
Analysis Report Cont-024.xls.exe

Overview

General Information

Sample Name: Cont-024.xls.exe
Analysis ID: 298053
MD5: 98ec62a875ec70797f2ea35d2ebfabaa
SHA1: 240e89e8a2499d8c2ba4770730d274b624eb2b12
SHA256: 3b6bd50cbfa7f874757c7d87f02efa24ab2b8bf1eaa18d0abbc3dfd25e2ecc15
Tags: exe, GuLoader

Most interesting Screenshot:

Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Uses netsh to modify the Windows network and firewall settings
Yara detected VB6 Downloader Generic
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Cont-024.xls.exe (PID: 6776 cmdline: 'C:\Users\user\Desktop\Cont-024.xls.exe' MD5: 98EC62A875EC70797F2EA35D2EBFABAA)
    • Cont-024.xls.exe (PID: 6996 cmdline: 'C:\Users\user\Desktop\Cont-024.xls.exe' MD5: 98EC62A875EC70797F2EA35D2EBFABAA)
      • explorer.exe (PID: 3292 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • netsh.exe (PID: 1348 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
          • cmd.exe (PID: 1404 cmdline: /c del 'C:\Users\user\Desktop\Cont-024.xls.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 2944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Each entry lists Source, Rule, Description, Author and the matched strings.

Source: 00000010.00000002.517481605.0000000003A0F000.00000004.00000001.sdmp
Rule: LokiBot_Dropper_Packed_R11_Feb18
Description: Auto-generated rule - file scan copy.pdf.r11
Author: Florian Roth
Strings:
  • 0x8ba4:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB

Source: 00000003.00000002.365236576.00000000000A0000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000003.00000002.365236576.00000000000A0000.00000040.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b2f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c2fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000003.00000002.365236576.00000000000A0000.00000040.00000001.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x183d9:$sqlite3step: 68 34 1C 7B E1
  • 0x184ec:$sqlite3step: 68 34 1C 7B E1
  • 0x18408:$sqlite3text: 68 38 2A 90 C5
  • 0x1852d:$sqlite3text: 68 38 2A 90 C5
  • 0x1841b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18543:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000003.00000002.365472152.0000000000560000.00000040.00000001.sdmp
Rule: JoeSecurity_GuLoader
Description: Yara detected GuLoader
Author: Joe Security

19 further entries are not shown.

Sigma Overview

System Summary:

Sigma detected: Suspicious Double Extension
Source: Process started | Author: Florian Roth (rule), @blu3_team (idea) | Data: Command: 'C:\Users\user\Desktop\Cont-024.xls.exe' , CommandLine: 'C:\Users\user\Desktop\Cont-024.xls.exe' , CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\Cont-024.xls.exe, NewProcessName: C:\Users\user\Desktop\Cont-024.xls.exe, OriginalFileName: C:\Users\user\Desktop\Cont-024.xls.exe, ParentCommandLine: 'C:\Users\user\Desktop\Cont-024.xls.exe' , ParentImage: C:\Users\user\Desktop\Cont-024.xls.exe, ParentProcessId: 6776, ProcessCommandLine: 'C:\Users\user\Desktop\Cont-024.xls.exe' , ProcessId: 6996

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Cont-024.xls.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: Cont-024.xls.exe | Virustotal: Detection: 34%
Source: Cont-024.xls.exe | ReversingLabs: Detection: 33%
Yara detected FormBook
Source: Yara match | File source: 00000003.00000002.365236576.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.370576629.000000001E140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.513869783.0000000002E40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.513794763.0000000002E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.512373719.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: 0.0.Cont-024.xls.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 3.0.Cont-024.xls.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 0.2.Cont-024.xls.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4x nop then pop ebx
Source: unknown | DNS traffic detected: queries for: onedrive.live.com
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000000C.00000000.344941106.0000000008C57000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.mi
Source: explorer.exe, 0000000C.00000000.344941106.0000000008C57000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.micr
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000C.00000000.337001983.0000000006870000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000C.00000000.346253925.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Cont-024.xls.exe, 00000003.00000002.365472152.0000000000560000.00000040.00000001.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=5E15857517F5B05A&resid=5E15857517F5B05A%21111&authkey=ALq-M7H
Source: Cont-024.xls.exe, 00000000.00000002.265763391.000000000071A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000003.00000002.365236576.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.370576629.000000001E140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.513869783.0000000002E40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.513794763.0000000002E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.512373719.00000000008D0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000010.00000002.517481605.0000000003A0F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000003.00000002.365236576.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.365236576.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.370576629.000000001E140000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.370576629.000000001E140000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.513869783.0000000002E40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.513869783.0000000002E40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.513794763.0000000002E10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.513794763.0000000002E10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.514108192.0000000002EB4000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000010.00000002.512373719.00000000008D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.512373719.00000000008D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_020D1029 NtSetInformationThread,NtWriteVirtualMemory,TerminateProcess,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_020D2EBE NtResumeThread,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_020D012F EnumWindows,NtSetInformationThread,TerminateProcess,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_020D2B6B NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_020D26C2 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_020D01B7 NtSetInformationThread,TerminateProcess,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_020D07B0 NtSetInformationThread,TerminateProcess,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9A10 NtQuerySection,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9650 NtQueryValueKey,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D96D0 NtCreateKey,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3DA710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9B00 NtSetValueKey,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9770 NtSetInformationFile,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3DA770 NtOpenThread,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9760 NtOpenProcess,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3DA3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9FE0 NtCreateMutant,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9820 NtEnumerateKey,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3DB040 NtSuspendThread,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3DAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9560 NtWriteFile,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D95F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3D99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_00562EBE NtSetInformationThread,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_00562B6B NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_0056047E NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_00561029 NtSetInformationThread,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_005601B7 NtSetInformationThread,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_005607B0 NtSetInformationThread,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_035496D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_035496E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_035495D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_035499A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0354A770 NtOpenThread,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549760 NtOpenProcess,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0354A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0354A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_035497A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549650 NtQueryValueKey,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549660 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549A10 NtQuerySection,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549A20 NtResumeThread,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549560 NtWriteFile,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0354AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_035499D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_035495F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0354B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03549820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_035498F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_035498A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_008E9DE0 NtReadFile,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_008E9D30 NtCreateFile,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_008E9E60 NtClose,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_008E9DDA NtReadFile,
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_008E9E2D NtReadFile,
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 0_2_00403B59
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3B6E30
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3CEBB0
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3A841F
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E451002
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3AB090
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E461D55
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E390D20
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3B4120
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E39F900
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: 3_2_1E3AD5E0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0353EBB0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03526E30
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_035D1D55
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0350F900
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03500D20
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_03524120
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0351D5E0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0351841F
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_035C1002
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_0351B090
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_008EEA89
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_008EE230
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_008EE58D
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_008D2D87
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_008D2D90
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_008EE590
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_008D9E2B
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_008D9E30
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 16_2_008D2FB0
Source: C:\Users\user\Desktop\Cont-024.xls.exe | Code function: String function: 1E39B150 appears 32 times
Source: C:\Windows\SysWOW64\netsh.exe | Code function: String function: 0350B150 appears 32 times
      Source: Cont-024.xls.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: Cont-024.xls.exe, 00000000.00000000.244493400.000000000040C000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameciscoscampuseslazi.exe vs Cont-024.xls.exe
      Source: Cont-024.xls.exe, 00000000.00000002.266327232.0000000002930000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameciscoscampuseslazi.exeFE2X vs Cont-024.xls.exe
      Source: Cont-024.xls.exe, 00000003.00000002.374376949.000000001E61F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Cont-024.xls.exe
      Source: Cont-024.xls.exe, 00000003.00000002.365403295.00000000000EC000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamenetsh.exej% vs Cont-024.xls.exe
      Source: Cont-024.xls.exe, 00000003.00000000.263140933.000000000040C000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameciscoscampuseslazi.exe vs Cont-024.xls.exe
      Source: Cont-024.xls.exe, 00000003.00000002.370414082.000000001DDA0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Cont-024.xls.exe
      Source: Cont-024.xls.exe, 00000003.00000002.370363970.000000001DC50000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemswsock.dll.muij% vs Cont-024.xls.exe
      Source: Cont-024.xls.exeBinary or memory string: OriginalFilenameciscoscampuseslazi.exe vs Cont-024.xls.exe
      Source: 00000010.00000002.517481605.0000000003A0F000.00000004.00000001.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000003.00000002.365236576.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000003.00000002.365236576.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000003.00000002.370576629.000000001E140000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000003.00000002.370576629.000000001E140000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000010.00000002.513869783.0000000002E40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000010.00000002.513869783.0000000002E40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000010.00000002.513794763.0000000002E10000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000010.00000002.513794763.0000000002E10000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000010.00000002.514108192.0000000002EB4000.00000004.00000020.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000010.00000002.512373719.00000000008D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000010.00000002.512373719.00000000008D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/0@4/1
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2944:120:WilError_01
      Source: C:\Users\user\Desktop\Cont-024.xls.exe File created: C:\Users\user~1\AppData\Local\Temp\~DFE28EB8CE67E796AA.TMP
      Source: Cont-024.xls.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\Cont-024.xls.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Users\user\Desktop\Cont-024.xls.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\Cont-024.xls.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\Cont-024.xls.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\Cont-024.xls.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\Cont-024.xls.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: Cont-024.xls.exeVirustotal: Detection: 34%
      Source: Cont-024.xls.exeReversingLabs: Detection: 33%
      Source: unknownProcess created: C:\Users\user\Desktop\Cont-024.xls.exe 'C:\Users\user\Desktop\Cont-024.xls.exe'
      Source: unknownProcess created: C:\Users\user\Desktop\Cont-024.xls.exe 'C:\Users\user\Desktop\Cont-024.xls.exe'
      Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
      Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Cont-024.xls.exe'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\Cont-024.xls.exeProcess created: C:\Users\user\Desktop\Cont-024.xls.exe 'C:\Users\user\Desktop\Cont-024.xls.exe'
      Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Cont-024.xls.exe'
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000C.00000000.347258325.000000000E8F0000.00000002.00000001.sdmp
      Source: Binary string: netsh.pdb source: Cont-024.xls.exe, 00000003.00000002.365351452.00000000000D0000.00000040.00000001.sdmp
      Source: Binary string: netsh.pdbGCTL source: Cont-024.xls.exe, 00000003.00000002.365351452.00000000000D0000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: Cont-024.xls.exe, 00000003.00000002.371157817.000000001E370000.00000040.00000001.sdmp, netsh.exe, 00000010.00000002.514552427.00000000034E0000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: Cont-024.xls.exe, netsh.exe
      Source: Binary string: wscui.pdb source: explorer.exe, 0000000C.00000000.347258325.000000000E8F0000.00000002.00000001.sdmp

