explorer[.]exe

Resubmissions

23/11/2023, 16:53

231123-vegv5sag84 1

Sharing

Copy URL Twitter E-mail

General

Target

explorer.exe
Size

4.8MB
MD5

390286bdebdb7f2347c9d17c89566f90
SHA1

5c6b4610ee539698cc1ec3f877381b67add8a822
SHA256

82bac4c586713def95a862bdd2c7e9300cbb54d7fb4553fb118d0824499cc044
SHA512

d8c87e32884737ab372bfea8e4ba999288e7733a9fc8bf377aa673a5f19ec7254c58a205544d33f8f1ebbef408c6cd857161243883b6d737c500a380c944e10d
SSDEEP

49152:ewzquQf8wIWjulew7IG/LBg4YWaG9q97T3BA56GlDiDEmERaDvhHlSS+9ow+96Ny:eRQCfvsEKfIbw8a0sY

Score

1^/10

Malware Config

Signatures

Files

explorer.exe
.exe windows:10 windows x64 arch:x64

d4f5dbed35754e9ab00b33c1d7392c24

Code Sign

33:00:00:03:8d:b0:bf:e1:b0:ca:33:b3:d4:00:00:00:00:03:8d
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

05/05/2022, 19:23

Not After

04/05/2023, 19:23

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

07:f7:5e:02:79:57:b6:f5:08:52:56:46:2d:dd:e2:35:21:d0:a9:f2:b0:67:8d:4c:e5:df:06:54:f7:0b:74:09
Signer

Actual PE Digest

07:f7:5e:02:79:57:b6:f5:08:52:56:46:2d:dd:e2:35:21:d0:a9:f2:b0:67:8d:4c:e5:df:06:54:f7:0b:74:09

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcp_win

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?peek@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAHXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?get@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAHXZ
?_ReportUnobservedException@details@Concurrency@@YAXXZ
_Cnd_wait
??0?$basic_iostream@GU?$char_traits@G@std@@@std@@QEAA@PEAV?$basic_streambuf@GU?$char_traits@G@std@@@1@@Z
??0?$basic_ios@GU?$char_traits@G@std@@@std@@IEAA@XZ
?setp@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXPEAG00@Z
?epptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?setg@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXPEAG00@Z
?egptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?eback@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?setp@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXPEAG0@Z
??0?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAA@XZ
?pbase@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?sputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAA_JPEBG_J@Z
?imbue@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAXAEBVlocale@2@@Z
?setbuf@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAPEAV12@PEAG_J@Z
?xsgetn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEAG_J@Z
?uflow@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAGXZ
?showmanyc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JXZ
?tolower@?$ctype@G@std@@QEBAPEBGPEAGPEBG@Z
?tolower@?$ctype@G@std@@QEBAGG@Z
?xsputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEBG_J@Z
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ
_Wcscoll
_Wcsxfrm
?id@?$collate@G@std@@2V0locale@2@A
_Thrd_yield
?id@?$ctype@G@std@@2V0locale@2@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
??0facet@locale@std@@IEAA@_K@Z
??1facet@locale@std@@MEAA@XZ
??0_Lockit@std@@QEAA@H@Z
??0_Locinfo@std@@QEAA@PEBD@Z
?c_str@?$_Yarn@D@std@@QEBAPEBDXZ
??1_Lockit@std@@QEAA@XZ
??1_Locinfo@std@@QEAA@XZ
?is@?$ctype@G@std@@QEBA_NFG@Z
?_Getcat@?$ctype@G@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Incref@facet@locale@std@@UEAAXXZ
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
??1?$basic_iostream@GU?$char_traits@G@std@@@std@@UEAA@XZ
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
??1?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAA@XZ
?gbump@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXH@Z
?pptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?gptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
??1?$basic_ios@GU?$char_traits@G@std@@@std@@UEAA@XZ
?_Lock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
?tie@?$basic_ios@GU?$char_traits@G@std@@@std@@QEBAPEAV?$basic_ostream@GU?$char_traits@G@std@@@2@XZ
?flush@?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAAEAV12@XZ
?_Unlock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
?uncaught_exception@std@@YA_NXZ
?good@ios_base@std@@QEBA_NXZ
?sync@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAHXZ
?_Osfx@?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAXXZ
?width@ios_base@std@@QEBA_JXZ
?flags@ios_base@std@@QEBAHXZ
?_Pninc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAPEAGXZ
?sputc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAAGG@Z
?rdbuf@?$basic_ios@GU?$char_traits@G@std@@@std@@QEBAPEAV?$basic_streambuf@GU?$char_traits@G@std@@@2@XZ
?fill@?$basic_ios@GU?$char_traits@G@std@@@std@@QEBAGXZ
?width@ios_base@std@@QEAA_J_J@Z
?setstate@?$basic_ios@GU?$char_traits@G@std@@@std@@QEAAXH_N@Z
_Mtx_unlock
_Mtx_lock
?_Xout_of_range@std@@YAXPEBD@Z
??Bid@locale@std@@QEAA_KXZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Xbad_alloc@std@@YAXXZ
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
?_Xbad_function_call@std@@YAXXZ
?__ExceptionPtrCreate@@YAXPEAX@Z
?__ExceptionPtrDestroy@@YAXPEAX@Z
?__ExceptionPtrAssign@@YAXPEAXPEBX@Z
?__ExceptionPtrCopy@@YAXPEAXPEBX@Z
?__ExceptionPtrCurrentException@@YAXPEAX@Z
?__ExceptionPtrRethrow@@YAXPEBX@Z
?__ExceptionPtrCopyException@@YAXPEAXPEBX1@Z
_Thrd_detach
?_Throw_C_error@std@@YAXH@Z
?_Throw_Cpp_error@std@@YAXH@Z
?_Xlength_error@std@@YAXPEBD@Z
_Thrd_join
_Thrd_id
_Cnd_do_broadcast_at_thread_exit

