ReAgent.dll
Description: Microsoft Windows Recovery Agent DLL
Authors: © Microsoft Corporation. All rights reserved.
Version: 10.0.19041.6456
Architecture: 64-bit
Operating System: Windows NT
SHA256: 34eac81456d279102526876a722176b5
File Size: 1.1 MB
Uploaded At: Dec. 1, 2025, 7:37 a.m.
Views: 7
Security Warning
This file has been flagged as potentially dangerous.
Reason: Detected potentially dangerous functions used for process injection: OpenProcess
Exported Functions
- WinRE_Specialize (Ordinal: 1, Address: 0x155a0)
- WinRE_Specialize_Offline (Ordinal: 2, Address: 0x15640)
- WinReClearOemImagePath (Ordinal: 3, Address: 0x18f70)
- WinReRestoreConfigAfterPBR (Ordinal: 4, Address: 0x20b30)
- WinRECheckGuid (Ordinal: 5, Address: 0x1aac0)
- WinREUseNewPBRImage (Ordinal: 6, Address: 0x1abd0)
- WinRE_Generalize (Ordinal: 7, Address: 0x1af50)
- WinReAddTrustedBootApp (Ordinal: 8, Address: 0x1afa0)
- WinReClearBootApp (Ordinal: 9, Address: 0x1b060)
- WinReClearError (Ordinal: 10, Address: 0xe550)
- WinReConfigureTask (Ordinal: 11, Address: 0x1b100)
- WinReCopyDiagnosticFiles (Ordinal: 12, Address: 0x1b600)
- WinReCopyLogFilesToRamdisk (Ordinal: 13, Address: 0x22340)
- WinReCreateLogInstance (Ordinal: 14, Address: 0x223e0)
- WinReCreateLogInstanceEx (Ordinal: 15, Address: 0x22420)
- WinReDeleteLogFiles (Ordinal: 16, Address: 0x22570)
- WinReGetConfig (Ordinal: 17, Address: 0xe560)
- WinReGetCustomization (Ordinal: 18, Address: 0x1b6b0)
- WinReGetError (Ordinal: 19, Address: 0xec70)
- WinReGetLogDirPath (Ordinal: 20, Address: 0x22680)
- WinReGetTrustedBootApps (Ordinal: 21, Address: 0x1bab0)
- WinReGetWIMInfo (Ordinal: 22, Address: 0x1bb60)
- WinReHashBootApp (Ordinal: 23, Address: 0x1bda0)
- WinReHashWimFile (Ordinal: 24, Address: 0x1be50)
- WinReInitiateOfflineScanning (Ordinal: 25, Address: 0x1bee0)
- WinReInstall (Ordinal: 26, Address: 0x161e0)
- WinReInstallOnTargetOS (Ordinal: 27, Address: 0x16290)
- WinReIsInstalledOnSystemPartition (Ordinal: 28, Address: 0x1c2d0)
- WinReIsWimBootEnabled (Ordinal: 29, Address: 0x1c830)
- WinReIsWinPE (Ordinal: 30, Address: 0xec80)
- WinReOobeInstall (Ordinal: 31, Address: 0x1c8d0)
- WinReOpenLogInstance (Ordinal: 32, Address: 0x229b0)
- WinRePostBCDRepair (Ordinal: 33, Address: 0x1cad0)
- WinReQueueRecoveryBoot (Ordinal: 34, Address: 0x1cea0)
- WinReReinstall (Ordinal: 35, Address: 0x163b0)
- WinReRemoveTrustedBootApp (Ordinal: 36, Address: 0x1d020)
- WinReRepair (Ordinal: 37, Address: 0x1d0d0)
- WinReRestoreLogFiles (Ordinal: 38, Address: 0x22c50)
- WinReSetBootApp (Ordinal: 39, Address: 0x1d610)
- WinReSetConfig (Ordinal: 40, Address: 0x1d6c0)
- WinReSetCustomization (Ordinal: 41, Address: 0x1ddb0)
- WinReSetError (Ordinal: 42, Address: 0xec90)
- WinReSetNarratorScheduled (Ordinal: 43, Address: 0x1e150)
