Edit tour

Windows Analysis Report
7z2408-x64.exe

Overview

General Information

Sample name:	7z2408-x64.exe
Analysis ID:	1541328
MD5:	0330d0bd7341a9afe5b6d161b1ff4aa1
SHA1:	86918e72f2e43c9c664c246e62b41452d662fbf3
SHA256:	67cb9d3452c9dd974b04f4a5fd842dbcba8184f2344ff72e3662d7cdb68b099b
Infos:

Detection

Score:	19
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Infects executable files (exe, dll, sys, html)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

7z2408-x64.exe (PID: 6184 cmdline: "C:\Users\user\Desktop\7z2408-x64.exe" MD5: 0330D0BD7341A9AFE5B6D161B1FF4AA1)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: 7z2408-x64.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\7z2408-x64.exe	System file written: C:\Program Files\7-Zip\7-zip.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	System file written: C:\Program Files\7-Zip\7z.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	System file written: C:\Program Files\7-Zip\7z.exe	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	System file written: C:\Program Files\7-Zip\7-zip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	System file written: C:\Program Files\7-Zip\7zG.exe	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	System file written: C:\Program Files\7-Zip\7zFM.exe	Jump to behavior

Source: 7z2408-x64.exe, 00000000.00000003.1756539856.0000000002740000.00000004.00000020.00020000.00000000.sdmp, License.txt.0.dr	String found in binary or memory: http://www.gnu.org/
Source: 7z2408-x64.exe, 00000000.00000003.1756539856.0000000002740000.00000004.00000020.00020000.00000000.sdmp, History.txt.0.dr	String found in binary or memory: https://7-zip.org/history.txt
Source: 7z2408-x64.exe, 00000000.00000003.1759096947.00000000045AF000.00000004.00000020.00020000.00000000.sdmp, 7zFM.exe.0.dr	String found in binary or memory: https://www.7-zip.org/

Source: C:\Users\user\Desktop\7z2408-x64.exe

Code function: 0_2_004017DE GetModuleFileNameW,GetDlgItemTextW,lstrlenW,ShowWindow,ShowWindow,ShowWindow,SendMessageW,PeekMessageW,PeekMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,SendMessageW,PeekMessageW,PeekMessageW,SetWindowTextW,lstrcpyW,lstrcpyW,lstrlenW,GetFileAttributesW,SetFileAttributesW,lstrcatW,lstrlenW,MessageBoxW,SetFileTime,SetFileAttributesW,MoveFileExW,GetLastError,SendMessageW,SetWindowTextW,MessageBoxW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

0_2_004017DE

Source: C:\Users\user\Desktop\7z2408-x64.exe	Code function: 0_2_00405F40	0_2_00405F40
Source: C:\Users\user\Desktop\7z2408-x64.exe	Code function: 0_2_00404061	0_2_00404061
Source: C:\Users\user\Desktop\7z2408-x64.exe	Code function: 0_2_00407430	0_2_00407430
Source: C:\Users\user\Desktop\7z2408-x64.exe	Code function: 0_2_00406A85	0_2_00406A85
Source: C:\Users\user\Desktop\7z2408-x64.exe	Code function: 0_2_00405692	0_2_00405692

Source: Joe Sandbox View	Dropped File: C:\Program Files\7-Zip\7z.dll E79DDFB6319DBF9BAC6382035D23597DAD979DB5E71A605D81A61EE817C1E812
Source: Joe Sandbox View	Dropped File: C:\Program Files\7-Zip\7z.exe 707F415D7D581EDD9BCE99A0429AD4629D3BE0316C329E8B9EBD576F7AB50B71

Source: 7z2408-x64.exe, 00000000.00000002.2968372960.0000000000197000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7zipInstall.exe, vs 7z2408-x64.exe
Source: 7z2408-x64.exe, 00000000.00000002.2968559714.000000000040E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename7zipInstall.exe, vs 7z2408-x64.exe
Source: 7z2408-x64.exe, 00000000.00000003.1759096947.00000000045AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7-zip.dll, vs 7z2408-x64.exe
Source: 7z2408-x64.exe, 00000000.00000003.1759096947.00000000045AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 7z2408-x64.exe
Source: 7z2408-x64.exe, 00000000.00000003.1759096947.00000000045AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FileVersionFileDescriptionOriginalFilename_winzip_.rsrcCOFF_SYMBOLSCERTIFICATE.pdata.reloc vs 7z2408-x64.exe
Source: 7z2408-x64.exe, 00000000.00000003.1759096947.00000000045AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7z.dll, vs 7z2408-x64.exe
Source: 7z2408-x64.exe, 00000000.00000003.1759096947.00000000045AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7z.exe, vs 7z2408-x64.exe
Source: 7z2408-x64.exe, 00000000.00000003.1759096947.00000000045AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7z.sfx.exe, vs 7z2408-x64.exe
Source: 7z2408-x64.exe, 00000000.00000003.1759096947.00000000045AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7zFM.exe, vs 7z2408-x64.exe
Source: 7z2408-x64.exe, 00000000.00000003.1759096947.00000000045AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7zg.exe, vs 7z2408-x64.exe
Source: 7z2408-x64.exe, 00000000.00000003.1759096947.00000000045AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUninstall.exe, vs 7z2408-x64.exe
Source: 7z2408-x64.exe	Binary or memory string: OriginalFilename7zipInstall.exe, vs 7z2408-x64.exe

Source: 7z2408-x64.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: clean19.spre.winEXE@1/109@0/0

Source: C:\Users\user\Desktop\7z2408-x64.exe

0_2_004017DE

Source: C:\Users\user\Desktop\7z2408-x64.exe

Code function: 0_2_004025C5 CoCreateInstance,

0_2_004025C5

Source: 7z2408-x64.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\7z2408-x64.exe

File read: C:\Program Files\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\7z2408-x64.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\7z2408-x64.exe

File read: C:\Users\user\Desktop\7z2408-x64.exe

Jump to behavior

Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: drprov.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: ntlanman.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: davclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: playtodevice.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: devdispitemprovider.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: portabledeviceapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: networkexplorer.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Section loaded: mfperfhelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\7z2408-x64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32

Jump to behavior

Source: 7-Zip File Manager.lnk.0.dr	LNK file: ..\..\..\..\..\..\Program Files\7-Zip\7zFM.exe
Source: 7-Zip Help.lnk.0.dr	LNK file: ..\..\..\..\..\..\Program Files\7-Zip\7-zip.chm

Source: C:\Users\user\Desktop\7z2408-x64.exe	Automated click: Install
Source: C:\Users\user\Desktop\7z2408-x64.exe	Automated click: OK
Source: C:\Users\user\Desktop\7z2408-x64.exe	Automated click: OK
Source: C:\Users\user\Desktop\7z2408-x64.exe	Automated click: OK
Source: C:\Users\user\Desktop\7z2408-x64.exe	Automated click: OK
Source: C:\Users\user\Desktop\7z2408-x64.exe	Automated click: OK
Source: C:\Users\user\Desktop\7z2408-x64.exe	Automated click: OK
Source: C:\Users\user\Desktop\7z2408-x64.exe	Automated click: OK
Source: C:\Users\user\Desktop\7z2408-x64.exe	Automated click: OK
Source: C:\Users\user\Desktop\7z2408-x64.exe	Automated click: OK
Source: C:\Users\user\Desktop\7z2408-x64.exe	Automated click: OK
Source: C:\Users\user\Desktop\7z2408-x64.exe	Automated click: OK
Source: C:\Users\user\Desktop\7z2408-x64.exe	Automated click: OK
Source: C:\Users\user\Desktop\7z2408-x64.exe	Automated click: OK
Source: C:\Users\user\Desktop\7z2408-x64.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 7z2408-x64.exe

Static file information: File size 1624144 > 1048576

Source: C:\Users\user\Desktop\7z2408-x64.exe

Code function: 0_2_00401FB1 GetSystemDirectoryW,lstrlenW,lstrcpyW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,malloc,free,

0_2_00401FB1

Source: 7-zip32.dll.0.dr	Static PE information: section name: .sxdata
Source: 7z.sfx.0.dr	Static PE information: section name: .sxdata
Source: 7zCon.sfx.0.dr	Static PE information: section name: .sxdata

Source: C:\Users\user\Desktop\7z2408-x64.exe

Code function: 0_2_004071E0 push eax; ret

0_2_0040720E

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\7z2408-x64.exe	System file written: C:\Program Files\7-Zip\7-zip.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	System file written: C:\Program Files\7-Zip\7z.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	System file written: C:\Program Files\7-Zip\7z.exe	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	System file written: C:\Program Files\7-Zip\7-zip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	System file written: C:\Program Files\7-Zip\7zG.exe	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	System file written: C:\Program Files\7-Zip\7zFM.exe	Jump to behavior

Source: C:\Users\user\Desktop\7z2408-x64.exe	File created: C:\Program Files\7-Zip\7-zip.dll	Jump to dropped file
Source: C:\Users\user\Desktop\7z2408-x64.exe	File created: C:\Program Files\7-Zip\7z.sfx	Jump to dropped file
Source: C:\Users\user\Desktop\7z2408-x64.exe	File created: C:\Program Files\7-Zip\7z.dll	Jump to dropped file
Source: C:\Users\user\Desktop\7z2408-x64.exe	File created: C:\Program Files\7-Zip\7z.exe	Jump to dropped file
Source: C:\Users\user\Desktop\7z2408-x64.exe	File created: C:\Program Files\7-Zip\7-zip32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\7z2408-x64.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\7z2408-x64.exe	File created: C:\Program Files\7-Zip\7zCon.sfx	Jump to dropped file
Source: C:\Users\user\Desktop\7z2408-x64.exe	File created: C:\Program Files\7-Zip\7zG.exe	Jump to dropped file
Source: C:\Users\user\Desktop\7z2408-x64.exe	File created: C:\Program Files\7-Zip\7zFM.exe	Jump to dropped file

Source: C:\Users\user\Desktop\7z2408-x64.exe	File created: C:\Program Files\7-Zip\7z.sfx			Jump to dropped file
Source: C:\Users\user\Desktop\7z2408-x64.exe	File created: C:\Program Files\7-Zip\7zCon.sfx			Jump to dropped file

Source: C:\Users\user\Desktop\7z2408-x64.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7-zip.dll	Jump to dropped file
Source: C:\Users\user\Desktop\7z2408-x64.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.sfx	Jump to dropped file
Source: C:\Users\user\Desktop\7z2408-x64.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.dll	Jump to dropped file
Source: C:\Users\user\Desktop\7z2408-x64.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.exe	Jump to dropped file
Source: C:\Users\user\Desktop\7z2408-x64.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\7z2408-x64.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7-zip32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\7z2408-x64.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7zCon.sfx	Jump to dropped file
Source: C:\Users\user\Desktop\7z2408-x64.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7zG.exe	Jump to dropped file
Source: C:\Users\user\Desktop\7z2408-x64.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7zFM.exe	Jump to dropped file

