Malware analysis setup.rar Malicious activity | ANY.RUN

Add for printing

File name:	setup.rar
Full analysis:	https://app.any.run/tasks/d023e6a3-2b2b-49e8-889d-32ca517d59ff
Verdict:	Malicious activity
Analysis date:	July 25, 2024, 20:21:37
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	0524037A5D3227003AED8466C8378895
SHA1:	ED94257DECCC7A63F0FA8C0917A6B01B17CA4B96
SHA256:	3C7AE3DFDD28DE85D57D0DDBDA47C93EF689B3C280D3C9969BD2747AF908D57D
SSDEEP:	98304:T+hNk4bnlu5YmEqMRxpUxOoDNARHM9nfe795dEN11TFU4HwIKkpWwG7er/gvJEof:Q6p06K3/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 5564)
  - Setup.exe (PID: 6344)
SUSPICIOUS
- Process drops legitimate windows executable
  - WinRAR.exe (PID: 5564)
- Executable content was dropped or overwritten
  - Setup.exe (PID: 6344)
- Starts application with an unusual extension
  - Setup.exe (PID: 6344)
  - Setup.exe (PID: 4544)
INFO
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 5564)
- Creates files in the program directory
  - Setup.exe (PID: 6344)
  - Setup.exe (PID: 4544)
- Creates files or folders in the user directory
  - Setup.exe (PID: 6344)
- Checks supported languages
  - Setup.exe (PID: 6344)
  - StrCmp.exe (PID: 6860)
  - more.com (PID: 6296)
  - Setup.exe (PID: 4544)
  - StrCmp.exe (PID: 6036)
  - more.com (PID: 3384)
- Reads the computer name
  - Setup.exe (PID: 6344)
  - StrCmp.exe (PID: 6860)
  - more.com (PID: 6296)
  - Setup.exe (PID: 4544)
  - more.com (PID: 3384)
  - StrCmp.exe (PID: 6036)
- Create files in a temporary directory
  - Setup.exe (PID: 6344)
  - more.com (PID: 6296)
  - Setup.exe (PID: 4544)
  - more.com (PID: 3384)
- Manual execution by a user
  - Setup.exe (PID: 4544)
  - Setup.exe (PID: 6344)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

146

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

3384

C:\WINDOWS\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

—

Setup.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

More Utility

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\more.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\ulib.dll

4296

C:\WINDOWS\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

—

more.com

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Windows Search Indexer

Version:

7.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\users\admin\appdata\local\temp\lgi
c:\windows\syswow64\searchindexer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll

4544

"C:\Users\admin\Desktop\setup\Setup.exe"

C:\Users\admin\Desktop\setup\Setup.exe

—

explorer.exe

User:

admin

Company:

CANON INC.

Integrity Level:

MEDIUM

Description:

Universal Installer Windows

Exit code:

Version:

2.5.30.7

Modules

Images
c:\users\admin\desktop\setup\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

4552

C:\WINDOWS\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

—

more.com

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Windows Search Indexer

Version:

7.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\users\admin\appdata\local\temp\dwhlaqaqmqb

5564

"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\setup.rar

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

5648

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

more.com

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6036

C:\Users\admin\AppData\Roaming\nloud\ZGJPUSRSRWGVPEFRDY\StrCmp.exe

—

Setup.exe

User:

admin

Company:

aaa

Integrity Level:

MEDIUM

Exit code:

Version:

1.00

Modules

Images
c:\users\admin\appdata\roaming\nloud\zgjpusrsrwgvpefrdy\strcmp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvbvm60.dll
c:\windows\syswow64\user32.dll

6296

C:\WINDOWS\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

—

Setup.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

More Utility

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\more.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

6344

"C:\Users\admin\Desktop\setup\Setup.exe"

C:\Users\admin\Desktop\setup\Setup.exe

explorer.exe

User:

admin

Company:

CANON INC.

Integrity Level:

HIGH

Description:

Universal Installer Windows

Exit code:

Version:

2.5.30.7

Modules

Images
c:\users\admin\desktop\setup\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

6468

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

Add for printing

Total events

5 761

Read events

5 737

Write events

Delete events

Modification events


(PID) Process:	(5564) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(5564) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(5564) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(5564) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\setup.rar
(PID) Process:	(5564) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(5564) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(5564) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(5564) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(5564) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:	write	Name:	Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE4FFFFFF78000000A403000061020000
(PID) Process:	(5564) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\General
Operation:	write	Name:	LastFolder
Value: C:\Users\admin\AppData\Local\Temp

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6296	more.com	C:\Users\admin\AppData\Local\Temp\lgi		—
		MD5:—	SHA256:—
3384	more.com	C:\Users\admin\AppData\Local\Temp\dwhlaqaqmqb		—
		MD5:—	SHA256:—
5564	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5564.22393\setup\plugins\lang-1049.dll		executable
		MD5:0AC98A4BFC717523E344010A42C2F4BA	SHA256:68546336232AA2BE277711AFA7C1F08ECD5FCC92CC182F90459F0C61FB39507F
5564	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5564.22393\setup\caftan.html		binary
		MD5:0EFA25FB647F55E05A0EB1237989D257	SHA256:6428C618AD7FF64008619DA3E9F5B50C0AFBC03CA5B9E0494D1823F71A5B002D
5564	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5564.22393\setup\holoplankton.iso		binary
		MD5:97F629FBD4F49D8F13A82DEA496E929D	SHA256:AF7FE78241059B6C27B11F87052E67F6A28D5EC9C307EBEA03DA4BB452C20F72
5564	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5564.22393\setup\UIxMarketPlugin.dll		executable
		MD5:4C96E767E3DB9A540C65FE5BED7A408E	SHA256:37E11B7B717FE7E8C1F74DCC5BA80CD3BB0DA196B33D548EB3E2A2FBAC5B779C
6344	Setup.exe	C:\Users\admin\AppData\Roaming\nloud\caftan.html		binary
		MD5:0EFA25FB647F55E05A0EB1237989D257	SHA256:6428C618AD7FF64008619DA3E9F5B50C0AFBC03CA5B9E0494D1823F71A5B002D
5564	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa5564.22393\setup\Setup.exe		executable
		MD5:9FB4770CED09AAE3B437C1C6EB6D7334	SHA256:A05B592A971FE5011554013BCFE9A4AAF9CFC633BDD1FE3A8197F213D557B8D3
6344	Setup.exe	C:\Users\admin\AppData\Local\Temp\c926b32b		binary
		MD5:545C8B7F00E2ED498315C42ED5C99990	SHA256:7D6072687F714733937B370C8C7BD6EA3B5D6BD06C1316CC17690FA43B97D690
6344	Setup.exe	C:\Users\admin\AppData\Roaming\nloud\relay.dll		executable
		MD5:7D2F87123E63950159FB2C724E55BDAB	SHA256:B3483BB771948ED8D3F76FAAA3606C8EF72E3D2D355EAA652877E21E0651AA9A

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5368	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
5272	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5272	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
1568	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
5552	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4516	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6012	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4360	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	104.126.37.177:443	—	Akamai International B.V.	DE	unknown
4204	svchost.exe	4.209.33.156:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
3952	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4516	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4468	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 4.231.128.59 51.124.78.146	whitelisted
google.com	142.250.185.110	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted
www.bing.com	104.126.37.128 104.126.37.137 104.126.37.153 104.126.37.129 104.126.37.131 104.126.37.144 104.126.37.136 104.126.37.145 104.126.37.139	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	20.190.160.22 40.126.32.138 20.190.160.14 40.126.32.72 40.126.32.76 20.190.160.20 40.126.32.74 40.126.32.68	whitelisted
client.wns.windows.com	40.113.110.67	whitelisted
arc.msn.com	20.223.35.26	whitelisted
fd.api.iris.microsoft.com	20.24.121.134	whitelisted
go.microsoft.com	184.28.89.167	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

setup.rar

0524037A5D3227003AED8466C8378895

ED94257DECCC7A63F0FA8C0917A6B01B17CA4B96

3C7AE3DFDD28DE85D57D0DDBDA47C93EF689B3C280D3C9969BD2747AF908D57D

98304:T+hNk4bnlu5YmEqMRxpUxOoDNARHM9nfe795dEN11TFU4HwIKkpWwG7er/gvJEof:Q6p06K3/

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

SUSPICIOUS

Process drops legitimate windows executable

Executable content was dropped or overwritten

Starts application with an unusual extension

INFO

Executable content was dropped or overwritten

Creates files in the program directory

Creates files or folders in the user directory

Checks supported languages

Reads the computer name

Create files in a temporary directory

Manual execution by a user

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings