
Windows Analysis Report
MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad.zip

Overview

General Information

Sample name: MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad.zip
Analysis ID: 1541009
MD5: f94bb50582afd5d946ce7f7158388e1b
SHA1: 486c8dfcb022f3e9ae33d99c27fcd7f9ecb49827
SHA256: 8be13669d782879a93a8eae64fee5367fcf011429cdaaeac196a6a3f1ace5191

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Binary is likely a compiled AutoIt script file
Machine Learning detection for dropped file
Sets file extension default program settings to executables
Creates a process in suspended mode (likely to inject code)
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device

Classification

  • System is w10x64_ra
  • rundll32.exe (PID: 6976 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • 7zG.exe (PID: 1876 cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad\" -spe -an -ai#7zMap23948:168:7zEvent30997 MD5: 50F289DF0C19484E970849AAC4E6F977)
  • 7zG.exe (PID: 4184 cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad\" -an -ai#7zMap29602:242:7zEvent12266 MD5: 50F289DF0C19484E970849AAC4E6F977)
  • notepad.exe (PID: 6956 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad\.rsrc\2057\string.txt MD5: 27F71B12CB585541885A31BE22F61C83)
  • notepad.exe (PID: 1536 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad\.rsrc\2057\version.txt MD5: 27F71B12CB585541885A31BE22F61C83)
  • OpenWith.exe (PID: 5400 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
    • notepad.exe (PID: 6196 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad\.rsrc\0\RCDATA\SCRIPT MD5: 27F71B12CB585541885A31BE22F61C83)
  • 7zG.exe (PID: 2464 cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad\" -ad -an -ai#7zMap4539:168:7zEvent11394 MD5: 50F289DF0C19484E970849AAC4E6F977)
  • 7zG.exe (PID: 4100 cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\test\b70d20ce558c0162a271d1ecf0e80035ee00f9ad~\" -ad -an -ai#7zMap22436:138:7zEvent16567 MD5: 50F289DF0C19484E970849AAC4E6F977)
  • OpenWith.exe (PID: 640 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
    • notepad.exe (PID: 6044 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\test\test2\b70d20ce558c0162a271d1ecf0e80035ee00f9ad~\.data MD5: 27F71B12CB585541885A31BE22F61C83)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: C:\Users\user\Desktop\MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad\b70d20ce558c0162a271d1ecf0e80035ee00f9ad | ReversingLabs: Detection: 16%
Source: C:\Users\user\Desktop\test\b70d20ce558c0162a271d1ecf0e80035ee00f9ad | ReversingLabs: Detection: 16%
Source: C:\Users\user\Desktop\MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad\b70d20ce558c0162a271d1ecf0e80035ee00f9ad | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\test\b70d20ce558c0162a271d1ecf0e80035ee00f9ad | Joe Sandbox ML: detected

System Summary

Source: 7zG.exe, 0000000B.00000003.1397164977.0000021B97F3F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_ea226f9c-8)
Source: 7zG.exe, 0000000B.00000003.1400740820.0000021B97D00000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_14251795-2)
Source: b70d20ce558c0162a271d1ecf0e80035ee00f9ad.9.dr | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_b14593fa-a)
Source: .rdata.11.dr | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_d1f35e8c-4)
Source: b70d20ce558c0162a271d1ecf0e80035ee00f9ad.20.dr | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_eb6f1ca9-f)
Source: .rdata.22.dr | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_b90eb868-3)
Source: classification engine | Classification label: mal60.winZIP@13/50@0/0
Source: C:\Program Files\7-Zip\7zG.exe | File created: C:\Users\user\Desktop\MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad
Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:640:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5400:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown | Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad\" -spe -an -ai#7zMap23948:168:7zEvent30997
Source: unknown | Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad\" -an -ai#7zMap29602:242:7zEvent12266
Source: unknown | Process created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad\.rsrc\2057\string.txt
Source: unknown | Process created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad\.rsrc\2057\version.txt
Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Windows\System32\OpenWith.exe | Process created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad\.rsrc\0\RCDATA\SCRIPT
Source: unknown | Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad\" -ad -an -ai#7zMap4539:168:7zEvent11394
Source: unknown | Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\test\b70d20ce558c0162a271d1ecf0e80035ee00f9ad~\" -ad -an -ai#7zMap22436:138:7zEvent16567
Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Windows\System32\OpenWith.exe | Process created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\test\test2\b70d20ce558c0162a271d1ecf0e80035ee00f9ad~\.data
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: uxtheme.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: cryptbase.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: explorerframe.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: textshaping.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: textinputframework.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: coreuicomponents.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: coremessaging.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: ntmarta.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: uxtheme.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: cryptbase.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: explorerframe.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: textshaping.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: textinputframework.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: coreuicomponents.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: coremessaging.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: ntmarta.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: coremessaging.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: mrmcorer.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: efswrt.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: oleacc.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\notepad.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dxcore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dcomp.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: oleacc.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: thumbcache.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: directmanipulation.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: slc.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: sfc_os.dll
Source: C:\Program Files\7-Zip\7zG.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Program Files\7-Zip\7zG.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Program Files\7-Zip\7zG.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: twinui.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: pdh.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: actxprxy.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.appdefaults.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.immersive.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: uiautomationcore.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: dui70.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: duser.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: dwrite.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: bcp47mrm.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: uianimation.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d11.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: dxcore.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: dcomp.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: edputil.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: windowmanagementapi.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: inputhost.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: thumbcache.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: tiledatarepository.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: staterepository.core.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepository.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepositorycore.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: mrmcorer.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: appxdeploymentclient.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: directmanipulation.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\OpenWith.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: mrmcorer.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: efswrt.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: policymanager.dllJump to behavior
Source: C:\Windows\System32\notepad.exeSection loaded: msvcp110_win.dllJump to behavior
Source: C:\Program Files\7-Zip\7zG.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32Jump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files\7-Zip\7zG.exeWindow detected: Number of UI elements: 15
Source: C:\Program Files\7-Zip\7zG.exeWindow detected: Number of UI elements: 15
Source: C:\Program Files\7-Zip\7zG.exeFile created: C:\Users\user\Desktop\test\b70d20ce558c0162a271d1ecf0e80035ee00f9adJump to dropped file
Source: C:\Program Files\7-Zip\7zG.exeFile created: C:\Users\user\Desktop\MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad\b70d20ce558c0162a271d1ecf0e80035ee00f9adJump to dropped file
Source: C:\Program Files\7-Zip\7zG.exeFile created: C:\Users\user\Desktop\MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad\b70d20ce558c0162a271d1ecf0e80035ee00f9adJump to dropped file
Source: C:\Program Files\7-Zip\7zG.exeFile created: C:\Users\user\Desktop\test\b70d20ce558c0162a271d1ecf0e80035ee00f9adJump to dropped file

Boot Survival

Source: C:\Windows\System32\OpenWith.exe | Registry value created: HKEY_CURRENT_USER_Classes\data_auto_file\shell\open\command %SystemRoot%\system32\NOTEPAD.EXE %1
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\7-Zip\7zG.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\test\b70d20ce558c0162a271d1ecf0e80035ee00f9ad
Source: C:\Program Files\7-Zip\7zG.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad\b70d20ce558c0162a271d1ecf0e80035ee00f9ad
Source: C:\Windows\System32\OpenWith.exe TID: 3460 | Thread sleep count: 42 > 30
Source: OpenWith.exe, 0000000F.00000002.1694814666.000001C2E25BC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: }\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f0,\
Source: C:\Windows\System32\OpenWith.exe | Process created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad\.rsrc\0\RCDATA\SCRIPT
Source: C:\Windows\System32\OpenWith.exe | Process created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\test\test2\b70d20ce558c0162a271d1ecf0e80035ee00f9ad~\.data
Source: 7zG.exe, 0000000B.00000003.1397164977.0000021B97F3F000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000B.00000003.1400740820.0000021B97D00000.00000004.00000800.00020000.00000000.sdmp, b70d20ce558c0162a271d1ecf0e80035ee00f9ad.9.dr, .rdata.11.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: C:\Windows\System32\notepad.exe | Queries volume information: C:\Users\user\Desktop\MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad\.rsrc\2057\string.txt VolumeInformation
Source: C:\Windows\System32\notepad.exe | Queries volume information: C:\Users\user\Desktop\MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad\.rsrc\2057\version.txt VolumeInformation
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\notepad.exe | Queries volume information: C:\Users\user\Desktop\MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad\.rsrc\0\RCDATA\SCRIPT VolumeInformation
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Windows\System32\notepad.exe | Queries volume information: C:\Users\user\Desktop\test\test2\b70d20ce558c0162a271d1ecf0e80035ee00f9ad~\.data VolumeInformation
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 12 Process Injection | 111 Masquerading | OS Credential Dumping | 11 Security Software Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Rundll32 | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Process Injection | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 11 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

No Antivirus matches
Source | Detection | Scanner | Label | Link
C:\Users\user\Desktop\MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad\b70d20ce558c0162a271d1ecf0e80035ee00f9ad | 100% | Joe Sandbox ML | |
C:\Users\user\Desktop\test\b70d20ce558c0162a271d1ecf0e80035ee00f9ad | 100% | Joe Sandbox ML | |
C:\Users\user\Desktop\MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad\.data | 0% | ReversingLabs | |
C:\Users\user\Desktop\MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad\b70d20ce558c0162a271d1ecf0e80035ee00f9ad | 16% | ReversingLabs | |
C:\Users\user\Desktop\test\b70d20ce558c0162a271d1ecf0e80035ee00f9ad | 16% | ReversingLabs | |
C:\Users\user\Desktop\test\test2\b70d20ce558c0162a271d1ecf0e80035ee00f9ad~\.data | 0% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1541009
Start date and time: 2024-10-24 10:30:53 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 59s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad.zip
Detection: MAL
Classification: mal60.winZIP@13/50@0/0
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .zip
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • VT rate limit hit for: MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad.zip
Time | Type | Description
04:32:12 | API Interceptor | 2x Sleep call for process: OpenWith.exe modified
No context
No context
No context
No context
No context
Process:C:\Program Files\7-Zip\7zG.exe
File Type:DOS executable (block device driver @\273\)
Category:dropped
Size (bytes):18432
Entropy (8bit):0.58466669869824
Encrypted:false
SSDEEP:24:1QNhBSqe6uSkeKH6uSkeKfLLLLLLLTPPPPPqcyux5ZEzwJkzRQkKUCg6gI7:yvkjTk4Tkoyujqz5RQk
MD5:53B9025D545D65E23295E30AFDBD16D9
SHA1:B958D08B90B56AFF3F2E0D6DAF36B91C8F31CA4C
SHA-256:3E7AC07BC2E03413763B49457AA252B016CC40394CEA187DA97BBD072C031F08
SHA-512:325A7236819C19559C79F8D9721DBD4932B8F49420E6D73AC9AB1CF9B8A6C24677A7DC1E531955EBA1AD0CA1783B600D31D286ABAF662979721EE738774EAB13
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Reputation:low
Process:C:\Program Files\7-Zip\7zG.exe
File Type:data
Category:dropped
Size (bytes):195584
Entropy (8bit):5.691811547483715
Encrypted:false
SSDEEP:3072:kMm0aVPeAg0Fuz08XvBNbhaAtwPy6sNuxPgarB:tAOz04pXdaK6Fgar
MD5:C9CF2468B60BF4F80F136ED54B3989FB
SHA1:DD2C684A16B3F370A7C66588627005BEFD670B80
SHA-256:351B803807DFB852077C389B6B96198B5639A53F83045D190ABDF265DAB2C7A8
SHA-512:BE57680B7C0C6DBF04D4D03C010EBBBC99F7C42D78785B0188D6960648D89F19D05441B60CE3020A2681562AF03B74A37F62ECF82470828F21DFADDC8604F0A9
Malicious:false
Process:C:\Program Files\7-Zip\7zG.exe
File Type:data
Category:dropped
Size (bytes):30208
Entropy (8bit):6.7972128181359786
Encrypted:false
SSDEEP:768:093blAXbm3+R7wGfs9doeChZ30ghggh5HPY4uRIYFya:83RALN7p6of0ghg85HPGzFy
MD5:C68EE8931A32D45EB82DC450EE40EFC3
SHA1:359F6B9001CBAD77104E5ED741F6D8024A1E6FFD
SHA-256:92760FB78D9D6D312889C53B386DD9F87FA6CFE12841575D12972D831DEBB089
SHA-512:5B8B9A97F1166E3BAE350C4CA3D7BCAAA50212E4943F53E39CFCF7D77A1C0A4E048CAFF2A8C9DE6AC5252BD4A23639AECC3DD279FD7BE988E6806057246D19BF
Malicious:false
Process:C:\Program Files\7-Zip\7zG.exe
File Type:data
Category:dropped
Size (bytes):286854
Entropy (8bit):7.999370781391767
Encrypted:true
SSDEEP:6144:nPu8WWB5SeGGUJGVgr7CfWBebkLckgyD2ciGws3gbhLKjii8gPFX:PBF3GTGVgr7bB/LcDe9MsshLKjUgN
MD5:0D5477277A67D4ABBF2765ADBADE3FA4
SHA1:73FD15D2E5904475315621FA19D78957D6D7239F
SHA-256:0C736D82BF2A0DBB4C63AEDBD9D8DAA874476D1D8C354247DA10AA4D1D842CB0
SHA-512:B8BB56F5682DD633C5414C5DAF58BE00DDFB00ACFA6C0C2D14247D4D201EB662821179806B4FB5BE0D17146810B5F0FC8AEFC6616B064B4379C90223BC6D9A02
Malicious:false
Preview:.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Me....,.. .o.UA..1.An....H.`:$@.nY.2........s:V7p=..'P.B..%....n.K...;h..<u.w.Z3.lw...Aw>..y..1..Q3....T4}..5...U.=.....jS..*=.#mIn>3(..$..................|u......|u..kC.R......%x....}...q..U-...(....%....V..?p.hi...r..-..>."......b.&..R.v..Q....o....N...F...}FRh..N.}...).....S..M{.......h.E....3"....A.......w.gF.C.)...]|..mX....../..7L.....o.O.?..Q.?=.[.2........K.......8{.....sN..m.....x..x.5...x...).U'j...`$.1.#.e.\.....+..io....b=....$,..#..PWG..G...c.'..6..`.#..megXg?..-.#.m<}..P@.{."...6.+y.u.5..3.g .Q..'....3cW.2...|....-..<.....ny5.".J................o.H.(/..C&JM.....L.!....wf.......j.u?P..u..jz.N......l .....t.~...R.....vi..>.4s...,d..2.....+&.YI.h.x/.x+:.%.B.~EY..~Q.B.H..7.[....m?..Z.I....K4.`CoH..MK.I...u.....qPy.....oZ...?..._...;......nP.....l..kh.=......a.@8'.l...)?...U...q..z0..x..Xd.....Q5q.B.n.]....../.!6.My!.._.'.sV..R}nz...-...u.T.c. ........
Process:C:\Program Files\7-Zip\7zG.exe
File Type:data
Category:dropped
Size (bytes):20
Entropy (8bit):2.023219672335508
Encrypted:false
SSDEEP:3:8zNOl:8zQl
MD5:7A9605CB416B1A091D889B9D9F37EC66
SHA1:866C01641D672B6CD69901C1E055F174F47B35BB
SHA-256:6BCCE1250099CC08D574211B3DEBABB0244CD2641F6D960538E7DDC97D319164
SHA-512:FD63730E09AA5D68BDC2022422F6D11DEF036C6A86BAF2ADF8077FD4EC8B8CF5340038D2F1F0EFA775158AA23602A001E7F805320ECE3A1CBF80F4B809BBC4D8
Malicious:false
Preview:..............(.....
Process:C:\Program Files\7-Zip\7zG.exe
File Type:data
Category:dropped
Size (bytes):20
Entropy (8bit):1.842737648613667
Encrypted:false
SSDEEP:3:8zNNl:8zp
MD5:F64C60B749269FCF6659C450DDA98486
SHA1:42945C3496BC4E1943A1A05926A9B5EE31D3E450
SHA-256:AE172A9A2FD008910B537C92A95B38BFBA0E5BBDAACA719BF686E6415A7A2BA1
SHA-512:DE4A518F0788A98E5F99F9599481272C78D7302C87C555A13AA8710B69E1C38BC44DA20081BB2056B27430AB3BF9B2434F0751A0DD621EFDDDAEDD604EBDE6D9
Malicious:false
Preview:..............(.....
Process:C:\Program Files\7-Zip\7zG.exe
File Type:data
Category:dropped
Size (bytes):20
Entropy (8bit):2.023219672335508
Encrypted:false
SSDEEP:3:8zNPl:8zD
MD5:60F05E3B8EA9E18928923BDBCC112277
SHA1:D97726A6E9C326A37507F879FECA7E152157839C
SHA-256:7698EF362B288A7E3B96304CA50814B42518CBA38598DB9DBB36D8B90212D76A
SHA-512:7A45071AB1D52CF5F01E029A1D3711B70B8B8D81011AB0E5AC0D754D003E16670BC44CA043EFA4F3700C0AD1408FC44514BFA3FD50903280D39CA00C2BF34A46
Malicious:false
Preview:..............(.....
Process:C:\Program Files\7-Zip\7zG.exe
File Type:data
Category:dropped
Size (bytes):104
Entropy (8bit):3.037061926087002
Encrypted:false
SSDEEP:3:yfmlf/guoj/tkfVlGNlk7lv4stlOlsv:yulfou+/WG3kHtEsv
MD5:2A6F65EFF70516EB284F7A9B538D98C9
SHA1:EB43276E3C9CF44265CF115E6F52AFF59DA95DBE
SHA-256:85E3514D47F5110077AD89DB5B7D4A83D3363BD2B336C2DB152A1F30B4F311CD
SHA-512:1A3D4C915FA7549DC2F04388C2C8AED992731E7BE38FCC42DC5E3F0826B3B63903599BFD323F439BFE9BEF2B39DB30651F18101D7CAA3EA28A1DAAB45F6DCCDF
Malicious:false
Preview:............ .h..... .... .......00.... ..%....@@.... .(B....HH.... ..T....``.... ............. .(.....
Process:C:\Program Files\7-Zip\7zG.exe
File Type:MS Windows icon resource - 1 icon, 16x16, 16 colors
Category:dropped
Size (bytes):318
Entropy (8bit):3.6291489605393212
Encrypted:false
SSDEEP:6:kyF69TKAT1UUMl0G5Y36//PllaK+J9PrdBT9h/hx5n:kW69eATCUJa/xw9DdBhJb5n
MD5:EE0C3349DF52B24610983C3F0ABDE2DE
SHA1:72C4920FB2BA1A6D69DB26A65E69EFF88A8147C0
SHA-256:83BE36D195C9EE3ED9CD68A3662E65E59A06DB4F12BA607CA29035B95AFCE425
SHA-512:1DFC1DF452B4D7E84B21B4C57C63158D751E680B86549C6AA3E3C96070EC78812D14CD3050DFA27742E53689A740C3265D9D0B3B3935F110AEA3D755CC1905E4
Malicious:false
Preview:..............(.......(....... ...................................z`..y_..M,..6...).......,...:...nnn.jb..ZF..F).._@..9...eee..................\.......V....[..%........\..k............Wz......e.......kM........:....[.........P..\.......0..........................................?...?.............................
