explorer[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

explorer.exe
Size

5.3MB
MD5

02280f4613e3d8eb6579d79ab7a182ca
SHA1

f25e92edc0cab5e7446a302863802f3879b27bd9
SHA256

81d8ea67d17bf48524c82d576f8ddaddb37a218d0566fd7f0aab8b8fbd03f193
SHA512

6e272bff5ec67bff338b4e4cddd3785a5ba1a6c335794694ef327b7123b512095b5b5d3906bcd68faf65598b19b10fe61d3e3d555365448894a4c397a08f979f
SSDEEP

49152:9nt8dGQkhnciqbQsS9LkGqClsZ2Hju8jlTNPI0XAmwraNffkizY1WgDGJHK2nl+U:9uKTvpBIADttkixx+skOw8a0cD5v+

Score

1^/10

Malware Config

Signatures

Files

explorer.exe
.exe windows:10 windows x64 arch:x64

d9331de21d79b248bbfdf28f82fe85e1

Code Sign

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

03/02/2023, 00:05

Not After

01/02/2024, 00:05

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

f7:9b:3d:d3:bb:85:0e:18:42:ae:c2:f8:b5:38:dc:86:52:42:36:4c:ea:33:e0:ae:27:d6:94:e6:16:f9:54:ba
Signer

Actual PE Digest

f7:9b:3d:d3:bb:85:0e:18:42:ae:c2:f8:b5:38:dc:86:52:42:36:4c:ea:33:e0:ae:27:d6:94:e6:16:f9:54:ba

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

msvcp_win

?_Xbad_function_call@std@@YAXXZ
?__ExceptionPtrAssign@@YAXPEAXPEBX@Z
?__ExceptionPtrDestroy@@YAXPEAX@Z
?__ExceptionPtrCopy@@YAXPEAXPEBX@Z
?__ExceptionPtrCurrentException@@YAXPEAX@Z
?__ExceptionPtrCreate@@YAXPEAX@Z
?__ExceptionPtrRethrow@@YAXPEBX@Z
?__ExceptionPtrCopyException@@YAXPEAXPEBX1@Z
_Thrd_detach
?_Throw_C_error@std@@YAXH@Z
?_Throw_Cpp_error@std@@YAXH@Z
_Thrd_join
_Thrd_id
_Cnd_do_broadcast_at_thread_exit
??0?$basic_iostream@GU?$char_traits@G@std@@@std@@QEAA@PEAV?$basic_streambuf@GU?$char_traits@G@std@@@1@@Z
?setp@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXPEAG00@Z
?epptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?setg@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXPEAG00@Z
?egptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?eback@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
??0?$basic_ios@GU?$char_traits@G@std@@@std@@IEAA@XZ
?setp@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXPEAG0@Z
?pbase@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
??0?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAA@XZ
?sputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAA_JPEBG_J@Z
?imbue@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAXAEBVlocale@2@@Z
?setbuf@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAPEAV12@PEAG_J@Z
?xsgetn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEAG_J@Z
?uflow@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAGXZ
?showmanyc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JXZ
?tolower@?$ctype@G@std@@QEBAPEBGPEAGPEBG@Z
?_Xbad_alloc@std@@YAXXZ
?tolower@?$ctype@G@std@@QEBAGG@Z
?xsputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEBG_J@Z
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ
_Wcscoll
_Wcsxfrm
?_Xout_of_range@std@@YAXPEBD@Z
??Bid@locale@std@@QEAA_KXZ
?id@?$ctype@G@std@@2V0locale@2@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
??0facet@locale@std@@IEAA@_K@Z
??1facet@locale@std@@MEAA@XZ
??0_Lockit@std@@QEAA@H@Z
??0_Locinfo@std@@QEAA@PEBD@Z
?c_str@?$_Yarn@D@std@@QEBAPEBDXZ
??1_Lockit@std@@QEAA@XZ
??1_Locinfo@std@@QEAA@XZ
?is@?$ctype@G@std@@QEBA_NFG@Z
?_Getcat@?$ctype@G@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Incref@facet@locale@std@@UEAAXXZ
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
??1?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAA@XZ
?gbump@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXH@Z
?pptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?gptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
??1?$basic_iostream@GU?$char_traits@G@std@@@std@@UEAA@XZ
??1?$basic_ios@GU?$char_traits@G@std@@@std@@UEAA@XZ
?_Lock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
?flush@?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAAEAV12@XZ
?tie@?$basic_ios@GU?$char_traits@G@std@@@std@@QEBAPEAV?$basic_ostream@GU?$char_traits@G@std@@@2@XZ
?_Unlock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
?uncaught_exception@std@@YA_NXZ
?good@ios_base@std@@QEBA_NXZ
?sync@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAHXZ
?_Osfx@?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAXXZ
?width@ios_base@std@@QEBA_JXZ
?flags@ios_base@std@@QEBAHXZ
?_Pninc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAPEAGXZ
?sputc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAAGG@Z
?rdbuf@?$basic_ios@GU?$char_traits@G@std@@@std@@QEBAPEAV?$basic_streambuf@GU?$char_traits@G@std@@@2@XZ
?fill@?$basic_ios@GU?$char_traits@G@std@@@std@@QEBAGXZ
?width@ios_base@std@@QEAA_J_J@Z
?setstate@?$basic_ios@GU?$char_traits@G@std@@@std@@QEAAXH_N@Z
_Mtx_init_in_situ
_Xtime_get_ticks
_Mtx_unlock
_Mtx_lock
_Mtx_destroy_in_situ
?_Xinvalid_argument@std@@YAXPEBD@Z
?_Xlength_error@std@@YAXPEBD@Z
?id@?$collate@G@std@@2V0locale@2@A

