MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 daec7b03c98cabb50f94c5ddf9ca7063918b9859291caadaf4cb75f954a4ab30. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Stealc


Vendor detections: 18


Intelligence 18 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: daec7b03c98cabb50f94c5ddf9ca7063918b9859291caadaf4cb75f954a4ab30
SHA3-384 hash: 58957d87ed66fce3c6818373abcc5611c5aadffea446b6800f3d3856efe92d6a59739e1aa583e852db27d3ebf50fcc47
SHA1 hash: 7b547b46572ca8580f553df2fe11024247a0a7c8
MD5 hash: 13ef8fe8386e9d1d01b6c3ad0c1c025e
humanhash: beryllium-oklahoma-north-table
File name:13ef8fe8386e9d1d01b6c3ad0c1c025e.exe
Download: download sample
Signature Stealc
Create hunting rule
File size:3'913'728 bytes
First seen:2025-02-26 18:09:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 98304:z7Hcs51DVB/TaMcYb1j5b/s4sIUXo5E1RgbbO8ObKmM:zzc81DGMc2hLUo5ECiL
Threatray 4'437 similar samples on MalwareBazaar
TLSH T1D306339376ED85B5E92E83742C7A03A323347B416BA105E5429E5D373C232A079BF739
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10522/11/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Magika pebin
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe Stealc

