File name: winrar-x32-624.exe

Full analysis: https://app.any.run/tasks/2cd34e7e-a4ec-4a61-b163-e6e567a2850a
Verdict: Malicious activity
Analysis date: January 27, 2024, 16:37:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 5AEEEE02E7B6B8E4A6B46D7BFC2E4BB3
SHA1: 25026A74B8349FFFF4246791BE60C37EC02EF631
SHA256: C8AD5D77A2882AD8FEE57FFF69D8F90D58CB7490B5D1CDF5571472F5FA8C7CDC
SSDEEP: 98304:WQ3WYCa60jPVMXzu3+xs8Yo+vafCiV3qZV3G3XHIF4WD+WZ0kzB2CYUjZgqm2Tnw:f/ux

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • winrar-x32-624.exe (PID: 876)
  • SUSPICIOUS

    • Reads the Internet Settings

      • winrar-x32-624.exe (PID: 876)
    • Reads Microsoft Outlook installation path

      • winrar-x32-624.exe (PID: 876)
    • Reads Internet Explorer settings

      • winrar-x32-624.exe (PID: 876)
    • Executable content was dropped or overwritten

      • winrar-x32-624.exe (PID: 876)
    • Drops 7-zip archiver for unpacking

      • winrar-x32-624.exe (PID: 876)
    • Creates/Modifies COM task schedule object

      • uninstall.exe (PID: 2256)
    • Creates a software uninstall entry

      • uninstall.exe (PID: 2256)
    • Searches for installed software

      • uninstall.exe (PID: 2256)
  • INFO

    • Reads the computer name

      • winrar-x32-624.exe (PID: 876)
      • uninstall.exe (PID: 2256)
    • Checks supported languages

      • winrar-x32-624.exe (PID: 876)
      • uninstall.exe (PID: 2256)
    • Checks proxy server information

      • winrar-x32-624.exe (PID: 876)
    • Reads the machine GUID from the registry

      • winrar-x32-624.exe (PID: 876)
    • Creates files in the program directory

      • winrar-x32-624.exe (PID: 876)
    • Manual execution by a user

      • WinRAR.exe (PID: 3068)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:10:03 09:51:32+02:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.33
CodeSize: 222208
InitializedDataSize: 364544
UninitializedDataSize: -
EntryPoint: 0x215d0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 6.24.0.0
ProductVersionNumber: 6.24.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
ProductName: WinRAR
CompanyName: Alexander Roshal
FileDescription: WinRAR archiver
FileVersion: 6.24.0
ProductVersion: 6.24.0
InternalName: WinRAR
LegalCopyright: Copyright © Alexander Roshal 1993-2023
OriginalFileName: WinRAR.exe
No data.
Total processes: 45
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes in the graph: winrar-x32-624.exe, uninstall.exe (no specs), winrar.exe (no specs), winrar-x32-624.exe (no specs)

Process information

PID: 876
CMD: "C:\Users\admin\Desktop\winrar-x32-624.exe"
Path: C:\Users\admin\Desktop\winrar-x32-624.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: HIGH
Description: WinRAR archiver
Exit code: 0
Version: 6.24.0
Modules (Images):
  c:\users\admin\desktop\winrar-x32-624.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\oleaut32.dll
  c:\windows\system32\ole32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll

PID: 2256
CMD: "C:\Program Files\WinRAR\uninstall.exe" /setup
Path: C:\Program Files\WinRAR\uninstall.exe
Parent process: winrar-x32-624.exe
User: admin
Company: Alexander Roshal
Integrity Level: HIGH
Description: Uninstall WinRAR
Exit code: 0
Version: 6.24.0
Modules (Images):
  c:\program files\winrar\uninstall.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll

PID: 2628
CMD: "C:\Users\admin\Desktop\winrar-x32-624.exe"
Path: C:\Users\admin\Desktop\winrar-x32-624.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 3221226540
Version: 6.24.0
Modules (Images):
  c:\users\admin\desktop\winrar-x32-624.exe
  c:\windows\system32\ntdll.dll

PID: 3068
CMD: "C:\Program Files\WinRAR\WinRAR.exe"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 6.24.0
Modules (Images):
  c:\program files\winrar\winrar.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\comdlg32.dll
Total events: 1 407
Read events: 1 323
Write events: 82
Delete events: 2

Modification events

(PID) Process: (876) winrar-x32-624.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (876) winrar-x32-624.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (876) winrar-x32-624.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (876) winrar-x32-624.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (876) winrar-x32-624.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (876) winrar-x32-624.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (876) winrar-x32-624.exe
Key: HKEY_CURRENT_USER\Software\WinRAR SFX
Operation: write
Name: C%%Program Files%WinRAR
Value: C:\Program Files\WinRAR

(PID) Process: (2256) uninstall.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Setup\.rar
Operation: write
Name: Set
Value: 1

(PID) Process: (2256) uninstall.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Setup\.zip
Operation: write
Name: Set
Value: 1

(PID) Process: (2256) uninstall.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Setup\.cab
Operation: write
Name: Set
Value: 1
Executable files: 10
Suspicious files: 3
Text files: 8
Unknown types: 0

Dropped files

PID: 876 | Process: winrar-x32-624.exe | Filename: C:\Program Files\WinRAR\Order.htm | Type: html
  MD5: 1310B652E7362A994650EE9278424101
  SHA256: 0365AAC5C65889C7533DCD3F239E8491FEDFA9EF01B9EA1C91A5EF535172589F

PID: 876 | Process: winrar-x32-624.exe | Filename: C:\Program Files\WinRAR\RarExt.dll.0.tmp | Type: executable
  MD5: 2733916C8F774F8E27B9C28243D95A4D
  SHA256: 3BD0AD88051CEA26CD5F59D93325E15A9E59B3EA87C88727466A554538FA33EE

PID: 876 | Process: winrar-x32-624.exe | Filename: C:\Program Files\WinRAR\Descript.ion | Type: text
  MD5: 3FB658E292A09D2303B6D84FAF079E0C
  SHA256: FA7BFC756E502CA814F927130574CBB472FC8B9C608F98B470409E7D8D1AD30D

PID: 876 | Process: winrar-x32-624.exe | Filename: C:\Program Files\WinRAR\Rar.txt | Type: text
  MD5: B689A0CB8C288849FEBFFAFC2144576B
  SHA256: 59334A8FFFF612755A64A912389BC23FBC35933CF209F845BDE34F055011B8A6

PID: 876 | Process: winrar-x32-624.exe | Filename: C:\Program Files\WinRAR\RarFiles.lst | Type: text
  MD5: 08EA0309D72A874C182F08CBF9DA2CC3
  SHA256: 12787F8204EEDB0B8BDABF5D68D557334FDDB2D70B46E1422510713DDA5E6A01

PID: 876 | Process: winrar-x32-624.exe | Filename: C:\Program Files\WinRAR\Uninstall.lst | Type: text
  MD5: 34BE8F16B04C175C40630A92D40F82E6
  SHA256: 7CD94B59159B6C353E4F50F8AE26D4D8DF6AE7405CA0B68914E89FEA1C5183F5

PID: 876 | Process: winrar-x32-624.exe | Filename: - | Type: binary
  MD5: -
  SHA256: -

PID: 876 | Process: winrar-x32-624.exe | Filename: C:\Program Files\WinRAR\ReadMe.txt | Type: text
  MD5: 00D0A57A6D64EE3DE8F4D5529D6C6447
  SHA256: FCD13E1B97AF47B8B923BA97AE15E9731C66093609667C3171D5DD24A6F7F2E6

PID: 876 | Process: winrar-x32-624.exe | Filename: C:\Program Files\WinRAR\License.txt | Type: text
  MD5: 672064CF19DB0B083B981CF0BE7662B0
  SHA256: 9FC8AA33CCAFA04C1CE4C0A61047B341297D720ADAB1B77F67B5FE59F43BB59F

PID: 876 | Process: winrar-x32-624.exe | Filename: C:\Program Files\WinRAR\7zxa.dll | Type: executable
  MD5: 6161EB75F65FABE5D05448FA5D7908B4
  SHA256: 23D67D4BCD765355C85B831279D61F46B641E7B8F3ED772ADA8C915E5DEA9CB5
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 4 | Process: System | IP: 192.168.100.255:138 | Domain: - | ASN: - | CN: - | Reputation: whitelisted
PID: 1080 | Process: svchost.exe | IP: 224.0.0.252:5355 | Domain: - | ASN: - | CN: - | Reputation: unknown
PID: 4 | Process: System | IP: 192.168.100.255:137 | Domain: - | ASN: - | CN: - | Reputation: whitelisted

DNS requests

No data

Threats

No threats detected
No debug info