
Analysis Report Order_list.xlsx.exe

Overview

General Information

Sample Name: Order_list.xlsx.exe
Analysis ID: 297040
MD5: 35fece9013d71160b7de39d8e707744e
SHA1: a45ddca5b8e7ff333fd777c22479c73851311f5a
SHA256: a5395444a0887fa24ce76d37dcbb4d9482128afe323dba12fa1d2db339af2691
Tags: exe, GuLoader

Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contain functionality to detect virtual machines
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Order_list.xlsx.exe (PID: 5880 cmdline: 'C:\Users\user\Desktop\Order_list.xlsx.exe' MD5: 35FECE9013D71160B7DE39D8E707744E)
    • Order_list.xlsx.exe (PID: 5864 cmdline: 'C:\Users\user\Desktop\Order_list.xlsx.exe' MD5: 35FECE9013D71160B7DE39D8E707744E)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.972742542.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security
00000006.00000002.976891131.000000001E150000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000002.976891131.000000001E150000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b2f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c2fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.976891131.000000001E150000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x183d9:$sqlite3step: 68 34 1C 7B E1
  • 0x184ec:$sqlite3step: 68 34 1C 7B E1
  • 0x18408:$sqlite3text: 68 38 2A 90 C5
  • 0x1852d:$sqlite3text: 68 38 2A 90 C5
  • 0x1841b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18543:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: Order_list.xlsx.exe PID: 5880 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Double Extension
Source: Process started | Author: Florian Roth (rule), @blu3_team (idea) | Data: Command: 'C:\Users\user\Desktop\Order_list.xlsx.exe', CommandLine: 'C:\Users\user\Desktop\Order_list.xlsx.exe', CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\Order_list.xlsx.exe, NewProcessName: C:\Users\user\Desktop\Order_list.xlsx.exe, OriginalFileName: C:\Users\user\Desktop\Order_list.xlsx.exe, ParentCommandLine: 'C:\Users\user\Desktop\Order_list.xlsx.exe', ParentImage: C:\Users\user\Desktop\Order_list.xlsx.exe, ParentProcessId: 5880, ProcessCommandLine: 'C:\Users\user\Desktop\Order_list.xlsx.exe', ProcessId: 5864

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: Order_list.xlsx.exe | Virustotal: Detection: 27%
Yara detected FormBook
Source: Yara match | File source: 00000006.00000002.976891131.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: 0.0.Order_list.xlsx.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 0.2.Order_list.xlsx.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 6.0.Order_list.xlsx.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: unknown | DNS traffic detected: queries for: onedrive.live.com
Source: Order_list.xlsx.exe, 00000006.00000003.919830181.00000000008C9000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: explorer.exe, 00000007.00000000.942952085.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Order_list.xlsx.exe, 00000006.00000003.919830181.00000000008C9000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: Order_list.xlsx.exe, 00000006.00000003.919830181.00000000008C9000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: explorer.exe, 00000007.00000000.925196746.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000007.00000000.942952085.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000007.00000000.942952085.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000007.00000000.942952085.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000007.00000000.942952085.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000007.00000000.942952085.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000007.00000000.942952085.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000007.00000000.942952085.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000007.00000000.942952085.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000007.00000000.942952085.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000007.00000000.942952085.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000007.00000000.942952085.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000007.00000000.942952085.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000007.00000000.942952085.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000007.00000000.942952085.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000007.00000000.942952085.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000007.00000000.942952085.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000007.00000000.942952085.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000007.00000000.942952085.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000007.00000000.942952085.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000007.00000000.942952085.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000007.00000000.942952085.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000007.00000000.942952085.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000007.00000000.942952085.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000007.00000000.942952085.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000007.00000000.942952085.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Order_list.xlsx.exe, 00000006.00000002.973307988.00000000008A0000.00000004.00000020.sdmp | String found in binary or memory: https://jjh6bg.by.files.1drv.com/
Source: Order_list.xlsx.exe, 00000006.00000002.973307988.00000000008A0000.00000004.00000020.sdmp | String found in binary or memory: https://jjh6bg.by.files.1drv.com/A
Source: Order_list.xlsx.exe, 00000006.00000002.973307988.00000000008A0000.00000004.00000020.sdmp | String found in binary or memory: https://jjh6bg.by.files.1drv.com/D
Source: Order_list.xlsx.exe, 00000006.00000003.919817287.00000000008AB000.00000004.00000001.sdmp | String found in binary or memory: https://jjh6bg.by.files.1drv.com/U
Source: Order_list.xlsx.exe, 00000006.00000003.919817287.00000000008AB000.00000004.00000001.sdmp | String found in binary or memory: https://jjh6bg.by.files.1drv.com/y4mB_VfqtUUwqoQqbdHH0ZucgpNvdwKbDVahehZTFdwAiSxD1BYMhQo68RDVDqmqje-
Source: Order_list.xlsx.exe, 00000006.00000003.919769894.00000000008F3000.00000004.00000001.sdmp | String found in binary or memory: https://jjh6bg.by.files.1drv.com/y4mikari14E5WRTqA6IDaUpoMUa2ZUI2AxU7FpC9RdHU7ZAtwaRVgoVFv1AC8DKkO9y
Source: Order_list.xlsx.exe, 00000006.00000002.973270246.0000000000868000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/
Source: Order_list.xlsx.exe, 00000006.00000002.973270246.0000000000868000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/V
Source: Order_list.xlsx.exe, 00000006.00000003.919830181.00000000008C9000.00000004.00000001.sdmp, Order_list.xlsx.exe, 00000006.00000003.919902284.00000000008A5000.00000004.00000001.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=5E15857517F5B05A&resid=5E15857517F5B05A%21108&authkey=AAHfzWF
Source: Order_list.xlsx.exe, 00000006.00000003.919830181.00000000008C9000.00000004.00000001.sdmp | String found in binary or memory: https://onedrive.live.s.1drv.com/
Source: Order_list.xlsx.exe, 00000006.00000003.919830181.00000000008C9000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: Order_list.xlsx.exe, 00000000.00000002.768516173.000000000077A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000006.00000002.976891131.000000001E150000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000006.00000002.976891131.000000001E150000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.976891131.000000001E150000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Order_list.xlsx.exe
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_021C1679 NtWriteVirtualMemory,0_2_021C1679
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_021C2CD8 NtResumeThread,0_2_021C2CD8
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_021C0F30 NtSetInformationThread,NtWriteVirtualMemory,TerminateProcess,0_2_021C0F30
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_021C298C NtProtectVirtualMemory,0_2_021C298C
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_021C163C NtWriteVirtualMemory,0_2_021C163C
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_021C242B NtWriteVirtualMemory,0_2_021C242B
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_021C0E50 NtWriteVirtualMemory,0_2_021C0E50
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_021C24C8 NtWriteVirtualMemory,0_2_021C24C8
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_021C255D NtWriteVirtualMemory,0_2_021C255D
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_021C0540 NtSetInformationThread,TerminateProcess,0_2_021C0540
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_021C017D NtSetInformationThread,TerminateProcess,0_2_021C017D
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_021C236E NtWriteVirtualMemory,0_2_021C236E
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_021C118B NtWriteVirtualMemory,0_2_021C118B
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_021C2DAA NtResumeThread,0_2_021C2DAA
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_021C15A6 NtWriteVirtualMemory,0_2_021C15A6
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3F9660 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_1E3F9660
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3F96E0 NtFreeVirtualMemory,LdrInitializeThunk,6_2_1E3F96E0
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3F9780 NtMapViewOfSection,LdrInitializeThunk,6_2_1E3F9780
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3F9860 NtQuerySystemInformation,LdrInitializeThunk,6_2_1E3F9860
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,6_2_1E3F9910
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3F99A0 NtCreateSection,LdrInitializeThunk,6_2_1E3F99A0
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3F95D0 NtClose,LdrInitializeThunk,6_2_1E3F95D0
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3F9A20 NtResumeThread,6_2_1E3F9A20
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3F9610 NtEnumerateValueKey,6_2_1E3F9610
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3F9A10 NtQuerySection,6_2_1E3F9A10
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3F9A00 NtProtectVirtualMemory,6_2_1E3F9A00
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3F9670 NtQueryInformationProcess,6_2_1E3F9670
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3F9A50 NtCreateFile,6_2_1E3F9A50
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3F9650 NtQueryValueKey,6_2_1E3F9650
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3F9A80 NtOpenDirectoryObject,6_2_1E3F9A80
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3F96D0 NtCreateKey,6_2_1E3F96D0
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3F9730 NtQueryVirtualMemory,6_2_1E3F9730
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3FA710 NtOpenProcessToken,6_2_1E3FA710
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3F9710 NtQueryInformationToken,6_2_1E3F9710
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3F9B00 NtSetValueKey,6_2_1E3F9B00
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3F9770 NtSetInformationFile,6_2_1E3F9770
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3FA770 NtOpenThread,6_2_1E3FA770
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3F9760 NtOpenProcess,6_2_1E3F9760
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3FA3B0 NtGetContextThread,6_2_1E3FA3B0
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3F97A0 NtUnmapViewOfSection,6_2_1E3F97A0
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3F9FE0 NtCreateMutant,6_2_1E3F9FE0
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3F9820 NtEnumerateKey,6_2_1E3F9820
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3F9840 NtDelayExecution,6_2_1E3F9840
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3FB040 NtSuspendThread,6_2_1E3FB040
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3F98A0 NtWriteVirtualMemory,6_2_1E3F98A0
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3F98F0 NtReadVirtualMemory,6_2_1E3F98F0
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3FAD30 NtSetContextThread,6_2_1E3FAD30
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3F9520 NtWaitForSingleObject,6_2_1E3F9520
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3F9560 NtWriteFile,6_2_1E3F9560
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3F9950 NtQueueApcThread,6_2_1E3F9950
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3F9540 NtReadFile,6_2_1E3F9540
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3F95F0 NtQueryInformationFile,6_2_1E3F95F0
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3F99D0 NtCreateProcessEx,6_2_1E3F99D0
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_00562CD8 NtSetInformationThread,6_2_00562CD8
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_0056298C NtProtectVirtualMemory,6_2_0056298C
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_00560540 NtSetInformationThread,6_2_00560540
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_0056017D NtSetInformationThread,6_2_0056017D
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_00562DAA NtSetInformationThread,6_2_00562DAA
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_00560F30 NtSetInformationThread,6_2_00560F30
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_00403B80 0_2_00403B80
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3D6E30 6_2_1E3D6E30
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3EEBB0 6_2_1E3EEBB0
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3C841F 6_2_1E3C841F
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E471002 6_2_1E471002
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3CB090 6_2_1E3CB090
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3B0D20 6_2_1E3B0D20
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E481D55 6_2_1E481D55
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3D4120 6_2_1E3D4120
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 6_2_1E3BF900 6_2_1E3BF900
Source: Order_list.xlsx.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Order_list.xlsx.exe, 00000000.00000002.768472887.0000000000760000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Order_list.xlsx.exe
Source: Order_list.xlsx.exe, 00000000.00000002.768205469.000000000040C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameBatteringhande3.exe vs Order_list.xlsx.exe
Source: Order_list.xlsx.exe, 00000000.00000002.769491244.0000000002B70000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameBatteringhande3.exeFE2X vs Order_list.xlsx.exe
Source: Order_list.xlsx.exe, 00000006.00000002.977050607.000000001E4AF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Order_list.xlsx.exe
Source: Order_list.xlsx.exe, 00000006.00000002.973742411.0000000000C50000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Order_list.xlsx.exe
Source: Order_list.xlsx.exe, 00000006.00000002.973823217.0000000002540000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Order_list.xlsx.exe
Source: Order_list.xlsx.exe, 00000006.00000000.767149898.000000000040C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameBatteringhande3.exe vs Order_list.xlsx.exe
Source: Order_list.xlsx.exe | Binary or memory string: OriginalFilenameBatteringhande3.exe vs Order_list.xlsx.exe
Source: 00000006.00000002.976891131.000000001E150000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.976891131.000000001E150000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/0@2/0
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | File created: C:\Users\user\AppData\Local\Temp\~DFC6583DC96329598C.TMP
Source: Order_list.xlsx.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 occurrences)
Source: Order_list.xlsx.exe | Virustotal: Detection: 27%
Source: unknown | Process created: C:\Users\user\Desktop\Order_list.xlsx.exe 'C:\Users\user\Desktop\Order_list.xlsx.exe' (2 occurrences)
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Process created: C:\Users\user\Desktop\Order_list.xlsx.exe 'C:\Users\user\Desktop\Order_list.xlsx.exe'
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000007.00000002.970344725.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Order_list.xlsx.exe, 00000006.00000002.977050607.000000001E4AF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Order_list.xlsx.exe
Source: Binary string: wscui.pdb source: explorer.exe, 00000007.00000002.970344725.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000006.00000002.972742542.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Order_list.xlsx.exe PID: 5880, type: MEMORY
Source: Yara match | File source: Process Memory Space: Order_list.xlsx.exe PID: 5864, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match | File source: Process Memory Space: Order_list.xlsx.exe PID: 5880, type: MEMORY
Source: Yara match | File source: Process Memory Space: Order_list.xlsx.exe PID: 5864, type: MEMORY
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_00407E44 push 00401144h; ret 0_2_00407E57
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_00407E58 push 00401144h; ret 0_2_00407E6B
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_00407E6C push 00401144h; ret 0_2_00407E7F
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_00407E08 push 00401144h; ret 0_2_00407E1B
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_00407E1C push 00401144h; ret 0_2_00407E2F
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_00407E30 push 00401144h; ret 0_2_00407E43
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_00407ED0 push 00401144h; ret 0_2_00407EE3
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_004042DC push ebp; iretw 0_2_00404328
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_00407EE4 push 00401144h; ret 0_2_00407EF7
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_00407EF8 push 00401144h; ret 0_2_00407F0B
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_00407E80 push 00401144h; ret 0_2_00407E93
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_00407E94 push 00401144h; ret 0_2_00407EA7
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_00407EA8 push 00401144h; ret 0_2_00407EBB
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_004042B1 push ebp; iretw 0_2_00404328
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_00407EBC push 00401144h; ret 0_2_00407ECF
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_00407F48 push 00401144h; ret 0_2_00407F5B
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_00407F5C push 00401144h; ret 0_2_00407F6F
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_00407F70 push 00401144h; ret 0_2_00407F83
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_00407F0C push 00401144h; ret 0_2_00407F1F
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_00407F20 push 00401144h; ret 0_2_00407F33
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_00407F34 push 00401144h; ret 0_2_00407F47
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_00407FC0 push 00401144h; ret 0_2_00407FD3
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_00407DCC push 00401144h; ret 0_2_00407DDF
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_00407FD4 push 00401144h; ret 0_2_00407FE7
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_00407DE0 push 00401144h; ret 0_2_00407DF3
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_00407FE8 push 00401144h; ret 0_2_00407FFB
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_00407DF4 push 00401144h; ret 0_2_00407E07
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_00407F84 push 00401144h; ret 0_2_00407F97
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_00407F98 push 00401144h; ret 0_2_00407FAB
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_00407FAC push 00401144h; ret 0_2_00407FBF
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Code function: 0_2_00407DB5 push 00401144h; ret 0_2_00407DCB

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: xlsx.exe | Static PE information: Order_list.xlsx.exe
Source: C:\Users\user\Desktop\Order_list.xlsx.exe | Process information set: NOOPENFILEERRORBOX (9 occurrences)

        Malware Analysis System Evasion:

        Contains functionality to detect virtual machines
        Source: C:\Users\user\Desktop\Order_list.xlsx.exe Code function: C:\Program Files\Qemu-ga\qemu-ga.exe C:\Program Files\Qemu-ga\qemu-ga.exe 0_2_021C163C
        Detected RDTSC dummy instruction sequence (likely for instruction hammering)
        Source: C:\Users\user\Desktop\Order_list.xlsx.exe RDTSC instruction interceptor: First address: 00000000021C2505 second address: 00000000021C2505 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F7318FA3D48h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f pop ecx 0x00000020 test ebx, eax 0x00000022 add edi, edx 0x00000024 dec ecx 0x00000025 cmp ecx, 00000000h 0x00000028 jne 00007F7318FA3D31h 0x0000002a push ecx 0x0000002b call 00007F7318FA3D68h 0x00000030 call 00007F7318FA3D5Ah 0x00000035 lfence 0x00000038 mov edx, dword ptr [7FFE0014h] 0x0000003e lfence 0x00000041 ret 0x00000042 mov esi, edx 0x00000044 pushad 0x00000045 rdtsc
        Tries to detect Any.run
        Source: C:\Users\user\Desktop\Order_list.xlsx.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Users\user\Desktop\Order_list.xlsx.exe File opened: C:\Program Files\qga\qga.exe
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: Order_list.xlsx.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
        Tries to detect virtualization through RDTSC time measurements
        Source: C:\Users\user\Desktop\Order_list.xlsx.exe RDTSC instruction interceptor: First address: 00000000021C2536 second address: 00000000021C2536 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F7318F35359h 0x0000001f popad 0x00000020 call 00007F7318F35228h 0x00000025 lfence 0x00000028 rdtsc
        Source: C:\Users\user\Desktop\Order_list.xlsx.exe RDTSC instruction interceptor: First address: 0000000000562536 second address: 0000000000562536 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F7318FA3EE9h 0x0000001f popad 0x00000020 call 00007F7318FA3DB8h 0x00000025 lfence 0x00000028 rdtsc
        Source: C:\Users\user\Desktop\Order_list.xlsx.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Users\user\Desktop\Order_list.xlsx.exe RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Users\user\Desktop\Order_list.xlsx.exe Code function: 0_2_021C2533 rdtsc 0_2_021C2533
        Source: Order_list.xlsx.exe, 00000000.00000002.769607940.0000000003BFA000.00000004.00000001.sdmp, Order_list.xlsx.exe, 00000006.00000002.973854032.000000000260A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
        Source: explorer.exe, 00000007.00000000.934077160.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: Order_list.xlsx.exe, 00000000.00000002.769607940.0000000003BFA000.00000004.00000001.sdmp, Order_list.xlsx.exe, 00000006.00000002.973854032.000000000260A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
        Source: Order_list.xlsx.exe, 00000006.00000002.973270246.0000000000868000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW`Z
        Source: explorer.exe, 00000007.00000000.939212894.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
        Source: Order_list.xlsx.exe, 00000000.00000002.769607940.0000000003BFA000.00000004.00000001.sdmp, Order_list.xlsx.exe, 00000006.00000002.973854032.000000000260A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
        Source: Order_list.xlsx.exe, 00000006.00000003.919817287.00000000008AB000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
        Source: explorer.exe, 00000007.00000000.932809507.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
        Source: explorer.exe, 00000007.00000000.939304845.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
        Source: Order_list.xlsx.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: explorer.exe, 00000007.00000000.934077160.00000000058C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: Order_list.xlsx.exe, 00000000.00000002.769607940.0000000003BFA000.00000004.00000001.sdmp, Order_list.xlsx.exe, 00000006.00000002.973854032.000000000260A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
        Source: explorer.exe, 00000007.00000000.939368687.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
        Source: Order_list.xlsx.exe, 00000000.00000002.769607940.0000000003BFA000.00000004.00000001.sdmp, Order_list.xlsx.exe, 00000006.00000002.973854032.000000000260A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
        Source: Order_list.xlsx.exe, 00000006.00000002.973854032.000000000260A000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
        Source: explorer.exe, 00000007.00000002.970593618.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: Order_list.xlsx.exe, 00000000.00000002.769607940.0000000003BFA000.00000004.00000001.sdmp, Order_list.xlsx.exe, 00000006.00000002.973854032.000000000260A000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
        Source: Order_list.xlsx.exe, 00000006.00000002.973854032.000000000260A000.00000004.00000001.sdmp Binary or memory string: vmicvss
        Source: Order_list.xlsx.exe, 00000006.00000003.919817287.00000000008AB000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWen-USn
        Source: explorer.exe, 00000007.00000000.934077160.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: Order_list.xlsx.exe, 00000000.00000002.769607940.0000000003BFA000.00000004.00000001.sdmp, Order_list.xlsx.exe, 00000006.00000002.973854032.000000000260A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
        Source: Order_list.xlsx.exe, 00000000.00000002.769607940.0000000003BFA000.00000004.00000001.sdmp, Order_list.xlsx.exe, 00000006.00000002.973854032.000000000260A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
        Source: Order_list.xlsx.exe, 00000006.00000002.973854032.000000000260A000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat
        Source: explorer.exe, 00000007.00000000.934077160.00000000058C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\Order_list.xlsx.exe Process information queried: ProcessInformation

        Anti Debugging:

        Contains functionality to hide a thread from the debugger
        Source: C:\Users\user\Desktop\Order_list.xlsx.exe Code function: 0_2_021C0F30 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000 0_2_021C0F30
        Hides threads from debuggers
        Source: C:\Users\user\Desktop\Order_list.xlsx.exe Thread information set: HideFromDebugger
        Source: C:\Users\user\Desktop\Order_list.xlsx.exe Process queried: DebugPort
        Source: C:\Users\user\Desktop\Order_list.xlsx.exe Code function: 0_2_021C2533 rdtsc 0_2_021C2533
        Source: C:\Users\user\Desktop\Order_list.xlsx.exe Code function: 6_2_1E3F967A LdrInitializeThunk, 6_2_1E3F967A
        Source: C:\Users\user\Desktop\Order_list.xlsx.exeCode function: 6_2_1E3B2D8A mov eax, dword ptr fs:[00000030h]6_2_1E3B2D8A
        Source: C:\Users\user\Desktop\Order_list.xlsx.exeCode function: 6_2_1E468DF1 mov eax, dword ptr fs:[00000030h]6_2_1E468DF1
        Source: C:\Users\user\Desktop\Order_list.xlsx.exeCode function: 6_2_1E3EA185 mov eax, dword ptr fs:[00000030h]6_2_1E3EA185
        Source: C:\Users\user\Desktop\Order_list.xlsx.exeCode function: 6_2_1E3DC182 mov eax, dword ptr fs:[00000030h]6_2_1E3DC182
        Source: C:\Users\user\Desktop\Order_list.xlsx.exeCode function: 6_2_1E3BB1E1 mov eax, dword ptr fs:[00000030h]6_2_1E3BB1E1
        Source: C:\Users\user\Desktop\Order_list.xlsx.exeCode function: 6_2_1E3BB1E1 mov eax, dword ptr fs:[00000030h]6_2_1E3BB1E1
        Source: C:\Users\user\Desktop\Order_list.xlsx.exeCode function: 6_2_1E3BB1E1 mov eax, dword ptr fs:[00000030h]6_2_1E3BB1E1
        Source: C:\Users\user\Desktop\Order_list.xlsx.exeCode function: 6_2_00560E50 mov eax, dword ptr fs:[00000030h]6_2_00560E50
        Source: C:\Users\user\Desktop\Order_list.xlsx.exeCode function: 6_2_0056149B mov eax, dword ptr fs:[00000030h]6_2_0056149B
        Source: C:\Users\user\Desktop\Order_list.xlsx.exeCode function: 6_2_005621EC mov eax, dword ptr fs:[00000030h]6_2_005621EC
        Source: C:\Users\user\Desktop\Order_list.xlsx.exeCode function: 6_2_00560A0D mov eax, dword ptr fs:[00000030h]6_2_00560A0D
        Source: C:\Users\user\Desktop\Order_list.xlsx.exeCode function: 6_2_00562712 mov eax, dword ptr fs:[00000030h]6_2_00562712
        Source: C:\Users\user\Desktop\Order_list.xlsx.exeCode function: 6_2_0056271D mov eax, dword ptr fs:[00000030h]6_2_0056271D
        Source: C:\Users\user\Desktop\Order_list.xlsx.exeCode function: 6_2_005623BA mov eax, dword ptr fs:[00000030h]6_2_005623BA
        Source: C:\Users\user\Desktop\Order_list.xlsx.exeProcess token adjusted: DebugJump to behavior
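        Every `mov r32, dword ptr fs:[00000030h]` listed above loads TEB.ProcessEnvironmentBlock, the first step of PEB-based anti-debugging checks such as reading PEB.BeingDebugged (offset 2) or PEB.NtGlobalFlag (offset 0x68 on x86). The following Python is an added example and not part of the Joe Sandbox report: it scans raw 32-bit code for every direct encoding of that read (the short MOV EAX form and the general MOV r32 form for all eight registers) and reports hits as addresses, which is the same evidence the sandbox lists per function. The sample bytes are hand-assembled for the example, and the base address 0x1E3C3D34 is borrowed from the report only so the output resembles its addresses; it is not a claim about what sits there in the real sample.

```python
import re
from typing import Dict, List, Tuple

# 32-bit x86 encodings of a direct PEB read. TEB.ProcessEnvironmentBlock sits at
# fs:[0x30] on x86 Windows, so any "mov r32, dword ptr fs:[30h]" is a candidate.
# Two encodings exist: the short moffs32 form of MOV EAX (opcode 0xA1) and the
# general MOV r32, r/m32 form (0x8B) with a ModRM byte selecting [disp32]
# (mod=00, rm=101). Both carry the 0x64 FS segment override in front.
FS_OVERRIDE = b"\x64"
PEB_DISP32 = (0x30).to_bytes(4, "little")
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def peb_read_patterns() -> Dict[bytes, str]:
    """Byte pattern -> disassembly for every direct fs:[30h] read into a 32-bit register."""
    pats = {FS_OVERRIDE + b"\xa1" + PEB_DISP32: "mov eax, dword ptr fs:[00000030h]"}
    for idx, reg in enumerate(REGS32):
        modrm = bytes([(idx << 3) | 0x05])  # reg field = idx, r/m = [disp32]
        pats[FS_OVERRIDE + b"\x8b" + modrm + PEB_DISP32] = f"mov {reg}, dword ptr fs:[00000030h]"
    return pats


def find_peb_reads(code: bytes, base: int = 0) -> List[Tuple[int, str]]:
    """Return (address, disassembly) for each direct PEB read found in `code`, sorted by address."""
    hits: List[Tuple[int, str]] = []
    for pattern, text in peb_read_patterns().items():
        for m in re.finditer(re.escape(pattern), code):
            hits.append((base + m.start(), text))
    return sorted(hits)


# Constructed sample, not bytes taken from the analysed file: two hand-assembled
# anti-debug checks of the kind the report flags, with filler instructions around them.
SAMPLE_CODE = bytes.fromhex(
    "90 90"                  # nop; nop
    "64 A1 30 00 00 00"      # mov eax, dword ptr fs:[30h]    ; PEB
    "0F B6 40 02"            # movzx eax, byte ptr [eax+2]    ; PEB.BeingDebugged
    "85 C0"                  # test eax, eax
    "75 10"                  # jnz <debugger present>
    "64 8B 0D 30 00 00 00"   # mov ecx, dword ptr fs:[30h]    ; PEB
    "8B 41 68"               # mov eax, dword ptr [ecx+68h]   ; PEB.NtGlobalFlag (x86)
    "A9 70 00 00 00"         # test eax, 70h                  ; heap-debug flags set by a debugger
    "75 05"                  # jnz <debugger present>
    "C3"                     # ret
)
SAMPLE_BASE = 0x1E3C3D34  # assumed load address, used only so hits look like the report's


def scan_sample() -> List[Tuple[int, str]]:
    """Scan the constructed sample; expected: one EAX hit at +2 and one ECX hit at +16."""
    return find_peb_reads(SAMPLE_CODE, SAMPLE_BASE)


if __name__ == "__main__":
    for addr, text in scan_sample():
        print(f"{addr:08X}  {text}")
```

        The scan is a raw byte match, so a hit in a data section or in the middle of a longer instruction is possible; confirm each address by disassembling there. It also only catches the direct form the report shows. Code that reaches the PEB indirectly (loading the TEB self-pointer from fs:[18h] and dereferencing +0x30) or 64-bit code (gs:[60h]) needs additional patterns, which this example deliberately leaves out.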

        HIPS / PFW / Operating System Protection Evasion:

        Maps a DLL or memory area into another process
        Source: C:\Users\user\Desktop\Order_list.xlsx.exe, Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
        Source: C:\Users\user\Desktop\Order_list.xlsx.exe, Process created: C:\Users\user\Desktop\Order_list.xlsx.exe 'C:\Users\user\Desktop\Order_list.xlsx.exe'
        Source: explorer.exe, 00000007.00000000.923801884.0000000000AD8000.00000004.00000020.sdmp, Binary or memory string: ProgmanMD6
        Source: Order_list.xlsx.exe, 00000006.00000002.973760679.0000000000FF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000002.955830416.0000000001080000.00000002.00000001.sdmp, Binary or memory string: Program Manager
        Source: Order_list.xlsx.exe, 00000006.00000002.973760679.0000000000FF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.934621362.0000000005E50000.00000004.00000001.sdmp, Binary or memory string: Shell_TrayWnd
        Source: Order_list.xlsx.exe, 00000006.00000002.973760679.0000000000FF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000002.955830416.0000000001080000.00000002.00000001.sdmp, Binary or memory string: Progman
        Source: Order_list.xlsx.exe, 00000006.00000002.973760679.0000000000FF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000002.955830416.0000000001080000.00000002.00000001.sdmp, Binary or memory string: Progmanlock
        Source: explorer.exe, 00000007.00000000.939304845.000000000A716000.00000004.00000001.sdmp, Binary or memory string: Shell_TrayWnd5D

        Stealing of Sensitive Information:

        Yara detected FormBook
        Source: Yara match, File source: 00000006.00000002.976891131.000000001E150000.00000040.00000001.sdmp, type: MEMORY
        Yara detected Generic Dropper
        Source: Yara match, File source: Process Memory Space: Order_list.xlsx.exe PID: 5864, type: MEMORY

        Remote Access Functionality:

        Yara detected FormBook
        Source: Yara match, File source: 00000006.00000002.976891131.000000001E150000.00000040.00000001.sdmp, type: MEMORY

        Mitre Att&ck Matrix

        Techniques are grouped by tactic column. Techniques that matched signatures carry the report's hit counts in parentheses; the remaining entries are the matrix's unmatched placeholders.

        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
        Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron
        Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
        Privilege Escalation: Process Injection (1 1 2); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
        Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (3 1); Process Injection (1 1 2); Obfuscated Files or Information (1 1); Software Packing (1)
        Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets
        Discovery: Security Software Discovery (7 2 1); Virtualization/Sandbox Evasion (3 1); Process Discovery (2); Remote System Discovery (1); System Information Discovery (2 1)
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
        Collection: Input Capture (1); Archive Collected Data (1); Data from Network Shared Drive; Input Capture; Keylogging
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
        Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels
        Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
        Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
        Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings

        Behavior Graph

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet

        Screenshots