MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99a80e2177e257e5ac1509453aaf175a748177861756d3bbe67df660148f9614. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XenoRAT

Vendor detections: 18

SHA256 hash: 99a80e2177e257e5ac1509453aaf175a748177861756d3bbe67df660148f9614
SHA3-384 hash: 69988b15e67bb77fa35432b4e2536ec6e767887e6166ab7b0f2aae996e412db091504aafc267896c090ebdac9d37f6a8
SHA1 hash: 35ebfb0e6a13a6f954d21c765add7a100c36f355
MD5 hash: 3f73eb2f938ec885ab9bc29226a23031
humanhash: echo-crazy-crazy-berlin
File name: 3F73EB2F938EC885AB9BC29226A23031.exe
Signature: XenoRAT
File size: 4'926'464 bytes
First seen: 2025-07-26 18:06:43 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep: 98304:iCoo+Ifs9TQdiTW7JiQQI1/QEe2aiB/CGHGYWOeGNlmZhEq9:iCovnJTW7Jimq12a/s5lmZWq9
Threatray: 80 similar samples on MalwareBazaar
TLSH: T153363305F6CC0626F9A14BF496B307A304793E6297B19A9A170F259C0EF27C4A5F4BD3
TrID: 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      12.7% (.EXE) Win64 Executable (generic) (10522/11/4)
      7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika: pebin
dhash icon: f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter: abuse_ch
Tags: exe XenoRAT


abuse_ch
XenoRAT C2:
185.100.157.116:7930

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
185.100.157.116:7930 | https://threatfox.abuse.ch/ioc/1560932/

Intelligence


File Origin
# of uploads: 1
# of downloads: 31
Origin country: NL

Vendor Threat Intelligence

Malware family:
ID: 1
File name: 3F73EB2F938EC885AB9BC29226A23031.exe
Verdict: Malicious activity
Analysis date: 2025-07-26 18:18:22 UTC
Tags: lumma stealer amadey botnet rdp loader arch-exec

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 97.4%
Tags: autorun autoit emotet delphi

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating synchronization primitives
Searching for analyzing tools
DNS request
Behavior that indicates a threat
Connection attempt
Sending a custom TCP request
Creating a window
Searching for the window
Searching for synchronization primitives
Creating a file
Running batch commands
Launching a process
Sending an HTTP POST request
Launching a service
Enabling autorun by creating a file

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: adaptive-context anti-vm CAB explorer fingerprint installer lolbin microsoft_visual_cc overlay packed rundll32 runonce sfx

Result
Threat name: Amadey, LummaC Stealer, Xmrig
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to start a terminal service
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Drops password protected ZIP file
Found API chain indicative of sandbox detection
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation STDIN+ Launcher
Sigma detected: PUA - NSudo Execution
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the nircmd tool (NirSoft)
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected LummaC Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Behavior Graph ID: 1744752, Sample: nSHUHmko86.exe, Startdate: 26/07/2025, Architecture: WINDOWS, Score: 100. (The rendered graph is not reproduced; the process tree, dropped files, network contacts and per-node signatures it encoded are listed below.)

Network: stfota.xyz, sparklfm.xyz (performs DNS queries to domains with low reputation) and 11 other IPs or domains. Top-level signatures: Suricata IDS alerts for network traffic; found malware configuration; antivirus detection for dropped file; 16 other signatures.

nSHUHmko86.exe
  drops C:\Users\user\AppData\Local\...\2l1232.exe (PE32), C:\Users\user\AppData\Local\...\1G15d7.exe (PE32)
  2l1232.exe (multi AV scanner detection for dropped file)
    drops C:\WYsOzmK\Y37lBBTr.exe (PE32), C:\WYsOzmK\XaoEUsj5.exe (PE32), C:\WYsOzmK\IzfSampC.exe (PE32)
    cmd.exe (suspicious powershell command line found; uses cmd line tools excessively to alter registry or file data; bypasses PowerShell execution policy; 2 other signatures)
      Y37lBBTr.exe (multi AV scanner detection for dropped file; binary is likely a compiled AutoIt script file; found API chain indicative of sandbox detection)
        KnzZ6ruZ.exe
          contacts 94.154.35.25 (SELECTELRU Ukraine), 176.46.158.8 (ESTPAKEE Iran (Islamic Republic of)), api.spurdo.me 172.67.133.37:443 (CLOUDFLARENETUS United States)
          drops C:\Users\user\AppData\Local\...\DcLvSKS.exe (PE32+), C:\Users\user\AppData\Local\...\zjnjOKt.exe (PE32+), C:\Users\user\AppData\Local\...\YT1For2.exe (PE32), 22 other malicious files
          multi AV scanner detection for dropped file; contains functionality to start a terminal service; creates HTML files with .exe extension (expired dropper behavior)
          55e2d8124e.exe (multi AV scanner detection for dropped file; writes to foreign memory regions; allocates memory in foreign processes; injects a PE file into a foreign process)
        cmd.exe (suspicious powershell command line found)
          powershell.exe (loading BitLocker PowerShell module), conhost.exe
        cmd.exe
          XaoEUsj5.exe (drops C:\WYsOzmK\KnzZ6ruZ.exe, PE32), conhost.exe
        cmd.exe
          conhost.exe, schtasks.exe
      IzfSampC.exe
        drops C:\Users\user\AppData\Local\...\nircmd.exe (PE32+), C:\Users\user\AppData\Local\...\cecho.exe (PE32), C:\Users\user\AppData\Local\...\NSudoLG.exe (PE32+), 2 other malicious files
        cmd.exe (uses cmd line tools excessively to alter registry or file data)
          cmd.exe
            tasklist.exe, Conhost.exe
          20 other processes
      conhost.exe
  1G15d7.exe
    contacts steamcommunity.com 23.54.187.178:443 (AKAMAI-ASUS United States)
    antivirus detection for dropped file; detected unpacking (changes PE section rights); tries to detect sandboxes and other dynamic analysis tools (window names); 4 other signatures

Y37lBBTr.exe (second instance; binary is likely a compiled AutoIt script file)
  cmd.exe (suspicious powershell command line found)
    powershell.exe (loading BitLocker PowerShell module), conhost.exe
  KnzZ6ruZ.exe (contains functionality to start a terminal service)
  cmd.exe
    conhost.exe, XaoEUsj5.exe
  cmd.exe
    conhost.exe, schtasks.exe

svchost.exe (changes security center settings: notifications, updates, antivirus, firewall)

6 other processes
Verdict: inconclusive
YARA: 5 match(es)
Tags: CAB:COMPRESSION:LZX Executable PDB Path PE (Portable Executable) Win 32 Exe x86

Threat name: Win32.Spyware.Lummastealer
Status: Malicious
First seen: 2025-07-25 13:32:00 UTC
File Type: PE (Exe)
Extracted files: 147
AV detection: 24 of 36 (66.67%)
Threat level: 2/5

Result
Malware family:
Score: 10/10
Tags: family:amadey family:asyncrat family:deerstealer family:lumma family:salatstealer family:stealc family:xenorat family:xmrig botnet:default botnet:fbf543 botnet:pohuy botnet:system adware defense_evasion discovery execution miner persistence rat spyware stealer themida trojan upx
Behaviour
Checks processor information in registry
GoLang User-Agent
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies registry key
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Launches sc.exe
AutoIT Executable
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Power Settings
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Themida packer
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Sets service image path in registry
Stops running service(s)
Detectes NiceHashMiner Payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Amadey
Amadey family
AsyncRat
Asyncrat family
DeerStealer
Deerstealer family
Detect SalatStealer payload
Detect XenoRat Payload
Detects DeerStealer
Disables service(s)
Lumma Stealer, LummaC
Lumma family
Salatstealer family
Stealc
Stealc family
XenorRat
Xenorat family
Xmrig family
salatstealer
xmrig
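The signature and behaviour lists above (bypasses PowerShell execution policy, uses schtasks.exe, PUA NSudo execution, uses the nircmd tool, launches sc.exe, creates a process from a recently created file in %temp%) are the kind of findings a host-side detection can reproduce from process-creation telemetry. The following is an added example, not the sandbox vendor's logic and not abuse.ch code: a small rule set in Python run over constructed Sysmon-style process-creation events whose image names follow the process tree on this page. The PIDs, command lines, the simplified event fields and the NSudo switch syntax (-U:T, -P:E) are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events (Event ID 1, simplified).
# Image names follow the sandbox process tree on this page; PIDs and command
# lines are invented for the example.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Users\user\Desktop\nSHUHmko86.exe", "cmd": "nSHUHmko86.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Users\user\AppData\Local\Temp\2l1232.exe", "cmd": "2l1232.exe"},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c powershell -ExecutionPolicy Bypass -File C:\WYsOzmK\run.ps1"},
    {"pid": 103, "ppid": 102, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell -ExecutionPolicy Bypass -File C:\WYsOzmK\run.ps1"},
    {"pid": 104, "ppid": 101, "image": r"C:\WYsOzmK\Y37lBBTr.exe", "cmd": "Y37lBBTr.exe"},
    {"pid": 105, "ppid": 104, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r"schtasks /create /sc minute /mo 1 /tn Updater /tr C:\WYsOzmK\KnzZ6ruZ.exe"},
    {"pid": 106, "ppid": 101, "image": r"C:\Users\user\AppData\Local\Temp\nircmd.exe",
     "cmd": "nircmd.exe win hide process cmd.exe"},
    {"pid": 107, "ppid": 101, "image": r"C:\Users\user\AppData\Local\Temp\NSudoLG.exe",
     "cmd": "NSudoLG.exe -U:T -P:E -ShowWindowMode:Hide cmd.exe"},
    {"pid": 108, "ppid": 107, "image": r"C:\Windows\System32\sc.exe", "cmd": "sc config ExampleSvc start= disabled"},
    {"pid": 200, "ppid": 1,   "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c dir"},  # benign control
]


def image_is(e, *names):
    """Compare the image basename (case-insensitive) against candidate names."""
    return e["image"].lower().rsplit("\\", 1)[-1] in names


# (rule name, predicate). Each rule mirrors one of the sandbox signatures above.
RULES = [
    ("powershell_execution_policy_bypass",
     lambda e: re.search(r"powershell.*-e(?:xecutionpolicy|p)\s+bypass", e["cmd"], re.I) is not None),
    ("schtasks_create",
     lambda e: image_is(e, "schtasks.exe") and re.search(r"/create\b", e["cmd"], re.I) is not None),
    ("pua_nsudo",  # NSudo image names and -U:/-P: switches (assumption, see lead-in)
     lambda e: image_is(e, "nsudo.exe", "nsudolg.exe", "nsudolc.exe")
     or re.search(r"-U:[ST]\b|-P:E\b", e["cmd"]) is not None),
    ("nircmd_tool", lambda e: image_is(e, "nircmd.exe")),
    ("sc_service_tamper",
     lambda e: image_is(e, "sc.exe") and re.search(r"\b(?:stop|delete|config|create)\b", e["cmd"], re.I) is not None),
    ("exec_from_temp", lambda e: re.search(r"\\AppData\\Local\\Temp\\", e["image"], re.I) is not None),
]


def evaluate(events):
    """pid -> list of rule names that fired for that process (rule order kept)."""
    hits = {}
    for e in events:
        fired = [name for name, pred in RULES if pred(e)]
        if fired:
            hits[e["pid"]] = fired
    return hits


def ancestry(pid, events):
    """Process chain root -> pid by image basename, like the sandbox graph."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def score_roots(events):
    """Collapse hits onto the root of each process tree, so one dropper that
    spawns many helpers is scored once by the number of distinct behaviours."""
    by_pid = {e["pid"]: e for e in events}

    def root(pid):
        while by_pid[pid]["ppid"] in by_pid:
            pid = by_pid[pid]["ppid"]
        return pid

    scores = defaultdict(set)
    for pid, names in evaluate(events).items():
        scores[root(pid)].update(names)
    return {r: sorted(s) for r, s in scores.items()}


if __name__ == "__main__":
    for pid, names in evaluate(EVENTS).items():
        print(pid, names, " -> ".join(ancestry(pid, EVENTS)))
    print(score_roots(EVENTS))
```

Scoring per root process rather than per event is what keeps a dropper chain like the one above from producing a dozen disconnected alerts; the benign control process (pid 200) produces no score at all. On real telemetry the parent/child map comes from Sysmon's ProcessId/ParentProcessId (or ProcessGuid) fields, and the regexes should be checked against the exact CommandLine formatting your sensor emits.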
Malware Config
C2 Extraction:
https://delfxus.today/xjdz
https://stfota.xyz/toxz
https://mosaicia.top/zlap
https://jambnwz.top/gakh
https://ondcvxe.top/xkdz
https://keepnody.top/tiow
https://eartheea.life/itiz
https://glassma.live/alpz
https://sparklfm.xyz/xoit
https://boltex.net/xpao
https://molefkx.com/xalo
https://sponfht.com/xrie
https://runuxs.org/zpla
https://follcp.org/atnr
https://remotuw.org/xiza
https://detrewb.net/aqyw
https://berijng.net/otir
http://94.154.35.25
185.100.157.116
http://141.98.6.181
http://45.141.233.187
85.192.63.194:8848
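The indicators on this page come in three shapes: plain URLs, bare IPs, and ip:port sockets (the ThreatFox IOC 185.100.157.116:7930 and 85.192.63.194:8848). Matching them well means normalising each shape and deciding what a partial match (same IP, different port) is worth. The following is an added example and not abuse.ch or ThreatFox code: it indexes the ThreatFox IOC and a subset of the C2 extraction above and runs them over a handful of constructed proxy, firewall and DNS log lines. The key=value log format, the internal 10.0.0.x addresses and the one benign-looking line are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from this entry: the ThreatFox IOC plus a subset of the
# sandbox C2 extraction (the full list is in the Malware Config section).
C2_URLS = [
    "https://delfxus.today/xjdz", "https://stfota.xyz/toxz",
    "https://sparklfm.xyz/xoit", "https://boltex.net/xpao",
    "http://94.154.35.25", "http://141.98.6.181", "http://45.141.233.187",
]
C2_SOCKETS = ["185.100.157.116:7930", "85.192.63.194:8848"]
C2_IPS = ["185.100.157.116"]

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def build_index(urls=C2_URLS, sockets=C2_SOCKETS, ips=C2_IPS):
    """Normalise mixed indicators into lookup sets: domains, bare IPs,
    exact ip:port pairs, and IPs known only together with a port."""
    domains, bare_ips, socks, scoped_ips = set(), set(ips), set(sockets), set()
    for u in urls:
        host = (urlsplit(u).hostname or "").lower()
        (bare_ips if IPV4.match(host) else domains).add(host)
    for s in sockets:
        ip = s.rsplit(":", 1)[0]
        if ip not in bare_ips:
            scoped_ips.add(ip)
    return domains, bare_ips, socks, scoped_ips


def parse_line(line):
    """'<ts> <source> k=v k=v ...' -> dict (constructed log format, an assumption)."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields.update(_ts=ts, _source=source)
    return fields


def domain_hit(host, domains):
    """Exact or subdomain match against the indicator domains."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def match_line(line, index):
    """Return (confidence, reason) for a hit, or None."""
    domains, bare_ips, socks, scoped_ips = index
    f = parse_line(line)
    hosts = []
    if "dst" in f:
        if f["dst"] in socks:
            return "high", f"dst {f['dst']} is a listed C2 socket"
        hosts.append(f["dst"].rsplit(":", 1)[0])
    if "url" in f:
        hosts.append(urlsplit(f["url"]).hostname or "")
    if "query" in f:
        hosts.append(f["query"])
    for h in hosts:
        if h in bare_ips or domain_hit(h, domains):
            return "high", f"{h} is a listed C2 host"
        if h in scoped_ips:
            # Same server as a port-scoped indicator but a different port:
            # worth a look (shared infrastructure is common), not a confirmed hit.
            return "low", f"{h} is a C2 IP seen on a non-listed port"
    return None


def scan(lines, index=None):
    """Run every line through match_line and return (line_no, confidence, reason)."""
    index = index or build_index()
    out = []
    for i, line in enumerate(lines):
        m = match_line(line, index)
        if m:
            out.append((i, m[0], m[1]))
    return out


# Constructed log lines (not real telemetry); the 10.0.0.x hosts are invented.
LOGS = [
    "2025-07-26T18:20:01Z proxy src=10.0.0.12 dst=stfota.xyz:443 url=https://stfota.xyz/toxz method=POST",
    "2025-07-26T18:20:03Z fw src=10.0.0.12 dst=185.100.157.116:7930 proto=tcp action=allow",
    "2025-07-26T18:20:05Z proxy src=10.0.0.12 dst=steamcommunity.com:443 url=https://steamcommunity.com/ method=GET",
    "2025-07-26T18:20:07Z fw src=10.0.0.13 dst=85.192.63.194:8848 proto=tcp action=allow",
    "2025-07-26T18:20:09Z dns src=10.0.0.14 query=cdn.sparklfm.xyz type=A",
    "2025-07-26T18:20:11Z fw src=10.0.0.15 dst=85.192.63.194:443 proto=tcp action=allow",
]

if __name__ == "__main__":
    for idx, conf, why in scan(LOGS):
        print(f"line {idx}: [{conf}] {why}")
```

Two design points worth keeping when adapting this: a socket indicator is matched exactly, and its IP is only downgraded to a low-confidence match on other ports, so a single shared host does not flood the queue; and domain indicators match subdomains, which is why the DNS query for cdn.sparklfm.xyz is caught. The steamcommunity.com line deliberately stays quiet: it is not an indicator on this page even though the sandbox graph shows the dropper contacting it.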
Verdict:
Malicious
Tags:
stealer redline Win.Packed.Nanocore-9942160-0
YARA:
win_redline_wextract_hunting_oct_2023
Unpacked files
SHA256 hash: 99a80e2177e257e5ac1509453aaf175a748177861756d3bbe67df660148f9614
MD5 hash: 3f73eb2f938ec885ab9bc29226a23031
SHA1 hash: 35ebfb0e6a13a6f954d21c765add7a100c36f355

SHA256 hash: c36fdbd5daf90588a72228e55d4f3e64a21ced196697946e2918dd25fae0d3e3
MD5 hash: 6506a05e89238fb2653f7962863b0b78
SHA1 hash: 94eae16d485802e400fef557fc7b106b486b62a1

SHA256 hash: 0c609adda0092129a03719b0536a21a842ba0f21841bec03fae618f0114f5836
MD5 hash: 0e502ce41470c5a5095974169782e9ac
SHA1 hash: 73c17c5e57823b0ac1141dde1cf321e9af6b08ae
Detections: Amadey

SHA256 hash: 307655c5ed799085687c1ad1b67b64249023c6358d892d3615ed0c2b9f9ca983
MD5 hash: 86d17880192d72acb144c6c7174069c8
SHA1 hash: 5f57276fd017187164bf09a87569da58ed0d4716

SHA256 hash: dad3cc963392e1ed85b477e0e3ef8678a092f810893dc40db3bf0c5689458194
MD5 hash: 1872e19ab280be4057a42043529658e9
SHA1 hash: 64db69e0abd1707f5e457667270543e6d8a0b638

SHA256 hash: ac2df7d1f3e41b70f6f701797629272b3b580dceacf9670498e00a8c56a433c9
MD5 hash: 30fc198281dcc2186e476e222ff60cb2
SHA1 hash: a4f93588ecd253f7725caeeefb9515963da0941f
Detections: AutoIT_Compiled

SHA256 hash: 3c7959d26a0e983a65a0f0cb9501567ad6b7149f9052e649649d1f4f8390480a
MD5 hash: d6a28e90544f88191342edd75cd1732b
SHA1 hash: 25f16dc288f9f819b113f090227c32f36704c6d1

SHA256 hash: 3d9f7d881c3d2d619a502072aea8bfcc85616200f79d28101c4aec05b79f81ad
MD5 hash: 6f306c36423ffb6159e629c641dbda8d
SHA1 hash: ad4561048004841df11c87fec587be972eb10743

SHA256 hash: 84650e28d06640c00b558b1a80fac3dbb80e6f94b26bdaeee0eb80f1c58fb0f4
MD5 hash: b64e019681970678d241fd96e184a73a
SHA1 hash: f340dd298b3bc6e6c26fab53b2930b3db511c868
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: botnet_plaintext_c2
Author: cip
Description: Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name: detect_Redline_Stealer
Author: Varp0s

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: win_redline_wextract_hunting_oct_2023
Author: Matthew @ Embee_Research
Description: Detects wextract archives related to redline/amadey

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint, a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Reviews
ID | Capabilities | Evidence
AUTH_API | Manipulates User Authorization | ADVAPI32.dll::AllocateAndInitializeSid, ADVAPI32.dll::EqualSid, ADVAPI32.dll::FreeSid
SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AdjustTokenPrivileges, ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessA, ADVAPI32.dll::OpenProcessToken, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::GetDriveTypeA, KERNEL32.dll::GetVolumeInformationA, KERNEL32.dll::GetSystemInfo
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateDirectoryA, KERNEL32.dll::CreateFileA, KERNEL32.dll::DeleteFileA, KERNEL32.dll::GetWindowsDirectoryA, KERNEL32.dll::GetSystemDirectoryA, KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_API | Retrieves Account Information | ADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExA, ADVAPI32.dll::RegOpenKeyExA, ADVAPI32.dll::RegQueryInfoKeyA, ADVAPI32.dll::RegQueryValueExA, ADVAPI32.dll::RegSetValueExA
WIN_USER_API | Performs GUI Actions | USER32.dll::PeekMessageA
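Both BLint findings above are read straight out of the PE headers: Authenticode presence is the size field of the security data directory (IMAGE_DIRECTORY_ENTRY_SECURITY, slot 4), and HIGH_ENTROPY_VA is bit 0x0020 of DllCharacteristics in the optional header. The following is an added example, not BLint's code and not the sample on this page: a header parser in Python that reports those two properties, together with a constructed header-only PE used as test input (the builder, its fields and the 0x8140/0x8160 flag values are assumptions for the example). It also carries the caveat BLint does not: HIGH_ENTROPY_VA only has meaning for 64-bit (PE32+) images, so on a Win32 file like this one the flags worth checking are DYNAMIC_BASE and NX_COMPAT.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x4000: "GUARD_CF",
}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data-directory slot holding the Authenticode blob


def check_pe_hardening(data):
    """Parse the PE headers and report the two properties BLint flagged above:
    an Authenticode signature (non-empty security directory) and the
    DllCharacteristics hardening flags. Returns a dict of findings."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                             # skip signature + COFF file header
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    pe32plus = magic == 0x20B
    dllc, = struct.unpack_from("<H", data, opt + 70)    # same offset for PE32 and PE32+
    dirs = opt + (112 if pe32plus else 96)              # first IMAGE_DATA_DIRECTORY
    n_dirs, = struct.unpack_from("<I", data, dirs - 4)  # NumberOfRvaAndSizes
    signed = False
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        _, size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
        signed = size > 0   # a signature blob exists; it is NOT verified here
    flags = {name for bit, name in DLL_CHARACTERISTICS.items() if dllc & bit}
    # HIGH_ENTROPY_VA only applies to 64-bit images; for PE32 the flags that
    # matter are DYNAMIC_BASE (ASLR) and NX_COMPAT (DEP).
    expected = {"DYNAMIC_BASE", "NX_COMPAT"} | ({"HIGH_ENTROPY_VA"} if pe32plus else set())
    return {
        "pe32plus": pe32plus,
        "signed": signed,
        "flags": flags,
        "missing": sorted(expected - flags),
    }


def build_test_pe(dll_characteristics, cert_size=0, pe32plus=False):
    """Constructed input: a minimal header-only PE (not a real binary and not
    the sample on this page) with only the fields the checker reads set."""
    opt_size = 240 if pe32plus else 224
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)   # Magic
    struct.pack_into("<H", opt, 70, dll_characteristics)           # DllCharacteristics
    dirs = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dirs - 4, 16)                      # NumberOfRvaAndSizes
    if cert_size:
        # Security directory: file offset and size of the WIN_CERTIFICATE blob.
        struct.pack_into("<II", opt, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, cert_size)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Same shape as this entry: 32-bit, unsigned, DYNAMIC_BASE|NX_COMPAT set.
    print(check_pe_hardening(build_test_pe(0x8140)))
    # 64-bit build without HIGH_ENTROPY_VA: the flag BLint asked for.
    print(check_pe_hardening(build_test_pe(0x8140, pe32plus=True)))
    # 64-bit, all three flags set, carrying a signature blob.
    print(check_pe_hardening(build_test_pe(0x8160, cert_size=0x1234, pe32plus=True)))
```

For a real file, pass `open(path, "rb").read()` to `check_pe_hardening`. A non-zero security directory only says a WIN_CERTIFICATE blob is attached; whether it validates (chain, timestamp, hash of the image) has to be checked with signtool or osslsigncode, and malware does ship with invalid or stolen signatures.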

Comments