Edit tour

Windows Analysis Report
7z2301-x64.exe

Overview

General Information

Sample name:	7z2301-x64.exe
Analysis ID:	1428447
MD5:	e5788b13546156281bf0a4b38bdd0901
SHA1:	7df28d340d7084647921cc25a8c2068bb192bdbb
SHA256:	26cb6e9f56333682122fafe79dbcdfd51e9f47cc7217dccd29ac6fc33b5598cd
Infos:

Detection

Score:	19
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Infects executable files (exe, dll, sys, html)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Process Tree

System is w10x64

7z2301-x64.exe (PID: 7436 cmdline: "C:\Users\user\Desktop\7z2301-x64.exe" MD5: E5788B13546156281BF0A4B38BDD0901)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: 7z2301-x64.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\7z2301-x64.exe	System file written: C:\Program Files\7-Zip\7-zip.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	System file written: C:\Program Files\7-Zip\7z.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	System file written: C:\Program Files\7-Zip\7z.exe	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	System file written: C:\Program Files\7-Zip\7-zip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	System file written: C:\Program Files\7-Zip\7zG.exe	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	System file written: C:\Program Files\7-Zip\7zFM.exe	Jump to behavior

Source: 7z2301-x64.exe, 00000000.00000003.1688177644.0000000002734000.00000004.00000020.00020000.00000000.sdmp, License.txt.0.dr	String found in binary or memory: http://www.gnu.org/
Source: 7z2301-x64.exe, 00000000.00000003.1691781092.0000000004577000.00000004.00000020.00020000.00000000.sdmp, 7zFM.exe.0.dr	String found in binary or memory: https://www.7-zip.org/

Source: C:\Users\user\Desktop\7z2301-x64.exe

Code function: 0_2_004017DE GetModuleFileNameW,GetDlgItemTextW,lstrlenW,ShowWindow,ShowWindow,ShowWindow,SendMessageW,PeekMessageW,PeekMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,SendMessageW,PeekMessageW,PeekMessageW,SetWindowTextW,lstrcpyW,lstrcpyW,lstrlenW,GetFileAttributesW,SetFileAttributesW,lstrcatW,lstrlenW,MessageBoxW,SetFileTime,SetFileAttributesW,MoveFileExW,GetLastError,SendMessageW,SetWindowTextW,MessageBoxW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,

0_2_004017DE

Source: C:\Users\user\Desktop\7z2301-x64.exe	Code function: 0_2_00404067	0_2_00404067
Source: C:\Users\user\Desktop\7z2301-x64.exe	Code function: 0_2_0040580A	0_2_0040580A
Source: C:\Users\user\Desktop\7z2301-x64.exe	Code function: 0_2_00404CC3	0_2_00404CC3
Source: C:\Users\user\Desktop\7z2301-x64.exe	Code function: 0_2_00406BFD	0_2_00406BFD
Source: C:\Users\user\Desktop\7z2301-x64.exe	Code function: 0_2_004060B8	0_2_004060B8

Source: Joe Sandbox View	Dropped File: C:\Program Files\7-Zip\7-zip.dll F9B4944D3A5536A6F8B4D5DB17D903988A3518B22FBEE6E3F6019AAF44189B3D
Source: Joe Sandbox View	Dropped File: C:\Program Files\7-Zip\7-zip32.dll 62EF98B00232F9D63A647E201ABFB354582D3FBC342EC63DF15B2A0CE514B5A6
Source: Joe Sandbox View	Dropped File: C:\Program Files\7-Zip\7z.dll 77222E81CB7004E8C3E077AADA02B555A3D38FB05B50C64AFD36CA230A8FD5B9

Source: 7z2301-x64.exe, 00000000.00000000.1634981117.000000000040D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename7zipInstall.exe, vs 7z2301-x64.exe
Source: 7z2301-x64.exe, 00000000.00000003.1691781092.0000000004577000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7-zip.dll, vs 7z2301-x64.exe
Source: 7z2301-x64.exe, 00000000.00000003.1691781092.0000000004577000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 7z2301-x64.exe
Source: 7z2301-x64.exe, 00000000.00000003.1691781092.0000000004577000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FileVersionFileDescriptionOriginalFilename_winzip_.rsrcCOFF_SYMBOLSCERTIFICATE vs 7z2301-x64.exe
Source: 7z2301-x64.exe, 00000000.00000003.1691781092.0000000004577000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7z.dll, vs 7z2301-x64.exe
Source: 7z2301-x64.exe, 00000000.00000003.1691781092.0000000004577000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7z.exe, vs 7z2301-x64.exe
Source: 7z2301-x64.exe, 00000000.00000003.1691781092.0000000004577000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7z.sfx.exe, vs 7z2301-x64.exe
Source: 7z2301-x64.exe, 00000000.00000003.1691781092.0000000004577000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7zFM.exe, vs 7z2301-x64.exe
Source: 7z2301-x64.exe, 00000000.00000003.1691781092.0000000004577000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7zg.exe, vs 7z2301-x64.exe
Source: 7z2301-x64.exe, 00000000.00000003.1691781092.0000000004577000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUninstall.exe, vs 7z2301-x64.exe
Source: 7z2301-x64.exe, 00000000.00000002.2876503375.0000000000197000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7zipInstall.exe, vs 7z2301-x64.exe
Source: 7z2301-x64.exe	Binary or memory string: OriginalFilename7zipInstall.exe, vs 7z2301-x64.exe

Source: 7z2301-x64.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: clean19.spre.winEXE@1/109@0/0

Source: C:\Users\user\Desktop\7z2301-x64.exe

0_2_004017DE

Source: C:\Users\user\Desktop\7z2301-x64.exe

Code function: 0_2_004025C5 CoCreateInstance,

0_2_004025C5

Source: 7z2301-x64.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\7z2301-x64.exe

File read: C:\Program Files\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\7z2301-x64.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\7z2301-x64.exe

File read: C:\Users\user\Desktop\7z2301-x64.exe

Jump to behavior

Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: drprov.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: ntlanman.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: davclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: playtodevice.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: devdispitemprovider.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: portabledeviceapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: networkexplorer.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: audiodev.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: wmvcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: wmasf.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Section loaded: mfperfhelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\7z2301-x64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32

Jump to behavior

Source: 7-Zip File Manager.lnk.0.dr	LNK file: ..\..\..\..\..\..\Program Files\7-Zip\7zFM.exe
Source: 7-Zip Help.lnk.0.dr	LNK file: ..\..\..\..\..\..\Program Files\7-Zip\7-zip.chm

Source: C:\Users\user\Desktop\7z2301-x64.exe	Automated click: Install
Source: C:\Users\user\Desktop\7z2301-x64.exe	Automated click: OK
Source: C:\Users\user\Desktop\7z2301-x64.exe	Automated click: OK
Source: C:\Users\user\Desktop\7z2301-x64.exe	Automated click: OK
Source: C:\Users\user\Desktop\7z2301-x64.exe	Automated click: OK
Source: C:\Users\user\Desktop\7z2301-x64.exe	Automated click: OK
Source: C:\Users\user\Desktop\7z2301-x64.exe	Automated click: OK
Source: C:\Users\user\Desktop\7z2301-x64.exe	Automated click: OK
Source: C:\Users\user\Desktop\7z2301-x64.exe	Automated click: OK
Source: C:\Users\user\Desktop\7z2301-x64.exe	Automated click: OK
Source: C:\Users\user\Desktop\7z2301-x64.exe	Automated click: OK
Source: C:\Users\user\Desktop\7z2301-x64.exe	Automated click: OK
Source: C:\Users\user\Desktop\7z2301-x64.exe	Automated click: OK
Source: C:\Users\user\Desktop\7z2301-x64.exe	Automated click: OK
Source: C:\Users\user\Desktop\7z2301-x64.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: 7z2301-x64.exe

Static file information: File size 1589510 > 1048576

Source: C:\Users\user\Desktop\7z2301-x64.exe

Code function: 0_2_00401FB1 GetSystemDirectoryW,lstrlenW,lstrcpyW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,malloc,free,

0_2_00401FB1

Source: 7-zip32.dll.0.dr	Static PE information: section name: .sxdata
Source: 7z.sfx.0.dr	Static PE information: section name: .sxdata
Source: 7zCon.sfx.0.dr	Static PE information: section name: .sxdata

