Sample: wrarulabinstps.exe

Full analysis: https://app.any.run/tasks/73f6b11f-40a2-4f8a-aea6-f2db8dc485e4
Verdict: Malicious activity
Threats: Loader

A loader is malicious software that infiltrates a device in order to deliver further malicious payloads. Such malware can profile the victim's system and install other threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to trick users into downloading and running the executable. Loaders employ evasion and persistence techniques to avoid detection.

Analysis date: January 05, 2020, 22:34:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: B81A2206223CAFC5D9E28777D4E176AC
SHA1: 63CF5D620803700FBA81B3E2635ABD320BD40895
SHA256: 5F1BC69678335CB3931931F29F55DAB866DE5D536D9BA7D0E4D33B7403BBFEE5
SSDEEP: 24576:XVSE9Bz2BmRFz73NtmVUPF53iHDBiN8/NmBtXfEw+NpLWqd8tlZB4Xs+pVVb40BA:kE9Bz2BmnzNtv3KDS8/N8sw+NpLWqWBB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • wrar540.exe (PID: 3796)
      • uninstall.exe (PID: 3672)
      • netsvc.exe (PID: 3884)
      • sgdsvc.exe (PID: 3796)
      • netsvc.exe (PID: 436)
      • sgdsvc.exe (PID: 2788)
      • updsvc.exe (PID: 2508)
      • sgdsvc.exe (PID: 2748)
      • updsvc.exe (PID: 236)
      • updsvc.exe (PID: 3744)
      • sgdtray.exe (PID: 332)
      • certutil.exe (PID: 2740)
      • certutil.exe (PID: 2608)
      • certutil.exe (PID: 1856)
      • certutil.exe (PID: 2428)
      • sgdtray.exe (PID: 4016)
      • sgdtray.exe (PID: 1600)
      • sgdtray.exe (PID: 2600)
    • Changes settings of System certificates

      • wrarulabinstps.exe (PID: 956)
      • netsvc.exe (PID: 436)
    • Downloads executable files from the Internet

      • wrarulabinstps.exe (PID: 956)
    • Starts NET.EXE for service management

      • sgdsvc.exe (PID: 3796)
      • sgdsvc.exe (PID: 2748)
    • Loads dropped or rewritten executable

      • sgdsvc.exe (PID: 3796)
      • netsvc.exe (PID: 436)
      • netsvc.exe (PID: 3884)
      • sgdsvc.exe (PID: 2748)
      • sgdtray.exe (PID: 332)
      • certutil.exe (PID: 2740)
      • sgdtray.exe (PID: 4016)
      • certutil.exe (PID: 2608)
      • certutil.exe (PID: 1856)
      • certutil.exe (PID: 2428)
      • sgdtray.exe (PID: 1600)
      • sgdtray.exe (PID: 2600)
    • Changes the autorun value in the registry

      • reg.exe (PID: 2880)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • wrar540.exe (PID: 3796)
      • wrarulabinstps.exe (PID: 956)
      • msiexec.exe (PID: 1912)
      • sgdsvc.exe (PID: 3796)
      • MsiExec.exe (PID: 3116)
    • Reads internet explorer settings

      • wrarulabinstps.exe (PID: 956)
      • wrarulabinstps.exe (PID: 2408)
    • Adds / modifies Windows certificates

      • wrarulabinstps.exe (PID: 956)
    • Creates COM task schedule object

      • uninstall.exe (PID: 3672)
    • Creates files in the user directory

      • uninstall.exe (PID: 3672)
      • MSIFBCF.tmp (PID: 3048)
      • msiexec.exe (PID: 1912)
      • sgdtray.exe (PID: 332)
      • certutil.exe (PID: 2428)
      • certutil.exe (PID: 2740)
      • Skype.exe (PID: 2580)
      • Skype.exe (PID: 2536)
      • Skype.exe (PID: 1324)
    • Starts Microsoft Installer

      • wrarulabinstps.exe (PID: 956)
    • Creates files in the program directory

      • wrar540.exe (PID: 3796)
      • uninstall.exe (PID: 3672)
      • netsvc.exe (PID: 436)
      • sgdsvc.exe (PID: 3796)
      • wrarulabinstps.exe (PID: 956)
      • updsvc.exe (PID: 3744)
      • sgdsvc.exe (PID: 2748)
    • Modifies the open verb of a shell class

      • uninstall.exe (PID: 3672)
      • Skype.exe (PID: 1324)
    • Creates a software uninstall entry

      • uninstall.exe (PID: 3672)
    • Changes the autorun value in the registry

      • msiexec.exe (PID: 1912)
    • Creates files in the Windows directory

      • sgdsvc.exe (PID: 3796)
    • Creates files in the driver directory

      • sgdsvc.exe (PID: 3796)
    • Executed as Windows Service

      • netsvc.exe (PID: 436)
      • sgdsvc.exe (PID: 2748)
      • updsvc.exe (PID: 3744)
    • Application launched itself

      • Skype.exe (PID: 1324)
      • Skype.exe (PID: 2580)
      • Skype.exe (PID: 2536)
    • Reads CPU info

      • Skype.exe (PID: 1324)
    • Uses REG.EXE to modify Windows registry

      • Skype.exe (PID: 1324)
  • INFO

    • Application launched itself

      • msiexec.exe (PID: 1912)
    • Starts application with an unusual extension

      • msiexec.exe (PID: 1912)
    • Application was dropped or rewritten from another process

      • MSIFBCF.tmp (PID: 3048)
    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 2184)
      • MsiExec.exe (PID: 3116)
    • Creates files in the program directory

      • msiexec.exe (PID: 1912)
      • MsiExec.exe (PID: 3116)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 1912)
    • Manual execution by user

      • wrarulabinstps.exe (PID: 4012)
      • sgdtray.exe (PID: 4016)
      • wrarulabinstps.exe (PID: 2408)
      • Skype.exe (PID: 1324)
      • sgdtray.exe (PID: 1600)
      • sgdtray.exe (PID: 2600)
    • Reads the hosts file

      • Skype.exe (PID: 1324)
    • Reads settings of System Certificates

      • Skype.exe (PID: 1324)
    • Dropped object may contain Bitcoin addresses

      • Skype.exe (PID: 1324)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | InstallShield setup (54.3)
.exe | Win64 Executable (generic) (34.8)
.exe | Win32 Executable (generic) (5.6)
.exe | Generic Win/DOS Executable (2.5)
.exe | DOS Executable Generic (2.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:05:28 17:44:26+02:00
PEType: PE32
LinkerVersion: 10
CodeSize: 581120
InitializedDataSize: 499712
UninitializedDataSize: -
EntryPoint: 0x693de
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.39.0
ProductVersionNumber: 1.0.39.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: WinRAR UTILILAB Installer
FileVersion: 1.0.39
InternalName: WinRAR UTILILAB Installer
LegalCopyright: UTILILAB GmbH Copyright (C) 2019
OriginalFileName: installer.exe
ProductName: WinRAR UTILILAB Installer
ProductVersion: 1.0.39

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 28-May-2019 15:44:26
Detected languages:
  • English - United States
TLS Callbacks: 1 callback(s) detected.
FileDescription: WinRAR UTILILAB Installer
FileVersion: 1.0.39
InternalName: WinRAR UTILILAB Installer
LegalCopyright: UTILILAB GmbH Copyright (C) 2019
OriginalFilename: installer.exe
ProductName: WinRAR UTILILAB Installer
ProductVersion: 1.0.39

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000108

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 28-May-2019 15:44:26
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x0008DDEC | 0x0008DE00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.65308
.rdata | 0x0008F000 | 0x00027A90 | 0x00027C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.53051
.data | 0x000B7000 | 0x00009744 | 0x00006C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.9115
.tls | 0x000C1000 | 0x00000002 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.rsrc | 0x000C2000 | 0x0003BF80 | 0x0003C000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.75581
.reloc | 0x000FE000 | 0x0000F404 | 0x0000F600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 4.91616

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.17972 | 881 | Latin 1 / Western European | English - United States | RT_MANIFEST
2 | 5.22627 | 744 | Latin 1 / Western European | English - United States | RT_ICON
3 | 3.69555 | 296 | Latin 1 / Western European | English - United States | RT_ICON
4 | 7.97794 | 44913 | Latin 1 / Western European | English - United States | RT_ICON
5 | 6.10452 | 3752 | Latin 1 / Western European | English - United States | RT_ICON
6 | 6.45457 | 2216 | Latin 1 / Western European | English - United States | RT_ICON
7 | 4.8163 | 1384 | Latin 1 / Western European | English - United States | RT_ICON
8 | 7.99254 | 62917 | Latin 1 / Western European | English - United States | RT_ICON
9 | 1.34631 | 50 | Latin 1 / Western European | English - United States | RT_STRING
10 | 6.05594 | 4264 | Latin 1 / Western European | English - United States | RT_ICON
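The Entropy column in the Sections and Resources tables above is Shannon entropy over each section's raw bytes, and it is the usual first signal for compressed, encrypted or packed content. The script below is an added example, not ANY.RUN's tooling or any code from the sample: it walks the PE section table with the standard library only and reproduces that column for any PE32/PE32+ file, with a constructed minimal image used when no path is given (the 7.0 cut-off is an assumption, not a published threshold). One caveat when reading this sample's figures: .rsrc is the only section above 7.0, and the two large RT_ICON entries (44913 and 62917 bytes at 7.98 and 7.99) are exactly what PNG-compressed high-resolution icons look like; the listed resources also total only about 121 KB of the 0x3BF80-byte section, so dump the rest of .rsrc before treating the number as evidence of a packed payload.

```python
"""Per-section Shannon entropy from a PE section table.

Added example (not ANY.RUN code). Standard library only; the offsets follow
the documented PE32 header layout. build_test_pe constructs a tiny synthetic
image (not this sample) so the script runs offline.
"""
import math
import struct
from collections import Counter

SECTION_FLAGS = [
    (0x00000020, 'IMAGE_SCN_CNT_CODE'),
    (0x00000040, 'IMAGE_SCN_CNT_INITIALIZED_DATA'),
    (0x00000080, 'IMAGE_SCN_CNT_UNINITIALIZED_DATA'),
    (0x02000000, 'IMAGE_SCN_MEM_DISCARDABLE'),
    (0x20000000, 'IMAGE_SCN_MEM_EXECUTE'),
    (0x40000000, 'IMAGE_SCN_MEM_READ'),
    (0x80000000, 'IMAGE_SCN_MEM_WRITE'),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics, raw bytes)."""
    if image[:2] != b'MZ':
        raise ValueError('no MZ header')
    e_lfanew = struct.unpack_from('<I', image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('no PE signature')
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER, 20 bytes
    nsections = struct.unpack_from('<H', image, coff + 2)[0]
    opt_size = struct.unpack_from('<H', image, coff + 16)[0]
    table = coff + 20 + opt_size              # IMAGE_SECTION_HEADER array, 40 bytes each
    for i in range(nsections):
        off = table + 40 * i
        name, vsize, vaddr, rsize, rptr = struct.unpack_from('<8sIIII', image, off)
        chars = struct.unpack_from('<I', image, off + 36)[0]
        yield (name.rstrip(b'\0').decode('ascii', 'replace'),
               vaddr, vsize, rsize, chars, image[rptr:rptr + rsize])


def section_report(image: bytes, threshold: float = 7.0) -> list:
    """One dict per section; 'high_entropy' is a triage flag, not a packer verdict."""
    rows = []
    for name, vaddr, vsize, rsize, chars, raw in pe_sections(image):
        ent = round(shannon_entropy(raw), 5)
        rows.append({
            'name': name, 'va': vaddr, 'vsize': vsize, 'rsize': rsize,
            'flags': [n for bit, n in SECTION_FLAGS if chars & bit],
            'entropy': ent,
            'high_entropy': ent >= threshold,  # assumed cut-off; PNG icons also score this high
        })
    return rows


def build_test_pe(sections) -> bytes:
    """Constructed, non-loadable PE32: DOS header, signature, COFF header, a
    zero-filled 0xE0-byte optional header (the size this sample reports), then
    the section table and 0x200-aligned raw data. For offline testing only."""
    opt_size, e_lfanew, align = 0xE0, 0x40, 0x200
    header_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    first_raw = -(-header_len // align) * align
    dos = b'MZ' + b'\0' * (0x3C - 2) + struct.pack('<I', e_lfanew)
    coff = struct.pack('<HHIIIHH', 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    table, body, rptr, va = b'', b'', first_raw, 0x1000
    for name, data, chars in sections:
        rsize = -(-len(data) // align) * align
        table += struct.pack('<8sIIIIIIHHI', name.ljust(8, b'\0'), len(data), va,
                             rsize, rptr, 0, 0, 0, 0, chars)
        body += data.ljust(rsize, b'\0')
        rptr += rsize
        va += max(0x1000, -(-len(data) // 0x1000) * 0x1000)
    header = dos + b'PE\0\0' + coff + b'\0' * opt_size + table
    return header.ljust(first_raw, b'\0') + body


if __name__ == '__main__':
    import sys
    if len(sys.argv) > 1:
        image = open(sys.argv[1], 'rb').read()   # e.g. the sample itself
    else:
        image = build_test_pe([(b'.text', bytes(range(256)) * 8, 0x60000020),
                               (b'.data', b'\x00\x01' * 256, 0xC0000040)])
    for r in section_report(image):
        print(f"{r['name']:<8} VA=0x{r['va']:08X} raw=0x{r['rsize']:08X} "
              f"entropy={r['entropy']:.5f}{'  HIGH' if r['high_entropy'] else ''}")
```

Run it with the sample path as the only argument to compare against the table above; with no argument it prints the two synthetic sections, the first of which (uniform bytes, entropy 8.0) is flagged.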

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
OLEAUT32.dll
PSAPI.DLL
RPCRT4.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
No data.
All screenshots are available in the full report
Total processes: 100
Monitored processes: 41
Malicious processes: 15
Suspicious processes: 5

Behavior graph

Process nodes in graph order ("no specs" marks nodes without a detail page; "drop and start" and "start" are edge labels): wrarulabinstps.exe; wrar540.exe; uninstall.exe (no specs); msiexec.exe (no specs); msiexec.exe; msifbcf.tmp; msiexec.exe (no specs); msiexec.exe; sgdsvc.exe; net.exe (no specs); net1.exe (no specs); netsvc.exe (no specs); net.exe (no specs); net1.exe (no specs); netsvc.exe (no specs); updsvc.exe (no specs); sgdsvc.exe (no specs); sgdsvc.exe; updsvc.exe (no specs); net.exe (no specs); updsvc.exe (no specs); net1.exe (no specs); sgdtray.exe; certutil.exe (no specs) x4; wrarulabinstps.exe (no specs); wrarulabinstps.exe; sgdtray.exe (no specs); skype.exe; skype.exe; reg.exe; skype.exe (no specs); reg.exe (no specs); skype.exe; skype.exe (no specs); skype.exe; sgdtray.exe (no specs); sgdtray.exe (no specs); wrarulabinstps.exe (no specs).

Process information

Each entry gives PID, command line, image path and parent process, followed by the process attributes and the first loaded modules.
PID 236 | CMD: "C:\Program Files\UTILILAB\ProtectedSEARCH\updsvc.exe" --start | Path: C:\Program Files\UTILILAB\ProtectedSEARCH\updsvc.exe | Parent: MsiExec.exe
User: SYSTEM
Company: UTILILAB GmbH
Integrity Level: SYSTEM
Description: UTILILAB Update Service
Exit code: 0
Version: 1.0.40
Loaded modules:
c:\program files\utililab\protectedsearch\updsvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID 332 | CMD: "C:\Program Files\UTILILAB\ProtectedSEARCH\sgdtray.exe" | Path: C:\Program Files\UTILILAB\ProtectedSEARCH\sgdtray.exe | Parent: wrarulabinstps.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Loaded modules:
c:\program files\utililab\protectedsearch\sgdtray.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID 436 | CMD: "C:\Program Files\UTILILAB\ProtectedSEARCH\netsvc.exe" | Path: C:\Program Files\UTILILAB\ProtectedSEARCH\netsvc.exe | Parent: services.exe
User: SYSTEM
Company: UtilTool Limited
Integrity Level: SYSTEM
Description: UtilTool Net Filter Service
Exit code: 0
Version: 1.2.162
Loaded modules:
c:\program files\utililab\protectedsearch\netsvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
PID 564 | CMD: msiexec /i C:\Users\admin\AppData\Local\Temp\ProtectedSEARCH.msi /qn | Path: C:\Windows\system32\msiexec.exe | Parent: wrarulabinstps.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Loaded modules:
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID 784 | CMD: "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1 | Path: C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | Parent: Skype.exe
User: admin
Company: Skype Technologies S.A.
Integrity Level: MEDIUM
Description: Skype
Exit code: 0
Version: 8.29.0.50
Loaded modules:
c:\program files\microsoft\skype for desktop\skype.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\skype for desktop\node.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\program files\microsoft\skype for desktop\msvcp140.dll
PID 956 | CMD: "C:\Users\admin\Desktop\wrarulabinstps.exe" | Path: C:\Users\admin\Desktop\wrarulabinstps.exe | Parent: explorer.exe
User: admin
Integrity Level: HIGH
Description: WinRAR UTILILAB Installer
Exit code: 0
Version: 1.0.39
Loaded modules:
c:\users\admin\desktop\wrarulabinstps.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID 1324 | CMD: "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" | Path: C:\Program Files\Microsoft\Skype for Desktop\Skype.exe | Parent: explorer.exe
User: admin
Company: Skype Technologies S.A.
Integrity Level: MEDIUM
Description: Skype
Exit code: 0
Version: 8.29.0.50
Loaded modules:
c:\program files\microsoft\skype for desktop\skype.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\skype for desktop\node.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\program files\microsoft\skype for desktop\msvcp140.dll
PID 1516 | CMD: net start netsvc | Path: C:\Windows\system32\net.exe | Parent: sgdsvc.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Net Command
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Loaded modules:
c:\windows\system32\net.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
PID 1600 | CMD: "C:\Program Files\UTILILAB\ProtectedSEARCH\sgdtray.exe" | Path: C:\Program Files\UTILILAB\ProtectedSEARCH\sgdtray.exe | Parent: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Loaded modules:
c:\program files\utililab\protectedsearch\sgdtray.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID 1856 | CMD: nss\certutil -A -t "TCu" -i "C:\ProgramData\NETC\temp\sgd\SSL\UTILILAB ProtectedSEARCH CA 2.cer" -n "UTILILAB ProtectedSEARCH CA" -d "C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default" | Path: C:\Program Files\UTILILAB\ProtectedSEARCH\nss\certutil.exe | Parent: netsvc.exe
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 0
Loaded modules:
c:\program files\utililab\protectedsearch\nss\certutil.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\utililab\protectedsearch\nss\nssutil3.dll
c:\program files\utililab\protectedsearch\nss\libplc4.dll
c:\program files\utililab\protectedsearch\nss\libnspr4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
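Three of the command lines above carry most of the detection value: the silent MSI install from the user's Temp directory (PID 564), the service start issued by sgdsvc.exe rather than an admin shell (PID 1516), and the bundled NSS certutil adding "UTILILAB ProtectedSEARCH CA" to the Firefox profile with trust flags TCu (PID 1856), where the C flag makes that CA trusted to issue TLS server certificates, the precondition for a "Net Filter Service" to inspect HTTPS. One caveat on the "Changes settings of System certificates" indicator: the AuthRoot key written by PID 956 (thumbprint DAC9024F54D8F6DF94935FB1732638CA6AD77C13, under Modification events) is the SHA-1 thumbprint of DST Root CA X3, a public root that Windows' automatic root update installs the first time it builds a chain to it, so it is the NSS import, not that registry write, that introduces a non-public CA. The rules below are an added example, not ANY.RUN output or the vendor's code; they run over process-creation events whose schema (pid, image, cmdline, parent, user) is assumed, with the three events constructed from this report and two constructed benign events for contrast.

```python
"""Rules for trust-store tampering and dropped-service activity in
process-creation telemetry.

Added example, not ANY.RUN tooling or UTILILAB code. The event schema is an
assumption; SAMPLE_EVENTS are constructed from the command lines in this
report plus two benign lines that must not fire.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str      # full path of the new process image
    cmdline: str
    parent: str     # image name of the parent process
    user: str


def tokens(cmdline: str) -> list:
    """Split a Windows command line, keeping quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def value_after(toks: list, flag: str, case_sensitive: bool = True):
    """Return the argument following `flag`, or None if absent or last."""
    for i, t in enumerate(toks[:-1]):
        if (t if case_sensitive else t.lower()) == flag:
            return toks[i + 1]
    return None


def nss_ssl_trust(trust: str) -> set:
    """NSS -t takes 'ssl,email,objsign'; only the first field governs TLS.
    C = trusted CA for server certs, T = trusted CA for client certs."""
    return set(trust.split(',')[0])


# Parents from which an interactive 'net start' is unremarkable (assumption).
ADMIN_SHELLS = {'cmd.exe', 'powershell.exe', 'explorer.exe', 'mmc.exe', 'services.exe'}


def check_event(ev: ProcEvent) -> list:
    """Return the list of rule names that fire for one event."""
    hits = []
    image = ev.image.lower()
    base = image.rsplit('\\', 1)[-1]
    toks = tokens(ev.cmdline)
    low = [t.lower() for t in toks]

    if base == 'certutil.exe':
        if image.startswith('c:\\windows\\'):
            # Microsoft certutil (options case-insensitive): import into a root store.
            store = value_after(low, '-addstore', case_sensitive=False)
            if store in ('root', 'authroot'):
                hits.append(f'windows_root_store_add: store={store}')
        else:
            # A bundled NSS certutil: -A adds a cert, -t sets trust, -d picks the db.
            # NSS options are case-sensitive (-A add vs -a ASCII), so use raw tokens.
            trust = value_after(toks, '-t')
            if '-A' in toks and trust and nss_ssl_trust(trust) & {'C', 'T'}:
                hits.append(f'nss_ca_install: trust={trust} db={value_after(toks, "-d")}')

    if base == 'net.exe' and len(low) >= 3 and low[1] == 'start' \
            and ev.parent.lower() not in ADMIN_SHELLS:
        hits.append(f'service_start_from_{ev.parent.lower()}: {low[2]}')

    if base == 'msiexec.exe' and ('/qn' in low or '/quiet' in low):
        pkg = value_after(low, '/i', case_sensitive=False) or ''
        if '\\appdata\\local\\temp\\' in pkg:
            hits.append(f'silent_msi_from_temp: {pkg}')

    return hits


def run(events) -> dict:
    """Map pid -> rule hits for every event that fired at least one rule."""
    return {ev.pid: hits for ev in events if (hits := check_event(ev))}


PS = r'C:\Program Files\UTILILAB\ProtectedSEARCH'
SAMPLE_EVENTS = [  # constructed from the report's process list
    ProcEvent(564, r'C:\Windows\system32\msiexec.exe',
              r'msiexec /i C:\Users\admin\AppData\Local\Temp\ProtectedSEARCH.msi /qn',
              'wrarulabinstps.exe', 'admin'),
    ProcEvent(1516, r'C:\Windows\system32\net.exe', 'net start netsvc', 'sgdsvc.exe', 'SYSTEM'),
    ProcEvent(1856, PS + r'\nss\certutil.exe',
              r'nss\certutil -A -t "TCu" -i "C:\ProgramData\NETC\temp\sgd\SSL\UTILILAB ProtectedSEARCH CA 2.cer" '
              r'-n "UTILILAB ProtectedSEARCH CA" -d "C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default"',
              'netsvc.exe', 'SYSTEM'),
    # constructed benign events: must not fire
    ProcEvent(2001, r'C:\Windows\System32\certutil.exe',
              r'certutil -hashfile C:\Users\admin\Downloads\setup.exe SHA256', 'cmd.exe', 'admin'),
    ProcEvent(2002, r'C:\Windows\System32\net.exe', 'net start spooler', 'cmd.exe', 'admin'),
]

if __name__ == '__main__':
    for pid, hits in run(SAMPLE_EVENTS).items():
        print(pid, hits)
```

The NSS rule keys on the trust string rather than on the certutil binary name because the copy here lives under the product's own nss\ directory and loads nssutil3.dll and libnspr4.dll, not the Windows certutil; a rule that only watched C:\Windows\System32\certutil.exe would miss it.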
Total events: 1393
Read events: 989
Write events: 382
Delete events: 22

Modification events

PID | Process | Operation | Key | Name = Value
956 | wrarulabinstps.exe | write | HKEY_CURRENT_USER\Software\UTILILAB\ProtectedSEARCH | Language = en_GB
956 | wrarulabinstps.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\USG | ps = lite
956 | wrarulabinstps.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E | LanguageList = en-US
956 | wrarulabinstps.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | Blob = (binary certificate blob, not reproduced here)
3796 | wrar540.exe | write | HKEY_CURRENT_USER\Software\WinRAR SFX | C%%Program Files%WinRAR = C:\Program Files\WinRAR
3796 | wrar540.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet = 0
3796 | wrar540.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect = 1
3672 | uninstall.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Setup\.rar | Set = 1
3672 | uninstall.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Setup\.zip | Set = 1
3672 | uninstall.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Setup\.cab | Set = 1
Executable files: 46
Suspicious files: 28
Text files: 75
Unknown types: 18

Dropped files

PID | Process | Filename | Type
956 | wrarulabinstps.exe | C:\Users\admin\AppData\Local\Temp\ProtectedSEARCH.msi | (type and hashes not given)
956 | wrarulabinstps.exe | C:\Users\admin\AppData\Local\Temp\process.gif | image
    MD5: EE238B9089A000C1B25085FF7B5E48B3 | SHA256: 4DE4382EE271F06E8CE3C0F3EBAB6B7B357311646562C16421891F6D458D4F72
956 | wrarulabinstps.exe | C:\Users\admin\AppData\Local\Temp\wrar540.exe | executable
    MD5: 5D930FA790EED4B6C7DD22262A015723 | SHA256: E81BAA5C2D2771CBAD2D168ECF278F865DC2DE38983C6A169D583949375EA735
3796 | wrar540.exe | C:\Program Files\WinRAR\Rar.exe | executable
    MD5: DC0222F1E0868C3612A93BA2D83B99BE | SHA256: 6BC4497B86DF521B413E4574F4CD4289C986348D2A69DA1945FF1A1784DB05DB
3796 | wrar540.exe | C:\Program Files\WinRAR\WhatsNew.txt | text
    MD5: 9F49544A844B7652D5765EEF0A6028AE | SHA256: 0D35A441F492BD5FC5A216B475DFF0193DA933E946E984E5D53649A12D215CA2
3796 | wrar540.exe | C:\Program Files\WinRAR\ReadMe.txt | text
    MD5: 6A697FE386885EA78AB05AD1BD4A96EB | SHA256: 25C6C5F336B404579889549B10A45F5E32CE5844A5A5A29075168D460D025BD2
3796 | wrar540.exe | C:\Program Files\WinRAR\Rar.txt | text
    MD5: AF65D295F498939287D335875661E38C | SHA256: C8E739A280ED99A2031EF532663471F1F74408E915A24A7F867284F178097108
3796 | wrar540.exe | C:\Program Files\WinRAR\Order.htm | html
    MD5: 5BFBAD2B771C10C15D9A64F46EE72DD6 | SHA256: 1B725FDF19AD3897FC20D3464C2393A1FB53117DC4C945B8C91A2280D7735BED
3796 | wrar540.exe | C:\Program Files\WinRAR\License.txt | text
    MD5: 672064CF19DB0B083B981CF0BE7662B0 | SHA256: 9FC8AA33CCAFA04C1CE4C0A61047B341297D720ADAB1B77F67B5FE59F43BB59F
3796 | wrar540.exe | C:\Program Files\WinRAR\Descript.ion | text
    MD5: 73E2E911B7730A92C04298EC770B0AB6 | SHA256: 29BF0E22BA729921958BBE4DC42D8BF688CCCFBFEAC6EF68B79674023B05D01F
Download the PCAP and analyze network streams, HTTP content and more in the full report.
HTTP(S) requests
3
TCP/UDP connections
23
DNS requests
30
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
956 | wrarulabinstps.exe | GET | 301 | 5.135.104.108:80 | http://www.rarlabs.com/rar/wrar540.exe | DE | - | - | suspicious
956 | wrarulabinstps.exe | GET | 301 | 5.135.104.98:80 | http://www.rarlab.com/rar/wrar540.exe | DE | - | - | malicious
956 | wrarulabinstps.exe | GET | 200 | 83.241.219.60:80 | http://utililab.av-updates.net/releases/ProtectedSEARCH.msi | SE | executable | 14.9 Mb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
956 | wrarulabinstps.exe | 83.241.219.60:443 | data.mysearchguardian.com | DGC Access AB | SE | malicious
956 | wrarulabinstps.exe | 5.135.104.108:80 | www.rarlabs.com | OVH SAS | DE | unknown
956 | wrarulabinstps.exe | 5.135.104.98:80 | www.rarlab.com | OVH SAS | DE | malicious
956 | wrarulabinstps.exe | 5.135.104.98:443 | www.rarlab.com | OVH SAS | DE | malicious
956 | wrarulabinstps.exe | 83.241.219.60:80 | data.mysearchguardian.com | DGC Access AB | SE | malicious
3048 | MSIFBCF.tmp | 172.217.22.8:443 | ssl.google-analytics.com | Google Inc. | US | whitelisted
3796 | sgdsvc.exe | 83.241.219.60:443 | data.mysearchguardian.com | DGC Access AB | SE | malicious
2748 | sgdsvc.exe | 83.241.219.60:443 | data.mysearchguardian.com | DGC Access AB | SE | malicious
332 | sgdtray.exe | 83.241.219.60:443 | data.mysearchguardian.com | DGC Access AB | SE | malicious
1324 | Skype.exe | 13.90.95.57:443 | get.skype.com | Microsoft Corporation | US | whitelisted

DNS requests

Domain | IP(s) | Reputation
data.mysearchguardian.com | 83.241.219.60 | malicious
www.rarlabs.com | 5.135.104.108 | suspicious
www.rarlab.com | 5.135.104.98 | unknown
utililab.av-updates.net | 83.241.219.60 | malicious
ssl.google-analytics.com | 172.217.22.8 | whitelisted
login.yahoo.com | 212.82.100.140 | whitelisted
edit.yahoo.com | 212.82.100.140 | unknown
www.tumblr.com | 152.199.21.147 | whitelisted
tumblr.com | 66.6.33.31, 66.6.33.159, 66.6.32.31 | whitelisted
www.nwolb.com | 155.136.22.4 | unknown

Threats

No threats detected
Debug output (Process | Message)

Skype.exe | [784:3932:0105/223615.588:VERBOSE1:crash_service_main.cc(78)] Session start. cmdline is [--reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1]
Skype.exe | [784:3932:0105/223615.588:VERBOSE1:crash_service_main.cc(94)] Ready to process crash requests
Skype.exe | [784:3932:0105/223615.588:VERBOSE1:crash_service.cc(304)] checkpoint is C:\Users\admin\AppData\Local\Temp\skype-preview Crashes\crash_checkpoint.txt server is https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload maximum 128 reports/day reporter is electron-crash-service
Skype.exe | [784:3932:0105/223615.588:VERBOSE1:crash_service.cc(304)] checkpoint is C:\Users\admin\AppData\Local\Temp\skype-preview Crashes\crash_checkpoint.txt server is https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload maximum 128 reports/day reporter is electron-crash-service
Skype.exe | [784:3932:0105/223615.588:VERBOSE1:crash_service.cc(145)] window handle is 000701C2
Skype.exe | [784:3580:0105/223615.588:VERBOSE1:crash_service.cc(333)] client start. pid = 1324
Skype.exe | [784:3580:0105/223617.165:VERBOSE1:crash_service.cc(333)] client start. pid = 2580
Skype.exe | [3984:236:0105/223617.318:VERBOSE1:crash_service.cc(300)] pipe name is \\.\pipe\skype-preview Crash Service dumps at C:\Users\admin\AppData\Local\Temp\skype-preview Crashes
Skype.exe | [3984:236:0105/223617.318:VERBOSE1:crash_service.cc(304)] checkpoint is C:\Users\admin\AppData\Local\Temp\skype-preview Crashes\crash_checkpoint.txt server is https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload maximum 128 reports/day reporter is electron-crash-service
Skype.exe | [3984:236:0105/223617.318:VERBOSE1:crash_service_main.cc(78)] Session start. cmdline is [--reporter-url=https://rink.hockeyapp.net/api/2/apps/a741743329d94bc08826af367733939d/crashes/upload --application-name=skype-preview "--crashes-directory=C:\Users\admin\AppData\Local\Temp\skype-preview Crashes" --v=1]