explorer[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

explorer.exe
Size

4.9MB
MD5

ce8416c5f87a2ddb3bad27b379aace8f
SHA1

131e2d41a679e57e2da7ad83e96b252a86e74dda
SHA256

97a60dfab3b2dec8ce736befdee7efbc22e21de1a5614b719e0b52af99ddb090
SHA512

2bb848b6fb5297e3ed0dcf83bc4c613ead7ff0aa314c93d3c94a1df11c1c909f0ad5c0da57bd2b3375e8625c38b922c345142acd8b89d82cfaa8ef382e11471e
SSDEEP

49152:hiu1Hxs4FD98qaVRAXPkT03bPxkRNjZFpkjse1ITOk+CuqoURKmnnN5XAWpPWXwE:hZG3IXdqF/tN4FnlZBbw8a0sC5

Score

1^/10

Malware Config

Signatures

Files

explorer.exe
.exe windows x64

9c765fc46e0b4a71e6c5c0057ee916e5

Code Sign

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

03/02/2023, 00:05

Not After

01/02/2024, 00:05

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

a7:40:98:fd:08:ad:1e:f6:e8:49:f6:57:28:16:21:e4:3c:f1:54:09:da:6b:a7:e9:29:78:93:2c:d6:73:c1:ad
Signer

Actual PE Digest

a7:40:98:fd:08:ad:1e:f6:e8:49:f6:57:28:16:21:e4:3c:f1:54:09:da:6b:a7:e9:29:78:93:2c:d6:73:c1:ad

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcp_win

?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?get@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAHXZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_ReportUnobservedException@details@Concurrency@@YAXXZ
_Cnd_wait
??0?$basic_iostream@GU?$char_traits@G@std@@@std@@QEAA@PEAV?$basic_streambuf@GU?$char_traits@G@std@@@1@@Z
??0?$basic_ios@GU?$char_traits@G@std@@@std@@IEAA@XZ
?setp@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXPEAG00@Z
?epptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?setg@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXPEAG00@Z
?egptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?eback@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?setp@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXPEAG0@Z
??0?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAA@XZ
?pbase@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?sputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAA_JPEBG_J@Z
?imbue@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAXAEBVlocale@2@@Z
?setbuf@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAPEAV12@PEAG_J@Z
?xsgetn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEAG_J@Z
?uflow@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAGXZ
?showmanyc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JXZ
?tolower@?$ctype@G@std@@QEBAPEBGPEAGPEBG@Z
?tolower@?$ctype@G@std@@QEBAGG@Z
?xsputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEBG_J@Z
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ
_Wcscoll
_Wcsxfrm
?id@?$collate@G@std@@2V0locale@2@A
??Bid@locale@std@@QEAA_KXZ
?id@?$ctype@G@std@@2V0locale@2@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
??0facet@locale@std@@IEAA@_K@Z
??1facet@locale@std@@MEAA@XZ
??0_Lockit@std@@QEAA@H@Z
??0_Locinfo@std@@QEAA@PEBD@Z
?c_str@?$_Yarn@D@std@@QEBAPEBDXZ
??1_Lockit@std@@QEAA@XZ
??1_Locinfo@std@@QEAA@XZ
?is@?$ctype@G@std@@QEBA_NFG@Z
?_Getcat@?$ctype@G@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Incref@facet@locale@std@@UEAAXXZ
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?peek@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAHXZ
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
??1?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAA@XZ
?gbump@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXH@Z
?pptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?gptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
??1?$basic_ios@GU?$char_traits@G@std@@@std@@UEAA@XZ
?_Lock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
?tie@?$basic_ios@GU?$char_traits@G@std@@@std@@QEBAPEAV?$basic_ostream@GU?$char_traits@G@std@@@2@XZ
?flush@?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAAEAV12@XZ
?_Unlock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
?uncaught_exception@std@@YA_NXZ
?good@ios_base@std@@QEBA_NXZ
?sync@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAHXZ
?_Osfx@?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAXXZ
?width@ios_base@std@@QEBA_JXZ
?flags@ios_base@std@@QEBAHXZ
?_Pninc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAPEAGXZ
?sputc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAAGG@Z
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?_Xbad_alloc@std@@YAXXZ
?_Xout_of_range@std@@YAXPEBD@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?rdbuf@?$basic_ios@GU?$char_traits@G@std@@@std@@QEBAPEAV?$basic_streambuf@GU?$char_traits@G@std@@@2@XZ
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
?fill@?$basic_ios@GU?$char_traits@G@std@@@std@@QEBAGXZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
_Thrd_yield
?_Xbad_function_call@std@@YAXXZ
?__ExceptionPtrCreate@@YAXPEAX@Z
?width@ios_base@std@@QEAA_J_J@Z
?__ExceptionPtrDestroy@@YAXPEAX@Z
?__ExceptionPtrAssign@@YAXPEAXPEBX@Z
?__ExceptionPtrCopy@@YAXPEAXPEBX@Z
?__ExceptionPtrCurrentException@@YAXPEAX@Z
?setstate@?$basic_ios@GU?$char_traits@G@std@@@std@@QEAAXH_N@Z
?__ExceptionPtrRethrow@@YAXPEBX@Z
?__ExceptionPtrCopyException@@YAXPEAXPEBX1@Z
_Thrd_detach
?_Throw_C_error@std@@YAXH@Z
?_Throw_Cpp_error@std@@YAXH@Z
_Thrd_join
_Thrd_id
_Mtx_unlock
_Cnd_do_broadcast_at_thread_exit
??1?$basic_iostream@GU?$char_traits@G@std@@@std@@UEAA@XZ
_Mtx_lock
?_Xlength_error@std@@YAXPEBD@Z

api-ms-win-crt-runtime-l1-1-0

_set_error_mode
_register_thread_local_exe_atexit_callback
_c_exit
_initterm
_initterm_e

api-ms-win-crt-string-l1-1-0

memset
wcscmp
wcscspn
wcsncmp
strncmp

api-ms-win-crt-time-l1-1-0

_time64

api-ms-win-crt-private-l1-1-0

_o_floor
_o_floorf
_o_fmod
_o_free
_o_iswspace
_o_lround
_o_lroundf
_o_malloc
_o_memcpy_s
_o_pow
_o_realloc
_o_sqrt
_o_terminate
_o_wcscat_s
_o_wcscpy_s
_o_wcsncpy_s
_o_wcstol
__C_specific_handler
__current_exception
__current_exception_context
__CxxFrameHandler3
_o_abort
_o__set_new_mode
_o__set_fmode
_o__set_errno
_o__wtoi
memmove
_o__set_app_type
_o__register_onexit_function
_o__recalloc
_o__purecall
_o__mktime64
_o__wcsnicmp
_o__wcslwr_s
_o__wcsicmp
_o__ltow_s
_o__localtime64
_o_exit
_o_ceilf
_o_ceil
_o__itow_s
_o__itoa_s
_o__seh_filter_exe
_o__invalid_parameter_noinfo_noreturn
_o__invalid_parameter_noinfo
_o__initialize_wide_environment
_o__initialize_onexit_table
_o__get_wide_winmain_command_line
_o__get_errno
_o__exit
_o__errno
_o__difftime64
_o__crt_atexit
_o__configure_wide_argv
_o__configthreadlocale
_o__cexit
_o__beginthreadex
_o___stdio_common_vswprintf
_o___stdio_common_vsnwprintf_s
_o___stdio_common_vsnprintf_s
_o___std_exception_destroy
_o___std_exception_copy
_o___p__commode
wcsrchr
wcsstr
__std_terminate
__CxxFrameHandler4
_CxxThrowException
__C_specific_handler_noexcept
memcmp
memcpy

aepic

PicFreeFileInfo
PicRetrieveFileInfo

twinapi

ord9

api-ms-win-core-job-l2-1-0

QueryInformationJobObject
CreateJobObjectW
AssignProcessToJobObject
SetInformationJobObject
OpenJobObjectW

api-ms-win-core-windowserrorreporting-l1-1-3

RegisterApplicationRestart

api-ms-win-core-url-l1-1-0

PathIsURLW
UrlUnescapeW
HashData

api-ms-win-core-windowserrorreporting-l1-1-1

WerRegisterCustomMetadata
WerUnregisterCustomMetadata

api-ms-win-core-kernel32-private-l1-1-0

CheckElevationEnabled
CheckElevation

api-ms-win-core-registryuserspecific-l1-1-0

SHRegGetBoolUSValueW
SHRegGetUSValueW

api-ms-win-core-com-private-l1-1-0

CoRevokeInitializeSpy
CoRegisterMessageFilter
CoRegisterInitializeSpy

api-ms-win-core-atoms-l1-1-0

GlobalGetAtomNameW

api-ms-win-core-sidebyside-l1-1-0

CreateActCtxW
ReleaseActCtx
DeactivateActCtx
ActivateActCtx

ntdll

NtQueryInformationProcess
NtQueryWnfStateData
WinSqmAddToStream
RtlGetVersion
ZwQuerySystemInformation
ZwQueryValueKey
ZwOpenKey
ZwClose
RtlReAllocateHeap
ZwEnumerateValueKey
ZwCreateFile
NtQueryInformationFile
RtlAppendUnicodeToString
RtlAnsiStringToUnicodeString
RtlImageDirectoryEntryToData
ZwUnmapViewOfSection
RtlNtPathNameToDosPathName
RtlUpcaseUnicodeChar
ZwCreateSection
RtlxAnsiStringToUnicodeSize
ZwQueryInformationProcess
RtlpEnsureBufferSize
RtlGetNativeSystemInformation
NtSetInformationProcess
ZwQueryDirectoryFile
ZwSetInformationProcess
RtlInitUnicodeStringEx
ZwMapViewOfSection
RtlFormatCurrentUserKeyPath
ZwEnumerateKey
RtlInitString
ZwOpenFile
ZwQueryInformationFile
LdrResSearchResource
RtlReleaseSRWLockShared
RtlAcquireSRWLockShared
RtlReleaseSRWLockExclusive
RtlAcquireSRWLockExclusive
RtlVerifyVersionInfo
RtlInitUnicodeString
NtOpenFile
NtDeviceIoControlFile
RtlCaptureContext
NtClose
RtlUnsubscribeWnfNotificationWaitForCompletion
RtlSubscribeWnfStateChangeNotification
RtlQueryWnfStateData
RtlFlushHeaps
NtSetSystemInformation
RtlPublishWnfStateData
RtlGetDeviceFamilyInfoEnum
RtlNtStatusToDosError
RtlLookupFunctionEntry
RtlVirtualUnwind
strchr
memmove_s
RtlDosPathNameToNtPathName_U_WithStatus
RtlFreeUnicodeString
wcschr
RtlAllocateHeap
RtlFreeHeap
RtlCompareUnicodeString
WinSqmIsOptedIn
NtOpenProcessToken
NtQueryInformationToken
NtOpenThreadToken
RtlAppendUnicodeStringToString
wcsspn
RtlRunOnceExecuteOnce
RtlCopyUnicodeString
RtlUpcaseUnicodeString
RtlNtStatusToDosErrorNoTeb
NtSetThreadExecutionState
NtPowerInformation
VerSetConditionMask
RtlQueryResourcePolicy
RtlQueryUnbiasedInterruptTime
NtQuerySystemInformation
RtlGetNtSystemRoot

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleA
FindResourceExW
LoadStringW
GetModuleHandleW
LockResource
SizeofResource
GetProcAddress
LoadLibraryExW
GetModuleFileNameA
GetModuleHandleExW
FreeLibrary
FindStringOrdinal
GetModuleFileNameW
LoadResource

api-ms-win-core-synch-l1-2-0

Sleep
InitOnceBeginInitialize
InitOnceExecuteOnce
InitOnceComplete

api-ms-win-core-synch-l1-1-0

OpenEventW
CreateSemaphoreExW
SetEvent
CreateEventW
EnterCriticalSection
ReleaseSemaphore
CreateMutexW
SleepEx
WaitForSingleObject
ReleaseMutex
DeleteCriticalSection
InitializeSRWLock
InitializeCriticalSectionEx
LeaveCriticalSection
InitializeCriticalSection
WaitForMultipleObjectsEx
TryEnterCriticalSection
WaitForSingleObjectEx
OpenMutexW
ResetEvent
ReleaseSRWLockExclusive
InitializeCriticalSectionAndSpinCount
AcquireSRWLockShared
CreateMutexExW
ReleaseSRWLockShared
OpenSemaphoreW
CreateEventExW
AcquireSRWLockExclusive

api-ms-win-core-heap-l1-1-0

HeapAlloc
HeapFree
GetProcessHeap

api-ms-win-core-errorhandling-l1-1-0

GetLastError
SetErrorMode
RaiseException
UnhandledExceptionFilter
SetLastError
SetUnhandledExceptionFilter

api-ms-win-core-file-l1-1-0

GetLongPathNameW
DeleteFileW
CompareFileTime
WriteFile
FindClose
FindNextFileW
FindFirstFileW
GetFileAttributesW
CreateFileW

api-ms-win-eventing-provider-l1-1-0

EventWriteTransfer
EventSetInformation
EventActivityIdControl
EventRegister
EventWrite
EventUnregister
EventEnabled

api-ms-win-core-threadpool-l1-2-0

WaitForThreadpoolTimerCallbacks
CreateThreadpoolWork
CloseThreadpoolTimer
SubmitThreadpoolWork
CloseThreadpoolWait
WaitForThreadpoolWaitCallbacks
CreateThreadpoolTimer
SetThreadpoolWait
SetThreadpoolTimer
CreateThreadpoolWait
TrySubmitThreadpoolCallback

api-ms-win-core-processthreads-l1-1-0

CreateProcessW
TlsFree
InitializeProcThreadAttributeList
TlsAlloc
UpdateProcThreadAttribute
TlsSetValue
QueueUserAPC
GetStartupInfoW
DeleteProcThreadAttributeList
ExitProcess
SetProcessShutdownParameters
ProcessIdToSessionId
GetExitCodeProcess
OpenProcessToken
GetCurrentThread
OpenThreadToken
GetCurrentThreadId
GetCurrentProcess
CreateThread
SetPriorityClass
GetPriorityClass
ResumeThread
GetProcessId
SetThreadPriorityBoost
TerminateProcess
TlsGetValue
GetThreadPriority
OpenThread
SetThreadPriority
GetCurrentProcessId

api-ms-win-core-localization-l1-2-0

GetLocaleInfoW
GetThreadUILanguage
GetCalendarInfoW
FormatMessageW
GetLocaleInfoEx

api-ms-win-core-debug-l1-1-0

DebugBreak
OutputDebugStringW
IsDebuggerPresent

api-ms-win-core-handle-l1-1-0

CloseHandle
DuplicateHandle

oleaut32

VariantInit
SysStringLen
SysAllocString
SysFreeString
SafeArrayAccessData
VariantClear
SafeArrayCreate
SafeArrayUnaccessData
VarUI4FromStr
SysAllocStringByteLen
SafeArrayDestroy

api-ms-win-shcore-taskpool-l1-1-0

SHTaskPoolQueueTask
SHTaskPoolGetUniqueContext

api-ms-win-shcore-sysinfo-l1-1-0

SetCurrentProcessExplicitAppUserModelID
IsOS

api-ms-win-core-com-l1-1-0

CoGetInterfaceAndReleaseStream
CLSIDFromString
CoRegisterClassObject
CoRevokeClassObject
CoGetObjectContext
CoFreeUnusedLibraries
CoReleaseMarshalData
CoCreateInstance
CoTaskMemFree
PropVariantClear
CoSetProxyBlanket
CoTaskMemRealloc
CoTaskMemAlloc
CoGetMalloc
CoInitializeEx
CoUninitialize
CoGetStdMarshalEx
CoCreateGuid
CoMarshalInterThreadInterfaceInStream
CoEnableCallCancellation
CoGetCallContext
StringFromIID
IIDFromString
CreateStreamOnHGlobal
StringFromCLSID
CoDisableCallCancellation
CoCancelCall
CoInitializeSecurity
StringFromGUID2
CoWaitForMultipleHandles
CoGetApartmentType
CoCreateFreeThreadedMarshaler

api-ms-win-core-shlwapi-obsolete-l1-1-0

StrCmpIW
StrCmpNIW
StrCmpW
StrCmpNICW
StrChrW
StrToIntW
StrCmpICA
StrCmpICW
QISearch
StrChrIW

api-ms-win-shcore-obsolete-l1-1-0

SHStrDupW

api-ms-win-core-registry-l1-1-0

RegSetValueExW
RegDeleteValueW
RegGetValueW
RegQueryInfoKeyW
RegOpenKeyExW
RegDeleteKeyExW
RegEnumKeyExW
RegOpenCurrentUser
RegCloseKey
RegEnumValueW
RegLoadMUIStringW
RegCreateKeyExW
RegDeleteTreeW
RegQueryValueExW

api-ms-win-shcore-comhelpers-l1-1-0

IUnknown_SetSite
IUnknown_QueryService
IUnknown_Set
IUnknown_GetSite

api-ms-win-core-heap-l2-1-0

LocalFree
LocalReAlloc
GlobalAlloc
GlobalFree
LocalAlloc

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent
GetProcessMitigationPolicy
OpenProcess

api-ms-win-core-datetime-l1-1-0

GetDateFormatW

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemTimeAsFileTime
GetWindowsDirectoryW
GetSystemDirectoryW
GetVersionExW
GetSystemTime
GetLocalTime
GetTickCount64

api-ms-win-core-datetime-l1-1-1

GetDateFormatEx
GetTimeFormatEx

api-ms-win-core-processenvironment-l1-1-0

GetCommandLineW
GetCurrentDirectoryW
SearchPathW
ExpandEnvironmentStringsW

api-ms-win-core-shlwapi-legacy-l1-1-0

PathIsFileSpecW
PathCombineW
PathRemoveBlanksW
SHExpandEnvironmentStringsW
PathQuoteSpacesW
PathParseIconLocationW
PathGetArgsW
PathFindExtensionW
PathRemoveFileSpecW
PathGetDriveNumberW
PathFileExistsW
PathFindFileNameW
PathCommonPrefixW

api-ms-win-shcore-registry-l1-1-0

SHQueryInfoKeyW
SHDeleteValueW
SHDeleteKeyW
SHRegGetValueW
SHSetValueW
SHEnumKeyExW
SHGetValueW

api-ms-win-core-string-l1-1-0

MultiByteToWideChar
CompareStringOrdinal
CompareStringW
WideCharToMultiByte

api-ms-win-core-winrt-string-l1-1-0

WindowsDeleteStringBuffer
WindowsCompareStringOrdinal
WindowsCreateString
WindowsPreallocateStringBuffer
WindowsPromoteStringBuffer
WindowsSubstringWithSpecifiedLength
WindowsGetStringRawBuffer
WindowsDeleteString
WindowsCreateStringReference
WindowsDuplicateString

api-ms-win-shcore-thread-l1-1-0

SHSetThreadRef
SetProcessReference
SHCreateThread
SHGetThreadRef
SHCreateThreadRef

api-ms-win-core-libraryloader-l1-2-1

FindResourceW
LoadLibraryW

api-ms-win-security-base-l1-1-0

GetLengthSid
GetSecurityDescriptorDacl
IsValidSid
GetTokenInformation
AllocateAndInitializeSid
EqualSid
SetKernelObjectSecurity
FreeSid
GetAclInformation
GetAce
DeleteAce
InitializeAcl
AddAce
CreateWellKnownSid
CheckTokenMembership
CopySid
DuplicateToken
MakeAbsoluteSD

api-ms-win-core-psapi-l1-1-0

K32GetModuleBaseNameW
K32EnumProcesses
K32EnumProcessModules
K32GetModuleFileNameExW
QueryFullProcessImageNameW

api-ms-win-core-version-l1-1-0

GetFileVersionInfoExW
GetFileVersionInfoSizeExW
VerQueryValueW

api-ms-win-eventing-classicprovider-l1-1-0

GetTraceEnableLevel
UnregisterTraceGuids
RegisterTraceGuidsW
GetTraceEnableFlags
TraceMessage
GetTraceLoggerHandle

api-ms-win-core-localization-obsolete-l1-2-0

GetUserDefaultUILanguage

api-ms-win-core-string-l2-1-1

SHLoadIndirectString

api-ms-win-core-processthreads-l1-1-3

SetThreadDescription
SetProcessInformation

api-ms-win-core-registry-l1-1-1

RegSetKeyValueW

api-ms-win-core-winrt-l1-1-0

RoGetActivationFactory
RoUninitialize
RoInitialize
RoActivateInstance

api-ms-win-core-com-l1-1-1

RoGetAgileReference

api-ms-win-core-winrt-error-l1-1-0

SetRestrictedErrorInfo
RoOriginateError

api-ms-win-core-winrt-error-l1-1-1

RoGetMatchingRestrictedErrorInfo

api-ms-win-core-path-l1-1-0

PathCchAppend
PathCchRemoveFileSpec
PathAllocCombine
PathCchAddExtension
PathCchCombine

api-ms-win-shcore-unicodeansi-l1-1-0

SHAnsiToUnicode

api-ms-win-core-heap-obsolete-l1-1-0

GlobalLock
GlobalUnlock

api-ms-win-core-string-obsolete-l1-1-0

lstrlenW
lstrcmpiW

api-ms-win-core-memory-l1-1-0

VirtualFree
VirtualAlloc
MapViewOfFile
CreateFileMappingW
UnmapViewOfFile
VirtualProtect
OpenFileMappingW

api-ms-win-core-commandlinetoargv-l1-1-0

CommandLineToArgvW

api-ms-win-core-largeinteger-l1-1-0

MulDiv

api-ms-win-shcore-stream-l1-1-0

SHOpenRegStream2W
IStream_Read
SHCreateStreamOnFileW
SHCreateStreamOnFileEx
IStream_Write
SHCreateMemStream
IStream_Reset

api-ms-win-core-file-l1-2-0

GetTempPathW

api-ms-win-shcore-path-l1-1-0

ord170

api-ms-win-core-threadpool-legacy-l1-1-0

DeleteTimerQueueTimer
UnregisterWaitEx
CreateTimerQueueTimer
ChangeTimerQueueTimer

api-ms-win-core-sysinfo-l1-2-0

GetProductInfo
GetNativeSystemInfo

api-ms-win-core-localization-l1-2-3

GetUserDefaultGeoName

userenv

GetProfileType
DeriveAppContainerSidFromAppContainerName

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime
SystemTimeToFileTime
GetTimeZoneInformation
GetDynamicTimeZoneInformation

api-ms-win-core-kernel32-legacy-l1-1-0

GetComputerNameW
RegisterWaitForSingleObject
GetSystemPowerStatus

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-interlocked-l1-1-0

InterlockedPushEntrySList
InitializeSListHead

api-ms-win-stateseparation-helpers-l1-1-0

GetPersistedRegistryLocationW

api-ms-win-security-lsalookup-l2-1-0

LookupAccountNameW

api-ms-win-core-string-l2-1-0

CharNextW
CharLowerBuffW

api-ms-win-service-management-l2-1-0

QueryServiceConfigW
NotifyServiceStatusChangeW

api-ms-win-core-io-l1-1-0

CreateIoCompletionPort
DeviceIoControl
GetQueuedCompletionStatus

api-ms-win-shcore-registry-l1-1-1

SHRegGetValueFromHKCUHKLM

api-ms-win-shcore-scaling-l1-1-1

ord244
GetDpiForMonitor

api-ms-win-core-errorhandling-l1-1-2

RaiseFailFastException

api-ms-win-core-stringansi-l1-1-0

CharNextA

api-ms-win-power-base-l1-1-0

GetPwrCapabilities
CallNtPowerInformation

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-shlwapi-winrt-storage-l1-1-1

ord165
ord197
StrRetToStrW
ord509
IUnknown_GetWindow
SHIsChildOrSelf
StrRetToBufW
ord292
ShellMessageBoxW
ord279
ord478
SHCreateWorkerWindowW
ord635
ord479
SHPinDllOfCLSID
PathRemoveArgsW
ord544
ord481
AssocQueryStringW

api-ms-win-ntuser-sysparams-l1-1-0

GetSystemMetrics
EnumDisplayDevicesW
SystemParametersInfoW
EnumDisplayMonitors
GetMonitorInfoW
QueryDisplayConfig
GetDisplayConfigBufferSizes

api-ms-win-ntuser-rectangle-l1-1-0

SubtractRect
OffsetRect
CopyRect
IntersectRect
EqualRect
UnionRect
SetRectEmpty
PtInRect
InflateRect
IsRectEmpty
SetRect

api-ms-win-rtcore-ntuser-winevent-l1-1-0

UnhookWinEvent
SetWinEventHook
NotifyWinEvent

api-ms-win-shell-namespace-l1-1-0

ILCloneFirst
ILCombine
ILIsEqual
SHGetNameFromIDList
SHBindToParent
SHBindToObject
SHGetIDListFromObject
ILClone
ILRemoveLastID
ILGetSize
SHBindToFolderIDListParent
SHCreateItemFromIDList
SHParseDisplayName
ILFree
ILFindLastID
SHCreateItemFromParsingName
ILIsParent

dxgi

DXGIDeclareAdapterRemovalSupport

api-ms-win-rtcore-ntuser-wmpointer-l1-1-0

GetPointerDevices
GetPointerInfo
GetCurrentInputMessageSource
EnableMouseInPointer
GetPointerType

api-ms-win-storage-exports-internal-l1-1-0

SetThreadFlags
GetThreadFlags
SHGetFolderPathEx
SHGetKnownFolderIDList

api-ms-win-rtcore-ntuser-synch-l1-1-0

MsgWaitForMultipleObjectsEx
MsgWaitForMultipleObjects

api-ms-win-appmodel-runtime-l1-1-0

GetPackageFullName
GetPackagesByPackageFamily

api-ms-win-rtcore-ntuser-wmpointer-l1-1-2

SetWindowFeedbackSetting

api-ms-win-rtcore-ntuser-clipboard-l1-1-0

RegisterClipboardFormatW

api-ms-win-shell-dataobject-l1-1-1

DragQueryFileW

api-ms-win-rtcore-ntuser-private-l1-1-0

CreateWindowInBand
GetWindowBand

api-ms-win-rtcore-ntuser-powermanagement-l1-1-0

RegisterPowerSettingNotification
UnregisterPowerSettingNotification

api-ms-win-shell-changenotify-l1-1-1

SHHandleUpdateImage
SHChangeNotifyRegisterThread
SHChangeNotifyRegister
SHChangeNotifyDeregister
SHChangeNotification_Lock
SHChangeNotification_Unlock

propsys

PropVariantToStringAlloc
PSPropertyBag_WriteDWORD
PropVariantToUInt32
PSPropertyBag_WriteStr
PropVariantToBoolean
PSCreateMemoryPropertyStore
PSGetPropertyFromPropertyStorage
InitVariantFromResource
InitVariantFromGUIDAsString

api-ms-win-shell-changenotify-l1-1-0

SHChangeNotify

api-ms-win-shell-dataobject-l1-1-0

SHCreateDataObject

api-ms-win-appmodel-runtime-l1-1-1

FindPackagesByPackageFamily
ParseApplicationUserModelId

wtsapi32

WTSUnRegisterSessionNotification
WTSRegisterSessionNotification

gdi32

ExtTextOutW
CreateRectRgnIndirect
GetGlyphOutlineW
GetTextMetricsW
SetTextAlign
StretchBlt
ExcludeClipRect
GetTextExtentPoint32W
SetStretchBltMode
SetTextColor
CreateFontIndirectW
Rectangle
GetClipBox
SelectObject
CreateCompatibleDC
DeleteDC
GetObjectW
DeleteObject
GetDeviceCaps
GetStockObject
CreateRectRgn
GetOutlineTextMetricsW
GetClipRgn
SetRectRgn
GetCurrentObject
CombineRgn
OffsetRgn
SelectClipRgn

kernel32

GetModuleHandleExA
HeapSize
IsBadWritePtr
RtlCompareMemory
HeapReAlloc
HeapDestroy

wininet

InternetCrackUrlW

shcore

ord1
SHUnicodeToAnsi
ord192
ord210
ord183
ord213
ord126
ord109
ord174
ord121
ord162
ord190
ord123
ord191
ord187
ord141
ord142
ord200
ord184
ord186

shell32

ord743
ord907
ord43
Shell_GetCachedImageIndexW
ord790
ord792
ord727
ord162
SHAppBarMessage
ord894
ord906
ord181
ord895
SHGetLocalizedName
SHGetPropertyStoreForWindow
ord764
ord866
SHEvaluateSystemCommandTemplate
ord244
ExtractIconExW
ord132
ord137
Shell_NotifyIconW
Shell_NotifyIconGetRect
ord6
SHGetStockIconInfo
DuplicateIcon
ord91
ord254
ord54
SHEnableServiceObject
ord61
ord896
SHAddToRecentDocs
ord60
SHUpdateRecycleBinIcon
ord711
SHFileOperationW
SHGetPathFromIDListW
ord753
ord733
ord67
SHCreateItemInKnownFolder
ord206
ord201
ord188
ord899
ShellExecuteExW
ord245
ord200
ord89
ord190
ord85
ord100
ord134
ord22
ord850
ord95
ord885
ord723
ord680
ord172
ShellExecuteW

shlwapi

ord164
PathIsDirectoryW
ord413
ord548
ord163
ord467
AssocQueryKeyW
ChrCmpIW
PathIsRelativeW
AssocCreate

uxtheme

GetThemeMetric
IsAppThemed
IsCompositionActive
DrawThemeTextEx
GetThemeFont
IsThemePartDefined
ord86
DrawThemeBackground
DrawThemeParentBackground
GetWindowTheme
CloseThemeData
GetBufferedPaintBits
GetThemeBackgroundExtent
GetThemeBool
OpenThemeData
OpenThemeDataForDpi
GetThemeMargins
ord138
BufferedPaintSetAlpha
ord126
GetThemePartSize
IsThemeActive
SetWindowTheme
BufferedPaintInit
BufferedPaintUnInit
EndBufferedPaint
GetThemeColor
BeginBufferedPaint
GetThemeInt

dwmapi

DwmIsCompositionEnabled
DwmEnableBlurBehindWindow
ord113
DwmRegisterThumbnail
ord139
ord138
ord141
ord140
ord114
DwmGetWindowAttribute
ord159
DwmQueryThumbnailSourceSize
ord124
DwmUpdateThumbnailProperties
DwmUnregisterThumbnail
DwmSetWindowAttribute

user32

GetCapture
ReleaseCapture
GetDoubleClickTime
CalculatePopupWindowPosition
CopyIcon
GetLastInputInfo
GetCursorFrameInfo
AdjustWindowRect
GetDpiForWindow
SetWindowCompositionAttribute
SetGestureConfig
LoadImageW
CheckMenuItem
EnableMenuItem
RemoveMenu
SetMenuDefaultItem
TrackPopupMenuEx
DestroyIcon
CopyImage
GetSysColor
GetCaretBlinkTime
InjectKeyboardInput
MapVirtualKeyExW
InjectMouseInput
LockWorkStation
TileWindows
CascadeWindows
HungWindowFromGhostWindow
LoadIconW
IsIconic
GetKeyState
ExitWindowsEx
EndDialog
AdjustWindowRectEx
GetDC
ReleaseDC
CreatePopupMenu
GetMenuDefaultItem
DestroyMenu
SetCapture
SetCursor
SetMenuItemInfoW
MonitorFromWindow
DefWindowProcA
IsWindowUnicode
LoadAcceleratorsW
ChangeWindowMessageFilterEx
TranslateAcceleratorW
ord2611
ord2005
SendInput
SetDesktopColorTransform
UnregisterClassA
DeleteMenu
FillRect
DrawTextW
LoadMenuW
MonitorFromRect
GetGuiResources
GetSystemMetricsForDpi
CreateIconIndirect
GetMenuItemCount
GetMenuItemInfoW
MonitorFromPoint
ReplyMessage
IsHungAppWindow
GetAsyncKeyState
ModifyMenuW
GetSystemMenu
GetSysColorBrush
SetLayeredWindowAttributes
GetIconInfoExW
GetIconInfo
GetClassWord
GetClassLongW
LoadCursorW
TrackMouseEvent
GetPhysicalCursorPos
GetCursorInfo
ShowWindowAsync
InsertMenuW
BringWindowToTop
ord2573
GhostWindowFromHungWindow
EndTask
IsTopLevelWindow
GetMenuState
SetScrollInfo
GetScrollInfo
SetScrollPos
GetMenuStringW
InternalGetWindowText
GetLayeredWindowAttributes
DrawTextExW
IsProcessDPIAware
SetThreadDpiAwarenessContext
GetWindowCompositionAttribute
GetWindowProcessHandle
GetClassLongPtrW
UpdateLayeredWindow
ord2521
ord2574
SwitchToThisWindow
UnregisterClassW
ord2522
WindowFromDC
GetMenuInfo
SetMenuInfo
GetDpiForSystem
GetWindowDpiAwarenessContext
AreDpiAwarenessContextsEqual
CharLowerW
IsCharAlphaNumericW
GetLastActivePopup
UnregisterHotKey
RegisterHotKey
DrawIconEx
GetSubMenu
SendDlgItemMessageW

