explorer[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

explorer.exe
Size

5.1MB
MD5

8c667c6f7196bd7f81621824368d8321
SHA1

34294bea5fd55cb4716d16227f0dc59661e95300
SHA256

6a33947b40670d815b3dc7d1435fb0b432beca371fd5e05e2e5190aef337df9b
SHA512

2594e0767a3d94cb478d3b53767d04fbe4668535582e81d8ae4be3acce3f257c965a5b07b2863869664518c63d01f921354dfabdad380bf3fa7d522ab1de287a
SSDEEP

49152:qZltksUHBPd/rhcbeY9dquzJ1SXNUI7EKlkM1NyLqmgNHNqo6csgc/0jziKPTklh:gBUPpyJg3L6cDmYYw8a0cDm

Score

1^/10

Malware Config

Signatures

Files

explorer.exe
.exe windows:10 windows x64 arch:x64

6af5e52a7f35b8f4849dccb8bc4667e3

Code Sign

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

03-02-2023 00:05

Not After

01-02-2024 00:05

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19-10-2011 18:41

Not After

19-10-2026 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

99:e5:e0:98:0f:4b:00:d5:4f:bf:e6:83:bb:2f:d9:75:4b:66:4e:2d:e3:f0:5b:9b:bb:47:9a:c3:41:18:81:9e
Signer

Actual PE Digest

99:e5:e0:98:0f:4b:00:d5:4f:bf:e6:83:bb:2f:d9:75:4b:66:4e:2d:e3:f0:5b:9b:bb:47:9a:c3:41:18:81:9e

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcp_win

?_Xout_of_range@std@@YAXPEBD@Z
?__ExceptionPtrAssign@@YAXPEAXPEBX@Z
?__ExceptionPtrDestroy@@YAXPEAX@Z
?__ExceptionPtrCopy@@YAXPEAXPEBX@Z
?__ExceptionPtrCurrentException@@YAXPEAX@Z
?__ExceptionPtrCreate@@YAXPEAX@Z
?__ExceptionPtrRethrow@@YAXPEBX@Z
?__ExceptionPtrCopyException@@YAXPEAXPEBX1@Z
_Thrd_detach
?_Throw_C_error@std@@YAXH@Z
?_Throw_Cpp_error@std@@YAXH@Z
_Thrd_join
_Thrd_id
_Cnd_do_broadcast_at_thread_exit
??0?$basic_iostream@GU?$char_traits@G@std@@@std@@QEAA@PEAV?$basic_streambuf@GU?$char_traits@G@std@@@1@@Z
?setp@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXPEAG00@Z
?epptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?setg@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXPEAG00@Z
?egptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?eback@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
??0?$basic_ios@GU?$char_traits@G@std@@@std@@IEAA@XZ
?setp@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXPEAG0@Z
?pbase@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
??0?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAA@XZ
?sputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAA_JPEBG_J@Z
?imbue@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAXAEBVlocale@2@@Z
?setbuf@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAPEAV12@PEAG_J@Z
?xsgetn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEAG_J@Z
?uflow@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAGXZ
?showmanyc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JXZ
?tolower@?$ctype@G@std@@QEBAPEBGPEAGPEBG@Z
?_Xbad_alloc@std@@YAXXZ
?tolower@?$ctype@G@std@@QEBAGG@Z
?xsputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEBG_J@Z
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ
_Wcscoll
_Wcsxfrm
?_Xbad_function_call@std@@YAXXZ
??Bid@locale@std@@QEAA_KXZ
?id@?$ctype@G@std@@2V0locale@2@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
??0facet@locale@std@@IEAA@_K@Z
??1facet@locale@std@@MEAA@XZ
??0_Lockit@std@@QEAA@H@Z
??0_Locinfo@std@@QEAA@PEBD@Z
?c_str@?$_Yarn@D@std@@QEBAPEBDXZ
??1_Lockit@std@@QEAA@XZ
??1_Locinfo@std@@QEAA@XZ
?is@?$ctype@G@std@@QEBA_NFG@Z
?_Getcat@?$ctype@G@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Incref@facet@locale@std@@UEAAXXZ
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
??1?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAA@XZ
?gbump@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXH@Z
?pptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?gptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
??1?$basic_iostream@GU?$char_traits@G@std@@@std@@UEAA@XZ
??1?$basic_ios@GU?$char_traits@G@std@@@std@@UEAA@XZ
?_Lock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
?flush@?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAAEAV12@XZ
?tie@?$basic_ios@GU?$char_traits@G@std@@@std@@QEBAPEAV?$basic_ostream@GU?$char_traits@G@std@@@2@XZ
?_Unlock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
?uncaught_exception@std@@YA_NXZ
?good@ios_base@std@@QEBA_NXZ
?sync@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAHXZ
?_Osfx@?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAXXZ
?width@ios_base@std@@QEBA_JXZ
?flags@ios_base@std@@QEBAHXZ
?_Pninc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAPEAGXZ
?sputc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAAGG@Z
?rdbuf@?$basic_ios@GU?$char_traits@G@std@@@std@@QEBAPEAV?$basic_streambuf@GU?$char_traits@G@std@@@2@XZ
?fill@?$basic_ios@GU?$char_traits@G@std@@@std@@QEBAGXZ
?width@ios_base@std@@QEAA_J_J@Z
?setstate@?$basic_ios@GU?$char_traits@G@std@@@std@@QEAAXH_N@Z
_Mtx_init_in_situ
_Xtime_get_ticks
_Mtx_unlock
_Mtx_lock
_Mtx_destroy_in_situ
?_Xinvalid_argument@std@@YAXPEBD@Z
?_Xlength_error@std@@YAXPEBD@Z
?id@?$collate@G@std@@2V0locale@2@A

