MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61b786fe71c902cfe7057c49278d4b0fbfe8d2e61db1c1883aca3ca3c431442f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 61b786fe71c902cfe7057c49278d4b0fbfe8d2e61db1c1883aca3ca3c431442f
SHA3-384 hash: 990e47127c2e66336545667d182c66ea88cc9027b3f09a12a684f7fb444d1f28e406c66f7e5209c13a1a23c6f90ce597
SHA1 hash: 8e3383bff2fc39ed25cbc20d9088d3c0329372c4
MD5 hash: 426aa04664b300257326510faa553da4
humanhash: tennessee-echo-massachusetts-washington
File name:250428-fhlaeasvhz.bin
Download: download sample
Signature Amadey
Create hunting rule
File size:961'024 bytes
First seen:2025-04-28 04:58:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 948cc502fe9226992dce9417f952fce3 (1'182 x CredentialFlusher, 446 x Formbook, 231 x AgentTesla)
ssdeep 24576:PqDEvCTbMWu7rQYlBQcBiT6rprG8aeFV:PTvC/MTQYxsWR7aeF
Threatray 147 similar samples on MalwareBazaar
TLSH T12B159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter UNP4CK
Tags:Amadey

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
GB GB
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
2025-04-28_426aa04664b300257326510faa553da4_agent-tesla_black-basta_cobalt-strike_darkgate_elex_luca-stealer
Verdict:
Malicious activity
Analysis date:
2025-04-28 04:55:14 UTC
Tags:
auto-sch loader amadey botnet stealer rdp auto-reg telegram stealc vidar lumma miner putty rmm-tool phishing
Link:
https://app.any.run/tasks/89889946-b466-4d20-a189-b38492e2f8ca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/4610/
Detection(s):
SecuriteInfo.com.AutoIt.Agent-AOQ.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Generic.33203615.28472.17882.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=680f0a32cc5fb3600cc3bd53
Tags:
autorun autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Launching a process
Сreating synchronization primitives
Sending an HTTP GET request to an infection source
Creating a file
Creating a process from a recently created file
Searching for synchronization primitives
Connection attempt
Sending an HTTP POST request
Connection attempt to an infection source
Enabling autorun by creating a file
Launching a file downloaded from the Internet
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autoit compiled-script entropy fingerprint keylogger lolbin masquerade microsoft_visual_cc mshta packed schtasks
Link:
https://www.filescan.io/uploads/680f0b1a218c4a98ade4898e/reports/5294bf08-db5d-49a8-9f2d-af56fa302031/overview
Verdict:
Malicious
Labled as:
Trojan.Agent
Link:
https://www.hybrid-analysis.com/sample/61b786fe71c902cfe7057c49278d4b0fbfe8d2e61db1c1883aca3ca3c431442f
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f33b754e-2ded-4872-8a71-d38d5c6f4e94
Result
Threat name:
Amadey, LummaC Stealer, Vidar, Xmrig
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1675934
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Creates HTA files
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Drops password protected ZIP file
Drops PE files to the document folder of the user
Found API chain indicative of sandbox detection
Found malware configuration
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Yara detected obfuscated html page
Yara detected Powershell download and execute
Yara detected Vidar stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1675934 Sample: 250428-fhlaeasvhz.bin.exe Startdate: 28/04/2025 Architecture: WINDOWS Score: 100 149 bardcauft.run 2->149 151 xai830k.com 2->151 153 10 other IPs or domains 2->153 183 Suricata IDS alerts for network traffic 2->183 185 Found malware configuration 2->185 187 Malicious sample detected (through community Yara rule) 2->187 189 29 other signatures 2->189 14 250428-fhlaeasvhz.bin.exe 1 2->14         started        18 laren.exe 2->18         started        21 mshta.exe 1 2->21         started        23 11 other processes 2->23 signatures3 process4 dnsIp5 137 C:\Users\user\AppData\Local\...\B4MBcULrK.hta, HTML 14->137 dropped 265 Binary is likely a compiled AutoIt script file 14->265 267 Found API chain indicative of sandbox detection 14->267 269 Creates HTA files 14->269 25 mshta.exe 1 14->25         started        28 cmd.exe 1 14->28         started        155 xai830k.com 152.89.61.96 YURTEH-ASUA Ukraine 18->155 139 C:\Users\user\AppData\...\58b1cec7bd.exe, PE32 18->139 dropped 141 C:\Users\user\AppData\Local\...\win_init.exe, PE32+ 18->141 dropped 143 C:\Users\user\AppData\Local\...\random[1].exe, PE32 18->143 dropped 145 C:\Users\user\AppData\...\win_init[1].exe, PE32+ 18->145 dropped 271 Contains functionality to start a terminal service 18->271 30 58b1cec7bd.exe 18->30         started        32 win_init.exe 18->32         started        273 Suspicious powershell command line found 21->273 275 Tries to download and execute files (via powershell) 21->275 34 powershell.exe 14 16 21->34         started        157 107.167.92.130 IOFLOODUS United States 23->157 159 127.0.0.1 unknown unknown 23->159 277 Query firmware table information (likely to detect VMs) 23->277 279 Changes security center settings (notifications, updates, antivirus, firewall) 23->279 36 000001110029.exe 23->36         started        39 powershell.exe 23->39         started        41 conhost.exe 23->41         started        43 2 other processes 23->43 file6 signatures7 process8 dnsIp9 211 Suspicious powershell command line found 25->211 213 Tries to download and execute files (via powershell) 25->213 45 powershell.exe 15 19 25->45         started        215 Uses schtasks.exe or at.exe to add and modify task schedules 28->215 50 conhost.exe 28->50         started        52 schtasks.exe 1 28->52         started        217 Detected unpacking (changes PE section rights) 30->217 219 Tries to detect sandboxes and other dynamic analysis tools (window names) 30->219 221 Tries to evade debugger and weak emulator (self modifying code) 30->221 233 4 other signatures 30->233 223 Multi AV Scanner detection for dropped file 32->223 225 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 32->225 54 powershell.exe 32->54         started        227 Contains functionality to start a terminal service 34->227 56 TempPUKIX95K2BBNY6RWPH5Q8NIXLGXL5BRT.EXE 34->56         started        58 conhost.exe 34->58         started        167 pool-phx.supportxmr.com 107.167.83.34, 443, 49734 IOFLOODUS United States 36->167 229 Query firmware table information (likely to detect VMs) 36->229 60 conhost.exe 36->60         started        231 Loading BitLocker PowerShell Module 39->231 62 conhost.exe 39->62         started        signatures10 process11 dnsIp12 175 185.39.17.162, 49710, 49714, 49719 RU-TAGNET-ASRU Russian Federation 45->175 147 TempPUKIX95K2BBNY6RWPH5Q8NIXLGXL5BRT.EXE, PE32 45->147 dropped 281 Powershell drops PE file 45->281 64 TempPUKIX95K2BBNY6RWPH5Q8NIXLGXL5BRT.EXE 4 45->64         started        68 conhost.exe 45->68         started        283 Loading BitLocker PowerShell Module 54->283 70 conhost.exe 54->70         started        285 Contains functionality to start a terminal service 56->285 file13 signatures14 process15 file16 117 C:\Users\user\AppData\Local\...\saved.exe, PE32 64->117 dropped 177 Multi AV Scanner detection for dropped file 64->177 179 Contains functionality to start a terminal service 64->179 181 Contains functionality to inject code into remote processes 64->181 72 saved.exe 2 50 64->72         started        signatures17 process18 dnsIp19 169 185.39.17.122, 49735, 49740, 80 RU-TAGNET-ASRU Russian Federation 72->169 171 185.39.17.163, 49713, 49716, 49726 RU-TAGNET-ASRU Russian Federation 72->171 173 94.26.90.80 ASDETUKhttpwwwheficedcomGB Bulgaria 72->173 129 C:\Users\user\AppData\...\52b043478b.exe, PE32 72->129 dropped 131 C:\Users\user\AppData\...\e52b288656.exe, PE32 72->131 dropped 133 C:\Users\user\AppData\Local\...\amnew.exe, PE32 72->133 dropped 135 20 other malicious files 72->135 dropped 235 Multi AV Scanner detection for dropped file 72->235 237 Contains functionality to start a terminal service 72->237 239 Creates multiple autostart registry keys 72->239 77 fNfCBPl.exe 72->77         started        80 xnTcozT.exe 72->80         started        83 fNfCBPl.exe 72->83         started        85 4 other processes 72->85 file20 signatures21 process22 file23 241 Multi AV Scanner detection for dropped file 77->241 243 Writes to foreign memory regions 77->243 245 Allocates memory in foreign processes 77->245 87 MSBuild.exe 77->87         started        90 MSBuild.exe 77->90         started        119 C:\Users\user\Documents\...\000000590029.exe, MS-DOS 80->119 dropped 247 Suspicious powershell command line found 80->247 249 Drops PE files to the document folder of the user 80->249 251 Creates multiple autostart registry keys 80->251 253 Adds a directory exclusion to Windows Defender 80->253 92 powershell.exe 80->92         started        94 000000590029.exe 80->94         started        96 conhost.exe 80->96         started        255 Injects a PE file into a foreign processes 83->255 98 MSBuild.exe 83->98         started        121 C:\Users\user\Documents\...\000001110029.exe, MS-DOS 85->121 dropped 123 C:\Users\user\AppData\Local\...\nircmd.exe, PE32+ 85->123 dropped 125 C:\Users\user\AppData\Local\...\cecho.exe, PE32 85->125 dropped 127 3 other malicious files 85->127 dropped 257 Antivirus detection for dropped file 85->257 259 Detected unpacking (changes PE section rights) 85->259 261 Contains functionality to start a terminal service 85->261 263 Found strings related to Crypto-Mining 85->263 101 MSBuild.exe 85->101         started        103 laren.exe 85->103         started        105 3 other processes 85->105 signatures24 process25 dnsIp26 191 Query firmware table information (likely to detect VMs) 87->191 193 Tries to harvest and steal ftp login credentials 87->193 195 Tries to harvest and steal browser information (history, passwords, etc) 87->195 197 Tries to steal from password manager 87->197 199 Loading BitLocker PowerShell Module 92->199 107 conhost.exe 92->107         started        109 conhost.exe 94->109         started        161 bardcauft.run 172.67.218.184, 443, 49729, 49730 CLOUDFLARENETUS United States 98->161 163 t.me 149.154.167.99, 443, 49728 TELEGRAMRU United Kingdom 98->163 201 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 98->201 203 Tries to steal Crypto Currency Wallets 98->203 165 qr.ap.4t.com 91.99.2.206 PARSONLINETehran-IRANIR Iran (ISLAMIC Republic Of) 101->165 205 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 101->205 207 Multi AV Scanner detection for dropped file 103->207 209 Contains functionality to start a terminal service 103->209 111 cmd.exe 105->111         started        113 conhost.exe 105->113         started        signatures27 process28 process29 115 conhost.exe 111->115         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/61b786fe71c902cfe7057c49278d4b0fbfe8d2e61db1c1883aca3ca3c431442f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/61b786fe71c902cfe7057c49278d4b0fbfe8d2e61db1c1883aca3ca3c431442f/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2025-04-28 04:55:16 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mg3yn7trzebm7zyfprespdklb676ruxgdwy4dcb2zi6khrbriqxq._file
Verdict:
malicious
Label(s):
admintool_putty
Create hunting rule
lummastealer
Create hunting rule
amadey
Create hunting rule
Similar samples:
296497459462840bf9e8874e312088c4a85aae75d460d0d5bcc75a9d582343eb
Amadey
3cd1d9ec98d9199c17a59e2f71d77f0aa6950e8829c490083700d0ec62b3d865
Amadey
637dbc445534485b6df8c5378e26d5ac93e6c3c48af21bbf8b4e107dfbcaf5d6
Amadey
843f3d0d360a92fd9312599bc26b17c632684b74e6e850e5bcbc0d2f5e73b9bf
Amadey
ae308ae3eaf5742f55203a3275e69f653701ede47843eec48b9c6d06d9ec22f4
Amadey
cb584a4faa3cbf7e45b503710f3d60ea9a5a5767f56a63a64ce39fb52a6718df
Amadey
d4eb667436377f59c60a1065c7cf866d2f9030488cee1a2dfa6bfc586ea7fa16
Amadey
ee0947c688ad5b9f2d1c802f19430179392b3253fed7473c6f7efccce25c0377
Amadey
ee97743cdb423fc71707bb9ccdf5a41b77d97ab0ca8dc51a493f25a6a492717f
Amadey
error
Amadey
+ 137 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery execution
Link:
https://tria.ge/reports/250428-fmfwgssxhy/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Malware Config
Dropper Extraction:
http://185.39.17.162/testmine/random.exe
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9282ea52-ca32-451f-a0f8-90e4f1ce57e4
Unpacked files
SH256 hash:
61b786fe71c902cfe7057c49278d4b0fbfe8d2e61db1c1883aca3ca3c431442f
MD5 hash:
426aa04664b300257326510faa553da4
SHA1 hash:
8e3383bff2fc39ed25cbc20d9088d3c0329372c4
Link:
https://www.unpac.me/results/b41b242d-2323-49bf-a7d2-b0310f5db012/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/61b786fe71c9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/61b786fe71c902cfe7057c49278d4b0fbfe8d2e61db1c1883aca3ca3c431442f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/4610/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::CopySid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::GetLengthSid
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::GetAce
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
ole32.dll::CoCreateInstanceEx
ole32.dll::CoInitializeSecurity
ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_APICan Play MultimediaWINMM.dll::mciSendStringW
WINMM.dll::timeGetTime
WINMM.dll::waveOutSetVolume
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AddAce
ADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetAclInformation
ADVAPI32.dll::GetSecurityDescriptorDacl
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHFileOperationW
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::CreateProcessAsUserW
KERNEL32.dll::CreateProcessW
ADVAPI32.dll::CreateProcessWithLogonW
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::OpenThreadToken
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::SetSystemPowerState
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileExW
KERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
IPHLPAPI.DLL::IcmpCreateFile
KERNEL32.dll::CreateFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.dll::GetUserNameW
ADVAPI32.dll::LogonUserW
ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetAddConnection2W
MPR.dll::WNetUseConnectionW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegConnectRegistryW
ADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::BlockInput
USER32.dll::CloseDesktop
USER32.dll::CreateMenu
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::FindWindowW

Comments