Windows Analysis Report
SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe

Overview

General Information

Sample name: SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe
Analysis ID: 1429050
MD5: cc32b562c4288cf37e43c3035aed3621
SHA1: b0ec7f6d4bc40442b105658e9101a9ae8f687b76
SHA256: fdfb3b626e16bfc9bd0eb8b77f67f7f9ba533884aff01379086b2038d9c6dd5d
Tags: exe

Detection

Score: 3
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)
Detected potential crypto function
Enables debug privileges
Potential time zone aware malware
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
  • System is w10x64
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

There are no malicious signatures.

Source: SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Static PE information: certificate valid
Source: SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\_External\ExcelDna\Source\ExcelDna\x64\Release\ExcelDna64.pdb source: FormulaDesk Math 64.xll
Source: Binary string: D:\Projects\Slyce\excel-add-ins\Installer\SmartAssembly\Output\FormulaDesk.Installer.pdb source: SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe
Source: Binary string: D:\Projects\_External\ExcelDna\Source\ExcelDna\Release\ExcelDna.pdb source: FormulaDesk Math 32.xll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Code function: 0_2_00007FFD9B883560 | 0_2_00007FFD9B883560
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Code function: 0_2_00007FFD9B8864F6 | 0_2_00007FFD9B8864F6
Source: SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, 00000000.00000000.1714347814.0000000000D16000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameFormulaDesk.Installer.exeL vs SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe
Source: SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, 00000000.00000002.2970326644.00000000030E1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameriched20.dllp( vs SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe
Source: SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, 00000000.00000002.2970326644.00000000030E1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe
Source: SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, 00000000.00000002.2970326644.00000000030E1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ,\\StringFileInfo\\000004B0\\OriginalFilename vs SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe
Source: SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Binary or memory string: OriginalFilenameFormulaDesk.Installer.exeL vs SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe
Source: SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, --.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: clean3.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Mutant created: NULL
Source: SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | String found in binary or memory: WelcomeScreen#SmartAssembly.exe+/AddExceptionReport "
Source: SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | String found in binary or memory: D:\Projects\Slyce\excel-add-ins\Installer\SmartAssembly\Output\FormulaDesk.Installer.pdb
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\11.0\Excel\InstallRoot
Source: SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Static PE information: certificate valid
Source: SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Static file information: File size 5543648 > 1048576
Source: SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x543000
Source: SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\_External\ExcelDna\Source\ExcelDna\x64\Release\ExcelDna64.pdb source: FormulaDesk Math 64.xll
Source: Binary string: D:\Projects\Slyce\excel-add-ins\Installer\SmartAssembly\Output\FormulaDesk.Installer.pdb source: SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe
Source: Binary string: D:\Projects\_External\ExcelDna\Source\ExcelDna\Release\ExcelDna.pdb source: FormulaDesk Math 32.xll
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Code function: 0_2_00007FFD9B889DA7 push edx; iretd | 0_2_00007FFD9B889DBB
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Memory allocated: 1240000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Memory allocated: 1B0E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | System information queried: CurrentTimeZoneInformation
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Process token adjusted: Debug
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
MITRE ATT&CK matrix (techniques listed per tactic; a leading number is the count of matched signatures shown in the report for that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: 2 Command and Scripting Interpreter; Scheduled Task/Job; At; Cron; Launchd
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: 1 Virtualization/Sandbox Evasion; 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 DLL Side-Loading; 1 Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: 1 System Time Discovery; 1 Virtualization/Sandbox Evasion; 1 File and Directory Discovery; 13 System Information Discovery; Internet Connection Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Antivirus detection for the sample

Source | Detection | Scanner | Label
SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | 6% | ReversingLabs |
SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | 1% | Virustotal |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Antivirus detection for URLs