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara matchFile source: 00000003.00000002.365472152.0000000000560000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: Cont-024.xls.exe PID: 6996, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: Cont-024.xls.exe PID: 6776, type: MEMORY
      Yara detected VB6 Downloader Generic
      Source: Yara matchFile source: Process Memory Space: Cont-024.xls.exe PID: 6996, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: Cont-024.xls.exe PID: 6776, type: MEMORY
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_00408048 push 00401144h; ret
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_0040805C push 00401144h; ret
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_00408070 push 00401144h; ret
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_00404A06 push edi; retf
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_0040800C push 00401144h; ret
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_00408020 push 00401144h; ret
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_00408034 push 00401144h; ret
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_004080C0 push 00401144h; ret
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_004060C4 push esp; retf
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_004080D4 push 00401144h; ret
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_004080E8 push 00401144h; ret
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_004080FC push 00401144h; ret
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_00408084 push 00401144h; ret
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_00407E8A push 00401144h; ret
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_00408098 push 00401144h; ret
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_004080AC push 00401144h; ret
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_0040814C push 00401144h; ret
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_00408160 push 00401144h; ret
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_00408174 push 00401144h; ret
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_00408110 push 00401144h; ret
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_00408124 push 00401144h; ret
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_00408138 push 00401144h; ret
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_00407FD0 push 00401144h; ret
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_00407FE4 push 00401144h; ret
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_00407DE8 push 00401144h; ret
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_00407FF8 push 00401144h; ret
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_00407F80 push 00401144h; ret
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_00408188 push 00401144h; ret
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_00407F94 push 00401144h; ret
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_0040819C push 00401144h; ret
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_00405FA2 push edi; retf

      Hooking and other Techniques for Hiding and Protection:

      Modifies the prolog of user mode functions (user mode inline hooks)
      Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x83 0x3E 0xE2
      Uses an obfuscated file name to hide its real file extension (double extension)
      Source: Possible double extension: xls.exeStatic PE information: Cont-024.xls.exe
      Source: C:\Users\user\Desktop\Cont-024.xls.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
      Source: C:\Users\user\Desktop\Cont-024.xls.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Cont-024.xls.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Cont-024.xls.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Cont-024.xls.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Cont-024.xls.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Cont-024.xls.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Cont-024.xls.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Cont-024.xls.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Cont-024.xls.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Detected RDTSC dummy instruction sequence (likely for instruction hammering)
      Source: C:\Users\user\Desktop\Cont-024.xls.exeRDTSC instruction interceptor: First address: 00000000020D2700 second address: 00000000020D2700 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FD238D1A0B8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f pop ecx 0x00000020 test al, al 0x00000022 cmp dx, bx 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007FD238D1A09Ch 0x0000002d push ecx 0x0000002e cmp al, dl 0x00000030 call 00007FD238D1A0CCh 0x00000035 call 00007FD238D1A0CAh 0x0000003a lfence 0x0000003d mov edx, dword ptr [7FFE0014h] 0x00000043 lfence 0x00000046 ret 0x00000047 mov esi, edx 0x00000049 pushad 0x0000004a rdtsc
      Tries to detect Any.run
      Source: C:\Users\user\Desktop\Cont-024.xls.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\Cont-024.xls.exeFile opened: C:\Program Files\qga\qga.exe
      Source: C:\Users\user\Desktop\Cont-024.xls.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\Cont-024.xls.exeFile opened: C:\Program Files\qga\qga.exe
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: Cont-024.xls.exeBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\Cont-024.xls.exeRDTSC instruction interceptor: First address: 00000000020D2700 second address: 00000000020D2700 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007FD238D1A0B8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f pop ecx 0x00000020 test al, al 0x00000022 cmp dx, bx 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007FD238D1A09Ch 0x0000002d push ecx 0x0000002e cmp al, dl 0x00000030 call 00007FD238D1A0CCh 0x00000035 call 00007FD238D1A0CAh 0x0000003a lfence 0x0000003d mov edx, dword ptr [7FFE0014h] 0x00000043 lfence 0x00000046 ret 0x00000047 mov esi, edx 0x00000049 pushad 0x0000004a rdtsc
      Source: C:\Users\user\Desktop\Cont-024.xls.exeRDTSC instruction interceptor: First address: 00000000020D2722 second address: 00000000020D2722 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FD238D1A0E3h 0x0000001f popad 0x00000020 call 00007FD238D19FCAh 0x00000025 lfence 0x00000028 rdtsc
      Source: C:\Users\user\Desktop\Cont-024.xls.exeRDTSC instruction interceptor: First address: 0000000000562722 second address: 0000000000562722 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FD238D1A233h 0x0000001f popad 0x00000020 call 00007FD238D1A11Ah 0x00000025 lfence 0x00000028 rdtsc
      Source: C:\Users\user\Desktop\Cont-024.xls.exeRDTSC instruction interceptor: First address: 0000000000560C89 second address: 0000000000560CBF instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp dh, ch 0x00000005 mov ecx, dword ptr [edi+00000808h] 0x0000000b jmp 00007FD238D19F69h 0x0000000d mov dword ptr [eax+20h], ecx 0x00000010 test dh, dh 0x00000012 mov esi, dword ptr [edi+00000800h] 0x00000018 test cx, dx 0x0000001b mov dword ptr [eax+18h], esi 0x0000001e test eax, ebx 0x00000020 add esi, dword ptr [edi+00000850h] 0x00000026 mov dword ptr [eax+1Ch], esi 0x00000029 pushad 0x0000002a mov edi, 00000009h 0x0000002f rdtsc
      Source: C:\Users\user\Desktop\Cont-024.xls.exeRDTSC instruction interceptor: First address: 0000000000560CBF second address: 0000000000560CF1 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp dh, ch 0x00000005 cmp dword ptr [ebp+70h], 01h 0x00000009 je 00007FD238D1A16Dh 0x0000000f mov esi, edi 0x00000011 add esi, 00001000h 0x00000017 xor ecx, ecx 0x00000019 test dl, cl 0x0000001b push ecx 0x0000001c test dh, dh 0x0000001e push edi 0x0000001f test cx, dx 0x00000022 test eax, ebx 0x00000024 mov eax, ebp 0x00000026 add eax, 0000009Ch 0x0000002b push eax 0x0000002c pushad 0x0000002d mov edi, 00000094h 0x00000032 rdtsc
      Source: C:\Users\user\Desktop\Cont-024.xls.exeRDTSC instruction interceptor: First address: 0000000000560D7F second address: 0000000000560D9F instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp dh, ch 0x00000005 pop edi 0x00000006 test dl, cl 0x00000008 cmp dword ptr [ebp+70h], 01h 0x0000000c jne 00007FD238D19F6Ch 0x0000000e test eax, ebx 0x00000010 pushad 0x00000011 mov edi, 00000088h 0x00000016 rdtsc
      Source: C:\Users\user\Desktop\Cont-024.xls.exeRDTSC instruction interceptor: First address: 0000000000560D9F second address: 0000000000560DD6 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp dh, ch 0x00000005 mov eax, dword ptr [edi+00000850h] 0x0000000b add eax, dword ptr [edi+00000800h] 0x00000011 jmp 00007FD238D1C2B1h 0x00000016 call 00007FD238D17EB4h 0x0000001b pop edx 0x0000001c test dl, cl 0x0000001e mov dword ptr [edx+01h], eax 0x00000021 test dh, dh 0x00000023 mov ecx, dword ptr [ebp+000000ACh] 0x00000029 test cx, dx 0x0000002c mov esi, dword ptr [ebp+20h] 0x0000002f test eax, ebx 0x00000031 dec ecx 0x00000032 mov byte ptr [esi+ecx], 00000000h 0x00000036 pushad 0x00000037 mov edi, 000000ECh 0x0000003c rdtsc
      Source: C:\Users\user\Desktop\Cont-024.xls.exeRDTSC instruction interceptor: First address: 0000000000560DD6 second address: 0000000000560DD6 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp ecx, 00000000h 0x00000006 jne 00007FD238D19F4Fh 0x00000008 dec ecx 0x00000009 mov byte ptr [esi+ecx], 00000000h 0x0000000d pushad 0x0000000e mov edi, 000000ECh 0x00000013 rdtsc
      Source: C:\Users\user\Desktop\Cont-024.xls.exeRDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\Cont-024.xls.exeRDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\netsh.exeRDTSC instruction interceptor: First address: 00000000008D98E4 second address: 00000000008D98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\netsh.exeRDTSC instruction interceptor: First address: 00000000008D9B4E second address: 00000000008D9B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_020D0C5D rdtsc
      Source: C:\Windows\explorer.exe TID: 3804Thread sleep time: -44000s >= -30000s
      Source: C:\Windows\SysWOW64\netsh.exe TID: 1344Thread sleep time: -35000s >= -30000s
      Source: C:\Windows\explorer.exeLast function: Thread delayed
      Source: C:\Windows\explorer.exeLast function: Thread delayed
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: explorer.exe, 0000000C.00000000.344255275.0000000008A32000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00dRom0
      Source: explorer.exe, 0000000C.00000000.344255275.0000000008A32000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
      Source: Cont-024.xls.exe, 00000000.00000002.266473926.00000000038CA000.00000004.00000001.sdmp, Cont-024.xls.exe, 00000003.00000002.366694123.000000000241A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Remote Desktop Virtualization Service
      Source: explorer.exe, 0000000C.00000000.336260819.00000000059C0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: Cont-024.xls.exe, 00000000.00000002.266473926.00000000038CA000.00000004.00000001.sdmp, Cont-024.xls.exe, 00000003.00000002.366694123.000000000241A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Volume Shadow Copy Requestor
      Source: explorer.exe, 0000000C.00000000.344585647.0000000008B88000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
      Source: Cont-024.xls.exe, 00000000.00000002.266473926.00000000038CA000.00000004.00000001.sdmp, Cont-024.xls.exe, 00000003.00000002.366694123.000000000241A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Time Synchronization Service
      Source: explorer.exe, 0000000C.00000000.344441869.0000000008ACF000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
      Source: Cont-024.xls.exeBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: explorer.exe, 0000000C.00000000.336260819.00000000059C0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: Cont-024.xls.exe, 00000000.00000002.266473926.00000000038CA000.00000004.00000001.sdmp, Cont-024.xls.exe, 00000003.00000002.366694123.000000000241A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Heartbeat Service
      Source: Cont-024.xls.exe, 00000000.00000002.266473926.00000000038CA000.00000004.00000001.sdmp, Cont-024.xls.exe, 00000003.00000002.366694123.000000000241A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Guest Shutdown Service
      Source: explorer.exe, 0000000C.00000000.344585647.0000000008B88000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: Cont-024.xls.exe, 00000003.00000002.366694123.000000000241A000.00000004.00000001.sdmpBinary or memory string: vmicshutdown
      Source: explorer.exe, 0000000C.00000002.530285921.00000000048E0000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: Cont-024.xls.exe, 00000000.00000002.266473926.00000000038CA000.00000004.00000001.sdmp, Cont-024.xls.exe, 00000003.00000002.366694123.000000000241A000.00000004.00000001.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
      Source: explorer.exe, 0000000C.00000000.344585647.0000000008B88000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
      Source: explorer.exe, 0000000C.00000000.344441869.0000000008ACF000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
      Source: Cont-024.xls.exe, 00000003.00000002.366694123.000000000241A000.00000004.00000001.sdmpBinary or memory string: vmicvss
      Source: explorer.exe, 0000000C.00000000.337180197.00000000069DA000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD002
      Source: explorer.exe, 0000000C.00000000.336260819.00000000059C0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: Cont-024.xls.exe, 00000000.00000002.266473926.00000000038CA000.00000004.00000001.sdmp, Cont-024.xls.exe, 00000003.00000002.366694123.000000000241A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Data Exchange Service
      Source: Cont-024.xls.exe, 00000000.00000002.266473926.00000000038CA000.00000004.00000001.sdmp, Cont-024.xls.exe, 00000003.00000002.366694123.000000000241A000.00000004.00000001.sdmpBinary or memory string: Hyper-V Guest Service Interface
      Source: Cont-024.xls.exe, 00000003.00000002.366694123.000000000241A000.00000004.00000001.sdmpBinary or memory string: vmicheartbeat
      Source: explorer.exe, 0000000C.00000000.336260819.00000000059C0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\Cont-024.xls.exeProcess information queried: ProcessInformation

      Anti Debugging:

      Hides threads from debuggers
      Source: C:\Users\user\Desktop\Cont-024.xls.exeThread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\Cont-024.xls.exeThread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\Cont-024.xls.exeThread information set: HideFromDebugger
      Source: C:\Users\user\Desktop\Cont-024.xls.exeProcess queried: DebugPort
      Source: C:\Users\user\Desktop\Cont-024.xls.exeProcess queried: DebugPort
      Source: C:\Users\user\Desktop\Cont-024.xls.exeProcess queried: DebugPort
      Source: C:\Windows\SysWOW64\netsh.exeProcess queried: DebugPort
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_020D0C5D rdtsc
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_020D1D10 LdrInitializeThunk,
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_020D14AE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_020D28F2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_020D2371 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_020D25AC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_020D09B8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 0_2_020D0DB5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E424257 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E39E620 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E44B260 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E44B260 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E468A62 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3B3A1C mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E39C600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E39C600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E39C600 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3D927A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3BAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3BAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3BAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3BAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3BAE73 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3A766D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E399240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E399240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E399240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E399240 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E44FE3F mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3A7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3A7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3A7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3A7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3A7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3A7E41 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E44FEC0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3AAAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3AAAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3CFAB0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E468ED6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3952A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3952A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3952A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3952A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3952A5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3CD294 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3CD294 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E42FE87 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3A76E2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3C16E0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E460EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E460EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E460EA5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E4146A7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3C36CC mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\Cont-024.xls.exeCode function: 3_2_1E3D8EC7 mov eax, dword ptr fs:[00000030h]