Intelligence

File Origin
# of uploads :
1
# of downloads :
412
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
13ef8fe8386e9d1d01b6c3ad0c1c025e.exe
Verdict:
Malicious activity
Analysis date:
2025-02-26 18:16:32 UTC
Tags:
amadey botnet stealer loader lumma gcleaner auto generic rdp redline metastealer themida python evasion
Link:
https://app.any.run/tasks/fe9b6b03-066c-4f4c-8841-750860dc9f7e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67bf5953a0fd713c335d0473
Tags:
vmdetect autorun emotet cobalt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Сreating synchronization primitives
Creating a file
Creating a window
Searching for synchronization primitives
Searching for analyzing tools
DNS request
Connection attempt
Sending a custom TCP request
Connecting to a non-recommended domain
Sending an HTTP POST request
Enabling autorun by creating a file
Verdict:
Malicious
Labled as:
Crifi.Generic
Link:
https://www.hybrid-analysis.com/sample/daec7b03c98cabb50f94c5ddf9ca7063918b9859291caadaf4cb75f954a4ab30
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fd3749d9-ab13-42fb-80ed-fe28afd7988c
Result
Threat name:
Amadey, LummaC Stealer, PureLog Stealer,
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1625056
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates HTA files
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: HackTool - CACTUSTORCH Remote Thread Creation
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Yara detected obfuscated html page
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1625056 Sample: aNxQbxM1wr.exe Startdate: 26/02/2025 Architecture: WINDOWS Score: 100 157 Found malware configuration 2->157 159 Malicious sample detected (through community Yara rule) 2->159 161 Antivirus detection for URL or domain 2->161 163 28 other signatures 2->163 10 rapes.exe 5 76 2->10         started        15 aNxQbxM1wr.exe 1 4 2->15         started        17 7b2175566c.exe 2->17         started        19 6 other processes 2->19 process3 dnsIp4 145 176.113.115.6 SELECTELRU Russian Federation 10->145 147 176.113.115.7 SELECTELRU Russian Federation 10->147 149 2 other IPs or domains 10->149 105 C:\Users\user\AppData\...\ab26501fcd.exe, PE32 10->105 dropped 107 C:\Users\user\AppData\...\135c29f62c.exe, PE32 10->107 dropped 109 C:\Users\user\AppData\...\1ce655c6e6.exe, PE32 10->109 dropped 117 21 other malicious files 10->117 dropped 195 Contains functionality to start a terminal service 10->195 197 Creates multiple autostart registry keys 10->197 199 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 10->199 21 6b5043a334.exe 10->21         started        24 0edda1caa5.exe 10->24         started        27 7b2175566c.exe 10->27         started        38 5 other processes 10->38 111 C:\Users\user\AppData\Local\...\C4O51.exe, PE32 15->111 dropped 113 C:\Users\user\AppData\Local\...\3P97i.exe, PE32 15->113 dropped 30 C4O51.exe 1 4 15->30         started        115 C:\Users\user\AppData\Local\...\1VAtDbY4e.hta, HTML 17->115 dropped 201 Binary is likely a compiled AutoIt script file 17->201 203 Creates HTA files 17->203 32 mshta.exe 17->32         started        34 cmd.exe 17->34         started        205 Suspicious powershell command line found 19->205 207 Tries to download and execute files (via powershell) 19->207 36 cmd.exe 19->36         started        40 4 other processes 19->40 file5 signatures6 process7 dnsIp8 169 Antivirus detection for dropped file 21->169 171 Detected unpacking (changes PE section rights) 21->171 173 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->173 189 7 other signatures 21->189 135 188.114.96.3 CLOUDFLARENETUS European Union 24->135 137 104.102.49.254 AKAMAI-ASUS United States 24->137 175 Query firmware table information (likely to detect VMs) 24->175 191 2 other signatures 24->191 119 C:\Users\user\AppData\Local\...\wvquAoZZn.hta, HTML 27->119 dropped 177 Binary is likely a compiled AutoIt script file 27->177 179 Creates HTA files 27->179 53 2 other processes 27->53 121 C:\Users\user\AppData\Local\...\2N2602.exe, PE32 30->121 dropped 123 C:\Users\user\AppData\Local\...\1J19x2.exe, PE32 30->123 dropped 181 Multi AV Scanner detection for dropped file 30->181 42 2N2602.exe 13 30->42         started        47 1J19x2.exe 4 30->47         started        183 Suspicious powershell command line found 32->183 185 Tries to download and execute files (via powershell) 32->185 49 powershell.exe 32->49         started        55 2 other processes 34->55 125 C:\Temp\bWpmN1PKB.hta, HTML 36->125 dropped 57 6 other processes 36->57 139 45.155.103.183 UKSERVERS-ASUKDedicatedServersHostingandCo-Location United Kingdom 38->139 141 135.181.76.95 HETZNER-ASDE Germany 38->141 127 C:\Users\user\...\Microsoft Edge Protect.exe, PE32+ 38->127 dropped 187 Found many strings related to Crypto-Wallets (likely being stolen) 38->187 193 4 other signatures 38->193 51 cmd.exe 38->51         started        59 4 other processes 38->59 61 4 other processes 40->61 file9 signatures10 process11 dnsIp12 151 104.21.64.1 CLOUDFLARENETUS United States 42->151 153 188.114.97.3 CLOUDFLARENETUS European Union 42->153 129 C:\Users\...\BOWRDY1XMZPTJCQZI05UCMO0.exe, PE32 42->129 dropped 209 Multi AV Scanner detection for dropped file 42->209 211 Detected unpacking (changes PE section rights) 42->211 213 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 42->213 231 6 other signatures 42->231 131 C:\Users\user\AppData\Local\...\rapes.exe, PE32 47->131 dropped 215 Contains functionality to start a terminal service 47->215 217 Contains functionality to inject code into remote processes 47->217 63 rapes.exe 47->63         started        66 conhost.exe 49->66         started        133 C:\Temp\2BldkDZUt.hta, HTML 51->133 dropped 219 Creates HTA files 51->219 68 mshta.exe 51->68         started        70 cmd.exe 51->70         started        77 5 other processes 51->77 221 Uses schtasks.exe or at.exe to add and modify task schedules 53->221 72 powershell.exe 53->72         started        79 2 other processes 53->79 223 Suspicious powershell command line found 57->223 225 Tries to download and execute files (via powershell) 57->225 81 4 other processes 57->81 155 104.208.16.94 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 59->155 227 Query firmware table information (likely to detect VMs) 59->227 229 Tries to steal Crypto Currency Wallets 59->229 75 Conhost.exe 61->75         started        file13 signatures14 process15 dnsIp16 233 Multi AV Scanner detection for dropped file 63->233 235 Contains functionality to start a terminal service 63->235 237 Suspicious powershell command line found 68->237 239 Tries to download and execute files (via powershell) 68->239 83 powershell.exe 68->83         started        86 powershell.exe 70->86         started        143 185.215.113.16 WHOLESALECONNECTIONSNL Portugal 72->143 241 Powershell drops PE file 72->241 88 conhost.exe 72->88         started        90 powershell.exe 77->90         started        92 powershell.exe 77->92         started        94 conhost.exe 81->94         started        96 Conhost.exe 81->96         started        signatures17 process18 file19 103 C:\Users\...\483d2fa8a0d53818306efeb32d3.exe, PE32 83->103 dropped 98 483d2fa8a0d53818306efeb32d3.exe 83->98         started        101 conhost.exe 83->101         started        process20 signatures21 165 Multi AV Scanner detection for dropped file 98->165 167 Contains functionality to start a terminal service 98->167
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/daec7b03c98cabb50f94c5ddf9ca7063918b9859291caadaf4cb75f954a4ab30
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/daec7b03c98cabb50f94c5ddf9ca7063918b9859291caadaf4cb75f954a4ab30/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2025-02-26 16:12:26 UTC
File Type:
PE (Exe)
Extracted files:
77
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3lwhwa6jrsv3kd4uyxo7tstqmoiyxgczfeokvwxuzn27svfevmya._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
Similar samples:
12df5f413434f02531f88b0727b96ae8d4ed3c278fc81583dbfd4c0145b43e74
Stealc
36b9add594a4567786f897af4446dd80955572a45254502ab57c820b52022185
Stealc
5d0233280afb24d30e8cd512f4a8be4482973ff61ee0268c717b4831b07c6e01
Stealc
87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f
Stealc
a00ed97f90da21d37aa31b844c2f7cde66c7cae5a70ad60310d7f1f671360c16
Stealc
ed1f2d955de698f60b8624feb3d07891bf1903411dbccc65e41befce2fac3194
Stealc
error
Stealc
f71076e0c55d22eebaa094191d996299de7c0cb9f1bbde65a3b935ebeb0d0a3f
Stealc
+ 4'427 additional samples on MalwareBazaar
Result
Malware family:
stealc
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:gcleaner family:healer family:lumma family:redline family:stealc botnet:092155 botnet:reno botnet:testproliv defense_evasion discovery dropper evasion infostealer loader persistence spyware stealer trojan
Link:
https://tria.ge/reports/250226-wrje6symt2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Checks processor information in registry
Kills process with taskkill
Modifies registry class
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Detects Healer an antivirus disabler dropper
GCleaner
Gcleaner family
Healer
Healer family
Lumma Stealer, LummaC
Lumma family
Modifies Windows Defender DisableAntiSpyware settings
Modifies Windows Defender Real-time Protection settings
Modifies Windows Defender TamperProtection settings
Modifies Windows Defender notification settings
RedLine
RedLine payload
Redline family
Stealc
Stealc family
Malware Config
C2 Extraction:
http://176.113.115.6
http://185.215.113.115
45.155.103.183:1488
https://collapimga.fun/api
https://strawpeasaen.fun/api
Verdict:
Malicious
Tags:
stealer redline Win.Malware.Generic-10033391-0 c2 lumma_stealer lumma
YARA:
detect_Redline_Stealer
Link:
https://app.threat.zone/submission/ec033680-9dcb-4089-a17f-08e6e0509954
Unpacked files
SH256 hash:
36e036c924e7f58c925617713baa67389192b96f20bdcaf59211aaffbe6de649
MD5 hash:
c3b9758bc702f2999d68de35c63cdf70
SHA1 hash:
3c7b5411be1a67fa50997ceee07446c6b62715fe
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/7a7a389c-303c-4123-98eb-6440c9577e0f/
SH256 hash:
650747b0b50d6aeb8864de9a083771a367c79f521ab8311f3795681cd1dc3ec5
MD5 hash:
c3c9e58d2fdaa66b53de835c540e5865
SHA1 hash:
9eb1960677a23e33170d08b4e45a7c0df1a5c4e6
Link:
https://www.unpac.me/results/7a7a389c-303c-4123-98eb-6440c9577e0f/
SH256 hash:
e7234d884bd2d1ff1b0ddfc26c5f30f7f22a3cbcf6ce468f17ae3eca6f77a8ec
MD5 hash:
f2d01da34b4324ce4f45ca7f68c55cec
SHA1 hash:
b866f0adbbd51a7aad16a489329de1e8903d2430
Detections:
win_stealc_a0
Create hunting rule
win_stealc_w0
Create hunting rule
stealc
Create hunting rule
Link:
https://www.unpac.me/results/7a7a389c-303c-4123-98eb-6440c9577e0f/
SH256 hash:
fe674dea7f07e1e0320496f3ce1b42b0e7f3b406b2b482ebcd06bbaee14865d6
MD5 hash:
86cd46f57887bb06b0908e4e082f09e4
SHA1 hash:
2224ebe3236a19ce11813a9a58ac417e38efdc98
Link:
https://www.unpac.me/results/7a7a389c-303c-4123-98eb-6440c9577e0f/
SH256 hash:
daec7b03c98cabb50f94c5ddf9ca7063918b9859291caadaf4cb75f954a4ab30
MD5 hash:
13ef8fe8386e9d1d01b6c3ad0c1c025e
SHA1 hash:
7b547b46572ca8580f553df2fe11024247a0a7c8
Link:
https://www.unpac.me/results/7a7a389c-303c-4123-98eb-6440c9577e0f/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/daec7b03c98c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/daec7b03c98cabb50f94c5ddf9ca7063918b9859291caadaf4cb75f954a4ab30

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:infostealer_win_stealc_standalone
Create hunting rule
Description:Find standalone Stealc sample based on decryption routine or characteristic strings
Reference:https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/
Rule name:malware_Stealc_str
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:Stealc infostealer
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Stealc
Create hunting rule
Author:kevoreilly
Description:Stealc Payload
Rule name:Stealer_Stealc
Create hunting rule
Author:Still
Description:attempts to match instructions/strings found in Stealc
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:Windows_Generic_Threat_2bba6bae
Create hunting rule
Author:Elastic Security
Rule name:win_stealc_w0
Create hunting rule
Author:crep1x
Description:Find standalone Stealc sample based on decryption routine or characteristic strings
Reference:https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Stealc

Executable exe daec7b03c98cabb50f94c5ddf9ca7063918b9859291caadaf4cb75f954a4ab30

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3439494/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetVolumeInformationA
KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileA
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegQueryInfoKeyA
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA

Comments