MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 065be426a2c3cd1c507830b823d0692fff540d8b7d9735909ba9440c48e3eacd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Rhadamanthys


Vendor detections: 15



SHA256 hash: 065be426a2c3cd1c507830b823d0692fff540d8b7d9735909ba9440c48e3eacd
SHA3-384 hash: 76d40dee745550238b69252431a8e599a340f586150df88130dc501ef5efdf6741dacd1317ac0afd8b88fba125e05e13
SHA1 hash: c314f9456c872d8495165153fc6c34d7025f7783
MD5 hash: 569e9ca4ee3c75384b8ddffa20783409
humanhash: dakota-beryllium-illinois-winner
File name: Sunny.exe
Download: download sample
Signature: Rhadamanthys
File size: 1'392'901 bytes
First seen: 2025-07-20 15:27:02 UTC
Last seen: 2025-07-25 14:38:24 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash bf95d1fc1d10de18b32654b123ad5e1f (327 x LummaStealer, 65 x Rhadamanthys, 25 x Vidar)
ssdeep 24576:ezZ1tmFgNciu+cPinNSckOkmdeN/OKvOcq5mVtsx9965Tgnp1iJc4BaHtG3a96uP:eZm1iu+DUckOcIfnT7965TYp1R4UYa9H
TLSH T1D95533E2A62164BFE05244F6733C45733379680F1FD8D6D625BD826AB4360D92638FD1
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 60e0bafabad8fa28 (1 x Rhadamanthys)
Reporter abuse_ch
Tags: exe Rhadamanthys

Intelligence


File Origin
# of uploads:
2
# of downloads:
21
Origin country:
SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Sunny.exe
Verdict:
Malicious activity
Analysis date:
2025-07-19 17:42:48 UTC
Tags:
auto-sch autoit auto-startup rhadamanthys shellcode

