explorer[.]exe

Resubmissions

17-08-2023 12:00

230817-n6e3ashb69 1

17-08-2023 11:59

230817-n5wnnahb68 1

Sharing

Copy URL

Twitter E-mail

General

Target

explorer.exe
Size

4.8MB
MD5

5c7805894b39ba7aaa9c53d013ae92c2
SHA1

b4f089ec1627b1333078df2bafb3b4e9c77dcf88
SHA256

e89840322edaf4a7855ab296bc298add055c6d6910edc6c93ac866eb264e74a3
SHA512

af153689b6215e8646775aef6833939efc2dd48d55aacce35a9ed0bcedd0b8c24c32dc454d97b8e1141de5ab375f3576083f3da4520ca32326ad035006bf98ed
SSDEEP

49152:HAPwTykBQUso1RiXF/a8R/2LjWpeEdgZf0QrffUnjA0ASePAIm3Zq+d4pfhyhqsl:gS8OIuO/TNZengEObw8a0snPk

Score

1^/10

Malware Config

Signatures

Files

explorer.exe
.exe windows x64

0e7bb0830bdb6737eedb4d5307c69bbd

Code Sign

33:00:00:04:15:82:95:a1:a3:d8:2e:28:57:00:00:00:00:04:15
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

03-02-2023 00:05

Not After

01-02-2024 00:05

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

5a:11:68:ab:e9:2d:76:42:c2:03:ba:3a:fd:ff:3a:bb:5b:a3:3c:ae:9a:42:c0:17:2c:d2:e1:db:9c:64:de:0d
Signer

Actual PE Digest

5a:11:68:ab:e9:2d:76:42:c2:03:ba:3a:fd:ff:3a:bb:5b:a3:3c:ae:9a:42:c0:17:2c:d2:e1:db:9c:64:de:0d

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcp_win

?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?peek@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAHXZ
?get@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAHXZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_ReportUnobservedException@details@Concurrency@@YAXXZ
_Cnd_wait
??0?$basic_iostream@GU?$char_traits@G@std@@@std@@QEAA@PEAV?$basic_streambuf@GU?$char_traits@G@std@@@1@@Z
??0?$basic_ios@GU?$char_traits@G@std@@@std@@IEAA@XZ
?setp@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXPEAG00@Z
?epptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?setg@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXPEAG00@Z
?egptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?eback@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?setp@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXPEAG0@Z
??0?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAA@XZ
?pbase@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?sputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAA_JPEBG_J@Z
?imbue@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAXAEBVlocale@2@@Z
?setbuf@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAPEAV12@PEAG_J@Z
?xsgetn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEAG_J@Z
?uflow@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAGXZ
?showmanyc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JXZ
?tolower@?$ctype@G@std@@QEBAPEBGPEAGPEBG@Z
?tolower@?$ctype@G@std@@QEBAGG@Z
?xsputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEBG_J@Z
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ
_Wcscoll
_Wcsxfrm
?id@?$collate@G@std@@2V0locale@2@A
??Bid@locale@std@@QEAA_KXZ
?id@?$ctype@G@std@@2V0locale@2@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
??0facet@locale@std@@IEAA@_K@Z
??1facet@locale@std@@MEAA@XZ
??0_Lockit@std@@QEAA@H@Z
??0_Locinfo@std@@QEAA@PEBD@Z
?c_str@?$_Yarn@D@std@@QEBAPEBDXZ
??1_Lockit@std@@QEAA@XZ
??1_Locinfo@std@@QEAA@XZ
?is@?$ctype@G@std@@QEBA_NFG@Z
?_Getcat@?$ctype@G@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Incref@facet@locale@std@@UEAAXXZ
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
??1?$basic_iostream@GU?$char_traits@G@std@@@std@@UEAA@XZ
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
??1?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAA@XZ
?gbump@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXH@Z
?pptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?gptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
??1?$basic_ios@GU?$char_traits@G@std@@@std@@UEAA@XZ
?_Lock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
?tie@?$basic_ios@GU?$char_traits@G@std@@@std@@QEBAPEAV?$basic_ostream@GU?$char_traits@G@std@@@2@XZ
?flush@?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAAEAV12@XZ
?_Unlock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
?uncaught_exception@std@@YA_NXZ
?good@ios_base@std@@QEBA_NXZ
?sync@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAHXZ
?_Osfx@?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAXXZ
?width@ios_base@std@@QEBA_JXZ
?flags@ios_base@std@@QEBAHXZ
?_Pninc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAPEAGXZ
?sputc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAAGG@Z
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?_Xbad_alloc@std@@YAXXZ
?_Xout_of_range@std@@YAXPEBD@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?rdbuf@?$basic_ios@GU?$char_traits@G@std@@@std@@QEBAPEAV?$basic_streambuf@GU?$char_traits@G@std@@@2@XZ
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?fill@?$basic_ios@GU?$char_traits@G@std@@@std@@QEBAGXZ
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
_Thrd_yield
?width@ios_base@std@@QEAA_J_J@Z
?_Xbad_function_call@std@@YAXXZ
?__ExceptionPtrCreate@@YAXPEAX@Z
?__ExceptionPtrDestroy@@YAXPEAX@Z
?__ExceptionPtrAssign@@YAXPEAXPEBX@Z
?setstate@?$basic_ios@GU?$char_traits@G@std@@@std@@QEAAXH_N@Z
?__ExceptionPtrCopy@@YAXPEAXPEBX@Z
?__ExceptionPtrCurrentException@@YAXPEAX@Z
?__ExceptionPtrRethrow@@YAXPEBX@Z
?__ExceptionPtrCopyException@@YAXPEAXPEBX1@Z
_Thrd_detach
?_Throw_C_error@std@@YAXH@Z
?_Throw_Cpp_error@std@@YAXH@Z
_Mtx_unlock
_Thrd_join
_Thrd_id
_Mtx_lock
?_Xlength_error@std@@YAXPEBD@Z
_Cnd_do_broadcast_at_thread_exit