Source: C:\Users\user\Desktop\7z2301-x64.exe

Code function: 0_2_004072E0 push eax; ret

0_2_0040730E

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\7z2301-x64.exe	System file written: C:\Program Files\7-Zip\7-zip.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	System file written: C:\Program Files\7-Zip\7z.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	System file written: C:\Program Files\7-Zip\7z.exe	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	System file written: C:\Program Files\7-Zip\7-zip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	System file written: C:\Program Files\7-Zip\7zG.exe	Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	System file written: C:\Program Files\7-Zip\7zFM.exe	Jump to behavior

Source: C:\Users\user\Desktop\7z2301-x64.exe	File created: C:\Program Files\7-Zip\7-zip.dll	Jump to dropped file
Source: C:\Users\user\Desktop\7z2301-x64.exe	File created: C:\Program Files\7-Zip\7z.sfx	Jump to dropped file
Source: C:\Users\user\Desktop\7z2301-x64.exe	File created: C:\Program Files\7-Zip\7z.dll	Jump to dropped file
Source: C:\Users\user\Desktop\7z2301-x64.exe	File created: C:\Program Files\7-Zip\7z.exe	Jump to dropped file
Source: C:\Users\user\Desktop\7z2301-x64.exe	File created: C:\Program Files\7-Zip\7-zip32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\7z2301-x64.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\7z2301-x64.exe	File created: C:\Program Files\7-Zip\7zCon.sfx	Jump to dropped file
Source: C:\Users\user\Desktop\7z2301-x64.exe	File created: C:\Program Files\7-Zip\7zG.exe	Jump to dropped file
Source: C:\Users\user\Desktop\7z2301-x64.exe	File created: C:\Program Files\7-Zip\7zFM.exe	Jump to dropped file

Source: C:\Users\user\Desktop\7z2301-x64.exe	File created: C:\Program Files\7-Zip\7z.sfx			Jump to dropped file
Source: C:\Users\user\Desktop\7z2301-x64.exe	File created: C:\Program Files\7-Zip\7zCon.sfx			Jump to dropped file

Source: C:\Users\user\Desktop\7z2301-x64.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7-zip.dll	Jump to dropped file
Source: C:\Users\user\Desktop\7z2301-x64.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.sfx	Jump to dropped file
Source: C:\Users\user\Desktop\7z2301-x64.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.dll	Jump to dropped file
Source: C:\Users\user\Desktop\7z2301-x64.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.exe	Jump to dropped file
Source: C:\Users\user\Desktop\7z2301-x64.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\7z2301-x64.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7-zip32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\7z2301-x64.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7zCon.sfx	Jump to dropped file
Source: C:\Users\user\Desktop\7z2301-x64.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7zG.exe	Jump to dropped file
Source: C:\Users\user\Desktop\7z2301-x64.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7zFM.exe	Jump to dropped file

Source: 7z2301-x64.exe, 00000000.00000002.2876920400.0000000000823000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\MusicsProd_VMware_SATA
Source: 7z2301-x64.exe, 00000000.00000003.1747576765.000000000083E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: }\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 7z2301-x64.exe, 00000000.00000003.2353941581.0000000000865000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}(
Source: 7z2301-x64.exe, 00000000.00000003.2353941581.0000000000865000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 7z2301-x64.exe, 00000000.00000003.2070595360.000000000083C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:x
Source: 7z2301-x64.exe, 00000000.00000002.2876920400.0000000000861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD0hh
Source: 7z2301-x64.exe, 00000000.00000003.1987033584.0000000005115000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}&&
Source: 7z2301-x64.exe, 00000000.00000003.2353941581.0000000000865000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}KK
Source: 7z2301-x64.exe, 00000000.00000002.2877690760.0000000005079000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}yz
Source: 7z2301-x64.exe, 00000000.00000002.2877690760.0000000005079000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}`
Source: 7z2301-x64.exe, 00000000.00000003.2101798092.0000000000870000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#4&224f==
Source: 7z2301-x64.exe, 00000000.00000003.2234627664.0000000000861000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Prod_VMware_SATA_CD0==
Source: 7z2301-x64.exe, 00000000.00000002.2876920400.00000000007CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:o
Source: 7z2301-x64.exe, 00000000.00000003.1747032469.0000000000873000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}en
Source: 7z2301-x64.exe, 00000000.00000003.2353941581.0000000000865000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: 7z2301-x64.exe, 00000000.00000003.2070595360.000000000083C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 7z2301-x64.exe, 00000000.00000002.2876920400.00000000007CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:<S
Source: 7z2301-x64.exe, 00000000.00000002.2876920400.00000000007CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0uWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: 7z2301-x64.exe, 00000000.00000002.2877690760.0000000005079000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}``U
Source: 7z2301-x64.exe, 00000000.00000002.2876920400.00000000007CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:&
Source: 7z2301-x64.exe, 00000000.00000003.2318928092.0000000000864000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %1!ls! (%2!c!:) %3!ls!Prod_VMware_SATA_CD0==
Source: 7z2301-x64.exe, 00000000.00000003.1688177644.0000000002734000.00000004.00000020.00020000.00000000.sdmp, History.txt.0.dr	Binary or memory string: - 7-Zip now can extract VHDX disk images (Microsoft Hyper-V Virtual Hard Disk v2 format).
Source: 7z2301-x64.exe, 00000000.00000003.2234627664.0000000000844000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}$$

Source: C:\Users\user\Desktop\7z2301-x64.exe

Code function: 0_2_00401FB1 GetSystemDirectoryW,lstrlenW,lstrcpyW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,malloc,free,

0_2_00401FB1

Source: C:\Users\user\Desktop\7z2301-x64.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\7z2301-x64.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\7z2301-x64.exe

Code function: 0_2_00405B75 GetVersion,GetModuleHandleW,GetProcAddress,GetSystemDirectoryW,LoadLibraryExW,

0_2_00405B75

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	1 Taint Shared Content	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Access Token Manipulation	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
7z2301-x64.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files\7-Zip\7-zip.dll	0%	ReversingLabs
C:\Program Files\7-Zip\7-zip32.dll	0%	ReversingLabs
C:\Program Files\7-Zip\7z.dll	0%	ReversingLabs
C:\Program Files\7-Zip\7z.exe	0%	ReversingLabs
C:\Program Files\7-Zip\7z.sfx	0%	ReversingLabs
C:\Program Files\7-Zip\7zCon.sfx	0%	ReversingLabs
C:\Program Files\7-Zip\7zFM.exe	0%	ReversingLabs
C:\Program Files\7-Zip\7zG.exe	0%	ReversingLabs
C:\Program Files\7-Zip\Uninstall.exe	0%	ReversingLabs

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.gnu.org/	7z2301-x64.exe, 00000000.00000003.1688177644.0000000002734000.00000004.00000020.00020000.00000000.sdmp, License.txt.0.dr	false		high
https://www.7-zip.org/	7z2301-x64.exe, 00000000.00000003.1691781092.0000000004577000.00000004.00000020.00020000.00000000.sdmp, 7zFM.exe.0.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428447
Start date and time:	2024-04-18 23:56:01 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	7z2301-x64.exe
Detection:	CLEAN
Classification:	clean19.spre.winEXE@1/109@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 25 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 7z2301-x64.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files\7-Zip\7-zip.dll	https://file.io/RqcRlWKFS2O2	Get hash	malicious	Unknown	Browse
	MDE_File_Sample_bc53e2be5cb94cf3349e488ff4045ef63b86a07b.zip	Get hash	malicious	Unknown	Browse
	SPARKtApplication.exe	Get hash	malicious	Unknown	Browse
	7z2301-x64.exe	Get hash	malicious	Mars Stealer, Vidar	Browse
	7z2301-x64.exe	Get hash	malicious	Mars Stealer, Vidar	Browse
C:\Program Files\7-Zip\7z.dll	SecuriteInfo.com.Win64.Malware-gen.28496.11808.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Malware-gen.28496.11808.exe	Get hash	malicious	Unknown	Browse
	https://file.io/RqcRlWKFS2O2	Get hash	malicious	Unknown	Browse
	MDE_File_Sample_bc53e2be5cb94cf3349e488ff4045ef63b86a07b.zip	Get hash	malicious	Unknown	Browse
	SPARKtApplication.exe	Get hash	malicious	Unknown	Browse
	7z2301-x64.exe	Get hash	malicious	Mars Stealer, Vidar	Browse
	7z2301-x64.exe	Get hash	malicious	Mars Stealer, Vidar	Browse
C:\Program Files\7-Zip\7-zip32.dll	https://file.io/RqcRlWKFS2O2	Get hash	malicious	Unknown	Browse
	MDE_File_Sample_bc53e2be5cb94cf3349e488ff4045ef63b86a07b.zip	Get hash	malicious	Unknown	Browse
	SPARKtApplication.exe	Get hash	malicious	Unknown	Browse
	7z2301-x64.exe	Get hash	malicious	Mars Stealer, Vidar	Browse
	7z2301-x64.exe	Get hash	malicious	Mars Stealer, Vidar	Browse

