MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90c52141e31399449a689286fcf58c94584a75f1fd7ad3bd39b5aac09adff639. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gh0stRAT


Vendor detections: 15



SHA256 hash: 90c52141e31399449a689286fcf58c94584a75f1fd7ad3bd39b5aac09adff639
SHA3-384 hash: 1b9095ad20245c8beb4021861e5115e3a0f738260897d29e7c77229f1a89c35e3eabe03e36544aae9e1fe6fe92396a08
SHA1 hash: aad20e8bd5a606638c21e9cbd9e181106090582a
MD5 hash: 1d04f53666bd55ae3b19f395538f70f6
humanhash: blue-winter-magazine-juliet
File name: 90C52141E31399449A689286FCF58C94584A75F1FD7AD3BD39B5AAC09ADFF639.exe
Signature: Gh0stRAT
File size: 18'567'203 bytes
First seen: 2024-07-24 19:02:16 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: eeac73be37480fd144f387e3563a0f14 (13 x Gh0stRAT, 2 x N-W0rm, 1 x XRed)
ssdeep: 393216:m7UnXxdtPJqkDVofDGeg3R6Gh1CPwv3uzhlr3:OmXxNRDVobdgEGylD
TLSH: T18717E032B0414461D7851130FCF2B2739F2479AF8AF5865BAF4BAED4F9B6140B6B7209
TrID: 30.0% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
      16.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      14.1% (.EXE) UPX compressed Win32 Executable (27066/9/6)
      13.8% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
      8.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
dhash icon: 429e78e8c0a0b0c4 (1 x Gh0stRAT)
Reporter: Anonymous
Tags: exe Gh0stRAT


Anonymous
this malware sample is very nasty!

