File metadata / forensic tool. fmd = File Metadata
Currently supports parsing Windows LNK files, PE, Mach-O, and Elf binaries.
https://practicalsecurityanalytics.com/threat-hunting-with-function-imports/ https://resources.infosecinstitute.com/topic/malware-researchers-handbook/ http://www.hacktohell.org/2012/04/analysing-pe-files.html https://tstillz.medium.com/basic-static-analysis-part-1-9c24497790b6 https://upload.wikimedia.org/wikipedia/commons/1/1b/Portable_Executable_32_bit_Structure_in_SVG_fixed.svg https://0xrick.github.io/win-internals/pe5/
See: https://github.com/frank2 https://github.com/lilopkins/lnk-rs https://docs.rs/fuzzyhash/latest/fuzzyhash/ https://dfir.science/2017/07/How-To-Fuzzy-Hashing-with-SSDEEP-(similarity-matching).html
https://windowsir.blogspot.com/2025/09/ransomware-artifacts.html
To compile; install Rust and the MSVC 32 and/or 64 bit environment:
x32: cargo build --release --target i686-pc-windows-msvc
x64: cargo build --release --target x86_64-pc-windows-msvc
Linux x64: sudo apt update && sudo apt install mingw-w64
rustup target add x86_64-pc-windows-gnu
cargo build --release --target x86_64-pc-windows-gnu
Authors: Brian Kellogg
Jason Langston
License: MIT
Purpose: Pull various file metadata.
Usage:
fmd [--pretty | -p] ([--strings|-s] #) <file path> ([--depth | -d] #) ([--jobs | -j] #)
fmd --pretty --depth 3 --extensions 'exe,dll,pif,ps1,bat,com'
fmd --pretty --depth 3 --extensions 'not:exe,dll,pif,ps1,bat,com'
fmd --pretty --jobs 4 --depth 3 <directory>
This will process all files in the directory tree up to 3 levels deep
using 4 threads in parallel.
Options:
-d, --depth # If passed a directory, recurse into all subdirectories
to the specified subdirectory depth
-e, --extensions * Quoted list of comma seperated extensions
- Any extensions not in the list will be ignored
-h, --help Show this help message
-i, --int_mtypes Only analyze files that are more interesting mime types
-j, --jobs # Number of threads to use for parallel file analysis
- When > 1, files are analyzed concurrently
- Defaults to the number of (CPU cores - 1)
-m, --maxsize # Max file size in bytes to perform content analysis on
- Any file larger than this will not have the following run:
hashing, entropy, mime type, strings, PE analysis
-p, --pretty Pretty print JSON
-s, --strings # Look for strings of length # or longer
If just passed a directory, only the contents of that directory will be processed.
- i.e. no subdirectories will be processed.
fmd.exe <directory> --depth 1
- This will work exactly as if the '--depth' 1 option was not specified.
Mimetypes are determined by examining a file's contents.
- Interesting mime types:
application/vnd.android.package-archive
application/vnd.microsoft.portable-executable
application/vnd.openxmlformats-officedocument.presentationml.presentation
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
application/vnd.openxmlformats-officedocument.wordprocessingml.document
application/x-binary
application/x-csh
application/x-debian-package
application/x-dosexec
application/x-dynamic-link-library
application/x-executable
application/x-gtar
application/x-java-archive
application/x-jar
application/x-macbinary
application/x-mac-package
application/x-mach-o
application/x-mach-binary
application/x-ms-application
application/x-ms-dos-executable
application/x-ms-download
application/x-ms-wizard
application/x-pkcs12
application/x-pkcs7-cert
application/x-rpm
application/x-shellscript
application/x-tar
application/x-elf
application/x-sharedlib
application/x-mac-package
application/x-nuscript
application/x-nushell
application/wasm
application/hta
application/mac-binary
application/macbinary
application/octet-stream
text/javascript
text/x-shellscript
text/x-nushell
NOTE:
If passed a directory, all files in that directory will be analyzed.
Harvesting $FILE_NAME timestamps can only be done by running this tool elevated.
