

Analysis Report Cont-024.xls.exe

Overview

General Information

Sample Name: Cont-024.xls.exe
Analysis ID: 298053
MD5: 98ec62a875ec70797f2ea35d2ebfabaa
SHA1: 240e89e8a2499d8c2ba4770730d274b624eb2b12
SHA256: 3b6bd50cbfa7f874757c7d87f02efa24ab2b8bf1eaa18d0abbc3dfd25e2ecc15
Tags: exe, GuLoader

Most interesting Screenshot:

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Uses netsh to modify the Windows network and firewall settings
Yara detected VB6 Downloader Generic
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Cont-024.xls.exe (PID: 6776 cmdline: 'C:\Users\user\Desktop\Cont-024.xls.exe' MD5: 98EC62A875EC70797F2EA35D2EBFABAA)
    • Cont-024.xls.exe (PID: 6996 cmdline: 'C:\Users\user\Desktop\Cont-024.xls.exe' MD5: 98EC62A875EC70797F2EA35D2EBFABAA)
      • explorer.exe (PID: 3292 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • netsh.exe (PID: 1348 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
          • cmd.exe (PID: 1404 cmdline: /c del 'C:\Users\user\Desktop\Cont-024.xls.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 2944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

  • Source: 00000010.00000002.517481605.0000000003A0F000.00000004.00000001.sdmp
    Rule: LokiBot_Dropper_Packed_R11_Feb18
    Description: Auto-generated rule - file scan copy.pdf.r11
    Author: Florian Roth
    Strings:
      • 0x8ba4:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
  • Source: 00000003.00000002.365236576.00000000000A0000.00000040.00000001.sdmp
    Rule: JoeSecurity_FormBook
    Description: Yara detected FormBook
    Author: Joe Security
  • Source: 00000003.00000002.365236576.00000000000A0000.00000040.00000001.sdmp
    Rule: Formbook_1
    Description: autogenerated rule brought to you by yara-signator
    Author: Felix Bilstein - yara-signator at cocacoding dot com
    Strings:
      • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b2f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c2fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  • Source: 00000003.00000002.365236576.00000000000A0000.00000040.00000001.sdmp
    Rule: Formbook
    Description: detect Formbook in memory
    Author: JPCERT/CC Incident Response Group
    Strings:
      • 0x183d9:$sqlite3step: 68 34 1C 7B E1
      • 0x184ec:$sqlite3step: 68 34 1C 7B E1
      • 0x18408:$sqlite3text: 68 38 2A 90 C5
      • 0x1852d:$sqlite3text: 68 38 2A 90 C5
      • 0x1841b:$sqlite3blob: 68 53 D8 7F 8C
      • 0x18543:$sqlite3blob: 68 53 D8 7F 8C
  • Source: 00000003.00000002.365472152.0000000000560000.00000040.00000001.sdmp
    Rule: JoeSecurity_GuLoader
    Description: Yara detected GuLoader
    Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Double Extension
Source: Process started | Author: Florian Roth (rule), @blu3_team (idea) | Data: Command: 'C:\Users\user\Desktop\Cont-024.xls.exe', CommandLine: 'C:\Users\user\Desktop\Cont-024.xls.exe', CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\Cont-024.xls.exe, NewProcessName: C:\Users\user\Desktop\Cont-024.xls.exe, OriginalFileName: C:\Users\user\Desktop\Cont-024.xls.exe, ParentCommandLine: 'C:\Users\user\Desktop\Cont-024.xls.exe', ParentImage: C:\Users\user\Desktop\Cont-024.xls.exe, ParentProcessId: 6776, ProcessCommandLine: 'C:\Users\user\Desktop\Cont-024.xls.exe', ProcessId: 6996

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Cont-024.xls.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: Cont-024.xls.exe | Virustotal: Detection: 34%
Source: Cont-024.xls.exe | ReversingLabs: Detection: 33%
Yara detected FormBook
Source: Yara match | File source: 00000003.00000002.365236576.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.370576629.000000001E140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.513869783.0000000002E40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.513794763.0000000002E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.512373719.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: 0.0.Cont-024.xls.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 3.0.Cont-024.xls.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 0.2.Cont-024.xls.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4x nop then pop esi (16_2_008E72BD)
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4x nop then pop ebx (16_2_008D7AFB)
Source: unknown | DNS traffic detected: queries for: onedrive.live.com
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000000C.00000000.344941106.0000000008C57000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.mi
Source: explorer.exe, 0000000C.00000000.344941106.0000000008C57000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.micr
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000C.00000000.337001983.0000000006870000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Cont-024.xls.exe, 00000003.00000002.365472152.0000000000560000.00000040.00000001.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=5E15857517F5B05A&resid=5E15857517F5B05A%21111&authkey=ALq-M7H
Source: Cont-024.xls.exe, 00000000.00000002.265763391.000000000071A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000003.00000002.365236576.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.370576629.000000001E140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.513869783.0000000002E40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.513794763.0000000002E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.512373719.00000000008D0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000010.00000002.517481605.0000000003A0F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
