apphelp.pdb
Sample: apphelp.dll
Resource: win10v2004-20240508-en
General
Target: apphelp.dll
Size: 624KB
MD5: 29ca4d6d1a9e62366eea02fa36100e17
SHA1: 94486fafa162ef1f25ed34a2049f9b136817b401
SHA256: 0072c9544d5896ff113f23e83074e03f1fa578c7cb0bf0fc541374ac170912e9
SHA512: 326800873f90e541565da372123d12ad8b3c2f67124d3be513b1de201abf26f181934b64e0774bc5881f55cee7e3936289b0f9fe76252b317d5a1912cce005b3
SSDEEP: 12288:Am+LyLZUj4povD3JBrZ8LCQQZvKt3KWjVHO5T+I:MLyL0HJBrZ8PQFKtvVHO5iI
Malware Config
Signatures
Unsigned PE (1 IoC): Checks for missing Authenticode signature.
resource: apphelp.dll
Files
apphelp.dll.dll (windows:10 windows x86 arch:x86)
092a231d0e73be4300a8d22ae3181b48
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
PDB Paths
Imports
ntdll
NtCreateKey
NtSetInformationKey
NtDeleteKey
ZwQueryKey
ZwEnumerateValueKey
RtlUnicodeStringToInteger
ZwSetValueKey
RtlSetEnvironmentVariable
RtlFreeAnsiString
RtlWow64GetProcessMachines
LdrFindEntryForAddress
RtlInitializeCriticalSection
RtlDeleteCriticalSection
_wtoi
strrchr
_stricmp
_vsnprintf
RtlTryEnterCriticalSection
LdrGetDllHandle
RtlEnterCriticalSection
RtlCaptureStackBackTrace
RtlInitAnsiStringEx
NtQueryInformationFile
strtok_s
NtQueryInformationProcess
strchr
atol
SbSelectProcedure
_strnicmp
RtlSubAuthorityCountSid
RtlSubAuthoritySid
RtlCreateServiceSid
RtlNtStatusToDosError
RtlEqualSid
RtlGetDaclSecurityDescriptor
RtlIdentifierAuthoritySid
RtlGetNtSystemRoot
EtwEventWriteNoRegistration
NtQueryAttributesFile
NtQueryObject
_wcsupr_s
RtlAddVectoredExceptionHandler
strcpy_s
_strlwr
strstr
_wcslwr
RtlAllocateAndInitializeSid
RtlCheckTokenMembership
RtlFreeSid
LdrLoadDll
sprintf_s
sscanf_s
LdrGetProcedureAddressEx
LdrGetProcedureAddress
RtlLengthRequiredSid
NtOpenFile
NtQuerySecurityObject
RtlGetOwnerSecurityDescriptor
RtlCompareMemory
NtProtectVirtualMemory
RtlInitializeSRWLock
LdrEnumerateLoadedModules
RtlAcquireSRWLockExclusive
RtlReleaseSRWLockExclusive
RtlAcquireSRWLockShared
RtlReleaseSRWLockShared
RtlDosPathNameToNtPathName_U
RtlGetVersion
NtDeleteValueKey
NtSetValueKey
RtlDoesFileExists_U
RtlCreateUnicodeString
RtlRunOnceExecuteOnce
RtlGetFileMUIPath
_vscwprintf
wcsspn
qsort
NtClose
NtWriteFile
ZwQuerySystemTime
NtReadFile
RtlDestroyEnvironment
RtlSizeHeap
RtlSetEnvironmentVar
RtlCreateEnvironmentEx
NtCreateFile
swprintf_s
NtApphelpCacheControl
RtlImageDirectoryEntryToData
strncmp
RtlVerifyVersionInfo
VerSetConditionMask
LdrResSearchResource
RtlTimeToTimeFields
ZwMapViewOfSection
ZwUnmapViewOfSection
ZwQuerySystemInformation
RtlGetNativeSystemInformation
RtlQueryEnvironmentVariable_U
RtlNtPathNameToDosPathName
RtlpEnsureBufferSize
ZwQueryDirectoryFile
RtlReAllocateHeap
wcsncmp
RtlSecondsSince1970ToTime
ZwSetInformationProcess
ZwQueryInformationProcess
ZwCreateSection
ZwQueryInformationFile
ZwCreateFile
RtlGetFullPathName_UEx
ZwCreateKey
ZwQueryValueKey
ZwEnumerateKey
ZwOpenKey
ZwOpenFile
RtlDosPathNameToNtPathName_U_WithStatus
ZwClose
ZwQueryInformationToken
ZwOpenProcessToken
wcscat_s
wcscpy_s
RtlAppendUnicodeStringToString
wcschr
toupper
RtlUpcaseUnicodeChar
RtlUnicodeStringToAnsiString
RtlUpcaseUnicodeString
RtlInitAnsiString
RtlAnsiStringToUnicodeString
RtlxAnsiStringToUnicodeSize
RtlInitString
RtlInitUnicodeString
RtlGUIDFromString
wcsstr
_wcsicmp
RtlUnwind
EtwEventRegister
EtwEventEnabled
EtwEventUnregister
_wcsnicmp
RtlExpandEnvironmentStrings_U
_vsnwprintf
memmove
RtlCaptureContext
wcsrchr
LdrInitShimEngineDynamic
EtwEventWrite
NtQueryValueKey
NtOpenKey
RtlFreeHeap
RtlFreeUnicodeString
RtlDuplicateUnicodeString
RtlStringFromGUID
RtlAppendUnicodeToString
RtlCopyUnicodeString
RtlAllocateHeap
RtlFormatCurrentUserKeyPath
RtlLeaveCriticalSection
RtlEqualString
RtlMultiByteToUnicodeN
RtlInitUnicodeStringEx
memcmp
memcpy
memset
api-ms-win-core-appcompat-l1-1-1
BaseFreeAppCompatDataForProcess
BaseReadAppCompatDataForProcess
api-ms-win-core-appcompat-l1-1-0
BaseIsAppcompatInfrastructureDisabled
BaseFlushAppcompatCache
api-ms-win-core-handle-l1-1-0
CloseHandle
api-ms-win-core-file-l1-1-0
GetFileAttributesW
GetLongPathNameW
CreateFileW
SetFilePointer
GetFinalPathNameByHandleW
GetDriveTypeW
FindFirstFileW
WriteFile
FindNextFileW
FindClose
DeleteFileW
api-ms-win-core-processthreads-l1-1-1
OpenProcess
api-ms-win-core-processthreads-l1-1-0
GetCurrentThreadId
TerminateProcess
GetCurrentProcess
GetProcessTimes
GetCurrentProcessId
CreateThread
CreateProcessW
ProcessIdToSessionId
api-ms-win-core-errorhandling-l1-1-0
SetUnhandledExceptionFilter
SetLastError
UnhandledExceptionFilter
GetLastError
api-ms-win-core-sysinfo-l1-1-0
GetSystemDirectoryW
GetTickCount
GetSystemTimeAsFileTime
GetSystemWindowsDirectoryW
GetTickCount64
api-ms-win-core-profile-l1-1-0
QueryPerformanceCounter
api-ms-win-eventing-provider-l1-1-0
EventWriteTransfer
EventSetInformation
EventUnregister
EventRegister
kernel32
GetOverlappedResult
CancelIo
LocalFree
LocalAlloc
CreateToolhelp32Snapshot
Thread32First
Thread32Next
Wow64RevertWow64FsRedirection
Wow64DisableWow64FsRedirection
IsWow64Process
PackageIdFromFullName
GetPackageFullName
api-ms-win-security-base-l1-1-0
EqualSid
GetAce
GetAclInformation
GetSecurityDescriptorDacl
AllocateAndInitializeSid
api-ms-win-core-registry-l1-1-0
RegGetKeySecurity
RegCloseKey
api-ms-win-core-file-l1-2-0
GetTempPathW
api-ms-win-core-synch-l1-1-0
WaitForSingleObject
EnterCriticalSection
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
SetWaitableTimer
CreateWaitableTimerExW
InitializeCriticalSection
DeleteCriticalSection
OpenMutexW
api-ms-win-core-synch-l1-2-0
Sleep
api-ms-win-core-libraryloader-l1-2-0
GetModuleHandleExW
DisableThreadLibraryCalls
SizeofResource
GetModuleHandleW
LockResource
LoadResource
GetModuleFileNameW
GetProcAddress
LoadLibraryExW
FreeLibrary
api-ms-win-core-libraryloader-l1-2-1
FindResourceW
api-ms-win-core-processenvironment-l1-1-0
GetEnvironmentVariableW
GetCurrentDirectoryW
FreeEnvironmentStringsW
ExpandEnvironmentStringsW
GetEnvironmentStringsW
SetEnvironmentVariableW
api-ms-win-core-localization-obsolete-l1-2-0
GetUserDefaultUILanguage
api-ms-win-core-localization-l1-2-0
IsDBCSLeadByte
VerLanguageNameW
api-ms-win-core-debug-l1-1-0
DebugBreak
OutputDebugStringA
api-ms-win-core-string-l1-1-0
WideCharToMultiByte
Exports
AllowPermLayer
ApphelpCheckExe
ApphelpCheckIME
ApphelpCheckInstallShieldPackage
ApphelpCheckModule
ApphelpCheckMsiPackage
ApphelpCheckRunApp
ApphelpCheckRunAppEx
ApphelpCheckShellObject
ApphelpChpeModSettingsFromQueryResult
ApphelpCreateAppcompatData
ApphelpFixMsiPackage
ApphelpFixMsiPackageExe
ApphelpFreeFileAttributes
ApphelpGetFileAttributes
ApphelpGetMsiProperties
ApphelpGetNTVDMInfo
ApphelpGetShimDebugLevel
ApphelpIsPortMonAllowed
ApphelpParseModuleData
ApphelpQueryModuleData
ApphelpQueryModuleDataEx
ApphelpShowDialog
ApphelpUpdateCacheEntry
DWM8And16Bit_ChangeDisplaySettingsExW_CallOut
DWM8And16Bit_DirectDrawCreateEx_CallOut
DWM8And16Bit_DirectDrawCreate_CallOut
DWM8And16Bit_EnumDisplaySettingsExW_CallOut
DWM8And16Bit_IsShimApplied_CallOut
DWM8And16Bit_RestoreDisplayMode_CallOut
GetPermLayers
SE_AddHookset
SE_CALLBACK_AddHook
SE_CALLBACK_Lookup
SE_COM_AddHook
SE_COM_AddServer
SE_COM_HookInterface
SE_COM_HookObject
SE_COM_Lookup
SE_DllLoaded
SE_DllUnloaded
SE_DynamicShim
SE_GetHookAPIs
SE_GetMaxShimCount
SE_GetProcAddressForCaller
SE_GetProcAddressIgnoreIncExc
SE_GetProcAddressLoad
SE_GetShimCount
SE_GetShimId
SE_InitializeEngine
SE_InstallAfterInit
SE_InstallBeforeInit
SE_IsShimDll
SE_LdrEntryRemoved
SE_LdrResolveDllName
SE_LookupAddress
SE_LookupCaller
SE_ProcessDying
SE_ShimDPF
SE_ShimDllLoaded
SE_WINRT_AddHook
SE_WINRT_HookObject
SdbAddLayerTagRefToQuery
SdbApphelpNotify
SdbApphelpNotifyEx
SdbApphelpNotifyEx2
SdbBeginWriteListTag
SdbBuildCompatEnvVariables
SdbCloseApphelpInformation
SdbCloseDatabase
SdbCloseDatabaseWrite
SdbCloseLocalDatabase
SdbCommitIndexes
SdbCreateDatabase
SdbCreateHelpCenterURL
SdbCreateMsiTransformFile
SdbDeclareIndex
SdbDeletePermLayerKeys
SdbDumpSearchPathPartCaches
SdbEndWriteListTag
SdbEnumMsiTransforms
SdbEscapeApphelpURL
SdbFindCustomActionForPackage
SdbFindFirstDWORDIndexedTag
SdbFindFirstGUIDIndexedTag
SdbFindFirstMsiPackage
SdbFindFirstMsiPackage_Str
SdbFindFirstNamedTag
SdbFindFirstStringIndexedTag
SdbFindFirstTag
SdbFindFirstTagRef
SdbFindMsiPackageByID
SdbFindNextDWORDIndexedTag
SdbFindNextGUIDIndexedTag
SdbFindNextMsiPackage
SdbFindNextStringIndexedTag
SdbFindNextTag
SdbFindNextTagRef
SdbFormatAttribute
SdbFreeDatabaseInformation
SdbFreeFileAttributes
SdbFreeFileInfo
SdbFreeFlagInfo
SdbGUIDFromString
SdbGUIDToString
SdbGetAppCompatDataSize
SdbGetAppPatchDir
SdbGetBinaryTagData
SdbGetDatabaseGUID
SdbGetDatabaseID
SdbGetDatabaseInformation
SdbGetDatabaseInformationByName
SdbGetDatabaseMatch
SdbGetDatabaseVersion
SdbGetDllPath
SdbGetEntryFlags
SdbGetFileAttributes
SdbGetFileImageType
SdbGetFileImageTypeEx
SdbGetFileInfo
SdbGetFirstChild
SdbGetImageType
SdbGetIndex
SdbGetItemFromItemRef
SdbGetLayerName
SdbGetLayerTagRef
SdbGetLocalPDB
SdbGetMatchingExe
SdbGetMsiPackageInformation
SdbGetNamedLayer
SdbGetNextChild
SdbGetNthUserSdb
SdbGetPDBFromGUID
SdbGetPathCustomSdb
SdbGetPathSystemSdb
SdbGetPermLayerKeys
SdbGetShowDebugInfoOption
SdbGetShowDebugInfoOptionValue
SdbGetStandardDatabaseGUID
SdbGetStringTagPtr
SdbGetTagDataSize
SdbGetTagFromTagID
SdbGrabMatchingInfo
SdbGrabMatchingInfoEx
SdbInitDatabase
SdbInitDatabaseEx
SdbIsDbRuntimePlatformSupportedOnHost
SdbIsNullGUID
SdbIsStandardDatabase
SdbIsTagrefFromLocalDB
SdbIsTagrefFromMainDB
SdbLoadString
SdbMakeIndexKeyFromString
SdbOpenApphelpDetailsDatabase
SdbOpenApphelpDetailsDatabaseSP
SdbOpenApphelpInformation
SdbOpenApphelpInformationByID
SdbOpenApphelpResourceFile
SdbOpenDatabase
SdbOpenDbFromGuid
SdbOpenLocalDatabase
SdbPackAppCompatData
SdbQueryApphelpInformation
SdbQueryBlockUpgrade
SdbQueryContext
SdbQueryData
SdbQueryDataEx
SdbQueryDataExTagID
SdbQueryFlagInfo
SdbQueryFlagMask
SdbQueryName
SdbQueryReinstallUpgrade
SdbReadApphelpData
SdbReadApphelpDetailsData
SdbReadBYTETag
SdbReadBYTETagRef
SdbReadBinaryTag
SdbReadDWORDTag
SdbReadDWORDTagRef
SdbReadEntryInformation
SdbReadMsiTransformInfo
SdbReadPatchBits
SdbReadQWORDTag
SdbReadQWORDTagRef
SdbReadStringTag
SdbReadStringTagRef
SdbReadWORDTag
SdbReadWORDTagRef
SdbRegisterDatabase
SdbRegisterDatabaseEx
SdbReleaseDatabase
SdbReleaseMatchingExe
SdbResolveDatabase
SdbSetApphelpDebugParameters
SdbSetEntryFlags
SdbSetImageType
SdbSetPermLayerKeys
SdbShowApphelpDialog
SdbShowApphelpFromQuery
SdbStartIndexing
SdbStopIndexing
SdbStringDuplicate
SdbStringReplace
SdbStringReplaceArray
SdbTagIDToTagRef
SdbTagRefToTagID
SdbTagToString
SdbUnpackAppCompatData
SdbUnpackQueryResult
SdbUnregisterDatabase
SdbWriteBYTETag
SdbWriteBinaryTag
SdbWriteBinaryTagFromFile
SdbWriteDWORDTag
SdbWriteNULLTag
SdbWriteQWORDTag
SdbWriteStringRefTag
SdbWriteStringTag
SdbWriteStringTagDirect
SdbWriteWORDTag
SetPermLayerState
SetPermLayerStateEx
SetPermLayers
ShimDbgPrint
ShimDumpCache
ShimFlushCache
Sections
.text Size: 496KB - Virtual size: 495KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.data Size: 5KB - Virtual size: 7KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.idata Size: 9KB - Virtual size: 8KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 90KB - Virtual size: 89KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 23KB - Virtual size: 22KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