Analysis Report Cont-024.xls.exe

Overview

General Information

Sample Name: Cont-024.xls.exe
Analysis ID: 298053
MD5: 98ec62a875ec70797f2ea35d2ebfabaa
SHA1: 240e89e8a2499d8c2ba4770730d274b624eb2b12
SHA256: 3b6bd50cbfa7f874757c7d87f02efa24ab2b8bf1eaa18d0abbc3dfd25e2ecc15
Tags: exe, GuLoader

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Uses netsh to modify the Windows network and firewall settings
Yara detected VB6 Downloader Generic
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Cont-024.xls.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: Cont-024.xls.exe Virustotal: Detection: 34%
Source: Cont-024.xls.exe ReversingLabs: Detection: 33%
Yara detected FormBook
Source: Yara match File source: 00000003.00000002.365236576.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.370576629.000000001E140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.513869783.0000000002E40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.513794763.0000000002E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.512373719.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 0.0.Cont-024.xls.exe.400000.0.unpack Avira: Label: TR/Dropper.VB.Gen
Source: 3.0.Cont-024.xls.exe.400000.0.unpack Avira: Label: TR/Dropper.VB.Gen
Source: 0.2.Cont-024.xls.exe.400000.0.unpack Avira: Label: TR/Dropper.VB.Gen
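The FormBook hits above are reported as memory-dump identifiers rather than files, and the useful triage fact is hidden in the encoded fields: which process the match lives in and what page protection the region had. The helper below is an added example, not part of this report or of any sandbox vendor's tooling. The field layout it assumes is read off the identifiers as they appear here (process index, dump pass, dump id, base address, page protection, region type); the page-protection values are the standard Windows PAGE_* constants, and the process-index-to-image mapping is taken from this report's own source prefixes (0 and 3 for Cont-024.xls.exe, 0x10 for netsh.exe, 0xC for explorer.exe) and is an assumption for any other report.

```python
"""Decode the memory-dump identifiers behind the YARA hits above and flag the
regions that look like injected or unpacked code.

Added example, not part of this report or of any sandbox vendor's tooling.
Assumed field layout, read off the identifiers as they appear in this report:
  <process index>.<dump pass>.<dump id>.<base address>.<page protection>.<region type>.sdmp
Page-protection values are the standard Windows PAGE_* constants (winnt.h).
"""
import re
from dataclasses import dataclass

PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_GUARD = 0x100
EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80
WRITE_MASK = 0x04 | 0x08 | 0x40 | 0x80

# Process index -> image name, taken from this report's source prefixes
# (an assumption for any other report).
PROCESS_IMAGES = {0: "Cont-024.xls.exe", 3: "Cont-024.xls.exe",
                  12: "explorer.exe", 16: "netsh.exe"}

DUMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<dump_pass>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<rtype>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    process_index: int
    image: str
    base: int
    protect: int
    region_type: int

    @property
    def protection_name(self) -> str:
        name = PAGE_PROTECTION.get(self.protect & 0xFF, f"0x{self.protect & 0xFF:02x}")
        return name + ("|PAGE_GUARD" if self.protect & PAGE_GUARD else "")

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXECUTE_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protect & WRITE_MASK)


def parse_dump_id(identifier: str) -> DumpRegion:
    """Split one '<pid>.<pass>.<id>.<base>.<protect>.<type>.sdmp' name into fields."""
    m = DUMP_RE.match(identifier.strip())
    if not m:
        raise ValueError(f"not a memory dump identifier: {identifier!r}")
    pid = int(m["pid"], 16)
    return DumpRegion(process_index=pid,
                      image=PROCESS_IMAGES.get(pid, f"pid-index {pid}"),
                      base=int(m["base"], 16), protect=int(m["protect"], 16),
                      region_type=int(m["rtype"], 16))


def triage(identifiers):
    """Return (identifier, image, base, protection name, verdict) per dump.

    A payload signature firing inside executable+writable memory is the usual
    footprint of code unpacked or written into the process at run time; a
    read/write-only region is more likely the payload's config or string table.
    """
    rows = []
    for ident in identifiers:
        r = parse_dump_id(ident)
        if r.executable and r.writable:
            verdict = "likely injected/unpacked code"
        elif r.executable:
            verdict = "executable, possibly remapped code"
        else:
            verdict = "data region (config/strings)"
        rows.append((ident, r.image, r.base, r.protection_name, verdict))
    return rows


# The five "Yara detected FormBook" memory sources listed in this report.
FORMBOOK_HITS = [
    "00000003.00000002.365236576.00000000000A0000.00000040.00000001.sdmp",
    "00000003.00000002.370576629.000000001E140000.00000040.00000001.sdmp",
    "00000010.00000002.513869783.0000000002E40000.00000004.00000001.sdmp",
    "00000010.00000002.513794763.0000000002E10000.00000040.00000001.sdmp",
    "00000010.00000002.512373719.00000000008D0000.00000040.00000001.sdmp",
]

if __name__ == "__main__":
    for _, image, base, prot, verdict in triage(FORMBOOK_HITS):
        print(f"{image:<18} 0x{base:08X}  {prot:<24} {verdict}")
```

Run against the five hits, four land in PAGE_EXECUTE_READWRITE private memory (two in the second Cont-024.xls.exe instance, two in netsh.exe) and one in a PAGE_READWRITE region of netsh.exe, which is consistent with the process-hollowing and APC-injection signatures listed above: the payload is never on disk under its own name, so those dumps, not the submitted file, are what to carve and scan.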

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\netsh.exe Code function: 4x nop then pop esi 16_2_008E72BD
Source: C:\Windows\SysWOW64\netsh.exe Code function: 4x nop then pop ebx 16_2_008D7AFB

Networking:

Source: unknown DNS traffic detected: queries for: onedrive.live.com
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000000C.00000000.344941106.0000000008C57000.00000004.00000001.sdmp String found in binary or memory: http://schemas.mi
Source: explorer.exe, 0000000C.00000000.344941106.0000000008C57000.00000004.00000001.sdmp String found in binary or memory: http://schemas.micr
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000C.00000000.337001983.0000000006870000.00000004.00000001.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: Cont-024.xls.exe, 00000003.00000002.365472152.0000000000560000.00000040.00000001.sdmp String found in binary or memory: https://onedrive.live.com/download?cid=5E15857517F5B05A&resid=5E15857517F5B05A%21111&authkey=ALq-M7H

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Cont-024.xls.exe, 00000000.00000002.265763391.000000000071A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000003.00000002.365236576.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.370576629.000000001E140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.513869783.0000000002E40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.513794763.0000000002E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.512373719.00000000008D0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000010.00000002.517481605.0000000003A0F000.00000004.00000001.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000003.00000002.365236576.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.365236576.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.370576629.000000001E140000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.370576629.000000001E140000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.513869783.0000000002E40000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.513869783.0000000002E40000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.513794763.0000000002E10000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.513794763.0000000002E10000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.514108192.0000000002EB4000.00000004.00000020.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000010.00000002.512373719.00000000008D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.512373719.00000000008D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_020D1029 NtSetInformationThread,NtWriteVirtualMemory,TerminateProcess, 0_2_020D1029
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_020D2EBE NtResumeThread, 0_2_020D2EBE
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_020D012F EnumWindows,NtSetInformationThread,TerminateProcess, 0_2_020D012F
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_020D2B6B NtProtectVirtualMemory, 0_2_020D2B6B
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_020D26C2 NtWriteVirtualMemory, 0_2_020D26C2
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_020D01B7 NtSetInformationThread,TerminateProcess, 0_2_020D01B7
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_020D07B0 NtSetInformationThread,TerminateProcess, 0_2_020D07B0
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D9A20 NtResumeThread,LdrInitializeThunk, 3_2_1E3D9A20
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D9A00 NtProtectVirtualMemory,LdrInitializeThunk, 3_2_1E3D9A00
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D9660 NtAllocateVirtualMemory,LdrInitializeThunk, 3_2_1E3D9660
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D9A50 NtCreateFile,LdrInitializeThunk, 3_2_1E3D9A50
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D96E0 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_1E3D96E0
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D9710 NtQueryInformationToken,LdrInitializeThunk, 3_2_1E3D9710
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D97A0 NtUnmapViewOfSection,LdrInitializeThunk, 3_2_1E3D97A0
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D9780 NtMapViewOfSection,LdrInitializeThunk, 3_2_1E3D9780
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D9860 NtQuerySystemInformation,LdrInitializeThunk, 3_2_1E3D9860
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D9840 NtDelayExecution,LdrInitializeThunk, 3_2_1E3D9840
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D98F0 NtReadVirtualMemory,LdrInitializeThunk, 3_2_1E3D98F0
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 3_2_1E3D9910
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D9540 NtReadFile,LdrInitializeThunk, 3_2_1E3D9540
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D99A0 NtCreateSection,LdrInitializeThunk, 3_2_1E3D99A0
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D95D0 NtClose,LdrInitializeThunk, 3_2_1E3D95D0
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D9610 NtEnumerateValueKey, 3_2_1E3D9610
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D9A10 NtQuerySection, 3_2_1E3D9A10
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D9670 NtQueryInformationProcess, 3_2_1E3D9670
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D9650 NtQueryValueKey, 3_2_1E3D9650
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D9A80 NtOpenDirectoryObject, 3_2_1E3D9A80
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D96D0 NtCreateKey, 3_2_1E3D96D0
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D9730 NtQueryVirtualMemory, 3_2_1E3D9730
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3DA710 NtOpenProcessToken, 3_2_1E3DA710
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D9B00 NtSetValueKey, 3_2_1E3D9B00
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D9770 NtSetInformationFile, 3_2_1E3D9770
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3DA770 NtOpenThread, 3_2_1E3DA770
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D9760 NtOpenProcess, 3_2_1E3D9760
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3DA3B0 NtGetContextThread, 3_2_1E3DA3B0
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D9FE0 NtCreateMutant, 3_2_1E3D9FE0
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D9820 NtEnumerateKey, 3_2_1E3D9820
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3DB040 NtSuspendThread, 3_2_1E3DB040
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D98A0 NtWriteVirtualMemory, 3_2_1E3D98A0
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3DAD30 NtSetContextThread, 3_2_1E3DAD30
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D9520 NtWaitForSingleObject, 3_2_1E3D9520
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D9560 NtWriteFile, 3_2_1E3D9560
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D9950 NtQueueApcThread, 3_2_1E3D9950
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D95F0 NtQueryInformationFile, 3_2_1E3D95F0
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D99D0 NtCreateProcessEx, 3_2_1E3D99D0
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_00562EBE NtSetInformationThread, 3_2_00562EBE
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_00562B6B NtProtectVirtualMemory, 3_2_00562B6B
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_0056047E NtProtectVirtualMemory, 3_2_0056047E
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_00561029 NtSetInformationThread, 3_2_00561029
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_005601B7 NtSetInformationThread, 3_2_005601B7
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_005607B0 NtSetInformationThread, 3_2_005607B0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03549710 NtQueryInformationToken,LdrInitializeThunk, 16_2_03549710
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03549FE0 NtCreateMutant,LdrInitializeThunk, 16_2_03549FE0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03549780 NtMapViewOfSection,LdrInitializeThunk, 16_2_03549780
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03549A50 NtCreateFile,LdrInitializeThunk, 16_2_03549A50
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035496D0 NtCreateKey,LdrInitializeThunk, 16_2_035496D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035496E0 NtFreeVirtualMemory,LdrInitializeThunk, 16_2_035496E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03549540 NtReadFile,LdrInitializeThunk, 16_2_03549540
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03549910 NtAdjustPrivilegesToken,LdrInitializeThunk, 16_2_03549910
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035495D0 NtClose,LdrInitializeThunk, 16_2_035495D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035499A0 NtCreateSection,LdrInitializeThunk, 16_2_035499A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03549840 NtDelayExecution,LdrInitializeThunk, 16_2_03549840
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03549860 NtQuerySystemInformation,LdrInitializeThunk, 16_2_03549860
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03549770 NtSetInformationFile, 16_2_03549770
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0354A770 NtOpenThread, 16_2_0354A770
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03549760 NtOpenProcess, 16_2_03549760
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0354A710 NtOpenProcessToken, 16_2_0354A710
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03549B00 NtSetValueKey, 16_2_03549B00
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03549730 NtQueryVirtualMemory, 16_2_03549730
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0354A3B0 NtGetContextThread, 16_2_0354A3B0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035497A0 NtUnmapViewOfSection, 16_2_035497A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03549650 NtQueryValueKey, 16_2_03549650
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03549670 NtQueryInformationProcess, 16_2_03549670
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03549660 NtAllocateVirtualMemory, 16_2_03549660
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03549610 NtEnumerateValueKey, 16_2_03549610
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03549A10 NtQuerySection, 16_2_03549A10
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03549A00 NtProtectVirtualMemory, 16_2_03549A00
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03549A20 NtResumeThread, 16_2_03549A20
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03549A80 NtOpenDirectoryObject, 16_2_03549A80
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03549950 NtQueueApcThread, 16_2_03549950
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03549560 NtWriteFile, 16_2_03549560
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0354AD30 NtSetContextThread, 16_2_0354AD30
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03549520 NtWaitForSingleObject, 16_2_03549520
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035499D0 NtCreateProcessEx, 16_2_035499D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035495F0 NtQueryInformationFile, 16_2_035495F0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0354B040 NtSuspendThread, 16_2_0354B040
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03549820 NtEnumerateKey, 16_2_03549820
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035498F0 NtReadVirtualMemory, 16_2_035498F0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035498A0 NtWriteVirtualMemory, 16_2_035498A0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_008E9DE0 NtReadFile, 16_2_008E9DE0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_008E9D30 NtCreateFile, 16_2_008E9D30
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_008E9E60 NtClose, 16_2_008E9E60
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_008E9DDA NtReadFile, 16_2_008E9DDA
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_008E9E2D NtReadFile, 16_2_008E9E2D
Detected potential crypto function
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_00403B59 0_2_00403B59
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3B6E30 3_2_1E3B6E30
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3CEBB0 3_2_1E3CEBB0
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3A841F 3_2_1E3A841F
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E451002 3_2_1E451002
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3AB090 3_2_1E3AB090
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E461D55 3_2_1E461D55
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E390D20 3_2_1E390D20
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3B4120 3_2_1E3B4120
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E39F900 3_2_1E39F900
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3AD5E0 3_2_1E3AD5E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0353EBB0 16_2_0353EBB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03526E30 16_2_03526E30
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035D1D55 16_2_035D1D55
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0350F900 16_2_0350F900
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03500D20 16_2_03500D20
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03524120 16_2_03524120
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0351D5E0 16_2_0351D5E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0351841F 16_2_0351841F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035C1002 16_2_035C1002
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0351B090 16_2_0351B090
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_008EEA89 16_2_008EEA89
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_008EE230 16_2_008EE230
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_008EE58D 16_2_008EE58D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_008D2D87 16_2_008D2D87
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_008D2D90 16_2_008D2D90
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_008EE590 16_2_008EE590
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_008D9E2B 16_2_008D9E2B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_008D9E30 16_2_008D9E30
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_008D2FB0 16_2_008D2FB0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: String function: 1E39B150 appears 32 times
Source: C:\Windows\SysWOW64\netsh.exe Code function: String function: 0350B150 appears 32 times
PE file contains strange resources
Source: Cont-024.xls.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Cont-024.xls.exe, 00000000.00000000.244493400.000000000040C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameciscoscampuseslazi.exe vs Cont-024.xls.exe
Source: Cont-024.xls.exe, 00000000.00000002.266327232.0000000002930000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameciscoscampuseslazi.exeFE2X vs Cont-024.xls.exe
Source: Cont-024.xls.exe, 00000003.00000002.374376949.000000001E61F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Cont-024.xls.exe
Source: Cont-024.xls.exe, 00000003.00000002.365403295.00000000000EC000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamenetsh.exej% vs Cont-024.xls.exe
Source: Cont-024.xls.exe, 00000003.00000000.263140933.000000000040C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameciscoscampuseslazi.exe vs Cont-024.xls.exe
Source: Cont-024.xls.exe, 00000003.00000002.370414082.000000001DDA0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Cont-024.xls.exe
Source: Cont-024.xls.exe, 00000003.00000002.370363970.000000001DC50000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Cont-024.xls.exe
Source: Cont-024.xls.exe Binary or memory string: OriginalFilenameciscoscampuseslazi.exe vs Cont-024.xls.exe
Yara signature match
Source: 00000010.00000002.517481605.0000000003A0F000.00000004.00000001.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.365236576.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.365236576.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.370576629.000000001E140000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.370576629.000000001E140000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.513869783.0000000002E40000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.513869783.0000000002E40000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.513794763.0000000002E10000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.513794763.0000000002E10000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.514108192.0000000002EB4000.00000004.00000020.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000010.00000002.512373719.00000000008D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.512373719.00000000008D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/0@4/1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2944:120:WilError_01
Source: C:\Users\user\Desktop\Cont-024.xls.exe File created: C:\Users\user~1\AppData\Local\Temp\~DFE28EB8CE67E796AA.TMP
Source: Cont-024.xls.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Cont-024.xls.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Cont-024.xls.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Cont-024.xls.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Cont-024.xls.exe Virustotal: Detection: 34%
Source: Cont-024.xls.exe ReversingLabs: Detection: 33%
Source: unknown Process created: C:\Users\user\Desktop\Cont-024.xls.exe 'C:\Users\user\Desktop\Cont-024.xls.exe'
Source: unknown Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Cont-024.xls.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Cont-024.xls.exe Process created: C:\Users\user\Desktop\Cont-024.xls.exe 'C:\Users\user\Desktop\Cont-024.xls.exe'
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Cont-024.xls.exe'
Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000C.00000000.347258325.000000000E8F0000.00000002.00000001.sdmp
Source: Binary string: netsh.pdb source: Cont-024.xls.exe, 00000003.00000002.365351452.00000000000D0000.00000040.00000001.sdmp
Source: Binary string: netsh.pdbGCTL source: Cont-024.xls.exe, 00000003.00000002.365351452.00000000000D0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Cont-024.xls.exe, 00000003.00000002.371157817.000000001E370000.00000040.00000001.sdmp, netsh.exe, 00000010.00000002.514552427.00000000034E0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Cont-024.xls.exe, netsh.exe
Source: Binary string: wscui.pdb source: explorer.exe, 0000000C.00000000.347258325.000000000E8F0000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000003.00000002.365472152.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Cont-024.xls.exe PID: 6996, type: MEMORY
Source: Yara match File source: Process Memory Space: Cont-024.xls.exe PID: 6776, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: Cont-024.xls.exe PID: 6996, type: MEMORY
Source: Yara match File source: Process Memory Space: Cont-024.xls.exe PID: 6776, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_00408048 push 00401144h; ret 0_2_0040805B
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_0040805C push 00401144h; ret 0_2_0040806F
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_00408070 push 00401144h; ret 0_2_00408083
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_00404A06 push edi; retf 0_2_00404A17
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_0040800C push 00401144h; ret 0_2_0040801F
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_00408020 push 00401144h; ret 0_2_00408033
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_00408034 push 00401144h; ret 0_2_00408047
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_004080C0 push 00401144h; ret 0_2_004080D3
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_004060C4 push esp; retf 0_2_004060D2
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_004080D4 push 00401144h; ret 0_2_004080E7
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_004080E8 push 00401144h; ret 0_2_004080FB
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_004080FC push 00401144h; ret 0_2_0040810F
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_00408084 push 00401144h; ret 0_2_00408097
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_00407E8A push 00401144h; ret 0_2_00407F7F
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_00408098 push 00401144h; ret 0_2_004080AB
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_004080AC push 00401144h; ret 0_2_004080BF
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_0040814C push 00401144h; ret 0_2_0040815F
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_00408160 push 00401144h; ret 0_2_00408173
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_00408174 push 00401144h; ret 0_2_00408187
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_00408110 push 00401144h; ret 0_2_00408123
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_00408124 push 00401144h; ret 0_2_00408137
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_00408138 push 00401144h; ret 0_2_0040814B
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_00407FD0 push 00401144h; ret 0_2_00407FE3
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_00407FE4 push 00401144h; ret 0_2_00407FF7
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_00407DE8 push 00401144h; ret 0_2_00407F7F
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_00407FF8 push 00401144h; ret 0_2_0040800B
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_00407F80 push 00401144h; ret 0_2_00407F93
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_00408188 push 00401144h; ret 0_2_0040819B
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_00407F94 push 00401144h; ret 0_2_00407FA7
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_0040819C push 00401144h; ret 0_2_004081AF
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_00405FA2 push edi; retf 0_2_00406082

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x83 0x3E 0xE2
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: xls.exe Static PE information: Cont-024.xls.exe
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Cont-024.xls.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\Cont-024.xls.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\Cont-024.xls.exe RDTSC instruction interceptor: First address: 00000000020D2700 second address: 00000000020D2700 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FD238D1A0B8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f pop ecx 0x00000020 test al, al 0x00000022 cmp dx, bx 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007FD238D1A09Ch 0x0000002d push ecx 0x0000002e cmp al, dl 0x00000030 call 00007FD238D1A0CCh 0x00000035 call 00007FD238D1A0CAh 0x0000003a lfence 0x0000003d mov edx, dword ptr [7FFE0014h] 0x00000043 lfence 0x00000046 ret 0x00000047 mov esi, edx 0x00000049 pushad 0x0000004a rdtsc
Tries to detect Any.run
Source: C:\Users\user\Desktop\Cont-024.xls.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Cont-024.xls.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Cont-024.xls.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Cont-024.xls.exe RDTSC instruction interceptor: First address: 00000000020D2700 second address: 00000000020D2700 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FD238D1A0B8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f pop ecx 0x00000020 test al, al 0x00000022 cmp dx, bx 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007FD238D1A09Ch 0x0000002d push ecx 0x0000002e cmp al, dl 0x00000030 call 00007FD238D1A0CCh 0x00000035 call 00007FD238D1A0CAh 0x0000003a lfence 0x0000003d mov edx, dword ptr [7FFE0014h] 0x00000043 lfence 0x00000046 ret 0x00000047 mov esi, edx 0x00000049 pushad 0x0000004a rdtsc
Source: C:\Users\user\Desktop\Cont-024.xls.exe RDTSC instruction interceptor: First address: 00000000020D2722 second address: 00000000020D2722 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FD238D1A0E3h 0x0000001f popad 0x00000020 call 00007FD238D19FCAh 0x00000025 lfence 0x00000028 rdtsc
Source: C:\Users\user\Desktop\Cont-024.xls.exe RDTSC instruction interceptor: First address: 0000000000562722 second address: 0000000000562722 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FD238D1A233h 0x0000001f popad 0x00000020 call 00007FD238D1A11Ah 0x00000025 lfence 0x00000028 rdtsc
Source: C:\Users\user\Desktop\Cont-024.xls.exe RDTSC instruction interceptor: First address: 0000000000560C89 second address: 0000000000560CBF instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp dh, ch 0x00000005 mov ecx, dword ptr [edi+00000808h] 0x0000000b jmp 00007FD238D19F69h 0x0000000d mov dword ptr [eax+20h], ecx 0x00000010 test dh, dh 0x00000012 mov esi, dword ptr [edi+00000800h] 0x00000018 test cx, dx 0x0000001b mov dword ptr [eax+18h], esi 0x0000001e test eax, ebx 0x00000020 add esi, dword ptr [edi+00000850h] 0x00000026 mov dword ptr [eax+1Ch], esi 0x00000029 pushad 0x0000002a mov edi, 00000009h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\Cont-024.xls.exe RDTSC instruction interceptor: First address: 0000000000560CBF second address: 0000000000560CF1 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp dh, ch 0x00000005 cmp dword ptr [ebp+70h], 01h 0x00000009 je 00007FD238D1A16Dh 0x0000000f mov esi, edi 0x00000011 add esi, 00001000h 0x00000017 xor ecx, ecx 0x00000019 test dl, cl 0x0000001b push ecx 0x0000001c test dh, dh 0x0000001e push edi 0x0000001f test cx, dx 0x00000022 test eax, ebx 0x00000024 mov eax, ebp 0x00000026 add eax, 0000009Ch 0x0000002b push eax 0x0000002c pushad 0x0000002d mov edi, 00000094h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\Cont-024.xls.exe RDTSC instruction interceptor: First address: 0000000000560D7F second address: 0000000000560D9F instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp dh, ch 0x00000005 pop edi 0x00000006 test dl, cl 0x00000008 cmp dword ptr [ebp+70h], 01h 0x0000000c jne 00007FD238D19F6Ch 0x0000000e test eax, ebx 0x00000010 pushad 0x00000011 mov edi, 00000088h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Cont-024.xls.exe RDTSC instruction interceptor: First address: 0000000000560D9F second address: 0000000000560DD6 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp dh, ch 0x00000005 mov eax, dword ptr [edi+00000850h] 0x0000000b add eax, dword ptr [edi+00000800h] 0x00000011 jmp 00007FD238D1C2B1h 0x00000016 call 00007FD238D17EB4h 0x0000001b pop edx 0x0000001c test dl, cl 0x0000001e mov dword ptr [edx+01h], eax 0x00000021 test dh, dh 0x00000023 mov ecx, dword ptr [ebp+000000ACh] 0x00000029 test cx, dx 0x0000002c mov esi, dword ptr [ebp+20h] 0x0000002f test eax, ebx 0x00000031 dec ecx 0x00000032 mov byte ptr [esi+ecx], 00000000h 0x00000036 pushad 0x00000037 mov edi, 000000ECh 0x0000003c rdtsc
Source: C:\Users\user\Desktop\Cont-024.xls.exe RDTSC instruction interceptor: First address: 0000000000560DD6 second address: 0000000000560DD6 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp ecx, 00000000h 0x00000006 jne 00007FD238D19F4Fh 0x00000008 dec ecx 0x00000009 mov byte ptr [esi+ecx], 00000000h 0x0000000d pushad 0x0000000e mov edi, 000000ECh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Cont-024.xls.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Cont-024.xls.exe RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe RDTSC instruction interceptor: First address: 00000000008D98E4 second address: 00000000008D98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\netsh.exe RDTSC instruction interceptor: First address: 00000000008D9B4E second address: 00000000008D9B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_020D0C5D rdtsc 0_2_020D0C5D
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 3804 Thread sleep time: -44000s >= -30000s
Source: C:\Windows\SysWOW64\netsh.exe TID: 1344 Thread sleep time: -35000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: explorer.exe, 0000000C.00000000.344255275.0000000008A32000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 0000000C.00000000.344255275.0000000008A32000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: Cont-024.xls.exe, 00000000.00000002.266473926.00000000038CA000.00000004.00000001.sdmp, Cont-024.xls.exe, 00000003.00000002.366694123.000000000241A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: explorer.exe, 0000000C.00000000.336260819.00000000059C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Cont-024.xls.exe, 00000000.00000002.266473926.00000000038CA000.00000004.00000001.sdmp, Cont-024.xls.exe, 00000003.00000002.366694123.000000000241A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: explorer.exe, 0000000C.00000000.344585647.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: Cont-024.xls.exe, 00000000.00000002.266473926.00000000038CA000.00000004.00000001.sdmp, Cont-024.xls.exe, 00000003.00000002.366694123.000000000241A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: explorer.exe, 0000000C.00000000.344441869.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: Cont-024.xls.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: explorer.exe, 0000000C.00000000.336260819.00000000059C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Cont-024.xls.exe, 00000000.00000002.266473926.00000000038CA000.00000004.00000001.sdmp, Cont-024.xls.exe, 00000003.00000002.366694123.000000000241A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: Cont-024.xls.exe, 00000000.00000002.266473926.00000000038CA000.00000004.00000001.sdmp, Cont-024.xls.exe, 00000003.00000002.366694123.000000000241A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: explorer.exe, 0000000C.00000000.344585647.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Cont-024.xls.exe, 00000003.00000002.366694123.000000000241A000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
Source: explorer.exe, 0000000C.00000002.530285921.00000000048E0000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Cont-024.xls.exe, 00000000.00000002.266473926.00000000038CA000.00000004.00000001.sdmp, Cont-024.xls.exe, 00000003.00000002.366694123.000000000241A000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: explorer.exe, 0000000C.00000000.344585647.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 0000000C.00000000.344441869.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: Cont-024.xls.exe, 00000003.00000002.366694123.000000000241A000.00000004.00000001.sdmp Binary or memory string: vmicvss
Source: explorer.exe, 0000000C.00000000.337180197.00000000069DA000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD002
Source: explorer.exe, 0000000C.00000000.336260819.00000000059C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Cont-024.xls.exe, 00000000.00000002.266473926.00000000038CA000.00000004.00000001.sdmp, Cont-024.xls.exe, 00000003.00000002.366694123.000000000241A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: Cont-024.xls.exe, 00000000.00000002.266473926.00000000038CA000.00000004.00000001.sdmp, Cont-024.xls.exe, 00000003.00000002.366694123.000000000241A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: Cont-024.xls.exe, 00000003.00000002.366694123.000000000241A000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat
Source: explorer.exe, 0000000C.00000000.336260819.00000000059C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Cont-024.xls.exe Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\Cont-024.xls.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Cont-024.xls.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\netsh.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_020D0C5D rdtsc 0_2_020D0C5D
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_020D1D10 LdrInitializeThunk, 0_2_020D1D10
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_020D14AE mov eax, dword ptr fs:[00000030h] 0_2_020D14AE
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_020D28F2 mov eax, dword ptr fs:[00000030h] 0_2_020D28F2
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_020D2371 mov eax, dword ptr fs:[00000030h] 0_2_020D2371
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_020D25AC mov eax, dword ptr fs:[00000030h] 0_2_020D25AC
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_020D09B8 mov eax, dword ptr fs:[00000030h] 0_2_020D09B8
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 0_2_020D0DB5 mov eax, dword ptr fs:[00000030h] 0_2_020D0DB5
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E424257 mov eax, dword ptr fs:[00000030h] 3_2_1E424257
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E39E620 mov eax, dword ptr fs:[00000030h] 3_2_1E39E620
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E44B260 mov eax, dword ptr fs:[00000030h] 3_2_1E44B260
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E468A62 mov eax, dword ptr fs:[00000030h] 3_2_1E468A62
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3B3A1C mov eax, dword ptr fs:[00000030h] 3_2_1E3B3A1C
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E39C600 mov eax, dword ptr fs:[00000030h] 3_2_1E39C600
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D927A mov eax, dword ptr fs:[00000030h] 3_2_1E3D927A
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3BAE73 mov eax, dword ptr fs:[00000030h] 3_2_1E3BAE73
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3A766D mov eax, dword ptr fs:[00000030h] 3_2_1E3A766D
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E399240 mov eax, dword ptr fs:[00000030h] 3_2_1E399240
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E44FE3F mov eax, dword ptr fs:[00000030h] 3_2_1E44FE3F
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3A7E41 mov eax, dword ptr fs:[00000030h] 3_2_1E3A7E41
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E44FEC0 mov eax, dword ptr fs:[00000030h] 3_2_1E44FEC0
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3AAAB0 mov eax, dword ptr fs:[00000030h] 3_2_1E3AAAB0
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3CFAB0 mov eax, dword ptr fs:[00000030h] 3_2_1E3CFAB0
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E468ED6 mov eax, dword ptr fs:[00000030h] 3_2_1E468ED6
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3952A5 mov eax, dword ptr fs:[00000030h] 3_2_1E3952A5
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3CD294 mov eax, dword ptr fs:[00000030h] 3_2_1E3CD294
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E42FE87 mov eax, dword ptr fs:[00000030h] 3_2_1E42FE87
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3A76E2 mov eax, dword ptr fs:[00000030h] 3_2_1E3A76E2
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3C16E0 mov ecx, dword ptr fs:[00000030h] 3_2_1E3C16E0
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E460EA5 mov eax, dword ptr fs:[00000030h] 3_2_1E460EA5
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E4146A7 mov eax, dword ptr fs:[00000030h] 3_2_1E4146A7
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3C36CC mov eax, dword ptr fs:[00000030h] 3_2_1E3C36CC
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D8EC7 mov eax, dword ptr fs:[00000030h] 3_2_1E3D8EC7
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3CE730 mov eax, dword ptr fs:[00000030h] 3_2_1E3CE730
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E394F2E mov eax, dword ptr fs:[00000030h] 3_2_1E394F2E
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E468B58 mov eax, dword ptr fs:[00000030h] 3_2_1E468B58
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E468F6A mov eax, dword ptr fs:[00000030h] 3_2_1E468F6A
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3C3B7A mov eax, dword ptr fs:[00000030h] 3_2_1E3C3B7A
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E46070D mov eax, dword ptr fs:[00000030h] 3_2_1E46070D
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E42FF10 mov eax, dword ptr fs:[00000030h] 3_2_1E42FF10
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E39DB60 mov ecx, dword ptr fs:[00000030h] 3_2_1E39DB60
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3AFF60 mov eax, dword ptr fs:[00000030h] 3_2_1E3AFF60
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E45131B mov eax, dword ptr fs:[00000030h] 3_2_1E45131B
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E39F358 mov eax, dword ptr fs:[00000030h] 3_2_1E39F358
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E39DB40 mov eax, dword ptr fs:[00000030h] 3_2_1E39DB40
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3AEF40 mov eax, dword ptr fs:[00000030h] 3_2_1E3AEF40
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3CB390 mov eax, dword ptr fs:[00000030h] 3_2_1E3CB390
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3A1B8F mov eax, dword ptr fs:[00000030h] 3_2_1E3A1B8F
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E44D380 mov ecx, dword ptr fs:[00000030h] 3_2_1E44D380
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D37F5 mov eax, dword ptr fs:[00000030h] 3_2_1E3D37F5
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E45138A mov eax, dword ptr fs:[00000030h] 3_2_1E45138A
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E417794 mov eax, dword ptr fs:[00000030h] 3_2_1E417794
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E465BA5 mov eax, dword ptr fs:[00000030h] 3_2_1E465BA5
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3AB02A mov eax, dword ptr fs:[00000030h] 3_2_1E3AB02A
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3AB02A mov eax, dword ptr fs:[00000030h] 3_2_1E3AB02A
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3AB02A mov eax, dword ptr fs:[00000030h] 3_2_1E3AB02A
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3AB02A mov eax, dword ptr fs:[00000030h] 3_2_1E3AB02A
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3CBC2C mov eax, dword ptr fs:[00000030h] 3_2_1E3CBC2C
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E42C450 mov eax, dword ptr fs:[00000030h] 3_2_1E42C450
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E42C450 mov eax, dword ptr fs:[00000030h] 3_2_1E42C450
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E461074 mov eax, dword ptr fs:[00000030h] 3_2_1E461074
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E452073 mov eax, dword ptr fs:[00000030h] 3_2_1E452073
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E451C06 mov eax, dword ptr fs:[00000030h] 3_2_1E451C06
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E451C06 mov eax, dword ptr fs:[00000030h] 3_2_1E451C06
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E451C06 mov eax, dword ptr fs:[00000030h] 3_2_1E451C06
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E451C06 mov eax, dword ptr fs:[00000030h] 3_2_1E451C06
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E451C06 mov eax, dword ptr fs:[00000030h] 3_2_1E451C06
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E451C06 mov eax, dword ptr fs:[00000030h] 3_2_1E451C06
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E451C06 mov eax, dword ptr fs:[00000030h] 3_2_1E451C06
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E451C06 mov eax, dword ptr fs:[00000030h] 3_2_1E451C06
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E451C06 mov eax, dword ptr fs:[00000030h] 3_2_1E451C06
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E451C06 mov eax, dword ptr fs:[00000030h] 3_2_1E451C06
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E451C06 mov eax, dword ptr fs:[00000030h] 3_2_1E451C06
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E451C06 mov eax, dword ptr fs:[00000030h] 3_2_1E451C06
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E451C06 mov eax, dword ptr fs:[00000030h] 3_2_1E451C06
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E451C06 mov eax, dword ptr fs:[00000030h] 3_2_1E451C06
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E46740D mov eax, dword ptr fs:[00000030h] 3_2_1E46740D
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E46740D mov eax, dword ptr fs:[00000030h] 3_2_1E46740D
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E46740D mov eax, dword ptr fs:[00000030h] 3_2_1E46740D
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E416C0A mov eax, dword ptr fs:[00000030h] 3_2_1E416C0A
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E416C0A mov eax, dword ptr fs:[00000030h] 3_2_1E416C0A
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E416C0A mov eax, dword ptr fs:[00000030h] 3_2_1E416C0A
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E416C0A mov eax, dword ptr fs:[00000030h] 3_2_1E416C0A
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E464015 mov eax, dword ptr fs:[00000030h] 3_2_1E464015
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E464015 mov eax, dword ptr fs:[00000030h] 3_2_1E464015
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3B746D mov eax, dword ptr fs:[00000030h] 3_2_1E3B746D
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E417016 mov eax, dword ptr fs:[00000030h] 3_2_1E417016
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E417016 mov eax, dword ptr fs:[00000030h] 3_2_1E417016
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E417016 mov eax, dword ptr fs:[00000030h] 3_2_1E417016
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3B0050 mov eax, dword ptr fs:[00000030h] 3_2_1E3B0050
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3B0050 mov eax, dword ptr fs:[00000030h] 3_2_1E3B0050
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3CF0BF mov ecx, dword ptr fs:[00000030h] 3_2_1E3CF0BF
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3CF0BF mov eax, dword ptr fs:[00000030h] 3_2_1E3CF0BF
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3CF0BF mov eax, dword ptr fs:[00000030h] 3_2_1E3CF0BF
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E468CD6 mov eax, dword ptr fs:[00000030h] 3_2_1E468CD6
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D90AF mov eax, dword ptr fs:[00000030h] 3_2_1E3D90AF
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E42B8D0 mov eax, dword ptr fs:[00000030h] 3_2_1E42B8D0
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E42B8D0 mov ecx, dword ptr fs:[00000030h] 3_2_1E42B8D0
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E42B8D0 mov eax, dword ptr fs:[00000030h] 3_2_1E42B8D0
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E42B8D0 mov eax, dword ptr fs:[00000030h] 3_2_1E42B8D0
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E42B8D0 mov eax, dword ptr fs:[00000030h] 3_2_1E42B8D0
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E42B8D0 mov eax, dword ptr fs:[00000030h] 3_2_1E42B8D0
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E416CF0 mov eax, dword ptr fs:[00000030h] 3_2_1E416CF0
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E416CF0 mov eax, dword ptr fs:[00000030h] 3_2_1E416CF0
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E416CF0 mov eax, dword ptr fs:[00000030h] 3_2_1E416CF0
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E399080 mov eax, dword ptr fs:[00000030h] 3_2_1E399080
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E4514FB mov eax, dword ptr fs:[00000030h] 3_2_1E4514FB
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E413884 mov eax, dword ptr fs:[00000030h] 3_2_1E413884
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E413884 mov eax, dword ptr fs:[00000030h] 3_2_1E413884
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E413540 mov eax, dword ptr fs:[00000030h] 3_2_1E413540
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3C513A mov eax, dword ptr fs:[00000030h] 3_2_1E3C513A
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3C513A mov eax, dword ptr fs:[00000030h] 3_2_1E3C513A
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3C4D3B mov eax, dword ptr fs:[00000030h] 3_2_1E3C4D3B
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3C4D3B mov eax, dword ptr fs:[00000030h] 3_2_1E3C4D3B
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3C4D3B mov eax, dword ptr fs:[00000030h] 3_2_1E3C4D3B
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E39AD30 mov eax, dword ptr fs:[00000030h] 3_2_1E39AD30
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3A3D34 mov eax, dword ptr fs:[00000030h] 3_2_1E3A3D34
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3A3D34 mov eax, dword ptr fs:[00000030h] 3_2_1E3A3D34
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3A3D34 mov eax, dword ptr fs:[00000030h] 3_2_1E3A3D34
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3A3D34 mov eax, dword ptr fs:[00000030h] 3_2_1E3A3D34
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3A3D34 mov eax, dword ptr fs:[00000030h] 3_2_1E3A3D34
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3A3D34 mov eax, dword ptr fs:[00000030h] 3_2_1E3A3D34
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3A3D34 mov eax, dword ptr fs:[00000030h] 3_2_1E3A3D34
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3A3D34 mov eax, dword ptr fs:[00000030h] 3_2_1E3A3D34
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3A3D34 mov eax, dword ptr fs:[00000030h] 3_2_1E3A3D34
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3A3D34 mov eax, dword ptr fs:[00000030h] 3_2_1E3A3D34
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3A3D34 mov eax, dword ptr fs:[00000030h] 3_2_1E3A3D34
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3A3D34 mov eax, dword ptr fs:[00000030h] 3_2_1E3A3D34
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3A3D34 mov eax, dword ptr fs:[00000030h] 3_2_1E3A3D34
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3B4120 mov eax, dword ptr fs:[00000030h] 3_2_1E3B4120
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3B4120 mov eax, dword ptr fs:[00000030h] 3_2_1E3B4120
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3B4120 mov eax, dword ptr fs:[00000030h] 3_2_1E3B4120
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3B4120 mov eax, dword ptr fs:[00000030h] 3_2_1E3B4120
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3B4120 mov ecx, dword ptr fs:[00000030h] 3_2_1E3B4120
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E399100 mov eax, dword ptr fs:[00000030h] 3_2_1E399100
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E399100 mov eax, dword ptr fs:[00000030h] 3_2_1E399100
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E399100 mov eax, dword ptr fs:[00000030h] 3_2_1E399100
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E39B171 mov eax, dword ptr fs:[00000030h] 3_2_1E39B171
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E39B171 mov eax, dword ptr fs:[00000030h] 3_2_1E39B171
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3BC577 mov eax, dword ptr fs:[00000030h] 3_2_1E3BC577
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3BC577 mov eax, dword ptr fs:[00000030h] 3_2_1E3BC577
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3B7D50 mov eax, dword ptr fs:[00000030h] 3_2_1E3B7D50
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E468D34 mov eax, dword ptr fs:[00000030h] 3_2_1E468D34
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E41A537 mov eax, dword ptr fs:[00000030h] 3_2_1E41A537
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3D3D43 mov eax, dword ptr fs:[00000030h] 3_2_1E3D3D43
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3BB944 mov eax, dword ptr fs:[00000030h] 3_2_1E3BB944
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3BB944 mov eax, dword ptr fs:[00000030h] 3_2_1E3BB944
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3C35A1 mov eax, dword ptr fs:[00000030h] 3_2_1E3C35A1
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3CFD9B mov eax, dword ptr fs:[00000030h] 3_2_1E3CFD9B
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3CFD9B mov eax, dword ptr fs:[00000030h] 3_2_1E3CFD9B
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E4241E8 mov eax, dword ptr fs:[00000030h] 3_2_1E4241E8
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E392D8A mov eax, dword ptr fs:[00000030h] 3_2_1E392D8A
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E392D8A mov eax, dword ptr fs:[00000030h] 3_2_1E392D8A
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E392D8A mov eax, dword ptr fs:[00000030h] 3_2_1E392D8A
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E392D8A mov eax, dword ptr fs:[00000030h] 3_2_1E392D8A
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E392D8A mov eax, dword ptr fs:[00000030h] 3_2_1E392D8A
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E448DF1 mov eax, dword ptr fs:[00000030h] 3_2_1E448DF1
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3CA185 mov eax, dword ptr fs:[00000030h] 3_2_1E3CA185
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3BC182 mov eax, dword ptr fs:[00000030h] 3_2_1E3BC182
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E39B1E1 mov eax, dword ptr fs:[00000030h] 3_2_1E39B1E1
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E39B1E1 mov eax, dword ptr fs:[00000030h] 3_2_1E39B1E1
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E39B1E1 mov eax, dword ptr fs:[00000030h] 3_2_1E39B1E1
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3AD5E0 mov eax, dword ptr fs:[00000030h] 3_2_1E3AD5E0
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_1E3AD5E0 mov eax, dword ptr fs:[00000030h] 3_2_1E3AD5E0
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_00560DB5 mov eax, dword ptr fs:[00000030h] 3_2_00560DB5
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_005628F2 mov eax, dword ptr fs:[00000030h] 3_2_005628F2
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_005614AE mov eax, dword ptr fs:[00000030h] 3_2_005614AE
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_005609B8 mov eax, dword ptr fs:[00000030h] 3_2_005609B8
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_005625AC mov eax, dword ptr fs:[00000030h] 3_2_005625AC
Source: C:\Users\user\Desktop\Cont-024.xls.exe Code function: 3_2_00562371 mov eax, dword ptr fs:[00000030h] 3_2_00562371
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035D8B58 mov eax, dword ptr fs:[00000030h] 16_2_035D8B58
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0350F358 mov eax, dword ptr fs:[00000030h] 16_2_0350F358
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0350DB40 mov eax, dword ptr fs:[00000030h] 16_2_0350DB40
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0351EF40 mov eax, dword ptr fs:[00000030h] 16_2_0351EF40
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03533B7A mov eax, dword ptr fs:[00000030h] 16_2_03533B7A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03533B7A mov eax, dword ptr fs:[00000030h] 16_2_03533B7A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0350DB60 mov ecx, dword ptr fs:[00000030h] 16_2_0350DB60
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0351FF60 mov eax, dword ptr fs:[00000030h] 16_2_0351FF60
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035D8F6A mov eax, dword ptr fs:[00000030h] 16_2_035D8F6A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035C131B mov eax, dword ptr fs:[00000030h] 16_2_035C131B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0359FF10 mov eax, dword ptr fs:[00000030h] 16_2_0359FF10
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0359FF10 mov eax, dword ptr fs:[00000030h] 16_2_0359FF10
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035D070D mov eax, dword ptr fs:[00000030h] 16_2_035D070D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035D070D mov eax, dword ptr fs:[00000030h] 16_2_035D070D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0353E730 mov eax, dword ptr fs:[00000030h] 16_2_0353E730
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03504F2E mov eax, dword ptr fs:[00000030h] 16_2_03504F2E
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03504F2E mov eax, dword ptr fs:[00000030h] 16_2_03504F2E
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035437F5 mov eax, dword ptr fs:[00000030h] 16_2_035437F5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0353B390 mov eax, dword ptr fs:[00000030h] 16_2_0353B390
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03587794 mov eax, dword ptr fs:[00000030h] 16_2_03587794
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03587794 mov eax, dword ptr fs:[00000030h] 16_2_03587794
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03587794 mov eax, dword ptr fs:[00000030h] 16_2_03587794
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035C138A mov eax, dword ptr fs:[00000030h] 16_2_035C138A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035BD380 mov ecx, dword ptr fs:[00000030h] 16_2_035BD380
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03511B8F mov eax, dword ptr fs:[00000030h] 16_2_03511B8F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03511B8F mov eax, dword ptr fs:[00000030h] 16_2_03511B8F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035D5BA5 mov eax, dword ptr fs:[00000030h] 16_2_035D5BA5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03594257 mov eax, dword ptr fs:[00000030h] 16_2_03594257
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03509240 mov eax, dword ptr fs:[00000030h] 16_2_03509240
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03509240 mov eax, dword ptr fs:[00000030h] 16_2_03509240
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03509240 mov eax, dword ptr fs:[00000030h] 16_2_03509240
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03509240 mov eax, dword ptr fs:[00000030h] 16_2_03509240
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03517E41 mov eax, dword ptr fs:[00000030h] 16_2_03517E41
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03517E41 mov eax, dword ptr fs:[00000030h] 16_2_03517E41
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03517E41 mov eax, dword ptr fs:[00000030h] 16_2_03517E41
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03517E41 mov eax, dword ptr fs:[00000030h] 16_2_03517E41
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03517E41 mov eax, dword ptr fs:[00000030h] 16_2_03517E41
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03517E41 mov eax, dword ptr fs:[00000030h] 16_2_03517E41
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0352AE73 mov eax, dword ptr fs:[00000030h] 16_2_0352AE73
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0352AE73 mov eax, dword ptr fs:[00000030h] 16_2_0352AE73
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0352AE73 mov eax, dword ptr fs:[00000030h] 16_2_0352AE73
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0352AE73 mov eax, dword ptr fs:[00000030h] 16_2_0352AE73
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0352AE73 mov eax, dword ptr fs:[00000030h] 16_2_0352AE73
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0354927A mov eax, dword ptr fs:[00000030h] 16_2_0354927A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035BB260 mov eax, dword ptr fs:[00000030h] 16_2_035BB260
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035BB260 mov eax, dword ptr fs:[00000030h] 16_2_035BB260
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0351766D mov eax, dword ptr fs:[00000030h] 16_2_0351766D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035D8A62 mov eax, dword ptr fs:[00000030h] 16_2_035D8A62
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03523A1C mov eax, dword ptr fs:[00000030h] 16_2_03523A1C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0350C600 mov eax, dword ptr fs:[00000030h] 16_2_0350C600
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0350C600 mov eax, dword ptr fs:[00000030h] 16_2_0350C600
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0350C600 mov eax, dword ptr fs:[00000030h] 16_2_0350C600
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035BFE3F mov eax, dword ptr fs:[00000030h] 16_2_035BFE3F
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0350E620 mov eax, dword ptr fs:[00000030h] 16_2_0350E620
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035D8ED6 mov eax, dword ptr fs:[00000030h] 16_2_035D8ED6
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03548EC7 mov eax, dword ptr fs:[00000030h] 16_2_03548EC7
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035BFEC0 mov eax, dword ptr fs:[00000030h] 16_2_035BFEC0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035336CC mov eax, dword ptr fs:[00000030h] 16_2_035336CC
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035316E0 mov ecx, dword ptr fs:[00000030h] 16_2_035316E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035176E2 mov eax, dword ptr fs:[00000030h] 16_2_035176E2
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0353D294 mov eax, dword ptr fs:[00000030h] 16_2_0353D294
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0353D294 mov eax, dword ptr fs:[00000030h] 16_2_0353D294
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0359FE87 mov eax, dword ptr fs:[00000030h] 16_2_0359FE87
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0351AAB0 mov eax, dword ptr fs:[00000030h] 16_2_0351AAB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0351AAB0 mov eax, dword ptr fs:[00000030h] 16_2_0351AAB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0353FAB0 mov eax, dword ptr fs:[00000030h] 16_2_0353FAB0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035052A5 mov eax, dword ptr fs:[00000030h] 16_2_035052A5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035052A5 mov eax, dword ptr fs:[00000030h] 16_2_035052A5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035052A5 mov eax, dword ptr fs:[00000030h] 16_2_035052A5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035052A5 mov eax, dword ptr fs:[00000030h] 16_2_035052A5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035052A5 mov eax, dword ptr fs:[00000030h] 16_2_035052A5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035D0EA5 mov eax, dword ptr fs:[00000030h] 16_2_035D0EA5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035D0EA5 mov eax, dword ptr fs:[00000030h] 16_2_035D0EA5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035D0EA5 mov eax, dword ptr fs:[00000030h] 16_2_035D0EA5
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035846A7 mov eax, dword ptr fs:[00000030h] 16_2_035846A7
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03527D50 mov eax, dword ptr fs:[00000030h] 16_2_03527D50
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0352B944 mov eax, dword ptr fs:[00000030h] 16_2_0352B944
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0352B944 mov eax, dword ptr fs:[00000030h] 16_2_0352B944
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03543D43 mov eax, dword ptr fs:[00000030h] 16_2_03543D43
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03583540 mov eax, dword ptr fs:[00000030h] 16_2_03583540
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0350B171 mov eax, dword ptr fs:[00000030h] 16_2_0350B171
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0350B171 mov eax, dword ptr fs:[00000030h] 16_2_0350B171
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0352C577 mov eax, dword ptr fs:[00000030h] 16_2_0352C577
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0352C577 mov eax, dword ptr fs:[00000030h] 16_2_0352C577
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0350C962 mov eax, dword ptr fs:[00000030h] 16_2_0350C962
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03509100 mov eax, dword ptr fs:[00000030h] 16_2_03509100
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03509100 mov eax, dword ptr fs:[00000030h] 16_2_03509100
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03509100 mov eax, dword ptr fs:[00000030h] 16_2_03509100
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0350AD30 mov eax, dword ptr fs:[00000030h] 16_2_0350AD30
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03513D34 mov eax, dword ptr fs:[00000030h] 16_2_03513D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03513D34 mov eax, dword ptr fs:[00000030h] 16_2_03513D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03513D34 mov eax, dword ptr fs:[00000030h] 16_2_03513D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03513D34 mov eax, dword ptr fs:[00000030h] 16_2_03513D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03513D34 mov eax, dword ptr fs:[00000030h] 16_2_03513D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03513D34 mov eax, dword ptr fs:[00000030h] 16_2_03513D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03513D34 mov eax, dword ptr fs:[00000030h] 16_2_03513D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03513D34 mov eax, dword ptr fs:[00000030h] 16_2_03513D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03513D34 mov eax, dword ptr fs:[00000030h] 16_2_03513D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03513D34 mov eax, dword ptr fs:[00000030h] 16_2_03513D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03513D34 mov eax, dword ptr fs:[00000030h] 16_2_03513D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03513D34 mov eax, dword ptr fs:[00000030h] 16_2_03513D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03513D34 mov eax, dword ptr fs:[00000030h] 16_2_03513D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03534D3B mov eax, dword ptr fs:[00000030h] 16_2_03534D3B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03534D3B mov eax, dword ptr fs:[00000030h] 16_2_03534D3B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03534D3B mov eax, dword ptr fs:[00000030h] 16_2_03534D3B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035D8D34 mov eax, dword ptr fs:[00000030h] 16_2_035D8D34
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0353513A mov eax, dword ptr fs:[00000030h] 16_2_0353513A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0353513A mov eax, dword ptr fs:[00000030h] 16_2_0353513A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0358A537 mov eax, dword ptr fs:[00000030h] 16_2_0358A537
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03524120 mov eax, dword ptr fs:[00000030h] 16_2_03524120
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03524120 mov eax, dword ptr fs:[00000030h] 16_2_03524120
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03524120 mov eax, dword ptr fs:[00000030h] 16_2_03524120
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03524120 mov eax, dword ptr fs:[00000030h] 16_2_03524120
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03524120 mov ecx, dword ptr fs:[00000030h] 16_2_03524120
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035B8DF1 mov eax, dword ptr fs:[00000030h] 16_2_035B8DF1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0350B1E1 mov eax, dword ptr fs:[00000030h] 16_2_0350B1E1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0350B1E1 mov eax, dword ptr fs:[00000030h] 16_2_0350B1E1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0350B1E1 mov eax, dword ptr fs:[00000030h] 16_2_0350B1E1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035941E8 mov eax, dword ptr fs:[00000030h] 16_2_035941E8
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0351D5E0 mov eax, dword ptr fs:[00000030h] 16_2_0351D5E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0351D5E0 mov eax, dword ptr fs:[00000030h] 16_2_0351D5E0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0353FD9B mov eax, dword ptr fs:[00000030h] 16_2_0353FD9B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0353FD9B mov eax, dword ptr fs:[00000030h] 16_2_0353FD9B
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0352C182 mov eax, dword ptr fs:[00000030h] 16_2_0352C182
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0353A185 mov eax, dword ptr fs:[00000030h] 16_2_0353A185
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03502D8A mov eax, dword ptr fs:[00000030h] 16_2_03502D8A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03502D8A mov eax, dword ptr fs:[00000030h] 16_2_03502D8A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03502D8A mov eax, dword ptr fs:[00000030h] 16_2_03502D8A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03502D8A mov eax, dword ptr fs:[00000030h] 16_2_03502D8A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03502D8A mov eax, dword ptr fs:[00000030h] 16_2_03502D8A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035335A1 mov eax, dword ptr fs:[00000030h] 16_2_035335A1
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03520050 mov eax, dword ptr fs:[00000030h] 16_2_03520050
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03520050 mov eax, dword ptr fs:[00000030h] 16_2_03520050
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0359C450 mov eax, dword ptr fs:[00000030h] 16_2_0359C450
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0359C450 mov eax, dword ptr fs:[00000030h] 16_2_0359C450
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035D1074 mov eax, dword ptr fs:[00000030h] 16_2_035D1074
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035C2073 mov eax, dword ptr fs:[00000030h] 16_2_035C2073
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0352746D mov eax, dword ptr fs:[00000030h] 16_2_0352746D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035D4015 mov eax, dword ptr fs:[00000030h] 16_2_035D4015
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035D4015 mov eax, dword ptr fs:[00000030h] 16_2_035D4015
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03587016 mov eax, dword ptr fs:[00000030h] 16_2_03587016
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03587016 mov eax, dword ptr fs:[00000030h] 16_2_03587016
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03587016 mov eax, dword ptr fs:[00000030h] 16_2_03587016
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035D740D mov eax, dword ptr fs:[00000030h] 16_2_035D740D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035D740D mov eax, dword ptr fs:[00000030h] 16_2_035D740D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035D740D mov eax, dword ptr fs:[00000030h] 16_2_035D740D
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03586C0A mov eax, dword ptr fs:[00000030h] 16_2_03586C0A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03586C0A mov eax, dword ptr fs:[00000030h] 16_2_03586C0A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03586C0A mov eax, dword ptr fs:[00000030h] 16_2_03586C0A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03586C0A mov eax, dword ptr fs:[00000030h] 16_2_03586C0A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035C1C06 mov eax, dword ptr fs:[00000030h] 16_2_035C1C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035C1C06 mov eax, dword ptr fs:[00000030h] 16_2_035C1C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035C1C06 mov eax, dword ptr fs:[00000030h] 16_2_035C1C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035C1C06 mov eax, dword ptr fs:[00000030h] 16_2_035C1C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035C1C06 mov eax, dword ptr fs:[00000030h] 16_2_035C1C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035C1C06 mov eax, dword ptr fs:[00000030h] 16_2_035C1C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035C1C06 mov eax, dword ptr fs:[00000030h] 16_2_035C1C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035C1C06 mov eax, dword ptr fs:[00000030h] 16_2_035C1C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035C1C06 mov eax, dword ptr fs:[00000030h] 16_2_035C1C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035C1C06 mov eax, dword ptr fs:[00000030h] 16_2_035C1C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035C1C06 mov eax, dword ptr fs:[00000030h] 16_2_035C1C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035C1C06 mov eax, dword ptr fs:[00000030h] 16_2_035C1C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035C1C06 mov eax, dword ptr fs:[00000030h] 16_2_035C1C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035C1C06 mov eax, dword ptr fs:[00000030h] 16_2_035C1C06
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0351B02A mov eax, dword ptr fs:[00000030h] 16_2_0351B02A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0351B02A mov eax, dword ptr fs:[00000030h] 16_2_0351B02A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0351B02A mov eax, dword ptr fs:[00000030h] 16_2_0351B02A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0351B02A mov eax, dword ptr fs:[00000030h] 16_2_0351B02A
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0353BC2C mov eax, dword ptr fs:[00000030h] 16_2_0353BC2C
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0359B8D0 mov eax, dword ptr fs:[00000030h] 16_2_0359B8D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0359B8D0 mov ecx, dword ptr fs:[00000030h] 16_2_0359B8D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0359B8D0 mov eax, dword ptr fs:[00000030h] 16_2_0359B8D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0359B8D0 mov eax, dword ptr fs:[00000030h] 16_2_0359B8D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0359B8D0 mov eax, dword ptr fs:[00000030h] 16_2_0359B8D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0359B8D0 mov eax, dword ptr fs:[00000030h] 16_2_0359B8D0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035D8CD6 mov eax, dword ptr fs:[00000030h] 16_2_035D8CD6
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035C14FB mov eax, dword ptr fs:[00000030h] 16_2_035C14FB
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03586CF0 mov eax, dword ptr fs:[00000030h] 16_2_03586CF0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03586CF0 mov eax, dword ptr fs:[00000030h] 16_2_03586CF0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03586CF0 mov eax, dword ptr fs:[00000030h] 16_2_03586CF0
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03509080 mov eax, dword ptr fs:[00000030h] 16_2_03509080
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03583884 mov eax, dword ptr fs:[00000030h] 16_2_03583884
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_03583884 mov eax, dword ptr fs:[00000030h] 16_2_03583884
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0353F0BF mov ecx, dword ptr fs:[00000030h] 16_2_0353F0BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0353F0BF mov eax, dword ptr fs:[00000030h] 16_2_0353F0BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_0353F0BF mov eax, dword ptr fs:[00000030h] 16_2_0353F0BF
Source: C:\Windows\SysWOW64\netsh.exe Code function: 16_2_035490AF mov eax, dword ptr fs:[00000030h] 16_2_035490AF
Enables debug privileges
Source: C:\Users\user\Desktop\Cont-024.xls.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\netsh.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Cont-024.xls.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Cont-024.xls.exe Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Cont-024.xls.exe Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\Cont-024.xls.exe Thread register set: target process: 3292
Source: C:\Windows\SysWOW64\netsh.exe Thread register set: target process: 3292
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\Cont-024.xls.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\Cont-024.xls.exe Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: 970000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Cont-024.xls.exe Process created: C:\Users\user\Desktop\Cont-024.xls.exe 'C:\Users\user\Desktop\Cont-024.xls.exe'
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Cont-024.xls.exe'
Source: explorer.exe, 0000000C.00000000.320356914.0000000001400000.00000002.00000001.sdmp, netsh.exe, 00000010.00000002.517777332.0000000004970000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: explorer.exe, 0000000C.00000000.320356914.0000000001400000.00000002.00000001.sdmp, netsh.exe, 00000010.00000002.517777332.0000000004970000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000C.00000000.320356914.0000000001400000.00000002.00000001.sdmp, netsh.exe, 00000010.00000002.517777332.0000000004970000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000C.00000000.320356914.0000000001400000.00000002.00000001.sdmp, netsh.exe, 00000010.00000002.517777332.0000000004970000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000000C.00000002.513610486.0000000000EB8000.00000004.00000020.sdmp Binary or memory string: ProgmanX
Source: explorer.exe, 0000000C.00000000.344441869.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndAj

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings
Source: unknown Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000003.00000002.365236576.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.370576629.000000001E140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.513869783.0000000002E40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.513794763.0000000002E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.512373719.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Yara detected Generic Dropper
Source: Yara match File source: Process Memory Space: netsh.exe PID: 1348, type: MEMORY
Source: Yara match File source: Process Memory Space: Cont-024.xls.exe PID: 6996, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000003.00000002.365236576.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.370576629.000000001E140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.513869783.0000000002E40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.513794763.0000000002E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.512373719.00000000008D0000.00000040.00000001.sdmp, type: MEMORY