ReAgent.dll

Description: Microsoft Windows Recovery Agent DLL

Authors: © Microsoft Corporation. All rights reserved.

Version: 10.0.19041.6456

Architecture: 64-bit

Operating System: Windows NT

SHA256: 34eac81456d279102526876a722176b5

File Size: 1.1 MB

Uploaded At: Dec. 1, 2025, 7:37 a.m.

Security Warning

This file has been flagged as potentially dangerous.

Reason: Detected potentially dangerous functions used for process injection: OpenProcess

Exported Functions

  • WinRE_Specialize (Ordinal: 1, Address: 0x155a0)
  • WinRE_Specialize_Offline (Ordinal: 2, Address: 0x15640)
  • WinReClearOemImagePath (Ordinal: 3, Address: 0x18f70)
  • WinReRestoreConfigAfterPBR (Ordinal: 4, Address: 0x20b30)
  • WinRECheckGuid (Ordinal: 5, Address: 0x1aac0)
  • WinREUseNewPBRImage (Ordinal: 6, Address: 0x1abd0)
  • WinRE_Generalize (Ordinal: 7, Address: 0x1af50)
  • WinReAddTrustedBootApp (Ordinal: 8, Address: 0x1afa0)
  • WinReClearBootApp (Ordinal: 9, Address: 0x1b060)
  • WinReClearError (Ordinal: 10, Address: 0xe550)
  • WinReConfigureTask (Ordinal: 11, Address: 0x1b100)
  • WinReCopyDiagnosticFiles (Ordinal: 12, Address: 0x1b600)
  • WinReCopyLogFilesToRamdisk (Ordinal: 13, Address: 0x22340)
  • WinReCreateLogInstance (Ordinal: 14, Address: 0x223e0)
  • WinReCreateLogInstanceEx (Ordinal: 15, Address: 0x22420)
  • WinReDeleteLogFiles (Ordinal: 16, Address: 0x22570)
  • WinReGetConfig (Ordinal: 17, Address: 0xe560)
  • WinReGetCustomization (Ordinal: 18, Address: 0x1b6b0)
  • WinReGetError (Ordinal: 19, Address: 0xec70)
  • WinReGetLogDirPath (Ordinal: 20, Address: 0x22680)
  • WinReGetTrustedBootApps (Ordinal: 21, Address: 0x1bab0)
  • WinReGetWIMInfo (Ordinal: 22, Address: 0x1bb60)
  • WinReHashBootApp (Ordinal: 23, Address: 0x1bda0)
  • WinReHashWimFile (Ordinal: 24, Address: 0x1be50)
  • WinReInitiateOfflineScanning (Ordinal: 25, Address: 0x1bee0)
  • WinReInstall (Ordinal: 26, Address: 0x161e0)
  • WinReInstallOnTargetOS (Ordinal: 27, Address: 0x16290)
  • WinReIsInstalledOnSystemPartition (Ordinal: 28, Address: 0x1c2d0)
  • WinReIsWimBootEnabled (Ordinal: 29, Address: 0x1c830)
  • WinReIsWinPE (Ordinal: 30, Address: 0xec80)
  • WinReOobeInstall (Ordinal: 31, Address: 0x1c8d0)
  • WinReOpenLogInstance (Ordinal: 32, Address: 0x229b0)
  • WinRePostBCDRepair (Ordinal: 33, Address: 0x1cad0)
  • WinReQueueRecoveryBoot (Ordinal: 34, Address: 0x1cea0)
  • WinReReinstall (Ordinal: 35, Address: 0x163b0)
  • WinReRemoveTrustedBootApp (Ordinal: 36, Address: 0x1d020)
  • WinReRepair (Ordinal: 37, Address: 0x1d0d0)
  • WinReRestoreLogFiles (Ordinal: 38, Address: 0x22c50)
  • WinReSetBootApp (Ordinal: 39, Address: 0x1d610)
  • WinReSetConfig (Ordinal: 40, Address: 0x1d6c0)
  • WinReSetCustomization (Ordinal: 41, Address: 0x1ddb0)
  • WinReSetError (Ordinal: 42, Address: 0xec90)
  • WinReSetNarratorScheduled (Ordinal: 43, Address: 0x1e150)
  • WinReSetRecoveryAction (Ordinal: 44, Address: 0x1e350)
  • WinReSetTriggerFile (Ordinal: 45, Address: 0x22cf0)
  • WinReSetupBackupWinRE (Ordinal: 46, Address: 0x24770)
  • WinReSetupCheckWinRE (Ordinal: 47, Address: 0x256d0)
  • WinReSetupInstall (Ordinal: 48, Address: 0x164e0)
  • WinReSetupMigrateData (Ordinal: 49, Address: 0x25860)
  • WinReSetupRemoveWinRE (Ordinal: 50, Address: 0x25d20)
  • WinReSetupRestoreWinREEx (Ordinal: 51, Address: 0x25f00)
  • WinReSetupSetImage (Ordinal: 52, Address: 0x26030)
  • WinReUnInstall (Ordinal: 53, Address: 0x1e740)
  • WinReUpdateLogInstance (Ordinal: 54, Address: 0x22fa0)
  • WinReValidateRecoveryWim (Ordinal: 55, Address: 0x1e7f0)
  • WinReValidateWimFile (Ordinal: 56, Address: 0x1ed30)
  • winreFindInstallMedia (Ordinal: 57, Address: 0x26df0)
  • winreGetBinaryArch (Ordinal: 58, Address: 0x28050)