api-ms-win-crt-runtime-l1-1-0

_set_error_mode
_register_thread_local_exe_atexit_callback
_initterm
_c_exit
_initterm_e

api-ms-win-crt-time-l1-1-0

_time64

api-ms-win-crt-string-l1-1-0

strncmp
memset
wcsncmp
wcscmp
wcscspn

api-ms-win-crt-private-l1-1-0

_o_exit
_o_floor
_o_floorf
_o_fmod
_o_free
_o_iswspace
_o_lround
_o_lroundf
_o_malloc
_o_memcpy_s
_o_pow
_o_realloc
_o_sqrt
_o_terminate
_o_wcscat_s
_o_wcscpy_s
_o_wcsncpy_s
_o_wcstol
__C_specific_handler
__current_exception
__current_exception_context
__CxxFrameHandler3
_o__wtoi
_o__invalid_parameter_noinfo_noreturn
_o__wcsnicmp
_o__wcslwr_s
_o__wcsicmp
_o__invalid_parameter_noinfo
_o__initialize_wide_environment
_o__initialize_onexit_table
_o_ceilf
_o__set_new_mode
_o__set_fmode
_o__set_errno
_o__set_app_type
_o__seh_filter_exe
_o__register_onexit_function
_o__recalloc
_o_ceil
_o__purecall
_o__mktime64
_o_abort
_o__ltow_s
_o__get_wide_winmain_command_line
_o__get_errno
_o__localtime64
_o__exit
_o__errno
_o__difftime64
_o__crt_atexit
_o__configure_wide_argv
_o__configthreadlocale
_o__cexit
_o__beginthreadex
_o___stdio_common_vswprintf
_o___stdio_common_vsnwprintf_s
_o___stdio_common_vsnprintf_s
_o___std_exception_destroy
_o___std_exception_copy
_o__itow_s
_o__itoa_s
_o___p__commode
wcschr
wcsrchr
wcsstr
__std_terminate
__CxxFrameHandler4
_CxxThrowException
__C_specific_handler_noexcept
memcmp
memcpy
memmove

aepic

PicRetrieveFileInfo
PicFreeFileInfo

twinapi

ord9

api-ms-win-core-job-l2-1-0

OpenJobObjectW
QueryInformationJobObject
AssignProcessToJobObject
SetInformationJobObject
CreateJobObjectW