- WinReSetRecoveryAction (Ordinal: 44, Address: 0x1e350)
- WinReSetTriggerFile (Ordinal: 45, Address: 0x22cf0)
- WinReSetupBackupWinRE (Ordinal: 46, Address: 0x24770)
- WinReSetupCheckWinRE (Ordinal: 47, Address: 0x256d0)
- WinReSetupInstall (Ordinal: 48, Address: 0x164e0)
- WinReSetupMigrateData (Ordinal: 49, Address: 0x25860)
- WinReSetupRemoveWinRE (Ordinal: 50, Address: 0x25d20)
- WinReSetupRestoreWinREEx (Ordinal: 51, Address: 0x25f00)
- WinReSetupSetImage (Ordinal: 52, Address: 0x26030)
- WinReUnInstall (Ordinal: 53, Address: 0x1e740)
- WinReUpdateLogInstance (Ordinal: 54, Address: 0x22fa0)
- WinReValidateRecoveryWim (Ordinal: 55, Address: 0x1e7f0)
- WinReValidateWimFile (Ordinal: 56, Address: 0x1ed30)
- winreFindInstallMedia (Ordinal: 57, Address: 0x26df0)
- winreGetBinaryArch (Ordinal: 58, Address: 0x28050)
Imported DLLs & Functions
ADVAPI32.dll
- AddAccessAllowedAceEx (Address: 0x1800c2c90)
- AdjustTokenPrivileges (Address: 0x1800c2cb0)
- AllocateAndInitializeSid (Address: 0x1800c2ca8)
- CloseEncryptedFileRaw (Address: 0x1800c2c08)
- ConvertStringSecurityDescriptorToSecurityDescriptorW (Address: 0x1800c2c80)
- CryptAcquireContextW (Address: 0x1800c2d10)
- CryptCreateHash (Address: 0x1800c2d08)
- CryptDestroyHash (Address: 0x1800c2cf0)
- CryptGetHashParam (Address: 0x1800c2cf8)
- CryptHashData (Address: 0x1800c2d00)
- CryptReleaseContext (Address: 0x1800c2d18)
- DuplicateTokenEx (Address: 0x1800c2d50)
- EventRegister (Address: 0x1800c2c78)
- EventUnregister (Address: 0x1800c2c70)
- EventWrite (Address: 0x1800c2d60)
- EventWriteTransfer (Address: 0x1800c2c68)
- FreeSid (Address: 0x1800c2be8)
- GetAclInformation (Address: 0x1800c2c28)
- GetLengthSid (Address: 0x1800c2ca0)
- GetSecurityDescriptorControl (Address: 0x1800c2c38)
- GetSecurityDescriptorDacl (Address: 0x1800c2c48)
- GetSecurityDescriptorGroup (Address: 0x1800c2c50)
- GetSecurityDescriptorLength (Address: 0x1800c2c30)
- GetSecurityDescriptorOwner (Address: 0x1800c2c58)
- GetSecurityDescriptorSacl (Address: 0x1800c2c40)
- InitializeAcl (Address: 0x1800c2c98)
- InitiateSystemShutdownExW (Address: 0x1800c2cd0)
- LookupPrivilegeValueW (Address: 0x1800c2cb8)
- OpenEncryptedFileRawW (Address: 0x1800c2c18)
- OpenProcessToken (Address: 0x1800c2cc0)
- OpenThreadToken (Address: 0x1800c2c20)
- RegCloseKey (Address: 0x1800c2d38)
- RegCreateKeyExW (Address: 0x1800c2cd8)
- RegDeleteKeyExW (Address: 0x1800c2d68)
- RegDeleteKeyW (Address: 0x1800c2cc8)
- RegDeleteTreeW (Address: 0x1800c2bf0)
- RegDeleteValueW (Address: 0x1800c2d28)
- RegEnumValueW (Address: 0x1800c2c60)
- RegGetValueW (Address: 0x1800c2d20)
- RegLoadKeyW (Address: 0x1800c2ce8)
- RegOpenKeyExW (Address: 0x1800c2d48)
- RegQueryValueExW (Address: 0x1800c2d40)
- RegSetValueExW (Address: 0x1800c2d30)
