CWindows[.]zip

Sharing

Copy URL Twitter E-mail

General

Target

CWindows.zip
Size

4.6MB
MD5

29dee358230ec733f66d9c2138522679
SHA1

9c4eb6534daba62e5e42d3643b72c26c549aa7dc
SHA256

a5ea69c6080e807e99cb7fa70ab995725250220151ee3e55f0811a47f4cba6e3
SHA512

e988305e36fb25dac22baf3cb415dea90f655536cec11c2a87a5f38b677569326e4a6e3bc956941c23c23600146aab026d0b53a44cfb8c71ae7f74b2d5eebe45
SSDEEP

98304:xVKiu2q9/sY/uXDSfzAgfpKDJasRiTb1SZzZ4DoornG8y7VMW:qiu5LAgxKkscb1SZdSxKqW

Score

3^/10

Malware Config

Signatures

Unsigned PE 9 IoCs

Checks for missing Authenticode signature.

resource
unpack001/HelpPane.exe
unpack001/bfsvc.exe
unpack001/hh.exe
unpack001/notepad.exe
unpack001/regedit.exe
unpack001/splwow64.exe
unpack001/twain_32.dll
unpack001/winhlp32.exe
unpack001/write.exe

Files

CWindows.zip
.zip
Core.xml
DirectX.log
DtcInstall.log
HelpPane.exe
.exe windows:10 windows x64 arch:x64

25bd8cfe71808f06ece80231211e68cb

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

helppane.pdb

Imports

advapi32

RegisterTraceGuidsW
GetTraceEnableLevel
GetTraceEnableFlags
GetTraceLoggerHandle
TraceEvent
RegOpenKeyW
RegQueryValueExW
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyExW
RegSetValueExW
RegCreateKeyExW
RegDeleteValueW
UnregisterTraceGuids
EventUnregister
EventRegister
EventSetInformation
EventWriteTransfer
RegGetValueW
EqualSid
OpenThreadToken
OpenProcessToken
GetTokenInformation
GetSidLengthRequired
InitializeSid
IsValidSid
GetSidSubAuthority
GetLengthSid
CopySid
SetEntriesInAclW

kernel32

LocalFree
CloseHandle
GetLastError
WaitForSingleObject
SetEvent
GetQueuedCompletionStatus
ResetEvent
PostQueuedCompletionStatus
GetSystemInfo
CreateIoCompletionPort
CreateEventW
ProcessIdToSessionId
GetCurrentProcessId
GetExitCodeThread
TerminateThread
LoadLibraryExW
lstrcmpiW
CreateMutexW
GetSystemDirectoryW
SetCurrentDirectoryW
HeapSetInformation
ReleaseMutex
HeapAlloc
GetProcessHeap
HeapFree
GetModuleHandleExW
GetModuleFileNameA
DebugBreak
IsDebuggerPresent
FormatMessageW
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
AcquireSRWLockShared
ReleaseSRWLockShared
LockResource
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
WaitForSingleObjectEx
InitializeCriticalSectionEx
OpenSemaphoreW
CreateThreadpoolTimer
GetFileAttributesW
InitOnceComplete
InitOnceBeginInitialize
GetPackagesByPackageFamily
GetCurrentThread
CompareStringW
CreateMutexExW
CreateSemaphoreExW
CreateThread
ResumeThread
MulDiv
WaitForMultipleObjects
GetCurrentProcess
LocalAlloc
GlobalFree
GlobalAlloc
GetVersionExW
MultiByteToWideChar
LoadLibraryW
FreeLibrary
RaiseException
GetCurrentThreadId
SetLastError
GetModuleFileNameW
InitializeCriticalSection
ExpandEnvironmentStringsW
FindResourceExW
OutputDebugStringW
GetProcAddress
GetModuleHandleW
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
LoadResource
DelayLoadFailureHook
ResolveDelayLoadedAPI
SizeofResource
ReleaseSemaphore

gdi32

GetTextExtentPoint32W
SelectObject
GetDeviceCaps
GetStockObject
CreateFontIndirectW
GetObjectW
SetTextColor
SetBkMode
DeleteObject

user32

IsIconic
GetWindowPlacement
MonitorFromRect
GetMonitorInfoW
GetWindowRect
MonitorFromPoint
GetProcessDefaultLayout
GetDC
ReleaseDC
ShowWindow
GetDlgItem
CheckDlgButton
IsDlgButtonChecked
EnableWindow
EndDialog
BringWindowToTop
SetDlgItemTextW
GetDlgItemTextW
UnregisterClassA
SetCursor
LockWindowUpdate
PostQuitMessage
LoadCursorW
SystemParametersInfoW
DestroyIcon
GetSystemMetrics
DispatchMessageW
TranslateMessage
TranslateAcceleratorW
GetMessageW
LoadAcceleratorsW
CharNextW
PostMessageW
KillTimer
SetTimer
MessageBoxW
SetActiveWindow
GetKeyState
SetWindowTextW
DestroyMenu
DialogBoxParamW
TrackPopupMenuEx
ClientToScreen
EnableMenuItem
CheckMenuRadioItem
InvalidateRect
GetParent
LoadMenuW
GetSubMenu
CallWindowProcW
GetWindowLongPtrW
SetWindowLongPtrW
RegisterClassExW
GetClassInfoExW
DefWindowProcW
CreateWindowExW
SetFocus
IsWindowVisible
IsWindowEnabled
MoveWindow
AdjustWindowRectEx
GetMenu
GetWindowLongW
SetWindowPos
GetSysColorBrush
GetSysColor
IsZoomed
GetClientRect
SendMessageW

msvcp_win

?_Xlength_error@std@@YAXPEBD@Z

api-ms-win-crt-string-l1-1-0

wcscmp
memset

api-ms-win-crt-runtime-l1-1-0

_initterm_e
_register_thread_local_exe_atexit_callback
_c_exit
_initterm

api-ms-win-crt-private-l1-1-0

_o__configthreadlocale
_o__configure_wide_argv
_o__crt_atexit
_o__errno
_o__exit
_o__get_wide_winmain_command_line
_o__initialize_onexit_table
_o__initialize_wide_environment
_o__invalid_parameter_noinfo
_o__invalid_parameter_noinfo_noreturn
_o__itow_s
_o__cexit
_o__purecall
_o__recalloc
_o__register_onexit_function
_o__resetstkoflw
_o__seh_filter_exe
_o__set_app_type
_o__set_fmode
_o__set_new_mode
_o__wcsicmp
_o__wcslwr_s
_o__wcsnicmp
_o__wtoi
_o_abort
_o_calloc
_o_exit
_o_free
_o_iswspace
_o_malloc
_o_terminate
_o_towupper
_o_wcscat_s
_o_wcscpy_s
_o_wcsncpy_s
_o_wmemcpy_s
__current_exception
__current_exception_context
__CxxFrameHandler3
_CxxThrowException
_o__callnewh
_o__beginthreadex
_o___stdio_common_vswprintf_s
_o___stdio_common_vswprintf
_o___stdio_common_vsnprintf_s
_o___std_exception_destroy
_o___std_exception_copy
_o___p__commode
wcschr
wcsstr
__C_specific_handler
__std_terminate
__CxxFrameHandler4
__C_specific_handler_noexcept
memcmp
memcpy
memmove

comctl32

ord344
ord380
ImageList_LoadImageW
InitCommonControlsEx
ord345
ImageList_Destroy

ole32

CoUninitialize
CoTaskMemAlloc
CoGetMalloc
CoInitialize
CoTaskMemFree
CoTaskMemRealloc
OleInitialize
CoInitializeSecurity
PropVariantClear
CoResumeClassObjects
CoRevokeClassObject
OleUninitialize
CoImpersonateClient
CoCreateInstance
CoRevertToSelf
CoRegisterClassObject

oleaut32

DispCallFunc
LoadTypeLi
LoadRegTypeLi
SysAllocStringLen
VariantInit
VariantClear
SysAllocString
SysFreeString
SysStringLen
SysStringByteLen
SysAllocStringByteLen
VarUI4FromStr
LoadTypeLibEx
VarBstrCat
SetErrorInfo
GetErrorInfo
VariantCopy

shell32

ShellExecuteW
SHGetPropertyStoreForWindow

shlwapi

ord2
SHStrDupW
SHRegGetValueW
ord176
SHGetValueW
UrlUnescapeW
UrlEscapeW

ntdll

NtQueryInformationToken
NtOpenProcessToken
NtOpenThreadToken
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
NtClose

api-ms-win-core-path-l1-1-0

PathCchAppend

api-ms-win-core-heap-l1-1-0

HeapReAlloc
HeapDestroy
HeapSize

api-ms-win-core-memory-l1-1-0

VirtualFree
VirtualAlloc

api-ms-win-core-libraryloader-l1-2-0

LoadLibraryExA

api-ms-win-core-util-l1-1-0

DecodePointer
EncodePointer

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent
FlushInstructionCache
GetProcessMitigationPolicy

api-ms-win-core-interlocked-l1-1-0

InterlockedPushEntrySList
InitializeSListHead
InterlockedPopEntrySList

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
UnhandledExceptionFilter

api-ms-win-core-processthreads-l1-1-0

TerminateProcess
GetStartupInfoW

api-ms-win-core-synch-l1-1-0

InitializeCriticalSectionAndSpinCount
OpenEventW

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime

api-ms-win-security-base-l1-1-0

FreeSid
SetSecurityDescriptorDacl
AllocateAndInitializeSid
InitializeSecurityDescriptor

api-ms-win-core-sysinfo-l1-2-0

GetProductInfo

api-ms-win-core-localization-l1-2-0

GetUserPreferredUILanguages

Sections

.text
Size: 376KB - Virtual size: 375KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 120KB - Virtual size: 118KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 112B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 524KB - Virtual size: 523KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
PFRO.log
Sysmon.exe
.exe windows:6 windows x64 arch:x64

a039666f8d08dd16e0909469da998438

Code Sign

33:00:00:04:50:0d:a4:5d:0a:6c:7a:8a:57:00:00:00:00:04:50
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/08/2023, 18:38

Not After

07/08/2024, 18:38

Subject

CN=Microsoft Windows Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

c2:31:93:8b:d7:81:93:89:94:f6:f9:6c:eb:2a:74:5b:cc:2d:81:ea:d4:e3:00:c8:32:39:65:06:90:d7:04:94
Signer

Actual PE Digest

c2:31:93:8b:d7:81:93:89:94:f6:f9:6c:eb:2a:74:5b:cc:2d:81:ea:d4:e3:00:c8:32:39:65:06:90:d7:04:94

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\a\1\s\exe\x64\Public_Release\Sysmon64.pdb

Imports

tdh

TdhGetEventInformation
TdhGetEventMapInformation

userenv

ExpandEnvironmentStringsForUserW

version

GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeExW
GetFileVersionInfoExW

netapi32

NetApiBufferFree
NetServerEnum

ws2_32

ntohs
gethostbyname
WSAStartup
inet_ntoa
gethostname
htons
getnameinfo

mpr

WNetCancelConnection2W
WNetAddConnection2W

wtsapi32

WTSQuerySessionInformationW
WTSFreeMemory
WTSQueryUserToken
WTSEnumerateSessionsW

ole32

CoInitializeEx
CoUninitialize
IIDFromString
CoSetProxyBlanket
CoCreateInstance
StringFromGUID2
CoInitializeSecurity

kernel32

Module32FirstW
K32EnumProcesses
SystemTimeToFileTime
GetSystemTime
SizeofResource
LockResource
LoadResource
FindResourceW
CreateDirectoryW
GetConsoleScreenBufferInfo
lstrlenW
RemoveDirectoryW
GetTempPathW
CreateFileW
GetFileAttributesW
GetSystemDirectoryW
Process32NextW
SetEvent
DeleteFileW
Process32FirstW
GetSystemInfo
VerSetConditionMask
GetComputerNameW
CreateProcessW
VerifyVersionInfoW
GetSystemTimeAsFileTime
GetTickCount
ConnectNamedPipe
GetExitCodeProcess
ExpandEnvironmentStringsW
ProcessIdToSessionId
ExitProcess
GetCurrentProcessId
CopyFileW
ReadFile
SetConsoleCtrlHandler
GetFileSizeEx
CreateThreadpool
WaitForMultipleObjects
SetThreadPriority
SetThreadpoolThreadMinimum
CreateEventW
SetThreadpoolThreadMaximum
GetOverlappedResult
SubmitThreadpoolWork
SetUnhandledExceptionFilter
CreateThreadpoolWork
QueryDosDeviceW
GetFullPathNameW
WriteFile
GetLogicalDriveStringsW
GetWindowsDirectoryW
GetTempFileNameW
K32GetMappedFileNameW
OpenProcess
ResetEvent
QueryPerformanceCounter
CreateThread
FindFirstFileW
FindNextFileW
FindClose
LoadLibraryW
K32GetModuleBaseNameW
WideCharToMultiByte
UnmapViewOfFile
CreateFileMappingW
MapViewOfFile
TerminateProcess
SetFileAttributesW
GlobalSize
FreeConsole
GlobalLock
GlobalUnlock
GetEnabledXStateFeatures
SystemTimeToTzSpecificLocalTime
PeekNamedPipe
GetFileInformationByHandle
GetDriveTypeW
FreeLibraryAndExitThread
ResumeThread
ExitThread
GetConsoleCP
GetModuleHandleExW
SetStdHandle
TlsFree
InitializeCriticalSectionAndSpinCount
InterlockedFlushSList
InterlockedPushEntrySList
RtlPcToFileHeader
RtlUnwindEx
RaiseException
OutputDebugStringW
GetCPInfo
CompareStringEx
LCMapStringEx
GetLocaleInfoEx
EncodePointer
GetStringTypeW
FormatMessageA
InitializeSListHead
GetStartupInfoW
IsDebuggerPresent
DeviceIoControl
CloseThreadpoolWork
RtlUnwind
AcquireSRWLockShared
DecodePointer
ReleaseSRWLockShared
CreateToolhelp32Snapshot
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
InitializeCriticalSectionEx
InitializeSRWLock
GetLastError
FormatMessageW
GetDateFormatW
FreeLibrary
GetTimeFormatW
FileTimeToSystemTime
MultiByteToWideChar
TlsGetValue
DeleteCriticalSection
CloseHandle
TlsAlloc
GetCurrentThread
Sleep
DuplicateHandle
ReleaseMutex
GetCurrentThreadId
WaitForSingleObject
CreateMutexW
InitializeCriticalSection
LeaveCriticalSection
GetCurrentProcess
EnterCriticalSection
TlsSetValue
GetModuleHandleW
LocalFree
GetProcAddress
LocalAlloc
GetStdHandle
GetCommandLineW
LoadLibraryExW
GetVersionExW
SetLastError
GetFileType
GetModuleFileNameW
GetCommandLineA
GetConsoleMode
ReadConsoleW
GetConsoleOutputCP
HeapFree
HeapAlloc
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
FlushFileBuffers
SetConsoleMode
GetNumberOfConsoleInputEvents
ReadConsoleInputW
PeekConsoleInputA
SetFilePointerEx
HeapReAlloc
SetCurrentDirectoryW
GetCurrentDirectoryW
HeapSize
FindFirstFileExW
IsValidCodePage
GetACP
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
SleepConditionVariableSRW
WakeAllConditionVariable
IsProcessorFeaturePresent
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetProcessHeap
GetTimeZoneInformation
WriteConsoleW
SetEndOfFile
QueryPerformanceFrequency

user32

ChangeClipboardChain
CloseClipboard
RegisterClassW
TranslateMessage
GetClipboardData
CreateWindowExW
MessageBoxW
UnregisterClassW
InflateRect
SendMessageW
OpenClipboard
SetWindowTextW
DialogBoxIndirectParamW
LoadCursorW
SetCursor
GetDlgItem
GetSysColorBrush
GetClipboardOwner
SetClipboardViewer
GetMessageW
GetWindowThreadProcessId
DispatchMessageW
EndDialog
GetPriorityClipboardFormat
GetClipboardSequenceNumber
DefWindowProcW

gdi32

StartPage
EndDoc
GetDeviceCaps
StartDocW
EndPage
SetMapMode

comdlg32

PrintDlgW

advapi32

LookupPrivilegeValueW
RegQueryValueExW
RegOpenKeyW
RegCreateKeyW
RegOpenKeyExW
RegCloseKey
GetSecurityDescriptorSacl
GetSecurityDescriptorDacl
CryptAcquireContextW
GetAce
CryptGenRandom
IsWellKnownSid
GetSecurityDescriptorOwner
GetFileSecurityW
CreateProcessAsUserW
ConvertStringSecurityDescriptorToSecurityDescriptorW
DuplicateTokenEx
CryptReleaseContext
DeregisterEventSource
GetSidSubAuthorityCount
GetSidSubAuthority
CopySid
RegisterEventSourceW
RegNotifyChangeKeyValue
RegisterServiceCtrlHandlerExW
SetSecurityDescriptorDacl
RegDeleteKeyW
SetServiceStatus
ChangeServiceConfig2W
SetEntriesInAclW
RegCreateKeyExW
InitializeSecurityDescriptor
StartServiceCtrlDispatcherW
QueryServiceConfigW
RegDeleteValueW
QueryServiceConfig2W
LookupAccountSidW
LookupAccountNameW
RegGetValueW
AdjustTokenPrivileges
RevertToSelf
CreateServiceW
QueryServiceStatus
EqualSid
CloseServiceHandle
OpenSCManagerW
AllocateAndInitializeSid
DeleteService
ControlService
ImpersonateLoggedOnUser
LogonUserW
OpenProcessToken
FreeSid
StartServiceW
RegConnectRegistryW
OpenServiceW
GetTokenInformation
GetLengthSid
GetSecurityDescriptorLength
ReportEventW
StartTraceW
ProcessTrace
CloseTrace
ControlTraceW
OpenTraceW
EnableTraceEx2
ConvertSidToStringSidW
RegSetValueExW

oleaut32

SafeArrayGetUBound
SysAllocStringByteLen
SafeArrayDestroy
VariantInit
SysStringByteLen
SafeArrayGetElement
GetErrorInfo
SetErrorInfo
SafeArrayGetLBound
SysAllocStringLen
CreateErrorInfo
VariantClear
VariantChangeType
SafeArrayAccessData
SafeArrayUnaccessData
SysStringLen
SysFreeString
SysAllocString

crypt32

CertDuplicateCertificateContext
CryptFindOIDInfo
CertGetNameStringW
CertGetCertificateChain

secur32

LsaGetLogonSessionData
LsaFreeReturnBuffer

rpcrt4

NdrServerCall2
NdrServerCallAll
NdrClientCall3
RpcServerRegisterIfEx
RpcStringFreeW
RpcServerUseProtseqEpW
I_RpcBindingInqLocalClientPID
RpcStringBindingComposeW
RpcBindingFromStringBindingW
RpcServerUnregisterIf

Sections

.text
Size: 2.0MB - Virtual size: 2.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 965KB - Virtual size: 964KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 20KB - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 97KB - Virtual size: 96KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1.3MB - Virtual size: 1.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
SysmonDrv.sys
.dll windows:6 windows x64 arch:x64

342fc705bf2a2c546e78c3e539ecd5fc

Code Sign

33:00:00:01:0b:30:c4:c6:3e:69:b2:c4:89:00:00:00:00:01:0b
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2023, 19:50

Not After

16/10/2024, 19:50

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0b:aa:c1:00:00:00:00:00:09
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

18/04/2012, 23:48

Not After

18/04/2027, 23:58

Subject

CN=Microsoft Windows Third Party Component CA 2012,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0c:7c:71:b8:f8:97:85:d6:4e:a8:bd:13:75:a8:56:27:65:12:7f:47:fe:5a:5a:50:54:b5:7d:ec:ab:b6:2a:5c
Signer

Actual PE Digest

0c:7c:71:b8:f8:97:85:d6:4e:a8:bd:13:75:a8:56:27:65:12:7f:47:fe:5a:5a:50:54:b5:7d:ec:ab:b6:2a:5c

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

D:\a\1\s\sys\x64\Public_Release\sysmondrv.pdb

Imports

fltmgr.sys

FltSetCallbackDataDirty
FltRegisterFilter
FltUnregisterFilter
FltStartFiltering
FltAllocatePoolAlignedWithTag
FltFreePoolAlignedWithTag
FltGetFileNameInformation
FltReleaseFileNameInformation
FltParseFileNameInformation
FltGetVolumeName
FltCreateFile
FltReadFile
FltWriteFile
FltQueryInformationFile
FltSetInformationFile
FltQuerySecurityObject
FltClose
FltAllocateContext
FltSetStreamContext
FltSetStreamHandleContext
FltDeleteContext
FltDeleteStreamHandleContext
FltGetStreamContext
FltGetStreamHandleContext
FltReleaseContext
FltGetVolumeProperties
FltQueryVolumeInformation

ntoskrnl.exe

wcsncpy
wcsstr
_wcsupr
RtlInitUnicodeString
RtlCompareUnicodeString
RtlCopyUnicodeString
RtlAppendUnicodeStringToString
RtlAppendUnicodeToString
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
RtlCompareMemory
KeInitializeEvent
KeResetEvent
KeSetEvent
KeWaitForMultipleObjects
KeWaitForSingleObject
ExFreePoolWithTag
ExAcquireFastMutex
ExReleaseFastMutex
ProbeForRead
ExQueueWorkItem
ExInitializeRundownProtection
ExAcquireRundownProtection
ExReleaseRundownProtection
ExWaitForRundownProtectionRelease
IoDeleteDevice
IoGetTopLevelIrp
ObReferenceObjectByHandle
ObfReferenceObject
ObfDereferenceObject
ZwClose
ZwMapViewOfSection
ZwUnmapViewOfSection
PsGetCurrentProcessId
PsGetThreadProcessId
IoVolumeDeviceToDosName
RtlEqualSid
RtlLengthSid
RtlCopySid
RtlGetSaclSecurityDescriptor
RtlCreateAcl
RtlGetAce
RtlAddAccessAllowedAceEx
RtlGetDaclSecurityDescriptor
RtlSetOwnerSecurityDescriptor
RtlGetOwnerSecurityDescriptor
IoQueryFileDosDeviceName
FsRtlCreateSectionForDataScan
_vsnwprintf
ZwQueryInformationProcess
RtlSetSaclSecurityDescriptor
RtlSetControlSecurityDescriptor
__C_specific_handler
IoFileObjectType
PsProcessType
SeExports
IoGetDeviceObjectPointer
ZwCreateFile
RtlGetVersion
KeEnterCriticalRegion
KeLeaveCriticalRegion
ExInitializeResourceLite
ExAcquireResourceSharedLite
ExAcquireResourceExclusiveLite
ExReleaseResourceLite
ExDeleteResourceLite
IoAttachDeviceToDeviceStack
IoCreateDevice
IoDetachDevice
IoSetCompletionRoutineEx
PsGetProcessId
PsLookupProcessByProcessId
IoGetRequestorProcess
IoThreadToProcess
PsInitialSystemProcess
strncmp
strncpy
MmGetSystemRoutineAddress
RtlAnsiStringToUnicodeString
IoGetCurrentProcess
ZwReadFile
PsSetCreateProcessNotifyRoutine
PsSetCreateThreadNotifyRoutine
PsRemoveCreateThreadNotifyRoutine
ZwOpenProcess
KeStackAttachProcess
KeUnstackDetachProcess
PsLookupThreadByThreadId
PsIsSystemThread
ObOpenObjectByPointer
ZwWaitForSingleObject
ZwQueryInformationToken
ZwQuerySystemInformation
ZwQueryInformationThread
ZwOpenProcessToken
PsThreadType
wcsncmp
KeDelayExecutionThread
IoAllocateWorkItem
IoFreeWorkItem
IoQueueWorkItem
PsGetCurrentThreadId
CmRegisterCallback
CmUnRegisterCallback
CmSetCallbackObjectContext
ObQueryNameString
RtlQueryRegistryValues
RtlFreeUnicodeString
ExAllocatePoolWithTag
ExAcquireFastMutexUnsafe
ExReleaseFastMutexUnsafe
ExGetPreviousMode
SeCaptureSubjectContext
SeReleaseSubjectContext
PsGetVersion
IoGetBootDiskInformation
IofCallDriver
IofCompleteRequest
IoCreateSymbolicLink
IoDeleteSymbolicLink
IoCsqInitializeEx
IoCsqInsertIrpEx
IoCsqRemoveNextIrp
ZwOpenKey
ZwQueryValueKey
SePrivilegeCheck
ZwQueryInformationFile
RtlUpcaseUnicodeString
ZwQueryVolumeInformationFile
PsSetLoadImageNotifyRoutine
PsRemoveLoadImageNotifyRoutine
SeTokenType
SeCreateClientSecurity
SeImpersonateClientEx
PsDereferencePrimaryToken
PsDereferenceImpersonationToken
PsRevertToSelf
ZwDuplicateObject
RtlWalkFrameChain
MmHighestUserAddress
towlower
wcschr
wcsrchr
_wcsicmp
_wcsnicmp
_stricmp
strrchr
RtlGetEnabledExtendedFeatures
KeBugCheckEx

Sections

.text
Size: 121KB - Virtual size: 121KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 17KB - Virtual size: 16KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 10KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

INIT
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
WMSysPr9.prx
WindowsShell.Manifest
.xml
WindowsUpdate.log
bfsvc.exe
.exe windows:10 windows x64 arch:x64

54245422db2bc4b8b196e28748bce9fe

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

bfsvc.pdb

Imports

msvcrt

_initterm
__setusermatherr
_vsnwprintf_s
_cexit
fwprintf
__C_specific_handler
swprintf_s
_wcmdln
_exit
exit
__set_app_type
wcsstr
wcschr
_snwscanf_s
_fmode
_commode
_wcslwr
_wcsicmp
wcsncmp
?terminate@@YAXXZ
wcsrchr
_wcsnicmp
wcsnlen
_vsnwprintf
memset
__wgetmainargs
__iob_func
_amsg_exit
memcmp
_XcptFilter
memcpy
fflush
wcscmp

rpcrt4

UuidCreate

bcrypt

BCryptCloseAlgorithmProvider
BCryptCreateHash
BCryptHashData
BCryptDestroyHash
BCryptFinishHash
BCryptOpenAlgorithmProvider

wintrust

WTHelperProvDataFromStateData
WinVerifyTrust
WTHelperGetProvSignerFromChain

crypt32

CertGetNameStringW

imagehlp

CheckSumMappedFile

ntdll

NtEnumerateBootEntries
NtQueryDirectoryObject
NtOpenDirectoryObject
NtTranslateFilePath
NtQueryBootOptions
NtQueryBootEntryOrder
NtQueryValueKey
NtQuerySymbolicLinkObject
NtOpenKey
NtOpenSymbolicLinkObject
RtlImpersonateSelf
NtOpenThreadTokenEx
NtOpenProcessTokenEx
NtAdjustPrivilegesToken
RtlFreeHeap
RtlAllocateHeap
NtSetInformationFile
NtQuerySystemEnvironmentValueEx
LdrAccessResource
LdrFindResource_U
NtOpenFile
NtQueryInformationThread
NtQueryInformationFile
RtlImageNtHeader
NtDeviceIoControlFile
NtSetInformationThread
NtReadFile
NtOpenProcess
NtQueryInformationProcess
RtlNtStatusToDosError
NtClose
RtlInitUnicodeString
NtWriteFile
NtQuerySystemInformation
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext

api-ms-win-core-registry-l1-1-0

RegOpenKeyExW
RegCloseKey
RegQueryValueExW

api-ms-win-shcore-obsolete-l1-1-0

CommandLineToArgvW

api-ms-win-core-errorhandling-l1-1-0

GetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter
SetLastError

api-ms-win-core-heap-l2-1-0

LocalAlloc
LocalFree

api-ms-win-core-synch-l1-2-0

Sleep

api-ms-win-core-processthreads-l1-1-0

OpenProcessToken
GetStartupInfoW
GetCurrentProcessId
GetCurrentThreadId
GetCurrentThread
GetCurrentProcess
SetThreadToken
TerminateProcess
OpenThreadToken

api-ms-win-core-libraryloader-l1-2-0

FreeLibrary
LoadLibraryExW
GetModuleHandleExW
GetProcAddress
GetModuleHandleW

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime

api-ms-win-core-file-l1-1-0

FindNextFileW
FindFirstFileW
GetVolumeInformationW
GetVolumePathNameW
CreateFileW
GetFileAttributesW
SetFileAttributesW
SetFileInformationByHandle
WriteFile
CreateDirectoryW
GetFullPathNameW
GetFileSizeEx
GetLongPathNameW
FlushFileBuffers
GetFileInformationByHandle
DeleteFileW
FindClose

api-ms-win-core-heap-l1-1-0

HeapFree
HeapAlloc
GetProcessHeap

api-ms-win-core-privateprofile-l1-1-0

GetPrivateProfileSectionW

api-ms-win-core-file-l1-2-0

GetVolumeNameForVolumeMountPointW

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-file-l2-1-0

MoveFileExW
GetFileInformationByHandleEx
CopyFileExW

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer
EventUnregister
EventRegister

api-ms-win-core-shlwapi-legacy-l1-1-0

PathRemoveBackslashW

api-ms-win-core-io-l1-1-0

DeviceIoControl

api-ms-win-core-memory-l1-1-0

UnmapViewOfFile
MapViewOfFile
CreateFileMappingW

api-ms-win-security-base-l1-1-0

GetTokenInformation
GetSecurityDescriptorControl
DuplicateTokenEx
GetSecurityDescriptorOwner
GetSecurityDescriptorSacl
GetSecurityDescriptorGroup
GetSecurityDescriptorDacl
AdjustTokenPrivileges

api-ms-win-security-sddl-l1-1-0

ConvertSidToStringSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW

api-ms-win-security-provider-l1-1-0

SetNamedSecurityInfoW

api-ms-win-security-lsalookup-l2-1-0

LookupPrivilegeValueW

Sections

.text
Size: 60KB - Virtual size: 56KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 40KB - Virtual size: 36KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 92B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
explorer.exe
.exe windows:10 windows x64 arch:x64

ed29db09a3da7714b9f5b1fc7db4dd57

Code Sign

33:00:00:04:60:cf:42:a9:12:31:5f:6f:b3:00:00:00:00:04:60
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/11/2023, 19:20

Not After

14/11/2024, 19:20

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

a6:f1:46:8b:cb:75:e7:80:89:95:ae:80:c5:6f:91:f5:ee:a0:5c:da:50:7c:23:2f:4a:3d:e3:18:e8:c2:12:0d
Signer

Actual PE Digest

a6:f1:46:8b:cb:75:e7:80:89:95:ae:80:c5:6f:91:f5:ee:a0:5c:da:50:7c:23:2f:4a:3d:e3:18:e8:c2:12:0d

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

explorer.pdb

Imports

msvcp_win

?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?peek@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAHXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?get@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAHXZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Winerror_map@std@@YAHH@Z
?_Syserror_map@std@@YAPEBDH@Z
?_ReportUnobservedException@details@Concurrency@@YAXXZ
_Cnd_wait
?_Xinvalid_argument@std@@YAXPEBD@Z
??0?$basic_iostream@GU?$char_traits@G@std@@@std@@QEAA@PEAV?$basic_streambuf@GU?$char_traits@G@std@@@1@@Z
??0?$basic_ios@GU?$char_traits@G@std@@@std@@IEAA@XZ
?setp@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXPEAG00@Z
?epptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?setg@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXPEAG00@Z
?egptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?eback@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?setp@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXPEAG0@Z
??0?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAA@XZ
?pbase@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?sputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAA_JPEBG_J@Z
?imbue@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAXAEBVlocale@2@@Z
?setbuf@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAPEAV12@PEAG_J@Z
?xsgetn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEAG_J@Z
?uflow@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAGXZ
?showmanyc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JXZ
?tolower@?$ctype@G@std@@QEBAPEBGPEAGPEBG@Z
?tolower@?$ctype@G@std@@QEBAGG@Z
?xsputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEBG_J@Z
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ
_Wcscoll
_Wcsxfrm
?id@?$collate@G@std@@2V0locale@2@A
??Bid@locale@std@@QEAA_KXZ
?id@?$ctype@G@std@@2V0locale@2@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
??0facet@locale@std@@IEAA@_K@Z
??1facet@locale@std@@MEAA@XZ
??0_Lockit@std@@QEAA@H@Z
??0_Locinfo@std@@QEAA@PEBD@Z
?c_str@?$_Yarn@D@std@@QEBAPEBDXZ
??1_Lockit@std@@QEAA@XZ
??1_Locinfo@std@@QEAA@XZ
?is@?$ctype@G@std@@QEBA_NFG@Z
?_Getcat@?$ctype@G@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
??1?$basic_iostream@GU?$char_traits@G@std@@@std@@UEAA@XZ
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
??1?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAA@XZ
?gbump@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXH@Z
?pptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?gptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
??1?$basic_ios@GU?$char_traits@G@std@@@std@@UEAA@XZ
?_Lock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
?tie@?$basic_ios@GU?$char_traits@G@std@@@std@@QEBAPEAV?$basic_ostream@GU?$char_traits@G@std@@@2@XZ
?flush@?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAAEAV12@XZ
?_Unlock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
?uncaught_exception@std@@YA_NXZ
?good@ios_base@std@@QEBA_NXZ
?sync@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAHXZ
?_Osfx@?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAXXZ
?width@ios_base@std@@QEBA_JXZ
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?flags@ios_base@std@@QEBAHXZ
?_Xbad_alloc@std@@YAXXZ
?_Xout_of_range@std@@YAXPEBD@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?_Pninc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAPEAGXZ
?sputc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAAGG@Z
?rdbuf@?$basic_ios@GU?$char_traits@G@std@@@std@@QEBAPEAV?$basic_streambuf@GU?$char_traits@G@std@@@2@XZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
_Thrd_yield
?_Xbad_function_call@std@@YAXXZ
?__ExceptionPtrCreate@@YAXPEAX@Z
?fill@?$basic_ios@GU?$char_traits@G@std@@@std@@QEBAGXZ
?__ExceptionPtrDestroy@@YAXPEAX@Z
?__ExceptionPtrAssign@@YAXPEAXPEBX@Z
?width@ios_base@std@@QEAA_J_J@Z
?__ExceptionPtrCopy@@YAXPEAXPEBX@Z
?__ExceptionPtrCurrentException@@YAXPEAX@Z
?__ExceptionPtrRethrow@@YAXPEBX@Z
?__ExceptionPtrCopyException@@YAXPEAXPEBX1@Z
_Thrd_detach
?_Throw_C_error@std@@YAXH@Z
?_Throw_Cpp_error@std@@YAXH@Z
_Thrd_join
_Thrd_id
?setstate@?$basic_ios@GU?$char_traits@G@std@@@std@@QEAAXH_N@Z
_Cnd_do_broadcast_at_thread_exit
?_Incref@facet@locale@std@@UEAAXXZ
_Mtx_lock
_Mtx_unlock
?_Xlength_error@std@@YAXPEBD@Z

api-ms-win-crt-runtime-l1-1-0

_c_exit
_initterm_e
_initterm
_set_error_mode
_register_thread_local_exe_atexit_callback

api-ms-win-crt-string-l1-1-0

wcsncmp
wcscspn
memset
strncmp
wcscmp

api-ms-win-crt-time-l1-1-0

_time64

api-ms-win-crt-private-l1-1-0

_o_free
_o_iswspace
_o_lround
_o_lroundf
_o_malloc
_o_memcpy_s
_o_pow
_o_realloc
_o_sqrt
_o_terminate
_o_wcscat_s
_o_wcscpy_s
_o_wcsncpy_s
_o_wcstol
_o_wcstoll
__C_specific_handler
__current_exception
__current_exception_context
__CxxFrameHandler3
_o__ltow_s
_o_ceilf
_o_ceil
__C_specific_handler_noexcept
_o__localtime64
_o__wcsnicmp
_o__wcslwr_s
_o__wcsicmp
_o_fmod
_o_exit
_o__itow_s
_o__itoa_s
_o__set_new_mode
_o__set_fmode
_o__set_errno
_o__set_app_type
_o__seh_filter_exe
_o__register_onexit_function
_o__recalloc
_o__purecall
_o_abort
_o__mktime64
_o_floorf
_o_floor
_o__wtoi
_o__invalid_parameter_noinfo_noreturn
_o__invalid_parameter_noinfo
_o__initialize_wide_environment
_o__initialize_onexit_table
_o__get_wide_winmain_command_line
_o__get_errno
_o__exit
_o__errno
_o__difftime64
_o__crt_atexit
_o__configure_wide_argv
_o__configthreadlocale
_o__cexit
_o__beginthreadex
_o___stdio_common_vswprintf
_o___stdio_common_vsnwprintf_s
_o___stdio_common_vsnprintf_s
_o___std_exception_destroy
_o___std_exception_copy
_o___p__commode
_o____lc_codepage_func
wcsrchr
wcsstr
__std_terminate
__CxxFrameHandler4
_CxxThrowException

aepic

PicFreeFileInfo
PicRetrieveFileInfo

twinapi

ord9

api-ms-win-core-job-l2-1-0

OpenJobObjectW
AssignProcessToJobObject
CreateJobObjectW
QueryInformationJobObject
SetInformationJobObject

api-ms-win-core-windowserrorreporting-l1-1-3

RegisterApplicationRestart

api-ms-win-core-url-l1-1-0

PathIsURLW
HashData
UrlUnescapeW

api-ms-win-core-windowserrorreporting-l1-1-1

WerRegisterCustomMetadata
WerUnregisterCustomMetadata

api-ms-win-core-kernel32-private-l1-1-0

CheckElevation
CheckElevationEnabled

api-ms-win-core-registryuserspecific-l1-1-0

SHRegGetBoolUSValueW
SHRegGetUSValueW

api-ms-win-core-com-private-l1-1-0

CoRevokeInitializeSpy
CoRegisterInitializeSpy
CoRegisterMessageFilter

api-ms-win-core-atoms-l1-1-0

GlobalGetAtomNameW

api-ms-win-core-sidebyside-l1-1-0

ActivateActCtx
CreateActCtxW
DeactivateActCtx
ReleaseActCtx

ntdll

NtDeviceIoControlFile
NtQueryWnfStateData
NtSetInformationProcess
NtQueryInformationProcess
RtlCaptureContext
WinSqmAddToStream
NtClose
RtlGetVersion
ZwQuerySystemInformation
ZwQueryValueKey
ZwOpenKey
ZwClose
RtlReAllocateHeap
ZwEnumerateValueKey
ZwCreateFile
NtQueryInformationFile
RtlAppendUnicodeToString
RtlAnsiStringToUnicodeString
RtlImageDirectoryEntryToData
ZwUnmapViewOfSection
RtlNtPathNameToDosPathName
RtlUpcaseUnicodeChar
ZwCreateSection
RtlxAnsiStringToUnicodeSize
ZwQueryInformationProcess
RtlpEnsureBufferSize
RtlGetNativeSystemInformation
RtlVerifyVersionInfo
ZwQueryDirectoryFile
ZwSetInformationProcess
RtlInitUnicodeStringEx
ZwMapViewOfSection
RtlFormatCurrentUserKeyPath
ZwEnumerateKey
RtlInitString
ZwOpenFile
ZwQueryInformationFile
LdrResSearchResource
RtlReleaseSRWLockShared
RtlAcquireSRWLockShared
RtlReleaseSRWLockExclusive
RtlAcquireSRWLockExclusive
RtlInitUnicodeString
RtlUnsubscribeWnfNotificationWaitForCompletion
RtlSubscribeWnfStateChangeNotification
RtlQueryWnfStateData
RtlFlushHeaps
NtSetSystemInformation
RtlPublishWnfStateData
RtlGetDeviceFamilyInfoEnum
RtlNtStatusToDosError
RtlLookupFunctionEntry
RtlVirtualUnwind
strchr
memmove_s
RtlDosPathNameToNtPathName_U_WithStatus
RtlFreeUnicodeString
wcschr
RtlAllocateHeap
RtlFreeHeap
RtlCompareUnicodeString
NtOpenProcessToken
NtQueryInformationToken
NtOpenThreadToken
wcsspn
WinSqmIsOptedIn
memcpy
memcmp
memmove
RtlAppendUnicodeStringToString
VerSetConditionMask
RtlRunOnceExecuteOnce
RtlCopyUnicodeString
RtlUpcaseUnicodeString
RtlNtStatusToDosErrorNoTeb
NtSetThreadExecutionState
NtPowerInformation
RtlQueryResourcePolicy
RtlQueryUnbiasedInterruptTime
NtQuerySystemInformation
RtlGetNtSystemRoot
NtOpenFile

api-ms-win-core-libraryloader-l1-2-0

SizeofResource
GetProcAddress
FreeLibrary
LockResource
LoadResource
LoadLibraryExW
FindResourceExW
GetModuleFileNameW
GetModuleHandleExW
GetModuleFileNameA
GetModuleHandleA
LoadStringW
GetModuleHandleW
FindStringOrdinal

api-ms-win-core-synch-l1-2-0

InitOnceComplete
InitOnceBeginInitialize
Sleep
InitOnceExecuteOnce

api-ms-win-core-synch-l1-1-0

LeaveCriticalSection
ReleaseSRWLockShared
CreateMutexExW
ReleaseSemaphore
AcquireSRWLockShared
EnterCriticalSection
SleepEx
DeleteCriticalSection
InitializeCriticalSectionEx
OpenMutexW
OpenEventW
WaitForSingleObject
ReleaseMutex
SetEvent
TryEnterCriticalSection
CreateEventW
CreateEventExW
WaitForSingleObjectEx
InitializeSRWLock
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
ReleaseSRWLockExclusive
TryAcquireSRWLockShared
CreateSemaphoreExW
WaitForMultipleObjectsEx
AcquireSRWLockExclusive
CreateMutexW
ResetEvent
OpenSemaphoreW

api-ms-win-core-heap-l1-1-0

HeapFree
HeapAlloc
GetProcessHeap

api-ms-win-core-errorhandling-l1-1-0

RaiseException
SetLastError
SetUnhandledExceptionFilter
SetErrorMode
GetLastError
UnhandledExceptionFilter

api-ms-win-core-file-l1-1-0

GetFileAttributesW
GetLongPathNameW
GetFileAttributesExW
FindFirstFileW
FindNextFileW
FindClose
DeleteFileW
CompareFileTime
CreateFileW
WriteFile

api-ms-win-eventing-provider-l1-1-0

EventEnabled
EventWriteTransfer
EventRegister
EventSetInformation
EventUnregister
EventActivityIdControl
EventWrite

api-ms-win-core-threadpool-l1-2-0

CloseThreadpoolTimer
CreateThreadpoolWork
WaitForThreadpoolTimerCallbacks
CreateThreadpoolTimer
CreateThreadpoolIo
StartThreadpoolIo
CancelThreadpoolIo
WaitForThreadpoolIoCallbacks
CloseThreadpoolIo
TrySubmitThreadpoolCallback
CloseThreadpoolWait
SubmitThreadpoolWork
SetThreadpoolTimer
WaitForThreadpoolWaitCallbacks
SetThreadpoolWait
CreateThreadpoolWait

api-ms-win-core-processthreads-l1-1-0

GetCurrentThread
OpenProcessToken
OpenThreadToken
GetCurrentThreadId
SetThreadPriorityBoost
GetCurrentProcess
ProcessIdToSessionId
TerminateProcess
QueueUserAPC
TlsSetValue
TlsAlloc
GetThreadPriority
CreateProcessW
GetCurrentProcessId
GetExitCodeProcess
TlsGetValue
CreateThread
SetPriorityClass
SetThreadPriority
TlsFree
GetProcessId
OpenThread
UpdateProcThreadAttribute
ResumeThread
GetPriorityClass
InitializeProcThreadAttributeList
DeleteProcThreadAttributeList
SetProcessShutdownParameters
ExitProcess
GetStartupInfoW

api-ms-win-core-localization-l1-2-0

GetGeoInfoW
FormatMessageA
GetThreadUILanguage
GetCalendarInfoW
GetLocaleInfoEx
FormatMessageW
GetLocaleInfoW

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
DebugBreak
OutputDebugStringW

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

oleaut32

SafeArrayDestroy
VarUI4FromStr
SysAllocString
SysFreeString
SafeArrayUnaccessData
SafeArrayCreate
VariantInit
VariantClear
SysStringLen
SysAllocStringByteLen
SafeArrayAccessData

api-ms-win-shcore-taskpool-l1-1-0

SHTaskPoolGetUniqueContext
SHTaskPoolQueueTask

api-ms-win-shcore-sysinfo-l1-1-0

SetCurrentProcessExplicitAppUserModelID
IsOS

api-ms-win-core-com-l1-1-0

StringFromGUID2
StringFromIID
CoCreateGuid
CreateStreamOnHGlobal
CoSetProxyBlanket
CoFreeUnusedLibraries
CoRegisterClassObject
CoUninitialize
CoInitializeSecurity
CoInitializeEx
CoEnableCallCancellation
CoDisableCallCancellation
CoCancelCall
CoCreateFreeThreadedMarshaler
IIDFromString
CoReleaseMarshalData
CoGetInterfaceAndReleaseStream
CoMarshalInterThreadInterfaceInStream
PropVariantClear
CoGetCallContext
CoRevokeClassObject
CoGetObjectContext
CoWaitForMultipleHandles
CLSIDFromString
StringFromCLSID
CoGetApartmentType
CoTaskMemRealloc
CoTaskMemAlloc
CoGetMalloc
CoGetStdMarshalEx
CoTaskMemFree
CoCreateInstance

api-ms-win-core-shlwapi-obsolete-l1-1-0

StrToIntW
StrChrW
StrCmpNIW
StrCmpW
StrCmpIW
StrChrIW
StrCmpNICW
QISearch
StrCmpICW
StrCmpICA

api-ms-win-shcore-obsolete-l1-1-0

SHStrDupW

api-ms-win-core-registry-l1-1-0

RegQueryInfoKeyW
RegDeleteKeyExW
RegDeleteTreeW
RegOpenCurrentUser
RegCloseKey
RegEnumValueW
RegSetValueExW
RegQueryValueExW
RegCreateKeyExW
RegOpenKeyExW
RegNotifyChangeKeyValue
RegDeleteValueW
RegEnumKeyExW
RegLoadMUIStringW
RegGetValueW

api-ms-win-shcore-comhelpers-l1-1-0

IUnknown_SetSite
IUnknown_QueryService
IUnknown_Set
IUnknown_GetSite

api-ms-win-core-heap-l2-1-0

GlobalAlloc
GlobalFree
LocalFree
LocalAlloc
LocalReAlloc

api-ms-win-core-processthreads-l1-1-1

OpenProcess
IsProcessorFeaturePresent
GetProcessMitigationPolicy

api-ms-win-core-datetime-l1-1-0

GetDateFormatW

api-ms-win-core-sysinfo-l1-1-0

GetTickCount64
GetSystemDirectoryW
GetSystemTime
GetTickCount
GetWindowsDirectoryW
GetSystemTimeAsFileTime
GetVersionExW
GetLocalTime

api-ms-win-core-datetime-l1-1-1

GetDateFormatEx
GetTimeFormatEx

api-ms-win-core-processenvironment-l1-1-0

GetCommandLineW
ExpandEnvironmentStringsW
GetCurrentDirectoryW
GetEnvironmentVariableW
SetEnvironmentVariableW
SearchPathW

api-ms-win-core-shlwapi-legacy-l1-1-0

PathRemoveBlanksW
PathGetArgsW
PathIsFileSpecW
PathFindFileNameW
PathCommonPrefixW
PathFindExtensionW
PathRemoveFileSpecW
PathParseIconLocationW
SHExpandEnvironmentStringsW
PathQuoteSpacesW
PathCombineW
PathGetDriveNumberW
PathFileExistsW

api-ms-win-shcore-registry-l1-1-0

SHGetValueW
SHEnumKeyExW
SHSetValueW
SHDeleteValueW
SHDeleteKeyW
SHRegGetValueW
SHQueryInfoKeyW

api-ms-win-core-string-l1-1-0

CompareStringW
MultiByteToWideChar
CompareStringOrdinal
WideCharToMultiByte

api-ms-win-core-winrt-string-l1-1-0

WindowsPromoteStringBuffer
WindowsCompareStringOrdinal
WindowsCreateString
WindowsDeleteStringBuffer
WindowsSubstringWithSpecifiedLength
WindowsPreallocateStringBuffer
WindowsGetStringRawBuffer
WindowsDeleteString
WindowsCreateStringReference
WindowsDuplicateString

api-ms-win-shcore-thread-l1-1-0

SHCreateThreadRef
SHSetThreadRef
SHGetThreadRef
SHCreateThread
SetProcessReference

api-ms-win-core-libraryloader-l1-2-1

FindResourceW
LoadLibraryW

api-ms-win-security-base-l1-1-0

SetKernelObjectSecurity
EqualSid
AllocateAndInitializeSid
CreateWellKnownSid
GetTokenInformation
CopySid
FreeSid
GetSecurityDescriptorDacl
IsValidSid
DeleteAce
GetAclInformation
GetAce
MakeAbsoluteSD
GetLengthSid
InitializeAcl
AddAce
CheckTokenMembership
DuplicateToken

api-ms-win-core-psapi-l1-1-0

K32GetModuleBaseNameW
K32GetModuleFileNameExW
K32EnumProcessModules
QueryFullProcessImageNameW
K32EnumProcesses

api-ms-win-core-version-l1-1-0

GetFileVersionInfoSizeExW
GetFileVersionInfoExW
VerQueryValueW

api-ms-win-eventing-classicprovider-l1-1-0

UnregisterTraceGuids
RegisterTraceGuidsW
TraceMessage
GetTraceEnableFlags
GetTraceLoggerHandle
GetTraceEnableLevel

api-ms-win-core-localization-obsolete-l1-2-0

GetUserDefaultUILanguage

api-ms-win-core-string-l2-1-1

SHLoadIndirectString

api-ms-win-core-processthreads-l1-1-3

SetProcessInformation
SetThreadDescription

api-ms-win-core-registry-l1-1-1

RegSetKeyValueW

api-ms-win-core-winrt-l1-1-0

RoUninitialize
RoGetActivationFactory
RoActivateInstance
RoInitialize

api-ms-win-core-com-l1-1-1

RoGetAgileReference

api-ms-win-core-winrt-error-l1-1-0

RoTransformError
RoOriginateError
SetRestrictedErrorInfo

api-ms-win-core-winrt-error-l1-1-1

RoGetMatchingRestrictedErrorInfo

api-ms-win-core-path-l1-1-0

PathCchRemoveFileSpec
PathCchAddExtension
PathCchSkipRoot
PathCchCombine
PathCchAppend
PathAllocCombine

api-ms-win-shcore-unicodeansi-l1-1-0

SHAnsiToUnicode

api-ms-win-core-heap-obsolete-l1-1-0

GlobalLock
GlobalUnlock

api-ms-win-core-string-obsolete-l1-1-0

lstrlenW
lstrcmpiW

api-ms-win-core-memory-l1-1-0

MapViewOfFile
VirtualAlloc
VirtualFree
VirtualProtect
OpenFileMappingW
CreateFileMappingW
UnmapViewOfFile

api-ms-win-core-commandlinetoargv-l1-1-0

CommandLineToArgvW

api-ms-win-shcore-scaling-l1-1-1

GetDpiForMonitor
ord244

api-ms-win-core-largeinteger-l1-1-0

MulDiv

api-ms-win-shcore-stream-l1-1-0

SHOpenRegStream2W
SHCreateMemStream
SHCreateStreamOnFileW
SHCreateStreamOnFileEx
IStream_Read
IStream_Write
IStream_Reset

api-ms-win-core-file-l1-2-0

GetTempPathW

api-ms-win-shcore-path-l1-1-0

ord170

api-ms-win-core-threadpool-legacy-l1-1-0

UnregisterWaitEx
CreateTimerQueueTimer
DeleteTimerQueueTimer
ChangeTimerQueueTimer

api-ms-win-core-sysinfo-l1-2-0

GetProductInfo
GetNativeSystemInfo

api-ms-win-core-localization-l1-2-3

GetUserDefaultGeoName

userenv

GetProfileType
DeriveAppContainerSidFromAppContainerName

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime
SystemTimeToFileTime
GetDynamicTimeZoneInformation
GetTimeZoneInformation
SystemTimeToTzSpecificLocalTime

api-ms-win-core-io-l1-1-0

GetQueuedCompletionStatus
CreateIoCompletionPort
DeviceIoControl
CancelIoEx

api-ms-win-core-file-l2-1-0

GetFileInformationByHandleEx
ReadDirectoryChangesW

api-ms-win-core-kernel32-legacy-l1-1-0

RegisterWaitForSingleObject
GetSystemPowerStatus
GetComputerNameW

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead
InterlockedPushEntrySList

api-ms-win-stateseparation-helpers-l1-1-0

GetPersistedRegistryLocationW

api-ms-win-security-lsalookup-l2-1-0

LookupAccountNameW

api-ms-win-core-string-l2-1-0

CharNextW
CharLowerBuffW

api-ms-win-service-management-l2-1-0

QueryServiceConfigW
NotifyServiceStatusChangeW

api-ms-win-shcore-registry-l1-1-1

SHRegGetValueFromHKCUHKLM

api-ms-win-core-errorhandling-l1-1-2

RaiseFailFastException

api-ms-win-core-stringansi-l1-1-0

CharNextA

api-ms-win-power-base-l1-1-0

GetPwrCapabilities
CallNtPowerInformation

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-shlwapi-winrt-storage-l1-1-1

ord509
ord635
ord544
AssocQueryStringW
SHCreateWorkerWindowW
ord197
SHIsChildOrSelf
SHPinDllOfCLSID
ord165
ord279
ShellMessageBoxW
StrRetToBufW
ord292
IUnknown_GetWindow
StrRetToStrW
ord478
ord479
ord481
PathRemoveArgsW

api-ms-win-ntuser-sysparams-l1-1-0

EnumDisplayDevicesW
EnumDisplayMonitors
GetMonitorInfoW
QueryDisplayConfig
SystemParametersInfoW
GetDisplayConfigBufferSizes
GetSystemMetrics

api-ms-win-ntuser-rectangle-l1-1-0

IsRectEmpty
InflateRect
CopyRect
SubtractRect
SetRect
OffsetRect
IntersectRect
EqualRect
PtInRect
SetRectEmpty
UnionRect

api-ms-win-rtcore-ntuser-winevent-l1-1-0

NotifyWinEvent
SetWinEventHook
UnhookWinEvent

api-ms-win-shell-namespace-l1-1-0

ILRemoveLastID
ILClone
SHParseDisplayName
SHBindToFolderIDListParent
ILGetSize
ILCloneFirst
ILCombine
SHCreateItemFromIDList
SHGetNameFromIDList
SHCreateItemFromParsingName
SHGetIDListFromObject
ILFree
ILIsParent
ILFindLastID
SHBindToParent
SHBindToObject
ILIsEqual

dxgi

DXGIDeclareAdapterRemovalSupport

api-ms-win-rtcore-ntuser-wmpointer-l1-1-0

GetPointerInfo
GetCurrentInputMessageSource
EnableMouseInPointer
GetPointerType
GetPointerDevices

api-ms-win-storage-exports-internal-l1-1-0

SHGetKnownFolderIDList
SetThreadFlags
GetThreadFlags
SHGetFolderPathEx

api-ms-win-rtcore-ntuser-synch-l1-1-0

MsgWaitForMultipleObjectsEx
MsgWaitForMultipleObjects

api-ms-win-appmodel-runtime-l1-1-0

GetPackagesByPackageFamily
GetPackageFullName

api-ms-win-rtcore-ntuser-wmpointer-l1-1-2

SetWindowFeedbackSetting

api-ms-win-rtcore-ntuser-clipboard-l1-1-0

RegisterClipboardFormatW

api-ms-win-shell-dataobject-l1-1-1

DragQueryFileW

api-ms-win-rtcore-ntuser-private-l1-1-0

GetWindowBand
CreateWindowInBand

api-ms-win-rtcore-ntuser-powermanagement-l1-1-0

UnregisterPowerSettingNotification
RegisterPowerSettingNotification

api-ms-win-shell-changenotify-l1-1-1

SHChangeNotification_Unlock
SHChangeNotifyRegister
SHHandleUpdateImage
SHChangeNotification_Lock
SHChangeNotifyRegisterThread
SHChangeNotifyDeregister

propsys

InitVariantFromGUIDAsString
InitVariantFromResource
PSCreateMemoryPropertyStore
PropVariantToBoolean
PSPropertyBag_WriteStr
PropVariantToUInt32
PSPropertyBag_WriteDWORD
PropVariantToStringAlloc
PSGetPropertyFromPropertyStorage

api-ms-win-shell-changenotify-l1-1-0

SHChangeNotify

api-ms-win-shell-dataobject-l1-1-0

SHCreateDataObject

api-ms-win-appmodel-runtime-l1-1-1

ParseApplicationUserModelId
FindPackagesByPackageFamily

wtsapi32

WTSUnRegisterSessionNotification
WTSRegisterSessionNotification

gdi32

StretchBlt
ExcludeClipRect
SetStretchBltMode
Rectangle
GetCurrentObject
GetDeviceCaps
GetStockObject
SetRectRgn
OffsetRgn
CombineRgn
SelectClipRgn
DeleteObject
GetObjectW
DeleteDC
CreateCompatibleDC
SelectObject
GetClipBox
CreateFontIndirectW
CreateRectRgn
GetClipRgn
SetTextColor
SetTextAlign
GetTextMetricsW
ExtTextOutW
GetTextExtentPoint32W
CreateRectRgnIndirect
GetGlyphOutlineW
GetOutlineTextMetricsW

kernel32

GetModuleHandleExA
IsBadWritePtr
RtlCompareMemory
HeapDestroy
HeapReAlloc
HeapSize

wininet

InternetCrackUrlW

shcore

ord121
ord174
ord109
ord191
ord126
ord213
ord183
ord210
ord141
ord192
ord1
SHUnicodeToAnsi
ord187
ord123
ord190
ord162
ord142
ord200
ord184
ord186

shell32

ord172
ord743
ord907
ord43
ord680
Shell_GetCachedImageIndexW
ord790
ord792
ord727
ord162
SHAppBarMessage
ord894
ord906
ord181
ord895
SHGetLocalizedName
SHGetPropertyStoreForWindow
ord764
ord866
SHEvaluateSystemCommandTemplate
ord244
ExtractIconExW
ord132
ord137
Shell_NotifyIconW
Shell_NotifyIconGetRect
ord6
SHGetStockIconInfo
DuplicateIcon
ShellExecuteW
ord91
ord254
ord54
SHEnableServiceObject
ord61
ord896
SHAddToRecentDocs
ord60
SHUpdateRecycleBinIcon
ord711
SHFileOperationW
SHGetPathFromIDListW
ord753
ord885
ord67
SHCreateItemInKnownFolder
ord206
ord201
ord188
ord899
ShellExecuteExW
ord245
ord200
ord89
ord190
ord85
ord100
ord733
ord95
ord850
ord22
ord134
ord723

shlwapi

ord467
ord164
PathIsDirectoryW
ord413
ord548
ord163
AssocQueryKeyW
ChrCmpIW
PathIsRelativeW
AssocCreate

uxtheme

CloseThemeData
IsThemePartDefined
GetThemeBackgroundExtent
GetThemeBool
OpenThemeData
OpenThemeDataForDpi
GetThemeMargins
ord138
BufferedPaintSetAlpha
ord126
GetThemePartSize
IsThemeActive
GetBufferedPaintBits
GetThemeInt
GetThemeColor
GetThemeMetric
SetWindowTheme
GetWindowTheme
BufferedPaintUnInit
EndBufferedPaint
BeginBufferedPaint
BufferedPaintInit
DrawThemeParentBackground
DrawThemeBackground
ord86
GetThemeFont
DrawThemeTextEx
IsCompositionActive
IsAppThemed

dwmapi

ord113
ord140
DwmEnableBlurBehindWindow
DwmGetWindowAttribute
ord141
ord159
DwmRegisterThumbnail
ord138
ord139
DwmQueryThumbnailSourceSize
ord124
DwmIsCompositionEnabled
DwmUpdateThumbnailProperties
DwmUnregisterThumbnail
ord114
DwmSetWindowAttribute

user32

CalculatePopupWindowPosition
CopyIcon
GetLastInputInfo
GetCursorFrameInfo
AdjustWindowRect
GetDpiForWindow
SetWindowCompositionAttribute
SetGestureConfig
LoadImageW
CheckMenuItem
EnableMenuItem
GetDoubleClickTime
SetMenuDefaultItem
TrackPopupMenuEx
DeleteMenu
FillRect
DrawTextW
IsWindowUnicode
LoadAcceleratorsW
ChangeWindowMessageFilterEx
TranslateAcceleratorW
MonitorFromWindow
SetMenuItemInfoW
SetCursor
RemoveMenu
ReleaseCapture
LoadCursorW
ord2005
GetSystemMetricsForDpi
DrawIconEx
DestroyIcon
CopyImage
GetSysColor
GetCaretBlinkTime
InjectKeyboardInput
MapVirtualKeyExW
InjectMouseInput
LockWorkStation
TileWindows
GetCapture
SendInput
SetDesktopColorTransform
UnregisterClassA
ord2611
MonitorFromRect
GetGuiResources
IsHungAppWindow
ord2574
CascadeWindows
HungWindowFromGhostWindow
LoadIconW
IsIconic
DestroyMenu
LoadMenuW
GetSubMenu
CreateIconIndirect
SetCapture
GetMenuDefaultItem
CreatePopupMenu
GetMenuItemInfoW
MonitorFromPoint
ReplyMessage
GetAsyncKeyState
ModifyMenuW
GetSystemMenu
GetSysColorBrush
SetLayeredWindowAttributes
GetIconInfoExW
GetIconInfo
GetClassWord
GetClassLongW
GetPhysicalCursorPos
GetCursorInfo
ShowWindowAsync
SwitchToThisWindow
ReleaseDC
InsertMenuW
BringWindowToTop
ord2573
GhostWindowFromHungWindow
EndTask
IsTopLevelWindow
GetMenuState
SetScrollInfo
GetScrollInfo
SetScrollPos
GetMenuStringW
InternalGetWindowText
GetLayeredWindowAttributes
DrawTextExW
IsProcessDPIAware
SetThreadDpiAwarenessContext
GetLastActivePopup
GetWindowCompositionAttribute
GetWindowProcessHandle
GetClassLongPtrW
UpdateLayeredWindow
ord2521
UnregisterHotKey
GetDC
UnregisterClassW
ord2522
WindowFromDC
GetMenuInfo
SetMenuInfo
GetDpiForSystem
GetWindowDpiAwarenessContext
AreDpiAwarenessContextsEqual
CharLowerW
IsCharAlphaNumericW
RegisterHotKey
GetMenuItemCount
DefWindowProcA
SendDlgItemMessageW
EndDialog
ExitWindowsEx
TrackMouseEvent
AdjustWindowRectEx
GetKeyState

sspicli

GetUserNameExW

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-localization-l1-2-2

LCIDToLocaleName

api-ms-win-core-kernel32-legacy-l1-1-1

VerifyVersionInfoW
PowerSetRequest
PowerCreateRequest

api-ms-win-oobe-notification-l1-1-0

OOBEComplete

api-ms-win-core-file-l2-1-2

CopyFileW

api-ms-win-core-kernel32-legacy-l1-1-2

SetTermsrvAppInstallMode

api-ms-win-shell-shdirectory-l1-1-0

ord292

api-ms-win-eventing-controller-l1-1-0

StopTraceW
StartTraceW
EnableTraceEx2

api-ms-win-core-job-l1-1-0

IsProcessInJob

rpcrt4

RpcStringBindingComposeW
RpcBindingFromStringBindingW
I_RpcExceptionFilter
RpcBindingSetAuthInfoExW
RpcStringFreeW
RpcBindingFree
NdrClientCall3

api-ms-win-appmodel-runtime-l1-1-3

GetStagedPackagePathByFullName2

api-ms-win-core-biptcltapi-l1-1-7

BiPtEnumerateWorkItemsForPackageName
BiPtFreeMemory
BiPtAssociateApplicationEntryPoint
BiPtQueryWorkItem

api-ms-win-appmodel-unlock-l1-1-0

IsDeveloperModeEnabled

api-ms-win-rtcore-ntuser-shell-l1-1-0

GetShellWindow

api-ms-win-ro-typeresolution-l1-1-1

RoCreatePropertySetSerializer

combase

GetErrorInfo
SetErrorInfo

Exports

Exports

g_trayTriageBlock

Sections

.text
Size: 3.2MB - Virtual size: 3.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.imrsiv
Size: - Virtual size: 4B

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 696KB - Virtual size: 694KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 136KB - Virtual size: 132KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 24KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
hh.exe
.exe windows:10 windows x64 arch:x64

d3d9c3e81a404e7f5c5302429636f04c

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

hh.pdb

Imports

advapi32

RegOpenKeyExW
RegOpenKeyExA
RegQueryValueExA
RegCloseKey
RegQueryValueExW

kernel32

ExpandEnvironmentStringsA
LoadLibraryA
HeapSetInformation
SetProcessDEPPolicy
GetProcAddress
FreeLibrary
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
GetModuleHandleW
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetStartupInfoW
GetSystemTimeAsFileTime
Sleep
GetTickCount

msvcrt

?terminate@@YAXXZ
_fmode
_acmdln
_initterm
__setusermatherr
_ismbblead
_cexit
_exit
exit
__set_app_type
__getmainargs
_amsg_exit
_XcptFilter
_vsnprintf
_commode
__C_specific_handler
memset

Sections

.text
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 276B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 48B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
lsasetup.log
mds.lkeys
mib.bin
notepad.exe
.exe windows:10 windows x64 arch:x64

0e6bccf88f4251909d1746dba78cba57

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

notepad.pdb

Imports

gdi32

SetMapMode
SetViewportExtEx
SetWindowExtEx
LPtoDP
SetBkMode
GetTextMetricsW
TextOutW
AbortDoc
EndDoc
SetAbortProc
StartDocW
StartPage
CreateDCW
EnumFontsW
GetTextFaceW
GetDeviceCaps
DeleteDC
DeleteObject
SetBkColor
CreateSolidBrush
GetTextExtentPoint32W
SelectObject
CreateCompatibleDC
EndPage
CreateFontIndirectW

user32

PostQuitMessage
BeginPaint
EndPaint
FillRect
DrawTextW
DrawFocusRect
DefWindowProcW
TrackMouseEvent
InvalidateRect
DestroyIcon
SetThreadDpiAwarenessContext
DialogBoxParamW
LoadIconW
GetFocus
MessageBoxW
ShowWindow
SetCursor
SetActiveWindow
EnableMenuItem
IsIconic
SetFocus
MessageBeep
GetForegroundWindow
GetDlgCtrlID
SetWindowPos
RedrawWindow
GetKeyboardLayout
CharNextW
SetWinEventHook
GetMessageW
TranslateAcceleratorW
IsDialogMessageW
TranslateMessage
DispatchMessageW
UnhookWinEvent
SetWindowTextW
GetMenu
GetSubMenu
OpenClipboard
IsClipboardFormatAvailable
CloseClipboard
CheckMenuItem
SetDlgItemTextW
GetDlgItemTextW
EndDialog
SendDlgItemMessageW
SetScrollPos
UpdateWindow
GetWindowPlacement
SetWindowPlacement
CharUpperW
GetSystemMenu
LoadAcceleratorsW
SetWindowLongW
MonitorFromWindow
RegisterWindowMessageW
LoadCursorW
LoadImageW
RegisterClassExW
GetWindowLongW
PeekMessageW
GetWindowTextW
EnableWindow
CreateDialogParamW
DrawTextExW
IsWindow
CreateDialogIndirectParamW
GetPropW
SetPropW
GetDlgItem
RemovePropW
CheckDlgButton
CheckRadioButton
IsDlgButtonChecked
NotifyWinEvent
CreateWindowExW
GetWindowTextLengthW
GetClientRect
DestroyWindow
GetDpiForWindow
SystemParametersInfoForDpi
SendMessageW
MoveWindow
GetDC
LoadStringW
PostMessageW
ReleaseDC

api-ms-win-crt-string-l1-1-0

wcscmp
wcsnlen
memset

api-ms-win-crt-runtime-l1-1-0

_c_exit
_initterm_e
_initterm
_register_thread_local_exe_atexit_callback

api-ms-win-crt-private-l1-1-0

_o__get_wide_winmain_command_line
_o__initialize_onexit_table
_o__initialize_wide_environment
_o__invalid_parameter_noinfo
_o__purecall
_o__register_onexit_function
_o__seh_filter_exe
_o__set_app_type
_o__set_fmode
_o__set_new_mode
_o__wcsicmp
_o__wtol
_o_exit
_o_free
_o_iswdigit
_o_malloc
_o_terminate
__CxxFrameHandler3
__current_exception
__current_exception_context
_CxxThrowException
_o__crt_atexit
_o___stdio_common_vswprintf
_o__configure_wide_argv
_o___std_exception_destroy
_o___std_exception_copy
_o__configthreadlocale
_o___p__commode
_o__exit
_o__cexit
_o__callnewh
_o__beginthreadex
_o__errno
wcsrchr
wcschr
__C_specific_handler
memcmp
memcpy
memmove

api-ms-win-core-libraryloader-l1-2-0

LockResource
GetModuleHandleExW
FindResourceExW
LoadResource
GetModuleHandleA
GetModuleFileNameA
FreeLibrary
GetProcAddress
GetModuleHandleW
GetModuleFileNameW

api-ms-win-core-synch-l1-1-0

LeaveCriticalSection
InitializeCriticalSectionEx
WaitForSingleObject
ReleaseSemaphore
ReleaseSRWLockExclusive
EnterCriticalSection
SetEvent
CreateEventExW
AcquireSRWLockExclusive
ReleaseMutex
WaitForSingleObjectEx
DeleteCriticalSection
AcquireSRWLockShared
CreateMutexExW
OpenSemaphoreW
ReleaseSRWLockShared
CreateSemaphoreExW

api-ms-win-core-heap-l1-1-0

GetProcessHeap
HeapAlloc
HeapSetInformation
HeapFree

api-ms-win-core-errorhandling-l1-1-0

UnhandledExceptionFilter
SetUnhandledExceptionFilter
RaiseException
GetLastError
SetLastError

api-ms-win-core-threadpool-l1-2-0

CloseThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CreateThreadpoolTimer
SetThreadpoolTimer

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcess
OpenProcessToken
CreateProcessW
TerminateProcess
GetCurrentThreadId
GetStartupInfoW
GetCurrentProcessId

api-ms-win-core-localization-l1-2-0

FormatMessageW
FindNLSString
GetLocaleInfoW
GetACP

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
OutputDebugStringW
DebugBreak

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-com-l1-1-0

CoTaskMemFree
CoCreateInstance
CoInitializeEx
PropVariantClear
CoUninitialize
CoWaitForMultipleHandles
CoCreateGuid
CoTaskMemAlloc
CoCreateFreeThreadedMarshaler

api-ms-win-core-registry-l1-1-1

RegSetKeyValueW

api-ms-win-core-largeinteger-l1-1-0

MulDiv

api-ms-win-core-shlwapi-legacy-l1-1-0

PathFindExtensionW
PathIsFileSpecW
PathFileExistsW

api-ms-win-core-winrt-string-l1-1-0

WindowsDeleteString
WindowsCreateString
WindowsCreateStringReference
WindowsGetStringRawBuffer

api-ms-win-core-registry-l1-1-0

RegQueryValueExW
RegGetValueW
RegSetValueExW
RegEnumValueW
RegQueryInfoKeyW
RegCreateKeyExW
RegCloseKey
RegOpenKeyExW
RegDeleteKeyExW

api-ms-win-core-winrt-l1-1-0

RoGetActivationFactory

api-ms-win-core-heap-l2-1-0

LocalUnlock
LocalFree
LocalLock
GlobalAlloc
GlobalFree
LocalAlloc
LocalReAlloc

api-ms-win-core-file-l1-1-0

DeleteFileW
GetFileAttributesW
SetEndOfFile
GetFileAttributesExW
GetFileInformationByHandle
FindClose
FindFirstFileW
CreateFileW
ReadFile
GetDiskFreeSpaceExW
GetFullPathNameW
CreateDirectoryW
WriteFile

api-ms-win-shcore-obsolete-l1-1-0

SHStrDupW

api-ms-win-security-base-l1-1-0

GetTokenInformation

api-ms-win-core-processenvironment-l1-1-0

GetCurrentDirectoryW
GetCommandLineW
SetCurrentDirectoryW

api-ms-win-core-string-l1-1-0

FoldStringW
WideCharToMultiByte
CompareStringOrdinal
MultiByteToWideChar

api-ms-win-core-psapi-l1-1-0

K32GetModuleFileNameExW

api-ms-win-core-localization-obsolete-l1-2-0

GetUserDefaultUILanguage

api-ms-win-core-sysinfo-l1-1-0

GetLocalTime
GetSystemTimeAsFileTime

api-ms-win-core-datetime-l1-1-0

GetDateFormatW
GetTimeFormatW

api-ms-win-shcore-path-l1-1-0

ord170

api-ms-win-core-memory-l1-1-0

MapViewOfFile
CreateFileMappingW
UnmapViewOfFile

api-ms-win-core-registry-l2-1-0

RegCreateKeyW

api-ms-win-core-heap-obsolete-l1-1-0

LocalSize
GlobalLock
GlobalUnlock

api-ms-win-shcore-scaling-l1-1-1

GetDpiForMonitor

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpiW

api-ms-win-core-windowserrorreporting-l1-1-3

RegisterApplicationRestart

api-ms-win-eventing-provider-l1-1-0

EventRegister
EventUnregister
EventWriteTransfer
EventSetInformation

api-ms-win-base-util-l1-1-0

IsTextUnicode

api-ms-win-core-libraryloader-l1-2-1

FindResourceW

api-ms-win-core-rtlsupport-l1-1-0

RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent
GetProcessMitigationPolicy

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead

api-ms-win-core-winrt-error-l1-1-0

SetRestrictedErrorInfo

api-ms-win-core-winrt-error-l1-1-1

RoGetMatchingRestrictedErrorInfo

comctl32

ImageList_Create
ImageList_SetBkColor
ord381
ImageList_ReplaceIcon
ord410
ImageList_Draw
ImageList_GetIconSize
ord413
ImageList_Destroy
ord345
CreateStatusWindowW

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Sections

.text
Size: 160KB - Virtual size: 159KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 44KB - Virtual size: 41KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 248B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 124KB - Virtual size: 120KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 760B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
regedit.exe
.exe windows:10 windows x64 arch:x64

29c325da8faadf165e12486bd336238f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

regedit.pdb

Imports

gdi32

SetTextAlign
SetROP2
GetTextExtentPoint32W
Polyline
GetStockObject
StartPage
AbortDoc
EndDoc
DeleteDC
SetViewportOrgEx
SetAbortProc
StartDocW
EndPage
CreatePatternBrush
CreateBitmap
PatBlt
SelectClipRgn
GetObjectW
ExcludeClipRect
SelectObject
GetDeviceCaps
TranslateCharsetInfo
GetTextMetricsW
SetTextColor
SetBkColor
DeleteObject
CreateFontIndirectW
CreatePen
ExtTextOutW

user32

CreateCaret
EmptyClipboard
CloseClipboard
SetTimer
OpenClipboard
GetSubMenu
SetCaretPos
GetWindowLongPtrW
MessageBeep
GetSystemMetrics
EndDialog
HideCaret
SetWindowLongPtrW
SetWindowPos
GetDC
GetWindowRect
LoadMenuW
CharLowerW
GetKeyState
DefWindowProcW
RegisterClipboardFormatW
SetScrollInfo
GetWindowTextW
GetParent
IsDlgButtonChecked
GetDlgItemTextW
SendMessageW
CheckRadioButton
GetDlgItemInt
CallWindowProcW
GetWindowTextLengthW
EnableWindow
SetCursorPos
IsIconic
GetDpiForSystem
ShowCursor
RegisterClassW
UpdateWindow
DialogBoxParamW
PostQuitMessage
CheckMenuItem
GetSystemMetricsForDpi
SetWindowLongW
SetCursor
InsertMenuW
EndDeferWindowPos
DrawMenuBar
GetProcessDefaultLayout
LoadIconW
TranslateMessage
TranslateAcceleratorW
GetSysColor
SetThreadDpiAwarenessContext
SetMenuDefaultItem
SetWindowPlacement
SetMenuItemInfoW
ClientToScreen
DestroyIcon
DispatchMessageW
BeginDeferWindowPos
ShowWindow
LoadStringW
LoadAcceleratorsW
GetWindowPlacement
RegisterClassExW
SetWindowTextW
ScreenToClient
DeleteMenu
CreateWindowExW
GetDpiForWindow
InsertMenuItemW
GetMenu
GetMenuItemID
PostMessageW
GetMenuItemInfoW
DeferWindowPos
GetMessageW
GetWindowLongW
GetClientRect
CharNextW
DestroyWindow
CreateDialogParamW
CheckDlgButton
IntersectRect
GetMessagePos
ModifyMenuW
DrawAnimatedRects
SetForegroundWindow
FindWindowW
BringWindowToTop
GetLastActivePopup
PeekMessageW
IsDialogMessageW
MessageBoxW
GetWindow
CharUpperBuffW
IsCharAlphaNumericW
CharUpperW
SetRect
DrawFocusRect
GetDlgCtrlID
RedrawWindow
MapWindowPoints
SendDlgItemMessageW
MoveWindow
DestroyMenu
SetFocus
GetClipboardData
ScrollWindowEx
LoadCursorW
DestroyCaret
SetCapture
SetClipboardData
TrackPopupMenuEx
GetDlgItem
IsClipboardFormatAvailable
ShowCaret
KillTimer
EnableMenuItem
ReleaseCapture
InvalidateRect
ReleaseDC
BeginPaint
EndPaint
SetDlgItemTextW
LoadImageW

msvcrt

__CxxFrameHandler3
memmove
_onexit
__dllonexit
wcstok
_vsnwprintf
_unlock
?terminate@@YAXXZ
_commode
memset
memcmp
_fmode
_acmdln
memcpy_s
_purecall
atoi
memmove_s
_initterm
_lock
__setusermatherr
memcpy
_ismbblead
_cexit
_exit
exit
__set_app_type
__getmainargs
_amsg_exit
_XcptFilter
free
_wcsdup
iswprint
_resetstkoflw
__C_specific_handler
wcsncmp
wcsrchr
_wcsnicmp
isspace
wcschr

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleW
FreeLibrary
GetModuleFileNameA
GetProcAddress
GetModuleHandleExW

api-ms-win-core-localization-l1-2-0

FormatMessageW
GetACP

api-ms-win-core-heap-l2-1-0

GlobalAlloc
LocalAlloc
LocalReAlloc
LocalFree

api-ms-win-core-heap-obsolete-l1-1-0

GlobalUnlock
GlobalLock

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
IsDebuggerPresent
DebugBreak

api-ms-win-core-registry-l1-1-0

RegEnumValueW
RegOpenKeyExW
RegLoadKeyW
RegUnLoadKeyW
RegDeleteValueW
RegSetValueExA
RegSetValueExW
RegSetKeySecurity
RegQueryInfoKeyW
RegRestoreKeyW
RegEnumKeyExW
RegCloseKey
RegGetValueW
RegCreateKeyExW
RegQueryValueExW
RegFlushKey

api-ms-win-core-synch-l1-2-0

InitOnceComplete
InitOnceBeginInitialize
Sleep

api-ms-win-core-synch-l1-1-0

InitializeCriticalSectionEx
ReleaseMutex
WaitForSingleObject
ReleaseSRWLockExclusive
LeaveCriticalSection
AcquireSRWLockExclusive
ReleaseSemaphore
WaitForSingleObjectEx
EnterCriticalSection
OpenSemaphoreW
CreateMutexExW
CreateSemaphoreExW
AcquireSRWLockShared
DeleteCriticalSection
ReleaseSRWLockShared

api-ms-win-core-heap-l1-1-0

HeapFree
HeapSetInformation
GetProcessHeap
HeapAlloc

api-ms-win-core-errorhandling-l1-1-0

SetUnhandledExceptionFilter
SetLastError
UnhandledExceptionFilter
GetLastError

api-ms-win-eventing-provider-l1-1-0

EventUnregister
EventWriteTransfer
EventSetInformation
EventRegister

api-ms-win-core-threadpool-l1-2-0

CloseThreadpoolTimer
CreateThreadpoolTimer
WaitForThreadpoolTimerCallbacks
SetThreadpoolTimer

api-ms-win-core-processthreads-l1-1-0

TerminateProcess
OpenProcessToken
GetCurrentThreadId
ExitProcess
GetCurrentProcess
GetStartupInfoW
GetCurrentProcessId

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-registry-l2-1-0

RegOpenKeyW
RegCreateKeyW
RegSaveKeyW
RegConnectRegistryW
RegEnumKeyW
RegSetValueW
RegDeleteKeyW

api-ms-win-core-com-l1-1-0

CoCreateInstance
CoInitializeEx
CoTaskMemAlloc
CoTaskMemFree
CoUninitialize

api-ms-win-core-string-l1-1-0

MultiByteToWideChar
WideCharToMultiByte
CompareStringOrdinal

api-ms-win-core-path-l1-1-0

PathCchCombine
PathCchAddBackslash

api-ms-win-core-kernel32-legacy-l1-1-0

GetComputerNameW

api-ms-win-core-largeinteger-l1-1-0

MulDiv

api-ms-win-core-windowserrorreporting-l1-1-3

RegisterApplicationRestart

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpiW
lstrcmpW

ntdll

RtlInitUnicodeString
RtlAllocateHeap
RtlFreeHeap
RtlCmDecodeMemIoResource
RtlIoDecodeMemIoResource
RtlFreeUnicodeString
RtlCreateUnicodeString

api-ms-win-core-processenvironment-l1-1-0

GetCommandLineW
SearchPathW

api-ms-win-core-file-l1-1-0

DeleteFileW
ReadFile
GetFileSize
GetLongPathNameW
CreateFileW
SetFilePointer
WriteFile
FileTimeToLocalFileTime

api-ms-win-security-provider-l1-1-0

SetSecurityInfo
GetNamedSecurityInfoW
GetSecurityInfo
SetNamedSecurityInfoW

api-ms-win-security-base-l1-1-0

MapGenericMask
GetSecurityDescriptorOwner
SetSecurityDescriptorSacl
GetSecurityDescriptorControl
IsValidSecurityDescriptor
GetSecurityDescriptorDacl
SetSecurityDescriptorGroup
SetSecurityDescriptorOwner
GetSecurityDescriptorSacl
InitializeAcl
AdjustTokenPrivileges
InitializeSecurityDescriptor
GetSidSubAuthority
GetSecurityDescriptorGroup
GetSidSubAuthorityCount
SetSecurityDescriptorDacl

api-ms-win-security-lsalookup-l2-1-0

LookupPrivilegeValueW
LookupAccountSidW

authz

AuthzAccessCheck
AuthzFreeResourceManager
AuthzFreeContext
AuthzInitializeContextFromSid
AuthzInitializeResourceManager

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW

api-ms-win-core-datetime-l1-1-0

GetTimeFormatW
GetDateFormatW

api-ms-win-core-rtlsupport-l1-1-0

RtlVirtualUnwind
RtlCaptureContext
RtlLookupFunctionEntry

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime

api-ms-win-core-shlwapi-obsolete-l1-1-0

QISearch
StrChrW
StrStrIW
StrToIntW
StrRChrW
StrChrIW

api-ms-win-shell-dataobject-l1-1-1

DragQueryFileW

api-ms-win-core-registry-private-l1-1-0

RegRenameKey

api-ms-win-shlwapi-winrt-storage-l1-1-1

ShellMessageBoxW

comctl32

ord17
InitCommonControlsEx
ord236
ord337
ord329
ord338
ord334
ord340
ord2
ImageList_Destroy
ord4
ImageList_Create
ord384
ImageList_SetBkColor
ImageList_ReplaceIcon
ord410
ord413

ulib

??1OBJECT@@UEAA@XZ
?QueryChCount@WSTRING@@QEBAKXZ
?SetClassDescriptor@OBJECT@@IEAAXPEBVCLASS_DESCRIPTOR@@@Z
?Compare@OBJECT@@UEBAJPEBV1@@Z
?SPrintf@DSTRING@@UEAAEPEBGZZ
?NewBuf@DSTRING@@UEAAEK@Z
?Resize@DSTRING@@UEAAEK@Z
?Initialize@ARRAY@@QEAAEKK@Z
??0ARRAY@@QEAA@XZ
?DebugDump@OBJECT@@UEBAXE@Z
??0OBJECT@@IEAA@XZ
?GetWSTR@WSTRING@@QEBAPEBGXZ
?Initialize@WSTRING@@QEAAEPEBGK@Z
?Initialize@WSTRING@@QEAAEPEBV1@KK@Z
?Strcat@WSTRING@@QEAAEPEBV1@@Z
??0DSTRING@@QEAA@XZ
?SPrintfAppend@DSTRING@@UEAAEPEBGZZ
??1DSTRING@@UEAA@XZ

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

Sections

.text
Size: 192KB - Virtual size: 190KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 36KB - Virtual size: 34KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 267KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 160B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 332KB - Virtual size: 329KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 472B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
setupact.log
splwow64.exe
.exe windows:10 windows x64 arch:x64

667fd80c4ea4fc599f77be2902ac98d1

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

splwow64.pdb

Imports

advapi32

TraceMessage
RegOpenKeyW
RegQueryValueExW
RegCloseKey
GetTraceLoggerHandle
GetTraceEnableLevel
GetTraceEnableFlags
RegisterTraceGuidsW
UnregisterTraceGuids
ConvertStringSecurityDescriptorToSecurityDescriptorW
RevertToSelf
GetSidSubAuthority
GetSidSubAuthorityCount
OpenThreadToken
OpenProcessToken
ConvertSidToStringSidW
GetTokenInformation

kernel32

SystemTimeToFileTime
Sleep
GetProcAddress
SetLastError
FreeLibrary
LoadLibraryExW
CreateActCtxW
ActivateActCtx
GetFullPathNameW
GetSystemDirectoryW
GetFileAttributesW
DeactivateActCtx
ReleaseActCtx
LoadLibraryW
TlsAlloc
TlsFree
GetModuleHandleW
HeapSetInformation
SetErrorMode
GetErrorMode
TlsSetValue
HeapFree
GetProcessHeap
HeapAlloc
FormatMessageW
GetCurrentThreadId
GetModuleHandleExW
GetModuleFileNameA
DebugBreak
IsDebuggerPresent
OutputDebugStringW
EnterCriticalSection
ReleaseSRWLockExclusive
AcquireSRWLockShared
ReleaseSRWLockShared
ReleaseSemaphore
ReleaseMutex
SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
WaitForSingleObjectEx
InitializeCriticalSectionEx
OpenSemaphoreW
CreateThreadpoolTimer
CreateFileW
OpenProcess
DuplicateHandle
GetCurrentProcess
CreateMutexExW
CreateSemaphoreExW
SetEvent
InitializeCriticalSectionAndSpinCount
CreateEventW
SetThreadPreferredUILanguages
LocalFree
VirtualQuery
GetSystemInfo
LoadLibraryExA
VirtualProtect
GetCurrentThread
GetTickCount
GetSystemTimeAsFileTime
QueryPerformanceCounter
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
WaitForSingleObject
CreateThread
ProcessIdToSessionId
GetSystemTime
GetCurrentProcessId
RaiseException
GetLastError
CloseHandle
DeleteCriticalSection
InitializeCriticalSection
LeaveCriticalSection
AcquireSRWLockExclusive

user32

AttachThreadInput
EnumWindows
GetWindowThreadProcessId
IsWindow
GetGUIThreadInfo
EnumChildWindows

msvcrt

memcmp
?terminate@@YAXXZ
memcpy
memset
__CxxFrameHandler3
_onexit
__dllonexit
_unlock
_lock
_commode
_fmode
_initterm
__setusermatherr
_cexit
_exit
exit
__set_app_type
__wgetmainargs
_amsg_exit
_XcptFilter
_callnewh
malloc
free
memmove_s
memcpy_s
_wtol
_wcsicmp
_vsnwprintf
_purecall
__C_specific_handler
sqrt

winspool.drv

ClosePrinter
GetPrinterDataW
GetPrintOutputInfo
GetPrinterDriverW
OpenPrinterW

rpcrt4

RpcRevertToSelf
RpcImpersonateClient
RpcAsyncCompleteCall
RpcMgmtStopServerListening
RpcServerListen
NdrAsyncServerCall
NdrServerCallAll
Ndr64AsyncServerCallAll
NdrServerCall2
RpcServerUseProtseqEpW
RpcServerRegisterIf3
RpcServerInqBindings
RpcBindingVectorFree
RpcServerRegisterAuthInfoW

api-ms-win-core-com-l1-1-0

CoCreateInstance
CoRegisterClassObject
CoUninitialize
CoInitializeEx
CoRevokeClassObject

ntdll

RtlLookupFunctionEntry
RtlCaptureContext
NtReplyPort
NtAlpcOpenSenderThread
NtClose
NtCompleteConnectPort
NtAcceptConnectPort
NtCreatePort
RtlInitUnicodeString
NtReplyWaitReceivePort
RtlDeriveCapabilitySidsFromName
RtlCheckTokenCapability
TpReleasePool
TpCallbackMayRunLong
TpSetWait
TpSimpleTryPost
TpAllocWork
TpPostWork
TpAllocWait
TpAllocTimer
TpSetTimer
TpAllocIoCompletion
TpStartAsyncIoOperation
TpAllocAlpcCompletion
TpWaitForWork
RtlVirtualUnwind
TpWaitForWait
TpReleaseWait
TpWaitForTimer
TpReleaseTimer
TpWaitForIoCompletion
TpReleaseIoCompletion
TpWaitForAlpcCompletion
TpReleaseAlpcCompletion
EtwTraceMessage
EtwEventEnabled
EtwEventWrite
RtlNtStatusToDosError
ZwQueryWnfStateData
TpReleaseWork

Sections

.text
Size: 80KB - Virtual size: 78KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 28KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 56B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 60KB - Virtual size: 57KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 856B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
system.ini
twain_32.dll
.dll windows:10 windows x86 arch:x86

ddb14e5fc95c0690491e1745b60b6efe

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

twain_32.pdb

Imports

msvcrt

_chdir
strcpy_s
_getcwd
_errno
_strcmpi
_chdrive
strcat_s
sprintf_s
strncpy_s
_snprintf_s
_purecall
_ltoa
atol
free
_strnicmp
_vsnwprintf
memcpy_s
remove
_read
_close
_write
_lseek
_sopen
_locking
_vsnprintf
strncmp
_XcptFilter
_amsg_exit
_initterm
_lock
malloc
_getdrive
_unlock
__dllonexit
_onexit
_except_handler4_common
memcpy
memset

kernel32

SetLastError
GetTickCount
GetSystemTimeAsFileTime
QueryPerformanceCounter
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
Sleep
GetTempPath2A
IsDebuggerPresent
DebugBreak
GetModuleHandleW
GetProcessHeap
GetCurrentProcessId
CreateMutexExW
HeapAlloc
PowerClearRequest
OpenSemaphoreW
WaitForSingleObjectEx
InitOnceComplete
OutputDebugStringW
FormatMessageW
ReleaseMutex
GetCurrentThreadId
WaitForSingleObject
GetModuleHandleExW
ReleaseSemaphore
HeapFree
CreateSemaphoreExW
InitOnceBeginInitialize
PowerSetRequest
GetModuleFileNameA
WriteProfileStringA
GetCurrentProcess
lstrcmpiA
MultiByteToWideChar
lstrlenA
GlobalSize
GetVersion
GetLastError
GlobalFlags
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
PowerCreateRequest
CloseHandle
FindFirstFileA
FindNextFileA
FindClose
GetFileAttributesA
GetSystemDirectoryA
LoadLibraryA
GetWindowsDirectoryA
GetProcAddress
FreeLibrary
GetProfileStringA
GlobalHandle
OpenFile

user32

RegisterWindowMessageA
LoadStringA
SendMessageA
FindWindowA
PeekMessageA
DdeCmpStringHandles
DdeConnect
DdeQueryConvInfo
DdeClientTransaction
DdeDisconnect
DdeGetData
DdeGetLastError
DdeCreateStringHandleA
DdeCreateDataHandle
DdeUninitialize
DdeInitializeA
DdeFreeStringHandle
DispatchMessageA
TranslateMessage
UnhookWindowsHook
CallNextHookEx
EndDialog
DialogBoxParamA
SetFocus
SendDlgItemMessageA
SetWindowsHookA
GetDlgItem
EnableWindow
PostMessageA
IsWindow
CharUpperA

apphelp

ApphelpCheckExe

api-ms-win-eventing-provider-l1-1-0

EventRegister
EventWriteTransfer
EventSetInformation
EventUnregister

Exports

Exports

AboutDlgProc
ChooseDlgProc
DSM_Entry
InfoHook
WGDlgProc

Sections

.text
Size: 57KB - Virtual size: 57KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
win.ini
winhlp32.exe
.exe windows:10 windows x86 arch:x86

0dfde2c713801a5c7e6dc0108384fb68

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

winhstb.pdb

Imports

advapi32

EventRegister
EventWriteTransfer
EventUnregister

kernel32

GetModuleHandleExW
RaiseException
HeapSetInformation
GetProcAddress
FreeLibrary
GetCurrentProcess
UnhandledExceptionFilter
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
GetModuleHandleW
SetUnhandledExceptionFilter
Sleep
TerminateProcess

msvcrt

__p__fmode
_controlfp
?terminate@@YAXXZ
free
_XcptFilter
__p__commode
_amsg_exit
__setusermatherr
_initterm
_cexit
_exit
exit
__set_app_type
__getmainargs
_except_handler4_common

ole32

CoInitialize
CoUninitialize
CoCreateInstance

oleaut32

SysFreeString
SysAllocString

Sections

.text
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 992B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 3KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 424B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
write.exe
.exe windows:10 windows x64 arch:x64

90a23f469ba0443719430cba4569b220

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

write.pdb

Imports

shell32

ShellExecuteW

kernel32

TerminateProcess
GetCurrentProcess
GetStartupInfoW
HeapSetInformation
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
GetModuleHandleW
Sleep

msvcrt

_commode
?terminate@@YAXXZ
_fmode
_wcmdln
__C_specific_handler
_initterm
__setusermatherr
_cexit
_exit
exit
__set_app_type
__wgetmainargs
_amsg_exit
_XcptFilter

Sections

.text
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 216B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 48B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

25bd8cfe71808f06ece80231211e68cb

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

advapi32

kernel32

gdi32

user32

msvcp_win

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-private-l1-1-0

comctl32

ole32

oleaut32

shell32

shlwapi

ntdll

api-ms-win-core-path-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-memory-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-interlocked-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-core-sysinfo-l1-2-0

api-ms-win-core-localization-l1-2-0

Sections

.text Size: 376KB - Virtual size: 375KB

.rdata Size: 120KB - Virtual size: 118KB

.data Size: 16KB - Virtual size: 19KB

.pdata Size: 16KB - Virtual size: 15KB

.didat Size: 4KB - Virtual size: 112B

.rsrc Size: 524KB - Virtual size: 523KB

.reloc Size: 4KB - Virtual size: 2KB

a039666f8d08dd16e0909469da998438

Code Sign

33:00:00:04:50:0d:a4:5d:0a:6c:7a:8a:57:00:00:00:00:04:50Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

c2:31:93:8b:d7:81:93:89:94:f6:f9:6c:eb:2a:74:5b:cc:2d:81:ea:d4:e3:00:c8:32:39:65:06:90:d7:04:94Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

tdh

userenv

version

netapi32

ws2_32

mpr

wtsapi32

ole32

kernel32

user32

gdi32

comdlg32

advapi32

oleaut32

crypt32

secur32

rpcrt4

Sections

.text Size: 2.0MB - Virtual size: 2.0MB

.rdata Size: 965KB - Virtual size: 964KB

.text
Size: 376KB - Virtual size: 375KB

.rdata
Size: 120KB - Virtual size: 118KB

.data
Size: 16KB - Virtual size: 19KB

.pdata
Size: 16KB - Virtual size: 15KB

.didat
Size: 4KB - Virtual size: 112B

.rsrc
Size: 524KB - Virtual size: 523KB

.reloc
Size: 4KB - Virtual size: 2KB

33:00:00:04:50:0d:a4:5d:0a:6c:7a:8a:57:00:00:00:00:04:50
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

c2:31:93:8b:d7:81:93:89:94:f6:f9:6c:eb:2a:74:5b:cc:2d:81:ea:d4:e3:00:c8:32:39:65:06:90:d7:04:94
Signer

.text
Size: 2.0MB - Virtual size: 2.0MB

.rdata
Size: 965KB - Virtual size: 964KB

.data
Size: 20KB - Virtual size: 38KB

.pdata
Size: 97KB - Virtual size: 96KB

_RDATA
Size: 512B - Virtual size: 348B

.rsrc
Size: 1.3MB - Virtual size: 1.3MB

.reloc
Size: 6KB - Virtual size: 6KB

33:00:00:01:0b:30:c4:c6:3e:69:b2:c4:89:00:00:00:00:01:0b
Certificate

61:0b:aa:c1:00:00:00:00:00:09
Certificate

0c:7c:71:b8:f8:97:85:d6:4e:a8:bd:13:75:a8:56:27:65:12:7f:47:fe:5a:5a:50:54:b5:7d:ec:ab:b6:2a:5c
Signer

.text
Size: 121KB - Virtual size: 121KB

.rdata
Size: 17KB - Virtual size: 16KB

.data
Size: 10KB - Virtual size: 13KB

.pdata
Size: 4KB - Virtual size: 3KB

INIT
Size: 6KB - Virtual size: 5KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 1KB - Virtual size: 1KB

.text
Size: 60KB - Virtual size: 56KB

.rdata
Size: 40KB - Virtual size: 36KB

.data
Size: 4KB - Virtual size: 2KB

.pdata
Size: 4KB - Virtual size: 1KB

.rsrc
Size: 4KB - Virtual size: 2KB

.reloc
Size: 4KB - Virtual size: 92B