File name:

winrar-x32-700es.exe

Full analysis: https://app.any.run/tasks/7073230f-68aa-42d7-9a6f-524ba488f285
Verdict: Malicious activity
Analysis date: April 18, 2024, 10:48:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

5CCAC127BE0B540557AD51D98AD7C8EC

SHA1:

782F7716709F61D0AB718DB6072A4CE9B0DC0730

SHA256:

6D550FAEF608143D17178F66272C4503118F62084AD514AC57AFC25122C9B110

SSDEEP:

98304:ncnA/8pXxt3KT18h18Iu15x2JZIm8ZnENlniQkobHV05dL2F5LyHmhFqQYbGLG/a:1t0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • winrar-x32-700es.exe (PID: 3108)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • winrar-x32-700es.exe (PID: 3108)

    • Reads Microsoft Outlook installation path

      • winrar-x32-700es.exe (PID: 3108)

    • Reads Internet Explorer settings

      • winrar-x32-700es.exe (PID: 3108)

    • Reads the Internet Settings

      • winrar-x32-700es.exe (PID: 3108)

    • Executable content was dropped or overwritten

      • winrar-x32-700es.exe (PID: 3108)

    • Drops 7-zip archiver for unpacking

      • winrar-x32-700es.exe (PID: 3108)

    • Creates/Modifies COM task schedule object

      • uninstall.exe (PID: 3604)

    • Creates a software uninstall entry

      • uninstall.exe (PID: 3604)

    • Searches for installed software

      • uninstall.exe (PID: 3604)

  • INFO

    • Reads the computer name

      • winrar-x32-700es.exe (PID: 3108)
      • uninstall.exe (PID: 3604)

    • Checks supported languages

      • winrar-x32-700es.exe (PID: 3108)
      • uninstall.exe (PID: 3604)

    • Checks proxy server information

      • winrar-x32-700es.exe (PID: 3108)

    • Reads the machine GUID from the registry

      • winrar-x32-700es.exe (PID: 3108)

    • Creates files in the program directory

      • winrar-x32-700es.exe (PID: 3108)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:02:26 09:02:00+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.33
CodeSize: 238592
InitializedDataSize: 273920
UninitializedDataSize: -
EntryPoint: 0x23be0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 7.0.0.0
ProductVersionNumber: 7.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
ProductName: WinRAR
CompanyName: Alexander Roshal
FileDescription: WinRAR
FileVersion: 7.0.0
ProductVersion: 7.0.0
InternalName: WinRAR
LegalCopyright: Copyright © Alexander Roshal 1993-2024
OriginalFileName: WinRAR.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar-x32-700es.exe uninstall.exe no specs winrar-x32-700es.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
324"C:\Users\admin\AppData\Local\Temp\winrar-x32-700es.exe" C:\Users\admin\AppData\Local\Temp\winrar-x32-700es.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR
Exit code:
3221226540
Version:
7.0.0
Modules
Images
c:\users\admin\appdata\local\temp\winrar-x32-700es.exe
c:\windows\system32\ntdll.dll
3108"C:\Users\admin\AppData\Local\Temp\winrar-x32-700es.exe" C:\Users\admin\AppData\Local\Temp\winrar-x32-700es.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
HIGH
Description:
WinRAR
Exit code:
0
Version:
7.0.0
Modules
Images
c:\users\admin\appdata\local\temp\winrar-x32-700es.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
3604"C:\Program Files\WinRAR\uninstall.exe" /setupC:\Program Files\WinRAR\uninstall.exewinrar-x32-700es.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
HIGH
Description:
Uninstall WinRAR
Exit code:
0
Version:
7.0.0
Modules
Images
c:\program files\winrar\uninstall.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events
1 537
Read events
1 439
Write events
94
Delete events
4

Modification events

(PID) Process:(3108) winrar-x32-700es.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3108) winrar-x32-700es.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3108) winrar-x32-700es.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3108) winrar-x32-700es.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3108) winrar-x32-700es.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3108) winrar-x32-700es.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3108) winrar-x32-700es.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3108) winrar-x32-700es.exeKey:HKEY_CURRENT_USER\Software\WinRAR SFX
Operation:writeName:C%%Program Files%WinRAR
Value:
C:\Program Files\WinRAR
(PID) Process:(3108) winrar-x32-700es.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation:writeName:PendingFileRenameOperations
Value:
\??\C:\Program Files\WinRAR\RarExt.dll.0.tmp
(PID) Process:(3108) winrar-x32-700es.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry
Operation:delete valueName:AddToFavoritesInitialSelection
Value:
Executable files
10
Suspicious files
1
Text files
13
Unknown types
0

Dropped files

PID
Process
Filename
Type
3108winrar-x32-700es.exe
MD5:
SHA256:
3108winrar-x32-700es.exeC:\Program Files\WinRAR\uninstall.lngtext
MD5:18922BCF812C64F7B16C28D1B9AB92D4
SHA256:ED25CAC60860CC57BA46A28141EF7E5A678B787C04FDABB24B69DF1A8ECBFDBF
3108winrar-x32-700es.exeC:\Program Files\WinRAR\Uninstall.lsttext
MD5:6EEEFCB85673C14201D024B6E6AC6258
SHA256:B75FDEE208D2834AB147DACB51F4E7D70E44457C8B639048FE67B252B8D61F1F
3108winrar-x32-700es.exeC:\Program Files\WinRAR\License.txttext
MD5:B6B0EBF5C6109A761C78B32B2416BBC7
SHA256:2BB5EAB31A0ADDF68DF63026161470B524E4C36F6D38E015C128139112194456
3108winrar-x32-700es.exeC:\Program Files\WinRAR\RarExt.dll.0.tmpexecutable
MD5:2733916C8F774F8E27B9C28243D95A4D
SHA256:3BD0AD88051CEA26CD5F59D93325E15A9E59B3EA87C88727466A554538FA33EE
3108winrar-x32-700es.exeC:\Program Files\WinRAR\UnRAR.exeexecutable
MD5:FA54446689DEA37D67805A380B38BECE
SHA256:1E3C12A2361FD69D1A99ECF9AF7298A0A6488E8C7D7FA7F512866ACFB3B1E4CE
3108winrar-x32-700es.exeC:\Program Files\WinRAR\Novedades.txttext
MD5:1DB0898605BB38D03DA7F1C9350E32CF
SHA256:58C6E509C857FF49FEC03C30E6BC8C7DA7404451EBB913C07FA58935B2FB2A64
3108winrar-x32-700es.exeC:\Program Files\WinRAR\Rar.txttext
MD5:F0A05D4F61EAEA0029F819E36EDFA81C
SHA256:E16138D6DE8CD62A17258817B6A1F83B1DAB25F6F4743999E1D4BE0A74E65CEE
3108winrar-x32-700es.exeC:\Program Files\WinRAR\RarExt64.dllexecutable
MD5:04317ACF9CA114DF3172056A8251486B
SHA256:F9397EDED0026E3E50B83157049D526443572189092DEF3091332807753B8AD8
3108winrar-x32-700es.exeC:\Program Files\WinRAR\RarExt.dllexecutable
MD5:E5E51D3BD2EA0F858728489DE32106B1
SHA256:0CE0E0D2E5D9727D01E89A085F582DEB3CDEDF591F4001D633A43E7785A862F0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
winrar-x32-700es.exe