Source: C:\Users\user\Desktop\7z2408-x64.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: 7z2408-x64.exe, 00000000.00000003.2644291325.000000000A342000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Qdc
Source: 7z2408-x64.exe, 00000000.00000003.2087105031.0000000000668000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\PROGRA~1_VMware_SATA_CD0^']
Source: 7z2408-x64.exe, 00000000.00000003.2062199390.00000000006A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gSTORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ef&&
Source: 7z2408-x64.exe, 00000000.00000002.2970058084.000000000A330000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:T
Source: 7z2408-x64.exe, 00000000.00000003.1979640351.000000000069D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dSTORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 7z2408-x64.exe, 00000000.00000003.1978887267.000000000069D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gSTORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 7z2408-x64.exe, 00000000.00000003.2333268101.000000000065B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _VMware_SATA_CD0^'\
Source: 7z2408-x64.exe, 00000000.00000003.2393903090.000000000A34B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Tjh
Source: 7z2408-x64.exe, 00000000.00000003.2561954201.000000000A34A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}^ff
Source: 7z2408-x64.exe, 00000000.00000003.2311360135.000000000A2AB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA{']
Source: 7z2408-x64.exe, 00000000.00000002.2970058084.000000000A330000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:h
Source: 7z2408-x64.exe, 00000000.00000003.2724562565.000000000A346000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: E#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 7z2408-x64.exe, 00000000.00000003.2644936228.000000000A342000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 7z2408-x64.exe, 00000000.00000003.2561954201.000000000A34A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}~QG
Source: 7z2408-x64.exe, 00000000.00000003.2394625067.000000000A34B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Tjh
Source: 7z2408-x64.exe, 00000000.00000003.2394625067.000000000A34B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Qdc
Source: 7z2408-x64.exe, 00000000.00000003.2644936228.000000000A342000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}2-00a0c91efb8b}\\?\STORAG6~
Source: 7z2408-x64.exe, 00000000.00000003.2171636830.000000000A2A9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 4f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA{']
Source: 7z2408-x64.exe, 00000000.00000003.2725173354.000000000A33D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b})
Source: 7z2408-x64.exe, 00000000.00000003.2888976790.000000000A2A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: }\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 7z2408-x64.exe, 00000000.00000003.2480395971.000000000A34A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}^ff
Source: 7z2408-x64.exe, 00000000.00000003.2749161396.000000000A34D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:e\CLX]
Source: 7z2408-x64.exe, 00000000.00000002.2969841456.000000000A2A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}!
Source: 7z2408-x64.exe, 00000000.00000003.2724791506.000000000A330000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: 7z2408-x64.exe, 00000000.00000002.2969841456.000000000A2A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 00#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 7z2408-x64.exe, 00000000.00000003.2644936228.000000000A342000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: lume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 7z2408-x64.exe, 00000000.00000003.2888709824.000000000A351000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94@]
Source: 7z2408-x64.exe, 00000000.00000003.2889013936.000000000A348000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Qjc
Source: 7z2408-x64.exe, 00000000.00000003.2644936228.000000000A342000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 7z2408-x64.exe, 00000000.00000003.2644291325.000000000A342000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}11ee-8c18-806e6f6e6963}#00
Source: 7z2408-x64.exe, 00000000.00000003.2725173354.000000000A33D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}C
Source: 7z2408-x64.exe, 00000000.00000003.2311246255.000000000065B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}uu
Source: 7z2408-x64.exe, 00000000.00000003.2229433583.00000000006A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gSTORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}&&
Source: 7z2408-x64.exe, 00000000.00000003.2061434167.0000000000668000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}--
Source: 7z2408-x64.exe, 00000000.00000003.2644291325.000000000A342000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}a33c735c-61ca-11ee-8c18-80
Source: 7z2408-x64.exe, 00000000.00000003.2725173354.000000000A33D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}6f6e6963}#0000000006500000^
Source: 7z2408-x64.exe, 00000000.00000003.2644936228.000000000A342000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 7z2408-x64.exe, 00000000.00000003.2644936228.000000000A342000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 7z2408-x64.exe, 00000000.00000002.2969841456.000000000A2A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 7z2408-x64.exe, 00000000.00000002.2968725040.000000000060A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0uWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: 7z2408-x64.exe, 00000000.00000003.2061506490.00000000006A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wgSTORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ef&&
Source: 7z2408-x64.exe, 00000000.00000003.2644291325.000000000A342000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}7f
Source: 7z2408-x64.exe, 00000000.00000003.2725173354.000000000A33D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 7z2408-x64.exe, 00000000.00000003.2644291325.000000000A342000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 7z2408-x64.exe, 00000000.00000003.2644824463.000000000065B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000007
Source: 7z2408-x64.exe, 00000000.00000003.1978887267.000000000069D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}$$
Source: 7z2408-x64.exe, 00000000.00000003.2724562565.000000000A346000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}\\?\STORAGE#Volume#{a33crcG
Source: 7z2408-x64.exe, 00000000.00000003.2562065555.000000000A34E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 7z2408-x64.exe, 00000000.00000003.1900346230.000000000069D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: j8ycSTORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 7z2408-x64.exe, 00000000.00000003.2394494523.000000000A2A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA{']
Source: 7z2408-x64.exe, 00000000.00000003.2480395971.000000000A34A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}OhU
Source: 7z2408-x64.exe, 00000000.00000003.2644291325.000000000A342000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 7z2408-x64.exe, 00000000.00000003.2561954201.000000000A34A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}OhU
Source: 7z2408-x64.exe, 00000000.00000003.2561954201.000000000A34A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: a-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Tjh

Source: C:\Users\user\Desktop\7z2408-x64.exe

Code function: 0_2_00401FB1 GetSystemDirectoryW,lstrlenW,lstrcpyW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,malloc,free,

0_2_00401FB1

Source: C:\Users\user\Desktop\7z2408-x64.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\7z2408-x64.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\7z2408-x64.exe

Code function: 0_2_004059FD GetVersion,GetModuleHandleW,GetProcAddress,GetSystemDirectoryW,LoadLibraryExW,

0_2_004059FD

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	1 Taint Shared Content	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Access Token Manipulation	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
7z2408-x64.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files\7-Zip\7-zip.dll	0%	ReversingLabs
C:\Program Files\7-Zip\7-zip32.dll	0%	ReversingLabs
C:\Program Files\7-Zip\7z.dll	0%	ReversingLabs
C:\Program Files\7-Zip\7z.exe	0%	ReversingLabs
C:\Program Files\7-Zip\7z.sfx	0%	ReversingLabs
C:\Program Files\7-Zip\7zCon.sfx	0%	ReversingLabs
C:\Program Files\7-Zip\7zFM.exe	0%	ReversingLabs
C:\Program Files\7-Zip\7zG.exe	0%	ReversingLabs
C:\Program Files\7-Zip\Uninstall.exe	0%	ReversingLabs

Name	Source	Malicious	Reputation
http://www.gnu.org/	7z2408-x64.exe, 00000000.00000003.1756539856.0000000002740000.00000004.00000020.00020000.00000000.sdmp, License.txt.0.dr	false	unknown
https://www.7-zip.org/	7z2408-x64.exe, 00000000.00000003.1759096947.00000000045AF000.00000004.00000020.00020000.00000000.sdmp, 7zFM.exe.0.dr	false	unknown
https://7-zip.org/history.txt	7z2408-x64.exe, 00000000.00000003.1756539856.0000000002740000.00000004.00000020.00020000.00000000.sdmp, History.txt.0.dr	false	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541328
Start date and time:	2024-10-24 17:35:44 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	7z2408-x64.exe
Detection:	CLEAN
Classification:	clean19.spre.winEXE@1/109@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 25 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 7z2408-x64.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files\7-Zip\7z.dll	6rxVO117yJ.exe	Get hash	malicious	RHADAMANTHYS	Browse
	6rxVO117yJ.exe	Get hash	malicious	RHADAMANTHYS	Browse
	O1cd60GrHb.exe	Get hash	malicious	RHADAMANTHYS	Browse
	O1cd60GrHb.exe	Get hash	malicious	RHADAMANTHYS	Browse
C:\Program Files\7-Zip\7z.exe	6rxVO117yJ.exe	Get hash	malicious	RHADAMANTHYS	Browse
	6rxVO117yJ.exe	Get hash	malicious	RHADAMANTHYS	Browse
	O1cd60GrHb.exe	Get hash	malicious	RHADAMANTHYS	Browse
	O1cd60GrHb.exe	Get hash	malicious	RHADAMANTHYS	Browse