The 'run_as_admin' field shows if the tool was run elevated.
Harvesting Alternate Data Stream (ADS) information can only be done by running
this tool elevated. ADS information is acquired by directly accessing the NTFS which
requires elevation.
'runtime_env' stores information on the device that this tool was run on.
PE Sections:
- 'total_sections' reports how many PE sections are found after the PE headers.
- 'total_raw_bytes' cumulative size in bytes of all raw, on disk, sections.
- 'total_virt_bytes' cumulative size in bytes of all virtual, in memory, sections.
- if 'total_virt_bytes' is much larger than 'total_raw_bytes', this can indicate
a packed binary.
Certain forensic information can only be harvested when the file is analyzed on
the filesystem of origin.
- e.g. timestamps and alternate data streams are lost when the file is moved
off of the filesystem of origin.
{
"runtime_env": {
"timestamp": "2025-09-07T13:27:08.779338800+00:00",
"device_type": "Windows 10.0.26100 (Workstation)",
"run_as_admin": true
},
"path": "C:\\Users\\thefl\\Downloads\\RunAsService.exe",
"directory": "C:\\Users\\thefl\\Downloads",
"filename": "RunAsService.exe",
"extension": "exe",
"bytes": 23552,
"mime_type": "application/vnd.microsoft.portable-executable",
"is_hidden": false,
"is_link": false,
"link": {
"rel_path": "",
"abs_path": "",
"arguments": "",
"working_dir": "",
"icon_location": "",
"hotkey": "",
"comment": "",
"show_command": "",
"flags": ""
},
"timestamps": {
"access_fn": "2025-09-07T13:21:58.059",
"access_si": "2025-09-07T13:27:08.305",
"create_fn": "2025-09-07T13:21:57.540",
"create_si": "2025-09-07T13:21:57.540",
"modify_fn": "2025-09-07T13:21:58.059",
"modify_si": "2025-09-07T13:27:02.470",
"mft_record": "2025-09-07T13:21:58.059"
},
"entropy": 4.623817,
"hashes": {
"md5": "4b92bd03d0c1e1f793ed1b499534211b",
"sha1": "2574c324fe47119fcd91708451257db00ce4684b",
"sha256": "09fafb5296afed2324c773acf178552045933995e60c2b81cd66400ccf46a00e",
"ssdeep": "384:rcuNDlF9VtDZsb10+zMKMU4MjnNJcCWT80T2:rcuZlWb1irMJcUX"
},
"ads": [
{
"name": "",
"bytes": 23552,
"first_256_bytes": "MZ�.\u0003...\u0004...��..�.......@...................................�...\u000e\u001f�\u000e.�\t�!�\u0001L�!This program cannot be run in DOS mode.\r\r\n$.......PE..L\u0001\u0003.B��Y........�.\u0002\u0001\u000b\u00010..P...\n......�o... ...�....@.. ...\u0002..\u0004.......\u0004........�...\u0002......\u0003.@�..\u0010..\u0010....\u0010..\u0010......\u0010.........."
