explorer[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

explorer.exe
Size

5.0MB
MD5

f797eaf92a57128071e4a95fb2b2c27d
SHA1

a2bd0aaa11603f8d0e28a3cdfc0552b1df37c3c9
SHA256

9d22623cdcb0d78219f21b7beb29931378376724acbac9153aa3dae960c18c05
SHA512

4ab9a82c0c214acc1a11981f0f337a0d2ed5b44c12c085b81f58f350b1389bcd9b52ffd7fad9864208f2841d678998df0588f103e9b7a1784282e1e1ff61560e
SSDEEP

49152:UdBY/K/8ws8yK6s9nsbr8VvnKaXVIHW5GAh2JINMx7NYdN+hGsurnxUL/7mULMJY:UFtAJS3XZoEnMcbw8a0sp

Score

1^/10

Malware Config

Signatures

Files

explorer.exe
.exe windows:10 windows x64 arch:x64

548e4dba5d3fda1cf5de865459651254

Code Sign

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

03/02/2023, 00:05

Not After

01/02/2024, 00:05

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

52:5d:6a:41:ae:f8:f8:02:87:26:95:61:3a:4d:00:1d:ea:ed:95:51:5d:21:70:e7:3a:e5:09:68:0e:b7:6c:81
Signer

Actual PE Digest

52:5d:6a:41:ae:f8:f8:02:87:26:95:61:3a:4d:00:1d:ea:ed:95:51:5d:21:70:e7:3a:e5:09:68:0e:b7:6c:81

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

explorer.pdb

Imports

msvcp_win

?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ
?peek@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAHXZ
?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ
?get@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAHXZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_ReportUnobservedException@details@Concurrency@@YAXXZ
_Cnd_wait
?_Xinvalid_argument@std@@YAXPEBD@Z
??0?$basic_iostream@GU?$char_traits@G@std@@@std@@QEAA@PEAV?$basic_streambuf@GU?$char_traits@G@std@@@1@@Z
??0?$basic_ios@GU?$char_traits@G@std@@@std@@IEAA@XZ
?setp@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXPEAG00@Z
?epptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?setg@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXPEAG00@Z
?egptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?eback@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?setp@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXPEAG0@Z
??0?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAA@XZ
?pbase@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?sputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAA_JPEBG_J@Z
?imbue@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAXAEBVlocale@2@@Z
?setbuf@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAPEAV12@PEAG_J@Z
?xsgetn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEAG_J@Z
?uflow@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAGXZ
?showmanyc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JXZ
?tolower@?$ctype@G@std@@QEBAPEBGPEAGPEBG@Z
?tolower@?$ctype@G@std@@QEBAGG@Z
?xsputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAA_JPEBG_J@Z
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?_Getcoll@_Locinfo@std@@QEBA?AU_Collvec@@XZ
_Wcscoll
_Wcsxfrm
?id@?$collate@G@std@@2V0locale@2@A
??Bid@locale@std@@QEAA_KXZ
?id@?$ctype@G@std@@2V0locale@2@A
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ
??0facet@locale@std@@IEAA@_K@Z
??1facet@locale@std@@MEAA@XZ
??0_Lockit@std@@QEAA@H@Z
??0_Locinfo@std@@QEAA@PEBD@Z
?c_str@?$_Yarn@D@std@@QEBAPEBDXZ
??1_Lockit@std@@QEAA@XZ
??1_Locinfo@std@@QEAA@XZ
?is@?$ctype@G@std@@QEBA_NFG@Z
?_Getcat@?$ctype@G@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z
?_Incref@facet@locale@std@@UEAAXXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ
??1?$basic_iostream@GU?$char_traits@G@std@@@std@@UEAA@XZ
?_Decref@facet@locale@std@@UEAAPEAV_Facet_base@3@XZ
??1?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAA@XZ
?gbump@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAXH@Z
?pptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
?gptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEBAPEAGXZ
??1?$basic_ios@GU?$char_traits@G@std@@@std@@UEAA@XZ
?_Lock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
?tie@?$basic_ios@GU?$char_traits@G@std@@@std@@QEBAPEAV?$basic_ostream@GU?$char_traits@G@std@@@2@XZ
?flush@?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAAEAV12@XZ
?_Unlock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UEAAXXZ
?uncaught_exception@std@@YA_NXZ
?good@ios_base@std@@QEBA_NXZ
?sync@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MEAAHXZ
?_Osfx@?$basic_ostream@GU?$char_traits@G@std@@@std@@QEAAXXZ
?width@ios_base@std@@QEBA_JXZ
?flags@ios_base@std@@QEBAHXZ
?_Pninc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IEAAPEAGXZ
?sputc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QEAAGG@Z
?rdbuf@?$basic_ios@GU?$char_traits@G@std@@@std@@QEBAPEAV?$basic_streambuf@GU?$char_traits@G@std@@@2@XZ
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ
?_Xbad_alloc@std@@YAXXZ
?_Xout_of_range@std@@YAXPEBD@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?fill@?$basic_ios@GU?$char_traits@G@std@@@std@@QEBAGXZ
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ
?width@ios_base@std@@QEAA_J_J@Z
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
_Thrd_yield
?_Xbad_function_call@std@@YAXXZ
?__ExceptionPtrCreate@@YAXPEAX@Z
?__ExceptionPtrDestroy@@YAXPEAX@Z
?__ExceptionPtrAssign@@YAXPEAXPEBX@Z
?__ExceptionPtrCopy@@YAXPEAXPEBX@Z
?setstate@?$basic_ios@GU?$char_traits@G@std@@@std@@QEAAXH_N@Z
?__ExceptionPtrCurrentException@@YAXPEAX@Z
?__ExceptionPtrRethrow@@YAXPEBX@Z
?__ExceptionPtrCopyException@@YAXPEAXPEBX1@Z
_Thrd_detach
?_Throw_C_error@std@@YAXH@Z
?_Throw_Cpp_error@std@@YAXH@Z
_Thrd_join
_Mtx_unlock
_Thrd_id
_Cnd_do_broadcast_at_thread_exit
?_Init@locale@std@@CAPEAV_Locimp@12@_N@Z
_Mtx_lock
?_Xlength_error@std@@YAXPEBD@Z

