
Windows Analysis Report
WinRAR Free Powerful Compression and Archive Management.exe

Overview

General Information

Sample name: WinRAR Free Powerful Compression and Archive Management.exe
Analysis ID: 1648608
MD5: 894dc6f2acd2173e23f3861e492adfe6
SHA1: 55c5bae54f1c0f18d38c62361f6768b3117a3b81
SHA256: 9efade3ea489c09839e2b88848e842c2421204407969f1a895fa9b9beb4410a5

Detection

Score: 52
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Creates processes with suspicious names
Drops PE files
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

  • System is w10x64
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: WinRAR Free Powerful Compression and Archive Management.exe | ReversingLabs: Detection: 16%
Source: WinRAR Free Powerful Compression and Archive Management.exe | Virustotal: Detection: 12%
Source: WinRAR Free Powerful Compression and Archive Management.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.223.114:443 -> 192.168.2.4:49723 version: TLS 1.2
Source: WinRAR Free Powerful Compression and Archive Management.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: f:\mydev\inno-download-plugin\unicode\idp.pdb | source: WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308091167.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, idp.dll.1.dr

Networking

Source: DNS query: bikecorn.xyz
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    GET /bin.php?e=392&sis=hnz3ljpbypn&pid=4163&tid=&a=4163&cc=FR&t=1742948725 HTTP/1.1
    Accept: */*
    User-Agent: InnoDownloadPlugin/1.5
    Host: bikecorn.xyz
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: bikecorn.xyz
Source: WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1312884033.0000000002A63000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1177728135.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1182732864.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FDD000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.000000000390B000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.1.dr | String found in binary or memory: http://bikecorn.xyz/ron.php?sis=hnz3ljpbypn&d=inno&msg=&r=offer_exists&ko=no&o=1662&a=2967&dn=420&sp
Source: WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1312884033.0000000002A63000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1177728135.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1182732864.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FDD000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.000000000390B000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.1.dr | String found in binary or memory: http://bikecorn.xyz/ron.php?sis=hnz3ljpbypn&d=inno&msg=&r=offer_exists&ko=no&o=1700&a=2967&dn=479&sp
Source: WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1312884033.0000000002A63000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1177728135.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1182732864.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FDD000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.000000000390B000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.1.dr | String found in binary or memory: http://bikecorn.xyz/ron.php?sis=hnz3ljpbypn&d=inno&msg=&r=offer_exists&ko=no&o=1706&a=2967&dn=487&sp
Source: WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1312884033.0000000002A63000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1177728135.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1182732864.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FDD000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.000000000390B000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.1.dr | String found in binary or memory: http://bikecorn.xyz/ron.php?sis=hnz3ljpbypn&d=inno&msg=&r=offer_exists&ko=no&o=331&a=2967&dn=244&spo
Source: WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1312884033.0000000002A63000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1177728135.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1182732864.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FDD000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.000000000390B000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.1.dr | String found in binary or memory: http://bikecorn.xyz/ron.php?sis=hnz3ljpbypn&d=inno&msg=&r=offer_exists&ko=no&o=365&a=2967&dn=310&spo
Source: WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1312884033.0000000002A63000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1177728135.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1182732864.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FDD000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.000000000390B000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.1.dr | String found in binary or memory: http://bikecorn.xyz/ron.php?sis=hnz3ljpbypn&fz=
Source: unins000.dat.1.dr | String found in binary or memory: http://bikecorn.xyz/son.php?sis=hn
Source: WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1312884033.0000000002A63000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1177728135.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1182732864.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FDD000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.000000000390B000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://bikecorn.xyz/son.php?sis=hnz3ljpbypn&paw=124612&spot=3&a=2967&on=244&o=331&cr=
Source: WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1312884033.0000000002A63000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1177728135.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1182732864.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FDD000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.000000000390B000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.1.dr | String found in binary or memory: http://bikecorn.xyz/son.php?sis=hnz3ljpbypn&paw=349723&spot=5&a=2967&on=487&o=1706&cr=
Source: WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1312884033.0000000002A63000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1177728135.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1182732864.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FDD000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.000000000390B000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.1.dr | String found in binary or memory: http://bikecorn.xyz/son.php?sis=hnz3ljpbypn&paw=579560&spot=1&a=2967&on=420&o=1662&cr=
Source: WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1312884033.0000000002A63000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1177728135.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1182732864.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FDD000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.000000000390B000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.1.dr | String found in binary or memory: http://bikecorn.xyz/son.php?sis=hnz3ljpbypn&paw=652969&spot=4&a=2967&on=479&o=1700&cr=
Source: WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1312884033.0000000002A63000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1177728135.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1182732864.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FDD000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.000000000390B000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.1.dr | String found in binary or memory: http://bikecorn.xyz/son.php?sis=hnz3ljpbypn&paw=846911&spot=2&a=2967&on=310&o=365&cr=
Source: WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000002.1311233760.00000000012EF000.00000004.00000010.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308091167.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, idp.dll.1.dr | String found in binary or memory: http://bitbucket.org/mitrich_k/inno-download-plugin
Source: WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1312884033.0000000002A63000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1177728135.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000002.1311487096.00000000014E8000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1310488934.0000000001533000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1310488934.0000000001575000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1182732864.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FDD000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://goo.gl/fxTiKZ
Source: WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000002.1311233760.00000000012EF000.00000004.00000010.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308091167.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, idp.dll.1.dr | String found in binary or memory: http://mitrichsoftware.wordpress.comB
Source: WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1312884033.0000000002A63000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1177728135.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000002.1311487096.00000000014E8000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1310488934.0000000001533000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1310488934.0000000001575000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1182732864.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FDD000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://advancedmanager.io/eula
Source: WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1312884033.0000000002A63000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1177728135.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000002.1311487096.00000000014E8000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1310488934.0000000001533000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1310488934.0000000001575000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1182732864.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FDD000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://advancedmanager.io/privacy-policy
Source: WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1310488934.0000000001533000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1310488934.0000000001575000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1259006086.000000000157C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bikecorn.xyz/
Source: WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1312884033.0000000002A63000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1177728135.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1310488934.0000000001533000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1310488934.0000000001575000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1182732864.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FDD000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.000000000390B000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.000000000307B000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308039489.00000000036E5000.00000004.00000020.00020000.00000000.sdmp, unins000.dat.1.dr | String found in binary or memory: https://bikecorn.xyz/bin.php?e=392&sis=hnz3ljpbypn&pid=4163&tid=&a=4163&cc=FR&t=1742948725
Source: WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1310488934.0000000001533000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bikecorn.xyz/bin.php?e=392&sis=hnz3ljpbypn&pid=4163&tid=&a=4163&cc=FR&t=1742948725y
Source: WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1310488934.0000000001533000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bikecorn.xyz/in.php?e=392&sis=hnz3ljpbypn&pid=4163&tid=&a=4163&cc=FR&t=1742948725
Source: WinRAR Free Powerful Compression and Archive Management.exe | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1312884033.0000000002A63000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1177728135.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000002.1311487096.00000000014E8000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1310488934.0000000001533000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1310488934.0000000001575000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1182732864.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FDD000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://legal.opera.com/eula/computers/
Source: WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1312884033.0000000002A63000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1177728135.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000002.1311487096.00000000014E8000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1310488934.0000000001533000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1310488934.0000000001575000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1182732864.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FDD000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://legal.opera.com/privacy/
Source: WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1179321044.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1179771941.000000007EB6B000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000000.1181360065.0000000000A11000.00000020.00000001.01000000.00000004.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp.0.dr, is-PM1OI.tmp.1.dr | String found in binary or memory: https://www.innosetup.com/
Source: WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1179321044.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1179771941.000000007EB6B000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000000.1181360065.0000000000A11000.00000020.00000001.01000000.00000004.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp.0.dr, is-PM1OI.tmp.1.dr | String found in binary or memory: https://www.remobjects.com/ps
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown | HTTPS traffic detected: 172.67.223.114:443 -> 192.168.2.4:49723 version: TLS 1.2
Source: WinRAR Free Powerful Compression and Archive Management.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-PM1OI.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: WinRAR Free Powerful Compression and Archive Management.exe | Static PE information: Number of sections : 11 > 10
Source: WinRAR Free Powerful Compression and Archive Management.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: is-PM1OI.tmp.1.dr | Static PE information: Number of sections : 11 > 10
Source: WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1179771941.000000007EE8F000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs WinRAR Free Powerful Compression and Archive Management.exe
Source: WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1179321044.00000000030C3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs WinRAR Free Powerful Compression and Archive Management.exe
Source: WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000000.1177412998.00000000002E9000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName vs WinRAR Free Powerful Compression and Archive Management.exe
Source: WinRAR Free Powerful Compression and Archive Management.exe | Binary or memory string: OriginalFileName vs WinRAR Free Powerful Compression and Archive Management.exe
Source: WinRAR Free Powerful Compression and Archive Management.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal52.troj.winEXE@3/7@1/1
Source: C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp | File created: C:\Program Files (x86)\Setup
Source: C:\Users\user\Desktop\WinRAR Free Powerful Compression and Archive Management.exe | File created: C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp
Source: C:\Users\user\Desktop\WinRAR Free Powerful Compression and Archive Management.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\WinRAR Free Powerful Compression and Archive Management.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\WinRAR Free Powerful Compression and Archive Management.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: WinRAR Free Powerful Compression and Archive Management.exe | ReversingLabs: Detection: 16%
Source: WinRAR Free Powerful Compression and Archive Management.exe | Virustotal: Detection: 12%
Source: WinRAR Free Powerful Compression and Archive Management.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\WinRAR Free Powerful Compression and Archive Management.exe | File read: C:\Users\user\Desktop\WinRAR Free Powerful Compression and Archive Management.exe
Source: unknown | Process created: C:\Users\user\Desktop\WinRAR Free Powerful Compression and Archive Management.exe "C:\Users\user\Desktop\WinRAR Free Powerful Compression and Archive Management.exe"
Source: C:\Users\user\Desktop\WinRAR Free Powerful Compression and Archive Management.exe | Process created: C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp "C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp" /SL5="$204B6,934334,844800,C:\Users\user\Desktop\WinRAR Free Powerful Compression and Archive Management.exe"
Source: C:\Users\user\Desktop\WinRAR Free Powerful Compression and Archive Management.exe | Process created: C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp "C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp" /SL5="$204B6,934334,844800,C:\Users\user\Desktop\WinRAR Free Powerful Compression and Archive Management.exe"
Source: C:\Users\user\Desktop\WinRAR Free Powerful Compression and Archive Management.exe | Sections loaded: uxtheme.dll, apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp | Sections loaded (in recorded order): mpr.dll, version.dll, winhttp.dll, uxtheme.dll, kernel.appcore.dll, wtsapi32.dll, winsta.dll, shfolder.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, wininet.dll, textshaping.dll, msftedit.dll, windows.globalization.dll, bcp47langs.dll, bcp47mrm.dll, globinputhost.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll (3 loads), dwmapi.dll, windows.ui.dll, windowmanagementapi.dll, inputhost.dll, propsys.dll, twinapi.appcore.dll (2 loads), iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, ondemandconnroutehelper.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, ncryptsslp.dll, explorerframe.dll, sfc.dll, sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp | Window found: window name: TWizardForm
Source: C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp | Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp | File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
Source: WinRAR Free Powerful Compression and Archive Management.exe | Static file information: File size 1914509 > 1048576
Source: WinRAR Free Powerful Compression and Archive Management.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: f:\mydev\inno-download-plugin\unicode\idp.pdb | source: WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308091167.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, idp.dll.1.dr
Source: WinRAR Free Powerful Compression and Archive Management.exe | Static PE information: section name: .didata
Source: WinRAR Free Powerful Compression and Archive Management.tmp.0.dr | Static PE information: section name: .didata
Source: is-PM1OI.tmp.1.dr | Static PE information: section name: .didata
Source: C:\Users\user\Desktop\WinRAR Free Powerful Compression and Archive Management.exe | File created: \winrar free powerful compression and archive management.exe
Source: C:\Users\user\Desktop\WinRAR Free Powerful Compression and Archive Management.exe | File created (dropped file): C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp | File created (dropped file): C:\Users\user\AppData\Local\Temp\is-PP3EV.tmp\idp.dll
Source: C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp | File created (dropped file): C:\Program Files (x86)\Setup\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp | File created (dropped file): C:\Program Files (x86)\Setup\is-PM1OI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp | File created (dropped file): C:\Users\user\AppData\Local\Temp\is-PP3EV.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\WinRAR Free Powerful Compression and Archive Management.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (recorded 8 times)
Source: C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-PP3EV.tmp\idp.dll
Source: C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Setup\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Setup\is-PM1OI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-PP3EV.tmp\_isetup\_setup64.tmp
Source: WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1310488934.0000000001533000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1310488934.0000000001597000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000002.1311767539.0000000001597000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1259006086.000000000158C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
MITRE ATT&CK matrix (tactics: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Only the numbered cells correspond to matched signatures; the remaining cells are the matrix's standard, unpopulated entries.
Execution: Command and Scripting Interpreter (2)
Persistence: DLL Side-Loading (1)
Privilege Escalation: DLL Side-Loading (1), Process Injection (1)
Defense Evasion: DLL Side-Loading (1), Process Injection (1), Masquerading (1)
Discovery: Security Software Discovery (1), System Owner/User Discovery (2), System Information Discovery (1)
Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (2), Application Layer Protocol (3), Ingress Tool Transfer (1)
No signature mapped to Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Collection, Exfiltration or Impact.
Behavior Graph ID: 1648608 | Sample: WinRAR Free Powerful Compre... | Start date: 26/03/2025 | Architecture: WINDOWS | Score: 52
Signatures: Multi AV Scanner detection for submitted file; Performs DNS queries to domains with low reputation (bikecorn.xyz)
WinRAR Free Powerful Compression and Archive Management.exe (started)
  dropped: WinRAR Free Powerf...hive Management.tmp, PE32
  started: WinRAR Free Powerful Compression and Archive Management.tmp
    DNS/IP: bikecorn.xyz 172.67.223.114, port 443 (client ports 49723, 49724), CLOUDFLARENETUS, United States
    dropped: C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32
    dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
    dropped: C:\...\unins000.exe (copy), PE32
    dropped: C:\Program Files (x86)\Setup\is-PM1OI.tmp, PE32

Source | Detection | Scanner
WinRAR Free Powerful Compression and Archive Management.exe | 17% | ReversingLabs
WinRAR Free Powerful Compression and Archive Management.exe | 12% | Virustotal
Source | Detection | Scanner
C:\Users\user\AppData\Local\Temp\is-PP3EV.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-PP3EV.tmp\idp.dll | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://bikecorn.xyz/ | 0% | Avira URL Cloud | safe
https://bikecorn.xyz/bin.php?e=392&sis=hnz3ljpbypn&pid=4163&tid=&a=4163&cc=FR&t=1742948725 | 0% | Avira URL Cloud | safe
http://bikecorn.xyz/son.php?sis=hn | 0% | Avira URL Cloud | safe
http://bikecorn.xyz/son.php?sis=hnz3ljpbypn&paw=846911&spot=2&a=2967&on=310&o=365&cr= | 0% | Avira URL Cloud | safe
http://bikecorn.xyz/son.php?sis=hnz3ljpbypn&paw=349723&spot=5&a=2967&on=487&o=1706&cr= | 0% | Avira URL Cloud | safe
https://bikecorn.xyz/bin.php?e=392&sis=hnz3ljpbypn&pid=4163&tid=&a=4163&cc=FR&t=1742948725y | 0% | Avira URL Cloud | safe
http://bikecorn.xyz/son.php?sis=hnz3ljpbypn&paw=124612&spot=3&a=2967&on=244&o=331&cr= | 0% | Avira URL Cloud | safe
http://bikecorn.xyz/ron.php?sis=hnz3ljpbypn&fz= | 0% | Avira URL Cloud | safe
http://bikecorn.xyz/ron.php?sis=hnz3ljpbypn&d=inno&msg=&r=offer_exists&ko=no&o=365&a=2967&dn=310&spo | 0% | Avira URL Cloud | safe
http://bikecorn.xyz/ron.php?sis=hnz3ljpbypn&d=inno&msg=&r=offer_exists&ko=no&o=1700&a=2967&dn=479&sp | 0% | Avira URL Cloud | safe
http://bikecorn.xyz/son.php?sis=hnz3ljpbypn&paw=579560&spot=1&a=2967&on=420&o=1662&cr= | 0% | Avira URL Cloud | safe
http://bikecorn.xyz/ron.php?sis=hnz3ljpbypn&d=inno&msg=&r=offer_exists&ko=no&o=1662&a=2967&dn=420&sp | 0% | Avira URL Cloud | safe
https://bikecorn.xyz/in.php?e=392&sis=hnz3ljpbypn&pid=4163&tid=&a=4163&cc=FR&t=1742948725 | 0% | Avira URL Cloud | safe
http://bikecorn.xyz/son.php?sis=hnz3ljpbypn&paw=652969&spot=4&a=2967&on=479&o=1700&cr= | 0% | Avira URL Cloud | safe
http://bikecorn.xyz/ron.php?sis=hnz3ljpbypn&d=inno&msg=&r=offer_exists&ko=no&o=1706&a=2967&dn=487&sp | 0% | Avira URL Cloud | safe
http://bikecorn.xyz/ron.php?sis=hnz3ljpbypn&d=inno&msg=&r=offer_exists&ko=no&o=331&a=2967&dn=244&spo | 0% | Avira URL Cloud | safe
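The URL list above is the part of this report that repays a closer look. Every bikecorn.xyz string carries the same sis= token; son.php is called once per slot (spot=1 to 5) with an offer id (o=) and a second id (on=); ron.php answers with r=offer_exists and tags the client as d=inno; bin.php carries a cc= country code and a t= value that is a Unix timestamp. The URL scanner rates every one of them "safe" because the host has no reputation yet, so the structure of the callbacks, not the verdict, is what identifies a pay-per-install offer framework bolted onto an installer. The Python below is an added example, not part of the Joe Sandbox report; the URL list is reconstructed from this page (including strings cut off where the memory dump ended), and the meanings given to the parameters (session id, slot, offer id) are this example's reading of the visible values, not documentation of the server.

```python
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Set
from urllib.parse import parse_qsl, urlsplit

# Constructed from the URL strings this report recovered from process memory
# and unins000.dat. Some are cut off where the dump ended ("sis=hn", "&spo")
# and are kept as recovered, so the parser must tolerate partial queries.
RECOVERED_URLS = [
    "https://bikecorn.xyz/bin.php?e=392&sis=hnz3ljpbypn&pid=4163&tid=&a=4163&cc=FR&t=1742948725",
    "https://bikecorn.xyz/bin.php?e=392&sis=hnz3ljpbypn&pid=4163&tid=&a=4163&cc=FR&t=1742948725y",
    "http://bikecorn.xyz/son.php?sis=hn",
    "http://bikecorn.xyz/son.php?sis=hnz3ljpbypn&paw=579560&spot=1&a=2967&on=420&o=1662&cr=",
    "http://bikecorn.xyz/son.php?sis=hnz3ljpbypn&paw=846911&spot=2&a=2967&on=310&o=365&cr=",
    "http://bikecorn.xyz/son.php?sis=hnz3ljpbypn&paw=124612&spot=3&a=2967&on=244&o=331&cr=",
    "http://bikecorn.xyz/son.php?sis=hnz3ljpbypn&paw=652969&spot=4&a=2967&on=479&o=1700&cr=",
    "http://bikecorn.xyz/son.php?sis=hnz3ljpbypn&paw=349723&spot=5&a=2967&on=487&o=1706&cr=",
    "http://bikecorn.xyz/ron.php?sis=hnz3ljpbypn&d=inno&msg=&r=offer_exists&ko=no&o=365&a=2967&dn=310&spo",
    "http://bikecorn.xyz/ron.php?sis=hnz3ljpbypn&d=inno&msg=&r=offer_exists&ko=no&o=1700&a=2967&dn=479&sp",
    "http://bikecorn.xyz/ron.php?sis=hnz3ljpbypn&d=inno&msg=&r=offer_exists&ko=no&o=1662&a=2967&dn=420&sp",
    "http://bikecorn.xyz/ron.php?sis=hnz3ljpbypn&d=inno&msg=&r=offer_exists&ko=no&o=1706&a=2967&dn=487&sp",
    "http://bikecorn.xyz/ron.php?sis=hnz3ljpbypn&d=inno&msg=&r=offer_exists&ko=no&o=331&a=2967&dn=244&spo",
    "http://bikecorn.xyz/ron.php?sis=hnz3ljpbypn&fz=",
    "https://advancedmanager.io/eula",
    "https://advancedmanager.io/privacy-policy",
    "https://jrsoftware.org/ishelp/index.php?topic=setupcmdline",
]


def split_url(url: str):
    """Host, path and query dict; blank values are kept so 'tid=' and 'cr=' survive."""
    parts = urlsplit(url)
    return parts.netloc.lower(), parts.path, dict(parse_qsl(parts.query, keep_blank_values=True))


def summarize(urls: List[str]) -> Dict:
    """Group strings by host and pull out the callback structure.
    Parameter meanings (session id, slot, offer id) are this example's
    interpretation of the visible values, not server documentation."""
    hosts = defaultdict(lambda: {"endpoints": set(), "params": set()})
    session_ids: Set[str] = set()
    offers_by_spot: Dict[int, Dict[str, str]] = {}
    offer_replies: Dict[str, str] = {}
    beacon_time = None
    for url in urls:
        host, path, q = split_url(url)
        hosts[host]["endpoints"].add(path)
        hosts[host]["params"].update(q)
        if q.get("sis"):
            session_ids.add(q["sis"])
        if path == "/son.php" and q.get("spot", "").isdigit():
            offers_by_spot[int(q["spot"])] = {"o": q.get("o"), "on": q.get("on")}
        if path == "/ron.php" and "r" in q:
            offer_replies[q.get("o")] = q["r"]
        if path == "/bin.php" and q.get("t", "").isdigit():
            # t= is a Unix timestamp; decoding it lets you cross-check the
            # beacon against the analysis date shown in this report.
            beacon_time = datetime.fromtimestamp(int(q["t"]), tz=timezone.utc)
    return {"hosts": dict(hosts), "session_ids": session_ids, "offers_by_spot": offers_by_spot,
            "offer_replies": offer_replies, "beacon_time": beacon_time}


def callback_hosts(summary: Dict) -> Set[str]:
    """Hosts that receive the session token are the ones to block or hunt for;
    the EULA and help pages are only referenced, never sent anything."""
    return {h for h, v in summary["hosts"].items() if "sis" in v["params"]}


def replies_match_offers(summary: Dict) -> bool:
    """Every ron.php reply should name an offer id that a son.php call announced."""
    known = {v["o"] for v in summary["offers_by_spot"].values()}
    return all(o in known for o in summary["offer_replies"])


if __name__ == "__main__":
    s = summarize(RECOVERED_URLS)
    print(callback_hosts(s), s["session_ids"], s["offers_by_spot"], s["offer_replies"], s["beacon_time"])
```

Two things the output makes visible that the raw list does not: the t= value decodes to 26 March 2025 UTC, the same day as the analysis, so the timestamp is generated on the victim at install time rather than baked into the binary; and the truncated "sis=hn" string shows up as a second session token, which is why distinct recovered values should never be counted as distinct sessions without checking where the string was cut.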


Name | IP | Active | Malicious | Antivirus Detection | Reputation
bikecorn.xyz | 172.67.223.114 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://bikecorn.xyz/bin.php?e=392&sis=hnz3ljpbypn&pid=4163&tid=&a=4163&cc=FR&t=1742948725 | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://advancedmanager.io/eula | WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1312884033.0000000002A63000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1177728135.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000002.1311487096.00000000014E8000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1310488934.0000000001533000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1310488934.0000000001575000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1182732864.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FDD000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | WinRAR Free Powerful Compression and Archive Management.exe | false | | high
http://bikecorn.xyz/son.php?sis=hn | unins000.dat.1.dr | false | Avira URL Cloud: safe | unknown
https://bikecorn.xyz/ | WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1310488934.0000000001533000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1310488934.0000000001575000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1259006086.000000000157C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://bikecorn.xyz/bin.php?e=392&sis=hnz3ljpbypn&pid=4163&tid=&a=4163&cc=FR&t=1742948725y | WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1310488934.0000000001533000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://advancedmanager.io/privacy-policy | WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1312884033.0000000002A63000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1177728135.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000002.1311487096.00000000014E8000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1310488934.0000000001533000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1310488934.0000000001575000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1182732864.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FDD000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://bikecorn.xyz/son.php?sis=hnz3ljpbypn&paw=349723&spot=5&a=2967&on=487&o=1706&cr= | WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1312884033.0000000002A63000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1177728135.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1182732864.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FDD000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.000000000390B000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.1.dr | false | Avira URL Cloud: safe | unknown
http://bikecorn.xyz/ron.php?sis=hnz3ljpbypn&d=inno&msg=&r=offer_exists&ko=no&o=1700&a=2967&dn=479&sp | WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1312884033.0000000002A63000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1177728135.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1182732864.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FDD000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.000000000390B000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.1.dr | false | Avira URL Cloud: safe | unknown
http://bikecorn.xyz/ron.php?sis=hnz3ljpbypn&fz= | WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1312884033.0000000002A63000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1177728135.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1182732864.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FDD000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.000000000390B000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.1.dr | false | Avira URL Cloud: safe | unknown
http://bikecorn.xyz/ron.php?sis=hnz3ljpbypn&d=inno&msg=&r=offer_exists&ko=no&o=365&a=2967&dn=310&spo | WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1312884033.0000000002A63000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1177728135.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1182732864.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FDD000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.000000000390B000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.1.dr | false | Avira URL Cloud: safe | unknown
http://bikecorn.xyz/son.php?sis=hnz3ljpbypn&paw=846911&spot=2&a=2967&on=310&o=365&cr= | WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1312884033.0000000002A63000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1177728135.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1182732864.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FDD000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.000000000390B000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.1.dr | false | Avira URL Cloud: safe | unknown
http://bikecorn.xyz/son.php?sis=hnz3ljpbypn&paw=124612&spot=3&a=2967&on=244&o=331&cr= | WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1312884033.0000000002A63000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1177728135.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1182732864.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FDD000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.000000000390B000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://bikecorn.xyz/son.php?sis=hnz3ljpbypn&paw=579560&spot=1&a=2967&on=420&o=1662&cr= | WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1312884033.0000000002A63000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1177728135.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1182732864.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FDD000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.000000000390B000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.1.dr | false | Avira URL Cloud: safe | unknown
http://goo.gl/fxTiKZ | WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1312884033.0000000002A63000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1177728135.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000002.1311487096.00000000014E8000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1310488934.0000000001533000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1310488934.0000000001575000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1182732864.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FDD000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FB0000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://bikecorn.xyz/ron.php?sis=hnz3ljpbypn&d=inno&msg=&r=offer_exists&ko=no&o=1662&a=2967&dn=420&sp | WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1312884033.0000000002A63000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1177728135.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1182732864.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FDD000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.000000000390B000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.1.dr | false | Avira URL Cloud: safe | unknown
http://bikecorn.xyz/son.php?sis=hnz3ljpbypn&paw=652969&spot=4&a=2967&on=479&o=1700&cr= | WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1312884033.0000000002A63000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1177728135.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1182732864.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FDD000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.000000000390B000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.1.dr | false
            • Avira URL Cloud: safe
            unknown
            https://bikecorn.xyz/in.php?e=392&sis=hnz3ljpbypn&pid=4163&tid=&a=4163&cc=FR&t=1742948725WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1310488934.0000000001533000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://www.remobjects.com/psWinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1179321044.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1179771941.000000007EB6B000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000000.1181360065.0000000000A11000.00000020.00000001.01000000.00000004.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp.0.dr, is-PM1OI.tmp.1.drfalse
              high
              https://www.innosetup.com/WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1179321044.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1179771941.000000007EB6B000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000000.1181360065.0000000000A11000.00000020.00000001.01000000.00000004.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp.0.dr, is-PM1OI.tmp.1.drfalse
                high
                http://bikecorn.xyz/ron.php?sis=hnz3ljpbypn&d=inno&msg=&r=offer_exists&ko=no&o=1706&a=2967&dn=487&spWinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1312884033.0000000002A63000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1177728135.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1182732864.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FDD000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.000000000390B000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.1.drfalse
                • Avira URL Cloud: safe
                unknown
                http://bitbucket.org/mitrich_k/inno-download-pluginWinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000002.1311233760.00000000012EF000.00000004.00000010.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308091167.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, idp.dll.1.drfalse
                  high
                  https://legal.opera.com/eula/computers/WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1312884033.0000000002A63000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1177728135.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000002.1311487096.00000000014E8000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1310488934.0000000001533000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1310488934.0000000001575000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1182732864.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FDD000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FB0000.00000004.00001000.00020000.00000000.sdmpfalse
                    high
                    https://legal.opera.com/privacy/WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1312884033.0000000002A63000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1177728135.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000002.1311487096.00000000014E8000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1310488934.0000000001533000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1310488934.0000000001575000.00000004.00000020.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1182732864.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FDD000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FB0000.00000004.00001000.00020000.00000000.sdmpfalse
                      high
                      http://bikecorn.xyz/ron.php?sis=hnz3ljpbypn&d=inno&msg=&r=offer_exists&ko=no&o=331&a=2967&dn=244&spoWinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1312884033.0000000002A63000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.exe, 00000000.00000003.1177728135.0000000002F80000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.00000000039A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1182732864.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1309688474.0000000002FDD000.00000004.00001000.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308892273.000000000390B000.00000004.00001000.00020000.00000000.sdmp, unins000.dat.1.drfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://mitrichsoftware.wordpress.comBWinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000002.1311233760.00000000012EF000.00000004.00000010.00020000.00000000.sdmp, WinRAR Free Powerful Compression and Archive Management.tmp, 00000001.00000003.1308091167.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, idp.dll.1.drfalse
                        high
IP: 172.67.223.114
Domain: bikecorn.xyz
Country: United States
ASN: 13335
ASN Name: CLOUDFLARENETUS
Malicious: true
                        Joe Sandbox version:42.0.0 Malachite
                        Analysis ID:1648608
                        Start date and time:2025-03-26 01:29:03 +01:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 5m 0s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:11
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:WinRAR Free Powerful Compression and Archive Management.exe
                        Detection:MAL
                        Classification:mal52.troj.winEXE@3/7@1/1
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                        • Excluded IPs from analysis (whitelisted): 23.204.23.20, 20.109.210.53
                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        No simulations
                        No context
                        No context
Match: CLOUDFLARENETUS
Associated Sample Name / URL, Detection, Threat Name, Context:
• Name: http://www.cleopatraegypttours.com; Detection: malicious; Threat Name: Unknown; Context: 104.21.54.69
• Name: Vixen Public.exe; Detection: malicious; Threat Name: XWorm; Context: 172.67.19.24
• Name: https://click.pstmrk.it/3s/zar.free.hr%2F/tLrs/ZS28AQ/AQ/8c8f694f-9d41-49a1-b53b-85a5681b1594/1/KXKbs2QcC9; Detection: malicious; Threat Name: Unknown; Context: 172.67.152.117
• Name: https://teddyslimo.com; Detection: malicious; Threat Name: HTMLPhisher; Context: 104.16.123.96
• Name: rfq 25202503.bat.exe; Detection: malicious; Threat Name: FormBook; Context: 104.21.94.50
• Name: https://gamma.app/docs/San-Francisco-Design-Center-yiak8m1tzv7kh6w?mode=present#card-zkdj2dw1roq630u; Detection: malicious; Threat Name: Unknown; Context: 104.18.11.200
• Name: https://www.canva.com/design/DAGip6DbGGY/U0pN74ofNkqBSFMzXXCnAw/view?utm_content=DAGip6DbGGY&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=h777bcb50d3; Detection: malicious; Threat Name: Invisible JS, Tycoon2FA; Context: 104.17.25.14
• Name: https://thetti-my.sharepoint.com/:f:/p/kellieblack/EtssBivICL5BgQEDfbETZP4BZsoHTOyxYMnSj46dgeiAiA?e=0t2fdm; Detection: malicious; Threat Name: HTMLPhisher; Context: 104.21.112.1
• Name: file.exe; Detection: malicious; Threat Name: NetSupport RAT; Context: 104.26.0.231
• Name: file.exe; Detection: malicious; Threat Name: LummaC Stealer; Context: 172.67.221.138

Match: 37f463bf4616ecd445d4a1937da06e19
Associated Sample Name / URL, Detection, Threat Name, Context:
• Name: http://www.cleopatraegypttours.com; Detection: malicious; Threat Name: Unknown; Context: 172.67.223.114
• Name: file.exe; Detection: malicious; Threat Name: Vidar; Context: 172.67.223.114
• Name: ep_setup.exe; Detection: malicious; Threat Name: Unknown; Context: 172.67.223.114
• Name: ep_setup.exe; Detection: malicious; Threat Name: Unknown; Context: 172.67.223.114
• Name: build.msi; Detection: malicious; Threat Name: Unknown; Context: 172.67.223.114
• Name: SAMHWA.vbs; Detection: malicious; Threat Name: GuLoader; Context: 172.67.223.114
• Name: SAMHWA.vbs; Detection: malicious; Threat Name: GuLoader; Context: 172.67.223.114
• Name: Patch-HWMonitor.Pro.1.3x.exe; Detection: malicious; Threat Name: Unknown; Context: 172.67.223.114
• Name: HWMonitorPro_x64.exe; Detection: malicious; Threat Name: Unknown; Context: 172.67.223.114
• Name: znicegreatveryspecialguestyourareforme.hta; Detection: malicious; Threat Name: Remcos; Context: 172.67.223.114

Match: C:\Users\user\AppData\Local\Temp\is-PP3EV.tmp\_isetup\_setup64.tmp
Associated Sample Name / URL, Detection, Threat Name:
• Name: file.exe; Detection: malicious; Threat Name: CryptOne, LummaC Stealer, Socks5Systemz
• Name: file.exe; Detection: malicious; Threat Name: Socks5Systemz
• Name: LxTDOkdJN5.exe; Detection: malicious; Threat Name: NetSupport RAT
• Name: ZJY0XENRZ5.exe; Detection: malicious; Threat Name: Unknown
• Name: ZJY0XENRZ5.exe; Detection: malicious; Threat Name: Unknown
• Name: 1F746kAKk9.exe; Detection: malicious; Threat Name: Unknown
• Name: 9QzBpAFWOl.exe; Detection: malicious; Threat Name: Unknown
• Name: I82ebpwgZg.exe; Detection: malicious; Threat Name: Unknown
• Name: random(9).exe; Detection: malicious; Threat Name: Amadey, CryptOne, LummaC Stealer, Socks5Systemz
• Name: uac.vbs; Detection: malicious; Threat Name: Unknown
                                            Process:C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):3543383
                                            Entropy (8bit):6.522091474858695
                                            Encrypted:false
                                            SSDEEP:49152:4uAKxvISKIJhNRQSJ3MhjxIXhEzAWig8l1sXyKFz0ool5+UKL5333TBj:4uAK6XMXhKAWwLsXa0333TB
                                            MD5:A6BD9CDD0945A21B4393BEFCFBC72F34
                                            SHA1:631C70F32B81E5E70F61447E5634BDF25DC6452A
                                            SHA-256:1563227B388AD4D133DA0026C67B0E824B6CE09CA1E8C4462F4C2308425E6096
                                            SHA-512:42002DC83172581ABB48D7C1049DA9F8A1430D9E26F917D6216A83D78B0081279AA50400D82B9AB597F5D17E99AA2751732CD81D20D7FE97C840273D4451FED5
                                            Malicious:false
                                            Reputation:low
                                            Process:C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp
                                            File Type:InnoSetup Log WinRAR Free Powerful Compression and Archive Management.exe, version 0x418, 47285 bytes, 927537\37\user\376, C:\Program Files (x86)\Setup\376\377\377\0
                                            Category:dropped
                                            Size (bytes):47285
                                            Entropy (8bit):3.927498626141446
                                            Encrypted:false
                                            SSDEEP:384:Vz2xg18eg74F54A7nB97sbRIPcqmNb0TfWvZEVrbPIHTvTeZHO:V8xI53nB97slmaNb0T+vqVrbYTvKo
                                            MD5:E1D742BF01BCC7152427E92E643B23FD
                                            SHA1:64E23C1537DAD0A402438BF3E8D34FF8740EBDF2
                                            SHA-256:54E0E68D18E197621D96E6D22C1029E10124AB266305E3A0C47CD5360C79432F
                                            SHA-512:E3A8FFB719F56F52749FC64A4CA3359AB753A4AD58714A683F6B2715B8CDF6663DE6BD5F0204941876F849BE778644220D6A23CDEFA269EEEE7ADFA3B806FB4B
                                            Malicious:false
                                            Reputation:low
                                            Process:C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):3543383
                                            Entropy (8bit):6.522091474858695
                                            Encrypted:false
                                            SSDEEP:49152:4uAKxvISKIJhNRQSJ3MhjxIXhEzAWig8l1sXyKFz0ool5+UKL5333TBj:4uAK6XMXhKAWwLsXa0333TB
                                            MD5:A6BD9CDD0945A21B4393BEFCFBC72F34
                                            SHA1:631C70F32B81E5E70F61447E5634BDF25DC6452A
                                            SHA-256:1563227B388AD4D133DA0026C67B0E824B6CE09CA1E8C4462F4C2308425E6096
                                            SHA-512:42002DC83172581ABB48D7C1049DA9F8A1430D9E26F917D6216A83D78B0081279AA50400D82B9AB597F5D17E99AA2751732CD81D20D7FE97C840273D4451FED5
                                            Malicious:false
                                            Reputation:low
                                            Process:C:\Users\user\Desktop\WinRAR Free Powerful Compression and Archive Management.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):3518976
                                            Entropy (8bit):6.534656790751112
                                            Encrypted:false
                                            SSDEEP:49152:AuAKxvISKIJhNRQSJ3MhjxIXhEzAWig8l1sXyKFz0ool5+UKL5333TB:AuAK6XMXhKAWwLsXa0333T
                                            MD5:6700BAA3E5971A111F34F8E0F1D66E9E
                                            SHA1:11B26E242FF2E785CC6B8C937EA71A0DCD47F691
                                            SHA-256:19FEEF671FCB9899A8DC513B16BB9E3C8922DC784685F99BA07D5662446EDF75
                                            SHA-512:C636F1C93C3BAAAC0C365D9734E57701C2958C66022C483B4EFF4A3EEC71876CE15CF2EB26CB993D61C391177AF700D844854E001184F977A62E171927DE20E6
                                            Malicious:false
                                            Reputation:low
                                            Process:C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp
                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                            Category:dropped
                                            Size (bytes):6144
                                            Entropy (8bit):4.720366600008286
                                            Encrypted:false
                                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            Joe Sandbox View:
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: LxTDOkdJN5.exe, Detection: malicious
• Filename: ZJY0XENRZ5.exe, Detection: malicious
• Filename: ZJY0XENRZ5.exe, Detection: malicious
• Filename: 1F746kAKk9.exe, Detection: malicious
• Filename: 9QzBpAFWOl.exe, Detection: malicious
• Filename: I82ebpwgZg.exe, Detection: malicious
• Filename: random(9).exe, Detection: malicious
• Filename: uac.vbs, Detection: malicious
                                            Reputation:high, very likely benign file
                                            Process:C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):2
                                            Entropy (8bit):1.0
                                            Encrypted:false
                                            SSDEEP:3:+:+
                                            MD5:7FA3B767C460B54A2BE4D49030B349C7
                                            SHA1:FD1286353570C5703799BA76999323B7C7447B06
                                            SHA-256:9390298F3FB0C5B160498935D79CB139AEF28E1C47358B4BBBA61862B9C26E59
                                            SHA-512:22494AF556A0782623729D0B5A9878F80AA6C21A6F51D346771842D613F51073C3B02FAB211BAFF42FB1998F38B77250DC7A1C71DD98B4B00CAE9620A6102AD7
                                            Malicious:false
                                            Reputation:moderate, very likely benign file
                                            Preview:no
                                            Process:C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp
                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):237568
                                            Entropy (8bit):6.42067568634536
                                            Encrypted:false
                                            SSDEEP:3072:dnSx3lws+iWbUmJmE8dxMw7r+mjT5PbzEFwyGIyTcHY10tSB9j:IP0bUmQEUr+mRcbTx4N
                                            MD5:55C310C0319260D798757557AB3BF636
                                            SHA1:0892EB7ED31D8BB20A56C6835990749011A2D8DE
                                            SHA-256:54E7E0AD32A22B775131A6288F083ED3286A9A436941377FC20F85DD9AD983ED
                                            SHA-512:E0082109737097658677D7963CBF28D412DCA3FA8F5812C2567E53849336CE45EBAE2C0430DF74BFE16C0F3EEBB46961BC1A10F32CA7947692A900162128AE57
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            Reputation:moderate, very likely benign file

                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Entropy (8bit):7.569709437504722
                                            TrID:
                                            • Win32 Executable (generic) a (10002005/4) 98.04%
                                            • Inno Setup installer (109748/4) 1.08%
                                            • InstallShield setup (43055/19) 0.42%
                                            • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                            File name:WinRAR Free Powerful Compression and Archive Management.exe
                                            File size:1'914'509 bytes
                                            MD5:894dc6f2acd2173e23f3861e492adfe6
                                            SHA1:55c5bae54f1c0f18d38c62361f6768b3117a3b81
                                            SHA256:9efade3ea489c09839e2b88848e842c2421204407969f1a895fa9b9beb4410a5
                                            SHA512:908ae153d772655b0f7d6b0426e6e337358928caf8a8acb08e8f360f12f974b28c5ec6be6239ce07953fe9670a2f4ed3b72f6ab2df28e040ae147406a8529c3b
                                            SSDEEP:24576:waE+hTNrCHtLfTfuM7Djr5QpYrao2rupZdH1yNf+clGH5JaFMWHIta3+8Fk86Y1G:0+MRvHwVle4Ju+ekQoEcK
                                            TLSH:0F95CF23F2CBE03EE05E0B3705B2A15494FBAA256523AD5786ECB49CCF751601E3E647
                                            File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                            Icon Hash:0c0c2d33ceec80aa
                                            Entrypoint:0x4a7f98
                                            Entrypoint Section:.itext
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x67AC374C [Wed Feb 12 05:53:16 2025 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:6
                                            OS Version Minor:1
                                            File Version Major:6
                                            File Version Minor:1
                                            Subsystem Version Major:6
                                            Subsystem Version Minor:1
                                            Import Hash:40ab50289f7ef5fae60801f88d4541fc
                                            Instruction
                                            push ebp
                                            mov ebp, esp
                                            add esp, FFFFFFA4h
                                            push ebx
                                            push esi
                                            push edi
                                            xor eax, eax
                                            mov dword ptr [ebp-3Ch], eax
                                            mov dword ptr [ebp-40h], eax
                                            mov dword ptr [ebp-5Ch], eax
                                            mov dword ptr [ebp-30h], eax
                                            mov dword ptr [ebp-38h], eax
                                            mov dword ptr [ebp-34h], eax
                                            mov dword ptr [ebp-2Ch], eax
                                            mov dword ptr [ebp-28h], eax
                                            mov dword ptr [ebp-14h], eax
                                            mov eax, 004A3274h
                                            call 00007F19A860FD89h
                                            xor eax, eax
                                            push ebp
                                            push 004A869Dh
                                            push dword ptr fs:[eax]
                                            mov dword ptr fs:[eax], esp
                                            xor edx, edx
                                            push ebp
                                            push 004A8657h
                                            push dword ptr fs:[edx]
                                            mov dword ptr fs:[edx], esp
                                            mov eax, dword ptr [004B0634h]
                                            call 00007F19A86A1ABBh
                                            call 00007F19A86A160Eh
                                            lea edx, dword ptr [ebp-14h]
                                            xor eax, eax
                                            call 00007F19A869BE68h
                                            mov edx, dword ptr [ebp-14h]
                                            mov eax, 004B4214h
                                            call 00007F19A8609E37h
                                            push 00000002h
                                            push 00000000h
                                            push 00000001h
                                            mov ecx, dword ptr [004B4214h]
                                            mov dl, 01h
                                            mov eax, dword ptr [0049CCF4h]
                                            call 00007F19A869D257h
                                            mov dword ptr [004B4218h], eax
                                            xor edx, edx
                                            push ebp
                                            push 004A8603h
                                            push dword ptr fs:[edx]
                                            mov dword ptr fs:[edx], esp
                                            call 00007F19A86A1B43h
                                            mov dword ptr [004B4220h], eax
                                            mov eax, dword ptr [004B4220h]
                                            cmp dword ptr [eax+0Ch], 01h
                                            jne 00007F19A86A805Ah
                                            mov eax, dword ptr [004B4220h]
                                            mov edx, 00000028h
                                            call 00007F19A869DB74h
                                            mov edx, dword ptr [004B4220h]
                                            Name | Virtual Address | Virtual Size | Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11200 | .rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10d80 | .reloc
                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                            .text | 0x1000 | 0xa56a4 | 0xa5800 | 463e3aaab99b053f2c4a2f67933c8e57 | False | 0.3625687429191843 | data | 6.379407961748755 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                            .itext | 0xa7000 | 0x1740 | 0x1800 | aabad89a99811463c0c9e4733f9929f6 | False | 0.5677083333333334 | data | 6.168310852607473 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                            .data | 0xa9000 | 0x3838 | 0x3a00 | 4daf07ad25de9a5fbce0e8bfa5bebf31 | False | 0.3537176724137931 | data | 4.9726577614511855 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                            .bss | 0xad000 | 0x7278 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                            .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                            .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                            .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                            .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .reloc | 0xba000 | 0x10d80 | 0x10e00 | 8871bb651f0d9a00a939ad4155039605 | False | 0.5829861111111111 | data | 6.713549988072992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                            .rsrc | 0xcb000 | 0x11200 | 0x11200 | dc4972f65b418305b9d4d7f545e07f89 | False | 0.18620266879562045 | data | 3.70879208463746 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                            RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
                                            RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
                                            RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
                                            RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                                            RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
                                            RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
                                            RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
                                            RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
                                            RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
                                            RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
                                            RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
                                            RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
                                            RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
                                            RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
                                            RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
                                            RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
                                            RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
                                            RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
                                            RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
                                            RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
                                            RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
                                            RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
                                            RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
                                            RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
                                            RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
                                            RT_RCDATA | 0xdaea0 | 0x354 | data | | | 0.5586854460093896
                                            RT_RCDATA | 0xdb1f4 | 0x2c | data | | | 1.1818181818181819
                                            RT_GROUP_ICON | 0xdb220 | 0xbc | data | English | United States | 0.6170212765957447
                                            RT_VERSION | 0xdb2dc | 0x584 | data | English | United States | 0.2797450424929179
                                            RT_MANIFEST | 0xdb860 | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                                            DLL | Import
                                            kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                                            comctl32.dll | InitCommonControls
                                            user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                                            oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                                            advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                                            Name | Ordinal | Address
                                            __dbk_fcall_wrapper | 2 | 0x40fc10
                                            dbkFCallWrapperAddr | 1 | 0x4b063c
                                            Description | Data
                                            Comments | This installation was built with Inno Setup.
                                            CompanyName |
                                            FileDescription | WinRAR Free Powerful Compression and Archive Management.exe
                                            FileVersion | 1.0.0.0
                                            LegalCopyright | WinRAR Free Powerful Compression and Archive Management.exe
                                            OriginalFileName |
                                            ProductName | WinRAR Free Powerful Compression and Archive Management.exe
                                            ProductVersion | 1.0.0.0
                                            Translation | 0x0000 0x04b0
                                            Language of compilation system | Country where language is spoken | Map
                                            English | United States |


                                            • Total Packets: 24
                                            • 443 (HTTPS)
                                            • 53 (DNS)
                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Mar 26, 2025 01:30:07.218205929 CET | 49723 | 443 | 192.168.2.4 | 172.67.223.114
                                            Mar 26, 2025 01:30:07.218225956 CET | 443 | 49723 | 172.67.223.114 | 192.168.2.4
                                            Mar 26, 2025 01:30:07.218333006 CET | 49723 | 443 | 192.168.2.4 | 172.67.223.114
                                            Mar 26, 2025 01:30:07.226861954 CET | 49723 | 443 | 192.168.2.4 | 172.67.223.114
                                            Mar 26, 2025 01:30:07.226871967 CET | 443 | 49723 | 172.67.223.114 | 192.168.2.4
                                            Mar 26, 2025 01:30:07.455425978 CET | 443 | 49723 | 172.67.223.114 | 192.168.2.4
                                            Mar 26, 2025 01:30:07.455492973 CET | 49723 | 443 | 192.168.2.4 | 172.67.223.114
                                            Mar 26, 2025 01:30:07.508268118 CET | 49723 | 443 | 192.168.2.4 | 172.67.223.114
                                            Mar 26, 2025 01:30:07.508279085 CET | 443 | 49723 | 172.67.223.114 | 192.168.2.4
                                            Mar 26, 2025 01:30:07.509176970 CET | 443 | 49723 | 172.67.223.114 | 192.168.2.4
                                            Mar 26, 2025 01:30:07.509243011 CET | 49723 | 443 | 192.168.2.4 | 172.67.223.114
                                            Mar 26, 2025 01:30:07.512090921 CET | 49723 | 443 | 192.168.2.4 | 172.67.223.114
                                            Mar 26, 2025 01:30:07.552288055 CET | 443 | 49723 | 172.67.223.114 | 192.168.2.4
                                            Mar 26, 2025 01:30:08.351905107 CET | 443 | 49723 | 172.67.223.114 | 192.168.2.4
                                            Mar 26, 2025 01:30:08.352006912 CET | 49723 | 443 | 192.168.2.4 | 172.67.223.114
                                            Mar 26, 2025 01:30:08.352015018 CET | 443 | 49723 | 172.67.223.114 | 192.168.2.4
                                            Mar 26, 2025 01:30:08.352054119 CET | 443 | 49723 | 172.67.223.114 | 192.168.2.4
                                            Mar 26, 2025 01:30:08.352065086 CET | 49723 | 443 | 192.168.2.4 | 172.67.223.114
                                            Mar 26, 2025 01:30:08.352121115 CET | 49723 | 443 | 192.168.2.4 | 172.67.223.114
                                            Mar 26, 2025 01:30:08.389110088 CET | 49723 | 443 | 192.168.2.4 | 172.67.223.114
                                            Mar 26, 2025 01:30:08.389120102 CET | 443 | 49723 | 172.67.223.114 | 192.168.2.4
                                            Mar 26, 2025 01:30:08.389175892 CET | 49723 | 443 | 192.168.2.4 | 172.67.223.114
                                            Mar 26, 2025 01:30:08.389209032 CET | 49723 | 443 | 192.168.2.4 | 172.67.223.114
                                            Mar 26, 2025 01:30:08.424945116 CET | 49724 | 443 | 192.168.2.4 | 172.67.223.114
                                            Mar 26, 2025 01:30:08.424963951 CET | 443 | 49724 | 172.67.223.114 | 192.168.2.4
                                            Mar 26, 2025 01:30:08.425077915 CET | 49724 | 443 | 192.168.2.4 | 172.67.223.114
                                            Mar 26, 2025 01:30:08.438503027 CET | 49724 | 443 | 192.168.2.4 | 172.67.223.114
                                            Mar 26, 2025 01:30:08.438513994 CET | 443 | 49724 | 172.67.223.114 | 192.168.2.4
                                            Mar 26, 2025 01:30:08.648706913 CET | 443 | 49724 | 172.67.223.114 | 192.168.2.4
                                            Mar 26, 2025 01:30:08.648777962 CET | 49724 | 443 | 192.168.2.4 | 172.67.223.114
                                            Mar 26, 2025 01:30:08.649259090 CET | 49724 | 443 | 192.168.2.4 | 172.67.223.114
                                            Mar 26, 2025 01:30:08.649262905 CET | 443 | 49724 | 172.67.223.114 | 192.168.2.4
                                            Mar 26, 2025 01:30:08.650126934 CET | 49724 | 443 | 192.168.2.4 | 172.67.223.114
                                            Mar 26, 2025 01:30:08.650142908 CET | 443 | 49724 | 172.67.223.114 | 192.168.2.4
                                            Mar 26, 2025 01:30:09.509496927 CET | 443 | 49724 | 172.67.223.114 | 192.168.2.4
                                            Mar 26, 2025 01:30:09.509596109 CET | 49724 | 443 | 192.168.2.4 | 172.67.223.114
                                            Mar 26, 2025 01:30:09.509610891 CET | 443 | 49724 | 172.67.223.114 | 192.168.2.4
                                            Mar 26, 2025 01:30:09.509654999 CET | 443 | 49724 | 172.67.223.114 | 192.168.2.4
                                            Mar 26, 2025 01:30:09.509700060 CET | 49724 | 443 | 192.168.2.4 | 172.67.223.114
                                            Mar 26, 2025 01:30:09.509700060 CET | 49724 | 443 | 192.168.2.4 | 172.67.223.114
                                            Mar 26, 2025 01:30:09.510252953 CET | 49724 | 443 | 192.168.2.4 | 172.67.223.114
                                            Mar 26, 2025 01:30:09.510268927 CET | 443 | 49724 | 172.67.223.114 | 192.168.2.4
                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Mar 26, 2025 01:30:07.093825102 CET | 57001 | 53 | 192.168.2.4 | 1.1.1.1
                                            Mar 26, 2025 01:30:07.211277962 CET | 53 | 57001 | 1.1.1.1 | 192.168.2.4
                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                            Mar 26, 2025 01:30:07.093825102 CET | 192.168.2.4 | 1.1.1.1 | 0x3f8c | Standard query (0) | bikecorn.xyz | A (IP address) | IN (0x0001) | false
                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                            Mar 26, 2025 01:30:07.211277962 CET | 1.1.1.1 | 192.168.2.4 | 0x3f8c | No error (0) | bikecorn.xyz | | 172.67.223.114 | A (IP address) | IN (0x0001) | false
                                            Mar 26, 2025 01:30:07.211277962 CET | 1.1.1.1 | 192.168.2.4 | 0x3f8c | No error (0) | bikecorn.xyz | | 104.21.91.151 | A (IP address) | IN (0x0001) | false
                                            • bikecorn.xyz
                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            0 | 192.168.2.4 | 49723 | 172.67.223.114 | 443 | 7416 | C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp
                                            Timestamp | Bytes transferred | Direction | Data
                                            2025-03-26 00:30:07 UTC | 206 | OUT | HEAD /bin.php?e=392&sis=hnz3ljpbypn&pid=4163&tid=&a=4163&cc=FR&t=1742948725 HTTP/1.1
                                            Accept: */*
                                            User-Agent: InnoDownloadPlugin/1.5
                                            Host: bikecorn.xyz
                                            Connection: Keep-Alive
                                            Cache-Control: no-cache
                                            2025-03-26 00:30:08 UTC | 790 | IN | HTTP/1.1 200 OK
                                            Date: Wed, 26 Mar 2025 00:30:08 GMT
                                            Content-Type: text/plain
                                            Content-Length: 2
                                            Connection: close
                                            X-Powered-By: PHP/5.5.38
                                            cf-cache-status: DYNAMIC
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mFy6ZLWl1%2BSZ1AJGhp0hK4tu2KWzAG4nTFTZdfAEPmKBM%2B6ojvtrqKqBO%2FbOHJX7RNkl%2B3u4gsUlxUZtgeiMK8QcZoDtKCAdCBKEpC7RxwMfFYRUwHcDybnUZDMw4aA%3D"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            CF-RAY: 926289a1b9c34398-EWR
                                            alt-svc: h3=":443"; ma=86400
                                            server-timing: cfL4;desc="?proto=TCP&rtt=98956&min_rtt=97889&rtt_var=21736&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2824&recv_bytes=820&delivery_rate=38036&cwnd=220&unsent_bytes=0&cid=71399495f6c4cc18&ts=918&x=0"


                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                            1 | 192.168.2.4 | 49724 | 172.67.223.114 | 443 | 7416 | C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp
                                            Timestamp | Bytes transferred | Direction | Data
                                            2025-03-26 00:30:08 UTC | 205 | OUT | GET /bin.php?e=392&sis=hnz3ljpbypn&pid=4163&tid=&a=4163&cc=FR&t=1742948725 HTTP/1.1
                                            Accept: */*
                                            User-Agent: InnoDownloadPlugin/1.5
                                            Host: bikecorn.xyz
                                            Connection: Keep-Alive
                                            Cache-Control: no-cache
                                            2025-03-26 00:30:09 UTC | 792 | IN | HTTP/1.1 200 OK
                                            Date: Wed, 26 Mar 2025 00:30:09 GMT
                                            Content-Type: text/plain
                                            Content-Length: 2
                                            Connection: close
                                            X-Powered-By: PHP/5.5.38
                                            cf-cache-status: DYNAMIC
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yrTWvPVOP%2FYlcO5X9HciP%2F4NK95LC8edyvlWVINIts5ElAHi3VM50OTyGS4I1tn2ZBkELUbcKhXGjmyFnhYttQcdJSVh%2FdvibKVd6xn7xt%2B2sfnkb93p2fHTj5rW%2B3g%3D"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            CF-RAY: 926289a93f0b3eb4-EWR
                                            alt-svc: h3=":443"; ma=86400
                                            server-timing: cfL4;desc="?proto=TCP&rtt=98182&min_rtt=97865&rtt_var=21127&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2825&recv_bytes=819&delivery_rate=37688&cwnd=189&unsent_bytes=0&cid=68a2c71df6b196a8&ts=870&x=0"
                                            2025-03-26 00:30:09 UTC | 2 | IN | Data Raw: 6e 6f
                                            Data Ascii: no


                                            Target ID:0
                                            Start time:20:30:00
                                            Start date:25/03/2025
                                            Path:C:\Users\user\Desktop\WinRAR Free Powerful Compression and Archive Management.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\WinRAR Free Powerful Compression and Archive Management.exe"
                                            Imagebase:0x230000
                                            File size:1'914'509 bytes
                                            MD5 hash:894DC6F2ACD2173E23F3861E492ADFE6
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:Borland Delphi
                                            Reputation:low
                                            Has exited:true

                                            Target ID:1
                                            Start time:20:30:01
                                            Start date:25/03/2025
                                            Path:C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\AppData\Local\Temp\is-KAS7O.tmp\WinRAR Free Powerful Compression and Archive Management.tmp" /SL5="$204B6,934334,844800,C:\Users\user\Desktop\WinRAR Free Powerful Compression and Archive Management.exe"
                                            Imagebase:0xa10000
                                            File size:3'518'976 bytes
                                            MD5 hash:6700BAA3E5971A111F34F8E0F1D66E9E
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:Borland Delphi
                                            Reputation:low
                                            Has exited:true

                                            No disassembly