ID: 41263 Sample Name: wrar550.exe Cookbook: default.jbs Time: 15:29:39 Date: 29/12/2017 Version: 20.0.0 Table of Contents
Table of Contents 2 Analysis Report 4 Overview 4 General Information 4 Detection 4 Confidence 4 Classification 5 Analysis Advice 5 Signature Overview 6 Key, Mouse, Clipboard, Microphone and Screen Capturing: 6 Networking: 6 Boot Survival: 6 Persistence and Installation Behavior: 6 Data Obfuscation: 6 Spreading: 6 System Summary: 6 HIPS / PFW / Operating System Protection Evasion: 7 Anti Debugging: 7 Malware Analysis System Evasion: 7 Hooking and other Techniques for Hiding and Protection: 7 Language, Device and Operating System Detection: 7 Behavior Graph 8 Simulations 8 Behavior and APIs 8 Antivirus Detection 8 Initial Sample 8 Dropped Files 9 Domains 9 Yara Overview 9 Initial Sample 9 PCAP (Network Traffic) 9 Dropped Files 9 Memory Dumps 9 Unpacked PEs 9 Joe Sandbox View / Context 9 IPs 9 Domains 9 ASN 9 Dropped Files 10 Screenshot 10 Startup 10 Created / dropped Files 11 Contacted Domains/Contacted IPs 15 Contacted Domains 15 Contacted IPs 15 Static File Info 16 General 16 File Icon 16 Static PE Info 16 General 16 Authenticode Signature 16 Entrypoint Preview 16 Data Directories 18 Sections 18 Resources 18 Copyright Joe Security LLC 2017 Page 2 of 25 Imports 18 Possible Origin 19 Network Behavior 19 Code Manipulations 19 Statistics 19 Behavior 19 System Behavior 20 Analysis Process: wrar550.exe PID: 3432 Parent PID: 3048 20 General 20 File Activities 20 File Created 20 File Deleted 20 Registry Activities 20 Key Created 20 Key Value Created 20 Analysis Process: Uninstall.exe PID: 3668 Parent PID: 3432 20 General 20 File Activities 21 File Created 21 File Written 21 Registry Activities 21 Key Created 21 Key Value Created 23 Disassembly 25 Code Analysis 25
Copyright Joe Security LLC 2017 Page 3 of 25 Analysis Report
Overview
General Information
Joe Sandbox Version: 20.0.0 Analysis ID: 41263 Start time: 15:29:39 Joe Sandbox Product: CloudBasic Start date: 29.12.2017 Overall analysis duration: 0h 5m 13s Hypervisor based Inspection enabled: false Report type: light Sample file name: wrar550.exe Cookbook file name: default.jbs Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1) Number of analysed new started processes analysed: 6 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies HCA enabled EGA enabled HDC enabled Detection: SUS Classification: sus24.winEXE@3/30@0/0 HCA Information: Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0 EGA Information: Successful, ratio: 100% HDC Information: Successful, ratio: 99.8% (good quality ratio 95.2%) Quality average: 80% Quality standard deviation: 27.2% Cookbook Comments: Found application associated with file extension: .exe Warnings: Show All Exclude process from analysis (whitelisted): WmiApSrv.exe, dllhost.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.
Detection
Strategy Score Range Reporting Detection
Threshold 24 0 - 100 Report FP / FN
Confidence
Strategy Score Range Further Analysis Required? Confidence
Copyright Joe Security LLC 2017 Page 4 of 25 Strategy Score Range Further Analysis Required? Confidence
Threshold 2 0 - 5 true
Classification
Ransomware
Miner Spreading
mmaallliiiccciiioouusss
malicious
Evader Phishing
sssuusssppiiiccciiioouusss
suspicious
cccllleeaann
clean
Exploiter Banker
Spyware Trojan / Bot
Adware
Analysis Advice
Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample searches for specific file, try point organization specific fake files to the analysis machine
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Copyright Joe Security LLC 2017 Page 5 of 25 Signature Overview
• Key, Mouse, Clipboard, Microphone and Screen Capturing • Networking • Boot Survival • Persistence and Installation Behavior • Data Obfuscation • Spreading • System Summary • HIPS / PFW / Operating System Protection Evasion • Anti Debugging • Malware Analysis System Evasion • Hooking and other Techniques for Hiding and Protection • Language, Device and Operating System Detection
Click to jump to signature section
Key, Mouse, Clipboard, Microphone and Screen Capturing:
Creates a window with clipboard capturing capabilities
Networking:
Found strings which match to known social media urls
Urls found in memory or binary data
Social media urls found in memory data
Boot Survival:
Stores files to the Windows start menu directory
Creates an undocumented autostart registry key
Persistence and Installation Behavior:
Creates license or readme file
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Data Obfuscation:
File is packed with WinRar
Uses code obfuscation techniques (call, push, ret)
Spreading:
Contains functionality to enumerate / list files inside a directory
Enumerates the file system
System Summary:
Found GUI installer (many successful clicks)
Found installer window with terms and condition text
Found window with many clickable UI elements (buttons, textforms, scrollbars etc)
Creates a directory in C:\Program Files
Creates a software uninstall entry Copyright Joe Security LLC 2017 Page 6 of 25 Submission file is bigger than most known malware samples
PE file contains a mix of data directories often seen in goodware
Contains modern PE file flags such as dynamic base (ASLR) or NX
PE file contains a debug data directory
Binary contains paths to debug symbols
PE file contains a valid data directory to section mapping
Classification label
Contains functionality to check free disk space
Contains functionality to instantiate COM classes
Creates files inside the program directory
Creates files inside the user directory
PE file has an executable .text section and no other executable section
Reads ini files
Reads software policies
Sample is known by Antivirus (Virustotal or Metascan)
Spawns processes
Uses an in-process (OLE) Automation server
Contains functionality to communicate with device drivers
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Sample file is different than original file name gathered from version info
Sample reads its own file content
Searches for the Microsoft Outlook file path
Tries to load missing DLLs
HIPS / PFW / Operating System Protection Evasion:
May try to detect the Windows Explorer process (often used for injection)
Anti Debugging:
Contains functionality to register its own exception handler
Checks for debuggers (devices)
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Malware Analysis System Evasion:
Contains functionality to enumerate / list files inside a directory
Contains functionality to query system information
Program exit points
Enumerates the file system
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Hooking and other Techniques for Hiding and Protection:
Disables application error messsages (SetErrorMode)
Language, Device and Operating System Detection:
Contains functionality to query local / system time
Copyright Joe Security LLC 2017 Page 7 of 25 Contains functionality to query windows version
Queries the cryptographic machine GUID
Contains functionality locales information (e.g. system language)
Contains functionality to query CPU information (cpuid)
Queries the volume information (name, serial number etc) of a device
Behavior Graph
Hide Legend Behavior Graph Legend:
ID: 41263 Process Signature Sample: wrar550.exe Created File Startdate: 29/12/2017 DNS/IP Info Architecture: WINDOWS Is Dropped Score: 24 Is Windows Process
started Number of created Registry Values
Number of created Files wrar550.exe Visual Basic
Delphi 1 33 Java
dropped dropped dropped dropped .Net C# or VB.NET
C, C++ or other language Dropped files exeeded maximum capacity for this level. Rar.exe, PE32 Uninstall.exe, PE32 UnRAR.exe, PE32 8 dropped files have been hidden. Is malicious
started
Drops files with a non-matching file extension (content does not match file extension)
Uninstall.exe
149 13
Creates an undocumented autostart registry key
Simulations
Behavior and APIs
No simulations
Antivirus Detection
Initial Sample
Copyright Joe Security LLC 2017 Page 8 of 25 Source Detection Cloud Link wrar550.exe 3% virustotal Browse wrar550.exe 3% metadefender Browse
Dropped Files
Source Detection Cloud Link C:\Program Files\WinRAR\7zxa.dll 0% virustotal Browse C:\Program Files\WinRAR\7zxa.dll 0% metadefender Browse C:\Program Files\WinRAR\Default.SFX 1% virustotal Browse C:\Program Files\WinRAR\Rar.exe 0% virustotal Browse C:\Program Files\WinRAR\RarExt.dll 0% virustotal Browse C:\Program Files\WinRAR\RarExt.dll 0% metadefender Browse C:\Program Files\WinRAR\RarExt64.dll 0% virustotal Browse C:\Program Files\WinRAR\RarExt64.dll 0% metadefender Browse C:\Program Files\WinRAR\UNACEV2.DLL 0% virustotal Browse C:\Program Files\WinRAR\UNACEV2.DLL 0% metadefender Browse C:\Program Files\WinRAR\UnRAR.exe 0% virustotal Browse C:\Program Files\WinRAR\UnRAR.exe 0% metadefender Browse
Domains
No Antivirus matches
Yara Overview
Initial Sample
No yara matches
PCAP (Network Traffic)
No yara matches
Dropped Files
No yara matches
Memory Dumps
No yara matches
Unpacked PEs
No yara matches
Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
Copyright Joe Security LLC 2017 Page 9 of 25 No context
Dropped Files
Associated Sample Match Name / URL SHA 256 Detection Link Context C:\Program Files\WinRAR\UNACEV2.DLL wrar540.exe e81baa5c2d2771cbad2d168ecf2 malicious Browse 78f865dc2de38983c6a169d5839 49375ea735 wrar531.exe 60a64ce6ad8a4e4f713cd3f6fa06 malicious Browse e8d4565f79a68c877ad58fbeacf6 94a86a13 wrar540.exe e81baa5c2d2771cbad2d168ecf2 malicious Browse 78f865dc2de38983c6a169d5839 49375ea735
Screenshot
Startup
System is w7 wrar550.exe (PID: 3432 cmdline: 'C:\Users\user\Desktop\wrar550.exe' MD5: 62EAB80792DB53BF945FF0F835790D36) Uninstall.exe (PID: 3668 cmdline: 'C:\Program Files\WinRAR\uninstall.exe' /setup MD5: EAC86E6777CED077336AA5A32CB3565C) cleanup
Copyright Joe Security LLC 2017 Page 10 of 25 Created / dropped Files
C:\Program Files\WinRAR\7zxa.dll File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows MD5: AE27DB1A0E1E2B338C79AF9D74967B7D SHA1: 30F5BC5E12279859043C43A2DBE6A97F57BFEBF8 SHA-256: DBE966226D1DF41C9AB854DA3897C0FA99858D8848DD23470EDB4974F256C2FA SHA-512: F66FC1244078BF1BA259B87F83D92A35226AA99DBB4C253C62443BC71C54DBA155E10B1F781FBBD7C31F48A528821BC58 8DA24D853FDEE17CD75ECF8FCB7E35E Malicious: false Antivirus: Antivirus: virustotal, Detection: 0%, Browse Antivirus: metadefender, Detection: 0%, Browse Reputation: low
C:\Program Files\WinRAR\Default.SFX File Type: PE32 executable (GUI) Intel 80386, for MS Windows MD5: 6E45ECF99DE7C1C9DB437F2E9901C590 SHA1: 6970633E09E1A0982D45330CECCCEAAB82730B4B SHA-256: 68901CC8929C6B1752AD59A5D8D4A7EBB368FEEE08755EEA5615F4828CA343E4 SHA-512: 570939FBB97E3AF96410E61BBAAA0AC08566A6D4E2E0C80E86D365B1C69C4F61746384501E164B8D14DBD6387D1EF6AC C4654EE356F3C3F0737488C7FC72A913 Malicious: true Antivirus: Antivirus: virustotal, Detection: 1%, Browse Reputation: low
C:\Program Files\WinRAR\Descript.ion File Type: ASCII text, with CRLF line terminators MD5: 00108204DCD800042FEF0A27E45A4332 SHA1: 6B01F3F93563C1FD1C2BC087E9D0D01449B7C7DF SHA-256: C1B109BA7C58FD6F3EFF876E35A877A5E13C36F5AC6DD714B5D239F169A8F068 SHA-512: A9ABEC037590CFCAD76961726CB19990628DC9137EAAB47910A628919DB807FBEE1644ACD7FD5094D373D8164E0DF86E 1203B0CF2E948DF7CD1C2764E803080D Malicious: false Reputation: low
C:\Program Files\WinRAR\License.txt File Type: ASCII text, with CRLF line terminators MD5: 672064CF19DB0B083B981CF0BE7662B0 SHA1: C200C77558CA77C044A2C2D794C98F8437FFD2B4 SHA-256: 9FC8AA33CCAFA04C1CE4C0A61047B341297D720ADAB1B77F67B5FE59F43BB59F SHA-512: A016B287B6D1A4320BD5AB5790163F837A28B54D8BCCA56A51DC8B6A50374AACB35C0341D42915CD97D3B135DBF1F3630 87A4631DEB69F82811D41DB2F78A0A8 Malicious: false Reputation: low
C:\Program Files\WinRAR\Order.htm File Type: HTML document, ASCII text, with CRLF line terminators MD5: 5BFBAD2B771C10C15D9A64F46EE72DD6 SHA1: 579A9CA74CD0D1242556F38A5B471F2C28D49889 SHA-256: 1B725FDF19AD3897FC20D3464C2393A1FB53117DC4C945B8C91A2280D7735BED SHA-512: 3543F6F06FE9DD2C442BF4D2704B47AED4AD8AC330061BA52B085BF2176C62D85D457935A7BF02C6D17D3CF3ACD35C61 8433EBBDA579BB2A2B06A81E76B47296 Malicious: false Reputation: low
C:\Program Files\WinRAR\Rar.exe File Type: PE32 executable (console) Intel 80386, for MS Windows MD5: 4567ABA92BA845374580443B56C8F4F6 SHA1: CCE0E924A854B49B43E0445AE2B11F7B6B2584D5 SHA-256: C5678EE1A448B8A5FB437EC637AA1EDCDE1CF423C153FFB62AB8E1244D815E35 SHA-512: 0511260E2B47ECA24B5DD2B89EBB4ADA390ED75624615CEC05C8C8D25407C099555E75B0231E6C5A9423395DEED5777D CB7527CE3BF92F7B81C995FB04DCF4BD Malicious: false Antivirus: Antivirus: virustotal, Detection: 0%, Browse Reputation: low
