Malware analysis winrar-64-6.21-installer_AmGAP-1.exe Malicious activity

Add for printing

File name:	winrar-64-6.21-installer_AmGAP-1.exe
Full analysis:	https://app.any.run/tasks/87d3d8d1-4029-4738-8d2b-650e27eacada
Verdict:	Malicious activity
Threats:	Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Malware Trends Tracker >>>
Analysis date:	July 01, 2024, 14:16:26
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	amsi miner netreactor
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	17B1EA1089CCF5E5EF81C5DFAFDB90FF
SHA1:	AF0C22F715C97474303FF13364A71280C1D0F698
SHA256:	F81C79DE1B8BEC0FFCD299C964D8CF0BEE0D983AB465B693DBFD7347D2C64F87
SSDEEP:	49152:z7HecD4dnbibBlh/hYjPfySXi8AWAkCk1pW0RA/8XLHqwy8xSIuZfalHuxBoa4kp:/+cD4dnEhYjPfySXzAaPQYLHqw9SIuZp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - winrar-64-6.21-installer_AmGAP-1.exe (PID: 244)
  - winrar-64-6.21-installer_AmGAP-1.exe (PID: 2828)
  - winrar-64-6.21-installer_AmGAP-1.tmp (PID: 4052)
  - component0.exe (PID: 420)
  - 4bxsh541.exe (PID: 380)
  - winrar-64-7.01-installer_di-Kgo1.tmp (PID: 3724)
  - winrar-64-7.01-installer_di-Kgo1.exe (PID: 8152)
  - winrar-64-7.01-installer_di-Kgo1.exe (PID: 3128)
  - winrar-64-7.01-installer_di-Kgo1.tmp (PID: 7188)
  - UnifiedStub-installer.exe (PID: 1280)
  - winrar-64-7.01-installer.exe (PID: 7228)
  - saBSI.exe (PID: 7416)
  - installer.exe (PID: 6776)
  - installer.exe (PID: 6684)
- Actions looks like stealing of personal data
  - UnifiedStub-installer.exe (PID: 1280)
  - rsEngineSvc.exe (PID: 6804)
  - rsEDRSvc.exe (PID: 6172)
  - servicehost.exe (PID: 7720)
  - uihost.exe (PID: 3596)
- Creates a writable file in the system directory
  - UnifiedStub-installer.exe (PID: 1280)
  - rsEDRSvc.exe (PID: 6172)
- Changes the autorun value in the registry
  - rundll32.exe (PID: 7800)
- Registers / Runs the DLL via REGSVR32.EXE
  - installer.exe (PID: 6776)
- Steals credentials from Web Browsers
  - servicehost.exe (PID: 7720)
SUSPICIOUS
- Executable content was dropped or overwritten
  - winrar-64-6.21-installer_AmGAP-1.exe (PID: 244)
  - winrar-64-6.21-installer_AmGAP-1.exe (PID: 2828)
  - winrar-64-6.21-installer_AmGAP-1.tmp (PID: 4052)
  - component0.exe (PID: 420)
  - UnifiedStub-installer.exe (PID: 1280)
  - 4bxsh541.exe (PID: 380)
  - winrar-64-7.01-installer_di-Kgo1.tmp (PID: 3724)
  - winrar-64-7.01-installer_di-Kgo1.exe (PID: 8152)
  - winrar-64-7.01-installer_di-Kgo1.exe (PID: 3128)
  - winrar-64-7.01-installer_di-Kgo1.tmp (PID: 7188)
  - winrar-64-7.01-installer.exe (PID: 7228)
  - saBSI.exe (PID: 7416)
  - installer.exe (PID: 6776)
  - installer.exe (PID: 6684)
- Reads security settings of Internet Explorer
  - winrar-64-6.21-installer_AmGAP-1.tmp (PID: 3848)
  - winrar-64-6.21-installer_AmGAP-1.tmp (PID: 4052)
  - component0.exe (PID: 420)
  - winrar-64-7.01-installer_di-Kgo1.tmp (PID: 3724)
  - winrar-64-7.01-installer_di-Kgo1.tmp (PID: 7188)
  - winrar-64-7.01-installer.exe (PID: 7228)
  - saBSI.exe (PID: 7416)
  - UnifiedStub-installer.exe (PID: 1280)
  - rsWSC.exe (PID: 7656)
  - installer.exe (PID: 6776)
  - rsEngineSvc.exe (PID: 6732)
  - rsEDRSvc.exe (PID: 6360)
  - rsEngineSvc.exe (PID: 6804)
  - uihost.exe (PID: 3596)
- Reads the date of Windows installation
  - winrar-64-6.21-installer_AmGAP-1.tmp (PID: 3848)
  - winrar-64-6.21-installer_AmGAP-1.tmp (PID: 4052)
  - component0.exe (PID: 420)
  - winrar-64-7.01-installer_di-Kgo1.tmp (PID: 3724)
  - winrar-64-7.01-installer_di-Kgo1.tmp (PID: 7188)
  - winrar-64-7.01-installer.exe (PID: 7228)
  - rsEDRSvc.exe (PID: 6172)
  - rsEngineSvc.exe (PID: 6804)
- Reads the Windows owner or organization settings
  - winrar-64-6.21-installer_AmGAP-1.tmp (PID: 4052)
  - winrar-64-7.01-installer_di-Kgo1.tmp (PID: 3724)
  - winrar-64-7.01-installer_di-Kgo1.tmp (PID: 7188)
- Process drops legitimate windows executable
  - 4bxsh541.exe (PID: 380)
  - UnifiedStub-installer.exe (PID: 1280)
  - installer.exe (PID: 6776)
- Searches for installed software
  - UnifiedStub-installer.exe (PID: 1280)
  - Uninstall.exe (PID: 5884)
  - rsEDRSvc.exe (PID: 6172)
  - updater.exe (PID: 8464)
- Creates a software uninstall entry
  - UnifiedStub-installer.exe (PID: 1280)
  - Uninstall.exe (PID: 5884)
  - installer.exe (PID: 6776)
  - servicehost.exe (PID: 7720)
- Executes as Windows Service
  - rsSyncSvc.exe (PID: 6216)
  - rsWSC.exe (PID: 6276)
  - rsClientSvc.exe (PID: 6580)
  - rsEngineSvc.exe (PID: 6804)
  - rsEDRSvc.exe (PID: 6172)
  - servicehost.exe (PID: 7720)
  - WmiApSrv.exe (PID: 6836)
- Reads Microsoft Outlook installation path
  - winrar-64-7.01-installer.exe (PID: 7228)
- Reads Internet Explorer settings
  - winrar-64-7.01-installer.exe (PID: 7228)
- Checks Windows Trust Settings
  - saBSI.exe (PID: 7416)
  - rsWSC.exe (PID: 7656)
  - installer.exe (PID: 6776)
  - rsEngineSvc.exe (PID: 6732)
  - rsWSC.exe (PID: 6276)
  - rsEDRSvc.exe (PID: 6360)
  - rsEngineSvc.exe (PID: 6804)
  - rsEDRSvc.exe (PID: 6172)
  - servicehost.exe (PID: 7720)
  - uihost.exe (PID: 3596)
  - updater.exe (PID: 8464)
- The process verifies whether the antivirus software is installed
  - saBSI.exe (PID: 7416)
  - installer.exe (PID: 6684)
  - regsvr32.exe (PID: 6920)
  - regsvr32.exe (PID: 1224)
  - regsvr32.exe (PID: 7936)
  - installer.exe (PID: 6776)
  - rsEngineSvc.exe (PID: 6804)
  - rsEDRSvc.exe (PID: 6172)
  - servicehost.exe (PID: 7720)
  - uihost.exe (PID: 3596)
  - cmd.exe (PID: 8300)
  - updater.exe (PID: 8464)
  - cmd.exe (PID: 8524)
  - cmd.exe (PID: 8640)
  - cmd.exe (PID: 8700)
  - cmd.exe (PID: 8504)
- Executes application which crashes
  - winrar-64-7.01-installer_di-Kgo1.tmp (PID: 7188)
- Drops 7-zip archiver for unpacking
  - winrar-64-7.01-installer.exe (PID: 7228)
  - UnifiedStub-installer.exe (PID: 1280)
- Creates/Modifies COM task schedule object
  - Uninstall.exe (PID: 5884)
  - regsvr32.exe (PID: 6920)
  - regsvr32.exe (PID: 7936)
- The process drops C-runtime libraries
  - UnifiedStub-installer.exe (PID: 1280)
- The process creates files with name similar to system file names
  - UnifiedStub-installer.exe (PID: 1280)
  - installer.exe (PID: 6776)
- Drops a system driver (possible attempt to evade defenses)
  - UnifiedStub-installer.exe (PID: 1280)
- Creates files in the driver directory
  - UnifiedStub-installer.exe (PID: 1280)
- Creates or modifies Windows services
  - UnifiedStub-installer.exe (PID: 1280)
  - rundll32.exe (PID: 7800)
- Uses RUNDLL32.EXE to load library
  - UnifiedStub-installer.exe (PID: 1280)
- Uses WEVTUTIL.EXE to install publishers and event logs from the manifest
  - UnifiedStub-installer.exe (PID: 1280)
- Adds/modifies Windows certificates