Source: 00000003.00000002.365236576.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.365236576.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.370576629.000000001E140000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.370576629.000000001E140000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.513869783.0000000002E40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.513869783.0000000002E40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.513794763.0000000002E10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.513794763.0000000002E10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.514108192.0000000002EB4000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
Source: 00000010.00000002.512373719.00000000008D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.512373719.00000000008D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_020D1029 NtSetInformationThread, NtWriteVirtualMemory, TerminateProcess
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_020D2EBE NtResumeThread
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_020D012F EnumWindows, NtSetInformationThread, TerminateProcess
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_020D2B6B NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_020D26C2 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_020D01B7 NtSetInformationThread, TerminateProcess
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_020D07B0 NtSetInformationThread, TerminateProcess
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9A20 NtResumeThread, LdrInitializeThunk
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9A00 NtProtectVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9A50 NtCreateFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D96E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D97A0 NtUnmapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9840 NtDelayExecution, LdrInitializeThunk
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D98F0 NtReadVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9540 NtReadFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D99A0 NtCreateSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D95D0 NtClose, LdrInitializeThunk
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9A10 NtQuerySection
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9670 NtQueryInformationProcess
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9650 NtQueryValueKey
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D96D0 NtCreateKey
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3DA710 NtOpenProcessToken
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9B00 NtSetValueKey
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9770 NtSetInformationFile
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3DA770 NtOpenThread
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9760 NtOpenProcess
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3DA3B0 NtGetContextThread
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9FE0 NtCreateMutant
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9820 NtEnumerateKey
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3DB040 NtSuspendThread
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D98A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3DAD30 NtSetContextThread
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9560 NtWriteFile
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9950 NtQueueApcThread
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D95F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D99D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_00562EBE NtSetInformationThread
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_00562B6B NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_0056047E NtProtectVirtualMemory
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_00561029 NtSetInformationThread
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_005601B7 NtSetInformationThread
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_005607B0 NtSetInformationThread
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549FE0 NtCreateMutant, LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549A50 NtCreateFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_035496D0 NtCreateKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_035496E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549540 NtReadFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_035495D0 NtClose, LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_035499A0 NtCreateSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549840 NtDelayExecution, LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549770 NtSetInformationFile
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0354A770 NtOpenThread
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549760 NtOpenProcess
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0354A710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549B00 NtSetValueKey
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0354A3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_035497A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549650 NtQueryValueKey
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549660 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549A10 NtQuerySection
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549A20 NtResumeThread
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549950 NtQueueApcThread
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549560 NtWriteFile
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0354AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_035499D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_035495F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0354B040 NtSuspendThread
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549820 NtEnumerateKey
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_035498F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_035498A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_008E9DE0 NtReadFile