},
{
"name": "evil",
"bytes": 25,
"first_256_bytes": "\"This is very evil!!!\" \r\n"
},
{
"name": "SmartScreen",
"bytes": 7,
"first_256_bytes": "Anaheim"
},
{
"name": "Zone.Identifier",
"bytes": 132,
"first_256_bytes": "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=http://runasservice.com/Download/\r\nHostUrl=http://runasservice.com/Download/RunAsService.exe\r\n"
}
],
"binary": {
"binary_info": {
"format": "Pe",
"arch": "X86",
"is_64": false,
"is_dotnet": true,
"is_lib": false,
"entry_point": "0x6fbe",
"elf_info": {
"os_abi": "",
"abi_version": 0,
"file_type": "",
"object_version": 0
},
"macho_info": {
"file_type": "",
"flags": "",
"cpu_subtype": "",
"ncmds": 0,
"sizeofcmds": 0
},
"pe_info": {
"timestamps": {
"compile": "2017-10-05T22:25:06",
"debug": ""
},
"product_version": "1.0.0.0",
"original_filename": "RunAsService.exe",
"file_description": "ServiceInstaller",
"file_version": "1.0.0.0",
"product_name": "ServiceInstaller",
"company_name": "Microsoft",
"internal_name": "RunAsService.exe",
"legal_copyright": "Copyright © Microsoft 2011",
"linker": {
"major_version": 48,
"minor_version": 0
}
}
},
"sections": {
"total_sections": 3,
"total_raw_bytes": 23040,
"total_virt_bytes": 22320,
"sections": [
{
"name": ".text",
"entropy": 4.7316236,
"md5": "5b1cc17d6f1a0bcffda1bc6f451c14a0",
"ssdeep": "192:Pu/f5epBk4pkW8KUnm9VtD0wsbNL0+zM+LMU4MjnNVWcA/4bsJji+v:PcuNDlF9VtDZsb10+zMKMU4MjnNJc",
"virt_address": "0x2000",
"raw_size": 20480,
"virt_size": 20420,
"elf_comment_or_note_content": null
},
{
"name": ".rsrc",
"entropy": 4.3263397,
"md5": "8b4b0e26afa8d786659a9cedf2f6db46",
"ssdeep": "24:eGDR4QymZWBFhZhNmCkWXUcnY3agPN8qPt/dq3ojZ8PAlEbNFjMyiipW3:e4imZWBFhlopa4FPtlq3ojZ8JbNtmMa",
"virt_address": "0x8000",
"raw_size": 2048,
"virt_size": 1888,
"elf_comment_or_note_content": null
},
{
"name": ".reloc",
"entropy": 0.081539415,
"md5": "e310468da4f5b84f36265d8270c41588",
"ssdeep": "3:0:",
"virt_address": "0xa000",
"raw_size": 512,
"virt_size": 12,
"elf_comment_or_note_content": null
}
]
},
"imports": {
"hashes": {
"md5": "f34d5f2d4577ed6d9ceec516c1f5a744",
"md5_sorted": "f34d5f2d4577ed6d9ceec516c1f5a744",
"ssdeep": "3:rGsLdAIEK:tf",
"ssdeep_sorted": "3:rGsLdAIEK:tf"
},
"lib_count": 1,
"func_count": 1,
"imports": [
{
"lib": "mscoree.dll",
"count": 1,
"names": [
{
"name": "_CorExeMain",
"more_interesting": null,
"info": ""
}
]
}
]
},
"exports": {
"hashes": {
"md5": "d41d8cd98f00b204e9800998ecf8427e",
"md5_sorted": "",
"ssdeep": "3::",
"ssdeep_sorted": ""
},
"count": 0,
"names": []
}
},
"strings": []
}
{
"runtime_env": {
"timestamp": "2023-01-12T00:28:57.871971300+00:00",
"device_type": "Windows 10.0.22621 (Workstation)",
"run_as_admin": true
},
"path": "C:\\Users\\thefl\\Downloads\\SharpHound.exe.lnk",
"directory": "C:\\Users\\thefl\\Downloads",
"filename": "SharpHound.exe.lnk",
"extension": "lnk",
"bytes": 1446,
"mime_type": "application/octet-stream",
"is_hidden": false,
"is_link": true,
"link": {
"rel_path": "",
"abs_path": "E:\\shared\\SharpHound.exe",
"arguments": "-blah \"hi there\"",
"working_dir": "E:\\shared",
"icon_location": "E:\\shared\\SharpHound.exe",