api-ms-win-core-windowserrorreporting-l1-1-3

RegisterApplicationRestart

api-ms-win-core-url-l1-1-0

UrlUnescapeW
PathIsURLW
HashData

api-ms-win-core-windowserrorreporting-l1-1-1

WerRegisterCustomMetadata
WerUnregisterCustomMetadata

api-ms-win-core-kernel32-private-l1-1-0

CheckElevation
CheckElevationEnabled

api-ms-win-core-registryuserspecific-l1-1-0

SHRegGetBoolUSValueW
SHRegGetUSValueW

api-ms-win-core-com-private-l1-1-0

CoRegisterMessageFilter
CoRevokeInitializeSpy
CoRegisterInitializeSpy

api-ms-win-core-atoms-l1-1-0

GlobalGetAtomNameW

api-ms-win-core-sidebyside-l1-1-0

DeactivateActCtx
ReleaseActCtx
ActivateActCtx
CreateActCtxW

ntdll

RtlQueryWnfStateData
RtlSubscribeWnfStateChangeNotification
RtlUnsubscribeWnfNotificationWaitForCompletion
NtClose
RtlCaptureContext
NtDeviceIoControlFile
NtOpenFile
RtlAnsiStringToUnicodeString
RtlImageDirectoryEntryToData
ZwUnmapViewOfSection
RtlNtPathNameToDosPathName
RtlUpcaseUnicodeChar
ZwCreateSection
RtlxAnsiStringToUnicodeSize
ZwQueryInformationProcess
RtlpEnsureBufferSize
RtlGetNativeSystemInformation
RtlVerifyVersionInfo
ZwQueryDirectoryFile
ZwSetInformationProcess
RtlInitUnicodeStringEx
ZwMapViewOfSection
RtlFormatCurrentUserKeyPath
ZwEnumerateKey
RtlInitString
ZwOpenFile
ZwQueryInformationFile
LdrResSearchResource
RtlReleaseSRWLockShared
RtlAcquireSRWLockShared
RtlReleaseSRWLockExclusive
RtlAcquireSRWLockExclusive
RtlInitUnicodeString
NtQueryWnfStateData
NtSetInformationProcess
NtQueryInformationProcess
RtlFlushHeaps
NtSetSystemInformation
RtlPublishWnfStateData
RtlGetDeviceFamilyInfoEnum
RtlLookupFunctionEntry
RtlVirtualUnwind
RtlAppendUnicodeToString
strchr
memmove_s
RtlDosPathNameToNtPathName_U_WithStatus
NtQueryInformationFile
ZwCreateFile
RtlAppendUnicodeStringToString
RtlFreeUnicodeString
ZwEnumerateValueKey
RtlReAllocateHeap
RtlAllocateHeap
RtlFreeHeap
RtlCompareUnicodeString
NtOpenProcessToken
ZwClose
WinSqmAddToStream
WinSqmIsOptedIn
NtQueryInformationToken
NtOpenThreadToken
wcsspn
ZwOpenKey
RtlRunOnceExecuteOnce
ZwQueryValueKey
ZwQuerySystemInformation
RtlCopyUnicodeString
RtlUpcaseUnicodeString
RtlGetVersion
RtlQueryResourcePolicy
RtlNtStatusToDosErrorNoTeb
NtSetThreadExecutionState
NtPowerInformation
VerSetConditionMask
RtlNtStatusToDosError

api-ms-win-core-libraryloader-l1-2-0

LoadStringW
LoadResource
GetModuleHandleA
LoadLibraryExW
FreeLibrary
GetModuleFileNameA
GetModuleHandleExW
FindResourceExW
GetModuleHandleW
GetModuleFileNameW
SizeofResource
FindStringOrdinal
GetProcAddress
LockResource

api-ms-win-core-synch-l1-2-0

InitOnceBeginInitialize
InitOnceComplete
Sleep
InitOnceExecuteOnce

api-ms-win-core-synch-l1-1-0

InitializeCriticalSection
CreateSemaphoreExW
OpenMutexW
DeleteCriticalSection
AcquireSRWLockShared
CreateMutexExW
CreateMutexW
InitializeSRWLock
WaitForMultipleObjectsEx
ReleaseSRWLockShared
ResetEvent
CreateEventExW
OpenSemaphoreW
WaitForSingleObjectEx
AcquireSRWLockExclusive
CreateEventW
SleepEx
EnterCriticalSection
ReleaseSRWLockExclusive
TryEnterCriticalSection
SetEvent
ReleaseMutex
InitializeCriticalSectionAndSpinCount
WaitForSingleObject
OpenEventW
InitializeCriticalSectionEx
LeaveCriticalSection
ReleaseSemaphore

api-ms-win-core-heap-l1-1-0

HeapAlloc
HeapFree
GetProcessHeap

api-ms-win-core-errorhandling-l1-1-0

RaiseException
SetLastError
GetLastError
UnhandledExceptionFilter
SetErrorMode
SetUnhandledExceptionFilter

api-ms-win-core-file-l1-1-0

GetFileAttributesW
FindFirstFileW
FindNextFileW
FindClose
CreateFileW
DeleteFileW
GetLongPathNameW
WriteFile

api-ms-win-eventing-provider-l1-1-0

EventRegister
EventActivityIdControl
EventWriteTransfer
EventUnregister
EventEnabled
EventWrite
EventSetInformation

api-ms-win-core-threadpool-l1-2-0

CloseThreadpoolTimer
SetThreadpoolTimer
CreateThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CreateThreadpoolWait
SetThreadpoolWait
CreateThreadpoolWork
WaitForThreadpoolWaitCallbacks
SubmitThreadpoolWork
TrySubmitThreadpoolCallback
CloseThreadpoolWait

api-ms-win-core-processthreads-l1-1-0

GetCurrentProcessId
GetCurrentThread
OpenProcessToken
QueueUserAPC
TlsSetValue
TerminateProcess
GetCurrentThreadId
DeleteProcThreadAttributeList
GetCurrentProcess
UpdateProcThreadAttribute
ProcessIdToSessionId
GetThreadPriority
CreateProcessW
SetThreadPriority
InitializeProcThreadAttributeList
TlsAlloc
TlsGetValue
OpenThread
TlsFree
GetProcessId
ResumeThread
GetPriorityClass
SetThreadPriorityBoost
SetPriorityClass
GetStartupInfoW
ExitProcess
OpenThreadToken
GetExitCodeProcess
SetProcessShutdownParameters
CreateThread

api-ms-win-core-localization-l1-2-0

GetCalendarInfoW
FormatMessageW
GetLocaleInfoEx
GetThreadUILanguage
GetLocaleInfoW

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
OutputDebugStringW
DebugBreak

api-ms-win-core-handle-l1-1-0

CloseHandle
DuplicateHandle

oleaut32

SafeArrayUnaccessData
SafeArrayDestroy
VariantInit
SafeArrayCreate
SysAllocString
SysStringLen
VariantClear
SafeArrayAccessData
VarUI4FromStr
SysAllocStringByteLen
SysFreeString

api-ms-win-shcore-taskpool-l1-1-0

SHTaskPoolQueueTask
SHTaskPoolGetUniqueContext

api-ms-win-shcore-sysinfo-l1-1-0

SetCurrentProcessExplicitAppUserModelID
IsOS

api-ms-win-core-com-l1-1-0

CoFreeUnusedLibraries
CoCreateFreeThreadedMarshaler
CoUninitialize
CoGetApartmentType
CoCancelCall
CoDisableCallCancellation
CoEnableCallCancellation
CoWaitForMultipleHandles
CoInitializeSecurity
CoTaskMemFree
CoCreateInstance
CoInitializeEx
CoGetCallContext
CoSetProxyBlanket
StringFromCLSID
CLSIDFromString
CoMarshalInterThreadInterfaceInStream
CoGetInterfaceAndReleaseStream
CoCreateGuid
CoRegisterClassObject
IIDFromString
StringFromIID
CoRevokeClassObject
CoReleaseMarshalData
CoGetStdMarshalEx
StringFromGUID2
CoGetMalloc
PropVariantClear
CoGetObjectContext
CoTaskMemRealloc
CoTaskMemAlloc
CreateStreamOnHGlobal

api-ms-win-core-shlwapi-obsolete-l1-1-0

StrChrIW
StrCmpNIW
StrToIntW
StrCmpW
QISearch
StrCmpNICW
StrCmpIW
StrCmpICA
StrChrW
StrCmpICW

api-ms-win-shcore-obsolete-l1-1-0

SHStrDupW

api-ms-win-core-registry-l1-1-0

RegLoadMUIStringW
RegDeleteTreeW
RegEnumKeyExW
RegDeleteKeyExW
RegQueryValueExW
RegCreateKeyExW
RegOpenCurrentUser
RegSetValueExW
RegGetValueW
RegEnumValueW
RegDeleteValueW
RegCloseKey
RegQueryInfoKeyW
RegOpenKeyExW

api-ms-win-shcore-comhelpers-l1-1-0

IUnknown_QueryService
IUnknown_GetSite
IUnknown_SetSite
IUnknown_Set

api-ms-win-core-heap-l2-1-0

LocalAlloc
LocalFree
GlobalFree
LocalReAlloc
GlobalAlloc

api-ms-win-core-processthreads-l1-1-1

GetProcessMitigationPolicy
OpenProcess
IsProcessorFeaturePresent

api-ms-win-core-datetime-l1-1-0

GetDateFormatW

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemDirectoryW
GetSystemTime
GetSystemTimeAsFileTime
GetLocalTime
GetWindowsDirectoryW
GetTickCount64
GetVersionExW

api-ms-win-core-datetime-l1-1-1

GetDateFormatEx
GetTimeFormatEx

api-ms-win-core-processenvironment-l1-1-0

SearchPathW
GetCommandLineW
GetCurrentDirectoryW
ExpandEnvironmentStringsW

api-ms-win-core-shlwapi-legacy-l1-1-0

PathFindExtensionW
PathGetDriveNumberW
PathFileExistsW
PathQuoteSpacesW
PathGetArgsW
PathFindFileNameW
PathRemoveBlanksW
PathCommonPrefixW
SHExpandEnvironmentStringsW
PathCombineW
PathIsFileSpecW
PathRemoveFileSpecW
PathParseIconLocationW

api-ms-win-shcore-registry-l1-1-0

SHDeleteValueW
SHRegGetValueW
SHDeleteKeyW
SHGetValueW
SHSetValueW
SHEnumKeyExW
SHQueryInfoKeyW

api-ms-win-core-string-l1-1-0

CompareStringW
WideCharToMultiByte
MultiByteToWideChar
CompareStringOrdinal

api-ms-win-core-winrt-string-l1-1-0

WindowsCompareStringOrdinal
WindowsSubstringWithSpecifiedLength
WindowsCreateString
WindowsGetStringRawBuffer
WindowsDeleteString
WindowsCreateStringReference
WindowsDuplicateString

api-ms-win-shcore-thread-l1-1-0

SHGetThreadRef
SetProcessReference
SHSetThreadRef
SHCreateThread
SHCreateThreadRef

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW
FindResourceW

api-ms-win-security-base-l1-1-0

SetKernelObjectSecurity
EqualSid
GetAce
DeleteAce
InitializeAcl
AddAce
FreeSid
AllocateAndInitializeSid
CreateWellKnownSid
CheckTokenMembership
DuplicateToken
MakeAbsoluteSD
GetTokenInformation
CopySid
GetLengthSid
IsValidSid
GetAclInformation
GetSecurityDescriptorDacl

api-ms-win-core-psapi-l1-1-0

K32GetModuleFileNameExW
K32EnumProcessModules
QueryFullProcessImageNameW
K32EnumProcesses
K32GetModuleBaseNameW

api-ms-win-core-version-l1-1-0

GetFileVersionInfoExW
GetFileVersionInfoSizeExW
VerQueryValueW

api-ms-win-eventing-classicprovider-l1-1-0

RegisterTraceGuidsW
GetTraceEnableLevel
GetTraceEnableFlags
GetTraceLoggerHandle
TraceMessage
UnregisterTraceGuids

api-ms-win-core-localization-obsolete-l1-2-0

GetUserDefaultUILanguage

api-ms-win-core-string-l2-1-1

SHLoadIndirectString

api-ms-win-core-processthreads-l1-1-3

SetThreadDescription
SetProcessInformation

api-ms-win-core-registry-l1-1-1

RegSetKeyValueW

api-ms-win-core-winrt-l1-1-0

RoUninitialize
RoInitialize
RoActivateInstance
RoGetActivationFactory

api-ms-win-core-com-l1-1-1

RoGetAgileReference

api-ms-win-core-winrt-error-l1-1-0

RoOriginateError
SetRestrictedErrorInfo

api-ms-win-core-winrt-error-l1-1-1

RoGetMatchingRestrictedErrorInfo

api-ms-win-core-path-l1-1-0

PathCchRemoveFileSpec
PathCchCombine
PathCchAppend
PathCchAddExtension
PathAllocCombine

api-ms-win-shcore-unicodeansi-l1-1-0

SHAnsiToUnicode

api-ms-win-core-heap-obsolete-l1-1-0

GlobalLock
GlobalUnlock

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpiW
lstrlenW

api-ms-win-core-memory-l1-1-0

MapViewOfFile
CreateFileMappingW
UnmapViewOfFile
VirtualFree
VirtualProtect
VirtualAlloc
OpenFileMappingW

api-ms-win-core-commandlinetoargv-l1-1-0

CommandLineToArgvW

api-ms-win-core-largeinteger-l1-1-0

MulDiv

api-ms-win-shcore-stream-l1-1-0

IStream_Reset
SHOpenRegStream2W
IStream_Write
SHCreateMemStream
SHCreateStreamOnFileEx
SHCreateStreamOnFileW
IStream_Read

api-ms-win-core-file-l1-2-0

GetTempPathW

api-ms-win-shcore-path-l1-1-0

ord170

api-ms-win-core-threadpool-legacy-l1-1-0

CreateTimerQueueTimer
UnregisterWaitEx
DeleteTimerQueueTimer
ChangeTimerQueueTimer

api-ms-win-core-sysinfo-l1-2-0

GetProductInfo

api-ms-win-core-localization-l1-2-3

GetUserDefaultGeoName

userenv

DeriveAppContainerSidFromAppContainerName
GetProfileType

api-ms-win-core-timezone-l1-1-0

SystemTimeToTzSpecificLocalTime
FileTimeToSystemTime
GetTimeZoneInformation
GetDynamicTimeZoneInformation
SystemTimeToFileTime

api-ms-win-core-kernel32-legacy-l1-1-0

RegisterWaitForSingleObject
GetComputerNameW
GetSystemPowerStatus

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead
InterlockedPushEntrySList

api-ms-win-stateseparation-helpers-l1-1-0

GetPersistedRegistryLocationW

api-ms-win-security-lsalookup-l2-1-0

LookupAccountNameW

api-ms-win-core-string-l2-1-0

CharNextW
CharLowerBuffW

api-ms-win-service-management-l2-1-0

NotifyServiceStatusChangeW
QueryServiceConfigW

api-ms-win-core-io-l1-1-0

CreateIoCompletionPort
GetQueuedCompletionStatus

api-ms-win-shcore-registry-l1-1-1

SHRegGetValueFromHKCUHKLM

api-ms-win-shcore-scaling-l1-1-1

GetDpiForMonitor
ord244

api-ms-win-core-errorhandling-l1-1-2

RaiseFailFastException

api-ms-win-core-stringansi-l1-1-0

CharNextA

api-ms-win-power-base-l1-1-0

CallNtPowerInformation
GetPwrCapabilities

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-shlwapi-winrt-storage-l1-1-1

StrRetToBufW
SHIsChildOrSelf
ord197
ord479
ord292
SHPinDllOfCLSID
ord279
ord165
IUnknown_GetWindow
StrRetToStrW
ord544
PathRemoveArgsW
AssocQueryStringW
ord478
ShellMessageBoxW
ord509
ord635
SHCreateWorkerWindowW
ord481

api-ms-win-ntuser-sysparams-l1-1-0

EnumDisplayMonitors
QueryDisplayConfig
GetSystemMetrics
GetDisplayConfigBufferSizes
SystemParametersInfoW
GetMonitorInfoW
EnumDisplayDevicesW

api-ms-win-ntuser-rectangle-l1-1-0

IntersectRect
InflateRect
OffsetRect
IsRectEmpty
EqualRect
UnionRect
SubtractRect
SetRectEmpty
PtInRect
SetRect
CopyRect

api-ms-win-rtcore-ntuser-winevent-l1-1-0

SetWinEventHook
NotifyWinEvent
UnhookWinEvent

api-ms-win-shell-namespace-l1-1-0

SHBindToParent
SHParseDisplayName
SHGetNameFromIDList
SHGetIDListFromObject
ILCloneFirst
ILCombine
ILGetSize
SHCreateItemFromIDList
SHBindToFolderIDListParent
ILIsParent
SHCreateItemFromParsingName
ILRemoveLastID
ILIsEqual
SHBindToObject
ILFindLastID
ILClone
ILFree

dxgi

DXGIDeclareAdapterRemovalSupport

api-ms-win-rtcore-ntuser-wmpointer-l1-1-0

EnableMouseInPointer
GetPointerType
GetCurrentInputMessageSource
GetPointerDevices
GetPointerInfo

api-ms-win-storage-exports-internal-l1-1-0

SHGetKnownFolderIDList
SHGetFolderPathEx
GetThreadFlags
SetThreadFlags

api-ms-win-rtcore-ntuser-synch-l1-1-0

MsgWaitForMultipleObjects
MsgWaitForMultipleObjectsEx

api-ms-win-appmodel-runtime-l1-1-0

GetPackageFullName
GetPackagesByPackageFamily

api-ms-win-rtcore-ntuser-wmpointer-l1-1-2

SetWindowFeedbackSetting

api-ms-win-rtcore-ntuser-clipboard-l1-1-0

RegisterClipboardFormatW

api-ms-win-shell-dataobject-l1-1-1

DragQueryFileW

api-ms-win-rtcore-ntuser-private-l1-1-0

GetWindowBand
CreateWindowInBand

api-ms-win-rtcore-ntuser-powermanagement-l1-1-0

UnregisterPowerSettingNotification
RegisterPowerSettingNotification

api-ms-win-shell-changenotify-l1-1-1

SHChangeNotifyRegister
SHHandleUpdateImage
SHChangeNotifyDeregister
SHChangeNotifyRegisterThread
SHChangeNotification_Unlock
SHChangeNotification_Lock

propsys

PropVariantToBoolean
PSCreateMemoryPropertyStore
PSGetPropertyFromPropertyStorage
InitVariantFromGUIDAsString
InitVariantFromResource
PSPropertyBag_WriteStr
PropVariantToStringAlloc
PropVariantToUInt32
PSPropertyBag_WriteDWORD

api-ms-win-shell-changenotify-l1-1-0

SHChangeNotify

api-ms-win-shell-dataobject-l1-1-0

SHCreateDataObject

api-ms-win-appmodel-runtime-l1-1-1

ParseApplicationUserModelId
FindPackagesByPackageFamily

wtsapi32

WTSUnRegisterSessionNotification
WTSRegisterSessionNotification

gdi32

SetTextAlign
GetTextMetricsW
ExtTextOutW
GetTextExtentPoint32W
CreateRectRgnIndirect
GetGlyphOutlineW
GetOutlineTextMetricsW
GetClipRgn
SelectClipRgn
CreateFontIndirectW
SelectObject
CreateCompatibleDC
DeleteDC
GetObjectW
DeleteObject
CombineRgn
OffsetRgn
SetRectRgn
CreateRectRgn
GetStockObject
GetDeviceCaps
SetTextColor
GetCurrentObject
GetClipBox
Rectangle
SetStretchBltMode
ExcludeClipRect
StretchBlt

