trigger[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

trigger.exe
Size

4.7MB
MD5

926ef38d94a9c43a6c281623312a3213
SHA1

85ac0eca490767ab828a235cd492e27a634534e7
SHA256

bb685679d071bf86c7c589a89eb6d1ff2a22efd5a6aa9e1211b7d71e1221d261
SHA512

4cd5f007e7abf080dc87e434b5965a6c66afb3cfed0556686487a2f3d29094b7f27e6330194d38170dbb37503feebdb657c86b5d1afdcc14bbe5c0b3996c8850
SSDEEP

49152:QlxZNhG7w8WL0LcTnAaDjbe01pxcFn0aVNKZbAaIAS4ev3kcCEbUsmCMBuuA8Iy6:aT/oZJXY6Gpr+0Aa0J

Score

1^/10

Malware Config

Signatures

Files

trigger.exe
.exe windows x64

7b944204c5a2c46a50f7538a8505bb8f

Code Sign

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:ed
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

15/12/2020, 21:29

Not After

02/12/2021, 21:29

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

56:62:1a:45:1c:c2:69:ae:e3:a8:2c:a1:82:2a:78:cb:21:58:29:a2:64:c4:e4:f4:29:58:19:7f:3e:c0:b9:5e
Signer

Actual PE Digest

56:62:1a:45:1c:c2:69:ae:e3:a8:2c:a1:82:2a:78:cb:21:58:29:a2:64:c4:e4:f4:29:58:19:7f:3e:c0:b9:5e

Digest Algorithm

sha256

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcp_win

?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?peek@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAHXZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_ReportUnobservedException@details@Concurrency@@YAXXZ
_Cnd_wait
??0?$basic_iostream@GU?$char_traits@G@std@@@std@@QEAA@PEAV?$basic_streambuf@GU?$char_traits@G@std@@@1@@Z
??0?$basic_ios@GU?$char_traits@G@std@@@std@@IEAA@XZ
?setp@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXPEAG00@Z
?epptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?setg@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXPEAG00@Z
?egptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?eback@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?setp@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXPEAG0@Z
?pbase@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
??0?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAA@XZ
?sputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAA_JPEBG_J@Z
?imbue@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAXAEBVlocale@2@@Z
?setbuf@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAPEAV12@PEAG_J@Z
?xsgetn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEAG_J@Z
?uflow@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAGXZ
?showmanyc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JXZ
?tolower@?$ctype@G@std@@QEBAPEBGPEAGPEBG@Z
?tolower@?$ctype@G@std@@QEBAGG@Z
?xsputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEBG_J@Z
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ
_Wcscoll
_Wcsxfrm
?id@?$collate@G@std@@2V0locale@2@A
??Bid@locale@std@@QEAA_KXZ
?id@?$ctype@G@std@@2V0locale@2@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
??0facet@locale@std@@IEAA@_K@Z
??1facet@locale@std@@MEAA@XZ
??0_Lockit@std@@QEAA@H@Z
??0_Locinfo@std@@QEAA@PEBD@Z
?c_str@?$_Yarn@D@std@@QEBAPEBDXZ
??1_Lockit@std@@QEAA@XZ
??1_Locinfo@std@@QEAA@XZ
?is@?$ctype@G@std@@QEBA_NFG@Z
?_Getcat@?$ctype@G@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Incref@facet@locale@std@@UEAAXXZ
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
??1?$basic_iostream@GU?$char_traits@G@std@@@std@@UEAA@XZ
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
??1?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAA@XZ
?gbump@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXH@Z
?pptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?gptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
??1?$basic_ios@GU?$char_traits@G@std@@@std@@UEAA@XZ
?_Lock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
?tie@?$basic_ios@GU?$char_traits@G@std@@@std@@QEBAPEAV?$basic_ostream@GU?$char_traits@G@std@@@2@XZ
?flush@?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAAEAV12@XZ
?_Unlock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
?uncaught_exception@std@@YA_NXZ
?good@ios_base@std@@QEBA_NXZ
?sync@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAHXZ
?_Osfx@?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAXXZ
?width@ios_base@std@@QEBA_JXZ
?flags@ios_base@std@@QEBAHXZ
?_Pninc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAPEAGXZ
?sputc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAAGG@Z
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?get@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAHXZ
?_Xbad_alloc@std@@YAXXZ
?_Xout_of_range@std@@YAXPEBD@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?rdbuf@?$basic_ios@GU?$char_traits@G@std@@@std@@QEBAPEAV?$basic_streambuf@GU?$char_traits@G@std@@@2@XZ
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?fill@?$basic_ios@GU?$char_traits@G@std@@@std@@QEBAGXZ
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
?width@ios_base@std@@QEAA_J_J@Z
_Thrd_yield
?_Xbad_function_call@std@@YAXXZ
?__ExceptionPtrCreate@@YAXPEAX@Z
?__ExceptionPtrDestroy@@YAXPEAX@Z
?setstate@?$basic_ios@GU?$char_traits@G@std@@@std@@QEAAXH_N@Z
?__ExceptionPtrAssign@@YAXPEAXPEBX@Z
?__ExceptionPtrCopy@@YAXPEAXPEBX@Z
?__ExceptionPtrCurrentException@@YAXPEAX@Z
?__ExceptionPtrRethrow@@YAXPEBX@Z
?__ExceptionPtrCopyException@@YAXPEAXPEBX1@Z
_Thrd_detach
?_Throw_C_error@std@@YAXH@Z
?_Throw_Cpp_error@std@@YAXH@Z
_Thrd_join
_Mtx_unlock
?_Xlength_error@std@@YAXPEBD@Z
_Thrd_id
_Mtx_lock
_Cnd_do_broadcast_at_thread_exit