Imported DLLs & Functions

ADVAPI32.dll
  • AddAccessAllowedAceEx (Address: 0x1800c2c90)
  • AdjustTokenPrivileges (Address: 0x1800c2cb0)
  • AllocateAndInitializeSid (Address: 0x1800c2ca8)
  • CloseEncryptedFileRaw (Address: 0x1800c2c08)
  • ConvertStringSecurityDescriptorToSecurityDescriptorW (Address: 0x1800c2c80)
  • CryptAcquireContextW (Address: 0x1800c2d10)
  • CryptCreateHash (Address: 0x1800c2d08)
  • CryptDestroyHash (Address: 0x1800c2cf0)
  • CryptGetHashParam (Address: 0x1800c2cf8)
  • CryptHashData (Address: 0x1800c2d00)
  • CryptReleaseContext (Address: 0x1800c2d18)
  • DuplicateTokenEx (Address: 0x1800c2d50)
  • EventRegister (Address: 0x1800c2c78)
  • EventUnregister (Address: 0x1800c2c70)
  • EventWrite (Address: 0x1800c2d60)
  • EventWriteTransfer (Address: 0x1800c2c68)
  • FreeSid (Address: 0x1800c2be8)
  • GetAclInformation (Address: 0x1800c2c28)
  • GetLengthSid (Address: 0x1800c2ca0)
  • GetSecurityDescriptorControl (Address: 0x1800c2c38)
  • GetSecurityDescriptorDacl (Address: 0x1800c2c48)
  • GetSecurityDescriptorGroup (Address: 0x1800c2c50)
  • GetSecurityDescriptorLength (Address: 0x1800c2c30)
  • GetSecurityDescriptorOwner (Address: 0x1800c2c58)
  • GetSecurityDescriptorSacl (Address: 0x1800c2c40)
  • InitializeAcl (Address: 0x1800c2c98)
  • InitiateSystemShutdownExW (Address: 0x1800c2cd0)
  • LookupPrivilegeValueW (Address: 0x1800c2cb8)
  • OpenEncryptedFileRawW (Address: 0x1800c2c18)
  • OpenProcessToken (Address: 0x1800c2cc0)
  • OpenThreadToken (Address: 0x1800c2c20)
  • RegCloseKey (Address: 0x1800c2d38)
  • RegCreateKeyExW (Address: 0x1800c2cd8)
  • RegDeleteKeyExW (Address: 0x1800c2d68)
  • RegDeleteKeyW (Address: 0x1800c2cc8)
  • RegDeleteTreeW (Address: 0x1800c2bf0)
  • RegDeleteValueW (Address: 0x1800c2d28)
  • RegEnumValueW (Address: 0x1800c2c60)
  • RegGetValueW (Address: 0x1800c2d20)
  • RegLoadKeyW (Address: 0x1800c2ce8)
  • RegOpenKeyExW (Address: 0x1800c2d48)
  • RegQueryValueExW (Address: 0x1800c2d40)
  • RegSetValueExW (Address: 0x1800c2d30)
  • RegUnLoadKeyW (Address: 0x1800c2ce0)
  • RevertToSelf (Address: 0x1800c2c00)
  • SetNamedSecurityInfoW (Address: 0x1800c2c88)
  • SetThreadToken (Address: 0x1800c2d58)
  • TraceMessage (Address: 0x1800c2bf8)
  • WriteEncryptedFileRaw (Address: 0x1800c2c10)
bcrypt.dll
  • BCryptCloseAlgorithmProvider (Address: 0x1800c32a8)
  • BCryptCreateHash (Address: 0x1800c32a0)
  • BCryptDestroyHash (Address: 0x1800c32b0)
  • BCryptFinishHash (Address: 0x1800c32b8)
  • BCryptGetProperty (Address: 0x1800c32c0)
  • BCryptHashData (Address: 0x1800c3290)
  • BCryptOpenAlgorithmProvider (Address: 0x1800c3298)
Cabinet.dll
  • (Address: 0x1800c2d78)
  • (Address: 0x1800c2d80)
  • (Address: 0x1800c2d88)
imagehlp.dll
  • ImageNtHeader (Address: 0x1800c32d0)
