9e954dd09a809c9306869b517794870ce3fb412e11531d7fd8379bc22b06a6a4

Sharing

Copy URL Twitter E-mail

General

Target

9e954dd09a809c9306869b517794870ce3fb412e11531d7fd8379bc22b06a6a4
Size

8.3MB
MD5

076e2e3e2bac5eb94da7142a6d5f4e81
SHA1

d4fd60319cbcfe35528426860100ba6b3c80b274
SHA256

9e954dd09a809c9306869b517794870ce3fb412e11531d7fd8379bc22b06a6a4
SHA512

d33a92c0325f7c66779a4d0eb2aa0722caaeed9ef37075a2fb07534980f7396395b7bd83febd60704327497bd987a011d9a5fca2f10c2a1d55b75a10b159254e
SSDEEP

196608:kh2AXrbZzPuyZ/USFy6Na4vK5Ko5A0tOOtLQt+lCO:nAXrFKylUtYnSzIOt++P

Score

5^/10

upx

Malware Config

Signatures

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
static1/unpack002/$TEMP/WinNTSetup/Tools/x64/BootICE/BOOTICEx64.exe	upx
static1/unpack002/$TEMP/WinNTSetup/Tools/x86/BOOTICEx86.exe	upx
static1/unpack005/$TEMP/WinNTSetup/Tools/x64/BootICE/BOOTICEx64.exe	upx
static1/unpack007/Tools/x64/BootICE/BOOTICEx64.exe	upx

Unsigned PE 53 IoCs

Checks for missing Authenticode signature.

resource
unpack001/WinNTSetup 5.3.5.2/WinNTSetup-5.3.5.2-x64,v4.2.5-x86.exe
unpack002/$PLUGINSDIR/System.dll
unpack002/$TEMP/WinNTSetup/Tools/imdisk/cpl/amd64/imdisk.cpl
unpack002/$TEMP/WinNTSetup/Tools/nativevhdboot_x64.dll
unpack002/$TEMP/WinNTSetup/Tools/nativevhdboot_x86.dll
unpack002/$TEMP/WinNTSetup/Tools/x64/BootICE/BOOTICEx64.exe
unpack002/$TEMP/WinNTSetup/Tools/x64/MSSTMake.exe
unpack002/$TEMP/WinNTSetup/Tools/x64/WIMHost.exe
unpack002/$TEMP/WinNTSetup/Tools/x64/wimlib.dll
unpack002/$TEMP/WinNTSetup/Tools/x64/wimlib/libwim-15.dll
unpack002/$TEMP/WinNTSetup/Tools/x86/BOOTICEx86.exe
unpack002/$TEMP/WinNTSetup/Tools/x86/MSSTMake.exe
unpack002/$TEMP/WinNTSetup/Tools/x86/bcdboot.exe
unpack002/$TEMP/WinNTSetup/Tools/x86/bcdedit.exe
unpack002/$TEMP/WinNTSetup/Tools/x86/diskcopy.dll
unpack002/$TEMP/WinNTSetup/Tools/x86/wimlib/libwim-15.dll
unpack002/$TEMP/WinNTSetup/WinNTSetup_x64.exe
unpack002/$TEMP/WinNTSetup/WinNTSetup_x86.exe
unpack002/$TEMP/WinNTSetup/_DeltaPatchWinXP/xdelta3.exe
unpack001/WinNTSetup 5.3.5.2/WinNTSetup-5.3.5.2-x64.exe
unpack005/$PLUGINSDIR/System.dll
unpack005/$TEMP/WinNTSetup/Tools/imdisk/cpl/amd64/imdisk.cpl
unpack005/$TEMP/WinNTSetup/Tools/nativevhdboot_x64.dll
unpack005/$TEMP/WinNTSetup/Tools/nativevhdboot_x86.dll
unpack005/$TEMP/WinNTSetup/Tools/x64/BootICE/BOOTICEx64.exe
unpack005/$TEMP/WinNTSetup/Tools/x64/MSSTMake.exe
unpack005/$TEMP/WinNTSetup/Tools/x64/WIMHost.exe
unpack005/$TEMP/WinNTSetup/Tools/x64/wimlib.dll
unpack005/$TEMP/WinNTSetup/Tools/x64/wimlib/libwim-15.dll
unpack005/$TEMP/WinNTSetup/WinNTSetup_x64.exe
unpack007/Lang/1028.dll
unpack007/Lang/1031.dll
unpack007/Lang/1036.dll
unpack007/Lang/1040.dll
unpack007/Lang/1042.dll
unpack007/Lang/1046.dll
unpack007/Lang/1049.dll
unpack007/Lang/1055.dll
unpack007/Lang/1058.dll
unpack007/Lang/2052.dll
unpack007/Lang/2058.dll
unpack007/Tools/imdisk/cpl/amd64/imdisk.cpl
unpack007/Tools/nativevhdboot_x64.dll
unpack007/Tools/nativevhdboot_x86.dll
unpack007/Tools/x64/BootICE/BOOTICE.dll
unpack007/Tools/x64/BootICE/BOOTICEx64.exe
unpack007/Tools/x64/BootICE/Lang/1031.dll
unpack007/Tools/x64/BootICE/Lang/1033.dll
unpack007/Tools/x64/BootICE/Lang/1049.dll
unpack007/Tools/x64/MSSTMake.exe
unpack007/Tools/x64/WIMHost.exe
unpack007/Tools/x64/wimlib.dll
unpack007/WinNTSetup_x64.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
static1/unpack001/WinNTSetup 5.3.5.2/WinNTSetup-5.3.5.2-x64,v4.2.5-x86.exe	nsis_installer_1
static1/unpack001/WinNTSetup 5.3.5.2/WinNTSetup-5.3.5.2-x64,v4.2.5-x86.exe	nsis_installer_2
static1/unpack001/WinNTSetup 5.3.5.2/WinNTSetup-5.3.5.2-x64.exe	nsis_installer_1
static1/unpack001/WinNTSetup 5.3.5.2/WinNTSetup-5.3.5.2-x64.exe	nsis_installer_2

Files

9e954dd09a809c9306869b517794870ce3fb412e11531d7fd8379bc22b06a6a4
.zip
WinNTSetup 5.3.5.2/WinNTSetup-5.3.5.2-x64,v4.2.5-x86.exe
.exe windows:4 windows x86 arch:x86

7c2c71dfce9a27650634dc8b1ca03bf0

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SetEnvironmentVariableA
CreateFileA
GetFileSize
GetModuleFileNameA
ReadFile
GetCurrentProcess
CopyFileA
Sleep
GetTickCount
GetWindowsDirectoryA
GetTempPathA
GetCommandLineA
lstrlenA
GetVersion
SetErrorMode
lstrcpynA
ExitProcess
SetFileAttributesA
GlobalLock
CreateThread
GetLastError
CreateDirectoryA
CreateProcessA
RemoveDirectoryA
GetTempFileNameA
WriteFile
lstrcpyA
MoveFileExA
lstrcatA
GetSystemDirectoryA
GetProcAddress
GetExitCodeProcess
WaitForSingleObject
CompareFileTime
SetFileTime
GetFileAttributesA
SetCurrentDirectoryA
MoveFileA
GetFullPathNameA
GetShortPathNameA
SearchPathA
CloseHandle
lstrcmpiA
GlobalUnlock
GetDiskFreeSpaceA
lstrcmpA
DeleteFileA
FindFirstFileA
FindNextFileA
FindClose
SetFilePointer
GetPrivateProfileStringA
WritePrivateProfileStringA
MulDiv
MultiByteToWideChar
FreeLibrary
LoadLibraryExA
GetModuleHandleA
GlobalAlloc
GlobalFree
ExpandEnvironmentStringsA

user32

GetSystemMenu
SetClassLongA
EnableMenuItem
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
ScreenToClient
GetWindowRect
GetDlgItem
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
GetDC
ReleaseDC
EnableWindow
InvalidateRect
SendMessageA
DefWindowProcA
BeginPaint
GetClientRect
FillRect
EndDialog
RegisterClassA
SystemParametersInfoA
CreateWindowExA
GetClassInfoA
DialogBoxParamA
CharNextA
ExitWindowsEx
LoadImageA
CreateDialogParamA
SetTimer
SetWindowTextA
SetForegroundWindow
ShowWindow
SetWindowLongA
SendMessageTimeoutA
FindWindowExA
IsWindow
AppendMenuA
TrackPopupMenu
CreatePopupMenu
DrawTextA
EndPaint
DestroyWindow
wsprintfA
PostQuitMessage

gdi32

SelectObject
SetTextColor
SetBkMode
CreateFontIndirectA
CreateBrushIndirect
DeleteObject
GetDeviceCaps
SetBkColor

shell32

SHGetSpecialFolderLocation
ShellExecuteExA
SHGetPathFromIDListA
SHBrowseForFolderA
SHGetFileInfoA
SHFileOperationA

advapi32

AdjustTokenPrivileges
RegCreateKeyExA
RegOpenKeyExA
SetFileSecurityA
OpenProcessToken
LookupPrivilegeValueA
RegEnumValueA
RegDeleteKeyA
RegDeleteValueA
RegCloseKey
RegSetValueExA
RegQueryValueExA
RegEnumKeyA

comctl32

ImageList_Create
ImageList_AddMasked
ord17
ImageList_Destroy

ole32

OleUninitialize
OleInitialize
CoTaskMemFree
CoCreateInstance

Sections

.text
Size: 24KB - Virtual size: 24KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 106KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 36KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$PLUGINSDIR/System.dll
.dll windows:4 windows x86 arch:x86

8c8a576201f68de1a3f26fc723b9f30f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

MultiByteToWideChar
GlobalFree
GlobalSize
lstrcpynA
lstrcpyA
GetProcAddress
VirtualFree
FreeLibrary
lstrlenA
LoadLibraryA
GetModuleHandleA
GlobalAlloc
WideCharToMultiByte
VirtualAlloc
VirtualProtect
GetLastError

user32

wsprintfA

ole32

StringFromGUID2
CLSIDFromString

Exports

Exports

Alloc
Call
Copy
Free
Get
Int64Op
Store
StrAlloc

Sections

.text
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 867B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 104B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 636B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Compact/WimBootCompress.ini
$TEMP/WinNTSetup/DISM/Sample.ini
$TEMP/WinNTSetup/Diskpart/BIOS.txt
$TEMP/WinNTSetup/Diskpart/UEFI.txt
.vbs
$TEMP/WinNTSetup/Diskpart/XP_legacy/BIOS.txt
$TEMP/WinNTSetup/MinWin/Default/AntiLog.ini
$TEMP/WinNTSetup/MinWin/Default/AntiLog.reg
$TEMP/WinNTSetup/MinWin/Default/Options.ini
$TEMP/WinNTSetup/MinWin/Default/Reg/Explorer_LaunchTo.reg
$TEMP/WinNTSetup/MinWin/Default/Reg/GameDVR.reg
$TEMP/WinNTSetup/MinWin/Default/Reg/Remove_Gallery.reg
$TEMP/WinNTSetup/MinWin/Default/Reg/Restore_Photo_Viewer_Windows_10.reg
$TEMP/WinNTSetup/MinWin/Default/Reg/ShippedWithReserves.reg
$TEMP/WinNTSetup/MinWin/Default/Reg/StuckRects3-Win10-200X.reg
$TEMP/WinNTSetup/MinWin/Default/Reg/SysTray_ClassicVolumeControl.reg
$TEMP/WinNTSetup/MinWin/Default/Reg/SysTray_Network_Flyout.reg
$TEMP/WinNTSetup/MinWin/Default/Reg/Taskbar.reg
$TEMP/WinNTSetup/MinWin/Default/Reg/UserSignedIn.reg
$TEMP/WinNTSetup/MinWin/Default/Remove/Active Setup.reg
$TEMP/WinNTSetup/MinWin/Default/Remove/Defender.reg
$TEMP/WinNTSetup/MinWin/Default/Remove/Defender.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/DrvStore_Inf.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/Edge.reg
$TEMP/WinNTSetup/MinWin/Default/Remove/Edge.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/Fonts.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/Installed.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/Languages.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/Media.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/NetFX.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/NetFX_Keep.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/OneDrive.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/ProgramFiles.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/Speech.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/SySWoW.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/System32-DLL.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/System32.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/WMP.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/WSearch.reg
$TEMP/WinNTSetup/MinWin/Default/Remove/WUAU.reg
$TEMP/WinNTSetup/MinWin/Default/Remove/WUAU.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/WinSAT.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/Windows.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/Windows11.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/WindowsApps.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/WindowsPowerShell.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/XBOX.reg
$TEMP/WinNTSetup/MinWin/Default/Remove/XBOX.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/XPS.txt
$TEMP/WinNTSetup/MinWin/Default/Services.ini
$TEMP/WinNTSetup/MinWin/Default/Tasks.ini
$TEMP/WinNTSetup/MinWin/Default/WinSxS.ini
$TEMP/WinNTSetup/MinWin/ReadMe.txt
$TEMP/WinNTSetup/MinWin/ReadMechs.txt
$TEMP/WinNTSetup/Tools/CATTrim.ini
$TEMP/WinNTSetup/Tools/Compact/WimBootCompress.ini
$TEMP/WinNTSetup/Tools/MergeIDE_2600.ini
$TEMP/WinNTSetup/Tools/MergeIDE_7600.ini
$TEMP/WinNTSetup/Tools/MergeIDE_9200.ini
$TEMP/WinNTSetup/Tools/MinWin/Default/AntiLog.ini
$TEMP/WinNTSetup/Tools/MinWin/Default/AntiLog.reg
$TEMP/WinNTSetup/Tools/MinWin/Default/Reg/GameDVR.reg
$TEMP/WinNTSetup/Tools/MinWin/Default/Reg/Restore_Photo_Viewer_Windows_10.reg
$TEMP/WinNTSetup/Tools/MinWin/Default/Reg/StuckRects3-Win10-200X.reg
$TEMP/WinNTSetup/Tools/MinWin/Default/Reg/SysTray_ClassicVolumeControl.reg
$TEMP/WinNTSetup/Tools/MinWin/Default/Reg/SysTray_Network_Flyout.reg
$TEMP/WinNTSetup/Tools/MinWin/Default/Reg/UserSignedIn.reg
$TEMP/WinNTSetup/Tools/MinWin/Default/Remove/Active Setup.reg
$TEMP/WinNTSetup/Tools/MinWin/Default/Remove/Defender.reg
$TEMP/WinNTSetup/Tools/MinWin/Default/Remove/Defender.txt
$TEMP/WinNTSetup/Tools/MinWin/Default/Remove/DrvStore_Inf.txt
$TEMP/WinNTSetup/Tools/MinWin/Default/Remove/Edge.reg
$TEMP/WinNTSetup/Tools/MinWin/Default/Remove/Edge.txt
$TEMP/WinNTSetup/Tools/MinWin/Default/Remove/Fonts.txt
$TEMP/WinNTSetup/Tools/MinWin/Default/Remove/Installed.txt
$TEMP/WinNTSetup/Tools/MinWin/Default/Remove/Languages.txt
$TEMP/WinNTSetup/Tools/MinWin/Default/Remove/Media.txt
$TEMP/WinNTSetup/Tools/MinWin/Default/Remove/NetFX.txt
$TEMP/WinNTSetup/Tools/MinWin/Default/Remove/OneDrive.txt
$TEMP/WinNTSetup/Tools/MinWin/Default/Remove/ProgramFiles.txt
$TEMP/WinNTSetup/Tools/MinWin/Default/Remove/Speech.txt
$TEMP/WinNTSetup/Tools/MinWin/Default/Remove/SySWoW.txt
$TEMP/WinNTSetup/Tools/MinWin/Default/Remove/System32-DLL.txt
$TEMP/WinNTSetup/Tools/MinWin/Default/Remove/System32.txt
$TEMP/WinNTSetup/Tools/MinWin/Default/Remove/WMP.txt
$TEMP/WinNTSetup/Tools/MinWin/Default/Remove/WSearch.reg
$TEMP/WinNTSetup/Tools/MinWin/Default/Remove/WUAU.reg
$TEMP/WinNTSetup/Tools/MinWin/Default/Remove/WUAU.txt
$TEMP/WinNTSetup/Tools/MinWin/Default/Remove/WinSAT.txt
$TEMP/WinNTSetup/Tools/MinWin/Default/Remove/Windows.txt
$TEMP/WinNTSetup/Tools/MinWin/Default/Remove/WindowsApps.txt
$TEMP/WinNTSetup/Tools/MinWin/Default/Remove/WindowsPowerShell.txt
$TEMP/WinNTSetup/Tools/MinWin/Default/Remove/XBOX.reg
$TEMP/WinNTSetup/Tools/MinWin/Default/Remove/XBOX.txt
$TEMP/WinNTSetup/Tools/MinWin/Default/Remove/XPS.txt
$TEMP/WinNTSetup/Tools/MinWin/Default/Services.ini
$TEMP/WinNTSetup/Tools/MinWin/Default/Tasks.ini
$TEMP/WinNTSetup/Tools/MinWin/Default/WinSxS.ini
$TEMP/WinNTSetup/Tools/WimBootCompress.ini
$TEMP/WinNTSetup/Tools/WimScript/WimScript.ini
$TEMP/WinNTSetup/Tools/Win10Builds.ini
$TEMP/WinNTSetup/Tools/Win7USB3/ReadMe.txt
$TEMP/WinNTSetup/Tools/Win7USBBoot.ini
$TEMP/WinNTSetup/Tools/WinNTSetup_iso.cmd
$TEMP/WinNTSetup/Tools/diskpart/BIOS.txt
$TEMP/WinNTSetup/Tools/diskpart/Disk0_bios.txt
$TEMP/WinNTSetup/Tools/diskpart/Disk0_uefi.txt
.vbs
$TEMP/WinNTSetup/Tools/diskpart/UEFI.txt
.vbs
$TEMP/WinNTSetup/Tools/diskpart/XP_legacy/BIOS.txt
$TEMP/WinNTSetup/Tools/diskpart/XP_legacy/Disk0_bios.txt
$TEMP/WinNTSetup/Tools/diskpart/enabled=1
$TEMP/WinNTSetup/Tools/imdisk/cpl/amd64/imdisk.cpl
.dll windows:6 windows x64 arch:x64

279416a3dfe8386ca2bd447389b068d7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

x:\imdisk_source\cpl\amd64\imdisk.pdb

Imports

msvcrt

malloc
wcstoul
wcsncat
_beginthreadex
??3@YAXPEAX@Z
wcstod
towupper
wcstok
??2@YAPEAX_K@Z
fwprintf
_fgetwchar
strchr
_XcptFilter
fflush
wcschr
_initterm
_amsg_exit
__C_specific_handler
fprintf
toupper
_fgetchar
free
wcsncmp
wcsrchr
wcsncpy
_snwprintf
_wcsicmp
_iob
memcpy
memset

kernel32

SetUnhandledExceptionFilter
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetSystemTimeAsFileTime
GetFileSize
SetFilePointer
SetEndOfFile
HeapAlloc
HeapFree
GetLogicalDrives
VirtualFree
GetProcessHeap
WaitNamedPipeW
WriteFile
Sleep
FormatMessageW
ReadFile
CreateFileW
FlushFileBuffers
GetLastError
SetLastError
VirtualAlloc
DefineDosDeviceW
LocalAlloc
CreateEventW
DeviceIoControl
CloseHandle
LocalFree
GetDriveTypeA
MultiByteToWideChar
SetCurrentDirectoryW
GetWindowsDirectoryW
HeapReAlloc
WaitForSingleObject
SetEvent
GetTickCount
QueryDosDeviceW
WaitForMultipleObjects
DeleteFileW
GetVolumeInformationW
QueryPerformanceCounter
GetCurrentThreadId
GetCurrentProcessId

advapi32

CloseServiceHandle
OpenServiceW
RegCreateKeyW
RegQueryValueExW
RegOpenKeyW
InitializeSecurityDescriptor
RegDeleteKeyW
RegSetValueExW
RegCloseKey
RegDeleteValueW
QueryServiceStatus
StartServiceW
SetSecurityDescriptorDacl
OpenSCManagerW

user32

GetWindowTextLengthW
GetDlgItemInt
SetProcessDPIAware
TrackPopupMenu
PostMessageW
GetSubMenu
GetParent
SetFocus
GetDC
SetDlgItemInt
GetMenu
LoadIconW
GetAsyncKeyState
SetClassLongPtrW
ReleaseDC
EnableMenuItem
EndDialog
SendDlgItemMessageW
CheckDlgButton
DispatchMessageW
GetPropW
SetWindowTextW
MessageBoxW
SendMessageTimeoutW
ShowWindow
GetDlgItem
PeekMessageW
IsDialogMessageW
TranslateMessage
SetPropW
RemovePropW
IsDlgButtonChecked
DialogBoxParamW
DestroyWindow
EnableWindow
MapWindowPoints
SendMessageW
SetDlgItemTextW
GetDlgItemTextW
GetSystemMetrics
DrawMenuBar
CreateDialogParamW

shell32

ShellExecuteW
SHFormatDrive
SHChangeNotify

gdi32

GetDeviceCaps

comctl32

ImageList_Create
ImageList_ReplaceIcon

comdlg32

CommDlgExtendedError
GetSaveFileNameW
GetOpenFileNameW

ntdll

RtlFreeUnicodeString
RtlNtStatusToDosError
NtClose
NtOpenFile
RtlDosPathNameToNtPathName_U
RtlCreateUnicodeString
RtlInitUnicodeString

Exports

Exports

CPlApplet
ImDiskAdjustImageFileSize
ImDiskAllocPrintF
ImDiskBuildMBR
ImDiskChangeFlags
ImDiskCheckDriverVersion
ImDiskConsoleMessageA
ImDiskConsoleMessageW
ImDiskConvertCHSToLBA
ImDiskConvertLBAToCHS
ImDiskCreateDevice
ImDiskCreateDeviceEx
ImDiskCreateMountPoint
ImDiskExtendDevice
ImDiskFindFreeDriveLetter
ImDiskFlushWindowMessages
ImDiskForceRemoveDevice
ImDiskGetAPIFlags
ImDiskGetDeviceList
ImDiskGetDeviceListEx
ImDiskGetFormattedGeometry
ImDiskGetFormattedGeometryIndirect
ImDiskGetOffsetByFileExt
ImDiskGetPartitionInfoIndirect
ImDiskGetPartitionInfoIndirectEx
ImDiskGetPartitionInformation
ImDiskGetPartitionInformationEx
ImDiskGetPartitionTypeName
ImDiskGetRegistryAutoLoadDevices
ImDiskGetSinglePartitionInfoIndirect
ImDiskGetSinglePartitionInformation
ImDiskGetVersion
ImDiskGetVolumeSize
ImDiskImageContainsISOFS
ImDiskImageContainsISOFSIndirect
ImDiskMsgBoxPrintF
ImDiskNativePathToWin32
ImDiskNotifyRemovePending
ImDiskNotifyShellDriveLetter
ImDiskOpenDeviceByMountPoint
ImDiskOpenDeviceByName
ImDiskOpenDeviceByNumber
ImDiskOpenRefreshEvent
ImDiskQueryDevice
ImDiskReadFileHandle
ImDiskRemoveDevice
ImDiskRemoveMountPoint
ImDiskRemoveRegistrySettings
ImDiskSaveImageFile
ImDiskSaveImageFileInteractive
ImDiskSaveRegistrySettings
ImDiskSetAPIFlags
ImDiskStartService
RunDLL_MountFile
RunDLL_MountFileW
RunDLL_RemoveDevice
RunDLL_SaveImageFile

Sections

.text
Size: 70KB - Virtual size: 70KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 39KB - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 60B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/imdisk/cpl/i386/imdisk.cpl
.dll windows:6 windows x86 arch:x86

ea7a7ccc5fd79c1838a75212eeb78983

Code Sign

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

28/01/2028, 12:00

Subject

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:25:07:1d:f9:af
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

18/11/2009, 10:00

Not After

18/03/2019, 10:00

Subject

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

04:00:00:00:00:01:31:89:c6:4d:e1
Certificate

Issuer

CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign

Not Before

02/08/2011, 10:00

Not After

02/08/2019, 10:00

Subject

CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

11:21:d6:99:a7:64:97:3e:f1:f8:42:7e:e9:19:cc:53:41:14
Certificate

Issuer

CN=GlobalSign Timestamping CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

24/05/2016, 00:00

Not After

24/06/2027, 00:00

Subject

CN=GlobalSign TSA for MS Authenticode - G2,O=GMO GlobalSign Pte Ltd,C=SG

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

61:29:15:27:00:00:00:00:00:2a
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/04/2011, 19:55

Not After

15/04/2021, 20:05

Subject

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

11:21:01:0f:f2:71:77:94:5c:4e:36:c5:fc:7a:4c:98:78:8a
Certificate

Issuer

CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE

Not Before

23/02/2016, 16:22

Not After

10/02/2019, 15:13

Subject

SERIALNUMBER=969697-0400,CN=Lagerkvist Teknisk Rådgivning i Borås HB,O=Lagerkvist Teknisk Rådgivning i Borås HB,STREET=Alvestagatan 29 lgh 1502,L=Borås,ST=Västra Götalands Län,C=SE,1.3.6.1.4.1.311.60.2.1.3=#13025345,2.5.4.15=#131450726976617465204f7267616e697a6174696f6e

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

33:00:00:00:25:3a:27:38:69:0a:34:51:c1:00:00:00:00:00:25
Certificate

Issuer

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/09/2018, 21:30

Not After

06/09/2019, 21:30

Subject

CN=Microsoft Windows Hardware Compatibility Publisher,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0d
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/10/2014, 20:31

Not After

15/10/2029, 20:41

Subject

CN=Microsoft Windows Third Party Component CA 2014,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

95:ba:c6:36:5d:47:e4:84:b6:b6:2e:6a:4d:e0:c1:ea:15:6e:57:b4:08:22:08:ed:fa:cb:05:01:63:66:1a:56
Signer

Actual PE Digest

95:ba:c6:36:5d:47:e4:84:b6:b6:2e:6a:4d:e0:c1:ea:15:6e:57:b4:08:22:08:ed:fa:cb:05:01:63:66:1a:56

Digest Algorithm

sha256

PE Digest Matches

true

fc:7c:99:a3:05:b0:a2:e9:5a:14:df:b0:ff:ab:17:ee:0b:63:a5:3e
Signer

Actual PE Digest

fc:7c:99:a3:05:b0:a2:e9:5a:14:df:b0:ff:ab:17:ee:0b:63:a5:3e

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

z:\kod\imdisk\cpl\i386\imdisk.pdb

Imports

msvcrt

_fgetwchar
_iob
fprintf
fflush
_fgetchar
toupper
strchr
??2@YAPAXI@Z
_beginthreadex
wcsncat
??3@YAXPAX@Z
fwprintf
towupper
wcstok
wcstod
malloc
free
memcpy
wcsncmp
wcschr
memset
wcsncpy
wcsrchr
_wcsicmp
_snwprintf
wcstoul

kernel32

GetWindowsDirectoryW
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
RtlUnwind
SetEvent
WaitForSingleObject
GetTickCount
DeleteFileW
GetVolumeInformationW
HeapReAlloc
WaitForMultipleObjects
QueryDosDeviceW
GetDriveTypeA
SetCurrentDirectoryW
MultiByteToWideChar
VirtualAlloc
WriteFile
VirtualFree
WaitNamedPipeW
Sleep
LocalAlloc
CreateEventW
GetFileSize
SetEndOfFile
FlushFileBuffers
GetLogicalDrives
GetVersion
DefineDosDeviceW
CreateFileW
GetProcessHeap
HeapAlloc
DeviceIoControl
CloseHandle
HeapFree
SetLastError
SetFilePointer
ReadFile
GetLastError
LocalFree
FormatMessageW

advapi32

RegCloseKey
StartServiceW
CloseServiceHandle
OpenServiceW
RegOpenKeyW
RegCreateKeyW
RegQueryValueExW
RegSetValueExW
QueryServiceStatus
RegDeleteValueW
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
RegDeleteKeyW
OpenSCManagerW

user32

DispatchMessageW
IsDialogMessageW
GetDlgItemInt
GetMenu
EnableMenuItem
DrawMenuBar
MapWindowPoints
GetSubMenu
TrackPopupMenu
GetAsyncKeyState
LoadIconW
SetClassLongW
GetSystemMetrics
SendMessageW
PostMessageW
GetParent
GetWindowTextLengthW
EnableWindow
TranslateMessage
SetDlgItemInt
SendDlgItemMessageW
CheckDlgButton
SetFocus
IsDlgButtonChecked
EndDialog
SetDlgItemTextW
GetDlgItemTextW
CreateDialogParamW
DestroyWindow
DialogBoxParamW
SetWindowTextW
SendMessageTimeoutW
MessageBoxW
GetPropW
ShowWindow
SetPropW
GetDlgItem
RemovePropW
PeekMessageW

shell32

SHFormatDrive
ShellExecuteW
SHChangeNotify

comctl32

ImageList_Create
ImageList_ReplaceIcon

comdlg32

GetOpenFileNameW
CommDlgExtendedError
GetSaveFileNameW

ntdll

NtOpenFile
RtlInitUnicodeString
NtClose
RtlFreeUnicodeString
RtlDosPathNameToNtPathName_U
RtlCreateUnicodeString
RtlNtStatusToDosError

Exports

Exports

CPlApplet
ImDiskAdjustImageFileSize
ImDiskAllocPrintF
ImDiskBuildMBR
ImDiskChangeFlags
ImDiskCheckDriverVersion
ImDiskConsoleMessageA
ImDiskConsoleMessageW
ImDiskConvertCHSToLBA
ImDiskConvertLBAToCHS
ImDiskCreateDevice
ImDiskCreateDeviceEx
ImDiskCreateMountPoint
ImDiskExtendDevice
ImDiskFindFreeDriveLetter
ImDiskFlushWindowMessages
ImDiskForceRemoveDevice
ImDiskGetAPIFlags
ImDiskGetDeviceList
ImDiskGetDeviceListEx
ImDiskGetFormattedGeometry
ImDiskGetFormattedGeometryIndirect
ImDiskGetOffsetByFileExt
ImDiskGetPartitionInfoIndirect
ImDiskGetPartitionInfoIndirectEx
ImDiskGetPartitionInformation
ImDiskGetPartitionInformationEx
ImDiskGetPartitionTypeName
ImDiskGetRegistryAutoLoadDevices
ImDiskGetSinglePartitionInfoIndirect
ImDiskGetSinglePartitionInformation
ImDiskGetVersion
ImDiskGetVolumeSize
ImDiskImageContainsISOFS
ImDiskImageContainsISOFSIndirect
ImDiskMsgBoxPrintF
ImDiskNativePathToWin32
ImDiskNotifyRemovePending
ImDiskNotifyShellDriveLetter
ImDiskOpenDeviceByMountPoint
ImDiskOpenDeviceByName
ImDiskOpenDeviceByNumber
ImDiskOpenRefreshEvent
ImDiskQueryDevice
ImDiskReadFileHandle
ImDiskRemoveDevice
ImDiskRemoveMountPoint
ImDiskRemoveRegistrySettings
ImDiskSaveImageFile
ImDiskSaveImageFileInteractive
ImDiskSaveRegistrySettings
ImDiskSetAPIFlags
ImDiskStartService
RunDLL_MountFile
RunDLL_MountFileW
RunDLL_RemoveDevice
RunDLL_SaveImageFile
_CPlApplet@16
_ImDiskAdjustImageFileSize@8
_ImDiskBuildMBR@20
_ImDiskChangeFlags@20
_ImDiskCheckDriverVersion@4
_ImDiskConsoleMessageA@16
_ImDiskConsoleMessageW@16
_ImDiskConvertCHSToLBA@8
_ImDiskConvertLBAToCHS@8
_ImDiskCreateDevice@28
_ImDiskCreateDeviceEx@32
_ImDiskCreateMountPoint@8
_ImDiskExtendDevice@12
_ImDiskFindFreeDriveLetter@0
_ImDiskFlushWindowMessages@4
_ImDiskForceRemoveDevice@8
_ImDiskGetAPIFlags@0
_ImDiskGetDeviceList@0
_ImDiskGetDeviceListEx@8
_ImDiskGetFormattedGeometry@12
_ImDiskGetFormattedGeometryIndirect@16
_ImDiskGetOffsetByFileExt@8
_ImDiskGetPartitionInfoIndirect@20
_ImDiskGetPartitionInfoIndirectEx@24
_ImDiskGetPartitionInformation@16
_ImDiskGetPartitionInformationEx@20
_ImDiskGetPartitionTypeName@12
_ImDiskGetRegistryAutoLoadDevices@4
_ImDiskGetSinglePartitionInfoIndirect@24
_ImDiskGetSinglePartitionInformation@20
_ImDiskGetVersion@8
_ImDiskGetVolumeSize@8
_ImDiskImageContainsISOFS@8
_ImDiskImageContainsISOFSIndirect@12
_ImDiskNativePathToWin32@4
_ImDiskNotifyRemovePending@8
_ImDiskNotifyShellDriveLetter@8
_ImDiskOpenDeviceByMountPoint@8
_ImDiskOpenDeviceByName@8
_ImDiskOpenDeviceByNumber@8
_ImDiskOpenRefreshEvent@4
_ImDiskQueryDevice@12
_ImDiskReadFileHandle@24
_ImDiskRemoveDevice@12
_ImDiskRemoveMountPoint@4
_ImDiskRemoveRegistrySettings@4
_ImDiskSaveImageFile@16
_ImDiskSaveImageFileInteractive@16
_ImDiskSaveRegistrySettings@4
_ImDiskSetAPIFlags@8
_ImDiskStartService@4
_RunDLL_MountFile@16
_RunDLL_MountFileW@16
_RunDLL_RemoveDevice@16
_RunDLL_SaveImageFile@16

Sections

.text
Size: 58KB - Virtual size: 58KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 38KB - Virtual size: 37KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/imdisk/sys/amd64/imdisk.sys
.sys windows:6 windows x64 arch:x64

ca1b7a99c1db8c685051151b20cecfd0

Code Sign

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

13/04/2019, 10:00

Subject

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

9f:ea:c8:11:b0:f1:62:47:a5:fc:20:d8:05:23:ac:e6
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

05/05/2015, 00:00

Not After

31/12/2015, 23:59

Subject

CN=COMODO Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

11:21:42:a1:2c:75:7c:ec:88:72:b6:e2:03:ec:d4:ea:64:91
Certificate

Issuer

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

17/01/2013, 15:30

Not After

18/03/2016, 12:43

Subject

CN=Lagerkvist Teknisk Radgivning i Boras HB,O=Lagerkvist Teknisk Radgivning i Boras HB,ST=-,C=SE,1.2.840.113549.1.9.1=#0c10696e666f406c74722d646174612e7365

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0b:7f:6b:00:00:00:00:00:19
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:00

Not After

23/05/2016, 17:10

Subject

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

5c:42:5e:bf:54:48:19:7c:ad:73:70:15:5e:09:9d:b5:dd:f6:67:8b
Signer

Actual PE Digest

5c:42:5e:bf:54:48:19:7c:ad:73:70:15:5e:09:9d:b5:dd:f6:67:8b

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

z:\kod\imdisk\sys\amd64\imdisk.pdb

Imports

ntoskrnl.exe

ExAllocatePoolWithTag
ZwCreateEvent
IoDeleteSymbolicLink
ExFreePoolWithTag
_snwprintf
RtlSetDaclSecurityDescriptor
RtlInitUnicodeString
IoDeleteDevice
KeSetEvent
RtlAppendUnicodeToString
KeInitializeEvent
KeDelayExecutionThread
PsCreateSystemThread
ZwQueryValueKey
IoCreateUnprotectedSymbolicLink
ExEventObjectType
ZwClose
ObReferenceObjectByHandle
KeWaitForSingleObject
RtlCopyUnicodeString
ObfDereferenceObject
IoCreateDevice
ObReferenceObjectByPointer
DbgPrint
RtlCreateSecurityDescriptor
KePulseEvent
ZwOpenKey
KeClearEvent
KeReadStateEvent
IoBuildSynchronousFsdRequest
ZwReadFile
IoGetRelatedDeviceObject
IoCancelIrp
KeWaitForMultipleObjects
IofCallDriver
ZwFsControlFile
KeReleaseInStackQueuedSpinLock
_wcsnicmp
ZwMapViewOfSection
KeAcquireInStackQueuedSpinLock
ZwSetInformationFile
SeCreateClientSecurity
IoFileObjectType
ZwWaitForSingleObject
ZwCreateFile
SeImpersonateClient
ZwFreeVirtualMemory
RtlAppendUnicodeStringToString
ZwDeviceIoControlFile
ZwQueryInformationFile
ZwOpenSection
SeTokenType
ZwAllocateVirtualMemory
IoBuildDeviceIoControlRequest
NtWriteFile
KeSetPriorityThread
NtFsControlFile
MmMapLockedPagesSpecifyCache
PsTerminateSystemThread
IofCompleteRequest
NtReadFile
SeSinglePrivilegeCheck
IoFreeMdl
IoFreeIrp
IoAllocateIrp
MmUnlockPages
ZwOpenEvent
ZwUnmapViewOfSection
KeBugCheckEx

Sections

.text
Size: 18KB - Virtual size: 17KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 360B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 872B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/imdisk/sys/i386/imdisk.sys
.sys windows:6 windows x86 arch:x86

0f7dd87f79d112f5be926ddd046011c3

Code Sign

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

13/04/2019, 10:00

Subject

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

9f:ea:c8:11:b0:f1:62:47:a5:fc:20:d8:05:23:ac:e6
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

05/05/2015, 00:00

Not After

31/12/2015, 23:59

Subject

CN=COMODO Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

11:21:42:a1:2c:75:7c:ec:88:72:b6:e2:03:ec:d4:ea:64:91
Certificate

Issuer

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

17/01/2013, 15:30

Not After

18/03/2016, 12:43

Subject

CN=Lagerkvist Teknisk Radgivning i Boras HB,O=Lagerkvist Teknisk Radgivning i Boras HB,ST=-,C=SE,1.2.840.113549.1.9.1=#0c10696e666f406c74722d646174612e7365

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0b:7f:6b:00:00:00:00:00:19
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:00

Not After

23/05/2016, 17:10

Subject

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

44:77:53:04:63:95:90:dd:ac:20:ee:b4:60:4a:3c:60:4d:94:46:a9
Signer

Actual PE Digest

44:77:53:04:63:95:90:dd:ac:20:ee:b4:60:4a:3c:60:4d:94:46:a9

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

z:\kod\imdisk\sys\i386\imdisk.pdb

Imports

ntoskrnl.exe

PsCreateSystemThread
ZwQueryValueKey
RtlInitUnicodeString
_snwprintf
KeDelayExecutionThread
memcpy
IoCreateUnprotectedSymbolicLink
IoDeleteSymbolicLink
KeSetEvent
KeWaitForSingleObject
KeInitializeEvent
ObReferenceObjectByPointer
IoDeleteDevice
ObfDereferenceObject
KePulseEvent
DbgPrint
ObReferenceObjectByHandle
ExEventObjectType
ZwCreateEvent
RtlSetDaclSecurityDescriptor
RtlCreateSecurityDescriptor
IoCreateDevice
ZwOpenKey
RtlAppendUnicodeToString
RtlCopyUnicodeString
ZwReadFile
IoCancelIrp
KeReadStateEvent
KeWaitForMultipleObjects
IofCallDriver
KeClearEvent
IoBuildSynchronousFsdRequest
IoGetRelatedDeviceObject
ZwWaitForSingleObject
ZwClose
ZwQueryInformationFile
KeGetCurrentThread
ZwFreeVirtualMemory
ZwAllocateVirtualMemory
IoFileObjectType
ZwMapViewOfSection
ZwSetInformationFile
ZwFsControlFile
ZwCreateFile
ZwOpenSection
RtlAppendUnicodeStringToString
SeTokenType
SeImpersonateClient
SeCreateClientSecurity
_wcsnicmp
MmMapLockedPages
NtReadFile
NtWriteFile
NtFsControlFile
IoBuildDeviceIoControlRequest
IofCompleteRequest
ExfInterlockedRemoveHeadList
PsTerminateSystemThread
KeSetPriorityThread
ExfInterlockedInsertTailList
SeSinglePrivilegeCheck
IoFreeIrp
MmUnlockPages
IoFreeMdl
memmove
IoAllocateIrp
ZwUnmapViewOfSection
ZwOpenEvent
ExFreePool
memset
ZwDeviceIoControlFile
ExAllocatePoolWithTag

hal

KfReleaseSpinLock
KeGetCurrentIrql
KfAcquireSpinLock

Sections

.text
Size: 15KB - Virtual size: 15KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 768B - Virtual size: 746B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 128B - Virtual size: 56B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