api-ms-win-crt-runtime-l1-1-0

_c_exit
_initterm_e
_initterm
_register_thread_local_exe_atexit_callback
_set_error_mode

api-ms-win-crt-string-l1-1-0

memset
strncmp
wcscspn
wcsncmp
wcscmp

api-ms-win-crt-time-l1-1-0

_time64

api-ms-win-crt-private-l1-1-0

_o_exit
_o_floor
_o_floorf
_o_fmod
_o_free
_o_iswspace
_o_lroundf
_o_malloc
_o_memcpy_s
_o_pow
_o_realloc
_o_sqrt
_o_terminate
_o_wcscat_s
_o_wcscpy_s
_o_wcsncpy_s
_o_wcstol
__C_specific_handler
__current_exception
__current_exception_context
__CxxFrameHandler3
memmove
_o_ceilf
_o_ceil
_o_abort
_o__set_new_mode
_o__set_fmode
_o__set_errno
_o__set_app_type
_o__seh_filter_exe
_o__localtime64
_o__register_onexit_function
_o__recalloc
_o__wcsnicmp
_o__itow_s
_o__purecall
_o__itoa_s
_o__wcsicmp
_o__mktime64
_o__wtoi
_o__invalid_parameter_noinfo_noreturn
_o__invalid_parameter_noinfo
_o__initialize_wide_environment
_o__initialize_onexit_table
_o__get_wide_winmain_command_line
_o__get_errno
_o__exit
_o__errno
_o__difftime64
_o__crt_atexit
_o__configure_wide_argv
_o__configthreadlocale
_o__cexit
_o__beginthreadex
_o___stdio_common_vswprintf
_o___stdio_common_vsnwprintf_s
_o___stdio_common_vsnprintf_s
_o___std_exception_destroy
_o___std_exception_copy
_o___p__commode
wcschr
wcsrchr
wcsstr
__std_terminate
__CxxFrameHandler4
_CxxThrowException
__C_specific_handler_noexcept
memcmp
memcpy

aepic

PicFreeFileInfo
PicRetrieveFileInfo

twinapi

ord9

api-ms-win-core-job-l2-1-0

AssignProcessToJobObject
SetInformationJobObject
CreateJobObjectW
QueryInformationJobObject