Intelligence


File Origin
# of uploads: 1
# of downloads: 310
Origin country: CN
Vendor Threat Intelligence
Verdict: Malicious
Score: 99.9%
Tags: Execution Generic Network Stealth Trojan Zegost
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating synchronization primitives
Creating a file in the Windows subdirectories
Creating a service
Launching a service
Launching a process
Searching for the window
Creating a file
Enabling the 'hidden' option for recently created files
Searching for synchronization primitives
Moving a file to the %temp% directory
Modifying an executable file
Creating a file in the Windows directory
Creating a process with a hidden window
Creating a file in the drivers directory
Loading a system driver
Running batch commands
DNS request
Creating a file in the %AppData% subdirectories
Connection attempt
Enabling autorun for a service
Infecting executable files
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm epmicrosoft_visual_cc evasive expand explorer farfli fingerprint flystudio iceid keylogger killav lolbin microsoft_visual_cc overlay packed packed rat rundll32 shell32
Result
Verdict: MALICIOUS
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: Gh0stCringe, GhostRat, Mimikatz, Running
Detection: malicious
Classification: bank.troj.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks if browser processes are running
Contains functionality to detect sleep reduction / modifications
Creates a Windows Service pointing to an executable in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Opens the same file many times (likely Sandbox evasion)
PE file has a writeable .text section
Sample is not signed and drops a device driver
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Gh0stCringe
Yara detected GhostRat
Yara detected Mimikatz
Yara detected RunningRAT
Behaviour
Behavior Graph (recovered from the rendered graph; node layout not preserved):
Behavior Graph ID: 1480607
Sample: S6FxbFJNYp.exe
Start date: 24/07/2024
Architecture: WINDOWS
Score: 100
Network: hackerinvasion.f3322.net; 127.0.0.1 (contacted by PING.EXE)
Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus detection for dropped file; 12 other signatures
Process tree (files dropped, signatures and child processes per node):
S6FxbFJNYp.exe
  dropped: C:\Users\user\Desktop\HD_S6FxbFJNYp.exe (PE32); C:\Users\user\AppData\Local\Temp\R.exe (PE32); C:\Users\user\AppData\Local\Temp57.exe (PE32); C:\Users\user\AppData\Local\Temp\HD_X.dat (PE32)
  started: HD_S6FxbFJNYp.exe, N.exe, R.exe
  HD_S6FxbFJNYp.exe
    dropped: C:\Windows\SysWOW64\libeay32.dll (PE32); C:\Windows\SysWOW64\TestLF.dll (PE32); C:\Windows\SysWOW64\Base.dll (PE32); 2 other malicious files
    signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
  N.exe
    dropped: C:\Windows\SysWOW64\TXPlatfor.exe (PE32)
    started: cmd.exe
    cmd.exe
      signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
      started: PING.EXE (contacts 127.0.0.1), conhost.exe
  R.exe
    dropped: C:\Windows\SysWOW64\4864125.txt (PE32)
    signatures: Creates a Windows Service pointing to an executable in C:\Windows
TXPlatfor.exe
  signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Drops executables to the windows directory (C:\Windows) and starts them
  started: TXPlatfor.exe
  TXPlatfor.exe
    dropped: C:\Windows\System32\drivers\QAssist.sys (PE32+)
    signatures: Sample is not signed and drops a device driver
svchost.exe
  signatures: Checks if browser processes are running; Contains functionality to detect sleep reduction / modifications
3 other processes
  dropped: C:\Windows\SysWOW64\Remote Data.exe (PE32)
  started: Remote Data.exe
  Remote Data.exe
    signatures: Opens the same file many times (likely Sandbox evasion)
Threat name: Win32.Backdoor.Farfli
Status: Malicious
First seen: 2024-04-30 06:32:00 UTC
File Type: PE (Exe)
Extracted files: 425
AV detection: 30 of 38 (78.95%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: purplefox
Score: 10/10
Tags: family:gh0strat family:purplefox discovery persistence rat rootkit trojan upx
Behaviour
NTFS ADS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Drivers directory
Server Software Component: Terminal Services DLL
Sets service image path in registry
Detect PurpleFox Rootkit
Gh0st RAT payload
Gh0strat
PurpleFox
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address
Rule name: BLOWFISH_Constants
Author: phoul (@phoul)
Description: Look for Blowfish constants
Rule name: ClamAV_Emotet_String_Aggregate
Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author: ditekSHen
Description: Detects Windows executables referencing non-Windows User-Agents
Rule name: ldpreload
Author: xorseed
Reference: https://stuff.rop.io/
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: maldoc_indirect_function_call_3
Author: Didier Stevens (https://DidierStevens.com)
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: meth_get_eip
Author: Willi Ballenthin
Rule name: meth_stackstrings
Author: Willi Ballenthin
Rule name: NET
Author: malware-lu
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques
Rule name: Windows_Generic_Threat_3f060b9c
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Malware family: Gh0stRAT
Sample: Executable exe 90c52141e31399449a689286fcf58c94584a75f1fd7ad3bd39b5aac09adff639 (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high
CHECK_TRUST_INFO | Requires Elevated Execution (level:requireAdministrator) | high
Reviews
ID | Capabilities | Evidence
COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance
MULTIMEDIA_API | Can Play Multimedia | WINMM.dll::midiOutPrepareHeader, WINMM.dll::midiOutReset, WINMM.dll::midiOutUnprepareHeader, WINMM.dll::midiStreamClose, WINMM.dll::midiStreamOpen, WINMM.dll::midiStreamOut
SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteA, SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessA, KERNEL32.dll::OpenProcess, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetVolumeInformationA, KERNEL32.dll::GetStartupInfoA, KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WinExec, KERNEL32.dll::SetStdHandle
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileA, KERNEL32.dll::CreateFileA, KERNEL32.dll::DeleteFileA, KERNEL32.dll::GetWindowsDirectoryA, KERNEL32.dll::GetSystemDirectoryA, KERNEL32.dll::GetFileAttributesA
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExA, ADVAPI32.dll::RegOpenKeyExA, ADVAPI32.dll::RegQueryValueA, ADVAPI32.dll::RegSetValueExA
WIN_USER_API | Performs GUI Actions | USER32.dll::AppendMenuA, USER32.dll::CreateMenu, USER32.dll::EmptyClipboard, USER32.dll::FindWindowA, USER32.dll::OpenClipboard, USER32.dll::PeekMessageA

Comments