explorer[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

explorer.exe
Size

4.5MB
MD5

8ddda1b3ddd83942e8b8624f9487ec0d
SHA1

7d811b6c688c52735bc819c5e348396d676f6e6e
SHA256

abc4dc9fb57311a16668bf8a6f7d1bcac162b172690762715e2559c3a0837307
SHA512

f2ad71f43e0f7f94dc087646652b51bf61093e0fe764e61110060f2bb32a241cb56cc0c33d6b6d5333221c2d18eb8e762d92c34643a9fa51eb541650112f80c9
SSDEEP

98304:rvSG5pxVLCJl31FonIv/moRRHCd6iEMfMBDLW7J9+h+sA4/Cxx1zkSmUtjt0I9rK:rvSG5pxVLCJl31FonS/moRRHziEMfQSs

Score

1^/10

Malware Config

Signatures

Files

explorer.exe
.exe windows:10 windows x86

055fd190f0655165f71e9bcf78d75f0c

Code Sign

33:00:00:04:15:82:95:a1:a3:d8:2e:28:57:00:00:00:00:04:15
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

03/02/2023, 00:05

Not After

01/02/2024, 00:05

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

ca:6b:e0:27:c1:c6:ce:2b:c4:5b:44:0c:ec:6d:2a:7a:22:7b:fd:a1:fc:27:a8:5b:b1:40:96:81:47:91:2d:a3
Signer

Actual PE Digest

ca:6b:e0:27:c1:c6:ce:2b:c4:5b:44:0c:ec:6d:2a:7a:22:7b:fd:a1:fc:27:a8:5b:b1:40:96:81:47:91:2d:a3

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

msvcp_win

?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@D@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ
?peek@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEHXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
?get@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEHXZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXH@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ
?_ReportUnobservedException@details@Concurrency@@YAXXZ
_Cnd_wait
?_Xinvalid_argument@std@@YAXPBD@Z
??0?$basic_iostream@GU?$char_traits@G@std@@@std@@QAE@PAV?$basic_streambuf@GU?$char_traits@G@std@@@1@@Z
??0?$basic_ios@GU?$char_traits@G@std@@@std@@IAE@XZ
?setp@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IAEXPAG00@Z
?epptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IBEPAGXZ
?setg@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IAEXPAG00@Z
?egptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IBEPAGXZ
?eback@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IBEPAGXZ
?setp@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IAEXPAG0@Z
??0?$basic_streambuf@GU?$char_traits@G@std@@@std@@IAE@XZ
?pbase@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IBEPAGXZ
?sputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QAE_JPBG_J@Z
?imbue@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAEXABVlocale@2@@Z
?setbuf@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAEPAV12@PAG_J@Z
?xsgetn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAE_JPAG_J@Z
?uflow@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAEGXZ
?showmanyc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAE_JXZ
?tolower@?$ctype@G@std@@QBEPBGPAGPBG@Z
?tolower@?$ctype@G@std@@QBEGG@Z
?xsputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAE_JPBG_J@Z
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?_Getcoll@_Locinfo@std@@QBE?AU_Collvec@@XZ
_Wcscoll
_Wcsxfrm
?id@?$collate@G@std@@2V0locale@2@A
??Bid@locale@std@@QAEIXZ
?id@?$ctype@G@std@@2V0locale@2@A
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ
??0facet@locale@std@@IAE@I@Z
??1facet@locale@std@@MAE@XZ
??0_Lockit@std@@QAE@H@Z
??0_Locinfo@std@@QAE@PBD@Z
?c_str@?$_Yarn@D@std@@QBEPBDXZ
??1_Lockit@std@@QAE@XZ
??1_Locinfo@std@@QAE@XZ
?is@?$ctype@G@std@@QBE_NFG@Z
?_Getcat@?$ctype@G@std@@SAIPAPBVfacet@locale@2@PBV42@@Z
?_Incref@facet@locale@std@@UAEXXZ
?_Init@locale@std@@CAPAV_Locimp@12@_N@Z
??1?$basic_iostream@GU?$char_traits@G@std@@@std@@UAE@XZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ
??1?$basic_streambuf@GU?$char_traits@G@std@@@std@@UAE@XZ
?gbump@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IAEXH@Z
?pptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IBEPAGXZ
?gptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IBEPAGXZ
??1?$basic_ios@GU?$char_traits@G@std@@@std@@UAE@XZ
?_Lock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UAEXXZ
?tie@?$basic_ios@GU?$char_traits@G@std@@@std@@QBEPAV?$basic_ostream@GU?$char_traits@G@std@@@2@XZ
?flush@?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEAAV12@XZ
?_Unlock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UAEXXZ
?uncaught_exception@std@@YA_NXZ
?good@ios_base@std@@QBE_NXZ
?sync@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAEHXZ
?_Osfx@?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEXXZ
?width@ios_base@std@@QBE_JXZ
?flags@ios_base@std@@QBEHXZ
?_Pninc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IAEPAGXZ
?sputc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QAEGG@Z
?rdbuf@?$basic_ios@GU?$char_traits@G@std@@@std@@QBEPAV?$basic_streambuf@GU?$char_traits@G@std@@@2@XZ
?fill@?$basic_ios@GU?$char_traits@G@std@@@std@@QBEGXZ
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ
?_Xbad_alloc@std@@YAXXZ
?_Xout_of_range@std@@YAXPBD@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PAD_J@Z
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD0@Z
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ
?width@ios_base@std@@QAE_J_J@Z
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD00@Z
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD00@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
_Thrd_yield
?_Xbad_function_call@std@@YAXXZ
?__ExceptionPtrCreate@@YAXPAX@Z
?__ExceptionPtrDestroy@@YAXPAX@Z
?__ExceptionPtrAssign@@YAXPAXPBX@Z
?setstate@?$basic_ios@GU?$char_traits@G@std@@@std@@QAEXH_N@Z
?__ExceptionPtrCopy@@YAXPAXPBX@Z
_Mtx_unlock
?__ExceptionPtrCurrentException@@YAXPAX@Z
?__ExceptionPtrRethrow@@YAXPBX@Z
?__ExceptionPtrCopyException@@YAXPAXPBX1@Z
_Thrd_detach
?_Throw_C_error@std@@YAXH@Z
?_Throw_Cpp_error@std@@YAXH@Z
_Mtx_lock
_Thrd_join
_Thrd_id
?_Xlength_error@std@@YAXPBD@Z
_Cnd_do_broadcast_at_thread_exit
?_Decref@facet@locale@std@@UAEPAV_Facet_base@3@XZ

api-ms-win-crt-runtime-l1-1-0

_c_exit
_initterm_e
_initterm
_set_error_mode
_register_thread_local_exe_atexit_callback

api-ms-win-crt-string-l1-1-0

strncmp
memset
wcsncmp
wcscspn

api-ms-win-crt-time-l1-1-0

_time32

api-ms-win-crt-private-l1-1-0

_o_ceil
_o_exit
_o_floor
_o_free
_o_iswspace
_o_lround
_o_lroundf
_o_malloc
_o_memcpy_s
_o_realloc
_o_terminate
_o_wcscat_s
_o_wcscpy_s
_o_wcsncpy_s
_o_wcstol
_o_wcstoll
__current_exception
__current_exception_context
_except_handler4_common
_o__wtoi
_o__wcsnicmp
_o__wcslwr_s
_o__wcsicmp
memmove
_o_abort
_o__set_new_mode
_o__set_fmode
_o__set_errno
_o__set_app_type
_o__seh_filter_exe
_o__register_onexit_function
_o__recalloc
_o__purecall
_o__mktime32
_o__ltow_s
_o__localtime32
_o__itow_s
_o__itoa_s
_o__invalid_parameter_noinfo_noreturn
_o__invalid_parameter_noinfo
_o__initialize_wide_environment
_o__initialize_onexit_table
_o__get_wide_winmain_command_line
_o__get_errno
_o__exit
_o__errno
_o__difftime32
_o__crt_atexit
_o__controlfp_s
_o__configure_wide_argv
_o__configthreadlocale
_o__CIsqrt
_o__CIpow
_o__CIfmod
_o__cexit
_o__beginthreadex
_o___stdio_common_vswprintf
_o___stdio_common_vsnwprintf_s
_o___stdio_common_vsnprintf_s
_o___std_exception_destroy
_o___std_exception_copy
_o___p__commode
wcsrchr
wcsstr
__std_terminate
__CxxFrameHandler3
_CxxThrowException
memcmp
memcpy

aepic

PicRetrieveFileInfo
PicFreeFileInfo

twinapi

ord9

api-ms-win-core-job-l2-1-0

QueryInformationJobObject
AssignProcessToJobObject
OpenJobObjectW
CreateJobObjectW
SetInformationJobObject

