greysec/litterbox
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
litterbox/Utils/malapi.json
T
BlackSnufkin 927cf2b049 LitterBox v3.0.1
2025-05-21 01:24:06 -07:00

1 line
77 KiB
JSON
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
{"Anti-Debugging":{"CheckRemoteDebuggerPresent":{"description":"CheckRemoteDebuggerPresent is used to check if a debugger is being used. This function is commonly used by malware for anti-debugging techniques.","dll":"Kernel32.dll"},"CountClipboardFormats":{"description":"CountClipboardFormats is used to determine whether victim's clipboard was empty. A kind of Anti-debugging technique to determine if the system could be a sandbox.","dll":"User32.dll"},"CreateToolhelp32Snapshot":{"description":"CreateToolhelp32Snapshot is used to enumerate processes, threads, and modules. This function is commonly used by malware to enumerate processes before process injection.","dll":"Kernel32.dll"},"ExitWindowsEx":{"description":"ExitWindowsEx is used to log off an interactive user, shuts down the system, or shuts down and restarts the system. This function is commonly used by malware as an anti-debugging technique.","dll":"User32.dll"},"FindWindowA":{"description":"FindWindowA is used to get a handle to the top-level window whose class name and window name match the specified strings. This function is commonly used by malware as an anti-debugging technique.","dll":"User32.dll"},"FindWindowExA":{"description":"FindWindowExA is used to get a handle to the top-level window whose class name and window name match the specified strings. This function is commonly used by malware as an anti-debugging technique.","dll":"User32.dll"},"GetComputerNameA":{"description":"GetComputerNameA is used to retrieve the computer name. This is commonly used by malware for anti-debugging purposes.","dll":"Kernel32.dll"},"GetForegroundWindow":{"description":"GetForegroundWindow is used to get a handle to the foreground window (the window with which the user is currently working). This function is commonly used by keyloggers and spyware to determine which window is being utilized at the moment by the user.","dll":"User32.dll"},"GetLogicalProcessorInformation":{"description":"GetLogicalProcessorInformation is used to retrieve information about logical processors and related hardware. The function is used by malware for anti-debugging purposes.","dll":"Kernel32.dll"},"GetLogicalProcessorInformationEx":{"description":"GetLogicalProcessorInformationEx is used to retrieve information about logical processors and related hardware. The function is used by malware for anti-debugging purposes.","dll":"Kernel32.dll"},"GetNativeSystemInfo":{"description":"GetNativeSystemInfo is used to retrieve information about the current system to an application running under WOW64. If the function is called from a 64-bit application, or on a 64-bit system that does not have an Intel64 or x64 processor (such as ARM64), it is equivalent to the GetSystemInfo function.","dll":"Kernel32.dll"},"GetSystemTime":{"description":"GetSystemTime is used to retrieve the current system date and time in Coordinated Universal Time (UTC) format. This function is commonly used by malware for anti-debugging.","dll":"Kernel32.dll"},"GetSystemTimeAsFileTime":{"description":"Retrieves the current system date and time. The information is in Coordinated Universal Time (UTC) format. This function is commonly used by malware for anti-debugging.","dll":"Kernel32.dll"},"GetTickCount":{"description":"GetTickCount is used to retrieve the number of milliseconds since bootup. This function is used by malware for anti-debugging purposes.","dll":"Kernel32.dll"},"GetTickCount64":{"description":"GetTickCount64 is used to retrieve the number of milliseconds that have elapsed since the system was started. This function is used by malware for anti-debugging purposes by checking how long the system uptime is.","dll":"Kernel32.dll"},"GetUserNameA":{"description":"GetUserNameA is used to retrieve the username associated with the current thread. This function is used by malware for anti-debugging purposes.","dll":"Advapi32.dll"},"IsDebuggerPresent":{"description":"IsDebuggerPresent is used to determine whether the calling process is being debugged by a user-mode debugger.","dll":"Kernel32.dll"},"NtQueryInformationProcess":{"description":"NtQueryInformationProcess is used to retrieve information about a specified process.","dll":"Ntdll.dll"},"OutputDebugStringA":{"description":"OutputDebugStringA sends a string to the debugger for display. This function can be used as an anti-debugging technique.","dll":"Kernel32.dll"},"QueryPerformanceCounter":{"description":"QueryPerformanceCounter is used to retrieve the frequency of the performance counter. This function is commonly used by malware for anti-debugging purposes. The malware will measure the time before and after an operation, if the time exceeds taken expected time, the malware will terminate or activate a benign function.","dll":"Kernel32.dll"},"QueryPerformanceFrequency":{"description":"QueryPerformanceFrequency is used to retrieve the frequency of the performance counter. This function is commonly used by malware for anti-debugging purposes. The malware will measure the time before and after an operation, if the time exceeds taken expected time, the malware will terminate or activate a benign function.","dll":"Kernel32.dll"},"RtlGetVersion":{"description":"RtlGetVersion is used to enumerate OS basic information properties such Windows and build versions.","dll":"NtosKrnl.lib"},"Sleep":{"description":"Sleep is used to suspend the execution of the current thread for a set time. This function is commonly used for time-based evasion by adding delays in the code.","dll":"Kernel32.dll"},"SleepEx":{"description":"SleepEx is used to suspend the execution of the current thread for a set time. This function is commonly used for time-based evasion by adding delays in the code.","dll":"Kernel32.dll"}},"Enumeration":{"CreateToolhelp32Snapshot":{"description":"CreateToolhelp32Snapshot is used to enumerate processes, threads, and modules. This function is commonly used by malware to enumerate processes before process injection.","dll":"Kernel32.dll"},"EnumDesktopWindows":{"description":"EnumDesktopWindows is used to enumerate all top-level windows associated with the specified desktop. This function is commonly used for enumeration purposes.","dll":"User32.dll"},"EnumDeviceDrivers":{"description":"EnumDeviceDrivers is used to enumerate drivers in the machine. This function is commonly used with kernel malware or for enumeration purposes.","dll":"Kernel32.dll"},"EnumProcessModules":{"description":"EnumProcessModules is used to enumerate the loaded modules (executables and DLLs) for a given process. Malware enumerates through modules when doing injection.","dll":"Kernel32.dll"},"EnumProcessModulesEx":{"description":"EnumProcessModulesEx is used to enumerate the loaded modules (executables and DLLs) for a given process. Malware enumerates through modules when doing injection.","dll":"Kernel32.dll"},"EnumProcesses":{"description":"EnumProcesses is used to enumerate processes in the machine. Process enumeration is often a precursor to process injection.","dll":"Kernel32.dll"},"EnumResourceTypesA":{"description":"EnumResourceTypesA is used to enumerate resource types within a binary module. Starting with Windows Vista, this is typically a language-neutral Portable Executable (LN file), and the enumeration also includes resources from one of the corresponding language-specific resource files (.mui files)—if one exists—that contain localizable language resources. It is also possible to use hModule to specify a .mui file, in which case only that file is searched for resource types. Alternately, applications can call EnumResourceTypesEx, which provides more precise control over which resource files to enumerate.","dll":"Kernel32.dll"},"EnumResourceTypesExA":{"description":"EnumResourceTypesExA is used to enumerate resource types associated with a specified binary module. The search can include both a language-neutral Portable Executable file (LN file) and its associated .mui files. Alternately, it can be limited to a single binary module of any type, or to the .mui files associated with a single LN file. The search can also be limited to a single associated .mui file that contains resources for a specific language.","dll":"Kernel32.dll"},"EnumSystemLocalesA":{"description":"EnumSystemLocalesA is used enumerate installed locale identifiers, all of the supported identifiers or alternate sort identifiers, according to which flag is passed to the API. Can be used to geofence infection campaigns or avoid infecting systems from a certain region/country. It can also be used to jump to allocated shellcode and execute it.","dll":"Kernel32.dll"},"EnumWindows":{"description":"EnumWindows is used to enumerate all top-level windows on the screen by passing the handle to each window, in turn, to an application-defined callback function. This function is commonly used for enumeration purposes.","dll":"User32.dll"},"FindFirstFileA":{"description":"FindFirstFileA is used to search through a directory and enumerate the filesystem.","dll":"Kernel32.dll"},"FindFirstUrlCacheEntryA":{"description":"FindFirstUrlCacheEntryA is used to begin the enumeration of the Internet cache.","dll":"Wininet.dll"},"FindNextFileA":{"description":"FindNextFileA is used to search through a directory and enumerate the filesystem.","dll":"Kernel32.dll"},"FindNextUrlCacheEntryA":{"description":"FindNextUrlCacheEntryA is used to retrieve the next entry in the Internet cache.","dll":"Wininet.dll"},"GetAdaptersInfo":{"description":"GetAdaptersInfo is used to obtain information about the network adapters on the system. This function is commonly used by malware for enumeration purposes.","dll":"Iphlpapi.dll"},"GetComputerNameA":{"description":"GetComputerNameA