Process:C:\Program Files\7-Zip\7zG.exe
File Type:MS Windows icon resource - 1 icon, -128x-128
Category:dropped
Size (bytes):67646
Entropy (8bit):3.275186331620235
Encrypted:false
SSDEEP:768:MolzUHgu21acmwtKvDJzRYIXS/ya9B0agw6:Mox2T21acmwtKVR3S/RBjg5
MD5:864B520E436CB7EB774B6E7B465905FC
SHA1:3E3A89E5F192A034013D38ECAC7E40F6950B7EFC
SHA-256:D3DDE77EF4FDFB85DA26A65A6EF402BC3E91F0C66BDC46E3DB423FF2B68DF110
SHA-512:AA37C75B828DA9C8B18DF28F24B387F8217F1E12475ACD68746FE066F816ED4D72C2480669B07075D1D3C4264F807D375A4467F45AD7597B23D9B68776A46387
Malicious:false
Process:C:\Program Files\7-Zip\7zG.exe
File Type:MS Windows icon resource - 1 icon, 16x16, 16 colors
Category:dropped
Size (bytes):318
Entropy (8bit):2.116719447377168
Encrypted:false
SSDEEP:3:PFErXllvlNl/AXll/l1ltllkoKJqFWgW9TOlmDlPHplBF1atXn/5555555555559:kyF69TKAT1UP555555555555555n
MD5:F696D1AE85B4E39757464317EB9221C4
SHA1:D2E6FD7F7998CEDE11D93822E92B68E3284633C6
SHA-256:6463AC8E13612BA8F11B248170062141A875F35068C3D47E13618EEBCB3E1880
SHA-512:6A8B55FD145798957FF22B04593892CE18D4F71909717C4737AA42435BCA1AE711C0189337A262224C4346894B8DDF7D4A76077BE622A2AC5BE048E706E06547
Malicious:false
Preview:..............(.......(....... ...................................z`..y_..M,..6...).......,...:...nnn.jb..ZF..F).._@..9...eee.................................................................................................................................................................................................
Process:C:\Program Files\7-Zip\7zG.exe
File Type:MS Windows icon resource - 1 icon, 16x16, 16 colors
Category:dropped
Size (bytes):318
Entropy (8bit):2.3073880035185548
Encrypted:false
SSDEEP:3:PFErXllvlNl/AXll1GoKJqFWgW9TOlmDlPHplBF1atXn/55ojEaWMMjqDn:kyF69TKAT1UP55En
MD5:A10137B4C027DE2C5C2B3D7D7781F30D
SHA1:A47CCBCA0F61001DDF322174222EEF4CC167E133
SHA-256:4F83B51B9A1F155EBC3C2610DDF1BA20FEDAB13C24725127A026C6D18EF12796
SHA-512:C80791D8E41623925E6B0A15670D1C959E18423319FF3682C616ABD23071CBF7D95D2CF3BBFFDE49783C2CDD01ACD0FAA7D52C1B3723AC7E77C17DC4C17CF165
Malicious:false
Preview:..............(.......(....... ...................................z`..y_..M,..6...).......,...:...nnn.jb..ZF..F).._@..9...eee..................................................................................................................................................................7..............................
Process:C:\Program Files\7-Zip\7zG.exe
File Type:MS Windows icon resource - 1 icon, 16x16
Category:dropped
Size (bytes):1150
Entropy (8bit):5.439329278950028
Encrypted:false
SSDEEP:24:7AKe7fCc/zZ2UZTatg3zxeLfV55Q+fixYckJC8TPfL:7faCc/EOTV3VeZ557fkY9CgHL
MD5:A927B180DDD05D982428988CD59321C5
SHA1:84A052AAC78B9A3F1A7A17454E0EFE4C1AC1B03C
SHA-256:D578B888492D63A78E2DFCFBE4B63CE2E786097046ECC1FF70276955FB1818FB
SHA-512:6BF8E5D3966EB698BF3BD3C83F292687D843D35DBA12FDAA6B5276E7ABB10012D2FEE5AC443F3BB7CD1BE1B85FD01294515E900268F0FF0E414A1C8B00CE6DDD
Malicious:false
Preview:..............h.......(....... ..... .....@.......................................>CF"Di..?b..@FM.....`\\Wqkk.tnn6tnn.smm.fbbZ................31/.<ELv@....r..Ib.2FDC'qkk...tnnQtnn.....uoo.................31/,;CK.;...+m..AYy.UQP[upp.....tnn.tnn.....vpp.............666.420j;CJ.:...+j..;HXc31/ruoo...............vpp.222.///(222-222V320w:BHz:...)h..7>G./-+OUTT`xrr.........}uu.f``.111.333&111$555#31-.@Qb>:...+k..@Up6/-,.....}yy.........}uu.KKK-....................Ns.'8...-k..Nt.'........{ww......uu.lee.KLL+....................Ov.)9.../l..Nt..........{wv.........rmm.KKK,....................Ou.#=...1n..Nt..........yuu.............HII,....................Rw..A...2s..Px..........yut.............HHH,....................Ot..J...<{..@`..........zvv........}zz.JJJ,.......................H]hq.Zem....G........mii.tnn.....zvv.KLL,...........;............-+).%#!........;...+....rkk.......KKK............]FFF..--.000.....................^]].....SMM..yy.NNN.............%#!.%#!.%#!.%#!.%#!.%#!.SSS.TT
Process:C:\Program Files\7-Zip\7zG.exe
File Type:MS Windows icon resource - 1 icon, 32x32
Category:dropped
Size (bytes):4286
Entropy (8bit):4.773122236212395
Encrypted:false
SSDEEP:48:C6enlcG+YIB1vpg5PvsIHdpM8g51SOAkwC81k:WnitYA125PvsIH7qcCwL1k
MD5:5AB412D89B469B76C5EFDE2D66D10482
SHA1:AF167BFFBD81A3DBD069610D9E1DB7B2AEC51EEB
SHA-256:80A1C42C1F01417356973F220CA52E21D937870F696C1250BA3C8182897CB707
SHA-512:EFDBE7F7F9530E87E8EB7188986D270555D6AFC9511864C0559F0831C9073333229FEBC5A442208B5E970F8901A7D0615864256FB0CBCF4193C1D45F6521FE09
Malicious:false
Preview:...... ..............(... ...@..... .....................................................................................................................................................................................................234.;EPB@KXM>KWM;EQC334.....................'''.VSS.IFFi........111.QNN}URR}IJJ.............................................975.?ITt^...F...8w..I...G_|s........111.555/011Zfbb....iaa.....555%-..jyrr....XTT.KLL.........................................1/-9@MY.P...,v...]..2o..Pw......?=:.333O000wEDD........h``.)**R555{,,,..{{.........A@@a....................................444.30.h?KW.P....w..._..3n..Pv......531.333c222.{ww.........lee....u000O,--+............CAA.................................444.444R30.w?KW.O....w..._..3n..Qx......+)&.111O@AA.............d]].011.....................IGG.................................666,444x30.t?KW.N....x..._..3o..Os.~....432W111vEEE.................c]].NJJ.f``............XUU.............................888.444a444{30
Process:C:\Program Files\7-Zip\7zG.exe
File Type:MS Windows icon resource - 1 icon, 48x48
Category:dropped
Size (bytes):9662
Entropy (8bit):4.287808671637714
Encrypted:false
SSDEEP:96:9DIAtQdBGeOYvNHoQk8bLtk5I82z5zV8atwOZP4uTLxd9HD9oQuREjjjjxlxlxls:91KloQRbLi5ItrFZzL5rPu
MD5:4B748B01741331C75B0F9FF14BBED45A
SHA1:F9B6B52BBE9CF852B25CE10EF682BA2084158FAE
SHA-256:A07E9321B67EDC4F004691E2A210961D72C036932497BE21AC62A09CB312AFD1
SHA-512:2C2E895BE38A7432C3000E3881FAC7696DC24FC6CB86468F6014930CDC560ADA065C53E33C9BFAE78D4E8821F7DA3D1D4214FC9C401377A400326E4120826C13
Malicious:false
Preview:......00.......%......(...0...`..... ......%..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................004.558.558.568.568.*)).....................................&''.HHHoMLL.+++.............***.???ANMM.IJJA................................................................................&9L.!S..$]..#\.. Z...Q...Q.."U..&?Y.........................000.0117@@@..xx.....766K........888.111?DCC.....YTT.DDDi........................................................................655..6AW.T..T...8...0s..+l..2t...T...T~.............---.444)555Y122jPNN............(''E....777!333`111p@??...