Process:	C:\Users\user\Desktop\7z2408-x64.exe
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	120396
Entropy (8bit):	7.886177960928617
Encrypted:	false
SSDEEP:	3072:LbVXJ5WfBbkivVIdgKd07cleTTsM7YISV0ifmMz7:fZeBb1V0gZ7cloz+d
MD5:	99B88F4D6D13713053DB06B449ED6A9F
SHA1:	F718E09A42E9EC49DB060589D24135CA6929E8E0
SHA-256:	F830DDC5280D00E1CB160F9E5DD114292D5EFEF66C23C3C03C224894250BAC2F
SHA-512:	9F1CB9AD8023B340C82E987BAB33CDDD817E3ECE892ACA7350650343396D4DC5D00CFD99C0718A862280C81D7D525C5E870390E1CDFDB4987B6663B1394CF1FC
Malicious:	false
Reputation:	low
Preview:	ITSF....`.........#;.......\|.{.......".....\|.{......."..`.......(...............T ......................L.......................,...................j..].!......."..T.....................U.n.c.o.m.p.r.e.s.s.e.d.....M.S.C.o.m.p.r.e.s.s.e.d...{.7.F.C.2.8.9.4.0.-.9.D.3.1.-.1.1.D.0.<...........LZXC......................`N..A.`#.._.....HM.a.Zk5..$$...BQ.+C....^z..79w....?wJ.^...UT5.N%w..ff.h......W..z.F..;S..7....f{.0.?t3W.....i..+v.....E.>d,..k......t..ib.....XHB"....#.<.,="b..C..$..6..FC..$.:....t.`........7..rR[H....2.#.G.A... ..>..Q.....U.(..B....................w..]..x.....w]...y.V..N... ....@.....n.cl!ija..\............ml,^m6$\..k..1k.....'.q.o,D..T.!m.`3.-N.~.`.\.-.m.....N..i.;x..Uu....Ks..m...'.6...,.~.d..KY.....v_...Y.&......`..g.[6 .9.....}U..,...[.8.t....Z.Dw.....+.r\|ge.rw...n.s.D.8...N?;.V....B'7.[.D..._'.c~..{..D[q.7k..l."..\.?...~W.=.......9L....d]\|.....X~..o.....:/tk.....]..e......{.;u+...v........2....1...[...(...d.n...]..fa......q...u.};..

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.996466295353874
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	7z2408-x64.exe
File size:	1'624'144 bytes
MD5:	0330d0bd7341a9afe5b6d161b1ff4aa1
SHA1:	86918e72f2e43c9c664c246e62b41452d662fbf3
SHA256:	67cb9d3452c9dd974b04f4a5fd842dbcba8184f2344ff72e3662d7cdb68b099b
SHA512:	850382414d9d33eab134f8bd89dc99759f8d0459b7ad48bd9588405a3705aeb2cd727898529e3f71d9776a42e141c717e844e0b5c358818bbeac01d096907ad1
SSDEEP:	24576:UEBmEo1y9fcw5K42KmEDaMYAhr08oSG4OdWrfjcaHSNXJdx7wE9iko6qzLJmYYUP:UEvoo24xV2JJdPwMJ3x75z5q0jc/3
TLSH:	307533927C094177FA5942F1949BBDEEF8FCDD154CAC818D0BA10A6F98B5740827E2E3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~..X:...:...:...U...1.......?...U...8.......8...:...h.......1.......7.......;.......;...Rich:...........................PE..L..

Entrypoint:	0x407294
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT
Time Stamp:	0x66B8B5D0 [Sun Aug 11 13:00:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	cf0d2de4fd6406302012e0f40060395f

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8c44	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0xfe8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x14c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x65ee	0x6600	92c15bc559436197211dd4ef06b937c3	False	0.6510416666666666	data	6.614114625059912	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1346	0x1400	6371f58804eb9c582c616252e35f441a	False	0.4130859375	data	4.617694084721839	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x38ec	0x200	598e1aae6ecbd8237c4383f4be94b9f1	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xe000	0xfe8	0x1000	20da3b4bc17b37bbf40354d2a9099839	False	0.37255859375	data	4.366205442800389	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xe480	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.16532258064516128
RT_ICON	0xe768	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.32094594594594594
RT_DIALOG	0xe8b8	0x176	data	English	United States	0.5802139037433155
RT_GROUP_ICON	0xe890	0x22	data	English	United States	1.0
RT_VERSION	0xe1b0	0x2d0	data	English	United States	0.4666666666666667
RT_MANIFEST	0xea30	0x5b2	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.47462277091906724