Process:	C:\Users\user\Desktop\7z2301-x64.exe
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	115300
Entropy (8bit):	7.880920405972669
Encrypted:	false
SSDEEP:	1536:J+rROVdkoexI6ypm/HR/O/E0R9cRWTU4ioFLZbSOnLvkgB7p0gv2N6pZGMeG0/S:eYTk9r9/NE96WB5nxL3NpfW6veGZ
MD5:	DA6AEC447474DF298ECA9F18C2FDA0A9
SHA1:	C1E918FC600856A85A00A89AF6CE623A4349126B
SHA-256:	20C7B0DC8B584975803F3D8DDE90BAD423CC16C0ADDE5B33899428FCF61E485E
SHA-512:	C88D73183194B368D65DA29D5573FF4598574B579D0B1824890C9915E06CEE63F235702BFE78C943994C3FE1849D9773FDDC0343E0CFD28735BCECCF38D06DC1
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	ITSF....`................\|.{.......".....\|.{......."..`.......(...............T ......................d.......................,...................j..].!......."..T.....................U.n.c.o.m.p.r.e.s.s.e.d.....M.S.C.o.m.p.r.e.s.s.e.d...{.7.F.C.2.8.9.4.0.-.9.D.3.1.-.1.1.D.0.............LZXC.......................j..A.`#.._...I...$CZ5...-B.XI....+Q.U.!^{..o..Dzq.C(jW..I.^.....!....0...c=....Oq93.I.p`.E...}.O..+.5Y.%jU.X.hb5%6...V.G."..^...X.$.V,.....[#...8...="dk..=....2kl...I.@........D#`F.D2...nJ.H]V...@..................P....uo'.;m..8.......v...._.7....o\|.7.....\|.o..e..i.......W.5.Z.B. ...-........^.._.S.e^....5k.X.G.1..._\|..iV..H.....M.vk.R.._.o....&.cd..`e..+...M^......~l. a8..&3..].$QI..d.:..G......+..C.......H>rjeQ.;.O#....($.R...:q~.UE.Xf^..3..5.L.....W....i..Y..,>..8.o..'%.^sj.[q...o.4..I....=......\|......)Z,l#)8.....a.....Uc.ke.._....ZC..5.E.(fe.../...[........X....7;........Y/.?Q.....JJ..vj...*J..W....?.yy'J.`J.]..{.4.i$.m...

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.99617273831884
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	7z2301-x64.exe
File size:	1'589'510 bytes
MD5:	e5788b13546156281bf0a4b38bdd0901
SHA1:	7df28d340d7084647921cc25a8c2068bb192bdbb
SHA256:	26cb6e9f56333682122fafe79dbcdfd51e9f47cc7217dccd29ac6fc33b5598cd
SHA512:	1f4da167ff2f1d34eeaf76c3003ba5fcabfc7a7da40e73e317aa99c6e1321cdf97e00f4feb9e79e1a72240e0376af0c3becb3d309e5bb0385e5192da17ea77ff
SSDEEP:	49152:RoOF3Wh8esAMmyyImtH97VTjrtlEfmSX4b:RoYWh8JAV/VH97F3tlQ+b
TLSH:	AF7533CC2B03CA29FDC71671E501E4A6DCFF69928D4C978F4B986E98B771531AE10217
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Jch.............a...............a.........Y.........\.....[.....8$..............Rich....................PE..L...pN.d........../

Entrypoint:	0x407394
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT
Time Stamp:	0x64914E70 [Tue Jun 20 07:00:00 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	cf0d2de4fd6406302012e0f40060395f

