eXplorer[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

eXplorer.exe
Size

4.6MB
MD5

6fc1abfbb1156ae27d955930c1924492
SHA1

fb139e04ed99a5d6202eabdd243871529d57514c
SHA256

3ae77d6e6700d1f601d50b233a3e93450e053961352a9929d1df17173c5aafc9
SHA512

e5203e5ed849cf7a631d7f89f984336b0cd8ed8c6d0dc9ed50ef40a770c7d06eaf61aeda531d0fcbf55db757f83eb54c46e43a359d83ec9e50d8b5019309850f
SSDEEP

98304:bo6A3G749/X5i1uxq09CSNk+zl7ALJEsT9Mi+F3UGbQ78Rw6sbi2yBfo9pRvZvXN:U6A3G749/X5i1uxq0gSNk+zl7W9T9Mip

Score

1^/10

Malware Config

Signatures

Files

eXplorer.exe
.exe windows:10 windows x86 arch:x86

ddfebe9e8b52cb966f0ddc5be839b101

Code Sign

33:00:00:04:60:cf:42:a9:12:31:5f:6f:b3:00:00:00:00:04:60
Certificate

Issuer

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

16/11/2023, 19:20

Not After

14/11/2024, 19:20

Subject

CN=Microsoft Windows,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:07:76:56:00:00:00:00:00:08
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2010,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

19/10/2011, 18:41

Not After

19/10/2026, 18:51

Subject

CN=Microsoft Windows Production PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

a7:ce:14:95:54:03:9c:39:e0:73:91:68:f4:59:82:a6:a5:2c:3b:03:1c:26:22:e1:b8:4c:a6:76:ef:c5:ba:ce
Signer

Actual PE Digest

a7:ce:14:95:54:03:9c:39:e0:73:91:68:f4:59:82:a6:a5:2c:3b:03:1c:26:22:e1:b8:4c:a6:76:ef:c5:ba:ce

Digest Algorithm

sha256

PE Digest Matches

true

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

explorer.pdb

Imports

msvcp_win

?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
?get@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEHXZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ
?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ
?peek@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEHXZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ
?_Xbad_alloc@std@@YAXXZ
?_Xout_of_range@std@@YAXPBD@Z
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z
?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXH@Z
?_ReportUnobservedException@details@Concurrency@@YAXXZ
_Cnd_wait
?_Xinvalid_argument@std@@YAXPBD@Z
??0?$basic_iostream@GU?$char_traits@G@std@@@std@@QAE@PAV?$basic_streambuf@GU?$char_traits@G@std@@@1@@Z
??0?$basic_ios@GU?$char_traits@G@std@@@std@@IAE@XZ
?setp@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IAEXPAG00@Z
?epptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IBEPAGXZ
?setg@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IAEXPAG00@Z
?egptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IBEPAGXZ
?eback@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IBEPAGXZ
?setp@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IAEXPAG0@Z
??0?$basic_streambuf@GU?$char_traits@G@std@@@std@@IAE@XZ
?pbase@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IBEPAGXZ
?sputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QAE_JPBG_J@Z
?imbue@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAEXABVlocale@2@@Z
?setbuf@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAEPAV12@PAG_J@Z
?xsgetn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAE_JPAG_J@Z
?uflow@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAEGXZ
?showmanyc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAE_JXZ
?tolower@?$ctype@G@std@@QBEPBGPAGPBG@Z
?tolower@?$ctype@G@std@@QBEGG@Z
?xsputn@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAE_JPBG_J@Z
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z
?_Getcoll@_Locinfo@std@@QBE?AU_Collvec@@XZ
_Wcscoll
_Wcsxfrm
?id@?$collate@G@std@@2V0locale@2@A
??Bid@locale@std@@QAEIXZ
?id@?$ctype@G@std@@2V0locale@2@A
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ
??0facet@locale@std@@IAE@I@Z
??1facet@locale@std@@MAE@XZ
??0_Lockit@std@@QAE@H@Z
??0_Locinfo@std@@QAE@PBD@Z
?c_str@?$_Yarn@D@std@@QBEPBDXZ
??1_Lockit@std@@QAE@XZ
??1_Locinfo@std@@QAE@XZ
?is@?$ctype@G@std@@QBE_NFG@Z
?_Getcat@?$ctype@G@std@@SAIPAPBVfacet@locale@2@PBV42@@Z
?_Incref@facet@locale@std@@UAEXXZ
?_Init@locale@std@@CAPAV_Locimp@12@_N@Z
??1?$basic_iostream@GU?$char_traits@G@std@@@std@@UAE@XZ
?_Decref@facet@locale@std@@UAEPAV_Facet_base@3@XZ
??1?$basic_streambuf@GU?$char_traits@G@std@@@std@@UAE@XZ
?gbump@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IAEXH@Z
?pptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IBEPAGXZ
?gptr@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IBEPAGXZ
??1?$basic_ios@GU?$char_traits@G@std@@@std@@UAE@XZ
?_Lock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UAEXXZ
?tie@?$basic_ios@GU?$char_traits@G@std@@@std@@QBEPAV?$basic_ostream@GU?$char_traits@G@std@@@2@XZ
?flush@?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEAAV12@XZ
?_Unlock@?$basic_streambuf@GU?$char_traits@G@std@@@std@@UAEXXZ
?uncaught_exception@std@@YA_NXZ
?good@ios_base@std@@QBE_NXZ
?sync@?$basic_streambuf@GU?$char_traits@G@std@@@std@@MAEHXZ
?_Osfx@?$basic_ostream@GU?$char_traits@G@std@@@std@@QAEXXZ
?width@ios_base@std@@QBE_JXZ
?flags@ios_base@std@@QBEHXZ
?_Pninc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@IAEPAGXZ
?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ
?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@D@Z
?sputc@?$basic_streambuf@GU?$char_traits@G@std@@@std@@QAEGG@Z
?rdbuf@?$basic_ios@GU?$char_traits@G@std@@@std@@QBEPAV?$basic_streambuf@GU?$char_traits@G@std@@@2@XZ
?fill@?$basic_ios@GU?$char_traits@G@std@@@std@@QBEGXZ
?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PAD_J@Z
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z
?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD0@Z
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD00@Z
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD00@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z
_Thrd_yield
?_Xbad_function_call@std@@YAXXZ
?__ExceptionPtrCreate@@YAXPAX@Z
?width@ios_base@std@@QAE_J_J@Z
?__ExceptionPtrDestroy@@YAXPAX@Z
?__ExceptionPtrAssign@@YAXPAXPBX@Z
?__ExceptionPtrCopy@@YAXPAXPBX@Z
?__ExceptionPtrCurrentException@@YAXPAX@Z
?__ExceptionPtrRethrow@@YAXPBX@Z
?__ExceptionPtrCopyException@@YAXPAXPBX1@Z
_Thrd_detach
?_Throw_C_error@std@@YAXH@Z
?_Throw_Cpp_error@std@@YAXH@Z
_Thrd_join
_Thrd_id
?setstate@?$basic_ios@GU?$char_traits@G@std@@@std@@QAEXH_N@Z
_Cnd_do_broadcast_at_thread_exit
_Mtx_unlock
?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ
?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ
?_Xlength_error@std@@YAXPBD@Z
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
_Mtx_lock

