Windows Analysis Report
j7aM8mK3Sy.exe

Overview

General Information

Sample name: j7aM8mK3Sy.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name: 8a9cb85dae3d934c56baa4f7816bae014e4544186780bbc915751da1a4d3a4d5
Analysis ID: 1431878
MD5: 12c85ae7f3a9e483badcdf47da5b2f27
SHA1: ca6d20208934062f01c584e25983d5da1f6bf18f
SHA256: 8a9cb85dae3d934c56baa4f7816bae014e4544186780bbc915751da1a4d3a4d5
Infos:

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\DatePicker.xll ReversingLabs: Detection: 26%
Source: j7aM8mK3Sy.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: DatePicker.pdbh source: j7aM8mK3Sy.exe
Source: Binary string: DatePicker.pdb source: j7aM8mK3Sy.exe
Source: Binary string: C:\Work\Excel-DNA\ExcelDna\Source\ExcelDna\x64\Release\ExcelDna64.pdb source: j7aM8mK3Sy.exe, 00000000.00000002.4108011561.0000000007800000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Work\Excel-DNA\ExcelDna\Source\ExcelDna\Release\ExcelDna.pdb source: j7aM8mK3Sy.exe, 00000000.00000002.4108011561.0000000007800000.00000004.08000000.00040000.00000000.sdmp, DatePicker.xll.0.dr
Source: j7aM8mK3Sy.exe, 00000000.00000002.4108011561.0000000007800000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://blogs.msdn.com/excel/archive/2007/08/01/sam-radakovitz-on-date-pickers.aspx
Source: j7aM8mK3Sy.exe, 00000000.00000002.4108011561.0000000007800000.00000004.08000000.00040000.00000000.sdmp, DatePicker.xll.0.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: j7aM8mK3Sy.exe, 00000000.00000002.4108011561.0000000007800000.00000004.08000000.00040000.00000000.sdmp, DatePicker.xll.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: j7aM8mK3Sy.exe, 00000000.00000002.4108011561.0000000007800000.00000004.08000000.00040000.00000000.sdmp, DatePicker.xll.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: j7aM8mK3Sy.exe, 00000000.00000002.4108011561.0000000007800000.00000004.08000000.00040000.00000000.sdmp, DatePicker.xll.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: j7aM8mK3Sy.exe, 00000000.00000002.4108011561.0000000007800000.00000004.08000000.00040000.00000000.sdmp, DatePicker.xll.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: j7aM8mK3Sy.exe, 00000000.00000002.4108011561.0000000007800000.00000004.08000000.00040000.00000000.sdmp, DatePicker.xll.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: j7aM8mK3Sy.exe, 00000000.00000002.4108011561.0000000007800000.00000004.08000000.00040000.00000000.sdmp, DatePicker.xll.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: j7aM8mK3Sy.exe, 00000000.00000002.4108011561.0000000007800000.00000004.08000000.00040000.00000000.sdmp, DatePicker.xll.0.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: DatePicker.xll.0.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: j7aM8mK3Sy.exe, 00000000.00000002.4108011561.0000000007800000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://pop-up-excel-calendar.billing-invoice-software-office-kit-com.qarchive.org/
Source: j7aM8mK3Sy.exe, 00000000.00000002.4108011561.0000000007800000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://www.codeproject.com/Articles/39204/gTimePicker-Control-to-Pick-a-Time-Value-VB-NET
Source: j7aM8mK3Sy.exe, 00000000.00000002.4108011561.0000000007800000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://www.cpearson.com/excel/WeekNumbers.aspx
Source: j7aM8mK3Sy.exe, 00000000.00000002.4108011561.0000000007800000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://www.fontstuff.com/excel/exltut02.htm
Source: j7aM8mK3Sy.exe, 00000000.00000002.4108011561.0000000007800000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://www.fontstuff.com/excel/exltut03.htm
Source: j7aM8mK3Sy.exe, 00000000.00000002.4108011561.0000000007800000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://www.quepublishing.com/articles/article.aspx?p=2067634
Source: j7aM8mK3Sy.exe, 00000000.00000002.4108011561.0000000007800000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://www.windowsdevcenter.com/pub/a/windows/2004/04/27/excelhacks.html
Source: j7aM8mK3Sy.exe, 00000000.00000002.4108011561.0000000007800000.00000004.08000000.00040000.00000000.sdmp, DatePicker.xll.0.dr String found in binary or memory: https://sectigo.com/CPS0
Source: j7aM8mK3Sy.exe String found in binary or memory: https://stackoverflow.com/questions/43537990/wpf-clickonce-dpi-awareness-per-monitor-v2--
Source: j7aM8mK3Sy.exe, 00000000.00000002.4106273901.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.BoostExcel.com/contact.html
Source: j7aM8mK3Sy.exe, 00000000.00000002.4106273901.0000000002C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.BoostExcel.com/date-picker/
Source: j7aM8mK3Sy.exe, DatePicker.xll.0.dr String found in binary or memory: https://www.boostexcel.com/
Source: j7aM8mK3Sy.exe, 00000000.00000002.4108011561.0000000007800000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.codeproject.com/Articles/45684/Culture-Aware-Month-Calendar-and-Datepicker

System Summary

Source: j7aM8mK3Sy.exe, -Module-.cs Large array initialization: _206C_206E_206C_202B_202E_206A_206C_200B_200B_200F_206E_206B_206A_206E_206C_206E_202B_206D_202C_202B_206E_202A_200E_202A_200C_206A_206F_202D_200F_202E_202A_206E_200C_200E_206F_200B_206B_202D_200C_202C_202E: array initializer size 477056
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F253B8 0_2_00F253B8
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F2F388 0_2_00F2F388
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F20899 0_2_00F20899
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F2F858 0_2_00F2F858
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F21C20 0_2_00F21C20
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F24DF8 0_2_00F24DF8
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F27D90 0_2_00F27D90
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F29E20 0_2_00F29E20
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F210EC 0_2_00F210EC
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F211C2 0_2_00F211C2
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F251C8 0_2_00F251C8
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F21111 0_2_00F21111
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F2B2E8 0_2_00F2B2E8
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F2B2D3 0_2_00F2B2D3
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F212AB 0_2_00F212AB
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F24280 0_2_00F24280
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F21279 0_2_00F21279
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F27260 0_2_00F27260
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F27250 0_2_00F27250
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F2123C 0_2_00F2123C
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F243A1 0_2_00F243A1
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F2135D 0_2_00F2135D
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F2F326 0_2_00F2F326
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F21308 0_2_00F21308
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F215FC 0_2_00F215FC
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F215DC 0_2_00F215DC
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F21590 0_2_00F21590
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F29580 0_2_00F29580
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F29570 0_2_00F29570
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F216A4 0_2_00F216A4
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F21684 0_2_00F21684
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F21660 0_2_00F21660
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F24628 0_2_00F24628
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F277E0 0_2_00F277E0
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F277DD 0_2_00F277DD
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F25768 0_2_00F25768
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F25758 0_2_00F25758
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F288D0 0_2_00F288D0
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F238A0 0_2_00F238A0
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F2A818 0_2_00F2A818
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F2A809 0_2_00F2A809
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F209F8 0_2_00F209F8
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F269F8 0_2_00F269F8
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F20958 0_2_00F20958
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F20A63 0_2_00F20A63
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F24A20 0_2_00F24A20
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F24A11 0_2_00F24A11
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F21BA1 0_2_00F21BA1
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F28CD0 0_2_00F28CD0
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F29DE8 0_2_00F29DE8
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F24DE9 0_2_00F24DE9
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F2CDDB 0_2_00F2CDDB
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F20DBC 0_2_00F20DBC
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F27D81 0_2_00F27D81
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F20EA7 0_2_00F20EA7
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F2EE59 0_2_00F2EE59
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F26E30 0_2_00F26E30
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F26E20 0_2_00F26E20
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F20FA2 0_2_00F20FA2
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_00F20F47 0_2_00F20F47
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_052304E1 0_2_052304E1
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_0523E7E0 0_2_0523E7E0
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_0523C35A 0_2_0523C35A
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_05237810 0_2_05237810
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_0523DBE4 0_2_0523DBE4
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_0523D7B5 0_2_0523D7B5
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_0523E7D1 0_2_0523E7D1
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_05234068 0_2_05234068
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_0523DDED 0_2_0523DDED
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_0523DC5D 0_2_0523DC5D
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_0523DCE7 0_2_0523DCE7
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_05233FFE 0_2_05233FFE
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_0D7E1820 0_2_0D7E1820
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_0D7E22D0 0_2_0D7E22D0
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_0D7E22C0 0_2_0D7E22C0
Source: DatePicker.xll.0.dr Static PE information: Resource name: RT_STRING type: PDP-11 demand-paged pure executable not stripped
Source: j7aM8mK3Sy.exe, 00000000.00000002.4105695574.000000000105E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs j7aM8mK3Sy.exe
Source: j7aM8mK3Sy.exe, 00000000.00000000.1654066492.00000000008C7000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameDatePicker.exe6 vs j7aM8mK3Sy.exe
Source: j7aM8mK3Sy.exe, 00000000.00000002.4108011561.0000000007800000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameExcelDna.xll~/ vs j7aM8mK3Sy.exe
Source: j7aM8mK3Sy.exe, 00000000.00000002.4106273901.0000000002C91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs j7aM8mK3Sy.exe
Source: j7aM8mK3Sy.exe Binary or memory string: OriginalFilenameDatePicker.exe6 vs j7aM8mK3Sy.exe
Source: classification engine Classification label: mal56.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe File created: C:\Users\user\AppData\Roaming\BoostExcel
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Mutant created: NULL
Source: j7aM8mK3Sy.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: j7aM8mK3Sy.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: d3d9.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: uiautomationcore.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: msctfui.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: windows.applicationmodel.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: windows.applicationmodel.store.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: webservices.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: windows.web.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Section loaded: d3dcompiler_47.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Excel\Addins\OKEXLCAL.Connect
Source: j7aM8mK3Sy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: j7aM8mK3Sy.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: j7aM8mK3Sy.exe Static file information: File size 2270208 > 1048576
Source: j7aM8mK3Sy.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x204a00
Source: j7aM8mK3Sy.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: j7aM8mK3Sy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: DatePicker.pdbh source: j7aM8mK3Sy.exe
Source: Binary string: DatePicker.pdb source: j7aM8mK3Sy.exe
Source: Binary string: C:\Work\Excel-DNA\ExcelDna\Source\ExcelDna\x64\Release\ExcelDna64.pdb source: j7aM8mK3Sy.exe, 00000000.00000002.4108011561.0000000007800000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Work\Excel-DNA\ExcelDna\Source\ExcelDna\Release\ExcelDna.pdb source: j7aM8mK3Sy.exe, 00000000.00000002.4108011561.0000000007800000.00000004.08000000.00040000.00000000.sdmp, DatePicker.xll.0.dr

Data Obfuscation

Source: j7aM8mK3Sy.exe, -Module-.cs .Net Code: _206C_206E_206C_202B_202E_206A_206C_200B_200B_200F_206E_206B_206A_206E_206C_206E_202B_206D_202C_202B_206E_202A_200E_202A_200C_206A_206F_202D_200F_202E_202A_206E_200C_200E_206F_200B_206B_202D_200C_202C_202E System.Reflection.Assembly.Load(byte[])
Source: j7aM8mK3Sy.exe Static PE information: 0xA5458972 [Mon Nov 12 13:36:50 2057 UTC]
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_052335B2 push edi; iretd 0_2_052335B3
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_052301DB pushfd ; iretd 0_2_052301E1
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_05237DB4 push ss; iretd 0_2_05237DB8
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_05235823 pushad ; iretd 0_2_05235831
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_0523389A push esp; iretd 0_2_0523389B
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Code function: 0_2_05233B0F push 0000005Ah; iretd 0_2_05233B14
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\DatePicker.xll Jump to dropped file
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\DatePicker.xll Jump to dropped file
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX (28 identical entries)
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Memory allocated: F20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Memory allocated: 2C90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Memory allocated: 4C90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Memory allocated: 5380000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Memory allocated: 6380000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Memory allocated: 64B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Memory allocated: 74B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Memory allocated: 7C30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Memory allocated: 8C30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Memory allocated: 9C30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Window / User API: threadDelayed 9780
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\DatePicker.xll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe TID: 6940 Thread sleep time: -9780000s >= -30000s
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe TID: 6920 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Queries volume information: C:\Users\user\Desktop\j7aM8mK3Sy.exe VolumeInformation
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation (2 identical entries)
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Queries volume information: C:\Windows\System32\WinMetadata\Windows.Services.winmd VolumeInformation
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Queries volume information: C:\Windows\System32\WinMetadata\Windows.Foundation.winmd VolumeInformation
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.InteropServices.WindowsRuntime\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.InteropServices.WindowsRuntime.dll VolumeInformation
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation (2 identical entries)
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation (3 identical entries)
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
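The dropped file above, DatePicker.xll, lands in the per-user XLSTART folder. Excel opens every file it finds there when it starts, so a dropped add-in runs on the next Excel launch even though the sandbox never saw it execute; the "not started" status says nothing about whether it is inert. The audit below is an added example, not code from the report, from Joe Sandbox, or from the sample: it walks a profile's Excel startup folder, hashes each auto-loading file for lookup against the report's hashes, and checks the content against the extension (an XLL is a native PE DLL by design, so a PE header under .xll is expected, while a PE under a workbook name is not). The folder list, the suffix set, and the temporary directory used as a stand-in profile are this example's assumptions; on a real host point audit_profile() at the user's profile root.

```python
"""Audit a user profile's Excel startup folder for add-ins that auto-load.

Added example, not part of the report or of the sample. The folder list,
the suffix set and the temporary stand-in profile are assumptions.
"""
import hashlib
import tempfile
from pathlib import Path

# Per-user startup folder relative to the profile root (the one the report shows).
STARTUP_DIRS = (Path("AppData/Roaming/Microsoft/Excel/XLSTART"),)
# Everything Excel opens from XLSTART; .xll is a native DLL, the rest are workbooks.
ADDIN_SUFFIXES = {".xll", ".xlam", ".xla", ".xlsm", ".xlsb", ".xls"}
PE_MAGIC = b"MZ"  # DOS header signature every PE image starts with


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_profile(profile_root):
    """One record per auto-loading file under the profile's startup folders."""
    results = []
    for rel in STARTUP_DIRS:
        folder = Path(profile_root) / rel
        if not folder.is_dir():
            continue
        for entry in sorted(folder.iterdir()):
            suffix = entry.suffix.lower()
            if not entry.is_file() or suffix not in ADDIN_SUFFIXES:
                continue
            with open(entry, "rb") as fh:
                is_pe = fh.read(len(PE_MAGIC)) == PE_MAGIC
            results.append({
                "path": str(entry),
                "sha256": sha256_of(entry),  # for lookup against the report's hashes
                "is_pe": is_pe,
                # An .xll must be a PE DLL; a workbook must not be one. Either way
                # round, the content does not match the extension.
                "extension_mismatch": is_pe != (suffix == ".xll"),
            })
    return results


def build_demo_profile(root):
    """Constructed stand-in profile (assumption, not the sandbox's file system):
    an .xll with a PE header, an .xlam that is a zip container as a real OOXML
    add-in would be, and a PE hiding under a workbook name."""
    xlstart = Path(root) / STARTUP_DIRS[0]
    xlstart.mkdir(parents=True)
    (xlstart / "DatePicker.xll").write_bytes(PE_MAGIC + b"\x90" * 62)
    (xlstart / "macros.xlam").write_bytes(b"PK\x03\x04" + b"\x00" * 60)
    (xlstart / "notes.xlsm").write_bytes(PE_MAGIC + b"\x00" * 62)
    return root


def demo():
    """Run the audit against a throwaway profile and return its records."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_profile(tmp)
        return audit_profile(tmp)


if __name__ == "__main__":
    for rec in demo():
        flag = "MISMATCH" if rec["extension_mismatch"] else "ok"
        print(f"{flag:8} pe={rec['is_pe']!s:5} {rec['sha256'][:16]}  {rec['path']}")
```

The all-users startup folder under the Office install directory and the add-in paths registered under the Excel Options registry key are further auto-load locations this example does not cover.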
No contacted IP information
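Every behaviour line in this report has the same "Source: <process> <event>" shape, which makes the section easy to parse when reviewing many reports. The script below is an added example, not Joe Sandbox code and not part of the report: it buckets the lines into the observations an analyst counts (write-watch reservations, sleeps past the threshold the line itself prints, files dropped into an auto-load folder, the debug privilege, the MachineGuid read) and turns them into plain notes. SAMPLE_LINES is a constructed subset copied from the section above. One caveat the notes encode: the CLR garbage collector reserves its heap segments with write watch, and this process loads GAC_MSIL assemblies, so the write-watch allocations alone are a weak signal here; the `dotnet_process` flag is the analyst's call, not something the script detects. The categories, the magnitude comparison for sleep times and the wording of the notes are this example's own reading of the output.

```python
"""Triage Joe Sandbox behaviour lines ("Source: <process> <event>").

Added example, not part of the Joe Sandbox report. SAMPLE_LINES is a
constructed subset copied from the report; the categories and notes are
this example's own reading of the output, not Joe Sandbox logic.
"""
import re
from collections import Counter

LINE_RE = re.compile(r"^Source:\s+(?P<proc>\S+)\s+(?P<event>.+?)\s*$")
SLEEP_RE = re.compile(r"TID:\s*(?P<tid>\d+)\s+Thread sleep time:\s*(?P<value>-?\d+)s\s*>=\s*(?P<limit>-?\d+)s")
WRITE_WATCH_RE = re.compile(r"Memory allocated:\s*(?P<addr>[0-9A-Fa-f]+)\s+memory reserve \| memory write watch")
DROPPED_RE = re.compile(r"Dropped PE file which has not been started:\s*(?P<path>.+)")
VOLUME_RE = re.compile(r"Queries volume information:\s*(?P<path>.+?)\s+VolumeInformation$")
AUTOLOAD_MARKERS = ("\\xlstart\\",)  # Excel opens files found here at startup

# Constructed input: lines copied from the report section above.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Memory allocated: F20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Memory allocated: 2C90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Window / User API: threadDelayed 9780
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Excel\XLSTART\DatePicker.xll
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe TID: 6940 Thread sleep time: -9780000s >= -30000s
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe TID: 6920 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\Desktop\j7aM8mK3Sy.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
"""


def parse_line(line):
    """Split one report line into (process, event); None if it is not one."""
    m = LINE_RE.match(line)
    return (m.group("proc"), m.group("event")) if m else None


def triage(lines):
    """Bucket behaviour lines into the observations an analyst wants to count."""
    s = {"processes": set(), "process_info_set": Counter(), "write_watch_regions": [],
         "user_api_calls": [], "long_sleeps": [], "dropped_not_started": [],
         "autoload_drops": [], "debug_privilege": False, "machine_guid_query": False,
         "volume_queries": Counter(), "unparsed": []}
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            s["unparsed"].append(raw)
            continue
        proc, event = parsed
        s["processes"].add(proc)
        if event.startswith("Process information set:"):
            s["process_info_set"][event.split(":", 1)[1].strip()] += 1
        elif event.startswith("Window / User API:"):
            s["user_api_calls"].append(event.split(":", 1)[1].strip())
        elif (m := WRITE_WATCH_RE.search(event)):
            s["write_watch_regions"].append(int(m.group("addr"), 16))
        elif (m := SLEEP_RE.search(event)):
            value, limit = int(m.group("value")), int(m.group("limit"))
            # The report prints negative relative durations next to its own
            # threshold; compare magnitudes rather than trusting the sign.
            if abs(value) >= abs(limit):
                s["long_sleeps"].append((int(m.group("tid")), abs(value)))
        elif (m := DROPPED_RE.search(event)):
            path = m.group("path").strip()
            s["dropped_not_started"].append(path)
            if any(marker in path.lower() for marker in AUTOLOAD_MARKERS):
                s["autoload_drops"].append(path)
        elif event.startswith("Process token adjusted:") and "Debug" in event:
            s["debug_privilege"] = True
        elif event.startswith("Key value queried:") and event.endswith("MachineGuid"):
            s["machine_guid_query"] = True
        elif (m := VOLUME_RE.search(event)):
            s["volume_queries"][m.group("path")] += 1
        else:
            s["unparsed"].append(raw)
    s["processes"] = sorted(s["processes"])
    return s


def findings(s, dotnet_process=True):
    """Plain-language notes; dotnet_process is the analyst's call (True here,
    since the report shows GAC_MSIL assemblies being loaded)."""
    notes = []
    if s["write_watch_regions"]:
        notes.append(f"{len(s['write_watch_regions'])} write-watch reservations: " + (
            "the CLR garbage collector reserves heap segments this way, weak signal in a .NET process"
            if dotnet_process else "unusual outside .NET, worth a closer look"))
    for tid, units in s["long_sleeps"]:
        notes.append(f"thread {tid} slept past the sandbox threshold ({units} units): possible timing evasion")
    for path in s["autoload_drops"]:
        notes.append(f"file dropped into an Excel auto-load folder, runs on next Excel start: {path}")
    if s["debug_privilege"]:
        notes.append("SeDebugPrivilege enabled: look for later cross-process access")
    if s["machine_guid_query"]:
        notes.append("MachineGuid read: common host fingerprint")
    return notes


if __name__ == "__main__":
    for note in findings(triage(SAMPLE_LINES.strip().splitlines())):
        print("-", note)
```

Lines the parser does not recognise end up in `unparsed` rather than being dropped, so a new signature text in a later report shows up as a gap instead of a silent miss.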