is used to retrieve the computer name. This is commonly used by malware for anti-debugging purposes.","dll":"Kernel32.dll"},"GetCurrentHwProfileA":{"description":"GetCurrentHwProfileA is used to retrieve information about the current hardware profile for the local computer. This function is commonly used by malware to anti-debugging purposes.","dll":"Advapi32.dll"},"GetCurrentProcess":{"description":"GetCurrentProcess is used to retrieve a handle for the current process.","dll":"Kernel32.dll"},"GetCurrentProcessId":{"description":"GetCurrentProcessId is used to retrieve the process identifier of the calling process.","dll":"Kernel32.dll"},"GetCurrentThread":{"description":"GetCurrentThread is used to retrieve a handle for the calling thread.","dll":"Kernel32.dll"},"GetCurrentThreadId":{"description":"GetCurrentThreadId is used to retrieve the thread identifier of the calling thread.","dll":"Kernel32.dll"},"GetDriveTypeA":{"description":"GetDriveTypeA is used to determine whether a disk drive is a removable / fixed / CD-ROM / RAM disk or network drive.","dll":"Kernel32.dll"},"GetFileAttributesA":{"description":"GetFileAttributesA is used to retrieve file system attributes for a specified file or directory.","dll":"Kernel32.dll"},"GetFileTime":{"description":"GetFileTime is used to retrieve the date and time that a file or directory was created, last accessed, and last modified.","dll":"Kernel32.dll"},"GetIpNetTable":{"description":"The GetIpNetTable function retrieves the IPv4 to physical address mapping table. Could be used to identify hosts & mounted drives tracking ARP entries.","dll":"Iphlpapi.dll"},"GetLogicalDrives":{"description":"GetLogicalDrives is used to retrieve a bitmask representing the currently available disk drives. This function can be used to emumerate all drives / mounted drives.","dll":"Kernel32.dll"},"GetLogicalProcessorInformation":{"description":"GetLogicalProcessorInformation is used to retrieve information about logical processors and related hardware. The function is used by malware for anti-debugging purposes.","dll":"Kernel32.dll"},"GetLogicalProcessorInformationEx":{"description":"GetLogicalProcessorInformationEx is used to retrieve information about logical processors and related hardware. The function is used by malware for anti-debugging purposes.","dll":"Kernel32.dll"},"GetModuleBaseNameA":{"description":"GetModuleBaseNameA is used to retrieve the base name of a specified module.","dll":"Kernel32.dll"},"GetNativeSystemInfo":{"description":"GetNativeSystemInfo is used to retrieve information about the current system to an application running under WOW64. If the function is called from a 64-bit application, or on a 64-bit system that does not have an Intel64 or x64 processor (such as ARM64), it is equivalent to the GetSystemInfo function.","dll":"Kernel32.dll"},"GetProcessId":{"description":"GetProcessId is used to retrieve the process identifier of the specified process.","dll":"Kernel32.dll"},"GetProcessIdOfThread":{"description":"GetProcessIdOfThread is used to retrieve the process identifier of the process associated with the specified thread.","dll":"Kernel32.dll"},"GetSystemDefaultLangId":{"description":"GetSystemDefaultLangId is used to retrieve the language identifier for the system. This function is used by malware that wish to infect specific locales or simply wish to gather statistics on areas of infection.","dll":"Kernel32.dll"},"GetSystemDirectoryA":{"description":"GetSystemDirectoryA retrieve the path of the system directory.","dll":"Kernel32.dll"},"GetSystemTime":{"description":"GetSystemTime is used to retrieve the current system date and time in Coordinated Universal Time (UTC) format. This function is commonly used by malware for anti-debugging.","dll":"Kernel32.dll"},"GetSystemTimeAsFileTime":{"description":"Retrieves the current system date and time. The information is in Coordinated Universal Time (UTC) format. This function is commonly used by malware for anti-debugging.","dll":"Kernel32.dll"},"GetThreadId":{"description":"GetThreadId is used to retrieve the thread identifier of the specified thread.","dll":"Kernel32.dll"},"GetThreadInformation":{"description":"GetThreadInformation is used to retrieve information about the specified thread.","dll":"Kernel32.dll"},"GetThreadLocale":{"description":"GetThreadLocale is used to retrieve the locale identifier of the current thread. Can be used alongside other language and/or locale APIs to geofence infections","dll":"Kernel32.dll"},"GetUserNameA":{"description":"GetUserNameA is used to retrieve the username associated with the current thread. This function is used by malware for anti-debugging purposes.","dll":"Advapi32.dll"},"GetVersionExA":{"description":"GetVersionExA is a classic method used to retrieve the Windows version.","dll":"Kernel32.dll"},"GetWindowsDirectoryA":{"description":"GetWindowsDirectoryA is used to retreive the path to the Windows directory. This function may be used by malware retrieve the Windows path for additional installations.","dll":"Kernel32.dll"},"IsWoW64Process":{"description":"IsWow64Process is used by a 32-bit process to determine if it is running on a 64-bit operating system.","dll":"Kernel32.dll"},"LookupAccountNameA":{"description":"LookupAccountNameA is used to accept the name of a system and an account as input. It retrieves a security identifier (SID) for the account and the name of the domain on which the account was found.","dll":"Advapi32.dll"},"LookupPrivilegeValueA":{"description":"LookupPrivilegeValueA is used to retrieve the locally unique identifier (LUID) used on a specified system to locally represent the specified privilege name. This function is commonly used by malware in process injection or token stealing.","dll":"Advapi32.dll"},"Module32First":{"description":"Module32First is used as part of CreateToolHelp32Snapshot for enumeration purposes.","dll":"Kernel32.dll"},"Module32Next":{"description":"Module32Next is used as part of CreateToolHelp32Snapshot for enumeration purposes.","dll":"Kernel32.dll"},"NetShareCheck":{"description":"NetShareCheck is used to check whether or not a server is sharing a device.","dll":"Netapi32.dll"},"NetShareEnum":{"description":"NetShareEnum is used to retrieve information about each shared resource on a server.","dll":"Netapi32.dll"},"NetShareGetInfo":{"description":"NetShareGetInfo is used to retrieves information about a particular shared resource on a server.","dll":"Netapi32.dll"},"NtQueryDirectoryFile":{"description":"NtQueryDirectoryFile is used to retrieve information about a directory. This function can be used for enumeration purposes.","dll":"Ntdll.dll"},"NtQueryInformationProcess":{"description":"NtQueryInformationProcess is used to retrieve information about a specified process.","dll":"Ntdll.dll"},"NtQuerySystemEnvironmentValueEx":{"description":"NtQuerySystemEnvironmentValueEx is used to locate a specified system environment variable and return its value.","dll":"Ntdll.dll"},"PathFileExistsA":{"description":"PathFileExistsA is used to determine whether a path to a file system object such as a file or folder is valid. This function is used by malware to enumerate files and installed programs (e.g. AV solutions).","dll":"Shlwapi.dll"},"Process32First":{"description":"Process32First is used as part of CreateToolhelp32Snapshot for enumeration purposes.","dll":"Kernel32.dll"},"Process32Next":{"description":"Process32Next is used as part of CreateToolhelp32Snapshot for enumeration purposes.","dll":"Kernel32.dll"},"ReadFile":{"description":"","dll":"Unknown"},"ReadProcessMemory":{"description":"ReadProcessMemory can be used to read the memory of a remote process.","dll":"Kernel32.dll"},"RegEnumKeyA":{"description":"RegEnumKeyA is used to enumerate the subkeys of the specified open registry key. The function retrieves the name of one subkey each time it is called.","dll":"Advapi32.dll"},"RegEnumKeyExA":{"description":"RegEnumKeyExA is used to enumerate the subkeys of the specified open registry key.","dll":"Advapi32.dll"},"RegEnumValueA":{"description":"RegEnumValueA is used to enumerate the values for the specified open registry key","dll":"Advapi32.dll"},"RegQueryInfoKeyA":{"description":"RegQueryInfoKeyA is used to retrieves information about the specified registry key.","dll":"Advapi32.dll"},"RegQueryMultipleValuesA":{"description":"RegQueryMultipleValuesA is used to retrieve the type and data for a list of value names associated with an open registry key.","dll":"Advapi32.dll"},"RegQueryValueExA":{"description":"RegQueryValueExA is used to retrieve the type and data for the specified value name associated with an open registry key.","dll":"Advapi32.dll"},"RtlGetVersion":{"description":"RtlGetVersion is used to enumerate OS basic information properties such Windows and build versions.","dll":"NtosKrnl.lib"},"SearchPathA":{"description":"SearchPathA is used to search for a specified file in a specified path.","dll":"Kernel32.dll"},"Thread32First":{"description":"Thread32First is used as part of CreateToolhelp32Snapshot for enumeration purposes.","dll":"Kernel32.dll"},"Thread32Next":{"description":"Thread32Next is used as part of CreateToolhelp32Snapshot for enumeration purposes.","dll":"Kernel32.dll"},"VirtualQueryEx":{"description":"VirtualQueryEx is used to retrieve information about a range of pages within the virtual address space of a specified process. This function is commonly used by malware to enumerate an external process.","dll":"Kernel32.dll"},"WNetAddConnection2A":{"description":"The WNetAddConnection2A function makes a connection to a network resource and can redirect a local device to the network resource. The WNetAddConnection2 function supersedes the WNetAddConnection function.","dll":"Mpr.dll"},"WNetAddConnectionA":{"description":"The WNetAddConnectionA function enables the calling application to connect a local device to a network resource. A successful connection is persistent, meaning that the system automatically restores the connection during subsequent logon operations.","dll":"Mpr.dll"},"WNetCloseEnum":{"description":"The WNetCloseEnum function ends a network resource enumeration started by a call to the WNetOpenEnum function.","dll":"Mpr.dll"},"WNetEnumResourceA":{"description":"The WNetEnumResourceA function continues an enumeration of network resources that was started by a call to the WNetOpenEnum function.","dll":"Mpr.dll"}},"Evasion":{"CreateFileMappingA":{"description":"CreateFileMappingA creates a handle to a file mapping that loads a file into memory and makes it accessible via memory addresses. Launchers, loaders, and injectors use this function to read and modify PE files.","dll":"Kernel32.dll"},"CreateProcessInternal":{"description":"CreateProcessInternal is an undocumented API for process creation. According to Windows Internals, CreateProcess and CreateProcessAsUser actually lead to this API, which is responsible for starting the process creation in user land. Eventually it calls NtCreateUserProcess for the kernel land operations. This API is commonly used for spawning a suspended process to be hollowed/injected.","dll":"Kernel32.dll"},"CreateTimerQueueTimer":{"description":"CreateTimerQueueTimer is used to create a timer-queue timer. This function is commonly used by malware for time-based evasion.","dll":"Kernel32.dll"},"CreateWaitableTimer":{"description":"CreateWaitableTimer is used to create a delay timer. This function is used by malware for time-based evasion.","dll":"Kernel32.dll"},"CreateWindowExA":{"description":"CreateWindowExA is used to create an overlapped, pop-up, or child window with an extended window style. This function is commonly used by malware to create invisible windows or for evasion purposes.","dll":"User32.dll"},"CryptProtectData":{"description":"CryptProtectData can be leveraged to create a malicious artifact for encrypting the file system (Ransomware), effectively evading typical detection methods.More information is available: https://github.com/CarlosG13/Data-Protection-API-DPAPI-For-Impact---Ransomware","dll":"Crypt32.dll"},"DeleteFileA":{"description":"DeleteFileA is used to delete an existing file. This function is used by malware to hide its tracks or tamper with an application.","dll":"Kernel32.dll"},"DuplicateToken":{"description":"The DuplicateToken function creates a new access token that duplicates one already in existence.","dll":"Advapi32.dll"},"EnumSystemLocalesA":{"description":"EnumSystemLocalesA is used enumerate installed locale identifiers, all of the supported identifiers or alternate sort identifiers, according to which flag is passed to the API. Can be used to geofence infection campaigns or avoid infecting systems from a certain region/country. It can also be used to jump to allocated shellcode and execute it.","dll":"Kernel32.dll"},"GetModuleHandleA":{"description":"GetModuleHandleW is used to retrieve a module handle for the specified module. The module must have been loaded by the calling process. This function is often used along with GetProcAddress to dynamically retrieve the address of a function for evasion purposes.","dll":"Kernel32.dll"},"GetProcAddress":{"description":"GetProcAddress is used to get the memory address of a function in a DLL. This is often used by malware for obfuscation and evasion purposes to avoid having to call the function directly.","dll":"Kernel32.dll"},"IcmpSendEcho":{"description":"IcmpSendEcho is used to send an IPv4 ICMP echo request and returns any echo response replies. The call returns when the time-out has expired or the reply buffer is filled. This function is used by malware for time-evasion purposes by specifying a large timeout value.","dll":"Iphlpapi.dll"},"ImpersonateLoggedOnUser":{"description":"The ImpersonateLoggedOnUser function lets the calling thread impersonate the security context of a logged-on user. The user is represented by a token handle.","dll":"Advapi32.dll"},"LoadLibraryA":{"description":"LoadLibraryA is used to load a specified module into the address space of the calling process. Malware commonly use this to load DLLs dynamically for evasion purposes.","dll":"Kernel32.dll"},"LoadLibraryExA":{"description":"LoadLibraryExA is used to load a specified module into the address space of the calling process. Malware commonly use this to load DLLs dynamically for evasion purposes.","dll":"Kernel32.dll"},"LoadResource":{"description":"LoadResource is used to load a resource from a PE file into memory. Malware sometimes uses resources to store strings, configuration information, or other malicious files.","dll":"Kernel32.dll"},"LockResource":{"description":"LockResource is used with FindResource(), LoadResource() and SizeOfResource() usually to work with embedded executables into the .rsrc section (droppers)","dll":"Kernel32.dll"},"NtDelayExecution":{"description":"NtDelayExecution is used to suspend execution, similiar to the Sleep() API function. This function can be used by malware for evasion purposes.","dll":"Ntdll.dll"},"NtWaitForMultipleObjects":{"description":"NtWaitForMultipleObjects is used to wait until one or all of the specified objects are in the signaled state or the time-out interval elapses. This function is commonly used by malware for evasion purposes","dll":"Ntdll.dll"},"NtWaitForSingleObject":{"description":"NtWaitForSingleObject is used to wait until the specified object is in the signaled state or the time-out interval elapses. This function is commonly used by malware for evasion purposes.","dll":"Ntdll.dll"},"RegisterHotKey":{"description":"RegisterHotKey is used to create a system wide hotkey. This function is commonly used by spyware or keyloggers to recieve a notification when a certain combination of keys are pressed.","dll":"User32.dll"},"Select":{"description":"Select is used to determine the status of one or more sockets, waiting if necessary, to perform synchronous I/O. This function is used by malware for time-based evasion by setting a large timeout number.","dll":"Ws2_32.dll"},"SetEnvironmentVariableA":{"description":"SetEnvironmentVariableA sets the contents of the specified environment variable for the current process. Setting custom envrinoment variables can be used for obfuscation and evasion purposes.","dll":"Kernel32.dll"},"SetFileAttributesA":{"description":"SetFileAttributesA is used to set attributes of a file or directory. This function is commonly used by malware to make a file or directory hidden.","dll":"Kernel32.dll"},"SetFileTime":{"description":"SetFileTime sets the date and time that the specified file or directory was created, last accessed, or last modified. This function is often used by malware to conceal malicious activity.","dll":"Kernel32.dll"},"SetThreadToken":{"description":"The SetThreadToken function assigns an impersonation token to a thread. The function can also cause a thread to stop using an impersonation token.","dll":"Advapi32.dll"},"SetTimer":{"description":"SetTimer is used to create a timer with the specified time-out value. This function is commonly used by malware for time-based evasion","dll":"User32.dll"},"SetWaitableTimer":{"description":"SetWaitableTimer is used to activate the specified waitable timer. This function is commonly used by malware for time-based evasion.","dll":"Kernel32.dll"},"SizeOfResource":{"description":"SizeOfResource checks and retrieves the size of given resource. Usually found in droppers","dll":"Kernel32.dll"},"Sleep":{"description":"Sleep is used to suspend the execution of the current thread for a set time. This function is commonly used for time-based evasion by adding delays in the code.","dll":"Kernel32.dll"},"SleepEx":{"description":"SleepEx is used to suspend the execution of the current thread for a set time. This function is commonly used for time-based evasion by adding delays in the code.","dll":"Kernel32.dll"},"TimeGetTime":{"description":"TimeGetTime is used to retrieve the system time, in milliseconds. The system time is the time elapsed since Windows was started.","dll":"Winmm.dll"},"UuidFromStringA":{"description":"UuidFromStringA is used to convert a string to a UUID. This function can be abused to both decode data and write it to memory without using common functions such as memcpy or WriteProcessMemory.","dll":"Rpcrt4.dll"},"WaitForMultipleObjects":{"description":"WaitForMultipleObjects is used to wait until one or all of the specified objects are in the signaled state or the time-out interval elapses. This function is commonly used to allow time for shellcode to execute or for time-based evasion.","dll":"Kernel32.dll"},"WaitForMultipleObjectsEx":{"description":"WaitForMultipleObjectsEx is used to wait until one or all of the specified objects are in the signaled state or the time-out interval elapses. This function is commonly used to allow time for shellcode to execute or for time-based evasion.","dll":"Kernel32.dll"},"WaitForSingleObject":{"description":"WaitForSingleObject is used to delay the execution of an object. This function is commonly used to allow time for shellcode being executed within a thread to run. It is also used for time-based evasion.","dll":"Kernel32.dll"},"WaitForSingleObjectEx":{"description":"WaitForSingleObjectEx is used to delay the execution of an object. This function is commonly used to allow time for shellcode being executed within a thread to run. It is also used for time-based evasion.","dll":"Kernel32.dll"},"timeSetEvent":{"description":"timeSetEvent is used to start a specified timer event. This function is obselete but is still used by malware for time-based evasion.","dll":"Winmm.dll"}},"Helper":{"BringWindowToTop":{"description":"BringWindowToTop is used for bringing the specified window to the top of the Z order.","dll":"User32.dll"},"CallWindowProcA":{"description":"CallWindowProcA is used to pass message information to the specified window procedure.","dll":"User32.dll"},"ConnectNamedPipe":{"description":"ConnectNamedPipe is used to create a server pipe for interprocess communication that will wait for a client pipe to connect. This function can be used to simplify connectivity to a C2 server.","dll":"Kernel32.dll"},"ControlService":{"description":"ControlService is used to start, stop, modify, or send a signal to a running service. This function is commonly used by malware went it requires interaction with a service for malicious purposes.","dll":"Advapi32.dll"},"ControlServiceExA":{"description":"ControlServiceExA is used to start, stop, modify, or send a signal to a running service. This function is commonly used by malware went it requires interaction with a service for malicious purposes.","dll":"Advapi32.dll"},"CopyFile2":{"description":"CopyFile2 is used to copy an existing file to a new file.","dll":"Kernel32.dll"},"CopyFileA":{"description":"CopyFileA is used to copy an existing file to a new file.","dll":"Kernel32.dll"},"CopyFileExA":{"description":"CopyFileExA is used to copy an existing file to a new file.","dll":"Kernel32.dll"},"CreateFile2":{"description":"CreateFile2 is used to create a new file or opens an existing file.","dll":"Kernel32.dll"},"CreateFileA":{"description":"CreateFileA is used to create a new file or opens an existing file.","dll":"Kernel32.dll"},"CreateMutexA":{"description":"CreateMutexA is used to create a new mutex object. Mutexs are often used by malware to prevent the reinfection of a system with the same or different malware variant.","dll":"Kernel32.dll"},"CreateMutexExA":{"description":"CreateMutexExA is used to create a new mutex object. Mutexs are often used by malware to prevent the reinfection of a system with the same or different malware variant.","dll":"Kernel32.dll"},"CreatePipe":{"description":"CreatePipe is used to create an anonymous pipe and returns handles to the read and write ends of the pipe. Could be used to add a sub-process for execution via cmd.","dll":"Kernel32.dll"},"CreateServiceA":{"description":"CreateServiceA is used to create a service object and adds it to the specified service control manager database. This function is commonly used by malware for persistence.","dll":"Advapi32.dll"},"DeleteService":{"description":"DeleteService is used to mark the specified service for deletion from the service control manager database.","dll":"Advapi32.dll"},"DeviceIoControl":{"description":"DeviceIoControl is used to send a control message from user space to a device driver. DeviceIoControl is popular with kernel malware because it is an easy, flexible way to pass information between user space and kernel space.","dll":"Kernel32.dll"},"DrawTextExA":{"description":"DrawTextExA is used to draw formatted text in the specified rectangle. This function has been used by ransomware for writing ransom notes.","dll":"User32.dll"},"FindClose":{"description":"FindClose is used to close a file search handle.","dll":"Kernel32.dll"},"FindResourceA":{"description":"FindResourceA is used to find a resource in an executable or loaded DLL. Malware sometimes uses resources to store strings, configuration information, or other malicious files. If you see this function used, check for a .rsrc section in the malwares PE header.","dll":"Kernel32.dll"},"FindResourceExA":{"description":"FindResourceExA is used to find a resource in an executable or loaded DLL. Malware sometimes uses resources to store strings, configuration information, or other malicious files. If you see this function used, check for a .rsrc section in the malwares PE header.","dll":"Kernel32.dll"},"GetDesktopWindow":{"description":"GetDesktopWindow is used to get a handle to the desktop window that covers the entire screen.","dll":"User32.dll"},"GetDriveTypeA":{"description":"GetDriveTypeA is used to determine whether a disk drive is a removable / fixed / CD-ROM / RAM disk or network drive.","dll":"Kernel32.dll"},"GetIpNetTable":{"description":"The GetIpNetTable function retrieves the IPv4 to physical address mapping table. Could be used to identify hosts & mounted drives tracking ARP entries.","dll":"Iphlpapi.dll"},"GetLogicalDrives":{"description":"GetLogicalDrives is used to retrieve a bitmask representing the currently available disk drives. This function can be used to emumerate all drives / mounted drives.","dll":"Kernel32.dll"},"GetModuleBaseNameA":{"description":"GetModuleBaseNameA is used to retrieve the base name of a specified module.","dll":"Kernel32.dll"},"GetModuleFileNameA":{"description":"GetModuleFileNameA is used to return the filename of a module that is loaded in the current process. Malware can use this function to modify or copy files in the currently running process.","dll":"Kernel32.dll"},"GetModuleFileNameExA":{"description":"GetModuleFileNameExA is used to return the filename of a module that is loaded in the current process. Malware can use this function to modify or copy files in the currently running process.","dll":"Kernel32.dll"},"GetTempFileNameA":{"description":"GetTempFileNameA is used to create a name for a temporary file. If a unique file name is generated, an empty file is created and the handle to it is released; otherwise, only a file name is generated.","dll":"Kernel32.dll"},"GetTempPathA":{"description":"GetTempPathA is used to retrieve the path of the directory designated for temporary files. This is often used by malware when it requires a location for additional installations.","dll":"Kernel32.dll"},"ImpersonateLoggedOnUser":{"description":"The ImpersonateLoggedOnUser function lets the calling thread impersonate the security context of a logged-on user. The user is represented by a token handle.","dll":"Advapi32.dll"},"IsWoW64Process":{"description":"IsWow64Process is used by a 32-bit process to determine if it is running on a 64-bit operating system.","dll":"Kernel32.dll"},"LockResource":{"description":"LockResource is used with FindResource(), LoadResource() and SizeOfResource() usually to work with embedded executables into the .rsrc section (droppers)","dll":"Kernel32.dll"},"MoveFileA":{"description":"MoveFileA is used to move an existing file or a directory, including its children.","dll":"Kernel32.dll"},"MoveFileExA":{"description":"MoveFileExA is used to move an existing file or a directory, including its children.","dll":"Kernel32.dll"},"NetShareAdd":{"description":"NetShareAdd is used to share a server resource.","dll":"Netapi32.dll"},"NetShareSetInfo":{"description":"NetShareSetInfo is used to set the parameters of a shared resource.","dll":"Netapi32.dll"},"NtClose":{"description":"NtClose is used to close an open handle.","dll":"Ntdll.dll"},"NtCreateFile":{"description":"NtCreateFile is used to create a new file or directory, or opens an existing file, device, directory, or volume.","dll":"Ntdll.dll"},"NtDeleteKey":{"description":"NtDeleteKey is used to delete a registry key.","dll":"Ntdll.dll"},"NtDeleteValueKey":{"description":"NtDeleteValueKey is used to delete a registry key value.","dll":"Ntdll.dll"},"NtMakeTemporaryObject":{"description":"NtMakeTemporaryObject is used to change the attributes of an object to make it temporary.","dll":"Ntdll.dll"},"NtQueryTimer":{"description":"NtQueryTimer is used to query a timer's attributes.","dll":"Ntdll.dll"},"NtResumeProcess":{"description":"NtResumeProcess is used to resume a suspended process","dll":"ntdll.dll"},"NtSetContextThread":{"description":"NtSetContextThread is used to set the usermode context of the specified thread.","dll":"Ntdll.dll"},"NtSetInformationProcess":{"description":"NtSetInformationProcess is used to modify information about a process such making it a critical process.","dll":"Ntdll.dll"},"NtSetInformationThread":{"description":"NtSetInformationThread is used to set the priority of a thread.","dll":"Ntdll.dll"},"NtSetSystemEnvironmentValueEx":{"description":"NtSetSystemEnvironmentValueEx is used to set a system environment variable.","dll":"Ntdll.dll"},"NtSetValueKey":{"description":"NtSetValueKey is used to create or replace a registry value.","dll":"Ntdll.dll"},"NtShutdownSystem":{"description":"NtShutdownSystem is used to shutdown the system.","dll":"Ntdll.dll"},"NtTerminateProcess":{"description":"NtTerminateProcess is used to terminate a process and all its threads.","dll":"Ntdll.dll"},"NtTerminateThread":{"description":"NtTerminateThread is used to terminate a thread.","dll":"Ntdll.dll"},"OpenClipboard":{"description":"OpenClipboard is used to get a handle on the clipboard.","dll":"User32.dll"},"OpenSCManagerA":{"description":"OpenSCManagerA is used to open a handle to the service control manager. This function is commonly used when a malware intends to interact with a service.","dll":"Advapi32.dll"},"OpenServiceA":{"description":"OpenServiceA is used to open an existing service.","dll":"Advapi32.dll"},"PeekNamedPipe":{"description":"Used to copy data from a named pipe without removing data from the pipe. This function has been used by exploits targeting SMB vulnerabilities.","dll":"Kernel32.dll"},"RegCloseKey":{"description":"RegCloseKey is used to close a handle to the specified registry key.","dll":"Advapi32.dll"},"RegConnectRegistryA":{"description":"RegConnectRegistryA is used to establish a connection to a predefined registry key on another computer.","dll":"Advapi32.dll"},"RegCopyTreeA":{"description":"RegCopyTreeA is used to copy the specified registry key, along with its values and subkeys, to the specified destination key.","dll":"Advapi32.dll"},"RegCreateKeyA":{"description":"RegCreateKeyA is used to create a specified registry key. If the key already exists, the function opens it.","dll":"Advapi32.dll"},"RegCreateKeyExA":{"description":"RegCreateKeyExA is used to create a specified registry key. If the key already exists, the function opens it.","dll":"Advapi32.dll"},"RegCreateKeyTransactedA":{"description":"RegCreateKeyTransactedA is used to create the specified registry key and associates it with a transaction. If the key already exists, the function opens it.","dll":"Advapi32.dll"},"RegDeleteKeyA":{"description":"RegDeleteKeyA is used to delete a subkey and its values from the specified platform-specific view of the registry.","dll":"Advapi32.dll"},"RegDeleteKeyExA":{"description":"RegDeleteKeyExA is used to delete a subkey and its values from the specified platform-specific view of the registry.","dll":"Advapi32.dll"},"RegDeleteKeyTransactedA":{"description":"RegDeleteKeyTransactedA is used to delete a subkey and its values from the specified platform-specific view of the registry as a transacted operation.","dll":"Advapi32.dll"},"RegDeleteKeyValueA":{"description":"RegDeleteKeyValueA is used to remove the specified value from the specified registry key and subkey.","dll":"Advapi32.dll"},"RegDeleteTreeA":{"description":"RegDeleteTreeA is used to delete the subkeys and values of the specified key recursively.","dll":"Advapi32.dll"},"RegDeleteValueA":{"description":"RegDeleteValueA is used to remove a named value from the specified registry key.","dll":"Advapi32.dll"},"RegEnumKeyA":{"description":"RegEnumKeyA is used to enumerate the subkeys of the specified open registry key. The function retrieves the name of one subkey each time it is called.","dll":"Advapi32.dll"},"RegEnumKeyExA":{"description":"RegEnumKeyExA is used to enumerate the subkeys of the specified open registry key.","dll":"Advapi32.dll"},"RegEnumValueA":{"description":"RegEnumValueA is used to enumerate the values for the specified open registry key","dll":"Advapi32.dll"},"RegFlushKey":{"description":"RegFlushKey is used to write all the attributes of the specified open registry key into the registry.","dll":"Advapi32.dll"},"RegGetKeySecurity":{"description":"RegGetKeySecurity is used to retrieve a copy of the security descriptor protecting the specified open registry key.","dll":"Advapi32.dll"},"RegGetValueA":{"description":"RegGetValueA is used to retrieve the type and data for the specified registry value.","dll":"Advapi32.dll"},"RegLoadKeyA":{"description":"RegLoadKeyA is used to create a subkey under HKEY_USERS or HKEY_LOCAL_MACHINE and loads the data from the specified registry hive into that subkey.","dll":"Advapi32.dll"},"RegLoadMUIStringA":{"description":"RegLoadMUIStringA is used to load the specified string from the specified key and subkey.","dll":"Advapi32.dll"},"RegOpenCurrentUser":{"description":"RegOpenCurrentUser is used to retrieve a handle to the HKEY_CURRENT_USER key for the user the current thread is impersonating.","dll":"Advapi32.dll"},"RegOpenKeyA":{"description":"RegOpenKeyA is used to open a specified registry key.","dll":"Advapi32.dll"},"RegOpenKeyExA":{"description":"RegOpenKeyExA is used to open a specified registry key.","dll":"Advapi32.dll"},"RegOpenKeyTransactedA":{"description":"RegOpenKeyTransactedA is used to open the specified registry key and associates it with a transaction","dll":"Advapi32.dll"},"RegOpenUserClassesRoot":{"description":"RegOpenUserClassesRoot is used to retrieve a handle to the HKEY_CLASSES_ROOT key for a specified user.","dll":"Advapi32.dll"},"RegOverridePredefKey":{"description":"RegOverridePredefKey is used to map a predefined registry key to the specified registry key.","dll":"Advapi32.dll"},"RegReplaceKeyA":{"description":"RegReplaceKeyA is used to replace the file backing a registry key and all its subkeys with another file, so that when the system is next started, the key and subkeys will have the values stored in the new file.","dll":"Advapi32.dll"},"RegRestoreKeyA":{"description":"RegRestoreKeyA is used to read the registry information in a specified file and copies it over the specified key.","dll":"Advapi32.dll"},"RegSaveKeyA":{"description":"RegSaveKeyA is used to save the specified key and all of its subkeys and values to a registry file, in the specified format.","dll":"Advapi32.dll"},"RegSaveKeyExA":{"description":"RegSaveKeyExA is used to save the specified key and all of its subkeys and values to a registry file, in the specified format.","dll":"Advapi32.dll"},"RegSetKeySecurity":{"description":"RegSetKeySecurity is used to set the security of an open registry key.","dll":"Advapi32.dll"},"RegSetKeyValueA":{"description":"RegSetKeyValueA is used to set a value for a given registry key.","dll":"Advapi32.dll"},"RegSetValueExA":{"description":"RegSetValueExA is used to set a value and type for a given registry key.","dll":"Advapi32.dll"},"RegUnLoadKeyA":{"description":"RegUnLoadKeyA is used to unload the specified registry key and its subkeys from the registry.","dll":"Advapi32.dll"},"RtlSetProcessIsCritical":{"description":"RtlSetProcessIsCritical is used to set a process to a system critical status. This function is used by malware to prevent the process from being terminated.","dll":"Ntdll.dll"},"SetClipboardData":{"description":"SetClipboardData is used to place data on the clipboard in a specified clipboard format.","dll":"User32.dll"},"SetCurrentDirectory":{"description":"SetCurrentDirectory is used to change the current directory for the current process.","dll":"Kernel32.dll"},"SetFocus":{"description":"SetFocus is used to set the keyboard focus to the specified window","dll":"User32.dll"},"SetForegroundWindow":{"description":"SetForegroundWindow is used for bring the thread that created the specified window into the foreground and activates the window","dll":"User32.dll"},"SetThreadPriority":{"description":"SetThreadPriority is used to set the priority value for the specified thread. This value, together with the priority class of the thread's process, determines the thread's base priority level.","dll":"Kernel32.dll"},"SetThreadToken":{"description":"The SetThreadToken function assigns an impersonation token to a thread. The function can also cause a thread to stop using an impersonation token.","dll":"Advapi32.dll"},"SetWindowLongA":{"description":"SetWindowLongA is used to changes an attribute of a specified window.","dll":"User32.dll"},"SetWindowLongPtrA":{"description":"SetWindowLongPtrA is used to changes an attribute of a specified window.","dll":"User32.dll"},"ShowWindow":{"description":"ShowWindow is used to set the specified window's show state.","dll":"User32.dll"},"SizeOfResource":{"description":"SizeOfResource checks and retrieves the size of given resource. Usually found in droppers","dll":"Kernel32.dll"},"StartServiceA":{"description":"StartServiceA is used to start a service.","dll":"Advapi32.dll"},"StartServiceCtrlDispatcherA":{"description":"StartServiceCtrlDispatcherA is used by a service to connect the main thread of the process to the service control manager.","dll":"Advapi32.dll"},"TerminateProcess":{"description":"TerminateProcess is used to terminate a process.","dll":"Kernel32.dll"},"TerminateThread":{"description":"TerminateThread is used to terminate a thread.","dll":"Kernel32.dll"},"UnmapViewOfFile":{"description":"UnmapViewOfFile is used to unmap a mapped view of a file from the calling process's address space.","dll":"Kernel32.dll"},"UuidFromStringA":{"description":"UuidFromStringA is used to convert a string to a UUID. This function can be abused to both decode data and write it to memory without using common functions such as memcpy or WriteProcessMemory.","dll":"Rpcrt4.dll"},"WNetAddConnection2A":{"description":"The WNetAddConnection2A function makes a connection to a network resource and can redirect a local device to the network resource. The WNetAddConnection2 function supersedes the WNetAddConnection function.","dll":"Mpr.dll"},"WNetEnumResourceA":{"description":"The WNetEnumResourceA function continues an enumeration of network resources that was started by a call to the WNetOpenEnum function.","dll":"Mpr.dll"},"WNetOpenEnumA":{"description":"The WNetOpenEnumA function starts an enumeration of network resources or existing connections. You can continue the enumeration by calling the WNetEnumResource function.","dll":"Mpr.dll"},"WriteFile":{"description":"WriteFile is used to write data to the specified file or input/output (I/O) device.","dll":"Kernel32.dll"},"lstrcatA":{"description":"lstrcatA is used to append one string to another.","dll":"Kernel32.dll"}},"Injection":{"AdjustTokenPrivileges":{"description":"AdjustTokenPrivileges is used to enable or disable specific access privileges. Malware that performs process injection often calls this function to gain additional permissions.","dll":"Advapi32.dll"},"CreateFileMappingA":{"description":"CreateFileMappingA creates a handle to a file mapping that loads a file into memory and makes it accessible via memory addresses. Launchers, loaders, and injectors use this function to read and modify PE files.","dll":"Kernel32.dll"},"CreateProcessA":{"description":"CreateProcessA is used to create a process. This function is used by malware in several process injection attacks such as process hollowing.","dll":"Kernel32.dll"},"CreateProcessAsUserA":{"description":"CreateProcessAsUserA is used to create a new process and its primary thread.","dll":"Advapi32.dll"},"CreateProcessInternal":{"description":"CreateProcessInternal is an undocumented API for process creation. According to Windows Internals, CreateProcess and CreateProcessAsUser actually lead to this API, which is responsible for starting the process creation in user land. Eventually it calls NtCreateUserProcess for the kernel land operations. This API is commonly used for spawning a suspended process to be hollowed/injected.","dll":"Kernel32.dll"},"CreateProcessWithTokenW":{"description":"CreateProcessWithTokenW is used to create a new process and its primary thread.","dll":"Advapi32.dll"},"CreateRemoteThread":{"description":"CreateRemoteThread is used to create a thread that runs in the virtual address space of another process.","dll":"Kernel32.dll"},"CreateRemoteThreadEx":{"description":"CreateRemoteThreadEx is used to create a thread that runs in the virtual address space of another process.","dll":"Kernel32.dll"},"CreateThread":{"description":"CreateThread is used to create a thread to execute within the virtual address space of the calling process. This function is commonly used for shellcode execution.","dll":"Kernel32.dll"},"DebugActiveProcessStop":{"description":"DebugActiveProcessStop stops the debugger from debugging the specified process.","dll":"Kernel32.dll"},"DuplicateToken":{"description":"The DuplicateToken function creates a new access token that duplicates one already in existence.","dll":"Advapi32.dll"},"EnumSystemLocalesA":{"description":"EnumSystemLocalesA is used enumerate installed locale identifiers, all of the supported identifiers or alternate sort identifiers, according to which flag is passed to the API. Can be used to geofence infection campaigns or avoid infecting systems from a certain region/country. It can also be used to jump to allocated shellcode and execute it.","dll":"Kernel32.dll"},"GetModuleHandleA":{"description":"GetModuleHandleW is used to retrieve a module handle for the specified module. The module must have been loaded by the calling process. This function is often used along with GetProcAddress to dynamically retrieve the address of a function for evasion purposes.","dll":"Kernel32.dll"},"GetProcAddress":{"description":"GetProcAddress is used to get the memory address of a function in a DLL. This is often used by malware for obfuscation and evasion purposes to avoid having to call the function directly.","dll":"Kernel32.dll"},"GetProcessHeap":{"description":"GetProcessHeap is used to retrieve a handle to the default heap of the calling process.","dll":"Kernel32.dll"},"GetProcessHeaps":{"description":"GetProcessHeaps is used to return the number of active heaps and retrieves handles to all of the active heaps for the calling process.","dll":"Kernel32.dll"},"GetThreadContext":{"description":"GetThreadContext is used to retrieve a thread's context. This is often used as part of process injection techniques.","dll":"Kernel32.dll"},"GlobalAlloc":{"description":"GlobalAlloc is used to allocate the specified number of bytes from the heap.","dll":"Kernel32.dll"},"HeapAlloc":{"description":"HeapAlloc is used to allocate a block of memory from a heap.","dll":"Kernel32.dll"},"HeapCreate":{"description":"HeapCreate is used to allocate heap memory that can be used by the calling process.","dll":"Kernel32.dll"},"HeapReAlloc":{"description":"HeapReAlloc is used to reallocate a block of memory from a heap.","dll":"Kernel32.dll"},"KeInsertQueueApc":{"description":"KeInsertQueueApc is responsible for attaching an initialized APC to the APC queue of its target thread","dll":"Kernel32.dll"},"LdrLoadDll":{"description":"LdrLoadDll is used instead of LoadLibrary to load modules.","dll":"Ntdll.dll"},"LoadLibraryA":{"description":"LoadLibraryA is used to load a specified module into the address space of the calling process. Malware commonly use this to load DLLs dynamically for evasion purposes.","dll":"Kernel32.dll"},"LoadLibraryExA":{"description":"LoadLibraryExA is used to load a specified module into the address space of the calling process. Malware commonly use this to load DLLs dynamically for evasion purposes.","dll":"Kernel32.dll"},"LocalAlloc":{"description":"LocalAlloc is used for heap allocation and manipulation.","dll":"Kernel32.dll"},"MapViewOfFile":{"description":"MapViewOfFile is used for heap allocation and manipulation.","dll":"Kernel32.dll"},"MapViewOfFile2":{"description":"MapViewOfFile2 is used for heap allocation and manipulation.","dll":"Kernel32.dll"},"MapViewOfFile3":{"description":"MapViewOfFile3 is used for heap allocation and manipulation.","dll":"Kernel32.dll"},"MapViewOfFileEx":{"description":"MapViewOfFileEx is used for heap allocation and manipulation.","dll":"Kernel32.dll"},"NtAdjustPrivilegesToken":{"description":"NtAdjustPrivilegesToken is used to modify state of avaiable token's privileges. This function is often used by malware that performs process injection often calls this function to gain additional permissions.","dll":"Ntdll.dll"},"NtAllocateVirtualMemory":{"description":"NtAllocateVirtualMemoy is used to reserve, commit, or both, a region of pages within the user-mode virtual address space of a specified process.","dll":"Ntdll.dll"},"NtContinue":{"description":"NtContinue is used to resume the execution of a thread.","dll":"Ntdll.dll"},"NtCreateProcess":{"description":"NtCreateProcess is used to create a new process.","dll":"Ntdll.dll"},"NtCreateProcessEx":{"description":"NtCreateProcessEx is used to create a new process.","dll":"Ntdll.dll"},"NtCreateSection":{"description":"NtCreateSection is used to create a new section object.","dll":"Ntdll.dll"},"NtCreateThread":{"description":"NtCreateThread is used to create a new thread.","dll":"Ntdll.dll"},"NtCreateThreadEx":{"description":"NtCreateThreadEx is used to create a new thread.","dll":"Ntdll.dll"},"NtCreateUserProcess":{"description":"NtCreateUserProcess is used to create a new process.","dll":"Ntdll.dll"},"NtDuplicateObject":{"description":"NtDuplicateObject is used to create a handle that is a duplicate of the specified source handle. Malware can use this function to obtain the necessary access rights to a process via duplicating its handle, and subsequently kill a process or inject into it.","dll":"Ntdll.dll"},"NtMapViewOfSection":{"description":"NtMapViewOfSection is used to map a view of a section into the virtual address space of a subject process. This function is used by malware as part of process injection.","dll":"Ntdll.dll"},"NtOpenProcess":{"description":"NtOpenProcess is used to get a handle on a process. This function is commonly used as part of process injection.","dll":"Ntdll.dll"},"NtOpenThread":{"description":"NtOpenThread is used to get a handle on a thread. This function is commonly used as part of process injection.","dll":"Ntdll.dll"},"NtProtectVirtualMemory":{"description":"NtProtectVirtualMemory is used to interact with and modify memory regions.","dll":"Ntdll.dll"},"NtQueueApcThread":{"description":"NtQueueApcThread is used to execute code for a different thread. This function is commonly used as part of process injection.","dll":"Ntdll.dll"},"NtQueueApcThreadEx":{"description":"NtQueueApcThreadEx is used to execute code for a different thread. This function is commonly used as part of process injection.","dll":"Ntdll.dll"},"NtQueueApcThreadEx2":{"description":"NtQueueApcThreadEx2 is a new system call that allows to pass both UserApcFlags and MemoryReserveHandle.","dll":"Ntdll.dll"},"NtReadVirtualMemory":{"description":"NtReadVirtualMemory is used to copy data in the specified address range from the address space of the specified process into the specified buffer of the current process","dll":"Ntdll.dll"},"NtReadVirtualMemoryEx":{"description":"NtReadVirtualMemoryEx is used to copy data in the specified address range from the address space of the specified process into the specified buffer of the current process","dll":"Ntdll.dll"},"NtResumeProcess":{"description":"NtResumeProcess is used to resume a suspended process","dll":"ntdll.dll"},"NtResumeThread":{"description":"NtResumeThread is used to resume a suspended thread.","dll":"Ntdll.dll"},"NtSuspendProcess":{"description":"NtSuspendProcess is used to suspend the target process","dll":"ntdll.dll"},"NtUnmapViewOfSection":{"description":"NtUnmapViewOfSection is used to unmap a view of a section from the virtual address space of a subject process.","dll":"Ntdll.dll"},"NtWaitForMultipleObjects":{"description":"NtWaitForMultipleObjects is used to wait until one or all of the specified objects are in the signaled state or the time-out interval elapses. This function is commonly used by malware for evasion purposes","dll":"Ntdll.dll"},"NtWaitForSingleObject":{"description":"NtWaitForSingleObject is used to wait until the specified object is in the signaled state or the time-out interval elapses. This function is commonly used by malware for evasion purposes.","dll":"Ntdll.dll"},"NtWriteVirtualMemory":{"description":"NtWriteVirtualMemory is used to copy the specified address range from the current process into the specified address range of the specified process.","dll":"Ntdll.dll"},"OpenFileMappingA":{"description":"OpenFileMappingA is used to open a named file mapping object.","dll":"Kernel32.dll"},"OpenProcess":{"description":"OpenProcess is used to get a handle on a process. This function is commonly used by malware during process injection.","dll":"Kernel32.dll"},"OpenProcessToken":{"description":"OpenProcessToken is used to open the access token associated with a process.","dll":"Advapi32.dll"},"OpenThread":{"description":"OpenThread is used to get a handle on a specified thread. It is commonly seen in process injection techniques.","dll":"Kernel32.dll"},"Process32First":{"description":"Process32First is used as part of CreateToolhelp32Snapshot for enumeration purposes.","dll":"Kernel32.dll"},"Process32Next":{"description":"Process32Next is used as part of CreateToolhelp32Snapshot for enumeration purposes.","dll":"Kernel32.dll"},"QueueUserAPC":{"description":"QueueUserAPC is used to execute code for a different thread. This function is commonly used as part of process injection.","dll":"Kernel32.dll"},"ReadProcessMemory":{"description":"ReadProcessMemory can be used to read the memory of a remote process.","dll":"Kernel32.dll"},"ResumeThread":{"description":"ResumeThread is used to resume a specified thread often times as part of process injection.","dll":"Kernel32.dll"},"RtlCopyMemory":{"description":"RtlCopyMemory is used to copy the contents of a source memory block to a destination memory block.","dll":"Ntdll.dll"},"RtlCreateHeap":{"description":"RtlCreateHeap is used to create a heap object that can be used by the calling process.","dll":"Ntdll.dll"},"RtlMoveMemory":{"description":"RtlMoveMemory is used to copy the contents of a source memory block to a destination memory block, and supports overlapping source and destination memory blocks.","dll":"Ntdll.dll"},"SetProcessDEPPolicy":{"description":"SetProcessDEPPolicy is used to override the default DEP policy. Malware will use this function to allow data execution.","dll":"Kernel32.dll"},"SetPropA":{"description":"SetPropA is used to add a new entry or changes an existing entry in the property list of the specified window. This function is commonly used by malware to register a property and wait for its invocation to execute malicious commands.","dll":"User32.dll"},"SetThreadContext":{"description":"SetThreadContext is used to modify a thread's context. This is often used as part of process injection techniques.","dll":"Kernel32.dll"},"SuspendThread":{"description":"SuspendThread is used to suspend a specified thread often times as part of process injection or to tamper with a legitimate application.","dll":"Kernel32.dll"},"Thread32First":{"description":"Thread32First is used as part of CreateToolhelp32Snapshot for enumeration purposes.","dll":"Kernel32.dll"},"Thread32Next":{"description":"Thread32Next is used as part of CreateToolhelp32Snapshot for enumeration purposes.","dll":"Kernel32.dll"},"Toolhelp32ReadProcessMemory":{"description":"Toolhelp32ReadProcessMemory can be used to read the memory of other processes.","dll":"Kernel32.dll"},"UuidFromStringA":{"description":"UuidFromStringA is used to convert a string to a UUID. This function can be abused to both decode data and write it to memory without using common functions such as memcpy or WriteProcessMemory.","dll":"Rpcrt4.dll"},"VirtualAlloc":{"description":"VirtualAlloc is often used by malware to allocate memory as part of process injection.","dll":"Kernel32.dll"},"VirtualAlloc2":{"description":"VirtualAlloc2 is used to reserve or changes the state of a region of pages in the virtual address space of a specified process.","dll":"Kernel32.dll"},"VirtualAlloc2FromApp":{"description":"VirtualAlloc2FromApp is used to reserve or changes the state of a region of pages in the virtual address space of the calling process.","dll":"Kernel32.dll"},"VirtualAllocEx":{"description":"VirtualAllocEx is often used by malware to allocate memory in a remote process as part of process injection.","dll":"Kernel32.dll"},"VirtualAllocExNuma":{"description":"VirtualAllocExNuma is used to reserve or changes the state of a region of pages in the virtual address space of a specified process.","dll":"Kernel32.dll"},"VirtualAllocFromApp":{"description":"VirtualAllocFromApp is used to reserve or changes the state of a region of pages in the virtual address space of the calling process.","dll":"Kernel32.dll"},"VirtualProtect":{"description":"VirtualProtect is often used by malware to modify memory protection (often to allow write or execution).","dll":"Kernel32.dll"},"VirtualProtectEx":{"description":"VirtualProtectEx is often used by malware to modify memory protection in a remote process (often to allow write or execution).","dll":"Kernel32.dll"},"VirtualProtectFromApp":{"description":"VirtualProtectFromApp is used to change the protection on a region of committed pages in the virtual address space of the calling process.","dll":"Kernel32.dll"},"WaitForMultipleObjects":{"description":"WaitForMultipleObjects is used to wait until one or all of the specified objects are in the signaled state or the time-out interval elapses. This function is commonly used to allow time for shellcode to execute or for time-based evasion.","dll":"Kernel32.dll"},"WaitForMultipleObjectsEx":{"description":"WaitForMultipleObjectsEx is used to wait until one or all of the specified objects are in the signaled state or the time-out interval elapses. This function is commonly used to allow time for shellcode to execute or for time-based evasion.","dll":"Kernel32.dll"},"WaitForSingleObject":{"description":"WaitForSingleObject is used to delay the execution of an object. This function is commonly used to allow time for shellcode being executed within a thread to run. It is also used for time-based evasion.","dll":"Kernel32.dll"},"WaitForSingleObjectEx":{"description":"WaitForSingleObjectEx is used to delay the execution of an object. This function is commonly used to allow time for shellcode being executed within a thread to run. It is also used for time-based evasion.","dll":"Kernel32.dll"},"Wow64SetThreadContext":{"description":"Wow64SetThreadContext is used to set the context for the specified thread. This function can be used by malware as part of a process hollowing attack.","dll":"Kernel32.dll"},"WriteProcessMemory":{"description":"Writing data into a specified region of memory. This function is often used by malware as part of process injection to inject malicious code into a specified process.","dll":"Kernel32.dll"}},"Internet":{"Accept":{"description":"Accept is used to permit an incoming connection attempt on a socket.","dll":"Ws2_32.dll"},"Bind":{"description":"Bind is used to associates a local address with a socket.","dll":"Ws2_32.dll"},"Closesocket":{"description":"Closesocket is used to close an existing socket.","dll":"Ws2_32.dll"},"Connect":{"description":"Connect is used to establish a connection to a specified socket.","dll":"Ws2_32.dll"},"DnsQueryEx":{"description":"DnsQueryEx is used to send a DNS query. This may be used for communications over a DNS tunnel.","dll":"Dnsapi.dll"},"DnsQuery_A":{"description":"DnsQuery_A is used to send a DNS query. This may be used for communications over a DNS tunnel.","dll":"Dnsapi.dll"},"FindFirstUrlCacheEntryA":{"description":"FindFirstUrlCacheEntryA is used to begin the enumeration of the Internet cache.","dll":"Wininet.dll"},"FindNextUrlCacheEntryA":{"description":"FindNextUrlCacheEntryA is used to retrieve the next entry in the Internet cache.","dll":"Wininet.dll"},"FtpPutFileA":{"description":"FtpPutFileA is used to upload a file to a server via FTP.","dll":"Wininet.dll"},"Gethostbyname":{"description":"gethostbyname is used to retrieve host information corresponding to a host name from a host database.","dll":"Ws2_32.dll"},"Gethostname":{"description":"gethostname is used to retrieve the standard host name for the local computer.","dll":"Ws2_32.dll"},"HttpAddRequestHeaders":{"description":"HttpAddRequestHeaders adds HTTP request headers to forge custom request handle","dll":"Wininet.dll"},"HttpOpenRequestA":{"description":"HttpOpenRequestA is used to create a HTTP request.","dll":"Wininet.dll"},"HttpSendRequestA":{"description":"HttpSendRequestA is used to send a HTTP request to a server.","dll":"Wininet.dll"},"HttpSendRequestExA":{"description":"HttpSendRequestExA is used to send a HTTP request to a server","dll":"Wininet.dll"},"Inet_addr":{"description":"inet_addr is used to convert a string containing an IPv4 dotted-decimal address into a proper address for the IN_ADDR structure.","dll":"Ws2_32.dll"},"InternetCloseHandle":{"description":"InternetCloseHandle is used to close an internet handle.","dll":"Wininet.dll"},"InternetConnectA":{"description":"InternetConnectA is used to open a File Transfer Protocol (FTP) or HTTP session for a given site.","dll":"Wininet.dll"},"InternetOpenA":{"description":"InternetOpenA is used to initialize the use of WinINet functions.","dll":"Wininet.dll"},"InternetOpenUrlA":{"description":"InternetOpenUrlA is used to open a resource specified by a complete FTP or HTTP URL.","dll":"Wininet.dll"},"InternetReadFile":{"description":"InternetReadFile is used to read data from a handle opened by the InternetOpenUrl, FtpOpenFile, or HttpOpenRequest function.","dll":"Wininet.dll"},"InternetReadFileExA":{"description":"InternetReadFileExA is used to read data from a handle opened by the InternetOpenUrl or HttpOpenRequest function.","dll":"Wininet.dll"},"InternetSetOptionA":{"description":"InternetSetOptionA is used to set an Internet option.","dll":"Wininet.dll"},"InternetWriteFile":{"description":"InternetWriteFile is used to write data to an open Internet file.","dll":"Wininet.dll"},"Listen":{"description":"Listen is used to place a socket in a state in which it is listening for an incoming connection.","dll":"Ws2_32.dll"},"Recv":{"description":"Recv is used to receive data from a connected socket or a bound connectionless socket.","dll":"Ws2_32.dll"},"Send":{"description":"Send is used to send data on a connected socket.","dll":"Ws2_32.dll"},"ShellExecuteA":{"description":"ShellExecuteA is used to perform an operation on a specified file.","dll":"Shell32.dll"},"ShellExecuteExA":{"description":"ShellExecuteExA is used to perform an operation on a specified file.","dll":"Shell32.dll"},"Socket":{"description":"socket is used create a socket that is bound to a specific transport service provider.","dll":"Ws2_32.dll"},"URLDownloadToCacheFile":{"description":"URLDownloadToCacheFile is used to download data to the Internet cache and returns the file name of the cache location for retrieving the bits.","dll":"Urlmon.dll"},"URLDownloadToFile":{"description":"URLDownloadToFile is used to download bits from the Internet and saves them to a file.","dll":"Urlmon.dll"},"URLOpenBlockingStream":{"description":"URLOpenBlockingStream is used to create a blocking type stream object from a URL and downloads the data from the Internet.","dll":"Urlmon.dll"},"URLOpenStream":{"description":"URLOpenStream is used to create a push type stream object from a URL.","dll":"Urlmon.dll"},"WNetOpenEnumA":{"description":"The WNetOpenEnumA function starts an enumeration of network resources or existing connections. You can continue the enumeration by calling the WNetEnumResource function.","dll":"Mpr.dll"},"WSACleanup":{"description":"WSACleanup is used to terminate the use of the Winsock 2 DLL. This function is commonly used by malware upon successfully utilizing the Winsock 2 functions.","dll":"Ws2_32.dll"},"WSAIoctl":{"description":"WSAIoctl Can be used to retrieve and set socket mode. E.g.: Put NIC in 'Promiscuous Mode'","dll":"ws2_32.dll"},"WSASocketA":{"description":"WSASocketA is used to create a socket that is bound to a specific transport-service provider.","dll":"Ws2_32.dll"},"WSAStartup":{"description":"WSAStartup is used to initiate use of the Winsock DLL by a process.","dll":"Ws2_32.dll"},"WinExec":{"description":"WinExec is used to allow the execution of an application.","dll":"Kernel32.dll"},"ioctlsocket":{"description":"ioctlsocket takes control of the I/O mode of a socket in any state","dll":"Ws2_32.lib"}},"Ransomware":{"CryptAcquireContextA":{"description":"CryptAcquireContextA is used to acquire a handle to a particular key container within a particular cryptographic service provider (CSP)","dll":"Advapi32.dll"},"CryptBinaryToString":{"description":"The CryptBinaryToString function is used to convert an array of bytes into a formatted string.","dll":"Crypt32.dll"},"CryptCreateHash":{"description":"CryptCreateHash is used to create a hash.","dll":"Advapi32.dll"},"CryptDecrypt":{"description":"CryptDecrypt is used to decrypt data.","dll":"Advapi32.dll"},"CryptDeriveKey":{"description":"CryptDeriveKey is used to create encryption keys.","dll":"Advapi32.dll"},"CryptDestroyHash":{"description":"The CryptDestroyHash function destroys the hash object referenced by the hHash parameter. After a hash object has been destroyed, it can no longer be used.","dll":"Crypt32.dll"},"CryptDestroyKey":{"description":"CryptDestroyKey is used to destroy previously generated encryption keys.","dll":"Advapi32.dll"},"CryptEncrypt":{"description":"CryptEncrypt is used to encrypt data.","dll":"Advapi32.dll"},"CryptGenRandom":{"description":"CryptGenRandom is used to fill a buffer with cryptographically random bytes.","dll":"Advapi32.dll"},"CryptGetHashParam":{"description":"CryptGetHashParam","dll":"Advapi32.dll"},"CryptHashData":{"description":"CryptHashData is used to create a hash.","dll":"Advapi32.dll"},"CryptProtectData":{"description":"CryptProtectData can be leveraged to create a malicious artifact for encrypting the file system (Ransomware), effectively evading typical detection methods.More information is available: https://github.com/CarlosG13/Data-Protection-API-DPAPI-For-Impact---Ransomware","dll":"Crypt32.dll"},"CryptReleaseContext":{"description":"The CryptReleaseContext function is used to release the handle of a cryptographic service provider (CSP) and a key container.","dll":"Crypt32.dll"},"CryptSetKeyParam":{"description":"CryptSetKeyParam is used to customize various aspects of a session key's operations.","dll":"Advapi32.dll"},"CryptStringToBinary":{"description":"The CryptStringToBinary function is used to convert a formatted string into an array of bytes.","dll":"Crypt32.dll"},"DecryptFileA":{"description":"DecryptFileA is used to decrypt an encrypted file or directory.","dll":"Advapi32.dll"},"EncryptFileA":{"description":"EncryptFileA is used to encrypt a file or directory.","dll":"Advapi32.dll"},"EnumSystemLocalesA":{"description":"EnumSystemLocalesA is used enumerate installed locale identifiers, all of the supported identifiers or alternate sort identifiers, according to which flag is passed to the API. Can be used to geofence infection campaigns or avoid infecting systems from a certain region/country. It can also be used to jump to allocated shellcode and execute it.","dll":"Kernel32.dll"},"FlushEfsCache":{"description":"FlushEfsCache is used to flush EFS data from memory. This is used by EFS ransomware post-encryption to cause the files and folder to become unreadable.","dll":"Advapi32.dll"},"GetDriveTypeA":{"description":"GetDriveTypeA is used to determine whether a disk drive is a removable / fixed / CD-ROM / RAM disk or network drive.","dll":"Kernel32.dll"},"GetLogicalDrives":{"description":"GetLogicalDrives is used to retrieve a bitmask representing the currently available disk drives. This function can be used to emumerate all drives / mounted drives.","dll":"Kernel32.dll"}},"Spying":{"AttachThreadInput":{"description":"AttachThreadInput is used to attach the input processing from one thread to another so that the second thread receives input events such as keyboard and mouse events. This function is commonly used by keyloggers.","dll":"User32.dll"},"BitBlt":{"description":"BitBlt is used to copy graphic data from one device to another. Spyware sometimes uses this function to capture screenshots.","dll":"Gdi32.dll"},"CallNextHookEx":{"description":"CallNextHookEx is used within code that is hooking an event set by SetWindowsHookEx. CallNextHookEx calls the next hook in the chain. This function is commonly used by keyloggers.","dll":"User32.dll"},"GetAsyncKeyState":{"description":"GetAsyncKeyState is used to determine when a specific key is pressed. This function is commonly used by keyloggers.","dll":"User32.dll"},"GetClipboardData":{"description":"GetClipboardData is used to retrieve copied data residing in the clipboard.","dll":"User32.dll"},"GetDC":{"description":"GetDC is used to retrieve a handle to a device context (DC) for the client area of a specified window or for the entire screen. This function is commonly used by spyware for taking screenshots.","dll":"User32.dll"},"GetDCEx":{"description":"GetDCEx is used to retrieve a handle to a device context (DC) for the client area of a specified window or for the entire screen. This function is commonly used by spyware for taking screenshots.","dll":"User32.dll"},"GetForegroundWindow":{"description":"GetForegroundWindow is used to get a handle to the foreground window (the window with which the user is currently working). This function is commonly used by keyloggers and spyware to determine which window is being utilized at the moment by the user.","dll":"User32.dll"},"GetKeyState":{"description":"GetKeyState is used to retrieve the status of the specified virtual key. This function is commonly used by keyloggers.","dll":"User32.dll"},"GetKeyboardState":{"description":"GetKeyboardState is used to copy the status of the 256 virtual keys to the specified buffer. This function is commonly used by keyloggers.","dll":"User32.dll"},"GetKeynameTextA":{"description":"The GetKeynameTextA function is used to retrieve a string that represents the name of a key.","dll":"User32.dll"},"GetMessageA":{"description":"GetMessageA is used to retrieve a message from the calling thread's message queue. This function is commonly used by keyloggers.","dll":"User32.dll"},"GetRawInputData":{"description":"GetRawInputData is used to retrieve the raw input data from a specified device. This function is commonly used by keyloggers.","dll":"User32.dll"},"GetWindowDC":{"description":"GetWindowDC is used to retrieve the device context (DC) for the entire window, including title bar, menus, and scroll bars. This function is commonly used by spyware and keyloggers to capture screenshots.","dll":"User32.dll"},"MapVirtualKeyA":{"description":"MapVirtualKeyA is used to map a virtual-key code into a scan code or character value, or translates a scan code into a virtual-key code. This function is commonly used by spyware and keyloggers.","dll":"User32.dll"},"MapVirtualKeyExA":{"description":"MapVirtualKeyExA is used to map a virtual-key code into a scan code or character value, or translates a scan code into a virtual-key code. This function is commonly used by spyware and keyloggers.","dll":"User32.dll"},"PeekMessageA":{"description":"PeekMessageA is used to check for incoming sent messages, checks the thread message queue for a posted message, and retrieves the message (if any exist).","dll":"User32.dll"},"PostMessageA":{"description":"PostMessageA is used to post a message in the message queue associated with the thread that created the specified window and returns without waiting for the thread to process the message.","dll":"User32.dll"},"PostThreadMessageA":{"description":"PostThreadMessageA is used to post a message to the message queue of the specified thread.","dll":"User32.dll"},"RegisterHotKey":{"description":"RegisterHotKey is used to create a system wide hotkey. This function is commonly used by spyware or keyloggers to recieve a notification when a certain combination of keys are pressed.","dll":"User32.dll"},"RegisterRawInputDevices":{"description":"RegisterRawInputDevices is used to register the devices that supply raw input.","dll":"User32.dll"},"SendMessageA":{"description":"SendMessageA is used to send the specified message to a window or windows.","dll":"User32.dll"},"SendMessageCallbackA":{"description":"SendMessageCallbackA is used to send the specified message to a window or windows.","dll":"User32.dll"},"SendMessageTimeoutA":{"description":"SendMessageTimeoutA is used to send the specified message to a window or windows.","dll":"User32.dll"},"SendNotifyMessageA":{"description":"SendNotifyMessageA is used to send the specified message to a window or windows.","dll":"User32.dll"},"SetWinEventHook":{"description":"SetWinEventHook is used to set an event hook function for a range of events.","dll":"User32.dll"},"SetWindowsHookExA":{"description":"SetWindowsHookExA is used to install an application-defined hook procedure into a hook chain. This function is commonly used by keyloggers.","dll":"User32.dll"},"StretchBlt":{"description":"StretchBlt is used to copy graphic data from one device to another. Spyware sometimes uses this function to capture screenshots.","dll":"Gdi32.dll"},"UnhookWindowsHookEx":{"description":"UnhookWindowsHookEx is used to remove a hook procedure installed in a hook chain by the SetWindowsHookEx function.","dll":"User32.dll"}}}
Reference in New Issue View Git Blame Copy Permalink