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_008E9D30 NtCreateFile
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_008E9E60 NtClose
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_008E9DDA NtReadFile
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_008E9E2D NtReadFile
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_00403B59
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3B6E30
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3CEBB0
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3A841F
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E451002
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3AB090
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E461D55
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E390D20
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3B4120
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E39F900
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3AD5E0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0353EBB0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03526E30
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_035D1D55
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0350F900
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03500D20
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03524120
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0351D5E0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0351841F
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_035C1002
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0351B090
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_008EEA89
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_008EE230
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_008EE58D
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_008D2D87
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_008D2D90
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_008EE590
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_008D9E2B
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_008D9E30
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_008D2FB0
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: String function: 1E39B150 appears 32 times
Source: C:\Windows\SysWOW64\netsh.exe | Code function: String function: 0350B150 appears 32 times
Source: Cont-024.xls.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Cont-024.xls.exe, 00000000.00000000.244493400.000000000040C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameciscoscampuseslazi.exe vs Cont-024.xls.exe
Source: Cont-024.xls.exe, 00000000.00000002.266327232.0000000002930000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameciscoscampuseslazi.exeFE2X vs Cont-024.xls.exe
Source: Cont-024.xls.exe, 00000003.00000002.374376949.000000001E61F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Cont-024.xls.exe
Source: Cont-024.xls.exe, 00000003.00000002.365403295.00000000000EC000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamenetsh.exej% vs Cont-024.xls.exe
Source: Cont-024.xls.exe, 00000003.00000000.263140933.000000000040C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameciscoscampuseslazi.exe vs Cont-024.xls.exe
Source: Cont-024.xls.exe, 00000003.00000002.370414082.000000001DDA0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Cont-024.xls.exe
Source: Cont-024.xls.exe, 00000003.00000002.370363970.000000001DC50000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Cont-024.xls.exe
Source: Cont-024.xls.exe | Binary or memory string: OriginalFilenameciscoscampuseslazi.exe vs Cont-024.xls.exe
Source: 00000010.00000002.517481605.0000000003A0F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 (date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/)
Source: 00000003.00000002.365236576.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 00000003.00000002.365236576.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 00000003.00000002.370576629.000000001E140000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 00000003.00000002.370576629.000000001E140000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 00000010.00000002.513869783.0000000002E40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 00000010.00000002.513869783.0000000002E40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 00000010.00000002.513794763.0000000002E10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 00000010.00000002.513794763.0000000002E10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 00000010.00000002.514108192.0000000002EB4000.00000004.00000020.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 (date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/)
      Source: 00000010.00000002.512373719.00000000008D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000010.00000002.512373719.00000000008D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/0@4/1
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2944:120:WilError_01
      Source: C:\Users\user\Desktop\Cont-024.xls.exeFile created: C:\Users\user~1\AppData\Local\Temp\~DFE28EB8CE67E796AA.TMPJump to behavior
      Source: Cont-024.xls.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\Cont-024.xls.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
      Source: C:\Users\user\Desktop\Cont-024.xls.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: C:\Users\user\Desktop\Cont-024.xls.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Users\user\Desktop\Cont-024.xls.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Users\user\Desktop\Cont-024.xls.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Users\user\Desktop\Cont-024.xls.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: Cont-024.xls.exeVirustotal: Detection: 34%
      Source: Cont-024.xls.exeReversingLabs: Detection: 33%
      Source: unknownProcess created: C:\Users\user\Desktop\Cont-024.xls.exe 'C:\Users\user\Desktop\Cont-024.xls.exe'
      Source: unknownProcess created: C:\Users\user\Desktop\Cont-024.xls.exe 'C:\Users\user\Desktop\Cont-024.xls.exe'
      Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
      Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Cont-024.xls.exe'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\Cont-024.xls.exeProcess created: C:\Users\user\Desktop\Cont-024.xls.exe 'C:\Users\user\Desktop\Cont-024.xls.exe' Jump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Cont-024.xls.exe'Jump to behavior
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000C.00000000.347258325.000000000E8F0000.00000002.00000001.sdmp
      Source: Binary string: netsh.pdb source: Cont-024.xls.exe, 00000003.00000002.365351452.00000000000D0000.00000040.00000001.sdmp
      Source: Binary string: netsh.pdbGCTL source: Cont-024.xls.exe, 00000003.00000002.365351452.00000000000D0000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: Cont-024.xls.exe, 00000003.00000002.371157817.000000001E370000.00000040.00000001.sdmp, netsh.exe, 00000010.00000002.514552427.00000000034E0000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: Cont-024.xls.exe, netsh.exe
      Source: Binary string: wscui.pdb source: explorer.exe, 0000000C.00000000.347258325.000000000E8F0000.00000002.00000001.sdmp

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara match | File source: 00000003.00000002.365472152.0000000000560000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: Cont-024.xls.exe PID: 6996, type: MEMORY
      Source: Yara match | File source: Process Memory Space: Cont-024.xls.exe PID: 6776, type: MEMORY
      Yara detected VB6 Downloader Generic
      Source: Yara match | File source: Process Memory Space: Cont-024.xls.exe PID: 6996, type: MEMORY
      Source: Yara match | File source: Process Memory Space: Cont-024.xls.exe PID: 6776, type: MEMORY
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_00408048 push 00401144h; ret 0_2_0040805B
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_0040805C push 00401144h; ret 0_2_0040806F
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_00408070 push 00401144h; ret 0_2_00408083
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_00404A06 push edi; retf 0_2_00404A17
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_0040800C push 00401144h; ret 0_2_0040801F
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_00408020 push 00401144h; ret 0_2_00408033
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_00408034 push 00401144h; ret 0_2_00408047
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_004080C0 push 00401144h; ret 0_2_004080D3
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_004060C4 push esp; retf 0_2_004060D2
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_004080D4 push 00401144h; ret 0_2_004080E7
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_004080E8 push 00401144h; ret 0_2_004080FB
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_004080FC push 00401144h; ret 0_2_0040810F
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_00408084 push 00401144h; ret 0_2_00408097
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_00407E8A push 00401144h; ret 0_2_00407F7F
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_00408098 push 00401144h; ret 0_2_004080AB
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_004080AC push 00401144h; ret 0_2_004080BF
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_0040814C push 00401144h; ret 0_2_0040815F
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_00408160 push 00401144h; ret 0_2_00408173
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_00408174 push 00401144h; ret 0_2_00408187
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_00408110 push 00401144h; ret 0_2_00408123
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_00408124 push 00401144h; ret 0_2_00408137
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_00408138 push 00401144h; ret 0_2_0040814B
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_00407FD0 push 00401144h; ret 0_2_00407FE3
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_00407FE4 push 00401144h; ret 0_2_00407FF7
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_00407DE8 push 00401144h; ret 0_2_00407F7F
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_00407FF8 push 00401144h; ret 0_2_0040800B
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_00407F80 push 00401144h; ret 0_2_00407F93
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_00408188 push 00401144h; ret 0_2_0040819B
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_00407F94 push 00401144h; ret 0_2_00407FA7
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_0040819C push 00401144h; ret 0_2_004081AF
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_00405FA2 push edi; retf 0_2_00406082

      Hooking and other Techniques for Hiding and Protection:

      Modifies the prolog of user mode functions (user mode inline hooks)
      Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x83 0x3E 0xE2
      Uses an obfuscated file name to hide its real file extension (double extension)
      Source: Possible double extension: xls.exe | Static PE information: Cont-024.xls.exe
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Detected RDTSC dummy instruction sequence (likely for instruction hammering)
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | RDTSC instruction interceptor: First address: 00000000020D2700 second address: 00000000020D2700 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FD238D1A0B8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f pop ecx 0x00000020 test al, al 0x00000022 cmp dx, bx 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007FD238D1A09Ch 0x0000002d push ecx 0x0000002e cmp al, dl 0x00000030 call 00007FD238D1A0CCh 0x00000035 call 00007FD238D1A0CAh 0x0000003a lfence 0x0000003d mov edx, dword ptr [7FFE0014h] 0x00000043 lfence 0x00000046 ret 0x00000047 mov esi, edx 0x00000049 pushad 0x0000004a rdtsc
      Tries to detect Any.run
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | File opened: C:\Program Files\qga\qga.exe
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | File opened: C:\Program Files\qga\qga.exe
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: Cont-024.xls.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | RDTSC instruction interceptor: First address: 00000000020D2700 second address: 00000000020D2700 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FD238D1A0B8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f pop ecx 0x00000020 test al, al 0x00000022 cmp dx, bx 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007FD238D1A09Ch 0x0000002d push ecx 0x0000002e cmp al, dl 0x00000030 call 00007FD238D1A0CCh 0x00000035 call 00007FD238D1A0CAh 0x0000003a lfence 0x0000003d mov edx, dword ptr [7FFE0014h] 0x00000043 lfence 0x00000046 ret 0x00000047 mov esi, edx 0x00000049 pushad 0x0000004a rdtsc
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | RDTSC instruction interceptor: First address: 00000000020D2722 second address: 00000000020D2722 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FD238D1A0E3h 0x0000001f popad 0x00000020 call 00007FD238D19FCAh 0x00000025 lfence 0x00000028 rdtsc
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | RDTSC instruction interceptor: First address: 0000000000562722 second address: 0000000000562722 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FD238D1A233h 0x0000001f popad 0x00000020 call 00007FD238D1A11Ah 0x00000025 lfence 0x00000028 rdtsc
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | RDTSC instruction interceptor: First address: 0000000000560C89 second address: 0000000000560CBF instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp dh, ch 0x00000005 mov ecx, dword ptr [edi+00000808h] 0x0000000b jmp 00007FD238D19F69h 0x0000000d mov dword ptr [eax+20h], ecx 0x00000010 test dh, dh 0x00000012 mov esi, dword ptr [edi+00000800h] 0x00000018 test cx, dx 0x0000001b mov dword ptr [eax+18h], esi 0x0000001e test eax, ebx 0x00000020 add esi, dword ptr [edi+00000850h] 0x00000026 mov dword ptr [eax+1Ch], esi 0x00000029 pushad 0x0000002a mov edi, 00000009h 0x0000002f rdtsc
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | RDTSC instruction interceptor: First address: 0000000000560CBF second address: 0000000000560CF1 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp dh, ch 0x00000005 cmp dword ptr [ebp+70h], 01h 0x00000009 je 00007FD238D1A16Dh 0x0000000f mov esi, edi 0x00000011 add esi, 00001000h 0x00000017 xor ecx, ecx 0x00000019 test dl, cl 0x0000001b push ecx 0x0000001c test dh, dh 0x0000001e push edi 0x0000001f test cx, dx 0x00000022 test eax, ebx 0x00000024 mov eax, ebp 0x00000026 add eax, 0000009Ch 0x0000002b push eax 0x0000002c pushad 0x0000002d mov edi, 00000094h 0x00000032 rdtsc
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | RDTSC instruction interceptor: First address: 0000000000560D7F second address: 0000000000560D9F instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp dh, ch 0x00000005 pop edi 0x00000006 test dl, cl 0x00000008 cmp dword ptr [ebp+70h], 01h 0x0000000c jne 00007FD238D19F6Ch 0x0000000e test eax, ebx 0x00000010 pushad 0x00000011 mov edi, 00000088h 0x00000016 rdtsc
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | RDTSC instruction interceptor: First address: 0000000000560D9F second address: 0000000000560DD6 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp dh, ch 0x00000005 mov eax, dword ptr [edi+00000850h] 0x0000000b add eax, dword ptr [edi+00000800h] 0x00000011 jmp 00007FD238D1C2B1h 0x00000016 call 00007FD238D17EB4h 0x0000001b pop edx 0x0000001c test dl, cl 0x0000001e mov dword ptr [edx+01h], eax 0x00000021 test dh, dh 0x00000023 mov ecx, dword ptr [ebp+000000ACh] 0x00000029 test cx, dx 0x0000002c mov esi, dword ptr [ebp+20h] 0x0000002f test eax, ebx 0x00000031 dec ecx 0x00000032 mov byte ptr [esi+ecx], 00000000h 0x00000036 pushad 0x00000037 mov edi, 000000ECh 0x0000003c rdtsc
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | RDTSC instruction interceptor: First address: 0000000000560DD6 second address: 0000000000560DD6 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp ecx, 00000000h 0x00000006 jne 00007FD238D19F4Fh 0x00000008 dec ecx 0x00000009 mov byte ptr [esi+ecx], 00000000h 0x0000000d pushad 0x0000000e mov edi, 000000ECh 0x00000013 rdtsc
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\netsh.exe | RDTSC instruction interceptor: First address: 00000000008D98E4 second address: 00000000008D98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\netsh.exe | RDTSC instruction interceptor: First address: 00000000008D9B4E second address: 00000000008D9B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_020D0C5D rdtsc 0_2_020D0C5D
      Source: C:\Windows\explorer.exe TID: 3804 | Thread sleep time: -44000s >= -30000s
      Source: C:\Windows\SysWOW64\netsh.exe TID: 1344 | Thread sleep time: -35000s >= -30000s
      Source: C:\Windows\explorer.exe | Last function: Thread delayed
      Source: C:\Windows\explorer.exe | Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: explorer.exe, 0000000C.00000000.344255275.0000000008A32000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
      Source: explorer.exe, 0000000C.00000000.344255275.0000000008A32000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
      Source: Cont-024.xls.exe, 00000000.00000002.266473926.00000000038CA000.00000004.00000001.sdmp, Cont-024.xls.exe, 00000003.00000002.366694123.000000000241A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
      Source: explorer.exe, 0000000C.00000000.336260819.00000000059C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: Cont-024.xls.exe, 00000000.00000002.266473926.00000000038CA000.00000004.00000001.sdmp, Cont-024.xls.exe, 00000003.00000002.366694123.000000000241A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
      Source: explorer.exe, 0000000C.00000000.344585647.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
      Source: Cont-024.xls.exe, 00000000.00000002.266473926.00000000038CA000.00000004.00000001.sdmp, Cont-024.xls.exe, 00000003.00000002.366694123.000000000241A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
      Source: explorer.exe, 0000000C.00000000.344441869.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
      Source: Cont-024.xls.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: explorer.exe, 0000000C.00000000.336260819.00000000059C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: Cont-024.xls.exe, 00000000.00000002.266473926.00000000038CA000.00000004.00000001.sdmp, Cont-024.xls.exe, 00000003.00000002.366694123.000000000241A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Heartbeat Service
      Source: Cont-024.xls.exe, 00000000.00000002.266473926.00000000038CA000.00000004.00000001.sdmp, Cont-024.xls.exe, 00000003.00000002.366694123.000000000241A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
      Source: explorer.exe, 0000000C.00000000.344585647.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: Cont-024.xls.exe, 00000003.00000002.366694123.000000000241A000.00000004.00000001.sdmp | Binary or memory string: vmicshutdown
      Source: explorer.exe, 0000000C.00000002.530285921.00000000048E0000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: Cont-024.xls.exe, 00000000.00000002.266473926.00000000038CA000.00000004.00000001.sdmp, Cont-024.xls.exe, 00000003.00000002.366694123.000000000241A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
      Source: explorer.exe, 0000000C.00000000.344585647.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
      Source: explorer.exe, 0000000C.00000000.344441869.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
      Source: Cont-024.xls.exe, 00000003.00000002.366694123.000000000241A000.00000004.00000001.sdmp | Binary or memory string: vmicvss
      Source: explorer.exe, 0000000C.00000000.337180197.00000000069DA000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD002
      Source: explorer.exe, 0000000C.00000000.336260819.00000000059C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: Cont-024.xls.exe, 00000000.00000002.266473926.00000000038CA000.00000004.00000001.sdmp, Cont-024.xls.exe, 00000003.00000002.366694123.000000000241A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Data Exchange Service
      Source: Cont-024.xls.exe, 00000000.00000002.266473926.00000000038CA000.00000004.00000001.sdmp, Cont-024.xls.exe, 00000003.00000002.366694123.000000000241A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Service Interface
      Source: Cont-024.xls.exe, 00000003.00000002.366694123.000000000241A000.00000004.00000001.sdmp | Binary or memory string: vmicheartbeat
      Source: explorer.exe, 0000000C.00000000.336260819.00000000059C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Process information queried: ProcessInformation

      Anti Debugging:

      Hides threads from debuggers
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Thread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Process queried: DebugPort
      Source: C:\Windows\SysWOW64\netsh.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_020D0C5D rdtsc 0_2_020D0C5D
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_020D1D10 LdrInitializeThunk, 0_2_020D1D10
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_020D14AE mov eax, dword ptr fs:[00000030h] 0_2_020D14AE
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_020D28F2 mov eax, dword ptr fs:[00000030h] 0_2_020D28F2
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_020D2371 mov eax, dword ptr fs:[00000030h] 0_2_020D2371
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_020D25AC mov eax, dword ptr fs:[00000030h] 0_2_020D25AC
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_020D09B8 mov eax, dword ptr fs:[00000030h] 0_2_020D09B8
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_020D0DB5 mov eax, dword ptr fs:[00000030h] 0_2_020D0DB5
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E424257 mov eax, dword ptr fs:[00000030h] 3_2_1E424257
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E39E620 mov eax, dword ptr fs:[00000030h] 3_2_1E39E620
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E44B260 mov eax, dword ptr fs:[00000030h] 3_2_1E44B260
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E44B260 mov eax, dword ptr fs:[00000030h] 3_2_1E44B260
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E468A62 mov eax, dword ptr fs:[00000030h] 3_2_1E468A62
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3B3A1C mov eax, dword ptr fs:[00000030h] 3_2_1E3B3A1C
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E39C600 mov eax, dword ptr fs:[00000030h] 3_2_1E39C600
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E39C600 mov eax, dword ptr fs:[00000030h] 3_2_1E39C600
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E39C600 mov eax, dword ptr fs:[00000030h] 3_2_1E39C600
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D927A mov eax, dword ptr fs:[00000030h] 3_2_1E3D927A
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3BAE73 mov eax, dword ptr fs:[00000030h] 3_2_1E3BAE73
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3BAE73 mov eax, dword ptr fs:[00000030h] 3_2_1E3BAE73
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3BAE73 mov eax, dword ptr fs:[00000030h] 3_2_1E3BAE73
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3BAE73 mov eax, dword ptr fs:[00000030h] 3_2_1E3BAE73
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3BAE73 mov eax, dword ptr fs:[00000030h] 3_2_1E3BAE73
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3A766D mov eax, dword ptr fs:[00000030h] 3_2_1E3A766D
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E399240 mov eax, dword ptr fs:[00000030h] 3_2_1E399240
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E399240 mov eax, dword ptr fs:[00000030h] 3_2_1E399240
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E399240 mov eax, dword ptr fs:[00000030h] 3_2_1E399240
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E399240 mov eax, dword ptr fs:[00000030h] 3_2_1E399240
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E44FE3F mov eax, dword ptr fs:[00000030h] 3_2_1E44FE3F
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3A7E41 mov eax, dword ptr fs:[00000030h] 3_2_1E3A7E41
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3A7E41 mov eax, dword ptr fs:[00000030h] 3_2_1E3A7E41
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3A7E41 mov eax, dword ptr fs:[00000030h] 3_2_1E3A7E41
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3A7E41 mov eax, dword ptr fs:[00000030h] 3_2_1E3A7E41
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3A7E41 mov eax, dword ptr fs:[00000030h] 3_2_1E3A7E41
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3A7E41 mov eax, dword ptr fs:[00000030h] 3_2_1E3A7E41
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E44FEC0 mov eax, dword ptr fs:[00000030h] 3_2_1E44FEC0
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3AAAB0 mov eax, dword ptr fs:[00000030h] 3_2_1E3AAAB0
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3AAAB0 mov eax, dword ptr fs:[00000030h] 3_2_1E3AAAB0
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3CFAB0 mov eax, dword ptr fs:[00000030h] 3_2_1E3CFAB0
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E468ED6 mov eax, dword ptr fs:[00000030h] 3_2_1E468ED6
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3952A5 mov eax, dword ptr fs:[00000030h] 3_2_1E3952A5
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3952A5 mov eax, dword ptr fs:[00000030h] 3_2_1E3952A5
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3952A5 mov eax, dword ptr fs:[00000030h] 3_2_1E3952A5
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3952A5 mov eax, dword ptr fs:[00000030h] 3_2_1E3952A5
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3952A5 mov eax, dword ptr fs:[00000030h] 3_2_1E3952A5
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3CD294 mov eax, dword ptr fs:[00000030h] 3_2_1E3CD294
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3CD294 mov eax, dword ptr fs:[00000030h] 3_2_1E3CD294
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E42FE87 mov eax, dword ptr fs:[00000030h] 3_2_1E42FE87
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3A76E2 mov eax, dword ptr fs:[00000030h] 3_2_1E3A76E2
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3C16E0 mov ecx, dword ptr fs:[00000030h] 3_2_1E3C16E0
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E460EA5 mov eax, dword ptr fs:[00000030h] 3_2_1E460EA5
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E460EA5 mov eax, dword ptr fs:[00000030h] 3_2_1E460EA5
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E460EA5 mov eax, dword ptr fs:[00000030h] 3_2_1E460EA5
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E4146A7 mov eax, dword ptr fs:[00000030h] 3_2_1E4146A7
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3C36CC mov eax, dword ptr fs:[00000030h] 3_2_1E3C36CC
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D8EC7 mov eax, dword ptr fs:[00000030h] 3_2_1E3D8EC7
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3CE730 mov eax, dword ptr fs:[00000030h] 3_2_1E3CE730
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E394F2E mov eax, dword ptr fs:[00000030h] 3_2_1E394F2E
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E394F2E mov eax, dword ptr fs:[00000030h] 3_2_1E394F2E
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E468B58 mov eax, dword ptr fs:[00000030h] 3_2_1E468B58
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E468F6A mov eax, dword ptr fs:[00000030h] 3_2_1E468F6A
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3C3B7A mov eax, dword ptr fs:[00000030h] 3_2_1E3C3B7A
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3C3B7A mov eax, dword ptr fs:[00000030h] 3_2_1E3C3B7A
      Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E46070D mov eax, dword ptr fs:[00000030h] 3_2_1E46070D
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E46070D mov eax, dword ptr fs:[00000030h]3_2_1E46070D
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E42FF10 mov eax, dword ptr fs:[00000030h]3_2_1E42FF10
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E42FF10 mov eax, dword ptr fs:[00000030h]3_2_1E42FF10
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E39DB60 mov ecx, dword ptr fs:[00000030h]3_2_1E39DB60
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3AFF60 mov eax, dword ptr fs:[00000030h]3_2_1E3AFF60
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E45131B mov eax, dword ptr fs:[00000030h]3_2_1E45131B
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E39F358 mov eax, dword ptr fs:[00000030h]3_2_1E39F358
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E39DB40 mov eax, dword ptr fs:[00000030h]3_2_1E39DB40
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3AEF40 mov eax, dword ptr fs:[00000030h]3_2_1E3AEF40
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3CB390 mov eax, dword ptr fs:[00000030h]3_2_1E3CB390
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3A1B8F mov eax, dword ptr fs:[00000030h]3_2_1E3A1B8F
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3A1B8F mov eax, dword ptr fs:[00000030h]3_2_1E3A1B8F
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E44D380 mov ecx, dword ptr fs:[00000030h]3_2_1E44D380
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3D37F5 mov eax, dword ptr fs:[00000030h]3_2_1E3D37F5
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E45138A mov eax, dword ptr fs:[00000030h]3_2_1E45138A
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E417794 mov eax, dword ptr fs:[00000030h]3_2_1E417794
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E417794 mov eax, dword ptr fs:[00000030h]3_2_1E417794
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E417794 mov eax, dword ptr fs:[00000030h]3_2_1E417794
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E465BA5 mov eax, dword ptr fs:[00000030h]3_2_1E465BA5
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3AB02A mov eax, dword ptr fs:[00000030h]3_2_1E3AB02A
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3AB02A mov eax, dword ptr fs:[00000030h]3_2_1E3AB02A
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3AB02A mov eax, dword ptr fs:[00000030h]3_2_1E3AB02A
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3AB02A mov eax, dword ptr fs:[00000030h]3_2_1E3AB02A
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3CBC2C mov eax, dword ptr fs:[00000030h]3_2_1E3CBC2C
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E42C450 mov eax, dword ptr fs:[00000030h]3_2_1E42C450
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E42C450 mov eax, dword ptr fs:[00000030h]3_2_1E42C450
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E461074 mov eax, dword ptr fs:[00000030h]3_2_1E461074
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E452073 mov eax, dword ptr fs:[00000030h]3_2_1E452073
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E451C06 mov eax, dword ptr fs:[00000030h]3_2_1E451C06
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E451C06 mov eax, dword ptr fs:[00000030h]3_2_1E451C06
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E451C06 mov eax, dword ptr fs:[00000030h]3_2_1E451C06
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E451C06 mov eax, dword ptr fs:[00000030h]3_2_1E451C06
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E451C06 mov eax, dword ptr fs:[00000030h]3_2_1E451C06
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E451C06 mov eax, dword ptr fs:[00000030h]3_2_1E451C06
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E451C06 mov eax, dword ptr fs:[00000030h]3_2_1E451C06
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E451C06 mov eax, dword ptr fs:[00000030h]3_2_1E451C06
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E451C06 mov eax, dword ptr fs:[00000030h]3_2_1E451C06
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E451C06 mov eax, dword ptr fs:[00000030h]3_2_1E451C06
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E451C06 mov eax, dword ptr fs:[00000030h]3_2_1E451C06
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E451C06 mov eax, dword ptr fs:[00000030h]3_2_1E451C06
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E451C06 mov eax, dword ptr fs:[00000030h]3_2_1E451C06
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E451C06 mov eax, dword ptr fs:[00000030h]3_2_1E451C06
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E46740D mov eax, dword ptr fs:[00000030h]3_2_1E46740D
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E46740D mov eax, dword ptr fs:[00000030h]3_2_1E46740D
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E46740D mov eax, dword ptr fs:[00000030h]3_2_1E46740D
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E416C0A mov eax, dword ptr fs:[00000030h]3_2_1E416C0A
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E416C0A mov eax, dword ptr fs:[00000030h]3_2_1E416C0A
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E416C0A mov eax, dword ptr fs:[00000030h]3_2_1E416C0A
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E416C0A mov eax, dword ptr fs:[00000030h]3_2_1E416C0A
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E464015 mov eax, dword ptr fs:[00000030h]3_2_1E464015
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E464015 mov eax, dword ptr fs:[00000030h]3_2_1E464015
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3B746D mov eax, dword ptr fs:[00000030h]3_2_1E3B746D
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E417016 mov eax, dword ptr fs:[00000030h]3_2_1E417016
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E417016 mov eax, dword ptr fs:[00000030h]3_2_1E417016
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E417016 mov eax, dword ptr fs:[00000030h]3_2_1E417016
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3B0050 mov eax, dword ptr fs:[00000030h]3_2_1E3B0050
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3B0050 mov eax, dword ptr fs:[00000030h]3_2_1E3B0050
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3CF0BF mov ecx, dword ptr fs:[00000030h]3_2_1E3CF0BF
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3CF0BF mov eax, dword ptr fs:[00000030h]3_2_1E3CF0BF
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3CF0BF mov eax, dword ptr fs:[00000030h]3_2_1E3CF0BF
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E468CD6 mov eax, dword ptr fs:[00000030h]3_2_1E468CD6
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3D90AF mov eax, dword ptr fs:[00000030h]3_2_1E3D90AF
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E42B8D0 mov eax, dword ptr fs:[00000030h]3_2_1E42B8D0
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E42B8D0 mov ecx, dword ptr fs:[00000030h]3_2_1E42B8D0
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E42B8D0 mov eax, dword ptr fs:[00000030h]3_2_1E42B8D0
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E42B8D0 mov eax, dword ptr fs:[00000030h]3_2_1E42B8D0
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E42B8D0 mov eax, dword ptr fs:[00000030h]3_2_1E42B8D0
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E42B8D0 mov eax, dword ptr fs:[00000030h]3_2_1E42B8D0