Windows Analysis Report
winrar-x64-701(1).exe

Overview

General Information

Sample name: winrar-x64-701(1).exe
Analysis ID: 1530646
MD5: 46c17c999744470b689331f41eab7df1
SHA1: b8a63127df6a87d333061c622220d6d70ed80f7c
SHA256: c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a
Detection

Score: 24
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Compliance

Score: 48
Range: 0 - 100

Signatures

Drops PE files to the user root directory
Writes a notice file (html or txt) to demand a ransom
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
EXE planting / hijacking vulnerabilities found
File is packed with WinRar
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Sigma detected: Classes Autorun Keys Modification
Stores files to the Windows start menu directory

Classification

Source: C:\Users\user\Desktop\winrar-x64-701(1).exe EXE: C:\Users\user\WinRAR.exe
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe EXE: C:\Users\user\RarExtInstaller.exe
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe EXE: C:\Users\user\Rar.exe
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe EXE: C:\Users\user\Uninstall.exe
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe EXE: C:\Users\user\UnRAR.exe

Compliance

Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File created: C:\Users\user\ReadMe.txt
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File created: C:\Users\user\License.txt
Source: winrar-x64-701(1).exe Static PE information: certificate valid
Source: winrar-x64-701(1).exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006FF4000.00000004.00000020.00020000.00000000.sdmp, Default32.SFX.0.dr
Source: Binary string: D:\Projects\WinRAR\build\winrar64\Release\WinRAR.pdb source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006BB0000.00000004.00000020.00020000.00000000.sdmp, WinRAR.exe.0.dr
Source: Binary string: D:\Projects\WinRAR\rar\build\sfxcon32\Release\sfxcon.pdb source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006FF4000.00000004.00000020.00020000.00000000.sdmp, WinCon32.SFX.0.dr
Source: Binary string: D:\Projects\WinRAR\sfx\setup\build\sfxrar64\Release\sfxrar.pdb. source: winrar-x64-701(1).exe
Source: Binary string: D:\Projects\WinRAR\rarext\build\64\Release\rarext.pdb, source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006FF4000.00000004.00000020.00020000.00000000.sdmp, RarExt.dll.0.dr
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006BB0000.00000004.00000020.00020000.00000000.sdmp, Zip32.SFX.0.dr
Source: Binary string: se\uninstall.pdb source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006BB0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\Projects\WinRAR\rarext\build\64\Release\rarext.pdb source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006FF4000.00000004.00000020.00020000.00000000.sdmp, RarExt.dll.0.dr
Source: Binary string: D:\Projects\WinRAR\rar\build\unrar64\Release\UnRAR.pdb source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006BB0000.00000004.00000020.00020000.00000000.sdmp, UnRAR.exe.0.dr
Source: Binary string: D:\Projects\WinRAR\rar\build\sfxcon64\Release\sfxcon.pdb source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006FF4000.00000004.00000020.00020000.00000000.sdmp, WinCon.SFX.0.dr
Source: Binary string: D:\Projects\WinRAR\uninstall\build\uninstall64\Release\uninstall.pdb source: Uninstall.exe, 00000004.00000002.425421662.000000013FA72000.00000002.00000001.01000000.0000000C.sdmp, Uninstall.exe, 00000004.00000000.384135535.000000013FA72000.00000002.00000001.01000000.0000000C.sdmp, Uninstall.exe.0.dr
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006FF4000.00000004.00000020.00020000.00000000.sdmp, Default.SFX.0.dr
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip64\Release\sfxzip.pdb source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006BB0000.00000004.00000020.00020000.00000000.sdmp, Zip.SFX.0.dr
Source: Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: Rar.exe.0.dr
Source: Binary string: D:\Projects\WinRAR\rar\build\sfxcon64\Release\sfxcon.pdb source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006FF4000.00000004.00000020.00020000.00000000.sdmp, WinCon.SFX.0.dr
Source: Binary string: D:\Projects\WinRAR\rarext\Installer\x64\Release\RarExtInstaller.pdb source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006BB0000.00000004.00000020.00020000.00000000.sdmp, RarExtInstaller.exe.0.dr
Source: Binary string: D:\Projects\WinRAR\rarext\build\32\Release\rarext.pdb6 source: RarExt32.dll.0.dr