api-ms-win-crt-runtime-l1-1-0

_register_thread_local_exe_atexit_callback
_set_error_mode
_initterm
_c_exit
_initterm_e

api-ms-win-crt-string-l1-1-0

wcscspn
wcsncmp
memset
wcscmp
strncmp

api-ms-win-crt-time-l1-1-0

_time64

api-ms-win-crt-private-l1-1-0

_o_floor
_o_floorf
_o_fmod
_o_free
_o_iswspace
_o_lround
_o_lroundf
_o_malloc
_o_memcpy_s
_o_pow
_o_realloc
_o_sqrt
_o_terminate
_o_wcscat_s
_o_wcscpy_s
_o_wcsncpy_s
_o_wcstol
_o_wcstoll
__C_specific_handler
__current_exception
__current_exception_context
__CxxFrameHandler3
_o__register_onexit_function
_o__recalloc
_o_ceil
_o__purecall
_o__mktime64
_o__wtoi
memmove
_o_exit
_o__wcsnicmp
_o__wcslwr_s
_o__wcsicmp
_o__ltow_s
_o__localtime64
_o__itow_s
_o_abort
_o__itoa_s
_o__set_new_mode
_o__set_fmode
_o__set_errno
_o__set_app_type
_o__seh_filter_exe
_o__invalid_parameter_noinfo_noreturn
_o__invalid_parameter_noinfo
_o__initialize_wide_environment
_o__initialize_onexit_table
_o__get_wide_winmain_command_line
_o__get_errno
_o__exit
_o__errno
_o__difftime64
_o__crt_atexit
_o__configure_wide_argv
_o__configthreadlocale
_o__cexit
_o__beginthreadex
_o___stdio_common_vswprintf
_o___stdio_common_vsnwprintf_s
_o___stdio_common_vsnprintf_s
_o___std_exception_destroy
_o___std_exception_copy
_o___p__commode
wcsrchr
wcsstr
__std_terminate
__CxxFrameHandler4
_o_ceilf
_CxxThrowException
__C_specific_handler_noexcept
memcmp
memcpy

aepic

PicFreeFileInfo
PicRetrieveFileInfo

twinapi

ord9

api-ms-win-core-job-l2-1-0

QueryInformationJobObject
OpenJobObjectW
AssignProcessToJobObject
CreateJobObjectW
SetInformationJobObject

api-ms-win-core-windowserrorreporting-l1-1-3

RegisterApplicationRestart

api-ms-win-core-url-l1-1-0

HashData
PathIsURLW
UrlUnescapeW

api-ms-win-core-windowserrorreporting-l1-1-1

WerUnregisterCustomMetadata
WerRegisterCustomMetadata

api-ms-win-core-kernel32-private-l1-1-0

CheckElevation
CheckElevationEnabled

api-ms-win-core-registryuserspecific-l1-1-0

SHRegGetBoolUSValueW
SHRegGetUSValueW

api-ms-win-core-com-private-l1-1-0

CoRevokeInitializeSpy
CoRegisterMessageFilter
CoRegisterInitializeSpy

api-ms-win-core-atoms-l1-1-0

GlobalGetAtomNameW

api-ms-win-core-sidebyside-l1-1-0

CreateActCtxW
DeactivateActCtx
ReleaseActCtx
ActivateActCtx

ntdll

NtQueryInformationProcess
NtQueryWnfStateData
WinSqmAddToStream
RtlGetVersion
ZwQuerySystemInformation
ZwQueryValueKey
ZwOpenKey
ZwClose
RtlReAllocateHeap
ZwEnumerateValueKey
ZwCreateFile
NtQueryInformationFile
RtlAppendUnicodeToString
RtlAnsiStringToUnicodeString
RtlImageDirectoryEntryToData
ZwUnmapViewOfSection
RtlNtPathNameToDosPathName
RtlUpcaseUnicodeChar
ZwCreateSection
RtlxAnsiStringToUnicodeSize
ZwQueryInformationProcess
RtlpEnsureBufferSize
RtlGetNativeSystemInformation
NtSetInformationProcess
ZwQueryDirectoryFile
ZwSetInformationProcess
RtlInitUnicodeStringEx
ZwMapViewOfSection
RtlFormatCurrentUserKeyPath
ZwEnumerateKey
RtlInitString
ZwOpenFile
ZwQueryInformationFile
LdrResSearchResource
RtlReleaseSRWLockShared
RtlAcquireSRWLockShared
RtlReleaseSRWLockExclusive
RtlAcquireSRWLockExclusive
RtlVerifyVersionInfo
RtlInitUnicodeString
NtOpenFile
NtDeviceIoControlFile
RtlCaptureContext
NtClose
RtlUnsubscribeWnfNotificationWaitForCompletion
RtlSubscribeWnfStateChangeNotification
RtlQueryWnfStateData
RtlFlushHeaps
NtSetSystemInformation
RtlPublishWnfStateData
RtlGetDeviceFamilyInfoEnum
RtlNtStatusToDosError
RtlLookupFunctionEntry
RtlVirtualUnwind
strchr
memmove_s
RtlDosPathNameToNtPathName_U_WithStatus
RtlFreeUnicodeString
wcschr
RtlAllocateHeap
RtlFreeHeap
RtlCompareUnicodeString
WinSqmIsOptedIn
NtOpenProcessToken
NtQueryInformationToken
NtOpenThreadToken
RtlAppendUnicodeStringToString
wcsspn
RtlRunOnceExecuteOnce
RtlCopyUnicodeString
RtlUpcaseUnicodeString
RtlNtStatusToDosErrorNoTeb
NtSetThreadExecutionState
NtPowerInformation
VerSetConditionMask
RtlQueryResourcePolicy
RtlQueryUnbiasedInterruptTime
NtQuerySystemInformation
RtlGetNtSystemRoot

api-ms-win-core-libraryloader-l1-2-0

SizeofResource
FindStringOrdinal
GetModuleFileNameA
FindResourceExW
LoadLibraryExW
LoadResource
LockResource
GetModuleHandleA
FreeLibrary
GetProcAddress
LoadStringW
GetModuleHandleExW
GetModuleFileNameW
GetModuleHandleW

api-ms-win-core-synch-l1-2-0

Sleep
InitOnceBeginInitialize
InitOnceExecuteOnce
InitOnceComplete

api-ms-win-core-synch-l1-1-0

OpenMutexW
ReleaseSemaphore
LeaveCriticalSection
ResetEvent
CreateMutexW
InitializeCriticalSectionEx
InitializeCriticalSectionAndSpinCount
CreateEventExW
WaitForSingleObject
TryEnterCriticalSection
EnterCriticalSection
ReleaseMutex
CreateSemaphoreExW
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
OpenEventW
WaitForSingleObjectEx
WaitForMultipleObjectsEx
OpenSemaphoreW
SetEvent
CreateEventW
InitializeSRWLock
ReleaseSRWLockShared
CreateMutexExW
InitializeCriticalSection
SleepEx
AcquireSRWLockShared
DeleteCriticalSection

api-ms-win-core-heap-l1-1-0

HeapFree
GetProcessHeap
HeapAlloc

api-ms-win-core-errorhandling-l1-1-0

SetLastError
GetLastError
SetErrorMode
UnhandledExceptionFilter
SetUnhandledExceptionFilter
RaiseException

api-ms-win-core-file-l1-1-0

WriteFile
GetFileAttributesW
CreateFileW
GetLongPathNameW
DeleteFileW
FindClose
FindNextFileW
CompareFileTime
FindFirstFileW

api-ms-win-eventing-provider-l1-1-0

EventRegister
EventWriteTransfer
EventUnregister
EventActivityIdControl
EventEnabled
EventWrite
EventSetInformation

api-ms-win-core-threadpool-l1-2-0

SetThreadpoolTimer
WaitForThreadpoolTimerCallbacks
CloseThreadpoolTimer
CreateThreadpoolTimer
CreateThreadpoolWork
CreateThreadpoolWait
SetThreadpoolWait
WaitForThreadpoolWaitCallbacks
CloseThreadpoolWait
SubmitThreadpoolWork
TrySubmitThreadpoolCallback

