MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd89f99567dd598809fa2055774b7f18fc3676c6547f0d3083e192f119b2cf14. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Amadey

Vendor detections: 16



SHA256 hash: cd89f99567dd598809fa2055774b7f18fc3676c6547f0d3083e192f119b2cf14
SHA3-384 hash: e69022623428dd6df21ef57cfeb5e89a53fec7d4d00ddef3abd6e54e12b70fc23d8955872bc72edfc60105c22633bf82
SHA1 hash: e165282495177ceb0e552cc01bec72d88d504176
MD5 hash: ed34b7a547986bb25d01db427c72c9e5
humanhash: fifteen-texas-juliet-kilo
File name: ed34b7a547986bb25d01db427c72c9e5.exe
Signature: Amadey
File size: 2'221'568 bytes
First seen: 2025-04-22 05:40:43 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:IlIWqD9jj0WZyYWzRcB81bqiyPe1awmCG9NWGpcKgNmsy:H5ZvHZ89qZPc4Uy
Threatray 1 similar samples on MalwareBazaar
TLSH T124A5335776F48132E871437119B24783277E3D149A78874B334BA8BF28B6AA275B131B
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags: Amadey exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 516
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: ed34b7a547986bb25d01db427c72c9e5.exe
Verdict: Malicious activity
Analysis date: 2025-04-22 05:43:58 UTC
Tags: lumma stealer amadey botnet telegram loader vidar auto-reg credentialflusher rdp auto-sch gcleaner arch-exec auto generic auto-startup autoit github remote xworm rhadamanthys fileshare

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: vmdetect autorun autoit emotet
Result
Threat name: Amadey, LockBit ransomware, LummaC Steal
Detection: malicious
Classification: rans.phis.troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Changes the wallpaper picture
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Drops password protected ZIP file
Drops script or batch files to the startup folder
Encrypted powershell cmdline option found
Found malware configuration
Found potential ransomware demand text
Found ransom note / readme
Found suspicious powershell code related to unpacking or dynamic code loading
Found Tor onion address
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites Mozilla Firefox settings
PE file contains section with special chars
PE file has nameless sections
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sets debug register (to hijack the execution of another thread)
Sigma detected: Drops script at startup location
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: PUA - NSudo Execution
Sigma detected: Suspicious Invoke-WebRequest Execution
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Uses cmd line tools excessively to alter registry or file data
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LockBit ransomware
Yara detected LummaC Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph: [behavior graph image not reproduced; Behavior Graph ID: 1670772, Sample: 5VPZNNjklZ.exe, Startdate: 22/04/2025, Architecture: WINDOWS, Score: 100. The graph charts the process tree from 5VPZNNjklZ.exe through the dropped stages (1q82P9.exe, 2w9003.exe, namez.exe and their child processes), the files each stage dropped, the contacted domains and IPs, and the signatures matched per process.]
Threat name: Win32.Trojan.Whispergate
Status: Malicious
First seen: 2025-04-19 19:12:00 UTC
File Type: PE (Exe)
Extracted files: 39
AV detection: 26 of 37 (70.27%)
Threat level: 5/5
Verdict: malicious
Label(s): darkvisionrat amadey lummastealer admintool_putty
Similar samples:
Result
Malware family:
Score: 10/10
Tags: family:amadey family:darkvision family:healer family:lockbit family:lumma family:rhadamanthys family:vidar family:xworm botnet:8ac6b9 bootkit collection credential_access defense_evasion discovery dropper evasion execution persistence ransomware rat spyware stealer trojan
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
GoLang User-Agent
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
AutoIT Executable
Drops file in System32 directory
Sets desktop wallpaper using registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Drops desktop.ini file(s)
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Identifies Wine through registry keys
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Windows security modification
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Uses browser remote debugging
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Renames multiple (695) files with added filename extension
Healer
Healer family
Lockbit
Lockbit family
Lumma Stealer, LummaC
Lumma family
Modifies Windows Defender DisableAntiSpyware settings
Modifies Windows Defender Real-time Protection settings
Modifies Windows Defender TamperProtection settings
Modifies Windows Defender notification settings
Rhadamanthys
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Vidar family
Xworm
Xworm family
Amadey
Amadey family
DarkVision Rat
Darkvision family
Detect Vidar Stealer
Detect Xworm Payload
Detects Healer an antivirus disabler dropper
Detects Rhadamanthys payload
Malware Config
C2 Extraction:
Dropper Extraction:
http://185.39.17.162/testmine/random.exe
Verdict: Malicious
Tags: stealer redline
YARA: win_redline_wextract_hunting_oct_2023
Unpacked files
SHA256 hash: cd89f99567dd598809fa2055774b7f18fc3676c6547f0d3083e192f119b2cf14
MD5 hash: ed34b7a547986bb25d01db427c72c9e5
SHA1 hash: e165282495177ceb0e552cc01bec72d88d504176
SHA256 hash: a808eaa08f4afbfffcf2e7fa602d7d6cf624f49017c1b9ef9c72a3b6ae2f9d9b
MD5 hash: 82cbcbf04c3993488d0a52e985bc91b3
SHA1 hash: f3c9d5ca889d7082c630802b176ddc6d1e40240a
Detections: Amadey
SHA256 hash: 8a44875441a0ac67622e4460ed4123da3551a050b8e97ff8e5b498a9d9736b7d
MD5 hash: 2b9547cbe273a2f0c7074136ffdafdc9
SHA1 hash: d877afdf6c26153382d30db129ea8c5201e9cf3d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: detect_Redline_Stealer
Author: Varp0s
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: ICMLuaUtil_UACMe_M41
Author: Marius 'f0wL' Genheimer <hello@dissectingmalwa.re>
Description: A Yara rule for UACMe Method 41 -> ICMLuaUtil Elevated COM interface
Reference: https://github.com/hfiref0x/UACME
Rule name: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Author: ditekSHen
Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: win_redline_wextract_hunting_oct_2023
Author: Matthew @ Embee_Research
Description: Detects wextract archives related to redline/amadey

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Reviews
ID | Capabilities | Evidence
AUTH_API | Manipulates User Authorization | ADVAPI32.dll::AllocateAndInitializeSid, ADVAPI32.dll::EqualSid, ADVAPI32.dll::FreeSid
SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AdjustTokenPrivileges, ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessA, ADVAPI32.dll::OpenProcessToken, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::GetDriveTypeA, KERNEL32.dll::GetVolumeInformationA, KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateDirectoryA, KERNEL32.dll::CreateFileA, KERNEL32.dll::DeleteFileA, KERNEL32.dll::GetWindowsDirectoryA, KERNEL32.dll::GetSystemDirectoryA, KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_API | Retrieves Account Information | ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExA, ADVAPI32.dll::RegOpenKeyExA, ADVAPI32.dll::RegQueryInfoKeyA, ADVAPI32.dll::RegQueryValueExA, ADVAPI32.dll::RegSetValueExA
WIN_USER_API | Performs GUI Actions | USER32.dll::PeekMessageA