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
autoit emotet cobalt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Launching cmd.exe command interpreter
Creating a process with a hidden window
Moving a file to the %temp% directory
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Running batch commands
DNS request
Sending a custom TCP request
Possible injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
adaptive-context anti-debug blackhole installer microsoft_visual_cc overlay overlay packed
Result
Threat name:
RHADAMANTHYS
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Early bird code injection technique detected
Found malware configuration
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript called in batch mode (surpress errors)
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph (flattened from the graph image; ID: 1740544, sample: Sunny.exe, start date: 20/07/2025, architecture: WINDOWS, score: 100):
Root node
  Network: jRxgRccqvtrAiwkElmuPTjuSiopvD.jRxgRccqvtrAiwkElmuPTjuSiopvD; vault-360-nexus.com; 18 other IPs or domains
  Signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected RHADAMANTHYS Stealer; 7 other signatures
  Started: Sunny.exe; wscript.exe (x2); 5 other processes
Sunny.exe
  Dropped: C:\Users\user\AppData\Local\...\nsExec.dll (PE32)
  Started: cmd.exe; OpenWith.exe
wscript.exe (both instances)
  Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
  Started: VirtuKoala.com
cmd.exe (child of Sunny.exe)
  Dropped: C:\Users\user\AppData\Local\...\Guitars.com (PE32)
  Signatures: Uses ping.exe to sleep; Drops PE files with a suspicious file extension; Uses schtasks.exe or at.exe to add and modify task schedules; Uses ping.exe to check the status of other devices and networks
  Started: Guitars.com; extrac32.exe; conhost.exe; 6 other processes
OpenWith.exe (child of Sunny.exe)
  Network: 185.141.216.203, 49692, 8181 (GSWIFT, Turkey); cloudflare-dns.com 104.16.248.249, 443, 49691 (CLOUDFLARENET, United States); vault-360-nexus.com
  Signatures: Switches to a custom stack to bypass stack traces
  Started: OpenWith.exe
Guitars.com
  Dropped: C:\Users\user\AppData\...\VirtuKoala.com (PE32); C:\Users\user\AppData\Local\...\VirtuKoala.js (ASCII)
  Signatures: Drops PE files with a suspicious file extension; Switches to a custom stack to bypass stack traces
  Started: cmd.exe (x2); WerFault.exe
OpenWith.exe (second instance)
  Network: ntp.time.nl 94.198.159.10, 123, 49811 (SIDN, Netherlands); twc.trafficmanager.net 168.61.215.74, 123, 49811 (MICROSOFT-CORP-MSN-AS-BLOCK, United States); 5 other IPs or domains
  Signatures: Early bird code injection technique detected; Tries to harvest and steal browser information (history, passwords, etc); Maps a DLL or memory area into another process; Queues an APC in another process (thread injection)
  Started: chrome.exe (x2); msedge.exe
cmd.exe (children of Guitars.com)
  Dropped: C:\Users\user\AppData\...\VirtuKoala.url (MS)
  Started: conhost.exe (x2); schtasks.exe
chrome.exe / msedge.exe (children of OpenWith.exe)
  Started: chrome.exe (x2); msedge.exe
chrome.exe (grandchild of OpenWith.exe)
  Network: googlehosted.l.googleusercontent.com 142.250.64.65, 443, 49702, 49703 (GOOGLE, United States); 127.0.0.1 (unknown); clients2.googleusercontent.com
Verdict:
inconclusive
YARA:
6 match(es)
Tags:
AutoIt Executable NSIS Installer PE (Portable Executable) Win 32 Exe x86
Threat name:
Win32.Spyware.Rhadamanthys
Status:
Suspicious
First seen:
2025-07-18 19:58:44 UTC
File Type:
PE (Exe)
Extracted files:
25
AV detection:
17 of 36 (47.22%)
Threat level:
2/5
Result
Malware family:
rhadamanthys
Score:
10/10
Tags:
family:rhadamanthys discovery execution persistence stealer
Behaviour
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Drops startup file
Executes dropped EXE
Loads dropped DLL
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SHA256 hash:
065be426a2c3cd1c507830b823d0692fff540d8b7d9735909ba9440c48e3eacd
MD5 hash:
569e9ca4ee3c75384b8ddffa20783409
SHA1 hash:
c314f9456c872d8495165153fc6c34d7025f7783
SHA256 hash:
bb4fb924885b8d6719cb88e7f231abcbb7c2a1c69be92a12ce7bb56bed9129e3
MD5 hash:
094ae615109634f48bede4a612e36fc8
SHA1 hash:
a8b8cbf4d8a7f368b3ae53090bab40a2793657eb
SHA256 hash:
222e0cdbe022be9bb3b4ea0943036d1c8b78f29f093963a74b063737d8893709
MD5 hash:
0e6cd048a76adde6c723f8a4e01dcc6f
SHA1 hash:
6221eae90b2fac479c60c6a68785ae63bd2c806e
Detections:
AutoIT_Compiled
Parent samples:
51c317b6902b8eba36bfe0d3fd37ea678db221c01dfe9fa449ed2c901e82ae29
f72ff7d169c4c0a940667127f37701dac14b0d84374ad6e43e85ffcc726a68b3
4b47faff7b263f41d793c672180137082540566b36fc09edad7b989e69b48d99
dd5691dd8c38d6c0d5958373603fffc3e0bec43b279f1a49154ba0dec3d5deee
6d75b4922025d7859a1a5722b621b2f24de54a1a5329d0c8781839bf6255a717
33635d2e6d00ec50497def4568a33bf742a396e322498997b9524d9f2e0f38e1
6920efd832e31f0ff94436c4242f00443dc3d3df4511a6fbaa8b899767bdb001
e10dfec034a6b02f742d6ad433eb8093dcae1146c4a6770de6d6d2d5b72e2098
64d6d6f8d4b8911e0f4ba9030382ca1664d7eba8775d00544d56e2dc336208da
9252554a1b23a6176d96112dc681cbcc770ca5f145997400cdece5c1857fbcd2
badbf65775ddf265a3dd2eeb5dae28d29b13158a0a5f153bc6b80320eaae9766
d4961daaa5ad74ff738009724a37c620f29b77466128c6f9904e980a27e477db
e0a7d335923c17e8aa3a9d2a2470eab4c0c702fee4bc7ac68b8132ea3a8e9be7
cb6f2bac0167f527d2bbf2e80c1f85b0a213036ee46580a41a8df84cb3ba3682
cae777f6d88874325a18a95690fbf16b3d2ef3a3eea9872a66f9276681532321
2006e4294f495b50c83fc3af87da570cca4ba734dd070a39d216788d275ef14d
06eb897938487b4f61c9700dc16e25c588e384f0d2b1494282ed15f43c72f379
361947959afaf7e693744d24b2c6255f15d52cf5cacc8327688a6ec99c39de67
e2c59fe0739496885e68ca445bd9bca98d7ebcd4eaebdd23372458310a2b67cf
7b5d27a8c83193458095b40fec18fd1a2b210c37b98a04f457d6cb00e738abff
a23fccf55b1723554101f8fb4e1edb642fc10b751da75aff77998bff533f4c68
e248994d1e415aeb2ec170f513316130788bbb05545e5fb9f662d64f3103195b
0199f546f8bf01c87988e2842af69b624988c0f59040f4a15121e835e2c977e3
065be426a2c3cd1c507830b823d0692fff540d8b7d9735909ba9440c48e3eacd
d91fe8b3fa9a25a1ea150e318a454184c43c624052115d8e678f9b77cfc08c36
f3320e52f9ff893c6cbf220d7f4a9dddfdaaad64c1d60b7b267d22d7a078def1
1f3c77c33691626963a381711d31b2479d0aed92508e3f89a7ce88eeae49a522
0551b0aeb48adf90e5bab83569d46c866d78b2b7606c8abea03071266a4865d9
40e3105cd34d54cacd7e2559e19f1fa28e6e9ee2a09bec6a5a083262f334fa14
31c73da21862c01ecb0756a853404ea93ddf1db86ce2a6cb52ccd0ce1cfd01c3
ad8d2d36547bb6c3fd44a137948dae585b9c66f7f3e6c36adcb0fd1f6a130a37
628035c14718c064036edf3cd0fe349007bc37d22cca740f4880e2cde3a78bc7
8bbb9d145a516df1da43ecaa97efa6fd0ec63a2f7a7de4d378bf3c71282041fb
3f6af0243792dc32b9264f6001302cb782f0a98042cef498b87ea73441e0895a
6b715e8feeb3258e7b087ec2f6a49c421cfadc55af15a9cd157a6e6c34186d4d
ca96fc2d143f1c95db784f29912f41591d19db4ba92f525df7c4fa65e46f27b8
d2e01156051ad7112d93eb59632df9e67c20f32c09ace834e21746bef13dfd7e
125edb38ce9edda52a7ccace6d5d7adfd37b7e9ebfd38cf7dd072c16124bc1c3
280c766b56a8d5ae804d40c9f916593fb1b834e7b31ecf84cf85b6f28b866bad
e8f406637b174c38a8ab6a53011e3582a43d6d2beccf3c88dc843f00e6681803
e1df25e08b0d4abbfa0ff2762a8a653bb07be8feb79333a1049ed0afb68f6b2f
f1edf22002a14f6e9051114c1fe39e4d001fac227ac66789568d6cf958b104ea
445c2b7e309849a87a14d0cc4973101a774dfaaccfb39956f5d7dd664709bbc0
f9665f6f71dd641d32333f2a69609c7d6117b9901b38df9e72f0f8303192e491
08f5b86c67cd29b0ee69b4e5cb1a519c88e8bc0b529dd31cd153984a81146998
b889976d25b916ea716f7508bc9cf3139c313c29df36cf59d0a1d7bb57232585
9461f71f1624999d38d8b565c7e87a118371abfa11bb53005a800add90ff2653
53e9cb85656943c6be73087b3b43ee170f241f28638709dc5c272c890e7d663d
f8dca22fefddd91121473797629afad8182ed265d4556e48e443b1d804b8e731
782be5b43d925282bd13bf7e1505f2adc2044128cc2c222c16c44659797a97f3
63d7760f91c7129bb067776bac96ca7e7eac65f288e8a98d62a51272740a81d8
e7b70294a3acb6b76bac1cc1c3a7f01bbf5bb873c7bec447b1d516c5b2f16370
4669c2df4877615a620c08b298739d883aa874c8a8e97de3c9dc99dc34dd757c
61d434c485bcadf7a99049d0a9deba8755a37f572ad36fa7d713ce5e055d7d43
4f74c9436d6e306fee66bc786f8a4c373a7d268a60e14c51fad83b0c17e9faaa
7ef04f3a1e80ad5f4b04aae62765e89a0ac5ec8c91b0b23dbc76ca43abc227ff
0c5eae2dff6ef68137771eac539f48a2805cb18b637940783eb83e47b4a7431e
67031bdb411115a4b2fa222617c0064ac5294c28b9aa7e38fa5a84fb23548d4d
049c6830765643461e9eb7da0ae99df6046b700cd7f70572c2cd8e0053eb71a2
434d2ab1d62b64593ddb18c2b4f72947d2e78aee2c3dc4acb6d700fdcf3ae02e
23b7f89dbe25730939afb4bae4ebc99f86107b09c9842e65a51e2a7eee698a80
bd9855bea0fb4610f17220b381493b4155525c28ee9fe832fd698d78b8d9a864
cfe1a1f491591e88446d3c980f7b5d90c618946f4b5359c71f6eadda9e6eef42
d87fb4f7c8d5023adeb8d1203fa083c683e1875451a02c717b8d1b5f63215a53
dc1743c2975b3779937a38f5b5119f73c05b97fda2a453e99291521602f5c22d
a89086ac12f022d02b464b8a7493a2cb48bd043e38fa0371eac607f0f4dee5b8
a6613babd861b08bb41cf07083a4e71fba2121652d800974f14fd222bec2ef47
98cb76f26bd16bd8566285da0516f7736a5fdbcdc6129ec3a0f38bc09db6fc13
1144f6c33d9ca7c1b9b23fa1bf8d64b441f10cd1d0a35638827771cc9df5d2d3
98032e7110937432f683fe27e8eb942e885010e468d5bfacaa63fda8e63ef8f3
c666625bcef1fb5597f949257f37664390427322959c483cd16027db33db4bb7
7a24c4f86f94cd9d79aa543c58e6c079795ffedf981ebf63dd91f01532e56e01
b7fccdb3313848b8d6002a580781065ab7e8356b5f327b056aa6c9ebf7e76ae4
99b66d8309edba2ad061e5274a148288012f93a05839a99ff071fea6fe16d2a5
7b232254d4b4be67111e92f5c2e34bc331403393c2d019b31e256ca7d798cd08
b24514c4d862a8ec284f1e3b80ce7394dd68ea69b0ea3867526467a8086eba74
afa7b8bdf56270a87c326a46d11cb9ddd3880c3bbe711079753223ed01c4343b
9bfbf455319d2708851fc80207b23758debf9d2e27e79a37eab61bdce97ec77f
7d535ced79cd715cc19958b60bf36c8c1767512badbe52cd5de772794343f891
39f9313b61a51d858cd6c87914ab9750133d81901595ee83d8f722bf21bf16eb
377dbb4bb7cab67ba00659c9086ab22fe8d2adf0e8c6f23b98f456e9b62519eb
84e0c2a0b99db9bc662e25f6e33308732db054d2c2110335dcf50573d6452e03
1e53be9313b624ca36e549021df95a17b8b63e09dfe1f16813b21c8d6ce954dc
SHA256 hash:
8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af
MD5 hash:
08e9796ca20c5fc5076e3ac05fb5709a
SHA1 hash:
07971d52dcbaa1054060073571ced046347177f7
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Detect_NSIS_Nullsoft_Installer
Author: Obscurity Labs LLC
Description: Detects NSIS installers by .ndata section + NSIS header string
Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base63 encoded powershell script.
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                       | Title                                                          | Severity
CHECK_AUTHENTICODE       | Missing Authenticode                                           | high
CHECK_DLL_CHARACTERISTICS| Missing dll Security Characteristics (HIGH_ENTROPY_VA)          | high
CHECK_NX                 | Missing Non-Executable Memory Protection                       | critical
CHECK_PIE                | Missing Position-Independent Executable (PIE) Protection       | high

Reviews
ID                 | Capabilities                      | Evidence
COM_BASE_API       | Can Download & Execute components | ole32.dll::CoCreateInstance
SHELL_API          | Manipulates System Shell          | SHELL32.dll::ShellExecuteW, SHELL32.dll::SHFileOperationW, SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API  | Can Create Process and Threads    | KERNEL32.dll::CreateProcessW, KERNEL32.dll::OpenProcess, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API       | Uses Win Base API                 | KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetDiskFreeSpaceW, KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API    | Can Create Files                  | KERNEL32.dll::CopyFileW, KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileW, KERNEL32.dll::GetWindowsDirectoryW
WIN_REG_API        | Can Manipulate Windows Registry   | ADVAPI32.dll::RegCreateKeyExW, ADVAPI32.dll::RegDeleteKeyW, ADVAPI32.dll::RegOpenKeyExW, ADVAPI32.dll::RegQueryValueExW, ADVAPI32.dll::RegSetValueExW
WIN_USER_API       | Performs GUI Actions              | USER32.dll::AppendMenuW, USER32.dll::EmptyClipboard, USER32.dll::FindWindowExW, USER32.dll::OpenClipboard, USER32.dll::PeekMessageW, USER32.dll::CreateWindowExW

Comments