Source: Binary string: D:\Projects\WinRAR\sfx\setup\build\sfxrar64\Release\sfxrar.pdb source: winrar-x64-701(1).exe
Source: Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: Rar.exe.0.dr
Source: Binary string: D:\Projects\WinRAR\rarext\build\32\Release\rarext.pdb source: RarExt32.dll.0.dr
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Code function: 0_2_000000013F791F08 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_000000013F791F08
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Code function: 0_2_000000013F7B9B40 FindFirstFileExW, 0_2_000000013F7B9B40
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Code function: 0_2_000000013F7A34D0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW, 0_2_000000013F7A34D0
Source: C:\Users\user\Uninstall.exe Code function: 4_2_000000013FA49B10 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 4_2_000000013FA49B10
Source: C:\Users\user\Uninstall.exe Code function: 4_2_000000013FA66DC0 FindFirstFileExW, 4_2_000000013FA66DC0
Source: winrar-x64-701(1).exe, UnRAR.exe.0.dr, RarExtInstaller.exe.0.dr, WinRAR.exe.0.dr, Uninstall.exe.0.dr, RarExt32.dll.0.dr, RarExt.dll.0.dr, 7zxa.dll.0.dr, Rar.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: winrar-x64-701(1).exe, UnRAR.exe.0.dr, RarExtInstaller.exe.0.dr, WinRAR.exe.0.dr, Uninstall.exe.0.dr, RarExt32.dll.0.dr, RarExt.dll.0.dr, 7zxa.dll.0.dr, Rar.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: winrar-x64-701(1).exe, UnRAR.exe.0.dr, RarExtInstaller.exe.0.dr, WinRAR.exe.0.dr, Uninstall.exe.0.dr, RarExt32.dll.0.dr, RarExt.dll.0.dr, 7zxa.dll.0.dr, Rar.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: winrar-x64-701(1).exe, UnRAR.exe.0.dr, RarExtInstaller.exe.0.dr, WinRAR.exe.0.dr, Uninstall.exe.0.dr, RarExt32.dll.0.dr, RarExt.dll.0.dr, 7zxa.dll.0.dr, Rar.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: winrar-x64-701(1).exe, UnRAR.exe.0.dr, RarExtInstaller.exe.0.dr, WinRAR.exe.0.dr, Uninstall.exe.0.dr, RarExt32.dll.0.dr, RarExt.dll.0.dr, 7zxa.dll.0.dr, Rar.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: winrar-x64-701(1).exe, UnRAR.exe.0.dr, RarExtInstaller.exe.0.dr, WinRAR.exe.0.dr, Uninstall.exe.0.dr, RarExt32.dll.0.dr, RarExt.dll.0.dr, 7zxa.dll.0.dr, Rar.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: winrar-x64-701(1).exe, UnRAR.exe.0.dr, RarExtInstaller.exe.0.dr, WinRAR.exe.0.dr, Uninstall.exe.0.dr, RarExt32.dll.0.dr, RarExt.dll.0.dr, 7zxa.dll.0.dr, Rar.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Rar.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: winrar-x64-701(1).exe, UnRAR.exe.0.dr, RarExtInstaller.exe.0.dr, WinRAR.exe.0.dr, Uninstall.exe.0.dr, RarExt32.dll.0.dr, RarExt.dll.0.dr, 7zxa.dll.0.dr, Rar.exe.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: winrar-x64-701(1).exe, UnRAR.exe.0.dr, RarExtInstaller.exe.0.dr, WinRAR.exe.0.dr, Uninstall.exe.0.dr, RarExt32.dll.0.dr, RarExt.dll.0.dr, 7zxa.dll.0.dr, Rar.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: winrar-x64-701(1).exe, UnRAR.exe.0.dr, RarExtInstaller.exe.0.dr, WinRAR.exe.0.dr, Uninstall.exe.0.dr, RarExt32.dll.0.dr, RarExt.dll.0.dr, 7zxa.dll.0.dr, Rar.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: winrar-x64-701(1).exe, UnRAR.exe.0.dr, RarExtInstaller.exe.0.dr, WinRAR.exe.0.dr, Uninstall.exe.0.dr, RarExt32.dll.0.dr, RarExt.dll.0.dr, 7zxa.dll.0.dr, Rar.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: winrar-x64-701(1).exe, UnRAR.exe.0.dr, RarExtInstaller.exe.0.dr, WinRAR.exe.0.dr, Uninstall.exe.0.dr, RarExt32.dll.0.dr, RarExt.dll.0.dr, 7zxa.dll.0.dr, Rar.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: winrar-x64-701(1).exe, UnRAR.exe.0.dr, RarExtInstaller.exe.0.dr, WinRAR.exe.0.dr, Uninstall.exe.0.dr, RarExt32.dll.0.dr, RarExt.dll.0.dr, 7zxa.dll.0.dr, Rar.exe.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: Order.htm.0.dr String found in binary or memory: https://www.rarlab.com/registration.php
Source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006BB0000.00000004.00000020.00020000.00000000.sdmp, WinRAR.exe.0.dr String found in binary or memory: https://www.rarlab.com/reminder.php?language=$L&source=rarlab&architecture=$A&version=$Vorder.htmInt
Source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006FF4000.00000004.00000020.00020000.00000000.sdmp, WinRAR.exe.0.dr String found in binary or memory: https://www.rarlab.com/themes.htm