Source | Detection | Scanner | Label
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.smartassembly.com/webservices/Reporting/ | 0% | Virustotal |
http://www.slyce.com | 0% | Virustotal |
https://www.formuladesk.com/email-signup/ | 0% | Virustotal |
http://www.founder.com.cn/cn/cThe | 0% | Virustotal |
http://www.founder.com.cn/cn | 0% | Virustotal |
http://www.smartassembly.com/webservices/Reporting/UploadReport2 | 0% | Virustotal |
http://www.smartassembly.com/webservices/UploadReportLogin/GetServerURL | 0% | Virustotal |
https://www.formuladesk.com/logevent.html | 0% | Virustotal |
http://www.founder.com.cn/cn/bThe | 0% | Virustotal |
https://www.formuladesk.com/update/index.html?version=%Security | 0% | Virustotal |
http://www.smartassembly.com/webservices/UploadReportLogin/ | 0% | Virustotal |
http://www.zhongyicts.com.cn | 1% | Virustotal |
No contacted domains info
URLs found in memory and strings

Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0 | SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, FormulaDesk Math 32.xll, FormulaDesk Math 64.xll | false | URL Reputation: safe | unknown
http://www.slyce.com | SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | false | | unknown
http://www.apache.org/licenses/LICENSE-2.0 | SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, 00000000.00000002.2972183197.000000001CE32000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, 00000000.00000002.2972183197.000000001CE32000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, 00000000.00000002.2972183197.000000001CE32000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://sectigo.com/CPS0 | SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, FormulaDesk Math 32.xll, FormulaDesk Math 64.xll | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, 00000000.00000002.2972183197.000000001CE32000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, 00000000.00000002.2972183197.000000001CE32000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, FormulaDesk Math 32.xll, FormulaDesk Math 64.xll | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, FormulaDesk Math 32.xll, FormulaDesk Math 64.xll | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, 00000000.00000002.2972183197.000000001CE32000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0# | SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, FormulaDesk Math 32.xll, FormulaDesk Math 64.xll | false | URL Reputation: safe | unknown
http://sawebservice.red-gate.com/ | SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | false | | high
http://www.smartassembly.com/webservices/Reporting/UploadReport2 | SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | false | | unknown
https://www.formuladesk.com/email-signup/ | SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | false | | unknown
http://www.red-gate.com/products/dotnet-development/smartassembly/?utm_source=smartassemblyui&utm_me | SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | false | | high
http://www.tiro.com | SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, 00000000.00000002.2972183197.000000001CE32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, 00000000.00000002.2972183197.000000001CE32000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.smartassembly.com/webservices/Reporting/ | SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | false | | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, FormulaDesk Math 32.xll, FormulaDesk Math 64.xll | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, 00000000.00000002.2972183197.000000001CE32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.smartassembly.com/webservices/UploadReportLogin/GetServerURL | SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe | false | | unknown
http://ocsp.sectigo.com0% | SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, FormulaDesk Math 32.xll, FormulaDesk Math 64.xll | false | | low
http://www.carterandcone.coml | SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, 00000000.00000002.2972183197.000000001CE32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, 00000000.00000002.2972183197.000000001CE32000.00000004.00000800.00020000.00000000.sdmp | false |
                    • URL Reputation: safe
                    unknown
                    http://www.typography.netDSecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, 00000000.00000002.2972183197.000000001CE32000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    http://www.fontbureau.com/designers/cabarga.htmlNSecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, 00000000.00000002.2972183197.000000001CE32000.00000004.00000800.00020000.00000000.sdmpfalse
                      high
                      http://www.founder.com.cn/cn/cTheSecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, 00000000.00000002.2972183197.000000001CE32000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                      http://www.galapagosdesign.com/staff/dennis.htmSecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, 00000000.00000002.2972183197.000000001CE32000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.founder.com.cn/cnSecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, 00000000.00000002.2972183197.000000001CE32000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                      http://www.fontbureau.com/designers/frere-user.htmlSecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, 00000000.00000002.2972183197.000000001CE32000.00000004.00000800.00020000.00000000.sdmpfalse
                        high
                        https://www.formuladesk.com/update/index.html?version=%SecuritySecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exefalseunknown
                        http://www.jiyu-kobo.co.jp/SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, 00000000.00000002.2972183197.000000001CE32000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://www.galapagosdesign.com/DPleaseSecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, 00000000.00000002.2972183197.000000001CE32000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        https://www.formuladesk.com/logevent.htmlSecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exefalseunknown