api-ms-win-core-windowserrorreporting-l1-1-3

RegisterApplicationRestart

api-ms-win-core-url-l1-1-0

HashData
PathIsURLW
UrlUnescapeW

api-ms-win-core-windowserrorreporting-l1-1-1

WerUnregisterCustomMetadata
WerRegisterCustomMetadata

api-ms-win-core-kernel32-private-l1-1-0

CheckElevation
CheckElevationEnabled

api-ms-win-core-registryuserspecific-l1-1-0

SHRegGetBoolUSValueW
SHRegGetUSValueW

api-ms-win-core-com-private-l1-1-0

CoRegisterInitializeSpy
CoRevokeInitializeSpy
CoRegisterMessageFilter

api-ms-win-core-atoms-l1-1-0

GlobalGetAtomNameW

api-ms-win-core-sidebyside-l1-1-0

ActivateActCtx
ReleaseActCtx
DeactivateActCtx
CreateActCtxW

ntdll

WinSqmAddToStream
RtlGetVersion
ZwQuerySystemInformation
ZwQueryValueKey
ZwOpenKey
ZwClose
RtlReAllocateHeap
ZwEnumerateValueKey
ZwCreateFile
NtQueryInformationFile
RtlAppendUnicodeToString
RtlAnsiStringToUnicodeString
RtlImageDirectoryEntryToData
ZwUnmapViewOfSection
RtlNtPathNameToDosPathName
RtlUpcaseUnicodeChar
ZwCreateSection
RtlxAnsiStringToUnicodeSize
ZwQueryInformationProcess
RtlpEnsureBufferSize
RtlGetNativeSystemInformation
RtlVerifyVersionInfo
ZwQueryDirectoryFile
ZwSetInformationProcess
RtlInitUnicodeStringEx
ZwMapViewOfSection
RtlFormatCurrentUserKeyPath
ZwEnumerateKey
RtlInitString
ZwOpenFile
ZwQueryInformationFile
LdrResSearchResource
RtlReleaseSRWLockShared
RtlAcquireSRWLockShared
RtlReleaseSRWLockExclusive
RtlAcquireSRWLockExclusive
NtQueryInformationProcess
WinSqmIsOptedIn
NtQueryWnfStateData
RtlInitUnicodeString
NtOpenFile
NtDeviceIoControlFile
NtClose
RtlUnsubscribeWnfNotificationWaitForCompletion
RtlSubscribeWnfStateChangeNotification
RtlQueryWnfStateData
RtlFlushHeaps
NtSetSystemInformation
RtlPublishWnfStateData
RtlGetDeviceFamilyInfoEnum
RtlNtStatusToDosError
strchr
memmove_s
RtlAppendUnicodeStringToString
RtlDosPathNameToNtPathName_U_WithStatus
RtlFreeUnicodeString
wcschr
RtlAllocateHeap
RtlFreeHeap
RtlCompareUnicodeString
NtOpenProcessToken
NtQueryInformationToken
NtOpenThreadToken
wcsspn
RtlRunOnceExecuteOnce
RtlGetNtSystemRoot
RtlNtStatusToDosErrorNoTeb
RtlCopyUnicodeString
RtlUpcaseUnicodeString
NtSetThreadExecutionState
NtPowerInformation
VerSetConditionMask
RtlQueryResourcePolicy
RtlQueryUnbiasedInterruptTime
NtQuerySystemInformation
NtSetInformationProcess

api-ms-win-core-libraryloader-l1-2-0

FindResourceExW
FreeLibrary
LockResource
GetModuleHandleW
LoadLibraryExW
LoadStringW
GetModuleHandleExW
SizeofResource
GetModuleHandleA
FindStringOrdinal
GetProcAddress
LoadResource
GetModuleFileNameW
GetModuleFileNameA

api-ms-win-core-synch-l1-2-0

Sleep
InitOnceComplete
InitOnceExecuteOnce
InitOnceBeginInitialize

api-ms-win-core-synch-l1-1-0

CreateSemaphoreExW
CreateMutexW
WaitForSingleObject
InitializeSRWLock
ReleaseMutex
EnterCriticalSection
CreateEventW
SetEvent
InitializeCriticalSectionEx
ReleaseSemaphore
OpenEventW
CreateMutexExW
AcquireSRWLockShared
DeleteCriticalSection
TryEnterCriticalSection
InitializeCriticalSection
ReleaseSRWLockExclusive
CreateEventExW
InitializeCriticalSectionAndSpinCount
ResetEvent
WaitForMultipleObjectsEx
AcquireSRWLockExclusive
WaitForSingleObjectEx
OpenSemaphoreW
SleepEx
LeaveCriticalSection
OpenMutexW
ReleaseSRWLockShared

api-ms-win-core-heap-l1-1-0

HeapFree
HeapAlloc
HeapSetInformation
GetProcessHeap

api-ms-win-core-errorhandling-l1-1-0

GetLastError
SetLastError
SetUnhandledExceptionFilter
SetErrorMode
RaiseException
UnhandledExceptionFilter

api-ms-win-core-file-l1-1-0

GetLongPathNameW
FindNextFileW
FindFirstFileW
GetFileAttributesW
WriteFile
DeleteFileW
FindClose
CreateFileW
CompareFileTime

api-ms-win-eventing-provider-l1-1-0

EventWrite
EventWriteTransfer
EventActivityIdControl
EventRegister
EventEnabled
EventUnregister
EventSetInformation

api-ms-win-core-threadpool-l1-2-0

CreateThreadpoolTimer
WaitForThreadpoolWaitCallbacks
SubmitThreadpoolWork
SetThreadpoolWait
CreateThreadpoolWait
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
CreateThreadpoolWork
TrySubmitThreadpoolCallback
CloseThreadpoolWait
SetThreadpoolTimer