Process:C:\Program Files\7-Zip\7zG.exe
File Type:MS Windows icon resource - 1 icon, 64x64
Category:dropped
Size (bytes):16958
Entropy (8bit):4.154912489178019
Encrypted:false
SSDEEP:192:ctu558wd26GTrgdkatQ9DVz0WSQ0J/NgoN0V5:6qwTbS+Z0+0xanf
MD5:B30F417BD7944C94CBA2A422387594F2
SHA1:25258535926AA4E025A85BFB84BFF66EEE0478D1
SHA-256:9B7DDBD4BCCFAE58EC1C38D2F334E564FAA1141D326E327EF4AF8DC1B54D33FC
SHA-512:48E2687ACC003E72EE4437C5E6F3C9D08972C92742DDCABB441858C2CCFF914EE974C56354BC740C0CA64A5E981F8FAA45C66F6E9D85B29FB31D649208D1C82E
Malicious:false
Preview:......@@......(B......(...@......... ......B............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files\7-Zip\7zG.exe
File Type:MS Windows icon resource - 1 icon, 72x72
Category:dropped
Size (bytes):21662
Entropy (8bit):4.04359891955288
Encrypted:false
SSDEEP:192:5/pxV5KME4OEKHrCJimofWefQYuX2nGPR:1OLCJyfWeJudPR
MD5:000D441D9532FF9EBB870A1B00763A22
SHA1:DD8F59817A477C2D4FDD53FFD963CB0DEA7C189E
SHA-256:697064BFECBD0F5C85E2E87763D30CE785B7A9B4C2391A33DB0F44FBBDB292AB
SHA-512:4363E6D629541BD65CAFFE9100A37FA5BED224AA636CB2C719E6EEB4267747D473A571F4C77364A436E80CFEC460229732B3D2E7EF47EE9091FC3FC0117CCACB
Malicious:false
Preview:......HH.......T......(...H......... .....`T............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files\7-Zip\7zG.exe
File Type:MS Windows icon resource - 1 icon, 96x96
Category:dropped
Size (bytes):38078
Entropy (8bit):3.8899713181408666
Encrypted:false
SSDEEP:384:TSBbwqgL5b3DqOaAUAUtrcKVWZDRsajqTZ3pazG:GGqgL5SuUAMmRvql
MD5:D30EF2B0D42F9CA0DB827D81DEDF851C
SHA1:19F596B20349F527CF97F4E251F0AAA55D3C6878
SHA-256:606B069A103752FAC75BB685B3D2D554EFC87B9BC8C021A678EA6254E52CD23C
SHA-512:3B57A371D2D184A4C787009813CFA883F12B3F58BB443FF224A9BC671B09E30A61F6F1EE6EC7868B971542620BDB641EACB22D6D6C31DA81FE96D8D9A15EA491
Malicious:false
Preview:......``..............(...`......... ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files\7-Zip\7zG.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1018
Entropy (8bit):5.392643085279409
Encrypted:false
SSDEEP:12:OYp53SNK+bJTgVNsJv34mNkM6N5wi9F5aRvqcGkVtvC3kGmyi5ysykq+/G:OgiNK+bRgMtPkM0qi7Yqcs3rQqp
MD5:79FF2B6CFBAED20D0761E88F8B47DC80
SHA1:7EF2897A5A54BE6EB3E82C3A936D070DC001E537
SHA-256:2FB51DAC382441E19215B5016EDDD256A4FDF99D325FE691D77A6E450988ECBE
SHA-512:40514B585D925F3F4756FCCD845AFE18EFFC492B788FE1B5D2AFBEDE2B08E4BD2938D51F69ED1A54422EB4EBCA6C0025E42ABC3FA7748412281CE89CFB29316C
Malicious:false
Preview:<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. .<dependency>.. ..<dependentAssembly>.. ...<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"/>.. ..</dependentAssembly>.. .</dependency>.. .<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">.. ..<security>.. ...<requestedPrivileges>.. ....<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>.. ...</requestedPrivileges>.. ..</security>.. .</trustInfo>...<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">.. ..<application>.. ...<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>.....<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>.....<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>.....<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>.....<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>....</application>.. .</compatibili
Process:C:\Program Files\7-Zip\7zG.exe
File Type:data
Category:dropped
Size (bytes):80
Entropy (8bit):2.6829183153667957
Encrypted:false
SSDEEP:3:3lDMKll/BlyXCZjlikt/lHlydlMDln:hn//BUokMinM5n
MD5:8140596AB00B98A11C13E6977D2D0977
SHA1:58ABC231C2B5AC778A543A5DFFCFABE867A6758D
SHA-256:54F5E2ECBFC4F87380CA7466337676B99D0C4A21F806CF83F69FD48934C857AB
SHA-512:BA6525EEE05AF1251D92C55D302CD8EFA36873128857CA7244E8766F267249878AE0A9D6AC42EC74099606F3708E7EDA171EADB037880B2518CE0F934D5E174F
Malicious:false
Preview:......C.o.n.t.e.x.t.1.......S.c.r.i.p.t. .&.P.a.u.s.e.d.............E.&.x.i.t...
Process:C:\Program Files\7-Zip\7zG.exe
File Type:data
Category:dropped
Size (bytes):9762
Entropy (8bit):3.4525502961259815
Encrypted:false
SSDEEP:96:Wgw62QAySMqEBRczjfIjxymVqQNxv5Rzs3MpjVqfSTx/ii4b+rSq9aTba4hzRCmQ:klQ/cItPNZ+EVj+NqibuMNMsrwNRcG6i
MD5:8236FF6A515961C2C991691D3AC533F0
SHA1:5F1122DD81C3EAD5419A0918BA0E1E3D82088183
SHA-256:A8ACD82F5CDF8E989D22958EAB32963CCB2CBDC4427ABB2A81AD6D2F2F1A4454
SHA-512:F1FD6565129AFF6FB10586A2DE87F7B6ED82F56D5D2CE57BFB409788786796F701B2DA0C295D004E92C76926DB8EEB51EBE68131584F949044FF0368AC181334
Malicious:false
Preview:1.0.1...(.P.a.u.s.e.d.). .....1.0.2...A.u.t.o.I.t. .E.r.r.o.r.....1.0.3...A.u.t.o.I.t. .h.a.s. .d.e.t.e.c.t.e.d. .t.h.e. .s.t.a.c.k. .h.a.s. .b.e.c.o.m.e. .c.o.r.r.u.p.t...\.n.\.n.S.t.a.c.k. .c.o.r.r.u.p.t.i.o.n. .t.y.p.i.c.a.l.l.y. .o.c.c.u.r.s. .w.h.e.n. .e.i.t.h.e.r. .t.h.e. .w.r.o.n.g. .c.a.l.l.i.n.g. .c.o.n.v.e.n.t.i.o.n. .i.s. .u.s.e.d. .o.r. .w.h.e.n. .t.h.e. .f.u.n.c.t.i.o.n. .i.s. .c.a.l.l.e.d. .w.i.t.h. .t.h.e. .w.r.o.n.g. .n.u.m.b.e.r. .o.f. .a.r.g.u.m.e.n.t.s...\.n.\.n.A.u.t.o.I.t. .s.u.p.p.o.r.t.s. .t.h.e. ._._.s.t.d.c.a.l.l. .(.W.I.N.A.P.I.). .a.n.d. ._._.c.d.e.c.l. .c.a.l.l.i.n.g. .c.o.n.v.e.n.t.i.o.n.s... . .T.h.e. ._._.s.t.d.c.a.l.l. .(.W.I.N.A.P.I.). .c.o.n.v.e.n.t.i.o.n. .i.s. .u.s.e.d. .b.y. .d.e.f.a.u.l.t. .b.u.t. ._._.c.d.e.c.l. .c.a.n. .b.e. .u.s.e.d. .i.n.s.t.e.a.d... . .S.e.e. .t.h.e. .D.l.l.C.a.l.l.(.). .d.o.c.u.m.e.n.t.a.t.i.o.n. .f.o.r. .d.e.t.a.i.l.s. .o.n. .c.h.a.n.g.i.n.g. .t.h.e. .c.a.l.l.i.n.g. .c.o.n.v.e.n.t.i.o.n.......1.0.4...".E.n.d.W.i.t.h.". .m.i.
Process:C:\Program Files\7-Zip\7zG.exe
File Type:data
Category:dropped
Size (bytes):652
Entropy (8bit):3.3804167688477387
Encrypted:false
SSDEEP:12:ft5JXt5yoIqIjUUbOlJvAwXfCqYAV8fpMfqAVky9Y:ftHtIVqcbKJvFXfC3I8fpMfqIkGY
MD5:7EC588F60DFB170F0B1D1BF6CD8FCC32
SHA1:65BE534425D86F4847C6AD6A7A66859F5AFD019D
SHA-256:F2B2715C6C23A016B6A86C51477F05E8372AAC15DFF4362317D68F7306F1F86C
SHA-512:F184540FF1E20830723BAAA50D1E91CE2C6E00E0C58356305DEFA9D6B02E337020EF2462D680B899A773954CEF1F0300AAD4CFB295F6A2709687CCB67003C973
Malicious:false
Preview:F.I.L.E.V.E.R.S.I.O.N. . . . .0.,.0.,.0.,.0.....P.R.O.D.U.C.T.V.E.R.S.I.O.N. .0.,.0.,.0.,.0.....F.I.L.E.F.L.A.G.S.M.A.S.K. . .0.x.0.....F.I.L.E.F.L.A.G.S. . . . . . .0.x.0.....F.I.L.E.O.S. . . . . . . . . .V.O.S._.U.N.K.N.O.W.N. .|. .V.O.S._._.W.I.N.D.O.W.S.3.2.....F.I.L.E.T.Y.P.E. . . . . . . .V.F.T._.A.P.P.....F.I.L.E.S.U.B.T.Y.P.E. . . . .0.x.0.....{..... . .B.L.O.C.K. .".S.t.r.i.n.g.F.i.l.e.I.n.f.o."..... . .{..... . . . .B.L.O.C.K. .".0.8.0.9.0.4.B.0."..... . . . .{..... . . . .}..... . .}..... . .B.L.O.C.K. .".V.a.r.F.i.l.e.I.n.f.o."..... . .{..... . . . .V.A.L.U.E. .".T.r.a.n.s.l.a.t.i.o.n.".,. .0.x.8.0.9.,. .1.2.0.0..... . .}.....}.....