sspicli

GetUserNameExW

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-localization-l1-2-2

LCIDToLocaleName

api-ms-win-core-kernel32-legacy-l1-1-1

PowerCreateRequest
PowerSetRequest
VerifyVersionInfoW

api-ms-win-oobe-notification-l1-1-0

OOBEComplete

api-ms-win-core-file-l2-1-2

CopyFileW

api-ms-win-core-kernel32-legacy-l1-1-2

SetTermsrvAppInstallMode

api-ms-win-shell-shdirectory-l1-1-0

ord292

api-ms-win-eventing-controller-l1-1-0

StartTraceW
StopTraceW
EnableTraceEx2

api-ms-win-core-job-l1-1-0

IsProcessInJob

rpcrt4

RpcBindingFromStringBindingW
RpcStringBindingComposeW
I_RpcExceptionFilter
RpcBindingSetAuthInfoExW
RpcStringFreeW
RpcBindingFree
NdrClientCall3

api-ms-win-appmodel-runtime-l1-1-3

GetStagedPackagePathByFullName2

api-ms-win-core-biptcltapi-l1-1-7

BiPtFreeMemory
BiPtAssociateApplicationEntryPoint
BiPtQueryWorkItem
BiPtEnumerateWorkItemsForPackageName

api-ms-win-rtcore-ntuser-shell-l1-1-0

GetShellWindow

api-ms-win-ro-typeresolution-l1-1-1

RoCreatePropertySetSerializer

combase

GetErrorInfo
SetErrorInfo

Exports

Exports

g_trayTriageBlock

Sections

.text
Size: 2.9MB - Virtual size: 2.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.imrsiv
Size: - Virtual size: 4B

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 656KB - Virtual size: 653KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 116KB - Virtual size: 115KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

9c765fc46e0b4a71e6c5c0057ee916e5

Code Sign

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

a7:40:98:fd:08:ad:1e:f6:e8:49:f6:57:28:16:21:e4:3c:f1:54:09:da:6b:a7:e9:29:78:93:2c:d6:73:c1:adSigner

Headers

DLL Characteristics

File Characteristics

Imports

msvcp_win

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-private-l1-1-0

aepic

twinapi

api-ms-win-core-job-l2-1-0

api-ms-win-core-windowserrorreporting-l1-1-3

api-ms-win-core-url-l1-1-0

api-ms-win-core-windowserrorreporting-l1-1-1

api-ms-win-core-kernel32-private-l1-1-0

api-ms-win-core-registryuserspecific-l1-1-0

api-ms-win-core-com-private-l1-1-0

api-ms-win-core-atoms-l1-1-0

api-ms-win-core-sidebyside-l1-1-0

ntdll

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

oleaut32

api-ms-win-shcore-taskpool-l1-1-0

api-ms-win-shcore-sysinfo-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-shlwapi-obsolete-l1-1-0

api-ms-win-shcore-obsolete-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-shcore-comhelpers-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-datetime-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-datetime-l1-1-1

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-shcore-registry-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-shcore-thread-l1-1-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-security-base-l1-1-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-core-version-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-localization-obsolete-l1-2-0

api-ms-win-core-string-l2-1-1

api-ms-win-core-processthreads-l1-1-3

api-ms-win-core-registry-l1-1-1

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-com-l1-1-1

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-path-l1-1-0

api-ms-win-shcore-unicodeansi-l1-1-0

api-ms-win-core-heap-obsolete-l1-1-0

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

a7:40:98:fd:08:ad:1e:f6:e8:49:f6:57:28:16:21:e4:3c:f1:54:09:da:6b:a7:e9:29:78:93:2c:d6:73:c1:ad
Signer