api-ms-win-core-windowserrorreporting-l1-1-3

RegisterApplicationRestart

api-ms-win-core-url-l1-1-0

UrlUnescapeW
PathIsURLW
HashData

api-ms-win-core-windowserrorreporting-l1-1-1

WerUnregisterCustomMetadata
WerRegisterCustomMetadata

api-ms-win-core-kernel32-private-l1-1-0

CheckElevation
CheckElevationEnabled

api-ms-win-core-registryuserspecific-l1-1-0

SHRegGetBoolUSValueW
SHRegGetUSValueW

api-ms-win-core-com-private-l1-1-0

CoRegisterMessageFilter
CoRevokeInitializeSpy
CoRegisterInitializeSpy

api-ms-win-core-atoms-l1-1-0

GlobalGetAtomNameW

api-ms-win-core-sidebyside-l1-1-0

ActivateActCtx
ReleaseActCtx
CreateActCtxW
DeactivateActCtx

ntdll

ZwQuerySystemInformation
RtlInitUnicodeString
ZwQueryValueKey
ZwOpenKey
ZwClose
RtlReAllocateHeap
RtlAppendUnicodeToString
RtlAnsiStringToUnicodeString
RtlImageDirectoryEntryToData
ZwUnmapViewOfSection
RtlNtPathNameToDosPathName
ZwCreateFile
RtlUpcaseUnicodeChar
ZwCreateSection
RtlxAnsiStringToUnicodeSize
ZwQueryInformationProcess
RtlpEnsureBufferSize
RtlGetNativeSystemInformation
RtlVerifyVersionInfo
ZwQueryDirectoryFile
ZwSetInformationProcess
RtlInitUnicodeStringEx
ZwMapViewOfSection
RtlFormatCurrentUserKeyPath
ZwEnumerateKey
ZwOpenFile
ZwQueryInformationFile
LdrResSearchResource
RtlReleaseSRWLockShared
RtlAcquireSRWLockShared
RtlReleaseSRWLockExclusive
RtlAcquireSRWLockExclusive
RtlGetVersion
RtlInitString
NtQueryInformationProcess
NtSetInformationProcess
NtQueryWnfStateData
RtlCaptureContext
RtlUnsubscribeWnfNotificationWaitForCompletion
RtlSubscribeWnfStateChangeNotification
RtlQueryWnfStateData
RtlFlushHeaps
NtSetSystemInformation
RtlPublishWnfStateData
RtlGetDeviceFamilyInfoEnum
RtlNtStatusToDosError
RtlLookupFunctionEntry
RtlVirtualUnwind
strchr
RtlDosPathNameToNtPathName_U_WithStatus
RtlFreeUnicodeString
RtlAllocateHeap
RtlFreeHeap
RtlCompareUnicodeString
NtOpenProcessToken
NtQueryInformationToken
NtClose
RtlAppendUnicodeStringToString
NtOpenThreadToken
wcsspn
WinSqmAddToStreamEx
RtlRunOnceExecuteOnce
RtlCopyUnicodeString
RtlUpcaseUnicodeString
RtlNtStatusToDosErrorNoTeb
NtSetThreadExecutionState
VerSetConditionMask
RtlQueryResourcePolicy
WinSqmSetDWORD
WinSqmIsOptedIn

api-ms-win-core-libraryloader-l1-2-0

FreeLibrary
FindStringOrdinal
FindResourceExW
GetModuleHandleW
LoadLibraryExW
GetProcAddress
SizeofResource
LoadResource
LoadStringW
LockResource
GetModuleHandleA
GetModuleHandleExW
GetModuleFileNameA
GetModuleFileNameW

api-ms-win-core-synch-l1-2-0

InitOnceBeginInitialize
Sleep
InitOnceExecuteOnce
InitOnceComplete

api-ms-win-core-synch-l1-1-0

EnterCriticalSection
CreateSemaphoreExW
SetEvent
CreateEventW
WaitForSingleObject
AcquireSRWLockExclusive
WaitForSingleObjectEx
OpenSemaphoreW
OpenMutexW
InitializeCriticalSectionEx
CreateEventExW
InitializeSRWLock
ReleaseSRWLockShared
WaitForMultipleObjectsEx
OpenEventW
InitializeCriticalSection
ReleaseMutex
ReleaseSRWLockExclusive
LeaveCriticalSection
InitializeCriticalSectionAndSpinCount
CreateMutexW
ReleaseSemaphore
CreateMutexExW
ResetEvent
SleepEx
TryEnterCriticalSection
AcquireSRWLockShared
DeleteCriticalSection

api-ms-win-core-heap-l1-1-0

HeapFree
GetProcessHeap
HeapAlloc

api-ms-win-core-errorhandling-l1-1-0

SetErrorMode
GetLastError
UnhandledExceptionFilter
RaiseException
SetUnhandledExceptionFilter
SetLastError

api-ms-win-core-file-l1-1-0

DeleteFileW
WriteFile
CompareFileTime
FileTimeToLocalFileTime
GetLongPathNameW
GetFileAttributesW
FindClose
CreateFileW
FindFirstFileW
FindNextFileW

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer
EventRegister
EventUnregister
EventActivityIdControl
EventWrite
EventSetInformation
EventEnabled

api-ms-win-core-registry-l1-1-0

RegOpenKeyExW
RegEnumKeyExW
RegDeleteValueW
RegEnumValueW
RegGetValueW
RegDeleteKeyExW
RegQueryValueExW
RegCreateKeyExW
RegQueryInfoKeyW
RegCloseKey
RegOpenCurrentUser
RegSetValueExW

api-ms-win-core-threadpool-l1-2-0

WaitForThreadpoolTimerCallbacks
SubmitThreadpoolWork
CreateThreadpoolTimer
CreateThreadpoolWork
CloseThreadpoolTimer
SetThreadpoolTimer
CloseThreadpoolWait
WaitForThreadpoolWaitCallbacks
SetThreadpoolWait
CreateThreadpoolWait
TrySubmitThreadpoolCallback