DLL	Import
ole32.dll	CoCreateInstance, CoInitialize
USER32.dll	PeekMessageW, ExitWindowsEx, GetDlgItemTextW, SetWindowTextW, ShowWindow, MessageBoxW, CreateDialogParamW, LoadIconW, SendMessageW, GetMessageW, EnableWindow, GetDlgItem, IsDialogMessageW, TranslateMessage, DispatchMessageW, SetDlgItemTextW, DestroyWindow
ADVAPI32.dll	RegSetValueExW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegQueryValueExW, RegOpenKeyExW, RegCloseKey, RegCreateKeyExW
SHELL32.dll	SHGetFolderPathW, SHBrowseForFolderW, SHGetPathFromIDListW
MSVCRT.dll	_exit, _XcptFilter, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, memcpy, memcmp, memmove, malloc, free, exit, memset
KERNEL32.dll	ReadFile, CloseHandle, CreateFileW, FormatMessageW, WriteFile, DeleteFileW, CreateDirectoryW, GetSystemDirectoryW, LoadLibraryW, GetModuleFileNameW, GetFileAttributesW, SetFilePointer, GetVersion, LoadLibraryExW, GetModuleHandleA, GetStartupInfoA, LocalFree, SetFileAttributesW, SetFileTime, MoveFileExW, GetLastError, lstrcatW, GetCommandLineW, lstrcpyW, GetModuleHandleW, GetProcAddress, GetCurrentProcess, lstrlenW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 17:37:00.423110008 CEST	53	57922	1.1.1.1	192.168.2.4
Oct 24, 2024 17:37:02.094926119 CEST	53	55687	1.1.1.1	192.168.2.4

Target ID:	0
Start time:	11:36:38
Start date:	24/10/2024
Path:	C:\Users\user\Desktop\7z2408-x64.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\7z2408-x64.exe"
Imagebase:	0x400000
File size:	1'624'144 bytes
MD5 hash:	0330D0BD7341A9AFE5B6D161B1FF4AA1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Execution Coverage:	27.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	28.6%
Total number of Nodes:	294
Total number of Limit Nodes:	9

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 7z2408-x64.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\7-Zip\7-zip.chm

C:\Program Files\7-Zip\7-zip.dll

C:\Program Files\7-Zip\7-zip32.dll

C:\Program Files\7-Zip\7z.dll

C:\Program Files\7-Zip\7z.exe

C:\Program Files\7-Zip\7z.sfx

C:\Program Files\7-Zip\7zCon.sfx

C:\Program Files\7-Zip\7zFM.exe

C:\Program Files\7-Zip\7zG.exe

C:\Program Files\7-Zip\History.txt

C:\Program Files\7-Zip\Lang\af.txt

C:\Program Files\7-Zip\Lang\an.txt

C:\Program Files\7-Zip\Lang\ar.txt

C:\Program Files\7-Zip\Lang\ast.txt

C:\Program Files\7-Zip\Lang\az.txt

C:\Program Files\7-Zip\Lang\ba.txt

C:\Program Files\7-Zip\Lang\be.txt

C:\Program Files\7-Zip\Lang\bg.txt

C:\Program Files\7-Zip\Lang\bn.txt

C:\Program Files\7-Zip\Lang\br.txt

C:\Program Files\7-Zip\Lang\ca.txt

C:\Program Files\7-Zip\Lang\co.txt

C:\Program Files\7-Zip\Lang\cs.txt

C:\Program Files\7-Zip\Lang\cy.txt

C:\Program Files\7-Zip\Lang\da.txt

C:\Program Files\7-Zip\Lang\de.txt

C:\Program Files\7-Zip\Lang\el.txt

Windows Analysis Report
7z2408-x64.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre