

Analysis Report PO.exe

Overview

General Information

Sample Name: PO.exe
Analysis ID: 321086
MD5: 1a278a89f8176f9d38a04f4e58a8c072
SHA1: 50beebd33a8b68602632e1ec065cc6e3b70b40ea
SHA256: 73a8ac37a0f0c6761800a276b77b0fd34d1cf43830f822ef18ff50dbda934751
Tags: exe, Formbook


Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Hides threads from debuggers
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • PO.exe (PID: 3064 cmdline: 'C:\Users\user\Desktop\PO.exe' MD5: 1A278A89F8176F9D38A04F4E58A8C072)
    • PO.exe (PID: 5820 cmdline: C:\Users\user\Desktop\PO.exe MD5: 1A278A89F8176F9D38A04F4E58A8C072)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • netsh.exe (PID: 6964 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
          • cmd.exe (PID: 7052 cmdline: /c del 'C:\Users\user\Desktop\PO.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • WerFault.exe (PID: 4456 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 1204 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
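The tree above, read as an added example rather than as part of the sandbox output: the script below parses the Startup lines exactly as printed (image, PID, command line and MD5 are copied from the report) and pulls out the chain that matters for triage, which is PO.exe re-launching its own image, explorer.exe (shown under the second PO.exe) starting netsh.exe, netsh.exe starting cmd.exe to delete the original sample, and WerFault.exe handling the crash of PID 3064. The indicator rules and their labels are this example's own heuristics, not Joe Sandbox signatures.

```python
# Added example (not from the Joe Sandbox report): parse the Startup tree
# printed above and flag the chain a responder would pull out of it.  The
# tree text is copied from the report; the indicator rules are this
# example's own heuristics, not Joe Sandbox signatures.
import re
from dataclasses import dataclass, field
from typing import List, Optional

PROCESS_TREE = r"""
  • System is w10x64
  • PO.exe (PID: 3064 cmdline: 'C:\Users\user\Desktop\PO.exe' MD5: 1A278A89F8176F9D38A04F4E58A8C072)
    • PO.exe (PID: 5820 cmdline: C:\Users\user\Desktop\PO.exe MD5: 1A278A89F8176F9D38A04F4E58A8C072)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • netsh.exe (PID: 6964 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
          • cmd.exe (PID: 7052 cmdline: /c del 'C:\Users\user\Desktop\PO.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • WerFault.exe (PID: 4456 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 1204 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
"""

# One report line: indentation (two spaces per level), bullet, image, PID,
# command line (may be empty, as for explorer.exe) and the image MD5.
LINE_RE = re.compile(
    r"^(?P<indent> *)• (?P<image>\S+) \(PID: (?P<pid>\d+) cmdline:\s*"
    r"(?P<cmdline>.*?)\s*MD5: (?P<md5>[0-9A-Fa-f]{32})\)\s*$"
)


@dataclass
class Proc:
    image: str
    pid: int
    cmdline: str
    md5: str
    depth: int
    parent: Optional["Proc"] = None
    children: List["Proc"] = field(default_factory=list)


def parse_tree(text: str) -> List[Proc]:
    """Rebuild parent/child links from the indentation of the report lines."""
    procs, stack = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:          # "System is w10x64", "cleanup", blank lines
            continue
        depth = (len(m["indent"]) - 2) // 2
        p = Proc(m["image"], int(m["pid"]), m["cmdline"], m["md5"].upper(), depth)
        while stack and stack[-1].depth >= depth:
            stack.pop()
        if stack:
            p.parent = stack[-1]
            stack[-1].children.append(p)
        stack.append(p)
        procs.append(p)
    return procs


def ancestors(p: Proc):
    while p.parent is not None:
        p = p.parent
        yield p


SAME_IMAGE_CHILD = "same-image child"
NETSH_SPAWNS_CMD = "netsh.exe spawns cmd.exe"
DELETES_ANCESTOR = "cmd.exe deletes an ancestor's image"
WERFAULT_FOR_TREE = "WerFault.exe reports a crash of a tree process"


def find_indicators(procs: List[Proc]) -> list:
    """(kind, detail) pairs; the kinds are this example's own labels."""
    by_pid = {p.pid: p for p in procs}
    found = []
    for p in procs:
        par = p.parent
        # A process re-launching its own image (same name, same MD5) is the
        # shape the report's "Creates a process in suspended mode" and
        # "process hollowing" signatures describe.
        if par and par.image.lower() == p.image.lower() and par.md5 == p.md5:
            found.append((SAME_IMAGE_CHILD, f"{par.image} ({par.pid}) -> {p.image} ({p.pid})"))
        # netsh.exe has no business launching a shell.
        if par and par.image.lower() == "netsh.exe" and p.image.lower() == "cmd.exe":
            found.append((NETSH_SPAWNS_CMD, f"{par.pid} -> {p.pid}: {p.cmdline}"))
        # "/c del <path>" naming an ancestor's image: the sample removing itself.
        if p.image.lower() == "cmd.exe" and re.match(r"/c\s+del\b", p.cmdline, re.I):
            for anc in ancestors(p):
                if anc.image.lower() in p.cmdline.lower():
                    found.append((DELETES_ANCESTOR, f"{p.pid} deletes {anc.image} ({anc.pid})"))
                    break
        # WerFault -p <pid>: which process in the tree crashed.
        if p.image.lower() == "werfault.exe":
            m = re.search(r"-p\s+(\d+)", p.cmdline)
            crashed = by_pid.get(int(m[1])) if m else None
            if crashed:
                found.append((WERFAULT_FOR_TREE, f"{crashed.image} ({crashed.pid}) crashed"))
    return found


if __name__ == "__main__":
    for kind, detail in find_indicators(parse_tree(PROCESS_TREE)):
        print(f"{kind}: {detail}")
```

Running it prints the four findings in tree order; the same parser works on any Joe Sandbox Startup block of this layout, and the rules are the place to add site-specific parent/child expectations.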

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings are listed under each row)
00000003.00000002.314545610.0000000001580000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.314545610.0000000001580000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.314545610.0000000001580000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18419:$sqlite3step: 68 34 1C 7B E1
  • 0x1852c:$sqlite3step: 68 34 1C 7B E1
  • 0x18448:$sqlite3text: 68 38 2A 90 C5
  • 0x1856d:$sqlite3text: 68 38 2A 90 C5
  • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.484649434.00000000031B0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000010.00000002.484649434.00000000031B0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author (matched strings are listed under each row)
3.2.PO.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.PO.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.PO.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18419:$sqlite3step: 68 34 1C 7B E1
  • 0x1852c:$sqlite3step: 68 34 1C 7B E1
  • 0x18448:$sqlite3text: 68 38 2A 90 C5
  • 0x1856d:$sqlite3text: 68 38 2A 90 C5
  • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18583:$sqlite3blob: 68 53 D8 7F 8C
3.2.PO.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.PO.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further entry not shown)
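The Yara hits above come from two community rules. The same strings sit at the same offsets in the 0x1580000 dump of the PO.exe process numbered 3 and in the 0x31B0000 dump inside netsh.exe, and every offset shifts by exactly 0xE00 between the .raw.unpack and .unpack views of the same PE, which is consistent with a file-layout versus section-aligned in-memory view of one image. As an added example (not part of the report and not either rule's published source), the script below re-creates that string matching over a constructed buffer: the pattern bytes and string names are copied from the rows above, the buffer is zero-filled with a few patterns planted at the report's offsets, the JPCERT/CC rule's condition is assumed to be "all of them" because the report lists only its strings, and Formbook_1's condition is not reproduced. It also decodes the three JPCERT/CC strings as x86 `push imm32` instructions (opcode 0x68 followed by a little-endian 32-bit operand), which is what those five-byte patterns are.

```python
# Added example (not from the Joe Sandbox report): re-create the string
# matching behind the two community Yara rules above over a constructed
# buffer.  Pattern bytes and names are copied from the report; the buffer
# contents and planted offsets are this example's own.

FORMBOOK_1 = {  # strings of the Formbook_1 rule (Felix Bilstein), as listed above
    "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    "$sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "$sequence_2": "3B 4F 14 73 95 85 C9 74 91",
    "$sequence_3": "3C 69 75 44 8B 7D 18 8B 0F",
    "$sequence_4": "5D C3 8D 50 7C 80 FA 07",
    "$sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
    "$sequence_6": "57 89 45 FC 89 45 F4 89 45 F8",
    "$sequence_7": "66 89 0C 02 5B 8B E5 5D",
    "$sequence_8": "3C 54 74 04 3C 74 75 F4",
    "$sequence_9": "56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00",
}
JPCERT_FORMBOOK = {  # strings of the JPCERT/CC "Formbook" rule, as listed above
    "$sqlite3step": "68 34 1C 7B E1",
    "$sqlite3text": "68 38 2A 90 C5",
    "$sqlite3blob": "68 53 D8 7F 8C",
}


def hexpat(s: str) -> bytes:
    """Turn a Yara-style hex string ("68 34 1C 7B E1") into bytes."""
    return bytes.fromhex(s.replace(" ", ""))


def find_all(buf: bytes, needle: bytes) -> list:
    """Every offset at which needle occurs in buf (overlaps included)."""
    offs, i = [], buf.find(needle)
    while i != -1:
        offs.append(i)
        i = buf.find(needle, i + 1)
    return offs


def scan(buf: bytes, patterns: dict) -> dict:
    """{string name: [offsets]} for each pattern that occurs at least once."""
    hits = {}
    for name, hexstr in patterns.items():
        offs = find_all(buf, hexpat(hexstr))
        if offs:
            hits[name] = offs
    return hits


def report_lines(hits: dict, patterns: dict) -> list:
    """Render hits in the report's 'offset:$name: bytes' layout."""
    return [f"0x{off:x}:{name}: {patterns[name]}"
            for name, offs in hits.items() for off in offs]


def jpcert_matches(hits: dict) -> bool:
    """Assumed condition for the JPCERT/CC rule: all three strings present
    (the report lists only its strings, not its condition)."""
    return all(name in hits for name in JPCERT_FORMBOOK)


def push_imm32(hexstr: str) -> int:
    """Decode a five-byte x86 'push imm32' (opcode 0x68) to its operand, so
    the JPCERT/CC strings can be read as the 32-bit constants they push."""
    b = hexpat(hexstr)
    if len(b) != 5 or b[0] != 0x68:
        raise ValueError("not a push imm32 encoding")
    return int.from_bytes(b[1:], "little")


def build_sample() -> bytes:
    """Constructed 128 KiB buffer of zero bytes with a few rule strings
    planted at the offsets the report shows for the 0x1580000 dump."""
    buf = bytearray(0x20000)
    planted = {
        0x98E8: FORMBOOK_1["$sequence_0"],
        0x9B62: FORMBOOK_1["$sequence_0"],
        0x15685: FORMBOOK_1["$sequence_1"],
        0x18419: JPCERT_FORMBOOK["$sqlite3step"],
        0x18448: JPCERT_FORMBOOK["$sqlite3text"],
        0x1845B: JPCERT_FORMBOOK["$sqlite3blob"],
    }
    for off, hexstr in planted.items():
        b = hexpat(hexstr)
        buf[off:off + len(b)] = b
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample()
    for line in report_lines(scan(sample, FORMBOOK_1), FORMBOOK_1):
        print(line)
    jp = scan(sample, JPCERT_FORMBOOK)
    print("JPCERT/CC Formbook:", "match" if jpcert_matches(jp) else "no match")
    for name, hexstr in JPCERT_FORMBOOK.items():
        print(f"{name} pushes 0x{push_imm32(hexstr):08X}")
```

Point `scan()` at a real dump (`open(path, "rb").read()`) to reproduce the offsets in the table; the plain `bytes.find` loop is enough for fixed hex strings, while wildcards and jumps in a Yara hex string would need a regex or the yara-python bindings instead.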

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: PO.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: PO.exe | Virustotal: Detection: 38%
Source: PO.exe | ReversingLabs: Detection: 10%
Yara detected FormBook
Source: Yara match | File source: 00000003.00000002.314545610.0000000001580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.484649434.00000000031B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.483269971.0000000002E50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.313036443.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.314657268.00000000015B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.483171472.0000000002DB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: PO.exe | Joe Sandbox ML: detected
Source: 3.2.PO.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2
Source: unknown | DNS traffic detected: queries for: www.novavitarealty.com
Source: explorer.exe, 00000006.00000000.299457272.000000000F5C0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000006.00000002.484389821.0000000001398000.00000004.00000020.sdmp | String found in binary or memory: http://crl.v
Source: explorer.exe, 00000006.00000000.288649915.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000006.00000000.288649915.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000006.00000000.288649915.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000006.00000000.288649915.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000006.00000000.288649915.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000006.00000000.288649915.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000006.00000000.288649915.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000006.00000000.288649915.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000006.00000000.288649915.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000006.00000000.288649915.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000006.00000000.288649915.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000006.00000000.288649915.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000006.00000000.288649915.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000006.00000000.288649915.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000006.00000000.288649915.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000006.00000000.288649915.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000006.00000000.288649915.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000006.00000000.288649915.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000006.00000000.288649915.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000006.00000000.288649915.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000006.00000000.288649915.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000006.00000000.288649915.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000006.00000000.288649915.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000006.00000000.288649915.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000006.00000000.288649915.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000006.00000000.288649915.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: netsh.exe, 00000010.00000002.491969634.000000000432F000.00000004.00000001.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css
Note: the explorer.exe entries above are font-vendor and licence URLs found as strings in that process's memory; they are not connections made by the sample and should not be treated as indicators. The only network event recorded in this section is the DNS query for www.novavitarealty.com.

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000003.00000002.314545610.0000000001580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.484649434.00000000031B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.483269971.0000000002E50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.313036443.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.314657268.00000000015B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.483171472.0000000002DB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.PO.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.314545610.0000000001580000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.314545610.0000000001580000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.484649434.00000000031B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.484649434.00000000031B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.483269971.0000000002E50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.483269971.0000000002E50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.313036443.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.313036443.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.314657268.00000000015B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.314657268.00000000015B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.483171472.0000000002DB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.483171472.0000000002DB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.PO.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.PO.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\PO.exe | Code function: 3_2_0041A060 NtClose
Source: C:\Users\user\Desktop\PO.exe | Code function: 3_2_0041A110 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\PO.exe | Code function: 3_2_00419F30 NtCreateFile
Source: C:\Users\user\Desktop\PO.exe | Code function: 3_2_00419FE0 NtReadFile
Source: C:\Users\user\Desktop\PO.exe | Code function: 3_2_0041A05B NtClose
Source: C:\Users\user\Desktop\PO.exe | Code function: 3_2_0041A10A NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\PO.exe | Code function: 3_2_00419F2B NtCreateFile
Source: C:\Users\user\Desktop\PO.exe | Code function: 3_2_00419FDA NtReadFile
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03709710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03709FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03709780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03709A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_037096E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_037096D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03709540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03709910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_037095D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_037099A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03709860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03709840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03709770 NtSetInformationFile
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0370A770 NtOpenThread
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03709760 NtOpenProcess
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03709730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0370A710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03709B00 NtSetValueKey
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0370A3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_037097A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03709670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03709660 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03709650 NtQueryValueKey
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03709A20 NtResumeThread
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03709610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03709A10 NtQuerySection
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03709A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03709A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03709560 NtWriteFile
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03709950 NtQueueApcThread
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0370AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03709520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_037095F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_037099D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0370B040 NtSuspendThread
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03709820 NtEnumerateKey
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_037098F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_037098A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_02DCA060 NtClose
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_02DC9FE0 NtReadFile
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_02DC9F30 NtCreateFile
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_02DCA05B NtClose
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_02DC9FDA NtReadFile
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_02DC9F2B NtCreateFile
Source: C:\Users\user\Desktop\PO.exe | Code function: 3_2_00401030
Source: C:\Users\user\Desktop\PO.exe | Code function: 3_2_0041D173
Source: C:\Users\user\Desktop\PO.exe | Code function: 3_2_0041DB48
Source: C:\Users\user\Desktop\PO.exe | Code function: 3_2_0041D4FF
Source: C:\Users\user\Desktop\PO.exe | Code function: 3_2_0041DD04
Source: C:\Users\user\Desktop\PO.exe | Code function: 3_2_00402D88
Source: C:\Users\user\Desktop\PO.exe | Code function: 3_2_00402D90
Source: C:\Users\user\Desktop\PO.exe | Code function: 3_2_00409E40
Source: C:\Users\user\Desktop\PO.exe | Code function: 3_2_0041E79E
Source: C:\Users\user\Desktop\PO.exe | Code function: 3_2_00402FB0
Source: C:\Users\user\Desktop\PO.exe | Code function: 3_2_00739116
Source: C:\Users\user\Desktop\PO.exe | Code function: 3_2_0068035A
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036FEBB0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036E6E30
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03791D55
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036C0D20
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036E4120
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036CF900
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036DD5E0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036F2581
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036D841F
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03781002
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036F20A0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036DB090
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_02DB9E40
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_02DCE79E
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_02DB2FB0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_02DB2D90
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_02DB2D88
Source: C:\Windows\SysWOW64\netsh.exe | Code function: String function: 036CB150 appears 35 times
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 1204
Source: PO.exe | Binary or memory string: OriginalFilename vs PO.exe
Source: PO.exe, 00000003.00000003.267458022.00000000011CF000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO.exe
Source: PO.exe, 00000003.00000002.316029296.0000000002F4C000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamenetsh.exej% vs PO.exe
Source: PO.exe, 00000003.00000002.313036443.0000000000400000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamecdcd aaa.exe2 vs PO.exe
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: 00000003.00000002.314545610.0000000001580000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.314545610.0000000001580000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.484649434.00000000031B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.484649434.00000000031B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.483269971.0000000002E50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.483269971.0000000002E50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.313036443.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.313036443.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.314657268.00000000015B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.314657268.00000000015B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.483171472.0000000002DB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.483171472.0000000002DB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.PO.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.PO.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/4@2/1
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3064
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7060:120:WilError_01
          Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD2F6.tmpJump to behavior
          Source: PO.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\PO.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\PO.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: PO.exeVirustotal: Detection: 38%
          Source: PO.exeReversingLabs: Detection: 10%
          Source: C:\Users\user\Desktop\PO.exeFile read: C:\Users\user\Desktop\PO.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\PO.exe 'C:\Users\user\Desktop\PO.exe'
          Source: unknownProcess created: C:\Users\user\Desktop\PO.exe C:\Users\user\Desktop\PO.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 1204
          Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\PO.exeProcess created: C:\Users\user\Desktop\PO.exe C:\Users\user\Desktop\PO.exeJump to behavior
          Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO.exe'Jump to behavior
          Source: C:\Users\user\Desktop\PO.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32Jump to behavior
          Source: C:\Users\user\Desktop\PO.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: PO.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: PO.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
          Source: PO.exeStatic file information: File size 2490880 > 1048576
          Source: PO.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x25fe00
          Source: PO.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: System.Core.ni.pdbRSDSD source: WERD2F6.tmp.dmp.5.dr
          Source: Binary string: System.Xml.ni.pdb source: WERD2F6.tmp.dmp.5.dr
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.297582675.000000000E6C0000.00000002.00000001.sdmp
          Source: Binary string: System.ni.pdbRSDS source: WERD2F6.tmp.dmp.5.dr
          Source: Binary string: wntdll.pdbUGP source: PO.exe, 00000003.00000003.267283620.00000000010B0000.00000004.00000001.sdmp, netsh.exe, 00000010.00000002.485583016.00000000036A0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: PO.exe, 00000003.00000003.267283620.00000000010B0000.00000004.00000001.sdmp, netsh.exe
          Source: Binary string: System.Configuration.ni.pdb source: WERD2F6.tmp.dmp.5.dr
          Source: Binary string: mscorlib.ni.pdbRSDS source: WERD2F6.tmp.dmp.5.dr
          Source: Binary string: System.Configuration.pdb source: WERD2F6.tmp.dmp.5.dr
          Source: Binary string: Microsoft.VisualBasic.pdb*p@# source: WERD2F6.tmp.dmp.5.dr
          Source: Binary string: System.Xml.pdb source: WERD2F6.tmp.dmp.5.dr
          Source: Binary string: System.pdb source: WERD2F6.tmp.dmp.5.dr
          Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.297582675.000000000E6C0000.00000002.00000001.sdmp
          Source: Binary string: System.Xml.pdbH'g source: WERD2F6.tmp.dmp.5.dr
          Source: Binary string: System.Core.ni.pdb source: WERD2F6.tmp.dmp.5.dr
          Source: Binary string: Microsoft.VisualBasic.pdb source: WERD2F6.tmp.dmp.5.dr
          Source: Binary string: System.Windows.Forms.pdb source: WERD2F6.tmp.dmp.5.dr
          Source: Binary string: mscorlib.pdb source: WERD2F6.tmp.dmp.5.dr
          Source: Binary string: System.Core.pdb9 source: WERD2F6.tmp.dmp.5.dr
          Source: Binary string: netsh.pdb source: PO.exe, 00000003.00000002.315870877.0000000002F30000.00000040.00000001.sdmp
          Source: Binary string: mscorlib.ni.pdb source: WERD2F6.tmp.dmp.5.dr
          Source: Binary string: netsh.pdbGCTL source: PO.exe, 00000003.00000002.315870877.0000000002F30000.00000040.00000001.sdmp
          Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WERD2F6.tmp.dmp.5.dr
          Source: Binary string: System.Core.pdb source: WERD2F6.tmp.dmp.5.dr
          Source: Binary string: System.Xml.ni.pdbRSDS source: WERD2F6.tmp.dmp.5.dr
          Source: Binary string: System.ni.pdb source: WERD2F6.tmp.dmp.5.dr
          Source: C:\Users\user\Desktop\PO.exe | Code function: 3_2_0041D0D2 push eax; ret | 3_2_0041D0D8
          Source: C:\Users\user\Desktop\PO.exe | Code function: 3_2_0041D0DB push eax; ret | 3_2_0041D142
          Source: C:\Users\user\Desktop\PO.exe | Code function: 3_2_0040D8E6 push ecx; retf | 3_2_0040D8EE
          Source: C:\Users\user\Desktop\PO.exe | Code function: 3_2_0041D085 push eax; ret | 3_2_0041D0D8
          Source: C:\Users\user\Desktop\PO.exe | Code function: 3_2_0041D13C push eax; ret | 3_2_0041D142
          Source: C:\Users\user\Desktop\PO.exe | Code function: 3_2_0040EC2D push edx; iretd | 3_2_0040EC2F
          Source: C:\Users\user\Desktop\PO.exe | Code function: 3_2_006F0218 push AA20259Ch; retn 0000h | 3_2_006F02C5
          Source: C:\Users\user\Desktop\PO.exe | Code function: 3_2_006F02C8 push B120259Ch; retn 0000h | 3_2_006F0313
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0371D0D1 push ecx; ret | 16_2_0371D0E4
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_02DCD0DB push eax; ret | 16_2_02DCD142
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_02DCD0D2 push eax; ret | 16_2_02DCD0D8
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_02DBD8E6 push ecx; retf | 16_2_02DBD8EE
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_02DCD085 push eax; ret | 16_2_02DCD0D8
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_02DCD13C push eax; ret | 16_2_02DCD142
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_02DBEC2D push edx; iretd | 16_2_02DBEC2F

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x80 0x0E 0xE7
          Source: C:\Windows\SysWOW64\WerFault.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
          Source: C:\Users\user\Desktop\PO.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\PO.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\PO.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\netsh.exe | RDTSC instruction interceptor: First address: 0000000002DB98E4 second address: 0000000002DB98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\netsh.exe | RDTSC instruction interceptor: First address: 0000000002DB9B5E second address: 0000000002DB9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\PO.exe | Code function: 3_2_00409A90 rdtsc | 3_2_00409A90
          Source: C:\Windows\explorer.exe TID: 3596 | Thread sleep time: -50000s >= -30000s
          Source: C:\Windows\SysWOW64\netsh.exe TID: 1328 | Thread sleep time: -36000s >= -30000s
          Source: C:\Windows\SysWOW64\WerFault.exe | File opened: PhysicalDrive0
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\netsh.exe | Last function: Thread delayed
          Source: explorer.exe, 00000006.00000000.286114617.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000006.00000000.286114617.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: explorer.exe, 00000006.00000000.285548658.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000006.00000000.285912938.0000000008640000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.280827283.00000000055D0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: explorer.exe, 00000006.00000000.286114617.000000000871F000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000006.00000000.286114617.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000006.00000000.286194290.00000000087D1000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00ices
          Source: explorer.exe, 00000006.00000000.280856309.0000000005603000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000006.00000000.285548658.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000006.00000000.285548658.0000000008220000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000006.00000000.285548658.0000000008220000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\PO.exe | Process information queried: ProcessInformation

          Anti Debugging:

          Hides threads from debuggers
          Source: C:\Users\user\Desktop\PO.exe | Thread information set: HideFromDebugger
          Source: C:\Users\user\Desktop\PO.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\netsh.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\PO.exe | Code function: 3_2_00409A90 rdtsc | 3_2_00409A90
          Source: C:\Users\user\Desktop\PO.exe | Code function: 3_2_0040ACD0 LdrLoadDll, | 3_2_0040ACD0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036CDB60 mov ecx, dword ptr fs:[00000030h] | 16_2_036CDB60
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036DFF60 mov eax, dword ptr fs:[00000030h] | 16_2_036DFF60
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03798F6A mov eax, dword ptr fs:[00000030h] | 16_2_03798F6A
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036F3B7A mov eax, dword ptr fs:[00000030h] | 16_2_036F3B7A
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03798B58 mov eax, dword ptr fs:[00000030h] | 16_2_03798B58
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036CDB40 mov eax, dword ptr fs:[00000030h] | 16_2_036CDB40
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036DEF40 mov eax, dword ptr fs:[00000030h] | 16_2_036DEF40
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036CF358 mov eax, dword ptr fs:[00000030h] | 16_2_036CF358
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036C4F2E mov eax, dword ptr fs:[00000030h] | 16_2_036C4F2E
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036FE730 mov eax, dword ptr fs:[00000030h] | 16_2_036FE730
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036FA70E mov eax, dword ptr fs:[00000030h] | 16_2_036FA70E
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0378131B mov eax, dword ptr fs:[00000030h] | 16_2_0378131B
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0375FF10 mov eax, dword ptr fs:[00000030h] | 16_2_0375FF10
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0379070D mov eax, dword ptr fs:[00000030h] | 16_2_0379070D
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036EF716 mov eax, dword ptr fs:[00000030h] | 16_2_036EF716
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_037037F5 mov eax, dword ptr fs:[00000030h] | 16_2_037037F5
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036EDBE9 mov eax, dword ptr fs:[00000030h] | 16_2_036EDBE9
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036F03E2 mov eax, dword ptr fs:[00000030h] | 16_2_036F03E2
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_037453CA mov eax, dword ptr fs:[00000030h] | 16_2_037453CA
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036F4BAD mov eax, dword ptr fs:[00000030h] | 16_2_036F4BAD
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03795BA5 mov eax, dword ptr fs:[00000030h] | 16_2_03795BA5
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03747794 mov eax, dword ptr fs:[00000030h] | 16_2_03747794
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036D1B8F mov eax, dword ptr fs:[00000030h] | 16_2_036D1B8F
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0378138A mov eax, dword ptr fs:[00000030h] | 16_2_0378138A
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0377D380 mov ecx, dword ptr fs:[00000030h] | 16_2_0377D380
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036F2397 mov eax, dword ptr fs:[00000030h] | 16_2_036F2397
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036D8794 mov eax, dword ptr fs:[00000030h] | 16_2_036D8794
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036FB390 mov eax, dword ptr fs:[00000030h] | 16_2_036FB390
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036D766D mov eax, dword ptr fs:[00000030h] | 16_2_036D766D
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0370927A mov eax, dword ptr fs:[00000030h] | 16_2_0370927A
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0377B260 mov eax, dword ptr fs:[00000030h] | 16_2_0377B260
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03798A62 mov eax, dword ptr fs:[00000030h] | 16_2_03798A62
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036EAE73 mov eax, dword ptr fs:[00000030h] | 16_2_036EAE73
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03754257 mov eax, dword ptr fs:[00000030h] | 16_2_03754257
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036C9240 mov eax, dword ptr fs:[00000030h] | 16_2_036C9240
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036D7E41 mov eax, dword ptr fs:[00000030h] | 16_2_036D7E41
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0377FE3F mov eax, dword ptr fs:[00000030h] | 16_2_0377FE3F
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036CE620 mov eax, dword ptr fs:[00000030h] | 16_2_036CE620
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03704A2C mov eax, dword ptr fs:[00000030h] | 16_2_03704A2C
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036D8A0A mov eax, dword ptr fs:[00000030h] | 16_2_036D8A0A
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036CC600 mov eax, dword ptr fs:[00000030h] | 16_2_036CC600
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036F8E00 mov eax, dword ptr fs:[00000030h] | 16_2_036F8E00
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03781608 mov eax, dword ptr fs:[00000030h] | 16_2_03781608
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036E3A1C mov eax, dword ptr fs:[00000030h] | 16_2_036E3A1C
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036FA61C mov eax, dword ptr fs:[00000030h] | 16_2_036FA61C
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036CAA16 mov eax, dword ptr fs:[00000030h] | 16_2_036CAA16
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036C5210 mov eax, dword ptr fs:[00000030h] | 16_2_036C5210
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036C5210 mov ecx, dword ptr fs:[00000030h] | 16_2_036C5210
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036F2AE4 mov eax, dword ptr fs:[00000030h] | 16_2_036F2AE4
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036F16E0 mov ecx, dword ptr fs:[00000030h] | 16_2_036F16E0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036D76E2 mov eax, dword ptr fs:[00000030h] | 16_2_036D76E2
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036F36CC mov eax, dword ptr fs:[00000030h] | 16_2_036F36CC
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036F2ACB mov eax, dword ptr fs:[00000030h] | 16_2_036F2ACB
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03798ED6 mov eax, dword ptr fs:[00000030h] | 16_2_03798ED6
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0377FEC0 mov eax, dword ptr fs:[00000030h] | 16_2_0377FEC0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03708EC7 mov eax, dword ptr fs:[00000030h] | 16_2_03708EC7
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036C52A5 mov eax, dword ptr fs:[00000030h] | 16_2_036C52A5
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_037446A7 mov eax, dword ptr fs:[00000030h] | 16_2_037446A7
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03790EA5 mov eax, dword ptr fs:[00000030h] | 16_2_03790EA5
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_036DAAB0 mov eax, dword ptr fs:[00000030h] | 16_2_036DAAB0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036FFAB0 mov eax, dword ptr fs:[00000030h]16_2_036FFAB0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_0375FE87 mov eax, dword ptr fs:[00000030h]16_2_0375FE87
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036FD294 mov eax, dword ptr fs:[00000030h]16_2_036FD294
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036FD294 mov eax, dword ptr fs:[00000030h]16_2_036FD294
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036CC962 mov eax, dword ptr fs:[00000030h]16_2_036CC962
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036EC577 mov eax, dword ptr fs:[00000030h]16_2_036EC577
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036EC577 mov eax, dword ptr fs:[00000030h]16_2_036EC577
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036CB171 mov eax, dword ptr fs:[00000030h]16_2_036CB171
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036CB171 mov eax, dword ptr fs:[00000030h]16_2_036CB171
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036EB944 mov eax, dword ptr fs:[00000030h]16_2_036EB944
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036EB944 mov eax, dword ptr fs:[00000030h]16_2_036EB944
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_03703D43 mov eax, dword ptr fs:[00000030h]16_2_03703D43
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_03743540 mov eax, dword ptr fs:[00000030h]16_2_03743540
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036E7D50 mov eax, dword ptr fs:[00000030h]16_2_036E7D50
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_0374A537 mov eax, dword ptr fs:[00000030h]16_2_0374A537
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_03798D34 mov eax, dword ptr fs:[00000030h]16_2_03798D34
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036E4120 mov eax, dword ptr fs:[00000030h]16_2_036E4120
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036E4120 mov eax, dword ptr fs:[00000030h]16_2_036E4120
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036E4120 mov eax, dword ptr fs:[00000030h]16_2_036E4120
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036E4120 mov eax, dword ptr fs:[00000030h]16_2_036E4120
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036E4120 mov ecx, dword ptr fs:[00000030h]16_2_036E4120
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036F4D3B mov eax, dword ptr fs:[00000030h]16_2_036F4D3B
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036F4D3B mov eax, dword ptr fs:[00000030h]16_2_036F4D3B
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036F4D3B mov eax, dword ptr fs:[00000030h]16_2_036F4D3B
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036F513A mov eax, dword ptr fs:[00000030h]16_2_036F513A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036F513A mov eax, dword ptr fs:[00000030h]16_2_036F513A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036D3D34 mov eax, dword ptr fs:[00000030h]16_2_036D3D34
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036D3D34 mov eax, dword ptr fs:[00000030h]16_2_036D3D34
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036D3D34 mov eax, dword ptr fs:[00000030h]16_2_036D3D34
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036D3D34 mov eax, dword ptr fs:[00000030h]16_2_036D3D34
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036D3D34 mov eax, dword ptr fs:[00000030h]16_2_036D3D34
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036D3D34 mov eax, dword ptr fs:[00000030h]16_2_036D3D34
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036D3D34 mov eax, dword ptr fs:[00000030h]16_2_036D3D34
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036D3D34 mov eax, dword ptr fs:[00000030h]16_2_036D3D34
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036D3D34 mov eax, dword ptr fs:[00000030h]16_2_036D3D34
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036D3D34 mov eax, dword ptr fs:[00000030h]16_2_036D3D34
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036D3D34 mov eax, dword ptr fs:[00000030h]16_2_036D3D34
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036D3D34 mov eax, dword ptr fs:[00000030h]16_2_036D3D34
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036D3D34 mov eax, dword ptr fs:[00000030h]16_2_036D3D34
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036CAD30 mov eax, dword ptr fs:[00000030h]16_2_036CAD30
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036C9100 mov eax, dword ptr fs:[00000030h]16_2_036C9100
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036C9100 mov eax, dword ptr fs:[00000030h]16_2_036C9100
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036C9100 mov eax, dword ptr fs:[00000030h]16_2_036C9100
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_03778DF1 mov eax, dword ptr fs:[00000030h]16_2_03778DF1
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036CB1E1 mov eax, dword ptr fs:[00000030h]16_2_036CB1E1
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036CB1E1 mov eax, dword ptr fs:[00000030h]16_2_036CB1E1
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036CB1E1 mov eax, dword ptr fs:[00000030h]16_2_036CB1E1
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036DD5E0 mov eax, dword ptr fs:[00000030h]16_2_036DD5E0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036DD5E0 mov eax, dword ptr fs:[00000030h]16_2_036DD5E0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_037541E8 mov eax, dword ptr fs:[00000030h]16_2_037541E8
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_03746DC9 mov eax, dword ptr fs:[00000030h]16_2_03746DC9
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_03746DC9 mov eax, dword ptr fs:[00000030h]16_2_03746DC9
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_03746DC9 mov eax, dword ptr fs:[00000030h]16_2_03746DC9
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_03746DC9 mov ecx, dword ptr fs:[00000030h]16_2_03746DC9
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_03746DC9 mov eax, dword ptr fs:[00000030h]16_2_03746DC9
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_03746DC9 mov eax, dword ptr fs:[00000030h]16_2_03746DC9
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_037451BE mov eax, dword ptr fs:[00000030h]16_2_037451BE
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_037451BE mov eax, dword ptr fs:[00000030h]16_2_037451BE
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_037451BE mov eax, dword ptr fs:[00000030h]16_2_037451BE
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_037451BE mov eax, dword ptr fs:[00000030h]16_2_037451BE
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036F35A1 mov eax, dword ptr fs:[00000030h]16_2_036F35A1
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036F61A0 mov eax, dword ptr fs:[00000030h]16_2_036F61A0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036F61A0 mov eax, dword ptr fs:[00000030h]16_2_036F61A0
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_037469A6 mov eax, dword ptr fs:[00000030h]16_2_037469A6
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_037905AC mov eax, dword ptr fs:[00000030h]16_2_037905AC
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_037905AC mov eax, dword ptr fs:[00000030h]16_2_037905AC
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036F1DB5 mov eax, dword ptr fs:[00000030h]16_2_036F1DB5
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036F1DB5 mov eax, dword ptr fs:[00000030h]16_2_036F1DB5
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036F1DB5 mov eax, dword ptr fs:[00000030h]16_2_036F1DB5
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036C2D8A mov eax, dword ptr fs:[00000030h]16_2_036C2D8A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036C2D8A mov eax, dword ptr fs:[00000030h]16_2_036C2D8A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036C2D8A mov eax, dword ptr fs:[00000030h]16_2_036C2D8A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036C2D8A mov eax, dword ptr fs:[00000030h]16_2_036C2D8A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036C2D8A mov eax, dword ptr fs:[00000030h]16_2_036C2D8A
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036FA185 mov eax, dword ptr fs:[00000030h]16_2_036FA185
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036EC182 mov eax, dword ptr fs:[00000030h]16_2_036EC182
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036F2581 mov eax, dword ptr fs:[00000030h]16_2_036F2581
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036F2581 mov eax, dword ptr fs:[00000030h]16_2_036F2581
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036F2581 mov eax, dword ptr fs:[00000030h]16_2_036F2581
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036F2581 mov eax, dword ptr fs:[00000030h]16_2_036F2581
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036FFD9B mov eax, dword ptr fs:[00000030h]16_2_036FFD9B
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036FFD9B mov eax, dword ptr fs:[00000030h]16_2_036FFD9B
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036F2990 mov eax, dword ptr fs:[00000030h]16_2_036F2990
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036E746D mov eax, dword ptr fs:[00000030h]16_2_036E746D
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_03782073 mov eax,
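Every row above is the same primitive: a 32-bit (WOW64) read of fs:[30h], the TEB field that holds the PEB pointer. Code that has just loaded the PEB typically goes on to test PEB.BeingDebugged (offset 2) or to walk PEB.Ldr for manual API resolution, which is why the sandbox reports the read as "Contains functionality to read the PEB". The following is an added example written for this page, not part of the Joe Sandbox output or of the sample: a small scanner that locates the two common encodings of `mov r32, dword ptr fs:[disp32]` in raw code bytes and names the TEB field being read, plus a parser for the report's own "Code function" rows that counts PEB reads per function. It goes slightly beyond the rows above in that it reports any fs-relative absolute read (fs:[0], fs:[18h], fs:[30h]), not only offset 30h. The code bytes and the report lines fed to it are constructed for the example (the report lines copy the row format used on this page).

```python
"""Find 32-bit x86 reads through the FS segment (TEB/PEB access) in raw code bytes,
and summarise rows in the sandbox report's 'Code function' format.

Added example for this report page; not Joe Sandbox code. SAMPLE_CODE and
SAMPLE_REPORT_LINES are constructed inputs for illustration.
"""
import re
from collections import Counter

# Well-known TEB field offsets for 32-bit (WOW64) code, where FS points at the TEB.
TEB_OFFSETS = {
    0x00: "NtTib.ExceptionList (SEH chain)",
    0x18: "NtTib.Self (TEB pointer)",
    0x30: "ProcessEnvironmentBlock (PEB)",
}

# 32-bit general-purpose registers indexed by the ModRM 'reg' field.
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def find_fs_reads(code: bytes):
    """Return [(offset_in_code, register, fs_displacement)] for every
    'mov r32, dword ptr fs:[disp32]' in code.

    Encodings handled:
      64 A1 <disp32>          mov eax, fs:[disp32]   (moffs32 short form)
      64 8B <modrm> <disp32>  mov r32, fs:[disp32]   (ModRM mod=00, rm=101)
    Register-relative forms such as fs:[ebp+30h] are deliberately not matched.
    """
    hits = []
    i, n = 0, len(code)
    while i < n - 1:
        if code[i] != 0x64:            # 0x64 is the FS segment-override prefix
            i += 1
            continue
        op = code[i + 1]
        if op == 0xA1 and i + 6 <= n:
            disp = int.from_bytes(code[i + 2:i + 6], "little")
            hits.append((i, "eax", disp))
            i += 6
            continue
        if op == 0x8B and i + 7 <= n:
            modrm = code[i + 2]
            mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
            if mod == 0 and rm == 5:   # absolute disp32, no base register
                disp = int.from_bytes(code[i + 3:i + 7], "little")
                hits.append((i, REG32[reg], disp))
                i += 7
                continue
        i += 1
    return hits


def describe(hits):
    """Attach the TEB field name (or a raw fs:[...] label) to each hit."""
    return [(off, reg, TEB_OFFSETS.get(disp, f"fs:[{disp:#x}]")) for off, reg, disp in hits]


# One row of the report, as it appears on this page: the function id is repeated at the
# end of the row (the report's link column); the parser tolerates and drops it.
LINE_RE = re.compile(
    r"Source:\s*(?P<src>.+?)\s*Code function:\s*"
    r"(?P<fn>\d+_\d+_[0-9A-Fa-f]+)\s+(?P<instr>.+?)(?:\s*(?P=fn))?\s*$"
)


def count_peb_reads(lines):
    """Count fs:[00000030h] reads per function id across report rows."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and "fs:[00000030h]" in m.group("instr"):
            counts[m.group("fn")] += 1
    return counts


# Constructed code bytes: two PEB reads, one TEB.Self read, one register-relative
# read that must be ignored, and a BeingDebugged fetch following the first PEB read.
SAMPLE_CODE = bytes.fromhex(
    "64A130000000"      # mov eax, dword ptr fs:[30h]      ; PEB
    "0FB64002"          # movzx eax, byte ptr [eax+2]     ; PEB.BeingDebugged
    "648B0D30000000"    # mov ecx, dword ptr fs:[30h]      ; PEB
    "648B1518000000"    # mov edx, dword ptr fs:[18h]      ; TEB.Self
    "648B4530"          # mov eax, dword ptr fs:[ebp+30h]  ; not an absolute TEB read
    "90909090C3"        # nops ; ret
)

# Constructed rows in the page's own format (ids taken from the rows above).
SAMPLE_REPORT_LINES = [
    r"Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036C5210 mov eax, dword ptr fs:[00000030h]16_2_036C5210",
    r"Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036C5210 mov ecx, dword ptr fs:[00000030h]16_2_036C5210",
    r"Source: C:\Windows\SysWOW64\netsh.exeCode function: 16_2_036F16E0 mov ecx, dword ptr fs:[00000030h]16_2_036F16E0",
]

if __name__ == "__main__":
    for off, reg, what in describe(find_fs_reads(SAMPLE_CODE)):
        print(f"+{off:#06x}: mov {reg}, {what}")
    for fn, n in count_peb_reads(SAMPLE_REPORT_LINES).items():
        print(f"{fn}: {n} PEB read(s)")
```

The scanner covers only the two `mov` encodings; `push dword ptr fs:[30h]` (64 FF 35 ...) and the x64 equivalent `gs:[60h]` are not decoded. On its own a PEB read is not evidence of malice, since compiler-generated SEH setup and runtime code read fs:[0] and fs:[30h] too; it carries weight here because the functions live in netsh.exe, which the rest of this report shows being used as an injection host.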