KERNEL32.dll
  • AcquireSRWLockExclusive (Address: 0x1800c2e28)
  • AcquireSRWLockShared (Address: 0x1800c2e38)
  • CloseHandle (Address: 0x1800c2e50)
  • CloseThreadpoolTimer (Address: 0x1800c2e78)
  • CompareStringW (Address: 0x1800c2fd8)
  • CopyFileExW (Address: 0x1800c2fb0)
  • CopyFileW (Address: 0x1800c2ed8)
  • CreateDirectoryW (Address: 0x1800c2ed0)
  • CreateEventW (Address: 0x1800c30b8)
  • CreateFileMappingW (Address: 0x1800c3028)
  • CreateFileW (Address: 0x1800c2ec8)
  • CreateMutexExW (Address: 0x1800c2f40)
  • CreateProcessW (Address: 0x1800c3168)
  • CreateSemaphoreExW (Address: 0x1800c2f50)
  • CreateSemaphoreW (Address: 0x1800c3118)
  • CreateThread (Address: 0x1800c3120)
  • CreateThreadpoolTimer (Address: 0x1800c2eb0)
  • DebugBreak (Address: 0x1800c2df8)
  • DeleteCriticalSection (Address: 0x1800c2e98)
  • DeleteFileW (Address: 0x1800c2f98)
  • DeviceIoControl (Address: 0x1800c2ef8)
  • DosDateTimeToFileTime (Address: 0x1800c3148)
  • DuplicateHandle (Address: 0x1800c30f8)
  • EnterCriticalSection (Address: 0x1800c2e88)
  • ExpandEnvironmentStringsW (Address: 0x1800c2db0)
  • FindClose (Address: 0x1800c2ff0)
  • FindFirstFileW (Address: 0x1800c2fe0)
  • FindFirstVolumeW (Address: 0x1800c2f00)
  • FindNextFileW (Address: 0x1800c2fe8)
  • FindNextVolumeW (Address: 0x1800c2f18)
  • FindVolumeClose (Address: 0x1800c2f20)
  • FlushFileBuffers (Address: 0x1800c2f80)
  • FormatMessageW (Address: 0x1800c2dc8)
  • FreeLibrary (Address: 0x1800c3020)
  • GetCurrentDirectoryW (Address: 0x1800c2db8)
  • GetCurrentProcess (Address: 0x1800c3210)
  • GetCurrentProcessId (Address: 0x1800c31e0)
  • GetCurrentThread (Address: 0x1800c3080)
  • GetCurrentThreadId (Address: 0x1800c31e8)
  • GetDiskFreeSpaceExW (Address: 0x1800c2f10)
  • GetDriveTypeW (Address: 0x1800c2f08)
  • GetEnvironmentVariableW (Address: 0x1800c3058)
  • GetExitCodeProcess (Address: 0x1800c3170)
  • GetFileAttributesExW (Address: 0x1800c2ee8)
  • GetFileAttributesW (Address: 0x1800c2f28)
  • GetFileInformationByHandle (Address: 0x1800c3008)
  • GetFileInformationByHandleEx (Address: 0x1800c2da8)
  • GetFileSize (Address: 0x1800c2f60)
  • GetFileSizeEx (Address: 0x1800c2fc8)
  • GetFinalPathNameByHandleW (Address: 0x1800c30b0)
  • GetFirmwareEnvironmentVariableW (Address: 0x1800c3040)
  • GetFullPathNameW (Address: 0x1800c2f30)
  • GetHandleInformation (Address: 0x1800c3048)
  • GetLastError (Address: 0x1800c2e10)
  • GetLongPathNameW (Address: 0x1800c2dc0)
  • GetModuleFileNameA (Address: 0x1800c2df0)
  • GetModuleFileNameW (Address: 0x1800c30e0)
  • GetModuleHandleExW (Address: 0x1800c2de8)
  • GetModuleHandleW (Address: 0x1800c2e00)
  • GetOverlappedResult (Address: 0x1800c3060)
  • GetPrivateProfileSectionW (Address: 0x1800c3100)