kernel32

HeapDestroy
HeapReAlloc
HeapSize
GetModuleHandleExA
IsBadWritePtr
RtlCompareMemory

wininet

InternetCrackUrlW

shcore

ord142
ord200
ord184
ord186
ord187
ord123
ord190
ord191
ord121
ord174
ord109
ord126
ord213
ord183
ord210
ord192
ord1
SHUnicodeToAnsi
ord141
ord162

shell32

ord60
SHUpdateRecycleBinIcon
ord711
SHFileOperationW
SHGetPathFromIDListW
ord753
ord733
ord67
SHCreateItemInKnownFolder
ord206
ord201
ord188
ord896
ShellExecuteExW
ord245
ord61
ord89
ord190
ord85
ord100
SHAddToRecentDocs
SHEnableServiceObject
ord54
ord254
DuplicateIcon
SHGetStockIconInfo
ord6
Shell_NotifyIconGetRect
Shell_NotifyIconW
ord137
ord132
ord244
SHEvaluateSystemCommandTemplate
ord866
ord764
SHGetPropertyStoreForWindow
SHGetLocalizedName
ShellExecuteW
ord895
ord906
ord894
SHAppBarMessage
ord162
ord727
ord792
ord790
Shell_GetCachedImageIndexW
ord899
ord43
ord134
ord172
ord680
ord723
ord22
ord907
ord885
ord95
ord850
ord743
ord200
ord91
ExtractIconExW
ord181

shlwapi

AssocCreate
ord164
PathIsDirectoryW
ord413
ord548
ord163
ord467
AssocQueryKeyW
ChrCmpIW
PathIsRelativeW

uxtheme

IsAppThemed
IsCompositionActive
DrawThemeTextEx
IsThemePartDefined
GetThemeFont
GetThemeBackgroundExtent
GetThemeBool
OpenThemeData
OpenThemeDataForDpi
GetThemeMargins
ord138
BufferedPaintSetAlpha
ord126
GetThemePartSize
IsThemeActive
GetBufferedPaintBits
GetThemeInt
GetThemeColor
GetThemeMetric
SetWindowTheme
GetWindowTheme
BufferedPaintUnInit
EndBufferedPaint
BeginBufferedPaint
BufferedPaintInit
CloseThemeData
DrawThemeParentBackground
DrawThemeBackground
ord86

dwmapi

ord114
ord113
DwmRegisterThumbnail
DwmSetWindowAttribute
ord139
ord138
ord141
ord140
DwmGetWindowAttribute
ord159
DwmQueryThumbnailSourceSize
ord124
DwmUpdateThumbnailProperties
DwmUnregisterThumbnail
DwmEnableBlurBehindWindow
DwmIsCompositionEnabled

user32

SetScrollInfo
GetMenuState
IsTopLevelWindow
EndTask
GhostWindowFromHungWindow
ord2573
BringWindowToTop
InsertMenuW
ShowWindowAsync
GetCursorInfo
SetScrollPos
GetMenuStringW
InternalGetWindowText
GetLayeredWindowAttributes
GetPhysicalCursorPos
GetClassLongW
DrawTextExW
IsProcessDPIAware
SetThreadDpiAwarenessContext
GetWindowCompositionAttribute
GetWindowProcessHandle
GetClassLongPtrW
UpdateLayeredWindow
ord2521
UnregisterClassW
ord2522
GetClassWord
WindowFromDC
GetMenuInfo
SetMenuInfo
GetDpiForSystem
GetWindowDpiAwarenessContext
AreDpiAwarenessContextsEqual
CharLowerW
IsCharAlphaNumericW
GetIconInfo
GetLastActivePopup
GetIconInfoExW
SetLayeredWindowAttributes
GetSysColorBrush
GetSystemMenu
GetAsyncKeyState
UnregisterHotKey
RegisterHotKey
SendDlgItemMessageW
EndDialog
ReplyMessage
MonitorFromPoint
GetMenuItemInfoW
GetMenuItemCount
ExitWindowsEx
CreateIconIndirect
GetSubMenu
LoadMenuW
GetKeyState
DrawTextW
FillRect
DeleteMenu
TrackPopupMenuEx
SetMenuDefaultItem
RemoveMenu
EnableMenuItem
CheckMenuItem
LoadImageW
SetGestureConfig
AdjustWindowRectEx
GetDC
ReleaseDC
CreatePopupMenu
IsIconic
LoadIconW
GetSystemMetricsForDpi
ord2005
HungWindowFromGhostWindow
CascadeWindows
TileWindows
LockWorkStation
InjectMouseInput
MapVirtualKeyExW
TrackMouseEvent
SetCapture
GetCapture
InjectKeyboardInput
GetCaretBlinkTime
ReleaseCapture
GetSysColor
CopyImage
GetDoubleClickTime
CalculatePopupWindowPosition
CopyIcon
GetLastInputInfo
GetCursorFrameInfo
AdjustWindowRect
GetMenuDefaultItem
DestroyMenu
SendInput
SetDesktopColorTransform
UnregisterClassA
LoadCursorW
SetCursor
SetMenuItemInfoW
MonitorFromWindow
DefWindowProcA
IsWindowUnicode
LoadAcceleratorsW
ChangeWindowMessageFilterEx
TranslateAcceleratorW
ord2611
GetDpiForWindow
MonitorFromRect
GetGuiResources
GetScrollInfo
ord2574
IsHungAppWindow
ModifyMenuW
SetWindowCompositionAttribute
DestroyIcon
DrawIconEx
SwitchToThisWindow

