MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc44a0e8161907e73f2e7f0ee5b264a8e2c78f5af3437c4cb25341661da8d813. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



PrivateLoader


Vendor detections: 16



SHA256 hash: fc44a0e8161907e73f2e7f0ee5b264a8e2c78f5af3437c4cb25341661da8d813
SHA3-384 hash: 8770132bbc6456220cf3850718156f235b29c06fd7320250385ace4a623c1bed5d7951b132c87e58663ae3bcfdf14742
SHA1 hash: 5d73bbd168fb9b1e43051340a415d95f28c40f4d
MD5 hash: 7ff8c26a36f5a4566990745dff1594f3
humanhash: carbon-xray-kentucky-red
File name: 7ff8c26a36f5a4566990745dff1594f3
Signature: PrivateLoader
File size: 1'843'424 bytes
First seen: 2024-05-24 09:27:08 UTC
Last seen: 2024-05-24 10:34:38 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 79856d4b034c49dc3dd3e403b25b6bbf (3 x AgentTesla, 2 x PrivateLoader)
ssdeep: 24576:jynjN3fi9dEoZR814OEQjls30eTFxmT4i8eMOq52eOXuq01dKqOF7:ujN3CdJ81nEQhs30eWuqsrOF7
Threatray: 53 similar samples on MalwareBazaar
TLSH: T13F85BF05A3F801E4E46BC634CA599733D2B1B44A1730E5CB0A5AD7922F73EE15BBF612
TrID 72.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
13.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.5% (.EXE) OS/2 Executable (generic) (2029/13)
2.5% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter: zbetcheckin
Tags: 64 exe PrivateLoader signed

Code Signing Certificate

Organisation: Microsoft Code Signing PCA 2011
Issuer: Microsoft Code Signing PCA 2011
Algorithm: sha256WithRSAEncryption
Valid from: 2024-05-23T17:17:17Z
Valid to: 2025-05-23T17:17:17Z
Serial number: d2294495b534277f8b0f619cbcd5aab8
Thumbprint algorithm: SHA256
Thumbprint: 756ab42eededd6ed3e697aff8b1de9449d59fd84b5244be1e57acb79f817c8cb
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform
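The "signed" tag above means only that an Authenticode signature blob is present in the file. The certificate block itself carries the warning signs: the subject organisation and the issuer are the same string, "Microsoft Code Signing PCA 2011", which is the name of a Microsoft intermediate CA and not something a leaf certificate would legitimately carry as its own subject, and the validity window opened the day before the sample was first seen. The Python below is an added example (not MalwareBazaar or ReversingLabs code) that scores signer metadata on exactly those signals. The list of impersonated CA name fragments, the seven-day "fresh certificate" window and the control record are this example's own assumptions; a clean score from these heuristics is not a chain validation, which still has to be done on the file itself (for instance `signtool verify /pa /v` or `Get-AuthenticodeSignature` inside an isolated analysis VM).

```python
from datetime import datetime, timezone

# Signer metadata exactly as the Code Signing Certificate block lists it,
# plus the sample's "First seen" timestamp.
SAMPLE_CERT = {
    "subject_org": "Microsoft Code Signing PCA 2011",
    "issuer": "Microsoft Code Signing PCA 2011",
    "valid_from": "2024-05-23T17:17:17Z",
    "valid_to": "2025-05-23T17:17:17Z",
    "serial": "d2294495b534277f8b0f619cbcd5aab8",
    "thumbprint_sha256": "756ab42eededd6ed3e697aff8b1de9449d59fd84b5244be1e57acb79f817c8cb",
}
FIRST_SEEN = "2024-05-24 09:27:08 UTC"

# Constructed control record (not a real certificate): a subject issued by a
# distinct CA and valid long before the sample appeared.
CONTROL_CERT = {
    "subject_org": "Example Software Ltd",
    "issuer": "Example Trusted Code Signing CA",
    "valid_from": "2023-01-10T00:00:00Z",
    "valid_to": "2026-01-10T00:00:00Z",
    "serial": "0123456789abcdef",
    "thumbprint_sha256": "00" * 32,
}

# CA name fragments that are routinely copied into self-issued certificates.
# This list is an assumption of the example, not data from the page.
IMPERSONATED_CA_NAMES = ("Microsoft Code Signing PCA", "Microsoft Windows", "DigiCert", "Sectigo", "GlobalSign")
NEW_CERT_WINDOW_DAYS = 7  # assumption: a cert younger than this at first sighting is suspicious


def _parse(ts: str) -> datetime:
    """Accept both timestamp styles the page uses: ISO 8601 'Z' and 'YYYY-MM-DD HH:MM:SS UTC'."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S UTC"):
        try:
            return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp {ts!r}")


def triage_signer(cert: dict, first_seen: str, known_good_thumbprints=frozenset()) -> dict:
    """Score signer metadata. 'untrusted' means at least one red flag fired; 'review'
    means none did, which is NOT a chain validation: run signtool verify /pa /v or
    Get-AuthenticodeSignature on the file for that."""
    findings = []
    self_issued = cert["subject_org"].strip().lower() == cert["issuer"].strip().lower()
    if self_issued:
        findings.append("self-issued: subject and issuer are identical, no public CA vouches for this key")
    if self_issued and any(n.lower() in cert["issuer"].lower() for n in IMPERSONATED_CA_NAMES):
        findings.append("issuer string copies a well-known CA name but the certificate is not issued by it")
    if cert["thumbprint_sha256"].lower() not in {t.lower() for t in known_good_thumbprints}:
        findings.append("SHA256 thumbprint is not on the allow-list of known-good signers")
    lead = _parse(first_seen) - _parse(cert["valid_from"])
    if lead.days < 0:
        findings.append("certificate was not yet valid when the sample was first seen")
    elif lead.days < NEW_CERT_WINDOW_DAYS:
        findings.append(f"certificate became valid only {lead.days} day(s) before the sample was first seen")
    if _parse(cert["valid_to"]) < _parse(first_seen):
        findings.append("certificate had already expired when the sample was first seen")
    return {
        "self_issued": self_issued,
        "days_valid_before_first_seen": lead.days,
        "findings": findings,
        "trust": "untrusted" if findings else "review",
    }


if __name__ == "__main__":
    allow = {CONTROL_CERT["thumbprint_sha256"]}
    for name, cert in (("sample", SAMPLE_CERT), ("control", CONTROL_CERT)):
        report = triage_signer(cert, FIRST_SEEN, known_good_thumbprints=allow)
        print(name, report["trust"], *report["findings"], sep="\n  ")
```

For this sample the function reports four findings (self-issued, impersonated CA name, unknown thumbprint, certificate created less than a day before first sighting) and the constructed control record reports none. The allow-list is passed in rather than hard-coded because the thumbprints that count as known-good are an organisational decision, not a property of the file.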

Intelligence


File Origin
# of uploads: 2
# of downloads: 452
Origin country: FR
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: fc44a0e8161907e73f2e7f0ee5b264a8e2c78f5af3437c4cb25341661da8d813.exe
Verdict: Malicious activity
Analysis date: 2024-05-24 09:27:30 UTC
Tags: opendir evasion loader berbew privateloader adware neoreklami

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: Encryption Execution Network Static
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a process with a hidden window
Creating a file
Launching a process
Creating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Creating a process from a recently created file
Searching for synchronization primitives
Creating a window
Creating a file in the %temp% directory
Sending a UDP request
Sending an HTTP GET request
Searching for analyzing tools
Moving a file to the %temp% directory
Running batch commands
Modifying a system file
Using the Windows Management Instrumentation requests
Replacing files
Launching a service
Reading critical registry keys
Launching cmd.exe command interpreter
Moving a recently created file
Connection attempt to an infection source
Blocking the Windows Defender launch
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: evasive fingerprint hacktool lolbin overlay packed regedit shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Neoreklami, PureLog Stealer, SmokeLoader
Detection: malicious
Classification: rans.troj.adwa.spyw.expl.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Drops script or batch files to the startup folder
Exclude list of file types from scheduled, custom, and real-time scanning
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies Group Policy settings
Modifies Windows Defender protection settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Neoreklami
Yara detected PureLog Stealer
Yara detected SmokeLoader
Yara detected UAC Bypass using CMSTP
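Several of the signatures above describe command lines that are straightforward to catch in process-creation telemetry: "Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet", "Adds extensions / path to Windows Defender exclusion list (Registry)", "Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder" and "Yara detected UAC Bypass using CMSTP". The Python below is an added example, not part of any of the sandbox reports on this page, that decodes PowerShell -EncodedCommand payloads and applies those four checks to a handful of events. The event shape (an assumption modelled on Sysmon Event ID 1 / EDR process-creation records), the process names and every command line are constructed for the example and are not taken from this sample's execution trace.

```python
import base64
import binascii
import re


def encode_ps(command: str) -> str:
    """powershell.exe -EncodedCommand expects base64 over the UTF-16LE script text."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


# Constructed process-creation events (assumption: Sysmon Event ID 1 / EDR shape).
# None of these command lines come from this sample's trace.
SAMPLE_EVENTS = [
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + encode_ps("Add-MpPreference -ExclusionPath 'C:\\Users\\user\\AppData\\Roaming'")},
    {"parent": "cmd.exe", "image": "reg.exe",
     "cmdline": 'reg.exe add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" '
                "/v DisableAntiSpyware /t REG_DWORD /d 1 /f"},
    {"parent": "Install.exe", "image": "schtasks.exe",
     "cmdline": 'schtasks.exe /create /f /tn "Updater" '
                '/tr "C:\\Users\\user\\AppData\\Local\\Temp\\upd.exe" /sc onlogon /rl highest'},
    {"parent": "cmd.exe", "image": "cmstp.exe",
     "cmdline": "cmstp.exe /au C:\\Users\\user\\AppData\\Local\\Temp\\setup.inf"},
    {"parent": "svchost.exe", "image": "WerFault.exe",  # benign control event
     "cmdline": "WerFault.exe -u -p 4120 -s 532"},
]

ENCODED_FLAG = re.compile(r"-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.I)
DEFENDER_CMDLET = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.I)
DEFENDER_TAMPER_PARAM = re.compile(
    r"-(?:Exclusion(?:Path|Extension|Process)"
    r"|Disable(?:RealtimeMonitoring|IOAVProtection|BehaviorMonitoring))\b", re.I)
DEFENDER_REG_KEY = re.compile(r'\\Windows Defender(?:\\|")', re.I)
DEFENDER_REG_VALUE = re.compile(r"DisableAntiSpyware|DisableRealtimeMonitoring|\\Exclusions\\", re.I)
TASK_ACTION = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)


def decode_encoded_command(cmdline: str):
    """Return the script hidden behind -EncodedCommand, or None.

    powershell.exe accepts any unambiguous prefix of the switch (-e, -en, -enc, ...)
    and -ec, so match on the prefix rather than on the full switch name."""
    for flag, blob in ENCODED_FLAG.findall(cmdline):
        f = flag.lower()
        if not (f == "ec" or "encodedcommand".startswith(f)):
            continue
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16le")
        except (binascii.Error, UnicodeDecodeError):
            continue
    return None


def triage_event(ev: dict) -> list:
    """Apply the four checks to one event; returns a (possibly empty) list of hits."""
    image, cmd = ev["image"].lower(), ev["cmdline"]
    decoded = decode_encoded_command(cmd) if image in ("powershell.exe", "pwsh.exe") else None
    script = decoded if decoded is not None else cmd
    hits = []

    def hit(rule, evidence):
        hits.append({"rule": rule, "parent": ev["parent"], "image": ev["image"], "evidence": evidence})

    # 1. Defender exclusions or real-time protection changed through Add-/Set-MpPreference
    if DEFENDER_CMDLET.search(script) and DEFENDER_TAMPER_PARAM.search(script):
        hit("defender_tamper_cmdlet" + ("_encoded" if decoded else ""), script)
    # 2. The same tampering written straight into the policy keys with reg.exe
    if image == "reg.exe" and DEFENDER_REG_KEY.search(cmd) and DEFENDER_REG_VALUE.search(cmd):
        hit("defender_tamper_registry", cmd)
    # 3. Scheduled task whose action lives in a Temp folder
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        m = TASK_ACTION.search(cmd)
        action = (m.group(1) or m.group(2)) if m else ""
        if "\\temp\\" in action.lower():
            hit("schtask_from_temp", action)
    # 4. CMSTP fed an attacker-controlled INF (auto-elevating UAC bypass)
    if image == "cmstp.exe" and re.search(r"\s/(?:au|s)\b", cmd, re.I) and ".inf" in cmd.lower():
        hit("cmstp_inf_uac_bypass", cmd)
    return hits


def triage(events) -> list:
    return [h for ev in events for h in triage_event(ev)]


if __name__ == "__main__":
    for h in triage(SAMPLE_EVENTS):
        print(f"[{h['rule']}] {h['parent']} -> {h['image']}: {h['evidence']}")
```

Decoding before matching is the point of the first check: a rule that only greps the raw command line for "MpPreference" never sees the cmdlet once it is wrapped in -EncodedCommand, which is exactly why the sandbox carries a dedicated "Base64 Encoded MpPreference Cmdlet" Sigma rule.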
Behaviour
Behavior Graph:
Behavior Graph ID: 1447097
Sample: lgX7lgUL1w.exe
Start date: 24/05/2024
Architecture: WINDOWS
Score: 100

Top-level signatures:
  Multi AV Scanner detection for domain / URL
  Found malware configuration
  Malicious sample detected (through community Yara rule)
  17 other signatures

Process tree (indentation = parent/child; "(injected)" marks a process the sample injected into):

lgX7lgUL1w.exe
  dropped: C:\Users\user\lgX7lgUL1w.exe (PE32+)
  signatures: Drops PE files to the user root directory; Writes to foreign memory regions; Allocates memory in foreign processes; 3 other signatures
  AddInProcess32.exe
    network: 5.42.66.47 (RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation); 104.192.108.17 (QIHOOBeijingQihuTechnologyCompanyLimitedCN, United States); 10 other IPs or domains
    dropped: C:\Users\...\z7qYuSNnmN1T20mVDPQyJKNf.exe (MS-DOS); C:\Users\...\xJOdjN6fVDYC0Ta4cXD9JBiF.exe (PE32); C:\Users\...\xHjBfoMXM1Bms4i9lirVpf5B.exe (PE32); 120 other malicious files
    signatures: Drops script or batch files to the startup folder; Creates HTML files with .exe extension (expired dropper behavior); Writes many files with high entropy
    c12YwoiQ34lE0LgBRkxJOClX.exe
      network: 176.111.174.109 (WILWAWPL, Russian Federation); 87.240.132.78 (VKONTAKTE-SPB-AShttpvkcomRU, Russian Federation); 17 other IPs or domains
      dropped: C:\Users\...\xCrl2X_yjihZJLjlfNXcaGsm.exe (PE32); C:\Users\...\wPxPcov2_iRQt91bGzfyQLn0.exe (PE32); C:\Users\...\sCKRGnz9ufcbydLPdvMHEgfk.exe (PE32); 26 other malicious files
      signatures: Query firmware table information (likely to detect VMs); Drops PE files to the document folder of the user; Tries to detect sandboxes and other dynamic analysis tools (window names); 11 other signatures
    iYU7jmLL0jPLxgjctxjq1ReZ.exe
      dropped: C:\Users\user\AppData\Local\...\notepad.exe (PE32+); 4 other malicious files
      Install.exe
        signatures: Multi AV Scanner detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules; Modifies Windows Defender protection settings
        cmd.exe
          signatures: Suspicious powershell command line found; Uses cmd line tools excessively to alter registry or file data; Modifies Windows Defender protection settings
          forfiles.exe
            signatures: Modifies Windows Defender protection settings
            cmd.exe
              signatures: Uses cmd line tools excessively to alter registry or file data
              reg.exe
          forfiles.exe
            cmd.exe
              reg.exe
          forfiles.exe
            cmd.exe
              reg.exe
          3 other processes
            cmd.exe
              reg.exe
            cmd.exe
              signatures: Suspicious powershell command line found
              powershell.exe
        forfiles.exe
          cmd.exe
            signatures: Suspicious powershell command line found
            powershell.exe
              WMIC.exe
          conhost.exe
        schtasks.exe
          conhost.exe
    PZ3hKWPffUrXuh6Gjn77Ivv1.exe
      signatures: Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); 3 other signatures
      explorer.exe (injected)
        network: 190.224.203.37 (TelecomArgentinaSAAR, Argentina); 66.85.156.89 (SSASN2US, United States); 2 other IPs or domains
        dropped: C:\Users\user\AppData\Roaming\hvfsedh (PE32); C:\Users\user\AppData\Local\Temp\FFE8.exe (PE32); C:\Users\user\AppData\Local\TempD0F.exe (PE32)
        signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Hides that the sample has been downloaded from the Internet (zone.identifier)
    2 other processes
      network: 108.156.60.116 (AMAZON-02US, United States); 108.156.60.18 (AMAZON-02US, United States); 10 other IPs or domains
      dropped: C:\Users\user\Pictures\360TS_Setup.exe.P2P (PE32); C:\Users\user\...\360TS_Setup.exe (copy) (PE32); C:\Users\user\AppData\Local\...\360P2SP.dll (PE32)
      signatures: Writes many files with high entropy
      WerFault.exe
        network: 13.89.179.12 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
  powershell.exe
    signatures: Loading BitLocker PowerShell Module
    conhost.exe
  conhost.exe
svchost.exe
  signatures: Tries to delay execution (extensive OutputDebugStringW loop)
svchost.exe
  signatures: Query firmware table information (likely to detect VMs)
11 other processes
  network: 20.101.57.9 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 20.190.159.4 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 4 other IPs or domains
  signatures: Changes security center settings (notifications, updates, antivirus, firewall)
  WerFault.exe
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2024-05-24 09:28:08 UTC
File type: PE+ (Exe)
Extracted files: 1
AV detection: 6 of 38 (15.79%)
Threat level: 2/5
Result
Malware family: privateloader
Score: 10/10
Tags: family:privateloader adware bootkit discovery evasion execution loader persistence spyware stealer themida trojan
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks for any installed AV software in registry
Checks installed software on the system
Checks whether UAC is enabled
Drops Chrome extension
Enumerates connected drives
Installs/modifies Browser Helper Object
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Maps connected drives based on registry
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
Reads user/profile data of web browsers
Registers COM server for autorun
Themida packer
Unexpected DNS network traffic destination
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Installed Components in the registry
Sets service image path in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies firewall policy service
PrivateLoader
Windows security bypass
Unpacked files
SHA256 hash: fc44a0e8161907e73f2e7f0ee5b264a8e2c78f5af3437c4cb25341661da8d813
MD5 hash: 7ff8c26a36f5a4566990745dff1594f3
SHA1 hash: 5d73bbd168fb9b1e43051340a415d95f28c40f4d
Detections: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__MemoryWorkingSet
Author: Fernando Mercês
Description: Anti-debug process memory working set size check
Reference: http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft SmartScreen

Rule name: INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Author: ditekSHen
Description: Detects executables (downloaders) containing URLs to raw contents of a paste

Rule name: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD
Author: ditekSHen
Description: Detects Windows executables bypassing UAC using the CMSTP utility, command line and INF

Rule name: MSIL_TinyDownloader_Generic
Author: albertzsigovits
Description: Detects small-sized dotNET downloaders

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: pe_imphash

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PrivateLoader

Executable exe fc44a0e8161907e73f2e7f0ee5b264a8e2c78f5af3437c4cb25341661da8d813 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID | Title | Severity
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF) | high
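BLint's finding is a single bit in the PE optional header: IMAGE_DLLCHARACTERISTICS_GUARD_CF (0x4000) is clear, so the image was linked without Control Flow Guard. The Python below is an added example (not BLint's code) that walks the DOS header, PE signature and COFF header to the DllCharacteristics word and reports which of the common mitigations are absent. The header-only image it builds for testing is constructed for the example and is not this sample; feeding parse_dll_characteristics the real file, read as bytes inside an isolated analysis VM, reproduces the GUARD_CF finding above.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flag bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
# Mitigations a linter expects on a modern user-mode binary (assumption of this example).
EXPECTED = ("DYNAMIC_BASE", "NX_COMPAT", "GUARD_CF", "HIGH_ENTROPY_VA")


def parse_dll_characteristics(data: bytes) -> dict:
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> optional header.
    Returns the architecture, the raw DllCharacteristics word, the flags it sets
    and the expected mitigations it lacks."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # COFF file header is 20 bytes
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    # DllCharacteristics sits at optional-header offset 70 for both PE32 and PE32+.
    (dllchars,) = struct.unpack_from("<H", data, opt + 70)
    flags = [name for bit, name in DLL_CHARACTERISTICS.items() if dllchars & bit]
    missing = [name for name in EXPECTED if name not in flags]
    if magic == 0x10B:  # HIGH_ENTROPY_VA only means something for 64-bit images
        missing = [m for m in missing if m != "HIGH_ENTROPY_VA"]
    return {
        "arch": "PE32+" if magic == 0x20B else "PE32",
        "machine": machine,
        "dll_characteristics": dllchars,
        "flags": flags,
        "missing": missing,
    }


def build_minimal_pe(dllchars: int, pe32plus: bool = True) -> bytes:
    """Constructed header-only image for offline testing: no sections, no code."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header directly after the DOS header
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dllchars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # A typical /DYNAMICBASE /NXCOMPAT /HIGHENTROPYVA build linked without /guard:cf.
    print(parse_dll_characteristics(build_minimal_pe(0x8160)))
```

The check deliberately reads the raw word instead of trusting a tool's summary: GUARD_CF set in the header is only the first half of CFG anyway (the load-config directory must also carry the function table), so a binary that passes this test still warrants a look at IMAGE_LOAD_CONFIG_DIRECTORY before it is called CFG-protected.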
Reviews
ID | Capabilities | Evidence
AUTH_API | Manipulates User Authorization | ADVAPI32.dll::RevertToSelf
SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AdjustTokenPrivileges, ADVAPI32.dll::CheckTokenMembership, ADVAPI32.dll::DuplicateTokenEx, ADVAPI32.dll::GetTokenInformation, ADVAPI32.dll::ImpersonateLoggedOnUser
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessA, KERNEL32.dll::CreateProcessW, ADVAPI32.dll::OpenProcessToken, KERNEL32.dll::OpenProcess, ADVAPI32.dll::OpenThreadToken, KERNEL32.dll::VirtualAllocEx, KERNEL32.dll::VirtualAllocExNuma
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::AllocConsole, KERNEL32.dll::WriteConsoleW, KERNEL32.dll::FreeConsole, KERNEL32.dll::GetConsoleOutputCP, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleWindow
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileExW, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::GetSystemDirectoryW
WIN_BASE_USER_API | Retrieves Account Information | ADVAPI32.dll::LookupPrivilegeValueW
WIN_BCRYPT_API | Can Encrypt Files | bcrypt.dll::BCryptDecrypt, bcrypt.dll::BCryptDestroyKey, bcrypt.dll::BCryptEncrypt, bcrypt.dll::BCryptGenRandom, bcrypt.dll::BCryptImportKey, bcrypt.dll::BCryptOpenAlgorithmProvider
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegOpenKeyExW, ADVAPI32.dll::RegQueryValueExW, ADVAPI32.dll::RegSetValueExW, ADVAPI32.dll::RegSetValueExA

Comments



zbet commented on 2024-05-24 09:27:09 UTC

url : hxxp://5.42.66.47/files/time2time.exe