api-ms-win-crt-runtime-l1-1-0

_c_exit
_initterm_e
_initterm
_set_error_mode
_register_thread_local_exe_atexit_callback

api-ms-win-crt-string-l1-1-0

memset
strncmp
wcsncmp
wcscspn

api-ms-win-crt-time-l1-1-0

_time32

api-ms-win-crt-private-l1-1-0

_o_ceil
_o_exit
_o_floor
_o_free
_o_iswspace
_o_lround
_o_lroundf
_o_malloc
_o_memcpy_s
_o_realloc
_o_terminate
_o_wcscat_s
_o_wcscpy_s
_o_wcsncpy_s
_o_wcstol
_o_wcstoll
__current_exception
__current_exception_context
_except_handler4_common
_o__wcsnicmp
_o__wcslwr_s
_o__wcsicmp
_CxxThrowException
_o__set_new_mode
_o__set_fmode
_o__set_errno
_o__set_app_type
_o__seh_filter_exe
_o__register_onexit_function
_o__recalloc
_o__purecall
_o__mktime32
_o__wtoi
_o__ltow_s
_o__localtime32
_o__itow_s
_o__itoa_s
_o_abort
_o__invalid_parameter_noinfo_noreturn
_o__invalid_parameter_noinfo
_o__initialize_wide_environment
_o__initialize_onexit_table
_o__get_wide_winmain_command_line
_o__get_errno
_o__exit
_o__errno
_o__difftime32
_o__crt_atexit
_o__controlfp_s
_o__configure_wide_argv
_o__configthreadlocale
_o__CIsqrt
_o__CIpow
_o__CIfmod
_o__cexit
_o__beginthreadex
_o___stdio_common_vswprintf
_o___stdio_common_vsnwprintf_s
_o___stdio_common_vsnprintf_s
_o___std_exception_destroy
_o___std_exception_copy
_o___p__commode
wcsrchr
wcsstr
__std_terminate
__CxxFrameHandler3

aepic

PicFreeFileInfo
PicRetrieveFileInfo

twinapi

ord9

api-ms-win-core-job-l2-1-0

AssignProcessToJobObject
OpenJobObjectW
CreateJobObjectW
QueryInformationJobObject
SetInformationJobObject

api-ms-win-core-windowserrorreporting-l1-1-3

RegisterApplicationRestart

api-ms-win-core-url-l1-1-0

PathIsURLW
HashData
UrlUnescapeW

api-ms-win-core-windowserrorreporting-l1-1-1

WerRegisterCustomMetadata
WerUnregisterCustomMetadata

api-ms-win-core-kernel32-private-l1-1-0

CheckElevation
CheckElevationEnabled

api-ms-win-core-registryuserspecific-l1-1-0

SHRegGetUSValueW
SHRegGetBoolUSValueW

api-ms-win-core-com-private-l1-1-0

CoRegisterMessageFilter
CoRevokeInitializeSpy
CoRegisterInitializeSpy

api-ms-win-core-atoms-l1-1-0

GlobalGetAtomNameW

api-ms-win-core-sidebyside-l1-1-0

CreateActCtxW
ReleaseActCtx
DeactivateActCtx
ActivateActCtx

ntdll

NtQueryWnfStateData
NtSetInformationProcess
NtQueryInformationProcess
NtOpenFile
NtDeviceIoControlFile
RtlGetVersion
ZwQuerySystemInformation
ZwQueryValueKey
ZwOpenKey
ZwClose
RtlReAllocateHeap
ZwEnumerateValueKey
ZwCreateFile
NtQueryInformationFile
RtlAppendUnicodeToString
RtlAnsiStringToUnicodeString
RtlImageDirectoryEntryToData
ZwUnmapViewOfSection
RtlNtPathNameToDosPathName
RtlUpcaseUnicodeChar
ZwCreateSection
RtlxAnsiStringToUnicodeSize
ZwQueryInformationProcess
RtlpEnsureBufferSize
RtlGetNativeSystemInformation
RtlVerifyVersionInfo
ZwQueryDirectoryFile
ZwSetInformationProcess
RtlInitUnicodeStringEx
ZwMapViewOfSection
RtlFormatCurrentUserKeyPath
ZwEnumerateKey
RtlInitString
ZwOpenFile
ZwQueryInformationFile
LdrResSearchResource
RtlReleaseSRWLockShared
RtlAcquireSRWLockShared
RtlReleaseSRWLockExclusive
RtlAcquireSRWLockExclusive
RtlInitUnicodeString
RtlUnsubscribeWnfNotificationWaitForCompletion
RtlSubscribeWnfStateChangeNotification
RtlQueryWnfStateData
RtlFlushHeaps
NtSetSystemInformation
RtlPublishWnfStateData
RtlGetDeviceFamilyInfoEnum
RtlNtStatusToDosError
strchr
memmove_s
RtlDosPathNameToNtPathName_U_WithStatus
RtlFreeUnicodeString
wcschr
RtlAllocateHeap
RtlFreeHeap
RtlCompareUnicodeString
RtlAppendUnicodeStringToString
NtOpenProcessToken
NtQueryInformationToken
NtOpenThreadToken
wcsspn
memcpy
memmove
memcmp
RtlNtStatusToDosErrorNoTeb
NtSetThreadExecutionState
RtlRunOnceExecuteOnce
NtPowerInformation
VerSetConditionMask
RtlQueryResourcePolicy
RtlCopyUnicodeString
RtlUpcaseUnicodeString
RtlQueryUnbiasedInterruptTime
NtQuerySystemInformation
RtlGetNtSystemRoot
WinSqmIsOptedIn
NtClose
WinSqmAddToStream

api-ms-win-core-libraryloader-l1-2-0

LoadStringW
FindResourceExW
LoadLibraryExW
GetModuleHandleExW
GetModuleFileNameW
FindStringOrdinal
GetModuleFileNameA
GetModuleHandleW
LoadResource
FreeLibrary
LockResource
GetProcAddress
SizeofResource
GetModuleHandleA

api-ms-win-core-synch-l1-2-0

InitOnceComplete
Sleep
InitOnceBeginInitialize
InitOnceExecuteOnce

api-ms-win-core-synch-l1-1-0

SleepEx
CreateMutexExW
AcquireSRWLockShared
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
TryEnterCriticalSection
OpenSemaphoreW
ResetEvent
InitializeCriticalSectionAndSpinCount
TryAcquireSRWLockShared
WaitForSingleObject
OpenMutexW
InitializeCriticalSectionEx
CreateMutexW
LeaveCriticalSection
ReleaseMutex
ReleaseSemaphore
EnterCriticalSection
CreateSemaphoreExW
WaitForMultipleObjectsEx
InitializeCriticalSection
InitializeSRWLock
OpenEventW
WaitForSingleObjectEx
DeleteCriticalSection
CreateEventExW
SetEvent
CreateEventW
ReleaseSRWLockShared

api-ms-win-core-heap-l1-1-0

HeapSetInformation
HeapFree
GetProcessHeap
HeapAlloc

api-ms-win-core-errorhandling-l1-1-0

RaiseException
SetLastError
GetLastError
SetUnhandledExceptionFilter
UnhandledExceptionFilter
SetErrorMode

api-ms-win-core-file-l1-1-0

GetFileAttributesW
FindClose
FindFirstFileW
DeleteFileW
CreateFileW
CompareFileTime
WriteFile
FindNextFileW
GetLongPathNameW

api-ms-win-eventing-provider-l1-1-0

EventEnabled
EventSetInformation
EventUnregister
EventRegister
EventWriteTransfer
EventActivityIdControl
EventWrite

api-ms-win-core-threadpool-l1-2-0

WaitForThreadpoolTimerCallbacks
SubmitThreadpoolWork
TrySubmitThreadpoolCallback
CloseThreadpoolTimer
CreateThreadpoolTimer
CreateThreadpoolIo
StartThreadpoolIo
CancelThreadpoolIo
WaitForThreadpoolIoCallbacks
CloseThreadpoolIo
CloseThreadpoolWait
WaitForThreadpoolWaitCallbacks
CreateThreadpoolWork
SetThreadpoolTimer
SetThreadpoolWait
CreateThreadpoolWait