api-ms-win-crt-runtime-l1-1-0

_c_exit
_initterm_e
_initterm
_set_error_mode
_register_thread_local_exe_atexit_callback

api-ms-win-crt-string-l1-1-0

wcscspn
strncmp
wcscmp
memset
wcsncmp

api-ms-win-crt-time-l1-1-0

_time64

api-ms-win-crt-private-l1-1-0

_o_exit
_o_floor
_o_floorf
_o_fmod
_o_free
_o_iswspace
_o_lround
_o_lroundf
_o_malloc
_o_memcpy_s
_o_pow
_o_realloc
_o_sqrt
_o_terminate
_o_wcscat_s
_o_wcscpy_s
_o_wcsncpy_s
_o_wcstol
__C_specific_handler
__current_exception
__current_exception_context
__CxxFrameHandler3
_o__wcsnicmp
_o__wcslwr_s
_o__wcsicmp
memmove
_o__set_new_mode
_o__set_fmode
_o__set_errno
_o__set_app_type
_o__seh_filter_exe
_o_abort
_o__register_onexit_function
_o__recalloc
_o__purecall
_o__mktime64
_o__wtoi
_o_ceilf
_o_ceil
_o__ltow_s
_o__localtime64
_o__itow_s
_o__itoa_s
_o__invalid_parameter_noinfo_noreturn
_o__invalid_parameter_noinfo
_o__initialize_wide_environment
_o__initialize_onexit_table
_o__get_wide_winmain_command_line
_o__get_errno
_o__exit
_o__errno
_o__difftime64
_o__crt_atexit
_o__configure_wide_argv
_o__configthreadlocale
_o__cexit
_o__beginthreadex
_o___stdio_common_vswprintf
_o___stdio_common_vsnwprintf_s
_o___stdio_common_vsnprintf_s
_o___std_exception_destroy
_o___std_exception_copy
_o___p__commode
wcschr
wcsrchr
wcsstr
__std_terminate
__CxxFrameHandler4
_CxxThrowException
__C_specific_handler_noexcept
memcmp
memcpy

aepic

PicFreeFileInfo
PicRetrieveFileInfo

twinapi

ord9

api-ms-win-core-job-l2-1-0

CreateJobObjectW
AssignProcessToJobObject
SetInformationJobObject
OpenJobObjectW
QueryInformationJobObject

api-ms-win-core-windowserrorreporting-l1-1-3

RegisterApplicationRestart

api-ms-win-core-url-l1-1-0

UrlUnescapeW
HashData
PathIsURLW

api-ms-win-core-windowserrorreporting-l1-1-1

WerUnregisterCustomMetadata
WerRegisterCustomMetadata

api-ms-win-core-kernel32-private-l1-1-0

CheckElevation
CheckElevationEnabled

api-ms-win-core-registryuserspecific-l1-1-0

SHRegGetUSValueW
SHRegGetBoolUSValueW

api-ms-win-core-com-private-l1-1-0

CoRevokeInitializeSpy
CoRegisterMessageFilter
CoRegisterInitializeSpy

api-ms-win-core-atoms-l1-1-0

GlobalGetAtomNameW

api-ms-win-core-sidebyside-l1-1-0

CreateActCtxW
ReleaseActCtx
ActivateActCtx
DeactivateActCtx

ntdll

NtSetInformationProcess
WinSqmIsOptedIn
RtlGetVersion
ZwQuerySystemInformation
ZwQueryValueKey
ZwOpenKey
ZwClose
RtlReAllocateHeap
ZwEnumerateValueKey
ZwCreateFile
NtQueryInformationFile
RtlAppendUnicodeToString
RtlAnsiStringToUnicodeString
RtlImageDirectoryEntryToData
ZwUnmapViewOfSection
RtlNtPathNameToDosPathName
RtlUpcaseUnicodeChar
ZwCreateSection
RtlxAnsiStringToUnicodeSize
ZwQueryInformationProcess
RtlpEnsureBufferSize
RtlGetNativeSystemInformation
RtlVerifyVersionInfo
ZwQueryDirectoryFile
ZwSetInformationProcess
RtlInitUnicodeStringEx
ZwMapViewOfSection
RtlFormatCurrentUserKeyPath
ZwEnumerateKey
RtlInitString
ZwOpenFile
ZwQueryInformationFile
LdrResSearchResource
RtlReleaseSRWLockShared
RtlAcquireSRWLockShared
RtlReleaseSRWLockExclusive
RtlAcquireSRWLockExclusive
NtQueryInformationProcess
NtQueryWnfStateData
RtlInitUnicodeString
NtOpenFile
NtDeviceIoControlFile
RtlCaptureContext
NtClose
RtlUnsubscribeWnfNotificationWaitForCompletion
RtlSubscribeWnfStateChangeNotification
RtlQueryWnfStateData
RtlFlushHeaps
NtSetSystemInformation
RtlPublishWnfStateData
RtlGetDeviceFamilyInfoEnum
RtlNtStatusToDosError
RtlLookupFunctionEntry
RtlVirtualUnwind
strchr
memmove_s
RtlDosPathNameToNtPathName_U_WithStatus
RtlFreeUnicodeString
RtlAllocateHeap
RtlFreeHeap
RtlGetNtSystemRoot
RtlCompareUnicodeString
NtOpenProcessToken
NtQueryInformationToken
RtlAppendUnicodeStringToString
NtOpenThreadToken
wcsspn
RtlRunOnceExecuteOnce
RtlCopyUnicodeString
RtlUpcaseUnicodeString
RtlNtStatusToDosErrorNoTeb
NtSetThreadExecutionState
NtPowerInformation
VerSetConditionMask
RtlQueryResourcePolicy
RtlQueryUnbiasedInterruptTime
NtQuerySystemInformation
WinSqmAddToStream

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleA
FindStringOrdinal
GetModuleHandleW
GetProcAddress
GetModuleFileNameA
FreeLibrary
FindResourceExW
LoadResource
LockResource
LoadLibraryExW
GetModuleHandleExW
LoadStringW
GetModuleFileNameW
SizeofResource

api-ms-win-core-synch-l1-2-0

InitOnceBeginInitialize
InitOnceComplete
InitOnceExecuteOnce
Sleep

api-ms-win-core-synch-l1-1-0

AcquireSRWLockExclusive
WaitForSingleObjectEx
OpenSemaphoreW
ReleaseSRWLockShared
AcquireSRWLockShared
DeleteCriticalSection
CreateMutexW
ReleaseSRWLockExclusive
WaitForMultipleObjectsEx
ReleaseMutex
InitializeSRWLock
WaitForSingleObject
CreateEventW
InitializeCriticalSectionEx
OpenEventW
LeaveCriticalSection
CreateEventExW
InitializeCriticalSectionAndSpinCount
ResetEvent
OpenMutexW
SleepEx
ReleaseSemaphore
TryEnterCriticalSection
EnterCriticalSection
InitializeCriticalSection
CreateSemaphoreExW
SetEvent
CreateMutexExW

api-ms-win-core-heap-l1-1-0

HeapAlloc
HeapFree
GetProcessHeap

api-ms-win-core-errorhandling-l1-1-0

SetLastError
UnhandledExceptionFilter
SetErrorMode
SetUnhandledExceptionFilter
RaiseException
GetLastError

api-ms-win-core-file-l1-1-0

DeleteFileW
GetFileAttributesW
CreateFileW
FindFirstFileW
FindClose
WriteFile
FindNextFileW
GetLongPathNameW

api-ms-win-eventing-provider-l1-1-0

EventWrite
EventUnregister
EventSetInformation
EventRegister
EventActivityIdControl
EventWriteTransfer
EventEnabled

api-ms-win-core-threadpool-l1-2-0

SubmitThreadpoolWork
CreateThreadpoolWork
CloseThreadpoolTimer
WaitForThreadpoolTimerCallbacks
SetThreadpoolTimer
CloseThreadpoolWait
CreateThreadpoolTimer
WaitForThreadpoolWaitCallbacks
CreateThreadpoolWait
SetThreadpoolWait
TrySubmitThreadpoolCallback

api-ms-win-core-processthreads-l1-1-0

OpenThread
OpenProcessToken
GetCurrentThread
OpenThreadToken
GetCurrentProcess
GetProcessId
TlsFree
GetExitCodeProcess
SetProcessShutdownParameters
GetThreadPriority
SetThreadPriorityBoost
ResumeThread
GetCurrentThreadId
SetThreadPriority
ProcessIdToSessionId
ExitProcess
GetPriorityClass
TerminateProcess
SetPriorityClass
CreateThread
GetStartupInfoW
DeleteProcThreadAttributeList
TlsAlloc
UpdateProcThreadAttribute
CreateProcessW
QueueUserAPC
InitializeProcThreadAttributeList
TlsSetValue
GetCurrentProcessId
TlsGetValue

api-ms-win-core-localization-l1-2-0

FormatMessageW
GetLocaleInfoEx
GetCalendarInfoW
GetLocaleInfoW
GetThreadUILanguage

api-ms-win-core-debug-l1-1-0

DebugBreak
IsDebuggerPresent
OutputDebugStringW

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

oleaut32

SysStringLen
SysAllocString
VariantClear
SafeArrayDestroy
VariantInit
SafeArrayAccessData
SafeArrayCreate
SafeArrayUnaccessData
VarUI4FromStr
SysAllocStringByteLen
SysFreeString

api-ms-win-shcore-taskpool-l1-1-0

SHTaskPoolGetUniqueContext
SHTaskPoolQueueTask

api-ms-win-shcore-sysinfo-l1-1-0

SetCurrentProcessExplicitAppUserModelID
IsOS

api-ms-win-core-com-l1-1-0

CoTaskMemFree
CoSetProxyBlanket
StringFromCLSID
CoTaskMemAlloc
CoUninitialize
CoInitializeSecurity
CoWaitForMultipleHandles
CoGetApartmentType
CoGetStdMarshalEx
CoCreateFreeThreadedMarshaler
CoCreateInstance
CoFreeUnusedLibraries
CoGetObjectContext
CoInitializeEx
CoRegisterClassObject
CoMarshalInterThreadInterfaceInStream
CoGetInterfaceAndReleaseStream
PropVariantClear
CreateStreamOnHGlobal
CoGetCallContext
StringFromGUID2
StringFromIID
CoCreateGuid
CLSIDFromString
CoEnableCallCancellation
CoDisableCallCancellation
CoCancelCall
CoGetMalloc
IIDFromString
CoReleaseMarshalData
CoRevokeClassObject
CoTaskMemRealloc

api-ms-win-core-shlwapi-obsolete-l1-1-0

StrCmpICA
QISearch
StrCmpNIW
StrCmpIW
StrCmpNICW
StrChrW
StrToIntW
StrCmpICW
StrChrIW
StrCmpW

api-ms-win-shcore-obsolete-l1-1-0

SHStrDupW

api-ms-win-core-registry-l1-1-0

RegCloseKey
RegCreateKeyExW
RegDeleteKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegSetValueExW
RegEnumValueW
RegDeleteValueW
RegQueryValueExW
RegDeleteTreeW
RegQueryInfoKeyW
RegOpenCurrentUser
RegGetValueW
RegLoadMUIStringW

api-ms-win-shcore-comhelpers-l1-1-0

IUnknown_SetSite
IUnknown_QueryService
IUnknown_Set
IUnknown_GetSite

api-ms-win-core-heap-l2-1-0

GlobalFree
GlobalAlloc
LocalAlloc
LocalFree
LocalReAlloc

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent
OpenProcess
GetProcessMitigationPolicy

api-ms-win-core-datetime-l1-1-0

GetDateFormatW

api-ms-win-core-sysinfo-l1-1-0

GetVersionExW
GetSystemTimeAsFileTime
GetTickCount
GetSystemTime
GetLocalTime
GetTickCount64
GetWindowsDirectoryW
GetSystemDirectoryW

api-ms-win-core-datetime-l1-1-1

GetDateFormatEx
GetTimeFormatEx

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW
GetCurrentDirectoryW
GetCommandLineW
SearchPathW

api-ms-win-core-shlwapi-legacy-l1-1-0

PathFindExtensionW
PathRemoveFileSpecW
PathFindFileNameW
PathIsFileSpecW
PathCombineW
PathQuoteSpacesW
PathCommonPrefixW
PathGetDriveNumberW
PathParseIconLocationW
PathFileExistsW
PathRemoveBlanksW
PathGetArgsW
SHExpandEnvironmentStringsW

api-ms-win-shcore-registry-l1-1-0

SHEnumKeyExW
SHSetValueW
SHQueryInfoKeyW
SHRegGetValueW
SHGetValueW
SHDeleteValueW
SHDeleteKeyW

api-ms-win-core-string-l1-1-0

WideCharToMultiByte
CompareStringOrdinal
MultiByteToWideChar
CompareStringW

api-ms-win-core-winrt-string-l1-1-0

WindowsCreateString
WindowsCompareStringOrdinal
WindowsSubstringWithSpecifiedLength
WindowsGetStringRawBuffer
WindowsDeleteString
WindowsCreateStringReference
WindowsDuplicateString

api-ms-win-shcore-thread-l1-1-0

SHCreateThread
SHGetThreadRef
SHSetThreadRef
SHCreateThreadRef
SetProcessReference

api-ms-win-core-libraryloader-l1-2-1

FindResourceW
LoadLibraryW

api-ms-win-security-base-l1-1-0

DeleteAce
InitializeAcl
DuplicateToken
GetAce
CheckTokenMembership
MakeAbsoluteSD
IsValidSid
SetKernelObjectSecurity
FreeSid
CreateWellKnownSid
AllocateAndInitializeSid
AddAce
GetLengthSid
CopySid
EqualSid
GetAclInformation
GetTokenInformation
GetSecurityDescriptorDacl

api-ms-win-core-psapi-l1-1-0

K32EnumProcessModules
K32EnumProcesses
QueryFullProcessImageNameW
K32GetModuleFileNameExW
K32GetModuleBaseNameW

api-ms-win-core-version-l1-1-0

GetFileVersionInfoExW
GetFileVersionInfoSizeExW
VerQueryValueW

api-ms-win-eventing-classicprovider-l1-1-0

RegisterTraceGuidsW
UnregisterTraceGuids
GetTraceEnableFlags
GetTraceEnableLevel
GetTraceLoggerHandle
TraceMessage

api-ms-win-core-localization-obsolete-l1-2-0

GetUserDefaultUILanguage

api-ms-win-core-string-l2-1-1

SHLoadIndirectString

api-ms-win-core-processthreads-l1-1-3

SetThreadDescription
SetProcessInformation

api-ms-win-core-registry-l1-1-1

RegSetKeyValueW

api-ms-win-core-winrt-l1-1-0

RoUninitialize
RoInitialize
RoActivateInstance
RoGetActivationFactory

api-ms-win-core-com-l1-1-1

RoGetAgileReference

api-ms-win-core-winrt-error-l1-1-0

SetRestrictedErrorInfo
RoOriginateError

api-ms-win-core-winrt-error-l1-1-1

RoGetMatchingRestrictedErrorInfo

api-ms-win-core-path-l1-1-0

PathCchAddExtension
PathCchCombine
PathAllocCombine
PathCchAppend
PathCchRemoveFileSpec

api-ms-win-shcore-unicodeansi-l1-1-0

SHAnsiToUnicode

api-ms-win-core-heap-obsolete-l1-1-0

GlobalUnlock
GlobalLock

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpiW
lstrlenW

api-ms-win-core-memory-l1-1-0

VirtualProtect
UnmapViewOfFile
OpenFileMappingW
CreateFileMappingW
VirtualFree
VirtualAlloc
MapViewOfFile

api-ms-win-core-commandlinetoargv-l1-1-0

CommandLineToArgvW

api-ms-win-core-largeinteger-l1-1-0

MulDiv

api-ms-win-shcore-stream-l1-1-0

IStream_Reset
SHCreateStreamOnFileEx
IStream_Read
SHCreateMemStream
SHCreateStreamOnFileW
IStream_Write
SHOpenRegStream2W

api-ms-win-core-file-l1-2-0

GetTempPathW

api-ms-win-shcore-path-l1-1-0

ord170

api-ms-win-core-threadpool-legacy-l1-1-0

UnregisterWaitEx
CreateTimerQueueTimer
DeleteTimerQueueTimer
ChangeTimerQueueTimer

api-ms-win-core-sysinfo-l1-2-0

GetNativeSystemInfo
GetProductInfo

api-ms-win-core-localization-l1-2-3

GetUserDefaultGeoName

userenv

GetProfileType
DeriveAppContainerSidFromAppContainerName

api-ms-win-core-timezone-l1-1-0

GetTimeZoneInformation
SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
SystemTimeToFileTime
GetDynamicTimeZoneInformation

api-ms-win-core-kernel32-legacy-l1-1-0

GetSystemPowerStatus
GetComputerNameW
RegisterWaitForSingleObject

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead
InterlockedPushEntrySList

api-ms-win-stateseparation-helpers-l1-1-0

GetPersistedRegistryLocationW

api-ms-win-security-lsalookup-l2-1-0

LookupAccountNameW

api-ms-win-core-string-l2-1-0

CharNextW
CharLowerBuffW

api-ms-win-service-management-l2-1-0

QueryServiceConfigW
NotifyServiceStatusChangeW

api-ms-win-core-io-l1-1-0

DeviceIoControl
CreateIoCompletionPort
GetQueuedCompletionStatus

api-ms-win-shcore-registry-l1-1-1

SHRegGetValueFromHKCUHKLM

api-ms-win-shcore-scaling-l1-1-1

GetDpiForMonitor
ord244

api-ms-win-core-errorhandling-l1-1-2

RaiseFailFastException

api-ms-win-core-stringansi-l1-1-0

CharNextA

api-ms-win-power-base-l1-1-0

CallNtPowerInformation
GetPwrCapabilities

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-shlwapi-winrt-storage-l1-1-1

ord509
SHPinDllOfCLSID
AssocQueryStringW
ord197
SHIsChildOrSelf
ord478
StrRetToBufW
ord479
ord481
ord165
StrRetToStrW
ord544
PathRemoveArgsW
ord292
IUnknown_GetWindow
SHCreateWorkerWindowW
ord279
ShellMessageBoxW
ord635

api-ms-win-ntuser-sysparams-l1-1-0

GetDisplayConfigBufferSizes
SystemParametersInfoW
QueryDisplayConfig
GetMonitorInfoW
GetSystemMetrics
EnumDisplayMonitors
EnumDisplayDevicesW

api-ms-win-ntuser-rectangle-l1-1-0

SetRect
SetRectEmpty
IntersectRect
CopyRect
OffsetRect
PtInRect
IsRectEmpty
InflateRect
SubtractRect
EqualRect
UnionRect

api-ms-win-rtcore-ntuser-winevent-l1-1-0

NotifyWinEvent
UnhookWinEvent
SetWinEventHook

api-ms-win-shell-namespace-l1-1-0

SHBindToObject
ILCombine
SHCreateItemFromIDList
ILClone
ILIsEqual
SHGetIDListFromObject
SHCreateItemFromParsingName
ILIsParent
ILFree
ILFindLastID
ILGetSize
ILCloneFirst
ILRemoveLastID
SHBindToParent
SHParseDisplayName
SHBindToFolderIDListParent
SHGetNameFromIDList

dxgi

DXGIDeclareAdapterRemovalSupport

api-ms-win-rtcore-ntuser-wmpointer-l1-1-0

GetPointerType
GetPointerInfo
GetPointerDevices
GetCurrentInputMessageSource
EnableMouseInPointer

api-ms-win-storage-exports-internal-l1-1-0

SHGetFolderPathEx
GetThreadFlags
SetThreadFlags
SHGetKnownFolderIDList

api-ms-win-rtcore-ntuser-synch-l1-1-0

MsgWaitForMultipleObjectsEx
MsgWaitForMultipleObjects

api-ms-win-appmodel-runtime-l1-1-0

GetPackageFullName
GetPackagesByPackageFamily

api-ms-win-rtcore-ntuser-wmpointer-l1-1-2

SetWindowFeedbackSetting

api-ms-win-rtcore-ntuser-clipboard-l1-1-0

RegisterClipboardFormatW

api-ms-win-shell-dataobject-l1-1-1

DragQueryFileW

api-ms-win-rtcore-ntuser-private-l1-1-0

GetWindowBand
CreateWindowInBand

api-ms-win-rtcore-ntuser-powermanagement-l1-1-0

UnregisterPowerSettingNotification
RegisterPowerSettingNotification

api-ms-win-shell-changenotify-l1-1-1

SHChangeNotifyDeregister
SHChangeNotification_Lock
SHHandleUpdateImage
SHChangeNotifyRegister
SHChangeNotifyRegisterThread
SHChangeNotification_Unlock

propsys

PropVariantToStringAlloc
PSPropertyBag_WriteDWORD
PropVariantToUInt32
PSPropertyBag_WriteStr
PropVariantToBoolean
PSCreateMemoryPropertyStore
PSGetPropertyFromPropertyStorage
InitVariantFromResource
InitVariantFromGUIDAsString

api-ms-win-shell-changenotify-l1-1-0

SHChangeNotify

api-ms-win-shell-dataobject-l1-1-0

SHCreateDataObject

api-ms-win-appmodel-runtime-l1-1-1

FindPackagesByPackageFamily
ParseApplicationUserModelId

wtsapi32

WTSRegisterSessionNotification
WTSUnRegisterSessionNotification

gdi32

ExtTextOutW
GetTextExtentPoint32W
CreateRectRgnIndirect
SetTextAlign
SetTextColor
StretchBlt
ExcludeClipRect
GetTextMetricsW
CreateFontIndirectW
GetClipBox
GetCurrentObject
SelectObject
CreateCompatibleDC
DeleteDC
GetObjectW
DeleteObject
CombineRgn
GetDeviceCaps
GetStockObject
CreateRectRgn
SetRectRgn
SetStretchBltMode
Rectangle
OffsetRgn
SelectClipRgn
GetGlyphOutlineW
GetOutlineTextMetricsW
GetClipRgn

kernel32

HeapSize
GetModuleHandleExA
HeapReAlloc
IsBadWritePtr
RtlCompareMemory
HeapDestroy

wininet

InternetCrackUrlW

shcore

ord1
SHUnicodeToAnsi
ord192
ord210
ord183
ord213
ord126
ord109
ord174
ord121
ord162
ord190
ord123
ord191
ord187
ord141
ord142
ord200
ord184
ord186

shell32

ord743
ord907
ord43
Shell_GetCachedImageIndexW
ord790
ord792
ord727
ord162
SHAppBarMessage
ord894
ord906
ord181
ord895
SHGetLocalizedName
SHGetPropertyStoreForWindow
ord764
ord866
SHEvaluateSystemCommandTemplate
ord244
ExtractIconExW
ord132
ord137
Shell_NotifyIconW
Shell_NotifyIconGetRect
ord6
SHGetStockIconInfo
DuplicateIcon
ord91
ord254
ord54
SHEnableServiceObject
ord61
ord896
SHAddToRecentDocs
ord60
SHUpdateRecycleBinIcon
ord711
SHFileOperationW
SHGetPathFromIDListW
ord753
ord733
ord67
SHCreateItemInKnownFolder
ord206
ord201
ord188
ord899
ShellExecuteExW
ord245
ord200
ord89
ord190
ord85
ord100
ord134
ord22
ord850
ord95
ord885
ord723
ord680
ord172
ShellExecuteW

shlwapi

ord164
PathIsDirectoryW
ord413
ord548
ord163
ord467
AssocQueryKeyW
ChrCmpIW
PathIsRelativeW
AssocCreate

uxtheme

IsThemeActive
BufferedPaintInit
BeginBufferedPaint
CloseThemeData
DrawThemeParentBackground
GetThemePartSize
GetBufferedPaintBits
GetThemeInt
GetThemeColor
ord126
BufferedPaintUnInit
DrawThemeBackground
ord86
GetThemeFont
DrawThemeTextEx
IsCompositionActive
GetWindowTheme
IsThemePartDefined
IsAppThemed
SetWindowTheme
EndBufferedPaint
GetThemeBackgroundExtent
ord138
GetThemeMargins
OpenThemeDataForDpi
GetThemeMetric
OpenThemeData
GetThemeBool
BufferedPaintSetAlpha

dwmapi

DwmRegisterThumbnail
ord138
ord139
DwmSetWindowAttribute
ord141
ord140
DwmGetWindowAttribute
DwmIsCompositionEnabled
ord113
ord159
DwmQueryThumbnailSourceSize
ord124
DwmUpdateThumbnailProperties
DwmUnregisterThumbnail
DwmEnableBlurBehindWindow
ord114

user32

TrackMouseEvent
SetCapture
GetCapture
ReleaseCapture
GetDoubleClickTime
CalculatePopupWindowPosition
CopyIcon
GetLastInputInfo
GetCursorFrameInfo
AdjustWindowRect
GetDpiForWindow
SetWindowCompositionAttribute
SetGestureConfig
LoadImageW
CheckMenuItem
EnableMenuItem
RemoveMenu
GetSysColor
GetCaretBlinkTime
InjectKeyboardInput
MapVirtualKeyExW
InjectMouseInput
LockWorkStation
TileWindows
CascadeWindows
HungWindowFromGhostWindow
LoadIconW
IsIconic
GetKeyState
ExitWindowsEx
EndDialog
SendDlgItemMessageW
RegisterHotKey
AdjustWindowRectEx
GetDC
ReleaseDC
CreatePopupMenu
GetMenuDefaultItem
GetSystemMetricsForDpi
LoadCursorW
SetCursor
SetMenuItemInfoW
MonitorFromWindow
DefWindowProcA
IsWindowUnicode
LoadAcceleratorsW
ChangeWindowMessageFilterEx
DestroyIcon
SendInput
SetDesktopColorTransform
UnregisterClassA
TranslateAcceleratorW
SetMenuDefaultItem
TrackPopupMenuEx
DeleteMenu
FillRect
ord2611
MonitorFromRect
DrawTextW
CopyImage
GetSubMenu
CreateIconIndirect
GetMenuItemCount
GetMenuItemInfoW
ord2005
MonitorFromPoint
ReplyMessage
GetAsyncKeyState
ModifyMenuW
GetSystemMenu
GetSysColorBrush
SetLayeredWindowAttributes
GetIconInfoExW
GetIconInfo
DestroyMenu
GetClassWord
GetClassLongW
GetPhysicalCursorPos
GetCursorInfo
ShowWindowAsync
InsertMenuW
BringWindowToTop
ord2573
GhostWindowFromHungWindow
EndTask
IsTopLevelWindow
GetMenuState
SetScrollInfo
GetScrollInfo
SetScrollPos
GetGuiResources
GetMenuStringW
InternalGetWindowText
GetLayeredWindowAttributes
DrawTextExW
IsProcessDPIAware
SetThreadDpiAwarenessContext
GetWindowCompositionAttribute
GetWindowProcessHandle
GetClassLongPtrW
IsHungAppWindow
UpdateLayeredWindow
ord2574
ord2521
UnregisterClassW
ord2522
WindowFromDC
GetMenuInfo
SetMenuInfo
GetDpiForSystem
GetWindowDpiAwarenessContext
AreDpiAwarenessContextsEqual
CharLowerW
IsCharAlphaNumericW
SwitchToThisWindow
UnregisterHotKey
GetLastActivePopup
DrawIconEx
LoadMenuW

sspicli

GetUserNameExW

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-localization-l1-2-2

LCIDToLocaleName

api-ms-win-core-kernel32-legacy-l1-1-1

PowerCreateRequest
VerifyVersionInfoW
PowerSetRequest

api-ms-win-oobe-notification-l1-1-0

OOBEComplete

api-ms-win-core-file-l2-1-2

CopyFileW

api-ms-win-core-kernel32-legacy-l1-1-2

SetTermsrvAppInstallMode

api-ms-win-shell-shdirectory-l1-1-0

ord292

api-ms-win-eventing-controller-l1-1-0

StopTraceW
StartTraceW
EnableTraceEx2

api-ms-win-core-job-l1-1-0

IsProcessInJob

rpcrt4

RpcBindingFromStringBindingW
RpcStringBindingComposeW
I_RpcExceptionFilter
RpcBindingSetAuthInfoExW
RpcStringFreeW
RpcBindingFree
NdrClientCall3

api-ms-win-appmodel-runtime-l1-1-3

GetStagedPackagePathByFullName2

api-ms-win-core-biptcltapi-l1-1-7

BiPtAssociateApplicationEntryPoint
BiPtEnumerateWorkItemsForPackageName
BiPtQueryWorkItem
BiPtFreeMemory

api-ms-win-rtcore-ntuser-shell-l1-1-0

GetShellWindow

api-ms-win-ro-typeresolution-l1-1-1

RoCreatePropertySetSerializer

combase

GetErrorInfo
SetErrorInfo

Exports

Exports

g_trayTriageBlock

Sections

.text
Size: 2.8MB - Virtual size: 2.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.imrsiv
Size: - Virtual size: 4B

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 648KB - Virtual size: 646KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 116KB - Virtual size: 113KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Signatures

Files

0e7bb0830bdb6737eedb4d5307c69bbd

Code Sign

33:00:00:04:15:82:95:a1:a3:d8:2e:28:57:00:00:00:00:04:15Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

5a:11:68:ab:e9:2d:76:42:c2:03:ba:3a:fd:ff:3a:bb:5b:a3:3c:ae:9a:42:c0:17:2c:d2:e1:db:9c:64:de:0dSigner

Headers

DLL Characteristics

File Characteristics

Imports

msvcp_win

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-private-l1-1-0

aepic

twinapi

api-ms-win-core-job-l2-1-0

api-ms-win-core-windowserrorreporting-l1-1-3

api-ms-win-core-url-l1-1-0

api-ms-win-core-windowserrorreporting-l1-1-1

api-ms-win-core-kernel32-private-l1-1-0

api-ms-win-core-registryuserspecific-l1-1-0

api-ms-win-core-com-private-l1-1-0

api-ms-win-core-atoms-l1-1-0

api-ms-win-core-sidebyside-l1-1-0

ntdll

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

oleaut32

api-ms-win-shcore-taskpool-l1-1-0

api-ms-win-shcore-sysinfo-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-shlwapi-obsolete-l1-1-0

api-ms-win-shcore-obsolete-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-shcore-comhelpers-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-datetime-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-datetime-l1-1-1

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-shcore-registry-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-shcore-thread-l1-1-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-security-base-l1-1-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-core-version-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-localization-obsolete-l1-2-0

api-ms-win-core-string-l2-1-1

api-ms-win-core-processthreads-l1-1-3

api-ms-win-core-registry-l1-1-1

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-com-l1-1-1

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-path-l1-1-0

api-ms-win-shcore-unicodeansi-l1-1-0

33:00:00:04:15:82:95:a1:a3:d8:2e:28:57:00:00:00:00:04:15
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

5a:11:68:ab:e9:2d:76:42:c2:03:ba:3a:fd:ff:3a:bb:5b:a3:3c:ae:9a:42:c0:17:2c:d2:e1:db:9c:64:de:0d
Signer