"hotkey": "NO_MODIFIER-NoKeyAssigned",
"comment": "not evil, please just run me",
"show_command": "ShowNormal",
"flags": "HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO | HAS_WORKING_DIR | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE | ENABLE_TARGET_METADATA"
},
"timestamps": {
"access_fn": "2023-01-11T15:23:46.799",
"access_si": "2023-01-12T00:26:43.962",
"create_fn": "2023-01-11T15:23:46.790",
"create_si": "2023-01-11T15:23:46.790",
"modify_fn": "2023-01-11T15:23:46.793",
"modify_si": "2023-01-11T16:25:01.945",
"mft_record": "2023-01-11T15:23:46.801"
},
"entropy": 4.3651047,
"hashes": {
"md5": "fc751be8019b136611299843b174da3f",
"sha1": "301ef23cfbba2e105ad1fb7e23290c72d9720d4d",
"sha256": "58dd16a28e5b7edee3ee2ed5a2159135ef53b70ca31f6a2fdf3513cdf10068cc",
"ssdeep": "24:8GC8aWsnLnN5/yLkZmdyDkNQ1DHdz4/LFtVMwLs2cXpoHs/dmn7:8G/SnLeyDH1DgGpGIc"
},
"ads": [
{
"name": "",
"bytes": 1446,
"first_256_bytes": "L...\u0001\u0014\u0002.....�......F�.\b. ...�Y\u001a�,\u0016�\u0001fr\u001f��%�\u0001.��~v��\u0001.\f\u0010.....\u0001...............�.\u0014.\u001fP�O� �:i\u0010��\b.+00�\u0019./E:\\...................T.1.....)VE\r0.shared..>.\t.\u0004.ヨU�\u0014+V�z....�.....\u0004...............'�\u0012\u0001s.h.a.r.e.d...\u0016.j.2..\f\u0010.\u0003U�� .SHARPH~1.EXE..N.\t.\u0004.ヨU\\�+V�z...."
}
],
"binary": {
"is_64": false,
"is_dotnet": false,
"is_lib": false,
"entry_point": "",
"pe_info": {
"product_version": "",
"original_filename": "",
"file_description": "",
"file_version": "",
"product_name": "",
"company_name": "",
"internal_name": "",
"legal_copyright": ""
},
"timestamps": {
"compile": "",
"debug": ""
},
"linker": {
"major_version": 0,
"minor_version": 0
},
"sections": {
"total_sections": 0,
"total_raw_bytes": 0,
"total_virt_bytes": 0,
"sections": []
},
"imports": {
"hashes": {
"md5": "",
"md5_sorted": "",
"ssdeep": "",
"ssdeep_sorted": ""
},
"lib_count": 0,
"func_count": 0,
"imports": []
},
"exports": {
"hashes": {
"md5": "",
"ssdeep": ""
},
"count": 0,
"names": []
}
},
"strings": []
}
{
"runtime_env": {
"timestamp": "2023-07-09T01:49:31.335784100+00:00",
"device_type": "Windows 6.1.7601 (Workstation)",
"run_as_admin": true
},
"path": "Z:\\home\\flakes\\code\\fmd\\target\\x86_64-pc-windows-gnu\\release\\fmd.exe",
"directory": "Z:\\home\\flakes\\code\\fmd\\target\\x86_64-pc-windows-gnu\\release",
"filename": "fmd.exe",
"extension": "exe",
"bytes": 937472,
"mime_type": "application/x-ms-dos-executable",
"is_hidden": false,
"is_link": false,
"link": {
"rel_path": "",
"abs_path": "",
"arguments": "",
"working_dir": "",
"icon_location": "",
"hotkey": "",
"comment": "",
"show_command": "",
"flags": "",
"drive_type": "",
"drive_serial_number": "",
"volume_label": ""
},
"timestamps": {
"access_fn": "",
"access_si": "2023-07-09T01:49:28.692",
"create_fn": "",
"create_si": "2023-07-09T01:49:28.712",
"modify_fn": "",
"modify_si": "2023-07-09T01:49:28.712",
"mft_record": ""
},
"entropy": 6.3931646,
"hashes": {
"md5": "ff04377b4f96a02929413c0730d5519f",
"sha1": "4877b7e5b8337bd21b35f25458efbcc96d87ae1e",
"sha256": "0ca3a0ecb9d5bd50ea2a91b6ff74911852ff8f64d3139f1088c341112fde215b",
"ssdeep": "12288:4kcvW5abSZfkuAfgz3e7wq7ZMjUEDBrLqMJPDgbZZl/jI:4kc+5akAfgzLzDNqAkbR"
},
"ads": [],
"binary": {
"is_64": true,
"is_dotnet": false,
"is_lib": false,
"entry_point": "0x14f0",
"pe_info": {
"product_version": "",
"original_filename": "",
"file_description": "",
"file_version": "",
"product_name": "",
"company_name": "",
"internal_name": "",
"legal_copyright": ""
},
"timestamps": {
"compile": "2023-07-09T01:49:28",
"debug": ""
},
"linker": {
"major_version": 2,
"minor_version": 38
},
"sections": {
"total_sections": 10,
"total_raw_bytes": 936448,
"total_virt_bytes": 934808,
"sections": [
{
"name": ".text",
"entropy": 6.175901,
"md5": "2d2dab284ac60a22f26c167fb45532f0",
"ssdeep": "12288:pkcvW5abSZfkuAfgz3e7wq7ZMjUEDBrLqMJPDgbZZ:pkc+5akAfgzLzDNqAkb",
"virt_address": "0x1000",
"raw_size": 698880,
"virt_size": 698680,
},
{
"name": ".data",
"entropy": 1.107906,
"md5": "053fbc14f1d805d6be0f91556e81982b",
"ssdeep": "3:flBqllmls+tll+l/lXRhoEvhElFJlAElFe/FveKE/3Rt//tfl:ylMs+IhzEMTA11",
"virt_address": "0xac000",
"raw_size": 512,
"virt_size": 288,
},
{
"name": ".rdata",
"entropy": 5.803681,
"md5": "01a231ddfe4a802dbef0797e5b64f1b1",
"ssdeep": "1536:90lTdjRT/7jDp25WMX/LXGsybVfRseqOPZm48LFjlfvOXMwQGK6jv9eys+F6d9pQ:8TDvonX/KsypRm4KGLkt8oC",
"virt_address": "0xad000",
"raw_size": 194048,
"virt_size": 193808,
},
{
"name": ".pdata",
"entropy": 5.793641,
"md5": "a06ff8b0ed30d0d6073c5938c61c0f06",
"ssdeep": "192:L8KVwGF9JhD1osV5V60xvIpbWH6Ix0WSFn5C+xX4QXrfjfnceVuf+u:L9VwkFxH80Z8HbB4QX/fnru2",
"virt_address": "0xdd000",
"raw_size": 12800,
"virt_size": 12312,
},
{
"name": ".xdata",
"entropy": 5.1570663,
"md5": "1d433c2abf0c52dbbe6d2d1e7562e7bb",
"ssdeep": "384:Y7Ae2cV1IND9Sc0APLRtRPWElGj9o0U+:y2qgTZn",
"virt_address": "0xe1000",
"raw_size": 18944,
"virt_size": 18932,
},
{
"name": ".bss",
"entropy": 0.0,
"md5": "d41d8cd98f00b204e9800998ecf8427e",
"ssdeep": "3::",
"virt_address": "0xe6000",
"raw_size": 0,
"virt_size": 1120,
},
{
"name": ".idata",
"entropy": 4.3447256,
"md5": "e2a534477d84a4aa71a97a5d2f25f4e3",
"ssdeep": "96:NwFZ909wFZ90MQx21cqmkQWY8JXXvyP/mfnWBM+AzCkz:WFj0mFj0jx217mkTJJK/mfnWe+AOkz",
"virt_address": "0xe7000",
"raw_size": 5120,
"virt_size": 4648,
},
{
"name": ".CRT",
"entropy": 0.5435276,
"md5": "e33e9bf6b29463f68af58eaf2cae587c",
"ssdeep": "3:TlgqlNs/voqsVk:TlgN/4O",
"virt_address": "0xe9000",
"raw_size": 512,
"virt_size": 120,
},
{
"name": ".tls",
"entropy": 0.0,
"md5": "bf619eac0cdf3f68d496ea9344137e8b",
"ssdeep": "3::",
"virt_address": "0xea000",
"raw_size": 512,
"virt_size": 16,
},
{
"name": ".reloc",
"entropy": 5.375736,
"md5": "c59313c669c6dd2a9da789a8fd50dd5c",
"ssdeep": "96:YWX3DKenhKenGv61cEsZ39CH1VKnoJ3rZ/mW2w0mMntnG/GEcnnzy:Ymee4eI61chCVVKEJmW2VG/GFnzy",
"virt_address": "0xeb000",
"raw_size": 5120,
"virt_size": 4884,
}
]
},
"imports": {
"hashes": {
"md5": "93bc9d9897e4e465d4287edf79c2eeb8",
"md5_sorted": "5aa3b1a3a880c918589b831414013445",
"ssdeep": "48:mbfKW5W6GHMCf9Fa4qcnboxQIOXHcAJG6qJ7k7qtD:UCW5W6GHMCfr5qcnboxQIOXHcAJGhlC4",
"ssdeep_sorted": "48:mbfdW5W6GHMCf9Fa40cnboxQIOXHcfJG6qJ7k7qtD:U1W5W6GHMCfr50cnboxQIOXHcfJGhlC4"
},
"lib_count": 5,
"func_count": 116,
"imports": [
{
"lib": "ADVAPI32.dll",
"count": 3,
"names": [
{
"name": "GetTokenInformation",
"more_interesting": false,
"info": ""
},
{
"name": "OpenProcessToken",
"more_interesting": false,
"info": ""
},
{
"name": "SystemFunction036",
"more_interesting": false,
"info": ""
}
]
},
{
"lib": "bcrypt.dll",
"count": 1,
"names": [
{
"name": "BCryptGenRandom",
"more_interesting": false,
"info": ""
}
]
},
{
"lib": "KERNEL32.dll",
"count": 78,
"names": [
{
"name": "AcquireSRWLockExclusive",
"more_interesting": false,
"info": ""
},
{
"name": "AcquireSRWLockShared",
"more_interesting": false,
"info": ""
},
{
"name": "AddVectoredExceptionHandler",
"more_interesting": false,
"info": ""
},
{
"name": "CloseHandle",
"more_interesting": false,
"info": ""
},
{
"name": "CreateFileMappingA",
"more_interesting": true,
"info": "Creates or opens a named or unnamed file mapping object for a specified file."
},
{
"name": "CreateFileW",
"more_interesting": false,
"info": ""
},
{
"name": "CreateMutexA",
"more_interesting": false,
"info": ""
},
{
"name": "CreateToolhelp32Snapshot",
"more_interesting": true,
"info": "Takes a snapshot of the specified processes, heaps,modules, and threads used by the processes."
},
{
"name": "DeleteCriticalSection",
"more_interesting": false,
"info": ""
},
{
"name": "DuplicateHandle",
"more_interesting": false,
"info": ""
},
{
"name": "EnterCriticalSection",
"more_interesting": false,
"info": ""
},
{
"name": "ExitProcess",
"more_interesting": false,
"info": ""
},
{
"name": "FindClose",
"more_interesting": false,
"info": ""
},
{
"name": "FindFirstFileW",
"more_interesting": true,
"info": "Searches a directory for a file or subdirectory with a name."
},
{
"name": "FindNextFileW",
"more_interesting": true,
"info": "Continues a file search for a previous call to the 'findfirstfile/findfirstfileex/findfirstfiletransac
ted' function."
},
{
"name": "FormatMessageW",
"more_interesting": false,
"info": ""
},
{
"name": "FreeLibrary",
"more_interesting": false,
"info": ""
},
{
"name": "GetCommandLineW",
"more_interesting": false,
"info": ""
},
{
"name": "GetConsoleMode",
"more_interesting": false,
"info": ""
},
{
"name": "GetCurrentDirectoryW",
"more_interesting": false,
"info": ""
},
{
"name": "GetCurrentProcess",
"more_interesting": false,
"info": ""
},
{
"name": "GetCurrentThread",
"more_interesting": false,
"info": ""
},
{
"name": "GetEnvironmentVariableW",
"more_interesting": false,
"info": ""
},
{
"name": "GetFileInformationByHandle",
"more_interesting": false,
"info": ""
},
{
"name": "GetFileInformationByHandleEx",
"more_interesting": false,
"info": ""
},
{
"name": "GetFinalPathNameByHandleW",
"more_interesting": false,
"info": ""
},
{
"name": "GetFullPathNameW",
"more_interesting": false,
"info": ""
},
{
"name": "GetLastError",
"more_interesting": false,
"info": ""
},
{
"name": "GetModuleFileNameW",
"more_interesting": true,
"info": "Retrieves the fully qualified path for the file that contains the specified module."
},
{
"name": "GetModuleHandleA",
"more_interesting": true,
"info": "Retrieves a module handle for the specified module."
},
{
"name": "GetModuleHandleW",
"more_interesting": true,
"info": "Retrieves a module handle for the specified module."
},
{
"name": "GetProcAddress",
"more_interesting": false,
"info": ""
},
{
"name": "GetProcessHeap",
"more_interesting": false,
"info": ""
},
{
"name": "GetStartupInfoA",
"more_interesting": true,
"info": "Retrieves the contents of the STARTUPINFO structure that was specified when the calling process was cr
eated."
},
{
"name": "GetStdHandle",
"more_interesting": false,
"info": ""
},
{
"name": "GetSystemTimeAsFileTime",
"more_interesting": false,
"info": ""
},
{
"name": "HeapAlloc",
"more_interesting": false,
"info": ""
},
{
"name": "HeapFree",
"more_interesting": false,
"info": ""
},
{
"name": "HeapReAlloc",
"more_interesting": false,
"info": ""
},
{
"name": "InitOnceBeginInitialize",
"more_interesting": false,
"info": ""
},
{
"name": "InitOnceComplete",
"more_interesting": false,
"info": ""
},
{
"name": "InitializeCriticalSection",
"more_interesting": false,
"info": ""
},
{
"name": "LeaveCriticalSection",
"more_interesting": false,
"info": ""
},
{
"name": "LoadLibraryA",
"more_interesting": true,
"info": "Loads the specified module into the address space of the calling process."
},
{
"name": "LoadLibraryExW",
"more_interesting": true,
"info": "Loads the specified module into the address space of the calling process."
},
{
"name": "MapViewOfFile",
"more_interesting": false,
"info": ""
},
{
"name": "Module32FirstW",
"more_interesting": false,
"info": ""
},
{
"name": "Module32NextW",
"more_interesting": false,
"info": ""
},
{
"name": "MultiByteToWideChar",
"more_interesting": false,
"info": ""
},
{
"name": "QueryPerformanceCounter",
"more_interesting": false,
"info": ""
},
{
"name": "QueryPerformanceFrequency",
"more_interesting": false,
"info": ""
},
{
"name": "RaiseException",
"more_interesting": false,
"info": ""
},
{
"name": "ReleaseMutex",
"more_interesting": false,
"info": ""
},
{
"name": "ReleaseSRWLockExclusive",
"more_interesting": false,
"info": ""
},
{
"name": "ReleaseSRWLockShared",
"more_interesting": false,
"info": ""
},
{
"name": "RtlCaptureContext",
"more_interesting": false,
"info": ""
},
{
"name": "RtlLookupFunctionEntry",
"more_interesting": false,
"info": ""
},
{
"name": "RtlUnwindEx",
"more_interesting": false,
"info": ""
},
{
"name": "RtlVirtualUnwind",
"more_interesting": false,
"info": ""
},
{
"name": "SetFilePointerEx",
"more_interesting": false,
"info": ""
},
{
"name": "SetLastError",
"more_interesting": false,
"info": ""
},
{
"name": "SetThreadStackGuarantee",
"more_interesting": false,
"info": ""
},
{
"name": "SetUnhandledExceptionFilter",
"more_interesting": false,
"info": ""
},
{
"name": "Sleep",
"more_interesting": false,
"info": ""
},
{
"name": "SystemTimeToFileTime",
"more_interesting": false,
"info": ""
},
{
"name": "SystemTimeToTzSpecificLocalTime",
"more_interesting": false,
"info": ""
},
{
"name": "TlsAlloc",
"more_interesting": false,
"info": ""
},
{
"name": "TlsFree",
"more_interesting": false,