api-ms-win-core-processthreads-l1-1-0

GetCurrentThread
OpenThreadToken
GetCurrentProcess
GetPriorityClass
ResumeThread
OpenThread
SetPriorityClass
GetExitCodeProcess
CreateThread
SetThreadPriority
OpenProcessToken
TerminateProcess
QueueUserAPC
DeleteProcThreadAttributeList
ProcessIdToSessionId
GetCurrentThreadId
UpdateProcThreadAttribute
InitializeProcThreadAttributeList
TlsAlloc
TlsSetValue
CreateProcessW
TlsGetValue
TlsFree
SetThreadPriorityBoost
GetStartupInfoW
ExitProcess
GetThreadPriority
SetProcessShutdownParameters
GetCurrentProcessId
GetProcessId

api-ms-win-core-localization-l1-2-0

GetLocaleInfoEx
GetCalendarInfoW
GetGeoInfoW
FormatMessageW
GetLocaleInfoW
GetThreadUILanguage

api-ms-win-core-debug-l1-1-0

IsDebuggerPresent
DebugBreak
OutputDebugStringW

api-ms-win-core-handle-l1-1-0

DuplicateHandle
CloseHandle

oleaut32

SafeArrayAccessData
SysAllocString
SafeArrayDestroy
SysStringLen
VariantInit
SysFreeString
SafeArrayUnaccessData
VariantClear
VarUI4FromStr
SysAllocStringByteLen
SafeArrayCreate

api-ms-win-shcore-taskpool-l1-1-0

SHTaskPoolGetUniqueContext
SHTaskPoolQueueTask

api-ms-win-shcore-sysinfo-l1-1-0

SetCurrentProcessExplicitAppUserModelID
IsOS

api-ms-win-core-com-l1-1-0

CoTaskMemAlloc
CoTaskMemFree
CreateStreamOnHGlobal
IIDFromString
CoGetCallContext
CoGetMalloc
CoInitializeEx
CoCancelCall
CoDisableCallCancellation
CoEnableCallCancellation
CoGetStdMarshalEx
CoCreateFreeThreadedMarshaler
CoCreateInstance
CoSetProxyBlanket
StringFromGUID2
CoGetApartmentType
CoGetObjectContext
CoReleaseMarshalData
StringFromIID
CoCreateGuid
CoUninitialize
CoWaitForMultipleHandles
CoRegisterClassObject
CLSIDFromString
CoRevokeClassObject
CoInitializeSecurity
CoFreeUnusedLibraries
CoGetInterfaceAndReleaseStream
CoTaskMemRealloc
PropVariantClear
CoMarshalInterThreadInterfaceInStream
StringFromCLSID

api-ms-win-core-shlwapi-obsolete-l1-1-0

QISearch
StrCmpW
StrCmpIW
StrChrW
StrChrIW
StrToIntW
StrCmpNICW
StrCmpICA
StrCmpICW
StrCmpNIW

api-ms-win-shcore-obsolete-l1-1-0

SHStrDupW

api-ms-win-core-registry-l1-1-0

RegCreateKeyExW
RegGetValueW
RegEnumValueW
RegQueryValueExW
RegNotifyChangeKeyValue
RegDeleteTreeW
RegDeleteKeyExW
RegEnumKeyExW
RegSetValueExW
RegOpenKeyExW
RegQueryInfoKeyW
RegDeleteValueW
RegLoadMUIStringW
RegOpenCurrentUser
RegCloseKey

api-ms-win-shcore-comhelpers-l1-1-0

IUnknown_QueryService
IUnknown_GetSite
IUnknown_Set
IUnknown_SetSite

api-ms-win-core-heap-l2-1-0

GlobalFree
LocalAlloc
GlobalAlloc
LocalReAlloc
LocalFree

api-ms-win-core-processthreads-l1-1-1

GetProcessMitigationPolicy
IsProcessorFeaturePresent
OpenProcess

api-ms-win-core-datetime-l1-1-0

GetDateFormatW

api-ms-win-core-sysinfo-l1-1-0

GetTickCount64
GetSystemDirectoryW
GetWindowsDirectoryW
GetSystemTime
GetTickCount
GetSystemTimeAsFileTime
GetLocalTime
GetVersionExW

api-ms-win-core-datetime-l1-1-1

GetDateFormatEx
GetTimeFormatEx

api-ms-win-core-processenvironment-l1-1-0

GetCurrentDirectoryW
ExpandEnvironmentStringsW
SearchPathW
SetEnvironmentVariableW
GetEnvironmentVariableW
GetCommandLineW

api-ms-win-core-shlwapi-legacy-l1-1-0

PathParseIconLocationW
PathFindExtensionW
PathQuoteSpacesW
PathGetDriveNumberW
PathFileExistsW
PathGetArgsW
PathCombineW
SHExpandEnvironmentStringsW
PathIsFileSpecW
PathCommonPrefixW
PathRemoveBlanksW
PathFindFileNameW
PathRemoveFileSpecW

api-ms-win-shcore-registry-l1-1-0

SHRegGetValueW
SHEnumKeyExW
SHSetValueW
SHGetValueW
SHDeleteKeyW
SHQueryInfoKeyW
SHDeleteValueW

api-ms-win-core-string-l1-1-0

CompareStringW
WideCharToMultiByte
MultiByteToWideChar
CompareStringOrdinal

api-ms-win-core-winrt-string-l1-1-0

WindowsDeleteStringBuffer
WindowsCompareStringOrdinal
WindowsCreateString
WindowsPreallocateStringBuffer
WindowsPromoteStringBuffer
WindowsSubstringWithSpecifiedLength
WindowsGetStringRawBuffer
WindowsDeleteString
WindowsCreateStringReference
WindowsDuplicateString

api-ms-win-shcore-thread-l1-1-0

SHSetThreadRef
SHGetThreadRef
SetProcessReference
SHCreateThreadRef
SHCreateThread

api-ms-win-core-libraryloader-l1-2-1

FindResourceW
LoadLibraryW

api-ms-win-security-base-l1-1-0

MakeAbsoluteSD
CopySid
AllocateAndInitializeSid
GetLengthSid
GetAce
DeleteAce
EqualSid
InitializeAcl
DuplicateToken
CheckTokenMembership
CreateWellKnownSid
AddAce
FreeSid
IsValidSid
GetSecurityDescriptorDacl
SetKernelObjectSecurity
GetTokenInformation
GetAclInformation

api-ms-win-core-psapi-l1-1-0

K32GetModuleFileNameExW
QueryFullProcessImageNameW
K32EnumProcessModules
K32GetModuleBaseNameW
K32EnumProcesses

api-ms-win-core-version-l1-1-0

GetFileVersionInfoSizeExW
GetFileVersionInfoExW
VerQueryValueW

api-ms-win-eventing-classicprovider-l1-1-0

UnregisterTraceGuids
TraceMessage
GetTraceEnableLevel
GetTraceLoggerHandle
RegisterTraceGuidsW
GetTraceEnableFlags

api-ms-win-core-localization-obsolete-l1-2-0

GetUserDefaultUILanguage

api-ms-win-core-string-l2-1-1

SHLoadIndirectString

api-ms-win-core-processthreads-l1-1-3

SetThreadDescription
SetProcessInformation

api-ms-win-core-registry-l1-1-1

RegSetKeyValueW

api-ms-win-core-winrt-l1-1-0

RoGetActivationFactory
RoUninitialize
RoInitialize
RoActivateInstance

api-ms-win-core-com-l1-1-1

RoGetAgileReference

api-ms-win-core-winrt-error-l1-1-0

RoTransformError
RoOriginateError
SetRestrictedErrorInfo

api-ms-win-core-winrt-error-l1-1-1

RoGetMatchingRestrictedErrorInfo

api-ms-win-core-path-l1-1-0

PathCchSkipRoot
PathCchCombine
PathCchRemoveFileSpec
PathCchAddExtension
PathAllocCombine
PathCchAppend

api-ms-win-shcore-unicodeansi-l1-1-0

SHAnsiToUnicode

api-ms-win-core-heap-obsolete-l1-1-0

GlobalUnlock
GlobalLock

api-ms-win-core-string-obsolete-l1-1-0

lstrcmpiW
lstrlenW

api-ms-win-core-memory-l1-1-0

OpenFileMappingW
VirtualFree
MapViewOfFile
VirtualAlloc
VirtualProtect
CreateFileMappingW
UnmapViewOfFile

api-ms-win-core-commandlinetoargv-l1-1-0

CommandLineToArgvW

api-ms-win-core-largeinteger-l1-1-0

MulDiv

api-ms-win-shcore-scaling-l1-1-1

GetDpiForMonitor
ord244

api-ms-win-shcore-stream-l1-1-0

IStream_Reset
SHCreateStreamOnFileW
IStream_Read
IStream_Write
SHCreateStreamOnFileEx
SHOpenRegStream2W
SHCreateMemStream

api-ms-win-core-file-l1-2-0

GetTempPathW

api-ms-win-shcore-path-l1-1-0

ord170

api-ms-win-core-threadpool-legacy-l1-1-0

UnregisterWaitEx
DeleteTimerQueueTimer
CreateTimerQueueTimer
ChangeTimerQueueTimer

api-ms-win-core-sysinfo-l1-2-0

GetProductInfo
GetNativeSystemInfo
GetSystemTimePreciseAsFileTime

api-ms-win-core-localization-l1-2-3

GetUserDefaultGeoName

userenv

GetProfileType
DeriveAppContainerSidFromAppContainerName

api-ms-win-core-timezone-l1-1-0

SystemTimeToFileTime
GetDynamicTimeZoneInformation
GetTimeZoneInformation
FileTimeToSystemTime
SystemTimeToTzSpecificLocalTime

api-ms-win-core-io-l1-1-0

CreateIoCompletionPort
CancelIoEx
GetQueuedCompletionStatus
DeviceIoControl

api-ms-win-core-file-l2-1-0

ReadDirectoryChangesW

api-ms-win-core-kernel32-legacy-l1-1-0

GetComputerNameW
GetSystemPowerStatus
RegisterWaitForSingleObject

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-interlocked-l1-1-0

InterlockedPushEntrySList
InitializeSListHead

api-ms-win-stateseparation-helpers-l1-1-0

GetPersistedRegistryLocationW

api-ms-win-security-lsalookup-l2-1-0

LookupAccountNameW

api-ms-win-core-string-l2-1-0

CharLowerBuffW
CharNextW

api-ms-win-service-management-l2-1-0

QueryServiceConfigW
NotifyServiceStatusChangeW

api-ms-win-shcore-registry-l1-1-1

SHRegGetValueFromHKCUHKLM

api-ms-win-core-errorhandling-l1-1-2

RaiseFailFastException

api-ms-win-core-stringansi-l1-1-0

CharNextA

api-ms-win-power-base-l1-1-0

CallNtPowerInformation
GetPwrCapabilities

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

api-ms-win-shlwapi-winrt-storage-l1-1-1

StrRetToStrW
SHIsChildOrSelf
ord478
ord481
StrRetToBufW
AssocQueryStringW
ord544
SHPinDllOfCLSID
ord165
ord292
ord479
PathRemoveArgsW
SHCreateWorkerWindowW
ord279
ord635
ShellMessageBoxW
IUnknown_GetWindow
ord197
ord509

api-ms-win-ntuser-sysparams-l1-1-0

GetDisplayConfigBufferSizes
QueryDisplayConfig
EnumDisplayMonitors
GetSystemMetrics
GetMonitorInfoW
EnumDisplayDevicesW
SystemParametersInfoW

api-ms-win-ntuser-rectangle-l1-1-0

IntersectRect
IsRectEmpty
CopyRect
SubtractRect
UnionRect
PtInRect
OffsetRect
SetRectEmpty
EqualRect
SetRect
InflateRect

api-ms-win-rtcore-ntuser-winevent-l1-1-0

NotifyWinEvent
UnhookWinEvent
SetWinEventHook

api-ms-win-shell-namespace-l1-1-0

ILIsParent
ILCombine
ILIsEqual
SHGetNameFromIDList
ILClone
ILGetSize
ILFree
ILFindLastID
SHBindToParent
SHGetIDListFromObject
SHBindToObject
ILCloneFirst
ILRemoveLastID
SHBindToFolderIDListParent
SHParseDisplayName
SHCreateItemFromIDList
SHCreateItemFromParsingName

dxgi

DXGIDeclareAdapterRemovalSupport

api-ms-win-rtcore-ntuser-wmpointer-l1-1-0

EnableMouseInPointer
GetPointerInfo
GetPointerDevices
GetCurrentInputMessageSource
GetPointerType

api-ms-win-storage-exports-internal-l1-1-0

GetThreadFlags
SHGetKnownFolderIDList
SetThreadFlags
SHGetFolderPathEx

api-ms-win-rtcore-ntuser-synch-l1-1-0

MsgWaitForMultipleObjects
MsgWaitForMultipleObjectsEx

api-ms-win-appmodel-runtime-l1-1-0

GetPackagesByPackageFamily
GetPackageFullName

api-ms-win-rtcore-ntuser-wmpointer-l1-1-2

SetWindowFeedbackSetting

api-ms-win-rtcore-ntuser-clipboard-l1-1-0

RegisterClipboardFormatW

api-ms-win-shell-dataobject-l1-1-1

DragQueryFileW

api-ms-win-rtcore-ntuser-private-l1-1-0

GetWindowBand
CreateWindowInBand

api-ms-win-rtcore-ntuser-powermanagement-l1-1-0

UnregisterPowerSettingNotification
RegisterPowerSettingNotification

api-ms-win-shell-changenotify-l1-1-1

SHChangeNotification_Unlock
SHHandleUpdateImage
SHChangeNotifyRegister
SHChangeNotifyDeregister
SHChangeNotification_Lock
SHChangeNotifyRegisterThread

propsys

PSPropertyBag_WriteStr
PropVariantToBoolean
PSCreateMemoryPropertyStore
PropVariantToUInt32
PSGetPropertyFromPropertyStorage
InitVariantFromResource
InitVariantFromGUIDAsString
PSPropertyBag_WriteDWORD
PropVariantToStringAlloc

api-ms-win-shell-changenotify-l1-1-0

SHChangeNotify

api-ms-win-shell-dataobject-l1-1-0

SHCreateDataObject

api-ms-win-appmodel-runtime-l1-1-1

ParseApplicationUserModelId
FindPackagesByPackageFamily

wtsapi32

WTSUnRegisterSessionNotification
WTSRegisterSessionNotification

gdi32

CreateRectRgnIndirect
StretchBlt
DeleteDC
CreateCompatibleDC
SelectObject
GetClipBox
GetCurrentObject
ExcludeClipRect
GetGlyphOutlineW
SetStretchBltMode
GetTextExtentPoint32W
GetDeviceCaps
GetStockObject
CreateRectRgn
SetRectRgn
OffsetRgn
CombineRgn
DeleteObject
SelectClipRgn
GetObjectW
GetClipRgn
GetOutlineTextMetricsW
ExtTextOutW
GetTextMetricsW
SetTextAlign
SetTextColor
CreateFontIndirectW
Rectangle

kernel32

SetProcessDEPPolicy
IsBadWritePtr
GetModuleHandleExA
HeapDestroy
HeapReAlloc
HeapSize

api-ms-win-core-rtlsupport-l1-2-0

RtlCompareMemory

wininet

InternetCrackUrlW

shcore

ord187
ord186
ord162
ord123
ord191
ord190
ord121
ord174
ord109
ord126
ord183
ord192
ord1
SHUnicodeToAnsi
ord141
ord142
ord200
ord184

shell32

ord907
ord43
ord723
Shell_GetCachedImageIndexW
ord790
ord792
ord727
ord162
SHAppBarMessage
ord894
ord906
ord181
ord895
SHGetLocalizedName
SHGetPropertyStoreForWindow
ord764
ord866
ord244
ExtractIconExW
ord132
ord137
Shell_NotifyIconW
Shell_NotifyIconGetRect
ord6
SHGetStockIconInfo
DuplicateIcon
ShellExecuteW
ord91
ord254
ord54
SHEnableServiceObject
ord61
ord896
SHAddToRecentDocs
ord60
SHUpdateRecycleBinIcon
ord711
SHFileOperationW
SHGetPathFromIDListW
ord753
ord733
ord67
SHCreateItemInKnownFolder
ord206
ord201
ord188
ord899
ShellExecuteExW
ord245
ord200
ord89
ord190
ord85
ord100
ord743
ord134
ord22
ord850
ord95
ord885
ord680
ord172
SHEvaluateSystemCommandTemplate

shlwapi

ord164
PathIsDirectoryW
ord413
ord548
ord163
ord467
AssocQueryKeyW
ChrCmpIW
AssocCreate
PathIsRelativeW

uxtheme

EndBufferedPaint
BufferedPaintUnInit
GetWindowTheme
SetWindowTheme
GetThemeMetric
BeginBufferedPaint
DrawThemeParentBackground
GetThemeColor
DrawThemeBackground
GetThemeInt
ord86
GetBufferedPaintBits
CloseThemeData
BufferedPaintInit
IsThemeActive
GetThemePartSize
DrawThemeTextEx
ord126
IsCompositionActive
BufferedPaintSetAlpha
ord138
GetThemeMargins
OpenThemeDataForDpi
OpenThemeData
GetThemeBool
GetThemeBackgroundExtent
IsThemePartDefined
IsAppThemed
GetThemeFont

dwmapi

ord124
ord139
DwmEnableBlurBehindWindow
DwmUnregisterThumbnail
ord113
DwmSetWindowAttribute
ord141
DwmUpdateThumbnailProperties
DwmIsCompositionEnabled
DwmQueryThumbnailSourceSize
ord159
DwmGetWindowAttribute
ord114
ord138
DwmRegisterThumbnail
ord140

user32

TrackMouseEvent
SetCapture
GetCapture
ReleaseCapture
GetDoubleClickTime
CalculatePopupWindowPosition
CopyIcon
GetLastInputInfo
GetCursorFrameInfo
AdjustWindowRect
GetDpiForWindow
SetWindowCompositionAttribute
DestroyIcon
CopyImage
GetSysColor
GetCaretBlinkTime
InjectKeyboardInput
LockWorkStation
TileWindows
CascadeWindows
HungWindowFromGhostWindow
LoadIconW
IsIconic
GetKeyState
ExitWindowsEx
EndDialog
SendDlgItemMessageW
RegisterHotKey
GetSystemMetricsForDpi
GetLastActivePopup
SwitchToThisWindow
ord2574
IsHungAppWindow
AdjustWindowRectEx
GetDC
ReleaseDC
CreatePopupMenu
GetMenuDefaultItem
DestroyMenu
LoadCursorW
SetCursor
SetMenuItemInfoW
MonitorFromWindow
MapVirtualKeyExW
SendInput
SetDesktopColorTransform
UnregisterClassA
DefWindowProcA
IsWindowUnicode
LoadAcceleratorsW
ord2005
SetGestureConfig
LoadImageW
CheckMenuItem
EnableMenuItem
UnregisterHotKey
RemoveMenu
SetMenuDefaultItem
InjectMouseInput
DeleteMenu
FillRect
DrawTextW
GetGuiResources
LoadMenuW
GetSubMenu
CreateIconIndirect
GetMenuItemCount
GetMenuItemInfoW
MonitorFromPoint
ReplyMessage
GetAsyncKeyState
ModifyMenuW
ChangeWindowMessageFilterEx
TranslateAcceleratorW
GetSystemMenu
GetSysColorBrush
SetLayeredWindowAttributes
GetIconInfoExW
GetIconInfo
GetClassWord
GetClassLongW
GetPhysicalCursorPos
GetCursorInfo
ShowWindowAsync
InsertMenuW
BringWindowToTop
ord2573
GhostWindowFromHungWindow
EndTask
IsTopLevelWindow
ord2611
GetMenuState
SetScrollInfo
GetScrollInfo
SetScrollPos
GetMenuStringW
InternalGetWindowText
GetLayeredWindowAttributes
DrawTextExW
IsProcessDPIAware
DrawIconEx
SetThreadDpiAwarenessContext
MonitorFromRect
GetWindowCompositionAttribute
GetWindowProcessHandle
UpdateLayeredWindow
ord2521
UnregisterClassW
ord2522
WindowFromDC
GetMenuInfo
SetMenuInfo
GetDpiForSystem
GetWindowDpiAwarenessContext
AreDpiAwarenessContextsEqual
CharLowerW
IsCharAlphaNumericW
TrackPopupMenuEx