  • GetPrivateProfileStringW (Address: 0x1800c3000)
  • GetProcAddress (Address: 0x1800c2e08)
  • GetProcessHeap (Address: 0x1800c2dd8)
  • GetSystemDirectoryW (Address: 0x1800c2ee0)
  • GetSystemInfo (Address: 0x1800c3070)
  • GetSystemTimeAsFileTime (Address: 0x1800c31f0)
  • GetSystemWindowsDirectoryW (Address: 0x1800c2fb8)
  • GetTempPathW (Address: 0x1800c2fc0)
  • GetTickCount (Address: 0x1800c31f8)
  • GetTickCount64 (Address: 0x1800c2fd0)
  • GetVersionExW (Address: 0x1800c2fa8)
  • GetVolumeInformationByHandleW (Address: 0x1800c3128)
  • GetVolumeInformationW (Address: 0x1800c30a8)
  • GetVolumeNameForVolumeMountPointW (Address: 0x1800c2ef0)
  • GetVolumePathNamesForVolumeNameW (Address: 0x1800c2ff8)
  • GetVolumePathNameW (Address: 0x1800c2f38)
  • GetWindowsDirectoryW (Address: 0x1800c2ec0)
  • GlobalMemoryStatusEx (Address: 0x1800c31b0)
  • HeapAlloc (Address: 0x1800c2dd0)
  • HeapFree (Address: 0x1800c2de0)
  • HeapReAlloc (Address: 0x1800c3098)
  • InitializeCriticalSection (Address: 0x1800c3090)
  • InitializeCriticalSectionAndSpinCount (Address: 0x1800c30c0)
  • InitializeCriticalSectionEx (Address: 0x1800c2e90)
  • IsDebuggerPresent (Address: 0x1800c2e18)
  • LeaveCriticalSection (Address: 0x1800c2f48)
  • LoadLibraryExA (Address: 0x1800c2d98)
  • LoadLibraryExW (Address: 0x1800c3018)
  • LoadLibraryW (Address: 0x1800c3160)
  • LocalAlloc (Address: 0x1800c30d8)
  • LocalFileTimeToFileTime (Address: 0x1800c3150)
  • LocalFree (Address: 0x1800c3068)
  • LockFileEx (Address: 0x1800c30c8)
  • MapViewOfFile (Address: 0x1800c3030)
  • MoveFileExW (Address: 0x1800c2f88)
  • MultiByteToWideChar (Address: 0x1800c2f58)
  • OpenProcess (Address: 0x1800c30f0)
  • OpenSemaphoreW (Address: 0x1800c2ea8)
  • OutputDebugStringW (Address: 0x1800c2e20)
  • QueryPerformanceCounter (Address: 0x1800c31d8)
  • RaiseException (Address: 0x1800c2fa0)
  • ReadFile (Address: 0x1800c2f68)
  • ReleaseMutex (Address: 0x1800c2e60)
  • ReleaseSemaphore (Address: 0x1800c2e58)
  • ReleaseSRWLockExclusive (Address: 0x1800c2e30)
  • ReleaseSRWLockShared (Address: 0x1800c2e40)
  • RemoveDirectoryW (Address: 0x1800c3198)
  • ResetEvent (Address: 0x1800c3140)
  • SetEndOfFile (Address: 0x1800c2f70)
  • SetEvent (Address: 0x1800c3110)
  • SetFileAttributesW (Address: 0x1800c31a8)
  • SetFileInformationByHandle (Address: 0x1800c30a0)
  • SetFilePointer (Address: 0x1800c3088)
  • SetFilePointerEx (Address: 0x1800c3050)
  • SetFileTime (Address: 0x1800c3158)
  • SetFirmwareEnvironmentVariableW (Address: 0x1800c3010)
  • SetLastError (Address: 0x1800c2e48)
  • SetThreadIdealProcessor (Address: 0x1800c3078)
  • SetThreadpoolTimer (Address: 0x1800c2e68)
  • SetUnhandledExceptionFilter (Address: 0x1800c3208)
  • SetVolumeMountPointW (Address: 0x1800c3178)
