MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0da32d32434afbef48cc3b0fdc24c61b88ab4c8de2efb892a0797769f01b2d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Signature: HijackLoader
Vendor detections: 15



SHA256 hash: f0da32d32434afbef48cc3b0fdc24c61b88ab4c8de2efb892a0797769f01b2d3
SHA3-384 hash: 74fc24f98f237787b67f670cce85efbb85f41cfa99fb25916484296338f7ee0b2ee0fe963bfd4886026a8ac5e80ffaf5
SHA1 hash: 826f5df666d0f2d8197cb28b2a5476cf9b03a809
MD5 hash: 9b2c9027cff1884fa5be00bbd6a0fbe0
humanhash: skylark-bluebird-social-diet
File name: 9b2c9027cff1884fa5be00bbd6a0fbe0.exe
Signature: HijackLoader
File size: 8'715'818 bytes
First seen: 2025-06-28 14:12:42 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b5a014d7eeb4c2042897567e1288a095 (20 x HijackLoader, 14 x ValleyRAT, 12 x LummaStealer)
ssdeep: 196608:+ppnqAr4SDIfSCs5GMK5TBBXEehOhN/YwKcrvssgeqBiZ0w+f9xKv/Doa:+ppqNSkf8GHLhOjNWFBin+f9xuDoa
Threatray: 253 similar samples on MalwareBazaar
TLSH: T1629633107BC4D0A8D532C932CF0E5B1556BAEFB41E10AE859BD24C20ADD39679D0BADB
TrID: 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      24.6% (.EXE) Win64 Executable (generic) (10522/11/4)
      11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
       4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
dhash icon: c292ecd8f2f6fe1c (15 x HijackLoader, 11 x LummaStealer, 7 x Arechclient2)
Reporter: abuse_ch
Tags: exe HijackLoader
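The imphash above (shared with 20 other HijackLoader, 14 ValleyRAT and 12 LummaStealer samples) is an MD5 over the normalized import table, so it clusters builds that share a loader stub regardless of payload. The following is an added example, not MalwareBazaar or pefile code, showing how that value is derived; the import list is constructed from the dll::function pairs in this entry's BLint evidence rather than read from the binary, and the function names here (normalize_import, imphash_string, parse_blint_evidence) are the example's own.

```python
"""Import hash (imphash) computed the way MalwareBazaar's imphash field is.

Added example. The import list is constructed from the BLint evidence shown
on this page; it is not the sample's full import table, so the result will
not equal the page's imphash value.
"""
import hashlib
from typing import Iterable, List, Tuple

# Module extensions that the imphash algorithm strips before hashing.
_STRIPPED_EXTENSIONS = (".dll", ".ocx", ".sys")


def normalize_import(dll: str, func: str) -> str:
    """Canonical 'module.function' token: lowercase, extension removed."""
    dll = dll.lower()
    for ext in _STRIPPED_EXTENSIONS:
        if dll.endswith(ext):
            dll = dll[: -len(ext)]
            break
    return f"{dll}.{func.lower()}"


def imphash_string(imports: Iterable[Tuple[str, str]]) -> str:
    """Comma-joined tokens in import-table order; the order is part of the hash,
    which is why two binaries with the same imports linked differently differ."""
    return ",".join(normalize_import(dll, func) for dll, func in imports)


def imphash(imports: Iterable[Tuple[str, str]]) -> str:
    """MD5 of the normalized import string.

    Matches pefile's get_imphash() for functions imported by name. Ordinal-only
    imports need pefile's ordinal-to-name tables and are not handled here;
    pefile also returns an empty string for a PE with no import directory.
    """
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


def parse_blint_evidence(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Turn 'KERNEL32.dll::CreateFileW' style evidence lines into (dll, func)."""
    pairs = []
    for line in lines:
        line = line.strip()
        if "::" not in line:
            continue
        dll, func = line.split("::", 1)
        pairs.append((dll, func))
    return pairs


# Constructed input: a subset of the evidence lines from the BLint section.
SAMPLE_EVIDENCE = [
    "ole32.dll::CoCreateInstance",
    "SHELL32.dll::ShellExecuteExW",
    "KERNEL32.dll::LoadLibraryA",
    "KERNEL32.dll::CreateFileW",
    "USER32.dll::CreateWindowExW",
]

if __name__ == "__main__":
    imports = parse_blint_evidence(SAMPLE_EVIDENCE)
    print(imphash_string(imports))
    print(imphash(imports))
```

Because the hash covers only names and order, a loader that resolves its real imports at runtime (API hashing, as the malware_shellcode_hash YARA rule below looks for) keeps a stable imphash across payload swaps; that is what makes the value useful for pivoting and, equally, why the 46-sample overlap listed above spans three families.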

Intelligence


File Origin
# of uploads: 1
# of downloads: 412
Origin country: SE

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 9b2c9027cff1884fa5be00bbd6a0fbe0.exe
Verdict: Malicious activity
Analysis date: 2025-06-28 14:13:57 UTC
Tags: hijackloader loader rhadamanthys stealer shellcode

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
Launching a process
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context fingerprint hijackloader installer microsoft_visual_cc overlay overlay packed packer_detected

Malware family: Sysinternals
Verdict: Suspicious
Result
Threat name: HijackLoader
Detection: malicious
Classification: troj.evad
Score: 100 / 100

Signature
Detected unpacking (overwrites its own PE header)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Yara detected HijackLoader
Behaviour
Behavior Graph (ID 1724650, sample DQB8rlE516.exe, start date 28/06/2025, architecture WINDOWS, score 100)

Sample-level signatures: Found malware configuration; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected HijackLoader

Process tree recovered from the graph (node numbers are the graph's own; paths are shown as the graph truncates them):

DQB8rlE516.exe (10)
    dropped: C:\Users\user\AppData\Local\...\zpsres.US.dll (PE32)
             C:\Users\user\AppData\Local\Temp\zcl.dll (PE32)
             C:\Users\user\AppData\...\libiomp5md.dll (PE32)
             10 other malicious files
    +-- CyberScann.exe (16)
        dropped: C:\ProgramData\...\zpsres.US.dll (PE32)
                 C:\ProgramData\Advancedvalid_v2\zcl.dll (PE32)
                 C:\ProgramData\...\CyberScann.exe (PE32)
                 10 other files (none is malicious)
        signatures: Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
        +-- CyberScann.exe (24)
            dropped: C:\Users\user\AppData\Roaming\...\tcpvcon.exe (PE32)
                     C:\Users\user\AppData\Local\...\F145EDF.tmp (PE32+)
                     C:\ProgramData\DynamVault.exe (PE32+)
            signatures: Modifies the context of a thread in another process (thread injection); Found hidden mapped module (file has been removed from disk); Maps a DLL or memory area into another process; 2 other signatures
            +-- DynamVault.exe (32)
            |   signatures: Detected unpacking (overwrites its own PE header); Found direct / indirect Syscall (likely to bypass EDR)
            |   +-- OpenWith.exe (39)
            |       network: 45.156.87.102, port 443 (local ports 49724, 49726), SKYLINKNL, Germany
            |       +-- WerFault.exe (44)
            +-- tcpvcon.exe (35)
                signatures: Switches to a custom stack to bypass stack traces
                +-- conhost.exe (42)

CyberScann.exe (13), started from the sandbox root alongside the sample
    dropped: C:\Users\user\AppData\Local\...\FEFB879.tmp (PE32+)
    signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
    +-- DynamVault.exe (20)
    |   +-- OpenWith.exe (28)
    |       +-- WerFault.exe (37)
    +-- tcpvcon.exe (22)
        +-- conhost.exe (30)
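The chain in the graph has three properties that are easier to hunt for than any single hash: an executable is launched within seconds of being written to ProgramData or a user profile, a Sysinternals utility (tcpvcon.exe) runs from a user-writable path, and a Windows binary (OpenWith.exe) ends up connecting to 45.156.87.102:443. The following detection logic is an added example, not code from MalwareBazaar or from any sandbox quoted on this page. The events are constructed in a simplified Sysmon-like shape (event id 1 process create, 3 network connect, 11 file create); the field names, timestamps, PIDs, the 60-second "recently created" window, the System32 location of OpenWith.exe and the subdirectory names that the graph shows truncated are all assumptions of the example.

```python
"""Three hunting rules over constructed process/file/network events.

Added example; the event shape and every path component that the behaviour
graph shows truncated ("...") are assumptions, not data from the page.
"""
import ipaddress
import ntpath
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Event = Dict[str, object]

DROP_WINDOW = timedelta(seconds=60)                 # "recently created file" threshold (assumption)
USER_WRITABLE_ROOTS = ("c:\\programdata\\", "c:\\users\\")
WINDOWS_ROOT = "c:\\windows\\"
KNOWN_ADMIN_TOOLS = {"tcpvcon.exe"}                  # Sysinternals tool seen in the graph; extend as needed


def is_user_writable(path: str) -> bool:
    """True for images under ProgramData or a user profile (writable without admin)."""
    return path.lower().startswith(USER_WRITABLE_ROOTS)


def recently_dropped_executed(events: List[Event]) -> List[Tuple[int, str, int]]:
    """Process creations whose image file was written within DROP_WINDOW before
    launch (the sandbox's 'Creating a process from a recently created file').
    Returns (pid, image, dropper_pid)."""
    drops: Dict[str, Tuple[datetime, int]] = {}
    hits: List[Tuple[int, str, int]] = []
    for e in sorted(events, key=lambda x: x["t"]):
        if e["id"] == 11:                                   # file create
            drops[str(e["target"]).lower()] = (e["t"], e["pid"])
        elif e["id"] == 1:                                  # process create
            drop = drops.get(str(e["image"]).lower())
            if drop and e["t"] - drop[0] <= DROP_WINDOW:
                hits.append((e["pid"], str(e["image"]), drop[1]))
    return hits


def tool_from_user_writable(events: List[Event]) -> List[Tuple[int, str]]:
    """A known admin utility launched from a user-writable directory."""
    return [(e["pid"], str(e["image"])) for e in events
            if e["id"] == 1
            and ntpath.basename(str(e["image"])).lower() in KNOWN_ADMIN_TOOLS
            and is_user_writable(str(e["image"]))]


def system_binary_outbound(events: List[Event]) -> List[Tuple[int, str, str]]:
    """A binary under the Windows directory (OpenWith.exe in the graph) making a
    connection to a public address; private/loopback destinations are ignored."""
    images = {e["pid"]: e["image"] for e in events if e["id"] == 1}
    hits: List[Tuple[int, str, str]] = []
    for e in events:
        if e["id"] != 3:
            continue
        image = str(images.get(e["pid"], e.get("image", "")))
        if image.lower().startswith(WINDOWS_ROOT) and ipaddress.ip_address(str(e["dst_ip"])).is_global:
            hits.append((e["pid"], image, f"{e['dst_ip']}:{e['dst_port']}"))
    return hits


def hunt(events: List[Event]) -> Dict[str, list]:
    return {
        "recently_dropped_executed": recently_dropped_executed(events),
        "tool_from_user_writable": tool_from_user_writable(events),
        "system_binary_outbound": system_binary_outbound(events),
    }


def ev(t: str, **fields) -> Event:
    fields["t"] = datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ")
    return fields


# Constructed events mirroring the graph. Subdirectories the page truncates
# (Advancedvalid_v2 under ProgramData for CyberScann.exe, the Roaming subdir
# for tcpvcon.exe) and the System32 location of OpenWith.exe are invented.
EVENTS: List[Event] = [
    ev("2025-06-28T14:13:00Z", id=11, pid=100, image=r"C:\Users\user\Desktop\DQB8rlE516.exe", target=r"C:\ProgramData\Advancedvalid_v2\zcl.dll"),
    ev("2025-06-28T14:13:01Z", id=11, pid=100, image=r"C:\Users\user\Desktop\DQB8rlE516.exe", target=r"C:\ProgramData\Advancedvalid_v2\CyberScann.exe"),
    ev("2025-06-28T14:13:02Z", id=1, pid=200, ppid=100, image=r"C:\ProgramData\Advancedvalid_v2\CyberScann.exe"),
    ev("2025-06-28T14:13:05Z", id=11, pid=200, image=r"C:\ProgramData\Advancedvalid_v2\CyberScann.exe", target=r"C:\ProgramData\DynamVault.exe"),
    ev("2025-06-28T14:13:05Z", id=11, pid=200, image=r"C:\ProgramData\Advancedvalid_v2\CyberScann.exe", target=r"C:\Users\user\AppData\Roaming\Advancedvalid_v2\tcpvcon.exe"),
    ev("2025-06-28T14:13:06Z", id=1, pid=300, ppid=200, image=r"C:\ProgramData\DynamVault.exe"),
    ev("2025-06-28T14:13:06Z", id=1, pid=301, ppid=200, image=r"C:\Users\user\AppData\Roaming\Advancedvalid_v2\tcpvcon.exe"),
    ev("2025-06-28T14:13:08Z", id=1, pid=400, ppid=300, image=r"C:\Windows\System32\OpenWith.exe"),
    ev("2025-06-28T14:13:10Z", id=3, pid=400, dst_ip="45.156.87.102", dst_port=443),
    # benign noise: a service talking to a private address, and a much later relaunch
    ev("2025-06-28T14:13:11Z", id=3, pid=500, image=r"C:\Windows\System32\svchost.exe", dst_ip="10.0.0.5", dst_port=445),
    ev("2025-06-28T14:20:00Z", id=1, pid=600, ppid=1, image=r"C:\ProgramData\DynamVault.exe"),
]

if __name__ == "__main__":
    for rule, hits in hunt(EVENTS).items():
        print(rule, hits)
```

None of the three rules keys on the sample's hashes or on the Advancedvalid_v2 name, so they survive the rebuild that changes every hash in the "Unpacked files" list; the cost is that the first two need a tuning list of legitimate installers that also launch what they just wrote.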
Threat name: Win32.Trojan.Kepavll
Status: Malicious
First seen: 2025-06-18 09:59:36 UTC
File Type: PE (Exe)
Extracted files: 250
AV detection: 22 of 36 (61.11%)
Threat level: 5/5

Result
Malware family: hijackloader
Score: 10/10
Tags: family:hijackloader discovery loader
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files

SHA256                                                            MD5                               SHA1
f0da32d32434afbef48cc3b0fdc24c61b88ab4c8de2efb892a0797769f01b2d3  9b2c9027cff1884fa5be00bbd6a0fbe0  826f5df666d0f2d8197cb28b2a5476cf9b03a809
ec8f1689d820132d3ae2aba0f3f3c6c6bb79594ee7fa7abc53c4957954eb6ec9  5096d2919efa4c4c08cbb859e46b00e0  b63b57dc5c6f1e82ed103289611be25b6a7ddd4e
b034cc28dc5bb576a826671b48d6c7107a64a91ecb39f7f46ee6545da62f2774  f2515032c2c8d6886c7bbdfd87b0e05b  0e729fe469854b80f73f15c0d2c92b8b4e9d2843
396173e15fd07330a0b2707dd345f998b333faf8262aa5c1a1e9d2e29c5b7c69  42196d6552d63350ac14ae6560c1a96a  3a8b85547ff871f28ec10b0e81b16d2a5ca4f35c
41b24ba26352d32a6bbcad2a81e4632c9dadb19ac36b6e76723890bee29bde40  1c9c8461713793d8774e7011507cbd17  3f552793ada4d475df4670f7802204f8029de7bb
07cfa9e2d47327f3bab42b28c32b5d41baf9968ff3beaf10f337a672787ea251  311e8fad5d33af844749957a5c80ab6f  5c3fd04d11e7a1065499ead99c447df412418fdc
b45d86090d60ca4d44da7cb2b83dfc8b4249a608854d1b4aac02b427e1792790  f11237fb285c552bb26187bcf033c30f  6312323d60b31dd1b2a42e76b82014a450e07c5d
e1fc44ad409145bd80fd5047719675faa71717968ab9966ffcae8bf47056d507  893440eba5a0ec56887f3825f663bd8a  86ef217da6b34ef4652a870415c7ef260a91a2b6
11a7c892bfeb38e81165a0614d65639d0b42f01ef2b2dec7abc46144316220f3  47c6a8ad0feb2eb4a0276f0f4190a365  ccc32c54f69ed95ec5a99bc15d41b8474f124206
db23dab5f89c4a6a9bad627a260fcefdfbdba99138f4df6e6667c634b6abb9fa  08dd55831b057dbd1df31e570ee0afa8  ea9b86f7d58fcda67de511f63a8bb2fae3b0fc5f
bd88c199605a91d1b52bc2aa6943f3f4a82c15a6b938369d0bd1ac3c9655a8b8  0f0ceaf1e05fe68d9e5d27e0b45eb29b  f1a0e4ded6747077a62b5ac77e59e1e06a5ae768
8ed96c6007524e3f1e706fa1d99d20df193aa1180ea8a06a29b703fe29f36bb3  aaf81e3cea13741c75a9a8e74030faef  fce06ff4ee3205dc891a58bec9cd2096c3f7459f
16fbf64dd808678661774fdf88a95366898ae36a3bff70117f57a9f1745738eb  b03abfada4636a590eb10b855d01c61d  062dfb50baa18de8437c4c820e1b1a8d49d73992
221e280026b6a95cb4e412c6b49d40369ad919f7c63d5431318d6252340b0352  2bc3674252e7014ff9a5da08c22de409  4a382242a0b2b6319999817af2e172a4d4ffbab1
225a40104f94dc247ea62de47f600eac74c7c6b1f5964aeebeac2670e2eea878  77b1b6b9d8ead7033f7958d6161107ef  b8606fdf3e995663d798770a9671e395ed2fee39
31c4d219371336e6ecc39dcc21711eab8bb4829795fc5082ea022eefc1caa675  b89811ee66b620247c2bab874c22fe87  7106d22a25be18fbba0858247b60943acc3463a5
511bb467991f5f24578beae81d945b2ae26d0aa25e8acbf4cf69a630be1904b1  8ad57c6c39e690896898d78ea6fd1a91  b66e8bb7aa95b74dcada86c8bc4d0d11ee8cebf2
628b3d1725dd4d33e8e2a4052a3f91603088198c8629d6aa386a868977c49879  f5421556e732e405a0ee770239414063  deba423235f67194e4e79d64179d48d9ae4c992b
70cb4ff5f30014ed63c21c94c0daaf2d9f23d1895b654d60c2daa91ab54f841b  b0114d25bde2b187335b688e2e7a4da7  ebb8e044d9cfa201da53b2ff2782cdf1710ff0da
796f06c18310d4a37ea1d6c1917e7fdc6b2e739978b75aecd441ab23d4573bfe  79e1a479d9d6cc32d386cb4710d8f306  8c8e37edf11b6a4f4c41156616c923cf40f40467
84931e32aa3a27bfd4bfde88412a23bffdd6cd94eeeafdf91fbc49229da48f67  7ebfda55eeb8d3b0d1d732f1aec4e8fb  ab0fb6bf390ef8e612db351f2c15d9c1155e8dae
ae0839eecf95f3310c227764e55d663c81aeafcfe6b3103ded3cd63d30a44538  45c9981e160da32ed79b7ff0d09529d2  2a4012f663189298264d0e761bc445940404392c
b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49  4ba25d2cbe1587a841dcfb8c8c4a6ea6  52693d4b5e0b55a929099b680348c3932f2c3c62
b8eaffa62c7a56f8f4ee579a290b1af6923c5ca632a6e9c9eb4cc5fc1768d3e8  45331ecafe0a12b168fe3ea64a128881  eac550ff6a8e9727eb903a8463adbff89e7c66ed
c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a  3e29914113ec4b968ba5eb1f6d194a0a  557b67e372e85eb39989cb53cffd3ef1adabb9fe
a6edb3fb6d21dd461da3767a7995034e208f7d6b08997f6cf7ee7b0ea833a8f0  cabb58bb5694f8b8269a73172c85b717  9ed583c56385fed8e5e0757ddb2fdf025f96c807
e202f137869cce7fdea6b6cd1169f5e0b6a46cc2d89265a31f63484b0f48bb29  b429a929948dcaaa99d67c5c71783a12  a76193d5a0dcc70520534e6700a1acc5cf800b8d
68bee500e0080f21c003126e73b6d07804d23ac98b2376a8b76c26297d467abe  d4dae7149d6e4dab65ac554e55868e3b  b3bea0a0a1f0a6f251bcf6a730a97acc933f269a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

Rule name: observer
Author: Michelle Khalil
Description: This rule detects unpacked observer malware samples.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: Windows_Trojan_GhostPulse_caea316b
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                  Title                                                     Severity
CHECK_AUTHENTICODE  Missing Authenticode                                      high
CHECK_NX            Missing Non-Executable Memory Protection                  critical
CHECK_PIE           Missing Position-Independent Executable (PIE) Protection  high

Reviews

ID                 Capabilities                       Evidence
COM_BASE_API       Can Download & Execute components  ole32.dll::CoCreateInstance
                                                      ole32.dll::CreateStreamOnHGlobal
SHELL_API          Manipulates System Shell           SHELL32.dll::ShellExecuteExW
                                                      SHELL32.dll::ShellExecuteW
                                                      SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API  Can Create Process and Threads     KERNEL32.dll::CloseHandle
                                                      KERNEL32.dll::CreateThread
WIN_BASE_API       Uses Win Base API                  KERNEL32.dll::LoadLibraryA
                                                      KERNEL32.dll::GetDriveTypeW
                                                      KERNEL32.dll::GetStartupInfoA
                                                      KERNEL32.dll::GetDiskFreeSpaceExW
                                                      KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API    Can Create Files                   KERNEL32.dll::CreateDirectoryW
                                                      KERNEL32.dll::CreateFileW
                                                      KERNEL32.dll::DeleteFileW
                                                      KERNEL32.dll::GetSystemDirectoryW
                                                      KERNEL32.dll::GetFileAttributesW
                                                      KERNEL32.dll::FindFirstFileW
WIN_USER_API       Performs GUI Actions               USER32.dll::CreateWindowExW
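The three BLint findings above come straight from two fields of the PE optional header: CHECK_NX and CHECK_PIE are the NX_COMPAT (0x0100) and DYNAMIC_BASE (0x0040) bits of DllCharacteristics, and CHECK_AUTHENTICODE is an empty Certificate Table data directory. The following header parser is an added example, not BLint's code, that reproduces those checks without pefile so they can run on a triage box with only the standard library; build_pe_header() constructs a minimal, non-loadable header for the test and is not this sample. The function and constant names are the example's own.

```python
"""Derive the BLint-style NX / PIE / Authenticode findings from a PE header.

Added example, standard library only. Parses headers; does not validate any
signature, and does not know whether relocations were stripped.
"""
import struct
from typing import Dict, List

# IMAGE_DLLCHARACTERISTICS_* bits (PE/COFF specification)
DYNAMIC_BASE = 0x0040
NX_COMPAT = 0x0100
HIGH_ENTROPY_VA = 0x0020
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # Certificate Table (Authenticode blob)


def pe_mitigations(data: bytes) -> Dict[str, object]:
    """Return format, mitigation flags and the BLint finding IDs that apply."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                          # skip signature + COFF file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        fmt, ndirs_off, dirs_off = "PE32", 92, 96
    elif magic == PE32PLUS_MAGIC:
        fmt, ndirs_off, dirs_off = "PE32+", 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at the same offset (70) in PE32 and PE32+.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    cert_off = cert_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        cert_off, cert_size = struct.unpack_from(
            "<II", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    result: Dict[str, object] = {
        "format": fmt,
        "nx": bool(dll_chars & NX_COMPAT),
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "authenticode_present": cert_off != 0 and cert_size != 0,
    }
    findings: List[str] = []                          # same IDs as the BLint table
    if not result["authenticode_present"]:
        findings.append("CHECK_AUTHENTICODE")
    if not result["nx"]:
        findings.append("CHECK_NX")
    if not result["aslr"]:
        findings.append("CHECK_PIE")
    result["findings"] = findings
    return result


def build_pe_header(magic: int, dll_characteristics: int, cert_size: int = 0) -> bytes:
    """Constructed test input: DOS stub, PE signature, COFF header and a
    section-less optional header with 16 data directories."""
    plus = magic == PE32PLUS_MAGIC
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    ndirs = 16
    opt_size = (112 if plus else 96) + ndirs * 8
    coff = struct.pack("<HHIIIHH", 0x8664 if plus else 0x14C, 0, 0, 0, 0,
                       opt_size, 0x0022 if plus else 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 108 if plus else 92, ndirs)
    cert_dir = (112 if plus else 96) + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    struct.pack_into("<II", opt, cert_dir, 0x1000 if cert_size else 0, cert_size)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        print(pe_mitigations(fh.read(4096)))
```

Two caveats when reading the result for this sample: on x64 Windows the kernel runs every 64-bit process with DEP regardless of NX_COMPAT, so CHECK_NX is a hygiene signal rather than an exploitable gap, and a missing Certificate Table only says the file is unsigned; a present one still has to be verified, which this parser does not do.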