sspicli

GetUserNameExW

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-localization-l1-2-2

LCIDToLocaleName

api-ms-win-core-kernel32-legacy-l1-1-1

VerifyVersionInfoW
PowerSetRequest
PowerCreateRequest

api-ms-win-oobe-notification-l1-1-0

OOBEComplete

api-ms-win-core-file-l2-1-2

CopyFileW

api-ms-win-core-kernel32-legacy-l1-1-2

SetTermsrvAppInstallMode

api-ms-win-shell-shdirectory-l1-1-0

ord292

api-ms-win-eventing-controller-l1-1-0

EnableTraceEx2
StopTraceW
StartTraceW

api-ms-win-core-job-l1-1-0

IsProcessInJob

rpcrt4

RpcBindingFree
NdrClientCall3
RpcStringFreeW
RpcBindingSetAuthInfoExW
I_RpcExceptionFilter
RpcStringBindingComposeW
RpcBindingFromStringBindingW

api-ms-win-appmodel-runtime-l1-1-3

GetStagedPackagePathByFullName2

api-ms-win-core-biptcltapi-l1-1-7

BiPtQueryWorkItem
BiPtEnumerateWorkItemsForPackageName
BiPtFreeMemory
BiPtAssociateApplicationEntryPoint

api-ms-win-rtcore-ntuser-shell-l1-1-0

GetShellWindow

api-ms-win-ro-typeresolution-l1-1-1

RoCreatePropertySetSerializer

combase

GetErrorInfo
SetErrorInfo

Exports

Exports

g_trayTriageBlock

Sections

.text
Size: 2.8MB - Virtual size: 2.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.imrsiv
Size: - Virtual size: 4B

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 644KB - Virtual size: 642KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 116KB - Virtual size: 114KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 20KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Signatures

Files

d4f5dbed35754e9ab00b33c1d7392c24

Code Sign

33:00:00:03:8d:b0:bf:e1:b0:ca:33:b3:d4:00:00:00:00:03:8dCertificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

07:f7:5e:02:79:57:b6:f5:08:52:56:46:2d:dd:e2:35:21:d0:a9:f2:b0:67:8d:4c:e5:df:06:54:f7:0b:74:09Signer

Headers

DLL Characteristics

File Characteristics

Imports

msvcp_win

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-private-l1-1-0

aepic

twinapi

api-ms-win-core-job-l2-1-0

api-ms-win-core-windowserrorreporting-l1-1-3

api-ms-win-core-url-l1-1-0

api-ms-win-core-windowserrorreporting-l1-1-1

api-ms-win-core-kernel32-private-l1-1-0

api-ms-win-core-registryuserspecific-l1-1-0

api-ms-win-core-com-private-l1-1-0

api-ms-win-core-atoms-l1-1-0

api-ms-win-core-sidebyside-l1-1-0

ntdll

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

oleaut32

api-ms-win-shcore-taskpool-l1-1-0

api-ms-win-shcore-sysinfo-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-shlwapi-obsolete-l1-1-0

api-ms-win-shcore-obsolete-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-shcore-comhelpers-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-datetime-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-datetime-l1-1-1

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-shcore-registry-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-shcore-thread-l1-1-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-security-base-l1-1-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-core-version-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-localization-obsolete-l1-2-0

api-ms-win-core-string-l2-1-1

api-ms-win-core-processthreads-l1-1-3

api-ms-win-core-registry-l1-1-1

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-com-l1-1-1

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-path-l1-1-0

api-ms-win-shcore-unicodeansi-l1-1-0

33:00:00:03:8d:b0:bf:e1:b0:ca:33:b3:d4:00:00:00:00:03:8d
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

07:f7:5e:02:79:57:b6:f5:08:52:56:46:2d:dd:e2:35:21:d0:a9:f2:b0:67:8d:4c:e5:df:06:54:f7:0b:74:09
Signer