  • Sleep (Address: 0x1800c31d0)
  • SleepConditionVariableSRW (Address: 0x1800c3190)
  • TerminateProcess (Address: 0x1800c3218)
  • TlsAlloc (Address: 0x1800c31b8)
  • TlsFree (Address: 0x1800c31c8)
  • TlsGetValue (Address: 0x1800c2eb8)
  • TlsSetValue (Address: 0x1800c31c0)
  • UnhandledExceptionFilter (Address: 0x1800c3200)
  • UnlockFileEx (Address: 0x1800c30d0)
  • UnmapViewOfFile (Address: 0x1800c3038)
  • VirtualAlloc (Address: 0x1800c2f90)
  • VirtualFree (Address: 0x1800c31a0)
  • VirtualProtect (Address: 0x1800c2da0)
  • VirtualQuery (Address: 0x1800c3180)
  • WaitForMultipleObjects (Address: 0x1800c3108)
  • WaitForMultipleObjectsEx (Address: 0x1800c3138)
  • WaitForSingleObject (Address: 0x1800c2ea0)
  • WaitForSingleObjectEx (Address: 0x1800c2e80)
  • WaitForThreadpoolTimerCallbacks (Address: 0x1800c2e70)
  • WakeAllConditionVariable (Address: 0x1800c3188)
  • WideCharToMultiByte (Address: 0x1800c30e8)
  • WriteFile (Address: 0x1800c2f78)
  • WritePrivateProfileStringW (Address: 0x1800c3130)
msvcrt.dll
  • __C_specific_handler (Address: 0x1800c32e0)
  • __CxxFrameHandler3 (Address: 0x1800c3388)
  • __dllonexit (Address: 0x1800c3308)
  • _amsg_exit (Address: 0x1800c32f8)
  • _atoi64 (Address: 0x1800c3380)
  • _callnewh (Address: 0x1800c3400)
  • _CxxThrowException (Address: 0x1800c3350)
  • _initterm (Address: 0x1800c32f0)
  • _lock (Address: 0x1800c32e8)
  • _onexit (Address: 0x1800c3310)
  • _purecall (Address: 0x1800c33d0)
  • _snwscanf_s (Address: 0x1800c3498)
  • _ultow_s (Address: 0x1800c3488)
  • _unlock (Address: 0x1800c3300)
  • _vscwprintf (Address: 0x1800c33c0)
  • _vsnprintf (Address: 0x1800c3378)
  • _vsnprintf_s (Address: 0x1800c33a0)
  • _vsnwprintf (Address: 0x1800c3390)
  • _vsnwprintf_s (Address: 0x1800c3490)
  • _wcsicmp (Address: 0x1800c33d8)
  • _wcslwr (Address: 0x1800c3438)
  • _wcsnicmp (Address: 0x1800c33e8)
  • _wcsupr (Address: 0x1800c3458)
  • _wtoi64 (Address: 0x1800c3358)
  • _XcptFilter (Address: 0x1800c33f8)
  • ??0exception@@QEAA@AEBQEBD@Z (Address: 0x1800c3360)
  • ??0exception@@QEAA@AEBV0@@Z (Address: 0x1800c33b8)
  • ??0exception@@QEAA@XZ (Address: 0x1800c33a8)
  • ??1exception@@UEAA@XZ (Address: 0x1800c33b0)
  • ??1type_info@@UEAA@XZ (Address: 0x1800c3340)
  • ?terminate@@YAXXZ (Address: 0x1800c3348)
  • ?what@exception@@UEBAPEBDXZ (Address: 0x1800c3370)
  • atol (Address: 0x1800c3410)
  • free (Address: 0x1800c33f0)
  • iswspace (Address: 0x1800c3468)
  • malloc (Address: 0x1800c3408)
  • memcmp (Address: 0x1800c3338)
  • memcpy (Address: 0x1800c3330)
  • memcpy_s (Address: 0x1800c3398)
  • memmove (Address: 0x1800c3328)
  • memmove_s (Address: 0x1800c33c8)
  • memset (Address: 0x1800c3320)
  • qsort (Address: 0x1800c3440)
  • strcmp (Address: 0x1800c3318)