- RegUnLoadKeyW (Address: 0x1800c2ce0)
- RevertToSelf (Address: 0x1800c2c00)
- SetNamedSecurityInfoW (Address: 0x1800c2c88)
- SetThreadToken (Address: 0x1800c2d58)
- TraceMessage (Address: 0x1800c2bf8)
- WriteEncryptedFileRaw (Address: 0x1800c2c10)
bcrypt.dll
- BCryptCloseAlgorithmProvider (Address: 0x1800c32a8)
- BCryptCreateHash (Address: 0x1800c32a0)
- BCryptDestroyHash (Address: 0x1800c32b0)
- BCryptFinishHash (Address: 0x1800c32b8)
- BCryptGetProperty (Address: 0x1800c32c0)
- BCryptHashData (Address: 0x1800c3290)
- BCryptOpenAlgorithmProvider (Address: 0x1800c3298)
Cabinet.dll
- (Address: 0x1800c2d78)
- (Address: 0x1800c2d80)
- (Address: 0x1800c2d88)
imagehlp.dll
- ImageNtHeader (Address: 0x1800c32d0)
KERNEL32.dll
- AcquireSRWLockExclusive (Address: 0x1800c2e28)
- AcquireSRWLockShared (Address: 0x1800c2e38)
- CloseHandle (Address: 0x1800c2e50)
- CloseThreadpoolTimer (Address: 0x1800c2e78)
- CompareStringW (Address: 0x1800c2fd8)
- CopyFileExW (Address: 0x1800c2fb0)
- CopyFileW (Address: 0x1800c2ed8)
- CreateDirectoryW (Address: 0x1800c2ed0)
- CreateEventW (Address: 0x1800c30b8)
- CreateFileMappingW (Address: 0x1800c3028)
- CreateFileW (Address: 0x1800c2ec8)
- CreateMutexExW (Address: 0x1800c2f40)
- CreateProcessW (Address: 0x1800c3168)
- CreateSemaphoreExW (Address: 0x1800c2f50)
- CreateSemaphoreW (Address: 0x1800c3118)
- CreateThread (Address: 0x1800c3120)
- CreateThreadpoolTimer (Address: 0x1800c2eb0)
- DebugBreak (Address: 0x1800c2df8)
- DeleteCriticalSection (Address: 0x1800c2e98)
- DeleteFileW (Address: 0x1800c2f98)
- DeviceIoControl (Address: 0x1800c2ef8)
- DosDateTimeToFileTime (Address: 0x1800c3148)
- DuplicateHandle (Address: 0x1800c30f8)
- EnterCriticalSection (Address: 0x1800c2e88)
- ExpandEnvironmentStringsW (Address: 0x1800c2db0)
- FindClose (Address: 0x1800c2ff0)
- FindFirstFileW (Address: 0x1800c2fe0)
- FindFirstVolumeW (Address: 0x1800c2f00)
- FindNextFileW (Address: 0x1800c2fe8)
- FindNextVolumeW (Address: 0x1800c2f18)
- FindVolumeClose (Address: 0x1800c2f20)
- FlushFileBuffers (Address: 0x1800c2f80)
- FormatMessageW (Address: 0x1800c2dc8)
- FreeLibrary (Address: 0x1800c3020)
- GetCurrentDirectoryW (Address: 0x1800c2db8)
- GetCurrentProcess (Address: 0x1800c3210)
- GetCurrentProcessId (Address: 0x1800c31e0)
- GetCurrentThread (Address: 0x1800c3080)
- GetCurrentThreadId (Address: 0x1800c31e8)
- GetDiskFreeSpaceExW (Address: 0x1800c2f10)
- GetDriveTypeW (Address: 0x1800c2f08)
- GetEnvironmentVariableW (Address: 0x1800c3058)
- GetExitCodeProcess (Address: 0x1800c3170)
- GetFileAttributesExW (Address: 0x1800c2ee8)
- GetFileAttributesW (Address: 0x1800c2f28)
- GetFileInformationByHandle (Address: 0x1800c3008)
- GetFileInformationByHandleEx (Address: 0x1800c2da8)
- GetFileSize (Address: 0x1800c2f60)
- GetFileSizeEx (Address: 0x1800c2fc8)