api-ms-win-core-processthreads-l1-1-0

TlsSetValue
UpdateProcThreadAttribute
ExitProcess
SetProcessShutdownParameters
InitializeProcThreadAttributeList
CreateProcessW
QueueUserAPC
TlsGetValue
CreateThread
SetThreadPriorityBoost
GetThreadPriority
TlsFree
SetPriorityClass
GetPriorityClass
ProcessIdToSessionId
ResumeThread
SetThreadPriority
GetCurrentProcessId
GetCurrentThreadId
OpenThread
GetProcessId
TerminateProcess
GetExitCodeProcess
GetStartupInfoW
TlsAlloc
DeleteProcThreadAttributeList
OpenProcessToken
GetCurrentThread
OpenThreadToken
GetCurrentProcess

api-ms-win-core-localization-l1-2-0

GetGeoInfoW
GetLocaleInfoW
GetLocaleInfoEx
GetCalendarInfoW
GetThreadUILanguage
FormatMessageW

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
OutputDebugStringW
DebugBreak

api-ms-win-core-handle-l1-1-0

CloseHandle
DuplicateHandle

oleaut32

SafeArrayCreate
SafeArrayAccessData
VariantClear
SafeArrayUnaccessData
SafeArrayDestroy
VarUI4FromStr
SysFreeString
SysStringLen
SysAllocString
VariantInit
SysAllocStringByteLen

api-ms-win-shcore-taskpool-l1-1-0

SHTaskPoolGetUniqueContext
SHTaskPoolQueueTask

api-ms-win-shcore-sysinfo-l1-1-0

IsOS
SetCurrentProcessExplicitAppUserModelID

api-ms-win-core-com-l1-1-0

CoTaskMemRealloc
CoSetProxyBlanket
CoTaskMemAlloc
CoMarshalInterThreadInterfaceInStream
CoGetInterfaceAndReleaseStream
CoGetMalloc
CoRevokeClassObject
CoReleaseMarshalData
PropVariantClear
CoInitializeEx
CoRegisterClassObject
CoCreateFreeThreadedMarshaler
IIDFromString
CreateStreamOnHGlobal
CoGetApartmentType
CoGetCallContext
CoCreateInstance
CoWaitForMultipleHandles
CoCancelCall
CoDisableCallCancellation
CoEnableCallCancellation
StringFromGUID2
CLSIDFromString
CoTaskMemFree
StringFromIID
CoGetObjectContext
CoCreateGuid
StringFromCLSID
CoGetStdMarshalEx
CoInitializeSecurity
CoFreeUnusedLibraries
CoUninitialize

api-ms-win-core-shlwapi-obsolete-l1-1-0

QISearch
StrCmpNICW
StrCmpICW
StrCmpW
StrChrIW
StrToIntW
StrChrW
StrCmpNIW
StrCmpICA
StrCmpIW

api-ms-win-shcore-obsolete-l1-1-0

SHStrDupW

api-ms-win-core-registry-l1-1-0

RegEnumKeyExW
RegCreateKeyExW
RegSetValueExW
RegEnumValueW
RegOpenKeyExW
RegOpenCurrentUser
RegCloseKey
RegDeleteTreeW
RegDeleteKeyExW
RegQueryValueExW
RegLoadMUIStringW
RegDeleteValueW
RegQueryInfoKeyW
RegGetValueW

api-ms-win-shcore-comhelpers-l1-1-0

IUnknown_GetSite
IUnknown_QueryService
IUnknown_Set
IUnknown_SetSite

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc
GlobalFree
GlobalAlloc
LocalReAlloc

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent
OpenProcess
GetProcessMitigationPolicy

api-ms-win-core-datetime-l1-1-0

GetDateFormatW

api-ms-win-core-sysinfo-l1-1-0

GetTickCount64
GetTickCount
GetVersionExW
GetSystemTime
GetLocalTime
GetWindowsDirectoryW
GetSystemTimeAsFileTime
GetSystemDirectoryW

api-ms-win-core-datetime-l1-1-1

GetDateFormatEx
GetTimeFormatEx

api-ms-win-core-processenvironment-l1-1-0

GetCommandLineW
SearchPathW
GetEnvironmentVariableW
GetCurrentDirectoryW
ExpandEnvironmentStringsW
SetEnvironmentVariableW

api-ms-win-core-shlwapi-legacy-l1-1-0

PathRemoveFileSpecW
PathIsFileSpecW
PathGetDriveNumberW
PathCombineW
PathFileExistsW
PathRemoveBlanksW
PathFindFileNameW
PathGetArgsW
PathParseIconLocationW
SHExpandEnvironmentStringsW
PathQuoteSpacesW
PathFindExtensionW
PathCommonPrefixW