api-ms-win-crt-runtime-l1-1-0

_initterm
_initterm_e
_register_thread_local_exe_atexit_callback
_c_exit
_set_error_mode

api-ms-win-crt-time-l1-1-0

_time64

api-ms-win-crt-string-l1-1-0

wcsncmp
memset
wcscmp
wcscspn
strncmp

api-ms-win-crt-private-l1-1-0

_o_iswalnum
_o_iswspace
_o_malloc
_o_memcpy_s
_o_pow
_o_realloc
_o_roundf
_o_sqrt
_o_terminate
_o_toupper
_o_towlower
_o_wcscat_s
_o_wcscpy_s
_o_wcsncpy_s
_o_wcstol
_o_wcstoll
__C_specific_handler
__CxxFrameHandler3
_o__wtoi
memmove
_o__set_new_mode
_o__set_fmode
_o__set_errno
_o__set_app_type
_o__seh_filter_exe
_o_free
_o__register_onexit_function
_o__recalloc
_o__purecall
_o__mktime64
_o_floor
_o_exit
_o__wcsnicmp
_o_ceil
_o__localtime64
_o__wcsicmp
_o_bsearch
_o__itow_s
_o__invalid_parameter_noinfo_noreturn
_o__invalid_parameter_noinfo
_o__initialize_wide_environment
_o__initialize_onexit_table
_o__get_wide_winmain_command_line
_o__get_errno
_o__exit
_o__errno
_o__difftime64
_o__crt_atexit
_o__configure_wide_argv
_o__configthreadlocale
_o__cexit
_o__beginthreadex
_o___stdio_common_vswscanf
_o___stdio_common_vswprintf
_o___stdio_common_vsnwprintf_s
_o___stdio_common_vsnprintf_s
_o___std_exception_destroy
_o___std_exception_copy
_o___p__commode
wcsstr
__std_terminate
__CxxFrameHandler4
_CxxThrowException
memcmp
memcpy

aepic

PicFreeFileInfo
PicRetrieveFileInfo

twinapi

ord9

api-ms-win-core-job-l2-1-0

SetInformationJobObject
AssignProcessToJobObject
QueryInformationJobObject
CreateJobObjectW

