File name:

winrar-x32-700es.exe

Full analysis: https://app.any.run/tasks/7073230f-68aa-42d7-9a6f-524ba488f285
Verdict: Malicious activity
Analysis date: April 18, 2024, 10:48:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

5CCAC127BE0B540557AD51D98AD7C8EC

SHA1:

782F7716709F61D0AB718DB6072A4CE9B0DC0730

SHA256:

6D550FAEF608143D17178F66272C4503118F62084AD514AC57AFC25122C9B110

SSDEEP:

98304:ncnA/8pXxt3KT18h18Iu15x2JZIm8ZnENlniQkobHV05dL2F5LyHmhFqQYbGLG/a:1t0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • winrar-x32-700es.exe (PID: 3108)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • winrar-x32-700es.exe (PID: 3108)

    • Drops 7-zip archiver for unpacking

      • winrar-x32-700es.exe (PID: 3108)

    • Reads Internet Explorer settings

      • winrar-x32-700es.exe (PID: 3108)

    • Reads Microsoft Outlook installation path

      • winrar-x32-700es.exe (PID: 3108)

    • Reads the Internet Settings

      • winrar-x32-700es.exe (PID: 3108)

    • Executable content was dropped or overwritten

      • winrar-x32-700es.exe (PID: 3108)

    • Creates a software uninstall entry

      • uninstall.exe (PID: 3604)

    • Searches for installed software

      • uninstall.exe (PID: 3604)

    • Creates/Modifies COM task schedule object

      • uninstall.exe (PID: 3604)

  • INFO

    • Reads the computer name

      • winrar-x32-700es.exe (PID: 3108)
      • uninstall.exe (PID: 3604)

    • Checks proxy server information

      • winrar-x32-700es.exe (PID: 3108)

    • Checks supported languages

      • winrar-x32-700es.exe (PID: 3108)
      • uninstall.exe (PID: 3604)

    • Reads the machine GUID from the registry

      • winrar-x32-700es.exe (PID: 3108)

    • Creates files in the program directory

      • winrar-x32-700es.exe (PID: 3108)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:02:26 09:02:00+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.33
CodeSize: 238592
InitializedDataSize: 273920
UninitializedDataSize: -
EntryPoint: 0x23be0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 7.0.0.0
ProductVersionNumber: 7.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
ProductName: WinRAR
CompanyName: Alexander Roshal
FileDescription: WinRAR
FileVersion: 7.0.0
ProductVersion: 7.0.0
InternalName: WinRAR
LegalCopyright: Copyright © Alexander Roshal 1993-2024
OriginalFileName: WinRAR.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar-x32-700es.exe uninstall.exe no specs winrar-x32-700es.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
324"C:\Users\admin\AppData\Local\Temp\winrar-x32-700es.exe" C:\Users\admin\AppData\Local\Temp\winrar-x32-700es.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR
Exit code:
3221226540
Version:
7.0.0
Modules
Images
c:\users\admin\appdata\local\temp\winrar-x32-700es.exe
c:\windows\system32\ntdll.dll
3108"C:\Users\admin\AppData\Local\Temp\winrar-x32-700es.exe" C:\Users\admin\AppData\Local\Temp\winrar-x32-700es.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
HIGH
Description:
WinRAR
Exit code:
0
Version:
7.0.0
Modules
Images
c:\users\admin\appdata\local\temp\winrar-x32-700es.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
3604"C:\Program Files\WinRAR\uninstall.exe" /setupC:\Program Files\WinRAR\uninstall.exewinrar-x32-700es.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
HIGH
Description:
Uninstall WinRAR
Exit code:
0
Version:
7.0.0
Modules
Images
c:\program files\winrar\uninstall.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events
1 537
Read events
1 439
Write events
94
Delete events
4

Modification events

(PID) Process:(3108) winrar-x32-700es.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3108) winrar-x32-700es.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3108) winrar-x32-700es.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3108) winrar-x32-700es.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3108) winrar-x32-700es.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3108) winrar-x32-700es.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3108) winrar-x32-700es.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3108) winrar-x32-700es.exeKey:HKEY_CURRENT_USER\Software\WinRAR SFX
Operation:writeName:C%%Program Files%WinRAR
Value:
C:\Program Files\WinRAR
(PID) Process:(3108) winrar-x32-700es.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation:writeName:PendingFileRenameOperations
Value:
\??\C:\Program Files\WinRAR\RarExt.dll.0.tmp
(PID) Process:(3108) winrar-x32-700es.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry
Operation:delete valueName:AddToFavoritesInitialSelection
Value:
Executable files
10
Suspicious files
1
Text files
13
Unknown types
0

Dropped files

PID
Process
Filename
Type
3108winrar-x32-700es.exe
MD5:
SHA256:
3108winrar-x32-700es.exeC:\Program Files\WinRAR\Uninstall.lsttext
MD5:6EEEFCB85673C14201D024B6E6AC6258
SHA256:B75FDEE208D2834AB147DACB51F4E7D70E44457C8B639048FE67B252B8D61F1F
3108winrar-x32-700es.exeC:\Program Files\WinRAR\Order.htmhtml
MD5:C72CD50B92DBA793311C112A6EB7131A
SHA256:52AE66630ACFF51123391601F7B1A8AAEA54EA969F54AA7B9F3A8B58141559B2
3108winrar-x32-700es.exeC:\Program Files\WinRAR\Leame.txttext
MD5:9CA7B51C043AE285F06F779B24138837
SHA256:D1A22A76FC4AC0072E4F3D72A9F5D6CB91F62DF817806E37CE3C70EC6E8E137F
3108winrar-x32-700es.exeC:\Program Files\WinRAR\Descript.iontext
MD5:3772CB2CA37FA9F4BF61D20FD901F641
SHA256:AFE2EA73361D5F41AF3D74651EA0D5C1A7EDD4AD991639B448945A7C83E9AD1F
3108winrar-x32-700es.exeC:\Program Files\WinRAR\licencia.rtftext
MD5:21A8C92819658C242AF1291CF3F06297
SHA256:A0170BDDB45F13158A7334DDACFF649C3D02A981A639380CD93548658F687098
3108winrar-x32-700es.exeC:\Program Files\WinRAR\Rar.exeexecutable
MD5:7F7292519EF82E7935008597E64B8304
SHA256:842E800CF3E4570B916250718580A8F53388FCBB8D1EAC61E3DDCA1DB287ED46
3108winrar-x32-700es.exeC:\Program Files\WinRAR\Uninstall.exeexecutable
MD5:2A4A7FD38C327C1581EFA7FA76F87B6E
SHA256:BDADD42B39EF1F00AAAC4B56519FA652A8D433AB3EBE10362D201DE800EFFA9E
3108winrar-x32-700es.exeC:\Program Files\WinRAR\UnRAR.exeexecutable
MD5:FA54446689DEA37D67805A380B38BECE
SHA256:1E3C12A2361FD69D1A99ECF9AF7298A0A6488E8C7D7FA7F512866ACFB3B1E4CE
3108winrar-x32-700es.exeC:\Program Files\WinRAR\License.txttext
MD5:B6B0EBF5C6109A761C78B32B2416BBC7
SHA256:2BB5EAB31A0ADDF68DF63026161470B524E4C36F6D38E015C128139112194456
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
winrar-x32-700es.exe