MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 794ec24e28f6351c9ad2c04101d774e9763f4f444cfb7c15da782922c6f07e69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MimiKatz


Vendor detections: 14


Intelligence 14 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 794ec24e28f6351c9ad2c04101d774e9763f4f444cfb7c15da782922c6f07e69
SHA3-384 hash: 5fab9c8b4e9ebf6a994804be46aa862de084dce6d3e384d1cbce670df743e90b3de1c2936a6ddc633e1a87b0d387303c
SHA1 hash: ea872c3ecd14e55ec4b013278aed286b0da9e1ed
MD5 hash: 791a88d0cafa95f8fa4a548f242f032a
humanhash: four-mango-nineteen-mexico
File name:794ec24e28f6351c9ad2c04101d774e9763f4f444cfb7c15da782922c6f07e69
Download: download sample
Signature MimiKatz
Create hunting rule
File size:1'269'760 bytes
First seen:2024-11-18 13:05:20 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 6718574bfa82ab04bcaf82fa9136fc6c (6 x MimiKatz)
ssdeep 24576:wTuZCN0qRwoDFGMmtci8l8cq1PXv0uM5GrkQPXHMtR1tD1bqtT6RqK0Xcda:PgZrLsT6a
Threatray 120 similar samples on MalwareBazaar
TLSH T1C9455B43E2764CA3D7D80034DC6AE7B677347A1C97F786737280EDDAB5A22907D2421A
TrID 33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
21.3% (.EXE) Win64 Executable (generic) (10522/11/4)
13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter JAMESWT_WT
Tags:103-45-64-91 dll mimikatz

Intelligence

File Origin
# of uploads :
1
# of downloads :
425
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
Win.Dropper.Gh0stRAT-7696262-0
Create hunting rule