api-ms-win-crt-runtime-l1-1-0

_c_exit
_initterm_e
_initterm
_set_error_mode
_register_thread_local_exe_atexit_callback

api-ms-win-crt-time-l1-1-0

_time64

api-ms-win-crt-string-l1-1-0

wcsncmp
memset
wcscspn
wcscmp
strncmp

api-ms-win-crt-private-l1-1-0

_o_iswalnum
_o_iswspace
_o_malloc
_o_memcpy_s
_o_pow
_o_realloc
_o_roundf
_o_sqrt
_o_terminate
_o_toupper
_o_towlower
_o_wcscat_s
_o_wcscpy_s
_o_wcsncpy_s
_o_wcstol
__C_specific_handler
__CxxFrameHandler3
_o__wtoi
memmove
_o__set_new_mode
_o__set_fmode
_o_free
_o__set_errno
_o__set_app_type
_o__seh_filter_exe
_o__register_onexit_function
_o__recalloc
_o__purecall
_o__mktime64
_o_floor
_o_exit
_o_ceil
_o__wcsnicmp
_o_bsearch
_o__wcsicmp
_o__localtime64
_o__itow_s
_o__invalid_parameter_noinfo_noreturn
_o__invalid_parameter_noinfo
_o__initialize_wide_environment
_o__initialize_onexit_table
_o__get_wide_winmain_command_line
_o__get_errno
_o__exit
_o__errno
_o__difftime64
_o__crt_atexit
_o__configure_wide_argv
_o__configthreadlocale
_o__cexit
_o__beginthreadex
_o___stdio_common_vswscanf
_o___stdio_common_vswprintf
_o___stdio_common_vsnwprintf_s
_o___stdio_common_vsnprintf_s
_o___std_exception_destroy
_o___std_exception_copy
_o___p__commode
wcsstr
__std_terminate
__CxxFrameHandler4
_CxxThrowException
memcmp
memcpy

aepic

PicFreeFileInfo
PicRetrieveFileInfo

twinapi

ord9

api-ms-win-core-job-l2-1-0

SetInformationJobObject
CreateJobObjectW
AssignProcessToJobObject
QueryInformationJobObject