  - saBSI.exe (PID: 7416)
  - rsEngineSvc.exe (PID: 6732)
  - servicehost.exe (PID: 7720)
- Patches Antimalware Scan Interface function (YARA)
  - component0.exe (PID: 420)
- Dropped object may contain URLs of mainers pools
  - rsEngineSvc.exe (PID: 6804)
- Reads the BIOS version
  - rsEDRSvc.exe (PID: 6172)
  - rsEngineSvc.exe (PID: 6804)
- Process checks is Powershell's Script Block Logging on
  - rsEDRSvc.exe (PID: 6172)
- Potential Corporate Privacy Violation
  - rsAppUI.exe (PID: 5816)
- Application launched itself
  - rsAppUI.exe (PID: 2104)
- The process checks if it is being run in the virtual environment
  - rsEngineSvc.exe (PID: 6804)
- Reads Mozilla Firefox installation path
  - servicehost.exe (PID: 7720)
  - uihost.exe (PID: 3596)
- Starts CMD.EXE for commands execution
  - servicehost.exe (PID: 7720)
  - updater.exe (PID: 8464)
- Hides command output
  - cmd.exe (PID: 8300)
  - cmd.exe (PID: 8504)
  - cmd.exe (PID: 8524)
INFO
- Checks supported languages
  - winrar-64-6.21-installer_AmGAP-1.exe (PID: 244)
  - winrar-64-6.21-installer_AmGAP-1.tmp (PID: 3848)
  - winrar-64-6.21-installer_AmGAP-1.exe (PID: 2828)
  - winrar-64-6.21-installer_AmGAP-1.tmp (PID: 4052)
  - component0.exe (PID: 420)
  - 4bxsh541.exe (PID: 380)
  - UnifiedStub-installer.exe (PID: 1280)
  - rsSyncSvc.exe (PID: 6216)
  - identity_helper.exe (PID: 7184)
  - winrar-64-7.01-installer_di-Kgo1.exe (PID: 3128)
  - rsSyncSvc.exe (PID: 4676)
  - winrar-64-7.01-installer_di-Kgo1.exe (PID: 8152)
  - winrar-64-7.01-installer_di-Kgo1.tmp (PID: 7188)
  - winrar-64-7.01-installer_di-Kgo1.tmp (PID: 3724)
  - saBSI.exe (PID: 7416)
  - winrar-64-7.01-installer.exe (PID: 7228)
  - Uninstall.exe (PID: 5884)
  - identity_helper.exe (PID: 6420)
  - rsWSC.exe (PID: 7656)
  - installer.exe (PID: 6684)
  - installer.exe (PID: 6776)
  - rsEngineSvc.exe (PID: 6732)
  - rsWSC.exe (PID: 6276)
  - rsClientSvc.exe (PID: 6528)
  - rsClientSvc.exe (PID: 6580)
  - rsEngineSvc.exe (PID: 6804)
  - rsEDRSvc.exe (PID: 6360)
  - rsEDRSvc.exe (PID: 6172)
  - EPP.exe (PID: 6256)
  - rsHelper.exe (PID: 5332)
  - rsAppUI.exe (PID: 2104)
  - rsAppUI.exe (PID: 3680)
  - rsAppUI.exe (PID: 5816)
  - rsAppUI.exe (PID: 4988)
  - rsAppUI.exe (PID: 5316)
  - rsLitmus.A.exe (PID: 6820)
  - rsAppUI.exe (PID: 7068)
  - rsAppUI.exe (PID: 3884)
  - servicehost.exe (PID: 7720)
  - uihost.exe (PID: 3596)
  - rsAppUI.exe (PID: 2652)
  - rsAppUI.exe (PID: 7072)
  - updater.exe (PID: 8464)
  - rsAppUI.exe (PID: 8792)
  - rsAppUI.exe (PID: 8852)
  - rsAppUI.exe (PID: 8900)
  - rsAppUI.exe (PID: 8976)
  - rsAppUI.exe (PID: 9100)
  - rsAppUI.exe (PID: 9208)
  - rsAppUI.exe (PID: 9028)
- Create files in a temporary directory
  - winrar-64-6.21-installer_AmGAP-1.exe (PID: 244)
  - winrar-64-6.21-installer_AmGAP-1.exe (PID: 2828)
  - winrar-64-6.21-installer_AmGAP-1.tmp (PID: 4052)
  - component0.exe (PID: 420)
  - 4bxsh541.exe (PID: 380)
  - winrar-64-7.01-installer_di-Kgo1.exe (PID: 3128)
  - winrar-64-7.01-installer_di-Kgo1.tmp (PID: 3724)
  - winrar-64-7.01-installer_di-Kgo1.exe (PID: 8152)
  - winrar-64-7.01-installer_di-Kgo1.tmp (PID: 7188)
  - UnifiedStub-installer.exe (PID: 1280)
  - saBSI.exe (PID: 7416)
  - installer.exe (PID: 6776)
  - rsAppUI.exe (PID: 2104)
- Reads the computer name
  - winrar-64-6.21-installer_AmGAP-1.tmp (PID: 3848)