api-ms-win-shcore-registry-l1-1-0

SHQueryInfoKeyW
SHDeleteKeyW
SHGetValueW
SHSetValueW
SHEnumKeyExW
SHDeleteValueW
SHRegGetValueW

api-ms-win-core-string-l1-1-0

MultiByteToWideChar
WideCharToMultiByte
CompareStringOrdinal
CompareStringW

api-ms-win-core-winrt-string-l1-1-0

WindowsPromoteStringBuffer
WindowsCompareStringOrdinal
WindowsCreateString
WindowsDeleteStringBuffer
WindowsSubstringWithSpecifiedLength
WindowsPreallocateStringBuffer
WindowsGetStringRawBuffer
WindowsDeleteString
WindowsCreateStringReference
WindowsDuplicateString

api-ms-win-shcore-thread-l1-1-0

SHSetThreadRef
SetProcessReference
SHCreateThreadRef
SHCreateThread
SHGetThreadRef

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW
FindResourceW

api-ms-win-security-base-l1-1-0

GetSecurityDescriptorDacl
AddAce
InitializeAcl
GetTokenInformation
CreateWellKnownSid
CheckTokenMembership
DuplicateToken
DeleteAce
SetKernelObjectSecurity
GetAce
GetAclInformation
EqualSid
AllocateAndInitializeSid
IsValidSid
GetLengthSid
FreeSid
MakeAbsoluteSD
CopySid

api-ms-win-core-psapi-l1-1-0

K32EnumProcesses
K32EnumProcessModules
K32GetModuleBaseNameW
QueryFullProcessImageNameW
K32GetModuleFileNameExW

api-ms-win-core-version-l1-1-0

GetFileVersionInfoExW
GetFileVersionInfoSizeExW
VerQueryValueW

api-ms-win-eventing-classicprovider-l1-1-0

RegisterTraceGuidsW
GetTraceLoggerHandle
GetTraceEnableFlags
UnregisterTraceGuids
GetTraceEnableLevel
TraceMessage

api-ms-win-core-localization-obsolete-l1-2-0

GetUserDefaultUILanguage

api-ms-win-core-string-l2-1-1

SHLoadIndirectString

api-ms-win-core-processthreads-l1-1-3

SetProcessInformation
SetThreadDescription

api-ms-win-core-registry-l1-1-1

RegSetKeyValueW

api-ms-win-core-winrt-l1-1-0

RoUninitialize
RoActivateInstance
RoInitialize
RoGetActivationFactory

api-ms-win-core-com-l1-1-1

RoGetAgileReference

api-ms-win-core-winrt-error-l1-1-0

RoOriginateError
RoTransformError
SetRestrictedErrorInfo

api-ms-win-core-winrt-error-l1-1-1

RoGetMatchingRestrictedErrorInfo

api-ms-win-core-path-l1-1-0

PathCchAddExtension
PathAllocCombine
PathCchRemoveFileSpec
PathCchCombine
PathCchAppend

api-ms-win-shcore-unicodeansi-l1-1-0

SHAnsiToUnicode

api-ms-win-core-heap-obsolete-l1-1-0

GlobalUnlock
GlobalLock

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpiW
lstrlenW

api-ms-win-core-memory-l1-1-0

VirtualAlloc
UnmapViewOfFile
CreateFileMappingW
OpenFileMappingW
MapViewOfFile
VirtualFree
VirtualProtect

api-ms-win-core-commandlinetoargv-l1-1-0

CommandLineToArgvW

api-ms-win-core-largeinteger-l1-1-0

MulDiv

api-ms-win-shcore-stream-l1-1-0

IStream_Read
SHCreateStreamOnFileEx
IStream_Write
IStream_Reset
SHCreateMemStream
SHCreateStreamOnFileW
SHOpenRegStream2W

api-ms-win-core-file-l1-2-0

GetTempPathW

api-ms-win-shcore-path-l1-1-0

ord170

api-ms-win-core-threadpool-legacy-l1-1-0

CreateTimerQueueTimer
UnregisterWaitEx
DeleteTimerQueueTimer
ChangeTimerQueueTimer

api-ms-win-core-sysinfo-l1-2-0

GetNativeSystemInfo
GetProductInfo

api-ms-win-core-localization-l1-2-3

GetUserDefaultGeoName

userenv

DeriveAppContainerSidFromAppContainerName
GetProfileType

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime
GetTimeZoneInformation
GetDynamicTimeZoneInformation
SystemTimeToFileTime
SystemTimeToTzSpecificLocalTime

api-ms-win-core-kernel32-legacy-l1-1-0

GetSystemPowerStatus
RegisterWaitForSingleObject
GetComputerNameW

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead
InterlockedPushEntrySList

api-ms-win-stateseparation-helpers-l1-1-0

GetPersistedRegistryLocationW

api-ms-win-security-lsalookup-l2-1-0

LookupAccountNameW

api-ms-win-core-string-l2-1-0

CharNextW
CharLowerBuffW

api-ms-win-service-management-l2-1-0

NotifyServiceStatusChangeW
QueryServiceConfigW

api-ms-win-core-io-l1-1-0

DeviceIoControl
GetQueuedCompletionStatus
CreateIoCompletionPort

api-ms-win-shcore-registry-l1-1-1

SHRegGetValueFromHKCUHKLM

api-ms-win-shcore-scaling-l1-1-1

ord244
GetDpiForMonitor

api-ms-win-core-errorhandling-l1-1-2

RaiseFailFastException

api-ms-win-core-stringansi-l1-1-0

CharNextA

api-ms-win-power-base-l1-1-0

CallNtPowerInformation
GetPwrCapabilities

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-shlwapi-winrt-storage-l1-1-1

SHCreateWorkerWindowW
ord635
AssocQueryStringW
SHPinDllOfCLSID
ord544
ShellMessageBoxW
ord197
SHIsChildOrSelf
ord478
StrRetToBufW
ord479
ord481
ord165
StrRetToStrW
IUnknown_GetWindow
ord279
ord509
PathRemoveArgsW
ord292

api-ms-win-ntuser-sysparams-l1-1-0

EnumDisplayMonitors
GetSystemMetrics
SystemParametersInfoW
QueryDisplayConfig
GetMonitorInfoW
GetDisplayConfigBufferSizes
EnumDisplayDevicesW

api-ms-win-ntuser-rectangle-l1-1-0

OffsetRect
SubtractRect
UnionRect
CopyRect
IntersectRect
SetRectEmpty
PtInRect
EqualRect
SetRect
InflateRect
IsRectEmpty

api-ms-win-rtcore-ntuser-winevent-l1-1-0

NotifyWinEvent
UnhookWinEvent
SetWinEventHook

api-ms-win-shell-namespace-l1-1-0

SHBindToParent
SHParseDisplayName
ILGetSize
ILCloneFirst
ILCombine
SHCreateItemFromParsingName
ILClone
SHCreateItemFromIDList
SHBindToObject
SHGetIDListFromObject
ILFindLastID
SHGetNameFromIDList
ILIsParent
SHBindToFolderIDListParent
ILIsEqual
ILRemoveLastID
ILFree

dxgi

DXGIDeclareAdapterRemovalSupport

api-ms-win-rtcore-ntuser-wmpointer-l1-1-0

GetPointerInfo
GetPointerDevices
GetCurrentInputMessageSource
GetPointerType
EnableMouseInPointer

api-ms-win-storage-exports-internal-l1-1-0

SHGetFolderPathEx
SHGetKnownFolderIDList
GetThreadFlags
SetThreadFlags

api-ms-win-rtcore-ntuser-synch-l1-1-0

MsgWaitForMultipleObjectsEx
MsgWaitForMultipleObjects

api-ms-win-appmodel-runtime-l1-1-0

GetPackagesByPackageFamily
GetPackageFullName

api-ms-win-rtcore-ntuser-wmpointer-l1-1-2

SetWindowFeedbackSetting

api-ms-win-rtcore-ntuser-clipboard-l1-1-0

RegisterClipboardFormatW

api-ms-win-shell-dataobject-l1-1-1

DragQueryFileW

api-ms-win-rtcore-ntuser-private-l1-1-0

CreateWindowInBand
GetWindowBand

api-ms-win-rtcore-ntuser-powermanagement-l1-1-0

UnregisterPowerSettingNotification
RegisterPowerSettingNotification

api-ms-win-shell-changenotify-l1-1-1

SHChangeNotifyRegister
SHHandleUpdateImage
SHChangeNotifyDeregister
SHChangeNotifyRegisterThread
SHChangeNotification_Unlock
SHChangeNotification_Lock

propsys

PSCreateMemoryPropertyStore
PropVariantToBoolean
PSPropertyBag_WriteStr
PSGetPropertyFromPropertyStorage
PropVariantToUInt32
InitVariantFromResource
InitVariantFromGUIDAsString
PSPropertyBag_WriteDWORD
PropVariantToStringAlloc

api-ms-win-shell-changenotify-l1-1-0

SHChangeNotify

api-ms-win-shell-dataobject-l1-1-0

SHCreateDataObject

api-ms-win-appmodel-runtime-l1-1-1

ParseApplicationUserModelId
FindPackagesByPackageFamily

wtsapi32

WTSUnRegisterSessionNotification
WTSRegisterSessionNotification

gdi32

SelectObject
CreateCompatibleDC
DeleteDC
CreateFontIndirectW
SetTextColor
GetCurrentObject
Rectangle
SetStretchBltMode
GetClipBox
ExcludeClipRect
GetStockObject
SetTextAlign
StretchBlt
GetDeviceCaps
GetObjectW
CreateRectRgn
SetRectRgn
OffsetRgn
CombineRgn
SelectClipRgn
DeleteObject
GetClipRgn
GetOutlineTextMetricsW
GetGlyphOutlineW
CreateRectRgnIndirect
GetTextExtentPoint32W
ExtTextOutW
GetTextMetricsW

kernel32

SetProcessDEPPolicy
IsBadWritePtr
GetModuleHandleExA
HeapSize
HeapDestroy
HeapReAlloc

api-ms-win-core-rtlsupport-l1-2-0

RtlCompareMemory

wininet

InternetCrackUrlW

shcore

ord190
ord121
ord123
ord174
SHUnicodeToAnsi
ord1
ord192
ord183
ord126
ord109
ord162
ord191
ord187
ord186
ord184
ord141
ord142
ord200

shell32

ord134
ord22
ord743
ord907
ord43
Shell_GetCachedImageIndexW
ord790
ord792
ord727
ord162
SHAppBarMessage
ord894
ord906
ord850
ord895
SHGetLocalizedName
SHGetPropertyStoreForWindow
ord764
ord866
SHEvaluateSystemCommandTemplate
ord244
ExtractIconExW
ord132
ord137
Shell_NotifyIconW
Shell_NotifyIconGetRect
ord6
SHGetStockIconInfo
DuplicateIcon
ShellExecuteW
ord91
ord254
ord54
SHEnableServiceObject
ord61
ord896
SHAddToRecentDocs
ord60
SHUpdateRecycleBinIcon
ord711
SHFileOperationW
SHGetPathFromIDListW
ord753
ord733
ord67
SHCreateItemInKnownFolder
ord206
ord201
ord188
ord899
ShellExecuteExW
ord245
ord200
ord89
ord190
ord85
ord100
ord95
ord885
ord723
ord680
ord172
ord181

shlwapi

ord164
PathIsDirectoryW
ord413
ord548
ord163
ord467
AssocQueryKeyW
ChrCmpIW
PathIsRelativeW
AssocCreate

uxtheme

ord138
GetThemeInt
IsThemePartDefined
IsThemeActive
GetWindowTheme
BufferedPaintSetAlpha
GetBufferedPaintBits
IsCompositionActive
GetThemeColor
DrawThemeTextEx
ord126
BufferedPaintUnInit
GetThemePartSize
SetWindowTheme
EndBufferedPaint
GetThemeFont
OpenThemeDataForDpi
GetThemeMetric
ord86
IsAppThemed
BeginBufferedPaint
DrawThemeBackground
GetThemeBackgroundExtent
DrawThemeParentBackground
GetThemeBool
GetThemeMargins
CloseThemeData
OpenThemeData
BufferedPaintInit

dwmapi

DwmSetWindowAttribute
ord139
DwmRegisterThumbnail
ord138
ord141
ord140
ord113
DwmEnableBlurBehindWindow
DwmGetWindowAttribute
ord159
DwmQueryThumbnailSourceSize
ord124
DwmUpdateThumbnailProperties
DwmUnregisterThumbnail
ord114
DwmIsCompositionEnabled

user32

TrackMouseEvent
SetCapture
GetCapture
ReleaseCapture
GetDoubleClickTime
CalculatePopupWindowPosition
CopyIcon
GetLastInputInfo
GetCursorFrameInfo
AdjustWindowRect
GetDpiForWindow
SetWindowCompositionAttribute
SetGestureConfig
LoadImageW
CheckMenuItem
EnableMenuItem
RemoveMenu
SetMenuDefaultItem
TrackPopupMenuEx
GetSysColor
GetCaretBlinkTime
InjectKeyboardInput
MapVirtualKeyExW
InjectMouseInput
LockWorkStation
TileWindows
CascadeWindows
HungWindowFromGhostWindow
LoadIconW
IsIconic
GetKeyState
ExitWindowsEx
GetSystemMetricsForDpi
AdjustWindowRectEx
GetDC
ReleaseDC
CreatePopupMenu
GetMenuDefaultItem
DestroyMenu
LoadCursorW
SetCursor
SetMenuItemInfoW
MonitorFromWindow
DefWindowProcA
IsWindowUnicode
LoadAcceleratorsW
ChangeWindowMessageFilterEx
TranslateAcceleratorW
ord2611
MonitorFromRect
GetGuiResources
CopyImage
SendInput
SetDesktopColorTransform
UnregisterClassA
IsHungAppWindow
ord2574
SwitchToThisWindow
DeleteMenu
DestroyIcon
DrawTextW
LoadMenuW
ord2005
EndDialog
GetSubMenu
CreateIconIndirect
GetMenuItemCount
GetMenuItemInfoW
MonitorFromPoint
ReplyMessage
SendDlgItemMessageW
GetAsyncKeyState
ModifyMenuW
GetSystemMenu
GetSysColorBrush
SetLayeredWindowAttributes
GetIconInfoExW
GetIconInfo
GetClassWord
GetClassLongW
GetLastActivePopup
GetPhysicalCursorPos
GetCursorInfo
ShowWindowAsync
InsertMenuW
BringWindowToTop
ord2573
GhostWindowFromHungWindow
EndTask
IsTopLevelWindow
GetMenuState
SetScrollInfo
GetScrollInfo
SetScrollPos
GetMenuStringW
InternalGetWindowText
GetLayeredWindowAttributes
DrawTextExW
UnregisterHotKey
IsProcessDPIAware
SetThreadDpiAwarenessContext
GetWindowCompositionAttribute
GetWindowProcessHandle
UpdateLayeredWindow
ord2521
DrawIconEx
RegisterHotKey
UnregisterClassW
ord2522
WindowFromDC
GetMenuInfo
SetMenuInfo
GetDpiForSystem
GetWindowDpiAwarenessContext
AreDpiAwarenessContextsEqual
CharLowerW
IsCharAlphaNumericW
FillRect

sspicli

GetUserNameExW

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-localization-l1-2-2

LCIDToLocaleName

api-ms-win-core-kernel32-legacy-l1-1-1

VerifyVersionInfoW
PowerCreateRequest
PowerSetRequest

api-ms-win-oobe-notification-l1-1-0

OOBEComplete

api-ms-win-core-file-l2-1-2

CopyFileW

api-ms-win-core-kernel32-legacy-l1-1-2

SetTermsrvAppInstallMode

api-ms-win-shell-shdirectory-l1-1-0

ord292

api-ms-win-eventing-controller-l1-1-0

StopTraceW
EnableTraceEx2
StartTraceW

api-ms-win-core-job-l1-1-0

IsProcessInJob

rpcrt4

RpcBindingFromStringBindingW
RpcStringBindingComposeW
I_RpcExceptionFilter
RpcBindingSetAuthInfoExW
RpcStringFreeW
RpcBindingFree
NdrClientCall2

api-ms-win-appmodel-runtime-l1-1-3

GetStagedPackagePathByFullName2

api-ms-win-appmodel-unlock-l1-1-0

IsDeveloperModeEnabled

api-ms-win-core-biptcltapi-l1-1-7

BiPtEnumerateWorkItemsForPackageName
BiPtQueryWorkItem
BiPtAssociateApplicationEntryPoint
BiPtFreeMemory

api-ms-win-rtcore-ntuser-shell-l1-1-0

GetShellWindow

api-ms-win-ro-typeresolution-l1-1-1

RoCreatePropertySetSerializer

combase

GetErrorInfo
SetErrorInfo

Exports

Exports

g_trayTriageBlock

Sections

.text
Size: 3.1MB - Virtual size: 3.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.imrsiv
Size: - Virtual size: 4B

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 8KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 40KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 134KB - Virtual size: 133KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

055fd190f0655165f71e9bcf78d75f0c

Code Sign

33:00:00:04:15:82:95:a1:a3:d8:2e:28:57:00:00:00:00:04:15Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

ca:6b:e0:27:c1:c6:ce:2b:c4:5b:44:0c:ec:6d:2a:7a:22:7b:fd:a1:fc:27:a8:5b:b1:40:96:81:47:91:2d:a3Signer

Headers

DLL Characteristics

File Characteristics

Imports

msvcp_win

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-private-l1-1-0

aepic

twinapi

api-ms-win-core-job-l2-1-0

api-ms-win-core-windowserrorreporting-l1-1-3

api-ms-win-core-url-l1-1-0

api-ms-win-core-windowserrorreporting-l1-1-1

api-ms-win-core-kernel32-private-l1-1-0

api-ms-win-core-registryuserspecific-l1-1-0

api-ms-win-core-com-private-l1-1-0

api-ms-win-core-atoms-l1-1-0

api-ms-win-core-sidebyside-l1-1-0

ntdll

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

oleaut32

api-ms-win-shcore-taskpool-l1-1-0

api-ms-win-shcore-sysinfo-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-shlwapi-obsolete-l1-1-0

api-ms-win-shcore-obsolete-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-shcore-comhelpers-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-datetime-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-datetime-l1-1-1

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-shcore-registry-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-shcore-thread-l1-1-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-security-base-l1-1-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-core-version-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-localization-obsolete-l1-2-0

api-ms-win-core-string-l2-1-1

api-ms-win-core-processthreads-l1-1-3

api-ms-win-core-registry-l1-1-1

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-com-l1-1-1

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-path-l1-1-0

api-ms-win-shcore-unicodeansi-l1-1-0

api-ms-win-core-heap-obsolete-l1-1-0

33:00:00:04:15:82:95:a1:a3:d8:2e:28:57:00:00:00:00:04:15
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

ca:6b:e0:27:c1:c6:ce:2b:c4:5b:44:0c:ec:6d:2a:7a:22:7b:fd:a1:fc:27:a8:5b:b1:40:96:81:47:91:2d:a3
Signer