api-ms-win-core-windowserrorreporting-l1-1-3

RegisterApplicationRestart

api-ms-win-core-url-l1-1-0

UrlUnescapeW
HashData
PathIsURLW

api-ms-win-core-kernel32-private-l1-1-0

CheckElevation
CheckElevationEnabled

api-ms-win-core-registryuserspecific-l1-1-0

SHRegGetUSValueW
SHRegGetBoolUSValueW

api-ms-win-core-com-private-l1-1-0

CoRegisterMessageFilter

api-ms-win-core-atoms-l1-1-0

GlobalGetAtomNameW

api-ms-win-core-sidebyside-l1-1-0

DeactivateActCtx
ActivateActCtx
ReleaseActCtx
CreateActCtxW

ntdll

RtlGetVersion
RtlInitString
ZwQuerySystemInformation
RtlInitUnicodeString
RtlUpcaseUnicodeChar
RtlGetNativeSystemInformation
ZwQueryDirectoryFile
RtlpEnsureBufferSize
RtlNtPathNameToDosPathName
ZwEnumerateKey
RtlInitUnicodeStringEx
RtlFormatCurrentUserKeyPath
ZwCreateFile
ZwQueryInformationFile
ZwCreateSection
ZwQueryInformationProcess
ZwSetInformationProcess
RtlxAnsiStringToUnicodeSize
RtlAnsiStringToUnicodeString
ZwUnmapViewOfSection
ZwMapViewOfSection
LdrResSearchResource
RtlVerifyVersionInfo
RtlImageDirectoryEntryToData
RtlReleaseSRWLockShared
RtlAcquireSRWLockShared
RtlReleaseSRWLockExclusive
RtlAcquireSRWLockExclusive
wcsspn
RtlQueryResourcePolicy
NtOpenThreadToken
NtClose
NtQueryInformationToken
NtOpenProcessToken
RtlCompareUnicodeString
RtlFreeHeap
RtlAllocateHeap
wcschr
ZwOpenFile
wcsrchr
strchr
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlPublishWnfStateData
ZwQueryValueKey
NtSetSystemInformation
RtlFlushHeaps
NtQueryWnfStateData
RtlSubscribeWnfStateChangeNotification
RtlUnsubscribeWnfNotificationWaitForCompletion
RtlQueryWnfStateData
ZwOpenKey
RtlNtStatusToDosError
RtlCaptureContext
RtlGetDeviceFamilyInfoEnum
NtSetInformationProcess
NtQueryInformationProcess
ZwClose
RtlReAllocateHeap
RtlAppendUnicodeToString
RtlAppendUnicodeStringToString
RtlRunOnceExecuteOnce
RtlCopyUnicodeString
RtlUpcaseUnicodeString
RtlIsStateSeparationEnabled
RtlDosPathNameToNtPathName_U_WithStatus
RtlNtStatusToDosErrorNoTeb
RtlFreeUnicodeString
NtSetThreadExecutionState
VerSetConditionMask
WinSqmSetDWORD
WinSqmIsOptedIn
WinSqmAddToStreamEx

api-ms-win-core-libraryloader-l1-2-0

GetModuleHandleA
FindResourceExW
LoadResource
SizeofResource
GetModuleFileNameW
GetModuleHandleExW
GetProcAddress
FreeLibrary
LoadLibraryExW
LoadStringW
FindStringOrdinal
LockResource
GetModuleFileNameA
GetModuleHandleW

api-ms-win-core-synch-l1-2-0

Sleep
InitOnceBeginInitialize
InitOnceExecuteOnce
InitOnceComplete

api-ms-win-core-synch-l1-1-0

InitializeSRWLock
WaitForMultipleObjectsEx
OpenMutexW
InitializeCriticalSection
SetEvent
CreateEventW
CreateEventExW
DeleteCriticalSection
AcquireSRWLockShared
CreateMutexExW
TryEnterCriticalSection
OpenSemaphoreW
WaitForSingleObjectEx
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
ReleaseMutex
WaitForSingleObject
InitializeCriticalSectionEx
LeaveCriticalSection
OpenEventW
ReleaseSemaphore
EnterCriticalSection
CreateSemaphoreExW
ResetEvent
TryAcquireSRWLockExclusive
InitializeCriticalSectionAndSpinCount
SleepEx
CreateMutexW
ReleaseSRWLockShared

api-ms-win-core-heap-l1-1-0

HeapAlloc
GetProcessHeap
HeapFree

api-ms-win-core-errorhandling-l1-1-0

SetLastError
SetUnhandledExceptionFilter
RaiseException
SetErrorMode
GetLastError
UnhandledExceptionFilter

api-ms-win-core-file-l1-1-0

CompareFileTime
CreateFileW
GetLongPathNameW
FindClose
FindNextFileW
FindFirstFileW
WriteFile
DeleteFileW
GetFileAttributesW

api-ms-win-eventing-provider-l1-1-0

EventActivityIdControl
EventWriteTransfer
EventSetInformation
EventRegister
EventEnabled
EventWrite
EventUnregister
EventProviderEnabled

api-ms-win-core-registry-l1-1-0

RegEnumKeyExW
RegDeleteValueW
RegOpenCurrentUser
RegQueryValueExW
RegDeleteKeyExW
RegQueryInfoKeyW
RegDeleteTreeW
RegEnumValueW
RegSetValueExW
RegNotifyChangeKeyValue
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
RegGetValueW

api-ms-win-core-threadpool-l1-2-0

CreateThreadpoolWork
TrySubmitThreadpoolCallback
CloseThreadpoolWait
CreateThreadpoolWait
CloseThreadpoolTimer
WaitForThreadpoolTimerCallbacks
SubmitThreadpoolWork
CreateThreadpoolTimer
WaitForThreadpoolWaitCallbacks
SetThreadpoolTimer
SetThreadpoolWait