Source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006BB0000.00000004.00000020.00020000.00000000.sdmp, Uninstall.exe, Uninstall.exe, 00000004.00000002.425440793.000000013FA8F000.00000002.00000001.01000000.0000000C.sdmp, Order.htm.0.dr, Uninstall.exe.0.dr String found in binary or memory: https://www.win-rar.com
Source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006FF4000.00000004.00000020.00020000.00000000.sdmp, WinRAR.exe.0.dr String found in binary or memory: https://www.win-rar.comIhttps://notifier.win-rar.com/buyredirect?L=0&BL=0&src=wrr&arch=64&ver=701H
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File dropped: C:\Users\user\Rar.txt -> decrypt archive data and it cannot merge or create volumes. if no switches are specified, 'ch' command just copies the archive data without modification. if used with -amr switch to restore the saved archive name and time, other archive modification switches are ignored. example: set archive time to latest file: rar ch -tl files.rar cw write archive comment to specified file. format of output file depends on -sc switch. if output file name is not specified, comment data will be sent to stdout. examples: 1) rar cw arc comment.txt 2) rar cw -scuc arc unicode.txt 3) rar cw arc d delete files from archive. if this command removes all files from archive, the empty archive is removed. e extract files without archived paths. extract f
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Code function: 0_2_000000013F7A0A20 SetWindowLongPtrW,NtdllDefWindowProc_W,NtdllDefWindowProc_W, 0_2_000000013F7A0A20
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Code function: 0_2_000000013F78C4E0: CreateFileW,CloseHandle,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 0_2_000000013F78C4E0
Source: Joe Sandbox View Dropped File: C:\Users\user\7zxa.dll DB3D0484228ED14AD8D3763F4880D36024FB27B189C91720FF147B92D46BCB5A
Source: Joe Sandbox View Dropped File: C:\Users\user\Default.SFX B83A105DDA4806F7AC5E9F3B6546829B37D42D85911D1C4487B1E95BFEA91E9D
Source: C:\Users\user\Uninstall.exe Code function: String function: 000000013FA41B9C appears 145 times
Source: C:\Users\user\Uninstall.exe Code function: String function: 000000013FA4E30C appears 35 times
Source: winrar-x64-701(1).exe Binary or memory string: OriginalFilename vs winrar-x64-701(1).exe
Source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006BB0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRarExtInstaller.exeD vs winrar-x64-701(1).exe
Source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006BB0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUninstall.exeD vs winrar-x64-701(1).exe
Source: winrar-x64-701(1).exe, 00000000.00000000.351469154.000000013F7EB000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameWinRAR.exeD vs winrar-x64-701(1).exe
Source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006FF4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWinRAR.exeD vs winrar-x64-701(1).exe
Source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006FF4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename7zxa.dll, vs winrar-x64-701(1).exe
Source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006FF4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRarExt.dllD vs winrar-x64-701(1).exe
Source: winrar-x64-701(1).exe Binary or memory string: OriginalFilenameWinRAR.exeD vs winrar-x64-701(1).exe
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engine Classification label: sus24.rans.winEXE@3/38@0/0
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Code function: 0_2_000000013F78BA38 GetLastError,FormatMessageW,LocalFree, 0_2_000000013F78BA38
Source: C:\Users\user\Uninstall.exe Code function: 4_2_000000013FA4853C GetDiskFreeSpaceExW, 4_2_000000013FA4853C
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Code function: 0_2_000000013F7A02DC CLSIDFromString,CoCreateInstance, 0_2_000000013F7A02DC
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Code function: 0_2_000000013F7A1FEC FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GlobalUnlock,GlobalFree, 0_2_000000013F7A1FEC
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File created: C:\Users\user\__tmp_rar_sfx_access_check_7330424
Source: winrar-x64-701(1).exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Uninstall.exe String found in binary or memory: -install -extall
Source: Uninstall.exe String found in binary or memory: -install
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File read: C:\Users\user\Desktop\winrar-x64-701(1).exe