Win.Trojan.Zegost-9763840-0
Create hunting rule

Win.Trojan.Magania-9773343-0
Create hunting rule

Win.Dropper.Gh0stRAT-9856137-0
Create hunting rule

Win.Trojan.Razy-9938962-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673b3cf180d21948b032708f
Tags:
zegost farfli madi
Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Creating a file
Modifying a system executable file
Infecting executable files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd evasive explorer hidden keylogger lolbin microsoft_visual_cc mimikatz overlay packed rat rundll32 schtasks
Link:
https://www.filescan.io/uploads/673b3bd7cf518b05e0bffb7e/reports/562344c1-4bac-4b2e-b527-23543df1c156/overview
Verdict:
Malicious
Labled as:
KillMBR.A.Generic
Link:
https://www.hybrid-analysis.com/sample/794ec24e28f6351c9ad2c04101d774e9763f4f444cfb7c15da782922c6f07e69
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e50feae5-4149-4784-b19d-adba336af56e
Result
Threat name:
GhostRat, Mimikatz, Nitol
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1557663
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Checks if browser processes are running
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to modify windows services which are used for security filtering and protection
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Yara detected GhostRat
Yara detected Mimikatz
Yara detected Nitol
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1557663 Sample: V6bBcEdp5a.dll Startdate: 18/11/2024 Architecture: WINDOWS Score: 100 40 Malicious sample detected (through community Yara rule) 2->40 42 Antivirus / Scanner detection for submitted sample 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 6 other signatures 2->46 9 loaddll32.exe 1 2->9         started        process3 signatures4 48 Found evasive API chain (may stop execution after checking mutex) 9->48 50 Contains functionality to automate explorer (e.g. start an application) 9->50 52 Contains functionality to infect the boot sector 9->52 54 4 other signatures 9->54 12 rundll32.exe 1 9->12         started        15 cmd.exe 1 9->15         started        17 conhost.exe 9->17         started        process5 signatures6 56 Found evasive API chain (may stop execution after checking mutex) 12->56 58 Contains functionality to automate explorer (e.g. start an application) 12->58 60 Contains functionality to infect the boot sector 12->60 62 3 other signatures 12->62 19 cmd.exe 2 12->19         started        21 cmd.exe 12->21         started        23 rundll32.exe 1 15->23         started        process7 file8 26 conhost.exe 19->26         started        28 conhost.exe 21->28         started        38 C:\Users\Public\Documents\MM\svchos1.exe, PE32 23->38 dropped 30 cmd.exe 23->30         started        32 cmd.exe 23->32         started        process9 process10 34 conhost.exe 30->34         started        36 conhost.exe 32->36         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/794ec24e28f6351c9ad2c04101d774e9763f4f444cfb7c15da782922c6f07e69
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/794ec24e28f6351c9ad2c04101d774e9763f4f444cfb7c15da782922c6f07e69/
Threat name:
Win32.Downloader.GhostRAT
Create hunting rule
Status:
Malicious
First seen:
2024-11-09 11:59:02 UTC
File Type:
PE (Dll)
Extracted files:
2
AV detection:
27 of 38 (71.05%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pfhmetri6y2rzgwsybaqdv3u5f3d6t2ejt5xyfo2pausfrxqpzuq._file
Verdict:
malicious
Label(s):
gh0strat
Create hunting rule
Similar samples:
57eff460128e65204d46aa5a0012f8ba4758fa76a74d9dabe5d4b4b0bd1b11cc
MimiKatz
5cc140e5dc2a73a4e5f3c1f728257b3a8398e7523a44c449c58efc347fbc9a91
MimiKatz
794ec24e28f6351c9ad2c04101d774e9763f4f444cfb7c15da782922c6f07e69
MimiKatz
7b3863ca9121435fcc8f0c4bdd7dfe0592aa2be0ec8a09da2166a4c0d17e5632
MimiKatz
cebf76deabb47efe7ad3769c0586815d1d45e2ef9718057de77abb46b554f6f4
MimiKatz
d8162221ce6d607b5fe77565f53c5310bfaff050b0c26abe2ca9b9ebdb9ad51f
MimiKatz
error
MimiKatz
f036b3031238597750e077c2d03b2bc41d089f9db461244059db8485fac28e63
MimiKatz
+ 110 additional samples on MalwareBazaar
Result
Malware family:
purplefox
Create hunting rule
Score:
  10/10
Tags:
family:gh0strat family:purplefox discovery rootkit
Link:
https://tria.ge/reports/241118-qb3wzsxaqd/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Unpacked files
SH256 hash:
6cce28b275d5ec20992bb13790976caf434ab46ddbfd5cfd431d33424943122b
MD5 hash:
4e34c068e764ad0ff0cb58bc4f143197
SHA1 hash:
1a392a469fc8c65d80055c1a7aaee27bf5ebe7c4
Detections:
Hidden
Create hunting rule
cert_blocklist_5f78149eb4f75eb17404a8143aaeaed7
Create hunting rule
INDICATOR_TOOL_RTK_HiddenRootKit
Create hunting rule
Link:
https://www.unpac.me/results/2f8aa92a-99e0-41de-b596-e8a10811be81/
Parent samples :
364b087a1916c5f13675449a4470763adebd4977fc21ea2169d8d67b11e83ba7
089f7f88c1d64dcebf1042f481f17a7fb1fe6fc095cb5c9e10bbcb3f36a629ab
acb615b72532d8020f1fa9afa65c44bd67caa1ec83f39f4b029287e70c344d0b
37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad
3730e600a60fed05d20e23e9340e37e5f5f072e6d4801150326ff4e2a4fdb4c5
d3af6e62ef3ce968da90beb9be44b04948b996c3dda893ba425a1147eb7696ad
765e42948327b849c172f8c70617af6007e7f126c17bb56f490c10e12aa20492
dbaedcc548579a20fab98b28992301084fe27e91460fbdb2a6e00df5e58f52fe
e119f126968b206ebfbf49923c1aac3dbe948461ff38d9f638b6cdf12ff47560
502459f1d4325d917bf46a104cbc3255c29b88a787cd9f930462cfa1002134fd
fe8954c55b06912419f62ae4c04e19ba8d16a8d5098c28dfcc3c6ef04a154f49
ad7a76c684f1bd1910142d97a01fd6373a05872a0aefd213cf85e891428fdcc7
e65ce5d4d20836181fbc041ca28853c89946013e1ab7fcd7e0bb58442f274e0d
6d74ed0eda4cf7f7edb2f8982cc706e84a402008fc74f442d898da7d6be05143
0fca043ce6592269f8463ec4c803eabb3d09ff412401521090513e8310463fdb
179dab5fc5a32307466541f88cfc1992cb96664218711f6d525586976c9d44ad
f17af5296ff826f4199381574dccb3dcb8a5deeb811e40929f95c722ab70aeb7
9740fb71580a1e6809c694ebd1aa132e76d0dc985dbc0721ae6590f3bf5ed19b
1d83bdba4198a28193b93de0f88fa79bb7ff17249b54654c07cb11a27e708644
d8162221ce6d607b5fe77565f53c5310bfaff050b0c26abe2ca9b9ebdb9ad51f
cebf76deabb47efe7ad3769c0586815d1d45e2ef9718057de77abb46b554f6f4
794ec24e28f6351c9ad2c04101d774e9763f4f444cfb7c15da782922c6f07e69
48956128660f7a745aa918eac38e5baacdae1bc0809503f2a2c3f2b79507e3ff
f036b3031238597750e077c2d03b2bc41d089f9db461244059db8485fac28e63
57eff460128e65204d46aa5a0012f8ba4758fa76a74d9dabe5d4b4b0bd1b11cc
613a829a972efe001e9f1a4e067b560db96acd44161d91d6daf5d6489f686938
94beb32181e321ef10e85ee652f1ef1e602c252d6c7d4593c556a6bfcec1d4f0
fda844b16b91a38417af25d13bd0992c3344de12ebcd0283732a3e0a6e91811d
bef42fdae71eff14767b54c660a42d7ab6fedf56ce74f8faa304a0e1b526fe4a
a2b98d6820777aaacdb0646a2836b3ebc809b3fe9eef65d201e2ff343580721c
0cb5c8e6987f74a213353851dc12b7b3a08130fd5ebb18f4455c659e8f46442f
b9d338ff7f7d63d28c765007e9e150b3c30a9acac1e16bfd0317d375b4fc6166
df60b74ff96bb320d1cf8d1a511c56bae2ca8d94ebb6566eca7b51c3521c0171
394ed5e270bb760bee2b5ffea56421afb2a22aff35d78d29da92842f606b8d53
9c0116c29d031bc42faaa5e312c7c6b99378ed115b069b2d6c2d228ae563375b
76a236349c0820e4dfba81e3382e50833ee238452c0c271d6a0cf83b4fcca235
1b6b8aa0a500b965193144be54ffe030e84f8e2936c3e92d4a2b05a8759944d3
2090bdae4d49cc0a20526b8d57c5928500eadab334764b89810e0b08f907308a
1a7fefa02913c1054e4f0e82c9de74e2fb526bd4a589e861fb4f7f57b31ef9c8
00c1314504b05c7fc7cc7280405f31165b9722c704520afef26aa88ff566b871
1fe21e70078942fa8dc7bccb5362e86b0e6340c533eb8e01b59e34a0dd61bd05
c0839998e41d029efd4bb304440cd029acf32ce8f541be6f813c5c4d935e9350
1f8cdb119164550161cddba78f7d30f36cd3304dc4c127c37b15d3030b743b4b
SH256 hash:
cac7320c0c27c473855ed825988a8c091c9d7fb822f4b9eff946861ee1eb8f47
MD5 hash:
0d92b5f7a0f338472d59c5f2208475a3
SHA1 hash:
088d253bb23f6222dcaf06f7a2430e3a059a35e7
Detections:
Hidden
Create hunting rule
cert_blocklist_5f78149eb4f75eb17404a8143aaeaed7
Create hunting rule
INDICATOR_TOOL_RTK_HiddenRootKit
Create hunting rule
Link:
https://www.unpac.me/results/2f8aa92a-99e0-41de-b596-e8a10811be81/
Parent samples :
364b087a1916c5f13675449a4470763adebd4977fc21ea2169d8d67b11e83ba7
089f7f88c1d64dcebf1042f481f17a7fb1fe6fc095cb5c9e10bbcb3f36a629ab
acb615b72532d8020f1fa9afa65c44bd67caa1ec83f39f4b029287e70c344d0b
37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad
3730e600a60fed05d20e23e9340e37e5f5f072e6d4801150326ff4e2a4fdb4c5
d3af6e62ef3ce968da90beb9be44b04948b996c3dda893ba425a1147eb7696ad
765e42948327b849c172f8c70617af6007e7f126c17bb56f490c10e12aa20492
dbaedcc548579a20fab98b28992301084fe27e91460fbdb2a6e00df5e58f52fe
e119f126968b206ebfbf49923c1aac3dbe948461ff38d9f638b6cdf12ff47560
502459f1d4325d917bf46a104cbc3255c29b88a787cd9f930462cfa1002134fd
fe8954c55b06912419f62ae4c04e19ba8d16a8d5098c28dfcc3c6ef04a154f49
ad7a76c684f1bd1910142d97a01fd6373a05872a0aefd213cf85e891428fdcc7
e65ce5d4d20836181fbc041ca28853c89946013e1ab7fcd7e0bb58442f274e0d
6d74ed0eda4cf7f7edb2f8982cc706e84a402008fc74f442d898da7d6be05143
0fca043ce6592269f8463ec4c803eabb3d09ff412401521090513e8310463fdb
179dab5fc5a32307466541f88cfc1992cb96664218711f6d525586976c9d44ad
f17af5296ff826f4199381574dccb3dcb8a5deeb811e40929f95c722ab70aeb7
9740fb71580a1e6809c694ebd1aa132e76d0dc985dbc0721ae6590f3bf5ed19b
1d83bdba4198a28193b93de0f88fa79bb7ff17249b54654c07cb11a27e708644
d8162221ce6d607b5fe77565f53c5310bfaff050b0c26abe2ca9b9ebdb9ad51f
cebf76deabb47efe7ad3769c0586815d1d45e2ef9718057de77abb46b554f6f4
794ec24e28f6351c9ad2c04101d774e9763f4f444cfb7c15da782922c6f07e69
48956128660f7a745aa918eac38e5baacdae1bc0809503f2a2c3f2b79507e3ff
f036b3031238597750e077c2d03b2bc41d089f9db461244059db8485fac28e63
57eff460128e65204d46aa5a0012f8ba4758fa76a74d9dabe5d4b4b0bd1b11cc
613a829a972efe001e9f1a4e067b560db96acd44161d91d6daf5d6489f686938
94beb32181e321ef10e85ee652f1ef1e602c252d6c7d4593c556a6bfcec1d4f0
fda844b16b91a38417af25d13bd0992c3344de12ebcd0283732a3e0a6e91811d
bef42fdae71eff14767b54c660a42d7ab6fedf56ce74f8faa304a0e1b526fe4a
a2b98d6820777aaacdb0646a2836b3ebc809b3fe9eef65d201e2ff343580721c
0cb5c8e6987f74a213353851dc12b7b3a08130fd5ebb18f4455c659e8f46442f
b9d338ff7f7d63d28c765007e9e150b3c30a9acac1e16bfd0317d375b4fc6166
df60b74ff96bb320d1cf8d1a511c56bae2ca8d94ebb6566eca7b51c3521c0171
394ed5e270bb760bee2b5ffea56421afb2a22aff35d78d29da92842f606b8d53
9c0116c29d031bc42faaa5e312c7c6b99378ed115b069b2d6c2d228ae563375b
76a236349c0820e4dfba81e3382e50833ee238452c0c271d6a0cf83b4fcca235
1b6b8aa0a500b965193144be54ffe030e84f8e2936c3e92d4a2b05a8759944d3
2090bdae4d49cc0a20526b8d57c5928500eadab334764b89810e0b08f907308a
1a7fefa02913c1054e4f0e82c9de74e2fb526bd4a589e861fb4f7f57b31ef9c8
00c1314504b05c7fc7cc7280405f31165b9722c704520afef26aa88ff566b871
1fe21e70078942fa8dc7bccb5362e86b0e6340c533eb8e01b59e34a0dd61bd05
580e6c64ba71bf32dc63c34204dc48d17ff8de949c916f101e89472222b41a88
19e59830b3b6742b26575bc2b1ec3276a5d7d75a7f3c92bf0cf5762f07e9f660
c0839998e41d029efd4bb304440cd029acf32ce8f541be6f813c5c4d935e9350
1f8cdb119164550161cddba78f7d30f36cd3304dc4c127c37b15d3030b743b4b
SH256 hash:
794ec24e28f6351c9ad2c04101d774e9763f4f444cfb7c15da782922c6f07e69
MD5 hash:
791a88d0cafa95f8fa4a548f242f032a
SHA1 hash:
ea872c3ecd14e55ec4b013278aed286b0da9e1ed
Link:
https://www.unpac.me/results/2f8aa92a-99e0-41de-b596-e8a10811be81/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/794ec24e28f6351c9ad2c04101d774e9763f4f444cfb7c15da782922c6f07e69

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Armadillov1xxv2xx
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Hidden
Create hunting rule
Author:@bartblaze
Description:Identifies Hidden Windows driver, used by malware such as PurpleFox.
Reference:https://github.com/JKornev/hidden
Rule name:INDICATOR_SUSPICIOUS_EXE_ClearMyTracksByProcess
Create hunting rule
Author:ditekSHen
Description:Detects executables calling ClearMyTracksByProcess
Rule name:INDICATOR_TOOL_RTK_HiddenRootKit
Create hunting rule
Author:ditekSHen
Description:Detects the Hidden public rootkit
Rule name:MALWARE_Win_FatalRAT
Create hunting rule
Author:ditekSHen
Description:Detects FatalRAT
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:Mimikatz_Strings
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Mimikatz strings
Reference:not set
Rule name:Mimikatz_Strings_RID2DA0
Create hunting rule
Author:Florian Roth
Description:Detects Mimikatz strings
Reference:not set
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for malicious import combination that ransomware mostly use(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::InitializeSecurityDescriptor
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
MULTIMEDIA_APICan Play MultimediaWINMM.dll::mciSendStringA
WINMM.dll::waveInGetNumDevs
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::SetSecurityDescriptorDacl
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExA
SHELL32.dll::ShellExecuteA
SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateRemoteThread
KERNEL32.dll::CreateProcessA
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
WININET.dll::InternetCloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WinExec
KERNEL32.dll::AttachConsole
KERNEL32.dll::FreeConsole
KERNEL32.dll::GetConsoleProcessList
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileA
KERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::MoveFileA
KERNEL32.dll::GetWindowsDirectoryA
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameA
ADVAPI32.dll::GetUserNameA
ADVAPI32.dll::LookupAccountSidA
ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyA
ADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryInfoKeyA
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::WSAIoctl
WIN_SVC_APICan Manipulate Windows ServicesADVAPI32.dll::ChangeServiceConfigA
ADVAPI32.dll::ControlService
ADVAPI32.dll::OpenSCManagerA
ADVAPI32.dll::OpenServiceA
ADVAPI32.dll::QueryServiceConfig2A
ADVAPI32.dll::QueryServiceConfigA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::BlockInput
USER32.dll::CloseDesktop
USER32.dll::EmptyClipboard
USER32.dll::FindWindowA
USER32.dll::OpenClipboard
USER32.dll::OpenInputDesktop

Comments