api-ms-win-core-processthreads-l1-1-0

QueueUserAPC
SetProcessShutdownParameters
ResumeThread
ExitProcess
GetStartupInfoW
SetThreadPriorityBoost
GetPriorityClass
ProcessIdToSessionId
TerminateProcess
GetExitCodeProcess
SetThreadPriority
OpenProcessToken
GetCurrentThread
OpenThreadToken
GetCurrentProcess
SetPriorityClass
GetThreadPriority
GetCurrentProcessId
GetProcessId
OpenThread
GetCurrentThreadId
CreateProcessW
CreateThread

api-ms-win-core-localization-l1-2-0

GetLocaleInfoEx
GetThreadUILanguage
GetUserDefaultLangID
GetLocaleInfoW
FormatMessageW
GetUserDefaultLocaleName
GetCalendarInfoW

api-ms-win-core-debug-l1-1-0

DebugBreak
OutputDebugStringW
IsDebuggerPresent

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

oleaut32

VarUI4FromStr
VariantInit
SafeArrayAccessData
SafeArrayCreate
SysAllocString
SafeArrayUnaccessData
SafeArrayDestroy
VariantClear
SysStringLen
SysAllocStringByteLen
SysFreeString

api-ms-win-shcore-taskpool-l1-1-0

SHTaskPoolGetUniqueContext
SHTaskPoolQueueTask

api-ms-win-shcore-sysinfo-l1-1-0

SetCurrentProcessExplicitAppUserModelID
IsOS

api-ms-win-core-com-l1-1-0

CoGetMalloc
CoCancelCall
CoReleaseMarshalData
CoRevokeClassObject
CoDisableCallCancellation
CoUninitialize
CoTaskMemFree
CoSetProxyBlanket
CoTaskMemRealloc
CoMarshalInterThreadInterfaceInStream
CoCreateGuid
CoInitializeEx
CoEnableCallCancellation
CoCreateInstance
CoGetStdMarshalEx
StringFromIID
IIDFromString
CreateStreamOnHGlobal
CoGetObjectContext
CLSIDFromString
CoInitializeSecurity
CoRegisterClassObject
CoWaitForMultipleHandles
CoGetApartmentType
CoIncrementMTAUsage
CoCreateFreeThreadedMarshaler
StringFromGUID2
CoGetInterfaceAndReleaseStream
CoTaskMemAlloc
CoFreeUnusedLibraries
PropVariantClear
CoGetCallContext

api-ms-win-core-shlwapi-obsolete-l1-1-0

StrCmpNICW
StrRChrW
StrStrIW
StrCmpICW
StrCmpW
StrChrIW
StrToIntW
StrCmpIW
StrChrW
StrCmpNIW
QISearch
StrCmpICA

api-ms-win-shcore-obsolete-l1-1-0

SHStrDupW
CommandLineToArgvW

api-ms-win-shcore-comhelpers-l1-1-0

IUnknown_GetSite
IUnknown_SetSite
IUnknown_QueryService
IUnknown_Set

api-ms-win-core-heap-l2-1-0

LocalFree
LocalAlloc
LocalReAlloc
GlobalAlloc
GlobalFree

api-ms-win-core-processthreads-l1-1-1

GetProcessMitigationPolicy
IsProcessorFeaturePresent
OpenProcess

api-ms-win-core-datetime-l1-1-0

GetDateFormatW

api-ms-win-core-sysinfo-l1-1-0

GetTickCount
GetSystemDirectoryW
GetSystemTime
GetSystemTimeAsFileTime
GetVersionExW
GetLocalTime
GetTickCount64
GetLogicalProcessorInformation
GetWindowsDirectoryW

api-ms-win-core-datetime-l1-1-1

GetTimeFormatEx
GetDateFormatEx

api-ms-win-core-processenvironment-l1-1-0

GetCommandLineW
SearchPathW
ExpandEnvironmentStringsW
GetCurrentDirectoryW

api-ms-win-core-shlwapi-legacy-l1-1-0

PathQuoteSpacesW
PathCombineW
PathRemoveBlanksW
PathParseIconLocationW
PathFindFileNameW
SHExpandEnvironmentStringsW
PathGetArgsW
PathFileExistsW
PathFindExtensionW
PathRemoveFileSpecW
PathGetDriveNumberW
PathCommonPrefixW
PathIsFileSpecW

api-ms-win-core-winrt-string-l1-1-0

WindowsCreateStringReference
WindowsGetStringLen
WindowsCompareStringOrdinal
WindowsDuplicateString
WindowsPreallocateStringBuffer
WindowsDeleteString
WindowsPromoteStringBuffer
WindowsDeleteStringBuffer
WindowsSubstringWithSpecifiedLength
WindowsGetStringRawBuffer
WindowsCreateString