Process:C:\Program Files\7-Zip\7zG.exe
File Type:ASCII text, with very long lines (446), with no line terminators
Category:dropped
Size (bytes):446
Entropy (8bit):2.7509764668565446
Encrypted:false
SSDEEP:6:6J+QKQKQKQKQKQKQKQKQKQKQKQKQKQKQKQKQKQKQKQKQKQKQKQKQKQKQx:6JNhhhhhhhhhhhhhhhhhhhhhhhhhhx
MD5:9D452D49927EEA18FC409D622F7B6E3B
SHA1:216EA284ACA4753AC5D9625BF2D4187B38E9FE85
SHA-256:BAC4D2F73E517F7C7FB2983AE836E2C71CBC5E35E514DFDBDFB2EA88D9B34E8C
SHA-512:F7ABB83125C155BDF90053156F13519E44AF0F7B9EF3226476678082BAC9FE6DC7554B6B7AC3EF45D2CE4519641E342383E9D9FAB7A6F94699435E67642385D1
Malicious:false
Preview:PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
Process:C:\Program Files\7-Zip\7zG.exe
File Type:data
Category:dropped
Size (bytes):633856
Entropy (8bit):6.668273581389306
Encrypted:false
SSDEEP:12288:rqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrp:rqDEvCTbMWu7rQYlBQcBiT6rp
MD5:0A1473F3064DCBC32EF93C5C8A90F3A6
SHA1:25C1457C129EE77C0AAF98BEB58F3526677687D4
SHA-256:1DF328D893FD19C2119C9A872FBC33E83B929B7119BEE88D15BD9FAE9D4246DD
SHA-512:EB4D2234A4533F2EDB9C35770264923640423430588B355E4D503F627DF49340FCC4092CA15BDD02DFEA9E0FDB517E9F964D5045F356EF27342A7E95EB69F013
Malicious:false
Preview:.t.M..8...h.#D.....Y.h.#D.....Y......h.#D..r...Y..Y<..h.#D..a...Y.Q....h.$D..O...Y.0.M.Q.@..0.M.P..#..h.$D../...Y...%..h.$D......Y.....h!$D......Y..A2..h&$D......Y..P...h0$D......Y..%M....h?$D......Y.V..N.....N....j(V.....YY..^...U...8..0.M.t.I.3.....M.0.I.....M.....M.VQf....M..o....0.M..@..0.M.\.I..0.M..H.........,.M.3....M....M....M....M..Y......M........M........M.....3....M..T.M..X.M..\.M..`.M..d.M..h.M..l.M..p.M..t.M..x.M....3.....M.<.I....M....M....M.f...M....M....M.f...M....M....M....M....M....M....M.....M.@.I....M....M....M.....M.@.I....M....M....M.....M.@.I....M....M....M.....M.D.I....M....M....M....M....M.....M..........(.M.........M.<.I.3...M.....M.....M.....M......@.M....3....M.P.`.M..d.M..h.M..p.M..t.M..x.M..G....M..$...P.0.M..H...4.M......M.....M..{...3.f..0.M...j..,.M.. .M..$.M....M....M..(.M....M.f.l.M....M..}.M..\.M...h.I...........3..|.M......R..h.I..0.M.^.....0.M..@.M.V.@..0.M.h.I.3..4.M..8.M..<.M..+....t.M..!......M......h .I....oW..
Process:C:\Program Files\7-Zip\7zG.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1338368
Entropy (8bit):6.823441157270632
Encrypted:false
SSDEEP:24576:FqDEvCTbMWu7rQYlBQcBiT6rprG8aDQg8sLPt/LcDe9MoB:FTvC/MTQYxsWR7aDQg8kN8e9Mo
MD5:CA51E5A000699F85753C85FDACD4617A
SHA1:B70D20CE558C0162A271D1ECF0E80035EE00F9AD
SHA-256:0615B2C6C5F550BC9CDACC3D35B3423EF6BF84F81623C9C386886C76D567CCDF
SHA-512:1A8228A6C9E0F080653C854F50449AC52A885235F37D2FB8CABBA6D3B08CFE9445462E92A23834ECC3E4D6BE24D8F5BDDC770467DC13E668785347CD82A7FB7B
Malicious:true
Antivirus:
  • Antivirus: Joe Sandbox ML, Detection: 100%
  • Antivirus: ReversingLabs, Detection: 16%
Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L...K..g..........".................w.............@.......................................@...@.......@.....................d...|....@..D....................P...u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...D....@......................@..@.reloc...u...P...v..................@..B........................................................................................................................................................................................................................................................................
Process:C:\Program Files\7-Zip\7zG.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1338368
Entropy (8bit):6.823441157270632
Encrypted:false
SSDEEP:24576:FqDEvCTbMWu7rQYlBQcBiT6rprG8aDQg8sLPt/LcDe9MoB:FTvC/MTQYxsWR7aDQg8kN8e9Mo
MD5:CA51E5A000699F85753C85FDACD4617A
SHA1:B70D20CE558C0162A271D1ECF0E80035EE00F9AD
SHA-256:0615B2C6C5F550BC9CDACC3D35B3423EF6BF84F81623C9C386886C76D567CCDF
SHA-512:1A8228A6C9E0F080653C854F50449AC52A885235F37D2FB8CABBA6D3B08CFE9445462E92A23834ECC3E4D6BE24D8F5BDDC770467DC13E668785347CD82A7FB7B
Malicious:true
Antivirus:
  • Antivirus: Joe Sandbox ML, Detection: 100%
  • Antivirus: ReversingLabs, Detection: 16%
Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L...K..g..........".................w.............@.......................................@...@.......@.....................d...|....@..D....................P...u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...D....@......................@..@.reloc...u...P...v..................@..B........................................................................................................................................................................................................................................................................
Process:C:\Program Files\7-Zip\7zG.exe
File Type:DOS executable (block device driver @\273\)
Category:dropped
Size (bytes):18432
Entropy (8bit):0.58466669869824
Encrypted:false
SSDEEP:24:1QNhBSqe6uSkeKH6uSkeKfLLLLLLLTPPPPPqcyux5ZEzwJkzRQkKUCg6gI7:yvkjTk4Tkoyujqz5RQk
MD5:53B9025D545D65E23295E30AFDBD16D9
SHA1:B958D08B90B56AFF3F2E0D6DAF36B91C8F31CA4C
SHA-256:3E7AC07BC2E03413763B49457AA252B016CC40394CEA187DA97BBD072C031F08
SHA-512:325A7236819C19559C79F8D9721DBD4932B8F49420E6D73AC9AB1CF9B8A6C24677A7DC1E531955EBA1AD0CA1783B600D31D286ABAF662979721EE738774EAB13
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
Preview:...................DN.@......................... ............................ ....................................................... ....................................................... ...........................................................................................&J...............................................L...............L...............L...............L...............L.......................L......... )J..*J...J...........................L...L.C....#J.................................................................................................................................................................................................................................................................................................................................PST.............................................................PDT............................................................. .L.`.L.....................................`.y.!.......................
Process:C:\Program Files\7-Zip\7zG.exe
File Type:data
Category:dropped
Size (bytes):195584
Entropy (8bit):5.691811547483715
Encrypted:false
SSDEEP:3072:kMm0aVPeAg0Fuz08XvBNbhaAtwPy6sNuxPgarB:tAOz04pXdaK6Fgar
MD5:C9CF2468B60BF4F80F136ED54B3989FB
SHA1:DD2C684A16B3F370A7C66588627005BEFD670B80
SHA-256:351B803807DFB852077C389B6B96198B5639A53F83045D190ABDF265DAB2C7A8
SHA-512:BE57680B7C0C6DBF04D4D03C010EBBBC99F7C42D78785B0188D6960648D89F19D05441B60CE3020A2681562AF03B74A37F62ECF82470828F21DFADDC8604F0A9
Malicious:false
Preview:....n...\...L...<...*...................D...d...t............................. ...*...8...T...l...v................................8...P...d...x........................$.......................................t...f...\...P...D...:.............."........................... ...0...................n...b...V...J...>.............................................&.......D...Z...d...t............................................H...X...f...x....................................0...B...T...b...x...................N.....................4...P...`...p........................................0...@...N...d...v.................................2...P...r.............................(...:...L...b...r...~....................................0...>...J...^...v.....................6...*........................................................z...........6...L...X...h...t........................................$...6...F...X...f...v................................
Process:C:\Program Files\7-Zip\7zG.exe
File Type:data
Category:dropped
Size (bytes):30208
Entropy (8bit):6.7972128181359786
Encrypted:false
SSDEEP:768:093blAXbm3+R7wGfs9doeChZ30ghggh5HPY4uRIYFya:83RALN7p6of0ghg85HPGzFy
MD5:C68EE8931A32D45EB82DC450EE40EFC3
SHA1:359F6B9001CBAD77104E5ED741F6D8024A1E6FFD
SHA-256:92760FB78D9D6D312889C53B386DD9F87FA6CFE12841575D12972D831DEBB089
SHA-512:5B8B9A97F1166E3BAE350C4CA3D7BCAAA50212E4943F53E39CFCF7D77A1C0A4E048CAFF2A8C9DE6AC5252BD4A23639AECC3DD279FD7BE988E6806057246D19BF
Malicious:false
Preview:....l....0.0.0(090K0W0`0k0|0.0.0.0.0.0.0.0.1.1.1.1 1*13171<1K1R1W1\1a1k1u1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2.2.2.2.2.2 2%2*2024292>2C2I2M2R2W2\2b2f2k2p2u2z2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.3.3*33383=3B3G3L3Q3W3\3a3f3l3~3.3.3.3.3.3.3.3.3.3.3.3.3.3+4U4[4.4D5.5.5.5.5)6.6.6W7.7.8M:Y:_:g:m:s:x:~:.:.:.:.:.:.:.;.;.;B<S<Y<e<q<x<~<.<.<.<.<.<.<.=.=,=R=`=... .......0k0.0*1.2.3.7.7.7.7.7.7.7.7.7.7.7.7.7d:w:.:.:.:.:.:.:.:.:.:.:.;.;1;7;F;Q;m;.;.;.;.;.;.;.;.;.;.;.;.;.;.<2<<<B<H<N<T<g<p<.<.<.<.<.<.<.<.<.<.<.=&=-=3=8=>=D=I=a=q=|=.=.=.=.=.=.=.=V>o>.>.>.>.>.>P?e?z?.?.?.?.?.?...0..p....0.0.0.1$1P1x1.1.1.2.2)2.242:2@2H2M2Z2i2{3h4n4u4|4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.5.5(5:5a5l5.5[6a6g6s6|6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.7.7.7.7.7"7'7,747:7@7F7[7a7j7p7v7|7.7.7.7.7.7n8.8.8.8.8.9.919O9q9.9.9.:z:.:.:.:.;B;c;.;.;.;.;.;.;.;.;.;.;.;.<.<.<.<!<,<7<A<R<[<f<o<|<.<.<.<.<.<.<.<.<.<.<.<.=.=.>.>.>(>2><>F>Q>u>.>.>.>.>.>.>.?6?M?.?.?.?.?.@.......1.1.1.1.1.1.242=2B2[2.2.2.2.2.2.3.3'323I3_3
Process:C:\Program Files\7-Zip\7zG.exe
File Type:data
Category:dropped
Size (bytes):286854
Entropy (8bit):7.999370781391767
Encrypted:true
SSDEEP:6144:nPu8WWB5SeGGUJGVgr7CfWBebkLckgyD2ciGws3gbhLKjii8gPFX:PBF3GTGVgr7bB/LcDe9MsshLKjUgN
MD5:0D5477277A67D4ABBF2765ADBADE3FA4
SHA1:73FD15D2E5904475315621FA19D78957D6D7239F
SHA-256:0C736D82BF2A0DBB4C63AEDBD9D8DAA874476D1D8C354247DA10AA4D1D842CB0
SHA-512:B8BB56F5682DD633C5414C5DAF58BE00DDFB00ACFA6C0C2D14247D4D201EB662821179806B4FB5BE0D17146810B5F0FC8AEFC6616B064B4379C90223BC6D9A02
Malicious:false
Preview:.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Me....,.. .o.UA..1.An....H.`:$@.nY.2........s:V7p=..'P.B..%....n.K...;h..<u.w.Z3.lw...Aw>..y..1..Q3....T4}..5...U.=.....jS..*=.#mIn>3(..$..................|u......|u..kC.R......%x....}...q..U-...(....%....V..?p.hi...r..-..>."......b.&..R.v..Q....o....N...F...}FRh..N.}...).....S..M{.......h.E....3"....A.......w.gF.C.)...]|..mX....../..7L.....o.O.?..Q.?=.[.2........K.......8{.....sN..m.....x..x.5...x...).U'j...`$.1.#.e.\.....+..io....b=....$,..#..PWG..G...c.'..6..`.#..megXg?..-.#.m<}..P@.{."...6.+y.u.5..3.g .Q..'....3cW.2...|....-..<.....ny5.".J................o.H.(/..C&JM.....L.!....wf.......j.u?P..u..jz.N......l .....t.~...R.....vi..>.4s...,d..2.....+&.YI.h.x/.x+:.%.B.~EY..~Q.B.H..7.[....m?..Z.I....K4.`CoH..MK.I...u.....qPy.....oZ...?..._...;......nP.....l..kh.=......a.@8'.l...)?...U...q..z0..x..Xd.....Q5q.B.n.]....../.!6.My!.._.'.sV..R}nz...-...u.T.c. ........