api-ms-win-core-processthreads-l1-1-0

SetThreadPriorityBoost
SetProcessShutdownParameters
ExitProcess
InitializeProcThreadAttributeList
CreateThread
OpenThread
SetPriorityClass
OpenProcessToken
SetThreadPriority
GetPriorityClass
ResumeThread
ProcessIdToSessionId
UpdateProcThreadAttribute
GetProcessId
TlsFree
TlsGetValue
TlsAlloc
CreateProcessW
GetCurrentProcess
TlsSetValue
QueueUserAPC
GetStartupInfoW
TerminateProcess
GetExitCodeProcess
OpenThreadToken
GetCurrentProcessId
GetThreadPriority
DeleteProcThreadAttributeList
GetCurrentThreadId
GetCurrentThread

api-ms-win-core-localization-l1-2-0

GetGeoInfoW
FormatMessageW
GetLocaleInfoEx
GetCalendarInfoW
GetLocaleInfoW
GetThreadUILanguage

api-ms-win-core-debug-l1-1-0

DebugBreak
IsDebuggerPresent
OutputDebugStringW

api-ms-win-core-handle-l1-1-0

CloseHandle
DuplicateHandle

oleaut32

VariantClear
SafeArrayAccessData
SysStringLen
VarUI4FromStr
SafeArrayCreate
SysFreeString
SysAllocString
SafeArrayUnaccessData
SafeArrayDestroy
SysAllocStringByteLen
VariantInit

api-ms-win-shcore-taskpool-l1-1-0

SHTaskPoolQueueTask
SHTaskPoolGetUniqueContext

api-ms-win-shcore-sysinfo-l1-1-0

SetCurrentProcessExplicitAppUserModelID
IsOS

api-ms-win-core-com-l1-1-0

CoCreateInstance
CoRegisterClassObject
CoUninitialize
CoGetCallContext
StringFromCLSID
CoTaskMemFree
CoInitializeEx
CoMarshalInterThreadInterfaceInStream
CoGetInterfaceAndReleaseStream
CoGetMalloc
CoRevokeClassObject
IIDFromString
CoTaskMemAlloc
CoGetStdMarshalEx
CoCancelCall
CoDisableCallCancellation
CoEnableCallCancellation
CLSIDFromString
CoInitializeSecurity
CoTaskMemRealloc
CoWaitForMultipleHandles
CoCreateGuid
CoGetApartmentType
StringFromIID
StringFromGUID2
CreateStreamOnHGlobal
CoCreateFreeThreadedMarshaler
CoReleaseMarshalData
PropVariantClear
CoSetProxyBlanket
CoFreeUnusedLibraries
CoGetObjectContext

api-ms-win-core-shlwapi-obsolete-l1-1-0

StrCmpW
StrCmpNICW
StrToIntW
StrChrIW
StrCmpICA
StrCmpIW
QISearch
StrCmpNIW
StrCmpICW
StrChrW

api-ms-win-shcore-obsolete-l1-1-0

SHStrDupW

api-ms-win-core-registry-l1-1-0

RegDeleteTreeW
RegOpenCurrentUser
RegQueryInfoKeyW
RegQueryValueExW
RegCreateKeyExW
RegGetValueW
RegOpenKeyExW
RegLoadMUIStringW
RegDeleteValueW
RegEnumKeyExW
RegEnumValueW
RegDeleteKeyExW
RegSetValueExW
RegCloseKey

api-ms-win-shcore-comhelpers-l1-1-0

IUnknown_SetSite
IUnknown_QueryService
IUnknown_GetSite
IUnknown_Set

api-ms-win-core-heap-l2-1-0

LocalReAlloc
GlobalAlloc
GlobalFree
LocalAlloc
LocalFree

api-ms-win-core-processthreads-l1-1-1

GetProcessMitigationPolicy
OpenProcess
IsProcessorFeaturePresent

api-ms-win-core-datetime-l1-1-0

GetDateFormatW

api-ms-win-core-sysinfo-l1-1-0

GetSystemDirectoryW
GetVersionExW
GetWindowsDirectoryW
GetLocalTime
GetSystemTimeAsFileTime
GetTickCount
GetTickCount64
GetSystemTime

api-ms-win-core-datetime-l1-1-1

GetDateFormatEx
GetTimeFormatEx

api-ms-win-core-processenvironment-l1-1-0

SearchPathW
GetCurrentDirectoryW
GetCommandLineW
ExpandEnvironmentStringsW
GetEnvironmentVariableW
SetEnvironmentVariableW

api-ms-win-core-shlwapi-legacy-l1-1-0

PathCommonPrefixW
PathQuoteSpacesW
PathRemoveFileSpecW
PathFileExistsW
PathFindFileNameW
PathFindExtensionW
SHExpandEnvironmentStringsW
PathParseIconLocationW
PathCombineW
PathRemoveBlanksW
PathIsFileSpecW
PathGetDriveNumberW
PathGetArgsW