api-ms-win-core-winrt-l1-1-0

RoInitialize
RoGetActivationFactory
RoUninitialize
RoActivateInstance

api-ms-win-shcore-registry-l1-1-0

SHDeleteKeyW
SHSetValueW
SHDeleteValueW
SHQueryInfoKeyW
SHEnumKeyExW
SHRegGetValueW
SHGetValueW

api-ms-win-core-string-l1-1-0

CompareStringW
MultiByteToWideChar
WideCharToMultiByte
CompareStringOrdinal

api-ms-win-shcore-thread-l1-1-0

SHCreateThreadRef
SHSetThreadRef
SetProcessReference
SHGetThreadRef
SHCreateThread

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpiW
lstrlenW

api-ms-win-security-base-l1-1-0

GetTokenInformation
EqualSid
GetAclInformation
GetAce
DeleteAce
InitializeAcl
CopySid
AddAce
MakeAbsoluteSD
SetKernelObjectSecurity
GetLengthSid
CreateWellKnownSid
CheckTokenMembership
DuplicateToken
IsValidSid

api-ms-win-eventing-classicprovider-l1-1-0

TraceMessage
GetTraceEnableFlags
RegisterTraceGuidsW
GetTraceLoggerHandle
GetTraceEnableLevel
UnregisterTraceGuids

api-ms-win-core-localization-obsolete-l1-2-0

GetUserDefaultUILanguage

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW
FindResourceW

api-ms-win-core-string-l2-1-1

SHLoadIndirectString

api-ms-win-core-errorhandling-l1-1-1

RemoveVectoredExceptionHandler

api-ms-win-core-registry-l1-1-1

RegDeleteKeyValueW
RegSetKeyValueW

api-ms-win-core-com-l1-1-1

RoGetAgileReference

api-ms-win-core-winrt-error-l1-1-0

RoOriginateError
RoTransformError
GetRestrictedErrorInfo
SetRestrictedErrorInfo
RoFailFastWithErrorContext

api-ms-win-core-winrt-error-l1-1-1

RoGetMatchingRestrictedErrorInfo
RoOriginateLanguageException

api-ms-win-core-path-l1-1-0

PathAllocCombine
PathCchCombine
PathCchRemoveFileSpec
PathCchAddExtension
PathCchAppend

api-ms-win-shcore-unicodeansi-l1-1-0

SHAnsiToUnicode

api-ms-win-core-heap-obsolete-l1-1-0

GlobalLock
GlobalUnlock

api-ms-win-core-processthreads-l1-1-3

SetProcessInformation
SetThreadDescription

api-ms-win-core-memory-l1-1-0

VirtualAlloc
MapViewOfFile
OpenFileMappingW
VirtualProtect
VirtualFree
CreateFileMappingW
UnmapViewOfFile

api-ms-win-core-largeinteger-l1-1-0

MulDiv

api-ms-win-shcore-stream-l1-1-0

IStream_Read
SHCreateStreamOnFileEx
SHCreateStreamOnFileW
SHCreateMemStream
IStream_Write
SHOpenRegStream2W
IStream_Reset

api-ms-win-core-file-l1-2-0

GetTempPathW

api-ms-win-core-psapi-l1-1-0

QueryFullProcessImageNameW

api-ms-win-shcore-path-l1-1-0

ord170

api-ms-win-core-threadpool-legacy-l1-1-0

UnregisterWaitEx
ChangeTimerQueueTimer
CreateTimerQueueTimer
DeleteTimerQueueTimer

api-ms-win-core-sysinfo-l1-2-0

GetProductInfo
GetOsSafeBootMode

api-ms-win-core-localization-l1-2-3

GetUserDefaultGeoName

userenv

DeriveAppContainerSidFromAppContainerName
GetProfileType

api-ms-win-core-timezone-l1-1-0

GetTimeZoneInformation
FileTimeToSystemTime
SystemTimeToFileTime
GetDynamicTimeZoneInformation
SystemTimeToTzSpecificLocalTime

api-ms-win-core-kernel32-legacy-l1-1-0

GetComputerNameW
RegisterWaitForSingleObject
GetSystemPowerStatus

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-interlocked-l1-1-0

InterlockedPushEntrySList
InitializeSListHead

api-ms-win-stateseparation-helpers-l1-1-0

GetPersistedRegistryLocationW

api-ms-win-security-lsalookup-l2-1-0

LookupAccountNameW

api-ms-win-core-string-l2-1-0

CharNextW
CharLowerBuffW

api-ms-win-service-management-l2-1-0

QueryServiceConfigW
NotifyServiceStatusChangeW

api-ms-win-core-io-l1-1-0

CreateIoCompletionPort
GetQueuedCompletionStatus

api-ms-win-core-sysinfo-l1-2-1

GetPhysicallyInstalledSystemMemory

api-ms-win-shcore-registry-l1-1-1

SHRegGetValueFromHKCUHKLM

api-ms-win-shcore-scaling-l1-1-1

ord244
GetDpiForMonitor

iphlpapi

GetNetworkConnectivityHint

api-ms-win-core-errorhandling-l1-1-2

RaiseFailFastException

api-ms-win-core-stringansi-l1-1-0

CharNextA

api-ms-win-power-base-l1-1-0

CallNtPowerInformation
PowerDeterminePlatformRoleEx
GetPwrCapabilities

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-shlwapi-winrt-storage-l1-1-1

ord165
ord509
ord292
SHCreateWorkerWindowW
ShellMessageBoxW
SHPinDllOfCLSID
StrRetToStrW
ord279
PathRemoveArgsW
ord197
SHIsChildOrSelf
ord635
AssocQueryStringW
ord478
ord479
StrRetToBufW
ord481
IUnknown_GetWindow
ord544

api-ms-win-ntuser-sysparams-l1-1-0

SystemParametersInfoW
EnumDisplayMonitors
GetSystemMetrics
EnumDisplayDevicesW
GetMonitorInfoW
GetDisplayConfigBufferSizes
QueryDisplayConfig

api-ms-win-ntuser-rectangle-l1-1-0

IsRectEmpty
IntersectRect
PtInRect
SetRectEmpty
OffsetRect
SubtractRect
InflateRect
CopyRect
UnionRect
EqualRect
SetRect

api-ms-win-rtcore-ntuser-winevent-l1-1-0

SetWinEventHook
NotifyWinEvent
UnhookWinEvent

api-ms-win-shell-namespace-l1-1-0

SHCreateItemFromIDList
SHBindToObject
ILClone
SHGetIDListFromObject
ILCloneFirst
SHBindToParent
ILIsParent
SHParseDisplayName
ILCombine
ILFindLastID
ILRemoveLastID
ILFree
SHGetNameFromIDList
SHBindToFolderIDListParent
SHCreateItemFromParsingName
ILIsEqual
ILGetSize

dxgi

DXGIDeclareAdapterRemovalSupport

api-ms-win-rtcore-ntuser-wmpointer-l1-1-0

GetPointerType
GetPointerDevices
GetPointerInfo
GetCurrentInputMessageSource
EnableMouseInPointer

api-ms-win-storage-exports-internal-l1-1-0

SHGetFolderPathEx
SetThreadFlags
SHGetKnownFolderIDList
GetThreadFlags

api-ms-win-rtcore-ntuser-synch-l1-1-0

MsgWaitForMultipleObjectsEx
MsgWaitForMultipleObjects

api-ms-win-appmodel-runtime-l1-1-0

GetPackageFullName
GetPackagesByPackageFamily

api-ms-win-rtcore-ntuser-wmpointer-l1-1-2

SetWindowFeedbackSetting

api-ms-win-rtcore-ntuser-clipboard-l1-1-0

RegisterClipboardFormatW

api-ms-win-rtcore-ntuser-private-l1-1-0

GetWindowBand
CreateWindowInBand

api-ms-win-rtcore-ntuser-powermanagement-l1-1-0

UnregisterPowerSettingNotification
RegisterPowerSettingNotification

propsys

InitVariantFromResource
InitVariantFromGUIDAsString
PropVariantToStringAlloc
PSPropertyBag_WriteDWORD
PropVariantToUInt32
PSPropertyBag_WriteStr
PSGetPropertyFromPropertyStorage
PSCreateMemoryPropertyStore
PropVariantToBoolean

coremessaging

CreateDispatcherQueueController

urlmon

URLOpenBlockingStreamW

api-ms-win-shell-changenotify-l1-1-0

SHChangeNotify

api-ms-win-shell-dataobject-l1-1-0

SHCreateDataObject

api-ms-win-appmodel-runtime-l1-1-1

ParseApplicationUserModelId
FindPackagesByPackageFamily

wtsapi32

WTSUnRegisterSessionNotification
WTSRegisterSessionNotification

gdi32

GetTextExtentPoint32W
GetStockObject
GetTextMetricsW
SetTextAlign
SetTextColor
CreateFontIndirectW
GetClipBox
SelectObject
CreateCompatibleDC
DeleteDC
GetGlyphOutlineW
GetObjectW
DeleteObject
GetOutlineTextMetricsW
CombineRgn
OffsetRgn
Rectangle
SetStretchBltMode
ExcludeClipRect
StretchBlt
GetClipRgn
SetRectRgn
CreateRectRgn
GetDeviceCaps
CreateRectRgnIndirect
SelectClipRgn
ExtTextOutW
GetCurrentObject

kernel32

IsBadWritePtr

rpcrt4

RpcStringBindingComposeW
I_RpcExceptionFilter
RpcBindingSetAuthInfoExW
RpcStringFreeW
UuidFromStringW
RpcBindingFree
NdrClientCall3
RpcBindingFromStringBindingW

wininet

InternetCrackUrlW

shcore

ord190
ord121
ord162
ord174
ord109
ord1
ord210
ord126
ord213
ord183
ord142
ord192
ord123
ord187
SHUnicodeToAnsi
ord200
ord184
ord186

shell32

ord680
ord723
ord885
ord95
ord743
ord907
ord43
Shell_GetCachedImageIndexW
ord790
ord792
ord727
ord162
SHAppBarMessage
ord894
ord193
ord906
ord895
ShellExecuteW
SHGetLocalizedName
SHGetPropertyStoreForWindow
ord764
ord866
SHEvaluateSystemCommandTemplate
ord181
ord244
ExtractIconExW
ord132
ord137
Shell_NotifyIconW
Shell_NotifyIconGetRect
ord6
SHGetStockIconInfo
DuplicateIcon
ord91
ord254
ord54
SHEnableServiceObject
ord61
ord896
SHAddToRecentDocs
ord60
SHUpdateRecycleBinIcon
ord2
ord711
ord4
SHGetPathFromIDListW
ord645
ord644
ord753
ord733
SHChangeNotifyRegisterThread
DragQueryFileW
ord67
SHCreateItemInKnownFolder
ord206
ord201
ord188
ord899
ShellExecuteExW
ord245
ord200
ord89
ord190
ord85
ord100
ord172
ord134
ord22
ord850
SHFileOperationW

shlwapi

ord164
PathIsDirectoryW
ord413
ord548
ord163
ord467
AssocQueryKeyW
ChrCmpIW
PathIsRelativeW
AssocCreate

uxtheme

DrawThemeTextEx
DrawThemeParentBackground
CloseThemeData
BufferedPaintInit
BeginBufferedPaint
ord86
IsCompositionActive
GetThemeBackgroundExtent
IsAppThemed
GetThemeFont
GetThemeBool
OpenThemeData
OpenThemeDataForDpi
GetThemeMargins
ord138
EndBufferedPaint
BufferedPaintSetAlpha
ord126
GetThemePartSize
IsThemeActive
GetBufferedPaintBits
GetThemeInt
BufferedPaintUnInit
GetWindowTheme
GetThemeColor
GetThemeMetric
SetWindowTheme
DrawThemeBackground

dwmapi

ord138
ord141
DwmRegisterThumbnail
ord140
DwmGetWindowAttribute
ord159
ord113
DwmEnableBlurBehindWindow
DwmIsCompositionEnabled
DwmQueryThumbnailSourceSize
DwmSetWindowAttribute
ord124
DwmUpdateThumbnailProperties
DwmUnregisterThumbnail
ord114
ord139

user32

IsTopLevelWindow
GetMenuState
SetScrollInfo
GetScrollInfo
SetScrollPos
GetMenuStringW
InternalGetWindowText
GetLayeredWindowAttributes
SetLayeredWindowAttributes
DrawTextExW
IsProcessDPIAware
SetThreadDpiAwarenessContext
GetWindowCompositionAttribute
GetWindowProcessHandle
GetClassLongPtrW
UpdateLayeredWindow
ord2521
GetIconInfoExW
GhostWindowFromHungWindow
GetSysColorBrush
GetSystemMenu
ModifyMenuW
GetAsyncKeyState
ReplyMessage
MonitorFromPoint
GetMenuItemInfoW
AdjustWindowRectEx
GetDC
ReleaseDC
MonitorFromWindow
IsIconic
CreatePopupMenu
GetMenuDefaultItem
DestroyMenu
LoadCursorW
SetCursor
SetMenuItemInfoW
DefWindowProcA
IsWindowUnicode
LoadAcceleratorsW
ChangeWindowMessageFilterEx
TranslateAcceleratorW
ord2611
MonitorFromRect
GetGuiResources
IsHungAppWindow
ord2574
SwitchToThisWindow
GetLastActivePopup
UnregisterHotKey
RegisterHotKey
SendDlgItemMessageW
EndDialog
ord2573
GetKeyState
LoadIconW
HungWindowFromGhostWindow
CascadeWindows
TileWindows
LockWorkStation
InjectMouseInput
UnregisterClassW
ord2522
GetMenuInfo
MapVirtualKeyExW
SetMenuInfo
GetDpiForSystem
GetWindowDpiAwarenessContext
AreDpiAwarenessContextsEqual
CharLowerW
IsCharAlphaNumericW
InjectKeyboardInput
GetCaretBlinkTime
GetSysColor
CopyImage
DestroyIcon
DrawIconEx
BringWindowToTop
GetSystemMetricsForDpi
ord2005
TrackMouseEvent
SetCapture
GetCapture
GetIconInfo
GetClassWord
GetClassLongW
GetPhysicalCursorPos
GetCursorInfo
ShowWindowAsync
ReleaseCapture
GetDoubleClickTime
CalculatePopupWindowPosition
CopyIcon
GetLastInputInfo
AdjustWindowRect
GetDpiForWindow
EndTask
InsertMenuW
SetWindowCompositionAttribute
SetGestureConfig
UnregisterClassA
PostThreadMessageW
LoadImageW
CheckMenuItem
EnableMenuItem
ExitWindowsEx
RemoveMenu
SetMenuDefaultItem
TrackPopupMenuEx
DeleteMenu
FillRect
DrawTextW
LoadMenuW
GetSubMenu
CreateIconIndirect
GetMenuItemCount

sspicli

GetUserNameExW

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-kernel32-legacy-l1-1-1

PowerSetRequest
PowerCreateRequest
VerifyVersionInfoW

api-ms-win-security-isolatedcontainer-l1-1-1

IsProcessInWDAGContainer

api-ms-win-core-file-l2-1-2

CopyFileW

api-ms-win-core-synch-l1-2-1

WaitForMultipleObjects

api-ms-win-core-kernel32-legacy-l1-1-2

SetTermsrvAppInstallMode

api-ms-win-shell-shdirectory-l1-1-0

ord292

api-ms-win-eventing-controller-l1-1-0

StopTraceW
EnableTraceEx2
StartTraceW

api-ms-win-appmodel-runtime-l1-1-3

GetStagedPackagePathByFullName2

api-ms-win-core-biptcltapi-l1-1-7

BiPtFreeMemory
BiPtQueryWorkItem
BiPtAssociateApplicationEntryPoint
BiPtEnumerateWorkItemsForPackageName

api-ms-win-crt-math-l1-1-0

floorf
ceilf

Sections

.text
Size: 2.8MB - Virtual size: 2.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.imrsiv
Size: - Virtual size: 4B

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 721KB - Virtual size: 720KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 11KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 125KB - Virtual size: 124KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1.3MB - Virtual size: 1.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 20KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

6af5e52a7f35b8f4849dccb8bc4667e3

Code Sign

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

99:e5:e0:98:0f:4b:00:d5:4f:bf:e6:83:bb:2f:d9:75:4b:66:4e:2d:e3:f0:5b:9b:bb:47:9a:c3:41:18:81:9eSigner

Headers

DLL Characteristics

File Characteristics

Imports

msvcp_win

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-private-l1-1-0

aepic

twinapi

api-ms-win-core-job-l2-1-0

api-ms-win-core-windowserrorreporting-l1-1-3

api-ms-win-core-url-l1-1-0

api-ms-win-core-kernel32-private-l1-1-0

api-ms-win-core-registryuserspecific-l1-1-0

api-ms-win-core-com-private-l1-1-0

api-ms-win-core-atoms-l1-1-0

api-ms-win-core-sidebyside-l1-1-0

ntdll

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

oleaut32

api-ms-win-shcore-taskpool-l1-1-0

api-ms-win-shcore-sysinfo-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-shlwapi-obsolete-l1-1-0

api-ms-win-shcore-obsolete-l1-1-0

api-ms-win-shcore-comhelpers-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-datetime-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-datetime-l1-1-1

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-shcore-registry-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-shcore-thread-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-localization-obsolete-l1-2-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-string-l2-1-1

api-ms-win-core-errorhandling-l1-1-1

api-ms-win-core-registry-l1-1-1

api-ms-win-core-com-l1-1-1

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-path-l1-1-0

api-ms-win-shcore-unicodeansi-l1-1-0

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-core-processthreads-l1-1-3

api-ms-win-core-memory-l1-1-0

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

99:e5:e0:98:0f:4b:00:d5:4f:bf:e6:83:bb:2f:d9:75:4b:66:4e:2d:e3:f0:5b:9b:bb:47:9a:c3:41:18:81:9e
Signer