sspicli

GetUserNameExW

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-localization-l1-2-2

LCIDToLocaleName

api-ms-win-core-kernel32-legacy-l1-1-1

PowerSetRequest
VerifyVersionInfoW
PowerCreateRequest

api-ms-win-oobe-notification-l1-1-0

OOBEComplete

api-ms-win-core-file-l2-1-2

CopyFileW

api-ms-win-core-kernel32-legacy-l1-1-2

SetTermsrvAppInstallMode

api-ms-win-shell-shdirectory-l1-1-0

ord292

api-ms-win-eventing-controller-l1-1-0

StartTraceW
EnableTraceEx2
StopTraceW

api-ms-win-core-job-l1-1-0

IsProcessInJob

rpcrt4

RpcBindingFromStringBindingW
RpcStringBindingComposeW
I_RpcExceptionFilter
RpcBindingSetAuthInfoExW
NdrClientCall2
RpcBindingFree
RpcStringFreeW

api-ms-win-appmodel-runtime-l1-1-3

GetStagedPackagePathByFullName2

api-ms-win-core-biptcltapi-l1-1-7

BiPtEnumerateWorkItemsForPackageName
BiPtAssociateApplicationEntryPoint
BiPtFreeMemory
BiPtQueryWorkItem

api-ms-win-appmodel-unlock-l1-1-0

IsDeveloperModeEnabled

api-ms-win-rtcore-ntuser-shell-l1-1-0

GetShellWindow

api-ms-win-ro-typeresolution-l1-1-1

RoCreatePropertySetSerializer

combase

SetErrorInfo
GetErrorInfo

Exports

Exports

g_trayTriageBlock

Sections

.text
Size: 3.2MB - Virtual size: 3.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.imrsiv
Size: - Virtual size: 4B

IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 8KB - Virtual size: 21KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 41KB - Virtual size: 40KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 1.2MB - Virtual size: 1.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 139KB - Virtual size: 139KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

ddfebe9e8b52cb966f0ddc5be839b101

Code Sign

33:00:00:04:60:cf:42:a9:12:31:5f:6f:b3:00:00:00:00:04:60Certificate

Extended Key Usages

61:07:76:56:00:00:00:00:00:08Certificate

Key Usages

a7:ce:14:95:54:03:9c:39:e0:73:91:68:f4:59:82:a6:a5:2c:3b:03:1c:26:22:e1:b8:4c:a6:76:ef:c5:ba:ceSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcp_win

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-private-l1-1-0

aepic

twinapi

api-ms-win-core-job-l2-1-0

api-ms-win-core-windowserrorreporting-l1-1-3

api-ms-win-core-url-l1-1-0

api-ms-win-core-windowserrorreporting-l1-1-1

api-ms-win-core-kernel32-private-l1-1-0

api-ms-win-core-registryuserspecific-l1-1-0

api-ms-win-core-com-private-l1-1-0

api-ms-win-core-atoms-l1-1-0

api-ms-win-core-sidebyside-l1-1-0

ntdll

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-synch-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-eventing-provider-l1-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

oleaut32

api-ms-win-shcore-taskpool-l1-1-0

api-ms-win-shcore-sysinfo-l1-1-0

api-ms-win-core-com-l1-1-0

api-ms-win-core-shlwapi-obsolete-l1-1-0

api-ms-win-shcore-obsolete-l1-1-0

api-ms-win-core-registry-l1-1-0

api-ms-win-shcore-comhelpers-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-processthreads-l1-1-1

api-ms-win-core-datetime-l1-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-datetime-l1-1-1

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-shlwapi-legacy-l1-1-0

api-ms-win-shcore-registry-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-winrt-string-l1-1-0

api-ms-win-shcore-thread-l1-1-0

api-ms-win-core-libraryloader-l1-2-1

api-ms-win-security-base-l1-1-0

api-ms-win-core-psapi-l1-1-0

api-ms-win-core-version-l1-1-0

api-ms-win-eventing-classicprovider-l1-1-0

api-ms-win-core-localization-obsolete-l1-2-0

api-ms-win-core-string-l2-1-1

api-ms-win-core-processthreads-l1-1-3

api-ms-win-core-registry-l1-1-1

api-ms-win-core-winrt-l1-1-0

api-ms-win-core-com-l1-1-1

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-winrt-error-l1-1-1

api-ms-win-core-path-l1-1-0

api-ms-win-shcore-unicodeansi-l1-1-0

33:00:00:04:60:cf:42:a9:12:31:5f:6f:b3:00:00:00:00:04:60
Certificate

61:07:76:56:00:00:00:00:00:08
Certificate

a7:ce:14:95:54:03:9c:39:e0:73:91:68:f4:59:82:a6:a5:2c:3b:03:1c:26:22:e1:b8:4c:a6:76:ef:c5:ba:ce
Signer