  - winrar-64-6.21-installer_AmGAP-1.tmp (PID: 4052)
  - component0.exe (PID: 420)
  - UnifiedStub-installer.exe (PID: 1280)
  - rsSyncSvc.exe (PID: 4676)
  - identity_helper.exe (PID: 7184)
  - rsSyncSvc.exe (PID: 6216)
  - winrar-64-7.01-installer_di-Kgo1.tmp (PID: 3724)
  - winrar-64-7.01-installer_di-Kgo1.tmp (PID: 7188)
  - saBSI.exe (PID: 7416)
  - winrar-64-7.01-installer.exe (PID: 7228)
  - Uninstall.exe (PID: 5884)
  - identity_helper.exe (PID: 6420)
  - rsWSC.exe (PID: 7656)
  - installer.exe (PID: 6776)
  - rsClientSvc.exe (PID: 6580)
  - rsWSC.exe (PID: 6276)
  - rsClientSvc.exe (PID: 6528)
  - rsEngineSvc.exe (PID: 6732)
  - rsEngineSvc.exe (PID: 6804)
  - rsEDRSvc.exe (PID: 6360)
  - rsEDRSvc.exe (PID: 6172)
  - rsHelper.exe (PID: 5332)
  - rsAppUI.exe (PID: 2104)
  - rsAppUI.exe (PID: 5316)
  - rsAppUI.exe (PID: 5816)
  - servicehost.exe (PID: 7720)
  - uihost.exe (PID: 3596)
  - updater.exe (PID: 8464)
- Process checks computer location settings
  - winrar-64-6.21-installer_AmGAP-1.tmp (PID: 3848)
  - winrar-64-6.21-installer_AmGAP-1.tmp (PID: 4052)
  - component0.exe (PID: 420)
  - winrar-64-7.01-installer_di-Kgo1.tmp (PID: 3724)
  - winrar-64-7.01-installer_di-Kgo1.tmp (PID: 7188)
  - winrar-64-7.01-installer.exe (PID: 7228)
  - rsAppUI.exe (PID: 3680)
  - rsAppUI.exe (PID: 2104)
  - rsAppUI.exe (PID: 7068)
  - rsAppUI.exe (PID: 3884)
  - rsAppUI.exe (PID: 4988)
  - rsAppUI.exe (PID: 7072)
  - rsAppUI.exe (PID: 2652)
  - servicehost.exe (PID: 7720)
  - rsAppUI.exe (PID: 8792)
  - rsAppUI.exe (PID: 8852)
  - rsAppUI.exe (PID: 8900)
  - rsAppUI.exe (PID: 9028)
  - rsAppUI.exe (PID: 9100)
  - rsAppUI.exe (PID: 9208)
  - rsAppUI.exe (PID: 8976)
- Reads the software policy settings
  - winrar-64-6.21-installer_AmGAP-1.tmp (PID: 4052)
  - component0.exe (PID: 420)
  - UnifiedStub-installer.exe (PID: 1280)
  - winrar-64-7.01-installer_di-Kgo1.tmp (PID: 3724)
  - winrar-64-7.01-installer_di-Kgo1.tmp (PID: 7188)
  - saBSI.exe (PID: 7416)
  - WerFault.exe (PID: 540)
  - WerFault.exe (PID: 4308)
  - rsWSC.exe (PID: 7656)
  - installer.exe (PID: 6776)
  - rsEngineSvc.exe (PID: 6732)
  - rsWSC.exe (PID: 6276)
  - rsEngineSvc.exe (PID: 6804)
  - rsEDRSvc.exe (PID: 6360)
  - rsEDRSvc.exe (PID: 6172)
  - servicehost.exe (PID: 7720)
  - uihost.exe (PID: 3596)
  - updater.exe (PID: 8464)
- Reads the machine GUID from the registry
  - winrar-64-6.21-installer_AmGAP-1.tmp (PID: 4052)
  - component0.exe (PID: 420)
  - UnifiedStub-installer.exe (PID: 1280)
  - winrar-64-7.01-installer_di-Kgo1.tmp (PID: 3724)
  - winrar-64-7.01-installer_di-Kgo1.tmp (PID: 7188)
  - saBSI.exe (PID: 7416)
  - rsWSC.exe (PID: 7656)
  - installer.exe (PID: 6776)
  - rsWSC.exe (PID: 6276)
  - rsEngineSvc.exe (PID: 6732)
  - rsEngineSvc.exe (PID: 6804)
  - rsEDRSvc.exe (PID: 6360)
  - rsEDRSvc.exe (PID: 6172)
  - rsHelper.exe (PID: 5332)
  - rsAppUI.exe (PID: 2104)
  - servicehost.exe (PID: 7720)
  - uihost.exe (PID: 3596)
  - updater.exe (PID: 8464)
- Disables trace logs
  - component0.exe (PID: 420)
  - UnifiedStub-installer.exe (PID: 1280)
  - rsEngineSvc.exe (PID: 6804)
  - rsEDRSvc.exe (PID: 6172)
- Reads Environment values
  - component0.exe (PID: 420)
  - UnifiedStub-installer.exe (PID: 1280)
  - rsEngineSvc.exe (PID: 6804)
  - rsEDRSvc.exe (PID: 6172)
  - rsAppUI.exe (PID: 2104)
