apphelp.pdb
Static task: static1
Behavioral task: behavioral1
Sample: apphelp.dll
Resource: win10v2004-20240508-en
General
Target: apphelp.dll
Size: 624KB
MD5: 0a044f3b2538e48e4ccca93f175a8bb2
SHA1: e4f4afb9ca6ab44efe9b4ef9b6323a979b6af397
SHA256: 258dc55056413d6d2be9dcde5c8d9165a9e1471a8afb4ac7a14a15dcab77537d
SHA512: 6dccb2e39b10ce0a4cd354f3c64dddbacb054936cfcd060c0f4aecca6ec05ea2118ce028389f63d1112548c15f6f39bb1256541b163c342e8710b81315100bfc
SSDEEP: 12288:03UaWqLKOgjN1fYkNu12qW6rZyJfzgUgt7hKWjVHO5G:oWqLETZNj6rZqfgt7JVHO5G
Malware Config
Signatures
Unsigned PE (1 IoC)
Checks for missing Authenticode signature.
resource: apphelp.dll
Note: this rule only tests for an embedded Authenticode signature (a non-empty security data directory in the PE header). Windows-shipped system DLLs such as apphelp.dll are normally signed through the security catalog rather than with an embedded certificate, so this hit alone does not show that the file was modified. Before treating it as an IoC, compare the hashes above with the System32 copy on a clean host of the same build, or verify the file with a catalog-aware tool (Get-AuthenticodeSignature in PowerShell, or Sysinternals sigcheck).
Files
apphelp.dll.dll  windows:10  windows x86  arch:x86
217d755b86469e195085dc4439908dc9
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
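The two static checks the report performs on this file, the Unsigned PE rule from the Signatures block and the DllCharacteristics mitigation flags listed under Headers, can be reproduced with a small PE header parser. The script below is an added example; it is not part of the sandbox report or of Microsoft's apphelp.dll. It reads the DOS header, COFF header and optional header by hand, checks the security data directory (index 4) for an embedded Authenticode signature, decodes the three mitigation flags, and returns the same digests the report lists so they can be compared with a known-good copy. The image returned by build_sample_image() is constructed for the demonstration and is not the analysed file; pass a path on the command line to check a real DLL.

```python
"""Reproduce the "Unsigned PE" and DllCharacteristics checks from a sandbox report.
Added example; the sample image built below is constructed, not the real apphelp.dll."""
import hashlib
import struct

# Flag values from winnt.h
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data directory holding the Authenticode blob

MITIGATION_FLAGS = {
    "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE": IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE,
    "IMAGE_DLLCHARACTERISTICS_NX_COMPAT": IMAGE_DLLCHARACTERISTICS_NX_COMPAT,
    "IMAGE_DLLCHARACTERISTICS_GUARD_CF": IMAGE_DLLCHARACTERISTICS_GUARD_CF,
}


def parse_pe_headers(data: bytes) -> dict:
    """Return the header fields the checks need; raise ValueError for a non-PE file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _symtab, _nsyms, _optsize, file_chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: 32-bit image, as for this sample
        numrva_off, dirs_off = 92, 96
    elif magic == 0x20B:    # PE32+: 64-bit image, wider stack/heap fields shift the directories
        numrva_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in PE32 and PE32+
    num_rva = struct.unpack_from("<I", data, opt + numrva_off)[0]
    sec_off, sec_size = 0, 0
    if num_rva > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # Unlike the other directories, the security entry stores a raw file offset, not an RVA
        sec_off, sec_size = struct.unpack_from(
            "<II", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {"machine": machine, "file_characteristics": file_chars,
            "dll_characteristics": dll_chars,
            "security_dir_offset": sec_off, "security_dir_size": sec_size}


def has_embedded_authenticode(hdr: dict) -> bool:
    """The report's "Unsigned PE" rule: an empty security directory means no embedded signature.
    A catalog-signed system file also fails this test, so it is not proof of tampering."""
    return hdr["security_dir_size"] > 0


def mitigation_flags(hdr: dict) -> dict:
    return {name: bool(hdr["dll_characteristics"] & bit) for name, bit in MITIGATION_FLAGS.items()}


def file_hashes(data: bytes) -> dict:
    """Digests in the same algorithms the report lists, for comparison with a clean copy."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def build_sample_image(dll_chars: int, signature_size: int) -> bytes:
    """Constructed minimal PE32 header (no sections, no code) used to exercise the parser."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    file_chars = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_DLL
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, file_chars)  # 0x14C = i386
    opt = bytearray(224)                                               # PE32 with 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, 16)
    if signature_size:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, signature_size)
    return dos + b"PE\0\0" + coff + bytes(opt)


def triage(data: bytes) -> dict:
    """Everything the report's static section derives from the headers, in one dict."""
    hdr = parse_pe_headers(data)
    return {"embedded_signature": has_embedded_authenticode(hdr),
            "is_dll": bool(hdr["file_characteristics"] & IMAGE_FILE_DLL),
            "mitigations": mitigation_flags(hdr),
            "hashes": file_hashes(data)}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:  # no path given: run on the constructed image with the same flags as the report
        data = build_sample_image(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                                  | IMAGE_DLLCHARACTERISTICS_NX_COMPAT
                                  | IMAGE_DLLCHARACTERISTICS_GUARD_CF, 0)
    for key, value in triage(data).items():
        print(key, value)
```

On the constructed image, triage() reports no embedded signature and all three mitigations set, which matches what the report shows for this sample. Against a real file, the useful decision comes from the hashes: if they equal the System32 copy on a clean host of the same build, the Unsigned PE hit is the expected catalog-signing case; if they differ, the file warrants the full import and export review that follows.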
PDB Paths
Imports
ntdll
RtlDosPathNameToNtPathName_U
RtlRunOnceExecuteOnce
NtCreateKey
NtSetInformationKey
NtDeleteKey
ZwQueryKey
ZwEnumerateValueKey
RtlUnicodeStringToInteger
ZwSetValueKey
RtlSetEnvironmentVariable
RtlFreeAnsiString
RtlWow64GetProcessMachines
LdrFindEntryForAddress
RtlInitializeCriticalSection
RtlDeleteCriticalSection
_wtoi
strrchr
_stricmp
_vsnprintf
RtlExpandEnvironmentStrings_U
RtlLeaveCriticalSection
RtlEnterCriticalSection
RtlCaptureStackBackTrace
_vscwprintf
LdrInitShimEngineDynamic
strtok_s
NtQueryInformationProcess
strchr
atol
SbSelectProcedure
_strnicmp
RtlSubAuthorityCountSid
RtlSubAuthoritySid
RtlCreateServiceSid
RtlNtStatusToDosError
RtlEqualSid
RtlGetDaclSecurityDescriptor
RtlIdentifierAuthoritySid
RtlGetNtSystemRoot
EtwEventWriteNoRegistration
NtQueryAttributesFile
NtQueryObject
_wcsupr_s
RtlAddVectoredExceptionHandler
strcpy_s
_strlwr
strstr
_wcslwr
RtlAllocateAndInitializeSid
RtlCheckTokenMembership
RtlFreeSid
LdrLoadDll
sprintf_s
sscanf_s
LdrGetProcedureAddressEx
LdrGetProcedureAddress
RtlLengthRequiredSid
NtOpenFile
NtQuerySecurityObject
RtlGetOwnerSecurityDescriptor
RtlCompareMemory
NtProtectVirtualMemory
RtlInitializeSRWLock
LdrEnumerateLoadedModules
RtlAcquireSRWLockExclusive
RtlReleaseSRWLockExclusive
NtDeleteValueKey
RtlReleaseSRWLockShared
RtlUnwind
NtSetValueKey
RtlDoesFileExists_U
RtlCreateUnicodeString
RtlGetFileMUIPath
NtQueryInformationFile
RtlGetVersion
wcsspn
qsort
NtWriteFile
ZwQuerySystemTime
NtQueryValueKey
NtReadFile
RtlDestroyEnvironment
RtlSizeHeap
RtlSetEnvironmentVar
RtlCreateEnvironmentEx
NtCreateFile
swprintf_s
NtApphelpCacheControl
RtlImageDirectoryEntryToData
strncmp
RtlVerifyVersionInfo
VerSetConditionMask
LdrResSearchResource
RtlTimeToTimeFields
ZwMapViewOfSection
ZwUnmapViewOfSection
ZwQuerySystemInformation
RtlGetNativeSystemInformation
RtlQueryEnvironmentVariable_U
RtlNtPathNameToDosPathName
RtlpEnsureBufferSize
ZwQueryDirectoryFile
RtlReAllocateHeap
wcsncmp
RtlSecondsSince1970ToTime
ZwSetInformationProcess
ZwQueryInformationProcess
ZwCreateSection
ZwQueryInformationFile
ZwCreateFile
RtlGetFullPathName_UEx
ZwCreateKey
ZwQueryValueKey
ZwEnumerateKey
ZwOpenKey
ZwOpenFile
RtlDosPathNameToNtPathName_U_WithStatus
ZwClose
ZwQueryInformationToken
ZwOpenProcessToken
wcscat_s
wcscpy_s
RtlAppendUnicodeStringToString
wcschr
toupper
RtlUpcaseUnicodeChar
RtlUnicodeStringToAnsiString
RtlUpcaseUnicodeString
RtlInitAnsiString
RtlAnsiStringToUnicodeString
RtlxAnsiStringToUnicodeSize
RtlInitString
RtlInitUnicodeString
RtlGUIDFromString
NtClose
LdrGetDllHandle
RtlAcquireSRWLockShared
wcsstr
_wcsicmp
EtwEventRegister
EtwEventEnabled
EtwEventUnregister
memmove
NtOpenKey
RtlCaptureContext
wcsrchr
EtwEventWrite
_vsnwprintf
RtlInitAnsiStringEx
_wcsnicmp
RtlFreeHeap
RtlFreeUnicodeString
RtlDuplicateUnicodeString
RtlStringFromGUID
RtlAppendUnicodeToString
RtlCopyUnicodeString
RtlAllocateHeap
RtlFormatCurrentUserKeyPath
RtlTryEnterCriticalSection
RtlEqualString
RtlMultiByteToUnicodeN
RtlInitUnicodeStringEx
memcmp
memcpy
memset
api-ms-win-core-appcompat-l1-1-1
BaseReadAppCompatDataForProcess
BaseFreeAppCompatDataForProcess
api-ms-win-core-appcompat-l1-1-0
BaseIsAppcompatInfrastructureDisabled
BaseFlushAppcompatCache
api-ms-win-core-handle-l1-1-0
CloseHandle
api-ms-win-core-file-l1-1-0
GetFileAttributesW
WriteFile
GetLongPathNameW
GetFinalPathNameByHandleW
FindFirstFileW
SetFilePointer
FindNextFileW
GetDriveTypeW
FindClose
CreateFileW
DeleteFileW
api-ms-win-core-processthreads-l1-1-1
OpenProcess
api-ms-win-core-processthreads-l1-1-0
TerminateProcess
GetCurrentProcess
GetProcessTimes
GetCurrentProcessId
GetCurrentThreadId
CreateProcessW
CreateThread
ProcessIdToSessionId
api-ms-win-core-errorhandling-l1-1-0
SetUnhandledExceptionFilter
SetLastError
GetLastError
UnhandledExceptionFilter
api-ms-win-core-sysinfo-l1-1-0
GetTickCount
GetSystemTimeAsFileTime
GetTickCount64
GetSystemWindowsDirectoryW
GetSystemDirectoryW
api-ms-win-core-profile-l1-1-0
QueryPerformanceCounter
api-ms-win-eventing-provider-l1-1-0
EventWriteTransfer
EventSetInformation
EventUnregister
EventRegister
kernel32
LocalFree
LocalAlloc
CreateToolhelp32Snapshot
Thread32First
Thread32Next
Wow64RevertWow64FsRedirection
Wow64DisableWow64FsRedirection
IsWow64Process
PackageIdFromFullName
GetPackageFullName
api-ms-win-security-base-l1-1-0
AllocateAndInitializeSid
GetAce
GetAclInformation
GetSecurityDescriptorDacl
EqualSid
api-ms-win-core-registry-l1-1-0
RegGetKeySecurity
RegCloseKey
api-ms-win-core-file-l1-2-0
GetTempPathW
api-ms-win-core-synch-l1-1-0
WaitForSingleObject
EnterCriticalSection
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
SetWaitableTimer
CreateWaitableTimerExW
InitializeCriticalSection
DeleteCriticalSection
OpenMutexW
api-ms-win-core-synch-l1-2-0
Sleep
api-ms-win-core-libraryloader-l1-2-0
GetModuleHandleExW
SizeofResource
LockResource
LoadResource
DisableThreadLibraryCalls
GetModuleFileNameW
LoadLibraryExW
FreeLibrary
GetProcAddress
GetModuleHandleW
api-ms-win-core-libraryloader-l1-2-1
FindResourceW
api-ms-win-core-processenvironment-l1-1-0
SetEnvironmentVariableW
GetEnvironmentVariableW
FreeEnvironmentStringsW
GetCurrentDirectoryW
GetEnvironmentStringsW
ExpandEnvironmentStringsW
api-ms-win-core-localization-obsolete-l1-2-0
GetUserDefaultUILanguage
api-ms-win-core-localization-l1-2-0
IsDBCSLeadByte
VerLanguageNameW
api-ms-win-core-debug-l1-1-0
OutputDebugStringA
DebugBreak
api-ms-win-core-string-l1-1-0
WideCharToMultiByte
Exports
AllowPermLayer
ApphelpCheckExe
ApphelpCheckIME
ApphelpCheckInstallShieldPackage
ApphelpCheckModule
ApphelpCheckMsiPackage
ApphelpCheckRunApp
ApphelpCheckRunAppEx
ApphelpCheckShellObject
ApphelpChpeModSettingsFromQueryResult
ApphelpCreateAppcompatData
ApphelpFixMsiPackage
ApphelpFixMsiPackageExe
ApphelpFreeFileAttributes
ApphelpGetFileAttributes
ApphelpGetMsiProperties
ApphelpGetNTVDMInfo
ApphelpGetShimDebugLevel
ApphelpIsPortMonAllowed
ApphelpParseModuleData
ApphelpQueryModuleData
ApphelpQueryModuleDataEx
ApphelpShowDialog
ApphelpUpdateCacheEntry
DWM8And16Bit_ChangeDisplaySettingsExW_CallOut
DWM8And16Bit_DirectDrawCreateEx_CallOut
DWM8And16Bit_DirectDrawCreate_CallOut
DWM8And16Bit_EnumDisplaySettingsExW_CallOut
DWM8And16Bit_IsShimApplied_CallOut
DWM8And16Bit_RestoreDisplayMode_CallOut
GetPermLayers
SE_AddHookset
SE_CALLBACK_AddHook
SE_CALLBACK_Lookup
SE_COM_AddHook
SE_COM_AddServer
SE_COM_HookInterface
SE_COM_HookObject
SE_COM_Lookup
SE_DllLoaded
SE_DllUnloaded
SE_DynamicShim
SE_GetHookAPIs
SE_GetMaxShimCount
SE_GetProcAddressForCaller
SE_GetProcAddressIgnoreIncExc
SE_GetProcAddressLoad
SE_GetShimCount
SE_GetShimId
SE_InitializeEngine
SE_InstallAfterInit
SE_InstallBeforeInit
SE_IsShimDll
SE_LdrEntryRemoved
SE_LdrResolveDllName
SE_LookupAddress
SE_LookupCaller
SE_ProcessDying
SE_ShimDPF
SE_ShimDllLoaded
SE_WINRT_AddHook
SE_WINRT_HookObject
SdbAddLayerTagRefToQuery
SdbApphelpNotify
SdbApphelpNotifyEx
SdbApphelpNotifyEx2
SdbBeginWriteListTag
SdbBuildCompatEnvVariables
SdbCloseApphelpInformation
SdbCloseDatabase
SdbCloseDatabaseWrite
SdbCloseLocalDatabase
SdbCommitIndexes
SdbCreateDatabase
SdbCreateHelpCenterURL
SdbCreateMsiTransformFile
SdbDeclareIndex
SdbDeletePermLayerKeys
SdbDumpSearchPathPartCaches
SdbEndWriteListTag
SdbEnumMsiTransforms
SdbEscapeApphelpURL
SdbFindCustomActionForPackage
SdbFindFirstDWORDIndexedTag
SdbFindFirstGUIDIndexedTag
SdbFindFirstMsiPackage
SdbFindFirstMsiPackage_Str
SdbFindFirstNamedTag
SdbFindFirstStringIndexedTag
SdbFindFirstTag
SdbFindFirstTagRef
SdbFindMsiPackageByID
SdbFindNextDWORDIndexedTag
SdbFindNextGUIDIndexedTag
SdbFindNextMsiPackage
SdbFindNextStringIndexedTag
SdbFindNextTag
SdbFindNextTagRef
SdbFormatAttribute
SdbFreeDatabaseInformation
SdbFreeFileAttributes
SdbFreeFileInfo
SdbFreeFlagInfo
SdbGUIDFromString
SdbGUIDToString
SdbGetAppCompatDataSize
SdbGetAppPatchDir
SdbGetBinaryTagData
SdbGetDatabaseGUID
SdbGetDatabaseID
SdbGetDatabaseInformation
SdbGetDatabaseInformationByName
SdbGetDatabaseMatch
SdbGetDatabaseVersion
SdbGetDllPath
SdbGetEntryFlags
SdbGetFileAttributes
SdbGetFileImageType
SdbGetFileImageTypeEx
SdbGetFileInfo
SdbGetFirstChild
SdbGetImageType
SdbGetIndex
SdbGetItemFromItemRef
SdbGetLayerName
SdbGetLayerTagRef
SdbGetLocalPDB
SdbGetMatchingExe
SdbGetMsiPackageInformation
SdbGetNamedLayer
SdbGetNextChild
SdbGetNthUserSdb
SdbGetPDBFromGUID
SdbGetPathCustomSdb
SdbGetPathSystemSdb
SdbGetPermLayerKeys
SdbGetShowDebugInfoOption
SdbGetShowDebugInfoOptionValue
SdbGetStandardDatabaseGUID
SdbGetStringTagPtr
SdbGetTagDataSize
SdbGetTagFromTagID
SdbGrabMatchingInfo
SdbGrabMatchingInfoEx
SdbInitDatabase
SdbInitDatabaseEx
SdbIsDbRuntimePlatformSupportedOnHost
SdbIsNullGUID
SdbIsStandardDatabase
SdbIsTagrefFromLocalDB
SdbIsTagrefFromMainDB
SdbLoadString
SdbMakeIndexKeyFromString
SdbOpenApphelpDetailsDatabase
SdbOpenApphelpDetailsDatabaseSP
SdbOpenApphelpInformation
SdbOpenApphelpInformationByID
SdbOpenApphelpResourceFile
SdbOpenDatabase
SdbOpenDbFromGuid
SdbOpenLocalDatabase
SdbPackAppCompatData
SdbQueryApphelpInformation
SdbQueryBlockUpgrade
SdbQueryContext
SdbQueryData
SdbQueryDataEx
SdbQueryDataExTagID
SdbQueryFlagInfo
SdbQueryFlagMask
SdbQueryName
SdbQueryReinstallUpgrade
SdbReadApphelpData
SdbReadApphelpDetailsData
SdbReadBYTETag
SdbReadBYTETagRef
SdbReadBinaryTag
SdbReadDWORDTag
SdbReadDWORDTagRef
SdbReadEntryInformation
SdbReadMsiTransformInfo
SdbReadPatchBits
SdbReadQWORDTag
SdbReadQWORDTagRef
SdbReadStringTag
SdbReadStringTagRef
SdbReadWORDTag
SdbReadWORDTagRef
SdbRegisterDatabase
SdbRegisterDatabaseEx
SdbReleaseDatabase
SdbReleaseMatchingExe
SdbResolveDatabase
SdbSetApphelpDebugParameters
SdbSetEntryFlags
SdbSetImageType
SdbSetPermLayerKeys
SdbShowApphelpDialog
SdbShowApphelpFromQuery
SdbStartIndexing
SdbStopIndexing
SdbStringDuplicate
SdbStringReplace
SdbStringReplaceArray
SdbTagIDToTagRef
SdbTagRefToTagID
SdbTagToString
SdbUnpackAppCompatData
SdbUnpackQueryResult
SdbUnregisterDatabase
SdbWriteBYTETag
SdbWriteBinaryTag
SdbWriteBinaryTagFromFile
SdbWriteDWORDTag
SdbWriteNULLTag
SdbWriteQWORDTag
SdbWriteStringRefTag
SdbWriteStringTag
SdbWriteStringTagDirect
SdbWriteWORDTag
SetPermLayerState
SetPermLayerStateEx
SetPermLayers
ShimDbgPrint
ShimDumpCache
ShimFlushCache
Sections
.text Size: 496KB - Virtual size: 495KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.data Size: 5KB - Virtual size: 7KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.idata Size: 9KB - Virtual size: 8KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 90KB - Virtual size: 89KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 23KB - Virtual size: 22KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