Copyright Joe Security LLC 2017 Page 11 of 25 C:\Program Files\WinRAR\Rar.txt File Type: ASCII text, with CRLF line terminators MD5: 58853E27CCDE64F9D7F342936C463658 SHA1: 0F62A5623EC68B78DB590BCFB761F7A02019B1B0 SHA-256: 42395A530A8DCC552208D51516063DF96B85E36057A75EEE2B03BBCCEF27C513 SHA-512: EE05BE29AF60BC31E85033AB3CA91F3B34CACBF95D7CA54A59D403A160E0EBCBE243F2D10FA75A29859D41F46619650 E4EB7AA0AA0A5F195EC369D686A0245A3 Malicious: false Reputation: low
C:\Program Files\WinRAR\RarExt.dll File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows MD5: 958C2BF305BD337BB567FD3FEE97757C SHA1: F6C6DE7609AC2A9EAA48FD9DC0F87EE0E3746294 SHA-256: EA604DF80384ED3E2EE7651FBC5A9277A06C80952DA6AD8D059730F1024F90D4 SHA-512: 573E223B8754ED137BC9578985B07D80A427EE274A54593AF1F84E4F051833C0C185D881B0843F2FBD9236F2869AB27E6E F961C53D4BEBA8343C409B6820CBD3 Malicious: false Antivirus: Antivirus: virustotal, Detection: 0%, Browse Antivirus: metadefender, Detection: 0%, Browse Reputation: low
C:\Program Files\WinRAR\RarExt64.dll File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows MD5: B95315FFD66A341B5DABDD6B93D6EB25 SHA1: 8DBDB916805D3057FF356E4D02016B23A2421F56 SHA-256: D1D93093F9109233E9E9FEDC9D61ED2702DF8905B7A3372671D5DC948748FFA6 SHA-512: 443A500D8E2BF2EB4892D9422ADD186FEC5DBA7BF4CA61117E0DA511AF646A29748A3A7AE843CCF2E4817AC135E2A5A 858BC9BE66C46CD7C4217C9703B7BD66A Malicious: false Antivirus: Antivirus: virustotal, Detection: 0%, Browse Antivirus: metadefender, Detection: 0%, Browse Reputation: low
C:\Program Files\WinRAR\RarFiles.lst File Type: ASCII text, with CRLF line terminators MD5: 08EA0309D72A874C182F08CBF9DA2CC3 SHA1: 7CCB8BDAAEE66D512577DCCF66DD3ECC7DAABC60 SHA-256: 12787F8204EEDB0B8BDABF5D68D557334FDDB2D70B46E1422510713DDA5E6A01 SHA-512: 93CCF9A6DB360FADA6507EF8A4A893FD7E7D92178984B99CEE11F22090A9C1293B5367FE25EA8301E317E743F6E987EB4 406AF8EE76073662E2C2F8005E98D51 Malicious: false Reputation: low
C:\Program Files\WinRAR\ReadMe.txt File Type: ASCII text, with CRLF line terminators MD5: 6A697FE386885EA78AB05AD1BD4A96EB SHA1: C07C12AD0F8D39D5D26C708FC132469D5570AADA SHA-256: 25C6C5F336B404579889549B10A45F5E32CE5844A5A5A29075168D460D025BD2 SHA-512: 01A923EBB8BB23AA1F37947AF04B08B424631DFF1003D9CDD63ABE25A8C164D347DE72214A0F8613D600819FA2EB151D9 2A29573AF24BDD05435534BDEE552FA Malicious: false Reputation: low
C:\Program Files\WinRAR\UNACEV2.DLL File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows MD5: DE02C4D04088B69E64ECC30A3D9E22E5 SHA1: A5F66D420B6A6EBB04242FB85CA462A99DBF89B6 SHA-256: C9D28800E740A1569AEC8FE27DF10EF186D883F94CEC15A5C228826B45A24F9D SHA-512: 32B22966ECEC433636F927DC7B27CF782271B36169A9FDD50AA99A4D8CF14496AC3948A3747B7B7680D2D472F6AF714E64 0B05C29194E8F2DB92B21619B09C11 Malicious: false Antivirus: Antivirus: virustotal, Detection: 0%, Browse Antivirus: metadefender, Detection: 0%, Browse Reputation: low
C:\Program Files\WinRAR\UnRAR.exe File Type: PE32 executable (console) Intel 80386, for MS Windows MD5: C57CB8BB5996C484A4001625217E02EC Copyright Joe Security LLC 2017 Page 12 of 25 C:\Program Files\WinRAR\UnRAR.exe SHA1: 45DF6BF65B9E151602E707200D4A56912E459860 SHA-256: BDE482AAB0AD49ABCF46CB0A3D7FD44A2F6E8E649ACF57E66C59085426A86504 SHA-512: 4561B7C0AD65D57A5B1225FD81953C17E590A80DE24141BE463972FDB4D332D3979A73E71D6CC041AAC9B9785815DE36B 06DA335D246D452E2EFD6D690E97DB6 Malicious: false Antivirus: Antivirus: virustotal, Detection: 0%, Browse Antivirus: metadefender, Detection: 0%, Browse Reputation: low
C:\Program Files\WinRAR\Uninstall.exe File Type: PE32 executable (GUI) Intel 80386, for MS Windows MD5: EAC86E6777CED077336AA5A32CB3565C SHA1: C163A21457CF22EF725DED7B7B4364521263315C SHA-256: EB0BA7F588DD28E72F72F0FE08CC9217B2D438AC1A7D3519DBF81D2E54FA8C9D SHA-512: AE9ACF747ABF45453FE9DB5DA5A020E960697024F7E84DD3C40B8110639A407E78A8D78CA7C6C58AD68774AA9C6A3B4B 2FB8AA2A8C3D9DBC93E1088FA7A4499C Malicious: true Reputation: low
C:\Program Files\WinRAR\Uninstall.lst File Type: ASCII text, with CRLF line terminators MD5: DC20A41DD5976945AD2FF6A742BC26DD SHA1: 9A2EE5D73F4CDBE44F136ADAF4CA4A1142082EDC SHA-256: 548291EC78A04CB9B1606858A6913ECCF215C5B57F05E510EC82B4A1BDCFEF8C SHA-512: 2E951B193FF6DC46769F4FA374B4F389D604DBA5ED38D996A402156C616101E066AFC2C3AD3DE32DB4D4F487A8A384B3A 99F7C36B068319BC32D466BB77827D1 Malicious: false Reputation: low
C:\Program Files\WinRAR\WhatsNew.txt File Type: ASCII text, with CRLF line terminators MD5: BB1A87154DB45C9240B9270FF60308A8 SHA1: EA7504754F447C98258641F1199B028600C51942 SHA-256: 2A191C59B4ED6EC7C5D78F51BA0704CFA7B6524C2E184EEF91B18FDFACF7EA0C SHA-512: 45E8D0A1D560F9E00F0F5EA9B314431C9865980F13AC93D4FE6D9A82118EAC5A477C1F15A9F1479D8B74AFA12748EA38C 48E6D8F03428C7FC77D2B0A13AD2561 Malicious: false Reputation: low
C:\Program Files\WinRAR\WinCon.SFX File Type: PE32 executable (console) Intel 80386, for MS Windows MD5: 06A70A222E6B5BE74AF976F3E8CE375B SHA1: 52006DDB950C4B6328974F95867360AD214BAB5B SHA-256: 8C0F6C0A0C23D0AB429DBA116A0D080207E4A6685F82A2B6FD3931E5FC6D457A SHA-512: DBB536C540D648C9B0DA1223C23CB3E57E1C0F7C1A367E8CF38196F1A3792CA1409C30F149655B1ED2FB9548A5C126C1 C8C5B072DA0BD04F1E8B7E1146F8108E Malicious: true Reputation: low
C:\Program Files\WinRAR\WinRAR.chm File Type: MS Windows HtmlHelp Data MD5: 1E7A61E1EF2E8FA4F05F61B872487175 SHA1: 6780CF3A91C4C76B3778C1F2F08A17DF97FD8ED1 SHA-256: 5A50522957DEE36439AB53A0B8B482F4622F1F95DA4A1A5531C49189383A432F SHA-512: 35E0E6D8CDA7E2F89B2BA1658C3AAD433C4122508DD7254168E9BDE6BD769BEB94FFDAA7A03D056774B3257A92C72412 D628D495720ED03B9956DC8C62F3F72D Malicious: false Reputation: low
C:\Program Files\WinRAR\WinRAR.exe File Type: PE32 executable (GUI) Intel 80386, for MS Windows MD5: 10972633D5C179C507EF30FB89D0EEA8 SHA1: 18A5E9E098893CFB3D339EEC58FDB05B914DC596 SHA-256: 6E94553C5F5808BC65B4E9B51CEAA085401E90694AB904B54ACB6C0BDDD10F4C SHA-512: BDE85D218B6D2277159EA728686EDA721E8C0BBBF25555FFDBC5507EC5DF88E244188D66D84EF27E11D9CE52E5FFB92A 1DC599C23CE6D8210CBA946F390195F5 Malicious: false
Copyright Joe Security LLC 2017 Page 13 of 25 C:\Program Files\WinRAR\WinRAR.exe Reputation: low
C:\Program Files\WinRAR\Zip.SFX File Type: PE32 executable (GUI) Intel 80386, for MS Windows MD5: 9E18EF259387E4D5B74EC147F3E2CE44 SHA1: 444B4B0763B4E9A0525F9970EE29D93115359328 SHA-256: 9BF21AA0932D5CAB3800DCC2621EED34B7338F8373A782E22D0E2EF343F45698 SHA-512: CD0599A93EBD9EAFA5EE58074A8AFB0ACDE613845068651B37DB1D305C43E90D2840A74477D78C3332BCC5616802EA634 795186E639B2E1FB81955D68AA34340 Malicious: true Reputation: low
C:\Program Files\WinRAR\rarnew.dat File Type: Archive volume, Commented, Locked, Solid, MD5: C69D0B5902A959577C02E9DCDDA77DE0 SHA1: 6233724F8B3AC18649DC248D1C778E2BCA78A7F2 SHA-256: 4301EC2E9592E7A22262D1C046954545033B73BE322B33A8117D201556C4254B SHA-512: 2E8945172EF567D4AE84D6317EFCE63502A6D9496CAA48B8DC09CF12D1CEEC3E89D033D6D9FCEEBA82F403107D15341B CDB72B4A6F60BA3E6DF4D2A2CB6E48CD Malicious: false Reputation: low
C:\Program Files\WinRAR\zipnew.dat File Type: Zip archive data (empty) MD5: 76CDB2BAD9582D23C1F6F4D868218D6C SHA1: B04F3EE8F5E43FA3B162981B50BB72FE1ACABB33 SHA-256: 8739C76E681F900923B900C9DF0EF75CF421D39CABB54650C4B9AD19B6A76D85 SHA-512: 5E2F959F36B66DF0580A94F384C5FC1CEEEC4B2A3925F062D7B68F21758B86581AC2ADCFDDE73A171A28496E758EF1B23 CA4951C05455CDAE9357CC3B5A5825F Malicious: false Reputation: low
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR\Console RAR manual.lnk File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Archive, ctim e=Fri Dec 29 14:30:52 2017, mtime=Fri Dec 29 14:30:52 2017, atime=Thu Jul 6 09:54:19 2017, length=101987, window=hide MD5: 5275FD9F1E7CAADC706CA0935FDDCA50 SHA1: DE8D68E2AE1F3B25403670A00FAF06F4B7F16E5D SHA-256: 986C82E4ABAFE8D666C63783AB17FE9A7295BE8225498BFA2FD57DDD6AC05234 SHA-512: 82A134E7F9A2E2A9781CE20BB94BA52410EC7E0BCD430C6CFAB3E2EB5703A7DB50C4E90C372D96EC149042AE9DDE03E 960AEC39741DC839A64A93782D87C1668 Malicious: false Reputation: low
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR\What is new in the latest version.lnk File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Archive, ctim e=Fri Dec 29 14:30:52 2017, mtime=Fri Dec 29 14:30:52 2017, atime=Fri Aug 11 13:48:51 2017, length=63945, window=hide MD5: DEB8D0B44FC48B1A867FED154AF39595 SHA1: FC0977C8D4FF4DE5451FABD5D8937DAAE4236D88 SHA-256: 21532401BA99609678F7A57751F17DA4CB56432D6929E1D71209AC68782348A0 SHA-512: F8EC5C340AF391BE5BC677E2194209C736BA6F631F475ACADDAEAE825E870109504300063816FAA493CBC185C58934F0F 7ABE5B34C28A63667F4A23B227C2279 Malicious: false Reputation: low
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR\WinRAR help.lnk File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Archive, ctim e=Fri Dec 29 14:30:52 2017, mtime=Fri Dec 29 14:30:52 2017, atime=Fri Aug 11 13:54:23 2017, length=310448, window=hide MD5: E635E6ACB18EE4A4B04FFE08093A1DA9 SHA1: A4418499A5E2E5FA3D4286C89A27719AE1036AAA SHA-256: 04FCF483B7545625F96336C3269D91CE067C2AD800EA2C4520DCA2B4424B22D3 SHA-512: 66059DCDAC6D04A3DA0A71AAD0364604D665BE30A367464745F4CE1F74DC1C09BF887A2C4696CE1D610D7C36FF0ED3C8 97943439D44062485575B8C093E21413 Malicious: false Reputation: low
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR\WinRAR.lnk File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Archive, ctim e=Fri Dec 29 14:30:52 2017, mtime=Fri Dec 29 14:30:52 2017, atime=Fri Aug 11 13:54:30 2017, length=1521880, window=hide
Copyright Joe Security LLC 2017 Page 14 of 25 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR\WinRAR.lnk MD5: F7B0C3397863E0640FDA7770CA18B5F2 SHA1: 452F4A8EB938CE7DB498BCC3050B56CE3CF8A236 SHA-256: EF55E3C486851EBF29B475E5D1BD2B704BA1D8E149DACE1107E17D7E9A03643F SHA-512: 594186490201856DA158ABB18051DB63D821DC9874621E8AA7792B83D94C64594A053A9F1582D99F7821BE46EB43BC86E0 C2D3EC7EC77CD5F6BCFC6F0E9DC30D Malicious: false Reputation: low
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR\Console RAR manual.lnk File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Archive, ctim e=Fri Dec 29 14:30:52 2017, mtime=Fri Dec 29 14:30:52 2017, atime=Thu Jul 6 09:54:19 2017, length=101987, window=hide MD5: B3BCF4CADA744DDC180DC170E7EE952C SHA1: 1C5E375C71E13CBFD692AFC5F3513B4B5585F818 SHA-256: 4101DBF6E51A77E0FC678782F8863ED51D7D262D12F6375F025F63F3A901A638 SHA-512: 2B1E7AB8F79A1E5ED6A0B7D51809C60C4EE121BB6FB533E90A725DB0C8D86DC8E1466D8C1AA029535C31383C66818C7F ACC378E968AD64B39B75FB2095FB23D7 Malicious: false Reputation: low
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR\What is new in the latest version.lnk File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Archive, ctim e=Fri Dec 29 14:30:52 2017, mtime=Fri Dec 29 14:30:52 2017, atime=Fri Aug 11 13:48:51 2017, length=63945, window=hide MD5: DD74ED4BDCCB0D8D5C02FAA86A1D1418 SHA1: 8EF768AEACD333A504264F4DF341566F6E741A2D SHA-256: EACB549CCF11B0D8DB0D7951F144750A5DC6F03F6C2CB8CBDCEA04AC0D615B19 SHA-512: A2F6AFE5693CEA6BE9A705D944F08F3B18C5332E7B15884DA42BA01BE4283DFC07865196214249D308E3970374ECBE6FF 89D41B2F4B348EF94B100B78E4EC5DE Malicious: false Reputation: low
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR\WinRAR help.lnk File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Archive, ctim e=Fri Dec 29 14:30:52 2017, mtime=Fri Dec 29 14:30:52 2017, atime=Fri Aug 11 13:54:23 2017, length=310448, window=hide MD5: DC5F3CFCCD9898EB965732DDFAAE3B14 SHA1: 755EF0926753FE00374E2824265AA03D056D6FD3 SHA-256: E624A60AC9FB17F9E2FB1EECE151F04ADA48A80B43EB9D73E8791B4F30A40270 SHA-512: D625E097077B0248474FBBE1E7A6A72EEF9C27AEAFC2DB2421F461E662E6B48B22D02F5753E85A8EC1D0347B96CE9158 25574211885D4D663AC64F9FC2BEEF70 Malicious: false Reputation: low
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR\WinRAR.lnk File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Archive, ctim e=Fri Dec 29 14:30:52 2017, mtime=Fri Dec 29 14:30:52 2017, atime=Fri Aug 11 13:54:30 2017, length=1521880, window=hide MD5: C9925478B1BC3C9FD9A41186283E72EA SHA1: 9A8EFB689BC24A5676ECF9F576EAC6CBBCECCF05 SHA-256: E61893867CAAC5DB609A258B2934C4B434EAF1D1B60787D06EF86DEB2185C6AB SHA-512: BFDBDAAD6327EFF3A6375C3A3B794FCC49C34D3F85325D475157031F669159AEA966B78DEF243C00306D9745013C9CB68 B9768811B4AF0CF040B6B686ADCA331 Malicious: false Reputation: low
Contacted Domains/Contacted IPs
Contacted Domains
No contacted domains info
Contacted IPs
No contacted IP infos
Copyright Joe Security LLC 2017 Page 15 of 25 Static File Info
General
File type: PE32 executable (GUI) Intel 80386, for MS Windows TrID: Win32 Executable (generic) a (10002005/4) 99.94% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Java Script embedded in Visual Basic Script (1500/0) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00% File name: wrar550.exe File size: 1997168 MD5: 62eab80792db53bf945ff0f835790d36 SHA1: a827d89e1aa13177d97bbd378774fdabfbfa7592 SHA256: 48f67be806b4e823280f03ee5512ffd58deb6f37ecc80842 265d4e8d2ca30055 SHA512: 11cbfbd918ee82a3baf9a3027c4ebace021ccfe8b5d0ef8 5071ba6dd1bb1d7e9b404af310862965e267edbf366f069 4ae8c059d51ae5c4940c645c07d770d4cb File Content Preview: MZ...... @...... !..L.!Th is program cannot be run in DOS mode....$...... 1..`_Z.` _Z.`_Z...Z.`_Z...Z1`_Z...Z.`_Z.>\[.`_Z.>[[.`_Z.>Z[.`_Z...Z.` _Z...Z.`_Z.`^Z@`_Z->Z[.`_Z->_[.`_Z(>.Z.`_Z->][.`_ZRich. `_
File Icon
Static PE Info
General Entrypoint: 0x41c869 Entrypoint Section: .text Digitally signed: true Imagebase: 0x400000 Subsystem: windows gui Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT Time Stamp: 0x598DB709 [Fri Aug 11 13:54:17 2017 UTC] TLS Callbacks: CLR (.Net) Version: OS Version Major: 5 OS Version Minor: 1 File Version Major: 5 File Version Minor: 1 Subsystem Version Major: 5 Subsystem Version Minor: 1 Import Hash: 027ea80e8125c6dda271246922d4c3b0
Authenticode Signature
Signature Valid: true Signature Issuer: CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB Signature Validation Error: The operation completed successfully Error Number: 0 Not Before, Not After 6/2/2017 2:00:00 AM 6/2/2020 1:59:59 AM Subject Chain CN=win.rar GmbH, O=win.rar GmbH, STREET=Marienstrasse 12, L=Berlin, S=Berlin, PostalCode=10117, C=DE Version: 3 Thumbprint: CA0CE78818E27A35FA76F8857A1A163EF3679729 Serial: 529E3F9FCF7D58D520D607AB74395002
Entrypoint Preview
Copyright Joe Security LLC 2017 Page 16 of 25 Instruction call 00007F778C9DB29Fh jmp 00007F778C9DAC93h cmp ecx, dword ptr [004391B8h] jne 00007F778C9DAE05h ret jmp 00007F778C9DB418h and dword ptr [ecx+04h], 00000000h mov eax, ecx and dword ptr [ecx+08h], 00000000h mov dword ptr [ecx+04h], 0042FF60h mov dword ptr [ecx], 004308E4h ret push ebp mov ebp, esp push esi push dword ptr [ebp+08h] mov esi, ecx call 00007F778C9CEBDFh mov dword ptr [esi], 004308F0h mov eax, esi pop esi pop ebp retn 0004h and dword ptr [ecx+04h], 00000000h mov eax, ecx and dword ptr [ecx+08h], 00000000h mov dword ptr [ecx+04h], 004308F8h mov dword ptr [ecx], 004308F0h ret lea eax, dword ptr [ecx+04h] mov dword ptr [ecx], 004308D8h push eax call 00007F778C9DDFBEh pop ecx ret push ebp mov ebp, esp push esi mov esi, ecx lea eax, dword ptr [esi+04h] mov dword ptr [esi], 004308D8h push eax call 00007F778C9DDFA7h test byte ptr [ebp+08h], 00000001h pop ecx je 00007F778C9DAE0Ch push 0000000Ch push esi call 00007F778C9DA3EDh pop ecx pop ecx mov eax, esi pop esi pop ebp retn 0004h push ebp mov ebp, esp sub esp, 0Ch lea ecx, dword ptr [ebp-0Ch] call 00007F778C9DAD6Eh push 00436AD4h lea eax, dword ptr [ebp-0Ch] push eax call 00007F778C9DD6A6h
Copyright Joe Security LLC 2017 Page 17 of 25 Data Directories
Name Virtual Address Virtual Size Is in Section IMAGE_DIRECTORY_ENTRY_EXPORT 0x37ba0 0x34 .rdata IMAGE_DIRECTORY_ENTRY_IMPORT 0x37bd4 0x28 .rdata IMAGE_DIRECTORY_ENTRY_RESOURCE 0x5a000 0x68a0 .rsrc IMAGE_DIRECTORY_ENTRY_EXCEPTION 0x0 0x0 IMAGE_DIRECTORY_ENTRY_SECURITY 0x1e4498 0x34d8 IMAGE_DIRECTORY_ENTRY_BASERELOC 0x61000 0x1f0c .reloc IMAGE_DIRECTORY_ENTRY_DEBUG 0x35e30 0x54 .rdata IMAGE_DIRECTORY_ENTRY_COPYRIGHT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_GLOBALPTR 0x0 0x0 IMAGE_DIRECTORY_ENTRY_TLS 0x0 0x0 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 0x30878 0x40 .rdata IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_IAT 0x2f000 0x21c .rdata IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 0x371ac 0x100 .rdata IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x0 0x0 IMAGE_DIRECTORY_ENTRY_RESERVED 0x0 0x0
Sections
Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics .text 0x1000 0x2db7a 0x2dc00 False 0.591055114413 data 6.7082220846 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ .rdata 0x2f000 0x9800 0x9800 False 0.460963199013 data 5.15041222066 IMAGE_SCN_CNT_INITIALIZED_DA TA, IMAGE_SCN_MEM_READ .data 0x39000 0x1f278 0xc00 False 0.274739583333 data 3.19714578646 IMAGE_SCN_CNT_INITIALIZED_DA TA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ .gfids 0x59000 0xe8 0x200 False 0.337890625 data 2.12007811523 IMAGE_SCN_CNT_INITIALIZED_DA TA, IMAGE_SCN_MEM_READ .rsrc 0x5a000 0x68a0 0x6a00 False 0.637382075472 data 6.62086365035 IMAGE_SCN_CNT_INITIALIZED_DA TA, IMAGE_SCN_MEM_READ .reloc 0x61000 0x1f0c 0x2000 False 0.782104492188 data 6.6164493428 IMAGE_SCN_CNT_INITIALIZED_DA TA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources
Name RVA Size Type Language Country RT_BITMAP 0x5b730 0x36b0 data English United States RT_ICON 0x5a4d0 0x8a8 data English United States RT_ICON 0x5ad78 0x568 GLS_BINARY_LSB_FIRST English United States RT_ICON 0x5b2e0 0x2e8 data English United States RT_ICON 0x5b5c8 0x128 GLS_BINARY_LSB_FIRST English United States RT_DIALOG 0x5f5d8 0xdc data English United States RT_DIALOG 0x5f4a8 0x12e data English United States RT_DIALOG 0x5f170 0x338 data English United States RT_DIALOG 0x5ede0 0x38a data English United States RT_STRING 0x5fe08 0x178 data English United States RT_STRING 0x5ff80 0x1b4 data English United States RT_STRING 0x60138 0x1b2 data English United States RT_STRING 0x602f0 0x146 Hitachi SH big-endian COFF object, not stripped English United States RT_STRING 0x60438 0x1d6 data English United States RT_STRING 0x60610 0xd6 data English United States RT_STRING 0x606e8 0x9a data English United States RT_STRING 0x60788 0x3a data English United States RT_STRING 0x607c8 0xd6 data English United States RT_GROUP_ICON 0x5b6f0 0x3e MS Windows icon resource - 4 icons, 32x32, 256- English United States colors RT_MANIFEST 0x5f6b8 0x750 XML document text English United States
Imports
DLL Import
Copyright Joe Security LLC 2017 Page 18 of 25 DLL Import KERNEL32.dll GetLastError, SetLastError, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, GetTickCount, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, SetStdHandle, HeapSize, GetConsoleCP, GetConsoleMode, SetFilePointerEx, DecodePointer
Possible Origin
Language of compilation system Country where language is spoken Map
English United States
Network Behavior
No network behavior found
Code Manipulations
Statistics
Behavior
• wrar550.exe • Uninstall.exe
Click to jump to process
Copyright Joe Security LLC 2017 Page 19 of 25 System Behavior
Analysis Process: wrar550.exe PID: 3432 Parent PID: 3048
General
Start time: 15:30:45 Start date: 29/12/2017 Path: C:\Users\user\Desktop\wrar550.exe Wow64 process (32bit): false Commandline: 'C:\Users\user\Desktop\wrar550.exe' Imagebase: 0x76a30000 File size: 1997168 bytes MD5 hash: 62EAB80792DB53BF945FF0F835790D36 Programmed in: C, C++ or other language Reputation: low
