MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07ffbd8b3970a7b9f8fb2a70d253d300e7ed6f58a083f0ae46dfa5f3f1bd1ec7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XWorm

Vendor detections: 20

SHA256 hash: 07ffbd8b3970a7b9f8fb2a70d253d300e7ed6f58a083f0ae46dfa5f3f1bd1ec7
SHA3-384 hash: 07b8f5d7ceff34de72d17da280abff9204b0a40da23e3df8f5f843f0dd15bfa7e19f5e2ab625c08495cf4e963ed7bece
SHA1 hash: 409b27e710fc547dbebf3e7ad52a3b866ea14575
MD5 hash: fb01f9672ee54b072a9d1c43f23fdabb
humanhash: network-asparagus-equal-harry
File name: FB01F9672EE54B072A9D1C43F23FDABB.exe
Signature: XWorm
File size: 4'966'400 bytes
First seen: 2025-08-01 22:00:43 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep: 98304:XA3pVEzolE8B9YzNBRYtb7xHz/9nRv9KNKVZFzRu:XAVpn9MKb95AKVZ5Ru
TLSH: T1D936330EF9981152F89503F0DE774BD31B66BEB2AB668B62111F2F0D08F12F891B4795
TrID: 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
      7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika: pebin
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: abuse_ch
Tags: exe xworm


abuse_ch
XWorm C2:
192.121.102.225:66

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                 ThreatFox Reference
192.121.102.225:66  https://threatfox.abuse.ch/ioc/1563227/

Intelligence


File Origin
# of uploads: 1
# of downloads: 63
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: FB01F9672EE54B072A9D1C43F23FDABB.exe
Verdict: Malicious activity
Analysis date: 2025-08-01 22:01:57 UTC
Tags: lumma stealer amadey botnet loader auto redline rdp arch-exec

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: autorun autoit emotet delphi
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating synchronization primitives
Searching for analyzing tools
DNS request
Behavior that indicates a threat
Connection attempt
Sending a custom TCP request
Creating a window
Searching for the window
Searching for synchronization primitives
Creating a file
Running batch commands
Launching a process
Launching a service
Query of malicious DNS domain
Connection attempt to an infection source
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context anti-vm CAB crypt explorer installer lolbin microsoft_visual_cc nanocore obfuscated packed packed packer_detected rundll32 runonce sfx
Result
Threat name: Amadey, LummaC Stealer, Vidar
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Drops password protected ZIP file
Found API chain indicative of sandbox detection
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Invoke-Obfuscation STDIN+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PUA - NSudo Execution
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the nircmd tool (NirSoft)
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Yara detected Powershell decode and execute
Yara detected Vidar stealer
Behaviour
Behavior Graph: (graph rendering not reproduced) Behavior Graph ID: 1748826; Sample: 144I8hJS4V.exe; Startdate: 02/08/2025; Architecture: WINDOWS; Score: 100
Verdict: inconclusive
YARA: 5 match(es)
Tags: CAB:COMPRESSION:LZX Executable PDB Path PE (Portable Executable) Win 32 Exe x86
Threat name: Win32.Trojan.LummaStealer
Status: Malicious
First seen: 2025-07-26 23:10:51 UTC
File Type: PE (Exe)
Extracted files: 147
AV detection: 28 of 38 (73.68%)
Threat level: 5/5
Verdict: malicious
Label(s): admintool_nsudo amadey unc_loader_051 admintool_nircmd lummastealer
Similar samples:
Result
Malware family:
Score: 10/10
Tags: family:amadey family:cyber_stealer family:donutloader family:gcleaner family:lumma family:vidar botnet:fbf543 defense_evasion discovery execution loader persistence spyware stealer trojan upx
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies registry key
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
AutoIT Executable
Checks system information in the registry
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Maps connected drives based on registry
Obfuscated Files or Information: Command Obfuscation
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Sets service image path in registry
Stops running service(s)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
CyberStealer
Cyber_stealer family
Detect Vidar Stealer
Detects CyberStealer
Detects DonutLoader
Disables service(s)
DonutLoader
Donutloader family
GCleaner
Gcleaner family
Lumma Stealer, LummaC
Lumma family
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Vidar family
Malware Config
C2 Extraction:
Verdict: Malicious
Tags: stealer redline Win.Packed.Nanocore-9942160-0 PowerShell
YARA: win_redline_wextract_hunting_oct_2023
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: detect_Redline_Stealer
Author: Varp0s
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: win_redline_wextract_hunting_oct_2023
Author: Matthew @ Embee_Research
Description: Detects wextract archives related to redline/amadey

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                         Title                                                    Severity
CHECK_AUTHENTICODE         Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high
Reviews
ID                 Capabilities                     Evidence
AUTH_API           Manipulates User Authorization   ADVAPI32.dll::AllocateAndInitializeSid
                                                    ADVAPI32.dll::EqualSid
                                                    ADVAPI32.dll::FreeSid
SECURITY_BASE_API  Uses Security Base API           ADVAPI32.dll::AdjustTokenPrivileges
                                                    ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_API  Can Create Process and Threads   KERNEL32.dll::CreateProcessA
                                                    ADVAPI32.dll::OpenProcessToken
                                                    KERNEL32.dll::CloseHandle
                                                    KERNEL32.dll::CreateThread
WIN_BASE_API       Uses Win Base API                KERNEL32.dll::TerminateProcess
                                                    KERNEL32.dll::LoadLibraryA
                                                    KERNEL32.dll::LoadLibraryExA
                                                    KERNEL32.dll::GetDriveTypeA
                                                    KERNEL32.dll::GetVolumeInformationA
                                                    KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_API    Can Create Files                 KERNEL32.dll::CreateDirectoryA
                                                    KERNEL32.dll::CreateFileA
                                                    KERNEL32.dll::DeleteFileA
                                                    KERNEL32.dll::GetWindowsDirectoryA
                                                    KERNEL32.dll::GetSystemDirectoryA
                                                    KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_API  Retrieves Account Information    ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_API        Can Manipulate Windows Registry  ADVAPI32.dll::RegCreateKeyExA
                                                    ADVAPI32.dll::RegOpenKeyExA
                                                    ADVAPI32.dll::RegQueryInfoKeyA
                                                    ADVAPI32.dll::RegQueryValueExA
                                                    ADVAPI32.dll::RegSetValueExA
WIN_USER_API       Performs GUI Actions             USER32.dll::PeekMessageA

Comments