PAGE
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 896B - Virtual size: 872B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/nativevhdboot_x64.dll
.dll windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Sections

.text
Size: 1024B - Virtual size: 868B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/nativevhdboot_x86.dll
.dll windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.text
Size: 1024B - Virtual size: 858B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x64/BootICE/BOOTICEx64.exe
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

UPX0
Size: - Virtual size: 1.0MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 451KB - Virtual size: 452KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 37KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
$TEMP/WinNTSetup/Tools/x64/MSSTMake.exe
.exe windows:5 windows x64 arch:x64

6929a6376371544b1e02fafed262c6a8

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

GetFileSize
lstrcmpA
MoveFileExA
lstrcpynA
ExpandEnvironmentStringsA
GetFileAttributesA
CreateDirectoryA
SetCurrentDirectoryA
FindFirstFileA
GetLastError
SetLastError
RemoveDirectoryA
CopyFileA
SetFileAttributesA
FindClose
FindNextFileA
GetCurrentDirectoryA
CloseHandle
DeleteFileA
lstrcpyA
SetFilePointer
CreateFileA
WritePrivateProfileStructA
MapViewOfFile
UnmapViewOfFile
SetConsoleTextAttribute
WritePrivateProfileSectionA
WriteFile
GetPrivateProfileIntA
WideCharToMultiByte
Sleep
ReadFile
lstrcatA
GetStdHandle
GetPrivateProfileStringA
GetLocalTime
WriteConsoleA
CreateFileMappingA
GetConsoleScreenBufferInfo
WritePrivateProfileStringA
GetPrivateProfileStructA
LoadLibraryW
lstrlenA
GetFullPathNameA
HeapSize
EnterCriticalSection
LeaveCriticalSection
GetStringTypeW
GetSystemTimeAsFileTime
GetCurrentProcessId
GetTickCount
QueryPerformanceCounter
HeapCreate
GetVersion
HeapSetInformation
DeleteCriticalSection
GetStartupInfoW
HeapReAlloc
GetFileType
InitializeCriticalSectionAndSpinCount
SetHandleCount
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetModuleFileNameA
RtlUnwindEx
GetModuleFileNameW
GetCommandLineA
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
EncodePointer
FlsGetValue
FlsSetValue
FlsFree
GetCurrentThreadId
FlsAlloc
DecodePointer
HeapFree
HeapAlloc
LCMapStringW
MultiByteToWideChar
RaiseException
RtlPcToFileHeader
GetProcAddress
GetModuleHandleW
ExitProcess

user32

CharNextA
CharUpperA

advapi32

IsTextUnicode

shlwapi

wnsprintfA
PathCombineA
PathSearchAndQualifyA
PathAddBackslashA
PathIsRelativeA
PathAppendA
PathIsDirectoryA

setupapi

SetupFindNextLine
SetupGetLineCountA
SetupDiGetActualSectionToInstallExA
SetupOpenInfFileA
SetupGetLineTextA
SetupGetFileCompressionInfoExA
SetupGetLineByIndexA
SetupGetSourceFileLocationA
SetupDecompressOrCopyFileA
SetupFindNextMatchLineA
SetupCloseInfFile
SetupGetFieldCount
SetupFindFirstLineA
SetupGetStringFieldA
SetupEnumInfSectionsA
SetupGetIntField

Sections

.text
Size: 60KB - Virtual size: 60KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 28KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 79KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x64/WIMHost.exe
.exe windows:6 windows x64 arch:x64

fc082dea8871a90b6609e99ca5a4a4bd

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\Coding\PureBasic\WinNTSetup\src\WimHost\x64\gWIMHost.pdb

Imports

msvcrt

_wcsicmp
_snwprintf
wcscpy
_wcsdup
free
calloc
wcsncpy
_wfopen
fwprintf
fclose
_wcsnicmp
wcschr
realloc
swscanf
wcscat
__wgetmainargs
wcstoul
wcsncmp
floor
wcslen
malloc
memcpy
memset
wcstok_s

kernel32

Sleep
GetModuleHandleA
ExitProcess
GetFinalPathNameByHandleW
GetFileType
RtlMoveMemory
QueryDosDeviceW
GetVolumeInformationW
GetDriveTypeW
lstrcpynW
MultiByteToWideChar
GetFileSize
SetFilePointerEx
SetLastError
GetStdHandle
GetConsoleScreenBufferInfo
SetConsoleCursorPosition
LoadLibraryW
GetProcAddress
FreeLibrary
FormatMessageW
lstrcpyW
LocalFree
GetLocalTime
GetDateFormatW
GetTimeFormatW
GetFileAttributesW
lstrlenW
WideCharToMultiByte
WriteFile
WriteConsoleA
VirtualProtect
QueryPerformanceCounter
GetEnvironmentVariableW
GetTempPathW
lstrcatW
GetPrivateProfileIntW
FindFirstFileExW
FindNextFileW
FindClose
GetModuleFileNameW
GetLongPathNameW
OpenEventW
RegisterWaitForSingleObject
lstrcmpiW
GetCurrentProcessId
CreateDirectoryW
SetFileAttributesW
GetVolumeNameForVolumeMountPointW
RemoveDirectoryW
CloseHandle
CreateFileW
GetDiskFreeSpaceW
DeviceIoControl
GetLastError
DeleteFileW
QueryPerformanceFrequency
ReadFile
GetDiskFreeSpaceExW
SetEnvironmentVariableW
GetModuleHandleW
GetPrivateProfileSectionW

advapi32

StartServiceW
ConvertStringSecurityDescriptorToSecurityDescriptorW
SetFileSecurityW
CloseServiceHandle
QueryServiceStatus
ConvertSecurityDescriptorToStringSecurityDescriptorW
ControlService
OpenServiceW
OpenSCManagerW

ntdll

RtlCreateUnicodeString
RtlUpcaseUnicodeString
RtlInitUnicodeString
RtlIsNameInExpression
RtlFreeUnicodeString
RtlGetNtVersionNumbers
RtlMultiByteToUnicodeN
RtlUpcaseUnicodeChar
RtlCreateUnicodeStringFromAsciiz
RtlNtStatusToDosError
NtWriteFile
NtReadFile
NtFsControlFile
NtQueryVolumeInformationFile
RtlAdjustPrivilege

ole32

CoCreateInstance
CoInitialize
CoUninitialize
CoInitializeSecurity
CoInitializeEx

shlwapi

PathFindFileNameW
PathCombineW
StrTrimW
StrCmpLogicalW
PathRemoveFileSpecW
PathMatchSpecW
PathRenameExtensionW
PathFileExistsW
PathFindExtensionW
StrStrIW
StrFormatByteSizeW
PathRemoveExtensionW
PathAddExtensionW
PathAddBackslashW
PathSearchAndQualifyW
StrToIntW

Sections

.text
Size: 62KB - Virtual size: 62KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x64/bcdboot.exe
.exe windows:10 windows x64 arch:x64

249e23aef4b736bfce88d0bcb5a752f0

Code Sign

33:00:00:04:3a:75:e5:2f:9e:0b:29:98:1e:00:00:00:00:04:3a
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:25

Not After

01/09/2022, 18:25

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

06:3b:f7:e9:31:a5:fe:0a:b3:5c:db:79:d2:0c:dc:84:59:f8:ce:09:7b:79:85:09:5e:d0:8c:b2:8a:6a:f4:89
Signer

Actual PE Digest

06:3b:f7:e9:31:a5:fe:0a:b3:5c:db:79:d2:0c:dc:84:59:f8:ce:09:7b:79:85:09:5e:d0:8c:b2:8a:6a:f4:89

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

bcdboot.pdb

Imports

msvcrt

_wcsicmp
?terminate@@YAXXZ
_commode
_fmode
__C_specific_handler
memmove
_cexit
_exit
exit
__set_app_type
_initterm
memcpy
memcmp
__wgetmainargs
_amsg_exit
_XcptFilter
fwprintf
_wsetlocale
wcscpy_s
fflush
swprintf_s
__setusermatherr
strncmp
strcpy_s
wcsnlen
wcsstr
_wcslwr
_snwscanf_s
wcsncpy_s
wcstoul
_ultow_s
wcsncmp
wcschr
_vsnwprintf_s
fclose
_wfopen_s
wcscat_s
_wcsupr
wcsrchr
_wcsnicmp
_vsnwprintf
__iob_func
memset

rpcrt4

UuidCreate

imagehlp

CheckSumMappedFile

kernel32

LoadLibraryW
HeapAlloc
WriteConsoleW
GetProcAddress
GetProcessHeap
FreeLibrary
WideCharToMultiByte
GetFileType
Sleep
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetModuleHandleW
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
QueryDosDeviceW
GetFileSizeEx
DeviceIoControl
GetVolumePathNameW
CreateFileW
UnmapViewOfFile
GetVolumeNameForVolumeMountPointW
GetConsoleMode
CloseHandle
CreateFileMappingW
MapViewOfFile
FlushFileBuffers
GetVolumeInformationW
FindFirstFileW
FindNextFileW
GetModuleFileNameW
WriteFile
GetStdHandle
GetPrivateProfileSectionW
FindClose
GetFileAttributesW
GetConsoleOutputCP
SetFileAttributesW
MoveFileExW
HeapFree
GetLastError
GetLogicalDrives
FindFirstVolumeW
SetVolumeMountPointW
LocalFree
FindVolumeClose
DeleteVolumeMountPointW
FindNextVolumeW
LoadLibraryExW
SetLastError
CreateDirectoryW
FormatMessageW
LoadResource
FindResourceExW
LCIDToLocaleName
GetVersionExW
GetUserDefaultUILanguage
GetModuleHandleExW
GetLocaleInfoEx
GetSystemDefaultUILanguage
GetFileInformationByHandleEx
GetFileInformationByHandle
SetFileInformationByHandle
DeleteFileW
CopyFileExW
GetFullPathNameW
GetLongPathNameW
GetLocaleInfoW
LocaleNameToLCID
GetCurrentThread
SearchPathW

advapi32

EventRegister
EventUnregister
LookupPrivilegeValueW
GetSecurityDescriptorSacl
AdjustTokenPrivileges
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
SetNamedSecurityInfoW
GetSecurityDescriptorControl
RegQueryValueExW
GetSecurityDescriptorOwner
OpenProcessToken
ConvertSidToStringSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW
OpenThreadToken
GetTokenInformation
EventWriteTransfer
RegCloseKey
RegOpenKeyExW

shlwapi

PathRemoveBackslashW

ntdll

ZwReleaseMutant
ZwOpenFile
ZwOpenMutant
ZwClose
RtlLengthSecurityDescriptor
RtlSetOwnerSecurityDescriptor
NtOpenSymbolicLinkObject
RtlSetDaclSecurityDescriptor
NtOpenKey
NtQuerySymbolicLinkObject
RtlAddAccessAllowedAceEx
RtlAllocateAndInitializeSid
RtlLengthSid
RtlFreeSid
RtlCreateAcl
RtlCreateSecurityDescriptor
NtQueryValueKey
NtQueryBootEntryOrder
NtQueryBootOptions
NtTranslateFilePath
NtOpenDirectoryObject
NtQueryDirectoryObject
NtEnumerateBootEntries
ZwCreateFile
ZwCreateKey
ZwQueryKey
ZwFlushKey
ZwDeleteValueKey
ZwSaveKey
ZwDeleteKey
ZwEnumerateKey
ZwQueryValueKey
ZwSetSecurityObject
ZwUnloadKey
ZwSetValueKey
ZwOpenKey
ZwAllocateUuids
ZwQuerySymbolicLinkObject
ZwDeviceIoControlFile
ZwQueryDirectoryObject
ZwOpenSymbolicLinkObject
ZwOpenDirectoryObject
LdrGetProcedureAddress
LdrGetDllHandle
ZwQueryInformationProcess
RtlInitAnsiString
ZwQueryInformationFile
ZwOpenProcess
NtAdjustPrivilegesToken
NtOpenProcessTokenEx
NtOpenThreadTokenEx
RtlImpersonateSelf
ZwLoadKey
ZwQueryAttributesFile
RtlAppendUnicodeToString
ZwQuerySystemInformation
RtlAllocateHeap
LdrAccessResource
LdrFindResource_U
RtlCompareMemory
RtlFreeHeap
RtlStringFromGUID
NtSetInformationFile
RtlFreeUnicodeString
NtQuerySystemInformation
NtOpenFile
NtWaitForSingleObject
RtlNtStatusToDosError
NtQueryInformationThread
NtQueryInformationFile
NtCreateEvent
NtClose
RtlImageNtHeader
NtDeviceIoControlFile
NtSetInformationThread
NtReadFile
NtOpenProcess
NtQueryInformationProcess
NtWriteFile
RtlInitUnicodeString
RtlGUIDFromString
ZwWaitForSingleObject

Sections

.text
Size: 144KB - Virtual size: 141KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 76KB - Virtual size: 73KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 184B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x64/bcdedit.exe
.exe windows:10 windows x64 arch:x64

bacab27f15864af5e33e7877f3628945

Code Sign

33:00:00:04:39:f6:1f:7a:67:6d:a0:00:af:00:00:00:00:04:39
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:25

Not After

01/09/2022, 18:25

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

df:00:7e:bc:c1:cb:e4:b6:22:5e:39:1e:e2:65:d8:6d:ca:cb:b9:de:5a:ac:80:39:d5:a4:9b:fd:ab:71:c8:c1
Signer

Actual PE Digest

df:00:7e:bc:c1:cb:e4:b6:22:5e:39:1e:e2:65:d8:6d:ca:cb:b9:de:5a:ac:80:39:d5:a4:9b:fd:ab:71:c8:c1

Digest Algorithm

sha256

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

bcdedit.pdb

Imports

msvcrt

__setusermatherr
_initterm
_exit
__C_specific_handler
_fmode
_commode
?terminate@@YAXXZ
memmove
memcpy
exit
__set_app_type
__wgetmainargs
_amsg_exit
_XcptFilter
towupper
iswspace
_vsnwprintf
wcsrchr
_wtol
wcschr
_ui64tow_s
_wcstoui64
wcstoul
_cexit
_wcsicmp
wcscpy_s
_wtoi
_wcsnicmp
fflush
fwprintf
__iob_func
_vsnwprintf_s
wcscat_s
_ultow_s
strcpy_s
wcsncpy_s
wcsstr
wcsnlen
_wcsupr
strncmp
_snwscanf_s
_wcslwr
_aligned_free
_aligned_malloc
free
malloc
wcsncmp
vswprintf_s
_vscwprintf
_wsetlocale
swprintf_s
memcmp
memset

ntdll

ZwClose
ZwQuerySystemInformation
RtlAppendUnicodeToString
ZwQueryAttributesFile
ZwQuerySymbolicLinkObject
ZwDeviceIoControlFile
ZwQueryDirectoryObject
ZwOpenSymbolicLinkObject
ZwOpenDirectoryObject
RtlLengthSecurityDescriptor
RtlSetOwnerSecurityDescriptor
RtlSetDaclSecurityDescriptor
ZwCreateFile
ZwCreateKey
ZwLoadKey
RtlAddAccessAllowedAceEx
RtlAllocateAndInitializeSid
RtlLengthSid
ZwDeleteValueKey
ZwSaveKey
RtlFreeSid
ZwDeleteKey
ZwEnumerateKey
ZwQueryValueKey
RtlCreateAcl
ZwSetSecurityObject
ZwUnloadKey
RtlCreateSecurityDescriptor
ZwSetValueKey
ZwOpenKey
LdrGetProcedureAddress
ZwQueryVolumeInformationFile
LdrGetDllHandle
ZwQueryInformationProcess
ZwDeleteFile
ZwQueryInformationFile
ZwOpenProcess
NtQuerySystemInformation
ZwAllocateUuids
NtAdjustPrivilegesToken
NtOpenProcessTokenEx
NtSetInformationThread
NtOpenThreadTokenEx
ZwOpenMutant
RtlImpersonateSelf
NtOpenSymbolicLinkObject
NtOpenKey
NtQuerySymbolicLinkObject
NtDeviceIoControlFile
NtSetValueKey
NtQueryValueKey
NtDeleteKey
NtQueryBootEntryOrder
NtQueryBootOptions
NtSetSecurityObject
NtTranslateFilePath
NtOpenDirectoryObject
NtQueryDirectoryObject
NtEnumerateBootEntries
NtCreateKey
RtlUpcaseUnicodeChar
RtlRunOnceComplete
RtlRunOnceBeginInitialize
RtlFindNextForwardRunClear
RtlNumberOfSetBits
RtlInitializeSRWLock
RtlReleaseSRWLockExclusive
RtlAcquireSRWLockExclusive
ZwReleaseMutant
ZwQueryKey
ZwWaitForSingleObject
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
NtClose
NtOpenFile
RtlStringFromGUID
RtlDosPathNameToNtPathName_U
RtlFreeUnicodeString
RtlCompareMemory
RtlUnicodeStringToAnsiString
RtlAnsiStringToUnicodeString
RtlInitAnsiString
RtlGUIDFromString
RtlInitUnicodeString
RtlIpv6StringToAddressW
RtlFreeHeap
RtlNtStatusToDosError
RtlAllocateHeap
ZwOpenFile

kernel32

FormatMessageW
GetLocaleInfoEx
GetLocaleInfoW
LocalFree
GetVolumeNameForVolumeMountPointW
Sleep
GetSystemDefaultUILanguage
LCIDToLocaleName
GetUserDefaultUILanguage

api-ms-win-core-libraryloader-l1-1-0

FindResourceExW
LoadResource
GetProcAddress
GetModuleHandleW
FreeLibrary
GetModuleFileNameW
LoadLibraryExW

api-ms-win-core-errorhandling-l1-1-0

GetLastError
UnhandledExceptionFilter
SetLastError
SetUnhandledExceptionFilter

api-ms-win-core-console-l1-1-0

GetConsoleOutputCP
GetConsoleMode
WriteConsoleW

api-ms-win-core-file-l1-1-0

WriteFile
ReadFile
GetFileSizeEx
GetFileType
QueryDosDeviceW
CreateFileW
SetEndOfFile
SetFilePointerEx
FlushFileBuffers
GetFinalPathNameByHandleW

api-ms-win-core-processenvironment-l1-1-0

SearchPathW
GetStdHandle

api-ms-win-core-string-l1-1-0

WideCharToMultiByte

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-io-l1-1-0

DeviceIoControl

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcessId
TlsFree
TlsGetValue
TlsAlloc
TerminateProcess
GetCurrentProcess
TlsSetValue
GetCurrentThreadId

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetVersionExW
GetTickCount
GetSystemTimeAsFileTime

api-ms-win-core-synch-l1-1-0

DeleteCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
EnterCriticalSection

api-ms-win-security-base-l1-1-0

GetAce
GetSecurityDescriptorLength
GetSidSubAuthority
GetSidLengthRequired
IsValidSecurityDescriptor
DestroyPrivateObjectSecurity
SetSecurityDescriptorGroup
MakeSelfRelativeSD
CreatePrivateObjectSecurityWithMultipleInheritance
InitializeSecurityDescriptor
GetSecurityDescriptorControl
InitializeSid
SetSecurityDescriptorOwner
IsValidSid
InitializeAcl
SetSecurityDescriptorDacl
SetPrivateObjectSecurityEx
GetLengthSid
AddAccessAllowedAce

cryptsp

CryptGenRandom
CryptReleaseContext
CryptAcquireContextA

advapi32

RegCloseKey
RegQueryValueExW
RegOpenKeyExW

api-ms-win-core-memory-l1-1-0

UnmapViewOfFile
MapViewOfFile
CreateFileMappingW

Exports

Exports

ORCloseHive
ORCloseKey
ORCreateHive
ORCreateHiveEx
ORCreateKey
ORDeleteKey
ORDeleteValue
OREnumKey
OREnumValue
ORFlushHive
ORGetKeySecurity
ORGetValue
ORGetVirtualFlags
OROpenHive
OROpenHiveByHandle
OROpenKey
ORQueryInfoKey
ORQueryInfoKeyEx
ORQueryInfoKeyValueEx
ORRenameKey
ORSaveHive
ORSaveHiveEx
ORSaveHiveToHandle
ORSetKeySecurity
ORSetValue
ORSetVirtualFlags

Sections

.text
Size: 188KB - Virtual size: 185KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGE
Size: 12KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGECMRC
Size: 4KB - Virtual size: 130B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 100KB - Virtual size: 97KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 156KB - Virtual size: 152KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x64/bootsect.exe
.exe windows:10 windows x64 arch:x64

269bc7caa667e7cadaea81a91368ae56

Code Sign

33:00:00:04:3a:75:e5:2f:9e:0b:29:98:1e:00:00:00:00:04:3a
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:25

Not After

01/09/2022, 18:25

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

ae:92:02:df:a9:27:e4:e2:39:62:64:74:2b:52:7d:a2:f0:c1:2c:8e:5b:ef:01:b3:50:57:1c:53:f5:85:2f:02
Signer

Actual PE Digest

ae:92:02:df:a9:27:e4:e2:39:62:64:74:2b:52:7d:a2:f0:c1:2c:8e:5b:ef:01:b3:50:57:1c:53:f5:85:2f:02

Digest Algorithm

sha256

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

bootsect.pdb

Imports

msvcrt

?terminate@@YAXXZ
_amsg_exit
_XcptFilter
__setusermatherr
__getmainargs
iswxdigit
_vsnwprintf
_wcsnicmp
memcpy
_stricmp
swprintf_s
__set_app_type
isalpha
exit
_exit
_cexit
__C_specific_handler
_fmode
_initterm
wcsncmp
_snwscanf_s
_wcslwr
wcsstr
wcsnlen
memset
wcscpy_s
_commode
_wcsicmp

api-ms-win-core-file-l1-1-0

QueryDosDeviceW
SetFilePointer
CreateFileW
GetFileType
ReadFile
WriteFile

api-ms-win-core-libraryloader-l1-1-0

FindResourceExW
GetModuleHandleExW
LoadLibraryExW
FreeLibrary
LoadResource
GetModuleFileNameW
GetModuleHandleW
GetProcAddress

ntdll

RtlLookupFunctionEntry
RtlCaptureContext
NtWaitForSingleObject
RtlFreeHeap
NtQueryDirectoryObject
NtCreateEvent
NtOpenDirectoryObject
NtDeviceIoControlFile
NtQuerySymbolicLinkObject
RtlAllocateHeap
NtOpenSymbolicLinkObject
NtResetEvent
NtOpenFile
NtQueryVolumeInformationFile
RtlNtStatusToDosError
NtOpenKey
RtlVirtualUnwind
NtQueryValueKey
NtQueryBootEntryOrder
NtQueryBootOptions
NtTranslateFilePath
NtEnumerateBootEntries
NtAdjustPrivilegesToken
NtOpenProcessTokenEx
NtSetInformationThread
NtOpenThreadTokenEx
RtlImpersonateSelf
NtFsControlFile
NtClose
RtlInitUnicodeString
NtQuerySystemInformation

advapi32

EventUnregister
EventWriteTransfer
EventRegister
RegOpenKeyExW
RegCloseKey
RegQueryValueExW

api-ms-win-core-errorhandling-l1-1-0

GetLastError
SetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter

api-ms-win-core-console-l1-1-0

WriteConsoleW
GetConsoleOutputCP
GetConsoleMode

api-ms-win-core-processenvironment-l1-1-0

GetStdHandle
SearchPathW

kernel32

LocalAlloc
LocalFree
FormatMessageW
GetLocaleInfoEx
GetLocaleInfoW
Sleep
GetSystemDefaultUILanguage
GetUserDefaultUILanguage
LCIDToLocaleName

api-ms-win-core-string-l1-1-0

WideCharToMultiByte

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcessId
GetCurrentThreadId
GetCurrentProcess
TerminateProcess

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime
GetVersionExW

api-ms-win-core-memory-l1-1-0

CreateFileMappingW
UnmapViewOfFile
MapViewOfFile

api-ms-win-core-handle-l1-1-0

CloseHandle

Sections

.text
Size: 32KB - Virtual size: 28KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 24KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 192B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x64/offreg.dll
.dll windows:10 windows x64 arch:x64

9fb70bcbb2c24e9538c79a79e1f5a64d

Code Sign

33:00:00:04:fe:59:ca:b7:e6:2a:a5:22:c1:00:00:00:00:04:fe
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/02/2023, 20:11

Not After

31/01/2024, 20:11

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

a2:eb:9a:db:50:96:0b:26:5c:e2:b0:ee:c9:76:82:bc:3d:c3:66:6b:bd:de:98:c5:29:c0:75:2d:a6:e7:6b:d0
Signer

Actual PE Digest

a2:eb:9a:db:50:96:0b:26:5c:e2:b0:ee:c9:76:82:bc:3d:c3:66:6b:bd:de:98:c5:29:c0:75:2d:a6:e7:6b:d0

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

offreg.pdb

Imports

msvcrt

_amsg_exit
free
malloc
_initterm
__C_specific_handler
memmove
_XcptFilter
_wcsnicmp
wcsncpy_s
wcscat_s
wcsnlen
_aligned_malloc
_aligned_free
qsort
_wcsicmp
memcpy
memcmp
memset

kernel32

FlushFileBuffers
CloseHandle
CreateFileW
SetEndOfFile
WriteFile
GetFileSizeEx
ReadFile
GetFinalPathNameByHandleW
TlsSetValue
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
Sleep
TlsFree
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
SetFilePointerEx
GetModuleHandleW
DeleteCriticalSection
GetProcAddress
GetLastError
LeaveCriticalSection
EnterCriticalSection

advapi32

GetAce
GetSidSubAuthority
GetSidLengthRequired
CreatePrivateObjectSecurityWithMultipleInheritance
InitializeSid
IsValidSid
InitializeAcl
SetPrivateObjectSecurityEx
GetLengthSid
AddAccessAllowedAce
SetSecurityDescriptorDacl
SetSecurityDescriptorOwner
GetSecurityDescriptorControl
IsValidSecurityDescriptor
InitializeSecurityDescriptor
MakeSelfRelativeSD
SetSecurityDescriptorGroup
DestroyPrivateObjectSecurity
GetSecurityDescriptorLength

ntdll

RtlInitUnicodeString
RtlUpcaseUnicodeChar
RtlRunOnceComplete
RtlRunOnceBeginInitialize
RtlFindNextForwardRunClear
RtlNumberOfSetBits
RtlInitializeSRWLock
RtlReleaseSRWLockExclusive
RtlAcquireSRWLockExclusive
RtlFreeHeap
RtlAllocateHeap
RtlNtStatusToDosError

Exports

Exports

ORCloseHive
ORCloseKey
ORCreateHive
ORCreateHiveEx
ORCreateKey
ORDeleteKey
ORDeleteValue
OREnumKey
OREnumValue
ORFlushHive
ORGetKeySecurity
ORGetValue
ORGetVersion
ORGetVirtualFlags
ORMergeHives
OROpenHive
OROpenHiveByHandle
OROpenKey
ORQueryInfoKey
ORQueryInfoKeyEx
ORQueryInfoKeyValueEx
ORRenameKey
ORSaveHive
ORSaveHiveEx
ORSaveHiveToHandle
ORSetKeySecurity
ORSetValue
ORSetVirtualFlags

Sections

.text
Size: 60KB - Virtual size: 56KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGE
Size: 12KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGECMRC
Size: 4KB - Virtual size: 130B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1016B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 44B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x64/wimgapi.dll
.dll windows:10 windows x64 arch:x64

24fc8bb3c932b67f7f6e5cf14c4c953c

Code Sign

33:00:00:04:3a:75:e5:2f:9e:0b:29:98:1e:00:00:00:00:04:3a
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:25

Not After

01/09/2022, 18:25

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

e7:88:5f:6f:34:f0:89:07:dc:50:ec:cd:ad:01:52:f3:ad:82:1e:dd:d8:8c:90:3b:79:5a:d9:f9:95:0c:f8:db
Signer

Actual PE Digest

e7:88:5f:6f:34:f0:89:07:dc:50:ec:cd:ad:01:52:f3:ad:82:1e:dd:d8:8c:90:3b:79:5a:d9:f9:95:0c:f8:db

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_DLL

PDB Paths

wimgapi.pdb

Imports

msvcrt

_XcptFilter
swscanf_s
_wtoi
_vsnwprintf
wcsstr
memmove
_onexit
wcsnlen
__dllonexit
_wcsnicmp
_unlock
_lock
__C_specific_handler
wcsncmp
_initterm
strncpy_s
malloc
free
memcpy_s
_amsg_exit
_strnicmp
towupper
towlower
memcpy
memcmp
_callnewh
_vscwprintf
_purecall
iswspace
memmove_s
strcpy_s
_wcslwr
_wcsrev
wcschr
qsort
_wcsupr
wcstoul
wcstok_s
_wcstoi64
_wcsicmp
wcsrchr
memset

kernel32

GetLastError
CompareStringW
HeapFree
GetProcessHeap
SetLastError
DeleteFileW
CreateFileW
GetFileInformationByHandle
CloseHandle
LocalAlloc
HeapAlloc
GetSystemDirectoryW
LocalFree
GetDriveTypeW
RemoveDirectoryW
GetCurrentDirectoryW
GetLongPathNameW
SetFileInformationByHandle
GetFileAttributesW
FindFirstFileW
FindNextFileW
FindClose
GetTempPathW
GetTempFileNameW
GetFileSize
SetFilePointer
ReadFile
SetFilePointerEx
DeleteCriticalSection
GetSystemInfo
InitializeCriticalSection
SetThreadIdealProcessor
GetCurrentThread
GetEnvironmentVariableW
GetOverlappedResult
EnterCriticalSection
LeaveCriticalSection
FlushFileBuffers
CreateDirectoryW
WriteFile
SetEndOfFile
CreateEventW
LockFileEx
UnlockFileEx
GetFileSizeEx
DeviceIoControl
HeapReAlloc
GetHandleInformation
WaitForSingleObject
CreateMutexW
GetModuleHandleExW
GetModuleFileNameW
FormatMessageW
ReleaseMutex
WideCharToMultiByte
GetFileInformationByHandleEx
GetVolumePathNamesForVolumeNameW
LoadLibraryW
GetVolumeNameForVolumeMountPointW
GetVolumePathNameW
InitializeCriticalSectionAndSpinCount
QueryPerformanceCounter
OpenProcess
GetCurrentProcessId
SetFileAttributesW
GlobalMemoryStatusEx
GetFinalPathNameByHandleW
LoadLibraryExW
FreeLibrary
GetProcAddress
GetFullPathNameW
GetVolumeInformationW
DuplicateHandle
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
DisableThreadLibraryCalls
OpenEventW
Sleep
ExpandEnvironmentStringsW
GetCurrentThreadId
GetSystemTimeAsFileTime
TerminateProcess
GetCurrentProcess
GetPrivateProfileSectionW
GetModuleHandleW
WaitForMultipleObjects
ReleaseSemaphore
SetEvent
CreateSemaphoreW
CreateThread
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
LCIDToLocaleName
CopyFileExW
SetFileTime
LocalFileTimeToFileTime
DosDateTimeToFileTime
WaitForMultipleObjectsEx
ResetEvent
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
GetTickCount
GetLogicalDriveStringsW
Wow64DisableWow64FsRedirection
CreateProcessW
GetExitCodeProcess
Wow64RevertWow64FsRedirection
CreateSemaphoreExW
MultiByteToWideChar

bcrypt

BCryptCreateHash
BCryptHashData
BCryptFinishHash
BCryptDestroyHash
BCryptCloseAlgorithmProvider
BCryptGetProperty
BCryptOpenAlgorithmProvider

fltlib

FilterAttach
FilterConnectCommunicationPort
FilterLoad
FilterSendMessage

cabinet

ord22
ord20
ord23

advapi32

GetSecurityDescriptorSacl
RegDeleteKeyExW
AdjustTokenPrivileges
SetThreadToken
RegEnumKeyExW
RegEnumValueW
RegQueryInfoKeyW
RegQueryValueExW
ReadEncryptedFileRaw
CloseEncryptedFileRaw
WriteEncryptedFileRaw
OpenEncryptedFileRawW
GetAclInformation
GetSecurityDescriptorControl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorOwner
AddAccessAllowedAceEx
RevertToSelf
GetSecurityDescriptorLength
GetSecurityInfo
FreeSid
SetSecurityDescriptorDacl
EqualSid
AddAccessAllowedAce
InitializeAcl
GetLengthSid
GetTokenInformation
OpenProcessToken
OpenThreadToken
AllocateAndInitializeSid
InitializeSecurityDescriptor
RegUnLoadKeyW
RegFlushKey
RegSetValueExW
RegDeleteValueW
RegCreateKeyExW
RegLoadKeyW
RegCloseKey
RegOpenKeyExW

version

GetFileVersionInfoExW
GetFileVersionInfoSizeExW
VerQueryValueW

user32

CharUpperW

ntdll

RtlInitializeResource
RtlAcquireResourceExclusive
RtlAcquireResourceShared
RtlReleaseResource
RtlDeleteResource
NtQuerySecurityObject
RtlRaiseStatus
RtlDosPathNameToNtPathName_U_WithStatus
RtlInitializeCriticalSection
DbgPrintEx
NtUnloadKey2
RtlReAllocateHeap
NtYieldExecution
RtlDowncaseUnicodeChar
RtlGetVersion
NtSetSecurityObject
RtlFindAceByType
RtlSetControlSecurityDescriptor
RtlInitUnicodeString
RtlImpersonateSelf
NtQueryVolumeInformationFile
NtCreateFile
NtQueryEaFile
NtQueryInformationProcess
NtQueryInformationFile
RtlGetLastNtStatus
NtSetInformationFile
RtlSetIoCompletionCallback
RtlFreeHeap
NtClose
NtQueryDirectoryFile
RtlAllocateHeap
NtOpenFile
RtlDosPathNameToNtPathName_U
RtlAdjustPrivilege
RtlNtStatusToDosError
NtSetEaFile

rpcrt4

UuidToStringW
I_RpcMapWin32Status
RpcStringBindingComposeW
RpcStringFreeW
UuidFromStringW
NdrClientCall3
UuidCreate
RpcBindingFromStringBindingW
RpcBindingSetAuthInfoW
RpcBindingFree

Exports

Exports

DllCanUnloadNow
DllMain
WIMAddImagePath
WIMAddImagePaths
WIMAddWimbootEntry
WIMApplyImage
WIMCaptureImage
WIMCloseHandle
WIMCommitImageHandle
WIMCopyFile
WIMCreateFile
WIMCreateImageFile
WIMCreateWofCompressedFile
WIMDeleteImage
WIMDeleteImageMounts
WIMEnumImageFiles
WIMExportImage
WIMExtractImageDirectory
WIMExtractImagePath
WIMExtractImagePathByWimHandle
WIMFindFirstImageFile
WIMFindNextImageFile
WIMGetAttributes
WIMGetImageCount
WIMGetImageInformation
WIMGetMessageCallbackCount
WIMGetMountedImageHandle
WIMGetMountedImageInfo
WIMGetMountedImageInfoFromHandle
WIMGetMountedImages
WIMGetWIMBootEntries
WIMGetWIMBootWIMPath
WIMGetWimFileSize
WIMInitFileIOCallbacks
WIMInitializeWofDriver
WIMIsCurrentSystemWimboot
WIMIsReferenceWim
WIMLoadImage
WIMLoadOSInformation
WIMMountImage
WIMMountImageHandle
WIMProcessCustomImage
WIMReadFileEx
WIMReadImageFile
WIMRedirectFolderBeforeApply
WIMRegisterLogFile
WIMRegisterMessageCallback
WIMRemountImage
WIMSetBootImage
WIMSetCachedSigningLevel
WIMSetFileIOCallbackTemporaryPath
WIMSetImageInformation
WIMSetImageUserSpecifiedCreationTime
WIMSetReferenceFile
WIMSetTemporaryPath
WIMSetWimGuid
WIMSingleInstanceFile
WIMSplitFile
WIMUnmountImage
WIMUnmountImageHandle
WIMUnregisterLogFile
WIMUnregisterMessageCallback
WIMUpdateWIMBootEntry
WIMWriteFileWithIntegrity

Sections

.text
Size: 624KB - Virtual size: 623KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 120KB - Virtual size: 117KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 16KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 712B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x64/wimlib.dll
.dll windows:4 windows x64 arch:x64

91ac1c219b128fd269b4a1137bdbc40a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL

Imports

advapi32

AdjustTokenPrivileges
CloseEncryptedFileRaw
LookupPrivilegeValueW
OpenEncryptedFileRawW
OpenProcessToken
ReadEncryptedFileRaw
RegCloseKey
RegCreateKeyExW
RegFlushKey
RegLoadKeyW
RegSetValueExW
RegUnLoadKeyW
SystemFunction036
WriteEncryptedFileRaw

kernel32

CloseHandle
CreateFileW
CreateThread
DeleteCriticalSection
DeleteFileW
DeviceIoControl
EnterCriticalSection
FindClose
FindFirstFileW
FindFirstVolumeW
FindNextFileW
FindNextVolumeW
FindVolumeClose
FlushFileBuffers
FormatMessageW
FreeLibrary
GetCurrentProcess
GetDiskFreeSpaceExW
GetEnvironmentVariableA
GetFileInformationByHandle
GetFileSizeEx
GetFileType
GetFullPathNameW
GetLastError
GetModuleHandleW
GetProcAddress
GetProcessHeap
GetSystemInfo
GetSystemTimeAsFileTime
GetVolumeInformationW
GlobalMemoryStatusEx
HeapAlloc
HeapFree
InitializeConditionVariable
InitializeCriticalSection
IsDBCSLeadByteEx
LeaveCriticalSection
LoadLibraryW
MoveFileExW
MoveFileW
MultiByteToWideChar
ReadFile
SetEndOfFile
SetFilePointer
SetFilePointerEx
SetLastError
Sleep
SleepConditionVariableCS
TlsGetValue
VirtualProtect
VirtualQuery
WaitForSingleObject
WakeAllConditionVariable
WakeConditionVariable
WideCharToMultiByte
WriteFile

msvcrt

___lc_codepage_func
___mb_cur_max_func
__iob_func
_amsg_exit
_close
_errno
_fdopen
_fstat64
_get_osfhandle
_gmtime64
_initterm
_lock
_lseeki64
_open_osfhandle
_telli64
_unlock
_waccess
_wassert
_wcserror_s
_wcsicmp
_wgetenv
_wmkdir
_wopen
_wstat64
_wtempnam
_wunlink
abort
calloc
fclose
feof
fflush
fgetwc
fputc
fputwc
fputws
fread
free
fwprintf
fwrite
getenv
iswctype
localeconv
malloc
memchr
memcmp
memcpy
memmove
memset
putc
qsort
realloc
strchr
strerror
strlen
strncmp
towlower
ungetwc
vfprintf
wcschr
wcscmp
wcscpy
wcsftime
wcslen
wcsncmp
wcspbrk
wcsrchr
wcsstr
wcstol
wcstoul

ntdll

NtClose
NtCreateFile
NtFsControlFile
NtOpenFile
NtOpenSymbolicLinkObject
NtQueryDirectoryFile
NtQueryEaFile
NtQueryInformationFile
NtQuerySecurityObject
NtQueryVolumeInformationFile
NtReadFile
NtSetEaFile
NtSetInformationFile
NtSetSecurityObject
NtWaitForSingleObject
NtWriteFile
RtlDosPathNameToNtPathName_U
RtlInitUnicodeString
RtlNtStatusToDosError

user32

wsprintfW

Exports

Exports

sha1_final
sha1_init
sha1_update
wimlib_add_empty_image
wimlib_add_image
wimlib_add_image_multisource
wimlib_add_tree
wimlib_compress
wimlib_create_compressor
wimlib_create_decompressor
wimlib_create_new_wim
wimlib_decompress
wimlib_delete_image
wimlib_delete_path
wimlib_export_image
wimlib_extract_image
wimlib_extract_image_from_pipe
wimlib_extract_image_from_pipe_with_progress
wimlib_extract_image_path
wimlib_extract_pathlist
wimlib_extract_paths
wimlib_extract_xml_data
wimlib_free
wimlib_free_compressor
wimlib_free_decompressor
wimlib_free_memory
wimlib_get_compression_type_string
wimlib_get_compressor_needed_memory
wimlib_get_error_string
wimlib_get_image_description
wimlib_get_image_name
wimlib_get_image_property
wimlib_get_version
wimlib_get_version_string
wimlib_get_wim_info
wimlib_get_xml_data
wimlib_global_cleanup
wimlib_global_init
wimlib_image_name_in_use
wimlib_iterate_dir_tree
wimlib_iterate_lookup_table
wimlib_join
wimlib_join_with_progress
wimlib_load_text_file
wimlib_mount_image
wimlib_open_wim
wimlib_open_wim_with_progress
wimlib_overwrite
wimlib_print_available_images
wimlib_print_header
wimlib_read_image_file
wimlib_reference_resource_files
wimlib_reference_resources
wimlib_reference_template_image
wimlib_register_progress_function
wimlib_rename_path
wimlib_resolve_image
wimlib_set_default_compression_level
wimlib_set_error_file
wimlib_set_error_file_by_name
wimlib_set_image_descripton
wimlib_set_image_flags
wimlib_set_image_name
wimlib_set_image_property
wimlib_set_memory_allocator
wimlib_set_output_chunk_size
wimlib_set_output_compression_type
wimlib_set_output_pack_chunk_size
wimlib_set_output_pack_compression_type
wimlib_set_print_errors
wimlib_set_wim_info
wimlib_split
wimlib_unmount_image
wimlib_unmount_image_with_progress
wimlib_update_image
wimlib_verify_wim
wimlib_write
wimlib_write_to_fd

Sections

.text
Size: 339KB - Virtual size: 338KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 720B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 101KB - Virtual size: 100KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 130KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 88B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 644B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x64/wimlib/libwim-15.dll
.dll windows:6 windows x64 arch:x64

280f435e0e43af52cb30cc89787f17b7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

Imports

ntdll

NtClose
NtCreateFile
NtFsControlFile
NtOpenFile
NtOpenSymbolicLinkObject
NtQueryDirectoryFile
NtQueryEaFile
NtQueryInformationFile
NtQuerySecurityObject
NtQueryVolumeInformationFile
NtReadFile
NtSetEaFile
NtSetInformationFile
NtSetSecurityObject
NtWaitForSingleObject
NtWriteFile
RtlDosPathNameToNtPathName_U
RtlInitUnicodeString
RtlNtStatusToDosError

msvcrt

___lc_codepage_func
___mb_cur_max_func
__iob_func
_amsg_exit
_close
_errno
_fdopen
_fstat64
_get_osfhandle
_gmtime64
_initterm
_lock
_lseeki64
_open_osfhandle
_telli64
_unlock
_waccess
_wassert
_wcserror_s
_wcsicmp
_wgetenv
_wmkdir
_wopen
_wstat64
_wtempnam
_wunlink
abort
calloc
fclose
feof
fflush
fgetwc
fputc
fputwc
fputws
fread
free
fwprintf
fwrite
getenv
iswctype
localeconv
malloc
memchr
memcmp
memcpy
memmove
memset
putc
qsort
realloc
strchr
strerror
strlen
strncmp
towlower
ungetwc
vfprintf
wcschr
wcscmp
wcscpy
wcsftime
wcslen
wcsncmp
wcspbrk
wcsrchr
wcsstr
wcstol
wcstoul

advapi32

AdjustTokenPrivileges
CloseEncryptedFileRaw
LookupPrivilegeValueW
OpenEncryptedFileRawW
OpenProcessToken
ReadEncryptedFileRaw
RegCloseKey
RegCreateKeyExW
RegFlushKey
RegLoadKeyW
RegSetValueExW
RegUnLoadKeyW
SystemFunction036
WriteEncryptedFileRaw

user32

wsprintfW

kernel32

CloseHandle
CreateFileW
CreateThread
DeleteCriticalSection
DeleteFileW
DeviceIoControl
EnterCriticalSection
FindClose
FindFirstFileW
FindFirstVolumeW
FindNextFileW
FindNextVolumeW
FindVolumeClose
FlushFileBuffers
FormatMessageW
FreeLibrary
GetCurrentProcess
GetDiskFreeSpaceExW
GetEnvironmentVariableA
GetFileInformationByHandle
GetFileSizeEx
GetFileType
GetFullPathNameW
GetLastError
GetModuleHandleW
GetProcAddress
GetProcessHeap
GetSystemInfo
GetSystemTimeAsFileTime
GetVolumeInformationW
GlobalMemoryStatusEx
HeapAlloc
HeapFree
InitializeConditionVariable
InitializeCriticalSection
IsDBCSLeadByteEx
LeaveCriticalSection
LoadLibraryW
MoveFileExW
MoveFileW
MultiByteToWideChar
ReadFile
SetEndOfFile
SetFilePointer
SetFilePointerEx
SetLastError
Sleep
SleepConditionVariableCS
TlsGetValue
VirtualProtect
VirtualQuery
WaitForSingleObject
WakeAllConditionVariable
WakeConditionVariable
WideCharToMultiByte
WriteFile

Exports

Exports

wimlib_add_empty_image
wimlib_add_image
wimlib_add_image_multisource
wimlib_add_tree
wimlib_compress
wimlib_create_compressor
wimlib_create_decompressor
wimlib_create_new_wim
wimlib_decompress
wimlib_delete_image
wimlib_delete_path
wimlib_export_image
wimlib_extract_image
wimlib_extract_image_from_pipe
wimlib_extract_image_from_pipe_with_progress
wimlib_extract_pathlist
wimlib_extract_paths
wimlib_extract_xml_data
wimlib_free
wimlib_free_compressor
wimlib_free_decompressor
wimlib_get_compression_type_string
wimlib_get_compressor_needed_memory
wimlib_get_error_string
wimlib_get_image_description
wimlib_get_image_name
wimlib_get_image_property
wimlib_get_version
wimlib_get_version_string
wimlib_get_wim_info
wimlib_get_xml_data
wimlib_global_cleanup
wimlib_global_init
wimlib_image_name_in_use
wimlib_iterate_dir_tree
wimlib_iterate_lookup_table
wimlib_join
wimlib_join_with_progress
wimlib_mount_image
wimlib_open_wim
wimlib_open_wim_with_progress
wimlib_overwrite
wimlib_print_available_images
wimlib_print_header
wimlib_reference_resource_files
wimlib_reference_resources
wimlib_reference_template_image
wimlib_register_progress_function
wimlib_rename_path
wimlib_resolve_image
wimlib_set_default_compression_level
wimlib_set_error_file
wimlib_set_error_file_by_name
wimlib_set_image_descripton
wimlib_set_image_flags
wimlib_set_image_name
wimlib_set_image_property
wimlib_set_memory_allocator
wimlib_set_output_chunk_size
wimlib_set_output_compression_type
wimlib_set_output_pack_chunk_size
wimlib_set_output_pack_compression_type
wimlib_set_print_errors
wimlib_set_wim_info
wimlib_split
wimlib_unmount_image
wimlib_unmount_image_with_progress
wimlib_update_image
wimlib_verify_wim
wimlib_write
wimlib_write_to_fd

Sections

.text
Size: 363KB - Virtual size: 363KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 98KB - Virtual size: 98KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.buildid
Size: 512B - Virtual size: 53B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 131KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.00cfg
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 620B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x86/BOOTICEx86.exe
.exe windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

UPX0
Size: - Virtual size: 1004KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 409KB - Virtual size: 412KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 37KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
$TEMP/WinNTSetup/Tools/x86/DISM/dismapi.dll
.dll windows:10 windows x86 arch:x86

107ce9721a19c5dda3986b1f154b5537

Code Sign

33:00:00:02:cf:6d:2c:c5:7c:aa:65:a6:d8:00:00:00:00:02:cf
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/05/2019, 21:25

Not After

02/05/2020, 21:25

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

63:ce:03:fc:8a:04:05:28:c2:82:32:1a:79:18:10:13:85:2a:cf:03:44:99:50:4b:6b:a0:8a:53:08:05:95:73
Signer

Actual PE Digest

63:ce:03:fc:8a:04:05:28:c2:82:32:1a:79:18:10:13:85:2a:cf:03:44:99:50:4b:6b:a0:8a:53:08:05:95:73

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_DLL

PDB Paths

DismApi.pdb

Imports

msvcrt

feof
fgetws
_wfopen
wcstok_s
fclose
iswctype
toupper
strrchr
_wcslwr_s
towlower
wcsstr
wcsrchr
_vsnwprintf
_wcsnicmp
memmove
realloc
_errno
_onexit
__dllonexit
_unlock
_lock
??1type_info@@UAE@XZ
_except_handler4_common
?terminate@@YAXXZ
_initterm
_amsg_exit
_XcptFilter
_CxxThrowException
_callnewh
??0exception@@QAE@XZ
wcscpy_s
_vscprintf
vsprintf_s
calloc
_vsnprintf
?what@exception@@UBEPBDXZ
??0exception@@QAE@ABV0@@Z
??1exception@@UAE@XZ
??0exception@@QAE@ABQBD@Z
iswspace
swscanf_s
_wtoi
memcpy
memcmp
_ftol2
wcschr
_wcstoui64
wcstoul
_purecall
_wcsicmp
iswalpha
malloc
free
vswprintf_s
_vscwprintf
memmove_s
memcpy_s
__CxxFrameHandler3
memset

advapi32

AddAccessAllowedAce
RegCloseKey
RegCreateKeyExW
RegSetValueExW
RegOpenKeyExW
RegQueryValueExW
EqualSid
EventUnregister
EventProviderEnabled
EventRegister
EventWriteTransfer
FreeSid
OpenProcessToken
AllocateAndInitializeSid
OpenThreadToken
GetTokenInformation
CheckTokenMembership
InitializeAcl
SetSecurityDescriptorDacl
RegisterTraceGuidsW
GetTraceEnableLevel
GetTraceEnableFlags
GetTraceLoggerHandle
TraceEvent
UnregisterTraceGuids
GetLengthSid
InitializeSecurityDescriptor

kernel32

FormatMessageA
CreateFileMappingW
MapViewOfFile
TlsFree
TlsGetValue
GetVersionExW
GetProcAddress
GetModuleHandleW
InitializeCriticalSection
DeleteCriticalSection
RaiseException
EnterCriticalSection
LeaveCriticalSection
GetCurrentThreadId
GetCurrentProcessId
SizeofResource
LockResource
LoadResource
FindResourceExW
GetSystemInfo
GetLastError
GetCommandLineW
GetFileAttributesW
IsWow64Process
GetCurrentProcess
LoadLibraryExW
FreeLibrary
OutputDebugStringW
WaitForMultipleObjectsEx
WaitForSingleObject
FormatMessageW
LocalFree
FileTimeToLocalFileTime
FileTimeToSystemTime
CompareStringW
HeapFree
GetProcessHeap
GetModuleFileNameW
GetThreadUILanguage
VirtualQuery
GetModuleHandleExW
WideCharToMultiByte
HeapSize
HeapReAlloc
HeapAlloc
HeapDestroy
GetEnvironmentVariableW
MultiByteToWideChar
Sleep
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetTickCount
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
GetModuleFileNameA
WriteFile
CreateMutexW
CreateMutexA
ReleaseMutex
GetVersion
CreateFileA
GetCurrentThread
FlushFileBuffers
CopyFileExW
DeleteFileW
SetFileInformationByHandle
GetFileInformationByHandle
SetFileAttributesW
FindClose
DeviceIoControl
FindNextFileW
FindFirstFileW
GetFileInformationByHandleEx
SetLastError
CloseHandle
CreateFileW
SetFilePointer
GetFullPathNameW
ReadFile
GetSystemWindowsDirectoryW
DeleteFileA
CreateFileMappingA
DebugBreak
LocalAlloc
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
GetWindowsDirectoryW
ExitProcess
GetFileSize
GetLocalTime
TlsAlloc
UnmapViewOfFile
TlsSetValue
MoveFileExW
GetLocaleInfoEx
GetSystemTime
GetTimeFormatEx
SetErrorMode
CreateEventW
ResumeThread
DuplicateHandle
GetTempFileNameW
ResetEvent
IsDebuggerPresent
CreateDirectoryW
GetFileSizeEx
ExpandEnvironmentStringsW
SearchPathW
SetEvent
OutputDebugStringA
CreateThread

ole32

StringFromGUID2
CoSetProxyBlanket
CoCreateInstance
CoUninitialize
CoInitializeEx

user32

CharLowerBuffW

oleaut32

SysAllocString
SysStringLen
VariantTimeToSystemTime
SystemTimeToVariantTime
SysAllocStringLen
VarBstrCat
SysFreeString
SysStringByteLen
VarBstrCmp
LoadTypeLi
LoadRegTypeLi
VariantClear
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayGetElemsize
SafeArrayGetDim
SafeArrayDestroy
SafeArrayUnaccessData
SafeArrayAccessData
SafeArrayCreate
GetErrorInfo
SysAllocStringByteLen

ntdll

RtlRaiseStatus
NtOpenFile
NtYieldExecution
NtQueryInformationFile
RtlExpandEnvironmentStrings
NtClose
RtlReAllocateHeap
NtReadFile
RtlInitUnicodeString
NtWriteFile
RtlFreeHeap
RtlAllocateHeap
RtlDosPathNameToNtPathName_U_WithStatus
NtSetInformationFile
RtlNtStatusToDosError
RtlGetVersion
NtWaitForSingleObject

version

GetFileVersionInfoExW
VerQueryValueW
GetFileVersionInfoSizeExW

Exports

Exports

DismAddCapability
DismAddDriver
DismAddPackage
DismApplyUnattend
DismCheckImageHealth
DismCleanupMountpoints
DismCloseSession
DismCommitImage
DismDelete
DismDisableFeature
DismEnableFeature
DismGetCapabilities
DismGetCapabilityInfo
DismGetDriverInfo
DismGetDrivers
DismGetFeatureInfo
DismGetFeatureParent
DismGetFeatures
DismGetImageInfo
DismGetLastErrorMessage
DismGetMountedImageInfo
DismGetPackageInfo
DismGetPackageInfoEx
DismGetPackages
DismGetReservedStorageState
DismInitialize
DismMountImage
DismOpenSession
DismRemountImage
DismRemoveCapability
DismRemoveDriver
DismRemovePackage
DismRestoreImageHealth
DismSetReservedStorageState
DismShutdown
DismUnmountImage
_DismAddCapabilityEx
_DismAddDriverEx
_DismAddPackage2
_DismAddPackageFamilyToUninstallBlocklist
_DismAddProvisionedAppxPackage
_DismApplyCustomDataImage
_DismApplyFfuImage
_DismApplyProvisioningPackage
_DismCleanImage
_DismEnableDisableFeature
_DismExportDriver
_DismExportSource
_DismExportSourceEx
_DismGetCapabilitiesEx
_DismGetCapabilityInfoEx
_DismGetCurrentEdition
_DismGetDriversEx
_DismGetEffectiveSystemUILanguage
_DismGetFeaturesEx
_DismGetInstallLanguage
_DismGetKCacheBinaryValue
_DismGetKCacheDwordValue
_DismGetKCacheStringValue
_DismGetLastCBSSessionID
_DismGetNonRemovableAppsPolicy
_DismGetOSUninstallWindow
_DismGetOsInfo
_DismGetProductKeyInfo
_DismGetProvisionedAppxPackages
_DismGetProvisioningPackageInfo
_DismGetRegistryMountPoint
_DismGetStateFromCBSSessionID
_DismGetTargetCompositionEditions
_DismGetTargetEditions
_DismGetTargetVirtualEditions
_DismGetUsedSpace
_DismInitiateOSUninstall
_DismOptimizeImage
_DismOptimizeProvisionedAppxPackages
_DismRemoveOSUninstall
_DismRemovePackageFamilyFromUninstallBlocklist
_DismRemoveProvisionedAppxPackage
_DismRemoveProvisionedAppxPackageAllUsers
_DismRevertPendingActions
_DismSetAllIntlSettings
_DismSetAppXProvisionedDataFile
_DismSetEdition
_DismSetEdition2
_DismSetFirstBootCommandLine
_DismSetMachineName
_DismSetOSUninstallWindow
_DismSetProductKey
_DismSetSkuIntlDefaults
_DismSplitFfuImage
_DismStage
_DismSysprepCleanup
_DismSysprepGeneralize
_DismSysprepSpecialize
_DismValidateProductKey

Sections

.text
Size: 663KB - Virtual size: 663KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 12KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 41KB - Virtual size: 41KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x86/DISM/dismcore.dll
.dll regsvr32 windows:10 windows x86 arch:x86

781403e0783e7a55126d8c38e7e30b39

Code Sign

33:00:00:02:cf:6d:2c:c5:7c:aa:65:a6:d8:00:00:00:00:02:cf
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/05/2019, 21:25

Not After

02/05/2020, 21:25

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0f:b3:d7:ec:ed:e9:32:4d:b2:a4:df:6c:5e:5f:22:02:84:7d:ed:62:99:75:27:5d:3c:4a:5d:25:ec:1b:2c:33
Signer

Actual PE Digest

0f:b3:d7:ec:ed:e9:32:4d:b2:a4:df:6c:5e:5f:22:02:84:7d:ed:62:99:75:27:5d:3c:4a:5d:25:ec:1b:2c:33

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_DLL

PDB Paths

DismCore.pdb

Imports

msvcrt

_wtoi
swscanf_s
_vscprintf
vsprintf_s
iswalpha
_vsnwprintf
_wcsnicmp
wcsncmp
wcsstr
towlower
_vsnprintf
strrchr
toupper
memmove
fclose
__dllonexit
_unlock
_lock
realloc
_errno
??1type_info@@UAE@XZ
_except_handler4_common
?terminate@@YAXXZ
_initterm
_amsg_exit
_XcptFilter
_CxxThrowException
_callnewh
?what@exception@@UBEPBDXZ
??1exception@@UAE@XZ
??0exception@@QAE@ABV0@@Z
??0exception@@QAE@XZ
wcsncpy_s
wcscat_s
calloc
memmove_s
memcpy_s
_purecall
_wcsicmp
wcsrchr
wcschr
vswprintf_s
_vscwprintf
wcscpy_s
wcstok_s
_wfopen
fgetws
feof
_onexit
malloc
_resetstkoflw
free
iswctype
__CxxFrameHandler3
memcpy
memcmp
_ftol2
memset

advapi32

AdjustTokenPrivileges
EventWriteTransfer
EventRegister
EventProviderEnabled
EventUnregister
SetSecurityDescriptorDacl
EqualSid
InitializeSecurityDescriptor
InitializeAcl
GetLengthSid
AddAccessAllowedAce
RegQueryValueExW
FreeSid
CheckTokenMembership
AllocateAndInitializeSid
ConvertStringSecurityDescriptorToSecurityDescriptorW
ConvertSidToStringSidW
GetTokenInformation
OpenProcessToken
OpenThreadToken
RegCloseKey
RegQueryInfoKeyW
RegOpenKeyExW

kernel32

CreateFileW
CloseHandle
InitializeCriticalSection
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
GetCurrentThreadId
GetCurrentProcessId
OutputDebugStringW
MultiByteToWideChar
GetTempPathW
GetModuleHandleExW
FreeLibrary
SetEvent
GetModuleFileNameW
GetModuleHandleW
Wow64DisableWow64FsRedirection
CopyFileExW
Wow64RevertWow64FsRedirection
CreateEventW
GetNativeSystemInfo
HeapFree
GetProcessHeap
WaitForSingleObject
TerminateProcess
WideCharToMultiByte
SizeofResource
LockResource
LoadResource
FindResourceExW
DisableThreadLibraryCalls
GetThreadLocale
SetThreadLocale
RaiseException
GetProcAddress
LoadLibraryExW
HeapSize
HeapReAlloc
HeapAlloc
HeapDestroy
CompareStringW
GetEnvironmentVariableW
Sleep
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
WakeAllConditionVariable
SleepConditionVariableSRW
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
GetLastError
GetSystemTimeAsFileTime
GetTickCount
OutputDebugStringA
GetFileAttributesW
GetSystemInfo
ExpandEnvironmentStringsW
GetSystemWindowsDirectoryW
FormatMessageW
DebugBreak
CreateFileMappingA
DeleteFileW
CreateFileA
GetVersion
ReleaseMutex
GetSystemDirectoryW
MoveFileExW
FindClose
FindNextFileW
FindFirstFileW
QueryDosDeviceW
GetVolumeNameForVolumeMountPointW
GetVolumePathNameW
GetFileInformationByHandle
CreateDirectoryW
LocalFree
GetCurrentThread
GetFullPathNameW
GetTempFileNameW
SetThreadUILanguage
CreateMutexA
CreateMutexW
WriteFile
GetModuleFileNameA
VirtualQuery
FormatMessageA
TlsFree
TlsGetValue
ExitProcess
GetFileSize
GetLocalTime
TlsAlloc
TlsSetValue
MapViewOfFile
CreateFileMappingW
UnmapViewOfFile
GetVersionExW
LocalAlloc
SetLastError
SearchPathW
SetFilePointer
ReadFile
GetFileSizeEx
GetWindowsDirectoryW
IsDebuggerPresent
FlushFileBuffers
GetFileInformationByHandleEx
DeviceIoControl
SetFileAttributesW
SetFileInformationByHandle
GetCurrentDirectoryW
GetDriveTypeW
InitializeProcThreadAttributeList
UpdateProcThreadAttribute
DeleteProcThreadAttributeList
CreateProcessW
GetExitCodeProcess
DuplicateHandle
QueryPerformanceCounter
DeleteFileA

ole32

CoRegisterPSClsid
CoRegisterClassObject
CoRevokeClassObject
CoSetProxyBlanket
CoCreateGuid
StringFromCLSID
CoTaskMemFree
ProgIDFromCLSID
StringFromGUID2
CoCreateInstance

user32

LoadStringW
CharNextW

oleaut32

SysAllocString
SysAllocStringByteLen
SysAllocStringLen
SysFreeString
VariantTimeToSystemTime
VariantInit
VariantClear
SysStringLen
LoadRegTypeLi
LoadTypeLi
SetErrorInfo
CreateErrorInfo
GetErrorInfo
UnRegisterTypeLi
RegisterTypeLi
SysStringByteLen
SystemTimeToVariantTime
LoadTypeLibEx

version

GetFileVersionInfoExW
GetFileVersionInfoSizeExW
VerQueryValueW

ntdll

RtlFreeHeap
RtlAllocateHeap
RtlNtStatusToDosError
NtSetInformationFile

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 193KB - Virtual size: 193KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 6KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 93KB - Virtual size: 92KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x86/DISM/dismcoreps.dll
.dll regsvr32 windows:10 windows x86 arch:x86

9008fbb4297eda8bc58ac66d1b3b5368

Code Sign

33:00:00:02:cf:6d:2c:c5:7c:aa:65:a6:d8:00:00:00:00:02:cf
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/05/2019, 21:25

Not After

02/05/2020, 21:25

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

8d:1d:82:c1:d0:4f:a5:a1:5c:f4:0b:cb:1c:3e:dd:a1:a6:9b:51:8b:be:0e:eb:c2:70:26:ad:3b:35:19:90:a4
Signer

Actual PE Digest

8d:1d:82:c1:d0:4f:a5:a1:5c:f4:0b:cb:1c:3e:dd:a1:a6:9b:51:8b:be:0e:eb:c2:70:26:ad:3b:35:19:90:a4

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

DismCorePS.pdb

Imports

msvcrt

_XcptFilter
_initterm
malloc
free
_amsg_exit
_except_handler4_common
memcmp

oleaut32

BSTR_UserUnmarshal
BSTR_UserFree
BSTR_UserSize
LPSAFEARRAY_UserSize
LPSAFEARRAY_UserFree
LPSAFEARRAY_UserUnmarshal
LPSAFEARRAY_UserMarshal
BSTR_UserMarshal

rpcrt4

NdrDllUnregisterProxy
NdrDllRegisterProxy
NdrDllGetClassObject
NdrDllCanUnloadNow
NdrCStdStubBuffer_Release
CStdStubBuffer_Invoke
NdrStubForwardingFunction
NdrCStdStubBuffer2_Release
IUnknown_AddRef_Proxy
CStdStubBuffer_DebugServerQueryInterface
NdrOleFree
CStdStubBuffer_AddRef
IUnknown_Release_Proxy
CStdStubBuffer_CountRefs
CStdStubBuffer_QueryInterface
NdrOleAllocate
CStdStubBuffer_DebugServerRelease
CStdStubBuffer_Disconnect
IUnknown_QueryInterface_Proxy
CStdStubBuffer_IsIIDSupported
CStdStubBuffer_Connect
NdrStubCall2

kernel32

TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
Sleep
DisableThreadLibraryCalls

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllGetDismInterfaces
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 52KB - Virtual size: 51KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 14KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x86/DISM/dismprov.dll
.dll regsvr32 windows:10 windows x86 arch:x86

f3d077ea9cd800390100f1d211ec378f

Code Sign

33:00:00:02:cf:6d:2c:c5:7c:aa:65:a6:d8:00:00:00:00:02:cf
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/05/2019, 21:25

Not After

02/05/2020, 21:25

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

32:cf:0a:09:53:10:41:41:49:1b:2d:42:67:a7:4e:b6:d3:81:de:cc:b3:a8:3e:14:be:76:c7:43:2e:a4:fa:fc
Signer

Actual PE Digest

32:cf:0a:09:53:10:41:41:49:1b:2d:42:67:a7:4e:b6:d3:81:de:cc:b3:a8:3e:14:be:76:c7:43:2e:a4:fa:fc

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_DLL

PDB Paths

DISMProv.pdb

Imports

msvcrt

swscanf_s
_wtoi
towlower
fclose
_vscprintf
vsprintf_s
_vsnprintf
wcstok_s
_wfopen
fgetws
feof
__RTDynamicCast
memcmp
memcpy
_wcsnicmp
wcschr
memmove
_onexit
__dllonexit
_unlock
_lock
realloc
_errno
??1type_info@@UAE@XZ
_except_handler4_common
?terminate@@YAXXZ
_initterm
_amsg_exit
_XcptFilter
_CxxThrowException
_callnewh
wcscat_s
wcscpy_s
calloc
??0exception@@QAE@XZ
memmove_s
??0exception@@QAE@ABQBD@Z
??1exception@@UAE@XZ
?what@exception@@UBEPBDXZ
??0exception@@QAE@ABV0@@Z
wcsrchr
_purecall
vswprintf_s
_vscwprintf
memcpy_s
free
malloc
wcsncpy_s
_vsnwprintf
_wcsicmp
__CxxFrameHandler3
strrchr
toupper
iswctype
memset

ntdll

RtlFreeHeap
RtlAllocateHeap

oleaut32

SysStringLen
LoadRegTypeLi
LoadTypeLi
VariantClear
SysAllocStringLen
RegisterTypeLi
SystemTimeToVariantTime
UnRegisterTypeLi
SysAllocString
SysAllocStringByteLen
SysStringByteLen
SysFreeString
VariantTimeToSystemTime
VarUI4FromStr

advapi32

InitializeSecurityDescriptor
FreeSid
CheckTokenMembership
AllocateAndInitializeSid
GetTokenInformation
OpenProcessToken
OpenThreadToken
RegQueryValueExW
RegDeleteValueW
RegCreateKeyExW
RegSetValueExW
RegOpenKeyExW
RegEnumKeyExW
RegQueryInfoKeyW
RegCloseKey
AddAccessAllowedAce
GetLengthSid
InitializeAcl
EventRegister
EqualSid
SetSecurityDescriptorDacl
EventUnregister
EventWriteTransfer
EventProviderEnabled

kernel32

TlsSetValue
UnmapViewOfFile
TlsAlloc
GetLocalTime
GetFileSize
ExitProcess
TlsGetValue
TlsFree
FormatMessageA
CreateFileMappingW
MapViewOfFile
VirtualQuery
GetModuleFileNameA
WriteFile
SetFilePointer
CreateMutexW
CreateMutexA
ReleaseMutex
GetVersion
CreateFileA
DeleteFileA
CreateFileMappingA
DebugBreak
LocalAlloc
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
GetFileSizeEx
GetWindowsDirectoryW
IsDebuggerPresent
FlushFileBuffers
CreateFileW
GetLastError
CloseHandle
InitializeCriticalSection
DeleteCriticalSection
FreeLibrary
GetProcAddress
LoadLibraryExW
GetModuleHandleW
lstrcmpiW
LeaveCriticalSection
RaiseException
EnterCriticalSection
MultiByteToWideChar
SizeofResource
LoadResource
FindResourceExW
GetModuleFileNameW
GetCurrentThreadId
GetCurrentProcessId
OutputDebugStringW
GetModuleHandleExW
CompareStringW
LockResource
DisableThreadLibraryCalls
GetThreadLocale
SetThreadLocale
HeapSize
HeapReAlloc
HeapFree
HeapAlloc
GetProcessHeap
HeapDestroy
GetEnvironmentVariableW
WideCharToMultiByte
Sleep
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetTickCount
OutputDebugStringA
SetLastError
DeviceIoControl
GetFileAttributesW
DeleteFileW
GetFullPathNameW
ExpandEnvironmentStringsW
WaitForSingleObject
FormatMessageW
LocalFree
GetTempFileNameW
GetCurrentThread

ole32

CoRegisterPSClsid
CoCreateInstance
CoRegisterClassObject
CoUnmarshalInterface
CoMarshalInterThreadInterfaceInStream
CoTaskMemAlloc
CoTaskMemRealloc
CoTaskMemFree
StringFromGUID2
CoRevokeClassObject

user32

CharNextW

version

GetFileVersionInfoExW
VerQueryValueW
GetFileVersionInfoSizeExW

Exports

Exports

DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 149KB - Virtual size: 149KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 7KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x86/DISM/folderprovider.dll
.dll regsvr32 windows:10 windows x86 arch:x86

1314d6c49fde988ebd7bc4250e0478c7

Code Sign

33:00:00:02:cf:6d:2c:c5:7c:aa:65:a6:d8:00:00:00:00:02:cf
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/05/2019, 21:25

Not After

02/05/2020, 21:25

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

a3:43:7f:17:70:96:a5:c1:f2:21:b6:80:10:54:7d:84:7d:b6:05:ca:de:bc:2d:99:e5:42:de:1c:4d:5d:c2:a8
Signer

Actual PE Digest

a3:43:7f:17:70:96:a5:c1:f2:21:b6:80:10:54:7d:84:7d:b6:05:ca:de:bc:2d:99:e5:42:de:1c:4d:5d:c2:a8

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_DLL

PDB Paths

FolderProvider.pdb

Imports

msvcrt

wcschr
_wcsnicmp
memcmp
??1type_info@@UAE@XZ
_onexit
__dllonexit
_unlock
_lock
_except_handler4_common
?terminate@@YAXXZ
_initterm
_amsg_exit
_XcptFilter
_CxxThrowException
_callnewh
?what@exception@@UBEPBDXZ
??1exception@@UAE@XZ
??0exception@@QAE@ABV0@@Z
??0exception@@QAE@XZ
malloc
memmove_s
memcpy_s
_purecall
vswprintf_s
_vscwprintf
wcsncpy_s
wcscat_s
free
wcscpy_s
__CxxFrameHandler3

advapi32

RegOpenKeyExW
RegQueryInfoKeyW
RegCloseKey

kernel32

SetLastError
GetFileAttributesW
DisableThreadLibraryCalls
GetThreadLocale
SetThreadLocale
DeleteCriticalSection
GetLastError
GetModuleFileNameW
GetProcAddress
GetModuleHandleW
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
GetCurrentThreadId
GetCurrentProcessId
OutputDebugStringW
HeapSize
HeapReAlloc
HeapFree
HeapAlloc
GetProcessHeap
HeapDestroy
Sleep
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetTickCount
GetFullPathNameW
LoadLibraryExW

ole32

CoCreateInstance
StringFromGUID2

user32

CharNextW

oleaut32

RegisterTypeLi
SysStringLen
LoadTypeLi
SysAllocStringByteLen
LoadRegTypeLi
SysAllocStringLen
SysAllocString
UnRegisterTypeLi
SysStringByteLen
SysFreeString

ntdll

RtlFreeHeap
RtlAllocateHeap

Exports

Exports

DLLGetDISMProviderCLSID
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer

Sections

.text
Size: 29KB - Virtual size: 28KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x86/DISM/wofadk.sys
.sys windows:10 windows x86 arch:x86

3210bb7db9e3473b887a43e6ceeffd9f

Code Sign

33:00:00:00:9d:42:68:ee:31:1c:d7:56:bd:00:00:00:00:00:9d
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

30/03/2016, 19:21

Not After

30/06/2017, 19:21

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:148C-C4B9-2066,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04/06/2015, 17:42

Not After

04/09/2016, 17:42

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31/08/2010, 22:19

Not After

31/08/2020, 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:ef:d8:87:2e:35:a3:82:8a:2f:00:00:00:00:00:ef
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

28/10/2015, 20:31

Not After

28/01/2017, 20:31

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

18:7f:d3:0e:4c:01:e4:be:71:5a:c9:09:6f:6f:8f:a7:da:6a:24:23:8b:c0:7a:a5:30:d4:21:b5:b9:ae:e9:fd
Signer

Actual PE Digest

18:7f:d3:0e:4c:01:e4:be:71:5a:c9:09:6f:6f:8f:a7:da:6a:24:23:8b:c0:7a:a5:30:d4:21:b5:b9:ae:e9:fd

Digest Algorithm

sha256

PE Digest Matches

true

82:73:62:db:b3:e8:28:7e:3b:74:41:57:ea:9e:7e:56:db:e3:ae:1f
Signer

Actual PE Digest

82:73:62:db:b3:e8:28:7e:3b:74:41:57:ea:9e:7e:56:db:e3:ae:1f

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

wofadk.pdb

Imports

ntoskrnl.exe

ZwClose
SeLockSubjectContext
ZwQueryValueKey
SeUnlockSubjectContext
SeReleaseSubjectContext
RtlEnumerateGenericTableAvl
ExAcquireRundownProtection
RtlLookupElementGenericTableAvl
RtlFreeUnicodeString
SeTokenIsAdmin
RtlDeleteElementGenericTableAvl
RtlAppendUnicodeStringToString
KeDelayExecutionThread
ExRundownCompleted
EtwRegister
MmGetSystemRoutineAddress
PsGetProcessImageFileName
ObDereferenceObjectDeferDelete
EtwUnregister
EtwWriteTransfer
IoGetCurrentProcess
ProbeForRead
FsRtlValidateReparsePointBuffer
TmCurrentTransaction
RtlCompareMemory
RtlInitUnicodeString
KeQueryPriorityThread
KeGetCurrentThread
MmMapViewOfSection
ExDeleteLookasideListEx
ZwDeviceIoControlFile
EtwEventEnabled
RtlCheckRegistryKey
ZwCreateSection
ZwQueryInformationThread
RtlSetBit
ExQueueWorkItem
RtlAreBitsSet
PsInitialSystemProcess
ZwOpenKey
IoGetDeviceObjectPointer
RtlRunOnceExecuteOnce
KeStackAttachProcess
KeSetEvent
KdRefreshDebuggerNotPresent
ZwSetInformationThread
ObReferenceObjectByHandle
MmUnmapViewOfSection
RtlFindNextForwardRunClear
EtwWrite
IofCallDriver
RtlInitializeBitMap
ZwOpenFile
ExInitializeLookasideListEx
RtlTestBit
KeWaitForSingleObject
KeSetPriorityThread
KeUnstackDetachProcess
_i64tow_s
RtlClearAllBits
IoAllocateWorkItem
RtlAppendUnicodeToString
_wcsicmp
RtlCreateSystemVolumeInformationFolder
IoQueueWorkItemEx
IoFreeWorkItem
KeAllocateCalloutStackEx
IoGetRelatedDeviceObject
ExDeleteNPagedLookasideList
KeFreeCalloutStack
ExInitializeNPagedLookasideList
KeInitializeMutex
KeReleaseMutex
KeAreAllApcsDisabled
KeInitializeDpc
KeInitializeTimerEx
RtlQueryRegistryValues
KeCancelTimer
KeFlushQueuedDpcs
KeSetCoalescableTimer
KeQueryActiveProcessorCountEx
SeCaptureSubjectContext
RtlInitializeGenericTableAvl
ExInitializePagedLookasideList
RtlGetVersion
IoWMIRegistrationControl
MmIsThisAnNtAsSystem
IoBuildDeviceIoControlRequest
KeBugCheckEx
RtlEqualUnicodeString
memmove
MmMapLockedPagesSpecifyCache
ProbeForWrite
InterlockedPopEntrySList
ExReleaseRundownProtection
InterlockedPushEntrySList
ObfReferenceObject
RtlCompareUnicodeString
ExInitializeRundownProtection
KeLeaveCriticalRegion
ExReleaseFastMutexUnsafe
KeExpandKernelStackAndCalloutEx
KeInitializeEvent
ExFreePoolWithTag
ExAllocatePoolWithTag
ExDeletePagedLookasideList
RtlCopyUnicodeString
ExReInitializeRundownProtection
ExWaitForRundownProtectionRelease
ObfDereferenceObject
KeEnterCriticalRegion
ExAcquireFastMutexUnsafe
swprintf_s
_vsnwprintf
ZwQuerySystemInformation
ZwQuerySymbolicLinkObject
ZwOpenSymbolicLinkObject
wcscpy_s
wcschr
_wcsnicmp
wcsrchr
_alldiv
_alldvrm
_allmul
_allrem
_aulldiv
memcpy
memset
_alloca_probe
RtlUnwind

hal

KeGetCurrentIrql
ExAcquireFastMutex
ExReleaseFastMutex

fltmgr.sys

FltQueryInformationFile
FltFreeGenericWorkItem
FltQueueGenericWorkItem
FltIsOperationSynchronous
FltSetIoPriorityHintIntoCallbackData
FltPerformAsynchronousIo
FltAllocateGenericWorkItem
FltInitializePushLock
FltDeletePushLock
FltFlushBuffers
FltAllocateDeferredIoWorkItem
FltQueueDeferredIoWorkItem
FltFreePoolAlignedWithTag
FltDeviceIoControlFile
FltReadFile
FltOpenVolume
FltFreeDeferredIoWorkItem
FltAllocatePoolAlignedWithTag
FltAcquirePushLockShared
FltIsIoCanceled
FltCompletePendedPreOperation
FltAcquirePushLockExclusive
FltGetIoPriorityHintFromCallbackData
FltReleasePushLock
FltInitExtraCreateParameterLookasideList
FltStartFiltering
FltGetRoutineAddress
FltRegisterFilter
FltGetVolumeFromFileObject
FltCreateFileEx
FltWriteFile
FltUntagFile
FltGetFileNameInformationUnsafe
FltParseFileNameInformation
FltEnumerateInstances
FltAttachVolume
FltGetFilterFromName
FltTagFile
FltIsDirectory
FltSetInformationFile
FltObjectDereference
FltPerformSynchronousIo
FltLockUserBuffer
FltAllocateCallbackDataEx
FltFreeCallbackData
FltAllocateExtraCreateParameterList
FltInsertExtraCreateParameter
FltCancelFileOpen
FltDeleteStreamContext
FltReissueSynchronousIo
FltReleaseFileNameInformation
FltFsControlFile
FltGetEcpListFromCallbackData
FltGetFileNameInformation
FltEnlistInTransaction
FltSetEcpListIntoCallbackData
FltFindExtraCreateParameter
FltAllocateExtraCreateParameterFromLookasideList
FltSetCallbackDataDirty
FltSetStreamContext
FltSetTransactionContext
FltReferenceContext
FltGetTransactionContext
FltSetStreamHandleContext
FltSetFileContext
FltDeleteInstanceContext
FltGetInstanceContext
FltUnregisterFilter
FltAllocateContext
FltGetVolumeProperties
FltQueryDirectoryFile
FltGetVolumeGuidName
FltReleaseContext
FltDeleteExtraCreateParameterLookasideList
FltGetStreamHandleContext
FltGetStreamContext
FltSetInstanceContext
FltClose
FltGetDiskDeviceObject
FltQueryVolumeInformationFile

cng.sys

BCryptCreateHash
BCryptHashData
BCryptDestroyHash
BCryptCloseAlgorithmProvider
BCryptFinishHash
BCryptOpenAlgorithmProvider
BCryptGetProperty

Sections

.text
Size: 58KB - Virtual size: 57KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 512B - Virtual size: 152B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGER32C
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGE
Size: 80KB - Virtual size: 79KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 512B - Virtual size: 464B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x86/MSSTMake.exe
.exe windows:5 windows x86 arch:x86

48a058d36054eaa7198119524bd92efd

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetFileSize
lstrcmpA
MoveFileExA
lstrcpynA
ExpandEnvironmentStringsA
GetFileAttributesA
CreateDirectoryA
SetCurrentDirectoryA
FindFirstFileA
GetLastError
SetLastError
RemoveDirectoryA
CopyFileA
SetFileAttributesA
FindClose
FindNextFileA
GetCurrentDirectoryA
CloseHandle
DeleteFileA
lstrcpyA
SetFilePointer
CreateFileA
WritePrivateProfileStructA
MapViewOfFile
UnmapViewOfFile
SetConsoleTextAttribute
WritePrivateProfileSectionA
WriteFile
GetPrivateProfileIntA
WideCharToMultiByte
Sleep
ReadFile
lstrcatA
GetStdHandle
GetPrivateProfileStringA
GetLocalTime
WriteConsoleA
CreateFileMappingA
GetConsoleScreenBufferInfo
WritePrivateProfileStringA
GetPrivateProfileStructA
RtlUnwind
LoadLibraryW
lstrlenA
GetFullPathNameA
HeapSize
EnterCriticalSection
LeaveCriticalSection
GetStringTypeW
GetSystemTimeAsFileTime
GetCurrentProcessId
GetTickCount
QueryPerformanceCounter
HeapCreate
DeleteCriticalSection
GetStartupInfoW
HeapReAlloc
GetFileType
InitializeCriticalSectionAndSpinCount
SetHandleCount
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetModuleFileNameA
GetModuleFileNameW
ExitProcess
GetCommandLineA
HeapSetInformation
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
IsProcessorFeaturePresent
GetCPInfo
InterlockedIncrement
InterlockedDecrement
GetACP
GetOEMCP
IsValidCodePage
EncodePointer
TlsAlloc
TlsGetValue
TlsSetValue
DecodePointer
TlsFree
GetModuleHandleW
GetCurrentThreadId
GetProcAddress
HeapFree
HeapAlloc
LCMapStringW
MultiByteToWideChar
RaiseException

user32

CharNextA
CharUpperA

advapi32

IsTextUnicode

shlwapi

wnsprintfA
PathCombineA
PathSearchAndQualifyA
PathAddBackslashA
PathIsRelativeA
PathAppendA
PathIsDirectoryA

setupapi

SetupFindNextLine
SetupGetLineCountA
SetupDiGetActualSectionToInstallExA
SetupOpenInfFileA
SetupGetLineTextA
SetupGetFileCompressionInfoExA
SetupGetLineByIndexA
SetupGetSourceFileLocationA
SetupDecompressOrCopyFileA
SetupFindNextMatchLineA
SetupCloseInfFile
SetupGetFieldCount
SetupFindFirstLineA
SetupGetStringFieldA
SetupEnumInfSectionsA
SetupGetIntField

Sections

.text
Size: 49KB - Virtual size: 49KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 23KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 77KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x86/bcdboot.exe
.exe windows:6 windows x86 arch:x86

c906340b0f9d047ba62d155fd056aa46

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

bcdboot.pdb

Imports

kernel32

Sleep
InterlockedExchange
GetFileType
GetProcAddress
GetStdHandle
GetConsoleOutputCP
GetModuleFileNameW
WriteConsoleW
FormatMessageW
GetConsoleMode
LoadLibraryW
WideCharToMultiByte
WriteFile
GetProcessHeap
HeapFree
HeapAlloc
FreeLibrary
SetLastError
GetLastError
OutputDebugStringA
SetUnhandledExceptionFilter
GetModuleHandleA
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
LoadLibraryExW
GetVolumePathNameW
QueryDosDeviceW
LocalFree
MapViewOfFile
UnmapViewOfFile
GetCurrentThread
CreateFileW
GetFileSizeEx
CreateFileMappingW
CloseHandle
FindFirstFileW
GetFileAttributesW
FindClose
FindNextFileW
SetFileAttributesW
GetVolumeInformationW
GetLocaleInfoW
GetFullPathNameW
CopyFileExW
GetModuleHandleW
DeviceIoControl
GetFileInformationByHandle
CreateDirectoryW
GetVersionExW
InterlockedCompareExchange
GetUserDefaultUILanguage
LoadResource
FindResourceExW
GetSystemDefaultUILanguage
SearchPathW

msvcrt

strncmp
bsearch
wcsstr
wcstoul
wcschr
fflush
fwprintf
_vsnwprintf
wcsncmp
_wcsnicmp
memcmp
ungetc
_lseeki64
_write
_isatty
realloc
__pioinfo
__badioinfo
_read
wcstombs
iswctype
ferror
malloc
wctomb
_itoa
_snprintf
_iob
__mb_cur_max
mbtowc
localeconv
free
calloc
_fileno
isleadbyte
isxdigit
isdigit
_controlfp
?terminate@@YAXXZ
memset
memcpy
_initterm
__setusermatherr
__p__fmode
_cexit
_exit
exit
__set_app_type
__wgetmainargs
_amsg_exit
__p__commode
_XcptFilter
_errno
_wcsupr
_wcslwr
_wsetlocale
_wcsicmp
wcsrchr

imagehlp

CheckSumMappedFile

shlwapi

PathRemoveBackslashW

ntdll

NtResetEvent
NtQueryValueKey
NtQuerySymbolicLinkObject
NtOpenSymbolicLinkObject
NtOpenKey
ZwResetEvent
ZwOpenSymbolicLinkObject
LdrGetDllHandle
LdrGetProcedureAddress
RtlGetVersion
RtlInitAnsiString
ZwQuerySymbolicLinkObject
ZwAllocateUuids
RtlSetOwnerSecurityDescriptor
ZwOpenKey
ZwQueryKey
RtlCreateSecurityDescriptor
RtlLengthSid
ZwEnumerateKey
RtlAllocateAndInitializeSid
ZwLoadKey
RtlAddAccessAllowedAceEx
ZwSetSecurityObject
RtlLengthSecurityDescriptor
ZwQueryValueKey
ZwCreateFile
ZwOpenProcessTokenEx
ZwSaveKey
ZwAdjustPrivilegesToken
ZwSetValueKey
ZwDeleteValueKey
RtlSetDaclSecurityDescriptor
RtlFreeSid
ZwQueryAttributesFile
RtlCreateAcl
ZwOpenThreadTokenEx
ZwCreateKey
ZwUnloadKey
ZwDeviceIoControlFile
ZwWaitForSingleObject
ZwCreateEvent
ZwOpenFile
ZwClose
RtlFreeUnicodeString
ZwQuerySystemInformation
RtlStringFromGUID
NtSetInformationFile
RtlAllocateHeap
RtlFreeHeap
LdrFindResource_U
LdrAccessResource
NtQuerySystemInformation
NtOpenFile
RtlImageNtHeader
NtOpenProcess
NtCreateEvent
NtClose
NtSetInformationThread
NtWaitForSingleObject
NtQueryInformationProcess
NtQueryInformationFile
NtQueryInformationThread
NtDeviceIoControlFile
RtlCompareMemory
RtlNtStatusToDosError
RtlUnwind
RtlGUIDFromString
RtlInitUnicodeString
ZwDeleteKey

advapi32

OpenThreadToken
GetTokenInformation
GetSecurityDescriptorControl
SetNamedSecurityInfoW
LookupPrivilegeValueW
GetSecurityDescriptorOwner
ConvertStringSecurityDescriptorToSecurityDescriptorW
GetSecurityDescriptorSacl
AdjustTokenPrivileges
ConvertSidToStringSidW
GetSecurityDescriptorGroup
GetSecurityDescriptorDacl
RegCloseKey
RegOpenKeyExW
OpenProcessToken
RegQueryValueExW

Sections

.text
Size: 129KB - Virtual size: 128KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x86/bcdedit.exe
.exe windows:6 windows x86 arch:x86

98bb82864dea82e538c650e095b6d2fd

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

bcdedit.pdb

Imports

advapi32

CryptAcquireContextA
CryptGenRandom
CryptReleaseContext
RegOpenKeyExW
RegCloseKey
RegQueryValueExW

kernel32

GetFileType
GetConsoleMode
WriteConsoleW
GetConsoleOutputCP
WideCharToMultiByte
WriteFile
CreateFileW
CloseHandle
DeviceIoControl
FormatMessageW
LocalFree
GetModuleFileNameW
LoadLibraryExW
GetProcAddress
FreeLibrary
GetStdHandle
UnmapViewOfFile
MapViewOfFile
SearchPathW
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
GetModuleHandleA
OutputDebugStringA
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
InterlockedCompareExchange
InterlockedExchange
Sleep
QueryDosDeviceW
GetLastError
SetLastError
FindResourceExW
LoadResource
GetLocaleInfoW
GetVersionExW
CreateFileMappingW
GetUserDefaultUILanguage
GetSystemDefaultUILanguage

msvcrt

__p__fmode
__setusermatherr
_initterm
memcpy
memset
memmove
?terminate@@YAXXZ
_controlfp
_cexit
isdigit
isxdigit
isleadbyte
_fileno
calloc
free
localeconv
mbtowc
__mb_cur_max
_iob
_snprintf
_itoa
wctomb
malloc
ferror
iswctype
wcstombs
_read
__badioinfo
__pioinfo
realloc
_isatty
_write
_lseeki64
ungetc
bsearch
wcsncmp
strncmp
wcsstr
wcsrchr
memcmp
_exit
exit
__set_app_type
__wgetmainargs
_amsg_exit
__p__commode
_XcptFilter
_errno
_wcsupr
_wcslwr
_wsetlocale
towupper
iswspace
_vsnwprintf
wcschr
_wcstoui64
wcstoul
_wcsnicmp
_wcsicmp

ntdll

RtlUnwind
NtClose
NtOpenFile
RtlStringFromGUID
RtlGUIDFromString
RtlDosPathNameToNtPathName_U
RtlFreeUnicodeString
RtlCompareMemory
RtlAllocateHeap
RtlFreeHeap
RtlNtStatusToDosError
ZwClose
ZwOpenFile
ZwQuerySystemInformation
ZwCreateEvent
ZwWaitForSingleObject
ZwDeviceIoControlFile
ZwUnloadKey
ZwCreateKey
ZwOpenThreadTokenEx
RtlCreateAcl
ZwQueryAttributesFile
RtlFreeSid
RtlSetDaclSecurityDescriptor
ZwDeleteValueKey
ZwSetValueKey
ZwAdjustPrivilegesToken
ZwSaveKey
ZwOpenProcessTokenEx
ZwCreateFile
ZwQueryValueKey
RtlLengthSecurityDescriptor
ZwSetSecurityObject
RtlAddAccessAllowedAceEx
ZwLoadKey
RtlAllocateAndInitializeSid
ZwDeleteKey
ZwEnumerateKey
RtlLengthSid
RtlCreateSecurityDescriptor
ZwQueryKey
ZwOpenKey
RtlSetOwnerSecurityDescriptor
ZwQuerySymbolicLinkObject
RtlInitAnsiString
RtlGetVersion
LdrGetProcedureAddress
LdrGetDllHandle
ZwOpenSymbolicLinkObject
ZwQueryVolumeInformationFile
ZwDeleteFile
ZwResetEvent
ZwQueryInformationFile
NtQuerySystemInformation
ZwAllocateUuids
NtOpenKey
NtDeviceIoControlFile
NtOpenSymbolicLinkObject
NtQuerySymbolicLinkObject
NtWaitForSingleObject
NtCreateEvent
NtQueryValueKey
NtSetValueKey
NtResetEvent
NtCreateKey
NtSetSecurityObject
NtDeleteKey
RtlInitUnicodeString

Sections

.text
Size: 158KB - Virtual size: 158KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 146KB - Virtual size: 146KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x86/bootsect.exe
.exe windows:6 windows x86 arch:x86

508edcdab39b6d405f380c675485337d

Code Sign

61:19:cc:93:00:01:00:00:00:66
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

10/10/2011, 20:32

Not After

10/01/2013, 20:32

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0d:af:8d:00:00:00:00:00:28
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

20/02/2012, 21:36

Not After

20/05/2013, 21:46

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:C0F4-3086-DEF8,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31/08/2010, 22:19

Not After

31/08/2020, 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:05:49:55:00:00:00:00:00:0b
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

10/10/2011, 20:45

Not After

10/01/2013, 20:55

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

d1:64:c7:35:c0:48:aa:47:21:cb:c3:25:cd:bb:55:89:93:57:9f:a7:f6:2c:d1:4d:c2:95:25:d6:a6:7d:6b:0e
Signer

Actual PE Digest

d1:64:c7:35:c0:48:aa:47:21:cb:c3:25:cd:bb:55:89:93:57:9f:a7:f6:2c:d1:4d:c2:95:25:d6:a6:7d:6b:0e

Digest Algorithm

sha256

PE Digest Matches

true

95:30:80:d2:0c:65:da:49:e2:5e:61:80:91:d2:73:81:69:b0:2f:7a
Signer

Actual PE Digest

95:30:80:d2:0c:65:da:49:e2:5e:61:80:91:d2:73:81:69:b0:2f:7a

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

bootsect.pdb

Imports

kernel32

QueryDosDeviceW
WideCharToMultiByte
GetConsoleMode
FormatMessageW
WriteConsoleW
GetModuleFileNameW
GetConsoleOutputCP
GetStdHandle
LocalAlloc
GetFileType
LocalFree
GetLastError
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
GetModuleHandleA
SetUnhandledExceptionFilter
OutputDebugStringA
InterlockedCompareExchange
InterlockedExchange
Sleep
ReadFile
WriteFile
SetFilePointer
SearchPathW
MapViewOfFile
UnmapViewOfFile
GetSystemDefaultUILanguage
FindResourceExW
FreeLibrary
LoadResource
LoadLibraryExW
GetLocaleInfoW
GetVersionExW
CreateFileW
SetLastError
CreateFileMappingW
GetUserDefaultUILanguage
CloseHandle

msvcrt

__p__fmode
__setusermatherr
_initterm
memcpy
memset
_cexit
free
malloc
iswctype
?terminate@@YAXXZ
_controlfp
isdigit
isxdigit
isleadbyte
_fileno
calloc
localeconv
mbtowc
_snprintf
_itoa
wctomb
ferror
wcstombs
_read
__badioinfo
__pioinfo
realloc
_isatty
_write
_lseeki64
ungetc
wcsstr
bsearch
wcsncmp
_exit
exit
__set_app_type
__getmainargs
_amsg_exit
__p__commode
_XcptFilter
_iob
__mb_cur_max
_errno
_wcslwr
iswxdigit
_vsnwprintf
isalpha
_wcsnicmp
_wcsicmp
_stricmp

ntdll

RtlUnwind
NtResetEvent
NtCreateEvent
NtOpenDirectoryObject
RtlAllocateHeap
NtQueryDirectoryObject
NtWaitForSingleObject
NtQuerySymbolicLinkObject
NtOpenSymbolicLinkObject
RtlFreeHeap
NtDeviceIoControlFile
NtOpenFile
NtClose
RtlNtStatusToDosError
NtQueryVolumeInformationFile
NtFsControlFile
RtlInitUnicodeString
NtQuerySystemInformation
NtOpenKey
NtQueryValueKey

advapi32

RegQueryValueExW
RegCloseKey
RegOpenKeyExW

Sections

.text
Size: 52KB - Virtual size: 51KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 23KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x86/diskcopy.dll
.dll windows:6 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Exports

Exports

Dummy

Sections

.text
Size: 16B - Virtual size: 10B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 192B - Virtual size: 184B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x86/offreg.dll
.dll windows:10 windows x86 arch:x86

ad426ae57d7e4c8957cc7e834102236e

Code Sign

33:00:00:02:cf:6d:2c:c5:7c:aa:65:a6:d8:00:00:00:00:02:cf
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/05/2019, 21:25

Not After

02/05/2020, 21:25

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

a6:de:46:14:ed:4b:42:50:1d:43:69:f0:1c:2c:24:a3:54:88:e8:2e:29:ff:38:71:f4:1c:b8:cb:4d:27:59:0e
Signer

Actual PE Digest

a6:de:46:14:ed:4b:42:50:1d:43:69:f0:1c:2c:24:a3:54:88:e8:2e:29:ff:38:71:f4:1c:b8:cb:4d:27:59:0e

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

PDB Paths

offreg.pdb

Imports

msvcrt

_amsg_exit
free
malloc
_initterm
memmove
_XcptFilter
_wcsicmp
qsort
_aligned_free
_wcsnicmp
wcsncpy_s
wcscat_s
wcsnlen
_except_handler4_common
_aligned_malloc
memcpy
memcmp
memset

kernel32

FlushFileBuffers
CloseHandle
CreateFileW
WriteFile
GetFileSizeEx
ReadFile
GetFinalPathNameByHandleW
TlsSetValue
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
Sleep
TlsFree
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
GetModuleHandleW
DeleteCriticalSection
GetProcAddress
GetLastError
LeaveCriticalSection
EnterCriticalSection

advapi32

GetAce
GetSidSubAuthority
GetSidLengthRequired
CreatePrivateObjectSecurityWithMultipleInheritance
InitializeSid
IsValidSid
InitializeAcl
SetPrivateObjectSecurityEx
GetLengthSid
AddAccessAllowedAce
SetSecurityDescriptorDacl
SetSecurityDescriptorOwner
GetSecurityDescriptorControl
IsValidSecurityDescriptor
InitializeSecurityDescriptor
MakeSelfRelativeSD
SetSecurityDescriptorGroup
DestroyPrivateObjectSecurity
GetSecurityDescriptorLength

ntdll

RtlInitUnicodeString
RtlUpcaseUnicodeChar
RtlRunOnceComplete
RtlRunOnceBeginInitialize
RtlFindNextForwardRunClear
RtlNumberOfSetBits
RtlInitializeSRWLock
RtlReleaseSRWLockExclusive
RtlAcquireSRWLockExclusive
RtlFreeHeap
RtlAllocateHeap
RtlNtStatusToDosError

Exports

Exports

ORCloseHive
ORCloseKey
ORCreateHive
ORCreateKey
ORDeleteKey
ORDeleteValue
OREnumKey
OREnumValue
ORGetKeySecurity
ORGetValue
ORGetVersion
ORGetVirtualFlags
ORMergeHives
OROpenHive
OROpenHiveByHandle
OROpenKey
ORQueryInfoKey
ORRenameKey
ORSaveHive
ORSetKeySecurity
ORSetValue
ORSetVirtualFlags

Sections

.text
Size: 47KB - Virtual size: 47KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGE
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 940B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1024B - Virtual size: 1016B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x86/wimgapi.dll
.dll windows:10 windows x86 arch:x86

ede04c9300b03910e43b53259e31bfde

Code Sign

33:00:00:00:b5:ac:7d:6d:87:6b:26:11:47:00:00:00:00:00:b5
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

07/09/2016, 17:58

Not After

07/09/2018, 17:58

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:B8EC-30A4-7144,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:01:40:96:a9:ee:70:56:fe:cc:07:00:01:00:00:01:40
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

18/08/2016, 20:17

Not After

02/11/2017, 20:17

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31/08/2010, 22:19

Not After

31/08/2020, 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:01:4f:e7:c6:62:c9:46:f4:a9:7f:00:00:00:00:01:4f
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

17/11/2016, 21:59

Not After

17/02/2018, 21:59

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

b4:93:d0:73:34:c4:72:a1:6d:92:11:b8:c0:e7:8c:6e:62:a0:12:85:06:ff:21:78:00:87:d4:79:03:15:1b:28
Signer

Actual PE Digest

b4:93:d0:73:34:c4:72:a1:6d:92:11:b8:c0:e7:8c:6e:62:a0:12:85:06:ff:21:78:00:87:d4:79:03:15:1b:28

Digest Algorithm

sha256

PE Digest Matches

true

c4:59:a4:ba:22:a1:c6:73:85:91:50:52:ec:52:42:3e:96:4d:9f:b7
Signer

Actual PE Digest

c4:59:a4:ba:22:a1:c6:73:85:91:50:52:ec:52:42:3e:96:4d:9f:b7

Digest Algorithm

sha1

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_DLL

PDB Paths

wimgapi.pdb

Imports

msvcrt

memcpy
memcmp
_callnewh
bsearch
_vscwprintf
_purecall
_strcmpi
_wcstoi64
wcstoul
_wcsupr
qsort
wcschr
_wcsrev
iswspace
_wcslwr
_snwprintf_s
towlower
towupper
memmove
_strnicmp
memcpy_s
strcpy_s
wcsncmp
_wcsnicmp
wcsnlen
wcsstr
_vsnwprintf
_wtoi
swscanf_s
wcsrchr
_wcsicmp
_onexit
__dllonexit
_unlock
_lock
_except_handler4_common
_initterm
memmove_s
malloc
free
_amsg_exit
_XcptFilter
memset

kernel32

GetPrivateProfileSectionW
OpenEventW
SetEvent
WaitForMultipleObjects
TlsSetValue
TlsGetValue
TlsFree
TlsAlloc
DuplicateHandle
GetVolumeInformationW
GetProcAddress
FreeLibrary
LoadLibraryExW
GetFinalPathNameByHandleW
GlobalMemoryStatusEx
SetFileAttributesW
GetVolumeInformationByHandleW
CreateSemaphoreW
InitializeCriticalSectionAndSpinCount
OpenProcess
CreateThread
CopyFileExW
WaitForMultipleObjectsEx
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
GetLogicalDriveStringsW
CreateProcessW
GetExitCodeProcess
CreateSemaphoreExW
MultiByteToWideChar
DosDateTimeToFileTime
LocalFileTimeToFileTime
SetFileTime
GetVolumePathNameW
GetVolumeNameForVolumeMountPointW
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetTickCount
GetLastError
GetHandleInformation
SetLastError
SetFilePointerEx
CloseHandle
SetEndOfFile
CompareStringW
HeapFree
GetProcessHeap
DeleteFileW
CreateFileW
GetFileInformationByHandle
LocalAlloc
HeapAlloc
GetSystemDirectoryW
LocalFree
GetSystemTimeAsFileTime
GetCurrentThreadId
GetDriveTypeW
RemoveDirectoryW
GetCurrentProcessId
QueryPerformanceCounter
Sleep
DisableThreadLibraryCalls
LoadLibraryW
DeviceIoControl
WriteFile
GetFileAttributesW
FindFirstFileW
FindNextFileW
FindClose
GetTempPathW
GetTempFileNameW
GetFileSize
SetFilePointer
ReadFile
DeleteCriticalSection
GetSystemInfo
InitializeCriticalSection
SetThreadIdealProcessor
GetVolumePathNamesForVolumeNameW
GetFileSizeEx
GetFullPathNameW
GetEnvironmentVariableW
GetOverlappedResult
EnterCriticalSection
LeaveCriticalSection
FlushFileBuffers
CreateDirectoryW
CreateEventW
LockFileEx
UnlockFileEx
HeapReAlloc
GetModuleHandleW
GetCurrentDirectoryW
ExpandEnvironmentStringsW
CreateMutexW
GetModuleHandleExW
GetModuleFileNameW
FormatMessageW
WaitForSingleObject
ReleaseMutex
WideCharToMultiByte
ReleaseSemaphore
GetCurrentThread

bcrypt

BCryptOpenAlgorithmProvider
BCryptGetProperty
BCryptCreateHash
BCryptHashData
BCryptFinishHash
BCryptDestroyHash
BCryptCloseAlgorithmProvider

fltlib

FilterLoad
FilterAttach

cabinet

ord23
ord22
ord20

ntdll

RtlGetVersion
DbgPrintEx
NtYieldExecution
RtlRaiseStatus
RtlReAllocateHeap
RtlDeleteCriticalSection
RtlInitializeCriticalSection
RtlDosPathNameToNtPathName_U_WithStatus
RtlDeleteResource
RtlReleaseResource
RtlAcquireResourceShared
RtlAcquireResourceExclusive
RtlInitializeResource
NtSetEaFile
RtlInitUnicodeString
NtQuerySecurityObject
RtlImpersonateSelf
NtQueryVolumeInformationFile
NtCreateFile
NtQueryEaFile
NtQueryInformationProcess
NtQueryInformationFile
NtSetSecurityObject
RtlFindAceByType
RtlSetControlSecurityDescriptor
RtlGetLastNtStatus
NtSetInformationFile
RtlFreeHeap
NtClose
NtQueryDirectoryFile
RtlAllocateHeap
NtOpenFile
RtlDosPathNameToNtPathName_U
RtlAdjustPrivilege
RtlNtStatusToDosError

advapi32

GetAclInformation
GetSecurityDescriptorLength
GetSecurityDescriptorControl
GetSecurityDescriptorSacl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorOwner
AllocateAndInitializeSid
RegUnLoadKeyW
RegFlushKey
RegSetValueExW
RegDeleteValueW
RegCreateKeyExW
RegLoadKeyW
RegCloseKey
RegOpenKeyExW
RegDeleteKeyExW
OpenThreadToken
OpenProcessToken
AdjustTokenPrivileges
WriteEncryptedFileRaw
GetTokenInformation
SetThreadToken
GetLengthSid
InitializeAcl
AddAccessAllowedAce
EqualSid
SetSecurityDescriptorDacl
RegQueryValueExW
RegEnumKeyExW
RegEnumValueW
RegQueryInfoKeyW
CloseEncryptedFileRaw
ReadEncryptedFileRaw
OpenEncryptedFileRawW
FreeSid
GetSecurityInfo
RevertToSelf
AddAccessAllowedAceEx
InitializeSecurityDescriptor

version

VerQueryValueW
GetFileVersionInfoExW
GetFileVersionInfoSizeExW

user32

CharUpperW

rpcrt4

RpcBindingFree
RpcBindingSetAuthInfoW
RpcBindingFromStringBindingW
RpcStringBindingComposeW
UuidCreate
I_RpcMapWin32Status
UuidToStringW
RpcStringFreeW
UuidFromStringW
NdrClientCall2

Exports

Exports

DllCanUnloadNow
DllMain
WIMAddImagePath
WIMAddImagePaths
WIMAddWimbootEntry
WIMApplyImage
WIMCaptureImage
WIMCloseHandle
WIMCommitImageHandle
WIMCopyFile
WIMCreateFile
WIMCreateImageFile
WIMCreateWofCompressedFile
WIMDeleteImage
WIMDeleteImageMounts
WIMEnumImageFiles
WIMExportImage
WIMExtractImageDirectory
WIMExtractImagePath
WIMFindFirstImageFile
WIMFindNextImageFile
WIMGetAttributes
WIMGetImageCount
WIMGetImageInformation
WIMGetMessageCallbackCount
WIMGetMountedImageHandle
WIMGetMountedImageInfo
WIMGetMountedImageInfoFromHandle
WIMGetMountedImages
WIMGetWIMBootEntries
WIMGetWIMBootWIMPath
WIMInitFileIOCallbacks
WIMInitializeWofDriver
WIMIsCurrentSystemWimboot
WIMIsReferenceWim
WIMLoadImage
WIMMountImage
WIMMountImageHandle
WIMProcessCustomImage
WIMReadImageFile
WIMRedirectFolderBeforeApply
WIMRegisterLogFile
WIMRegisterMessageCallback
WIMRemountImage
WIMSetBootImage
WIMSetFileIOCallbackTemporaryPath
WIMSetImageInformation
WIMSetImageUserSpecifiedCreationTime
WIMSetReferenceFile
WIMSetTemporaryPath
WIMSetWimGuid
WIMSingleInstanceFile
WIMSplitFile
WIMUnmountImage
WIMUnmountImageHandle
WIMUnregisterLogFile
WIMUnregisterMessageCallback
WIMUpdateWIMBootEntry

Sections

.text
Size: 530KB - Virtual size: 530KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 19KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x86/wimlib/libwim-15.dll
.dll windows:4 windows x86 arch:x86

4a80020f21cdd123ccef12e689ed3afe

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL

Imports

advapi32

AdjustTokenPrivileges
CloseEncryptedFileRaw
LookupPrivilegeValueW
OpenEncryptedFileRawW
OpenProcessToken
ReadEncryptedFileRaw
RegCloseKey
RegCreateKeyExW
RegFlushKey
RegLoadKeyW
RegSetValueExW
RegUnLoadKeyW
SystemFunction036
WriteEncryptedFileRaw

kernel32

AddVectoredExceptionHandler
CloseHandle
CreateEventA
CreateFileW
CreateSemaphoreA
DeleteCriticalSection
DeleteFileW
DeviceIoControl
DuplicateHandle
EnterCriticalSection
FindClose
FindFirstFileW
FindFirstVolumeW
FindNextFileW
FindNextVolumeW
FindVolumeClose
FlushFileBuffers
FormatMessageW
FreeLibrary
GetCurrentProcess
GetCurrentThread
GetCurrentThreadId
GetDiskFreeSpaceExW
GetFileInformationByHandle
GetFileSizeEx
GetFileType
GetFullPathNameW
GetHandleInformation
GetLastError
GetModuleHandleA
GetModuleHandleW
GetProcAddress
GetProcessAffinityMask
GetProcessHeap
GetSystemInfo
GetSystemTimeAsFileTime
GetThreadContext
GetThreadPriority
GetVolumeInformationW
GlobalMemoryStatusEx
HeapAlloc
HeapFree
InitializeCriticalSection
IsDBCSLeadByteEx
IsDebuggerPresent
IsWow64Process
LeaveCriticalSection
LoadLibraryA
LoadLibraryW
MoveFileExW
MoveFileW
MultiByteToWideChar
OutputDebugStringA
RaiseException
ReadFile
ReleaseSemaphore
RemoveVectoredExceptionHandler
ResetEvent
ResumeThread
SetEndOfFile
SetEvent
SetFilePointer
SetFilePointerEx
SetLastError
SetProcessAffinityMask
SetThreadContext
SetThreadPriority
Sleep
SuspendThread
TlsAlloc
TlsGetValue
TlsSetValue
TryEnterCriticalSection
VirtualProtect
VirtualQuery
WaitForMultipleObjects
WaitForSingleObject
WideCharToMultiByte
WriteFile

msvcrt

__mb_cur_max
_amsg_exit
_assert
_beginthreadex
_endthreadex
_errno
_fstat64
_get_osfhandle
_gmtime64
_initterm
_iob
_lock
_lseeki64
_open_osfhandle
_setjmp3
fwprintf
_telli64
_ultoa
_unlock
_waccess
_wcsicmp
_wfopen
_wgetenv
_wmkdir
_wopen
_wtempnam
_wunlink
abort
atoi
calloc
exit
fclose
feof
ferror
fflush
fgetwc
fopen
fputc
fputwc
fputws
fread
free
fwrite
getc
getenv
islower
isspace
isupper
iswctype
isxdigit
localeconv
malloc
mbstowcs
memchr
memcmp
memcpy
memmove
memset
putc
qsort
rand
realloc
setlocale
srand
strcat
strchr
strcmp
strcpy
strerror
strlen
strncmp
strncpy
strtol
strtoul
tolower
toupper
towlower
ungetc
ungetwc
vfprintf
time
wcschr
wcscmp
wcscpy
wcsftime
wcslen
wcsncmp
wcspbrk
wcsrchr
wcsstr
wcstol
wcstombs
wcstoul
_wstat
_wstat64
_stat
longjmp
_write
_strdup
_read
_getcwd
_fdopen
_close

ntdll

NtClose
NtCreateFile
NtFsControlFile
NtOpenFile
NtOpenSymbolicLinkObject
NtQueryDirectoryFile
NtQueryEaFile
NtQueryInformationFile
NtQuerySecurityObject
NtQueryVolumeInformationFile
NtReadFile
NtSetEaFile
NtSetInformationFile
NtSetSecurityObject
NtWaitForSingleObject
NtWriteFile
RtlDosPathNameToNtPathName_U
RtlInitUnicodeString
RtlNtStatusToDosError

user32

wsprintfW

Exports

Exports

wimlib_add_empty_image
wimlib_add_image
wimlib_add_image_multisource
wimlib_add_tree
wimlib_compress
wimlib_create_compressor
wimlib_create_decompressor
wimlib_create_new_wim
wimlib_decompress
wimlib_delete_image
wimlib_delete_path
wimlib_export_image
wimlib_extract_image
wimlib_extract_image_from_pipe
wimlib_extract_image_from_pipe_with_progress
wimlib_extract_pathlist
wimlib_extract_paths
wimlib_extract_xml_data
wimlib_free
wimlib_free_compressor
wimlib_free_decompressor
wimlib_get_compression_type_string
wimlib_get_compressor_needed_memory
wimlib_get_error_string
wimlib_get_image_description
wimlib_get_image_name
wimlib_get_image_property
wimlib_get_version
wimlib_get_version_string
wimlib_get_wim_info
wimlib_get_xml_data
wimlib_global_cleanup
wimlib_global_init
wimlib_image_name_in_use
wimlib_iterate_dir_tree
wimlib_iterate_lookup_table
wimlib_join
wimlib_join_with_progress
wimlib_mount_image
wimlib_open_wim
wimlib_open_wim_with_progress
wimlib_overwrite
wimlib_print_available_images
wimlib_print_header
wimlib_reference_resource_files
wimlib_reference_resources
wimlib_reference_template_image
wimlib_register_progress_function
wimlib_rename_path
wimlib_resolve_image
wimlib_set_default_compression_level
wimlib_set_error_file
wimlib_set_error_file_by_name
wimlib_set_image_descripton
wimlib_set_image_flags
wimlib_set_image_name
wimlib_set_image_property
wimlib_set_memory_allocator
wimlib_set_output_chunk_size
wimlib_set_output_compression_type
wimlib_set_output_pack_chunk_size
wimlib_set_output_pack_compression_type
wimlib_set_print_errors
wimlib_set_wim_info
wimlib_split
wimlib_unmount_image
wimlib_unmount_image_with_progress
wimlib_update_image
wimlib_verify_wim
wimlib_write
wimlib_write_to_fd

Sections

.text
Size: 583KB - Virtual size: 582KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 832B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 118KB - Virtual size: 118KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

/4
Size: 97KB - Virtual size: 97KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 131KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 48B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 8B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Unattend/Win10_x32.xml
$TEMP/WinNTSetup/Unattend/Win10_x64.xml
$TEMP/WinNTSetup/Unattend/Win7-11-Select.xml
$TEMP/WinNTSetup/WimScript/WimScript.ini
$TEMP/WinNTSetup/WinNTSetup.ini.txt
$TEMP/WinNTSetup/WinNTSetup_x64.exe
.exe windows:6 windows x64 arch:x64

5812eb0ba263f239f68349549bad328d

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\Coding\PureBasic\WinNTSetup\WinNTSetup_x64.pdb

Imports

kernel32

ReadProcessMemory
GetLocalTime
GetTimeFormatW
WritePrivateProfileStringW
LocaleNameToLCID
GetLocaleInfoW
GetPrivateProfileSectionW
AttachConsole
AllocConsole
ReadConsoleOutputW
SetEndOfFile
SetFileValidData
CreateEventW
SetFilePointer
GetTickCount
SetVolumeMountPointW
WideCharToMultiByte
WriteConsoleA
FindFirstFileNameW
FindNextFileNameW
FindResourceExW
SizeofResource
LockResource
FreeResource
GetDiskFreeSpaceW
SetLastError
RemoveDirectoryW
GetCurrentDirectoryW
SetCurrentDirectoryW
GetDateFormatW
LCIDToLocaleName
GetVolumeNameForVolumeMountPointW
GetWindowsDirectoryW
SetThreadExecutionState
OpenProcess
GetProcessId
FlushFileBuffers
GlobalMemoryStatusEx
FileTimeToSystemTime
WritePrivateProfileSectionW
GetFileTime
GlobalAlloc
GlobalLock
GlobalUnlock
GlobalFree
SystemTimeToTzSpecificLocalTime
GetTempFileNameW
WriteConsoleW
RtlCompareMemory
lstrcatW
lstrcpynW
MultiByteToWideChar
RtlMoveMemory
lstrlenA
FindVolumeClose
FindNextVolumeW
GetDiskFreeSpaceExW
GetVolumeInformationW
GetVolumePathNamesForVolumeNameW
lstrcmpW
FindFirstVolumeW
SetErrorMode
GetPrivateProfileStringW
GetSystemInfo
K32GetModuleInformation
SetDllDirectoryW
SetFileAttributesW
UnregisterWait
RegisterWaitForSingleObject
DeleteCriticalSection
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
HeapSize
GetVersionExW
HeapReAlloc
GetExitCodeProcess
PeekNamedPipe
CreateProcessW
CreatePipe
DuplicateHandle
HeapFree
HeapAlloc
CreateThread
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
GetPrivateProfileIntW
GetEnvironmentVariableW
GetNativeSystemInfo
GetCurrentThread
GetLogicalProcessorInformation
GetLogicalDrives
QueryDosDeviceW
GetDriveTypeW
GetLogicalDriveStringsW
CreateDirectoryW
Sleep
FormatMessageW
SetFirmwareEnvironmentVariableW
GetFirmwareEnvironmentVariableW
SetFilePointerEx
GetFileSizeEx
lstrlenW
GetFinalPathNameByHandleW
lstrcmpiW
lstrcpyW
ReadFile
MoveFileW
FindFirstFileW
SetConsoleTextAttribute
GetConsoleWindow
SetConsoleCursorPosition
DeviceIoControl
GetFullPathNameW
SetConsoleCursorInfo
SetConsoleCtrlHandler
SetConsoleTitleW
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
GetCurrentProcessId
GetCurrentThreadId
lstrcmpA
GetFileAttributesW
SetEvent
CopyFileW
EndUpdateResourceW
UpdateResourceW
CreateFileW
EnumResourceNamesW
BeginUpdateResourceW
WriteFile
VirtualProtect
DefineDosDeviceW
DeleteFileW
WaitForSingleObject
FindClose
FindNextFileW
FindFirstFileExW
MulDiv
RtlZeroMemory
QueryPerformanceFrequency
LoadResource
FindResourceW
SetEnvironmentVariableW
FreeLibrary
LoadLibraryExW
QueryPerformanceCounter
GetConsoleScreenBufferInfo
QueryFullProcessImageNameW
GetFileType
GetStdHandle
ExitProcess
HeapDestroy
GetProcAddress
LoadLibraryW
LocalFree
LocalAlloc
GetLastError
GetCurrentProcess
GetUserDefaultLocaleName
GetUserDefaultLCID
GetSystemWindowsDirectoryW
GetModuleFileNameW
GetLongPathNameW
GetTempPathW
HeapCreate
GetModuleHandleW
SetFileTime
SystemTimeToFileTime
GetSystemTime
UnmapViewOfFile
CloseHandle
MapViewOfFile
CreateFileMappingW
GetFileSize
GetCommandLineW

user32

EnumChildWindows
LockWindowUpdate
GetComboBoxInfo
FindWindowExW
SetWindowPos
GetClientRect
IsWindowEnabled
GetSysColorBrush
GetPropW
FrameRect
WindowFromDC
GetClassLongPtrW
CallNextHookEx
DrawTextW
MapWindowPoints
GetUpdateRect
SetRect
InflateRect
GetDC
ReleaseDC
GetClassInfoExW
RegisterWindowMessageW
GetSystemMetrics
SystemParametersInfoW
GetIconInfo
DestroyIcon
CreateIconIndirect
SetPropW
GetWindowLongPtrW
SetWindowLongPtrW
SendMessageW
CreatePopupMenu
InsertMenuW
ValidateRect
SetMenuDefaultItem
SetClassLongPtrW
AppendMenuW
IsChild
DefFrameProcW
GetFocus
AdjustWindowRectEx
UnregisterClassW
RegisterClassW
TranslateAcceleratorW
MsgWaitForMultipleObjects
PeekMessageW
DispatchMessageW
TranslateMessage
GetMessageW
IsZoomed
GetMenu
DestroyAcceleratorTable
CreateAcceleratorTableW
LoadIconW
SetActiveWindow
DrawFrameControl
GetScrollPos
RegisterClassExW
SetScrollPos
GetWindowDC
GetAsyncKeyState
GetWindowLongW
DrawStateW
ReleaseCapture
SetCapture
GetWindowTextLengthW
RedrawWindow
IntersectRect
EnableWindow
DestroyWindow
SetMenuItemInfoW
GetSysColor
DefWindowProcW
BeginPaint
CopyRect
FillRect
EndPaint
CharUpperW
EnableMenuItem
CharLowerW
EnumDisplayDevicesW
EnumWindows
ShowWindow
EnumDisplaySettingsW
EnumDisplaySettingsExW
ChangeDisplaySettingsW
GetDisplayConfigBufferSizes
QueryDisplayConfig
DisplayConfigGetDeviceInfo
DisplayConfigSetDeviceInfo
GetWindowRect
GetWindow
SetParent
DestroyMenu
GetKeyState
MessageBoxIndirectW
SetForegroundWindow
KillTimer
CheckMenuRadioItem
GetActiveWindow
GetDlgItem
UnhookWindowsHookEx
SetWindowsHookExW
CallWindowProcW
DrawIconEx
RemovePropW
GetDoubleClickTime
GetWindowThreadProcessId
IsWindowVisible
SetRectEmpty
MoveWindow
LoadCursorW
SetCursor
IsIconic
GetForegroundWindow
CopyImage
ClientToScreen
MessageBoxW
OpenClipboard
EmptyClipboard
SetClipboardData
CloseClipboard
DestroyCursor
GetDlgCtrlID
FindWindowW
GetClassNameW
CheckMenuItem
GetSystemMenu
CreateWindowExW
InvalidateRect
SetTimer
SetWindowPlacement
GetWindowPlacement
UpdateWindow
SetFocus
PostMessageW
SetWindowTextW
GetMessagePos
MessageBeep
FlashWindowEx
WindowFromPoint
ScreenToClient
RealChildWindowFromPoint
TrackPopupMenu
GetClassWord
GetParent
GetWindowTextW
LoadStringW
SetWindowCompositionAttribute

gdi32

CreateFontIndirectW
CreateDIBSection
CreateCompatibleBitmap
GetObjectW
DeleteObject
CreateSolidBrush
GetDeviceCaps
GetTextExtentPoint32W
CreateCompatibleDC
CreateFontW
GdiAlphaBlend
DeleteDC
CreateRectRgn
FrameRgn
ExtTextOutW
CreatePen
SelectObject
SetTextColor
MoveToEx
LineTo
EnumFontFamiliesW
SetStretchBltMode
AddFontResourceW
GetStockObject
CreatePatternBrush
SetViewportOrgEx
OffsetViewportOrgEx
GetObjectType
ExcludeClipRect
CreateDCW
CreateRectRgnIndirect
GetClipRgn
SelectClipRgn
ExtSelectClipRgn
StretchBlt
SetBrushOrgEx
CreateBitmap
GetDIBits
SetPixel
SetBkColor
Rectangle
SetBkMode
GetTextMetricsW

comdlg32

GetSaveFileNameW
GetOpenFileNameW

advapi32

DuplicateTokenEx
RegEnumKeyExW
ControlService
SetNamedSecurityInfoW
IsValidSecurityDescriptor
GetFileSecurityW
SetFileSecurityW
ConvertStringSecurityDescriptorToSecurityDescriptorW
RegQueryValueW
RegLoadKeyW
RegUnLoadKeyW
RegQueryInfoKeyW
CreateProcessAsUserW
CreateProcessWithTokenW
QueryServiceStatus
StartServiceW
RegEnumValueW
RegCreateKeyW
OpenServiceW
IsWellKnownSid
SetThreadToken
RevertToSelf
CloseServiceHandle
CreateServiceW
OpenSCManagerW
CheckTokenMembership
AllocateAndInitializeSid
RegSetValueExW
RegCreateKeyExW
RegOpenKeyExW
OpenProcessToken
GetTokenInformation
SetEntriesInAclW
RegOpenKeyW
RegQueryValueExW
RegCloseKey

comctl32

ImageList_Replace
ImageList_AddMasked
ord412
ImageList_GetImageCount
ImageList_Draw
ImageList_Add
ImageList_DrawEx
ImageList_GetIconSize
ord413
CreateToolbarEx
InitCommonControlsEx
ImageList_Remove
ord381
ImageList_Destroy
ImageList_GetIcon
ImageList_Merge
ImageList_ReplaceIcon
ImageList_Create
ord410

oleaut32

SafeArrayUnlock
SysFreeString
SafeArrayDestroy
VariantClear
SysAllocString
SafeArrayCreate
SafeArrayLock

ntdll

RtlAdjustPrivilege
NtQuerySystemInformation
RtlCreateUnicodeString
RtlUpcaseUnicodeString
RtlCreateUnicodeStringFromAsciiz
RtlIsNameInExpression
RtlFreeUnicodeString
RtlGetProcessHeaps
RtlAllocateHeap
RtlDosPathNameToNtPathName_U
NtOpenFile
NtClose
RtlFreeHeap
NtShutdownSystem
RtlGetVersion
RtlGetNtVersionNumbers
NtQueryVolumeInformationFile
NtQueryInformationProcess
RtlInitUnicodeString
NtOpenDirectoryObject
NtQueryDirectoryObject
RtlComputeCrc32
RtlGetLastNtStatus
RtlNtStatusToDosError
RtlRandom
NtCreatePagingFile
NtReadFile
NtTranslateFilePath
NtQueryInformationFile
NtFsControlFile
__chkstk

shell32

SHCreateShellItem
SHGetStockIconInfo
SHFormatDrive
SHBrowseForFolderW
SHGetDesktopFolder
SHParseDisplayName
StrStrIW
ShellExecuteW
ShellExecuteExW
SHGetImageList
SHGetFileInfoW
SHGetPathFromIDListW
SHDefExtractIconW
SHFileOperationW

ole32

RevokeDragDrop
StringFromGUID2
CoTaskMemFree
CreateStreamOnHGlobal
CLSIDFromString
CoCreateInstance
CoInitialize
CoCreateGuid

shlwapi

StrCmpLogicalW
PathCompactPathW
PathGetArgsW
StrStrNIW
PathCompactPathExW
PathParseIconLocationW
PathRemoveExtensionW
StrTrimW
PathIsNetworkPathW
StrToIntExW
PathSearchAndQualifyW
PathCombineW
SHCreateStreamOnFileW
SHCreateStreamOnFileEx
StrTrimA
PathIsDirectoryW
PathStripToRootW
PathRemoveBackslashW
StrToIntW
StrFormatByteSizeW
PathRemoveFileSpecW
PathIsRelativeW
PathFindFileNameW
PathMatchSpecW
PathFindExtensionW
PathFileExistsW
PathAddBackslashW

cfgmgr32

CM_Get_Device_IDW
CM_Get_Parent

rpcrt4

UuidCreate

setupapi

SetupOpenInfFileW
SetupIterateCabinetW
SetupDiGetDeviceRegistryPropertyW
SetupDiOpenDevRegKey
SetupGetStringFieldW
SetupDiGetDeviceInterfaceDetailW
SetupDiEnumDeviceInterfaces
SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInfo
SetupDiGetClassDevsW
SetupFindFirstLineW
SetupGetLineCountW
SetupGetLineByIndexW
SetupGetFieldCount
SetupDecompressOrCopyFileW
SetupGetBinaryField
SetupGetMultiSzFieldW
SetupGetIntField
SetupEnumInfSectionsW
SetupDiGetDeviceInstanceIdW
SetupCloseInfFile

userenv

CreateEnvironmentBlock
DestroyEnvironmentBlock

uxtheme

BeginBufferedPaint
DrawThemeText
BufferedPaintSetAlpha
EndBufferedPaint
BufferedPaintInit
OpenThemeData
SetWindowTheme
DrawThemeBackground
DrawThemeTextEx
GetThemePartSize
GetThemeFont
GetThemeInt

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

msvcrt

_strnicmp
fputc
fputs
wcstod
sqrt
_wcsdup
ceil
wcstol
_time64
wcschr
fseek
_localtime64
wcstoul
wcsstr
_gmtime64
memmove
floor
tolower
_mktime64
_itow
_wtoi
fread
fclose
strlen
realloc
strrchr
strchr
fgets
_wfopen
_wstati64
_wtol
_wsystem
malloc
wcscpy
swscanf
wcstok_s
wcslen
__wgetmainargs
wcsncmp
_vsnwprintf
wcsncpy
_wcsnicmp
wcscmp
wcscat
strstr
_wcsicmp
free
calloc
_snwprintf
memset
memcmp
memcpy
_stricmp
wcsspn

wtsapi32

WTSFreeMemory
WTSEnumerateProcessesW
WTSEnumerateSessionsW

virtdisk

GetVirtualDiskInformation
GetVirtualDiskOperationProgress
CreateVirtualDisk
GetStorageDependencyInformation
AttachVirtualDisk
DetachVirtualDisk
GetVirtualDiskPhysicalPath
OpenVirtualDisk

fltlib

FilterLoad
FilterAttach

Sections

.text
Size: 707KB - Virtual size: 706KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 26KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 172KB - Virtual size: 4.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 137KB - Virtual size: 140KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/WinNTSetup_x86.exe
.exe windows:5 windows x86 arch:x86

e2e288d3bc8ddb6faf3602a6b2f6361a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

msvcrt

__wgetmainargs
_snwprintf
_stricmp
_strnicmp
_wcsicmp
_wcsnicmp
calloc
ceil
floor
free
gmtime
malloc
memcmp
memcpy
memset
mktime
strcmp
strrchr
strstr
swscanf
wcscat
wcschr
_vsnwprintf
localtime
_wtoi
tolower
sprintf
_wcsdup
memmove
wcstol
wcstok
wcstod
wcsstr
wcsrchr
wcsncpy
wcsncmp
wcslen
wcscpy
wcscmp

kernel32

GetPrivateProfileSectionW
GetPrivateProfileStringW
GetProcAddress
GetStdHandle
GetSystemInfo
GetSystemTime
GetTempFileNameW
GetTempPathW
GetTimeFormatW
GetUserDefaultLCID
GetVolumeInformationW
GetVolumeNameForVolumeMountPointW
GetVolumePathNamesForVolumeNameW
GetWindowsDirectoryW
GlobalAlloc
GlobalFree
GlobalLock
GlobalMemoryStatusEx
GlobalUnlock
HeapCreate
HeapDestroy
LoadLibraryExW
LoadLibraryW
LoadResource
LocalFileTimeToFileTime
LocalFree
LockResource
MapViewOfFile
MoveFileW
MultiByteToWideChar
OpenProcess
Process32FirstW
Process32NextW
QueryDosDeviceW
QueryPerformanceCounter
QueryPerformanceFrequency
ReadFile
ReadProcessMemory
SetConsoleCtrlHandler
SetConsoleCursorPosition
SetCurrentDirectoryW
SetDllDirectoryW
SetEndOfFile
SetEnvironmentVariableW
SetErrorMode
SetFileAttributesW
SetFilePointer
SetFilePointerEx
SetFileTime
SetFileValidData
SizeofResource
Sleep
SystemTimeToFileTime
SystemTimeToTzSpecificLocalTime
UnmapViewOfFile
UpdateResourceW
VirtualProtect
WideCharToMultiByte
WriteConsoleW
WriteFile
WritePrivateProfileSectionW
WritePrivateProfileStringW
lstrlenA
CreateSemaphoreA
WaitForMultipleObjects
ReleaseSemaphore
GetCurrentThread
InterlockedCompareExchange
InterlockedExchange
DeleteCriticalSection
TlsFree
FindFirstFileW
HeapSize
LoadLibraryA
HeapReAlloc
TlsSetValue
TlsGetValue
TlsAlloc
GetTickCount
CreatePipe
DuplicateHandle
GetCurrentProcess
HeapFree
HeapAlloc
PeekNamedPipe
InitializeCriticalSection
WaitForSingleObject
LeaveCriticalSection
EnterCriticalSection
CreateThread
SetLastError
AttachConsole
BeginUpdateResourceW
CloseHandle
CopyFileW
CreateDirectoryW
CreateFileMappingW
CreateFileW
CreateProcessW
CreateToolhelp32Snapshot
DefineDosDeviceW
DeleteFileW
DeviceIoControl
DosDateTimeToFileTime
EndUpdateResourceW
EnumResourceNamesW
ExitProcess
FindClose
FindFirstFileExW
FindNextFileW
FindResourceExW
FindResourceW
FlushFileBuffers
FormatMessageW
FreeLibrary
FreeResource
GetCommandLineW
GetConsoleScreenBufferInfo
GetConsoleWindow
GetCurrentDirectoryW
GetCurrentProcessId
GetCurrentThreadId
GetDateFormatW
GetDiskFreeSpaceExW
GetDriveTypeW
GetEnvironmentVariableW
GetExitCodeProcess
GetFileAttributesW
GetFileSize
GetFileSizeEx
GetFirmwareEnvironmentVariableW
GetLastError
GetLocalTime
GetLogicalDriveStringsW
GetLogicalDrives
GetLogicalProcessorInformation
GetLongPathNameW
GetModuleFileNameW
GetModuleHandleW
GetNativeSystemInfo
GetPrivateProfileIntW

user32

TrackPopupMenu
UnhookWindowsHookEx
UpdateWindow
ValidateRect
TrackMouseEvent
SystemParametersInfoW
ShowWindow
SetWindowTextW
GetSysColor
GetPropW
GetParent
GetMessagePos
GetIconInfo
GetDoubleClickTime
GetDlgCtrlID
GetDC
SetWindowsHookExW
GetComboBoxInfo
GetSysColorBrush
GetSystemMenu
WindowFromPoint
SetWindowLongW
SetTimer
SetRectEmpty
SetRect
SetPropW
SetMenuItemInfoW
SetForegroundWindow
SetFocus
SetCursor
SetClipboardData
SetClassLongW
RegisterWindowMessageW
GetKeyState
IsChild
DefFrameProcW
TranslateAcceleratorW
GetSystemMetrics
GetUpdateRect
GetWindow
GetWindowLongW
GetWindowPlacement
GetWindowRect
GetWindowThreadProcessId
InflateRect
InsertMenuW
InvalidateRect
IsIconic
IsWindowEnabled
IsWindowVisible
KillTimer
LoadCursorW
LoadIconW
LoadImageW
LoadStringW
MapWindowPoints
MessageBeep
MessageBoxIndirectW
MessageBoxW
MsgWaitForMultipleObjects
PeekMessageW
DispatchMessageW
TranslateMessage
GetMessageW
GetMenu
AdjustWindowRectEx
UnregisterClassW
RegisterClassW
IsZoomed
SetActiveWindow
DestroyAcceleratorTable
CreateAcceleratorTableW
SetWindowPos
DrawFrameControl
GetScrollPos
MoveWindow
OffsetRect
OpenClipboard
PostMessageW
ReleaseDC
RemovePropW
SendMessageW
GetClientRect
GetClassNameW
GetClassLongW
GetAncestor
GetActiveWindow
FrameRect
FlashWindowEx
FindWindowW
FillRect
EnumWindows
EnumChildWindows
EndPaint
EmptyClipboard
DrawTextW
DrawIconEx
DestroyIcon
DestroyCursor
CreateWindowExW
CreatePopupMenu
CopyRect
CloseClipboard
CheckMenuItem
CharUpperW
CharLowerW
CallWindowProcW
CallNextHookEx
BeginPaint
AppendMenuW
GetWindowTextW
GetWindowTextLengthW
GetFocus
DrawStateW
DefWindowProcW
RegisterClassExW
RedrawWindow
EnableWindow
GetWindowDC
SetScrollPos
DestroyWindow
SetCapture
ReleaseCapture
ScreenToClient
IntersectRect

gdi32

GetObjectW
ExcludeClipRect
CreateBrushIndirect
CreateDCW
StretchBlt
CreatePen
SelectClipRgn
MoveToEx
GetObjectA
CreateRectRgnIndirect
GetClipRgn
ExtSelectClipRgn
CreateBitmap
GetDIBits
SetPixel
GetObjectType
LineTo
SetTextColor
SetStretchBltMode
SetBkMode
SetBkColor
SelectObject
GetTextMetricsW
GetTextExtentPoint32W
GetStockObject
GetDeviceCaps
GdiAlphaBlend
ExtTextOutW
DeleteObject
DeleteDC
CreateSolidBrush
CreateFontIndirectW
CreateDIBSection
CreateCompatibleDC
CreateCompatibleBitmap
BitBlt
AddFontResourceW

comdlg32

GetSaveFileNameW
GetOpenFileNameW

advapi32

RegOpenKeyExW
SaferCloseLevel
SaferComputeTokenFromLevel
SaferCreateLevel
SetFileSecurityW
AllocateAndInitializeSid
CheckTokenMembership
CloseServiceHandle
ControlService
CreateProcessAsUserW
CreateServiceW
FreeSid
GetFileSecurityW
OpenSCManagerW
OpenServiceW
QueryServiceStatus
RegCloseKey
RegCreateKeyExW
RegCreateKeyW
RegEnumKeyExW
RegEnumValueW
RegUnLoadKeyW
RegQueryInfoKeyW
RegQueryValueExW
RegSetValueExW
StartServiceW

comctl32

InitCommonControlsEx
ImageList_ReplaceIcon
ImageList_GetIconSize
ImageList_GetIcon
ImageList_Draw
ImageList_Create
ord413
CreateToolbarEx
ord410
ImageList_Destroy
ImageList_Add
ImageList_Replace
ImageList_AddMasked
ImageList_Remove

shell32

SHBrowseForFolderW
ShellExecuteExW
ShellExecuteW
SHGetPathFromIDListW
SHGetDesktopFolder
SHFormatDrive
SHFileOperationW
SHExtractIconsW
SHParseDisplayName
SHCreateShellItem

ole32

CoInitialize
CoCreateInstance
RevokeDragDrop
StringFromGUID2
CoUninitialize
CoTaskMemFree
CoInitializeSecurity
CoInitializeEx

shlwapi

PathIsDirectoryW
PathIsRelativeW
PathMatchSpecW
PathRemoveBackslashW
PathRemoveExtensionW
PathRemoveFileSpecW
StrToIntExW
StrToIntW
PathFindExtensionW
StrTrimW
PathFileExistsW
PathCompactPathW
PathAddBackslashW

crypt32

CryptBinaryToStringW

ntdll

NtUnmapViewOfSection
NtCreatePagingFile
RtlInitUnicodeString
RtlGetVersion
RtlGetNtVersionNumbers
RtlComputeCrc32
RtlAdjustPrivilege
NtFsControlFile
NtShutdownSystem
NtSetInformationFile
NtQuerySystemInformation
NtQueryInformationProcess
NtQueryInformationFile
NtOpenSection
NtOpenFile
NtMapViewOfSection
NtClose

setupapi

SetupDiGetDeviceRegistryPropertyW
SetupDiGetDeviceInterfaceDetailW
SetupDiGetClassDevsW
SetupDiEnumDeviceInterfaces
SetupDiEnumDeviceInfo
SetupDiDestroyDeviceInfoList
SetupDecompressOrCopyFileW
SetupCloseInfFile
CM_Get_Parent
CM_Get_Device_IDW
SetupEnumInfSectionsW
SetupFindFirstLineW
SetupGetBinaryField
SetupGetFieldCount
SetupGetIntField
SetupGetLineByIndexW
SetupGetLineCountW
SetupGetMultiSzFieldW
SetupGetStringFieldW
SetupOpenInfFileW
SetupIterateCabinetW

uxtheme

SetWindowTheme
DrawThemeBackground
DrawThemeText
GetThemeFont
GetThemeInt
GetThemePartSize
OpenThemeData

version

GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW

Sections

.text
Size: 507KB - Virtual size: 507KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

'.text'
Size: 512B - Virtual size: 21B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 14KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 77KB - Virtual size: 4.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 169KB - Virtual size: 172KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/_DeltaPatchWinXP/FixWinXP.cmd
$TEMP/WinNTSetup/_DeltaPatchWinXP/x64_bcdboot.exe.xdelta
$TEMP/WinNTSetup/_DeltaPatchWinXP/x64_bcdedit.exe.xdelta
$TEMP/WinNTSetup/_DeltaPatchWinXP/x64_bootsect.exe.xdelta
$TEMP/WinNTSetup/_DeltaPatchWinXP/x64_libwim-15.dll.xdelta
$TEMP/WinNTSetup/_DeltaPatchWinXP/x64_wimgapi.dll.xdelta
$TEMP/WinNTSetup/_DeltaPatchWinXP/x86_bcdboot.exe.xdelta
$TEMP/WinNTSetup/_DeltaPatchWinXP/x86_bcdedit.exe.xdelta
$TEMP/WinNTSetup/_DeltaPatchWinXP/x86_bootsect.exe.xdelta
$TEMP/WinNTSetup/_DeltaPatchWinXP/x86_wimgapi.dll.xdelta
$TEMP/WinNTSetup/_DeltaPatchWinXP/xdelta3.exe
.exe windows:5 windows x86 arch:x86

0055967b2af3458f7824f48b5ccb31d4

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

C:\Users\jmacd\Documents\GitHub\xdelta-devel\xdelta3\Release\xdelta3.pdb

Imports

kernel32

CreateFileA
SystemTimeToFileTime
SetFilePointerEx
VirtualFree
FormatMessageA
WriteFile
ReadFile
GetFileSizeEx
GetStartupInfoA
GetStdHandle
GetLastError
VirtualAlloc
GetLocalTime
GetFileType
CloseHandle
HeapFree
HeapAlloc
EnterCriticalSection
LeaveCriticalSection
FindClose
FileTimeToSystemTime
FileTimeToLocalFileTime
GetDriveTypeA
FindFirstFileExA
GetCommandLineA
HeapSetInformation
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
GetProcAddress
GetModuleHandleW
ExitProcess
DecodePointer
EncodePointer
HeapCreate
GetModuleFileNameW
Sleep
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
SetHandleCount
InitializeCriticalSectionAndSpinCount
GetStartupInfoW
DeleteCriticalSection
WideCharToMultiByte
GetConsoleCP
GetConsoleMode
FlushFileBuffers
RtlUnwind
MultiByteToWideChar
GetFullPathNameA
GetFileInformationByHandle
PeekNamedPipe
GetCurrentDirectoryW
GetModuleFileNameA
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
IsProcessorFeaturePresent
LoadLibraryW
SetFilePointer
HeapReAlloc
LCMapStringW
GetStringTypeW
WriteConsoleW
SetStdHandle
CompareStringW
SetEnvironmentVariableA
GetDriveTypeW
SetEndOfFile
GetProcessHeap
GetTimeZoneInformation
HeapSize
CreateFileW
DeleteFileA
RaiseException

Sections

.text
Size: 235KB - Virtual size: 235KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 54KB - Virtual size: 54KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 5KB - Virtual size: 56KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 436B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
WinNTSetup 5.3.5.2/WinNTSetup-5.3.5.2-x64.exe
.exe windows:4 windows x86 arch:x86

7c2c71dfce9a27650634dc8b1ca03bf0

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

SetEnvironmentVariableA
CreateFileA
GetFileSize
GetModuleFileNameA
ReadFile
GetCurrentProcess
CopyFileA
Sleep
GetTickCount
GetWindowsDirectoryA
GetTempPathA
GetCommandLineA
lstrlenA
GetVersion
SetErrorMode
lstrcpynA
ExitProcess
SetFileAttributesA
GlobalLock
CreateThread
GetLastError
CreateDirectoryA
CreateProcessA
RemoveDirectoryA
GetTempFileNameA
WriteFile
lstrcpyA
MoveFileExA
lstrcatA
GetSystemDirectoryA
GetProcAddress
GetExitCodeProcess
WaitForSingleObject
CompareFileTime
SetFileTime
GetFileAttributesA
SetCurrentDirectoryA
MoveFileA
GetFullPathNameA
GetShortPathNameA
SearchPathA
CloseHandle
lstrcmpiA
GlobalUnlock
GetDiskFreeSpaceA
lstrcmpA
DeleteFileA
FindFirstFileA
FindNextFileA
FindClose
SetFilePointer
GetPrivateProfileStringA
WritePrivateProfileStringA
MulDiv
MultiByteToWideChar
FreeLibrary
LoadLibraryExA
GetModuleHandleA
GlobalAlloc
GlobalFree
ExpandEnvironmentStringsA

user32

GetSystemMenu
SetClassLongA
EnableMenuItem
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
ScreenToClient
GetWindowRect
GetDlgItem
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
GetDC
ReleaseDC
EnableWindow
InvalidateRect
SendMessageA
DefWindowProcA
BeginPaint
GetClientRect
FillRect
EndDialog
RegisterClassA
SystemParametersInfoA
CreateWindowExA
GetClassInfoA
DialogBoxParamA
CharNextA
ExitWindowsEx
LoadImageA
CreateDialogParamA
SetTimer
SetWindowTextA
SetForegroundWindow
ShowWindow
SetWindowLongA
SendMessageTimeoutA
FindWindowExA
IsWindow
AppendMenuA
TrackPopupMenu
CreatePopupMenu
DrawTextA
EndPaint
DestroyWindow
wsprintfA
PostQuitMessage

gdi32

SelectObject
SetTextColor
SetBkMode
CreateFontIndirectA
CreateBrushIndirect
DeleteObject
GetDeviceCaps
SetBkColor

shell32

SHGetSpecialFolderLocation
ShellExecuteExA
SHGetPathFromIDListA
SHBrowseForFolderA
SHGetFileInfoA
SHFileOperationA

advapi32

AdjustTokenPrivileges
RegCreateKeyExA
RegOpenKeyExA
SetFileSecurityA
OpenProcessToken
LookupPrivilegeValueA
RegEnumValueA
RegDeleteKeyA
RegDeleteValueA
RegCloseKey
RegSetValueExA
RegQueryValueExA
RegEnumKeyA

comctl32

ImageList_Create
ImageList_AddMasked
ord17
ImageList_Destroy

ole32

OleUninitialize
OleInitialize
CoTaskMemFree
CoCreateInstance

Sections

.text
Size: 24KB - Virtual size: 24KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 106KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.ndata
Size: - Virtual size: 36KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 7KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$PLUGINSDIR/System.dll
.dll windows:4 windows x86 arch:x86

8c8a576201f68de1a3f26fc723b9f30f

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

MultiByteToWideChar
GlobalFree
GlobalSize
lstrcpynA
lstrcpyA
GetProcAddress
VirtualFree
FreeLibrary
lstrlenA
LoadLibraryA
GetModuleHandleA
GlobalAlloc
WideCharToMultiByte
VirtualAlloc
VirtualProtect
GetLastError

user32

wsprintfA

ole32

StringFromGUID2
CLSIDFromString

Exports

Exports

Alloc
Call
Copy
Free
Get
Int64Op
Store
StrAlloc

Sections

.text
Size: 8KB - Virtual size: 7KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1024B - Virtual size: 867B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 104B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 636B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Compact/WimBootCompress.ini
$TEMP/WinNTSetup/DISM/Sample.ini
$TEMP/WinNTSetup/Diskpart/BIOS.txt
$TEMP/WinNTSetup/Diskpart/UEFI.txt
.vbs
$TEMP/WinNTSetup/Diskpart/XP_legacy/BIOS.txt
$TEMP/WinNTSetup/MinWin/Default/AntiLog.ini
$TEMP/WinNTSetup/MinWin/Default/AntiLog.reg
$TEMP/WinNTSetup/MinWin/Default/Options.ini
$TEMP/WinNTSetup/MinWin/Default/Reg/Explorer_LaunchTo.reg
$TEMP/WinNTSetup/MinWin/Default/Reg/GameDVR.reg
$TEMP/WinNTSetup/MinWin/Default/Reg/Remove_Gallery.reg
$TEMP/WinNTSetup/MinWin/Default/Reg/Restore_Photo_Viewer_Windows_10.reg
$TEMP/WinNTSetup/MinWin/Default/Reg/ShippedWithReserves.reg
$TEMP/WinNTSetup/MinWin/Default/Reg/StuckRects3-Win10-200X.reg
$TEMP/WinNTSetup/MinWin/Default/Reg/SysTray_ClassicVolumeControl.reg
$TEMP/WinNTSetup/MinWin/Default/Reg/SysTray_Network_Flyout.reg
$TEMP/WinNTSetup/MinWin/Default/Reg/Taskbar.reg
$TEMP/WinNTSetup/MinWin/Default/Reg/UserSignedIn.reg
$TEMP/WinNTSetup/MinWin/Default/Remove/Active Setup.reg
$TEMP/WinNTSetup/MinWin/Default/Remove/Defender.reg
$TEMP/WinNTSetup/MinWin/Default/Remove/Defender.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/DrvStore_Inf.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/Edge.reg
$TEMP/WinNTSetup/MinWin/Default/Remove/Edge.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/Fonts.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/Installed.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/Languages.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/Media.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/NetFX.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/NetFX_Keep.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/OneDrive.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/ProgramFiles.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/Speech.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/SySWoW.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/System32-DLL.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/System32.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/WMP.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/WSearch.reg
$TEMP/WinNTSetup/MinWin/Default/Remove/WUAU.reg
$TEMP/WinNTSetup/MinWin/Default/Remove/WUAU.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/WinSAT.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/Windows.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/Windows11.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/WindowsApps.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/WindowsPowerShell.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/XBOX.reg
$TEMP/WinNTSetup/MinWin/Default/Remove/XBOX.txt
$TEMP/WinNTSetup/MinWin/Default/Remove/XPS.txt
$TEMP/WinNTSetup/MinWin/Default/Services.ini
$TEMP/WinNTSetup/MinWin/Default/Tasks.ini
$TEMP/WinNTSetup/MinWin/Default/WinSxS.ini
$TEMP/WinNTSetup/MinWin/ReadMe.txt
$TEMP/WinNTSetup/MinWin/ReadMechs.txt
$TEMP/WinNTSetup/Tools/CATTrim.ini
$TEMP/WinNTSetup/Tools/MergeIDE_2600.ini
$TEMP/WinNTSetup/Tools/MergeIDE_7600.ini
$TEMP/WinNTSetup/Tools/MergeIDE_9200.ini
$TEMP/WinNTSetup/Tools/Win10Builds.ini
$TEMP/WinNTSetup/Tools/Win7USB3/ReadMe.txt
$TEMP/WinNTSetup/Tools/Win7USBBoot.ini
$TEMP/WinNTSetup/Tools/imdisk/cpl/amd64/imdisk.cpl
.dll windows:6 windows x64 arch:x64

279416a3dfe8386ca2bd447389b068d7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

x:\imdisk_source\cpl\amd64\imdisk.pdb

Imports

msvcrt

malloc
wcstoul
wcsncat
_beginthreadex
??3@YAXPEAX@Z
wcstod
towupper
wcstok
??2@YAPEAX_K@Z
fwprintf
_fgetwchar
strchr
_XcptFilter
fflush
wcschr
_initterm
_amsg_exit
__C_specific_handler
fprintf
toupper
_fgetchar
free
wcsncmp
wcsrchr
wcsncpy
_snwprintf
_wcsicmp
_iob
memcpy
memset

kernel32

SetUnhandledExceptionFilter
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetSystemTimeAsFileTime
GetFileSize
SetFilePointer
SetEndOfFile
HeapAlloc
HeapFree
GetLogicalDrives
VirtualFree
GetProcessHeap
WaitNamedPipeW
WriteFile
Sleep
FormatMessageW
ReadFile
CreateFileW
FlushFileBuffers
GetLastError
SetLastError
VirtualAlloc
DefineDosDeviceW
LocalAlloc
CreateEventW
DeviceIoControl
CloseHandle
LocalFree
GetDriveTypeA
MultiByteToWideChar
SetCurrentDirectoryW
GetWindowsDirectoryW
HeapReAlloc
WaitForSingleObject
SetEvent
GetTickCount
QueryDosDeviceW
WaitForMultipleObjects
DeleteFileW
GetVolumeInformationW
QueryPerformanceCounter
GetCurrentThreadId
GetCurrentProcessId

advapi32

CloseServiceHandle
OpenServiceW
RegCreateKeyW
RegQueryValueExW
RegOpenKeyW
InitializeSecurityDescriptor
RegDeleteKeyW
RegSetValueExW
RegCloseKey
RegDeleteValueW
QueryServiceStatus
StartServiceW
SetSecurityDescriptorDacl
OpenSCManagerW

user32

GetWindowTextLengthW
GetDlgItemInt
SetProcessDPIAware
TrackPopupMenu
PostMessageW
GetSubMenu
GetParent
SetFocus
GetDC
SetDlgItemInt
GetMenu
LoadIconW
GetAsyncKeyState
SetClassLongPtrW
ReleaseDC
EnableMenuItem
EndDialog
SendDlgItemMessageW
CheckDlgButton
DispatchMessageW
GetPropW
SetWindowTextW
MessageBoxW
SendMessageTimeoutW
ShowWindow
GetDlgItem
PeekMessageW
IsDialogMessageW
TranslateMessage
SetPropW
RemovePropW
IsDlgButtonChecked
DialogBoxParamW
DestroyWindow
EnableWindow
MapWindowPoints
SendMessageW
SetDlgItemTextW
GetDlgItemTextW
GetSystemMetrics
DrawMenuBar
CreateDialogParamW

shell32

ShellExecuteW
SHFormatDrive
SHChangeNotify

gdi32

GetDeviceCaps

comctl32

ImageList_Create
ImageList_ReplaceIcon

comdlg32

CommDlgExtendedError
GetSaveFileNameW
GetOpenFileNameW

ntdll

RtlFreeUnicodeString
RtlNtStatusToDosError
NtClose
NtOpenFile
RtlDosPathNameToNtPathName_U
RtlCreateUnicodeString
RtlInitUnicodeString

Exports

Exports

CPlApplet
ImDiskAdjustImageFileSize
ImDiskAllocPrintF
ImDiskBuildMBR
ImDiskChangeFlags
ImDiskCheckDriverVersion
ImDiskConsoleMessageA
ImDiskConsoleMessageW
ImDiskConvertCHSToLBA
ImDiskConvertLBAToCHS
ImDiskCreateDevice
ImDiskCreateDeviceEx
ImDiskCreateMountPoint
ImDiskExtendDevice
ImDiskFindFreeDriveLetter
ImDiskFlushWindowMessages
ImDiskForceRemoveDevice
ImDiskGetAPIFlags
ImDiskGetDeviceList
ImDiskGetDeviceListEx
ImDiskGetFormattedGeometry
ImDiskGetFormattedGeometryIndirect
ImDiskGetOffsetByFileExt
ImDiskGetPartitionInfoIndirect
ImDiskGetPartitionInfoIndirectEx
ImDiskGetPartitionInformation
ImDiskGetPartitionInformationEx
ImDiskGetPartitionTypeName
ImDiskGetRegistryAutoLoadDevices
ImDiskGetSinglePartitionInfoIndirect
ImDiskGetSinglePartitionInformation
ImDiskGetVersion
ImDiskGetVolumeSize
ImDiskImageContainsISOFS
ImDiskImageContainsISOFSIndirect
ImDiskMsgBoxPrintF
ImDiskNativePathToWin32
ImDiskNotifyRemovePending
ImDiskNotifyShellDriveLetter
ImDiskOpenDeviceByMountPoint
ImDiskOpenDeviceByName
ImDiskOpenDeviceByNumber
ImDiskOpenRefreshEvent
ImDiskQueryDevice
ImDiskReadFileHandle
ImDiskRemoveDevice
ImDiskRemoveMountPoint
ImDiskRemoveRegistrySettings
ImDiskSaveImageFile
ImDiskSaveImageFileInteractive
ImDiskSaveRegistrySettings
ImDiskSetAPIFlags
ImDiskStartService
RunDLL_MountFile
RunDLL_MountFileW
RunDLL_RemoveDevice
RunDLL_SaveImageFile

Sections

.text
Size: 70KB - Virtual size: 70KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 39KB - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 60B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/imdisk/sys/amd64/imdisk.sys
.sys windows:6 windows x64 arch:x64

ca1b7a99c1db8c685051151b20cecfd0

Code Sign

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

13/04/2019, 10:00

Subject

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

9f:ea:c8:11:b0:f1:62:47:a5:fc:20:d8:05:23:ac:e6
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

05/05/2015, 00:00

Not After

31/12/2015, 23:59

Subject

CN=COMODO Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

11:21:42:a1:2c:75:7c:ec:88:72:b6:e2:03:ec:d4:ea:64:91
Certificate

Issuer

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

17/01/2013, 15:30

Not After

18/03/2016, 12:43

Subject

CN=Lagerkvist Teknisk Radgivning i Boras HB,O=Lagerkvist Teknisk Radgivning i Boras HB,ST=-,C=SE,1.2.840.113549.1.9.1=#0c10696e666f406c74722d646174612e7365

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0b:7f:6b:00:00:00:00:00:19
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:00

Not After

23/05/2016, 17:10

Subject

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

5c:42:5e:bf:54:48:19:7c:ad:73:70:15:5e:09:9d:b5:dd:f6:67:8b
Signer

Actual PE Digest

5c:42:5e:bf:54:48:19:7c:ad:73:70:15:5e:09:9d:b5:dd:f6:67:8b

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

z:\kod\imdisk\sys\amd64\imdisk.pdb

Imports

ntoskrnl.exe

ExAllocatePoolWithTag
ZwCreateEvent
IoDeleteSymbolicLink
ExFreePoolWithTag
_snwprintf
RtlSetDaclSecurityDescriptor
RtlInitUnicodeString
IoDeleteDevice
KeSetEvent
RtlAppendUnicodeToString
KeInitializeEvent
KeDelayExecutionThread
PsCreateSystemThread
ZwQueryValueKey
IoCreateUnprotectedSymbolicLink
ExEventObjectType
ZwClose
ObReferenceObjectByHandle
KeWaitForSingleObject
RtlCopyUnicodeString
ObfDereferenceObject
IoCreateDevice
ObReferenceObjectByPointer
DbgPrint
RtlCreateSecurityDescriptor
KePulseEvent
ZwOpenKey
KeClearEvent
KeReadStateEvent
IoBuildSynchronousFsdRequest
ZwReadFile
IoGetRelatedDeviceObject
IoCancelIrp
KeWaitForMultipleObjects
IofCallDriver
ZwFsControlFile
KeReleaseInStackQueuedSpinLock
_wcsnicmp
ZwMapViewOfSection
KeAcquireInStackQueuedSpinLock
ZwSetInformationFile
SeCreateClientSecurity
IoFileObjectType
ZwWaitForSingleObject
ZwCreateFile
SeImpersonateClient
ZwFreeVirtualMemory
RtlAppendUnicodeStringToString
ZwDeviceIoControlFile
ZwQueryInformationFile
ZwOpenSection
SeTokenType
ZwAllocateVirtualMemory
IoBuildDeviceIoControlRequest
NtWriteFile
KeSetPriorityThread
NtFsControlFile
MmMapLockedPagesSpecifyCache
PsTerminateSystemThread
IofCompleteRequest
NtReadFile
SeSinglePrivilegeCheck
IoFreeMdl
IoFreeIrp
IoAllocateIrp
MmUnlockPages
ZwOpenEvent
ZwUnmapViewOfSection
KeBugCheckEx

Sections

.text
Size: 18KB - Virtual size: 17KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 360B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 872B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/nativevhdboot_x64.dll
.dll windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Sections

.text
Size: 1024B - Virtual size: 868B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/nativevhdboot_x86.dll
.dll windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.text
Size: 1024B - Virtual size: 858B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x64/BootICE/BOOTICEx64.exe
.exe windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

UPX0
Size: - Virtual size: 1.0MB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 451KB - Virtual size: 452KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 37KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
$TEMP/WinNTSetup/Tools/x64/MSSTMake.exe
.exe windows:5 windows x64 arch:x64

6929a6376371544b1e02fafed262c6a8

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

GetFileSize
lstrcmpA
MoveFileExA
lstrcpynA
ExpandEnvironmentStringsA
GetFileAttributesA
CreateDirectoryA
SetCurrentDirectoryA
FindFirstFileA
GetLastError
SetLastError
RemoveDirectoryA
CopyFileA
SetFileAttributesA
FindClose
FindNextFileA
GetCurrentDirectoryA
CloseHandle
DeleteFileA
lstrcpyA
SetFilePointer
CreateFileA
WritePrivateProfileStructA
MapViewOfFile
UnmapViewOfFile
SetConsoleTextAttribute
WritePrivateProfileSectionA
WriteFile
GetPrivateProfileIntA
WideCharToMultiByte
Sleep
ReadFile
lstrcatA
GetStdHandle
GetPrivateProfileStringA
GetLocalTime
WriteConsoleA
CreateFileMappingA
GetConsoleScreenBufferInfo
WritePrivateProfileStringA
GetPrivateProfileStructA
LoadLibraryW
lstrlenA
GetFullPathNameA
HeapSize
EnterCriticalSection
LeaveCriticalSection
GetStringTypeW
GetSystemTimeAsFileTime
GetCurrentProcessId
GetTickCount
QueryPerformanceCounter
HeapCreate
GetVersion
HeapSetInformation
DeleteCriticalSection
GetStartupInfoW
HeapReAlloc
GetFileType
InitializeCriticalSectionAndSpinCount
SetHandleCount
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetModuleFileNameA
RtlUnwindEx
GetModuleFileNameW
GetCommandLineA
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
EncodePointer
FlsGetValue
FlsSetValue
FlsFree
GetCurrentThreadId
FlsAlloc
DecodePointer
HeapFree
HeapAlloc
LCMapStringW
MultiByteToWideChar
RaiseException
RtlPcToFileHeader
GetProcAddress
GetModuleHandleW
ExitProcess

user32

CharNextA
CharUpperA

advapi32

IsTextUnicode

shlwapi

wnsprintfA
PathCombineA
PathSearchAndQualifyA
PathAddBackslashA
PathIsRelativeA
PathAppendA
PathIsDirectoryA

setupapi

SetupFindNextLine
SetupGetLineCountA
SetupDiGetActualSectionToInstallExA
SetupOpenInfFileA
SetupGetLineTextA
SetupGetFileCompressionInfoExA
SetupGetLineByIndexA
SetupGetSourceFileLocationA
SetupDecompressOrCopyFileA
SetupFindNextMatchLineA
SetupCloseInfFile
SetupGetFieldCount
SetupFindFirstLineA
SetupGetStringFieldA
SetupEnumInfSectionsA
SetupGetIntField

Sections

.text
Size: 60KB - Virtual size: 60KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 28KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 79KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x64/WIMHost.exe
.exe windows:6 windows x64 arch:x64

fc082dea8871a90b6609e99ca5a4a4bd

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\Coding\PureBasic\WinNTSetup\src\WimHost\x64\gWIMHost.pdb

Imports

msvcrt

_wcsicmp
_snwprintf
wcscpy
_wcsdup
free
calloc
wcsncpy
_wfopen
fwprintf
fclose
_wcsnicmp
wcschr
realloc
swscanf
wcscat
__wgetmainargs
wcstoul
wcsncmp
floor
wcslen
malloc
memcpy
memset
wcstok_s

kernel32

Sleep
GetModuleHandleA
ExitProcess
GetFinalPathNameByHandleW
GetFileType
RtlMoveMemory
QueryDosDeviceW
GetVolumeInformationW
GetDriveTypeW
lstrcpynW
MultiByteToWideChar
GetFileSize
SetFilePointerEx
SetLastError
GetStdHandle
GetConsoleScreenBufferInfo
SetConsoleCursorPosition
LoadLibraryW
GetProcAddress
FreeLibrary
FormatMessageW
lstrcpyW
LocalFree
GetLocalTime
GetDateFormatW
GetTimeFormatW
GetFileAttributesW
lstrlenW
WideCharToMultiByte
WriteFile
WriteConsoleA
VirtualProtect
QueryPerformanceCounter
GetEnvironmentVariableW
GetTempPathW
lstrcatW
GetPrivateProfileIntW
FindFirstFileExW
FindNextFileW
FindClose
GetModuleFileNameW
GetLongPathNameW
OpenEventW
RegisterWaitForSingleObject
lstrcmpiW
GetCurrentProcessId
CreateDirectoryW
SetFileAttributesW
GetVolumeNameForVolumeMountPointW
RemoveDirectoryW
CloseHandle
CreateFileW
GetDiskFreeSpaceW
DeviceIoControl
GetLastError
DeleteFileW
QueryPerformanceFrequency
ReadFile
GetDiskFreeSpaceExW
SetEnvironmentVariableW
GetModuleHandleW
GetPrivateProfileSectionW

advapi32

StartServiceW
ConvertStringSecurityDescriptorToSecurityDescriptorW
SetFileSecurityW
CloseServiceHandle
QueryServiceStatus
ConvertSecurityDescriptorToStringSecurityDescriptorW
ControlService
OpenServiceW
OpenSCManagerW

ntdll

RtlCreateUnicodeString
RtlUpcaseUnicodeString
RtlInitUnicodeString
RtlIsNameInExpression
RtlFreeUnicodeString
RtlGetNtVersionNumbers
RtlMultiByteToUnicodeN
RtlUpcaseUnicodeChar
RtlCreateUnicodeStringFromAsciiz
RtlNtStatusToDosError
NtWriteFile
NtReadFile
NtFsControlFile
NtQueryVolumeInformationFile
RtlAdjustPrivilege

ole32

CoCreateInstance
CoInitialize
CoUninitialize
CoInitializeSecurity
CoInitializeEx

shlwapi

PathFindFileNameW
PathCombineW
StrTrimW
StrCmpLogicalW
PathRemoveFileSpecW
PathMatchSpecW
PathRenameExtensionW
PathFileExistsW
PathFindExtensionW
StrStrIW
StrFormatByteSizeW
PathRemoveExtensionW
PathAddExtensionW
PathAddBackslashW
PathSearchAndQualifyW
StrToIntW

Sections

.text
Size: 62KB - Virtual size: 62KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x64/bcdboot.exe
.exe windows:10 windows x64 arch:x64

249e23aef4b736bfce88d0bcb5a752f0

Code Sign

33:00:00:04:3a:75:e5:2f:9e:0b:29:98:1e:00:00:00:00:04:3a
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:25

Not After

01/09/2022, 18:25

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

06:3b:f7:e9:31:a5:fe:0a:b3:5c:db:79:d2:0c:dc:84:59:f8:ce:09:7b:79:85:09:5e:d0:8c:b2:8a:6a:f4:89
Signer

Actual PE Digest

06:3b:f7:e9:31:a5:fe:0a:b3:5c:db:79:d2:0c:dc:84:59:f8:ce:09:7b:79:85:09:5e:d0:8c:b2:8a:6a:f4:89

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

bcdboot.pdb

Imports

msvcrt

_wcsicmp
?terminate@@YAXXZ
_commode
_fmode
__C_specific_handler
memmove
_cexit
_exit
exit
__set_app_type
_initterm
memcpy
memcmp
__wgetmainargs
_amsg_exit
_XcptFilter
fwprintf
_wsetlocale
wcscpy_s
fflush
swprintf_s
__setusermatherr
strncmp
strcpy_s
wcsnlen
wcsstr
_wcslwr
_snwscanf_s
wcsncpy_s
wcstoul
_ultow_s
wcsncmp
wcschr
_vsnwprintf_s
fclose
_wfopen_s
wcscat_s
_wcsupr
wcsrchr
_wcsnicmp
_vsnwprintf
__iob_func
memset

rpcrt4

UuidCreate

imagehlp

CheckSumMappedFile

kernel32

LoadLibraryW
HeapAlloc
WriteConsoleW
GetProcAddress
GetProcessHeap
FreeLibrary
WideCharToMultiByte
GetFileType
Sleep
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetModuleHandleW
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
QueryDosDeviceW
GetFileSizeEx
DeviceIoControl
GetVolumePathNameW
CreateFileW
UnmapViewOfFile
GetVolumeNameForVolumeMountPointW
GetConsoleMode
CloseHandle
CreateFileMappingW
MapViewOfFile
FlushFileBuffers
GetVolumeInformationW
FindFirstFileW
FindNextFileW
GetModuleFileNameW
WriteFile
GetStdHandle
GetPrivateProfileSectionW
FindClose
GetFileAttributesW
GetConsoleOutputCP
SetFileAttributesW
MoveFileExW
HeapFree
GetLastError
GetLogicalDrives
FindFirstVolumeW
SetVolumeMountPointW
LocalFree
FindVolumeClose
DeleteVolumeMountPointW
FindNextVolumeW
LoadLibraryExW
SetLastError
CreateDirectoryW
FormatMessageW
LoadResource
FindResourceExW
LCIDToLocaleName
GetVersionExW
GetUserDefaultUILanguage
GetModuleHandleExW
GetLocaleInfoEx
GetSystemDefaultUILanguage
GetFileInformationByHandleEx
GetFileInformationByHandle
SetFileInformationByHandle
DeleteFileW
CopyFileExW
GetFullPathNameW
GetLongPathNameW
GetLocaleInfoW
LocaleNameToLCID
GetCurrentThread
SearchPathW

advapi32

EventRegister
EventUnregister
LookupPrivilegeValueW
GetSecurityDescriptorSacl
AdjustTokenPrivileges
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
SetNamedSecurityInfoW
GetSecurityDescriptorControl
RegQueryValueExW
GetSecurityDescriptorOwner
OpenProcessToken
ConvertSidToStringSidW
ConvertStringSecurityDescriptorToSecurityDescriptorW
OpenThreadToken
GetTokenInformation
EventWriteTransfer
RegCloseKey
RegOpenKeyExW

shlwapi

PathRemoveBackslashW

ntdll

ZwReleaseMutant
ZwOpenFile
ZwOpenMutant
ZwClose
RtlLengthSecurityDescriptor
RtlSetOwnerSecurityDescriptor
NtOpenSymbolicLinkObject
RtlSetDaclSecurityDescriptor
NtOpenKey
NtQuerySymbolicLinkObject
RtlAddAccessAllowedAceEx
RtlAllocateAndInitializeSid
RtlLengthSid
RtlFreeSid
RtlCreateAcl
RtlCreateSecurityDescriptor
NtQueryValueKey
NtQueryBootEntryOrder
NtQueryBootOptions
NtTranslateFilePath
NtOpenDirectoryObject
NtQueryDirectoryObject
NtEnumerateBootEntries
ZwCreateFile
ZwCreateKey
ZwQueryKey
ZwFlushKey
ZwDeleteValueKey
ZwSaveKey
ZwDeleteKey
ZwEnumerateKey
ZwQueryValueKey
ZwSetSecurityObject
ZwUnloadKey
ZwSetValueKey
ZwOpenKey
ZwAllocateUuids
ZwQuerySymbolicLinkObject
ZwDeviceIoControlFile
ZwQueryDirectoryObject
ZwOpenSymbolicLinkObject
ZwOpenDirectoryObject
LdrGetProcedureAddress
LdrGetDllHandle
ZwQueryInformationProcess
RtlInitAnsiString
ZwQueryInformationFile
ZwOpenProcess
NtAdjustPrivilegesToken
NtOpenProcessTokenEx
NtOpenThreadTokenEx
RtlImpersonateSelf
ZwLoadKey
ZwQueryAttributesFile
RtlAppendUnicodeToString
ZwQuerySystemInformation
RtlAllocateHeap
LdrAccessResource
LdrFindResource_U
RtlCompareMemory
RtlFreeHeap
RtlStringFromGUID
NtSetInformationFile
RtlFreeUnicodeString
NtQuerySystemInformation
NtOpenFile
NtWaitForSingleObject
RtlNtStatusToDosError
NtQueryInformationThread
NtQueryInformationFile
NtCreateEvent
NtClose
RtlImageNtHeader
NtDeviceIoControlFile
NtSetInformationThread
NtReadFile
NtOpenProcess
NtQueryInformationProcess
NtWriteFile
RtlInitUnicodeString
RtlGUIDFromString
ZwWaitForSingleObject

Sections

.text
Size: 144KB - Virtual size: 141KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 76KB - Virtual size: 73KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 184B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x64/bcdedit.exe
.exe windows:10 windows x64 arch:x64

bacab27f15864af5e33e7877f3628945

Code Sign

33:00:00:04:39:f6:1f:7a:67:6d:a0:00:af:00:00:00:00:04:39
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:25

Not After

01/09/2022, 18:25

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

df:00:7e:bc:c1:cb:e4:b6:22:5e:39:1e:e2:65:d8:6d:ca:cb:b9:de:5a:ac:80:39:d5:a4:9b:fd:ab:71:c8:c1
Signer

Actual PE Digest

df:00:7e:bc:c1:cb:e4:b6:22:5e:39:1e:e2:65:d8:6d:ca:cb:b9:de:5a:ac:80:39:d5:a4:9b:fd:ab:71:c8:c1

Digest Algorithm

sha256

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

bcdedit.pdb

Imports

msvcrt

__setusermatherr
_initterm
_exit
__C_specific_handler
_fmode
_commode
?terminate@@YAXXZ
memmove
memcpy
exit
__set_app_type
__wgetmainargs
_amsg_exit
_XcptFilter
towupper
iswspace
_vsnwprintf
wcsrchr
_wtol
wcschr
_ui64tow_s
_wcstoui64
wcstoul
_cexit
_wcsicmp
wcscpy_s
_wtoi
_wcsnicmp
fflush
fwprintf
__iob_func
_vsnwprintf_s
wcscat_s
_ultow_s
strcpy_s
wcsncpy_s
wcsstr
wcsnlen
_wcsupr
strncmp
_snwscanf_s
_wcslwr
_aligned_free
_aligned_malloc
free
malloc
wcsncmp
vswprintf_s
_vscwprintf
_wsetlocale
swprintf_s
memcmp
memset

ntdll

ZwClose
ZwQuerySystemInformation
RtlAppendUnicodeToString
ZwQueryAttributesFile
ZwQuerySymbolicLinkObject
ZwDeviceIoControlFile
ZwQueryDirectoryObject
ZwOpenSymbolicLinkObject
ZwOpenDirectoryObject
RtlLengthSecurityDescriptor
RtlSetOwnerSecurityDescriptor
RtlSetDaclSecurityDescriptor
ZwCreateFile
ZwCreateKey
ZwLoadKey
RtlAddAccessAllowedAceEx
RtlAllocateAndInitializeSid
RtlLengthSid
ZwDeleteValueKey
ZwSaveKey
RtlFreeSid
ZwDeleteKey
ZwEnumerateKey
ZwQueryValueKey
RtlCreateAcl
ZwSetSecurityObject
ZwUnloadKey
RtlCreateSecurityDescriptor
ZwSetValueKey
ZwOpenKey
LdrGetProcedureAddress
ZwQueryVolumeInformationFile
LdrGetDllHandle
ZwQueryInformationProcess
ZwDeleteFile
ZwQueryInformationFile
ZwOpenProcess
NtQuerySystemInformation
ZwAllocateUuids
NtAdjustPrivilegesToken
NtOpenProcessTokenEx
NtSetInformationThread
NtOpenThreadTokenEx
ZwOpenMutant
RtlImpersonateSelf
NtOpenSymbolicLinkObject
NtOpenKey
NtQuerySymbolicLinkObject
NtDeviceIoControlFile
NtSetValueKey
NtQueryValueKey
NtDeleteKey
NtQueryBootEntryOrder
NtQueryBootOptions
NtSetSecurityObject
NtTranslateFilePath
NtOpenDirectoryObject
NtQueryDirectoryObject
NtEnumerateBootEntries
NtCreateKey
RtlUpcaseUnicodeChar
RtlRunOnceComplete
RtlRunOnceBeginInitialize
RtlFindNextForwardRunClear
RtlNumberOfSetBits
RtlInitializeSRWLock
RtlReleaseSRWLockExclusive
RtlAcquireSRWLockExclusive
ZwReleaseMutant
ZwQueryKey
ZwWaitForSingleObject
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
NtClose
NtOpenFile
RtlStringFromGUID
RtlDosPathNameToNtPathName_U
RtlFreeUnicodeString
RtlCompareMemory
RtlUnicodeStringToAnsiString
RtlAnsiStringToUnicodeString
RtlInitAnsiString
RtlGUIDFromString
RtlInitUnicodeString
RtlIpv6StringToAddressW
RtlFreeHeap
RtlNtStatusToDosError
RtlAllocateHeap
ZwOpenFile

kernel32

FormatMessageW
GetLocaleInfoEx
GetLocaleInfoW
LocalFree
GetVolumeNameForVolumeMountPointW
Sleep
GetSystemDefaultUILanguage
LCIDToLocaleName
GetUserDefaultUILanguage

api-ms-win-core-libraryloader-l1-1-0

FindResourceExW
LoadResource
GetProcAddress
GetModuleHandleW
FreeLibrary
GetModuleFileNameW
LoadLibraryExW

api-ms-win-core-errorhandling-l1-1-0

GetLastError
UnhandledExceptionFilter
SetLastError
SetUnhandledExceptionFilter

api-ms-win-core-console-l1-1-0

GetConsoleOutputCP
GetConsoleMode
WriteConsoleW

api-ms-win-core-file-l1-1-0

WriteFile
ReadFile
GetFileSizeEx
GetFileType
QueryDosDeviceW
CreateFileW
SetEndOfFile
SetFilePointerEx
FlushFileBuffers
GetFinalPathNameByHandleW

api-ms-win-core-processenvironment-l1-1-0

SearchPathW
GetStdHandle

api-ms-win-core-string-l1-1-0

WideCharToMultiByte

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-io-l1-1-0

DeviceIoControl

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcessId
TlsFree
TlsGetValue
TlsAlloc
TerminateProcess
GetCurrentProcess
TlsSetValue
GetCurrentThreadId

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0

GetVersionExW
GetTickCount
GetSystemTimeAsFileTime

api-ms-win-core-synch-l1-1-0

DeleteCriticalSection
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
EnterCriticalSection

api-ms-win-security-base-l1-1-0

GetAce
GetSecurityDescriptorLength
GetSidSubAuthority
GetSidLengthRequired
IsValidSecurityDescriptor
DestroyPrivateObjectSecurity
SetSecurityDescriptorGroup
MakeSelfRelativeSD
CreatePrivateObjectSecurityWithMultipleInheritance
InitializeSecurityDescriptor
GetSecurityDescriptorControl
InitializeSid
SetSecurityDescriptorOwner
IsValidSid
InitializeAcl
SetSecurityDescriptorDacl
SetPrivateObjectSecurityEx
GetLengthSid
AddAccessAllowedAce

cryptsp

CryptGenRandom
CryptReleaseContext
CryptAcquireContextA

advapi32

RegCloseKey
RegQueryValueExW
RegOpenKeyExW

api-ms-win-core-memory-l1-1-0

UnmapViewOfFile
MapViewOfFile
CreateFileMappingW

Exports

Exports

ORCloseHive
ORCloseKey
ORCreateHive
ORCreateHiveEx
ORCreateKey
ORDeleteKey
ORDeleteValue
OREnumKey
OREnumValue
ORFlushHive
ORGetKeySecurity
ORGetValue
ORGetVirtualFlags
OROpenHive
OROpenHiveByHandle
OROpenKey
ORQueryInfoKey
ORQueryInfoKeyEx
ORQueryInfoKeyValueEx
ORRenameKey
ORSaveHive
ORSaveHiveEx
ORSaveHiveToHandle
ORSetKeySecurity
ORSetValue
ORSetVirtualFlags

Sections

.text
Size: 188KB - Virtual size: 185KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGE
Size: 12KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGECMRC
Size: 4KB - Virtual size: 130B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 100KB - Virtual size: 97KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 156KB - Virtual size: 152KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x64/bootsect.exe
.exe windows:10 windows x64 arch:x64

269bc7caa667e7cadaea81a91368ae56

Code Sign

33:00:00:04:3a:75:e5:2f:9e:0b:29:98:1e:00:00:00:00:04:3a
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:25

Not After

01/09/2022, 18:25

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

ae:92:02:df:a9:27:e4:e2:39:62:64:74:2b:52:7d:a2:f0:c1:2c:8e:5b:ef:01:b3:50:57:1c:53:f5:85:2f:02
Signer

Actual PE Digest

ae:92:02:df:a9:27:e4:e2:39:62:64:74:2b:52:7d:a2:f0:c1:2c:8e:5b:ef:01:b3:50:57:1c:53:f5:85:2f:02

Digest Algorithm

sha256

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

bootsect.pdb

Imports

msvcrt

?terminate@@YAXXZ
_amsg_exit
_XcptFilter
__setusermatherr
__getmainargs
iswxdigit
_vsnwprintf
_wcsnicmp
memcpy
_stricmp
swprintf_s
__set_app_type
isalpha
exit
_exit
_cexit
__C_specific_handler
_fmode
_initterm
wcsncmp
_snwscanf_s
_wcslwr
wcsstr
wcsnlen
memset
wcscpy_s
_commode
_wcsicmp

api-ms-win-core-file-l1-1-0

QueryDosDeviceW
SetFilePointer
CreateFileW
GetFileType
ReadFile
WriteFile

api-ms-win-core-libraryloader-l1-1-0

FindResourceExW
GetModuleHandleExW
LoadLibraryExW
FreeLibrary
LoadResource
GetModuleFileNameW
GetModuleHandleW
GetProcAddress

ntdll

RtlLookupFunctionEntry
RtlCaptureContext
NtWaitForSingleObject
RtlFreeHeap
NtQueryDirectoryObject
NtCreateEvent
NtOpenDirectoryObject
NtDeviceIoControlFile
NtQuerySymbolicLinkObject
RtlAllocateHeap
NtOpenSymbolicLinkObject
NtResetEvent
NtOpenFile
NtQueryVolumeInformationFile
RtlNtStatusToDosError
NtOpenKey
RtlVirtualUnwind
NtQueryValueKey
NtQueryBootEntryOrder
NtQueryBootOptions
NtTranslateFilePath
NtEnumerateBootEntries
NtAdjustPrivilegesToken
NtOpenProcessTokenEx
NtSetInformationThread
NtOpenThreadTokenEx
RtlImpersonateSelf
NtFsControlFile
NtClose
RtlInitUnicodeString
NtQuerySystemInformation

advapi32

EventUnregister
EventWriteTransfer
EventRegister
RegOpenKeyExW
RegCloseKey
RegQueryValueExW

api-ms-win-core-errorhandling-l1-1-0

GetLastError
SetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter

api-ms-win-core-console-l1-1-0

WriteConsoleW
GetConsoleOutputCP
GetConsoleMode

api-ms-win-core-processenvironment-l1-1-0

GetStdHandle
SearchPathW

kernel32

LocalAlloc
LocalFree
FormatMessageW
GetLocaleInfoEx
GetLocaleInfoW
Sleep
GetSystemDefaultUILanguage
GetUserDefaultUILanguage
LCIDToLocaleName

api-ms-win-core-string-l1-1-0

WideCharToMultiByte

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcessId
GetCurrentThreadId
GetCurrentProcess
TerminateProcess

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime
GetVersionExW

api-ms-win-core-memory-l1-1-0

CreateFileMappingW
UnmapViewOfFile
MapViewOfFile

api-ms-win-core-handle-l1-1-0

CloseHandle

Sections

.text
Size: 32KB - Virtual size: 28KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 24KB - Virtual size: 28KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 192B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x64/offreg.dll
.dll windows:10 windows x64 arch:x64

9fb70bcbb2c24e9538c79a79e1f5a64d

Code Sign

33:00:00:04:fe:59:ca:b7:e6:2a:a5:22:c1:00:00:00:00:04:fe
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/02/2023, 20:11

Not After

31/01/2024, 20:11

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

a2:eb:9a:db:50:96:0b:26:5c:e2:b0:ee:c9:76:82:bc:3d:c3:66:6b:bd:de:98:c5:29:c0:75:2d:a6:e7:6b:d0
Signer

Actual PE Digest

a2:eb:9a:db:50:96:0b:26:5c:e2:b0:ee:c9:76:82:bc:3d:c3:66:6b:bd:de:98:c5:29:c0:75:2d:a6:e7:6b:d0

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

offreg.pdb

Imports

msvcrt

_amsg_exit
free
malloc
_initterm
__C_specific_handler
memmove
_XcptFilter
_wcsnicmp
wcsncpy_s
wcscat_s
wcsnlen
_aligned_malloc
_aligned_free
qsort
_wcsicmp
memcpy
memcmp
memset

kernel32

FlushFileBuffers
CloseHandle
CreateFileW
SetEndOfFile
WriteFile
GetFileSizeEx
ReadFile
GetFinalPathNameByHandleW
TlsSetValue
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
Sleep
TlsFree
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
SetFilePointerEx
GetModuleHandleW
DeleteCriticalSection
GetProcAddress
GetLastError
LeaveCriticalSection
EnterCriticalSection

advapi32

GetAce
GetSidSubAuthority
GetSidLengthRequired
CreatePrivateObjectSecurityWithMultipleInheritance
InitializeSid
IsValidSid
InitializeAcl
SetPrivateObjectSecurityEx
GetLengthSid
AddAccessAllowedAce
SetSecurityDescriptorDacl
SetSecurityDescriptorOwner
GetSecurityDescriptorControl
IsValidSecurityDescriptor
InitializeSecurityDescriptor
MakeSelfRelativeSD
SetSecurityDescriptorGroup
DestroyPrivateObjectSecurity
GetSecurityDescriptorLength

ntdll

RtlInitUnicodeString
RtlUpcaseUnicodeChar
RtlRunOnceComplete
RtlRunOnceBeginInitialize
RtlFindNextForwardRunClear
RtlNumberOfSetBits
RtlInitializeSRWLock
RtlReleaseSRWLockExclusive
RtlAcquireSRWLockExclusive
RtlFreeHeap
RtlAllocateHeap
RtlNtStatusToDosError

Exports

Exports

ORCloseHive
ORCloseKey
ORCreateHive
ORCreateHiveEx
ORCreateKey
ORDeleteKey
ORDeleteValue
OREnumKey
OREnumValue
ORFlushHive
ORGetKeySecurity
ORGetValue
ORGetVersion
ORGetVirtualFlags
ORMergeHives
OROpenHive
OROpenHiveByHandle
OROpenKey
ORQueryInfoKey
ORQueryInfoKeyEx
ORQueryInfoKeyValueEx
ORRenameKey
ORSaveHive
ORSaveHiveEx
ORSaveHiveToHandle
ORSetKeySecurity
ORSetValue
ORSetVirtualFlags

Sections

.text
Size: 60KB - Virtual size: 56KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGE
Size: 12KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGECMRC
Size: 4KB - Virtual size: 130B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1016B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 44B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x64/wimgapi.dll
.dll windows:10 windows x64 arch:x64

24fc8bb3c932b67f7f6e5cf14c4c953c

Code Sign

33:00:00:04:3a:75:e5:2f:9e:0b:29:98:1e:00:00:00:00:04:3a
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

02/09/2021, 18:25

Not After

01/09/2022, 18:25

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

e7:88:5f:6f:34:f0:89:07:dc:50:ec:cd:ad:01:52:f3:ad:82:1e:dd:d8:8c:90:3b:79:5a:d9:f9:95:0c:f8:db
Signer

Actual PE Digest

e7:88:5f:6f:34:f0:89:07:dc:50:ec:cd:ad:01:52:f3:ad:82:1e:dd:d8:8c:90:3b:79:5a:d9:f9:95:0c:f8:db

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP
IMAGE_FILE_NET_RUN_FROM_SWAP
IMAGE_FILE_DLL

PDB Paths

wimgapi.pdb

Imports

msvcrt

_XcptFilter
swscanf_s
_wtoi
_vsnwprintf
wcsstr
memmove
_onexit
wcsnlen
__dllonexit
_wcsnicmp
_unlock
_lock
__C_specific_handler
wcsncmp
_initterm
strncpy_s
malloc
free
memcpy_s
_amsg_exit
_strnicmp
towupper
towlower
memcpy
memcmp
_callnewh
_vscwprintf
_purecall
iswspace
memmove_s
strcpy_s
_wcslwr
_wcsrev
wcschr
qsort
_wcsupr
wcstoul
wcstok_s
_wcstoi64
_wcsicmp
wcsrchr
memset

kernel32

GetLastError
CompareStringW
HeapFree
GetProcessHeap
SetLastError
DeleteFileW
CreateFileW
GetFileInformationByHandle
CloseHandle
LocalAlloc
HeapAlloc
GetSystemDirectoryW
LocalFree
GetDriveTypeW
RemoveDirectoryW
GetCurrentDirectoryW
GetLongPathNameW
SetFileInformationByHandle
GetFileAttributesW
FindFirstFileW
FindNextFileW
FindClose
GetTempPathW
GetTempFileNameW
GetFileSize
SetFilePointer
ReadFile
SetFilePointerEx
DeleteCriticalSection
GetSystemInfo
InitializeCriticalSection
SetThreadIdealProcessor
GetCurrentThread
GetEnvironmentVariableW
GetOverlappedResult
EnterCriticalSection
LeaveCriticalSection
FlushFileBuffers
CreateDirectoryW
WriteFile
SetEndOfFile
CreateEventW
LockFileEx
UnlockFileEx
GetFileSizeEx
DeviceIoControl
HeapReAlloc
GetHandleInformation
WaitForSingleObject
CreateMutexW
GetModuleHandleExW
GetModuleFileNameW
FormatMessageW
ReleaseMutex
WideCharToMultiByte
GetFileInformationByHandleEx
GetVolumePathNamesForVolumeNameW
LoadLibraryW
GetVolumeNameForVolumeMountPointW
GetVolumePathNameW
InitializeCriticalSectionAndSpinCount
QueryPerformanceCounter
OpenProcess
GetCurrentProcessId
SetFileAttributesW
GlobalMemoryStatusEx
GetFinalPathNameByHandleW
LoadLibraryExW
FreeLibrary
GetProcAddress
GetFullPathNameW
GetVolumeInformationW
DuplicateHandle
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
DisableThreadLibraryCalls
OpenEventW
Sleep
ExpandEnvironmentStringsW
GetCurrentThreadId
GetSystemTimeAsFileTime
TerminateProcess
GetCurrentProcess
GetPrivateProfileSectionW
GetModuleHandleW
WaitForMultipleObjects
ReleaseSemaphore
SetEvent
CreateSemaphoreW
CreateThread
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
LCIDToLocaleName
CopyFileExW
SetFileTime
LocalFileTimeToFileTime
DosDateTimeToFileTime
WaitForMultipleObjectsEx
ResetEvent
CreateFileMappingW
MapViewOfFile
UnmapViewOfFile
GetTickCount
GetLogicalDriveStringsW
Wow64DisableWow64FsRedirection
CreateProcessW
GetExitCodeProcess
Wow64RevertWow64FsRedirection
CreateSemaphoreExW
MultiByteToWideChar

bcrypt

BCryptCreateHash
BCryptHashData
BCryptFinishHash
BCryptDestroyHash
BCryptCloseAlgorithmProvider
BCryptGetProperty
BCryptOpenAlgorithmProvider

fltlib

FilterAttach
FilterConnectCommunicationPort
FilterLoad
FilterSendMessage

cabinet

ord22
ord20
ord23

advapi32

GetSecurityDescriptorSacl
RegDeleteKeyExW
AdjustTokenPrivileges
SetThreadToken
RegEnumKeyExW
RegEnumValueW
RegQueryInfoKeyW
RegQueryValueExW
ReadEncryptedFileRaw
CloseEncryptedFileRaw
WriteEncryptedFileRaw
OpenEncryptedFileRawW
GetAclInformation
GetSecurityDescriptorControl
GetSecurityDescriptorDacl
GetSecurityDescriptorGroup
GetSecurityDescriptorOwner
AddAccessAllowedAceEx
RevertToSelf
GetSecurityDescriptorLength
GetSecurityInfo
FreeSid
SetSecurityDescriptorDacl
EqualSid
AddAccessAllowedAce
InitializeAcl
GetLengthSid
GetTokenInformation
OpenProcessToken
OpenThreadToken
AllocateAndInitializeSid
InitializeSecurityDescriptor
RegUnLoadKeyW
RegFlushKey
RegSetValueExW
RegDeleteValueW
RegCreateKeyExW
RegLoadKeyW
RegCloseKey
RegOpenKeyExW

version

GetFileVersionInfoExW
GetFileVersionInfoSizeExW
VerQueryValueW

user32

CharUpperW

ntdll

RtlInitializeResource
RtlAcquireResourceExclusive
RtlAcquireResourceShared
RtlReleaseResource
RtlDeleteResource
NtQuerySecurityObject
RtlRaiseStatus
RtlDosPathNameToNtPathName_U_WithStatus
RtlInitializeCriticalSection
DbgPrintEx
NtUnloadKey2
RtlReAllocateHeap
NtYieldExecution
RtlDowncaseUnicodeChar
RtlGetVersion
NtSetSecurityObject
RtlFindAceByType
RtlSetControlSecurityDescriptor
RtlInitUnicodeString
RtlImpersonateSelf
NtQueryVolumeInformationFile
NtCreateFile
NtQueryEaFile
NtQueryInformationProcess
NtQueryInformationFile
RtlGetLastNtStatus
NtSetInformationFile
RtlSetIoCompletionCallback
RtlFreeHeap
NtClose
NtQueryDirectoryFile
RtlAllocateHeap
NtOpenFile
RtlDosPathNameToNtPathName_U
RtlAdjustPrivilege
RtlNtStatusToDosError
NtSetEaFile

rpcrt4

UuidToStringW
I_RpcMapWin32Status
RpcStringBindingComposeW
RpcStringFreeW
UuidFromStringW
NdrClientCall3
UuidCreate
RpcBindingFromStringBindingW
RpcBindingSetAuthInfoW
RpcBindingFree

Exports

Exports

DllCanUnloadNow
DllMain
WIMAddImagePath
WIMAddImagePaths
WIMAddWimbootEntry
WIMApplyImage
WIMCaptureImage
WIMCloseHandle
WIMCommitImageHandle
WIMCopyFile
WIMCreateFile
WIMCreateImageFile
WIMCreateWofCompressedFile
WIMDeleteImage
WIMDeleteImageMounts
WIMEnumImageFiles
WIMExportImage
WIMExtractImageDirectory
WIMExtractImagePath
WIMExtractImagePathByWimHandle
WIMFindFirstImageFile
WIMFindNextImageFile
WIMGetAttributes
WIMGetImageCount
WIMGetImageInformation
WIMGetMessageCallbackCount
WIMGetMountedImageHandle
WIMGetMountedImageInfo
WIMGetMountedImageInfoFromHandle
WIMGetMountedImages
WIMGetWIMBootEntries
WIMGetWIMBootWIMPath
WIMGetWimFileSize
WIMInitFileIOCallbacks
WIMInitializeWofDriver
WIMIsCurrentSystemWimboot
WIMIsReferenceWim
WIMLoadImage
WIMLoadOSInformation
WIMMountImage
WIMMountImageHandle
WIMProcessCustomImage
WIMReadFileEx
WIMReadImageFile
WIMRedirectFolderBeforeApply
WIMRegisterLogFile
WIMRegisterMessageCallback
WIMRemountImage
WIMSetBootImage
WIMSetCachedSigningLevel
WIMSetFileIOCallbackTemporaryPath
WIMSetImageInformation
WIMSetImageUserSpecifiedCreationTime
WIMSetReferenceFile
WIMSetTemporaryPath
WIMSetWimGuid
WIMSingleInstanceFile
WIMSplitFile
WIMUnmountImage
WIMUnmountImageHandle
WIMUnregisterLogFile
WIMUnregisterMessageCallback
WIMUpdateWIMBootEntry
WIMWriteFileWithIntegrity

Sections

.text
Size: 624KB - Virtual size: 623KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 120KB - Virtual size: 117KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 16KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 16KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 712B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x64/wimlib.dll
.dll windows:4 windows x64 arch:x64

91ac1c219b128fd269b4a1137bdbc40a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL

Imports

advapi32

AdjustTokenPrivileges
CloseEncryptedFileRaw
LookupPrivilegeValueW
OpenEncryptedFileRawW
OpenProcessToken
ReadEncryptedFileRaw
RegCloseKey
RegCreateKeyExW
RegFlushKey
RegLoadKeyW
RegSetValueExW
RegUnLoadKeyW
SystemFunction036
WriteEncryptedFileRaw

kernel32

CloseHandle
CreateFileW
CreateThread
DeleteCriticalSection
DeleteFileW
DeviceIoControl
EnterCriticalSection
FindClose
FindFirstFileW
FindFirstVolumeW
FindNextFileW
FindNextVolumeW
FindVolumeClose
FlushFileBuffers
FormatMessageW
FreeLibrary
GetCurrentProcess
GetDiskFreeSpaceExW
GetEnvironmentVariableA
GetFileInformationByHandle
GetFileSizeEx
GetFileType
GetFullPathNameW
GetLastError
GetModuleHandleW
GetProcAddress
GetProcessHeap
GetSystemInfo
GetSystemTimeAsFileTime
GetVolumeInformationW
GlobalMemoryStatusEx
HeapAlloc
HeapFree
InitializeConditionVariable
InitializeCriticalSection
IsDBCSLeadByteEx
LeaveCriticalSection
LoadLibraryW
MoveFileExW
MoveFileW
MultiByteToWideChar
ReadFile
SetEndOfFile
SetFilePointer
SetFilePointerEx
SetLastError
Sleep
SleepConditionVariableCS
TlsGetValue
VirtualProtect
VirtualQuery
WaitForSingleObject
WakeAllConditionVariable
WakeConditionVariable
WideCharToMultiByte
WriteFile

msvcrt

___lc_codepage_func
___mb_cur_max_func
__iob_func
_amsg_exit
_close
_errno
_fdopen
_fstat64
_get_osfhandle
_gmtime64
_initterm
_lock
_lseeki64
_open_osfhandle
_telli64
_unlock
_waccess
_wassert
_wcserror_s
_wcsicmp
_wgetenv
_wmkdir
_wopen
_wstat64
_wtempnam
_wunlink
abort
calloc
fclose
feof
fflush
fgetwc
fputc
fputwc
fputws
fread
free
fwprintf
fwrite
getenv
iswctype
localeconv
malloc
memchr
memcmp
memcpy
memmove
memset
putc
qsort
realloc
strchr
strerror
strlen
strncmp
towlower
ungetwc
vfprintf
wcschr
wcscmp
wcscpy
wcsftime
wcslen
wcsncmp
wcspbrk
wcsrchr
wcsstr
wcstol
wcstoul

ntdll

NtClose
NtCreateFile
NtFsControlFile
NtOpenFile
NtOpenSymbolicLinkObject
NtQueryDirectoryFile
NtQueryEaFile
NtQueryInformationFile
NtQuerySecurityObject
NtQueryVolumeInformationFile
NtReadFile
NtSetEaFile
NtSetInformationFile
NtSetSecurityObject
NtWaitForSingleObject
NtWriteFile
RtlDosPathNameToNtPathName_U
RtlInitUnicodeString
RtlNtStatusToDosError

user32

wsprintfW

Exports

Exports

sha1_final
sha1_init
sha1_update
wimlib_add_empty_image
wimlib_add_image
wimlib_add_image_multisource
wimlib_add_tree
wimlib_compress
wimlib_create_compressor
wimlib_create_decompressor
wimlib_create_new_wim
wimlib_decompress
wimlib_delete_image
wimlib_delete_path
wimlib_export_image
wimlib_extract_image
wimlib_extract_image_from_pipe
wimlib_extract_image_from_pipe_with_progress
wimlib_extract_image_path
wimlib_extract_pathlist
wimlib_extract_paths
wimlib_extract_xml_data
wimlib_free
wimlib_free_compressor
wimlib_free_decompressor
wimlib_free_memory
wimlib_get_compression_type_string
wimlib_get_compressor_needed_memory
wimlib_get_error_string
wimlib_get_image_description
wimlib_get_image_name
wimlib_get_image_property
wimlib_get_version
wimlib_get_version_string
wimlib_get_wim_info
wimlib_get_xml_data
wimlib_global_cleanup
wimlib_global_init
wimlib_image_name_in_use
wimlib_iterate_dir_tree
wimlib_iterate_lookup_table
wimlib_join
wimlib_join_with_progress
wimlib_load_text_file
wimlib_mount_image
wimlib_open_wim
wimlib_open_wim_with_progress
wimlib_overwrite
wimlib_print_available_images
wimlib_print_header
wimlib_read_image_file
wimlib_reference_resource_files
wimlib_reference_resources
wimlib_reference_template_image
wimlib_register_progress_function
wimlib_rename_path
wimlib_resolve_image
wimlib_set_default_compression_level
wimlib_set_error_file
wimlib_set_error_file_by_name
wimlib_set_image_descripton
wimlib_set_image_flags
wimlib_set_image_name
wimlib_set_image_property
wimlib_set_memory_allocator
wimlib_set_output_chunk_size
wimlib_set_output_compression_type
wimlib_set_output_pack_chunk_size
wimlib_set_output_pack_compression_type
wimlib_set_print_errors
wimlib_set_wim_info
wimlib_split
wimlib_unmount_image
wimlib_unmount_image_with_progress
wimlib_update_image
wimlib_verify_wim
wimlib_write
wimlib_write_to_fd

Sections

.text
Size: 339KB - Virtual size: 338KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 720B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 101KB - Virtual size: 100KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 130KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 88B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 644B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Tools/x64/wimlib/libwim-15.dll
.dll windows:6 windows x64 arch:x64

280f435e0e43af52cb30cc89787f17b7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

Imports

ntdll

NtClose
NtCreateFile
NtFsControlFile
NtOpenFile
NtOpenSymbolicLinkObject
NtQueryDirectoryFile
NtQueryEaFile
NtQueryInformationFile
NtQuerySecurityObject
NtQueryVolumeInformationFile
NtReadFile
NtSetEaFile
NtSetInformationFile
NtSetSecurityObject
NtWaitForSingleObject
NtWriteFile
RtlDosPathNameToNtPathName_U
RtlInitUnicodeString
RtlNtStatusToDosError

msvcrt

___lc_codepage_func
___mb_cur_max_func
__iob_func
_amsg_exit
_close
_errno
_fdopen
_fstat64
_get_osfhandle
_gmtime64
_initterm
_lock
_lseeki64
_open_osfhandle
_telli64
_unlock
_waccess
_wassert
_wcserror_s
_wcsicmp
_wgetenv
_wmkdir
_wopen
_wstat64
_wtempnam
_wunlink
abort
calloc
fclose
feof
fflush
fgetwc
fputc
fputwc
fputws
fread
free
fwprintf
fwrite
getenv
iswctype
localeconv
malloc
memchr
memcmp
memcpy
memmove
memset
putc
qsort
realloc
strchr
strerror
strlen
strncmp
towlower
ungetwc
vfprintf
wcschr
wcscmp
wcscpy
wcsftime
wcslen
wcsncmp
wcspbrk
wcsrchr
wcsstr
wcstol
wcstoul

advapi32

AdjustTokenPrivileges
CloseEncryptedFileRaw
LookupPrivilegeValueW
OpenEncryptedFileRawW
OpenProcessToken
ReadEncryptedFileRaw
RegCloseKey
RegCreateKeyExW
RegFlushKey
RegLoadKeyW
RegSetValueExW
RegUnLoadKeyW
SystemFunction036
WriteEncryptedFileRaw

user32

wsprintfW

kernel32

CloseHandle
CreateFileW
CreateThread
DeleteCriticalSection
DeleteFileW
DeviceIoControl
EnterCriticalSection
FindClose
FindFirstFileW
FindFirstVolumeW
FindNextFileW
FindNextVolumeW
FindVolumeClose
FlushFileBuffers
FormatMessageW
FreeLibrary
GetCurrentProcess
GetDiskFreeSpaceExW
GetEnvironmentVariableA
GetFileInformationByHandle
GetFileSizeEx
GetFileType
GetFullPathNameW
GetLastError
GetModuleHandleW
GetProcAddress
GetProcessHeap
GetSystemInfo
GetSystemTimeAsFileTime
GetVolumeInformationW
GlobalMemoryStatusEx
HeapAlloc
HeapFree
InitializeConditionVariable
InitializeCriticalSection
IsDBCSLeadByteEx
LeaveCriticalSection
LoadLibraryW
MoveFileExW
MoveFileW
MultiByteToWideChar
ReadFile
SetEndOfFile
SetFilePointer
SetFilePointerEx
SetLastError
Sleep
SleepConditionVariableCS
TlsGetValue
VirtualProtect
VirtualQuery
WaitForSingleObject
WakeAllConditionVariable
WakeConditionVariable
WideCharToMultiByte
WriteFile

Exports

Exports

wimlib_add_empty_image
wimlib_add_image
wimlib_add_image_multisource
wimlib_add_tree
wimlib_compress
wimlib_create_compressor
wimlib_create_decompressor
wimlib_create_new_wim
wimlib_decompress
wimlib_delete_image
wimlib_delete_path
wimlib_export_image
wimlib_extract_image
wimlib_extract_image_from_pipe
wimlib_extract_image_from_pipe_with_progress
wimlib_extract_pathlist
wimlib_extract_paths
wimlib_extract_xml_data
wimlib_free
wimlib_free_compressor
wimlib_free_decompressor
wimlib_get_compression_type_string
wimlib_get_compressor_needed_memory
wimlib_get_error_string
wimlib_get_image_description
wimlib_get_image_name
wimlib_get_image_property
wimlib_get_version
wimlib_get_version_string
wimlib_get_wim_info
wimlib_get_xml_data
wimlib_global_cleanup
wimlib_global_init
wimlib_image_name_in_use
wimlib_iterate_dir_tree
wimlib_iterate_lookup_table
wimlib_join
wimlib_join_with_progress
wimlib_mount_image
wimlib_open_wim
wimlib_open_wim_with_progress
wimlib_overwrite
wimlib_print_available_images
wimlib_print_header
wimlib_reference_resource_files
wimlib_reference_resources
wimlib_reference_template_image
wimlib_register_progress_function
wimlib_rename_path
wimlib_resolve_image
wimlib_set_default_compression_level
wimlib_set_error_file
wimlib_set_error_file_by_name
wimlib_set_image_descripton
wimlib_set_image_flags
wimlib_set_image_name
wimlib_set_image_property
wimlib_set_memory_allocator
wimlib_set_output_chunk_size
wimlib_set_output_compression_type
wimlib_set_output_pack_chunk_size
wimlib_set_output_pack_compression_type
wimlib_set_print_errors
wimlib_set_wim_info
wimlib_split
wimlib_unmount_image
wimlib_unmount_image_with_progress
wimlib_update_image
wimlib_verify_wim
wimlib_write
wimlib_write_to_fd

Sections

.text
Size: 363KB - Virtual size: 363KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 98KB - Virtual size: 98KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.buildid
Size: 512B - Virtual size: 53B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 131KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.00cfg
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.tls
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 620B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
$TEMP/WinNTSetup/Unattend/Win10_x32.xml
$TEMP/WinNTSetup/Unattend/Win10_x64.xml
$TEMP/WinNTSetup/Unattend/Win7-11-Select.xml
$TEMP/WinNTSetup/WimScript/WimScript.ini
$TEMP/WinNTSetup/WinNTSetup.ini.txt
$TEMP/WinNTSetup/WinNTSetup_x64.exe
.exe windows:6 windows x64 arch:x64

5812eb0ba263f239f68349549bad328d

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\Coding\PureBasic\WinNTSetup\WinNTSetup_x64.pdb

Imports

kernel32

ReadProcessMemory
GetLocalTime
GetTimeFormatW
WritePrivateProfileStringW
LocaleNameToLCID
GetLocaleInfoW
GetPrivateProfileSectionW
AttachConsole
AllocConsole
ReadConsoleOutputW
SetEndOfFile
SetFileValidData
CreateEventW
SetFilePointer
GetTickCount
SetVolumeMountPointW
WideCharToMultiByte
WriteConsoleA
FindFirstFileNameW
FindNextFileNameW
FindResourceExW
SizeofResource
LockResource
FreeResource
GetDiskFreeSpaceW
SetLastError
RemoveDirectoryW
GetCurrentDirectoryW
SetCurrentDirectoryW
GetDateFormatW
LCIDToLocaleName
GetVolumeNameForVolumeMountPointW
GetWindowsDirectoryW
SetThreadExecutionState
OpenProcess
GetProcessId
FlushFileBuffers
GlobalMemoryStatusEx
FileTimeToSystemTime
WritePrivateProfileSectionW
GetFileTime
GlobalAlloc
GlobalLock
GlobalUnlock
GlobalFree
SystemTimeToTzSpecificLocalTime
GetTempFileNameW
WriteConsoleW
RtlCompareMemory
lstrcatW
lstrcpynW
MultiByteToWideChar
RtlMoveMemory
lstrlenA
FindVolumeClose
FindNextVolumeW
GetDiskFreeSpaceExW
GetVolumeInformationW
GetVolumePathNamesForVolumeNameW
lstrcmpW
FindFirstVolumeW
SetErrorMode
GetPrivateProfileStringW
GetSystemInfo
K32GetModuleInformation
SetDllDirectoryW
SetFileAttributesW
UnregisterWait
RegisterWaitForSingleObject
DeleteCriticalSection
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
HeapSize
GetVersionExW
HeapReAlloc
GetExitCodeProcess
PeekNamedPipe
CreateProcessW
CreatePipe
DuplicateHandle
HeapFree
HeapAlloc
CreateThread
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
GetPrivateProfileIntW
GetEnvironmentVariableW
GetNativeSystemInfo
GetCurrentThread
GetLogicalProcessorInformation
GetLogicalDrives
QueryDosDeviceW
GetDriveTypeW
GetLogicalDriveStringsW
CreateDirectoryW
Sleep
FormatMessageW
SetFirmwareEnvironmentVariableW
GetFirmwareEnvironmentVariableW
SetFilePointerEx
GetFileSizeEx
lstrlenW
GetFinalPathNameByHandleW
lstrcmpiW
lstrcpyW
ReadFile
MoveFileW
FindFirstFileW
SetConsoleTextAttribute
GetConsoleWindow
SetConsoleCursorPosition
DeviceIoControl
GetFullPathNameW
SetConsoleCursorInfo
SetConsoleCtrlHandler
SetConsoleTitleW
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
GetCurrentProcessId
GetCurrentThreadId
lstrcmpA
GetFileAttributesW
SetEvent
CopyFileW
EndUpdateResourceW
UpdateResourceW
CreateFileW
EnumResourceNamesW
BeginUpdateResourceW
WriteFile
VirtualProtect
DefineDosDeviceW
DeleteFileW
WaitForSingleObject
FindClose
FindNextFileW
FindFirstFileExW
MulDiv
RtlZeroMemory
QueryPerformanceFrequency
LoadResource
FindResourceW
SetEnvironmentVariableW
FreeLibrary
LoadLibraryExW
QueryPerformanceCounter
GetConsoleScreenBufferInfo
QueryFullProcessImageNameW
GetFileType
GetStdHandle
ExitProcess
HeapDestroy
GetProcAddress
LoadLibraryW
LocalFree
LocalAlloc
GetLastError
GetCurrentProcess
GetUserDefaultLocaleName
GetUserDefaultLCID
GetSystemWindowsDirectoryW
GetModuleFileNameW
GetLongPathNameW
GetTempPathW
HeapCreate
GetModuleHandleW
SetFileTime
SystemTimeToFileTime
GetSystemTime
UnmapViewOfFile
CloseHandle
MapViewOfFile
CreateFileMappingW
GetFileSize
GetCommandLineW

user32

EnumChildWindows
LockWindowUpdate
GetComboBoxInfo
FindWindowExW
SetWindowPos
GetClientRect
IsWindowEnabled
GetSysColorBrush
GetPropW
FrameRect
WindowFromDC
GetClassLongPtrW
CallNextHookEx
DrawTextW
MapWindowPoints
GetUpdateRect
SetRect
InflateRect
GetDC
ReleaseDC
GetClassInfoExW
RegisterWindowMessageW
GetSystemMetrics
SystemParametersInfoW
GetIconInfo
DestroyIcon
CreateIconIndirect
SetPropW
GetWindowLongPtrW
SetWindowLongPtrW
SendMessageW
CreatePopupMenu
InsertMenuW
ValidateRect
SetMenuDefaultItem
SetClassLongPtrW
AppendMenuW
IsChild
DefFrameProcW
GetFocus
AdjustWindowRectEx
UnregisterClassW
RegisterClassW
TranslateAcceleratorW
MsgWaitForMultipleObjects
PeekMessageW
DispatchMessageW
TranslateMessage
GetMessageW
IsZoomed
GetMenu
DestroyAcceleratorTable
CreateAcceleratorTableW
LoadIconW
SetActiveWindow
DrawFrameControl
GetScrollPos
RegisterClassExW
SetScrollPos
GetWindowDC
GetAsyncKeyState
GetWindowLongW
DrawStateW
ReleaseCapture
SetCapture
GetWindowTextLengthW
RedrawWindow
IntersectRect
EnableWindow
DestroyWindow
SetMenuItemInfoW
GetSysColor
DefWindowProcW
BeginPaint
CopyRect
FillRect
EndPaint
CharUpperW
EnableMenuItem
CharLowerW
EnumDisplayDevicesW
EnumWindows
ShowWindow
EnumDisplaySettingsW
EnumDisplaySettingsExW
ChangeDisplaySettingsW
GetDisplayConfigBufferSizes
QueryDisplayConfig
DisplayConfigGetDeviceInfo
DisplayConfigSetDeviceInfo
GetWindowRect
GetWindow
SetParent
DestroyMenu
GetKeyState
MessageBoxIndirectW
SetForegroundWindow
KillTimer
CheckMenuRadioItem
GetActiveWindow
GetDlgItem
UnhookWindowsHookEx
SetWindowsHookExW
CallWindowProcW
DrawIconEx
RemovePropW
GetDoubleClickTime
GetWindowThreadProcessId
IsWindowVisible
SetRectEmpty
MoveWindow
LoadCursorW
SetCursor
IsIconic
GetForegroundWindow
CopyImage
ClientToScreen
MessageBoxW
OpenClipboard
EmptyClipboard
SetClipboardData
CloseClipboard
DestroyCursor
GetDlgCtrlID
FindWindowW
GetClassNameW
CheckMenuItem
GetSystemMenu
CreateWindowExW
InvalidateRect
SetTimer
SetWindowPlacement
GetWindowPlacement
UpdateWindow
SetFocus
PostMessageW
SetWindowTextW
GetMessagePos
MessageBeep
FlashWindowEx
WindowFromPoint
ScreenToClient
RealChildWindowFromPoint
TrackPopupMenu
GetClassWord
GetParent
GetWindowTextW
LoadStringW
SetWindowCompositionAttribute

gdi32

CreateFontIndirectW
CreateDIBSection
CreateCompatibleBitmap
GetObjectW
DeleteObject
CreateSolidBrush
GetDeviceCaps
GetTextExtentPoint32W
CreateCompatibleDC
CreateFontW
GdiAlphaBlend
DeleteDC
CreateRectRgn
FrameRgn
ExtTextOutW
CreatePen
SelectObject
SetTextColor
MoveToEx
LineTo
EnumFontFamiliesW
SetStretchBltMode
AddFontResourceW
GetStockObject
CreatePatternBrush
SetViewportOrgEx
OffsetViewportOrgEx
GetObjectType
ExcludeClipRect
CreateDCW
CreateRectRgnIndirect
GetClipRgn
SelectClipRgn
ExtSelectClipRgn
StretchBlt
SetBrushOrgEx
CreateBitmap
GetDIBits
SetPixel
SetBkColor
Rectangle
SetBkMode
GetTextMetricsW

comdlg32

GetSaveFileNameW
GetOpenFileNameW

advapi32

DuplicateTokenEx
RegEnumKeyExW
ControlService
SetNamedSecurityInfoW
IsValidSecurityDescriptor
GetFileSecurityW
SetFileSecurityW
ConvertStringSecurityDescriptorToSecurityDescriptorW
RegQueryValueW
RegLoadKeyW
RegUnLoadKeyW
RegQueryInfoKeyW
CreateProcessAsUserW
CreateProcessWithTokenW
QueryServiceStatus
StartServiceW
RegEnumValueW
RegCreateKeyW
OpenServiceW
IsWellKnownSid
SetThreadToken
RevertToSelf
CloseServiceHandle
CreateServiceW
OpenSCManagerW
CheckTokenMembership
AllocateAndInitializeSid
RegSetValueExW
RegCreateKeyExW
RegOpenKeyExW
OpenProcessToken
GetTokenInformation
SetEntriesInAclW
RegOpenKeyW
RegQueryValueExW
RegCloseKey

comctl32

ImageList_Replace
ImageList_AddMasked
ord412
ImageList_GetImageCount
ImageList_Draw
ImageList_Add
ImageList_DrawEx
ImageList_GetIconSize
ord413
CreateToolbarEx
InitCommonControlsEx
ImageList_Remove
ord381
ImageList_Destroy
ImageList_GetIcon
ImageList_Merge
ImageList_ReplaceIcon
ImageList_Create
ord410

oleaut32

SafeArrayUnlock
SysFreeString
SafeArrayDestroy
VariantClear
SysAllocString
SafeArrayCreate
SafeArrayLock

ntdll

RtlAdjustPrivilege
NtQuerySystemInformation
RtlCreateUnicodeString
RtlUpcaseUnicodeString
RtlCreateUnicodeStringFromAsciiz
RtlIsNameInExpression
RtlFreeUnicodeString
RtlGetProcessHeaps
RtlAllocateHeap
RtlDosPathNameToNtPathName_U
NtOpenFile
NtClose
RtlFreeHeap
NtShutdownSystem
RtlGetVersion
RtlGetNtVersionNumbers
NtQueryVolumeInformationFile
NtQueryInformationProcess
RtlInitUnicodeString
NtOpenDirectoryObject
NtQueryDirectoryObject
RtlComputeCrc32
RtlGetLastNtStatus
RtlNtStatusToDosError
RtlRandom
NtCreatePagingFile
NtReadFile
NtTranslateFilePath
NtQueryInformationFile
NtFsControlFile
__chkstk

shell32

SHCreateShellItem
SHGetStockIconInfo
SHFormatDrive
SHBrowseForFolderW
SHGetDesktopFolder
SHParseDisplayName
StrStrIW
ShellExecuteW
ShellExecuteExW
SHGetImageList
SHGetFileInfoW
SHGetPathFromIDListW
SHDefExtractIconW
SHFileOperationW

ole32

RevokeDragDrop
StringFromGUID2
CoTaskMemFree
CreateStreamOnHGlobal
CLSIDFromString
CoCreateInstance
CoInitialize
CoCreateGuid

shlwapi

StrCmpLogicalW
PathCompactPathW
PathGetArgsW
StrStrNIW
PathCompactPathExW
PathParseIconLocationW
PathRemoveExtensionW
StrTrimW
PathIsNetworkPathW
StrToIntExW
PathSearchAndQualifyW
PathCombineW
SHCreateStreamOnFileW
SHCreateStreamOnFileEx
StrTrimA
PathIsDirectoryW
PathStripToRootW
PathRemoveBackslashW
StrToIntW
StrFormatByteSizeW
PathRemoveFileSpecW
PathIsRelativeW
PathFindFileNameW
PathMatchSpecW
PathFindExtensionW
PathFileExistsW
PathAddBackslashW

cfgmgr32

CM_Get_Device_IDW
CM_Get_Parent

rpcrt4

UuidCreate

setupapi

SetupOpenInfFileW
SetupIterateCabinetW
SetupDiGetDeviceRegistryPropertyW
SetupDiOpenDevRegKey
SetupGetStringFieldW
SetupDiGetDeviceInterfaceDetailW
SetupDiEnumDeviceInterfaces
SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInfo
SetupDiGetClassDevsW
SetupFindFirstLineW
SetupGetLineCountW
SetupGetLineByIndexW
SetupGetFieldCount
SetupDecompressOrCopyFileW
SetupGetBinaryField
SetupGetMultiSzFieldW
SetupGetIntField
SetupEnumInfSectionsW
SetupDiGetDeviceInstanceIdW
SetupCloseInfFile

userenv

CreateEnvironmentBlock
DestroyEnvironmentBlock

uxtheme

BeginBufferedPaint
DrawThemeText
BufferedPaintSetAlpha
EndBufferedPaint
BufferedPaintInit
OpenThemeData
SetWindowTheme
DrawThemeBackground
DrawThemeTextEx
GetThemePartSize
GetThemeFont
GetThemeInt

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

msvcrt

_strnicmp
fputc
fputs
wcstod
sqrt
_wcsdup
ceil
wcstol
_time64
wcschr
fseek
_localtime64
wcstoul
wcsstr
_gmtime64
memmove
floor
tolower
_mktime64
_itow
_wtoi
fread
fclose
strlen
realloc
strrchr
strchr
fgets
_wfopen
_wstati64
_wtol
_wsystem
malloc
wcscpy
swscanf
wcstok_s
wcslen
__wgetmainargs
wcsncmp
_vsnwprintf
wcsncpy
_wcsnicmp
wcscmp
wcscat
strstr
_wcsicmp
free
calloc
_snwprintf
memset
memcmp
memcpy
_stricmp
wcsspn

wtsapi32

WTSFreeMemory
WTSEnumerateProcessesW
WTSEnumerateSessionsW

virtdisk

GetVirtualDiskInformation
GetVirtualDiskOperationProgress
CreateVirtualDisk
GetStorageDependencyInformation
AttachVirtualDisk
DetachVirtualDisk
GetVirtualDiskPhysicalPath
OpenVirtualDisk

fltlib

FilterLoad
FilterAttach

Sections

.text
Size: 707KB - Virtual size: 706KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 26KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 172KB - Virtual size: 4.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 137KB - Virtual size: 140KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
WinNTSetup 5.3.5.2/WinNTSetup_v5352.rar
.rar
Changelog.txt
Compact/WimBootCompress.ini
DISM/Sample.ini
Diskpart/BIOS.txt
Diskpart/UEFI.txt
.vbs
Diskpart/XP_legacy/BIOS.txt
Lang/1028.dll
.dll windows:6 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.rsrc
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Lang/1031.dll
.dll windows:6 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.rsrc
Size: 45KB - Virtual size: 48KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Lang/1036.dll
.dll windows:6 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.rsrc
Size: 41KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Lang/1040.dll
.dll windows:4 windows x86 arch:x86

6a4041370c121d4f288ee4d92bfe9499

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

msvcrt

memset

kernel32

HeapCreate
HeapDestroy
GetModuleHandleA

Exports

Exports

dummy

Sections

.code
Size: 512B - Virtual size: 102B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.text
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 512B - Virtual size: 69B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 204B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 44KB - Virtual size: 43KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Lang/1042.dll
.dll windows:6 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.rsrc
Size: 21KB - Virtual size: 24KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Lang/1046.dll
.dll windows:6 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.rsrc
Size: 42KB - Virtual size: 42KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Lang/1049.dll
.dll windows:6 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.rsrc
Size: 43KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Lang/1055.dll
.dll windows:6 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.rsrc
Size: 44KB - Virtual size: 44KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Lang/1058.dll
.dll windows:6 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.rsrc
Size: 33KB - Virtual size: 32KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Lang/2052.dll
.dll windows:6 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.rsrc
Size: 22KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Lang/2058.dll
.dll windows:6 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.rsrc
Size: 44KB - Virtual size: 43KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
MinWin/Default/AntiLog.ini
MinWin/Default/AntiLog.reg
MinWin/Default/Options.ini
MinWin/Default/Reg/Explorer_LaunchTo.reg
MinWin/Default/Reg/GameDVR.reg
MinWin/Default/Reg/Remove_Gallery.reg
MinWin/Default/Reg/Restore_Photo_Viewer_Windows_10.reg
MinWin/Default/Reg/ShippedWithReserves.reg
MinWin/Default/Reg/StuckRects3-Win10-200X.reg
MinWin/Default/Reg/SysTray_ClassicVolumeControl.reg
MinWin/Default/Reg/SysTray_Network_Flyout.reg
MinWin/Default/Reg/Taskbar.reg
MinWin/Default/Reg/UserSignedIn.reg
MinWin/Default/Remove/Active Setup.reg
MinWin/Default/Remove/Defender.reg
MinWin/Default/Remove/Defender.txt
MinWin/Default/Remove/DrvStore_Inf.txt
MinWin/Default/Remove/Edge.reg
MinWin/Default/Remove/Edge.txt
MinWin/Default/Remove/Fonts.txt
MinWin/Default/Remove/Installed.txt
MinWin/Default/Remove/Languages.txt
MinWin/Default/Remove/Media.txt
MinWin/Default/Remove/NetFX.txt
MinWin/Default/Remove/NetFX_Keep.txt
MinWin/Default/Remove/OneDrive.txt
MinWin/Default/Remove/ProgramFiles.txt
MinWin/Default/Remove/Speech.txt
MinWin/Default/Remove/SySWoW.txt
MinWin/Default/Remove/System32-DLL.txt
MinWin/Default/Remove/System32.txt
MinWin/Default/Remove/WMP.txt
MinWin/Default/Remove/WSearch.reg
MinWin/Default/Remove/WUAU.reg
MinWin/Default/Remove/WUAU.txt
MinWin/Default/Remove/WinSAT.txt
MinWin/Default/Remove/Windows.txt
MinWin/Default/Remove/Windows11.txt
MinWin/Default/Remove/WindowsApps.txt
MinWin/Default/Remove/WindowsPowerShell.txt
MinWin/Default/Remove/XBOX.reg
MinWin/Default/Remove/XBOX.txt
MinWin/Default/Remove/XPS.txt
MinWin/Default/Services.ini
MinWin/Default/Tasks.ini
MinWin/Default/WinSxS.ini
MinWin/ReadMe.txt
MinWin/ReadMechs.txt
Tools/CATTrim.ini
Tools/MergeIDE_2600.ini
Tools/MergeIDE_7600.ini
Tools/MergeIDE_9200.ini
Tools/Win10Builds.ini
Tools/Win7USB3/ReadMe.txt
Tools/Win7USBBoot.ini
Tools/arm64/WIMHost.exe
Tools/arm64/wimlib.dll
Tools/imdisk/cpl/amd64/imdisk.cpl
.dll windows:6 windows x64 arch:x64

279416a3dfe8386ca2bd447389b068d7

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

x:\imdisk_source\cpl\amd64\imdisk.pdb

Imports

msvcrt

malloc
wcstoul
wcsncat
_beginthreadex
??3@YAXPEAX@Z
wcstod
towupper
wcstok
??2@YAPEAX_K@Z
fwprintf
_fgetwchar
strchr
_XcptFilter
fflush
wcschr
_initterm
_amsg_exit
__C_specific_handler
fprintf
toupper
_fgetchar
free
wcsncmp
wcsrchr
wcsncpy
_snwprintf
_wcsicmp
_iob
memcpy
memset

kernel32

SetUnhandledExceptionFilter
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetSystemTimeAsFileTime
GetFileSize
SetFilePointer
SetEndOfFile
HeapAlloc
HeapFree
GetLogicalDrives
VirtualFree
GetProcessHeap
WaitNamedPipeW
WriteFile
Sleep
FormatMessageW
ReadFile
CreateFileW
FlushFileBuffers
GetLastError
SetLastError
VirtualAlloc
DefineDosDeviceW
LocalAlloc
CreateEventW
DeviceIoControl
CloseHandle
LocalFree
GetDriveTypeA
MultiByteToWideChar
SetCurrentDirectoryW
GetWindowsDirectoryW
HeapReAlloc
WaitForSingleObject
SetEvent
GetTickCount
QueryDosDeviceW
WaitForMultipleObjects
DeleteFileW
GetVolumeInformationW
QueryPerformanceCounter
GetCurrentThreadId
GetCurrentProcessId

advapi32

CloseServiceHandle
OpenServiceW
RegCreateKeyW
RegQueryValueExW
RegOpenKeyW
InitializeSecurityDescriptor
RegDeleteKeyW
RegSetValueExW
RegCloseKey
RegDeleteValueW
QueryServiceStatus
StartServiceW
SetSecurityDescriptorDacl
OpenSCManagerW

user32

GetWindowTextLengthW
GetDlgItemInt
SetProcessDPIAware
TrackPopupMenu
PostMessageW
GetSubMenu
GetParent
SetFocus
GetDC
SetDlgItemInt
GetMenu
LoadIconW
GetAsyncKeyState
SetClassLongPtrW
ReleaseDC
EnableMenuItem
EndDialog
SendDlgItemMessageW
CheckDlgButton
DispatchMessageW
GetPropW
SetWindowTextW
MessageBoxW
SendMessageTimeoutW
ShowWindow
GetDlgItem
PeekMessageW
IsDialogMessageW
TranslateMessage
SetPropW
RemovePropW
IsDlgButtonChecked
DialogBoxParamW
DestroyWindow
EnableWindow
MapWindowPoints
SendMessageW
SetDlgItemTextW
GetDlgItemTextW
GetSystemMetrics
DrawMenuBar
CreateDialogParamW

shell32

ShellExecuteW
SHFormatDrive
SHChangeNotify

gdi32

GetDeviceCaps

comctl32

ImageList_Create
ImageList_ReplaceIcon

comdlg32

CommDlgExtendedError
GetSaveFileNameW
GetOpenFileNameW

ntdll

RtlFreeUnicodeString
RtlNtStatusToDosError
NtClose
NtOpenFile
RtlDosPathNameToNtPathName_U
RtlCreateUnicodeString
RtlInitUnicodeString

Exports

Exports

CPlApplet
ImDiskAdjustImageFileSize
ImDiskAllocPrintF
ImDiskBuildMBR
ImDiskChangeFlags
ImDiskCheckDriverVersion
ImDiskConsoleMessageA
ImDiskConsoleMessageW
ImDiskConvertCHSToLBA
ImDiskConvertLBAToCHS
ImDiskCreateDevice
ImDiskCreateDeviceEx
ImDiskCreateMountPoint
ImDiskExtendDevice
ImDiskFindFreeDriveLetter
ImDiskFlushWindowMessages
ImDiskForceRemoveDevice
ImDiskGetAPIFlags
ImDiskGetDeviceList
ImDiskGetDeviceListEx
ImDiskGetFormattedGeometry
ImDiskGetFormattedGeometryIndirect
ImDiskGetOffsetByFileExt
ImDiskGetPartitionInfoIndirect
ImDiskGetPartitionInfoIndirectEx
ImDiskGetPartitionInformation
ImDiskGetPartitionInformationEx
ImDiskGetPartitionTypeName
ImDiskGetRegistryAutoLoadDevices
ImDiskGetSinglePartitionInfoIndirect
ImDiskGetSinglePartitionInformation
ImDiskGetVersion
ImDiskGetVolumeSize
ImDiskImageContainsISOFS
ImDiskImageContainsISOFSIndirect
ImDiskMsgBoxPrintF
ImDiskNativePathToWin32
ImDiskNotifyRemovePending
ImDiskNotifyShellDriveLetter
ImDiskOpenDeviceByMountPoint
ImDiskOpenDeviceByName
ImDiskOpenDeviceByNumber
ImDiskOpenRefreshEvent
ImDiskQueryDevice
ImDiskReadFileHandle
ImDiskRemoveDevice
ImDiskRemoveMountPoint
ImDiskRemoveRegistrySettings
ImDiskSaveImageFile
ImDiskSaveImageFileInteractive
ImDiskSaveRegistrySettings
ImDiskSetAPIFlags
ImDiskStartService
RunDLL_MountFile
RunDLL_MountFileW
RunDLL_RemoveDevice
RunDLL_SaveImageFile

Sections

.text
Size: 70KB - Virtual size: 70KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 39KB - Virtual size: 38KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 60B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Tools/imdisk/sys/amd64/imdisk.sys
.sys windows:6 windows x64 arch:x64

ca1b7a99c1db8c685051151b20cecfd0

Code Sign

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

Issuer

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Not Before

13/04/2011, 10:00

Not After

13/04/2019, 10:00

Subject

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

9f:ea:c8:11:b0:f1:62:47:a5:fc:20:d8:05:23:ac:e6
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

05/05/2015, 00:00

Not After

31/12/2015, 23:59

Subject

CN=COMODO Time Stamping Signer,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

11:21:42:a1:2c:75:7c:ec:88:72:b6:e2:03:ec:d4:ea:64:91
Certificate

Issuer

CN=GlobalSign CodeSigning CA - G2,O=GlobalSign nv-sa,C=BE

Not Before

17/01/2013, 15:30

Not After

18/03/2016, 12:43

Subject

CN=Lagerkvist Teknisk Radgivning i Boras HB,O=Lagerkvist Teknisk Radgivning i Boras HB,ST=-,C=SE,1.2.840.113549.1.9.1=#0c10696e666f406c74722d646174612e7365

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

61:0b:7f:6b:00:00:00:00:00:19
Certificate

Issuer

CN=Microsoft Code Verification Root,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

23/05/2006, 17:00

Not After

23/05/2016, 17:10

Subject

CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

5c:42:5e:bf:54:48:19:7c:ad:73:70:15:5e:09:9d:b5:dd:f6:67:8b
Signer

Actual PE Digest

5c:42:5e:bf:54:48:19:7c:ad:73:70:15:5e:09:9d:b5:dd:f6:67:8b

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

z:\kod\imdisk\sys\amd64\imdisk.pdb

Imports

ntoskrnl.exe

ExAllocatePoolWithTag
ZwCreateEvent
IoDeleteSymbolicLink
ExFreePoolWithTag
_snwprintf
RtlSetDaclSecurityDescriptor
RtlInitUnicodeString
IoDeleteDevice
KeSetEvent
RtlAppendUnicodeToString
KeInitializeEvent
KeDelayExecutionThread
PsCreateSystemThread
ZwQueryValueKey
IoCreateUnprotectedSymbolicLink
ExEventObjectType
ZwClose
ObReferenceObjectByHandle
KeWaitForSingleObject
RtlCopyUnicodeString
ObfDereferenceObject
IoCreateDevice
ObReferenceObjectByPointer
DbgPrint
RtlCreateSecurityDescriptor
KePulseEvent
ZwOpenKey
KeClearEvent
KeReadStateEvent
IoBuildSynchronousFsdRequest
ZwReadFile
IoGetRelatedDeviceObject
IoCancelIrp
KeWaitForMultipleObjects
IofCallDriver
ZwFsControlFile
KeReleaseInStackQueuedSpinLock
_wcsnicmp
ZwMapViewOfSection
KeAcquireInStackQueuedSpinLock
ZwSetInformationFile
SeCreateClientSecurity
IoFileObjectType
ZwWaitForSingleObject
ZwCreateFile
SeImpersonateClient
ZwFreeVirtualMemory
RtlAppendUnicodeStringToString
ZwDeviceIoControlFile
ZwQueryInformationFile
ZwOpenSection
SeTokenType
ZwAllocateVirtualMemory
IoBuildDeviceIoControlRequest
NtWriteFile
KeSetPriorityThread
NtFsControlFile
MmMapLockedPagesSpecifyCache
PsTerminateSystemThread
IofCompleteRequest
NtReadFile
SeSinglePrivilegeCheck
IoFreeMdl
IoFreeIrp
IoAllocateIrp
MmUnlockPages
ZwOpenEvent
ZwUnmapViewOfSection
KeBugCheckEx

Sections

.text
Size: 18KB - Virtual size: 17KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 360B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

PAGE
Size: 11KB - Virtual size: 10KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

INIT
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1024B - Virtual size: 872B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Tools/nativevhdboot_x64.dll
.dll windows:6 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Sections

.text
Size: 1024B - Virtual size: 868B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Tools/nativevhdboot_x86.dll
.dll windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.text
Size: 1024B - Virtual size: 858B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Tools/x64/BootICE/BOOTICE.dll
.dll windows:6 windows x64 arch:x64

2e3635a46294c7adb09ec2fd4485c4cc

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

msvcrt

wcslen
wcscat
_wcsicmp
wcscmp
_snwprintf
calloc
free
setlocale
wcscpy
memcpy
memset

kernel32

VirtualAlloc
SetLastError
RtlZeroMemory
lstrcmpW
SizeofResource
LoadResource
FindResourceW
VirtualProtect
GetLongPathNameW
GetCurrentThreadId
LoadLibraryW
LoadLibraryExW
GetUserDefaultLCID
GetPrivateProfileIntW
GetModuleFileNameW
GetProcAddress
GetModuleHandleW
GetSystemInfo
MulDiv
VirtualQuery

user32

EndPaint
GetParent
GetClassLongPtrW
GetComboBoxInfo
CallWindowProcW
DefWindowProcW
IsWindowEnabled
GetSysColorBrush
CopyImage
DestroyIcon
GetUpdateRect
SetRect
FrameRect
TrackMouseEvent
CopyRect
InflateRect
SetTimer
ValidateRect
GetWindowDC
ClientToScreen
GetWindowRect
DrawTextExW
RemovePropW
WindowFromDC
GetClassWord
CallNextHookEx
GetAncestor
LoadMenuA
BeginPaint
GetWindowLongPtrW
FillRect
GetClientRect
DrawMenuBar
ModifyMenuW
GetMenuStringW
GetMenuItemCount
SetMenuInfo
GetMenu
FindWindowExW
SetWindowLongPtrW
EnumChildWindows
GetClassNameW
SendMessageA
GetDlgItem
SetPropW
GetPropW
UnhookWindowsHookEx
SetWindowsHookExW
RegisterWindowMessageW
GetSystemMetrics
SendMessageW
ReleaseDC
GetDC
SystemParametersInfoW
DrawTextW
GetSysColor
MapWindowPoints
InvalidateRect
SetWindowCompositionAttribute
SetWindowPos

gdi32

GetDeviceCaps
SelectObject
GetObjectW
CreateFontW
GetTextMetricsW
DeleteObject
CreateSolidBrush
CreateFontIndirectW
SetBkMode
SetBkColor
SetTextColor
CreatePen
MoveToEx
LineTo
CreateCompatibleDC
CreateCompatibleBitmap
BitBlt
DeleteDC
GetTextExtentPoint32W
CreateDIBSection
Rectangle
GetStockObject
GdiAlphaBlend
SetStretchBltMode

comctl32

ImageList_GetIcon
ord410
ImageList_ReplaceIcon
ImageList_Destroy
ImageList_Create
ImageList_GetImageCount
ImageList_GetIconSize
ord413
ImageList_DrawEx
ImageList_Draw

ntdll

RtlGetNtVersionNumbers
RtlCreateUnicodeString
RtlFreeUnicodeString
RtlIsNameInExpression
RtlCreateUnicodeStringFromAsciiz
RtlUpcaseUnicodeString

ole32

CoCreateInstance
CoInitialize

shlwapi

PathRemoveFileSpecW
PathFileExistsW

uxtheme

SetWindowTheme
GetThemeInt
OpenThemeData
BufferedPaintInit
BeginBufferedPaint
GetThemePartSize
DrawThemeBackground
BufferedPaintSetAlpha
DrawThemeText
EndBufferedPaint
DrawThemeTextEx

Exports

Exports

PathCombineA
PathFileExistsA
PathFindExtensionA
PathRemoveExtensionA
PathRemoveFileSpecA
SHCopyKeyA
SHDeleteKeyA
StrStrA
StrStrIA
StrToInt64ExA
StrToIntA

Sections

.text
Size: 33KB - Virtual size: 33KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 16KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 440B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Tools/x64/BootICE/BOOTICEx64.exe
.exe windows:5 windows x64 arch:x64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

UPX0
Size: - Virtual size: 896KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

UPX1
Size: 412KB - Virtual size: 412KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 37KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Tools/x64/BootICE/BootICE.ini
Tools/x64/BootICE/Lang/1031.dll
.dll windows:6 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.rsrc
Size: 68KB - Virtual size: 72KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Tools/x64/BootICE/Lang/1033.dll
.dll windows:6 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.rsrc
Size: 59KB - Virtual size: 60KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Tools/x64/BootICE/Lang/1049.dll
.dll windows:6 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Sections

.rsrc
Size: 69KB - Virtual size: 72KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Tools/x64/DISM/ReadMe.txt
Tools/x64/MSSTMake.exe
.exe windows:5 windows x64 arch:x64

6929a6376371544b1e02fafed262c6a8

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

GetFileSize
lstrcmpA
MoveFileExA
lstrcpynA
ExpandEnvironmentStringsA
GetFileAttributesA
CreateDirectoryA
SetCurrentDirectoryA
FindFirstFileA
GetLastError
SetLastError
RemoveDirectoryA
CopyFileA
SetFileAttributesA
FindClose
FindNextFileA
GetCurrentDirectoryA
CloseHandle
DeleteFileA
lstrcpyA
SetFilePointer
CreateFileA
WritePrivateProfileStructA
MapViewOfFile
UnmapViewOfFile
SetConsoleTextAttribute
WritePrivateProfileSectionA
WriteFile
GetPrivateProfileIntA
WideCharToMultiByte
Sleep
ReadFile
lstrcatA
GetStdHandle
GetPrivateProfileStringA
GetLocalTime
WriteConsoleA
CreateFileMappingA
GetConsoleScreenBufferInfo
WritePrivateProfileStringA
GetPrivateProfileStructA
LoadLibraryW
lstrlenA
GetFullPathNameA
HeapSize
EnterCriticalSection
LeaveCriticalSection
GetStringTypeW
GetSystemTimeAsFileTime
GetCurrentProcessId
GetTickCount
QueryPerformanceCounter
HeapCreate
GetVersion
HeapSetInformation
DeleteCriticalSection
GetStartupInfoW
HeapReAlloc
GetFileType
InitializeCriticalSectionAndSpinCount
SetHandleCount
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetModuleFileNameA
RtlUnwindEx
GetModuleFileNameW
GetCommandLineA
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
EncodePointer
FlsGetValue
FlsSetValue
FlsFree
GetCurrentThreadId
FlsAlloc
DecodePointer
HeapFree
HeapAlloc
LCMapStringW
MultiByteToWideChar
RaiseException
RtlPcToFileHeader
GetProcAddress
GetModuleHandleW
ExitProcess

user32

CharNextA
CharUpperA

advapi32

IsTextUnicode

shlwapi

wnsprintfA
PathCombineA
PathSearchAndQualifyA
PathAddBackslashA
PathIsRelativeA
PathAppendA
PathIsDirectoryA

setupapi

SetupFindNextLine
SetupGetLineCountA
SetupDiGetActualSectionToInstallExA
SetupOpenInfFileA
SetupGetLineTextA
SetupGetFileCompressionInfoExA
SetupGetLineByIndexA
SetupGetSourceFileLocationA
SetupDecompressOrCopyFileA
SetupFindNextMatchLineA
SetupCloseInfFile
SetupGetFieldCount
SetupFindFirstLineA
SetupGetStringFieldA
SetupEnumInfSectionsA
SetupGetIntField

Sections

.text
Size: 60KB - Virtual size: 60KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 28KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 79KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 17KB - Virtual size: 17KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Tools/x64/WIMHost.exe
.exe windows:6 windows x64 arch:x64

fc082dea8871a90b6609e99ca5a4a4bd

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\Coding\PureBasic\WinNTSetup\src\WimHost\x64\gWIMHost.pdb

Imports

msvcrt

_wcsicmp
_snwprintf
wcscpy
_wcsdup
free
calloc
wcsncpy
_wfopen
fwprintf
fclose
_wcsnicmp
wcschr
realloc
swscanf
wcscat
__wgetmainargs
wcstoul
wcsncmp
floor
wcslen
malloc
memcpy
memset
wcstok_s

kernel32

Sleep
GetModuleHandleA
ExitProcess
GetFinalPathNameByHandleW
GetFileType
RtlMoveMemory
QueryDosDeviceW
GetVolumeInformationW
GetDriveTypeW
lstrcpynW
MultiByteToWideChar
GetFileSize
SetFilePointerEx
SetLastError
GetStdHandle
GetConsoleScreenBufferInfo
SetConsoleCursorPosition
LoadLibraryW
GetProcAddress
FreeLibrary
FormatMessageW
lstrcpyW
LocalFree
GetLocalTime
GetDateFormatW
GetTimeFormatW
GetFileAttributesW
lstrlenW
WideCharToMultiByte
WriteFile
WriteConsoleA
VirtualProtect
QueryPerformanceCounter
GetEnvironmentVariableW
GetTempPathW
lstrcatW
GetPrivateProfileIntW
FindFirstFileExW
FindNextFileW
FindClose
GetModuleFileNameW
GetLongPathNameW
OpenEventW
RegisterWaitForSingleObject
lstrcmpiW
GetCurrentProcessId
CreateDirectoryW
SetFileAttributesW
GetVolumeNameForVolumeMountPointW
RemoveDirectoryW
CloseHandle
CreateFileW
GetDiskFreeSpaceW
DeviceIoControl
GetLastError
DeleteFileW
QueryPerformanceFrequency
ReadFile
GetDiskFreeSpaceExW
SetEnvironmentVariableW
GetModuleHandleW
GetPrivateProfileSectionW

advapi32

StartServiceW
ConvertStringSecurityDescriptorToSecurityDescriptorW
SetFileSecurityW
CloseServiceHandle
QueryServiceStatus
ConvertSecurityDescriptorToStringSecurityDescriptorW
ControlService
OpenServiceW
OpenSCManagerW

ntdll

RtlCreateUnicodeString
RtlUpcaseUnicodeString
RtlInitUnicodeString
RtlIsNameInExpression
RtlFreeUnicodeString
RtlGetNtVersionNumbers
RtlMultiByteToUnicodeN
RtlUpcaseUnicodeChar
RtlCreateUnicodeStringFromAsciiz
RtlNtStatusToDosError
NtWriteFile
NtReadFile
NtFsControlFile
NtQueryVolumeInformationFile
RtlAdjustPrivilege

ole32

CoCreateInstance
CoInitialize
CoUninitialize
CoInitializeSecurity
CoInitializeEx

shlwapi

PathFindFileNameW
PathCombineW
StrTrimW
StrCmpLogicalW
PathRemoveFileSpecW
PathMatchSpecW
PathRenameExtensionW
PathFileExistsW
PathFindExtensionW
StrStrIW
StrFormatByteSizeW
PathRemoveExtensionW
PathAddExtensionW
PathAddBackslashW
PathSearchAndQualifyW
StrToIntW

Sections

.text
Size: 62KB - Virtual size: 62KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 9KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Tools/x64/offreg.dll
.dll windows:10 windows x64 arch:x64

9fb70bcbb2c24e9538c79a79e1f5a64d

Code Sign

33:00:00:04:fe:59:ca:b7:e6:2a:a5:22:c1:00:00:00:00:04:fe
Certificate

Issuer

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/02/2023, 20:11

Not After

31/01/2024, 20:11

Subject

CN=Microsoft Corporation,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0c:52:4c:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

06/07/2010, 20:40

Not After

06/07/2025, 20:50

Subject

CN=Microsoft Code Signing PCA 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

a2:eb:9a:db:50:96:0b:26:5c:e2:b0:ee:c9:76:82:bc:3d:c3:66:6b:bd:de:98:c5:29:c0:75:2d:a6:e7:6b:d0
Signer

Actual PE Digest

a2:eb:9a:db:50:96:0b:26:5c:e2:b0:ee:c9:76:82:bc:3d:c3:66:6b:bd:de:98:c5:29:c0:75:2d:a6:e7:6b:d0

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

offreg.pdb

Imports

msvcrt

_amsg_exit
free
malloc
_initterm
__C_specific_handler
memmove
_XcptFilter
_wcsnicmp
wcsncpy_s
wcscat_s
wcsnlen
_aligned_malloc
_aligned_free
qsort
_wcsicmp
memcpy
memcmp
memset

kernel32

FlushFileBuffers
CloseHandle
CreateFileW
SetEndOfFile
WriteFile
GetFileSizeEx
ReadFile
GetFinalPathNameByHandleW
TlsSetValue
TerminateProcess
GetCurrentProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext
GetTickCount
GetSystemTimeAsFileTime
GetCurrentThreadId
GetCurrentProcessId
QueryPerformanceCounter
Sleep
TlsFree
TlsGetValue
TlsAlloc
InitializeCriticalSectionAndSpinCount
SetFilePointerEx
GetModuleHandleW
DeleteCriticalSection
GetProcAddress
GetLastError
LeaveCriticalSection
EnterCriticalSection

advapi32

GetAce
GetSidSubAuthority
GetSidLengthRequired
CreatePrivateObjectSecurityWithMultipleInheritance
InitializeSid
IsValidSid
InitializeAcl
SetPrivateObjectSecurityEx
GetLengthSid
AddAccessAllowedAce
SetSecurityDescriptorDacl
SetSecurityDescriptorOwner
GetSecurityDescriptorControl
IsValidSecurityDescriptor
InitializeSecurityDescriptor
MakeSelfRelativeSD
SetSecurityDescriptorGroup
DestroyPrivateObjectSecurity
GetSecurityDescriptorLength

ntdll

RtlInitUnicodeString
RtlUpcaseUnicodeChar
RtlRunOnceComplete
RtlRunOnceBeginInitialize
RtlFindNextForwardRunClear
RtlNumberOfSetBits
RtlInitializeSRWLock
RtlReleaseSRWLockExclusive
RtlAcquireSRWLockExclusive
RtlFreeHeap
RtlAllocateHeap
RtlNtStatusToDosError

Exports

Exports

ORCloseHive
ORCloseKey
ORCreateHive
ORCreateHiveEx
ORCreateKey
ORDeleteKey
ORDeleteValue
OREnumKey
OREnumValue
ORFlushHive
ORGetKeySecurity
ORGetValue
ORGetVersion
ORGetVirtualFlags
ORMergeHives
OROpenHive
OROpenHiveByHandle
OROpenKey
ORQueryInfoKey
ORQueryInfoKeyEx
ORQueryInfoKeyValueEx
ORRenameKey
ORSaveHive
ORSaveHiveEx
ORSaveHiveToHandle
ORSetKeySecurity
ORSetValue
ORSetVirtualFlags

Sections

.text
Size: 60KB - Virtual size: 56KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGE
Size: 12KB - Virtual size: 9KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

PAGECMRC
Size: 4KB - Virtual size: 130B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 12KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 1016B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 44B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Tools/x64/wimlib.dll
.dll windows:4 windows x64 arch:x64

91ac1c219b128fd269b4a1137bdbc40a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DEBUG_STRIPPED
IMAGE_FILE_DLL

Imports

advapi32

AdjustTokenPrivileges
CloseEncryptedFileRaw
LookupPrivilegeValueW
OpenEncryptedFileRawW
OpenProcessToken
ReadEncryptedFileRaw
RegCloseKey
RegCreateKeyExW
RegFlushKey
RegLoadKeyW
RegSetValueExW
RegUnLoadKeyW
SystemFunction036
WriteEncryptedFileRaw

kernel32

CloseHandle
CreateFileW
CreateThread
DeleteCriticalSection
DeleteFileW
DeviceIoControl
EnterCriticalSection
FindClose
FindFirstFileW
FindFirstVolumeW
FindNextFileW
FindNextVolumeW
FindVolumeClose
FlushFileBuffers
FormatMessageW
FreeLibrary
GetCurrentProcess
GetDiskFreeSpaceExW
GetEnvironmentVariableA
GetFileInformationByHandle
GetFileSizeEx
GetFileType
GetFullPathNameW
GetLastError
GetModuleHandleW
GetProcAddress
GetProcessHeap
GetSystemInfo
GetSystemTimeAsFileTime
GetVolumeInformationW
GlobalMemoryStatusEx
HeapAlloc
HeapFree
InitializeConditionVariable
InitializeCriticalSection
IsDBCSLeadByteEx
LeaveCriticalSection
LoadLibraryW
MoveFileExW
MoveFileW
MultiByteToWideChar
ReadFile
SetEndOfFile
SetFilePointer
SetFilePointerEx
SetLastError
Sleep
SleepConditionVariableCS
TlsGetValue
VirtualProtect
VirtualQuery
WaitForSingleObject
WakeAllConditionVariable
WakeConditionVariable
WideCharToMultiByte
WriteFile

msvcrt

___lc_codepage_func
___mb_cur_max_func
__iob_func
_amsg_exit
_close
_errno
_fdopen
_fstat64
_get_osfhandle
_gmtime64
_initterm
_lock
_lseeki64
_open_osfhandle
_telli64
_unlock
_waccess
_wassert
_wcserror_s
_wcsicmp
_wgetenv
_wmkdir
_wopen
_wstat64
_wtempnam
_wunlink
abort
calloc
fclose
feof
fflush
fgetwc
fputc
fputwc
fputws
fread
free
fwprintf
fwrite
getenv
iswctype
localeconv
malloc
memchr
memcmp
memcpy
memmove
memset
putc
qsort
realloc
strchr
strerror
strlen
strncmp
towlower
ungetwc
vfprintf
wcschr
wcscmp
wcscpy
wcsftime
wcslen
wcsncmp
wcspbrk
wcsrchr
wcsstr
wcstol
wcstoul

ntdll

NtClose
NtCreateFile
NtFsControlFile
NtOpenFile
NtOpenSymbolicLinkObject
NtQueryDirectoryFile
NtQueryEaFile
NtQueryInformationFile
NtQuerySecurityObject
NtQueryVolumeInformationFile
NtReadFile
NtSetEaFile
NtSetInformationFile
NtSetSecurityObject
NtWaitForSingleObject
NtWriteFile
RtlDosPathNameToNtPathName_U
RtlInitUnicodeString
RtlNtStatusToDosError

user32

wsprintfW

Exports

Exports

sha1_final
sha1_init
sha1_update
wimlib_add_empty_image
wimlib_add_image
wimlib_add_image_multisource
wimlib_add_tree
wimlib_compress
wimlib_create_compressor
wimlib_create_decompressor
wimlib_create_new_wim
wimlib_decompress
wimlib_delete_image
wimlib_delete_path
wimlib_export_image
wimlib_extract_image
wimlib_extract_image_from_pipe
wimlib_extract_image_from_pipe_with_progress
wimlib_extract_image_path
wimlib_extract_pathlist
wimlib_extract_paths
wimlib_extract_xml_data
wimlib_free
wimlib_free_compressor
wimlib_free_decompressor
wimlib_free_memory
wimlib_get_compression_type_string
wimlib_get_compressor_needed_memory
wimlib_get_error_string
wimlib_get_image_description
wimlib_get_image_name
wimlib_get_image_property
wimlib_get_version
wimlib_get_version_string
wimlib_get_wim_info
wimlib_get_xml_data
wimlib_global_cleanup
wimlib_global_init
wimlib_image_name_in_use
wimlib_iterate_dir_tree
wimlib_iterate_lookup_table
wimlib_join
wimlib_join_with_progress
wimlib_load_text_file
wimlib_mount_image
wimlib_open_wim
wimlib_open_wim_with_progress
wimlib_overwrite
wimlib_print_available_images
wimlib_print_header
wimlib_read_image_file
wimlib_reference_resource_files
wimlib_reference_resources
wimlib_reference_template_image
wimlib_register_progress_function
wimlib_rename_path
wimlib_resolve_image
wimlib_set_default_compression_level
wimlib_set_error_file
wimlib_set_error_file_by_name
wimlib_set_image_descripton
wimlib_set_image_flags
wimlib_set_image_name
wimlib_set_image_property
wimlib_set_memory_allocator
wimlib_set_output_chunk_size
wimlib_set_output_compression_type
wimlib_set_output_pack_chunk_size
wimlib_set_output_pack_compression_type
wimlib_set_print_errors
wimlib_set_wim_info
wimlib_split
wimlib_unmount_image
wimlib_unmount_image_with_progress
wimlib_update_image
wimlib_verify_wim
wimlib_write
wimlib_write_to_fd

Sections

.text
Size: 339KB - Virtual size: 338KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 720B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 101KB - Virtual size: 100KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.pdata
Size: 10KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.xdata
Size: 13KB - Virtual size: 13KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.bss
Size: - Virtual size: 130KB

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.edata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.idata
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.CRT
Size: 512B - Virtual size: 88B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 16B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 644B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Tools/x86/DISM/ReadMe.txt
Unattend/Win7-11-Select.xml
WimScript/WimScript.ini
WinNTSetup.ini.txt
WinNTSetup_x64.exe
.exe windows:6 windows x64 arch:x64

5812eb0ba263f239f68349549bad328d

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

D:\Coding\PureBasic\WinNTSetup\WinNTSetup_x64.pdb

Imports

kernel32

ReadProcessMemory
GetLocalTime
GetTimeFormatW
WritePrivateProfileStringW
LocaleNameToLCID
GetLocaleInfoW
GetPrivateProfileSectionW
AttachConsole
AllocConsole
ReadConsoleOutputW
SetEndOfFile
SetFileValidData
CreateEventW
SetFilePointer
GetTickCount
SetVolumeMountPointW
WideCharToMultiByte
WriteConsoleA
FindFirstFileNameW
FindNextFileNameW
FindResourceExW
SizeofResource
LockResource
FreeResource
GetDiskFreeSpaceW
SetLastError
RemoveDirectoryW
GetCurrentDirectoryW
SetCurrentDirectoryW
GetDateFormatW
LCIDToLocaleName
GetVolumeNameForVolumeMountPointW
GetWindowsDirectoryW
SetThreadExecutionState
OpenProcess
GetProcessId
FlushFileBuffers
GlobalMemoryStatusEx
FileTimeToSystemTime
WritePrivateProfileSectionW
GetFileTime
GlobalAlloc
GlobalLock
GlobalUnlock
GlobalFree
SystemTimeToTzSpecificLocalTime
GetTempFileNameW
WriteConsoleW
RtlCompareMemory
lstrcatW
lstrcpynW
MultiByteToWideChar
RtlMoveMemory
lstrlenA
FindVolumeClose
FindNextVolumeW
GetDiskFreeSpaceExW
GetVolumeInformationW
GetVolumePathNamesForVolumeNameW
lstrcmpW
FindFirstVolumeW
SetErrorMode
GetPrivateProfileStringW
GetSystemInfo
K32GetModuleInformation
SetDllDirectoryW
SetFileAttributesW
UnregisterWait
RegisterWaitForSingleObject
DeleteCriticalSection
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
HeapSize
GetVersionExW
HeapReAlloc
GetExitCodeProcess
PeekNamedPipe
CreateProcessW
CreatePipe
DuplicateHandle
HeapFree
HeapAlloc
CreateThread
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
GetPrivateProfileIntW
GetEnvironmentVariableW
GetNativeSystemInfo
GetCurrentThread
GetLogicalProcessorInformation
GetLogicalDrives
QueryDosDeviceW
GetDriveTypeW
GetLogicalDriveStringsW
CreateDirectoryW
Sleep
FormatMessageW
SetFirmwareEnvironmentVariableW
GetFirmwareEnvironmentVariableW
SetFilePointerEx
GetFileSizeEx
lstrlenW
GetFinalPathNameByHandleW
lstrcmpiW
lstrcpyW
ReadFile
MoveFileW
FindFirstFileW
SetConsoleTextAttribute
GetConsoleWindow
SetConsoleCursorPosition
DeviceIoControl
GetFullPathNameW
SetConsoleCursorInfo
SetConsoleCtrlHandler
SetConsoleTitleW
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
GetCurrentProcessId
GetCurrentThreadId
lstrcmpA
GetFileAttributesW
SetEvent
CopyFileW
EndUpdateResourceW
UpdateResourceW
CreateFileW
EnumResourceNamesW
BeginUpdateResourceW
WriteFile
VirtualProtect
DefineDosDeviceW
DeleteFileW
WaitForSingleObject
FindClose
FindNextFileW
FindFirstFileExW
MulDiv
RtlZeroMemory
QueryPerformanceFrequency
LoadResource
FindResourceW
SetEnvironmentVariableW
FreeLibrary
LoadLibraryExW
QueryPerformanceCounter
GetConsoleScreenBufferInfo
QueryFullProcessImageNameW
GetFileType
GetStdHandle
ExitProcess
HeapDestroy
GetProcAddress
LoadLibraryW
LocalFree
LocalAlloc
GetLastError
GetCurrentProcess
GetUserDefaultLocaleName
GetUserDefaultLCID
GetSystemWindowsDirectoryW
GetModuleFileNameW
GetLongPathNameW
GetTempPathW
HeapCreate
GetModuleHandleW
SetFileTime
SystemTimeToFileTime
GetSystemTime
UnmapViewOfFile
CloseHandle
MapViewOfFile
CreateFileMappingW
GetFileSize
GetCommandLineW

user32

EnumChildWindows
LockWindowUpdate
GetComboBoxInfo
FindWindowExW
SetWindowPos
GetClientRect
IsWindowEnabled
GetSysColorBrush
GetPropW
FrameRect
WindowFromDC
GetClassLongPtrW
CallNextHookEx
DrawTextW
MapWindowPoints
GetUpdateRect
SetRect
InflateRect
GetDC
ReleaseDC
GetClassInfoExW
RegisterWindowMessageW
GetSystemMetrics
SystemParametersInfoW
GetIconInfo
DestroyIcon
CreateIconIndirect
SetPropW
GetWindowLongPtrW
SetWindowLongPtrW
SendMessageW
CreatePopupMenu
InsertMenuW
ValidateRect
SetMenuDefaultItem
SetClassLongPtrW
AppendMenuW
IsChild
DefFrameProcW
GetFocus
AdjustWindowRectEx
UnregisterClassW
RegisterClassW
TranslateAcceleratorW
MsgWaitForMultipleObjects
PeekMessageW
DispatchMessageW
TranslateMessage
GetMessageW
IsZoomed
GetMenu
DestroyAcceleratorTable
CreateAcceleratorTableW
LoadIconW
SetActiveWindow
DrawFrameControl
GetScrollPos
RegisterClassExW
SetScrollPos
GetWindowDC
GetAsyncKeyState
GetWindowLongW
DrawStateW
ReleaseCapture
SetCapture
GetWindowTextLengthW
RedrawWindow
IntersectRect
EnableWindow
DestroyWindow
SetMenuItemInfoW
GetSysColor
DefWindowProcW
BeginPaint
CopyRect
FillRect
EndPaint
CharUpperW
EnableMenuItem
CharLowerW
EnumDisplayDevicesW
EnumWindows
ShowWindow
EnumDisplaySettingsW
EnumDisplaySettingsExW
ChangeDisplaySettingsW
GetDisplayConfigBufferSizes
QueryDisplayConfig
DisplayConfigGetDeviceInfo
DisplayConfigSetDeviceInfo
GetWindowRect
GetWindow
SetParent
DestroyMenu
GetKeyState
MessageBoxIndirectW
SetForegroundWindow
KillTimer
CheckMenuRadioItem
GetActiveWindow
GetDlgItem
UnhookWindowsHookEx
SetWindowsHookExW
CallWindowProcW
DrawIconEx
RemovePropW
GetDoubleClickTime
GetWindowThreadProcessId
IsWindowVisible
SetRectEmpty
MoveWindow
LoadCursorW
SetCursor
IsIconic
GetForegroundWindow
CopyImage
ClientToScreen
MessageBoxW
OpenClipboard
EmptyClipboard
SetClipboardData
CloseClipboard
DestroyCursor
GetDlgCtrlID
FindWindowW
GetClassNameW
CheckMenuItem
GetSystemMenu
CreateWindowExW
InvalidateRect
SetTimer
SetWindowPlacement
GetWindowPlacement
UpdateWindow
SetFocus
PostMessageW
SetWindowTextW
GetMessagePos
MessageBeep
FlashWindowEx
WindowFromPoint
ScreenToClient
RealChildWindowFromPoint
TrackPopupMenu
GetClassWord
GetParent
GetWindowTextW
LoadStringW
SetWindowCompositionAttribute

gdi32

CreateFontIndirectW
CreateDIBSection
CreateCompatibleBitmap
GetObjectW
DeleteObject
CreateSolidBrush
GetDeviceCaps
GetTextExtentPoint32W
CreateCompatibleDC
CreateFontW
GdiAlphaBlend
DeleteDC
CreateRectRgn
FrameRgn
ExtTextOutW
CreatePen
SelectObject
SetTextColor
MoveToEx
LineTo
EnumFontFamiliesW
SetStretchBltMode
AddFontResourceW
GetStockObject
CreatePatternBrush
SetViewportOrgEx
OffsetViewportOrgEx
GetObjectType
ExcludeClipRect
CreateDCW
CreateRectRgnIndirect
GetClipRgn
SelectClipRgn
ExtSelectClipRgn
StretchBlt
SetBrushOrgEx
CreateBitmap
GetDIBits
SetPixel
SetBkColor
Rectangle
SetBkMode
GetTextMetricsW

comdlg32

GetSaveFileNameW
GetOpenFileNameW

advapi32

DuplicateTokenEx
RegEnumKeyExW
ControlService
SetNamedSecurityInfoW
IsValidSecurityDescriptor
GetFileSecurityW
SetFileSecurityW
ConvertStringSecurityDescriptorToSecurityDescriptorW
RegQueryValueW
RegLoadKeyW
RegUnLoadKeyW
RegQueryInfoKeyW
CreateProcessAsUserW
CreateProcessWithTokenW
QueryServiceStatus
StartServiceW
RegEnumValueW
RegCreateKeyW
OpenServiceW
IsWellKnownSid
SetThreadToken
RevertToSelf
CloseServiceHandle
CreateServiceW
OpenSCManagerW
CheckTokenMembership
AllocateAndInitializeSid
RegSetValueExW
RegCreateKeyExW
RegOpenKeyExW
OpenProcessToken
GetTokenInformation
SetEntriesInAclW
RegOpenKeyW
RegQueryValueExW
RegCloseKey

comctl32

ImageList_Replace
ImageList_AddMasked
ord412
ImageList_GetImageCount
ImageList_Draw
ImageList_Add
ImageList_DrawEx
ImageList_GetIconSize
ord413
CreateToolbarEx
InitCommonControlsEx
ImageList_Remove
ord381
ImageList_Destroy
ImageList_GetIcon
ImageList_Merge
ImageList_ReplaceIcon
ImageList_Create
ord410

oleaut32

SafeArrayUnlock
SysFreeString
SafeArrayDestroy
VariantClear
SysAllocString
SafeArrayCreate
SafeArrayLock

ntdll

RtlAdjustPrivilege
NtQuerySystemInformation
RtlCreateUnicodeString
RtlUpcaseUnicodeString
RtlCreateUnicodeStringFromAsciiz
RtlIsNameInExpression
RtlFreeUnicodeString
RtlGetProcessHeaps
RtlAllocateHeap
RtlDosPathNameToNtPathName_U
NtOpenFile
NtClose
RtlFreeHeap
NtShutdownSystem
RtlGetVersion
RtlGetNtVersionNumbers
NtQueryVolumeInformationFile
NtQueryInformationProcess
RtlInitUnicodeString
NtOpenDirectoryObject
NtQueryDirectoryObject
RtlComputeCrc32
RtlGetLastNtStatus
RtlNtStatusToDosError
RtlRandom
NtCreatePagingFile
NtReadFile
NtTranslateFilePath
NtQueryInformationFile
NtFsControlFile
__chkstk

shell32

SHCreateShellItem
SHGetStockIconInfo
SHFormatDrive
SHBrowseForFolderW
SHGetDesktopFolder
SHParseDisplayName
StrStrIW
ShellExecuteW
ShellExecuteExW
SHGetImageList
SHGetFileInfoW
SHGetPathFromIDListW
SHDefExtractIconW
SHFileOperationW

ole32

RevokeDragDrop
StringFromGUID2
CoTaskMemFree
CreateStreamOnHGlobal
CLSIDFromString
CoCreateInstance
CoInitialize
CoCreateGuid

shlwapi

StrCmpLogicalW
PathCompactPathW
PathGetArgsW
StrStrNIW
PathCompactPathExW
PathParseIconLocationW
PathRemoveExtensionW
StrTrimW
PathIsNetworkPathW
StrToIntExW
PathSearchAndQualifyW
PathCombineW
SHCreateStreamOnFileW
SHCreateStreamOnFileEx
StrTrimA
PathIsDirectoryW
PathStripToRootW
PathRemoveBackslashW
StrToIntW
StrFormatByteSizeW
PathRemoveFileSpecW
PathIsRelativeW
PathFindFileNameW
PathMatchSpecW
PathFindExtensionW
PathFileExistsW
PathAddBackslashW

cfgmgr32

CM_Get_Device_IDW
CM_Get_Parent

rpcrt4

UuidCreate

setupapi

SetupOpenInfFileW
SetupIterateCabinetW
SetupDiGetDeviceRegistryPropertyW
SetupDiOpenDevRegKey
SetupGetStringFieldW
SetupDiGetDeviceInterfaceDetailW
SetupDiEnumDeviceInterfaces
SetupDiDestroyDeviceInfoList
SetupDiEnumDeviceInfo
SetupDiGetClassDevsW
SetupFindFirstLineW
SetupGetLineCountW
SetupGetLineByIndexW
SetupGetFieldCount
SetupDecompressOrCopyFileW
SetupGetBinaryField
SetupGetMultiSzFieldW
SetupGetIntField
SetupEnumInfSectionsW
SetupDiGetDeviceInstanceIdW
SetupCloseInfFile

userenv

CreateEnvironmentBlock
DestroyEnvironmentBlock

uxtheme

BeginBufferedPaint
DrawThemeText
BufferedPaintSetAlpha
EndBufferedPaint
BufferedPaintInit
OpenThemeData
SetWindowTheme
DrawThemeBackground
DrawThemeTextEx
GetThemePartSize
GetThemeFont
GetThemeInt

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

msvcrt

_strnicmp
fputc
fputs
wcstod
sqrt
_wcsdup
ceil
wcstol
_time64
wcschr
fseek
_localtime64
wcstoul
wcsstr
_gmtime64
memmove
floor
tolower
_mktime64
_itow
_wtoi
fread
fclose
strlen
realloc
strrchr
strchr
fgets
_wfopen
_wstati64
_wtol
_wsystem
malloc
wcscpy
swscanf
wcstok_s
wcslen
__wgetmainargs
wcsncmp
_vsnwprintf
wcsncpy
_wcsnicmp
wcscmp
wcscat
strstr
_wcsicmp
free
calloc
_snwprintf
memset
memcmp
memcpy
_stricmp
wcsspn

wtsapi32

WTSFreeMemory
WTSEnumerateProcessesW
WTSEnumerateSessionsW

virtdisk

GetVirtualDiskInformation
GetVirtualDiskOperationProgress
CreateVirtualDisk
GetStorageDependencyInformation
AttachVirtualDisk
DetachVirtualDisk
GetVirtualDiskPhysicalPath
OpenVirtualDisk

fltlib

FilterLoad
FilterAttach

Sections

.text
Size: 707KB - Virtual size: 706KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 26KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 172KB - Virtual size: 4.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 157KB - Virtual size: 156KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

7c2c71dfce9a27650634dc8b1ca03bf0

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

gdi32

shell32

advapi32

comctl32

ole32

Sections

.text Size: 24KB - Virtual size: 24KB

.rdata Size: 5KB - Virtual size: 4KB

.data Size: 1024B - Virtual size: 106KB

.ndata Size: - Virtual size: 36KB

.rsrc Size: 7KB - Virtual size: 6KB

8c8a576201f68de1a3f26fc723b9f30f

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

ole32

Exports

Exports

Sections

.text Size: 8KB - Virtual size: 7KB

.rdata Size: 1024B - Virtual size: 867B

.data Size: 512B - Virtual size: 104B

.reloc Size: 1024B - Virtual size: 636B

279416a3dfe8386ca2bd447389b068d7

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

kernel32

advapi32

user32

shell32

gdi32

comctl32

comdlg32

ntdll

Exports

Exports

Sections

.text Size: 70KB - Virtual size: 70KB

.data Size: 512B - Virtual size: 1KB

.pdata Size: 2KB - Virtual size: 1KB

.rsrc Size: 39KB - Virtual size: 38KB

.reloc Size: 512B - Virtual size: 60B

ea7a7ccc5fd79c1838a75212eeb78983

Code Sign

04:00:00:00:00:01:2f:4e:e1:52:d7Certificate

Key Usages

04:00:00:00:00:01:25:07:1d:f9:afCertificate

Key Usages

04:00:00:00:00:01:31:89:c6:4d:e1Certificate

Extended Key Usages

Key Usages

11:21:d6:99:a7:64:97:3e:f1:f8:42:7e:e9:19:cc:53:41:14Certificate

Extended Key Usages

Key Usages

61:29:15:27:00:00:00:00:00:2aCertificate

Key Usages

11:21:01:0f:f2:71:77:94:5c:4e:36:c5:fc:7a:4c:98:78:8aCertificate

Extended Key Usages

Key Usages

33:00:00:00:25:3a:27:38:69:0a:34:51:c1:00:00:00:00:00:25Certificate

Extended Key Usages

.text
Size: 24KB - Virtual size: 24KB

.rdata
Size: 5KB - Virtual size: 4KB

.data
Size: 1024B - Virtual size: 106KB

.ndata
Size: - Virtual size: 36KB

.rsrc
Size: 7KB - Virtual size: 6KB

.text
Size: 8KB - Virtual size: 7KB

.rdata
Size: 1024B - Virtual size: 867B

.data
Size: 512B - Virtual size: 104B

.reloc
Size: 1024B - Virtual size: 636B

.text
Size: 70KB - Virtual size: 70KB

.data
Size: 512B - Virtual size: 1KB

.pdata
Size: 2KB - Virtual size: 1KB

.rsrc
Size: 39KB - Virtual size: 38KB

.reloc
Size: 512B - Virtual size: 60B

04:00:00:00:00:01:2f:4e:e1:52:d7
Certificate

04:00:00:00:00:01:25:07:1d:f9:af
Certificate

04:00:00:00:00:01:31:89:c6:4d:e1
Certificate

11:21:d6:99:a7:64:97:3e:f1:f8:42:7e:e9:19:cc:53:41:14
Certificate

61:29:15:27:00:00:00:00:00:2a
Certificate

11:21:01:0f:f2:71:77:94:5c:4e:36:c5:fc:7a:4c:98:78:8a
Certificate

33:00:00:00:25:3a:27:38:69:0a:34:51:c1:00:00:00:00:00:25
Certificate

33:00:00:00:0d:69:0d:5d:78:93:d0:76:df:00:00:00:00:00:0d
Certificate

95:ba:c6:36:5d:47:e4:84:b6:b6:2e:6a:4d:e0:c1:ea:15:6e:57:b4:08:22:08:ed:fa:cb:05:01:63:66:1a:56
Signer

fc:7c:99:a3:05:b0:a2:e9:5a:14:df:b0:ff:ab:17:ee:0b:63:a5:3e
Signer

.text
Size: 58KB - Virtual size: 58KB

.data
Size: 1024B - Virtual size: 1KB

.rsrc
Size: 38KB - Virtual size: 37KB

.reloc
Size: 4KB - Virtual size: 3KB

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

9f:ea:c8:11:b0:f1:62:47:a5:fc:20:d8:05:23:ac:e6
Certificate

11:21:42:a1:2c:75:7c:ec:88:72:b6:e2:03:ec:d4:ea:64:91
Certificate

61:0b:7f:6b:00:00:00:00:00:19
Certificate

5c:42:5e:bf:54:48:19:7c:ad:73:70:15:5e:09:9d:b5:dd:f6:67:8b
Signer

.text
Size: 18KB - Virtual size: 17KB

.rdata
Size: 2KB - Virtual size: 2KB

.data
Size: 512B - Virtual size: 360B

.pdata
Size: 1KB - Virtual size: 1KB

PAGE
Size: 11KB - Virtual size: 10KB

INIT
Size: 6KB - Virtual size: 5KB

.rsrc
Size: 1024B - Virtual size: 872B

04:00:00:00:00:01:2f:4e:e1:35:5c
Certificate

9f:ea:c8:11:b0:f1:62:47:a5:fc:20:d8:05:23:ac:e6
Certificate

11:21:42:a1:2c:75:7c:ec:88:72:b6:e2:03:ec:d4:ea:64:91
Certificate

61:0b:7f:6b:00:00:00:00:00:19
Certificate

44:77:53:04:63:95:90:dd:ac:20:ee:b4:60:4a:3c:60:4d:94:46:a9
Signer