"info": ""
},
{
"name": "TlsGetValue",
"more_interesting": false,
"info": ""
},
{
"name": "TlsSetValue",
"more_interesting": false,
"info": ""
},
{
"name": "TryAcquireSRWLockExclusive",
"more_interesting": false,
"info": ""
},
{
"name": "UnmapViewOfFile",
"more_interesting": false,
"info": ""
},
{
"name": "VirtualProtect",
"more_interesting": false,
"info": ""
},
{
"name": "VirtualQuery",
"more_interesting": false,
"info": ""
},
{
"name": "WaitForSingleObject",
"more_interesting": false,
"info": ""
},
{
"name": "WaitForSingleObjectEx",
"more_interesting": false,
"info": ""
},
{
"name": "WriteConsoleW",
"more_interesting": false,
"info": ""
},
{
"name": "__C_specific_handler",
"more_interesting": false,
"info": ""
}
]
},
{
"lib": "msvcrt.dll",
"count": 31,
"names": [
{
"name": "__getmainargs",
"more_interesting": false,
"info": ""
},
{
"name": "__initenv",
"more_interesting": false,
"info": ""
},
{
"name": "__iob_func",
"more_interesting": false,
"info": ""
},
{
"name": "__lconv_init",
"more_interesting": false,
"info": ""
},
{
"name": "__set_app_type",
"more_interesting": false,
"info": ""
},
{
"name": "__setusermatherr",
"more_interesting": false,
"info": ""
},
{
"name": "_acmdln",
"more_interesting": false,
"info": ""
},
{
"name": "_amsg_exit",
"more_interesting": false,
"info": ""
},
{
"name": "_cexit",
"more_interesting": false,
"info": ""
},
{
"name": "_commode",
"more_interesting": false,
"info": ""
},
{
"name": "_errno",
"more_interesting": false,
"info": ""
},
{
"name": "_fmode",
"more_interesting": false,
"info": ""
},
{
"name": "_fpreset",
"more_interesting": false,
"info": ""
},
{
"name": "_initterm",
"more_interesting": false,
"info": ""
},
{
"name": "_onexit",
"more_interesting": false,
"info": ""
},
{
"name": "abort",
"more_interesting": false,
"info": ""
},
{
"name": "calloc",
"more_interesting": false,
"info": ""
},
{
"name": "exit",
"more_interesting": false,
"info": ""
},
{
"name": "fprintf",
"more_interesting": false,
"info": ""
},
{
"name": "free",
"more_interesting": false,
"info": ""
},
{
"name": "fwrite",
"more_interesting": false,
"info": ""
},
{
"name": "logf",
"more_interesting": false,
"info": ""
},
{
"name": "malloc",
"more_interesting": false,
"info": ""
},
{
"name": "memcmp",
"more_interesting": false,
"info": ""
},
{
"name": "memcpy",
"more_interesting": false,
"info": ""
},
{
"name": "memmove",
"more_interesting": false,
"info": ""
},
{
"name": "memset",
"more_interesting": false,
"info": ""
},
{
"name": "signal",
"more_interesting": false,
"info": ""
},
{
"name": "strlen",
"more_interesting": false,
"info": ""
},
{
"name": "strncmp",
"more_interesting": false,
"info": ""
},
{
"name": "vfprintf",
"more_interesting": false,
"info": ""
}
]
},
{
"lib": "ntdll.dll",
"count": 3,
"names": [
{
"name": "NtReadFile",
"more_interesting": false,
"info": ""
},
{
"name": "NtWriteFile",
"more_interesting": false,
"info": ""
},
{
"name": "RtlNtStatusToDosError",
"more_interesting": false,
"info": ""
}
]
}
]
},
"exports": {
"hashes": {
"md5": "d41d8cd98f00b204e9800998ecf8427e",
"ssdeep": "3::"
},
"count": 0,
"names": []
}
},
"strings": []
}