                        http://www.fontbureau.com/designers8SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, 00000000.00000002.2972183197.000000001CE32000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          http://www.fonts.comSecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, 00000000.00000002.2972183197.000000001CE32000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            http://www.sandoll.co.krSecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, 00000000.00000002.2972183197.000000001CE32000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.urwpp.deDPleaseSecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, 00000000.00000002.2972183197.000000001CE32000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.zhongyicts.com.cnSecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, 00000000.00000002.2972183197.000000001CE32000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameSecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, 00000000.00000002.2970326644.00000000030E1000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              http://www.sakkal.comSecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe, 00000000.00000002.2972183197.000000001CE32000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.smartassembly.com/webservices/UploadReportLogin/SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exefalseunknown
                              No contacted IP infos
                              Joe Sandbox version:40.0.0 Tourmaline
                              Analysis ID:1429050
                              Start date and time:2024-04-20 12:26:12 +02:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 4m 41s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe
                              Detection:CLEAN
                              Classification:clean3.winEXE@1/0@0/0
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 99%
                              • Number of executed functions: 3
                              • Number of non-executed functions: 0
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                              • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                              No simulations
                              No context
                              No created / dropped files found
                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):7.8865578236328
                              TrID:
                              • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                              • Win32 Executable (generic) a (10002005/4) 49.93%
                              • Windows Screen Saver (13104/52) 0.07%
                              • Generic Win/DOS Executable (2004/3) 0.01%
                              • DOS Executable Generic (2002/1) 0.01%
                              File name:SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe
                              File size:5'543'648 bytes
                              MD5:cc32b562c4288cf37e43c3035aed3621
                              SHA1:b0ec7f6d4bc40442b105658e9101a9ae8f687b76
                              SHA256:fdfb3b626e16bfc9bd0eb8b77f67f7f9ba533884aff01379086b2038d9c6dd5d
                              SHA512:c21786b4a58b6adcc0c80cbde3da3cabf999a4d152dc0ec9215de3dc596875fe1a5474dc4c1c9904de211bb8349b5dacedd28dfa8a8ce1f10e1784973dd226e5
                              SSDEEP:98304:mQGH4t2VrMcPUTwE2/dLx1YIx7+RONCfAR3csZUv0UOD2YvFPYPQ:mPHq2tMpsEgKw+RONCAFczsUQc4
                              TLSH:3446F1E4DC2CC6C9F776657A1604C2840AF09C01B105BAA7766074B6D9F93C189BEFAF
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v6.b.................0T..........NT.. ...`T...@.. ........................T.......T...@................................
                              Icon Hash:90cececece8e8eb0
                              Entrypoint:0x944eb5
                              Entrypoint Section:.text
                              Digitally signed:true
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                              Time Stamp:0x62BF3676 [Fri Jul 1 18:01:26 2022 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                              Signature Valid:true
                              Signature Issuer:CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
                              Signature Validation Error:The operation completed successfully
                              Error Number:0
Not Before:17/01/2022 00:00:00
Not After:17/01/2023 23:59:59
                              Subject Chain
                              • CN=Slyce Software Limited, O=Slyce Software Limited, S=Auckland, C=NZ, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=NZ, SERIALNUMBER=1588096
                              Version:3
                              Thumbprint MD5:1EE053DC08A740BE8AC4B703B472C355
                              Thumbprint SHA-1:E3295E0A331FD9C51FC6B7C47D6C7C0221E8DE24
                              Thumbprint SHA-256:5721A9DF3BC26524CD303EFCD5626982EB2B6EAE45DD29EDA1DA212AFBB17DA0
                              Serial:49EDC66875B85CB50BA82C723F8004BE
Instruction
jmp dword ptr [00402000h]
(the remaining entrypoint bytes are zero padding, which the disassembler renders as repeated add byte ptr [eax], al)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x544e6b         0x4a          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x546000         0x634         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x543c00         0x5ae0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x548000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x544dde         0x8d          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity  File Type  Entropy              Characteristics
.text   0x2000           0x542ebb      0x543000  5999f5eb82c6b427e6c5e0014a589115  unknown   unknown          unknown    unknown              IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x546000         0x634         0x800     0a820dcd933ec4bd53135afdd74a2de9  False     0.33642578125    data       3.5305761817613943   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x548000         0xc           0x200     5c99867a79c0e15ff9f4e05ac8eeaee2  False     0.044921875      data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA       Size   Type                                                                               Language  Country  ZLIB Complexity
RT_VERSION   0x54605c  0x3b2  data                                                                                                   0.3974630021141649
RT_MANIFEST  0x54644a  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                      0.5489795918367347
DLL          Import
mscoree.dll  _CorExeMain
                              No network behavior found

                              Target ID:0
                              Start time:12:27:07
                              Start date:20/04/2024
                              Path:C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.PUA.MSIL.Exceldna.15523.25242.exe"
                              Imagebase:0x7d0000
                              File size:5'543'648 bytes
                              MD5 hash:CC32B562C4288CF37E43C3035AED3621
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:low
                              Has exited:false

                                Execution Graph

                                Execution Coverage:18.3%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:4
                                Total number of Limit Nodes:0
                                execution_graph 4632 7ffd9b881a89 4633 7ffd9b881aab 4632->4633 4634 7ffd9b881b42 SetProcessWorkingSetSizeEx 4633->4634 4635 7ffd9b881b81 4634->4635

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2973566162.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b880000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID: 6__H
                                • API String ID: 0-3602946517
                                • Opcode ID: 68557fa2755f7b1a1c884887de2e94d6ddff7f174911edbd09dc6090452c8fa6
                                • Instruction ID: 32f7eab3e44a92453dfe605a4ac734b239b756afd8439bff3dfd6d388be4299f
                                • Opcode Fuzzy Hash: 68557fa2755f7b1a1c884887de2e94d6ddff7f174911edbd09dc6090452c8fa6
                                • Instruction Fuzzy Hash: A502AF72B09E4D8FEBA4EF5CC49866933E2FF98301B114579E41DC72A6DA35E9428B40
Uniqueness Score: -1.00%

Control-flow Graph
                                Memory Dump Source
                                • Source File: 00000000.00000002.2973566162.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b880000_SecuriteInfo.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 852a87fa0fc1cc6fcfe78ad3537881b897a3acc194e8b0773de554f416cf442c
                                • Instruction ID: 05172dc9064808c575c951dea35cb4fc68bc959072e79bab241e1a3c6b144eca
                                • Opcode Fuzzy Hash: 852a87fa0fc1cc6fcfe78ad3537881b897a3acc194e8b0773de554f416cf442c
                                • Instruction Fuzzy Hash: 2E620070B0991D8FEBA9EB58C464BA873A2FF9C304F5541F9D01DD7296CE35A982CB40
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Control-flow Graph

                                Memory Dump Source
                                • Source File: 00000000.00000002.2973566162.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b880000_SecuriteInfo.jbxd
                                Similarity
                                • API ID: ProcessSizeWorking
                                • String ID:
                                • API String ID: 3584180929-0
                                • Opcode ID: 7c87e7d4c4b1dc1470a5368b92159100d28ab214e7f7fdbaaed7aca4894dd578
                                • Instruction ID: 927310dbc0fc175e3d50dacace642fbc642ceb4e9d3741d08d665ea6923b964f
                                • Opcode Fuzzy Hash: 7c87e7d4c4b1dc1470a5368b92159100d28ab214e7f7fdbaaed7aca4894dd578
                                • Instruction Fuzzy Hash: 5141083090DB8C8FD719EB68D8566E97BF0EF5A311F0401AFD089C71A3D724A806C751
Uniqueness Score: -1.00%