MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef2ed643a7de3a24498db1d85d6d9bfc217bda90f5c2948d9d3a317b2e155f67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LummaStealer


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef2ed643a7de3a24498db1d85d6d9bfc217bda90f5c2948d9d3a317b2e155f67
SHA3-384 hash: 28c761d63d7818d5594398a74631dedb3d78a7d32b7d8782785ca664d81ebf57c34df4c969341ec613df14443c4e800f
SHA1 hash: d90f373f2fb03831d6b6ec96028ebf42b62ee948
MD5 hash: b74027988f26bda55eb39efb38be15f6
humanhash: diet-wyoming-emma-video
File name:random.exe
Download: download sample
Signature LummaStealer
Create hunting rule
File size:961'024 bytes
First seen:2025-06-09 10:05:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 948cc502fe9226992dce9417f952fce3 (1'182 x CredentialFlusher, 446 x Formbook, 231 x AgentTesla)
ssdeep 24576:BqDEvCTbMWu7rQYlBQcBiT6rprG8aOky:BTvC/MTQYxsWR7aOk
Threatray 3 similar samples on MalwareBazaar
TLSH T175159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter abuse_ch
Tags:exe LummaStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
458
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-06-09 15:29:26 UTC
Tags:
auto-sch loader amadey botnet stealer themida rdp
Link:
https://app.any.run/tasks/d420a49d-1823-415e-95ae-c031b572e2c1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/8054/
Detection(s):
SecuriteInfo.com.Trojan.Generic.33203615.28472.17882.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6846b4298bd5d68a12e7094f
Tags:
vmdetect autorun autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Launching a process
Сreating synchronization primitives
Sending an HTTP GET request to an infection source
Creating a file
Creating a process from a recently created file
Searching for analyzing tools
Searching for the window
Searching for synchronization primitives
Connection attempt to an infection source
Enabling autorun by creating a file
Launching a file downloaded from the Internet
Sending an HTTP POST request to an infection source
Verdict:
Malicious
Labled as:
JS/Kryptik.CVO trojan
Link:
https://www.hybrid-analysis.com/sample/ef2ed643a7de3a24498db1d85d6d9bfc217bda90f5c2948d9d3a317b2e155f67
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/13f1a532-aa3a-4741-8123-735b991aa68f
Result
Threat name:
Amadey, HTMLPhisher, LummaC Stealer, RHA
Create hunting rule
Detection:
malicious
Classification:
phis.bank.troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1709508
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Creates HTA files
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Encrypted powershell cmdline option found
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Installs new ROOT certificates
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Registers a new ROOT certificate
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to download and execute files (via powershell)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected BlockedWebSite
Yara detected Costura Assembly Loader
Yara detected LummaC Stealer
Yara detected obfuscated html page
Yara detected PersistenceViaHiddenTask
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1709508 Sample: random.exe Startdate: 09/06/2025 Architecture: WINDOWS Score: 100 183 Found malware configuration 2->183 185 Malicious sample detected (through community Yara rule) 2->185 187 Antivirus detection for dropped file 2->187 189 30 other signatures 2->189 14 random.exe 1 2->14         started        18 mshta.exe 1 2->18         started        20 ramez.exe 2->20         started        22 4 other processes 2->22 process3 dnsIp4 157 C:\Users\user\AppData\Local\...\DOohXPj8x.hta, HTML 14->157 dropped 265 Binary is likely a compiled AutoIt script file 14->265 267 Found API chain indicative of sandbox detection 14->267 269 Creates HTA files 14->269 25 mshta.exe 1 14->25         started        28 cmd.exe 1 14->28         started        271 Suspicious powershell command line found 18->271 273 Tries to download and execute files (via powershell) 18->273 30 powershell.exe 14 16 18->30         started        275 Hides threads from debuggers 20->275 277 Tries to detect sandboxes / dynamic malware analysis system (registry check) 20->277 279 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 20->279 165 104.69.85.120 AKAMAI-ASN1EU United States 22->165 167 127.0.0.1 unknown unknown 22->167 32 cmd.exe 22->32         started        34 cmd.exe 22->34         started        36 cmd.exe 22->36         started        38 2 other processes 22->38 file5 signatures6 process7 signatures8 205 Suspicious powershell command line found 25->205 207 Tries to download and execute files (via powershell) 25->207 40 powershell.exe 15 19 25->40         started        209 Encrypted powershell cmdline option found 28->209 211 Bypasses PowerShell execution policy 28->211 213 Uses schtasks.exe or at.exe to add and modify task schedules 28->213 45 conhost.exe 28->45         started        47 schtasks.exe 1 28->47         started        49 TempGGYOVZHUYACEAXDMZ7UNIXAS62UVUQTX.EXE 30->49         started        51 conhost.exe 30->51         started        53 conhost.exe 32->53         started        55 WMIC.exe 32->55         started        59 2 other processes 34->59 57 WMIC.exe 36->57         started        process9 dnsIp10 169 185.156.72.2 ITDELUXE-ASRU Russian Federation 40->169 143 TempGGYOVZHUYACEAXDMZ7UNIXAS62UVUQTX.EXE, PE32 40->143 dropped 221 Suspicious powershell command line found 40->221 223 Registers a new ROOT certificate 40->223 225 Uses ipconfig to lookup or modify the Windows network settings 40->225 235 2 other signatures 40->235 61 TempGGYOVZHUYACEAXDMZ7UNIXAS62UVUQTX.EXE 4 40->61         started        65 conhost.exe 40->65         started        227 Contains functionality to start a terminal service 49->227 229 Hides threads from debuggers 49->229 231 Tries to detect sandboxes / dynamic malware analysis system (registry check) 49->231 233 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 49->233 file11 signatures12 process13 file14 155 C:\Users\user\AppData\Local\...\ramez.exe, PE32 61->155 dropped 257 Antivirus detection for dropped file 61->257 259 Multi AV Scanner detection for dropped file 61->259 261 Detected unpacking (changes PE section rights) 61->261 263 7 other signatures 61->263 67 ramez.exe 61->67         started        signatures15 process16 dnsIp17 159 185.156.72.96 ITDELUXE-ASRU Russian Federation 67->159 161 185.156.72.61 ITDELUXE-ASRU Russian Federation 67->161 163 2 other IPs or domains 67->163 131 C:\Users\user\AppData\Local\...\5pgxe9I.exe, PE32+ 67->131 dropped 133 C:\Users\user\AppData\Local\...\B7n6Vgu.exe, PE32+ 67->133 dropped 135 C:\Users\user\AppData\Local\...\CLtpweA.exe, PE32+ 67->135 dropped 137 39 other malicious files 67->137 dropped 195 Detected unpacking (changes PE section rights) 67->195 197 Contains functionality to start a terminal service 67->197 199 Creates HTML files with .exe extension (expired dropper behavior) 67->199 201 4 other signatures 67->201 72 rZBRvVk.exe 67->72         started        77 cmd.exe 67->77         started        79 B4HaM6C.exe 67->79         started        81 4 other processes 67->81 file18 signatures19 process20 dnsIp21 171 203.15.121.21 TPG-INTERNET-APTPGTelecomLimitedAU Australia 72->171 173 94.139.32.11 ENIX-ASFR Belgium 72->173 179 3 other IPs or domains 72->179 145 C:\Users\user\...\JDJUAIQ1JR8QQWSXAWU.exe, PE32+ 72->145 dropped 237 Antivirus detection for dropped file 72->237 239 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 72->239 241 Query firmware table information (likely to detect VMs) 72->241 255 8 other signatures 72->255 243 Suspicious powershell command line found 77->243 245 Encrypted powershell cmdline option found 77->245 83 powershell.exe 77->83         started        86 powershell.exe 77->86         started        102 4 other processes 77->102 175 172.86.105.63 PONYNETUS United States 79->175 147 C:\Users\user\AppData\...\rlkservice.exe, PE32+ 79->147 dropped 247 Multi AV Scanner detection for dropped file 79->247 89 cmd.exe 79->89         started        91 cmd.exe 79->91         started        93 cmd.exe 79->93         started        95 B4HaM6C.exe 79->95         started        177 91.92.46.53 TELECOMASET-ASBG Bulgaria 81->177 149 C:\Users\user\AppData\Roaming\...\Source.exe, PE32+ 81->149 dropped 151 C:\Users\user\AppData\Local\...\error.log, ASCII 81->151 dropped 153 C:\Users\user\AppData\Local\...\error.log, ASCII 81->153 dropped 249 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 81->249 251 Switches to a custom stack to bypass stack traces 81->251 253 Tries to detect sandboxes / dynamic malware analysis system (registry check) 81->253 98 conhost.exe 81->98         started        100 conhost.exe 81->100         started        file22 signatures23 process24 dnsIp25 191 Suspicious powershell command line found 83->191 104 powershell.exe 83->104         started        139 C:\Users\user\Documents\invite_341.ps1, Unicode 86->139 dropped 193 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 89->193 108 WMIC.exe 89->108         started        110 conhost.exe 89->110         started        112 conhost.exe 91->112         started        114 WMIC.exe 91->114         started        116 conhost.exe 93->116         started        118 WMIC.exe 93->118         started        181 88.119.165.169 IST-ASLT Lithuania 95->181 file26 signatures27 process28 file29 141 C:\Users\user\AppData\...\certificate.cer, PEM 104->141 dropped 215 Registers a new ROOT certificate 104->215 217 Loading BitLocker PowerShell Module 104->217 120 powershell.exe 104->120         started        123 certutil.exe 104->123         started        125 conhost.exe 104->125         started        127 ipconfig.exe 104->127         started        219 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 108->219 signatures30 process31 signatures32 203 Installs new ROOT certificates 120->203 129 conhost.exe 120->129         started        process33
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ef2ed643a7de3a24498db1d85d6d9bfc217bda90f5c2948d9d3a317b2e155f67
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ef2ed643a7de3a24498db1d85d6d9bfc217bda90f5c2948d9d3a317b2e155f67/
Threat name:
Win32.Trojan.PSLoader
Create hunting rule
Status:
Malicious
First seen:
2025-06-09 10:06:19 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=54xnmq5h3y5cismnwhmf23m37qqxxwuq6xbjjdm5hiyxwlqvl5tq._file
Verdict:
malicious
Label(s):
amadey
Create hunting rule
Similar samples:
059a0a5f8ab02faae85536a23a83f9224c4ec60055ec5a1067fa0a026f72a1b4
LummaStealer
befd8cd9a5915adc34a91c4ea4c8be5a09c1d04ba1acaf6b245a744c80cf9280
LummaStealer
ef2ed643a7de3a24498db1d85d6d9bfc217bda90f5c2948d9d3a317b2e155f67
LummaStealer
error
LummaStealer
Result
Malware family:
lumma
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:lumma botnet:8d33eb collection defense_evasion discovery execution persistence spyware stealer themida trojan
Link:
https://tria.ge/reports/250609-l4wadsyn13/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Gathers network information
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies registry key
Modifies system certificate store
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Launches sc.exe
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Network Share Discovery
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Reads WinSCP keys stored on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Unexpected DNS network traffic destination
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Manipulates Digital Signatures
Sets service image path in registry
Stops running service(s)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Lumma Stealer, LummaC
Lumma family
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://185.156.72.96
https://battlefled.top/gaoi
https://narrathfpt.top/tekq
https://escczlv.top/bufi
https://localixbiw.top/zlpa
https://korxddl.top/qidz
https://stochalyqp.xyz/alfp
https://diecam.top/laur/api
https://citellcagt.top/gjtu
https://peppinqikp.xyz/xaow
https://shootef.world/api
Dropper Extraction:
http://185.156.72.2/testmine/random.exe
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b9fee6b5-8120-4fc9-b3bd-0fe75ac5579b
Unpacked files
SH256 hash:
ef2ed643a7de3a24498db1d85d6d9bfc217bda90f5c2948d9d3a317b2e155f67
MD5 hash:
b74027988f26bda55eb39efb38be15f6
SHA1 hash:
d90f373f2fb03831d6b6ec96028ebf42b62ee948
Link:
https://www.unpac.me/results/72b0a9dc-b38f-48d5-936f-f84f21fb8d11/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ef2ed643a7de3a24498db1d85d6d9bfc217bda90f5c2948d9d3a317b2e155f67

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LummaStealer

Executable exe ef2ed643a7de3a24498db1d85d6d9bfc217bda90f5c2948d9d3a317b2e155f67

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/8054/
  
URLhaus
https://urlhaus.abuse.ch/url/3542097/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::CopySid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::GetLengthSid
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::GetAce
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
ole32.dll::CoCreateInstanceEx
ole32.dll::CoInitializeSecurity
ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_APICan Play MultimediaWINMM.dll::mciSendStringW
WINMM.dll::timeGetTime
WINMM.dll::waveOutSetVolume
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AddAce
ADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetAclInformation
ADVAPI32.dll::GetSecurityDescriptorDacl
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHFileOperationW
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::CreateProcessAsUserW
KERNEL32.dll::CreateProcessW
ADVAPI32.dll::CreateProcessWithLogonW
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::OpenThreadToken
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::SetSystemPowerState
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileExW
KERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
IPHLPAPI.DLL::IcmpCreateFile
KERNEL32.dll::CreateFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.dll::GetUserNameW
ADVAPI32.dll::LogonUserW
ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetAddConnection2W
MPR.dll::WNetUseConnectionW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegConnectRegistryW
ADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::BlockInput
USER32.dll::CloseDesktop
USER32.dll::CreateMenu
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::FindWindowW

Comments