
Analysis Report PO.exe

Overview

General Information

Sample Name: PO.exe
MD5: 12fb37f122adb02ce6d17aeb436111f9
SHA1: 2e0a8d604227d8c24b1bdebb53d321c40a9fc4a2
SHA256: 4305e40a0eb2ed4133ad2b881d34f7cb4e31da8d3ccbc705968b6c6f79329d0c

Detection

FormBook
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • PO.exe (PID: 5268 cmdline: 'C:\Users\user\Desktop\PO.exe' MD5: 12FB37F122ADB02CE6D17AEB436111F9)
    • conhost.exe (PID: 3980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • explorer.exe (PID: 2928 cmdline: MD5: E4A81EDDFF8B844D85C8B45354E4144E)
      • netsh.exe (PID: 3956 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • cmd.exe (PID: 3928 cmdline: /c del 'C:\Users\user\Desktop\PO.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 4028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings

00000000.00000002.962678448.0000000000C70000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

00000000.00000002.962678448.0000000000C70000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18429:$sqlite3step: 68 34 1C 7B E1
  • 0x1853c:$sqlite3step: 68 34 1C 7B E1
  • 0x18458:$sqlite3text: 68 38 2A 90 C5
  • 0x1857d:$sqlite3text: 68 38 2A 90 C5
  • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18593:$sqlite3blob: 68 53 D8 7F 8C

00000000.00000002.962678448.0000000000C70000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x157a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15291:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x158a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa69a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1450c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb393:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

00000000.00000002.962350898.0000000000B40000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

00000000.00000002.962350898.0000000000B40000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18429:$sqlite3step: 68 34 1C 7B E1
  • 0x1853c:$sqlite3step: 68 34 1C 7B E1
  • 0x18458:$sqlite3text: 68 38 2A 90 C5
  • 0x1857d:$sqlite3text: 68 38 2A 90 C5
  • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18593:$sqlite3blob: 68 53 D8 7F 8C

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: PO.exe | Virustotal: Detection: 23%
Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.962678448.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.962350898.0000000000B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.962565327.0000000000B9A000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: PO.exe | Joe Sandbox ML: detected