api-ms-win-core-windowserrorreporting-l1-1-3

RegisterApplicationRestart

api-ms-win-core-url-l1-1-0

HashData
UrlUnescapeW
PathIsURLW

api-ms-win-core-kernel32-private-l1-1-0

CheckElevationEnabled
CheckElevation

api-ms-win-core-registryuserspecific-l1-1-0

SHRegGetUSValueW
SHRegGetBoolUSValueW

api-ms-win-core-com-private-l1-1-0

CoRegisterMessageFilter

api-ms-win-core-atoms-l1-1-0

GlobalGetAtomNameW

api-ms-win-core-sidebyside-l1-1-0

ReleaseActCtx
ActivateActCtx
CreateActCtxW
DeactivateActCtx

ntdll

RtlGetVersion
RtlInitString
ZwQuerySystemInformation
RtlInitUnicodeString
RtlUpcaseUnicodeChar
RtlGetNativeSystemInformation
ZwQueryDirectoryFile
RtlpEnsureBufferSize
RtlNtPathNameToDosPathName
ZwEnumerateKey
RtlInitUnicodeStringEx
RtlFormatCurrentUserKeyPath
ZwCreateFile
ZwQueryInformationFile
ZwCreateSection
ZwQueryInformationProcess
ZwSetInformationProcess
RtlxAnsiStringToUnicodeSize
RtlAnsiStringToUnicodeString
ZwUnmapViewOfSection
ZwMapViewOfSection
LdrResSearchResource
RtlVerifyVersionInfo
RtlImageDirectoryEntryToData
RtlReleaseSRWLockShared
RtlAcquireSRWLockShared
RtlReleaseSRWLockExclusive
RtlAcquireSRWLockExclusive
wcsspn
RtlQueryResourcePolicy
NtOpenThreadToken
NtClose
NtQueryInformationToken
NtOpenProcessToken
RtlCompareUnicodeString
RtlFreeHeap
RtlAllocateHeap
wcschr
ZwOpenFile
wcsrchr
strchr
RtlVirtualUnwind
RtlLookupFunctionEntry
RtlPublishWnfStateData
ZwQueryValueKey
NtSetSystemInformation
RtlFlushHeaps
NtQueryWnfStateData
RtlSubscribeWnfStateChangeNotification
RtlUnsubscribeWnfNotificationWaitForCompletion
RtlQueryWnfStateData
ZwOpenKey
RtlNtStatusToDosError
RtlCaptureContext
RtlGetDeviceFamilyInfoEnum
NtSetInformationProcess
NtQueryInformationProcess
ZwClose
RtlReAllocateHeap
RtlAppendUnicodeToString
RtlAppendUnicodeStringToString
RtlRunOnceExecuteOnce
RtlCopyUnicodeString
RtlUpcaseUnicodeString
RtlIsStateSeparationEnabled
RtlDosPathNameToNtPathName_U_WithStatus
RtlNtStatusToDosErrorNoTeb
RtlFreeUnicodeString
NtSetThreadExecutionState
VerSetConditionMask
WinSqmSetDWORD
WinSqmIsOptedIn
WinSqmAddToStreamEx

api-ms-win-core-libraryloader-l1-2-0

FindResourceExW
GetModuleHandleExW
FindStringOrdinal
LoadResource
LoadStringW
FreeLibrary
LockResource
GetProcAddress
LoadLibraryExW
GetModuleFileNameW
GetModuleHandleW
SizeofResource
GetModuleFileNameA
GetModuleHandleA

api-ms-win-core-synch-l1-2-0

InitOnceBeginInitialize
InitOnceExecuteOnce
InitOnceComplete
Sleep

api-ms-win-core-synch-l1-1-0

CreateEventW
SetEvent
OpenEventW
InitializeSRWLock
WaitForMultipleObjectsEx
InitializeCriticalSection
OpenMutexW
DeleteCriticalSection
AcquireSRWLockShared
CreateMutexExW
ReleaseSRWLockShared
OpenSemaphoreW
WaitForSingleObjectEx
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
ReleaseMutex
WaitForSingleObject
InitializeCriticalSectionEx
LeaveCriticalSection
TryEnterCriticalSection
ReleaseSemaphore
EnterCriticalSection
CreateSemaphoreExW
InitializeCriticalSectionAndSpinCount
ResetEvent
CreateMutexW
SleepEx
TryAcquireSRWLockExclusive
CreateEventExW

api-ms-win-core-heap-l1-1-0

HeapAlloc
GetProcessHeap
HeapFree

api-ms-win-core-errorhandling-l1-1-0

GetLastError
RaiseException
SetLastError
UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetErrorMode

api-ms-win-core-file-l1-1-0

GetLongPathNameW
CompareFileTime
FindNextFileW
FindFirstFileW
GetFileAttributesW
DeleteFileW
WriteFile
CreateFileW
FindClose

api-ms-win-eventing-provider-l1-1-0

EventWrite
EventRegister
EventWriteTransfer
EventSetInformation
EventEnabled
EventActivityIdControl
EventUnregister
EventProviderEnabled

api-ms-win-core-registry-l1-1-0

RegSetValueExW
RegQueryValueExW
RegDeleteValueW
RegOpenCurrentUser
RegCreateKeyExW
RegEnumKeyExW
RegGetValueW
RegNotifyChangeKeyValue
RegQueryInfoKeyW
RegDeleteTreeW
RegOpenKeyExW
RegEnumValueW
RegCloseKey
RegDeleteKeyExW

api-ms-win-core-threadpool-l1-2-0

WaitForThreadpoolWaitCallbacks
SetThreadpoolWait
CloseThreadpoolWait
WaitForThreadpoolTimerCallbacks
CreateThreadpoolWait
CloseThreadpoolTimer
TrySubmitThreadpoolCallback
CreateThreadpoolWork
SetThreadpoolTimer
CreateThreadpoolTimer
SubmitThreadpoolWork

