Windows Analysis Report
MDE_File_Sample_e19dc7b20219d61c5587dc754f676b67f7b77956.zip

Overview

General Information

Sample name: MDE_File_Sample_e19dc7b20219d61c5587dc754f676b67f7b77956.zip
Analysis ID: 1541097
MD5: ea07069d2ef7ccd6c859890fac77d4b1
SHA1: 2786bda72a880148d4bb3b026b1cc4d9f6d4fb9a
SHA256: dc38ea5bab9b147b2f11bb1d8ae0336d894694caa186a09efbbe7f3adcc117aa

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Machine Learning detection for dropped file
Creates a process in suspended mode (likely to inject code)
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device

Process Tree

  • System is w10x64_ra
  • rundll32.exe (PID: 6536 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • OpenWith.exe (PID: 6816 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
    • 7zFM.exe (PID: 3952 cmdline: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e19dc7b20219d61c5587dc754f676b67f7b77956.zip\e19dc7b20219d61c5587dc754f676b67f7b77956" MD5: 30AC0B832D75598FB3EC37B6F2A8C86A)
  • 7zG.exe (PID: 456 cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\" -an -ai#7zMap3752:168:7zEvent1655 MD5: 50F289DF0C19484E970849AAC4E6F977)
  • OpenWith.exe (PID: 7132 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
    • wordpad.exe (PID: 2912 cmdline: "C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Users\user\Desktop\e19dc7b20219d61c5587dc754f676b67f7b77956" MD5: 91F992550EAF33609B8C27C680402EBA)
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: C:\Users\user\Desktop\e19dc7b20219d61c5587dc754f676b67f7b77956 | Avira: detection malicious, Label: TR/Redcap.dwqmd
Source: C:\Users\user\Desktop\e19dc7b20219d61c5587dc754f676b67f7b77956 | ReversingLabs: Detection: 68%
Source: C:\Users\user\Desktop\e19dc7b20219d61c5587dc754f676b67f7b77956 | Joe Sandbox ML: detected

Other Signature Results

Source: 7zFM.exe, 0000000A.00000002.1509158031.000001E2A7765000.00000004.00000020.00020000.00000000.sdmp, 7zFM.exe, 0000000A.00000002.1509158031.000001E2A76F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: HTTPS://MEDICATUSB.XYZ
Source: 7zFM.exe, 0000000A.00000003.1490136825.000001E2A77FC000.00000004.00000020.00020000.00000000.sdmp, 7zFM.exe, 0000000A.00000002.1509158031.000001E2A76F0000.00000004.00000020.00020000.00000000.sdmp, 7zFM.exe, 0000000A.00000002.1509158031.000001E2A7744000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000C.00000003.1665550233.000001E873DE0000.00000004.00000800.00020000.00000000.sdmp, wordpad.exe, 00000011.00000003.2364207039.0000018465A46000.00000004.00000020.00020000.00000000.sdmp, wordpad.exe, 00000011.00000003.2343568833.0000018464035000.00000004.00000020.00020000.00000000.sdmp, wordpad.exe, 00000011.00000003.2383956115.0000018466550000.00000004.00000020.00020000.00000000.sdmp, e19dc7b20219d61c5587dc754f676b67f7b77956.12.dr | String found in binary or memory: HTTPS://MEDICATUSB.XYZV2
Source: 7zFM.exe, 0000000A.00000002.1509158031.000001E2A7765000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: HTTPS://MON5TERMATT.CLUB
Source: 7zFM.exe, 0000000A.00000003.1490136825.000001E2A77FC000.00000004.00000020.00020000.00000000.sdmp, 7zFM.exe, 0000000A.00000002.1509158031.000001E2A76F0000.00000004.00000020.00020000.00000000.sdmp, 7zFM.exe, 0000000A.00000002.1509158031.000001E2A7744000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000C.00000003.1665550233.000001E873DE0000.00000004.00000800.00020000.00000000.sdmp, wordpad.exe, 00000011.00000003.2364207039.0000018465A46000.00000004.00000020.00020000.00000000.sdmp, wordpad.exe, 00000011.00000003.2343568833.0000018464035000.00000004.00000020.00020000.00000000.sdmp, wordpad.exe, 00000011.00000003.2383956115.0000018466550000.00000004.00000020.00020000.00000000.sdmp, e19dc7b20219d61c5587dc754f676b67f7b77956.12.dr | String found in binary or memory: HTTPS://MON5TERMATT.CLUBF&
Source: wordpad.exe, 00000011.00000003.2339365665.0000018461618000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.mic
Source: wordpad.exe, 00000011.00000003.2349516116.0000018463A46000.00000004.00000020.00020000.00000000.sdmp, wordpad.exe, 00000011.00000003.2345095253.0000018463A46000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.micr;=.
Source: wordpad.exe, 00000011.00000003.2388435172.0000018463317000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: wordpad.exe, 00000011.00000003.2330456781.0000018463A42000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.microsoft.
Source: wordpad.exe, 00000011.00000003.2332905374.0000018463A42000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.microsoft.c
Source: classification engine | Classification label: mal60.winZIP@8/1@0/0
Source: C:\Program Files\7-Zip\7zG.exe | File created: C:\Users\user\Desktop\e19dc7b20219d61c5587dc754f676b67f7b77956
Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6816:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Windows\System32\OpenWith.exe | Process created: C:\Program Files\7-Zip\7zFM.exe "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e19dc7b20219d61c5587dc754f676b67f7b77956.zip\e19dc7b20219d61c5587dc754f676b67f7b77956"
Source: unknown | Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\" -an -ai#7zMap3752:168:7zEvent1655
Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Windows\System32\OpenWith.exe | Process created: C:\Program Files\Windows NT\Accessories\wordpad.exe "C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Users\user\Desktop\e19dc7b20219d61c5587dc754f676b67f7b77956"
Source: C:\Windows\System32\OpenWith.exe | Section loaded (in load order): kernel.appcore.dll, uxtheme.dll, onecoreuapcommonproxystub.dll, windows.storage.dll, wldp.dll, twinui.dll, wintypes.dll, powrprof.dll, dwmapi.dll, pdh.dll, umpdc.dll, onecorecommonproxystub.dll, actxprxy.dll, propsys.dll, profapi.dll, windows.staterepositoryps.dll, windows.ui.appdefaults.dll, windows.ui.immersive.dll, ntmarta.dll, uiautomationcore.dll, dui70.dll, duser.dll, dwrite.dll, bcp47mrm.dll, uianimation.dll, d3d11.dll, dxgi.dll, d3d10warp.dll, resourcepolicyclient.dll, dxcore.dll, dcomp.dll, oleacc.dll, edputil.dll, windows.ui.dll, windowmanagementapi.dll, textinputframework.dll, inputhost.dll, coremessaging.dll, twinapi.appcore.dll, coreuicomponents.dll, coremessaging.dll, twinapi.appcore.dll, coreuicomponents.dll, coremessaging.dll, windowscodecs.dll, thumbcache.dll, policymanager.dll, msvcp110_win.dll, sxs.dll, directmanipulation.dll, textshaping.dll, ninput.dll, explorerframe.dll, dataexchange.dll, windows.ui.fileexplorer.dll, xmllite.dll, structuredquery.dll, atlthunk.dll, windows.fileexplorer.common.dll, iertutil.dll, windows.storage.search.dll, linkinfo.dll, twinapi.dll, ntshrui.dll, sspicli.dll, srvcli.dll, cscapi.dll, winmm.dll, apphelp.dll, ehstorshell.dll, cscui.dll, networkexplorer.dll, mrmcorer.dll, urlmon.dll, netutils.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, pcacli.dll, mpr.dll, sfc_os.dll
Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded (in load order): uxtheme.dll, kernel.appcore.dll, textshaping.dll, windows.storage.dll, wldp.dll, windowscodecs.dll, profapi.dll, propsys.dll, explorerframe.dll, cryptbase.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, wintypes.dll, wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe | Section loaded (in load order): kernel.appcore.dll, uxtheme.dll, cryptbase.dll, explorerframe.dll, textshaping.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, wintypes.dll, wintypes.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded (in load order): kernel.appcore.dll, uxtheme.dll, onecoreuapcommonproxystub.dll, windows.storage.dll, wldp.dll, twinui.dll, wintypes.dll, powrprof.dll, dwmapi.dll, pdh.dll, umpdc.dll, onecorecommonproxystub.dll, actxprxy.dll, propsys.dll, windows.staterepositoryps.dll, windows.ui.appdefaults.dll, windows.ui.immersive.dll, profapi.dll, ntmarta.dll, uiautomationcore.dll, dui70.dll, duser.dll, dwrite.dll, bcp47mrm.dll, uianimation.dll, d3d11.dll, dxgi.dll, d3d10warp.dll, resourcepolicyclient.dll, dxcore.dll, dcomp.dll, oleacc.dll, edputil.dll, windows.ui.dll, windowmanagementapi.dll, textinputframework.dll, inputhost.dll, coreuicomponents.dll, coremessaging.dll, coremessaging.dll, coreuicomponents.dll, twinapi.appcore.dll, twinapi.appcore.dll, windowscodecs.dll, thumbcache.dll, policymanager.dll, msvcp110_win.dll, sxs.dll, directmanipulation.dll, textshaping.dll, ninput.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, sspicli.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, apphelp.dll, pcacli.dll, mpr.dll, sfc_os.dll
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe | Section loaded (in load order): apphelp.dll, acgenral.dll, userenv.dll, mpr.dll, sspicli.dll, mfc42u.dll, propsys.dll, winmm.dll, urlmon.dll, xmllite.dll, iertutil.dll, srvcli.dll, netutils.dll, ninput.dll, kernel.appcore.dll, uxtheme.dll, msxml3.dll, msftedit.dll, uiribbon.dll, textshaping.dll, windows.globalization.dll, bcp47langs.dll, bcp47mrm.dll, globinputhost.dll, netprofm.dll, dataexchange.dll, d3d11.dll, dcomp.dll, dxgi.dll, twinapi.appcore.dll, npmproxy.dll, iphlpapi.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll, wintypes.dll, wintypes.dll, wintypes.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, oleacc.dll, atlthunk.dll, prntvpt.dll, version.dll, dwmapi.dll, windowscodecs.dll, msxml6.dll, vcruntime140.dll, vcruntime140_1.dll, fms.dll, print.printsupport.source.dll, jscript.dll, amsi.dll, profapi.dll, sxs.dll, windows.ui.dll, windowmanagementapi.dll, inputhost.dll, windows.storage.dll, wldp.dll, amsi.dll, amsi.dll, dwrite.dll, onecoreuapcommonproxystub.dll, opcservices.dll, xpspushlayer.dll, xpsservices.dll, fontsub.dll, amsi.dll, compstui.dll, msimg32.dll, amsi.dll, amsi.dll, compstui.dll, msimg32.dll, amsi.dll, dxcore.dll
Source: C:\Windows\System32\OpenWith.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
Source: C:\Program Files\Windows NT\Accessories\wordpad.exeFile opened: C:\Windows\SYSTEM32\MSFTEDIT.DLLJump to behavior
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\OpenWith.exe | Window detected: Number of UI elements: 13
Source: e19dc7b20219d61c5587dc754f676b67f7b77956.12.dr | Static PE information: real checksum: 0x20cf2 should be: 0x423d6
Source: C:\Program Files\7-Zip\7zG.exe | File created: C:\Users\user\Desktop\e19dc7b20219d61c5587dc754f676b67f7b77956 (dropped file)
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX (23 events)
Source: C:\Program Files\Windows NT\Accessories\wordpad.exe | Process information set: NOOPENFILEERRORBOX (16 events)
Source: C:\Program Files\7-Zip\7zG.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\e19dc7b20219d61c5587dc754f676b67f7b77956 (dropped file)
Source: C:\Windows\System32\OpenWith.exe TID: 2792 | Thread sleep count: 174 > 30
Source: OpenWith.exe, 00000009.00000002.1499337968.0000025442211000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Prod_VMware_SATA_CD00#4&
Source: OpenWith.exe, 00000009.00000002.1500262071.00000254422B7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}E=Cons66&S
Source: OpenWith.exe, 00000009.00000003.1484500530.000002544220C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Prod_VMware_SATA_CD00#4&
Source: wordpad.exe, 00000011.00000003.2399562499.0000018463332000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: War&Prod_VMware_&3c
Source: C:\Windows\System32\OpenWith.exe | Process created: C:\Program Files\7-Zip\7zFM.exe "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e19dc7b20219d61c5587dc754f676b67f7b77956.zip\e19dc7b20219d61c5587dc754f676b67f7b77956"
Source: C:\Windows\System32\OpenWith.exe | Process created: C:\Program Files\Windows NT\Accessories\wordpad.exe "C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Users\user\Desktop\e19dc7b20219d61c5587dc754f676b67f7b77956"
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation (2 events)
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation (2 events)
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation (2 events)
MITRE ATT&CK Matrix (tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Only the cells below carry a badge in the report; the number in front of each technique is that badge as shown.

Persistence: 1 DLL Side-Loading
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading
Defense Evasion: 11 Masquerading; 1 Virtualization/Sandbox Evasion; 1 Rundll32; 11 Process Injection; 1 DLL Side-Loading
Discovery: 11 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 1 File and Directory Discovery; 11 System Information Discovery

The remaining cells of the matrix (for example Valid Accounts, Windows Management Instrumentation, OS Credential Dumping, LSASS Memory, Remote Services, Data from Local System, Data Obfuscation, Exfiltration Over Other Network Medium, Abuse Accessibility Features and the other rows) are the matrix's fixed placeholder techniques and carry no badge for this sample.
Behavior Graph (ID: 1541097; start date: 24/10/2024; architecture: WINDOWS; score: 60)

Signatures on the root node: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

Process nodes (badge counts as shown in the graph):
  • 7zG.exe (1) started; dropped e19dc7b20219d61c5587dc754f676b67f7b77956, PE32
  • OpenWith.exe (57, 16) started; started 7zFM.exe (2)
  • OpenWith.exe (3, 6) started; started wordpad.exe (12, 1)
  • rundll32.exe started

Initial sample: No Antivirus matches

Dropped files:
Source | Detection | Scanner | Label
C:\Users\user\Desktop\e19dc7b20219d61c5587dc754f676b67f7b77956 | 100% | Avira | TR/Redcap.dwqmd
C:\Users\user\Desktop\e19dc7b20219d61c5587dc754f676b67f7b77956 | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\e19dc7b20219d61c5587dc754f676b67f7b77956 | 68% | ReversingLabs | Win32.Trojan.Bingoml

Unpacked PE files: No Antivirus matches

Domains: No Antivirus matches

URLs:
Source | Detection | Scanner | Label
http://schemas.micro | 0% | URL Reputation | safe

No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation

Name: HTTPS://MON5TERMATT.CLUBF&
  Source: 7zFM.exe, 0000000A.00000003.1490136825.000001E2A77FC000.00000004.00000020.00020000.00000000.sdmp, 7zFM.exe, 0000000A.00000002.1509158031.000001E2A76F0000.00000004.00000020.00020000.00000000.sdmp, 7zFM.exe, 0000000A.00000002.1509158031.000001E2A7744000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000C.00000003.1665550233.000001E873DE0000.00000004.00000800.00020000.00000000.sdmp, wordpad.exe, 00000011.00000003.2364207039.0000018465A46000.00000004.00000020.00020000.00000000.sdmp, wordpad.exe, 00000011.00000003.2343568833.0000018464035000.00000004.00000020.00020000.00000000.sdmp, wordpad.exe, 00000011.00000003.2383956115.0000018466550000.00000004.00000020.00020000.00000000.sdmp, e19dc7b20219d61c5587dc754f676b67f7b77956.12.dr
  Malicious: false | Antivirus Detection: none | Reputation: unknown

Name: http://schemas.micr;=.
  Source: wordpad.exe, 00000011.00000003.2349516116.0000018463A46000.00000004.00000020.00020000.00000000.sdmp, wordpad.exe, 00000011.00000003.2345095253.0000018463A46000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: none | Reputation: unknown

Name: http://schemas.microsoft.
  Source: wordpad.exe, 00000011.00000003.2330456781.0000018463A42000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: none | Reputation: unknown

Name: http://schemas.microsoft.c
  Source: wordpad.exe, 00000011.00000003.2332905374.0000018463A42000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: none | Reputation: unknown

Name: http://schemas.mic
  Source: wordpad.exe, 00000011.00000003.2339365665.0000018461618000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: none | Reputation: unknown

Name: HTTPS://MEDICATUSB.XYZ
  Source: 7zFM.exe, 0000000A.00000002.1509158031.000001E2A7765000.00000004.00000020.00020000.00000000.sdmp, 7zFM.exe, 0000000A.00000002.1509158031.000001E2A76F0000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: none | Reputation: unknown

Name: http://schemas.micro
  Source: wordpad.exe, 00000011.00000003.2388435172.0000018463317000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown

Name: HTTPS://MEDICATUSB.XYZV2
  Source: the same memory dumps listed for HTTPS://MON5TERMATT.CLUBF& above (7zFM.exe, 7zG.exe, wordpad.exe and e19dc7b20219d61c5587dc754f676b67f7b77956.12.dr)
  Malicious: false | Antivirus Detection: none | Reputation: unknown

Name: HTTPS://MON5TERMATT.CLUB
  Source: 7zFM.exe, 0000000A.00000002.1509158031.000001E2A7765000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: none | Reputation: unknown

(The truncated http://schemas.mic... names are partial strings recovered from process memory, as reported; they are not complete URLs.)
                  No contacted IP infos
                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1541097
                  Start date and time:2024-10-24 12:14:47 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 4m 53s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:defaultwindowsinteractivecookbook.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:19
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:MDE_File_Sample_e19dc7b20219d61c5587dc754f676b67f7b77956.zip
                  Detection:MAL
                  Classification:mal60.winZIP@8/1@0/0
                  EGA Information:Failed
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 0
                  • Number of non-executed functions: 0
                  Cookbook Comments:
                  • Found application associated with file extension: .zip
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                  • Report size getting too big, too many NtEnumerateKey calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • VT rate limit hit for: MDE_File_Sample_e19dc7b20219d61c5587dc754f676b67f7b77956.zip
Time | Type | Description
06:15:30 | API Interceptor | 7x Sleep call for process: OpenWith.exe modified
06:17:13 | API Interceptor | 1x Sleep call for process: wordpad.exe modified
No context
                  Process:C:\Program Files\7-Zip\7zG.exe
                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):251345
                  Entropy (8bit):6.893775824944015
                  Encrypted:false
                  SSDEEP:6144:6bY3pmjANFdjohb1b3e2Ew1tCpxXDpIglzNu8:kY3pmDr1Ap9DV
                  MD5:D189452FD279C9074B3A6FAAB5462D70
                  SHA1:E19DC7B20219D61C5587DC754F676B67F7B77956
                  SHA-256:F9622474351E5548B63E5136081A50AA20AEFE42644CF57A4D5824D77BB42A2F
                  SHA-512:B6E48FD9AC72E39AABB4B81ADB2A1D70FDEB5FAACB237037FE3B154C95188884D727F95AAE270334F3CC2FC00CAFD5265128CBEAAE497968CFD7766362A8E1A0
                  Malicious:true
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  • Antivirus: ReversingLabs, Detection: 68%
                  Reputation:low
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... .oN..oN..oN..sB..oN.`pE..oN..s@..oN..p]..oN..oO..oN.`pD..oN.0iH..oN.Rich.oN.................PE..L....d.S............................Dd............@.............................................................................<......H............................................................................................................text............................... ..`.rdata..`...........................@..@.data............ ..................@....rsrc...H..........................@..@................................................................................................................................................................................................................................................................................................................................................................................
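Three of the report's findings about this dropped file can be reproduced on the extracted bytes before trusting the verdict: the content is a PE32 image but the file name carries no executable extension ("Drops files with a non-matching file extension"), the CheckSum field does not agree with the value recomputed over the file ("PE file contains an invalid checksum"), and the MDE_File_Sample naming scheme puts the content's SHA-1 in the file name, which should match the SHA1 shown above. The following Python is an added example and is not part of the Joe Sandbox report; it uses only the standard library. The PE checksum routine follows the imagehlp CheckSumMappedFile algorithm (sum of 32-bit words with end-around carry, CheckSum field skipped, folded to 16 bits, plus file length). `minimal_pe()` is a constructed stand-in image so the checks run offline; it is not the sample, so the report's values 0x20cf2 and 0x423d6 are only reproduced when the script is pointed at the real extracted file.

```python
"""Added triage checks for a dropped file: executable content without an
executable extension, PE checksum mismatch, and file name vs SHA-1 of content.
Standard library only; runs offline."""
import hashlib
import struct
import sys

E_LFANEW = 0x3C            # offset of the PE header pointer in the DOS header
OPT_HDR_OFF = 24           # "PE\0\0" (4) + IMAGE_FILE_HEADER (20)
CHECKSUM_OFF = 64          # CheckSum inside IMAGE_OPTIONAL_HEADER (PE32 and PE32+)
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv"}


def leaf_name(path: str) -> str:
    """Last path component, accepting Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def pe_header_offset(data: bytes) -> int:
    """Offset of 'PE\\0\\0', or -1 when the bytes are not a PE image."""
    if len(data) < E_LFANEW + 4 or data[:2] != b"MZ":
        return -1
    pe_off = struct.unpack_from("<I", data, E_LFANEW)[0]
    if pe_off + OPT_HDR_OFF + CHECKSUM_OFF + 4 > len(data):
        return -1
    return pe_off if data[pe_off:pe_off + 4] == b"PE\0\0" else -1


def stored_checksum(data: bytes) -> int:
    """CheckSum as written in the optional header."""
    pe_off = pe_header_offset(data)
    if pe_off < 0:
        raise ValueError("not a PE image")
    return struct.unpack_from("<I", data, pe_off + OPT_HDR_OFF + CHECKSUM_OFF)[0]


def compute_checksum(data: bytes) -> int:
    """Recompute the PE checksum as imagehlp's CheckSumMappedFile does: add all
    32-bit words with end-around carry, skipping the CheckSum field itself,
    fold the running sum to 16 bits, then add the file length."""
    pe_off = pe_header_offset(data)
    if pe_off < 0:
        raise ValueError("not a PE image")
    skip = (pe_off + OPT_HDR_OFF + CHECKSUM_OFF) & ~3   # dword holding CheckSum
    padded = data + b"\0" * (-len(data) % 4)            # pad to a dword boundary
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def checksum_is_valid(data: bytes) -> bool:
    return stored_checksum(data) == compute_checksum(data)


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def extension_matches_content(path: str, data: bytes) -> bool:
    """False when the bytes are a PE image but the name has no executable
    extension, as with the extension-less file 7zG.exe wrote to the Desktop."""
    name = leaf_name(path).lower()
    ext = name[name.rfind("."):] if "." in name else ""
    return pe_header_offset(data) < 0 or ext in EXECUTABLE_EXTENSIONS


def name_is_sha1_of_content(path: str, data: bytes) -> bool:
    """MDE file samples are named after the SHA-1 of their content; check it."""
    return leaf_name(path).lower() == sha1_hex(data)


def triage(path: str, data: bytes) -> dict:
    """Run all three checks and return the findings."""
    result = {
        "is_pe": pe_header_offset(data) >= 0,
        "extension_matches_content": extension_matches_content(path, data),
        "name_is_sha1_of_content": name_is_sha1_of_content(path, data),
        "sha1": sha1_hex(data),
    }
    if result["is_pe"]:
        result["stored_checksum"] = stored_checksum(data)
        result["computed_checksum"] = compute_checksum(data)
        result["checksum_is_valid"] = result["stored_checksum"] == result["computed_checksum"]
    return result


def minimal_pe(checksum: int = 0, payload: bytes = b"") -> bytes:
    """Constructed stand-in, not the report's sample: a structurally minimal
    PE32 image (MZ stub, 'PE\\0\\0', file header, 96-byte optional header)
    with a chosen CheckSum value, so the checks above can run offline."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW, 64)                       # e_lfanew
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 96, 0x0102)  # i386
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, CHECKSUM_OFF, checksum)
    return bytes(dos) + b"PE\0\0" + file_header + bytes(opt) + payload


if __name__ == "__main__":
    # Usage: python triage.py <extracted file>; with no argument the constructed image is checked.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(target, "rb").read() if target else minimal_pe(0, b"A" * 10)
    for key, value in triage(target or "constructed.bin", blob).items():
        print(key, hex(value) if key.endswith("checksum") else value)
```

Run against the file 7zG.exe extracted, `is_pe` is true, `extension_matches_content` is false, and `name_is_sha1_of_content` is true only if the content still hashes to e19dc7b20219d61c5587dc754f676b67f7b77956; a stored and computed checksum that differ reproduce the report's invalid-checksum signature. A mismatching checksum alone is weak evidence (many legitimate unsigned builds leave the field wrong), but combined with a PE hiding behind a missing extension it is worth a closer look.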
                  File type:Zip archive data, at least v2.0 to extract, compression method=deflate
                  Entropy (8bit):7.998837074469351
                  TrID:
                  • ZIP compressed archive (8000/1) 100.00%
                  File name:MDE_File_Sample_e19dc7b20219d61c5587dc754f676b67f7b77956.zip
                  File size:150'688 bytes
                  MD5:ea07069d2ef7ccd6c859890fac77d4b1
                  SHA1:2786bda72a880148d4bb3b026b1cc4d9f6d4fb9a
                  SHA256:dc38ea5bab9b147b2f11bb1d8ae0336d894694caa186a09efbbe7f3adcc117aa
                  SHA512:fe0146732d8100db6a482d752c1553c5aef7896e8b825fb842673d373ecfeb5856949f6c3affb54df1a87f409692d44a9ad22ee9b7e78c3bec9536ca8f461f20
                  SSDEEP:3072:JpMc/32bWnXwz8fqszRs4GJ9385mvkEZScGa5T3g/FidqAXKFiCEKZG4MURf7b:JK6m+BqsNTGJ93cmnSq5T33tzCEKsQRf
                  TLSH:C7E312380C416EBD9B46E8BBBFE5340255B1D53B5E7093CEB08EA34D18A7C5E706462D
                  File Content Preview:PK.........QXY..xW.K......(.$.e19dc7b20219d61c5587dc754f676b67f7b77956.. ............Z.%.....Z.%.....Z.%..<..J.....r....^...-...<....I....r.d..d.A./..n*df......@........kS.:...."E(.n.7.lV...Mv..tB.b>.+..E....~r6w;Q-...#.....|.. ...F...z.Um.e1.CUfh...Lv..s
                  Icon Hash:1c1c1e4e4ececedc
                  No network behavior found

                  Target ID:0
                  Start time:06:15:19
                  Start date:24/10/2024
                  Path:C:\Windows\System32\rundll32.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                  Imagebase:0x7ff7f0910000
                  File size:71'680 bytes
                  MD5 hash:EF3179D498793BF4234F708D3BE28633
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:9
                  Start time:06:15:30
                  Start date:24/10/2024
                  Path:C:\Windows\System32\OpenWith.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\OpenWith.exe -Embedding
                  Imagebase:0x7ff645930000
                  File size:123'984 bytes
                  MD5 hash:E4A834784FA08C17D47A1E72429C5109
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:10
                  Start time:06:15:49
                  Start date:24/10/2024
                  Path:C:\Program Files\7-Zip\7zFM.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\user\AppData\Local\Temp\Temp1_MDE_File_Sample_e19dc7b20219d61c5587dc754f676b67f7b77956.zip\e19dc7b20219d61c5587dc754f676b67f7b77956"
                  Imagebase:0x830000
                  File size:952'832 bytes
                  MD5 hash:30AC0B832D75598FB3EC37B6F2A8C86A
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:moderate
                  Has exited:true

                  Target ID:12
                  Start time:06:16:02
                  Start date:24/10/2024
                  Path:C:\Program Files\7-Zip\7zG.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\" -an -ai#7zMap3752:168:7zEvent1655
                  Imagebase:0x7c0000
                  File size:700'416 bytes
                  MD5 hash:50F289DF0C19484E970849AAC4E6F977
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:moderate
                  Has exited:true

                  Target ID:16
                  Start time:06:17:01
                  Start date:24/10/2024
                  Path:C:\Windows\System32\OpenWith.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\OpenWith.exe -Embedding
                  Imagebase:0x7ff645930000
                  File size:123'984 bytes
                  MD5 hash:E4A834784FA08C17D47A1E72429C5109
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:17
                  Start time:06:17:12
                  Start date:24/10/2024
                  Path:C:\Program Files\Windows NT\Accessories\wordpad.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Program Files\Windows NT\Accessories\WORDPAD.EXE" "C:\Users\user\Desktop\e19dc7b20219d61c5587dc754f676b67f7b77956"
                  Imagebase:0x7ff63d300000
                  File size:3'059'712 bytes
                  MD5 hash:91F992550EAF33609B8C27C680402EBA
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:moderate
                  Has exited:true

                  No disassembly