  - servicehost.exe (PID: 7720)
- Checks proxy server information
  - component0.exe (PID: 420)
  - winrar-64-6.21-installer_AmGAP-1.tmp (PID: 4052)
  - UnifiedStub-installer.exe (PID: 1280)
  - winrar-64-7.01-installer_di-Kgo1.tmp (PID: 3724)
  - winrar-64-7.01-installer_di-Kgo1.tmp (PID: 7188)
  - winrar-64-7.01-installer.exe (PID: 7228)
  - saBSI.exe (PID: 7416)
  - WerFault.exe (PID: 540)
  - WerFault.exe (PID: 4308)
  - rsWSC.exe (PID: 7656)
  - rsEngineSvc.exe (PID: 6732)
  - rsAppUI.exe (PID: 2104)
- Creates files in the program directory
  - UnifiedStub-installer.exe (PID: 1280)
  - saBSI.exe (PID: 7416)
  - winrar-64-7.01-installer.exe (PID: 7228)
  - Uninstall.exe (PID: 5884)
  - installer.exe (PID: 6684)
  - rsWSC.exe (PID: 7656)
  - installer.exe (PID: 6776)
  - rsEngineSvc.exe (PID: 6732)
  - rsEngineSvc.exe (PID: 6804)
  - rsEDRSvc.exe (PID: 6360)
  - rsEDRSvc.exe (PID: 6172)
  - servicehost.exe (PID: 7720)
  - uihost.exe (PID: 3596)
- Reads Microsoft Office registry keys
  - winrar-64-6.21-installer_AmGAP-1.tmp (PID: 4052)
  - msedge.exe (PID: 2196)
  - msedge.exe (PID: 6348)
  - msedge.exe (PID: 1540)
- Application launched itself
  - msedge.exe (PID: 2196)
  - msedge.exe (PID: 6348)
  - msedge.exe (PID: 1540)
- Manual execution by a user
  - msedge.exe (PID: 6348)
- Drops the executable file immediately after the start
  - msedge.exe (PID: 6632)
  - msedge.exe (PID: 6348)
- Executable content was dropped or overwritten
  - msedge.exe (PID: 6348)
  - msedge.exe (PID: 6632)
- The process uses the downloaded file
  - msedge.exe (PID: 6348)
  - msedge.exe (PID: 2344)
- Process checks Internet Explorer phishing filters
  - winrar-64-7.01-installer.exe (PID: 7228)
- Creates files or folders in the user directory
  - Uninstall.exe (PID: 5884)
  - WerFault.exe (PID: 4308)
  - WerFault.exe (PID: 540)
  - rsWSC.exe (PID: 7656)
  - rsEngineSvc.exe (PID: 6732)
  - rsAppUI.exe (PID: 2104)
  - rsEngineSvc.exe (PID: 6804)
  - rsAppUI.exe (PID: 5816)
- Reads the time zone
  - runonce.exe (PID: 7884)
  - rsEDRSvc.exe (PID: 6172)
  - rsEngineSvc.exe (PID: 6804)
- Reads security settings of Internet Explorer
  - runonce.exe (PID: 7884)
- Reads product name
  - rsEDRSvc.exe (PID: 6172)
  - rsAppUI.exe (PID: 2104)
  - rsEngineSvc.exe (PID: 6804)
  - servicehost.exe (PID: 7720)
- Reads CPU info
  - rsEDRSvc.exe (PID: 6172)
  - rsEngineSvc.exe (PID: 6804)
- .NET Reactor protector has been detected
  - rsWSC.exe (PID: 6276)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Inno Setup installer (53.5)
.exe	\|	InstallShield setup (21)
.exe	\|	Win32 EXE PECompact compressed (generic) (20.2)
.exe	\|	Win32 Executable (generic) (2.1)
.exe	\|	Win16/32 Executable Delphi generic (1)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:04:14 16:10:23+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	741888
InitializedDataSize:	89600
UninitializedDataSize:	-
EntryPoint:	0xb5eec
OSVersion:	6.1
ImageVersion:	6
SubsystemVersion:	6.1
Subsystem:	Windows GUI
FileVersionNumber:	8.7.2431.0
ProductVersionNumber:	8.7.2431.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	This installation was built with Inno Setup.
CompanyName:
FileDescription:	Capturāl Lmk
FileVersion:	8.7.2431
LegalCopyright:	©2023 Capturāl Lmk
OriginalFileName:
ProductName:	Capturāl Lmk
ProductVersion:	8.7.2431

