MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9bff2976429c2bf5aaebb22ff100e6b11f6e60e2bd085463f1fa42a288c6618. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


QuasarRAT


Vendor detections: 19


Intelligence 19 IOCs YARA 24 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9bff2976429c2bf5aaebb22ff100e6b11f6e60e2bd085463f1fa42a288c6618
SHA3-384 hash: f95962913b1c9614a331f0167942bfa9aba02b1c41c5228fc748ed984b73b048d0da822218c94e4d06cc1445a8f2a458
SHA1 hash: 405f3f9da7c1800d0b19959a1ec55ebb9abd7b62
MD5 hash: b26e63bcd9394df3938ee34463e495bb
humanhash: cat-uniform-earth-lactose
File name:adbce.exe
Download: download sample
Signature QuasarRAT
Create hunting rule
File size:2'113'184 bytes
First seen:2024-08-29 18:12:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYw:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Ye
Threatray 13 similar samples on MalwareBazaar
TLSH T1B2A5BE41A3DC82A1CE6A4372BA36DB219B777C692634F70E1ED83D7A3E723521518353
TrID 53.9% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
15.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
9.8% (.EXE) Win64 Executable (generic) (10523/12/4)
6.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
File icon (PE):PE icon
dhash icon d4c4c4d8ccd4f0cc (241 x AgentTesla, 65 x Loki, 41 x Formbook)
Reporter adm1n_usa32
Tags:AZORult exe QuasarRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
391
Origin country :
RO RO
Vendor Threat Intelligence
Malware family:
quasar
Create hunting rule
ID:
1
File name:
adbce.exe
Verdict:
Malicious activity
Analysis date:
2024-08-29 18:11:33 UTC
Tags:
rat quasar sinkhole stealer azorult evasion
Link:
https://app.any.run/tasks/6878ccda-1ac7-44dc-9ccf-d07a37eafd63

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Dropper.Miner-7086570-0
Create hunting rule

Win.Packed.Autoit-7640561-0
Create hunting rule

Win.Malware.Carberp-9796259-0
Create hunting rule

Win.Packed.Generic-9830106-0
Create hunting rule

Win.Packed.QuasarRAT-10012744-0
Create hunting rule

Win.Malware.Generic-6623004-0
Create hunting rule

SecuriteInfo.com.BehavesLike.Win32.Generic.vh.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66d0ba31fe69a9e56049e552
Tags:
Discovery Encryption Execution Generic Infostealer Network Stealth Trojan Mokssteal
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Restart of the analyzed sample
Launching a process
Creating a process with a hidden window
Creating a file
Enabling the 'hidden' option for recently created files
Connection attempt
Sending an HTTP POST request
Sending an HTTP POST request to an infection source
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Setting a keyboard event handler
Running batch commands
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Query of malicious DNS domain
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/c9bff2976429c2bf5aaebb22ff100e6b11f6e60e2bd085463f1fa42a288c6618
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkVNC
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4394b54e-b952-4983-84ea-049d979ee901
Result
Threat name:
AZORult, Quasar, Ramnit
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1501372
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains VNC / remote desktop functionality (version string found)
Detected AZORult Info Stealer
Detected Quasar RAT
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected Generic Downloader
Yara detected Quasar RAT
Yara detected Ramnit VNC Module
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1501372 Sample: adbce.exe Startdate: 29/08/2024 Architecture: WINDOWS Score: 100 65 ip-api.com 2->65 67 0x21.in 2->67 69 2 other IPs or domains 2->69 77 Suricata IDS alerts for network traffic 2->77 79 Found malware configuration 2->79 81 Malicious sample detected (through community Yara rule) 2->81 83 14 other signatures 2->83 10 adbce.exe 5 2->10         started        14 SystemPropertiesPerformance.exe 1 2->14         started        16 windef.exe 2->16         started        signatures3 process4 file5 59 C:\Users\...\SystemPropertiesPerformance.exe, PE32 10->59 dropped 61 C:\Users\user\AppData\Local\Temp\windef.exe, PE32 10->61 dropped 63 C:\Users\user\AppData\Local\Temp\vnc.exe, PE32 10->63 dropped 119 Detected AZORult Info Stealer 10->119 121 Binary is likely a compiled AutoIt script file 10->121 123 Found many strings related to Crypto-Wallets (likely being stolen) 10->123 125 Uses schtasks.exe or at.exe to add and modify task schedules 10->125 18 windef.exe 15 5 10->18         started        23 vnc.exe 10->23         started        25 adbce.exe 12 10->25         started        27 schtasks.exe 1 10->27         started        127 Antivirus detection for dropped file 14->127 129 Contains functionality to inject code into remote processes 14->129 131 Contains VNC / remote desktop functionality (version string found) 14->131 133 Injects a PE file into a foreign processes 14->133 29 vnc.exe 14->29         started        31 SystemPropertiesPerformance.exe 14->31         started        33 windef.exe 14->33         started        35 schtasks.exe 14->35         started        135 Detected Quasar RAT 16->135 signatures6 process7 dnsIp8 71 ip-api.com 208.95.112.1, 49707, 49708, 80 TUT-ASUS United States 18->71 57 C:\Users\user\AppData\Roaming\...\winsock.exe, PE32 18->57 dropped 85 Antivirus detection for dropped file 18->85 87 Multi AV Scanner detection for dropped file 18->87 89 Detected Quasar RAT 18->89 91 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->91 37 winsock.exe 14 4 18->37         started        40 schtasks.exe 1 18->40         started        93 Machine Learning detection for dropped file 23->93 95 Contains VNC / remote desktop functionality (version string found) 23->95 97 Writes to foreign memory regions 23->97 99 Switches to a custom stack to bypass stack traces 23->99 42 svchost.exe 23->42         started        73 0x21.in 44.221.84.105, 49704, 49705, 49715 AMAZON-AESUS United States 25->73 101 Binary is likely a compiled AutoIt script file 25->101 45 conhost.exe 27->45         started        103 Allocates memory in foreign processes 29->103 105 Modifies the context of a thread in another process (thread injection) 29->105 107 Maps a DLL or memory area into another process 29->107 47 svchost.exe 29->47         started        49 conhost.exe 35->49         started        file9 signatures10 process11 dnsIp12 109 Antivirus detection for dropped file 37->109 111 Multi AV Scanner detection for dropped file 37->111 113 Detected Quasar RAT 37->113 117 3 other signatures 37->117 51 schtasks.exe 37->51         started        53 conhost.exe 40->53         started        75 5.8.88.191, 443, 49706, 49709 KOMETA-ASRU Russian Federation 42->75 115 Contains VNC / remote desktop functionality (version string found) 42->115 signatures13 process14 process15 55 conhost.exe 51->55         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c9bff2976429c2bf5aaebb22ff100e6b11f6e60e2bd085463f1fa42a288c6618
Detection:
quasar
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c9bff2976429c2bf5aaebb22ff100e6b11f6e60e2bd085463f1fa42a288c6618/
Threat name:
Win32.Trojan.MoksSteal
Create hunting rule
Status:
Malicious
First seen:
2024-08-28 00:52:14 UTC
File Type:
PE (Exe)
Extracted files:
48
AV detection:
32 of 38 (84.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zg77ff3efhbl6wvoxmrp6eaonmi7nzqofpiikrr7d6scukemmyma._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
bc2075cbfaa127a6a3f684bb42bae6f11861258630e37422ebd832d2f2b40413
QuasarRAT
c332f4d57dabe228b40ae4a6003b31647cb9241658b79f681680ff5f89d68be1
QuasarRAT
f859bddda5d049e5449032b8a4373515a6a06cbc2019f9fc1c0c269ba4d90153
QuasarRAT
f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05
QuasarRAT
+ 3 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:azorult family:quasar botnet:ebayprofiles discovery infostealer spyware trojan
Link:
https://tria.ge/reports/240829-wtqx2avajg/
Behaviour
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
AutoIT Executable
Suspicious use of SetThreadContext
Enumerates connected drives
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Azorult
Quasar RAT
Quasar payload
Malware Config
C2 Extraction:
5.8.88.191:443
sockartek.icu:443
http://0x21.in:8000/_az/
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f28eaa09-1e52-429e-9966-219ad749f5b2
Unpacked files
SH256 hash:
7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9
MD5 hash:
b4a202e03d4135484d0e730173abcc72
SHA1 hash:
01b30014545ea526c15a60931d676f9392ea0c70
Detections:
QuasarRAT
Create hunting rule
Quasar_RAT_1
Create hunting rule
Quasar_RAT_2
Create hunting rule
Vermin_Keylogger_Jan18_1
Create hunting rule
xRAT_1
Create hunting rule
CN_disclosed_20180208_KeyLogger_1
Create hunting rule
Quasar
Create hunting rule
cn_utf8_windows_terminal
Create hunting rule
malware_windows_xrat_quasarrat
Create hunting rule
MAL_QuasarRAT_May19_1
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
MALWARE_Win_QuasarRAT
Create hunting rule
win_quasarrat_j1
Create hunting rule
Link:
https://www.unpac.me/results/f8f282da-81fb-4e76-b00a-f681e49ae5f6/
Parent samples :
c332f4d57dabe228b40ae4a6003b31647cb9241658b79f681680ff5f89d68be1
ecb11a3ef61c5e48bc36f4dda326720913f71eeb26161e42c46b0b01cf4e8b3d
2c6ab1efe207f8a2f8528ce232dcd1e2ff0b0dd82c5b460f51457a7bf97f60d9
877106f8412be6c602573e6ece4b51e3dd4eaa33030946b9ae785ed9d19933a4
c9bff2976429c2bf5aaebb22ff100e6b11f6e60e2bd085463f1fa42a288c6618
3a4a38ed839a1f73825b8456fc1efa73a65a7af25ba3513472d05cfac5ecef78
SH256 hash:
eed4ab78bbfed9d213f8cbfc02d4e0ce3a7cd755c11563f8afbdfcd7d8646eee
MD5 hash:
1ca2b88730c44dc7ec6ae57c530d0c11
SHA1 hash:
d2705c7f663d34058e6f9a0f53ac00ead0bcb38a
Detections:
HVNC
Create hunting rule
HiddenVNC
Create hunting rule
crime_win32_hvnc_banker_gen
Create hunting rule
Link:
https://www.unpac.me/results/f8f282da-81fb-4e76-b00a-f681e49ae5f6/
Parent samples :
c332f4d57dabe228b40ae4a6003b31647cb9241658b79f681680ff5f89d68be1
ecb11a3ef61c5e48bc36f4dda326720913f71eeb26161e42c46b0b01cf4e8b3d
2c6ab1efe207f8a2f8528ce232dcd1e2ff0b0dd82c5b460f51457a7bf97f60d9
877106f8412be6c602573e6ece4b51e3dd4eaa33030946b9ae785ed9d19933a4
c9bff2976429c2bf5aaebb22ff100e6b11f6e60e2bd085463f1fa42a288c6618
3a4a38ed839a1f73825b8456fc1efa73a65a7af25ba3513472d05cfac5ecef78
SH256 hash:
d450f677fa392721f94fddf9f54d67bacd4bb93716ad2be85acd1cfc057379f7
MD5 hash:
c15241ac2ec164aaa68f810a84a1471c
SHA1 hash:
8239a3c454419fb057cbfd879c1e9d4ba0e9515a
Detections:
HVNC
Create hunting rule
HiddenVNC
Create hunting rule
crime_win32_hvnc_banker_gen
Create hunting rule
Link:
https://www.unpac.me/results/f8f282da-81fb-4e76-b00a-f681e49ae5f6/
Parent samples :
c332f4d57dabe228b40ae4a6003b31647cb9241658b79f681680ff5f89d68be1
ecb11a3ef61c5e48bc36f4dda326720913f71eeb26161e42c46b0b01cf4e8b3d
2c6ab1efe207f8a2f8528ce232dcd1e2ff0b0dd82c5b460f51457a7bf97f60d9
877106f8412be6c602573e6ece4b51e3dd4eaa33030946b9ae785ed9d19933a4
c9bff2976429c2bf5aaebb22ff100e6b11f6e60e2bd085463f1fa42a288c6618
3a4a38ed839a1f73825b8456fc1efa73a65a7af25ba3513472d05cfac5ecef78
SH256 hash:
4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4
MD5 hash:
b8ba87ee4c3fc085a2fed0d839aadce1
SHA1 hash:
b3a2e3256406330e8b1779199bb2b9865122d766
Link:
https://www.unpac.me/results/f8f282da-81fb-4e76-b00a-f681e49ae5f6/
SH256 hash:
c9bff2976429c2bf5aaebb22ff100e6b11f6e60e2bd085463f1fa42a288c6618
MD5 hash:
b26e63bcd9394df3938ee34463e495bb
SHA1 hash:
405f3f9da7c1800d0b19959a1ec55ebb9abd7b62
Detections:
QuasarRAT
Create hunting rule
malware_windows_xrat_quasarrat
Create hunting rule
AutoIT_Compiled
Create hunting rule
cn_utf8_windows_terminal
Create hunting rule
Quasar_RAT_2
Create hunting rule
Quasar
Create hunting rule
MAL_QuasarRAT_May19_1
Create hunting rule
SUSP_Imphash_Mar23_3
Create hunting rule
Quasar_RAT_1
Create hunting rule
win_quasarrat_j1
Create hunting rule
Link:
https://www.unpac.me/results/f8f282da-81fb-4e76-b00a-f681e49ae5f6/
Malware family:
QuasarRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c9bff2976429/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c9bff2976429c2bf5aaebb22ff100e6b11f6e60e2bd085463f1fa42a288c6618

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_GENInfoStealer
Create hunting rule
Author:ditekSHen
Description:Detects executables containing common artifacts observed in infostealers
Rule name:malware_Quasar_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:MALWARE_Win_QuasarRAT
Create hunting rule
Author:ditekSHen
Description:QuasarRAT payload
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:MAL_QuasarRAT_May19_1
Create hunting rule
Description:Detects QuasarRAT malware
Rule name:MAL_QuasarRAT_May19_1_RID2E1E
Create hunting rule
Author:Florian Roth
Description:Detects QuasarRAT malware
Reference:https://blog.ensilo.com/uncovering-new-activity-by-apt10
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:Quasar
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect QuasarRAT in memory
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_1
Create hunting rule
Author:@SOCRadar
Description:Detects Quasar RAT
Rule name:Quasar_RAT_1_RID2B54
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:Quasar_RAT_2
Create hunting rule
Description:Detects Quasar RAT
Rule name:Quasar_RAT_2_RID2B55
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:SUSP_Imphash_Mar23_3
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research
Rule name:Windows_Trojan_Quasarrat_e52df647
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/6878ccda-1ac7-44dc-9ccf-d07a37eafd63

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::CopySid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::GetLengthSid
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::GetAce
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
ole32.dll::CoCreateInstanceEx
ole32.dll::CoInitializeSecurity
ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_APICan Play MultimediaWINMM.dll::mciSendStringW
WINMM.dll::timeGetTime
WINMM.dll::waveOutSetVolume
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AddAce
ADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetAclInformation
ADVAPI32.dll::GetSecurityDescriptorDacl
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHFileOperationW
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::CreateProcessAsUserW
KERNEL32.dll::CreateProcessW
ADVAPI32.dll::CreateProcessWithLogonW
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::OpenThreadToken
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::SetSystemPowerState
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileExW
KERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
IPHLPAPI.DLL::IcmpCreateFile
KERNEL32.dll::CreateFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.dll::GetUserNameW
ADVAPI32.dll::LogonUserW
ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetAddConnection2W
MPR.dll::WNetUseConnectionW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegConnectRegistryW
ADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::BlockInput
USER32.dll::CloseDesktop
USER32.dll::CreateMenu
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::FindWindowW

Comments