api-ms-win-core-processthreads-l1-1-0

GetStartupInfoW
SetProcessShutdownParameters
CreateThread
QueueUserAPC
SetThreadPriority
SetPriorityClass
TlsSetValue
ResumeThread
OpenThread
CreateProcessW
TlsAlloc
ProcessIdToSessionId
GetThreadPriority
OpenProcessToken
GetCurrentThread
OpenThreadToken
GetCurrentProcess
TlsGetValue
TlsFree
ExitProcess
TerminateProcess
GetCurrentProcessId
SetThreadPriorityBoost
GetCurrentThreadId
GetExitCodeProcess
GetPriorityClass
GetProcessId

api-ms-win-core-localization-l1-2-0

GetLocaleInfoW
FormatMessageW
GetCalendarInfoW
GetThreadUILanguage
GetLocaleInfoEx

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
DebugBreak
IsDebuggerPresent

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

oleaut32

SysAllocString
SysStringLen
SafeArrayDestroy
VariantInit
VariantClear
VarUI4FromStr
SafeArrayUnaccessData
SafeArrayCreate
SysFreeString
SafeArrayAccessData
SysAllocStringByteLen

api-ms-win-shcore-taskpool-l1-1-0

SHTaskPoolQueueTask
SHTaskPoolGetUniqueContext

api-ms-win-shcore-sysinfo-l1-1-0

SetCurrentProcessExplicitAppUserModelID
IsOS

api-ms-win-core-com-l1-1-0

CreateStreamOnHGlobal
CoGetInterfaceAndReleaseStream
PropVariantClear
StringFromGUID2
StringFromIID
CoCreateGuid
CoSetProxyBlanket
CoGetObjectContext
CoFreeUnusedLibraries
CoReleaseMarshalData
CoCreateFreeThreadedMarshaler
CLSIDFromString
CoGetApartmentType
CoWaitForMultipleHandles
IIDFromString
CoGetCallContext
CoInitializeSecurity
CoEnableCallCancellation
CoMarshalInterThreadInterfaceInStream
CoDisableCallCancellation
CoCancelCall
CoTaskMemFree
StringFromCLSID
CoGetStdMarshalEx
CoCreateInstance
CoRegisterClassObject
CoRevokeClassObject
CoTaskMemRealloc
CoTaskMemAlloc
CoGetMalloc
CoInitializeEx
CoUninitialize

api-ms-win-core-shlwapi-obsolete-l1-1-0

StrCmpICW
StrToIntW
StrChrW
StrCmpNIW
QISearch
StrCmpIW
StrCmpW
StrCmpNICW
StrCmpICA
StrChrIW

api-ms-win-shcore-obsolete-l1-1-0

CommandLineToArgvW
SHStrDupW

api-ms-win-shcore-comhelpers-l1-1-0

IUnknown_Set
IUnknown_QueryService
IUnknown_SetSite
IUnknown_GetSite

api-ms-win-core-heap-l2-1-0

LocalFree
LocalReAlloc
LocalAlloc
GlobalAlloc
GlobalFree

api-ms-win-core-processthreads-l1-1-1

GetProcessMitigationPolicy
IsProcessorFeaturePresent
OpenProcess

api-ms-win-core-datetime-l1-1-0

GetDateFormatW

api-ms-win-core-sysinfo-l1-1-0

GetVersionExW
GetTickCount
GetSystemTime
GetWindowsDirectoryW
GetTickCount64
GetLocalTime
GetSystemDirectoryW
GetSystemTimeAsFileTime

api-ms-win-core-datetime-l1-1-1

GetTimeFormatEx
GetDateFormatEx

api-ms-win-core-processenvironment-l1-1-0

SearchPathW
GetCurrentDirectoryW
ExpandEnvironmentStringsW
GetCommandLineW

api-ms-win-core-shlwapi-legacy-l1-1-0

PathFindFileNameW
PathCommonPrefixW
PathFindExtensionW
PathRemoveBlanksW
PathGetDriveNumberW
PathFileExistsW
PathIsFileSpecW
PathCombineW
PathQuoteSpacesW
SHExpandEnvironmentStringsW
PathGetArgsW
PathParseIconLocationW
PathRemoveFileSpecW

api-ms-win-core-winrt-string-l1-1-0

WindowsCreateString
WindowsGetStringRawBuffer
WindowsDeleteString
WindowsSubstringWithSpecifiedLength
WindowsCompareStringOrdinal
WindowsCreateStringReference
WindowsDuplicateString

api-ms-win-core-winrt-l1-1-0

RoUninitialize
RoActivateInstance
RoGetActivationFactory
RoInitialize

api-ms-win-shcore-registry-l1-1-0

SHGetValueW
SHDeleteValueW
SHQueryInfoKeyW
SHSetValueW
SHEnumKeyExW
SHDeleteKeyW
SHRegGetValueW

api-ms-win-core-string-l1-1-0

MultiByteToWideChar
CompareStringOrdinal
WideCharToMultiByte
CompareStringW

api-ms-win-shcore-thread-l1-1-0

SHSetThreadRef
SHCreateThreadRef
SHGetThreadRef
SHCreateThread
SetProcessReference

api-ms-win-core-libraryloader-l1-2-1

FindResourceW
LoadLibraryW

api-ms-win-security-base-l1-1-0

CheckTokenMembership
GetAclInformation
SetKernelObjectSecurity
GetAce
DeleteAce
InitializeAcl
AddAce
DuplicateToken
GetLengthSid
GetTokenInformation
CreateWellKnownSid
MakeAbsoluteSD
EqualSid
CopySid
IsValidSid

api-ms-win-core-psapi-l1-1-0

K32GetModuleFileNameExW
QueryFullProcessImageNameW

api-ms-win-core-version-l1-1-0

VerQueryValueW
GetFileVersionInfoSizeExW
GetFileVersionInfoExW

api-ms-win-eventing-classicprovider-l1-1-0

TraceMessage
GetTraceLoggerHandle
RegisterTraceGuidsW
GetTraceEnableFlags
GetTraceEnableLevel
UnregisterTraceGuids

api-ms-win-core-localization-obsolete-l1-2-0

GetUserDefaultUILanguage

api-ms-win-core-string-l2-1-1

SHLoadIndirectString

api-ms-win-core-registry-l1-1-1

RegDeleteKeyValueW
RegSetKeyValueW

api-ms-win-core-com-l1-1-1

RoGetAgileReference

api-ms-win-core-winrt-error-l1-1-0

RoOriginateError
RoTransformError
SetRestrictedErrorInfo

api-ms-win-core-winrt-error-l1-1-1

RoGetMatchingRestrictedErrorInfo

api-ms-win-core-path-l1-1-0

PathCchRemoveFileSpec
PathCchAppend
PathAllocCombine
PathCchAddExtension
PathCchCombine

api-ms-win-shcore-unicodeansi-l1-1-0

SHAnsiToUnicode

api-ms-win-core-heap-obsolete-l1-1-0

GlobalUnlock
GlobalLock

api-ms-win-core-string-obsolete-l1-1-0

lstrlenW
lstrcmpiW

api-ms-win-core-memory-l1-1-0

CreateFileMappingW
VirtualFree
VirtualProtect
VirtualAlloc
OpenFileMappingW
UnmapViewOfFile
MapViewOfFile

api-ms-win-core-processthreads-l1-1-3

SetThreadDescription
SetProcessInformation

api-ms-win-core-largeinteger-l1-1-0

MulDiv

api-ms-win-shcore-stream-l1-1-0

SHCreateStreamOnFileEx
IStream_Write
IStream_Read
SHCreateMemStream
IStream_Reset
SHCreateStreamOnFileW
SHOpenRegStream2W

api-ms-win-core-file-l1-2-0

GetTempPathW

api-ms-win-shcore-path-l1-1-0

ord170

api-ms-win-core-threadpool-legacy-l1-1-0

UnregisterWaitEx
DeleteTimerQueueTimer
CreateTimerQueueTimer
ChangeTimerQueueTimer

api-ms-win-core-sysinfo-l1-2-0

GetProductInfo

api-ms-win-core-localization-l1-2-3

GetUserDefaultGeoName

userenv

DeriveAppContainerSidFromAppContainerName
GetProfileType

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
GetTimeZoneInformation
GetDynamicTimeZoneInformation
SystemTimeToFileTime

api-ms-win-core-kernel32-legacy-l1-1-0

GetComputerNameW
GetSystemPowerStatus
RegisterWaitForSingleObject

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-interlocked-l1-1-0

InterlockedPushEntrySList
InitializeSListHead

api-ms-win-stateseparation-helpers-l1-1-0

GetPersistedRegistryLocationW

api-ms-win-security-lsalookup-l2-1-0

LookupAccountNameW

api-ms-win-core-string-l2-1-0

CharNextW
CharLowerBuffW

api-ms-win-service-management-l2-1-0

NotifyServiceStatusChangeW
QueryServiceConfigW

api-ms-win-core-io-l1-1-0

GetQueuedCompletionStatus
CreateIoCompletionPort

api-ms-win-shcore-registry-l1-1-1

SHRegGetValueFromHKCUHKLM

api-ms-win-shcore-scaling-l1-1-1

ord244
GetDpiForMonitor

api-ms-win-core-errorhandling-l1-1-2

RaiseFailFastException

api-ms-win-core-stringansi-l1-1-0

CharNextA

api-ms-win-power-base-l1-1-0

GetPwrCapabilities
PowerDeterminePlatformRoleEx
CallNtPowerInformation

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-shlwapi-winrt-storage-l1-1-1