api-ms-win-shcore-registry-l1-1-0

SHQueryInfoKeyW
SHRegGetValueW
SHDeleteValueW
SHEnumKeyExW
SHSetValueW
SHGetValueW
SHDeleteKeyW

api-ms-win-core-string-l1-1-0

CompareStringW
WideCharToMultiByte
MultiByteToWideChar
CompareStringOrdinal

api-ms-win-core-winrt-string-l1-1-0

WindowsCompareStringOrdinal
WindowsPromoteStringBuffer
WindowsCreateString
WindowsDeleteStringBuffer
WindowsSubstringWithSpecifiedLength
WindowsPreallocateStringBuffer
WindowsGetStringRawBuffer
WindowsDeleteString
WindowsCreateStringReference
WindowsDuplicateString

api-ms-win-shcore-thread-l1-1-0

SHSetThreadRef
SHGetThreadRef
SHCreateThreadRef
SetProcessReference
SHCreateThread

api-ms-win-core-libraryloader-l1-2-1

FindResourceW
LoadLibraryW

api-ms-win-security-base-l1-1-0

DeleteAce
GetAce
CreateWellKnownSid
GetAclInformation
InitializeAcl
MakeAbsoluteSD
DuplicateToken
EqualSid
FreeSid
AllocateAndInitializeSid
AddAce
SetKernelObjectSecurity
GetSecurityDescriptorDacl
IsValidSid
GetLengthSid
CheckTokenMembership
GetTokenInformation
CopySid

api-ms-win-core-psapi-l1-1-0

K32EnumProcesses
QueryFullProcessImageNameW
K32EnumProcessModules
K32GetModuleFileNameExW
K32GetModuleBaseNameW

api-ms-win-core-version-l1-1-0

GetFileVersionInfoExW
GetFileVersionInfoSizeExW
VerQueryValueW

api-ms-win-eventing-classicprovider-l1-1-0

TraceMessage
GetTraceLoggerHandle
UnregisterTraceGuids
GetTraceEnableLevel
RegisterTraceGuidsW
GetTraceEnableFlags

api-ms-win-core-localization-obsolete-l1-2-0

GetUserDefaultUILanguage

api-ms-win-core-string-l2-1-1

SHLoadIndirectString

api-ms-win-core-processthreads-l1-1-3

SetProcessInformation
SetThreadDescription

api-ms-win-core-registry-l1-1-1

RegSetKeyValueW

api-ms-win-core-winrt-l1-1-0

RoActivateInstance
RoInitialize
RoUninitialize
RoGetActivationFactory

api-ms-win-core-com-l1-1-1

RoGetAgileReference

api-ms-win-core-winrt-error-l1-1-0

RoOriginateError
RoTransformError
SetRestrictedErrorInfo

api-ms-win-core-winrt-error-l1-1-1

RoGetMatchingRestrictedErrorInfo

api-ms-win-core-path-l1-1-0

PathCchAddExtension
PathCchAppend
PathCchCombine
PathAllocCombine
PathCchRemoveFileSpec

api-ms-win-shcore-unicodeansi-l1-1-0

SHAnsiToUnicode

api-ms-win-core-heap-obsolete-l1-1-0

GlobalLock
GlobalUnlock

api-ms-win-core-string-obsolete-l1-1-0

lstrlenW
lstrcmpiW

api-ms-win-core-memory-l1-1-0

MapViewOfFile
UnmapViewOfFile
VirtualAlloc
VirtualFree
CreateFileMappingW
VirtualProtect
OpenFileMappingW

api-ms-win-core-commandlinetoargv-l1-1-0

CommandLineToArgvW

api-ms-win-core-largeinteger-l1-1-0

MulDiv

api-ms-win-shcore-stream-l1-1-0

SHCreateMemStream
SHCreateStreamOnFileEx
IStream_Read
SHOpenRegStream2W
SHCreateStreamOnFileW
IStream_Write
IStream_Reset

api-ms-win-core-file-l1-2-0

GetTempPathW

api-ms-win-shcore-path-l1-1-0

ord170

api-ms-win-core-threadpool-legacy-l1-1-0

CreateTimerQueueTimer
UnregisterWaitEx
DeleteTimerQueueTimer
ChangeTimerQueueTimer

api-ms-win-core-sysinfo-l1-2-0

GetNativeSystemInfo
GetProductInfo

api-ms-win-core-localization-l1-2-3

GetUserDefaultGeoName

userenv

GetProfileType
DeriveAppContainerSidFromAppContainerName

api-ms-win-core-timezone-l1-1-0

FileTimeToSystemTime
GetTimeZoneInformation
GetDynamicTimeZoneInformation
SystemTimeToFileTime
SystemTimeToTzSpecificLocalTime

api-ms-win-core-kernel32-legacy-l1-1-0

GetComputerNameW
GetSystemPowerStatus
RegisterWaitForSingleObject

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-interlocked-l1-1-0

InterlockedPushEntrySList
InitializeSListHead

api-ms-win-stateseparation-helpers-l1-1-0

GetPersistedRegistryLocationW

api-ms-win-security-lsalookup-l2-1-0

LookupAccountNameW

api-ms-win-core-string-l2-1-0

CharLowerBuffW
CharNextW

api-ms-win-service-management-l2-1-0

NotifyServiceStatusChangeW
QueryServiceConfigW

api-ms-win-core-io-l1-1-0

DeviceIoControl
CreateIoCompletionPort
GetQueuedCompletionStatus

api-ms-win-shcore-registry-l1-1-1

SHRegGetValueFromHKCUHKLM

api-ms-win-shcore-scaling-l1-1-1

GetDpiForMonitor
ord244

api-ms-win-core-errorhandling-l1-1-2

RaiseFailFastException

api-ms-win-core-stringansi-l1-1-0

CharNextA

api-ms-win-power-base-l1-1-0

GetPwrCapabilities
CallNtPowerInformation

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-shlwapi-winrt-storage-l1-1-1

ord544
ord292
ord635
ord165
ord509
ShellMessageBoxW
StrRetToBufW
StrRetToStrW
SHIsChildOrSelf
ord279
SHPinDllOfCLSID
ord481
ord479
IUnknown_GetWindow
AssocQueryStringW
ord197
PathRemoveArgsW
ord478
SHCreateWorkerWindowW

api-ms-win-ntuser-sysparams-l1-1-0

EnumDisplayMonitors
GetMonitorInfoW
QueryDisplayConfig
SystemParametersInfoW
GetSystemMetrics
EnumDisplayDevicesW
GetDisplayConfigBufferSizes

api-ms-win-ntuser-rectangle-l1-1-0

PtInRect
CopyRect
UnionRect
SetRect
InflateRect
EqualRect
SubtractRect
OffsetRect
IntersectRect
SetRectEmpty
IsRectEmpty

api-ms-win-rtcore-ntuser-winevent-l1-1-0

SetWinEventHook
NotifyWinEvent
UnhookWinEvent

api-ms-win-shell-namespace-l1-1-0

ILFindLastID
ILIsParent
ILGetSize
ILCloneFirst
ILCombine
ILFree
ILIsEqual
SHGetNameFromIDList
SHGetIDListFromObject
SHBindToParent
SHBindToObject
ILRemoveLastID
ILClone
SHParseDisplayName
SHCreateItemFromParsingName
SHCreateItemFromIDList
SHBindToFolderIDListParent

dxgi

DXGIDeclareAdapterRemovalSupport

api-ms-win-rtcore-ntuser-wmpointer-l1-1-0

EnableMouseInPointer
GetPointerType
GetPointerDevices
GetCurrentInputMessageSource
GetPointerInfo

api-ms-win-storage-exports-internal-l1-1-0

SetThreadFlags
GetThreadFlags
SHGetKnownFolderIDList
SHGetFolderPathEx

api-ms-win-rtcore-ntuser-synch-l1-1-0

MsgWaitForMultipleObjectsEx
MsgWaitForMultipleObjects

api-ms-win-appmodel-runtime-l1-1-0

GetPackageFullName
GetPackagesByPackageFamily

api-ms-win-rtcore-ntuser-wmpointer-l1-1-2

SetWindowFeedbackSetting

api-ms-win-rtcore-ntuser-clipboard-l1-1-0

RegisterClipboardFormatW

api-ms-win-shell-dataobject-l1-1-1

DragQueryFileW

api-ms-win-rtcore-ntuser-private-l1-1-0

CreateWindowInBand
GetWindowBand

api-ms-win-rtcore-ntuser-powermanagement-l1-1-0

RegisterPowerSettingNotification
UnregisterPowerSettingNotification

api-ms-win-shell-changenotify-l1-1-1

SHChangeNotifyDeregister
SHChangeNotification_Unlock
SHChangeNotification_Lock
SHChangeNotifyRegisterThread
SHHandleUpdateImage
SHChangeNotifyRegister

propsys

PSGetPropertyFromPropertyStorage
PropVariantToBoolean
PSPropertyBag_WriteStr
PropVariantToUInt32
PSPropertyBag_WriteDWORD
InitVariantFromResource
InitVariantFromGUIDAsString
PropVariantToStringAlloc
PSCreateMemoryPropertyStore

api-ms-win-shell-changenotify-l1-1-0

SHChangeNotify

api-ms-win-shell-dataobject-l1-1-0

SHCreateDataObject

api-ms-win-appmodel-runtime-l1-1-1

ParseApplicationUserModelId
FindPackagesByPackageFamily

wtsapi32

WTSUnRegisterSessionNotification
WTSRegisterSessionNotification

gdi32

CreateCompatibleDC
SelectObject
GetClipBox
GetCurrentObject
DeleteDC
SelectClipRgn
GetClipRgn
GetOutlineTextMetricsW
GetObjectW
DeleteObject
CombineRgn
GetGlyphOutlineW
CreateRectRgnIndirect
Rectangle
SetStretchBltMode
ExcludeClipRect
StretchBlt
OffsetRgn
GetDeviceCaps
GetStockObject
CreateRectRgn
SetRectRgn
GetTextExtentPoint32W
ExtTextOutW
GetTextMetricsW
SetTextAlign
SetTextColor
CreateFontIndirectW

kernel32

IsBadWritePtr
RtlCompareMemory
HeapSize
HeapReAlloc
GetModuleHandleExA
HeapDestroy

wininet

InternetCrackUrlW

shcore

ord192
ord210
ord1
ord183
ord213
ord126
ord109
ord174
ord121
ord190
ord123
ord162
SHUnicodeToAnsi
ord187
ord191
ord141
ord142
ord200
ord184
ord186

shell32

ord743
ord907
ord43
Shell_GetCachedImageIndexW
ord790
ord792
ord727
ord162
SHAppBarMessage
ord894
ord906
ord181
ord895
SHGetLocalizedName
SHGetPropertyStoreForWindow
ord866
SHEvaluateSystemCommandTemplate
ord244
ExtractIconExW
ord132
ord137
Shell_NotifyIconW
Shell_NotifyIconGetRect
ord6
SHGetStockIconInfo
DuplicateIcon
ShellExecuteW
ord91
ord254
ord54
SHEnableServiceObject
ord61
ord896
SHAddToRecentDocs
ord60
SHUpdateRecycleBinIcon
ord711
SHFileOperationW
SHGetPathFromIDListW
ord753
ord733
ord67
SHCreateItemInKnownFolder
ord206
ord201
ord188
ord899
ShellExecuteExW
ord245
ord200
ord89
ord190
ord85
ord100
ord134
ord22
ord850
ord95
ord885
ord723
ord680
ord172
ord764

shlwapi

ord164
PathIsDirectoryW
ord413
ord548
ord163
ord467
AssocQueryKeyW
ChrCmpIW
PathIsRelativeW
AssocCreate

uxtheme

IsCompositionActive
DrawThemeTextEx
GetThemeFont
ord86
DrawThemeBackground
GetThemeBackgroundExtent
DrawThemeParentBackground
CloseThemeData
BufferedPaintInit
IsThemePartDefined
GetThemeBool
OpenThemeData
OpenThemeDataForDpi
GetThemeMargins
ord138
BufferedPaintSetAlpha
ord126
GetThemePartSize
IsThemeActive
BeginBufferedPaint
GetBufferedPaintBits
GetThemeInt
EndBufferedPaint
BufferedPaintUnInit
GetWindowTheme
IsAppThemed
SetWindowTheme
GetThemeColor
GetThemeMetric

dwmapi

ord141
ord138
ord139
ord140
DwmSetWindowAttribute
DwmGetWindowAttribute
DwmIsCompositionEnabled
ord159
DwmRegisterThumbnail
DwmQueryThumbnailSourceSize
ord124
DwmUpdateThumbnailProperties
DwmUnregisterThumbnail
ord114
DwmEnableBlurBehindWindow
ord113

user32

GetDoubleClickTime
CalculatePopupWindowPosition
CopyIcon
GetLastInputInfo
GetCursorFrameInfo
AdjustWindowRect
GetDpiForWindow
SetWindowCompositionAttribute
SetGestureConfig
LoadImageW
CheckMenuItem
EnableMenuItem
RemoveMenu
SetMenuDefaultItem
TrackPopupMenuEx
SetCapture
TrackMouseEvent
DestroyIcon
CopyImage
GetSysColor
GetCaretBlinkTime
InjectKeyboardInput
MapVirtualKeyExW
ReleaseCapture
LockWorkStation
TileWindows
CascadeWindows
HungWindowFromGhostWindow
LoadIconW
IsIconic
GetKeyState
ExitWindowsEx
EndDialog
AdjustWindowRectEx
GetDC
ReleaseDC
CreatePopupMenu
GetMenuDefaultItem
DestroyMenu
LoadCursorW
SetCursor
SetMenuItemInfoW
MonitorFromWindow
DefWindowProcA
IsWindowUnicode
LoadAcceleratorsW
ChangeWindowMessageFilterEx
ord2005
InjectMouseInput
GetCapture
SendInput
SetDesktopColorTransform
UnregisterClassA
DeleteMenu
FillRect
DrawTextW
LoadMenuW
GetSubMenu
CreateIconIndirect
GetSystemMetricsForDpi
GetMenuItemInfoW
MonitorFromPoint
ReplyMessage
TranslateAcceleratorW
GetAsyncKeyState
ModifyMenuW
GetSystemMenu
GetSysColorBrush
SetLayeredWindowAttributes
GetIconInfoExW
GetIconInfo
GetClassWord
GetClassLongW
ord2611
MonitorFromRect
GetPhysicalCursorPos
GetCursorInfo
ShowWindowAsync
InsertMenuW
BringWindowToTop
ord2573
GhostWindowFromHungWindow
EndTask
IsTopLevelWindow
GetMenuState
SetScrollInfo
GetScrollInfo
SetScrollPos
GetMenuStringW
InternalGetWindowText
GetLayeredWindowAttributes
DrawTextExW
GetGuiResources
IsProcessDPIAware
SetThreadDpiAwarenessContext
GetWindowCompositionAttribute
GetWindowProcessHandle
GetClassLongPtrW
UpdateLayeredWindow
ord2521
IsHungAppWindow
UnregisterClassW
ord2522
WindowFromDC
GetMenuInfo
SetMenuInfo
GetDpiForSystem
GetWindowDpiAwarenessContext
AreDpiAwarenessContextsEqual
CharLowerW
IsCharAlphaNumericW
ord2574
SwitchToThisWindow
GetLastActivePopup
DrawIconEx
UnregisterHotKey
RegisterHotKey
GetMenuItemCount
SendDlgItemMessageW

sspicli

GetUserNameExW

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-localization-l1-2-2

LCIDToLocaleName

api-ms-win-core-kernel32-legacy-l1-1-1

VerifyVersionInfoW
PowerCreateRequest
PowerSetRequest

api-ms-win-oobe-notification-l1-1-0

OOBEComplete

api-ms-win-core-file-l2-1-2

CopyFileW

api-ms-win-core-kernel32-legacy-l1-1-2

SetTermsrvAppInstallMode

api-ms-win-shell-shdirectory-l1-1-0

ord292

api-ms-win-eventing-controller-l1-1-0

StopTraceW
StartTraceW
EnableTraceEx2

api-ms-win-core-job-l1-1-0

IsProcessInJob

rpcrt4

RpcBindingFromStringBindingW
RpcStringBindingComposeW
I_RpcExceptionFilter
RpcBindingSetAuthInfoExW
RpcStringFreeW
RpcBindingFree
NdrClientCall3

api-ms-win-appmodel-runtime-l1-1-3

GetStagedPackagePathByFullName2

api-ms-win-appmodel-unlock-l1-1-0

IsDeveloperModeEnabled

api-ms-win-core-biptcltapi-l1-1-7

BiPtFreeMemory
BiPtEnumerateWorkItemsForPackageName
BiPtAssociateApplicationEntryPoint
BiPtQueryWorkItem

api-ms-win-rtcore-ntuser-shell-l1-1-0

GetShellWindow

api-ms-win-ro-typeresolution-l1-1-1

RoCreatePropertySetSerializer

combase

GetErrorInfo
SetErrorInfo

Exports

Exports

g_trayTriageBlock

Sections

.text
Size: 3.0MB - Virtual size: 3.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.imrsiv
Size: - Virtual size: 4B

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 672KB - Virtual size: 668KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 12KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 124KB - Virtual size: 122KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 4KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 20KB - Virtual size: 19KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

548e4dba5d3fda1cf5de865459651254

Code Sign

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

52:5d:6a:41:ae:f8:f8:02:87:26:95:61:3a:4d:00:1d:ea:ed:95:51:5d:21:70:e7:3a:e5:09:68:0e:b7:6c:81Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcp_win

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-private-l1-1-0

aepic

twinapi

api-ms-win-core-job-l2-1-0

api-ms-win-core-windowserrorreporting-l1-1-3

api-ms-win-core-url-l1-1-0

api-ms-win-core-windowserrorreporting-l1-1-1

api-ms-win-core-kernel32-private-l1-1-0

api-ms-win-core-registryuserspecific-l1-1-0

api-ms-win-core-com-private-l1-1-0

api-ms-win-core-atoms-l1-1-0

api-ms-win-core-sidebyside-l1-1-0

ntdll

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

oleaut32

api-ms-win-shcore-taskpool-l1-1-0

api-ms-win-shcore-sysinfo-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-shlwapi-obsolete-l1-1-0

api-ms-win-shcore-obsolete-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-shcore-comhelpers-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-datetime-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-datetime-l1-1-1

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-shcore-registry-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-shcore-thread-l1-1-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-security-base-l1-1-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-core-version-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-localization-obsolete-l1-2-0

api-ms-win-core-string-l2-1-1

api-ms-win-core-processthreads-l1-1-3

api-ms-win-core-registry-l1-1-1

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-com-l1-1-1

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-path-l1-1-0

api-ms-win-shcore-unicodeansi-l1-1-0

33:00:00:04:13:31:bc:19:88:07:a9:07:74:00:00:00:00:04:13
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

52:5d:6a:41:ae:f8:f8:02:87:26:95:61:3a:4d:00:1d:ea:ed:95:51:5d:21:70:e7:3a:e5:09:68:0e:b7:6c:81
Signer