Source: unknown Process created: C:\Users\user\Desktop\winrar-x64-701(1).exe "C:\Users\user\Desktop\winrar-x64-701(1).exe"
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Process created: C:\Users\user\Uninstall.exe "C:\Users\user\uninstall.exe" /setup
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Section loaded: rpcrtremote.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Section loaded: d2d1.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Section loaded: mlang.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Section loaded: cscdll.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Section loaded: samlib.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Section loaded: devrtl.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Section loaded: winnsi.dll
Source: C:\Users\user\Uninstall.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Uninstall.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Uninstall.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Uninstall.exe Section loaded: apphelp.dll
Source: C:\Users\user\Uninstall.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Uninstall.exe Section loaded: ntshrui.dll
Source: C:\Users\user\Uninstall.exe Section loaded: srvcli.dll
Source: C:\Users\user\Uninstall.exe Section loaded: cscapi.dll
Source: C:\Users\user\Uninstall.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: WinRAR.lnk.4.dr LNK file: ..\..\..\..\..\..\..\WinRAR.exe
Source: WinRAR help.lnk.4.dr LNK file: ..\..\..\..\..\..\..\WinRAR.chm
Source: Console RAR manual.lnk.4.dr LNK file: ..\..\..\..\..\..\..\Rar.txt
Source: What is new in the latest version.lnk.4.dr LNK file: ..\..\..\..\..\..\..\WhatsNew.txt
Source: WinRAR.lnk0.4.dr LNK file: ..\..\..\..\..\..\Users\user\WinRAR.exe
Source: WinRAR help.lnk0.4.dr LNK file: ..\..\..\..\..\..\Users\user\WinRAR.chm
Source: Console RAR manual.lnk0.4.dr LNK file: ..\..\..\..\..\..\Users\user\Rar.txt
Source: What is new in the latest version.lnk0.4.dr LNK file: ..\..\..\..\..\..\Users\user\WhatsNew.txt
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Automated click: OK
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Automated click: Install
Source: C:\Users\user\Uninstall.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Uninstall.exe Window detected: Number of UI elements: 33
Source: winrar-x64-701(1).exe Static PE information: Image base 0x140000000 > 0x60000000
Source: winrar-x64-701(1).exe Static file information: File size 3948120 > 1048576
Source: winrar-x64-701(1).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: winrar-x64-701(1).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: winrar-x64-701(1).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: winrar-x64-701(1).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: winrar-x64-701(1).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: winrar-x64-701(1).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: winrar-x64-701(1).exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: winrar-x64-701(1).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006FF4000.00000004.00000020.00020000.00000000.sdmp, Default32.SFX.0.dr
Source: Binary string: D:\Projects\WinRAR\build\winrar64\Release\WinRAR.pdb source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006BB0000.00000004.00000020.00020000.00000000.sdmp, WinRAR.exe.0.dr
Source: Binary string: D:\Projects\WinRAR\rar\build\sfxcon32\Release\sfxcon.pdb source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006FF4000.00000004.00000020.00020000.00000000.sdmp, WinCon32.SFX.0.dr
Source: Binary string: D:\Projects\WinRAR\sfx\setup\build\sfxrar64\Release\sfxrar.pdb. source: winrar-x64-701(1).exe
Source: Binary string: D:\Projects\WinRAR\rarext\build\64\Release\rarext.pdb, source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006FF4000.00000004.00000020.00020000.00000000.sdmp, RarExt.dll.0.dr
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006BB0000.00000004.00000020.00020000.00000000.sdmp, Zip32.SFX.0.dr
Source: Binary string: se\uninstall.pdb source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006BB0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\Projects\WinRAR\rarext\build\64\Release\rarext.pdb source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006FF4000.00000004.00000020.00020000.00000000.sdmp, RarExt.dll.0.dr
Source: Binary string: D:\Projects\WinRAR\rar\build\unrar64\Release\UnRAR.pdb source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006BB0000.00000004.00000020.00020000.00000000.sdmp, UnRAR.exe.0.dr