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8c44	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd000	0xfe8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x14c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x652c	0x6600	445aae033e52fca0b62f15545d14e511	False	0.6483992034313726	data	6.591966668904185	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1346	0x1400	e3a3ff91203697a886881dccab0c68c5	False	0.4126953125	data	4.616946763777193	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x28f0	0x200	598e1aae6ecbd8237c4383f4be94b9f1	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd000	0xfe8	0x1000	e4b28bceb799a21c6b34f15d6010fa18	False	0.373046875	data	4.367210431828476	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd480	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.16532258064516128
RT_ICON	0xd768	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.32094594594594594
RT_DIALOG	0xd8b8	0x176	data	English	United States	0.5802139037433155
RT_GROUP_ICON	0xd890	0x22	data	English	United States	1.0
RT_VERSION	0xd1b0	0x2d0	data	English	United States	0.4652777777777778
RT_MANIFEST	0xda30	0x5b2	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.47462277091906724

DLL	Import
ole32.dll	CoCreateInstance, CoInitialize
USER32.dll	PeekMessageW, ExitWindowsEx, GetDlgItemTextW, SetWindowTextW, ShowWindow, MessageBoxW, CreateDialogParamW, LoadIconW, SendMessageW, GetMessageW, EnableWindow, GetDlgItem, IsDialogMessageW, TranslateMessage, DispatchMessageW, SetDlgItemTextW, DestroyWindow
ADVAPI32.dll	RegSetValueExW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegQueryValueExW, RegOpenKeyExW, RegCloseKey, RegCreateKeyExW
SHELL32.dll	SHGetFolderPathW, SHBrowseForFolderW, SHGetPathFromIDListW
MSVCRT.dll	_exit, _XcptFilter, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, memcpy, memcmp, memmove, malloc, free, exit, memset
KERNEL32.dll	ReadFile, CloseHandle, CreateFileW, FormatMessageW, WriteFile, DeleteFileW, CreateDirectoryW, GetSystemDirectoryW, LoadLibraryW, GetModuleFileNameW, GetFileAttributesW, SetFilePointer, GetVersion, LoadLibraryExW, GetModuleHandleA, GetStartupInfoA, LocalFree, SetFileAttributesW, SetFileTime, MoveFileExW, GetLastError, lstrcatW, GetCommandLineW, lstrcpyW, GetModuleHandleW, GetProcAddress, GetCurrentProcess, lstrlenW

Target ID:	0
Start time:	23:56:48
Start date:	18/04/2024
Path:	C:\Users\user\Desktop\7z2301-x64.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\7z2301-x64.exe"
Imagebase:	0x400000
File size:	1'589'510 bytes
MD5 hash:	E5788B13546156281BF0A4B38BDD0901
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Execution Coverage:	27.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	29.1%
Total number of Nodes:	292
Total number of Limit Nodes:	12

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 7z2301-x64.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\7-Zip\7-zip.chm

C:\Program Files\7-Zip\7-zip.dll

C:\Program Files\7-Zip\7-zip32.dll

C:\Program Files\7-Zip\7z.dll

C:\Program Files\7-Zip\7z.exe

C:\Program Files\7-Zip\7z.sfx

C:\Program Files\7-Zip\7zCon.sfx

C:\Program Files\7-Zip\7zFM.exe

C:\Program Files\7-Zip\7zG.exe

C:\Program Files\7-Zip\History.txt

C:\Program Files\7-Zip\Lang\af.txt

C:\Program Files\7-Zip\Lang\an.txt

C:\Program Files\7-Zip\Lang\ar.txt

C:\Program Files\7-Zip\Lang\ast.txt

C:\Program Files\7-Zip\Lang\az.txt

C:\Program Files\7-Zip\Lang\ba.txt

C:\Program Files\7-Zip\Lang\be.txt

C:\Program Files\7-Zip\Lang\bg.txt

C:\Program Files\7-Zip\Lang\bn.txt

C:\Program Files\7-Zip\Lang\br.txt

C:\Program Files\7-Zip\Lang\ca.txt

C:\Program Files\7-Zip\Lang\co.txt

C:\Program Files\7-Zip\Lang\cs.txt

C:\Program Files\7-Zip\Lang\cy.txt

C:\Program Files\7-Zip\Lang\da.txt

C:\Program Files\7-Zip\Lang\de.txt

Windows Analysis Report
7z2301-x64.exe

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre