fe4fca6d8ab08ba1fa02fc179a01be3a

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_NATIVE
Compilation Date 2012-Jul-26 02:33:40
Detected languages English - United States
Debug artifacts win32k.pdb
CompanyName Microsoft Corporation
FileDescription Multi-User Win32 Driver
FileVersion 6.2.9200.16384 (win8_rtm.120725-1247)
InternalName win32k.sys
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename win32k.sys
ProductName Microsoft® Windows® Operating System
ProductVersion 6.2.9200.16384

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ v6.0 DLL
Suspicious Strings found in the binary may indicate undesirable behavior: May have dropper capabilities:
  • CurrentControlSet\Services
Info Cryptographic algorithms detected in the binary: Uses constants related to MD5
Suspicious The PE is possibly packed:
  • Unusual section name found: .kbdfall
  • Unusual section name found: PAGE
  • Section INIT is both writable and executable.
Malicious The PE contains functions mostly used by malware. Functions which can be used for anti-debugging purposes:
  • ZwQuerySystemInformation
  • DbgPrint
Uses Windows's Native API:
  • ZwAllocateVirtualMemory
  • ZwFreeVirtualMemory
  • ZwSetEvent
  • ZwQueryInformationToken
  • ZwClose
  • ZwCreateDirectoryObject
  • ZwOpenKey
  • ZwCreateEvent
  • ZwQueryValueKey
  • ZwQueryInformationProcess
  • ZwTerminateProcess
  • ZwOpenProcess
  • ZwPowerInformation
  • ZwQueryDefaultLocale
  • ZwQueryKey
  • ZwSetDefaultLocale
  • ZwSetDefaultUILanguage
  • ZwQueryDefaultUILanguage
  • ZwDeviceIoControlFile
  • ZwSetInformationThread
  • ZwSetInformationProcess
  • ZwDuplicateObject
  • ZwSetSecurityObject
  • ZwOpenThreadTokenEx
  • ZwOpenProcessTokenEx
  • ZwOpenDirectoryObject
  • ZwQueryObject
  • ZwSetSystemInformation
  • ZwYieldExecution
  • ZwUpdateWnfStateData
  • ZwEnumerateValueKey
  • ZwSetValueKey
  • ZwQueryInformationFile
  • ZwReadFile
  • ZwOpenSymbolicLinkObject
  • ZwQuerySymbolicLinkObject
  • ZwCreateFile
  • ZwCreateKey
  • NtClose
  • ZwCancelIoFile
  • ZwOpenFile
  • ZwQueryLicenseValue
  • ZwQuerySystemInformation
  • ZwEnumerateKey
  • ZwOpenEvent
  • ZwAlpcSendWaitReceivePort
  • ZwAlpcConnectPort
  • ZwWaitForSingleObject
  • ZwDeleteKey
  • ZwWaitForMultipleObjects
  • ZwClearEvent
  • ZwDeleteFile
  • ZwQueryVolumeInformationFile
  • ZwSetInformationFile
  • ZwCreateSection
  • ZwUnmapViewOfSection
  • ZwMapViewOfSection
  • ZwResetEvent
  • ZwSecureConnectPort
  • ZwLoadDriver
  • ZwUnloadDriver
Functions related to the privilege level:
  • ZwOpenProcessTokenEx
Safe VirusTotal score: 0/71 (Scanned on 2020-07-13 23:22:50) All the AVs think this file is safe.

Hashes

MD5 fe4fca6d8ab08ba1fa02fc179a01be3a
SHA1 4ca3a5ca098e6ac413ed67a01779de63010e6033
SHA256 4f6cf79559b9870e96ca85ffb96ef961776562f4ed85862450a07800d38cd449
SHA3 492fcbe4a9b1fac6e9b3fc06faffd08ca4fe77aef73ad277595b2b98b061b97e
SSDeep 98304:Rd3u6Y/Zz8aw6UOCAU+s4fUd0tM1/KPPZBU7iC:RU6QZzlCAUtsFq1/X7i
Imports Hash 61549659569d4083cd2a6a54e5cbe027

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0xf0

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 9
TimeDateStamp 2012-Jul-26 02:33:40
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 10.2
SizeOfCode 0x2e5a00
SizeOfInitializedData 0x67a00
SizeOfUninitializedData 0
AddressOfEntryPoint 0x00189ADA (Section: .text)
BaseOfCode 0x1000
BaseOfData 0x2e5000
ImageBase 0x10000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.2
ImageVersion 6.2
SubsystemVersion 6.2
Win32VersionValue 0
SizeOfImage 0x351000
SizeOfHeaders 0x400
Checksum 0x34bc9a
Subsystem IMAGE_SUBSYSTEM_NATIVE
SizeofStackReserve 0x40000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 3c0d339ec6fd8575198e6548c4016790
SHA1 27d15722056d5e28114ae69f62f066d3b3b03049
SHA256 d36cda78b1ec91a995f897ccae42d721978541ba0f949ead9b57aa5ac8b29906
SHA3 c7c1d8fcffce89a217bc2f9aebb2b34f50c5469463a687e8c23e8094b96e5e4b
VirtualSize 0x2ddb57
VirtualAddress 0x1000
SizeOfRawData 0x2ddc00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_NOT_PAGED
IMAGE_SCN_MEM_READ
Entropy 6.64306

.rdata

MD5 5042304fa1e313475914f0fe40bca048
SHA1 ab1b7c90cce617014b29005cec913b9f6836d145
SHA256 a79cfe19a32b3fa5e236eea777d7d1501d5faa526eb9ce6e60579078e84fab38
SHA3 49abfb2846f8373f3212cfc1aaa7b71facbba2f0a32a927cedfc9e331cc640e6
VirtualSize 0x12c14
VirtualAddress 0x2df000
SizeOfRawData 0x12e00
PointerToRawData 0x2de000
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_NOT_PAGED
IMAGE_SCN_MEM_READ
Entropy 5.24125

.data

MD5 72f0a490c54c0e282850a5156f4c0ece
SHA1 e6075f332a5a5b4a34414ae1ab8fdb486b34a04e
SHA256 ad8b531a1b556a1128eda662fbafc56b01fb1559128ed5a4edf8ea4368e7c365
SHA3 5d730680b7954be5aae59fa7af49a603ec6db580592073e6094a492798fc87cb
VirtualSize 0x1af00
VirtualAddress 0x2f2000
SizeOfRawData 0xc600
PointerToRawData 0x2f0e00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_NOT_PAGED
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 5.6092

.kbdfall

MD5 d5bc62b151873276773ef1131e6a5a59
SHA1 fce4e05dbd585b0e9ce539d32c1895b78a671af7
SHA256 0422ebd4875aee29b160a79882ad71c02bd67d5f996ad653bf493685f5686a27
SHA3 8fee76cf481e911356759a0ca2f327fada275608e6924d69db86e37c87a7a771
VirtualSize 0x638
VirtualAddress 0x30d000
SizeOfRawData 0x800
PointerToRawData 0x2fd400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_NOT_PAGED
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 3.73687

PAGE

MD5 fbae53b8639b5c470ef89314c9259355
SHA1 4062c39c21368777c341bed45dbc2267e1a61bf8
SHA256 aaaa31eb1b142b34585734a1a8b1f5064d7dd129a440c67ed2e653b53805b9ca
SHA3 b762581cf19e4d9eff51da2573c5d1a635eb9416bada3bcc6851cf945cfb604c
VirtualSize 0x56a
VirtualAddress 0x30e000
SizeOfRawData 0x600
PointerToRawData 0x2fdc00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Entropy 5.54986

.edata

MD5 8c47f1a48143d5be3b401663e81f258f
SHA1 2886fc5e99a67deaebda0abb7fc6f8d22b5069da
SHA256 09629de6dbf70923d6ecc8e4de7a77b2945aca30dfaea0e2b24fd18aee57a22a
SHA3 c3df06118f139197d8467e4e3d0320eede97e6fb83ac6d76bc2562282ac38d6c
VirtualSize 0x1e60
VirtualAddress 0x30f000
SizeOfRawData 0x2000
PointerToRawData 0x2fe200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Entropy 5.81611

INIT

MD5 8f417e1aa4f90dc658098a6ad28120ac
SHA1 4fa6ef51cd0ec4318c2b99af9acc02f4ba115c81
SHA256 543395de65df4b66d5368065fac57ac75ed400c89b2c6351a9fc93466cd3a58b
SHA3 c5dc213e048a451ad913703289e7b76c2ecfb98bd05b2fa06e348fa62512efcd
VirtualSize 0x77ca
VirtualAddress 0x311000
SizeOfRawData 0x7800
PointerToRawData 0x300200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Entropy 6.42514

.rsrc

MD5 617e7c1d98b3708974e4a658fe678825
SHA1 f786fcc3c5773da4fcc7876ac659dac5cba1133d
SHA256 277c58e93eefda57196631830aed63fb87fbb0d8568d2f2427c580c6845307cf
SHA3 813c59e974a98d7c81277dbbdb265ce219b5ce85af2508405690b36f2bccb26e
VirtualSize 0x18878
VirtualAddress 0x319000
SizeOfRawData 0x18a00
PointerToRawData 0x307a00
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 3.87131

.reloc

MD5 f60293f79bcedd9d8d539851ae630363
SHA1 5f61d078de3f1d4af8e2244d999acb3c95d34b2e
SHA256 6adb330b014f49e153f62c4eab220fc87b036694131071f9b83961147ecb9b46
SHA3 09449d50a0ed7f7bde4b85c74d59355cc8b922b1ff1bde7149d018a37b09807a
VirtualSize 0x1e9f0
VirtualAddress 0x332000
SizeOfRawData 0x1ea00
PointerToRawData 0x320400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
Entropy 6.80837

