MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 822b737a9db5ead10aec86a34feb57141e43c5679b620ce3191d335997a3f44d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 15

SHA256 hash: 822b737a9db5ead10aec86a34feb57141e43c5679b620ce3191d335997a3f44d
SHA3-384 hash: 4de2eee042970055521ca5ae3876b7af5267ffdccb767fbda45a8a20a7c69e0419299fca8691185e26c1da2d644031e4
SHA1 hash: 8e50066f45e2cb4827da4313e764fdae8669411a
MD5 hash: 5298db7bfc6a857c39a87dd4d0ac7d87
humanhash: princess-ceiling-utah-twenty
File name: NETGATE Spy Emergency.exe
Signature Amadey
File size: 4'481'314 bytes
First seen: 2024-10-19 14:16:49 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 40ab50289f7ef5fae60801f88d4541fc (59 x ValleyRAT, 49 x Gh0stRAT, 41 x OffLoader)
ssdeep 98304:5wREisaU2lvzk1JDIuTmNNwcKi5rkTs0+9:bisaU2lvzUD16Dou
Threatray 113 similar samples on MalwareBazaar
TLSH T19926D022F7C59422FC5F0632876AE28575FB69210362A9DB42D4A9BCCF341D01EBE753
TrID 39.3% (.EXE) Inno Setup installer (107240/4/30)
21.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
15.7% (.EXE) InstallShield setup (43053/19/16)
15.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
3.8% (.EXE) Win64 Executable (generic) (10522/11/4)
Magika pebin
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter NDA0E
Tags: Amadey AutoIT DarkGate exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 488
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: themoph.tar
Verdict: Malicious activity
Analysis date: 2024-10-18 21:37:40 UTC
Tags: arch-exec amadey botnet stealer rdp

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: Powershell Autoit Emotet

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Restart of the analyzed sample
Searching for the window
Moving a file to the %temp% subdirectory
Creating a file
Moving a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 96 / 100
Signature
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates autostart registry keys with suspicious names
Found malware configuration
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Amadeys stealer DLL
Behaviour
Behavior Graph:
[Behavior graph was rendered as an image on the original page; the recoverable node and edge content follows.]
Behavior Graph ID: 1537776; Sample: NETGATE Spy Emergency.exe; Startdate: 19/10/2024; Architecture: WINDOWS; Score: 96
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Yara detected Amadeys stealer DLL; 4 other signatures
Process chain: NETGATE Spy Emergency.exe -> NETGATE Spy Emergency.tmp (drops C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+) -> NETGATE Spy Emergency.exe -> NETGATE Spy Emergency.tmp (drops C:\Users\user\AppData\...\Ebalaka.exe (copy), C:\Users\user\...\libssl-1_1.dll (copy), C:\Users\user\AppData\Local\...\is-VFUR8.tmp, plus 36 other files, none malicious) -> Ebalaka.exe, cmd.exe (x2), conhost.exe and other processes
Ebalaka.exe -> cmd.exe -> PING.EXE (127.0.0.1; "Uses ping.exe to sleep", "Uses ping.exe to check the status of other devices and networks") and a second Ebalaka.exe (drops C:\hbhaaec\AutoIt3.exe; "Contains functionality to start a terminal service", "Creates autostart registry keys with suspicious names") -> MSBuild.exe -> 152.89.198.124 ports 49966, 49982, 49984 (NEXTVISIONGB, United Kingdom); "Contains functionality to inject code into remote processes"
Also started at top level: AutoIt3.exe (x2) -> MSBuild.exe ("Contains functionality to start a terminal service")
Threat name: Win32.Trojan.DarkGate
Status: Malicious
First seen: 2024-10-17 19:34:26 UTC
File Type: PE (Exe)
AV detection: 9 of 24 (37.50%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:amadey botnet:322a8d discovery persistence trojan
Behaviour
Checks processor information in registry
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Amadey
Malware Config
C2 Extraction: http://152.89.198.124

Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: AutoIT_Compiled
Author: @bartblaze
Description: Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name: Borland
Author: malware-lu

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: NET
Author: malware-lu

Rule name: pe_detect_tls_callbacks

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: SUSP_XORed_MSDOS_Stub_Message
Author: Florian Roth
Description: Detects suspicious XORed MSDOS stub message
Reference: https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File type | SHA256
Web download | Amadey | Executable exe | 822b737a9db5ead10aec86a34feb57141e43c5679b620ce3191d335997a3f44d (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Reviews
ID | Capabilities | Evidence
AUTH_API | Manipulates User Authorization | advapi32.dll::AllocateAndInitializeSid, advapi32.dll::ConvertSidToStringSidW, advapi32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW, advapi32.dll::EqualSid, advapi32.dll::FreeSid
SECURITY_BASE_API | Uses Security Base API | advapi32.dll::AdjustTokenPrivileges, advapi32.dll::GetTokenInformation
WIN32_PROCESS_API | Can Create Process and Threads | kernel32.dll::CreateProcessW, advapi32.dll::OpenProcessToken, advapi32.dll::OpenThreadToken, kernel32.dll::CloseHandle, kernel32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | kernel32.dll::LoadLibraryA, kernel32.dll::LoadLibraryExW, kernel32.dll::LoadLibraryW, kernel32.dll::GetDriveTypeW, kernel32.dll::GetVolumeInformationW, kernel32.dll::GetSystemInfo
WIN_BASE_IO_API | Can Create Files | kernel32.dll::CreateDirectoryW, kernel32.dll::CreateFileW, kernel32.dll::DeleteFileW, kernel32.dll::GetWindowsDirectoryW, kernel32.dll::GetSystemDirectoryW, kernel32.dll::GetFileAttributesW
WIN_BASE_USER_API | Retrieves Account Information | advapi32.dll::LookupPrivilegeValueW
WIN_REG_API | Can Manipulate Windows Registry | advapi32.dll::RegOpenKeyExW, advapi32.dll::RegQueryValueExW
WIN_USER_API | Performs GUI Actions | user32.dll::PeekMessageW, user32.dll::CreateWindowExW
