Windows Analysis Report
MDE_File_Sample_e19dc7b20219d61c5587dc754f676b67f7b77956.zip

Overview

General Information

Sample name: MDE_File_Sample_e19dc7b20219d61c5587dc754f676b67f7b77956.zip
Analysis ID: 1541097
MD5: ea07069d2ef7ccd6c859890fac77d4b1
SHA1: 2786bda72a880148d4bb3b026b1cc4d9f6d4fb9a
SHA256: dc38ea5bab9b147b2f11bb1d8ae0336d894694caa186a09efbbe7f3adcc117aa
Infos:

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Machine Learning detection for dropped file
Creates a process in suspended mode (likely to inject code)
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device

Classification

AV Detection
barindex
Antivirus detection for dropped file
Source: C:\Users\user\Desktop\e19dc7b20219d61c5587dc754f676b67f7b77956 Avira: detection malicious, Label: TR/Redcap.dwqmd
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Desktop\e19dc7b20219d61c5587dc754f676b67f7b77956 ReversingLabs: Detection: 68%
Machine Learning detection for dropped file
Source: C:\Users\user\Desktop\e19dc7b20219d61c5587dc754f676b67f7b77956 Joe Sandbox ML: detected
Source: 7zFM.exe, 0000000A.00000002.1509158031.000001E2A7765000.00000004.00000020.00020000.00000000.sdmp, 7zFM.exe, 0000000A.00000002.1509158031.000001E2A76F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: HTTPS://MEDICATUSB.XYZ
Source: 7zFM.exe, 0000000A.00000003.1490136825.000001E2A77FC000.00000004.00000020.00020000.00000000.sdmp, 7zFM.exe, 0000000A.00000002.1509158031.000001E2A76F0000.00000004.00000020.00020000.00000000.sdmp, 7zFM.exe, 0000000A.00000002.1509158031.000001E2A7744000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000C.00000003.1665550233.000001E873DE0000.00000004.00000800.00020000.00000000.sdmp, wordpad.exe, 00000011.00000003.2364207039.0000018465A46000.00000004.00000020.00020000.00000000.sdmp, wordpad.exe, 00000011.00000003.2343568833.0000018464035000.00000004.00000020.00020000.00000000.sdmp, wordpad.exe, 00000011.00000003.2383956115.0000018466550000.00000004.00000020.00020000.00000000.sdmp, e19dc7b20219d61c5587dc754f676b67f7b77956.12.dr String found in binary or memory: HTTPS://MEDICATUSB.XYZV2
Source: 7zFM.exe, 0000000A.00000002.1509158031.000001E2A7765000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: HTTPS://MON5TERMATT.CLUB
Source: 7zFM.exe, 0000000A.00000003.1490136825.000001E2A77FC000.00000004.00000020.00020000.00000000.sdmp, 7zFM.exe, 0000000A.00000002.1509158031.000001E2A76F0000.00000004.00000020.00020000.00000000.sdmp, 7zFM.exe, 0000000A.00000002.1509158031.000001E2A7744000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000C.00000003.1665550233.000001E873DE0000.00000004.00000800.00020000.00000000.sdmp, wordpad.exe, 00000011.00000003.2364207039.0000018465A46000.00000004.00000020.00020000.00000000.sdmp, wordpad.exe, 00000011.00000003.2343568833.0000018464035000.00000004.00000020.00020000.00000000.sdmp, wordpad.exe, 00000011.00000003.2383956115.0000018466550000.00000004.00000020.00020000.00000000.sdmp, e19dc7b20219d61c5587dc754f676b67f7b77956.12.dr String found in binary or memory: HTTPS://MON5TERMATT.CLUBF&
Source: wordpad.exe, 00000011.00000003.2339365665.0000018461618000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.mic
Source: wordpad.exe, 00000011.00000003.2349516116.0000018463A46000.00000004.00000020.00020000.00000000.sdmp, wordpad.exe, 00000011.00000003.2345095253.0000018463A46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.micr;=.
Source: wordpad.exe, 00000011.00000003.2388435172.0000018463317000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: wordpad.exe, 00000011.00000003.2330456781.0000018463A42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.microsoft.
Source: wordpad.exe, 00000011.00000003.2332905374.0000018463A42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.microsoft.c
Source: classification engine Classification label: mal60.winZIP@8/1@0/0
Source: C:\Program Files\7-Zip\7zG.exe File created: C:\Users\user\Desktop\e19dc7b20219d61c5587dc754f676b67f7b77956 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6816:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Program Files\7-Zip\7zFM.exe "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e19dc7b20219d61c5587dc754f676b67f7b77956.zip\e19dc7b20219d61c5587dc754f676b67f7b77956"
Source: unknown Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\" -an -ai#7zMap3752:168:7zEvent1655
Source: unknown Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Program Files\Windows NT\Accessories\wordpad.exe "C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Users\user\Desktop\e19dc7b20219d61c5587dc754f676b67f7b77956"
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Program Files\7-Zip\7zFM.exe "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e19dc7b20219d61c5587dc754f676b67f7b77956.zip\e19dc7b20219d61c5587dc754f676b67f7b77956" Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Program Files\Windows NT\Accessories\wordpad.exe "C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Users\user\Desktop\e19dc7b20219d61c5587dc754f676b67f7b77956" Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: twinui.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: actxprxy.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.appdefaults.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.immersive.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: uiautomationcore.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: duser.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: bcp47mrm.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: uianimation.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: windowmanagementapi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: inputhost.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: thumbcache.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: directmanipulation.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: ninput.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.fileexplorer.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: structuredquery.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.storage.search.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: twinapi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: ehstorshell.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: cscui.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: networkexplorer.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: mrmcorer.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zFM.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: twinui.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: actxprxy.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.appdefaults.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.immersive.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: uiautomationcore.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: duser.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: bcp47mrm.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: uianimation.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.ui.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: windowmanagementapi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: inputhost.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: thumbcache.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: directmanipulation.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: ninput.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: mfc42u.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: ninput.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: msxml3.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: msftedit.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: uiribbon.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: windows.globalization.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: bcp47mrm.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: globinputhost.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: netprofm.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: npmproxy.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: prntvpt.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: msxml6.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: fms.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: print.printsupport.source.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: jscript.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: windows.ui.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: windowmanagementapi.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: inputhost.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: xpspushlayer.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: xpsservices.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: fontsub.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: compstui.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: compstui.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe File opened: C:\Windows\SYSTEM32\MSFTEDIT.DLL Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\OpenWith.exe Window detected: Number of UI elements: 13
PE file contains an invalid checksum
Source: e19dc7b20219d61c5587dc754f676b67f7b77956.12.dr Static PE information: real checksum: 0x20cf2 should be: 0x423d6
Drops PE files
Source: C:\Program Files\7-Zip\7zG.exe File created: C:\Users\user\Desktop\e19dc7b20219d61c5587dc754f676b67f7b77956 Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\7-Zip\7zG.exe File created: C:\Users\user\Desktop\e19dc7b20219d61c5587dc754f676b67f7b77956 Jump to dropped file
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Program Files\7-Zip\7zG.exe Dropped PE file which has not been started: C:\Users\user\Desktop\e19dc7b20219d61c5587dc754f676b67f7b77956 Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\OpenWith.exe TID: 2792 Thread sleep count: 174 > 30 Jump to behavior
Source: OpenWith.exe, 00000009.00000002.1499337968.0000025442211000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Prod_VMware_SATA_CD00#4&
Source: OpenWith.exe, 00000009.00000002.1500262071.00000254422B7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}E=Cons66&S
Source: OpenWith.exe, 00000009.00000003.1484500530.000002544220C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Prod_VMware_SATA_CD00#4&
Source: wordpad.exe, 00000011.00000003.2399562499.0000018463332000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_&3c
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Program Files\7-Zip\7zFM.exe "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e19dc7b20219d61c5587dc754f676b67f7b77956.zip\e19dc7b20219d61c5587dc754f676b67f7b77956" Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Program Files\Windows NT\Accessories\wordpad.exe "C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Users\user\Desktop\e19dc7b20219d61c5587dc754f676b67f7b77956" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1541097 Sample: MDE_File_Sample_e19dc7b2021... Startdate: 24/10/2024 Architecture: WINDOWS Score: 60 21 Antivirus detection for dropped file 2->21 23 Multi AV Scanner detection for dropped file 2->23 25 Machine Learning detection for dropped file 2->25 6 7zG.exe 1 2->6         started        9 OpenWith.exe 57 16 2->9         started        11 OpenWith.exe 3 6 2->11         started        13 rundll32.exe 2->13         started        process3 file4 19 e19dc7b20219d61c5587dc754f676b67f7b77956, PE32 6->19 dropped 15 7zFM.exe 2 9->15         started        17 wordpad.exe 12 1 11->17         started        process5
No contacted IP infos