  • strcpy_s (Address: 0x1800c3450)
  • strncmp (Address: 0x1800c34a0)
  • swprintf_s (Address: 0x1800c3480)
  • swscanf_s (Address: 0x1800c3418)
  • towupper (Address: 0x1800c3448)
  • wcscat_s (Address: 0x1800c3478)
  • wcschr (Address: 0x1800c33e0)
  • wcscmp (Address: 0x1800c34b0)
  • wcscpy_s (Address: 0x1800c3470)
  • wcsncmp (Address: 0x1800c3420)
  • wcsnlen (Address: 0x1800c3428)
  • wcsrchr (Address: 0x1800c3368)
  • wcsstr (Address: 0x1800c3430)
  • wcstoul (Address: 0x1800c3460)
  • wprintf (Address: 0x1800c34a8)
ntdll.dll
  • DbgPrintEx (Address: 0x1800c3708)
  • LdrGetDllHandle (Address: 0x1800c3600)
  • LdrGetProcedureAddress (Address: 0x1800c35f8)
  • NtAdjustPrivilegesToken (Address: 0x1800c3650)
  • NtClose (Address: 0x1800c34f0)
  • NtCreateFile (Address: 0x1800c3748)
  • NtDeviceIoControlFile (Address: 0x1800c3688)
  • NtEnumerateBootEntries (Address: 0x1800c36c0)
  • NtOpenDirectoryObject (Address: 0x1800c36b0)
  • NtOpenFile (Address: 0x1800c3778)
  • NtOpenKey (Address: 0x1800c3678)
  • NtOpenProcessTokenEx (Address: 0x1800c3658)
  • NtOpenSymbolicLinkObject (Address: 0x1800c3670)
  • NtOpenThreadTokenEx (Address: 0x1800c3668)
  • NtQueryBootEntryOrder (Address: 0x1800c3698)
  • NtQueryBootOptions (Address: 0x1800c36a0)
  • NtQueryDirectoryObject (Address: 0x1800c36b8)
  • NtQueryInformationFile (Address: 0x1800c3768)
  • NtQueryInformationProcess (Address: 0x1800c3758)
  • NtQuerySymbolicLinkObject (Address: 0x1800c3680)
  • NtQuerySystemInformation (Address: 0x1800c34f8)
  • NtQueryValueKey (Address: 0x1800c3690)
  • NtQueryVolumeInformationFile (Address: 0x1800c3760)
  • NtSetEaFile (Address: 0x1800c3740)
  • NtSetInformationFile (Address: 0x1800c3750)
  • NtSetInformationThread (Address: 0x1800c3660)
  • NtSetSecurityObject (Address: 0x1800c3788)
  • NtTranslateFilePath (Address: 0x1800c36a8)
  • NtYieldExecution (Address: 0x1800c36d0)
  • RtlAcquireResourceExclusive (Address: 0x1800c3728)
  • RtlAcquireResourceShared (Address: 0x1800c3720)
  • RtlAddAccessAllowedAceEx (Address: 0x1800c3580)
  • RtlAdjustPrivilege (Address: 0x1800c36e0)
  • RtlAllocateAndInitializeSid (Address: 0x1800c3588)
  • RtlAllocateHeap (Address: 0x1800c3770)
  • RtlAppendUnicodeToString (Address: 0x1800c3548)
  • RtlCaptureContext (Address: 0x1800c34c0)
  • RtlCompareMemory (Address: 0x1800c36c8)
  • RtlCreateAcl (Address: 0x1800c35c0)
  • RtlCreateSecurityDescriptor (Address: 0x1800c35d8)
  • RtlDeleteResource (Address: 0x1800c3710)
  • RtlDosPathNameToNtPathName_U (Address: 0x1800c3780)
  • RtlFindAceByType (Address: 0x1800c3790)
  • RtlFreeHeap (Address: 0x1800c36e8)
  • RtlFreeSid (Address: 0x1800c35a0)
  • RtlFreeUnicodeString (Address: 0x1800c3508)
  • RtlGetLastNtStatus (Address: 0x1800c36f0)
  • RtlGUIDFromString (Address: 0x1800c34e0)
  • RtlImpersonateSelf (Address: 0x1800c3738)
  • RtlInitAnsiString (Address: 0x1800c3610)
  • RtlInitializeResource (Address: 0x1800c3730)
  • RtlInitUnicodeString (Address: 0x1800c36d8)
  • RtlLengthSecurityDescriptor (Address: 0x1800c3558)
  • RtlLengthSid (Address: 0x1800c3590)
  • RtlLookupFunctionEntry (Address: 0x1800c34c8)
  • RtlNtStatusToDosError (Address: 0x1800c34d8)
  • RtlRaiseStatus (Address: 0x1800c34e8)
  • RtlReAllocateHeap (Address: 0x1800c3700)
  • RtlReleaseResource (Address: 0x1800c3718)
  • RtlSetControlSecurityDescriptor (Address: 0x1800c36f8)
  • RtlSetDaclSecurityDescriptor (Address: 0x1800c3568)
  • RtlSetOwnerSecurityDescriptor (Address: 0x1800c3560)
  • RtlStringFromGUID (Address: 0x1800c3510)
  • RtlVirtualUnwind (Address: 0x1800c34d0)
  • ZwAllocateUuids (Address: 0x1800c35f0)
  • ZwClose (Address: 0x1800c3540)
  • ZwCreateKey (Address: 0x1800c3570)
  • ZwDeleteKey (Address: 0x1800c35a8)
  • ZwDeleteValueKey (Address: 0x1800c3598)
  • ZwDeviceIoControlFile (Address: 0x1800c3630)
  • ZwEnumerateKey (Address: 0x1800c35b0)
  • ZwLoadKey (Address: 0x1800c3578)
  • ZwOpenDirectoryObject (Address: 0x1800c3648)
  • ZwOpenFile (Address: 0x1800c3530)
  • ZwOpenKey (Address: 0x1800c35e8)
  • ZwOpenMutant (Address: 0x1800c3538)
  • ZwOpenProcess (Address: 0x1800c3620)
  • ZwOpenSymbolicLinkObject (Address: 0x1800c3640)
  • ZwQueryAttributesFile (Address: 0x1800c3550)
  • ZwQueryDirectoryObject (Address: 0x1800c3638)
  • ZwQueryInformationFile (Address: 0x1800c3618)
  • ZwQueryInformationProcess (Address: 0x1800c3608)
  • ZwQueryKey (Address: 0x1800c3520)
  • ZwQuerySymbolicLinkObject (Address: 0x1800c3628)
  • ZwQuerySystemInformation (Address: 0x1800c3500)
  • ZwQueryValueKey (Address: 0x1800c35b8)
  • ZwReleaseMutant (Address: 0x1800c3528)
  • ZwSetSecurityObject (Address: 0x1800c35c8)
  • ZwSetValueKey (Address: 0x1800c35e0)
  • ZwUnloadKey (Address: 0x1800c35d0)
  • ZwWaitForSingleObject (Address: 0x1800c3518)
ole32.dll
  • CLSIDFromString (Address: 0x1800c37c0)
  • CoCreateGuid (Address: 0x1800c37c8)
  • CoCreateInstance (Address: 0x1800c37a8)
  • CoInitialize (Address: 0x1800c37d0)
  • CoInitializeEx (Address: 0x1800c37a0)
  • CoTaskMemFree (Address: 0x1800c37d8)
  • CoUninitialize (Address: 0x1800c37b0)
  • StringFromCLSID (Address: 0x1800c37b8)
OLEAUT32.dll
  • SysAllocString (Address: 0x1800c3238)
  • SysFreeString (Address: 0x1800c3228)
  • VariantClear (Address: 0x1800c3230)
  • VariantInit (Address: 0x1800c3240)
RPCRT4.dll
  • RpcStringFreeW (Address: 0x1800c3258)
  • UuidCompare (Address: 0x1800c3260)
  • UuidCreate (Address: 0x1800c3268)
  • UuidToStringW (Address: 0x1800c3250)
USER32.dll
  • CharUpperW (Address: 0x1800c3280)
  • LoadStringW (Address: 0x1800c3278)