MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2822abbdcd990bd187506aba7f44d2b5f0c28e526f12baa1fddfdcdeecf19b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



XRed


Vendor detections: 20



SHA256 hash: e2822abbdcd990bd187506aba7f44d2b5f0c28e526f12baa1fddfdcdeecf19b4
SHA3-384 hash: 8c8079800df8171af654549c6ae508109538d7fb773c7644396c365f7dc7b3be96a855a17397622345ec4bb38f1f9fe8
SHA1 hash: d82cf05c42d942d4f4bf0f5e4292563e83b97cf5
MD5 hash: 8bf7c0b458ada14ffdd73e91eecefc68
humanhash: tango-william-six-low
File name: Setup.exe
Signature: XRed
File size: 8'018'432 bytes
First seen: 2025-07-30 18:24:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 332f7ce65ead0adfb3d35147033aabe9 (81 x XRed, 18 x SnakeKeylogger, 7 x DarkComet)
ssdeep: 196608:WLC09WVMQhvM/xkBejoS7lYW8f+OVA6VxU+1DZOMqVn:W208/mSMjov9LVW+1DZOMK
TLSH: T19E8623237FE1CD35C1282E3D5CF683277A36BF510D2915023FA51E6A8A36A94FE512C6
TrID:
  93.3% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
  1.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
  1.4% (.EXE) Win64 Executable (generic) (10522/11/4)
  1.4% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
  0.6% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: 9269cccccccc6996 (1 x AZORult, 1 x RedLineStealer, 1 x QuasarRAT)
Reporter: burger
Tags: exe xred

Intelligence


File Origin
# of uploads: 1
# of downloads: 26
Origin country: NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2025-07-30 18:24:29 UTC
Tags:
xred backdoor auto-reg auto-sch python auto generic delphi dyndns snake keylogger

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
dropper delphi micro smtp
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Moving a recently created file
Searching for the window
Sending a custom TCP request
Creating a file in the %temp% directory
Moving a file to the %temp% directory
Modifying an executable file
Launching a process
DNS request
Connection attempt
Sending an HTTP GET request
Loading a suspicious library
Forced system process termination
Setting browser functions hooks
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Infecting executable files
Unauthorized injection to a system process
Enabling autorun by creating a file
Unauthorized injection to a browser process
Enabling a "Do not show hidden files" option
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context borland_delphi cmd fingerprint keylogger lolbin obfuscated optix packed packed packer_detected remote venomrat
Result
Threat name:
Cobian RAT, Njrat, R77 RootKit, XRed
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Creates files in the system32 config directory
Detected unpacking (creates a PE file in dynamic memory)
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Drops PE files with benign system names
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found stalling execution ending in API Sleep call
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Cobian RAT
Yara detected Njrat
Yara detected R77 RootKit
Yara detected XRed
Behaviour
Behavior Graph:
Verdict:
Malware
YARA:
6 match(es)
Tags:
.Net ADODB.Stream Blacklist VBA Corrupted Executable Office Document PE (Portable Executable) scripting.filesystemobject SOS: 0.21 Win 32 Exe WinHttp.WinHttpRequest.5 WinHttp.WinHttpRequest.5.1 WScript.Shell x86
Threat name:
Win32.Virus.Napwhich
Status:
Malicious
First seen:
2025-07-30 18:24:28 UTC
File Type:
PE (Exe)
Extracted files:
48
AV detection:
35 of 38 (92.11%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
r77rootkit xredbackdoor
Similar samples:
Result
Malware family:
Score:
  10/10
Tags:
family:xred backdoor bootkit defense_evasion discovery execution macro persistence pyinstaller
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Detects Pyinstaller
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Enumerates connected drives
Writes to the Master Boot Record (MBR)
Checks computer location settings
Executes dropped EXE
Indicator Removal: Clear Windows Event Logs
Loads dropped DLL
Sets service image path in registry
Suspicious Office macro
Suspicious use of NtCreateUserProcessOtherParentProcess
Xred
Xred family
Malware Config
C2 Extraction:
xred.mooo.com
Verdict:
Malicious
Tags:
backdoor xred_backdoor Win.Trojan.Emotet-9850453-0
YARA:
mal_xred_backdoor
Unpacked files

SHA256 hash: e2822abbdcd990bd187506aba7f44d2b5f0c28e526f12baa1fddfdcdeecf19b4
MD5 hash: 8bf7c0b458ada14ffdd73e91eecefc68
SHA1 hash: d82cf05c42d942d4f4bf0f5e4292563e83b97cf5

SHA256 hash: d40dc47ab18ecd66f5b03e238d28116981a498804a7e9d4287ea26fe60b19794
MD5 hash: b14530db3476844c703127dcbdd2d231
SHA1 hash: 897fa5a1e92f1cba2c4eea2677414ee12788e75e
Detections: r77Rootkit MALWARE_Win_R77

SHA256 hash: 06d767952f2d9639395d6052203c9ba803b9bd43fb07a04d0a7a9dd8372c6e10
MD5 hash: ef919e4c97a4899e111bdf3b4e9edd13
SHA1 hash: b12237529845eb9dbf711f4871574aa14ef0af82
Detections: PyInstaller

SHA256 hash: 8fdae5b4490183c9057a684f0ac2f82dd5c8911cb2f43a54ff47a9ad6e93952a
MD5 hash: d72fea64a05b3f7dce725352d7c1d032
SHA1 hash: 9c27e234567d237d9c495353567f2efa42e8f616
Detections: r77RootkitStager

SHA256 hash: b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2
MD5 hash: c0ef4d6237d106bf51c8884d57953f92
SHA1 hash: f1da7ecbbee32878c19e53c7528c8a7a775418eb

SHA256 hash: 1969884fecee712b235512f56926bbb67893da38fcffa5de1fbd3d9757017862
MD5 hash: 52df3340b222683e1ee62558dc179ca4
SHA1 hash: ec7d829ea1733bdba7cb078276ca526fadb50782
Detections: r77RootkitStager PyInstaller

SHA256 hash: 0db9769efd5b90a3802a2b1d6fda6565ac1fbaf774e91b6485740914c3a31a39
MD5 hash: 1f02ef108c732380d393e37036b1464e
SHA1 hash: eb68a191b73eee8c551f0763dd64b42c7527dba9

SHA256 hash: 3b509593c23d070611452e311876e9a88ff80699f548fabaddb8830dcc319eb8
MD5 hash: 93cca2dd467d0142dd924279f78a8ccf
SHA1 hash: eeb910831fbca9e7ee82b6feb7b2081f9c2650e0
Detections: r77Rootkit MALWARE_Win_R77
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BobSoftMiniDelphiBoBBobSoft
Author: malware-lu

Rule name: Borland
Author: malware-lu

Rule name: D1S1Gv11betaD1N
Author: malware-lu

Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through a base64 encoded PowerShell script.

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_detect_tls_callbacks

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: upxHook
Author: @r3dbU7z
Description: Detect artifacts from 'upxHook' - modification of UPX packer
Reference: https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

Rule name: vbaproject_bin
Author: CD_R0M_
Description: {76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID                  Title                                                      Severity
CHECK_AUTHENTICODE  Missing Authenticode                                       high
CHECK_NX            Missing Non-Executable Memory Protection                   critical
CHECK_PIE           Missing Position-Independent Executable (PIE) Protection   high
Reviews

ID: COM_BASE_API
Capabilities: Can Download & Execute components
Evidence: ole32.dll::CLSIDFromProgID, ole32.dll::CoCreateInstance

ID: SECURITY_BASE_API
Capabilities: Uses Security Base API
Evidence: advapi32.dll::AdjustTokenPrivileges

ID: SHELL_API
Capabilities: Manipulates System Shell
Evidence: shell32.dll::ShellExecuteExA

ID: WIN32_PROCESS_API
Capabilities: Can Create Process and Threads
Evidence: kernel32.dll::CreateProcessA, advapi32.dll::OpenProcessToken, kernel32.dll::OpenProcess, kernel32.dll::CloseHandle, wininet.dll::InternetCloseHandle, kernel32.dll::CreateThread

ID: WIN_BASE_API
Capabilities: Uses Win Base API
Evidence: kernel32.dll::TerminateProcess, kernel32.dll::LoadLibraryExA, kernel32.dll::LoadLibraryA, kernel32.dll::GetDriveTypeA, kernel32.dll::GetSystemInfo, kernel32.dll::GetStartupInfoA

ID: WIN_BASE_IO_API
Capabilities: Can Create Files
Evidence: kernel32.dll::CopyFileA, kernel32.dll::CreateDirectoryA, kernel32.dll::CreateFileA, kernel32.dll::CreateFileMappingA, kernel32.dll::DeleteFileA, kernel32.dll::MoveFileA

ID: WIN_BASE_USER_API
Capabilities: Retrieves Account Information
Evidence: kernel32.dll::GetComputerNameA, advapi32.dll::GetUserNameA, advapi32.dll::LookupPrivilegeValueA

ID: WIN_REG_API
Capabilities: Can Manipulate Windows Registry
Evidence: advapi32.dll::RegCreateKeyExA, advapi32.dll::RegNotifyChangeKeyValue, advapi32.dll::RegOpenKeyExA, advapi32.dll::RegQueryValueExA, advapi32.dll::RegSetValueExA

ID: WIN_SVC_API
Capabilities: Can Manipulate Windows Services
Evidence: advapi32.dll::OpenSCManagerA

ID: WIN_USER_API
Capabilities: Performs GUI Actions
Evidence: user32.dll::ActivateKeyboardLayout, user32.dll::CreateMenu, user32.dll::FindWindowA, user32.dll::PeekMessageA, user32.dll::CreateWindowExA

Comments