api-ms-win-core-synch-l1-1-0

ResetEvent
OpenSemaphoreW
CreateMutexExW
WaitForSingleObjectEx
AcquireSRWLockShared
ReleaseMutex
WaitForSingleObject
DeleteCriticalSection
ReleaseSRWLockExclusive
CreateEventA
EnterCriticalSection
ReleaseSRWLockShared
ReleaseSemaphore
AcquireSRWLockExclusive
SetEvent
LeaveCriticalSection
CreateSemaphoreExW
InitializeCriticalSectionEx

api-ms-win-core-heap-l1-1-0

HeapAlloc
GetProcessHeap
HeapFree

api-ms-win-core-errorhandling-l1-1-0

GetLastError
SetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcess
GetCurrentThreadId
TerminateProcess
GetCurrentProcessId

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-debug-l1-1-0

DebugBreak
IsDebuggerPresent
OutputDebugStringW

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer
EventSetInformation
EventUnregister
EventActivityIdControl
EventRegister
EventProviderEnabled

api-ms-win-core-synch-l1-2-0

InitOnceComplete
InitOnceBeginInitialize
Sleep

wkscli

NetGetJoinInformation

iphlpapi

CancelMibChangeNotify2
NotifyNetworkConnectivityHintChange
GetNetworkConnectivityHint

api-ms-win-core-com-l1-1-0

CoTaskMemAlloc
CoGetMalloc
CoCreateInstance
CoTaskMemFree

api-ms-win-core-threadpool-l1-2-0

CloseThreadpoolTimer
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CreateThreadpoolTimer

oleaut32

VariantInit
SysFreeString
SysAllocString

netutils

NetApiBufferFree

api-ms-win-core-winrt-l1-1-0

RoInitialize

api-ms-win-core-rtlsupport-l1-1-0

RtlLookupFunctionEntry
RtlCaptureContext
RtlVirtualUnwind

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime

api-ms-win-core-heap-l2-1-0

LocalAlloc

Exports

Exports

DllGetClassObject

Sections

.text
Size: 63KB - Virtual size: 63KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 24KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 984B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 552B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
vmrdvcore/VideoHandlers.dll
.dll windows:10 windows x64 arch:x64

Password: infected

d8665a89cb65b8d90996d9f921641fab

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

VideoHandlers.pdb

Imports

api-ms-win-crt-runtime-l1-1-0

_initterm_e
_initterm

api-ms-win-crt-private-l1-1-0

_o__initialize_narrow_environment
_o__initialize_onexit_table
_o__invalid_parameter_noinfo
_o__invalid_parameter_noinfo_noreturn
_o__purecall
_o__register_onexit_function
_o__seh_filter_dll
memmove
_o_bsearch_s
_o_free
_o_malloc
_o_qsort
_o_realloc
_o_strncpy_s
_o_terminate
__C_specific_handler
_o___std_type_info_destroy_list
_o___std_exception_destroy
_o__crt_atexit
_o___std_exception_copy
_o__configure_narrow_argv
_o__cexit
_o__callnewh
_o__execute_onexit_table
_o__errno
_o___stdio_common_vswprintf
__std_terminate
_CxxThrowException
__CxxFrameHandler4
_o___stdio_common_vsnprintf_s
__CxxFrameHandler3
memcpy

api-ms-win-crt-string-l1-1-0

memset
strnlen
wcsnlen
wcsncmp

api-ms-win-core-libraryloader-l1-2-0

FreeLibrary
GetProcAddress
GetModuleHandleW
DisableThreadLibraryCalls
GetModuleHandleExW
LoadLibraryExW
GetModuleFileNameA

api-ms-win-core-synch-l1-1-0

ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WaitForSingleObject
InitializeCriticalSectionEx
CreateSemaphoreExW
ReleaseMutex
SetEvent
ResetEvent
AcquireSRWLockShared
EnterCriticalSection
LeaveCriticalSection
ReleaseSRWLockShared
DeleteCriticalSection
InitializeCriticalSection
ReleaseSemaphore
CreateEventW
CreateEventExW
CreateMutexExW
InitializeSRWLock
OpenSemaphoreW
WaitForSingleObjectEx

api-ms-win-core-heap-l1-1-0

HeapFree
GetProcessHeap
HeapAlloc

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
SetLastError
RaiseException
GetLastError
SetUnhandledExceptionFilter

api-ms-win-core-processthreads-l1-1-0

TerminateProcess
GetCurrentThreadId
GetCurrentProcessId
GetCurrentProcess
TlsSetValue
TlsGetValue
CreateThread

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-debug-l1-1-0

DebugBreak
OutputDebugStringW
IsDebuggerPresent

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-eventing-provider-l1-1-0

EventSetInformation
EventUnregister
EventWriteTransfer
EventRegister

api-ms-win-core-winrt-string-l1-1-0

WindowsCreateString
WindowsCompareStringOrdinal
WindowsCreateStringReference
WindowsDeleteString
WindowsConcatString
WindowsGetStringRawBuffer

api-ms-win-core-string-l1-1-0

CompareStringOrdinal

api-ms-win-core-com-l1-1-0

CoInitializeEx
CoTaskMemFree
CoGetMalloc
CoTaskMemRealloc
CoDecrementMTAUsage
CoWaitForMultipleHandles
CoIncrementMTAUsage
CoUninitialize
CoCreateFreeThreadedMarshaler
CoTaskMemAlloc
CoCreateInstance

api-ms-win-core-rtlsupport-l1-1-0

RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

api-ms-win-shcore-registry-l1-1-0

SHGetValueW
SHSetValueW

api-ms-win-core-winrt-l1-1-0

RoInitialize
RoActivateInstance
RoGetActivationFactory
RoUninitialize

api-ms-win-shcore-thread-l1-1-0

SHCreateThread

api-ms-win-core-winrt-error-l1-1-1

RoGetMatchingRestrictedErrorInfo
RoReportFailedDelegate
IsErrorPropagationEnabled

api-ms-win-core-winrt-error-l1-1-0

RoOriginateError
RoTransformError

api-ms-win-core-registry-l1-1-0

RegCloseKey
RegSetValueExW
RegCreateKeyExW
RegSetKeySecurity
RegGetValueW

api-ms-win-core-synch-l1-2-0

InitOnceComplete
InitOnceBeginInitialize

api-ms-win-shcore-scaling-l1-1-1

ord244

ntdll

RtlUnsubscribeWnfStateChangeNotification
NtPowerInformation
RtlSubscribeWnfStateChangeNotification

api-ms-win-power-setting-l1-1-0

PowerReadDCValue
PowerWriteDCValueIndex
PowerSetActiveScheme
PowerGetActiveScheme

api-ms-win-core-heap-l2-1-0

LocalFree

api-ms-win-security-sddl-l1-1-0

ConvertStringSecurityDescriptorToSecurityDescriptorW

api-ms-win-core-featurestaging-l1-1-0

GetFeatureEnabledState
UnsubscribeFeatureStateChangeNotification
RecordFeatureUsage
SubscribeFeatureStateChangeNotification

api-ms-win-core-threadpool-l1-2-0

WaitForThreadpoolTimerCallbacks
CreateThreadpoolTimer
SetThreadpoolTimer
CloseThreadpoolTimer

api-ms-win-storage-exports-internal-l1-1-0

SHGetKnownFolderIDList

api-ms-win-rtcore-ntuser-window-l1-1-0

TranslateMessage
SendMessageW
UnregisterClassW
DestroyWindow
GetMessageW
GetWindowRect
AllowSetForegroundWindow
PostQuitMessage
DefWindowProcW
RegisterClassExW
CreateWindowExW
DispatchMessageW

d3d11

D3D11CreateDevice

api-ms-win-ntuser-sysparams-l1-1-0

QueryDisplayConfig
GetDisplayConfigBufferSizes
EnumDisplayDevicesW
DisplayConfigGetDeviceInfo

api-ms-win-ntuser-rectangle-l1-1-0

PtInRect
IntersectRect

msvcp_win

?_Xlength_error@std@@YAXPEBD@Z

api-ms-win-eventing-classicprovider-l1-1-0

TraceMessage

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Exports

Exports

DllCanUnloadNow
GetSetting
NotifyVideoHandler

Sections

.text
Size: 141KB - Virtual size: 141KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 55KB - Virtual size: 55KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 136B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
vmrdvcore/vmrdvcore.dll
.dll windows:10 windows x64 arch:x64

Password: infected

055a22c998dd9328accc6de5710f416b

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

vmrdvcore.pdb

Imports

msvcrt

_callnewh
??0exception@@QEAA@AEBQEBD@Z
swprintf_s
_purecall
_wcsicmp
??0exception@@QEAA@AEBQEBDH@Z
??0exception@@QEAA@AEBV0@@Z
??1exception@@UEAA@XZ
?what@exception@@UEBAPEBDXZ
_CxxThrowException
??_V@YAXPEAX@Z
?terminate@@YAXXZ
??1type_info@@UEAA@XZ
_vsnwprintf
_XcptFilter
wcscspn
??3@YAXPEAX@Z
_vsnwprintf_s
wcsrchr
wcsncmp
_wcsnicmp
_wtol
wcschr
memmove
__CxxFrameHandler3
iswalpha
memcmp
_onexit
__dllonexit
_unlock
_lock
__C_specific_handler
_initterm
malloc
free
_amsg_exit
memcpy
memset

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleExW
FreeLibrary
GetProcAddress
DisableThreadLibraryCalls
GetModuleHandleW
LoadLibraryExW

api-ms-win-core-synch-l1-2-0

SleepConditionVariableSRW
Sleep
WakeAllConditionVariable

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcessId
CreateThread
GetExitCodeProcess
GetCurrentProcess
OpenThreadToken
GetExitCodeThread
GetCurrentThread
CreateProcessW
SuspendThread
OpenProcessToken
TerminateProcess
GetCurrentThreadId
ResumeThread

api-ms-win-core-sysinfo-l1-1-0

GetComputerNameExW
GetVersionExW
GetTickCount
GetSystemTimeAsFileTime
GetLocalTime

api-ms-win-core-rtlsupport-l1-1-0

RtlLookupFunctionEntry
RtlCaptureContext
RtlVirtualUnwind

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
SetLastError
GetLastError
UnhandledExceptionFilter

api-ms-win-core-synch-l1-1-0

OpenEventW
SetEvent
InitializeCriticalSectionAndSpinCount
ResetEvent
WaitForSingleObject
AcquireSRWLockExclusive
CreateEventW
ReleaseSRWLockExclusive
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
InitializeCriticalSection

api-ms-win-eventing-classicprovider-l1-1-0

RegisterTraceGuidsW
UnregisterTraceGuids
GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle
TraceMessage

api-ms-win-core-heap-l1-1-0

HeapFree
HeapAlloc
GetProcessHeap

api-ms-win-core-threadpool-l1-2-0

CallbackMayRunLong
SubmitThreadpoolWork
WaitForThreadpoolWorkCallbacks
CreateThreadpoolWork
CloseThreadpoolWork

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-com-l1-1-0

CoSetProxyBlanket
CLSIDFromString
CoUninitialize
CoInitializeEx
CoCreateGuid
CoCreateInstanceEx
StringFromGUID2
CoCreateInstance
CoTaskMemFree

api-ms-win-core-synch-l1-2-1

WaitForMultipleObjects

api-ms-win-security-lsapolicy-l1-1-0

LsaClose
LsaOpenPolicy
LsaFreeMemory
LsaQueryInformationPolicy

api-ms-win-service-management-l1-1-0

OpenSCManagerW
CloseServiceHandle
OpenServiceW
StartServiceW

netutils

NetApiBufferFree

api-ms-win-service-winsvc-l1-1-0

QueryServiceStatus

api-ms-win-core-registry-l1-1-0

RegQueryValueExW
RegUnLoadKeyW
RegLoadKeyW
RegDeleteTreeW
RegCreateKeyExW
RegGetValueW
RegSetValueExW
RegCloseKey
RegDeleteValueW
RegOpenKeyExW
RegNotifyChangeKeyValue
RegEnumKeyExW

api-ms-win-core-file-l1-1-0

FindNextFileW
FindFirstFileW
FindClose
CreateFileW
WriteFile
RemoveDirectoryW
GetLongPathNameW
GetShortPathNameW
GetFileAttributesW
CreateDirectoryW
SetFileAttributesW
FindFirstVolumeW
DeleteFileW
FindNextVolumeW
FindVolumeClose
ReadFile
DeleteVolumeMountPointW

api-ms-win-shcore-registry-l1-1-0

SHGetValueW

api-ms-win-core-kernel32-legacy-l1-1-0

GetComputerNameW
MoveFileW

oleaut32

VariantClear
VariantInit
SysAllocString
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayAccessData
SafeArrayUnaccessData
SafeArrayDestroy
SafeArrayUnlock
SafeArrayCreate
SafeArrayRedim
SafeArrayLock
VarBstrCmp
VariantTimeToSystemTime
SysStringByteLen
SysStringLen
SysFreeString

userenv

DeleteProfileW
GetUserProfileDirectoryW
GetProfilesDirectoryW
RefreshPolicyEx

api-ms-win-security-lsalookup-l2-1-0

LookupAccountSidW
LookupPrivilegeValueW

iphlpapi

GetAdaptersAddresses

ws2_32

InetNtopW
WSAGetLastError

api-ms-win-security-sddl-l1-1-0

ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidW
ConvertStringSidToSidW

samcli

NetLocalGroupDelMembers
NetLocalGroupAddMembers

api-ms-win-security-base-l1-1-0

GetFileSecurityW
GetAce
SetSecurityDescriptorDacl
GetSecurityDescriptorDacl
CreateWellKnownSid
GetLengthSid
DeleteAce
EqualSid
AdjustTokenPrivileges
IsValidSid
SetFileSecurityW
GetAclInformation
MakeAbsoluteSD

api-ms-win-core-string-l1-1-0

CompareStringEx

api-ms-win-core-registry-l2-1-0

RegDeleteKeyW

api-ms-win-service-management-l2-1-0

NotifyServiceStatusChangeW

xmllite

CreateXmlReader

api-ms-win-shcore-stream-l1-1-0

SHCreateMemStream

api-ms-win-security-provider-l1-1-0

SetEntriesInAclW

rpcrt4

UuidToStringW
RpcServerUseProtseqEpW
RpcServerInqBindings
RpcEpRegisterW
RpcServerRegisterAuthInfoW
RpcServerRegisterIfEx
RpcBindingVectorFree
RpcBindingInqAuthClientW
RpcBindingToStringBindingW
RpcStringBindingParseW
RpcEpUnregister
UuidCompare
RpcBindingFree
RpcStringBindingComposeW
RpcStringFreeW
RpcBindingFromStringBindingW
RpcEpResolveBinding
RpcServerUnregisterIf
RpcRaiseException
NdrServerCallAll
NdrServerCall2
RpcAsyncInitializeHandle
RpcAsyncCompleteCall
RpcAsyncCancelCall
Ndr64AsyncClientCall
UuidCreate

api-ms-win-core-kernel32-legacy-l1-1-1

SetVolumeMountPointW
VerifyVersionInfoW

api-ms-win-core-file-l2-1-0

GetFileInformationByHandleEx
MoveFileWithProgressW
CopyFileExW
CreateSymbolicLinkW

api-ms-win-core-heap-obsolete-l1-1-0

LocalSize

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW

api-ms-win-core-file-l1-2-0

GetVolumePathNamesForVolumeNameW
GetVolumeNameForVolumeMountPointW

api-ms-win-security-systemfunctions-l1-1-0

SystemFunction036

api-ms-win-core-io-l1-1-0

DeviceIoControl
GetOverlappedResult

srvcli

NetShareGetInfo

api-ms-win-core-namedpipe-l1-1-0

CreateNamedPipeW
SetNamedPipeHandleState
ConnectNamedPipe
DisconnectNamedPipe

api-ms-win-core-io-l1-1-1

CancelIo

advapi32

LsaNtStatusToWinError

netapi32

I_NetLogonControl2

virtdisk

OpenVirtualDisk
DetachVirtualDisk
GetVirtualDiskPhysicalPath
AttachVirtualDisk

wtsapi32

WTSSendMessageW

api-ms-win-core-shutdown-l1-1-1

InitiateShutdownW

api-ms-win-core-sysinfo-l1-2-0

VerSetConditionMask

api-ms-win-core-timezone-l1-1-0

TzSpecificLocalTimeToSystemTime
SystemTimeToFileTime

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Exports

Exports

VmRdvCore_CreateInstance
VmRdvCore_GetInstance
VmRdvCore_TerminateInstance

Sections

.text
Size: 305KB - Virtual size: 305KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 130KB - Virtual size: 129KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 320B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 1024B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
vmrdvcore/wkssvc.dll
.dll windows:10 windows x64 arch:x64

Password: infected

4df40003d563631ed1e3880008a18229

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

wkssvc.pdb

Imports

api-ms-win-crt-runtime-l1-1-0

_initterm_e
_initterm

api-ms-win-crt-private-l1-1-0

_o__initialize_narrow_environment
_o__initialize_onexit_table
_o__invalid_parameter_noinfo
_o__invalid_parameter_noinfo_noreturn
_o__itow_s
_o__seh_filter_dll
_o__wcsicmp
_o__wcsnicmp
memmove
_o_free
_o_iswalpha
_o_malloc
_o_tolower
_o_towupper
_o_wcscat_s
_o_wcscpy_s
_o_wcsncpy_s
_o_wcstoul
_o__execute_onexit_table
_o__errno
_CxxThrowException
_o__configure_narrow_argv
wcsstr
__std_terminate
__CxxFrameHandler4
_o__cexit
_o__callnewh
_o___stdio_common_vswprintf
_o___std_type_info_destroy_list
_o___std_exception_destroy
_o___std_exception_copy
__C_specific_handler
wcschr
memcmp
memcpy

api-ms-win-crt-string-l1-1-0

memset
wcscmp
wcsspn

rpcrt4

RpcBindingVectorFree
NdrAsyncServerCall
I_RpcMapWin32Status
RpcAsyncAbortCall
RpcBindingToStringBindingW
RpcServerUseProtseqW
RpcServerUnregisterIf
RpcAsyncCompleteCall
RpcStringFreeW
NdrServerCall2
RpcStringBindingParseW
RpcServerRegisterIfEx
RpcImpersonateClient
NdrServerCallAll
RpcBindingServerFromClient
RpcServerTestCancel
RpcBindingFree
RpcEpUnregister
Ndr64AsyncServerCallAll
RpcEpRegisterW
RpcServerUnregisterIfEx
RpcServerUseProtseqEpW
RpcServerInqBindings
I_RpcExceptionFilter
RpcStringBindingComposeW
RpcServerInqCallAttributesW
RpcRevertToSelf
Ndr64AsyncClientCall
I_RpcBindingIsClientLocal
NdrClientCall3
RpcBindingSetOption
RpcAsyncInitializeHandle
RpcAsyncCancelCall
RpcBindingSetAuthInfoExW
RpcEpResolveBinding
RpcMgmtSetComTimeout
RpcBindingFromStringBindingW

api-ms-win-security-activedirectoryclient-l1-1-0

DsBindWithSpnExW
DsMakePasswordCredentialsW
DsFreeNameResultW
DsFreePasswordCredentials
DsCrackNamesW
DsFreeDomainControllerInfoW
DsGetDomainControllerInfoW
DsUnBindW

api-ms-win-core-heap-l2-1-0

LocalUnlock
LocalReAlloc
LocalFree
LocalLock
LocalAlloc

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
GetLastError
UnhandledExceptionFilter
SetLastError

ntdll

NtOpenThreadToken
RtlCopyLuid
RtlAcquireResourceShared
RtlCompareUnicodeString
WinSqmSetDWORD
RtlAppendUnicodeStringToString
RtlAppendUnicodeToString
NtCreateFile
RtlIpv6AddressToStringExW
NtQueryVolumeInformationFile
RtlIpv6StringToAddressW
RtlIpv4StringToAddressW
RtlRunDecodeUnicodeString
RtlRunEncodeUnicodeString
RtlIpv6AddressToStringW
RtlGetNtProductType
RtlInitUnicodeString
NtQueryInformationFile
RtlIpv4AddressToStringW
RtlAcquireResourceExclusive
RtlReleaseResource
RtlValidRelativeSecurityDescriptor
NtQueryInformationToken
NtOpenFile
NtFsControlFile
NtClose
RtlAdjustPrivilege
NtAccessCheckAndAuditAlarm
RtlIpv4AddressToStringExW
NtDeviceIoControlFile
RtlMapSecurityErrorToNtStatus
RtlCopySid
RtlLengthSid
RtlCreateAcl
RtlAddAce
RtlCreateSecurityDescriptor
RtlSetOwnerSecurityDescriptor
RtlSetGroupSecurityDescriptor
RtlSetDaclSecurityDescriptor
RtlSetSaclSecurityDescriptor
NtOpenProcessToken
RtlNewSecurityObject
RtlDeleteSecurityObject
DbgPrint
RtlInitializeGenericTable
RtlNtStatusToDosError
RtlDeregisterWaitEx
RtlDeleteElementGenericTable
NtCreateEvent
RtlDeregisterWait
RtlInsertElementGenericTable
RtlLookupElementGenericTable
RtlEnumerateGenericTable
WinSqmIsOptedIn
RtlRegisterWait
RtlInitString
RtlDeleteResource
RtlInitializeResource
RtlHashUnicodeString

api-ms-win-security-base-l1-1-0

RevertToSelf
CreateWellKnownSid
PrivilegeCheck
CheckTokenMembership

netutils

NetpwPathCanonicalize
NetpwListTraverse
NetpwListCanonicalize
NetpwPathType
NetApiBufferAllocate
NetpwNameCanonicalize
NetApiBufferFree

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpW

api-ms-win-core-synch-l1-1-0

InitializeCriticalSection
LeaveCriticalSection
CreateEventW
DeleteCriticalSection
OpenEventW
ResetEvent
SetEvent
WaitForSingleObject
WaitForMultipleObjectsEx
EnterCriticalSection

api-ms-win-core-kernel32-private-l1-1-0

DosPathToSessionPathW
EnumerateLocalComputerNamesW
SetLocalPrimaryComputerNameW
RemoveLocalAlternateComputerNameW

api-ms-win-security-lsalookup-l1-1-0

LsaLookupGetDomainInfo
LsaLookupClose
LsaLookupFreeMemory
LsaLookupOpenLocalPolicy

bcrypt

BCryptOpenAlgorithmProvider
BCryptGetProperty
BCryptSetProperty
BCryptDecrypt
BCryptEncrypt
BCryptDestroyHash
BCryptCloseAlgorithmProvider
BCryptDestroyKey
BCryptFinishHash
BCryptHashData
BCryptCreateHash
BCryptGenerateSymmetricKey

api-ms-win-core-heap-l1-1-0

HeapFree
GetProcessHeap
HeapAlloc

api-ms-win-core-kernel32-legacy-l1-1-0

DnsHostnameToComputerNameW
RegisterWaitForSingleObject
AddLocalAlternateComputerNameW

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetVersion
GetTickCount64
GetVersionExW
GetComputerNameExW
GlobalMemoryStatusEx
GetLocalTime

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleExW
FreeLibrary
GetModuleFileNameW
GetProcAddress
GetModuleHandleW
DisableThreadLibraryCalls

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-file-l1-1-0

DefineDosDeviceW
QueryDosDeviceW
CreateFileW

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcess
GetCurrentThreadId
OpenThreadToken
GetCurrentThread
CreateThread
TerminateProcess
GetCurrentProcessId
SetThreadToken

userenv

LeaveCriticalPolicySection
UnregisterGPNotification
EnterCriticalPolicySection
RegisterGPNotification

api-ms-win-core-registry-l1-1-0

RegNotifyChangeKeyValue
RegCloseKey
RegQueryInfoKeyW
RegQueryValueExW
RegOpenKeyExW
RegSetValueExW
RegDeleteKeyExW
RegGetValueW
RegCreateKeyExW
RegFlushKey
RegEnumKeyExW

api-ms-win-stateseparation-helpers-l1-1-0

GetPersistedRegistryLocationW

api-ms-win-core-threadpool-l1-2-0

SetThreadpoolWait
CreateThreadpoolWait
WaitForThreadpoolWaitCallbacks
CloseThreadpoolWait
CloseThreadpoolCleanupGroupMembers
CloseThreadpoolCleanupGroup
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
CreateThreadpoolCleanupGroup
TrySubmitThreadpoolCallback

api-ms-win-core-rtlsupport-l1-1-0

RtlLookupFunctionEntry
RtlVirtualUnwind
RtlCaptureContext
RtlCompareMemory

api-ms-win-service-private-l1-1-0

I_ScSetServiceBitsW

api-ms-win-service-core-l1-1-0

SetServiceStatus
RegisterServiceCtrlHandlerExW

api-ms-win-core-threadpool-legacy-l1-1-0

UnregisterWaitEx

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent

api-ms-win-core-processthreads-l1-1-1

GetProcessMitigationPolicy
IsProcessorFeaturePresent

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

msvcp_win

?_Xlength_error@std@@YAXPEBD@Z

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-eventing-classicprovider-l1-1-0

GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle
TraceMessage
RegisterTraceGuidsW
UnregisterTraceGuids

api-ms-win-eventing-provider-l1-1-0

EventRegister
EventWriteTransfer
EventUnregister

api-ms-win-core-io-l1-1-0

PostQueuedCompletionStatus
GetQueuedCompletionStatus
CreateIoCompletionPort

dsparse

DsMakeSpnW

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Exports

Exports

ServiceMain
SvchostPushServiceGlobals

Sections

.text
Size: 181KB - Virtual size: 180KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 87KB - Virtual size: 86KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1024B - Virtual size: 760B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 19KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
win32spl/SecurityHealthAgent.dll
.dll regsvr32 windows:10 windows x64 arch:x64

Password: infected

8ffde2a931024fbe67b40744526c0839

Code Sign

33:00:00:03:8d:b0:bf:e1:b0:ca:33:b3:d4:00:00:00:00:03:8d
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

05-05-2022 19:23

Not After

04-05-2023 19:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

f6:8c:80:95:4d:71:cc:0f:36:95:4b:30:ec:fd:70:3c:dc:6f:51:9b:d6:3f:b8:81:b7:ce:b2:b2:80:4a:2e:d5
Signer

Actual PE Digest

f6:8c:80:95:4d:71:cc:0f:36:95:4b:30:ec:fd:70:3c:dc:6f:51:9b:d6:3f:b8:81:b7:ce:b2:b2:80:4a:2e:d5

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

SecurityHealthAgent.pdb

Imports

msvcp_win

?_Syserror_map@std@@YAPEBDH@Z
?_Winerror_map@std@@YAHH@Z
?_Winerror_message@std@@YAKKPEADK@Z
?_Execute_once@std@@YAHAEAUonce_flag@1@P6AHPEAX1PEAPEAX@Z1@Z
?_Xlength_error@std@@YAXPEBD@Z
?snextc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAAGXZ
?_Ipfx@?$basic_istream@GU?$char_traits@G@std@@@std@@QEAA_N_N@Z
?widen@?$basic_ios@GU?$char_traits@G@std@@@std@@QEBAGD@Z
?__ExceptionPtrAssign@@YAXPEAXPEBX@Z
?__ExceptionPtrCreate@@YAXPEAX@Z
?__ExceptionPtrCopy@@YAXPEAXPEBX@Z
?_XGetLastError@std@@YAXXZ
?__ExceptionPtrToBool@@YA_NPEBX@Z
?__ExceptionPtrDestroy@@YAXPEAX@Z
?__ExceptionPtrCurrentException@@YAXPEAX@Z
?__ExceptionPtrRethrow@@YAXPEBX@Z
?_Xbad_alloc@std@@YAXXZ
??1?$basic_iostream@GU?$char_traits@G@std@@@std@@UEAA@XZ
?imbue@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAXAEBVlocale@2@@Z
?sync@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAHXZ
?setbuf@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAPEAV12@PEAG_J@Z
?xsputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEBG_J@Z
?xsgetn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEAG_J@Z
?sbumpc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAAGXZ
?uflow@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAGXZ
?showmanyc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JXZ
?_Unlock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
??1?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAA@XZ
?setstate@?$basic_ios@GU?$char_traits@G@std@@@std@@QEAAXH_N@Z
??1?$basic_ios@GU?$char_traits@G@std@@@std@@UEAA@XZ
??0?$basic_iostream@GU?$char_traits@G@std@@@std@@QEAA@PEAV?$basic_streambuf@GU?$char_traits@G@std@@@1@@Z
?_Pninc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAPEAGXZ
?gbump@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXH@Z
??0?$basic_ios@GU?$char_traits@G@std@@@std@@IEAA@XZ
??0?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAA@XZ
?sgetc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAAGXZ

api-ms-win-crt-runtime-l1-1-0

_register_onexit_function
_errno
_invalid_parameter_noinfo
_invalid_parameter_noinfo_noreturn
_initterm
_initterm_e
_seh_filter_dll
_configure_narrow_argv
_initialize_narrow_environment
_initialize_onexit_table
_execute_onexit_table
_crt_atexit
terminate
_cexit

api-ms-win-crt-stdio-l1-1-0

__stdio_common_vsnwprintf_s
__stdio_common_vswprintf_s
__stdio_common_vsprintf
__stdio_common_vsprintf_s
__stdio_common_vswprintf
__stdio_common_vsnprintf_s

api-ms-win-crt-string-l1-1-0

towlower
_wcsicmp
strnlen
wcsnlen
memset
iswspace
wcscmp

api-ms-win-crt-convert-l1-1-0

_wcstod_l
_wtoi
_i64toa_s
_ui64tow_s
_i64tow_s
_ui64toa_s

api-ms-win-crt-heap-l1-1-0

free
malloc
_callnewh

api-ms-win-crt-private-l1-1-0

memcmp
__std_exception_destroy
memcpy
__std_exception_copy
_CxxThrowException
__CxxFrameHandler4
__std_type_info_destroy_list
__CxxFrameHandler3
__C_specific_handler
__std_terminate
_purecall
memmove

api-ms-win-core-libraryloader-l1-2-0

LockResource
FreeLibrary
GetModuleHandleW
LoadResource
DisableThreadLibraryCalls
SizeofResource
GetModuleFileNameA
GetModuleHandleExW
GetModuleFileNameW
GetProcAddress
LoadLibraryExW

api-ms-win-core-synch-l1-1-0

ReleaseSRWLockExclusive
AcquireSRWLockExclusive
CreateSemaphoreExW
EnterCriticalSection
ReleaseSemaphore
LeaveCriticalSection
AcquireSRWLockShared
InitializeCriticalSectionAndSpinCount
ReleaseMutex
WaitForSingleObjectEx
DeleteCriticalSection
CreateEventW
SetEvent
ReleaseSRWLockShared
OpenSemaphoreW
WaitForSingleObject
CreateMutexExW
ResetEvent
InitializeCriticalSectionEx

api-ms-win-core-heap-l1-1-0

GetProcessHeap
HeapAlloc
HeapFree

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
GetLastError
RaiseException
SetUnhandledExceptionFilter
SetLastError

api-ms-win-core-threadpool-l1-2-0

WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
SetThreadpoolTimer
CreateThreadpoolTimer

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcessId
GetCurrentThread
OpenThreadToken
ProcessIdToSessionId
GetCurrentProcess
TerminateProcess
OpenProcessToken
GetCurrentThreadId

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
DebugBreak
OutputDebugStringW

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-registry-l1-1-0

RegCreateKeyExW
RegOpenCurrentUser
RegSetValueExW
RegOpenKeyExW
RegCloseKey
RegQueryValueExW

api-ms-win-eventing-classicprovider-l1-1-0

GetTraceEnableLevel
RegisterTraceGuidsW
GetTraceLoggerHandle
GetTraceEnableFlags
UnregisterTraceGuids
TraceMessage

api-ms-win-security-sddl-l1-1-0

ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidW
ConvertStringSidToSidW

api-ms-win-core-heap-l2-1-0

LocalFree

api-ms-win-core-com-l1-1-0

CoTaskMemFree
CoSetProxyBlanket
CoRevertToSelf
CoCreateInstance
CoImpersonateClient
StringFromGUID2
StringFromCLSID

api-ms-win-core-winrt-l1-1-0

RoActivateInstance
RoGetActivationFactory

api-ms-win-core-winrt-string-l1-1-0

WindowsCreateStringReference
WindowsGetStringRawBuffer
WindowsDeleteString

api-ms-win-core-sysinfo-l1-1-0

GetSystemDirectoryW
GetSystemTimeAsFileTime

rpcrt4

NdrDllCanUnloadNow
NdrDllRegisterProxy
NdrDllUnregisterProxy
NdrCStdStubBuffer_Release
IUnknown_AddRef_Proxy
CStdStubBuffer_DebugServerQueryInterface
NdrOleFree
CStdStubBuffer_AddRef
IUnknown_Release_Proxy
CStdStubBuffer_CountRefs
CStdStubBuffer_QueryInterface
UuidCreate
NdrOleAllocate
NdrDllGetClassObject
CStdStubBuffer_DebugServerRelease
CStdStubBuffer_Disconnect
CStdStubBuffer_Invoke
IUnknown_QueryInterface_Proxy
CStdStubBuffer_IsIIDSupported
CStdStubBuffer_Connect

api-ms-win-eventing-provider-l1-1-0

EventUnregister
EventRegister
EventSetInformation
EventWriteTransfer

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpW

api-ms-win-rtcore-ntuser-window-l1-1-0

GetForegroundWindow

api-ms-win-core-rtlsupport-l1-1-0

RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

ole32

ObjectStublessClient6
ObjectStublessClient5
ObjectStublessClient7
CoGetObject
ObjectStublessClient4
ObjectStublessClient3

shell32

ShellExecuteW

wldp

WldpQueryWindowsLockdownMode

ntdll

RtlNtStatusToDosError
RtlGetDeviceFamilyInfoEnum
RtlGetPersistedStateLocation

api-ms-win-crt-locale-l1-1-0

_create_locale
_free_locale
__pctype_func

api-ms-win-security-lsalookup-l2-1-0

LookupPrivilegeValueW

api-ms-win-security-base-l1-1-0

FreeSid
CheckTokenMembership
InitializeAcl
GetLengthSid
CopySid
GetTokenInformation
GetSecurityDescriptorOwner
AllocateAndInitializeSid
AccessCheck
AdjustTokenPrivileges
GetSecurityDescriptorDacl

api-ms-win-core-file-l1-1-0

GetFileAttributesW
CreateFileW

api-ms-win-core-libraryloader-l1-2-1

FindResourceW

api-ms-win-core-synch-l1-2-1

CreateSemaphoreW

api-ms-win-core-registry-l2-1-0

RegDeleteKeyW

api-ms-win-security-provider-l1-1-0

GetNamedSecurityInfoW
SetEntriesInAclW
SetNamedSecurityInfoW

api-ms-win-core-synch-l1-2-0

Sleep

wintrust

CryptCATAdminCalcHashFromFileHandle
WTHelperGetProvSignerFromChain
WTHelperProvDataFromStateData
CryptCATAdminEnumCatalogFromHash
CryptCATAdminAcquireContext
CryptCATAdminReleaseCatalogContext
WinVerifyTrust
CryptCATAdminReleaseContext
CryptCATCatalogInfoFromContext

crypt32

CertVerifyCertificateChainPolicy

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-core-util-l1-1-0

EncodePointer

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllMain
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 264KB - Virtual size: 263KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 81KB - Virtual size: 81KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 17KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 44KB - Virtual size: 43KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
win32spl/WiFiDisplay.dll
.dll windows:10 windows x64 arch:x64

22ea731bf4d650c96ee339f4201d44bf

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

WiFiDisplay.pdb

Imports

api-ms-win-crt-runtime-l1-1-0

_initterm_e
_initterm

api-ms-win-crt-private-l1-1-0

_o__initialize_narrow_environment
_o__initialize_onexit_table
_o__invalid_parameter_noinfo
_o__invalid_parameter_noinfo_noreturn
_o__purecall
_o__register_onexit_function
_o__seh_filter_dll
memmove
_o__execute_onexit_table
_o_free
_o_isdigit
_o_malloc
_o_terminate
_o_wcscpy_s
_o_wcsncpy_s
__C_specific_handler
__CxxFrameHandler3
_CxxThrowException
_o__errno
_o__crt_atexit
_o___stdio_common_vsnprintf_s
_o__configure_narrow_argv
_o__cexit
_o__callnewh
_o__atoi64
_o___std_type_info_destroy_list
_o___std_exception_destroy
_o___std_exception_copy
__std_terminate
__CxxFrameHandler4
_o___stdio_common_vswprintf
memcmp
memcpy

api-ms-win-crt-string-l1-1-0

memset
wcscmp
wcspbrk

api-ms-win-core-libraryloader-l1-2-0

GetProcAddress
GetModuleHandleW
GetModuleFileNameA
GetModuleHandleExW

api-ms-win-core-heap-l1-1-0

GetProcessHeap
HeapAlloc
HeapFree

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcessId
GetCurrentThreadId
CreateThread
TerminateProcess
GetCurrentProcess

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
IsDebuggerPresent
DebugBreak

api-ms-win-eventing-classicprovider-l1-1-0

GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags
RegisterTraceGuidsW
TraceMessage
UnregisterTraceGuids

api-ms-win-core-rtlsupport-l1-1-0

RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext

api-ms-win-core-errorhandling-l1-1-0

GetLastError
SetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetComputerNameExW
GetSystemTimeAsFileTime
GetTickCount64

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

msvcp_win

?_Xlength_error@std@@YAXPEBD@Z

api-ms-win-core-synch-l1-1-0

InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
ReleaseSemaphore
InitializeCriticalSectionEx
WaitForSingleObject
ReleaseMutex
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WaitForSingleObjectEx
OpenSemaphoreW
ReleaseSRWLockShared
CreateMutexExW
AcquireSRWLockShared
CreateEventW
ResetEvent
CreateEventExW
SetEvent
CreateSemaphoreExW

api-ms-win-core-threadpool-l1-2-0

CreateThreadpoolIo
WaitForThreadpoolTimerCallbacks
StartThreadpoolIo
CancelThreadpoolIo
SubmitThreadpoolWork
CreateThreadpoolWork
CloseThreadpool
SetThreadpoolThreadMinimum
SetThreadpoolThreadMaximum
CreateThreadpool
SetThreadpoolTimer
CloseThreadpoolCleanupGroupMembers
CreateThreadpoolCleanupGroup
CloseThreadpoolWait
WaitForThreadpoolWaitCallbacks
SetThreadpoolWait
CreateThreadpoolWait
CloseThreadpoolCleanupGroup
CreateThreadpoolTimer
CloseThreadpoolTimer

api-ms-win-core-handle-l1-1-0

CloseHandle

ntdll

RtlGetDeviceFamilyInfoEnum
RtlUnsubscribeWnfNotificationWaitForCompletion
RtlSubscribeWnfStateChangeNotification
NtQueryWnfStateData

api-ms-win-core-registry-l1-1-0

RegCreateKeyExW
RegCloseKey
RegNotifyChangeKeyValue
RegOpenKeyExW
RegGetValueW

devobj

DevObjDestroyDeviceInfoList
DevObjCreateDeviceInfoList
DevObjOpenDeviceInfo
DevObjOpenDevRegKey

api-ms-win-core-file-l1-1-0

SetFilePointer
ReadFile
CreateFileW

api-ms-win-core-io-l1-1-0

DeviceIoControl

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer
EventSetInformation
EventRegister
EventUnregister
EventActivityIdControl

ws2_32

closesocket
connect
WSAIoctl
ntohs
shutdown
getsockname
getpeername
WSAAddressToStringW
InetPtonW
send
htons
recv
listen
WSAStartup
WSACleanup
socket
WSAGetLastError
setsockopt
bind

sspicli

InitializeSecurityContextW
AcquireCredentialsHandleW
DecryptMessage
QueryContextAttributesW
AcceptSecurityContext
EncryptMessage
FreeCredentialsHandle
DeleteSecurityContext
ImportSecurityContextW
FreeContextBuffer
ExportSecurityContext

api-ms-win-devices-query-l1-1-1

DevCreateObjectQueryEx

api-ms-win-devices-query-l1-1-0

DevGetObjects
DevCloseObjectQuery
DevFreeObjects

api-ms-win-devices-config-l1-1-1

CM_Register_Notification
CM_Unregister_Notification

dnsapi

DnsServiceFreeInstance
DnsServiceRegister
DnsServiceDeRegister
DnsServiceConstructInstance

api-ms-win-core-synch-l1-2-1

WaitForMultipleObjects

iphlpapi

GetIfEntry2Ex
GetAdaptersAddresses
ConvertInterfaceLuidToGuid
GetIfTable2
FreeMibTable

api-ms-win-core-com-l1-1-0

CoCreateGuid

mswsock

AcceptEx

api-ms-win-core-string-l1-1-0

MultiByteToWideChar
WideCharToMultiByte

rpcrt4

UuidFromStringW

api-ms-win-dx-d3dkmt-l1-1-1

D3DKMTNetDispQueryMiracastDisplayDeviceSupport

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Exports

Exports

CloseMiracastSession
CreateDAFProviderMiracastHelper
CreateInfraCastSourceConnector
CreateWiFiDisplayEtwProvider
IsMiracastSupportedByWlan
MiracastFreeMemory
MiracastIeDecode
MiracastIeEncode
MiracastQueryParameters
MiracastRegisterDatarateCallback
MiracastUnregisterDatarateCallback
OpenMiracastSession
VsIeProviderGetFunctionTable
WFDDisplaySinkCloseSession
WFDDisplaySinkDeInit
WFDDisplaySinkInit
WFDDisplaySinkQueryCapabilities
WFDDisplaySinkSetPersistedGroupIDList
WFDDisplaySinkSetProperty
WFDDisplaySinkStart
WFDDisplaySinkStartEx
WFDDisplaySinkStop

Sections

.text
Size: 299KB - Virtual size: 299KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 55KB - Virtual size: 54KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 512B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1024B - Virtual size: 676B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
win32spl/win32spl.dll
.dll windows:10 windows x64 arch:x64

8b131f6c824bbfd621b1af5c1e0b0060

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

win32spl.pdb

Imports

msvcrt

wcstol
wcscpy_s
wcstoul
tolower
_wcsnicmp
_wtol
wcsnlen
wcsstr
_wcsicmp
wcsncmp
??_V@YAXPEAX@Z
_itow_s
qsort
malloc
_purecall
memmove_s
??0exception@@QEAA@AEBV0@@Z
_callnewh
_CxxThrowException
_wcstoi64
_get_errno
memcpy
??3@YAXPEAX@Z
??1exception@@UEAA@XZ
memmove
??0exception@@QEAA@AEBQEBD@Z
??0exception@@QEAA@AEBQEBDH@Z
?what@exception@@UEBAPEBDXZ
_set_errno
_wcsdup
_open
_errno
_read
_write
_close
_lseek
_wopen
_stricmp
swprintf_s
sprintf_s
wcsrchr
isdigit
isupper
??0bad_cast@@QEAA@AEBV0@@Z
??1bad_cast@@UEAA@XZ
??0bad_cast@@QEAA@PEBD@Z
localeconv
strcspn
__uncaught_exception
setlocale
___mb_cur_max_func
___lc_handle_func
___lc_codepage_func
_ismbblead
__pctype_func
calloc
islower
??8type_info@@QEBAHAEBV0@@Z
__crtLCMapStringW
__crtLCMapStringA
_wsetlocale
abort
memset
memchr
memcmp
sqrt
_XcptFilter
_amsg_exit
free
_initterm
?terminate@@YAXXZ
wcschr
_wtof
strchr
_wcslwr
__CxxFrameHandler3
iswspace
strcpy_s
wcstok_s
wcscat_s
_onexit
__dllonexit
_unlock
_lock
??1type_info@@UEAA@XZ
??0exception@@QEAA@XZ
_vsnprintf_s
memcpy_s
_vsnwprintf
__C_specific_handler
wcscmp

ntdll

NtSetInformationThread
NtOpenThreadToken
RtlFreeHeap
RtlInitUnicodeString
NtSetInformationToken
RtlAllocateHeap
WinSqmIncrementDWORD
WinSqmAddToStreamEx
WinSqmSetDWORD
WinSqmIsOptedIn
EtwEventWrite
EtwEventEnabled
EtwEventUnregister
EtwEventRegister
RtlValidRelativeSecurityDescriptor
RtlIsThreadWithinLoaderCallout
NtFsControlFile
RtlInitializeSRWLock
RtlReleaseSRWLockExclusive
RtlAcquireSRWLockExclusive
RtlReleaseSRWLockShared
RtlAcquireSRWLockShared
TpAllocPool
TpSetPoolMinThreads
TpSetPoolMaxThreads
NtOpenProcessToken
TpWaitForAlpcCompletion
TpReleaseIoCompletion
TpWaitForIoCompletion
TpReleaseTimer
TpWaitForTimer
RtlInitAnsiString
RtlOemStringToUnicodeString
RtlUnicodeToOemN
RtlxUnicodeStringToOemSize
NtImpersonateAnonymousToken
NtCreateFile
TpReleaseWait
TpWaitForWait
TpReleaseWork
TpWaitForWork
TpAllocAlpcCompletion
TpStartAsyncIoOperation
TpAllocIoCompletion
TpSetTimer
TpAllocTimer
TpAllocWait
TpPostWork
TpAllocWork
RtlNtStatusToDosError
TpSimpleTryPost
TpSetWait
TpCallbackMayRunLong
TpReleasePool
TpReleaseAlpcCompletion
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
VerSetConditionMask
EtwUnregisterTraceGuids
EtwRegisterTraceGuidsW
EtwGetTraceEnableFlags
EtwGetTraceEnableLevel
EtwGetTraceLoggerHandle
EtwTraceMessage
NtClose

api-ms-win-core-errorhandling-l1-1-0

GetLastError
UnhandledExceptionFilter
RaiseException
SetUnhandledExceptionFilter
SetLastError

api-ms-win-core-file-l1-1-0

LocalFileTimeToFileTime
FindNextFileW
FindFirstFileW
RemoveDirectoryW
SetFileTime
SetFileAttributesW
FindClose
DeleteFileW
SetFilePointerEx
WriteFile
CreateFileW
ReadFile
SetEndOfFile
CreateDirectoryW
GetFileSize
GetFileAttributesW
CompareFileTime
GetFullPathNameW

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-heap-l1-1-0

GetProcessHeap
HeapFree
HeapAlloc

api-ms-win-core-libraryloader-l1-2-0

DisableThreadLibraryCalls
GetModuleHandleW
LoadStringW
GetProcAddress
LoadLibraryExW
GetModuleHandleExW
GetModuleFileNameA
FreeLibrary

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW

api-ms-win-core-localization-l1-2-0

GetSystemPreferredUILanguages
FormatMessageW

api-ms-win-eventing-provider-l1-1-0

EventSetInformation
EventRegister
EventWriteTransfer
EventUnregister

rpcrt4

RpcAsyncCompleteCall
RpcSmDestroyClientContext
NdrClientCall3
RpcStringFreeW
NdrMesProcEncodeDecode3
MesEncodeIncrementalHandleCreate
MesDecodeIncrementalHandleCreate
Ndr64AsyncClientCall
RpcBindingSetObject
RpcEpResolveBinding
RpcAsyncInitializeHandle
I_RpcExceptionFilter
RpcBindingSetOption
RpcBindingSetAuthInfoExW
RpcBindingFromStringBindingW
RpcStringBindingComposeW
MesHandleFree
RpcBindingFree

api-ms-win-core-processthreads-l1-1-0

ProcessIdToSessionId
SetThreadToken
OpenProcessToken
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
OpenThreadToken
TerminateProcess
GetCurrentThreadId
ExitProcess

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
OutputDebugStringW
DebugBreak

api-ms-win-core-synch-l1-1-0

AcquireSRWLockShared
ReleaseSRWLockShared
CreateSemaphoreExW
ReleaseSemaphore
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
SetEvent
CreateEventW
CreateMutexExW
InitializeCriticalSection
CreateEventExW
InitializeCriticalSectionAndSpinCount
OpenSemaphoreW
WaitForSingleObject
DeleteCriticalSection
InitializeCriticalSectionEx
EnterCriticalSection
WaitForSingleObjectEx
ReleaseMutex
LeaveCriticalSection

api-ms-win-core-threadpool-l1-2-0

SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CreateThreadpoolWork
WaitForThreadpoolWorkCallbacks
SubmitThreadpoolWork
IsThreadpoolTimerSet
CloseThreadpoolTimer
CreateThreadpoolTimer
CloseThreadpoolWork

api-ms-win-core-registry-l1-1-0

RegGetValueW
RegEnumValueW
RegQueryValueExW
RegQueryInfoKeyW
RegOpenKeyExW
RegOpenCurrentUser
RegCloseKey
RegCreateKeyExW
RegSetValueExW
RegDeleteValueW
RegDeleteKeyExW
RegEnumKeyExW

api-ms-win-security-base-l1-1-0

MakeSelfRelativeSD
SetSecurityDescriptorGroup
SetSecurityDescriptorOwner
SetSecurityDescriptorDacl
InitializeSecurityDescriptor
FreeSid
AddAccessDeniedAceEx
CheckTokenMembership
SetTokenInformation
AddAccessAllowedAceEx
IsWellKnownSid
GetTokenInformation
DuplicateTokenEx
CopySid
CreateWellKnownSid
RevertToSelf
ImpersonateLoggedOnUser
InitializeAcl
EqualSid
GetLengthSid
GetSecurityDescriptorLength
AllocateAndInitializeSid
IsTokenRestricted
IsValidSecurityDescriptor

oleaut32

GetRecordInfoFromTypeInfo
SafeArrayCopyData
VariantCopy
LoadTypeLi
VariantCopyInd
VariantChangeType
SysAllocStringLen
BSTR_UserMarshal64
SetErrorInfo
LoadRegTypeLi
LPSAFEARRAY_UserSize64
BSTR_UserSize64
BSTR_UserFree64
LPSAFEARRAY_UserMarshal
LPSAFEARRAY_UserUnmarshal64
BSTR_UserMarshal
BSTR_UserUnmarshal
LPSAFEARRAY_UserMarshal64
LPSAFEARRAY_UserFree64
SafeArrayGetElement
SysStringLen
SafeArrayPutElement
SafeArrayGetUBound
SafeArrayDestroy
BSTR_UserSize
SafeArrayCreateVector
BSTR_UserFree
LPSAFEARRAY_UserSize
VariantClear
SysAllocString
BSTR_UserUnmarshal64
LPSAFEARRAY_UserFree
SafeArrayPtrOfIndex
SysFreeString
VariantInit
LPSAFEARRAY_UserUnmarshal

api-ms-win-core-heap-l2-1-0

LocalFree

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemDirectoryW
GetSystemInfo
GetVersionExW
GetSystemTimeAsFileTime

api-ms-win-security-lsalookup-l2-1-0

LookupAccountNameW

api-ms-win-core-string-l1-1-0

GetStringTypeW
MultiByteToWideChar
WideCharToMultiByte

api-ms-win-core-winrt-string-l1-1-0

WindowsCreateStringReference

api-ms-win-core-synch-l1-2-0

Sleep
InitOnceComplete
InitOnceBeginInitialize
SleepConditionVariableSRW
WakeAllConditionVariable

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-processtopology-obsolete-l1-1-0

GetActiveProcessorCount

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpiW

api-ms-win-security-lsalookup-l1-1-0

LookupAccountNameLocalW
LookupAccountSidLocalW

spoolss

CacheIsNameInNodeList
IsNamedPipeRpcCall
SetJobW
GetPrinterDriverW
CallRouterFindFirstPrinterChangeNotification
SetPortW
GetJobW
GetPrinterDriverDirectoryW
GetServerPolicy
GetJobNamedPropertyValue
AllocSplStr
RouterCreatePrintAsyncNotificationChannel
SplRegisterForSessionEvents
SplUnregisterForSessionEvents
ReplyPrinterChangeNotification
PartialReplyPrinterChangeNotification
SpoolerRefreshPrinterChangeNotification
SpoolerFindClosePrinterChangeNotification
SpoolerFindFirstPrinterChangeNotification
GetPrinterW
OpenPrinter2W
AppendPrinterNotifyInfoData
RouterAllocPrinterNotifyInfo
RouterFreePrinterNotifyInfo
ReplyPrinterChangeNotificationEx
DllFreeSplStr
FreePrintPropertyValue
EnumPrintersW
MIDL_user_allocate1
MIDL_user_free1
IsNameTheLocalMachineOrAClusterSpooler
DeletePrinterConnectionW
RevertToPrinterSelf
ImpersonatePrinterClient
OpenPrinterW
ClosePrinter
DllFreeSplMem
DllAllocSplMem
CallDrvDevModeConversion
AllowRemoteCalls
GetPrinterDataW

localspl

SplAddPrinter
SplAddMonitor
SplCopyNumberOfFiles
SplEnumPrinterDrivers
SplIsCompatibleDriver
SplEnumPrinters
SplEnumPorts
SplXcvData
SplIsDriverInstalled
SplOpenPrinter
SplSetJobNamedProperty
SplDeleteJobNamedProperty
SplSetForm
SplDoesCSRPrinterDevnodeExist
SplGetDriverUpdateStatus
SplRegeneratePrintDeviceCapabilities
SplAddForm
SplDeleteForm
SplSetJobError
SplPrintSupportOperation
SplIppCreateJobOnPrinter
SplIppGetJobAttributes
SplIppSetJobAttributes
SplCloseSpooler
SplDeleteSpooler
SplCreateSpooler
SplNotifyServerStatus
SplGetPrintClassObject_4CSR
SplIsLocalDriverAvailable
SplSetDriverUpdateStatus
SplAddPrinterDriverEx
SplGetUserPropertyBag
SplSetJob
SplEnumJobs
SplDeletePrinterWithJobs
SplGetPrinter
SplSetPrinter
SplSetJobExtra
SplGetDriverDir
SplSetCSRPrinterDevnode
LocalAddForm
SplCopyFileEvent
SplLoadLibraryTheCopyFileModule
SplGetJobExtra
LocalDeleteForm
LocalEnumForms
SplEnumForms
SplGetForm
SplMonitorIsInstalled
SplGetPrintClassObject
SplDeletePrintProcCacheData
SplEnumPrintProcCacheData
SplGetLocalDevMode
SplSetPrintProcCacheData
SplGetPrintProcCacheData
SplEnumPrinterKey
SplEnumPrinterDataEx
SplEnumPrinterData
SplDeletePrinterKey
SplDeletePrinterDataEx
SplDeletePrinterData
SplSetPrinterDataEx
SplSetPrinterData
SplGetPrinterDataEx
SplGetPrinterData
SplGetPrinterDriver
SplGetPrinterDriverEx
SplResetPrinter
SplDeletePrinterIC
SplPlayGdiScriptOnPrinterIC
SplCreatePrinterIC
SplEnumJobNamedProperties
SplGetJobNamedPropertyValue
SplReportJobProcessingProgress
SplGetJob
SplScheduleJob
SplAddJob
SplAbortPrinter
LocalReadPrinter
SplWritePrinter
SplEndDocPrinter
SplEndPagePrinter
SplStartPagePrinter
SplStartDocPrinter
SplClosePrinter
SplAddCSRPrinter
SplEnableCSRPrinterDeviceInterface
SplDriverEvent

shlwapi

SHCreateStreamOnFileW

setupapi

SetupDiCreateDeviceInfoListExW
SetupDiOpenDeviceInfoW
SetupDiGetDevicePropertyW
SetupDiDestroyDeviceInfoList
CMP_WaitNoPendingInstallEvents
SetupDiCallClassInstaller
SetupDiSetClassInstallParamsW

cfgmgr32

SwDeviceSetLifetime
SwDeviceClose
SwDeviceCreate

api-ms-win-devices-query-l1-1-0

DevCloseObjectQuery
DevCreateObjectQuery
DevCreateObjectQueryFromId

api-ms-win-core-kernel32-legacy-l1-1-0

DosDateTimeToFileTime
GetComputerNameW

api-ms-win-core-kernel32-legacy-l1-1-1

VerifyVersionInfoW

kernelbase

LocalAlloc
LocalReAlloc
GetIsEdpEnabled

api-ms-win-eventing-classicprovider-l1-1-0

TraceMessage

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime
GetTimeZoneInformation

dsrole

DsRoleGetPrimaryDomainInformation
DsRoleFreeMemory

iphlpapi

GetAdaptersAddresses

api-ms-win-core-registry-l1-1-1

RegSetKeyValueW
RegDeleteKeyValueW

api-ms-win-core-file-l2-1-0

MoveFileExW

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-core-winrt-l1-1-0

RoGetActivationFactory

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-util-l1-1-0

EncodePointer
DecodePointer

api-ms-win-eventlog-legacy-l1-1-0

DeregisterEventSource
RegisterEventSourceW
ReportEventW

api-ms-win-core-privateprofile-l1-1-0

GetPrivateProfileSectionW
GetPrivateProfileStringW

Exports

Exports

DllMain
InitializePrintMonitor2
InitializePrintProvidor

Sections

.text
Size: 884KB - Virtual size: 883KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 337KB - Virtual size: 337KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 22KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 52KB - Virtual size: 52KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1024B - Virtual size: 664B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
x64_x32_installer__v4.3.7.msi
.msi

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

0e436b03a9170a850ade7a48204599a3

Code Sign

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3cCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

6c:a5:d2:e2:b6:11:6e:26:00:33:af:bf:01:10:f8:87:22:4e:eb:79:ad:95:a0:fc:f5:95:6e:56:48:d7:5a:65Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-private-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-shell-namespace-l1-1-0

bcp47langs

shcore

windows.storage

gdi32

ntdll

ole32

shlwapi

slc

user32

msvcp_win

api-ms-win-core-localization-l1-2-0

api-ms-win-core-path-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-memory-l1-1-1

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-core-file-l1-2-0

api-ms-win-core-file-l2-1-2

api-ms-win-core-largeinteger-l1-1-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-core-registry-l1-1-0

userenv

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-core-localization-obsolete-l1-2-0

api-ms-win-core-registry-l1-1-1

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-security-base-l1-1-0

api-ms-win-security-capability-l1-1-0

api-ms-win-shcore-stream-l1-1-0

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-appmodel-runtime-l1-1-3

api-ms-win-appmodel-runtime-l1-1-0

api-ms-win-crt-math-l1-1-0

Exports

33:00:00:03:3c:89:c6:6a:7b:45:bb:1f:bd:00:00:00:00:03:3c
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

6c:a5:d2:e2:b6:11:6e:26:00:33:af:bf:01:10:f8:87:22:4e:eb:79:ad:95:a0:fc:f5:95:6e:56:48:d7:5a:65
Signer

.text
Size: 405KB - Virtual size: 404KB

.rdata
Size: 111KB - Virtual size: 110KB

.data
Size: 1KB - Virtual size: 4KB

.pdata
Size: 15KB - Virtual size: 14KB

.didat
Size: 1024B - Virtual size: 656B

.rsrc
Size: 16KB - Virtual size: 16KB

.reloc
Size: 4KB - Virtual size: 3KB

.text
Size: 87KB - Virtual size: 87KB

.rdata
Size: 30KB - Virtual size: 29KB

.data
Size: 512B - Virtual size: 2KB

.pdata
Size: 4KB - Virtual size: 4KB

.rsrc
Size: 2KB - Virtual size: 2KB

.reloc
Size: 1KB - Virtual size: 1KB