File Activities
File Created
Source File Path Access Attributes Options Completion Count Address Symbol C:\Program Files read data or list normal directory file and object name collision 1 1329959 CreateDirectoryW directory and synchronous io synchronize non alert and open for backup ident and open reparse point C:\Program Files\WinRAR read data or list normal directory file and success or wait 1 1329959 CreateDirectoryW directory and synchronous io synchronize non alert and open for backup ident and open reparse point
File Deleted
Source File Path Completion Count Address Symbol C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_357133 success or wait 1 1329869 DeleteFileW
Source File Path Offset Length Value Ascii Completion Count Address Symbol
Registry Activities
Key Created
Source Key Path Completion Count Address Symbol HKEY_USERS\Software\WinRAR SFX success or wait 1 133AFA4 RegCreateKeyExW
Key Value Created
Source Key Path Name Type Data Completion Count Address Symbol HKEY_USERS\Software\WinRAR SFX C%%Program unicode C:\Program Files\WinRAR success or wait 1 133AFCF RegSetValueExW Files%WinRAR
Analysis Process: Uninstall.exe PID: 3668 Parent PID: 3432
General
Copyright Joe Security LLC 2017 Page 20 of 25 Start time: 15:30:52 Start date: 29/12/2017 Path: C:\Program Files\WinRAR\Uninstall.exe Wow64 process (32bit): false Commandline: 'C:\Program Files\WinRAR\uninstall.exe' /setup Imagebase: 0x74ed0000 File size: 203480 bytes MD5 hash: EAC86E6777CED077336AA5A32CB3565C Programmed in: C, C++ or other language Reputation: low
File Activities
File Created
Source File Path Access Attributes Options Completion Count Address Symbol C:\Program Files\WinRAR\rarnew.dat read attributes normal synchronous io success or wait 1 879546 CreateFileW and synchroniz non alert and n e and generic on directory file write C:\Program Files\WinRAR\zipnew.dat read attributes normal synchronous io success or wait 1 879546 CreateFileW and synchroniz non alert and n e and generic on directory file write C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\P read data or list normal directory file and success or wait 1 8626FD CreateDirectoryW rograms\WinRAR directory and synchronous io synchronize non alert and open for backup ident and open reparse point C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR read data or list normal directory file and success or wait 1 8628C8 CreateDirectoryW directory and synchronous io synchronize non alert and open for backup ident and open reparse point
File Written
Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files\WinRAR\rarnew.dat unknown 24 52 61 72 21 1a 07 01 Rar!...... _V.....wVQ.... success or wait 1 8739C1 WriteFile 00 c1 df 5f 56 03 01 04 00 1d 77 56 51 03 05 04 00 C:\Program Files\WinRAR\zipnew.dat unknown 22 50 4b 05 06 00 00 00 PK...... success or wait 1 8739C1 WriteFile 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Registry Activities
Key Created
Source Key Path Completion Count Address Symbol HKEY_USERS\Software\WinRAR success or wait 1 8674BB RegCreateKeyExW HKEY_USERS\Software\WinRAR\Setup success or wait 1 8674BB RegCreateKeyExW HKEY_USERS\Software\WinRAR\Setup\.rar success or wait 1 8674BB RegCreateKeyExW HKEY_USERS\Software\WinRAR\Setup\.zip success or wait 1 8674BB RegCreateKeyExW HKEY_USERS\Software\WinRAR\Setup\.cab success or wait 1 8674BB RegCreateKeyExW HKEY_USERS\Software\WinRAR\Setup\.arj success or wait 1 8674BB RegCreateKeyExW HKEY_USERS\Software\WinRAR\Setup\.lz success or wait 1 8674BB RegCreateKeyExW HKEY_USERS\Software\WinRAR\Setup\.lzh success or wait 1 8674BB RegCreateKeyExW HKEY_USERS\Software\WinRAR\Setup\.ace success or wait 1 8674BB RegCreateKeyExW HKEY_USERS\Software\WinRAR\Setup\.7z success or wait 1 8674BB RegCreateKeyExW HKEY_USERS\Software\WinRAR\Setup\.tar success or wait 1 8674BB RegCreateKeyExW HKEY_USERS\Software\WinRAR\Setup\.gz success or wait 1 8674BB RegCreateKeyExW HKEY_USERS\Software\WinRAR\Setup\.uue success or wait 1 8674BB RegCreateKeyExW HKEY_USERS\Software\WinRAR\Setup\.bz2 success or wait 1 8674BB RegCreateKeyExW
Copyright Joe Security LLC 2017 Page 21 of 25 Source Key Path Completion Count Address Symbol HKEY_USERS\Software\WinRAR\Setup\.jar success or wait 1 8674BB RegCreateKeyExW HKEY_USERS\Software\WinRAR\Setup\.iso success or wait 1 8674BB RegCreateKeyExW HKEY_USERS\Software\WinRAR\Setup\.z success or wait 1 8674BB RegCreateKeyExW HKEY_USERS\Software\WinRAR\Setup\.xz success or wait 1 8674BB RegCreateKeyExW HKEY_USERS\Software\WinRAR\Setup\.zipx success or wait 1 8674BB RegCreateKeyExW HKEY_USERS\Software\WinRAR\Setup\.001 success or wait 1 8674BB RegCreateKeyExW HKEY_USERS\Software\WinRAR\Setup\Links success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\WinRAR.exe success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\Software\WinRAR success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA} success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32 success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR\shellex success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906- success or wait 1 8674BB RegCreateKeyExW E49FADC173CA} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906- success or wait 1 8674BB RegCreateKeyExW E49FADC173CA} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.ZIP success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906- success or wait 1 8674BB RegCreateKeyExW E49FADC173CA} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906- success or wait 1 8674BB RegCreateKeyExW E49FADC173CA} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906- success or wait 1 8674BB RegCreateKeyExW E49FADC173CA} HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\Software\WinRAR\Capabilities success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\Software\WinRAR\Capabilities\FileAssociations success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.rar success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r00 success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r01 success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r02 success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r03 success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r04 success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r05 success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r06 success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r07 success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r08 success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r09 success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r10 success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r11 success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r12 success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r13 success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r14 success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r15 success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r16 success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r17 success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r18 success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r19 success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r20 success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r21 success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r22 success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r23 success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r24 success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r25 success or wait 1 8674BB RegCreateKeyExW Copyright Joe Security LLC 2017 Page 22 of 25 Source Key Path Completion Count Address Symbol HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r26 success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r27 success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r28 success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.r29 success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.rar\ShellNew success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.zip\ShellNew success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.arj success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lz success or wait 1 8674BB RegCreateKeyExW HKEY_USERS\Software\WinRAR\Setup\.tlz success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.tlz success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lzh success or wait 1 8674BB RegCreateKeyExW HKEY_USERS\Software\WinRAR\Setup\.lha success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.lha success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ace success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.7z success or wait 1 8674BB RegCreateKeyExW HKEY_USERS\Software\WinRAR\Setup\.tgz success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.uue success or wait 1 8674BB RegCreateKeyExW HKEY_USERS\Software\WinRAR\Setup\.xxe success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xxe success or wait 1 8674BB RegCreateKeyExW HKEY_USERS\Software\WinRAR\Setup\.uu success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.uu success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bz2 success or wait 1 8674BB RegCreateKeyExW HKEY_USERS\Software\WinRAR\Setup\.tbz2 success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.tbz2 success or wait 1 8674BB RegCreateKeyExW HKEY_USERS\Software\WinRAR\Setup\.bz success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bz success or wait 1 8674BB RegCreateKeyExW HKEY_USERS\Software\WinRAR\Setup\.tbz success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.tbz success or wait 1 8674BB RegCreateKeyExW HKEY_USERS\Software\WinRAR\Setup\.taz success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.taz success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xz success or wait 1 8674BB RegCreateKeyExW HKEY_USERS\Software\WinRAR\Setup\.txz success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.txz success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.zipx success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.001 success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR\shell success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR\shell\open success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.rev success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.REV success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.REV\shell success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon success or wait 1 8674BB RegCreateKeyExW HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinRAR archiver success or wait 1 8674BB RegCreateKeyExW
Key Value Created
Source Key Path Name Type Data Completion Count Address Symbol HKEY_USERS\Software\WinRAR\Setup\.rar Set dword 1 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.zip Set dword 1 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.cab Set dword 1 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.arj Set dword 1 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.lz Set dword 1 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.lzh Set dword 1 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.ace Set dword 1 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.7z Set dword 1 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.tar Set dword 1 success or wait 1 867C28 RegSetValueExW Copyright Joe Security LLC 2017 Page 23 of 25 Source Key Path Name Type Data Completion Count Address Symbol HKEY_USERS\Software\WinRAR\Setup\.gz Set dword 1 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.uue Set dword 1 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.bz2 Set dword 1 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.jar Set dword 0 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.iso Set dword 0 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.z Set dword 1 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.xz Set dword 1 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.zipx Set dword 1 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.001 Set dword 1 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\Links Desktop dword 0 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\Links StartMenu dword 0 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\Links Programs dword 1 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup ShellExt dword 1 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup CascadedMenu dword 0 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup MenuIcons dword 1 success or wait 1 867C28 RegSetValueExW HKEY_LOCAL_MACHINE\SOFTWARE\Wi .rar unicode WinRAR success or wait 1 867BB5 RegSetValueExW nRAR\Capabilities\FileAssociations HKEY_LOCAL_MACHINE\SOFTWARE\Wi .zip unicode WinRAR.ZIP success or wait 1 867BB5 RegSetValueExW nRAR\Capabilities\FileAssociations HKEY_LOCAL_MACHINE\SOFTWARE\Wi .cab unicode WinRAR success or wait 1 867BB5 RegSetValueExW nRAR\Capabilities\FileAssociations HKEY_LOCAL_MACHINE\SOFTWARE\Wi .arj unicode WinRAR success or wait 1 867BB5 RegSetValueExW nRAR\Capabilities\FileAssociations HKEY_LOCAL_MACHINE\SOFTWARE\Wi .lz unicode WinRAR success or wait 1 867BB5 RegSetValueExW nRAR\Capabilities\FileAssociations HKEY_LOCAL_MACHINE\SOFTWARE\Wi .tlz unicode WinRAR success or wait 1 867BB5 RegSetValueExW nRAR\Capabilities\FileAssociations HKEY_LOCAL_MACHINE\SOFTWARE\Wi .lzh unicode WinRAR success or wait 1 867BB5 RegSetValueExW nRAR\Capabilities\FileAssociations HKEY_LOCAL_MACHINE\SOFTWARE\Wi .lha unicode WinRAR success or wait 1 867BB5 RegSetValueExW nRAR\Capabilities\FileAssociations HKEY_LOCAL_MACHINE\SOFTWARE\Wi .ace unicode WinRAR success or wait 1 867BB5 RegSetValueExW nRAR\Capabilities\FileAssociations HKEY_LOCAL_MACHINE\SOFTWARE\Wi .7z unicode WinRAR success or wait 1 867BB5 RegSetValueExW nRAR\Capabilities\FileAssociations HKEY_LOCAL_MACHINE\SOFTWARE\Wi .tar unicode WinRAR success or wait 1 867BB5 RegSetValueExW nRAR\Capabilities\FileAssociations HKEY_LOCAL_MACHINE\SOFTWARE\Wi .gz unicode WinRAR success or wait 1 867BB5 RegSetValueExW nRAR\Capabilities\FileAssociations HKEY_LOCAL_MACHINE\SOFTWARE\Wi .tgz unicode WinRAR success or wait 1 867BB5 RegSetValueExW nRAR\Capabilities\FileAssociations HKEY_LOCAL_MACHINE\SOFTWARE\Wi .uue unicode WinRAR success or wait 1 867BB5 RegSetValueExW nRAR\Capabilities\FileAssociations HKEY_LOCAL_MACHINE\SOFTWARE\Wi .xxe unicode WinRAR success or wait 1 867BB5 RegSetValueExW nRAR\Capabilities\FileAssociations HKEY_LOCAL_MACHINE\SOFTWARE\Wi .uu unicode WinRAR success or wait 1 867BB5 RegSetValueExW nRAR\Capabilities\FileAssociations HKEY_LOCAL_MACHINE\SOFTWARE\Wi .bz2 unicode WinRAR success or wait 1 867BB5 RegSetValueExW nRAR\Capabilities\FileAssociations HKEY_LOCAL_MACHINE\SOFTWARE\Wi .tbz2 unicode WinRAR success or wait 1 867BB5 RegSetValueExW nRAR\Capabilities\FileAssociations HKEY_LOCAL_MACHINE\SOFTWARE\Wi .bz unicode WinRAR success or wait 1 867BB5 RegSetValueExW nRAR\Capabilities\FileAssociations HKEY_LOCAL_MACHINE\SOFTWARE\Wi .tbz unicode WinRAR success or wait 1 867BB5 RegSetValueExW nRAR\Capabilities\FileAssociations HKEY_LOCAL_MACHINE\SOFTWARE\Wi .jar unicode WinRAR success or wait 1 867BB5 RegSetValueExW nRAR\Capabilities\FileAssociations HKEY_LOCAL_MACHINE\SOFTWARE\Wi .iso unicode WinRAR success or wait 1 867BB5 RegSetValueExW nRAR\Capabilities\FileAssociations HKEY_LOCAL_MACHINE\SOFTWARE\Wi .z unicode WinRAR success or wait 1 867BB5 RegSetValueExW nRAR\Capabilities\FileAssociations HKEY_LOCAL_MACHINE\SOFTWARE\Wi .taz unicode WinRAR success or wait 1 867BB5 RegSetValueExW nRAR\Capabilities\FileAssociations HKEY_LOCAL_MACHINE\SOFTWARE\Wi .xz unicode WinRAR success or wait 1 867BB5 RegSetValueExW nRAR\Capabilities\FileAssociations HKEY_LOCAL_MACHINE\SOFTWARE\Wi .txz unicode WinRAR success or wait 1 867BB5 RegSetValueExW nRAR\Capabilities\FileAssociations HKEY_LOCAL_MACHINE\SOFTWARE\Wi .zipx unicode WinRAR success or wait 1 867BB5 RegSetValueExW nRAR\Capabilities\FileAssociations HKEY_LOCAL_MACHINE\SOFTWARE\Wi .001 unicode WinRAR success or wait 1 867BB5 RegSetValueExW nRAR\Capabilities\FileAssociations
Copyright Joe Security LLC 2017 Page 24 of 25 Source Key Path Name Type Data Completion Count Address Symbol HKEY_USERS\Software\WinRAR\Setup\.rar Exist dword 0 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.zip Exist dword 1 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.cab Exist dword 1 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.arj Exist dword 0 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.lz Exist dword 0 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.tlz Exist dword 0 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.lzh Exist dword 0 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.lha Exist dword 0 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.ace Exist dword 0 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.7z Exist dword 0 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.tar Exist dword 1 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.gz Exist dword 1 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.tgz Exist dword 1 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.uue Exist dword 0 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.xxe Exist dword 0 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.uu Exist dword 0 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.bz2 Exist dword 0 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.tbz2 Exist dword 0 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.bz Exist dword 0 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.tbz Exist dword 0 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.z Exist dword 1 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.taz Exist dword 0 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.xz Exist dword 0 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.txz Exist dword 0 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.zipx Exist dword 0 success or wait 1 867C28 RegSetValueExW HKEY_USERS\Software\WinRAR\Setup\.001 Exist dword 0 success or wait 1 867C28 RegSetValueExW HKEY_LOCAL_MACHINE\SOFTWARE\Mi VersionMajor dword 5 success or wait 1 867C28 RegSetValueExW crosoft\Windows\CurrentVersion\Uninstall\WinRAR archiver HKEY_LOCAL_MACHINE\SOFTWARE\Mi VersionMinor dword 50 success or wait 1 867C28 RegSetValueExW crosoft\Windows\CurrentVersion\Uninstall\WinRAR archiver HKEY_LOCAL_MACHINE\SOFTWARE\Mi NoModify dword 1 success or wait 1 867C28 RegSetValueExW crosoft\Windows\CurrentVersion\Uninstall\WinRAR archiver HKEY_LOCAL_MACHINE\SOFTWARE\Mi NoRepair dword 1 success or wait 1 867C28 RegSetValueExW crosoft\Windows\CurrentVersion\Uninstall\WinRAR archiver HKEY_LOCAL_MACHINE\SOFTWARE\Mi Language dword 0 success or wait 1 867C28 RegSetValueExW crosoft\Windows\CurrentVersion\Uninstall\WinRAR archiver
Source Key Path Name Type Old Data New Data Completion Count Address Symbol
Disassembly
Code Analysis
Copyright Joe Security LLC 2017 Page 25 of 25