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

302

Monitored processes

153

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

244

"C:\Users\admin\AppData\Local\Temp\winrar-64-6.21-installer_AmGAP-1.exe"

C:\Users\admin\AppData\Local\Temp\winrar-64-6.21-installer_AmGAP-1.exe

explorer.exe

User:

admin

Company:

Integrity Level:

MEDIUM

Description:

Capturāl Lmk

Exit code:

Version:

8.7.2431

Modules

Images
c:\users\admin\appdata\local\temp\winrar-64-6.21-installer_amgap-1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

380

"C:\Users\admin\AppData\Local\Temp\4bxsh541.exe" /silent

C:\Users\admin\AppData\Local\Temp\4bxsh541.exe

component0.exe

User:

admin

Company:

ReasonLabs

Integrity Level:

HIGH

Description:

ReasonLabs-setup-wizard.exe

Exit code:

Version:

6.0.1

Modules

Images
c:\users\admin\appdata\local\temp\4bxsh541.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

420

"C:\Users\admin\AppData\Local\Temp\is-NU2PR.tmp\component0.exe" -ip:"dui=bb926e54-e3ca-40fd-ae90-2764341e7792&dit=20240701141638&is_silent=true&oc=ZB_RAV_Cross_Solo_Soft&p=58f9&a=100&b=&se=true" -i

C:\Users\admin\AppData\Local\Temp\is-NU2PR.tmp\component0.exe

winrar-64-6.21-installer_AmGAP-1.tmp

User:

admin

Company:

Reason Software Company Inc.

Integrity Level:

HIGH

Description:

rsStubActivator

Exit code:

Version:

1.6.1.0

Modules

Images
c:\users\admin\appdata\local\temp\is-nu2pr.tmp\component0.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

540

C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7188 -s 944

C:\Windows\SysWOW64\WerFault.exe

winrar-64-7.01-installer_di-Kgo1.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

964

"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6156 --field-trial-handle=2256,i,7856325367257210656,12069246961281581977,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

PWA Identity Proxy Host

Exit code:

3221226029

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll

1192

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=8096 --field-trial-handle=2256,i,7856325367257210656,12069246961281581977,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1224

regsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"

C:\Windows\System32\regsvr32.exe

—

installer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft(C) Register Server

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

1280

.\UnifiedStub-installer.exe /silent

C:\Users\admin\AppData\Local\Temp\7zSC71D445B\UnifiedStub-installer.exe

4bxsh541.exe

User:

admin

Company:

Reason Software Company Inc.

Integrity Level:

HIGH

Description:

UnifiedStub

Exit code:

Version:

6.0.1

Modules

Images
c:\users\admin\appdata\local\temp\7zsc71d445b\unifiedstub-installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1332

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5192 --field-trial-handle=2256,i,7856325367257210656,12069246961281581977,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1332

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5060 --field-trial-handle=2256,i,7856325367257210656,12069246961281581977,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

133 998

Read events

133 072

Write events

831

Delete events

Modification events


(PID) Process:	(4052) winrar-64-6.21-installer_AmGAP-1.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Owner
Value: D40F000031F94546C1CBDA01
(PID) Process:	(4052) winrar-64-6.21-installer_AmGAP-1.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	SessionHash
Value: F8B9C587D7555060D23950343822CCEDEBDBD484A3EE91C2DB0EDFDDEB033009
(PID) Process:	(4052) winrar-64-6.21-installer_AmGAP-1.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Sequence
Value: 1
(PID) Process:	(4052) winrar-64-6.21-installer_AmGAP-1.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(4052) winrar-64-6.21-installer_AmGAP-1.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(4052) winrar-64-6.21-installer_AmGAP-1.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(4052) winrar-64-6.21-installer_AmGAP-1.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(420) component0.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\component0_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(420) component0.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\component0_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(420) component0.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\component0_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0

