Windows Analysis Report
r2iL9TLvO3.dll

Overview

General Information

Sample name: r2iL9TLvO3.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original sample name: 9645a12079edffd20560d4631160a6052ae5728d6f73b7366588166ad281c534.exe
Analysis ID: 1469006
MD5: d46476f7f27be8ef618b7646a46f5e66
SHA1: 8219d1ead31d16f6380941827bf96a488453d5c0
SHA256: 9645a12079edffd20560d4631160a6052ae5728d6f73b7366588166ad281c534
Tags: exe, Latrodectus

Detection

Latrodectus
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Latrodectus
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Sample uses string decryption to hide its real strings
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to query network adapter information
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • loaddll64.exe (PID: 7480 cmdline: loaddll64.exe "C:\Users\user\Desktop\r2iL9TLvO3.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 7488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7528 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\r2iL9TLvO3.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 7556 cmdline: rundll32.exe "C:\Users\user\Desktop\r2iL9TLvO3.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7540 cmdline: rundll32.exe C:\Users\user\Desktop\r2iL9TLvO3.dll,extra MD5: EF3179D498793BF4234F708D3BE28633)
      • rundll32.exe (PID: 7620 cmdline: rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll", extra MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7728 cmdline: rundll32.exe C:\Users\user\Desktop\r2iL9TLvO3.dll,follower MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 7764 cmdline: rundll32.exe C:\Users\user\Desktop\r2iL9TLvO3.dll,run MD5: EF3179D498793BF4234F708D3BE28633)
  • rundll32.exe (PID: 7640 cmdline: rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll", extra MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
Name: Unidentified 111 (Latrodectus), Latrodectus
Description: First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4 encrypted requests. The malware has the capability to execute discovery commands, query information about the victim's machine, update itself, as well as download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of IcedID (aka BokBot) Malware.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_111
{"C2 url": ["https://winarkamaps.com/live/", "https://stratimasesstr.com/live/"], "Group Name": "Facial", "Campaign ID": 3828029093}
Source | Rule | Description | Author | Strings
r2iL9TLvO3.dll | JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security |

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll | JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security |

Source | Rule | Description | Author | Strings
00000003.00000002.1295006377.00007FFB1E861000.00000020.00000001.01000000.00000000.sdmp | JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security |
00000003.00000003.1294422202.000001ED7A460000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security |
00000006.00000002.2559163401.00007FFB1C811000.00000020.00000001.01000000.00000005.sdmp | JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security |
00000006.00000002.2556577168.00000081943F8000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security |
Process Memory Space: rundll32.exe PID: 7620 | JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security |

Source | Rule | Description | Author | Strings
6.2.rundll32.exe.7ffb1c810000.0.unpack | JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security |
3.3.rundll32.exe.1ed7a460000.0.raw.unpack | JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security |
3.2.rundll32.exe.7ffb1e860000.0.unpack | JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security |
3.3.rundll32.exe.1ed7a460000.0.unpack | JoeSecurity_Latrodectus | Yara detected Latrodectus | Joe Security |

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: r2iL9TLvO3.dll | Avira: detected
Source: https://winarkamaps.com/q | Avira URL Cloud: Label: malware
Source: https://winarkamaps.com/live/comp | Avira URL Cloud: Label: phishing
Source: https://stratimasesstr.com/F | Avira URL Cloud: Label: malware
Source: https://winarkamaps.com/live/ | Avira URL Cloud: Label: malware
Source: https://winarkamaps.com/live/al | Avira URL Cloud: Label: malware
Source: https://stratimasesstr.com/live/l | Avira URL Cloud: Label: phishing
Source: https://winarkamaps.com/% | Avira URL Cloud: Label: malware
Source: https://stratimasesstr.com/ | Avira URL Cloud: Label: malware
Source: https://winarkamaps.com/m/= | Avira URL Cloud: Label: malware
Source: https://stratimasesstr.com/live/$ | Avira URL Cloud: Label: phishing
Source: https://stratimasesstr.com/live/ | Avira URL Cloud: Label: malware
Source: https://winarkamaps.com/ | Avira URL Cloud: Label: malware
Source: https://winarkamaps.com/live/F | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll | Avira: detection malicious, Label: TR/Agent.dxjic
Source: r2iL9TLvO3.dll | Malware Configuration Extractor: Latrodectus {"C2 url": ["https://winarkamaps.com/live/", "https://stratimasesstr.com/live/"], "Group Name": "Facial", "Campaign ID": 3828029093}
Source: winarkamaps.com | Virustotal: Detection: 20%
Source: stratimasesstr.com | Virustotal: Detection: 17%
Source: https://winarkamaps.com/live/ | Virustotal: Detection: 18%
Source: https://stratimasesstr.com/ | Virustotal: Detection: 17%
Source: https://winarkamaps.com/live/F | Virustotal: Detection: 17%
Source: https://winarkamaps.com/ | Virustotal: Detection: 20%
Source: https://stratimasesstr.com/live/ | Virustotal: Detection: 15%
Source: C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll | ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Roaming\Custom_update\Update_8c0cffeb.dll | Virustotal: Detection: 79%
Source: r2iL9TLvO3.dll | Virustotal: Detection: 79%
Source: r2iL9TLvO3.dll | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.2% probability
String decryptor output (Source: r2iL9TLvO3.dll):
  • /c ipconfig /all
  • C:\Windows\System32\cmd.exe
  • /c systeminfo
  • C:\Windows\System32\cmd.exe
  • /c nltest /domain_trusts
  • C:\Windows\System32\cmd.exe
  • /c net view /all /domain
  • /c nltest /domain_trusts /all_trusts
  • C:\Windows\System32\cmd.exe
  • C:\Windows\System32\cmd.exe
  • /c net view /all
  • C:\Windows\System32\cmd.exe
  • &ipconfig=
  • /c net group "Domain Admins" /domain
  • C:\Windows\System32\cmd.exe
  • /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
  • C:\Windows\System32\wbem\wmic.exe
  • /c net config workstation
  • C:\Windows\System32\cmd.exe
  • /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName | findstr /V /B /C:displayName || echo No Antivirus installed
  • C:\Windows\System32\cmd.exe
  • /c whoami /groups
  • C:\Windows\System32\cmd.exe
  • &systeminfo=
  • &domain_trusts=
  • &domain_trusts_all=
  • &net_view_all_domain=
  • &net_view_all=
  • &net_group=
  • &wmic=
  • &net_config_ws=
  • &net_wmic_av=
  • &whoami_group=
  • "pid":
  • "%d",
  • "proc":
  • "%s",
  • "subproc": [
  • &proclist=[
  • "pid":
  • "%d",
  • "proc":
  • "%s",
  • "subproc": [
  • &desklinks=[
  • *.*
  • "%s"
  • Update_%x
  • Custom_update
  • .dll
  • .exe
  • Updater
  • "%s"
  • rundll32.exe
  • "%s", %s %s
  • runnung
  • :wtfbbq
  • %d
  • %s%s
  • files/bp.dat
  • %s\%d.dll
  • %d.dat
  • %s\%s
  • init -zzzz="%s\%s"
  • front
  • /files/
  • Facial
  • .exe
  • Content-Type: application/x-www-form-urlencoded
  • POST
  • GET
  • curl/7.88.1
  • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
  • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
  • CLEARURL
  • URLS
  • COMMAND
  • ERROR
  • eNIHaXC815vAqddR21qsuD35eJFL7CnSOLI9vUBdcb5RPcS0h6
  • counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
  • counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
  • counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
  • C:\WINDOWS\SYSTEM32\rundll32.exe %s,%s
  • C:\WINDOWS\SYSTEM32\rundll32.exe %s
  • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
  • <html>
  • <!DOCTYPE
  • %s%d.dll
  • 12345
  • &stiller=
  • %s%d.exe
  • LogonTrigger
  • %x%x
  • TimeTrigger
  • PT1H%02dM
  • %04d-%02d-%02dT%02d:%02d:%02d
  • &mac=
  • %02x
  • :%02x
  • PT0S
  • &computername=%s
  • &domain=%s
  • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
  • \*.dll
  • %04X%04X%04X%04X%08X%04X
  • %04X%04X%04X%04X%08X%04X
  • \Registry\Machine\
  • https://winarkamaps.com/live/
  • https://stratimasesstr.com/live/
  • AppData
  • Desktop
  • Startup
  • Personal
  • Local AppData
  • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • \update_data.dat
  • URLS
  • URLS|%d|%s
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.7:49708 version: TLS 1.2
Source: r2iL9TLvO3.dll | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_00007FFB1E86A350 FindFirstFileW,FindNextFileW,LoadLibraryW
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_00007FFB1E861A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00007FFB1C81A350 FindFirstFileW,FindNextFileW,LoadLibraryW
Source: C:\Windows\System32\rundll32.exe | Code function: 6_2_00007FFB1C811A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose

Networking