Imports

ntoskrnl.exe

memset
_chkstk
memcpy
PsGetCurrentThreadWin32Thread
ExAllocatePoolWithQuotaTag
ObfDereferenceObject
PsGetCurrentProcessId
ObfReferenceObject
PsSetProcessWin32Process
PsGetThreadWin32Thread
ExEnterCriticalRegionAndAcquireFastMutexUnsafe
PsReferenceKernelStack
ExReleaseFastMutexUnsafeAndLeaveCriticalRegion
PsSetThreadWin32Thread
memcmp
PsDereferenceKernelStack
PsGetCurrentProcess
ExRaiseDatatypeMisalignment
ExFreePool
ExRaiseStatus
ProbeForWrite
ObReferenceObjectByHandle
ExRaiseAccessViolation
RtlInitUnicodeString
ZwAllocateVirtualMemory
SeCaptureSecurityDescriptor
RtlNtStatusToDosError
ZwFreeVirtualMemory
SeReleaseSecurityDescriptor
RtlEqualUnicodeString
ObQueryNameInfo
ObOpenObjectByPointer
ExDesktopObjectType
ObCloseHandle
RtlCopyUnicodeString
PsGetCurrentProcessWin32Process
PsProcessType
PsGetProcessSessionId
ExQueryFastCacheDevLicense
PsGetProcessDebugPort
PsGetProcessPeb
RtlAreAnyAccessesGranted
PsLookupProcessByProcessId
PsJobType
ExEnterCriticalRegionAndAcquireResourceExclusive
PsGetJobLock
PsGetJobUIRestrictionsClass
ExAllocatePoolWithTag
ExReleaseResourceAndLeaveCriticalRegion
RtlIntegerToUnicodeString
RtlIntegerToUnicode
PsGetThreadProcessId
PsGetThreadId
SeCreateClientSecurity
KeGetCurrentThread
SeTokenType
PsDereferencePrimaryToken
PsDereferenceImpersonationToken
InterlockedExchange
ExEventObjectType
PsGetThreadProcess
KeEnterCriticalRegion
KeLeaveCriticalRegion
KeWaitForSingleObject
ZwSetEvent
RtlQueryElevationFlags
ZwQueryInformationToken
ZwClose
EtwWrite
SeTokenObjectType
PsReferencePrimaryToken
RtlQueryPackageIdentity
KeInitializeEvent
ObDeleteCapturedInsertInfo
MmCreateSection
MmMapViewInSessionSpace
MmUnmapViewInSessionSpace
ExInitializeResourceLite
ExDeleteResourceLite
ZwCreateDirectoryObject
RtlUnicodeStringToInteger
MmMapViewOfSection
ZwOpenKey
KeBugCheckEx
ZwCreateEvent
RtlDeleteRegistryValue
RtlQueryRegistryValues
RtlCompareUnicodeString
NlsMbCodePageTag
NlsAnsiCodePage
ZwQueryValueKey
ExWindowStationObjectType
ExIsResourceAcquiredExclusiveLite
PsIsSystemThread
SeSinglePrivilegeCheck
InterlockedCompareExchange
PsIsProtectedProcess
PsAcquireProcessExitSynchronization
KeStackAttachProcess
KeUnstackDetachProcess
PsReleaseProcessExitSynchronization
SeQueryInformationToken
PsQueryProcessAttributesByToken
RtlImageNtHeader
PsGetProcessSectionBaseAddress
RtlCompareMemory
RtlConvertSidToUnicodeString
ZwQueryInformationProcess
RtlFreeUnicodeString
PsGetProcessJob
PsGetProcessWin32WindowStation
KeSetEvent
PsGetProcessInheritedFromUniqueProcessId
SeQueryAuthenticationIdToken
PsSetProcessWindowStation
PsGetThreadSessionId
PsLookupThreadByThreadId
KeClearEvent
KeQuerySystemTime
PsGetProcessCreateTimeQuadPart
ZwTerminateProcess
PsGetProcessId
InterlockedPopEntrySList
InterlockedPushEntrySList
ExDeletePagedLookasideList
RtlInitializeBitMap
KeSetKernelStackSwapEnable
RtlFreeHeap
PsGetProcessCommonJob
ExInitializePagedLookasideList
KeWaitForMultipleObjects
PsIsThreadTerminating
PsGetCurrentProcessSessionId
ZwOpenProcess
PsReleaseProcessWakeCounter
PsGetProcessExitStatus
PsGetProcessExitProcessCalled
ObReferenceObjectByPointer
RtlInitAnsiString
PsGetProcessImageFileName
RtlAnsiStringToUnicodeString
PsThreadType
ExQueryFastCacheAppOrigin
ZwPowerInformation
KeCancelTimer
RtlDestroyAtomTable
RtlDestroyHeap
EtwUnregister
KeRemoveSystemServiceTable
MmUserProbeAddress
KeAddSystemServiceTable
PsEstablishWin32Callouts
DbgkLkmdRegisterCallback
EtwRegister
MmPageEntireDriver
KeQueryInterruptTime
ExInitializeRundownProtection
IoCreateDriver
RtlGetIntegerAtom
KeDelayExecutionThread
ZwQueryDefaultLocale
InterlockedDecrement
ZwQueryKey
ZwSetDefaultLocale
ZwSetDefaultUILanguage
ZwQueryDefaultUILanguage
ExRaiseHardError
ExIsResourceAcquiredSharedLite
ExEnterPriorityRegionAndAcquireResourceExclusive
PsEnterPriorityRegion
ExEnterPriorityRegionAndAcquireResourceShared
ExEnterCriticalRegionAndAcquireResourceShared
ExReleaseResourceAndLeavePriorityRegion
PsLeavePriorityRegion
KeInitializeApc
KeInsertQueueApc
KeReleaseSemaphore
IoGetRelatedDeviceObject
KeInitializeTimerEx
ZwDeviceIoControlFile
KeResetEvent
RtlAllocateHeap
PsGetCurrentThreadId
InitSafeBootMode
KeTickCount
KeQueryTimeIncrement
ZwSetInformationThread
ZwSetInformationProcess
ObCheckCreateObjectAccess
ObCreateObject
ObGetObjectSecurity
ObAssignSecurity
ObReleaseObjectSecurity
RtlMapGenericMask
KeAttachProcess
KeDetachProcess
ObOpenObjectByName
PsIsSystemProcess
MmUnmapViewOfSection
PsGetProcessSessionIdEx
KePulseEvent
ObFindHandleForObject
RtlSetBits
RtlClearBits
RtlAppendUnicodeToString
RtlAppendUnicodeStringToString
ZwDuplicateObject
RtlLengthRequiredSid
RtlSubAuthoritySid
RtlInitializeSid
ZwSetSecurityObject
RtlLengthSid
RtlCopySid
ExFreePoolWithTag
RtlCreateAcl
RtlAddAce
RtlSetDaclSecurityDescriptor
RtlSetSaclSecurityDescriptor
RtlSetOwnerSecurityDescriptor
RtlSetGroupSecurityDescriptor
SeExports
ObReferenceObjectByName
RtlAreAllAccessesGranted
SeCreateAccessState
ObCheckObjectAccess
SeDeleteAccessState
SeCaptureSubjectContext
SeLockSubjectContext
SePrivilegeCheck
SePrivilegeObjectAuditAlarm
SeUnlockSubjectContext
SeReleaseSubjectContext
ObGetObjectType
ObSetHandleAttributes
ZwOpenThreadTokenEx
ZwOpenProcessTokenEx
PsReferenceImpersonationToken
SeTokenIsRestricted
KeInitializeSemaphore
LpcRequestPort
LpcRequestWaitReplyPort
RtlCreateAtomTable
RtlAddAtomToAtomTable
RtlPinAtomInAtomTable
ZwOpenDirectoryObject
ExAcquireRundownProtection
ObInsertObject
SeAssignSecurity
ObSetSecurityDescriptorInfo
SeDeassignSecurity
ExReleaseRundownProtection
IoQueryDeviceDescription
KeSaveFloatingPointState
KeRestoreFloatingPointState
PoSetUserPresent
PoLatencySensitivityHint
ExWaitForRundownProtectionRelease
ExRundownCompleted
PsCreateSystemThread
ZwQueryObject
IoWMIOpenBlock
IoWMIQueryAllData
KeInitializeTimer
PoRequestShutdownEvent
KeTestAlertThread
IoDriverObjectType
RtlCheckTokenMembership
LpcPortObjectType
ZwSetSystemInformation
PsGetThreadFreezeCount
ZwYieldExecution
RtlUnicodeStringToAnsiString
RtlIntegerToChar
PsChargeProcessWakeCounter
PsGetProcessPriorityClass
PsSetProcessPriorityClass
PsSetProcessPriorityByClass
IoGetDeviceObjectPointer
IoBuildDeviceIoControlRequest
IofCallDriver
ZwUpdateWnfStateData
IoAllocateErrorLogEntry
IoWriteErrorLogEntry
InterlockedIncrement
IoGetStackLimits
RtlMultiByteToUnicodeN
MmSystemRangeStart
ZwEnumerateValueKey
KeSetPriorityThread
RtlUnicodeToMultiByteN
RtlGetThreadLangIdByIndex
KeSetTimer
KeSetCoalescableTimer
KeAlertThread
RtlFormatCurrentUserKeyPath
ZwSetValueKey
ExGetExclusiveWaiterCount
ExGetSharedWaiterCount
ExAllocatePoolWithTagPriority
NlsOemCodePage
RtlCreateAtomTableEx
RtlAddAtomToAtomTableEx
RtlLookupAtomInAtomTable
RtlDeleteAtomFromAtomTable
RtlQueryAtomInAtomTable
ZwQueryInformationFile
ZwReadFile
ZwOpenSymbolicLinkObject
ZwQuerySymbolicLinkObject
IoFileObjectType
ObQueryNameString
ZwCreateFile
SeImpersonateClientEx
ZwCreateKey
NtClose
EtwEventEnabled
RtlMultiByteToUnicodeSize
RtlUnicodeToMultiByteSize
KeUserModeCallback
IoUnregisterPlugPlayNotification
IoRegisterPlugPlayNotification
RtlWalkFrameChain
IoWMIHandleToInstanceName
IoWMIQuerySingleInstance
ZwCancelIoFile
IoBuildSynchronousFsdRequest
ZwOpenFile
IoOpenDeviceRegistryKey
_purecall
MmSectionObjectType
IoGetDevicePropertyData
ZwQueryLicenseValue
ZwQuerySystemInformation
RtlAddAccessAllowedAce
MmCommitSessionMappedView
RtlCreateHeap
ExCompositionSurfaceObjectType
IoInvalidateDeviceRelations
RtlOpenCurrentUser
PoUserShutdownInitiated
PsGetCurrentThreadProcessId
PoUserShutdownCancelled
RtlFindMessage
RtlStringFromGUID
RtlGUIDFromString
RtlAnsiCharToUnicodeChar
RtlWriteRegistryValue
ZwEnumerateKey
ZwOpenEvent
ZwAlpcSendWaitReceivePort
ZwAlpcConnectPort
ZwWaitForSingleObject
ZwDeleteKey
DbgPrint
RtlInitializeGenericTable
ExAcquireResourceExclusiveLite
ExReleaseResourceLite
ExAcquireResourceSharedLite
RtlLookupElementGenericTable
RtlInsertElementGenericTable
RtlDeleteElementGenericTable
RtlEnumerateGenericTableWithoutSplaying
ExfAcquirePushLockExclusive
ExfTryToWakePushLock
InterlockedExchangeAdd
ExInterlockedFlushSList
ExfAcquirePushLockShared
ExfReleasePushLockShared
RtlEnumerateGenericTable
ExSemaphoreObjectType
ExSystemExceptionFilter
ZwWaitForMultipleObjects
RtlNumberGenericTableElements
RtlGetElementGenericTable
ZwClearEvent
MmGetSystemRoutineAddress
ExAcquireSharedStarveExclusive
KeInitializeGuardedMutex
KeAcquireGuardedMutex
KeReleaseGuardedMutex
PsGetCurrentThreadTeb
DbgPrintEx
vsprintf_s
MmSecureVirtualMemory
MmUnsecureVirtualMemory
RtlInsertElementGenericTableAvl
RtlLookupElementGenericTableAvl
RtlDeleteElementGenericTableAvl
ExSystemTimeToLocalTime
RtlFillMemoryUlong
ExIsProcessorFeaturePresent
KeExpandKernelStackAndCallout
RtlTimeToTimeFields
KeReadStateEvent
swprintf_s
RtlUnicodeToCustomCPN
RtlInitCodePageTable
RtlGetDefaultCodePage
ZwDeleteFile
RtlCustomCPToUnicodeN
LdrResFindResource
LdrResFindResourceDirectory
KeReleaseMutex
RtlFindClearBits
RtlClearAllBits
RtlEqualSid
strncmp
toupper
wcsncpy_s
IoGetAttachedDeviceReference
IoGetDeviceProperty
wcscpy_s
IoGetDeviceInterfaces
IoOpenDeviceInterfaceRegistryKey
IoCreateFile
MmHighestUserAddress
PsGetCurrentThreadProcess
IoSetThreadHardErrorMode
ZwQueryVolumeInformationFile
ZwSetInformationFile
ZwCreateSection
RtlPrefixString
KeAreApcsDisabled
ObDuplicateObject
PsGetCurrentThreadPreviousMode
ZwUnmapViewOfSection
MmMapViewInSessionSpaceEx
PsGetCurrentThreadWin32ThreadAndEnterCriticalRegion
RtlInitializeGenericTableAvl
ZwMapViewOfSection
RtlEnumerateGenericTableAvl
RtlCreateRegistryKey
wcscspn
wcsspn
MmQuerySystemSize
RtlCaptureStackBackTrace
MmPrefetchVirtualAddresses
RtlGetNtGlobalFlags
LpcRequestWaitReplyPortEx
RtlAppendStringToString
wcscat_s
ZwResetEvent
KeInitializeMutex
RtlUpcaseUnicodeString
RtlExtendedLargeIntegerDivide
ZwSecureConnectPort
IoQueueThreadIrp
IoBuildAsynchronousFsdRequest
RtlFindMostSignificantBit
IoUnregisterPlugPlayNotificationEx
MmIsVerifierEnabled
MmAddVerifierThunks
RtlRandom
RtlCreateSecurityDescriptor
PsGetProcessWin32Process
_aullshr
_aulldiv
_allshr
_allshl
_allmul
_alldvrm
_alldiv
ZwLoadDriver
ZwUnloadDriver
KdDebuggerEnabled
KeIsAttachedProcess
RtlUnwind

msrpc.sys

RpcAsyncCancelCall
RpcAsyncCompleteCall
RpcBindingCreateW
NdrAsyncClientCall
I_RpcGetCompleteAndFreeRoutine
RpcBindingUnbind
RpcBindingBind
RpcAsyncInitializeHandle
I_RpcExceptionFilter
RpcBindingFree
RpcBindingCopy

watchdog.sys

SMgrRegisterGdiCallout
WdDiagNotifyUser
WdLogEvent5_WdLowResource
WdLogNewEntry5_WdLowResource
WdLogEvent5_WdTrace
WdLogNewEntry5_WdTrace
WdLogEvent5_WdEvent
WdLogNewEntry5_WdEvent
WdLogEvent5_WdWarning
WdLogNewEntry5_WdWarning
WdLogEvent5_WdAssertion
WdLogNewEntry5_WdAssertion
WdInitialize
WdLogEvent5_WdError
WdLogNewEntry5_WdError
SMgrNotifySessionChange

HIDPARSE.SYS

HidP_GetUsagesEx
HidP_GetUsages
HidP_SetUsageValue
HidP_SetUsages
HidP_GetSpecificValueCaps
HidP_GetCollectionDescription
HidP_GetCaps
HidP_GetLinkCollectionNodes
HidP_FreeCollectionDescription
HidP_GetSpecificButtonCaps
HidP_GetUsageValueArray
HidP_MaxUsageListLength
HidP_GetUsageValue

cng.sys

SystemPrng
BCryptOpenAlgorithmProvider
BCryptGetProperty
BCryptCreateHash
BCryptHashData
BCryptFinishHash
BCryptCloseAlgorithmProvider
BCryptDestroyHash
BCryptImportKeyPair
BCryptVerifySignature
BCryptDestroyKey

HAL.dll

KeQueryPerformanceCounter

Delayed Imports

Exports

FLOATOBJ_AddFloatObj

Ordinal 1
Address 0x225c0d

FLOATOBJ_DivFloatObj

Ordinal 2
Address 0x225ae2

FLOATOBJ_MulFloatObj

Ordinal 3
Address 0x225b29

FLOATOBJ_SubFloatObj

Ordinal 4
Address 0x225b9b

BRUSHOBJ_hGetColorTransform

Ordinal 5
Address 0x225f3e

BRUSHOBJ_pvAllocRbrush

Ordinal 6
Address 0x2261a1

BRUSHOBJ_pvGetRbrush

Ordinal 7
Address 0x2260a7

BRUSHOBJ_ulGetBrushColor

Ordinal 8
Address 0x146fe

CLIPOBJ_GetRgn

Ordinal 9
Address 0x226242

CLIPOBJ_bEnum

Ordinal 10
Address 0xeda35

CLIPOBJ_cEnumStart

Ordinal 11
Address 0xeda53

CLIPOBJ_ppoGetPath

Ordinal 12
Address 0x2263cf

EngAcquireFastMutex

Ordinal 13
Address 0x2269fb

EngAcquireSemaphore

Ordinal 14
Address 0x163fcb

EngAcquireSemaphoreNoWait

Ordinal 15
Address 0x826b9

EngAcquireSemaphoreShared

Ordinal 16
Address 0x226a3b

EngAcquireSemaphoreSharedNoWait

Ordinal 17
Address 0xbb82

EngAllocMem

Ordinal 18
Address 0xf0c06

EngAllocPrivateUserMem

Ordinal 19
Address 0x22885e

EngAllocSectionMem

Ordinal 20
Address 0x2266ac

EngAllocUserMem

Ordinal 21
Address 0x226a65

EngAlphaBlend

Ordinal 22
Address 0x135035

EngAssociateSurface

Ordinal 23
Address 0x80905

EngBitBlt

Ordinal 24
Address 0x135fdc

EngBugCheckEx

Ordinal 25
Address 0x310c3f
ForwardName NTOSKRNL.KeBugCheckEx

EngCTGetCurrentGamma

Ordinal 26
Address 0xd5fd2

EngCTGetGammaTable

Ordinal 27
Address 0xcfa40

EngCheckAbort

Ordinal 28
Address 0x22c172

EngClearEvent

Ordinal 29
Address 0x22cf49

EngCombineRgn

Ordinal 30
Address 0x82679

EngComputeGlyphSet

Ordinal 31
Address 0x67ca3

EngControlSprites

Ordinal 32
Address 0x2345e9

EngCopyBits

Ordinal 33
Address 0x10eae2

EngCopyRgn

Ordinal 34
Address 0x22d29b

EngCreateBitmap

Ordinal 35
Address 0x7ebaa

EngCreateClip

Ordinal 36
Address 0x2357d9

EngCreateDeviceBitmap

Ordinal 37
Address 0x37d8

EngCreateDeviceSurface

Ordinal 38
Address 0x80ae5

EngCreateDriverObj

Ordinal 39
Address 0x235b96

EngCreateEvent

Ordinal 40
Address 0x22d08d

EngCreateFastMutex

Ordinal 41
Address 0x226a31

EngCreatePalette

Ordinal 42
Address 0x7eaf1

EngCreatePath

Ordinal 43
Address 0x2360fb

EngCreateRectRgn

Ordinal 44
Address 0x82860

EngCreateRedirectionDeviceBitmap

Ordinal 45
Address 0x109c9d

EngCreateSemaphore

Ordinal 46
Address 0xfcaf2

EngCreateWnd

Ordinal 47
Address 0x23638a

EngDebugBreak

Ordinal 48
Address 0x310c55
ForwardName NTOSKRNL.DbgBreakPoint

EngDebugPrint

Ordinal 49
Address 0x226889

EngDeleteClip

Ordinal 50
Address 0x18bba8

EngDeleteDriverObj

Ordinal 51
Address 0x235a6b

EngDeleteEvent

Ordinal 52
Address 0x22d066

EngDeleteFastMutex

Ordinal 53
Address 0x226a12

EngDeleteFile

Ordinal 54
Address 0x22d31f

EngDeletePalette

Ordinal 55
Address 0x85f7a

EngDeletePath

Ordinal 56
Address 0x2360d6

EngDeleteRgn

Ordinal 57
Address 0x85a74

EngDeleteSafeSemaphore

Ordinal 58
Address 0x22690c

EngDeleteSemaphore

Ordinal 59
Address 0xf19ff

EngDeleteSurface

Ordinal 60
Address 0x85bca

EngDeleteWnd

Ordinal 61
Address 0x236356

EngDeviceIoControl

Ordinal 62
Address 0x226788

EngDitherColor

Ordinal 63
Address 0x237aae

EngDxIoctl

Ordinal 64
Address 0x2287ae

EngEnumForms

Ordinal 65
Address 0x237bc8

EngEqualRgn

Ordinal 66
Address 0x22d0d5

EngEraseSurface

Ordinal 67
Address 0x91ee6

EngFileIoControl

Ordinal 68
Address 0x237c60

EngFileWrite

Ordinal 69
Address 0x237c9f

EngFillPath

Ordinal 70
Address 0x47b64

EngFindImageProcAddress

Ordinal 71
Address 0x23b632

EngFindResource

Ordinal 72
Address 0x22d568

EngFntCacheAlloc

Ordinal 73
Address 0x1850a8

EngFntCacheFault

Ordinal 74
Address 0x23d44e

EngFntCacheLookUp

Ordinal 75
Address 0x19e229

EngFreeMem

Ordinal 76
Address 0xf0cf6

EngFreeModule

Ordinal 77
Address 0x23d516

EngFreePrivateUserMem

Ordinal 78
Address 0x2287ca

EngFreeSectionMem

Ordinal 79
Address 0x226675

EngFreeUserMem

Ordinal 80
Address 0x7924b

EngGetCurrentCodePage

Ordinal 81
Address 0x22d374

EngGetCurrentProcessId

Ordinal 82
Address 0x310c6c
ForwardName NTOSKRNL.PsGetCurrentProcessId

EngGetCurrentThreadId

Ordinal 83
Address 0x310c8b
ForwardName NTOSKRNL.PsGetCurrentThreadId

EngGetDriverName

Ordinal 84
Address 0x23e189

EngGetFileChangeTime

Ordinal 85
Address 0x22d597

EngGetFilePath

Ordinal 86
Address 0x22d673

EngGetForm

Ordinal 87
Address 0x237bc8

EngGetLastError

Ordinal 88
Address 0x2268f1

EngGetPrinter

Ordinal 89
Address 0x237bd9

EngGetPrinterData

Ordinal 90
Address 0x237bb6

EngGetPrinterDataFileName

Ordinal 91
Address 0x23e1a6

EngGetPrinterDriver

Ordinal 92
Address 0x237bc8

EngGetProcessHandle

Ordinal 93
Address 0xdd2ae

EngGetRgnBox

Ordinal 94
Address 0x22d2d7

EngGetRgnData

Ordinal 95
Address 0x82638

EngGetTickCount

Ordinal 96
Address 0x237ccc

EngGetType1FontList

Ordinal 97
Address 0x237bc8

EngGradientFill

Ordinal 98
Address 0xd1e50

EngHangNotification

Ordinal 99
Address 0x23b4bd

EngInitializeSafeSemaphore

Ordinal 100
Address 0x226961

EngIntersectRgn

Ordinal 101
Address 0x22d24f

EngIsCddDeviceBitmap

Ordinal 102
Address 0x226b31

EngIsSemaphoreOwned

Ordinal 103
Address 0x97b6c

EngIsSemaphoreOwnedByCurrentThread

Ordinal 104
Address 0xf102a

EngIsSemaphoreSharedByCurrentThread

Ordinal 105
Address 0x8265c

EngLineTo

Ordinal 106
Address 0x3329e

EngLoadImage

Ordinal 107
Address 0x23b73b

EngLoadModule

Ordinal 108
Address 0x23d5b6

EngLoadModuleForWrite

Ordinal 109
Address 0x23d5ce

EngLockDirectDrawSurface

Ordinal 110
Address 0x228893

EngLockDriverObj

Ordinal 111
Address 0x235b70

EngLockSurface

Ordinal 112
Address 0xf5413

EngLpkInstalled

Ordinal 113
Address 0x187cf3

EngMapEvent

Ordinal 114
Address 0x22cfe9

EngMapFile

Ordinal 115
Address 0x23e084

EngMapFontFile

Ordinal 116
Address 0x23d860

EngMapFontFileFD

Ordinal 117
Address 0x2d79c

EngMapModule

Ordinal 118
Address 0x23d4fa

EngMapSection

Ordinal 119
Address 0x2265e3

EngMarkBandingSurface

Ordinal 120
Address 0xf346

EngModifySurface

Ordinal 121
Address 0xfcaff

EngMovePointer

Ordinal 122
Address 0x23ffff

EngMulDiv

Ordinal 123
Address 0x12010a

EngMultiByteToUnicodeN

Ordinal 124
Address 0x226777

EngMultiByteToWideChar

Ordinal 125
Address 0x22d784

EngNineGrid

Ordinal 126
Address 0x1490d5

EngOffsetRgn

Ordinal 127
Address 0x22d2fb

EngPaint

Ordinal 128
Address 0xa5689

EngPlgBlt

Ordinal 129
Address 0x21c05

EngProbeForRead

Ordinal 130
Address 0x226831

EngProbeForReadAndWrite

Ordinal 131
Address 0x310ca9
ForwardName NTOSKRNL.ProbeForWrite

EngQueryDeviceAttribute

Ordinal 132
Address 0x23e1bd

EngQueryLocalTime

Ordinal 133
Address 0x22bdbb

EngQueryPalette

Ordinal 134
Address 0x235c09

EngQueryPerformanceCounter

Ordinal 135
Address 0x226748

EngQueryPerformanceFrequency

Ordinal 136
Address 0x226737

EngQuerySystemAttribute

Ordinal 137
Address 0x226496

EngQueryW32kCddInterface

Ordinal 138
Address 0x8289f

EngReadStateEvent

Ordinal 139
Address 0x22cf30

EngRectInRgn

Ordinal 140
Address 0x22d147

EngReleaseFastMutex

Ordinal 141
Address 0x2269e4

EngReleaseSemaphore

Ordinal 142
Address 0x163fef

EngRestoreFloatingPointState

Ordinal 143
Address 0x22653f

EngSaveFloatingPointState

Ordinal 144
Address 0x22656f

EngSecureMem

Ordinal 145
Address 0x226815

EngSetEvent

Ordinal 146
Address 0x22cf62

EngSetLastError

Ordinal 147
Address 0xe5d21

EngSetPointerShape

Ordinal 148
Address 0x19b4ef

EngSetPointerTag

Ordinal 149
Address 0x2418db

EngSetPrinterData

Ordinal 150
Address 0x237ba4

EngSetRectRgn

Ordinal 151
Address 0x97b31

EngSort

Ordinal 152
Address 0x241a76

EngStretchBlt

Ordinal 153
Address 0xe3a5c

EngStretchBltROP

Ordinal 154
Address 0x4bc22

EngStrokeAndFillPath

Ordinal 155
Address 0x7777

EngStrokePath

Ordinal 156
Address 0x49ea3

EngSubtractRgn

Ordinal 157
Address 0x22d203

EngTextOut

Ordinal 158
Address 0x172628

EngTransparentBlt

Ordinal 159
Address 0x7f2e8

EngUnicodeToMultiByteN

Ordinal 160
Address 0x226766

EngUnionRgn

Ordinal 161
Address 0x22d1b7

EngUnloadImage

Ordinal 162
Address 0x23b61a

EngUnlockDirectDrawSurface

Ordinal 163
Address 0x228893

EngUnlockDriverObj

Ordinal 164
Address 0x235b36

EngUnlockSurface

Ordinal 165
Address 0xf10bc

EngUnmapEvent

Ordinal 166
Address 0x22cfb8

EngUnmapFile

Ordinal 167
Address 0x23e0dd

EngUnmapFontFile

Ordinal 168
Address 0x23d7f5

EngUnmapFontFileFD

Ordinal 169
Address 0xb2124

EngUnsecureMem

Ordinal 170
Address 0x310cc0
ForwardName NTOSKRNL.MmUnsecureVirtualMemory

EngUpdateDeviceSurface

Ordinal 171
Address 0x7de74

EngWaitForSingleObject

Ordinal 172
Address 0x22cf7f

EngWideCharToMultiByte

Ordinal 173
Address 0x188d01

EngWritePrinter

Ordinal 174
Address 0x237b93

EngXorRgn

Ordinal 175
Address 0x22d16b

FLOATOBJ_Add

Ordinal 176
Address 0x225c0d

FLOATOBJ_AddFloat

Ordinal 177
Address 0x225c54

FLOATOBJ_AddLong

Ordinal 178
Address 0x225c29

FLOATOBJ_Div

Ordinal 179
Address 0x225ae2

FLOATOBJ_DivFloat

Ordinal 180
Address 0x225afe

FLOATOBJ_DivLong

Ordinal 181
Address 0x3e8f8

FLOATOBJ_Equal

Ordinal 182
Address 0x225a00

FLOATOBJ_EqualLong

Ordinal 183
Address 0x225a94

FLOATOBJ_GetFloat

Ordinal 184
Address 0x225c9f

FLOATOBJ_GetLong

Ordinal 185
Address 0x225c7f

FLOATOBJ_GreaterThan

Ordinal 186
Address 0x2259e7

FLOATOBJ_GreaterThanLong

Ordinal 187
Address 0x225a48

FLOATOBJ_LessThan

Ordinal 188
Address 0x2259ce

FLOATOBJ_LessThanLong

Ordinal 189
Address 0x225a10

FLOATOBJ_Mul

Ordinal 190
Address 0x225b29

FLOATOBJ_MulFloat

Ordinal 191
Address 0x225b70

FLOATOBJ_MulLong

Ordinal 192
Address 0x225b45

FLOATOBJ_Neg

Ordinal 193
Address 0x225acc

FLOATOBJ_SetFloat

Ordinal 194
Address 0x225cc8

FLOATOBJ_SetLong

Ordinal 195
Address 0x225caf

FLOATOBJ_Sub

Ordinal 196
Address 0x225b9b

FLOATOBJ_SubFloat

Ordinal 197
Address 0x225be2

FLOATOBJ_SubLong

Ordinal 198
Address 0x225bb7

FONTOBJ_cGetAllGlyphHandles

Ordinal 199
Address 0x245df1

FONTOBJ_cGetGlyphs

Ordinal 200
Address 0x245d36

FONTOBJ_pQueryGlyphAttrs

Ordinal 201
Address 0x245ed0

FONTOBJ_pfdg

Ordinal 202
Address 0x245eb9

FONTOBJ_pifi

Ordinal 203
Address 0x151c7

FONTOBJ_pjOpenTypeTablePointer

Ordinal 204
Address 0x245e23

FONTOBJ_pvTrueTypeFontFile

Ordinal 205
Address 0x245cf1

FONTOBJ_pwszFontFilePaths

Ordinal 206
Address 0x245e66

FONTOBJ_pxoGetXform

Ordinal 207
Address 0x245d90

FONTOBJ_vGetInfo

Ordinal 208
Address 0x245da6

HT_ComputeRGBGammaTable

Ordinal 209
Address 0x21b965

HT_Get8BPPFormatPalette

Ordinal 210
Address 0x21b88e

HT_Get8BPPMaskPalette

Ordinal 211
Address 0x97de

HeapVidMemAllocAligned

Ordinal 212
Address 0x2287e1

PALOBJ_cGetColors

Ordinal 213
Address 0x24686f

PATHOBJ_bCloseFigure

Ordinal 214
Address 0x235f2d

PATHOBJ_bEnum

Ordinal 215
Address 0x1073d0

PATHOBJ_bEnumClipLines

Ordinal 216
Address 0x246977

PATHOBJ_bMoveTo

Ordinal 217
Address 0x235f43

PATHOBJ_bPolyBezierTo

Ordinal 218
Address 0x235eeb

PATHOBJ_bPolyLineTo

Ordinal 219
Address 0x235f0b

PATHOBJ_vEnumStart

Ordinal 220
Address 0x2361b7

PATHOBJ_vEnumStartClipLines

Ordinal 221
Address 0x24699b

PATHOBJ_vGetBounds

Ordinal 222
Address 0x49565

RtlAnsiCharToUnicodeChar

Ordinal 223
Address 0x310ce1
ForwardName NTOSKRNL.RtlAnsiCharToUnicodeChar

RtlMultiByteToUnicodeN

Ordinal 224
Address 0x310d03
ForwardName NTOSKRNL.RtlMultiByteToUnicodeN

RtlRaiseException

Ordinal 225
Address 0x310d23
ForwardName NTOSKRNL.RtlRaiseException

RtlUnicodeToMultiByteN

Ordinal 226
Address 0x310d3e
ForwardName NTOSKRNL.RtlUnicodeToMultiByteN

RtlUnicodeToMultiByteSize

Ordinal 227
Address 0x310d5e
ForwardName NTOSKRNL.RtlUnicodeToMultiByteSize

RtlUnwind

Ordinal 228
Address 0x310d81
ForwardName NTOSKRNL.RtlUnwind

RtlUpcaseUnicodeChar

Ordinal 229
Address 0x310d94
ForwardName NTOSKRNL.RtlUpcaseUnicodeChar

RtlUpcaseUnicodeToMultiByteN

Ordinal 230
Address 0x310db2
ForwardName NTOSKRNL.RtlUpcaseUnicodeToMultiByteN

STROBJ_bEnum

Ordinal 231
Address 0x4cb40

STROBJ_bEnumPositionsOnly

Ordinal 232
Address 0x247f13

STROBJ_bGetAdvanceWidths

Ordinal 233
Address 0x247e43

STROBJ_dwGetCodePage

Ordinal 234
Address 0x24302b

STROBJ_fxBreakExtra

Ordinal 235
Address 0x24443b

STROBJ_fxCharacterExtra

Ordinal 236
Address 0x24441a

STROBJ_vEnumStart

Ordinal 237
Address 0x247e2a

VidMemFree

Ordinal 238
Address 0x1935f4

WNDOBJ_bEnum

Ordinal 239
Address 0xeda35

WNDOBJ_cEnumStart

Ordinal 240
Address 0x2362b0

WNDOBJ_vSetConsumer

Ordinal 241
Address 0x23628e

XFORMOBJ_bApplyXform

Ordinal 242
Address 0x225d30

XFORMOBJ_iGetFloatObjXform

Ordinal 243
Address 0x225ce1

XFORMOBJ_iGetXform

Ordinal 244
Address 0x8c02e

XLATEOBJ_cGetPalette

Ordinal 245
Address 0x247f4c

XLATEOBJ_hGetColorTransform

Ordinal 246
Address 0x248001

XLATEOBJ_iXlate

Ordinal 247
Address 0x9eb90

XLATEOBJ_piVector

Ordinal 248
Address 0x247fed

_abnormal_termination

Ordinal 249
Address 0x310dd8
ForwardName NTOSKRNL._abnormal_termination

_except_handler2

Ordinal 250
Address 0x310df7
ForwardName NTOSKRNL._except_handler2

_global_unwind2

Ordinal 251
Address 0x310e11
ForwardName NTOSKRNL._global_unwind2

_itoa

Ordinal 252
Address 0x310e2a
ForwardName NTOSKRNL._itoa

_itow

Ordinal 253
Address 0x310e39
ForwardName NTOSKRNL._itow

_local_unwind2

Ordinal 254
Address 0x310e48
ForwardName NTOSKRNL._local_unwind2

1

Type MUI
Language English - United States
Codepage UNKNOWN
Size 0xf8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.76192
MD5 c02eeb23576aa0f22cfc214f48503004
SHA1 cebab3cdbb9d5fa39c69ab3699dcc4aa654d58e0
SHA256 18c6eccebf32ff86ee1ee296f42b9408daa3892f2ae174622884c699ee0b3dbc
SHA3 96d7739ca370ac88a9981281d812c61ddcbc9ea5480ebd35f85aa978f7ef37fc

1 (#2)

Type WEVT_TEMPLATE
Language English - United States
Codepage UNKNOWN
Size 0x14a42
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.88356
MD5 532fbc9c38c9fbf79e347fdd8510d6f0
SHA1 ea2a00963b2b1ef9f157bd1a2fb088d784bd8767
SHA256 82e567aa63ec31c5751ad6d29fbea40dcf30c4de55bb97cfbfe166a26190cd81
SHA3 fa9d998c3ab49e501ca131fa70a7bcaf2f3b4449819d8e8ff1dfc57adc96c901

1 (#3)

Type RT_STRING
Language English - United States
Codepage UNKNOWN
Size 0x188
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.6878
MD5 6c7a56260ea30b64d59c6fd4b6edba33
SHA1 080d19d5e98dd29132f0b1ef58d7cfbc2d540b3c
SHA256 2951a1d0cc889f2a9a82bf693eb0c200233670ea48209473bd1af20f22769795
SHA3 d36781214266c2bf4c32fe31a76b26a494a57e4feeede00b6211f2b79f308d7b

2

Type RT_STRING
Language English - United States
Codepage UNKNOWN
Size 0x70
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.71791
MD5 ac76d47c2dc9e3f5261104f619cfaa41
SHA1 34c81fb5fd7d3551fba4b3e77658527446d24d37
SHA256 8990f06600853145caa490e8f4235e9c92ddc898069c037594bb1b855972101c
SHA3 bdcfd66c22a07ca7b2ab37e61005b32e6ac04d57d9e5383c40373f7e64607b58

1 (#4)

Type RT_MESSAGETABLE
Language English - United States
Codepage UNKNOWN
Size 0x35d8
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.48101
MD5 b832a113d2b9264f25c958aff038a12f
SHA1 3dcda70305b5921019a8512d59c401ffd6770a84
SHA256 8266cc2d2914e8590dc58cac33970af16f50fe1cf536c49df7963a0540bb776e
SHA3 063e14b6f32ff39d5a775aa5511ebe733c8feb0d96fac3bfdcb865d42e1a9b9c

1 (#5)

Type RT_VERSION
Language English - United States
Codepage UNKNOWN
Size 0x394
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.58803
MD5 6555d70154b39573a83f6e96e4a74fca
SHA1 4688ab2ee0f3b3142803605da61789fc614dd1dd
SHA256 d02343099b4c4118c1cb6cc00cc3d1803122f0b84b81f8cc97fe90b403d81660
SHA3 260b9cdbac9b193a9046f4ccdd9823e2926f6e4ed189dd4f4f94cbe0343fa9b9

String Table contents

0:Western
2:Symbol
77:Mac
128:Japanese
129:Hangul
130:Hangul(Johab)
134:CHINESE_GB2312
136:CHINESE_BIG5
161:Greek
162:Turkish
163:Vietnamese
177:Hebrew
178:Arabic
186:Baltic
204:Cyrillic
222:Thai
238:Central European
255:OEM/DOS
256:Other

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 6.2.9200.16384
ProductVersion 6.2.9200.16384
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32
VOS_NT
VOS_NT_WINDOWS32
VOS_WINCE
VOS__WINDOWS32
FileType VFT_DRV
FileSubtype VFT2_DRV_SYSTEM
Language English - United States
CompanyName Microsoft Corporation
FileDescription Multi-User Win32 Driver
FileVersion (#2) 6.2.9200.16384 (win8_rtm.120725-1247)
InternalName win32k.sys
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename win32k.sys
ProductName Microsoft® Windows® Operating System
ProductVersion (#2) 6.2.9200.16384
Resource LangID English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2012-Jul-26 02:33:40
Version 0.0
SizeofData 35
AddressOfRawData 0x2deb34
PointerToRawData 0x2ddf34
Referenced File win32k.pdb

IMAGE_DEBUG_TYPE_RESERVED

Characteristics 0
TimeDateStamp 2012-Jul-26 02:33:40
Version 565.30117
SizeofData 8
AddressOfRawData 0x2deb2c
PointerToRawData 0x2ddf2c

TLS Callbacks

Load Configuration

Size 0x48
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x303718
SEHandlerTable 0x2f7020
SEHandlerCount 3

RICH Header

XOR Key 0x2e0f0899
Unmarked objects 0
Total imports 537
185 (30716) 13
189 (30716) 9
188 (30716) 28
184 (30716) 1
187 (30716) 18
197 (30716) 460
183 (30716) 1
186 (30716) 1

Errors