Source: unknown | DNS traffic detected: query: www.centerforaunts.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.wheelchairmotion.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: queries for: www.wheelchairmotion.com
Source: explorer.exe, 00000008.00000000.944099659.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000008.00000002.1196988740.0000000000CF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000008.00000000.944099659.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000008.00000000.944099659.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000008.00000000.944099659.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000008.00000000.944099659.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000008.00000000.944099659.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000008.00000000.944099659.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000008.00000000.944099659.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000008.00000000.944099659.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000008.00000000.944099659.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000008.00000000.944099659.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000008.00000000.944099659.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000008.00000000.944099659.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000008.00000000.944099659.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000008.00000000.944099659.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.962678448.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.962350898.0000000000B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.962565327.0000000000B9A000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.962678448.0000000000C70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.962678448.0000000000C70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.962350898.0000000000B40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.962350898.0000000000B40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.962565327.0000000000B9A000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.962565327.0000000000B9A000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: C:\Users\user\Desktop\PO.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9A2D0 NtClose, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9A240 NtReadFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9A3E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9A360 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9A6A0 NtCreateSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9A610 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9A750 NtCreateFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9A700 NtProtectVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9A720 NtResumeThread, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9A480 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9A4A0 NtUnmapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9A410 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9A5F0 NtReadVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9A540 NtDelayExecution, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9A560 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9A2F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9A260 NtWriteFile
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9A220 NtWaitForSingleObject
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9BA30 NtSetContextThread
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9A3D0 NtCreateKey
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9A350 NtQueryValueKey
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9A370 NtQueryInformationProcess
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9A310 NtEnumerateValueKey
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9B0B0 NtGetContextThread
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9A800 NtSetValueKey
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9A6D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9A650 NtQueueApcThread
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9A780 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9A710 NtQuerySection
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9ACE0 NtCreateMutant
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9A460 NtOpenProcess
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9A470 NtSetInformationFile
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9B470 NtOpenThread
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9B410 NtOpenProcessToken
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9A430 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9A5A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9BD40 NtSuspendThread
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9A520 NtEnumerateKey
Source: C:\Users\user\Desktop\PO.exe | Code function: String function: 02C5B0E0 appears 176 times
Source: C:\Users\user\Desktop\PO.exe | Code function: String function: 02CADDE8 appears 46 times
Source: C:\Users\user\Desktop\PO.exe | Code function: String function: 02CE5110 appears 38 times
Source: PO.exe, 00000000.00000002.964074068.0000000002D4F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO.exe
Source: PO.exe, 00000000.00000002.963205826.0000000002769000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamenetsh.exej% vs PO.exe
Source: 00000000.00000002.962678448.0000000000C70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.962678448.0000000000C70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.962350898.0000000000B40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.962350898.0000000000B40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.962565327.0000000000B9A000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.962565327.0000000000B9A000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: classification engine | Classification label: mal96.troj.evad.winEXE@6/0@2/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4028:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3980:120:WilError_01
Source: PO.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\netsh.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: PO.exe | Virustotal: Detection: 23%
Source: C:\Users\user\Desktop\PO.exe | File read: C:\Users\user\Desktop\PO.exe
Source: unknown | Process created: C:\Users\user\Desktop\PO.exe 'C:\Users\user\Desktop\PO.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO.exe'
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\InProcServer32
Source: PO.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PO.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PO.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PO.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PO.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PO.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: PO.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000008.00000000.939181708.000000000D5B0000.00000002.00000001.sdmp
Source: Binary string: netsh.pdb source: PO.exe, 00000000.00000002.963160785.0000000002750000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: PO.exe, 00000000.00000002.964074068.0000000002D4F000.00000040.00000001.sdmp
Source: Binary string: netsh.pdbGCTL source: PO.exe, 00000000.00000002.963160785.0000000002750000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: PO.exe
Source: Binary string: C:\Codes\Version12\last_sect\Release\last_sect.pdb source: PO.exe
Source: Binary string: wscui.pdb source: explorer.exe, 00000008.00000000.939181708.000000000D5B0000.00000002.00000001.sdmp
Source: PO.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PO.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PO.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PO.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PO.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_003370AA EncodePointer, EncodePointer, ___crtIsPackagedApp, LoadLibraryExW, GetLastError, LoadLibraryW, GetProcAddress, EncodePointer, GetProcAddress, EncodePointer, GetProcAddress, EncodePointer, GetProcAddress, EncodePointer, GetProcAddress, EncodePointer, IsDebuggerPresent, OutputDebugStringW, DecodePointer, DecodePointer, DecodePointer, DecodePointer, DecodePointer, DecodePointer, DecodePointer
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_00333705 push ecx; ret 0_2_00333718
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02CADE2D push ecx; ret 0_2_02CADE40

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x73 0x32
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOGPFAULTERRORBOX, NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\PO.exe | RDTSC instruction interceptor: First address: 0000000000BA4116 second address: 0000000000BA411C instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PO.exe | RDTSC instruction interceptor: First address: 0000000000BA4380 second address: 0000000000BA4386 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe | RDTSC instruction interceptor: First address: 0000000002FA98B4 second address: 0000000002FA98BA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe | RDTSC instruction interceptor: First address: 0000000002FA9B1E second address: 0000000002FA9B24 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C97AD6 rdtsc
Source: C:\Users\user\Desktop\PO.exe | API coverage: 5.7 %
Source: C:\Windows\explorer.exe TID: 1076 | Thread sleep time: -48000s >= -30000s
Source: C:\Windows\SysWOW64\netsh.exe TID: 3472 | Thread sleep time: -40000s >= -30000s
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: explorer.exe, 00000008.00000000.930175945.0000000007F90000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000008.00000000.930175945.0000000007F90000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000008.00000000.930175945.0000000007F90000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000008.00000000.930175945.0000000007F90000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\PO.exe | Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\PO.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\netsh.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C97AD6 rdtsc
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C9A2D0 NtClose, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_0033321C IsDebuggerPresent
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_003370AA EncodePointer, EncodePointer, ___crtIsPackagedApp, LoadLibraryExW, GetLastError, LoadLibraryW, GetProcAddress, EncodePointer, GetProcAddress, EncodePointer, GetProcAddress, EncodePointer, GetProcAddress, EncodePointer, GetProcAddress, EncodePointer, IsDebuggerPresent, OutputDebugStringW, DecodePointer, DecodePointer, DecodePointer, DecodePointer, DecodePointer, DecodePointer, DecodePointer
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C742B0 mov eax, dword ptr fs:[00000030h]0_2_02C742B0
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C742B0 mov eax, dword ptr fs:[00000030h]0_2_02C742B0
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C742B0 mov ecx, dword ptr fs:[00000030h]0_2_02C742B0
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C54A40 mov eax, dword ptr fs:[00000030h]0_2_02C54A40
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C54A40 mov eax, dword ptr fs:[00000030h]0_2_02C54A40
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D11243 mov eax, dword ptr fs:[00000030h]0_2_02D11243
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C84A5B mov eax, dword ptr fs:[00000030h]0_2_02C84A5B
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C84A5B mov eax, dword ptr fs:[00000030h]0_2_02C84A5B
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D11A71 mov eax, dword ptr fs:[00000030h]0_2_02D11A71
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D20A74 mov eax, dword ptr fs:[00000030h]0_2_02D20A74
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8EA6E mov eax, dword ptr fs:[00000030h]0_2_02C8EA6E
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8EA6E mov eax, dword ptr fs:[00000030h]0_2_02C8EA6E
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8EA6E mov eax, dword ptr fs:[00000030h]0_2_02C8EA6E
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C55275 mov eax, dword ptr fs:[00000030h]0_2_02C55275
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C55275 mov eax, dword ptr fs:[00000030h]0_2_02C55275
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C55275 mov eax, dword ptr fs:[00000030h]0_2_02C55275
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C55275 mov eax, dword ptr fs:[00000030h]0_2_02C55275
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C55275 mov eax, dword ptr fs:[00000030h]0_2_02C55275
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C53200 mov eax, dword ptr fs:[00000030h]0_2_02C53200
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C58209 mov eax, dword ptr fs:[00000030h]0_2_02C58209
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C58209 mov eax, dword ptr fs:[00000030h]0_2_02C58209
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C58209 mov eax, dword ptr fs:[00000030h]0_2_02C58209
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C59210 mov eax, dword ptr fs:[00000030h]0_2_02C59210
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C59210 mov eax, dword ptr fs:[00000030h]0_2_02C59210
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C59210 mov eax, dword ptr fs:[00000030h]0_2_02C59210
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C59210 mov eax, dword ptr fs:[00000030h]0_2_02C59210
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D23A05 mov eax, dword ptr fs:[00000030h]0_2_02D23A05
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D23A05 mov eax, dword ptr fs:[00000030h]0_2_02D23A05
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02CD6A16 mov eax, dword ptr fs:[00000030h]0_2_02CD6A16
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02CD6A16 mov eax, dword ptr fs:[00000030h]0_2_02CD6A16
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02CD6A16 mov eax, dword ptr fs:[00000030h]0_2_02CD6A16
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D2EA09 mov eax, dword ptr fs:[00000030h]0_2_02D2EA09
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D2EA09 mov eax, dword ptr fs:[00000030h]0_2_02D2EA09
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8523D mov eax, dword ptr fs:[00000030h]0_2_02C8523D
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8523D mov eax, dword ptr fs:[00000030h]0_2_02C8523D
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8523D mov eax, dword ptr fs:[00000030h]0_2_02C8523D
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8523D mov eax, dword ptr fs:[00000030h]0_2_02C8523D
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8523D mov eax, dword ptr fs:[00000030h]0_2_02C8523D
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8523D mov eax, dword ptr fs:[00000030h]0_2_02C8523D
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D113D8 mov eax, dword ptr fs:[00000030h]0_2_02D113D8
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C863C2 mov ecx, dword ptr fs:[00000030h]0_2_02C863C2
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C863C2 mov ecx, dword ptr fs:[00000030h]0_2_02C863C2
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C863C2 mov eax, dword ptr fs:[00000030h]0_2_02C863C2
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C863C2 mov ecx, dword ptr fs:[00000030h]0_2_02C863C2
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C863C2 mov ecx, dword ptr fs:[00000030h]0_2_02C863C2
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C863C2 mov eax, dword ptr fs:[00000030h]0_2_02C863C2
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C863C2 mov ecx, dword ptr fs:[00000030h]0_2_02C863C2
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C863C2 mov ecx, dword ptr fs:[00000030h]0_2_02C863C2
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C863C2 mov eax, dword ptr fs:[00000030h]0_2_02C863C2
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C863C2 mov ecx, dword ptr fs:[00000030h]0_2_02C863C2
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C863C2 mov ecx, dword ptr fs:[00000030h]0_2_02C863C2
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C863C2 mov eax, dword ptr fs:[00000030h]0_2_02C863C2
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C99BC7 mov eax, dword ptr fs:[00000030h]0_2_02C99BC7
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02CE3BD8 mov eax, dword ptr fs:[00000030h]0_2_02CE3BD8
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C5F3E0 mov eax, dword ptr fs:[00000030h]0_2_02C5F3E0
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C5F3E0 mov eax, dword ptr fs:[00000030h]0_2_02C5F3E0
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C5F3E0 mov eax, dword ptr fs:[00000030h]0_2_02C5F3E0
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8ABFE mov eax, dword ptr fs:[00000030h]0_2_02C8ABFE
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8ABFE mov eax, dword ptr fs:[00000030h]0_2_02C8ABFE
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C96399 mov eax, dword ptr fs:[00000030h]0_2_02C96399
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C96399 mov eax, dword ptr fs:[00000030h]0_2_02C96399
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C96399 mov eax, dword ptr fs:[00000030h]0_2_02C96399
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D19B89 mov eax, dword ptr fs:[00000030h]0_2_02D19B89
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D19B89 mov ecx, dword ptr fs:[00000030h]0_2_02D19B89
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C84B96 mov eax, dword ptr fs:[00000030h]0_2_02C84B96
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C84B96 mov eax, dword ptr fs:[00000030h]0_2_02C84B96
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C84B96 mov eax, dword ptr fs:[00000030h]0_2_02C84B96
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C84B96 mov eax, dword ptr fs:[00000030h]0_2_02C84B96
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C84B96 mov eax, dword ptr fs:[00000030h]0_2_02C84B96
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02CD63A6 mov eax, dword ptr fs:[00000030h]0_2_02CD63A6
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C54BB4 mov edi, dword ptr fs:[00000030h]0_2_02C54BB4
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02CD4BBE mov eax, dword ptr fs:[00000030h]0_2_02CD4BBE
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02CD4BBE mov eax, dword ptr fs:[00000030h]0_2_02CD4BBE
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02CD4BBE mov eax, dword ptr fs:[00000030h]0_2_02CD4BBE
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02CD4BBE mov eax, dword ptr fs:[00000030h]0_2_02CD4BBE
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8BBBC mov eax, dword ptr fs:[00000030h]0_2_02C8BBBC
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D143A4 mov eax, dword ptr fs:[00000030h]0_2_02D143A4
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D143A4 mov eax, dword ptr fs:[00000030h]0_2_02D143A4
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D143A4 mov eax, dword ptr fs:[00000030h]0_2_02D143A4
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D143A4 mov eax, dword ptr fs:[00000030h]0_2_02D143A4
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D11351 mov eax, dword ptr fs:[00000030h]0_2_02D11351
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D28356 mov eax, dword ptr fs:[00000030h]0_2_02D28356
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C7FB40 mov eax, dword ptr fs:[00000030h]0_2_02C7FB40
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C7FB40 mov eax, dword ptr fs:[00000030h]0_2_02C7FB40
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C7FB40 mov eax, dword ptr fs:[00000030h]0_2_02C7FB40
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C7FB40 mov eax, dword ptr fs:[00000030h]0_2_02C7FB40
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C7FB40 mov eax, dword ptr fs:[00000030h]0_2_02C7FB40
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C7FB40 mov eax, dword ptr fs:[00000030h]0_2_02C7FB40
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C81356 mov eax, dword ptr fs:[00000030h]0_2_02C81356
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C81356 mov eax, dword ptr fs:[00000030h]0_2_02C81356
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C81356 mov eax, dword ptr fs:[00000030h]0_2_02C81356
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C81356 mov eax, dword ptr fs:[00000030h]0_2_02C81356
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C81356 mov eax, dword ptr fs:[00000030h]0_2_02C81356
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C81356 mov eax, dword ptr fs:[00000030h]0_2_02C81356
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C81356 mov eax, dword ptr fs:[00000030h]0_2_02C81356
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C9536C mov eax, dword ptr fs:[00000030h]0_2_02C9536C
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C9536C mov eax, dword ptr fs:[00000030h]0_2_02C9536C
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D1E362 mov eax, dword ptr fs:[00000030h]0_2_02D1E362
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C6E370 mov eax, dword ptr fs:[00000030h]0_2_02C6E370
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C6E370 mov eax, dword ptr fs:[00000030h]0_2_02C6E370
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C6E370 mov eax, dword ptr fs:[00000030h]0_2_02C6E370
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8AB0C mov eax, dword ptr fs:[00000030h]0_2_02C8AB0C
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8AB0C mov eax, dword ptr fs:[00000030h]0_2_02C8AB0C
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C5C330 mov eax, dword ptr fs:[00000030h]0_2_02C5C330
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C5C330 mov eax, dword ptr fs:[00000030h]0_2_02C5C330
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C5C330 mov eax, dword ptr fs:[00000030h]0_2_02C5C330
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C848CB mov eax, dword ptr fs:[00000030h]0_2_02C848CB
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C848CB mov eax, dword ptr fs:[00000030h]0_2_02C848CB
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C848CB mov eax, dword ptr fs:[00000030h]0_2_02C848CB
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D0F8C0 mov eax, dword ptr fs:[00000030h]0_2_02D0F8C0
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C590D0 mov eax, dword ptr fs:[00000030h]0_2_02C590D0
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C590D0 mov eax, dword ptr fs:[00000030h]0_2_02C590D0
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C590D0 mov eax, dword ptr fs:[00000030h]0_2_02C590D0
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D110CF mov eax, dword ptr fs:[00000030h]0_2_02D110CF
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C858EB mov eax, dword ptr fs:[00000030h]0_2_02C858EB
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C858EB mov eax, dword ptr fs:[00000030h]0_2_02C858EB
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D1B8F9 mov eax, dword ptr fs:[00000030h]0_2_02D1B8F9
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D1B8F9 mov eax, dword ptr fs:[00000030h]0_2_02D1B8F9
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C7E0E8 mov eax, dword ptr fs:[00000030h]0_2_02C7E0E8
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02CEF8F0 mov eax, dword ptr fs:[00000030h]0_2_02CEF8F0
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02CEF8F0 mov eax, dword ptr fs:[00000030h]0_2_02CEF8F0
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02CE2893 mov eax, dword ptr fs:[00000030h]0_2_02CE2893
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D150B3 mov eax, dword ptr fs:[00000030h]0_2_02D150B3
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D150B3 mov eax, dword ptr fs:[00000030h]0_2_02D150B3
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02CD40A7 mov eax, dword ptr fs:[00000030h]0_2_02CD40A7
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D208A5 mov eax, dword ptr fs:[00000030h]0_2_02D208A5
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D208A5 mov eax, dword ptr fs:[00000030h]0_2_02D208A5
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D208A5 mov eax, dword ptr fs:[00000030h]0_2_02D208A5
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C558BC mov eax, dword ptr fs:[00000030h]0_2_02C558BC
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8E845 mov eax, dword ptr fs:[00000030h]0_2_02C8E845
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C59050 mov eax, dword ptr fs:[00000030h]0_2_02C59050
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D1A844 mov eax, dword ptr fs:[00000030h]0_2_02D1A844
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D1A844 mov eax, dword ptr fs:[00000030h]0_2_02D1A844
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C6F050 mov eax, dword ptr fs:[00000030h]0_2_02C6F050
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C6F050 mov eax, dword ptr fs:[00000030h]0_2_02C6F050
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C7E067 mov eax, dword ptr fs:[00000030h]0_2_02C7E067
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C7E067 mov eax, dword ptr fs:[00000030h]0_2_02C7E067
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02CEF867 mov eax, dword ptr fs:[00000030h]0_2_02CEF867
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C7F076 mov eax, dword ptr fs:[00000030h]0_2_02C7F076
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C7F076 mov eax, dword ptr fs:[00000030h]0_2_02C7F076
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C7F076 mov eax, dword ptr fs:[00000030h]0_2_02C7F076
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C7F076 mov eax, dword ptr fs:[00000030h]0_2_02C7F076
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C7F076 mov eax, dword ptr fs:[00000030h]0_2_02C7F076
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C72073 mov eax, dword ptr fs:[00000030h]0_2_02C72073
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C82870 mov eax, dword ptr fs:[00000030h]0_2_02C82870
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C74800 mov eax, dword ptr fs:[00000030h]0_2_02C74800
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C74800 mov eax, dword ptr fs:[00000030h]0_2_02C74800
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C74800 mov eax, dword ptr fs:[00000030h]0_2_02C74800
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C74800 mov eax, dword ptr fs:[00000030h]0_2_02C74800
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D11008 mov eax, dword ptr fs:[00000030h]0_2_02D11008
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C6A01A mov eax, dword ptr fs:[00000030h]0_2_02C6A01A
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C6A01A mov eax, dword ptr fs:[00000030h]0_2_02C6A01A
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C6A01A mov eax, dword ptr fs:[00000030h]0_2_02C6A01A
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C6A01A mov eax, dword ptr fs:[00000030h]0_2_02C6A01A
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C57025 mov eax, dword ptr fs:[00000030h]0_2_02C57025
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C55020 mov eax, dword ptr fs:[00000030h]0_2_02C55020
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C55020 mov eax, dword ptr fs:[00000030h]0_2_02C55020
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C55020 mov eax, dword ptr fs:[00000030h]0_2_02C55020
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C80021 mov eax, dword ptr fs:[00000030h]0_2_02C80021
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C80021 mov eax, dword ptr fs:[00000030h]0_2_02C80021
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C80021 mov eax, dword ptr fs:[00000030h]0_2_02C80021
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C80021 mov eax, dword ptr fs:[00000030h]0_2_02C80021
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D0F83F mov eax, dword ptr fs:[00000030h]0_2_02D0F83F
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C94030 mov eax, dword ptr fs:[00000030h]0_2_02C94030
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C5383B mov eax, dword ptr fs:[00000030h]0_2_02C5383B
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C5383B mov eax, dword ptr fs:[00000030h]0_2_02C5383B
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D111D2 mov eax, dword ptr fs:[00000030h]0_2_02D111D2
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C869C0 mov ecx, dword ptr fs:[00000030h]0_2_02C869C0
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C551E0 mov eax, dword ptr fs:[00000030h]0_2_02C551E0
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C551E0 mov ecx, dword ptr fs:[00000030h]0_2_02C551E0
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C551E0 mov eax, dword ptr fs:[00000030h]0_2_02C551E0
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C551E0 mov eax, dword ptr fs:[00000030h]0_2_02C551E0
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C679F7 mov eax, dword ptr fs:[00000030h]0_2_02C679F7
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02CD7194 mov eax, dword ptr fs:[00000030h]0_2_02CD7194
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02CD7194 mov eax, dword ptr fs:[00000030h]0_2_02CD7194
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02CD7194 mov eax, dword ptr fs:[00000030h]0_2_02CD7194
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C5A9A6 mov eax, dword ptr fs:[00000030h]0_2_02C5A9A6
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C5A9A6 mov eax, dword ptr fs:[00000030h]0_2_02C5A9A6
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C819B0 mov eax, dword ptr fs:[00000030h]0_2_02C819B0
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D11151 mov eax, dword ptr fs:[00000030h]0_2_02D11151
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8594B mov eax, dword ptr fs:[00000030h]0_2_02C8594B
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8594B mov eax, dword ptr fs:[00000030h]0_2_02C8594B
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8594B mov eax, dword ptr fs:[00000030h]0_2_02C8594B
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8594B mov eax, dword ptr fs:[00000030h]0_2_02C8594B
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8594B mov eax, dword ptr fs:[00000030h]0_2_02C8594B
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8594B mov eax, dword ptr fs:[00000030h]0_2_02C8594B
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8594B mov eax, dword ptr fs:[00000030h]0_2_02C8594B
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8594B mov eax, dword ptr fs:[00000030h]0_2_02C8594B
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8594B mov eax, dword ptr fs:[00000030h]0_2_02C8594B
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8594B mov eax, dword ptr fs:[00000030h]0_2_02C8594B
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8594B mov eax, dword ptr fs:[00000030h]0_2_02C8594B
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8594B mov eax, dword ptr fs:[00000030h]0_2_02C8594B
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8594B mov eax, dword ptr fs:[00000030h]0_2_02C8594B
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8594B mov eax, dword ptr fs:[00000030h]0_2_02C8594B
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8594B mov eax, dword ptr fs:[00000030h]0_2_02C8594B
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8594B mov eax, dword ptr fs:[00000030h]0_2_02C8594B
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8594B mov eax, dword ptr fs:[00000030h]0_2_02C8594B
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8594B mov eax, dword ptr fs:[00000030h]0_2_02C8594B
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8594B mov eax, dword ptr fs:[00000030h]0_2_02C8594B
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8594B mov eax, dword ptr fs:[00000030h]0_2_02C8594B
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8594B mov eax, dword ptr fs:[00000030h]0_2_02C8594B
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8214F mov eax, dword ptr fs:[00000030h]0_2_02C8214F
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C53158 mov ecx, dword ptr fs:[00000030h]0_2_02C53158
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C5516E mov eax, dword ptr fs:[00000030h]0_2_02C5516E
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C5516E mov ecx, dword ptr fs:[00000030h]0_2_02C5516E
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C5B171 mov eax, dword ptr fs:[00000030h]0_2_02C5B171
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C5B171 mov eax, dword ptr fs:[00000030h]0_2_02C5B171
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C5B171 mov eax, dword ptr fs:[00000030h]0_2_02C5B171
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C5397E mov eax, dword ptr fs:[00000030h]0_2_02C5397E
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C5397E mov eax, dword ptr fs:[00000030h]0_2_02C5397E
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C5B101 mov eax, dword ptr fs:[00000030h]0_2_02C5B101
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C5B101 mov eax, dword ptr fs:[00000030h]0_2_02C5B101
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C54101 mov eax, dword ptr fs:[00000030h]0_2_02C54101
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C54101 mov eax, dword ptr fs:[00000030h]0_2_02C54101
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C54101 mov eax, dword ptr fs:[00000030h]0_2_02C54101
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C87110 mov eax, dword ptr fs:[00000030h]0_2_02C87110
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C87110 mov eax, dword ptr fs:[00000030h]0_2_02C87110
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C87110 mov eax, dword ptr fs:[00000030h]0_2_02C87110
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C6F11B mov eax, dword ptr fs:[00000030h]0_2_02C6F11B
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C6F11B mov eax, dword ptr fs:[00000030h]0_2_02C6F11B
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C6F11B mov eax, dword ptr fs:[00000030h]0_2_02C6F11B
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C6F11B mov eax, dword ptr fs:[00000030h]0_2_02C6F11B
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C6F11B mov eax, dword ptr fs:[00000030h]0_2_02C6F11B
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C6F11B mov eax, dword ptr fs:[00000030h]0_2_02C6F11B
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C6F11B mov eax, dword ptr fs:[00000030h]0_2_02C6F11B
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D2010D mov eax, dword ptr fs:[00000030h]0_2_02D2010D
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D2010D mov eax, dword ptr fs:[00000030h]0_2_02D2010D
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C8A93B mov eax, dword ptr fs:[00000030h]0_2_02C8A93B
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C966D0 mov eax, dword ptr fs:[00000030h]0_2_02C966D0
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D10EFB mov eax, dword ptr fs:[00000030h]0_2_02D10EFB
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C816E5 mov eax, dword ptr fs:[00000030h]0_2_02C816E5
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C816E5 mov eax, dword ptr fs:[00000030h]0_2_02C816E5
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C54EFE mov eax, dword ptr fs:[00000030h]0_2_02C54EFE
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C54EFE mov eax, dword ptr fs:[00000030h]0_2_02C54EFE
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02C66682 mov eax, dword ptr fs:[00000030h]0_2_02C66682
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D13E96 mov eax, dword ptr fs:[00000030h]0_2_02D13E96
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D13E96 mov eax, dword ptr fs:[00000030h]0_2_02D13E96
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D13E96 mov eax, dword ptr fs:[00000030h]0_2_02D13E96
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D13E96 mov eax, dword ptr fs:[00000030h]0_2_02D13E96
      Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02D13E96 mov eax, dword ptr fs:[00000030h]0_2_02D13E96
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02D13E96 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C93E9A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C5C692 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C53EA0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02D286A9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C866B4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C5CE50 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C5E650 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C8DE50 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C95651 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C84E61 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C5CE70 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C85E70 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C8A675 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02CD660A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C72600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C5A60B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02D11606 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C82616 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C7FE37 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C8CE34 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C51638 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02CEBE30 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02D0F7D3 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02CD67C9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02CD67C9 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C52FD0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C52FD0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C53FE5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02D087F1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C677ED mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02D1F7E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C847FD mov esi, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C847FD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C5E7F3 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02D1AF81 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02D12782 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C75790 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C75790 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C7E79A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C7A7B6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02D1FFAC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C6DF40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C85744 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02CD2F40 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C7C74A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02D03740 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C6EF60 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C90761 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C99F7A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C66F05 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02D12F18 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C81F10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02D2870A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02D1DF39 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C7E4C6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C5ACC0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C54CD0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C61CDD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02D284CD mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02D144EF mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C52CFB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02D13490 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C61C8E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C61C8E mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02D10C9A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C67488 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C514A0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02D28452 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02D1E455 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02CE3C47 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02D1145F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C8245F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02CDE460 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02D0AC60 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C6EC77 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C8547E mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02C77C7D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_02D1A416 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_003343BC GetProcessHeap
      Source: C:\Users\user\Desktop\PO.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_00335A52 SetUnhandledExceptionFilter
      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_00335A75 SetUnhandledExceptionFilter,UnhandledExceptionFilter

      HIPS / PFW / Operating System Protection Evasion:

      Maps a DLL or memory area into another process
      Source: C:\Users\user\Desktop\PO.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\PO.exe | Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\PO.exe | Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Modifies the context of a thread in another process (thread injection)
      Source: C:\Users\user\Desktop\PO.exe | Thread register set: target process: 2928
      Source: C:\Windows\SysWOW64\netsh.exe | Thread register set: target process: 2928
      Queues an APC in another process (thread injection)
      Source: C:\Users\user\Desktop\PO.exe | Thread APC queued: target process: C:\Windows\explorer.exe
      Sample uses process hollowing technique
      Source: C:\Users\user\Desktop\PO.exe | Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: 820000
      Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO.exe'
      Source: explorer.exe, 00000008.00000002.1197316228.00000000011C0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
      Source: explorer.exe, 00000008.00000002.1197316228.00000000011C0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
      Source: explorer.exe, 00000008.00000002.1197316228.00000000011C0000.00000002.00000001.sdmp | Binary or memory string: Progman
      Source: explorer.exe, 00000008.00000002.1197316228.00000000011C0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
      Source: explorer.exe, 00000008.00000000.907469845.0000000000BC0000.00000004.00000020.sdmp | Binary or memory string: Progman9

      Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_00334A34 GetSystemTimeAsFileTime,GetCurrentThreadId,GetTickCount64,QueryPerformanceCounter

      Lowering of HIPS / PFW / Operating System Security Settings:

      Uses netsh to modify the Windows network and firewall settings
      Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe

      Stealing of Sensitive Information:

      Yara detected FormBook
      Source: Yara match | File source: 00000000.00000002.962678448.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.962350898.0000000000B40000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.962565327.0000000000B9A000.00000040.00000001.sdmp, type: MEMORY

      Remote Access Functionality:

      Yara detected FormBook
      Source: Yara match | File source: 00000000.00000002.962678448.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.962350898.0000000000B40000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.962565327.0000000000B9A000.00000040.00000001.sdmp, type: MEMORY

      MITRE ATT&CK Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Execution through API 1 | Hooking 1 | Hooking 1 | Rootkit 1 | Hooking 1 | System Time Discovery 1 | Application Deployment Software | Data from Local System | Data Encrypted 1 | Standard Cryptographic Protocol 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Replication Through Removable Media | Execution through Module Load 1 | Port Monitors | Process Injection 412 | Disabling Security Tools 1 | Network Sniffing | Virtualization/Sandbox Evasion 2 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Virtualization/Sandbox Evasion 2 | Input Capture | Process Discovery 2 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Process Injection 412 | Credentials in Files | Security Software Discovery 151 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication | SIM Card Swap | - | Premium SMS Toll Fraud
      Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Deobfuscate/Decode Files or Information 1 | Account Manipulation | Remote System Discovery 1 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
      Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Obfuscated Files or Information 2 | Brute Force | System Information Discovery 12 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | - | Abuse Accessibility Features

      Behavior Graph