Process:C:\Program Files\7-Zip\7zG.exe
File Type:data
Category:dropped
Size (bytes):20
Entropy (8bit):2.023219672335508
Encrypted:false
SSDEEP:3:8zNOl:8zQl
MD5:7A9605CB416B1A091D889B9D9F37EC66
SHA1:866C01641D672B6CD69901C1E055F174F47B35BB
SHA-256:6BCCE1250099CC08D574211B3DEBABB0244CD2641F6D960538E7DDC97D319164
SHA-512:FD63730E09AA5D68BDC2022422F6D11DEF036C6A86BAF2ADF8077FD4EC8B8CF5340038D2F1F0EFA775158AA23602A001E7F805320ECE3A1CBF80F4B809BBC4D8
Malicious:false
Preview:..............(.....
Process:C:\Program Files\7-Zip\7zG.exe
File Type:data
Category:dropped
Size (bytes):20
Entropy (8bit):1.842737648613667
Encrypted:false
SSDEEP:3:8zNNl:8zp
MD5:F64C60B749269FCF6659C450DDA98486
SHA1:42945C3496BC4E1943A1A05926A9B5EE31D3E450
SHA-256:AE172A9A2FD008910B537C92A95B38BFBA0E5BBDAACA719BF686E6415A7A2BA1
SHA-512:DE4A518F0788A98E5F99F9599481272C78D7302C87C555A13AA8710B69E1C38BC44DA20081BB2056B27430AB3BF9B2434F0751A0DD621EFDDDAEDD604EBDE6D9
Malicious:false
Preview:..............(.....
Process:C:\Program Files\7-Zip\7zG.exe
File Type:data
Category:dropped
Size (bytes):20
Entropy (8bit):2.023219672335508
Encrypted:false
SSDEEP:3:8zNPl:8zD
MD5:60F05E3B8EA9E18928923BDBCC112277
SHA1:D97726A6E9C326A37507F879FECA7E152157839C
SHA-256:7698EF362B288A7E3B96304CA50814B42518CBA38598DB9DBB36D8B90212D76A
SHA-512:7A45071AB1D52CF5F01E029A1D3711B70B8B8D81011AB0E5AC0D754D003E16670BC44CA043EFA4F3700C0AD1408FC44514BFA3FD50903280D39CA00C2BF34A46
Malicious:false
Preview:..............(.....
Process:C:\Program Files\7-Zip\7zG.exe
File Type:data
Category:dropped
Size (bytes):104
Entropy (8bit):3.037061926087002
Encrypted:false
SSDEEP:3:yfmlf/guoj/tkfVlGNlk7lv4stlOlsv:yulfou+/WG3kHtEsv
MD5:2A6F65EFF70516EB284F7A9B538D98C9
SHA1:EB43276E3C9CF44265CF115E6F52AFF59DA95DBE
SHA-256:85E3514D47F5110077AD89DB5B7D4A83D3363BD2B336C2DB152A1F30B4F311CD
SHA-512:1A3D4C915FA7549DC2F04388C2C8AED992731E7BE38FCC42DC5E3F0826B3B63903599BFD323F439BFE9BEF2B39DB30651F18101D7CAA3EA28A1DAAB45F6DCCDF
Malicious:false
Preview:............ .h..... .... .......00.... ..%....@@.... .(B....HH.... ..T....``.... ............. .(.....
Process:C:\Program Files\7-Zip\7zG.exe
File Type:MS Windows icon resource - 1 icon, 16x16, 16 colors
Category:dropped
Size (bytes):318
Entropy (8bit):3.6291489605393212
Encrypted:false
SSDEEP:6:kyF69TKAT1UUMl0G5Y36//PllaK+J9PrdBT9h/hx5n:kW69eATCUJa/xw9DdBhJb5n
MD5:EE0C3349DF52B24610983C3F0ABDE2DE
SHA1:72C4920FB2BA1A6D69DB26A65E69EFF88A8147C0
SHA-256:83BE36D195C9EE3ED9CD68A3662E65E59A06DB4F12BA607CA29035B95AFCE425
SHA-512:1DFC1DF452B4D7E84B21B4C57C63158D751E680B86549C6AA3E3C96070EC78812D14CD3050DFA27742E53689A740C3265D9D0B3B3935F110AEA3D755CC1905E4
Malicious:false
Preview:..............(.......(....... ...................................z`..y_..M,..6...).......,...:...nnn.jb..ZF..F).._@..9...eee..................\.......V....[..%........\..k............Wz......e.......kM........:....[.........P..\.......0..........................................?...?.............................
Process:C:\Program Files\7-Zip\7zG.exe
File Type:MS Windows icon resource - 1 icon, -128x-128
Category:dropped
Size (bytes):67646
Entropy (8bit):3.275186331620235
Encrypted:false
SSDEEP:768:MolzUHgu21acmwtKvDJzRYIXS/ya9B0agw6:Mox2T21acmwtKVR3S/RBjg5
MD5:864B520E436CB7EB774B6E7B465905FC
SHA1:3E3A89E5F192A034013D38ECAC7E40F6950B7EFC
SHA-256:D3DDE77EF4FDFB85DA26A65A6EF402BC3E91F0C66BDC46E3DB423FF2B68DF110
SHA-512:AA37C75B828DA9C8B18DF28F24B387F8217F1E12475ACD68746FE066F816ED4D72C2480669B07075D1D3C4264F807D375A4467F45AD7597B23D9B68776A46387
Malicious:false
Preview:..............(.......(............. ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files\7-Zip\7zG.exe
File Type:MS Windows icon resource - 1 icon, 16x16, 16 colors
Category:dropped
Size (bytes):318
Entropy (8bit):2.116719447377168
Encrypted:false
SSDEEP:3:PFErXllvlNl/AXll/l1ltllkoKJqFWgW9TOlmDlPHplBF1atXn/5555555555559:kyF69TKAT1UP555555555555555n
MD5:F696D1AE85B4E39757464317EB9221C4
SHA1:D2E6FD7F7998CEDE11D93822E92B68E3284633C6
SHA-256:6463AC8E13612BA8F11B248170062141A875F35068C3D47E13618EEBCB3E1880
SHA-512:6A8B55FD145798957FF22B04593892CE18D4F71909717C4737AA42435BCA1AE711C0189337A262224C4346894B8DDF7D4A76077BE622A2AC5BE048E706E06547
Malicious:false
Process:C:\Program Files\7-Zip\7zG.exe
File Type:MS Windows icon resource - 1 icon, 16x16, 16 colors
Category:dropped
Size (bytes):318
Entropy (8bit):2.3073880035185548
Encrypted:false
SSDEEP:3:PFErXllvlNl/AXll1GoKJqFWgW9TOlmDlPHplBF1atXn/55ojEaWMMjqDn:kyF69TKAT1UP55En
MD5:A10137B4C027DE2C5C2B3D7D7781F30D
SHA1:A47CCBCA0F61001DDF322174222EEF4CC167E133
SHA-256:4F83B51B9A1F155EBC3C2610DDF1BA20FEDAB13C24725127A026C6D18EF12796
SHA-512:C80791D8E41623925E6B0A15670D1C959E18423319FF3682C616ABD23071CBF7D95D2CF3BBFFDE49783C2CDD01ACD0FAA7D52C1B3723AC7E77C17DC4C17CF165
Malicious:false
Process:C:\Program Files\7-Zip\7zG.exe
File Type:MS Windows icon resource - 1 icon, 16x16
Category:dropped
Size (bytes):1150
Entropy (8bit):5.439329278950028
Encrypted:false
SSDEEP:24:7AKe7fCc/zZ2UZTatg3zxeLfV55Q+fixYckJC8TPfL:7faCc/EOTV3VeZ557fkY9CgHL
MD5:A927B180DDD05D982428988CD59321C5
SHA1:84A052AAC78B9A3F1A7A17454E0EFE4C1AC1B03C
SHA-256:D578B888492D63A78E2DFCFBE4B63CE2E786097046ECC1FF70276955FB1818FB
SHA-512:6BF8E5D3966EB698BF3BD3C83F292687D843D35DBA12FDAA6B5276E7ABB10012D2FEE5AC443F3BB7CD1BE1B85FD01294515E900268F0FF0E414A1C8B00CE6DDD
Malicious:false
Process:C:\Program Files\7-Zip\7zG.exe
File Type:MS Windows icon resource - 1 icon, 32x32
Category:dropped
Size (bytes):4286
Entropy (8bit):4.773122236212395
Encrypted:false
SSDEEP:48:C6enlcG+YIB1vpg5PvsIHdpM8g51SOAkwC81k:WnitYA125PvsIH7qcCwL1k
MD5:5AB412D89B469B76C5EFDE2D66D10482
SHA1:AF167BFFBD81A3DBD069610D9E1DB7B2AEC51EEB
SHA-256:80A1C42C1F01417356973F220CA52E21D937870F696C1250BA3C8182897CB707
SHA-512:EFDBE7F7F9530E87E8EB7188986D270555D6AFC9511864C0559F0831C9073333229FEBC5A442208B5E970F8901A7D0615864256FB0CBCF4193C1D45F6521FE09
Malicious:false
Process:C:\Program Files\7-Zip\7zG.exe
File Type:MS Windows icon resource - 1 icon, 48x48
Category:dropped
Size (bytes):9662
Entropy (8bit):4.287808671637714
Encrypted:false
SSDEEP:96:9DIAtQdBGeOYvNHoQk8bLtk5I82z5zV8atwOZP4uTLxd9HD9oQuREjjjjxlxlxls:91KloQRbLi5ItrFZzL5rPu
MD5:4B748B01741331C75B0F9FF14BBED45A
SHA1:F9B6B52BBE9CF852B25CE10EF682BA2084158FAE
SHA-256:A07E9321B67EDC4F004691E2A210961D72C036932497BE21AC62A09CB312AFD1
SHA-512:2C2E895BE38A7432C3000E3881FAC7696DC24FC6CB86468F6014930CDC560ADA065C53E33C9BFAE78D4E8821F7DA3D1D4214FC9C401377A400326E4120826C13
Malicious:false
Process:C:\Program Files\7-Zip\7zG.exe
File Type:MS Windows icon resource - 1 icon, 64x64
Category:dropped
Size (bytes):16958
Entropy (8bit):4.154912489178019
Encrypted:false
SSDEEP:192:ctu558wd26GTrgdkatQ9DVz0WSQ0J/NgoN0V5:6qwTbS+Z0+0xanf
MD5:B30F417BD7944C94CBA2A422387594F2
SHA1:25258535926AA4E025A85BFB84BFF66EEE0478D1
SHA-256:9B7DDBD4BCCFAE58EC1C38D2F334E564FAA1141D326E327EF4AF8DC1B54D33FC
SHA-512:48E2687ACC003E72EE4437C5E6F3C9D08972C92742DDCABB441858C2CCFF914EE974C56354BC740C0CA64A5E981F8FAA45C66F6E9D85B29FB31D649208D1C82E
Malicious:false
Process:C:\Program Files\7-Zip\7zG.exe
File Type:MS Windows icon resource - 1 icon, 72x72
Category:dropped
Size (bytes):21662
Entropy (8bit):4.04359891955288
Encrypted:false
SSDEEP:192:5/pxV5KME4OEKHrCJimofWefQYuX2nGPR:1OLCJyfWeJudPR
MD5:000D441D9532FF9EBB870A1B00763A22
SHA1:DD8F59817A477C2D4FDD53FFD963CB0DEA7C189E
SHA-256:697064BFECBD0F5C85E2E87763D30CE785B7A9B4C2391A33DB0F44FBBDB292AB
SHA-512:4363E6D629541BD65CAFFE9100A37FA5BED224AA636CB2C719E6EEB4267747D473A571F4C77364A436E80CFEC460229732B3D2E7EF47EE9091FC3FC0117CCACB
Malicious:false
Process:C:\Program Files\7-Zip\7zG.exe
File Type:MS Windows icon resource - 1 icon, 96x96
Category:dropped
Size (bytes):38078
Entropy (8bit):3.8899713181408666
Encrypted:false
SSDEEP:384:TSBbwqgL5b3DqOaAUAUtrcKVWZDRsajqTZ3pazG:GGqgL5SuUAMmRvql
MD5:D30EF2B0D42F9CA0DB827D81DEDF851C
SHA1:19F596B20349F527CF97F4E251F0AAA55D3C6878
SHA-256:606B069A103752FAC75BB685B3D2D554EFC87B9BC8C021A678EA6254E52CD23C
SHA-512:3B57A371D2D184A4C787009813CFA883F12B3F58BB443FF224A9BC671B09E30A61F6F1EE6EC7868B971542620BDB641EACB22D6D6C31DA81FE96D8D9A15EA491
Malicious:false
Process:C:\Program Files\7-Zip\7zG.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1018
Entropy (8bit):5.392643085279409
Encrypted:false
SSDEEP:12:OYp53SNK+bJTgVNsJv34mNkM6N5wi9F5aRvqcGkVtvC3kGmyi5ysykq+/G:OgiNK+bRgMtPkM0qi7Yqcs3rQqp
MD5:79FF2B6CFBAED20D0761E88F8B47DC80
SHA1:7EF2897A5A54BE6EB3E82C3A936D070DC001E537
SHA-256:2FB51DAC382441E19215B5016EDDD256A4FDF99D325FE691D77A6E450988ECBE
SHA-512:40514B585D925F3F4756FCCD845AFE18EFFC492B788FE1B5D2AFBEDE2B08E4BD2938D51F69ED1A54422EB4EBCA6C0025E42ABC3FA7748412281CE89CFB29316C
Malicious:false
Preview:<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. .<dependency>.. ..<dependentAssembly>.. ...<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"/>.. ..</dependentAssembly>.. .</dependency>.. .<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">.. ..<security>.. ...<requestedPrivileges>.. ....<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>.. ...</requestedPrivileges>.. ..</security>.. .</trustInfo>...<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">.. ..<application>.. ...<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>.....<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>.....<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>.....<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>.....<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>....</application>.. .</compatibili
Process:C:\Program Files\7-Zip\7zG.exe
File Type:data
Category:dropped
Size (bytes):80
Entropy (8bit):2.6829183153667957
Encrypted:false
SSDEEP:3:3lDMKll/BlyXCZjlikt/lHlydlMDln:hn//BUokMinM5n
MD5:8140596AB00B98A11C13E6977D2D0977
SHA1:58ABC231C2B5AC778A543A5DFFCFABE867A6758D
SHA-256:54F5E2ECBFC4F87380CA7466337676B99D0C4A21F806CF83F69FD48934C857AB
SHA-512:BA6525EEE05AF1251D92C55D302CD8EFA36873128857CA7244E8766F267249878AE0A9D6AC42EC74099606F3708E7EDA171EADB037880B2518CE0F934D5E174F
Malicious:false
Preview:......C.o.n.t.e.x.t.1.......S.c.r.i.p.t. .&.P.a.u.s.e.d.............E.&.x.i.t...
Process:C:\Program Files\7-Zip\7zG.exe
File Type:data
Category:dropped
Size (bytes):9762
Entropy (8bit):3.4525502961259815
Encrypted:false
SSDEEP:96:Wgw62QAySMqEBRczjfIjxymVqQNxv5Rzs3MpjVqfSTx/ii4b+rSq9aTba4hzRCmQ:klQ/cItPNZ+EVj+NqibuMNMsrwNRcG6i
MD5:8236FF6A515961C2C991691D3AC533F0
SHA1:5F1122DD81C3EAD5419A0918BA0E1E3D82088183
SHA-256:A8ACD82F5CDF8E989D22958EAB32963CCB2CBDC4427ABB2A81AD6D2F2F1A4454
SHA-512:F1FD6565129AFF6FB10586A2DE87F7B6ED82F56D5D2CE57BFB409788786796F701B2DA0C295D004E92C76926DB8EEB51EBE68131584F949044FF0368AC181334
Malicious:false
Preview:1.0.1...(.P.a.u.s.e.d.). .....1.0.2...A.u.t.o.I.t. .E.r.r.o.r.....1.0.3...A.u.t.o.I.t. .h.a.s. .d.e.t.e.c.t.e.d. .t.h.e. .s.t.a.c.k. .h.a.s. .b.e.c.o.m.e. .c.o.r.r.u.p.t...\.n.\.n.S.t.a.c.k. .c.o.r.r.u.p.t.i.o.n. .t.y.p.i.c.a.l.l.y. .o.c.c.u.r.s. .w.h.e.n. .e.i.t.h.e.r. .t.h.e. .w.r.o.n.g. .c.a.l.l.i.n.g. .c.o.n.v.e.n.t.i.o.n. .i.s. .u.s.e.d. .o.r. .w.h.e.n. .t.h.e. .f.u.n.c.t.i.o.n. .i.s. .c.a.l.l.e.d. .w.i.t.h. .t.h.e. .w.r.o.n.g. .n.u.m.b.e.r. .o.f. .a.r.g.u.m.e.n.t.s...\.n.\.n.A.u.t.o.I.t. .s.u.p.p.o.r.t.s. .t.h.e. ._._.s.t.d.c.a.l.l. .(.W.I.N.A.P.I.). .a.n.d. ._._.c.d.e.c.l. .c.a.l.l.i.n.g. .c.o.n.v.e.n.t.i.o.n.s... . .T.h.e. ._._.s.t.d.c.a.l.l. .(.W.I.N.A.P.I.). .c.o.n.v.e.n.t.i.o.n. .i.s. .u.s.e.d. .b.y. .d.e.f.a.u.l.t. .b.u.t. ._._.c.d.e.c.l. .c.a.n. .b.e. .u.s.e.d. .i.n.s.t.e.a.d... . .S.e.e. .t.h.e. .D.l.l.C.a.l.l.(.). .d.o.c.u.m.e.n.t.a.t.i.o.n. .f.o.r. .d.e.t.a.i.l.s. .o.n. .c.h.a.n.g.i.n.g. .t.h.e. .c.a.l.l.i.n.g. .c.o.n.v.e.n.t.i.o.n.......1.0.4...".E.n.d.W.i.t.h.". .m.i.
Process:C:\Program Files\7-Zip\7zG.exe
File Type:data
Category:dropped
Size (bytes):652
Entropy (8bit):3.3804167688477387
Encrypted:false
SSDEEP:12:ft5JXt5yoIqIjUUbOlJvAwXfCqYAV8fpMfqAVky9Y:ftHtIVqcbKJvFXfC3I8fpMfqIkGY
MD5:7EC588F60DFB170F0B1D1BF6CD8FCC32
SHA1:65BE534425D86F4847C6AD6A7A66859F5AFD019D
SHA-256:F2B2715C6C23A016B6A86C51477F05E8372AAC15DFF4362317D68F7306F1F86C
SHA-512:F184540FF1E20830723BAAA50D1E91CE2C6E00E0C58356305DEFA9D6B02E337020EF2462D680B899A773954CEF1F0300AAD4CFB295F6A2709687CCB67003C973
Malicious:false
Preview:F.I.L.E.V.E.R.S.I.O.N. . . . .0.,.0.,.0.,.0.....P.R.O.D.U.C.T.V.E.R.S.I.O.N. .0.,.0.,.0.,.0.....F.I.L.E.F.L.A.G.S.M.A.S.K. . .0.x.0.....F.I.L.E.F.L.A.G.S. . . . . . .0.x.0.....F.I.L.E.O.S. . . . . . . . . .V.O.S._.U.N.K.N.O.W.N. .|. .V.O.S._._.W.I.N.D.O.W.S.3.2.....F.I.L.E.T.Y.P.E. . . . . . . .V.F.T._.A.P.P.....F.I.L.E.S.U.B.T.Y.P.E. . . . .0.x.0.....{..... . .B.L.O.C.K. .".S.t.r.i.n.g.F.i.l.e.I.n.f.o."..... . .{..... . . . .B.L.O.C.K. .".0.8.0.9.0.4.B.0."..... . . . .{..... . . . .}..... . .}..... . .B.L.O.C.K. .".V.a.r.F.i.l.e.I.n.f.o."..... . .{..... . . . .V.A.L.U.E. .".T.r.a.n.s.l.a.t.i.o.n.".,. .0.x.8.0.9.,. .1.2.0.0..... . .}.....}.....
Process:C:\Program Files\7-Zip\7zG.exe
File Type:ASCII text, with very long lines (446), with no line terminators
Category:dropped
Size (bytes):446
Entropy (8bit):2.7509764668565446
Encrypted:false
SSDEEP:6:6J+QKQKQKQKQKQKQKQKQKQKQKQKQKQKQKQKQKQKQKQKQKQKQKQKQKQKQx:6JNhhhhhhhhhhhhhhhhhhhhhhhhhhx
MD5:9D452D49927EEA18FC409D622F7B6E3B
SHA1:216EA284ACA4753AC5D9625BF2D4187B38E9FE85
SHA-256:BAC4D2F73E517F7C7FB2983AE836E2C71CBC5E35E514DFDBDFB2EA88D9B34E8C
SHA-512:F7ABB83125C155BDF90053156F13519E44AF0F7B9EF3226476678082BAC9FE6DC7554B6B7AC3EF45D2CE4519641E342383E9D9FAB7A6F94699435E67642385D1
Malicious:false
Preview:PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
Process:C:\Program Files\7-Zip\7zG.exe
File Type:data
Category:dropped
Size (bytes):633856
Entropy (8bit):6.668273581389306
Encrypted:false
SSDEEP:12288:rqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrp:rqDEvCTbMWu7rQYlBQcBiT6rp
MD5:0A1473F3064DCBC32EF93C5C8A90F3A6
SHA1:25C1457C129EE77C0AAF98BEB58F3526677687D4
SHA-256:1DF328D893FD19C2119C9A872FBC33E83B929B7119BEE88D15BD9FAE9D4246DD
SHA-512:EB4D2234A4533F2EDB9C35770264923640423430588B355E4D503F627DF49340FCC4092CA15BDD02DFEA9E0FDB517E9F964D5045F356EF27342A7E95EB69F013
Malicious:false
File type:Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy (8bit):7.999735257005204
TrID:
  • ZIP compressed archive (8000/1) 100.00%
File name:MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad.zip
File size:787'161 bytes
MD5:f94bb50582afd5d946ce7f7158388e1b
SHA1:486c8dfcb022f3e9ae33d99c27fcd7f9ecb49827
SHA256:8be13669d782879a93a8eae64fee5367fcf011429cdaaeac196a6a3f1ace5191
SHA512:6d2238b74d48855235a95c8b53d2751e3495e0bd7b26370ba507b3bb3a4b633b7ccd0bd8daa5fdf8cde9d049995c1a9542c5490e810755efcb35a6a7b02ec7d1
SSDEEP:12288:0AEFv+aNM4BFBLeq91y1OK84ZR6JLHwA21wnnev25chmEO/bTgFOyVFnTWARnvio:031M4TB6QxK3ZR+2vv25c5kbCtTWI1wA
TLSH:1DF423CF5DB696EED5C0BE90A8A49B804A2F947117C2C493DC74CE2A4F86C60CB35D79
File Content Preview:PK........8CXY...,.....l..(.$.b70d20ce558c0162a271d1ecf0e80035ee00f9ad.. ...........-T.%....-T.%....-T.%.......l.Jw.J"..%....J..].....'nH*.0.0.....R ..F?..v.....RVoE..d.d.}.s\..R.F..L...h.<.~p..F[.-.....C.....h5..ZP...z.._>..p.}..g.`...1b.S..]t....M.&....
Icon Hash:1c1c1e4e4ececedc
No network behavior found

Target ID:0
Start time:04:31:22
Start date:24/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Imagebase:0x7ff62da70000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:04:31:33
Start date:24/10/2024
Path:C:\Program Files\7-Zip\7zG.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad\" -spe -an -ai#7zMap23948:168:7zEvent30997
Imagebase:0xf80000
File size:700'416 bytes
MD5 hash:50F289DF0C19484E970849AAC4E6F977
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:11
Start time:04:31:45
Start date:24/10/2024
Path:C:\Program Files\7-Zip\7zG.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad\" -an -ai#7zMap29602:242:7zEvent12266
Imagebase:0xf80000
File size:700'416 bytes
MD5 hash:50F289DF0C19484E970849AAC4E6F977
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:13
Start time:04:32:00
Start date:24/10/2024
Path:C:\Windows\System32\notepad.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad\.rsrc\2057\string.txt
Imagebase:0x7ff7cda80000
File size:201'216 bytes
MD5 hash:27F71B12CB585541885A31BE22F61C83
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:14
Start time:04:32:05
Start date:24/10/2024
Path:C:\Windows\System32\notepad.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad\.rsrc\2057\version.txt
Imagebase:0x7ff7cda80000
File size:201'216 bytes
MD5 hash:27F71B12CB585541885A31BE22F61C83
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:15
Start time:04:32:12
Start date:24/10/2024
Path:C:\Windows\System32\OpenWith.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\OpenWith.exe -Embedding
Imagebase:0x7ff714240000
File size:123'984 bytes
MD5 hash:E4A834784FA08C17D47A1E72429C5109
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:16
Start time:04:32:14
Start date:24/10/2024
Path:C:\Windows\System32\notepad.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad\.rsrc\0\RCDATA\SCRIPT
Imagebase:0x7ff7cda80000
File size:201'216 bytes
MD5 hash:27F71B12CB585541885A31BE22F61C83
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:20
Start time:04:32:38
Start date:24/10/2024
Path:C:\Program Files\7-Zip\7zG.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\MDE_File_Sample_b70d20ce558c0162a271d1ecf0e80035ee00f9ad\" -ad -an -ai#7zMap4539:168:7zEvent11394
Imagebase:0xf80000
File size:700'416 bytes
MD5 hash:50F289DF0C19484E970849AAC4E6F977
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:22
Start time:04:32:53
Start date:24/10/2024
Path:C:\Program Files\7-Zip\7zG.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\test\b70d20ce558c0162a271d1ecf0e80035ee00f9ad~\" -ad -an -ai#7zMap22436:138:7zEvent16567
Imagebase:0xf80000
File size:700'416 bytes
MD5 hash:50F289DF0C19484E970849AAC4E6F977
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:24
Start time:04:33:04
Start date:24/10/2024
Path:C:\Windows\System32\OpenWith.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\OpenWith.exe -Embedding
Imagebase:0x7ff6912d0000
File size:123'984 bytes
MD5 hash:E4A834784FA08C17D47A1E72429C5109
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:26
Start time:04:33:08
Start date:24/10/2024
Path:C:\Windows\System32\notepad.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\test\test2\b70d20ce558c0162a271d1ecf0e80035ee00f9ad~\.data
Imagebase:0x7ff7cda80000
File size:201'216 bytes
MD5 hash:27F71B12CB585541885A31BE22F61C83
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

No disassembly