AssocQueryStringW
ord509
ord479
PathRemoveArgsW
SHCreateWorkerWindowW
ord478
ord279
ShellMessageBoxW
ord481
ord635
ord165
SHPinDllOfCLSID
SHIsChildOrSelf
ord544
ord292
StrRetToBufW
IUnknown_GetWindow
StrRetToStrW
ord197

api-ms-win-ntuser-sysparams-l1-1-0

GetMonitorInfoW
GetSystemMetrics
SystemParametersInfoW
EnumDisplayMonitors
QueryDisplayConfig
GetDisplayConfigBufferSizes
EnumDisplayDevicesW

api-ms-win-ntuser-rectangle-l1-1-0

SetRectEmpty
InflateRect
IsRectEmpty
SetRect
PtInRect
EqualRect
CopyRect
SubtractRect
OffsetRect
IntersectRect
UnionRect

api-ms-win-rtcore-ntuser-winevent-l1-1-0

UnhookWinEvent
NotifyWinEvent
SetWinEventHook

api-ms-win-shell-namespace-l1-1-0

SHBindToFolderIDListParent
ILClone
SHParseDisplayName
ILFree
SHCreateItemFromIDList
SHGetIDListFromObject
SHCreateItemFromParsingName
ILIsEqual
SHGetNameFromIDList
ILRemoveLastID
ILGetSize
ILIsParent
ILCloneFirst
SHBindToObject
ILCombine
ILFindLastID
SHBindToParent

dxgi

DXGIDeclareAdapterRemovalSupport

api-ms-win-rtcore-ntuser-wmpointer-l1-1-0

GetPointerDevices
EnableMouseInPointer
GetPointerType
GetPointerInfo
GetCurrentInputMessageSource

api-ms-win-storage-exports-internal-l1-1-0

GetThreadFlags
SHGetKnownFolderIDList
SetThreadFlags
SHGetFolderPathEx

api-ms-win-rtcore-ntuser-synch-l1-1-0

MsgWaitForMultipleObjectsEx
MsgWaitForMultipleObjects

api-ms-win-appmodel-runtime-l1-1-0

GetPackagesByPackageFamily
GetPackageFullName

api-ms-win-rtcore-ntuser-wmpointer-l1-1-2

SetWindowFeedbackSetting

api-ms-win-rtcore-ntuser-clipboard-l1-1-0

RegisterClipboardFormatW

api-ms-win-shell-dataobject-l1-1-1

DragQueryFileW

api-ms-win-rtcore-ntuser-private-l1-1-0

GetWindowBand
CreateWindowInBand

api-ms-win-rtcore-ntuser-powermanagement-l1-1-0

UnregisterPowerSettingNotification
RegisterPowerSettingNotification

api-ms-win-shell-changenotify-l1-1-1

SHChangeNotification_Unlock
SHChangeNotification_Lock
SHChangeNotifyDeregister
SHChangeNotifyRegisterThread
SHChangeNotifyRegister
SHHandleUpdateImage

propsys

InitVariantFromResource
PropVariantToBoolean
PSCreateMemoryPropertyStore
PSGetPropertyFromPropertyStorage
InitVariantFromGUIDAsString
PSPropertyBag_WriteStr
PropVariantToUInt32
PSPropertyBag_WriteDWORD
PropVariantToStringAlloc

api-ms-win-shell-changenotify-l1-1-0

SHChangeNotify

api-ms-win-shell-dataobject-l1-1-0

SHCreateDataObject

api-ms-win-appmodel-runtime-l1-1-1

FindPackagesByPackageFamily
ParseApplicationUserModelId

wtsapi32

WTSUnRegisterSessionNotification
WTSRegisterSessionNotification

gdi32

GetStockObject
GetDeviceCaps
CreateRectRgn
SetRectRgn
OffsetRgn
CombineRgn
DeleteObject
GetObjectW
DeleteDC
CreateCompatibleDC
SelectObject
GetClipBox
CreateFontIndirectW
SetTextColor
SetTextAlign
GetTextMetricsW
ExtTextOutW
GetTextExtentPoint32W
CreateRectRgnIndirect
GetGlyphOutlineW
GetOutlineTextMetricsW
GetClipRgn
SelectClipRgn
GetCurrentObject
StretchBlt
ExcludeClipRect
SetStretchBltMode
Rectangle

kernel32

IsBadWritePtr
GetModuleHandleExA

wininet

InternetCrackUrlW

shcore

ord162
ord191
ord141
ord123
ord190
ord121
ord174
ord187
ord186
ord109
ord126
ord213
ord184
ord142
ord183
ord210
ord192
ord1
SHUnicodeToAnsi
ord200

shell32

ord792
ord727
ord162
SHAppBarMessage
ord894
ord906
ord895
ShellExecuteW
SHGetLocalizedName
SHGetPropertyStoreForWindow
ord764
ord866
SHEvaluateSystemCommandTemplate
ord181
ord244
Shell_GetCachedImageIndexW
ord132
ord137
Shell_NotifyIconW
Shell_NotifyIconGetRect
ord6
SHGetStockIconInfo
DuplicateIcon
ord91
ord254
ord54
ord61
ord896
SHAddToRecentDocs
ord60
SHUpdateRecycleBinIcon
ord711
SHFileOperationW
SHGetPathFromIDListW
ord753
ord733
ord67
SHCreateItemInKnownFolder
ord206
ord201
ord188
ord899
ShellExecuteExW
ord245
ord200
ord89
ord190
ord85
ord100
ord790
ord43
ord907
ord743
ord172
ord680
ord723
ord885
ord95
ord850
ord134
ord22
ExtractIconExW
SHEnableServiceObject

shlwapi

ord164
PathIsDirectoryW
ord413
ord548
ord163
ord467
AssocQueryKeyW
ChrCmpIW
PathIsRelativeW
AssocCreate

uxtheme

OpenThemeDataForDpi
GetThemeMargins
OpenThemeData
GetThemeBool
ord138
BufferedPaintSetAlpha
ord126
GetThemePartSize
GetThemeBackgroundExtent
GetBufferedPaintBits
GetThemeInt
GetThemeColor
GetThemeMetric
SetWindowTheme
GetWindowTheme
BufferedPaintUnInit
EndBufferedPaint
BeginBufferedPaint
DrawThemeParentBackground
IsThemeActive
CloseThemeData
BufferedPaintInit
ord86
GetThemeFont
IsAppThemed
IsCompositionActive
DrawThemeTextEx
DrawThemeBackground

dwmapi

ord138
ord141
DwmUpdateThumbnailProperties
DwmUnregisterThumbnail
ord140
DwmGetWindowAttribute
DwmSetWindowAttribute
ord159
DwmIsCompositionEnabled
DwmEnableBlurBehindWindow
DwmRegisterThumbnail
DwmQueryThumbnailSourceSize
ord124
ord139
ord114
ord113

user32

SetWindowCompositionAttribute
SetGestureConfig
LoadImageW
EndDialog
SendDlgItemMessageW
GetDpiForWindow
UnregisterHotKey
GetLastActivePopup
AdjustWindowRect
GetCursorFrameInfo
GetLastInputInfo
CopyIcon
CalculatePopupWindowPosition
GetDoubleClickTime
ReleaseCapture
GetCapture
SetCapture
PostThreadMessageW
UnregisterClassA
TrackMouseEvent
ord2005
SetCursor
SetMenuItemInfoW
DefWindowProcA
GetSystemMetricsForDpi
DrawIconEx
IsWindowUnicode
LoadAcceleratorsW
DestroyIcon
CopyImage
GetSysColor
ExitWindowsEx
GetKeyState
ChangeWindowMessageFilterEx
LoadIconW
HungWindowFromGhostWindow
CascadeWindows
AdjustWindowRectEx
CheckMenuItem
EnableMenuItem
RemoveMenu
SetMenuDefaultItem
TranslateAcceleratorW
TileWindows
TrackPopupMenuEx
DeleteMenu
FillRect
DrawTextW
LoadMenuW
GetSubMenu
GetDC
CreateIconIndirect
GetMenuItemCount
GetMenuItemInfoW
MonitorFromPoint
ReplyMessage
GetAsyncKeyState
ModifyMenuW
GetSystemMenu
GetSysColorBrush
SwitchToThisWindow
ReleaseDC
SetLayeredWindowAttributes
GhostWindowFromHungWindow
GetIconInfoExW
GetIconInfo
GetClassWord
GetClassLongW
GetPhysicalCursorPos
GetCursorInfo
ShowWindowAsync
InsertMenuW
BringWindowToTop
ord2573
EndTask
ord2611
IsTopLevelWindow
GetMenuState
SetScrollInfo
GetScrollInfo
SetScrollPos
GetMenuStringW
InternalGetWindowText
GetLayeredWindowAttributes
DrawTextExW
MonitorFromWindow
IsProcessDPIAware
IsIconic
SetThreadDpiAwarenessContext
GetWindowCompositionAttribute
GetWindowProcessHandle
GetClassLongPtrW
UpdateLayeredWindow
ord2521
UnregisterClassW
ord2522
GetMenuInfo
SetMenuInfo
GetDpiForSystem
GetWindowDpiAwarenessContext
AreDpiAwarenessContextsEqual
CharLowerW
IsCharAlphaNumericW
CreatePopupMenu
GetMenuDefaultItem
DestroyMenu
LoadCursorW
LockWorkStation
InjectMouseInput
MapVirtualKeyExW
InjectKeyboardInput
GetCaretBlinkTime
ord2574
IsHungAppWindow
GetGuiResources
MonitorFromRect
RegisterHotKey

sspicli

GetUserNameExW

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-localization-l1-2-2

LCIDToLocaleName

api-ms-win-core-kernel32-legacy-l1-1-1

PowerSetRequest
VerifyVersionInfoW
PowerCreateRequest

api-ms-win-oobe-notification-l1-1-0

OOBEComplete

api-ms-win-core-file-l2-1-2

CopyFileW

api-ms-win-core-kernel32-legacy-l1-1-2

SetTermsrvAppInstallMode

api-ms-win-shell-shdirectory-l1-1-0

ord292

api-ms-win-eventing-controller-l1-1-0

StopTraceW
EnableTraceEx2
StartTraceW

rpcrt4

RpcBindingFromStringBindingW
RpcStringBindingComposeW
RpcStringFreeW
RpcBindingFree
NdrClientCall3
RpcBindingSetAuthInfoExW
I_RpcExceptionFilter

api-ms-win-appmodel-runtime-l1-1-3

GetStagedPackagePathByFullName2

api-ms-win-core-biptcltapi-l1-1-7

BiPtEnumerateWorkItemsForPackageName
BiPtFreeMemory
BiPtQueryWorkItem
BiPtAssociateApplicationEntryPoint

netapi32

NetGetAadJoinInformation
NetFreeAadJoinInformation

api-ms-win-ro-typeresolution-l1-1-1

RoCreatePropertySetSerializer

combase

SetErrorInfo
GetErrorInfo

Sections

.text
Size: 2.8MB - Virtual size: 2.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.imrsiv
Size: - Virtual size: 4B

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 664KB - Virtual size: 663KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 8KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 132KB - Virtual size: 130KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

7b944204c5a2c46a50f7538a8505bb8f

Code Sign

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:edCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

56:62:1a:45:1c:c2:69:ae:e3:a8:2c:a1:82:2a:78:cb:21:58:29:a2:64:c4:e4:f4:29:58:19:7f:3e:c0:b9:5eSigner

Headers

DLL Characteristics

File Characteristics

Imports

msvcp_win

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-private-l1-1-0

aepic

twinapi

api-ms-win-core-job-l2-1-0

api-ms-win-core-windowserrorreporting-l1-1-3

api-ms-win-core-url-l1-1-0

api-ms-win-core-windowserrorreporting-l1-1-1

api-ms-win-core-kernel32-private-l1-1-0

api-ms-win-core-registryuserspecific-l1-1-0

api-ms-win-core-com-private-l1-1-0

api-ms-win-core-atoms-l1-1-0

api-ms-win-core-sidebyside-l1-1-0

ntdll

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

oleaut32

api-ms-win-shcore-taskpool-l1-1-0

api-ms-win-shcore-sysinfo-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-shlwapi-obsolete-l1-1-0

api-ms-win-shcore-obsolete-l1-1-0

api-ms-win-shcore-comhelpers-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-datetime-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-datetime-l1-1-1

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-shcore-registry-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-shcore-thread-l1-1-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-security-base-l1-1-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-core-version-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-localization-obsolete-l1-2-0

api-ms-win-core-string-l2-1-1

api-ms-win-core-registry-l1-1-1

api-ms-win-core-com-l1-1-1

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-path-l1-1-0

api-ms-win-shcore-unicodeansi-l1-1-0

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

33:00:00:02:ed:2c:45:e4:c1:45:cf:48:44:00:00:00:00:02:ed
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

56:62:1a:45:1c:c2:69:ae:e3:a8:2c:a1:82:2a:78:cb:21:58:29:a2:64:c4:e4:f4:29:58:19:7f:3e:c0:b9:5e
Signer