Add for printing

Executable files

563

Suspicious files

860

Text files

1 114

Unknown types

Dropped files

PID	Process	Filename		Type
244	winrar-64-6.21-installer_AmGAP-1.exe	C:\Users\admin\AppData\Local\Temp\is-UF099.tmp\winrar-64-6.21-installer_AmGAP-1.tmp		executable
		MD5:2C3299A97AAF7B14C4BC0145186A5851	SHA256:CA7D4BF7EA7E7A1F3EA77B885E3402D1040AD4473DB3279F59376E52A980CBA2
4052	winrar-64-6.21-installer_AmGAP-1.tmp	C:\Users\admin\AppData\Local\Temp\is-NU2PR.tmp\mainlogo.png		image
		MD5:18203F28D86AACD56E7A0445784E4C8C	SHA256:C175B1F46CBB8AB31E34011B35202884503BA31ECE2E236C36FEC8B6C2BD25F9
4052	winrar-64-6.21-installer_AmGAP-1.tmp	C:\Users\admin\AppData\Local\Temp\is-NU2PR.tmp\is-36FE2.tmp		executable
		MD5:4F09061B0024B67C673377CFD336E2BB	SHA256:2FBC1D7320F0896BD21D241D493AB3077D7709380BA1806F239AD477D1FDF30F
4052	winrar-64-6.21-installer_AmGAP-1.tmp	C:\Users\admin\AppData\Local\Temp\is-NU2PR.tmp\botva2.dll		executable
		MD5:67965A5957A61867D661F05AE1F4773E	SHA256:450B9B0BA25BF068AFBC2B23D252585A19E282939BF38326384EA9112DFD0105
380	4bxsh541.exe	C:\Users\admin\AppData\Local\Temp\7zSC71D445B\Microsoft.Win32.TaskScheduler.dll		executable
		MD5:87D7FB0770406BC9B4DC292FA9E1E116	SHA256:AAEB1EACBDAEB5425FD4B5C28CE2FD3714F065756664FA9F812AFDC367FBBB46
4052	winrar-64-6.21-installer_AmGAP-1.tmp	C:\Users\admin\AppData\Local\Temp\is-NU2PR.tmp\RAV_Cross.png		image
		MD5:4167C79312B27C8002CBEEA023FE8CB5	SHA256:C3BF350627B842BED55E6A72AB53DA15719B4F33C267A6A132CB99FF6AFE3CD8
4052	winrar-64-6.21-installer_AmGAP-1.tmp	C:\Users\admin\AppData\Local\Temp\is-NU2PR.tmp\is-4P0FP.tmp		image
		MD5:4167C79312B27C8002CBEEA023FE8CB5	SHA256:C3BF350627B842BED55E6A72AB53DA15719B4F33C267A6A132CB99FF6AFE3CD8
4052	winrar-64-6.21-installer_AmGAP-1.tmp	C:\Users\admin\AppData\Local\Temp\is-NU2PR.tmp\is-IMBKN.tmp		html
		MD5:9A8D73B7A1D5A6DDBFB78F52096C1486	SHA256:75D4931C6051E27799926FF815D6A95D761FE6D05683FBC2D05EDFFAE0DE56D9
4052	winrar-64-6.21-installer_AmGAP-1.tmp	C:\Users\admin\AppData\Local\Temp\is-NU2PR.tmp\v_in_black_circle.png		image
		MD5:A0F78DF30EBC15BDA8858E4C490A5EB1	SHA256:0C679E463254EC4652917110CA1387FB3663D464E4BD792D97C2D853E156D900
4052	winrar-64-6.21-installer_AmGAP-1.tmp	C:\Users\admin\AppData\Local\Temp\is-NU2PR.tmp\x_in_black_circle.png		image
		MD5:E2A07FB89C61CBB4121C5F59003769FA	SHA256:C9E0CE645EE4BCB73E797CDAB0EFCB858093120CABE5FCF6A554856C14871EFE

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

598

DNS requests

391

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3800	svchost.exe	GET	200	88.221.125.143:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
3800	svchost.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
4656	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	unknown
3040	OfficeClickToRun.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	unknown
1544	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	unknown
2064	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	unknown
2064	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	unknown
5996	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	unknown
6348	msedge.exe	GET	200	172.64.149.23:80	http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEEj8k7RgVZSNNqfJionWlBY%3D	unknown	—	—	unknown
5080	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4032	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
3800	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6072	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1320	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4052	winrar-64-6.21-installer_AmGAP-1.tmp	108.139.241.9:443	d1voknowivy5w4.cloudfront.net	AMAZON-02	US	unknown
3800	svchost.exe	2.16.241.12:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
3800	svchost.exe	88.221.125.143:80	www.microsoft.com	AKAMAI-AS	DE	unknown
3040	OfficeClickToRun.exe	104.46.162.227:443	self.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	AU	unknown
3040	OfficeClickToRun.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

DNS requests

Domain	IP	Reputation
d1voknowivy5w4.cloudfront.net	108.139.241.9 108.139.241.107 108.139.241.164 108.139.241.219	unknown
settings-win.data.microsoft.com	4.231.128.59	whitelisted
crl.microsoft.com	2.16.241.12 2.16.241.19 2.16.164.43 2.16.164.9 2.16.164.120	whitelisted
www.microsoft.com	88.221.125.143 88.221.169.152	whitelisted
self.events.data.microsoft.com	104.46.162.227	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
www.bing.com	2.23.209.130 2.23.209.185 2.23.209.187 2.23.209.182 2.23.209.181 2.23.209.133 2.23.209.183 2.23.209.189 2.23.209.193 2.16.100.129 2.16.100.57 2.16.100.58 2.16.100.64 2.16.100.66 2.16.100.65 2.16.101.82 2.16.101.72 2.16.100.144 2.19.96.91 2.19.96.88 2.19.96.99 2.19.96.89 2.19.96.98 2.19.96.104 2.19.96.90 2.19.96.96 2.19.96.106 2.16.101.123 2.16.101.120 2.16.100.18 2.16.101.99 2.16.101.107 2.16.100.19 2.16.101.105 2.16.101.115 2.16.101.121	whitelisted
login.live.com	20.190.159.23 20.190.159.68 20.190.159.4 40.126.31.73 40.126.31.67 20.190.159.64 20.190.159.0 20.190.159.75 40.126.31.71 20.190.159.2 20.190.159.73	whitelisted
r.bing.com	2.23.209.181 2.23.209.193 2.23.209.133 2.23.209.130 2.23.209.187 2.23.209.182 2.23.209.185 2.23.209.183 2.23.209.189 2.19.96.89 2.19.96.98 2.19.96.91 2.19.96.104 2.19.96.106 2.19.96.88 2.19.96.90 2.19.96.99 2.19.96.96	whitelisted
go.microsoft.com	2.19.246.123 184.28.89.167	whitelisted

Threats

PID	Process	Class	Message
6632	msedge.exe	Misc activity	ET INFO Observed ZeroSSL SSL/TLS Certificate
5816	rsAppUI.exe	Potential Corporate Privacy Violation	AV POLICY Observed TikTok Domain in TLS SNI (tiktok.com)
5816	rsAppUI.exe	Not Suspicious Traffic	INFO [ANY.RUN] An application monitoring request to sentry .io
5816	rsAppUI.exe	Not Suspicious Traffic	INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
5816	rsAppUI.exe	Not Suspicious Traffic	INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
5816	rsAppUI.exe	Not Suspicious Traffic	INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
5816	rsAppUI.exe	Not Suspicious Traffic	INFO [ANY.RUN] hCaptcha Enterprise Challenge

Add for printing

Process	Message
saBSI.exe	NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe	NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe	NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\is-0EVHS.tmp\component0_extract\saBSI.exe loading C:\Users\admin\AppData\Local\Temp\is-0EVHS.tmp\component0_extract\mfeaaca.dll, WinVerifyTrust failed with 80092003
saBSI.exe	NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe	NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe	NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\is-0EVHS.tmp\component0_extract\saBSI.exe loading C:\Users\admin\AppData\Local\Temp\is-0EVHS.tmp\component0_extract\mfeaaca.dll, WinVerifyTrust failed with 80092003
saBSI.exe	NCPrivateLoadAndValidateMPTDll: Looking in current directory
saBSI.exe	NCPrivateLoadAndValidateMPTDll: Looking in EXE directory
saBSI.exe	NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\is-0EVHS.tmp\component0_extract\saBSI.exe loading C:\Users\admin\AppData\Local\Temp\is-0EVHS.tmp\component0_extract\mfeaaca.dll, WinVerifyTrust failed with 80092003
saBSI.exe	NCPrivateLoadAndValidateMPTDll: Looking in current directory

General Info

winrar-64-6.21-installer_AmGAP-1.exe

17B1EA1089CCF5E5EF81C5DFAFDB90FF

AF0C22F715C97474303FF13364A71280C1D0F698

F81C79DE1B8BEC0FFCD299C964D8CF0BEE0D983AB465B693DBFD7347D2C64F87

49152:z7HecD4dnbibBlh/hYjPfySXi8AWAkCk1pW0RA/8XLHqwy8xSIuZfalHuxBoa4kp:/+cD4dnEhYjPfySXzAaPQYLHqw9SIuZp

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Actions looks like stealing of personal data

Creates a writable file in the system directory

Changes the autorun value in the registry

Registers / Runs the DLL via REGSVR32.EXE

Steals credentials from Web Browsers

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Reads the date of Windows installation

Reads the Windows owner or organization settings

Process drops legitimate windows executable

Searches for installed software

Creates a software uninstall entry

Executes as Windows Service

Reads Microsoft Outlook installation path

Reads Internet Explorer settings

Checks Windows Trust Settings

The process verifies whether the antivirus software is installed

Executes application which crashes

Drops 7-zip archiver for unpacking

Creates/Modifies COM task schedule object

The process drops C-runtime libraries

The process creates files with name similar to system file names

Drops a system driver (possible attempt to evade defenses)

Creates files in the driver directory

Creates or modifies Windows services

Uses RUNDLL32.EXE to load library

Uses WEVTUTIL.EXE to install publishers and event logs from the manifest

Adds/modifies Windows certificates

Patches Antimalware Scan Interface function (YARA)

Dropped object may contain URLs of mainers pools

Reads the BIOS version

Process checks is Powershell's Script Block Logging on

Potential Corporate Privacy Violation

Application launched itself

The process checks if it is being run in the virtual environment

Reads Mozilla Firefox installation path

Starts CMD.EXE for commands execution

Hides command output

INFO

Checks supported languages

Create files in a temporary directory

Reads the computer name

Process checks computer location settings

Reads the software policy settings

Reads the machine GUID from the registry

Disables trace logs

Reads Environment values

Checks proxy server information

Creates files in the program directory

Reads Microsoft Office registry keys

Application launched itself

Manual execution by a user

Drops the executable file immediately after the start

Executable content was dropped or overwritten

The process uses the downloaded file

Process checks Internet Explorer phishing filters

Creates files or folders in the user directory

Reads the time zone

Reads security settings of Internet Explorer

Reads product name

Reads CPU info

.NET Reactor protector has been detected

Malware configuration

Static information

TRiD

EXIF