- GetFinalPathNameByHandleW (Address: 0x1800c30b0)
- GetFirmwareEnvironmentVariableW (Address: 0x1800c3040)
- GetFullPathNameW (Address: 0x1800c2f30)
- GetHandleInformation (Address: 0x1800c3048)
- GetLastError (Address: 0x1800c2e10)
- GetLongPathNameW (Address: 0x1800c2dc0)
- GetModuleFileNameA (Address: 0x1800c2df0)
- GetModuleFileNameW (Address: 0x1800c30e0)
- GetModuleHandleExW (Address: 0x1800c2de8)
- GetModuleHandleW (Address: 0x1800c2e00)
- GetOverlappedResult (Address: 0x1800c3060)
- GetPrivateProfileSectionW (Address: 0x1800c3100)
- GetPrivateProfileStringW (Address: 0x1800c3000)
- GetProcAddress (Address: 0x1800c2e08)
- GetProcessHeap (Address: 0x1800c2dd8)
- GetSystemDirectoryW (Address: 0x1800c2ee0)
- GetSystemInfo (Address: 0x1800c3070)
- GetSystemTimeAsFileTime (Address: 0x1800c31f0)
- GetSystemWindowsDirectoryW (Address: 0x1800c2fb8)
- GetTempPathW (Address: 0x1800c2fc0)
- GetTickCount (Address: 0x1800c31f8)
- GetTickCount64 (Address: 0x1800c2fd0)
- GetVersionExW (Address: 0x1800c2fa8)
- GetVolumeInformationByHandleW (Address: 0x1800c3128)
- GetVolumeInformationW (Address: 0x1800c30a8)
- GetVolumeNameForVolumeMountPointW (Address: 0x1800c2ef0)
- GetVolumePathNamesForVolumeNameW (Address: 0x1800c2ff8)
- GetVolumePathNameW (Address: 0x1800c2f38)
- GetWindowsDirectoryW (Address: 0x1800c2ec0)
- GlobalMemoryStatusEx (Address: 0x1800c31b0)
- HeapAlloc (Address: 0x1800c2dd0)
- HeapFree (Address: 0x1800c2de0)
- HeapReAlloc (Address: 0x1800c3098)
- InitializeCriticalSection (Address: 0x1800c3090)
- InitializeCriticalSectionAndSpinCount (Address: 0x1800c30c0)
- InitializeCriticalSectionEx (Address: 0x1800c2e90)
- IsDebuggerPresent (Address: 0x1800c2e18)
- LeaveCriticalSection (Address: 0x1800c2f48)
- LoadLibraryExA (Address: 0x1800c2d98)
- LoadLibraryExW (Address: 0x1800c3018)
- LoadLibraryW (Address: 0x1800c3160)
- LocalAlloc (Address: 0x1800c30d8)
- LocalFileTimeToFileTime (Address: 0x1800c3150)
- LocalFree (Address: 0x1800c3068)
- LockFileEx (Address: 0x1800c30c8)
- MapViewOfFile (Address: 0x1800c3030)
- MoveFileExW (Address: 0x1800c2f88)
- MultiByteToWideChar (Address: 0x1800c2f58)
- OpenProcess (Address: 0x1800c30f0)
- OpenSemaphoreW (Address: 0x1800c2ea8)
- OutputDebugStringW (Address: 0x1800c2e20)
- QueryPerformanceCounter (Address: 0x1800c31d8)
- RaiseException (Address: 0x1800c2fa0)
- ReadFile (Address: 0x1800c2f68)
- ReleaseMutex (Address: 0x1800c2e60)
- ReleaseSemaphore (Address: 0x1800c2e58)
- ReleaseSRWLockExclusive (Address: 0x1800c2e30)
- ReleaseSRWLockShared (Address: 0x1800c2e40)
- RemoveDirectoryW (Address: 0x1800c3198)
- ResetEvent (Address: 0x1800c3140)
- SetEndOfFile (Address: 0x1800c2f70)
- SetEvent (Address: 0x1800c3110)
- SetFileAttributesW (Address: 0x1800c31a8)
- SetFileInformationByHandle (Address: 0x1800c30a0)
- SetFilePointer (Address: 0x1800c3088)
- SetFilePointerEx (Address: 0x1800c3050)
- SetFileTime (Address: 0x1800c3158)
- SetFirmwareEnvironmentVariableW (Address: 0x1800c3010)
- SetLastError (Address: 0x1800c2e48)
- SetThreadIdealProcessor (Address: 0x1800c3078)
- SetThreadpoolTimer (Address: 0x1800c2e68)
- SetUnhandledExceptionFilter (Address: 0x1800c3208)
- SetVolumeMountPointW (Address: 0x1800c3178)
- Sleep (Address: 0x1800c31d0)
- SleepConditionVariableSRW (Address: 0x1800c3190)
- TerminateProcess (Address: 0x1800c3218)
- TlsAlloc (Address: 0x1800c31b8)
- TlsFree (Address: 0x1800c31c8)
- TlsGetValue (Address: 0x1800c2eb8)
- TlsSetValue (Address: 0x1800c31c0)
- UnhandledExceptionFilter (Address: 0x1800c3200)
- UnlockFileEx (Address: 0x1800c30d0)
- UnmapViewOfFile (Address: 0x1800c3038)
- VirtualAlloc (Address: 0x1800c2f90)
- VirtualFree (Address: 0x1800c31a0)
- VirtualProtect (Address: 0x1800c2da0)
- VirtualQuery (Address: 0x1800c3180)
- WaitForMultipleObjects (Address: 0x1800c3108)
- WaitForMultipleObjectsEx (Address: 0x1800c3138)
- WaitForSingleObject (Address: 0x1800c2ea0)
- WaitForSingleObjectEx (Address: 0x1800c2e80)
- WaitForThreadpoolTimerCallbacks (Address: 0x1800c2e70)
- WakeAllConditionVariable (Address: 0x1800c3188)
- WideCharToMultiByte (Address: 0x1800c30e8)
- WriteFile (Address: 0x1800c2f78)
- WritePrivateProfileStringW (Address: 0x1800c3130)
msvcrt.dll
- __C_specific_handler (Address: 0x1800c32e0)
- __CxxFrameHandler3 (Address: 0x1800c3388)
- __dllonexit (Address: 0x1800c3308)
- _amsg_exit (Address: 0x1800c32f8)
- _atoi64 (Address: 0x1800c3380)
- _callnewh (Address: 0x1800c3400)
- _CxxThrowException (Address: 0x1800c3350)
- _initterm (Address: 0x1800c32f0)
- _lock (Address: 0x1800c32e8)
- _onexit (Address: 0x1800c3310)
- _purecall (Address: 0x1800c33d0)
- _snwscanf_s (Address: 0x1800c3498)
- _ultow_s (Address: 0x1800c3488)
- _unlock (Address: 0x1800c3300)
- _vscwprintf (Address: 0x1800c33c0)
- _vsnprintf (Address: 0x1800c3378)
- _vsnprintf_s (Address: 0x1800c33a0)
- _vsnwprintf (Address: 0x1800c3390)
- _vsnwprintf_s (Address: 0x1800c3490)
- _wcsicmp (Address: 0x1800c33d8)
- _wcslwr (Address: 0x1800c3438)
- _wcsnicmp (Address: 0x1800c33e8)
- _wcsupr (Address: 0x1800c3458)
- _wtoi64 (Address: 0x1800c3358)
- _XcptFilter (Address: 0x1800c33f8)
- ??0exception@@QEAA@AEBQEBD@Z (Address: 0x1800c3360)
- ??0exception@@QEAA@AEBV0@@Z (Address: 0x1800c33b8)
- ??0exception@@QEAA@XZ (Address: 0x1800c33a8)
- ??1exception@@UEAA@XZ (Address: 0x1800c33b0)
- ??1type_info@@UEAA@XZ (Address: 0x1800c3340)
- ?terminate@@YAXXZ (Address: 0x1800c3348)
- ?what@exception@@UEBAPEBDXZ (Address: 0x1800c3370)
- atol (Address: 0x1800c3410)
- free (Address: 0x1800c33f0)
- iswspace (Address: 0x1800c3468)
- malloc (Address: 0x1800c3408)
- memcmp (Address: 0x1800c3338)
- memcpy (Address: 0x1800c3330)
- memcpy_s (Address: 0x1800c3398)
- memmove (Address: 0x1800c3328)
- memmove_s (Address: 0x1800c33c8)
- memset (Address: 0x1800c3320)
- qsort (Address: 0x1800c3440)
- strcmp (Address: 0x1800c3318)
- strcpy_s (Address: 0x1800c3450)
- strncmp (Address: 0x1800c34a0)
- swprintf_s (Address: 0x1800c3480)
- swscanf_s (Address: 0x1800c3418)
- towupper (Address: 0x1800c3448)
- wcscat_s (Address: 0x1800c3478)
- wcschr (Address: 0x1800c33e0)
- wcscmp (Address: 0x1800c34b0)
- wcscpy_s (Address: 0x1800c3470)
- wcsncmp (Address: 0x1800c3420)
- wcsnlen (Address: 0x1800c3428)
- wcsrchr (Address: 0x1800c3368)
- wcsstr (Address: 0x1800c3430)
- wcstoul (Address: 0x1800c3460)
- wprintf (Address: 0x1800c34a8)
ntdll.dll
- DbgPrintEx (Address: 0x1800c3708)
- LdrGetDllHandle (Address: 0x1800c3600)
- LdrGetProcedureAddress (Address: 0x1800c35f8)
- NtAdjustPrivilegesToken (Address: 0x1800c3650)
- NtClose (Address: 0x1800c34f0)
- NtCreateFile (Address: 0x1800c3748)
- NtDeviceIoControlFile (Address: 0x1800c3688)
- NtEnumerateBootEntries (Address: 0x1800c36c0)
- NtOpenDirectoryObject (Address: 0x1800c36b0)
- NtOpenFile (Address: 0x1800c3778)
- NtOpenKey (Address: 0x1800c3678)
- NtOpenProcessTokenEx (Address: 0x1800c3658)
- NtOpenSymbolicLinkObject (Address: 0x1800c3670)
- NtOpenThreadTokenEx (Address: 0x1800c3668)
- NtQueryBootEntryOrder (Address: 0x1800c3698)
- NtQueryBootOptions (Address: 0x1800c36a0)
- NtQueryDirectoryObject (Address: 0x1800c36b8)
- NtQueryInformationFile (Address: 0x1800c3768)
- NtQueryInformationProcess (Address: 0x1800c3758)
- NtQuerySymbolicLinkObject (Address: 0x1800c3680)
- NtQuerySystemInformation (Address: 0x1800c34f8)
- NtQueryValueKey (Address: 0x1800c3690)
- NtQueryVolumeInformationFile (Address: 0x1800c3760)
- NtSetEaFile (Address: 0x1800c3740)
- NtSetInformationFile (Address: 0x1800c3750)
- NtSetInformationThread (Address: 0x1800c3660)
- NtSetSecurityObject (Address: 0x1800c3788)
- NtTranslateFilePath (Address: 0x1800c36a8)
- NtYieldExecution (Address: 0x1800c36d0)
- RtlAcquireResourceExclusive (Address: 0x1800c3728)
- RtlAcquireResourceShared (Address: 0x1800c3720)
- RtlAddAccessAllowedAceEx (Address: 0x1800c3580)
- RtlAdjustPrivilege (Address: 0x1800c36e0)
- RtlAllocateAndInitializeSid (Address: 0x1800c3588)
- RtlAllocateHeap (Address: 0x1800c3770)
- RtlAppendUnicodeToString (Address: 0x1800c3548)
- RtlCaptureContext (Address: 0x1800c34c0)
- RtlCompareMemory (Address: 0x1800c36c8)
- RtlCreateAcl (Address: 0x1800c35c0)
- RtlCreateSecurityDescriptor (Address: 0x1800c35d8)
- RtlDeleteResource (Address: 0x1800c3710)
- RtlDosPathNameToNtPathName_U (Address: 0x1800c3780)
- RtlFindAceByType (Address: 0x1800c3790)
- RtlFreeHeap (Address: 0x1800c36e8)
- RtlFreeSid (Address: 0x1800c35a0)
- RtlFreeUnicodeString (Address: 0x1800c3508)
- RtlGetLastNtStatus (Address: 0x1800c36f0)
- RtlGUIDFromString (Address: 0x1800c34e0)
- RtlImpersonateSelf (Address: 0x1800c3738)
- RtlInitAnsiString (Address: 0x1800c3610)
- RtlInitializeResource (Address: 0x1800c3730)
- RtlInitUnicodeString (Address: 0x1800c36d8)
- RtlLengthSecurityDescriptor (Address: 0x1800c3558)
- RtlLengthSid (Address: 0x1800c3590)
- RtlLookupFunctionEntry (Address: 0x1800c34c8)
- RtlNtStatusToDosError (Address: 0x1800c34d8)
- RtlRaiseStatus (Address: 0x1800c34e8)
- RtlReAllocateHeap (Address: 0x1800c3700)
- RtlReleaseResource (Address: 0x1800c3718)
- RtlSetControlSecurityDescriptor (Address: 0x1800c36f8)
- RtlSetDaclSecurityDescriptor (Address: 0x1800c3568)
- RtlSetOwnerSecurityDescriptor (Address: 0x1800c3560)
- RtlStringFromGUID (Address: 0x1800c3510)
- RtlVirtualUnwind (Address: 0x1800c34d0)
- ZwAllocateUuids (Address: 0x1800c35f0)
- ZwClose (Address: 0x1800c3540)
- ZwCreateKey (Address: 0x1800c3570)
- ZwDeleteKey (Address: 0x1800c35a8)
- ZwDeleteValueKey (Address: 0x1800c3598)
- ZwDeviceIoControlFile (Address: 0x1800c3630)
- ZwEnumerateKey (Address: 0x1800c35b0)
- ZwLoadKey (Address: 0x1800c3578)
- ZwOpenDirectoryObject (Address: 0x1800c3648)
- ZwOpenFile (Address: 0x1800c3530)
- ZwOpenKey (Address: 0x1800c35e8)
- ZwOpenMutant (Address: 0x1800c3538)
- ZwOpenProcess (Address: 0x1800c3620)
- ZwOpenSymbolicLinkObject (Address: 0x1800c3640)
- ZwQueryAttributesFile (Address: 0x1800c3550)
- ZwQueryDirectoryObject (Address: 0x1800c3638)
- ZwQueryInformationFile (Address: 0x1800c3618)
- ZwQueryInformationProcess (Address: 0x1800c3608)
- ZwQueryKey (Address: 0x1800c3520)
- ZwQuerySymbolicLinkObject (Address: 0x1800c3628)
- ZwQuerySystemInformation (Address: 0x1800c3500)
- ZwQueryValueKey (Address: 0x1800c35b8)
- ZwReleaseMutant (Address: 0x1800c3528)
- ZwSetSecurityObject (Address: 0x1800c35c8)
- ZwSetValueKey (Address: 0x1800c35e0)
- ZwUnloadKey (Address: 0x1800c35d0)
- ZwWaitForSingleObject (Address: 0x1800c3518)
ole32.dll
- CLSIDFromString (Address: 0x1800c37c0)
- CoCreateGuid (Address: 0x1800c37c8)
- CoCreateInstance (Address: 0x1800c37a8)
- CoInitialize (Address: 0x1800c37d0)
- CoInitializeEx (Address: 0x1800c37a0)
- CoTaskMemFree (Address: 0x1800c37d8)
- CoUninitialize (Address: 0x1800c37b0)
- StringFromCLSID (Address: 0x1800c37b8)
OLEAUT32.dll
- SysAllocString (Address: 0x1800c3238)
- SysFreeString (Address: 0x1800c3228)
- VariantClear (Address: 0x1800c3230)
- VariantInit (Address: 0x1800c3240)
RPCRT4.dll
- RpcStringFreeW (Address: 0x1800c3258)
- UuidCompare (Address: 0x1800c3260)
- UuidCreate (Address: 0x1800c3268)
- UuidToStringW (Address: 0x1800c3250)
USER32.dll
- CharUpperW (Address: 0x1800c3280)
- LoadStringW (Address: 0x1800c3278)