api-ms-win-core-processthreads-l1-1-0

QueueUserAPC
SetProcessShutdownParameters
GetCurrentProcessId
ResumeThread
ExitProcess
GetStartupInfoW
GetPriorityClass
SetThreadPriorityBoost
SetPriorityClass
SetThreadPriority
CreateProcessW
TerminateProcess
OpenThread
ProcessIdToSessionId
GetExitCodeProcess
OpenProcessToken
GetCurrentThread
GetThreadPriority
GetProcessId
OpenThreadToken
GetCurrentProcess
GetCurrentThreadId
CreateThread

api-ms-win-core-localization-l1-2-0

GetUserDefaultLangID
GetThreadUILanguage
GetGeoInfoW
GetCalendarInfoW
GetLocaleInfoW
FormatMessageW
GetLocaleInfoEx
GetUserDefaultLocaleName

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
DebugBreak
IsDebuggerPresent

api-ms-win-core-handle-l1-1-0

CloseHandle
DuplicateHandle

oleaut32

VariantInit
VarUI4FromStr
SysStringLen
SafeArrayAccessData
SafeArrayCreate
SysAllocString
SafeArrayUnaccessData
SafeArrayDestroy
VariantClear
SysFreeString
SysAllocStringByteLen

api-ms-win-shcore-taskpool-l1-1-0

SHTaskPoolGetUniqueContext
SHTaskPoolQueueTask

api-ms-win-shcore-sysinfo-l1-1-0

SetCurrentProcessExplicitAppUserModelID
IsOS

api-ms-win-core-com-l1-1-0

IIDFromString
StringFromIID
CoGetObjectContext
CoTaskMemFree
StringFromGUID2
CoReleaseMarshalData
CoTaskMemRealloc
CoGetInterfaceAndReleaseStream
CoCreateGuid
CoDisableCallCancellation
CoGetCallContext
CoTaskMemAlloc
CoCancelCall
CoUninitialize
CoInitializeEx
CoSetProxyBlanket
CoCreateInstance
CoGetStdMarshalEx
CoRegisterClassObject
CoEnableCallCancellation
CoInitializeSecurity
CLSIDFromString
CoWaitForMultipleHandles
CoGetApartmentType
CoMarshalInterThreadInterfaceInStream
CoCreateFreeThreadedMarshaler
CreateStreamOnHGlobal
CoGetMalloc
CoRevokeClassObject
CoFreeUnusedLibraries
PropVariantClear
CoIncrementMTAUsage

api-ms-win-core-shlwapi-obsolete-l1-1-0

StrRChrW
StrStrIW
QISearch
StrChrW
StrCmpIW
StrCmpW
StrChrIW
StrToIntW
StrCmpNICW
StrCmpNIW
StrCmpICA
StrCmpICW

api-ms-win-shcore-obsolete-l1-1-0

CommandLineToArgvW
SHStrDupW

api-ms-win-shcore-comhelpers-l1-1-0

IUnknown_QueryService
IUnknown_Set
IUnknown_GetSite
IUnknown_SetSite

api-ms-win-core-heap-l2-1-0

LocalFree
LocalReAlloc
LocalAlloc
GlobalFree
GlobalAlloc

api-ms-win-core-processthreads-l1-1-1

IsProcessorFeaturePresent
GetProcessMitigationPolicy
OpenProcess

api-ms-win-core-datetime-l1-1-0

GetDateFormatW

api-ms-win-core-sysinfo-l1-1-0

GetTickCount64
GetLocalTime
GetSystemTime
GetTickCount
GetWindowsDirectoryW
GetLogicalProcessorInformation
GetSystemTimeAsFileTime
GetSystemDirectoryW
GetVersionExW

api-ms-win-core-datetime-l1-1-1

GetTimeFormatEx
GetDateFormatEx

api-ms-win-core-processenvironment-l1-1-0

ExpandEnvironmentStringsW
GetCurrentDirectoryW
SearchPathW
GetCommandLineW

api-ms-win-core-shlwapi-legacy-l1-1-0

PathRemoveFileSpecW
PathFindFileNameW
SHExpandEnvironmentStringsW
PathGetDriveNumberW
PathIsFileSpecW
PathGetArgsW
PathRemoveBlanksW
PathParseIconLocationW
PathQuoteSpacesW
PathCombineW
PathFileExistsW
PathCommonPrefixW
PathFindExtensionW

api-ms-win-core-winrt-string-l1-1-0

WindowsPromoteStringBuffer
WindowsDeleteStringBuffer
WindowsDeleteString
WindowsGetStringLen
WindowsCreateStringReference
WindowsCreateString
WindowsCompareStringOrdinal
WindowsDuplicateString
WindowsSubstringWithSpecifiedLength
WindowsGetStringRawBuffer
WindowsPreallocateStringBuffer

api-ms-win-core-winrt-l1-1-0

RoActivateInstance
RoGetActivationFactory
RoUninitialize
RoInitialize

api-ms-win-shcore-registry-l1-1-0

SHGetValueW
SHEnumKeyExW
SHSetValueW
SHDeleteValueW
SHQueryInfoKeyW
SHRegGetValueW
SHDeleteKeyW

api-ms-win-core-string-l1-1-0

MultiByteToWideChar
CompareStringW
WideCharToMultiByte
CompareStringOrdinal

api-ms-win-shcore-thread-l1-1-0

SHCreateThread
SHSetThreadRef
SHGetThreadRef
SetProcessReference
SHCreateThreadRef

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpiW
lstrlenW

api-ms-win-security-base-l1-1-0

CopySid
DuplicateToken
IsValidSid
GetLengthSid
GetTokenInformation
EqualSid
GetAclInformation
CheckTokenMembership
MakeAbsoluteSD
GetAce
DeleteAce
InitializeAcl
SetKernelObjectSecurity
AddAce
CreateWellKnownSid

api-ms-win-eventing-classicprovider-l1-1-0

UnregisterTraceGuids
GetTraceEnableFlags
GetTraceLoggerHandle
TraceMessage
GetTraceEnableLevel
RegisterTraceGuidsW

api-ms-win-core-localization-obsolete-l1-2-0

GetUserDefaultUILanguage

api-ms-win-core-libraryloader-l1-2-1

LoadLibraryW
FindResourceW

api-ms-win-core-string-l2-1-1

SHLoadIndirectString

api-ms-win-core-errorhandling-l1-1-1

RemoveVectoredExceptionHandler

api-ms-win-core-registry-l1-1-1

RegSetKeyValueW
RegDeleteKeyValueW

api-ms-win-core-com-l1-1-1

RoGetAgileReference

api-ms-win-core-winrt-error-l1-1-0

RoTransformError
RoOriginateError
GetRestrictedErrorInfo
RoFailFastWithErrorContext
SetRestrictedErrorInfo

api-ms-win-core-winrt-error-l1-1-1

RoGetMatchingRestrictedErrorInfo
RoOriginateLanguageException

api-ms-win-core-path-l1-1-0

PathCchCombine
PathCchAppend
PathCchAddExtension
PathAllocCombine
PathCchRemoveFileSpec

api-ms-win-shcore-unicodeansi-l1-1-0

SHAnsiToUnicode

api-ms-win-core-heap-obsolete-l1-1-0

GlobalLock
GlobalUnlock

api-ms-win-core-processthreads-l1-1-3

SetProcessInformation
SetThreadDescription

api-ms-win-core-memory-l1-1-0

OpenFileMappingW
VirtualAlloc
VirtualFree
UnmapViewOfFile
MapViewOfFile
CreateFileMappingW
VirtualProtect

api-ms-win-core-largeinteger-l1-1-0

MulDiv

api-ms-win-shcore-stream-l1-1-0

IStream_Write
SHCreateStreamOnFileEx
IStream_Reset
SHCreateMemStream
IStream_Read
SHOpenRegStream2W
SHCreateStreamOnFileW

api-ms-win-core-file-l1-2-0

GetTempPathW

api-ms-win-core-psapi-l1-1-0

QueryFullProcessImageNameW

api-ms-win-shcore-path-l1-1-0

ord170

api-ms-win-core-threadpool-legacy-l1-1-0

CreateTimerQueueTimer
DeleteTimerQueueTimer
ChangeTimerQueueTimer
UnregisterWaitEx

api-ms-win-core-sysinfo-l1-2-0

GetProductInfo
GetOsSafeBootMode

api-ms-win-core-localization-l1-2-3

GetUserDefaultGeoName

userenv

DeriveAppContainerSidFromAppContainerName
GetProfileType

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime
GetTimeZoneInformation
GetDynamicTimeZoneInformation
SystemTimeToFileTime
SystemTimeToTzSpecificLocalTime

api-ms-win-core-kernel32-legacy-l1-1-0

GetSystemPowerStatus
RegisterWaitForSingleObject
GetComputerNameW

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-interlocked-l1-1-0

InitializeSListHead
InterlockedPushEntrySList

api-ms-win-stateseparation-helpers-l1-1-0

GetPersistedRegistryLocationW

api-ms-win-security-lsalookup-l2-1-0

LookupAccountNameW

api-ms-win-core-string-l2-1-0

CharNextW
CharLowerBuffW

api-ms-win-service-management-l2-1-0

QueryServiceConfigW
NotifyServiceStatusChangeW

api-ms-win-core-io-l1-1-0

GetQueuedCompletionStatus
CreateIoCompletionPort

api-ms-win-core-sysinfo-l1-2-1

GetPhysicallyInstalledSystemMemory

api-ms-win-shcore-registry-l1-1-1

SHRegGetValueFromHKCUHKLM

api-ms-win-shcore-scaling-l1-1-1

GetDpiForMonitor
ord244

iphlpapi

GetNetworkConnectivityHint

api-ms-win-core-errorhandling-l1-1-2

RaiseFailFastException

api-ms-win-core-stringansi-l1-1-0

CharNextA

api-ms-win-power-base-l1-1-0

PowerDeterminePlatformRoleEx
GetPwrCapabilities
CallNtPowerInformation

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-shlwapi-winrt-storage-l1-1-1

ord292
ord197
ord509
SHCreateWorkerWindowW
SHPinDllOfCLSID
ShellMessageBoxW
ord479
AssocQueryStringW
ord279
ord165
ord481
SHIsChildOrSelf
PathRemoveArgsW
StrRetToStrW
ord478
ord544
ord635
StrRetToBufW
IUnknown_GetWindow

api-ms-win-ntuser-sysparams-l1-1-0

SystemParametersInfoW
GetDisplayConfigBufferSizes
GetMonitorInfoW
QueryDisplayConfig
EnumDisplayMonitors
EnumDisplayDevicesW
GetSystemMetrics

api-ms-win-ntuser-rectangle-l1-1-0

SetRect
EqualRect
UnionRect
CopyRect
InflateRect
SubtractRect
OffsetRect
PtInRect
IsRectEmpty
IntersectRect
SetRectEmpty

api-ms-win-rtcore-ntuser-winevent-l1-1-0

SetWinEventHook
NotifyWinEvent
UnhookWinEvent

api-ms-win-shell-namespace-l1-1-0

SHGetIDListFromObject
ILCombine
ILFindLastID
ILGetSize
SHBindToObject
SHBindToFolderIDListParent
SHCreateItemFromIDList
ILFree
ILRemoveLastID
SHParseDisplayName
SHBindToParent
ILIsParent
SHCreateItemFromParsingName
ILClone
SHGetNameFromIDList
ILCloneFirst
ILIsEqual

dxgi

DXGIDeclareAdapterRemovalSupport

api-ms-win-rtcore-ntuser-wmpointer-l1-1-0

GetPointerInfo
GetCurrentInputMessageSource
GetPointerDevices
EnableMouseInPointer
GetPointerType

api-ms-win-storage-exports-internal-l1-1-0

SHGetKnownFolderIDList
SHGetFolderPathEx
GetThreadFlags
SetThreadFlags

api-ms-win-rtcore-ntuser-synch-l1-1-0

MsgWaitForMultipleObjects
MsgWaitForMultipleObjectsEx

api-ms-win-appmodel-runtime-l1-1-0

GetPackagesByPackageFamily
GetPackageFullName

api-ms-win-rtcore-ntuser-wmpointer-l1-1-2

SetWindowFeedbackSetting

api-ms-win-rtcore-ntuser-clipboard-l1-1-0

RegisterClipboardFormatW

api-ms-win-rtcore-ntuser-private-l1-1-0

CreateWindowInBand
GetWindowBand

api-ms-win-rtcore-ntuser-powermanagement-l1-1-0

RegisterPowerSettingNotification
UnregisterPowerSettingNotification

propsys

InitVariantFromResource
InitVariantFromGUIDAsString
PropVariantToStringAlloc
PropVariantToUInt32
PSPropertyBag_WriteStr
PropVariantToBoolean
PSGetPropertyFromPropertyStorage
PSCreateMemoryPropertyStore
PSPropertyBag_WriteDWORD

coremessaging

CreateDispatcherQueueController

urlmon

URLOpenBlockingStreamW

api-ms-win-shell-changenotify-l1-1-0

SHChangeNotify

api-ms-win-shell-dataobject-l1-1-0

SHCreateDataObject

api-ms-win-appmodel-runtime-l1-1-1

FindPackagesByPackageFamily
ParseApplicationUserModelId

wtsapi32

WTSUnRegisterSessionNotification
WTSRegisterSessionNotification

gdi32

GetTextExtentPoint32W
GetStockObject
GetTextMetricsW
SetTextAlign
SetTextColor
CreateFontIndirectW
GetClipBox
SelectObject
CreateCompatibleDC
DeleteDC
CreateRectRgnIndirect
GetObjectW
GetGlyphOutlineW
GetOutlineTextMetricsW
Rectangle
SetStretchBltMode
ExcludeClipRect
StretchBlt
GetClipRgn
CombineRgn
OffsetRgn
SetRectRgn
CreateRectRgn
GetDeviceCaps
DeleteObject
SelectClipRgn
ExtTextOutW
GetCurrentObject

kernel32

IsBadWritePtr

rpcrt4

RpcStringBindingComposeW
I_RpcExceptionFilter
RpcBindingSetAuthInfoExW
RpcStringFreeW
RpcBindingFree
NdrClientCall3
UuidFromStringW
RpcBindingFromStringBindingW

wininet

InternetCrackUrlW

shcore

ord123
ord190
ord174
ord187
ord162
ord109
SHUnicodeToAnsi
ord126
ord213
ord184
ord183
ord142
ord210
ord1
ord121
ord192
ord200
ord186

shell32

ord680
ord723
ord885
ord95
ord743
ord907
ord43
Shell_GetCachedImageIndexW
ord790
ord792
ord727
ord162
SHAppBarMessage
ord894
ord193
ord906
ord895
SHGetLocalizedName
SHGetPropertyStoreForWindow
ord764
ord866
SHEvaluateSystemCommandTemplate
ord181
ord244
ExtractIconExW
ShellExecuteW
ord132
ord137
Shell_NotifyIconW
Shell_NotifyIconGetRect
ord6
SHGetStockIconInfo
DuplicateIcon
ord91
ord254
ord54
SHEnableServiceObject
ord61
ord896
SHAddToRecentDocs
ord60
SHUpdateRecycleBinIcon
ord2
SHFileOperationW
ord4
SHGetPathFromIDListW
ord645
ord644
ord753
ord733
SHChangeNotifyRegisterThread
DragQueryFileW
ord67
SHCreateItemInKnownFolder
ord206
ord201
ord188
ord899
ShellExecuteExW
ord245
ord200
ord89
ord190
ord85
ord100
ord172
ord134
ord22
ord850
ord711

shlwapi

ord164
PathIsDirectoryW
ord413
ord548
ord163
ord467
AssocQueryKeyW
ChrCmpIW
PathIsRelativeW
AssocCreate

uxtheme

GetThemeBool
OpenThemeData
OpenThemeDataForDpi
GetThemeMargins
ord138
BufferedPaintSetAlpha
GetThemePartSize
IsThemeActive
GetBufferedPaintBits
GetThemeInt
GetThemeBackgroundExtent
GetThemeColor
GetThemeMetric
SetWindowTheme
GetWindowTheme
ord126
BufferedPaintUnInit
EndBufferedPaint
BeginBufferedPaint
BufferedPaintInit
CloseThemeData
DrawThemeParentBackground
DrawThemeBackground
ord86
GetThemeFont
DrawThemeTextEx
IsCompositionActive
IsAppThemed

dwmapi

ord141
DwmEnableBlurBehindWindow
ord138
ord140
DwmGetWindowAttribute
ord159
ord139
DwmIsCompositionEnabled
ord113
DwmQueryThumbnailSourceSize
DwmRegisterThumbnail
ord124
DwmUpdateThumbnailProperties
DwmUnregisterThumbnail
ord114
DwmSetWindowAttribute

user32

IsTopLevelWindow
GetMenuState
SetScrollInfo
GetScrollInfo
SetScrollPos
GetMenuStringW
InternalGetWindowText
GetLayeredWindowAttributes
SetLayeredWindowAttributes
DrawTextExW
IsProcessDPIAware
SetThreadDpiAwarenessContext
GetWindowCompositionAttribute
GetWindowProcessHandle
GetClassLongPtrW
UpdateLayeredWindow
ord2521
GetIconInfoExW
GhostWindowFromHungWindow
GetSysColorBrush
GetSystemMenu
ModifyMenuW
GetAsyncKeyState
ReplyMessage
MonitorFromPoint
AdjustWindowRectEx
GetDC
ReleaseDC
MonitorFromWindow
IsIconic
CreatePopupMenu
GetMenuDefaultItem
DestroyMenu
LoadCursorW
SetCursor
SetMenuItemInfoW
DefWindowProcA
IsWindowUnicode
LoadAcceleratorsW
ChangeWindowMessageFilterEx
TranslateAcceleratorW
ord2611
MonitorFromRect
GetGuiResources
IsHungAppWindow
ord2574
SwitchToThisWindow
GetLastActivePopup
UnregisterHotKey
RegisterHotKey
SendDlgItemMessageW
EndDialog
ord2573
GetKeyState
LoadIconW
HungWindowFromGhostWindow
CascadeWindows
TileWindows
LockWorkStation
InjectMouseInput
MapVirtualKeyExW
UnregisterClassW
ord2522
GetMenuInfo
SetMenuInfo
InjectKeyboardInput
GetDpiForSystem
GetWindowDpiAwarenessContext
AreDpiAwarenessContextsEqual
CharLowerW
IsCharAlphaNumericW
GetCaretBlinkTime
GetSysColor
CopyImage
DestroyIcon
DrawIconEx
GetSystemMetricsForDpi
GetIconInfo
ord2005
TrackMouseEvent
SetCapture
GetCapture
GetClassWord
ReleaseCapture
GetClassLongW
GetPhysicalCursorPos
GetCursorInfo
ShowWindowAsync
InsertMenuW
GetDoubleClickTime
CalculatePopupWindowPosition
CopyIcon
GetLastInputInfo
AdjustWindowRect
GetDpiForWindow
SetWindowCompositionAttribute
EndTask
BringWindowToTop
SetGestureConfig
UnregisterClassA
LoadImageW
PostThreadMessageW
CheckMenuItem
EnableMenuItem
RemoveMenu
ExitWindowsEx
SetMenuDefaultItem
TrackPopupMenuEx
DeleteMenu
FillRect
DrawTextW
LoadMenuW
GetSubMenu
CreateIconIndirect
GetMenuItemCount
GetMenuItemInfoW

sspicli

GetUserNameExW

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-kernel32-legacy-l1-1-1

VerifyVersionInfoW
PowerCreateRequest
PowerSetRequest

api-ms-win-security-isolatedcontainer-l1-1-1

IsProcessInWDAGContainer

api-ms-win-core-file-l2-1-2

CopyFileW

api-ms-win-core-synch-l1-2-1

WaitForMultipleObjects

api-ms-win-core-kernel32-legacy-l1-1-2

SetTermsrvAppInstallMode

api-ms-win-shell-shdirectory-l1-1-0

ord292

api-ms-win-eventing-controller-l1-1-0

StartTraceW
StopTraceW
EnableTraceEx2

api-ms-win-appmodel-runtime-l1-1-3

GetStagedPackagePathByFullName2

api-ms-win-core-biptcltapi-l1-1-7

BiPtQueryWorkItem
BiPtAssociateApplicationEntryPoint
BiPtEnumerateWorkItemsForPackageName
BiPtFreeMemory

api-ms-win-crt-math-l1-1-0

ceilf
floorf

Sections

.text
Size: 3.0MB - Virtual size: 3.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.imrsiv
Size: - Virtual size: 4B

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 737KB - Virtual size: 736KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 11KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 131KB - Virtual size: 130KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1.4MB - Virtual size: 1.4MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 21KB - Virtual size: 20KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

d9331de21d79b248bbfdf28f82fe85e1

Code Sign

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

f7:9b:3d:d3:bb:85:0e:18:42:ae:c2:f8:b5:38:dc:86:52:42:36:4c:ea:33:e0:ae:27:d6:94:e6:16:f9:54:baSigner

Headers

DLL Characteristics

File Characteristics

Imports

msvcp_win

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-private-l1-1-0

aepic

twinapi

api-ms-win-core-job-l2-1-0

api-ms-win-core-windowserrorreporting-l1-1-3

api-ms-win-core-url-l1-1-0

api-ms-win-core-kernel32-private-l1-1-0

api-ms-win-core-registryuserspecific-l1-1-0

api-ms-win-core-com-private-l1-1-0

api-ms-win-core-atoms-l1-1-0

api-ms-win-core-sidebyside-l1-1-0

ntdll

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

oleaut32

api-ms-win-shcore-taskpool-l1-1-0

api-ms-win-shcore-sysinfo-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-shlwapi-obsolete-l1-1-0

api-ms-win-shcore-obsolete-l1-1-0

api-ms-win-shcore-comhelpers-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-datetime-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-datetime-l1-1-1

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-core-winrt-l1-1-0

api-ms-win-shcore-registry-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-shcore-thread-l1-1-0

api-ms-win-core-string-obsolete-l1-1-0

api-ms-win-security-base-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-localization-obsolete-l1-2-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-core-string-l2-1-1

api-ms-win-core-errorhandling-l1-1-1

api-ms-win-core-registry-l1-1-1

api-ms-win-core-com-l1-1-1

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-path-l1-1-0

api-ms-win-shcore-unicodeansi-l1-1-0

api-ms-win-core-heap-obsolete-l1-1-0

api-ms-win-core-processthreads-l1-1-3

api-ms-win-core-memory-l1-1-0

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

f7:9b:3d:d3:bb:85:0e:18:42:ae:c2:f8:b5:38:dc:86:52:42:36:4c:ea:33:e0:ae:27:d6:94:e6:16:f9:54:ba
Signer