Source: Binary string: D:\Projects\WinRAR\rar\build\sfxcon64\Release\sfxcon.pdb source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006FF4000.00000004.00000020.00020000.00000000.sdmp, WinCon.SFX.0.dr
Source: Binary string: D:\Projects\WinRAR\uninstall\build\uninstall64\Release\uninstall.pdb source: Uninstall.exe, 00000004.00000002.425421662.000000013FA72000.00000002.00000001.01000000.0000000C.sdmp, Uninstall.exe, 00000004.00000000.384135535.000000013FA72000.00000002.00000001.01000000.0000000C.sdmp, Uninstall.exe.0.dr
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006FF4000.00000004.00000020.00020000.00000000.sdmp, Default.SFX.0.dr
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip64\Release\sfxzip.pdb source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006BB0000.00000004.00000020.00020000.00000000.sdmp, Zip.SFX.0.dr
Source: Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: Rar.exe.0.dr
Source: Binary string: D:\Projects\WinRAR\rarext\Installer\x64\Release\RarExtInstaller.pdb source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006BB0000.00000004.00000020.00020000.00000000.sdmp, RarExtInstaller.exe.0.dr
Source: Binary string: D:\Projects\WinRAR\sfx\setup\build\sfxrar64\Release\sfxrar.pdb source: winrar-x64-701(1).exe
Source: Binary string: D:\Projects\WinRAR\rarext\build\32\Release\rarext.pdb source: RarExt32.dll.0.dr
Source: winrar-x64-701(1).exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: winrar-x64-701(1).exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: winrar-x64-701(1).exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: winrar-x64-701(1).exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: winrar-x64-701(1).exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File created: C:\Users\user\__tmp_rar_sfx_access_check_7330424
Source: winrar-x64-701(1).exe Static PE information: section name: .didat
Source: winrar-x64-701(1).exe Static PE information: section name: _RDATA
Source: Rar.exe.0.dr Static PE information: section name: _RDATA
Source: RarExtInstaller.exe.0.dr Static PE information: section name: _RDATA
Source: Uninstall.exe.0.dr Static PE information: section name: _RDATA
Source: UnRAR.exe.0.dr Static PE information: section name: _RDATA
Source: WinRAR.exe.0.dr Static PE information: section name: .didat
Source: WinRAR.exe.0.dr Static PE information: section name: _RDATA
Source: RarExt.dll.0.dr Static PE information: section name: _RDATA
Source: WinCon.SFX.0.dr Static PE information: section name: .didat
Source: WinCon.SFX.0.dr Static PE information: section name: _RDATA
Source: WinCon32.SFX.0.dr Static PE information: section name: .didat
Source: Zip.SFX.0.dr Static PE information: section name: .didat
Source: Zip.SFX.0.dr Static PE information: section name: _RDATA
Source: Zip32.SFX.0.dr Static PE information: section name: .didat
Source: Default.SFX.0.dr Static PE information: section name: .didat
Source: Default.SFX.0.dr Static PE information: section name: _RDATA
Source: Default32.SFX.0.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File created: C:\Users\user\WinRAR.exe
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File created: C:\Users\user\RarExtInstaller.exe
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File created: C:\Users\user\WinCon.SFX
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File created: C:\Users\user\Zip32.SFX
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File created: C:\Users\user\Default.SFX
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File created: C:\Users\user\Rar.exe
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File created: C:\Users\user\Default32.SFX
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File created: C:\Users\user\RarExt.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File created: C:\Users\user\Uninstall.exe
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File created: C:\Users\user\UnRAR.exe
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File created: C:\Users\user\WinCon32.SFX
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File created: C:\Users\user\7zxa.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File created: C:\Users\user\RarExt32.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File created: C:\Users\user\Zip.SFX
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File created: C:\Users\user\ReadMe.txt
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File created: C:\Users\user\License.txt

Boot Survival

Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File created: C:\Users\user\WinRAR.exe
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File created: C:\Users\user\RarExtInstaller.exe
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File created: C:\Users\user\WinCon.SFX
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File created: C:\Users\user\Zip32.SFX
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File created: C:\Users\user\Default.SFX
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File created: C:\Users\user\Rar.exe
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File created: C:\Users\user\Default32.SFX
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File created: C:\Users\user\RarExt.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File created: C:\Users\user\Uninstall.exe
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File created: C:\Users\user\UnRAR.exe
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File created: C:\Users\user\WinCon32.SFX
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File created: C:\Users\user\7zxa.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File created: C:\Users\user\RarExt32.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe File created: C:\Users\user\Zip.SFX
Source: C:\Users\user\Uninstall.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
Source: C:\Users\user\Uninstall.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR\WinRAR.lnk
Source: C:\Users\user\Uninstall.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR\WinRAR help.lnk
Source: C:\Users\user\Uninstall.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR\Console RAR manual.lnk
Source: C:\Users\user\Uninstall.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR\What is new in the latest version.lnk
Source: C:\Users\user\Uninstall.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
Source: C:\Users\user\Uninstall.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR\WinRAR.lnk
Source: C:\Users\user\Uninstall.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR\WinRAR help.lnk
Source: C:\Users\user\Uninstall.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR\Console RAR manual.lnk
Source: C:\Users\user\Uninstall.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR\What is new in the latest version.lnk
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Memory allocated: 2EA0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Memory allocated: 5FE0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Dropped PE file which has not been started: C:\Users\user\WinRAR.exe
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Dropped PE file which has not been started: C:\Users\user\RarExtInstaller.exe
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Dropped PE file which has not been started: C:\Users\user\WinCon.SFX
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Dropped PE file which has not been started: C:\Users\user\Zip32.SFX
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Dropped PE file which has not been started: C:\Users\user\Default.SFX
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Dropped PE file which has not been started: C:\Users\user\Default32.SFX
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Dropped PE file which has not been started: C:\Users\user\Rar.exe
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Dropped PE file which has not been started: C:\Users\user\RarExt.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Dropped PE file which has not been started: C:\Users\user\UnRAR.exe
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Dropped PE file which has not been started: C:\Users\user\7zxa.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Dropped PE file which has not been started: C:\Users\user\WinCon32.SFX
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Dropped PE file which has not been started: C:\Users\user\RarExt32.dll
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Dropped PE file which has not been started: C:\Users\user\Zip.SFX
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe TID: 3444 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Code function: 0_2_000000013F791F08 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_000000013F791F08
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Code function: 0_2_000000013F7B9B40 FindFirstFileExW, 0_2_000000013F7B9B40
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Code function: 0_2_000000013F7A34D0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW, 0_2_000000013F7A34D0
Source: C:\Users\user\Uninstall.exe Code function: 4_2_000000013FA49B10 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 4_2_000000013FA49B10
Source: C:\Users\user\Uninstall.exe Code function: 4_2_000000013FA66DC0 FindFirstFileExW, 4_2_000000013FA66DC0
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Code function: 0_2_000000013F7A88A0 VirtualQuery,GetSystemInfo, 0_2_000000013F7A88A0
Source: winrar-x64-701(1).exe, 00000000.00000003.383527806.000000000043E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: qEmulateIE8
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Code function: 0_2_000000013F7AFEC8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_000000013F7AFEC8
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Code function: 0_2_000000013F7BB630 GetProcessHeap, 0_2_000000013F7BB630
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Code function: 0_2_000000013F7A9D00 SetUnhandledExceptionFilter,_invalid_parameter_noinfo, 0_2_000000013F7A9D00
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Code function: 0_2_000000013F7A9458 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_000000013F7A9458
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Code function: 0_2_000000013F7AA354 SetUnhandledExceptionFilter, 0_2_000000013F7AA354
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Code function: 0_2_000000013F7AA170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_000000013F7AA170
Source: C:\Users\user\Uninstall.exe Code function: 4_2_000000013FA54E10 SetUnhandledExceptionFilter,_invalid_parameter_noinfo, 4_2_000000013FA54E10
Source: C:\Users\user\Uninstall.exe Code function: 4_2_000000013FA5AE38 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_000000013FA5AE38
Source: C:\Users\user\Uninstall.exe Code function: 4_2_000000013FA55488 SetUnhandledExceptionFilter, 4_2_000000013FA55488
Source: C:\Users\user\Uninstall.exe Code function: 4_2_000000013FA55298 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_000000013FA55298
Source: C:\Users\user\Uninstall.exe Code function: 4_2_000000013FA547F8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_000000013FA547F8
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Code function: 0_2_000000013F7A4930 SetDlgItemTextW,EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,ShowWindow,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,ShowWindow,ShowWindow,SetDlgItemTextW,ShowWindow,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SetDlgItemTextW,DeleteObject,DeleteObject,SendDlgItemMessageW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,SetForegroundWindow,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW, 0_2_000000013F7A4930
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Process created: C:\Users\user\Uninstall.exe "C:\Users\user\uninstall.exe" /setup
Source: winrar-x64-701(1).exe, 00000000.00000003.383302856.0000000006BB0000.00000004.00000020.00020000.00000000.sdmp, WinRAR.exe.0.dr Binary or memory string: %%=%c:%%=%c:EDITtooltips_class32CMDWNDADDCMDWNDOTHERCMDWNDCONVERTCMDWNDFINDCMDWNDBENCHCMDWNDREAD* %sHELPExecArcCmdInterface\CmdWin\%sDoneCMDMODETaskbarCreatedProgmanHELPCmdMode
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Code function: 0_2_000000013F79AEE4 cpuid 0_2_000000013F79AEE4
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Code function: GetLocaleInfoW, 0_2_000000013F7A2954
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Uninstall.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Uninstall.exe Queries volume information: C:\Users\user\WinRAR.exe VolumeInformation
Source: C:\Users\user\Uninstall.exe Queries volume information: C:\Users\user\WinRAR.chm VolumeInformation
Source: C:\Users\user\Uninstall.exe Queries volume information: C:\Users\user\Rar.txt VolumeInformation
Source: C:\Users\user\Uninstall.exe Queries volume information: C:\Users\user\WhatsNew.txt VolumeInformation
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Code function: 0_2_000000013F7A41D0 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize, 0_2_000000013F7A41D0
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Code function: 0_2_000000013F792D64 GetVersionExW, 0_2_000000013F792D64
Source: C:\Users\user\Desktop\winrar-x64-701(1).exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos