Windows Analysis Report
Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Overview

General Information

Sample name:	Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Analysis ID:	1438600
MD5:	b543ca28c1fc8be534a8a701a0a96964
SHA1:	df7680b5721f14631bd12aa7511171e5dd36e2e9
SHA256:	bdb793b89f3ac3487cac8d5333d12ce2969c22de97941eab01a2c55b9f97b4f9
Infos:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Checks for available system drives (often done to infect USB drives)

Creates a process in suspended mode (likely to inject code)

Drops PE files

File is packed with WinRar

Found dropped PE file which has not been started or loaded

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Classification

Signatures

Uses 32bit PE files

Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:
Source: C:\Windows\System32\msiexec.exe	File opened: x:
Source: C:\Windows\System32\msiexec.exe	File opened: v:
Source: C:\Windows\System32\msiexec.exe	File opened: t:
Source: C:\Windows\System32\msiexec.exe	File opened: r:
Source: C:\Windows\System32\msiexec.exe	File opened: p:
Source: C:\Windows\System32\msiexec.exe	File opened: n:
Source: C:\Windows\System32\msiexec.exe	File opened: l:
Source: C:\Windows\System32\msiexec.exe	File opened: j:
Source: C:\Windows\System32\msiexec.exe	File opened: h:
Source: C:\Windows\System32\msiexec.exe	File opened: f:
Source: C:\Windows\System32\msiexec.exe	File opened: b:
Source: C:\Windows\System32\msiexec.exe	File opened: y:
Source: C:\Windows\System32\msiexec.exe	File opened: w:
Source: C:\Windows\System32\msiexec.exe	File opened: u:
Source: C:\Windows\System32\msiexec.exe	File opened: s:
Source: C:\Windows\System32\msiexec.exe	File opened: q:
Source: C:\Windows\System32\msiexec.exe	File opened: o:
Source: C:\Windows\System32\msiexec.exe	File opened: m:
Source: C:\Windows\System32\msiexec.exe	File opened: k:
Source: C:\Windows\System32\msiexec.exe	File opened: i:
Source: C:\Windows\System32\msiexec.exe	File opened: g:
Source: C:\Windows\System32\msiexec.exe	File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:

Uses 32bit PE files

Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: clean3.winEXE@8/8@0/0

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0

Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

File read: C:\Windows\win.ini

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

File read: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Source: unknown	Process created: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe "C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe"
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe" /w
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Process created: C:\Windows\SysWOW64\msiexec.exe MSIEXEC.EXE /i "C:\Users\user\AppData\Local\Temp\RarSFX0\Lakes Environmental WRPLOT View - Freeware V.8.0.2.msi" SETUPEXEDIR="C:\Users\user\AppData\Local\Temp\RarSFX0" SETUPEXENAME="setup.exe"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F87BDED09FA11A60C7FEB9A0B8A11B7C C
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe" /w
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Process created: C:\Windows\SysWOW64\msiexec.exe MSIEXEC.EXE /i "C:\Users\user\AppData\Local\Temp\RarSFX0\Lakes Environmental WRPLOT View - Freeware V.8.0.2.msi" SETUPEXEDIR="C:\Users\user\AppData\Local\Temp\RarSFX0" SETUPEXENAME="setup.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F87BDED09FA11A60C7FEB9A0B8A11B7C C

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: sfc.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: riched32.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: slc.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msihnd.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: oleacc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

File written: C:\Users\user\AppData\Local\Temp\RarSFX0\0x0409.ini

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Window found: window name: RichEdit

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

File opened: C:\Windows\SysWOW64\riched32.dll

Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Static file information: File size 21640831 > 1048576

Source: Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

File is packed with WinRar

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_5079359

Drops PE files

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\instmsiw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\instmsia.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI9A55.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\instmsiw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\instmsia.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI9A55.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe" /w

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation

Screenshots

Network Map

⊘No contacted IP infos

ID:	1438600
Product:	CloudBasic
Start time:	21:59:55
Start date:	08.05.2024
Sample:	Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	b543ca28c1fc8be534a8a701a0a96964
SHA1:	df7680b5721f14631bd12aa7511171e5dd36e2e9
SHA256:	bdb793b89f3ac3487cac8d5333d12ce2969c22de97941eab01a2c55b9f97b4f9
Filetype:	Win32 Executable (generic) a (10002005/4) 96.68%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\MSI9A55.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	30C906DDC7AEE8899414F98FE9034132	171F5D3379779EE165B4EF614638B75CF44F29A8	2AC85D37DCACE83FE72F960BAC4BA4DFCAC65DED2242C63261D227C9A7A22E4D
C:\Users\user\AppData\Local\Temp\RarSFX0\0x0409.ini	Unicode text, UTF-16, little-endian text, with CRLF line terminators	758747727E96A23C7C5A5BBB011656E4	51CC637E7EB3451D6DFA9465D949D6DFB2CD65C9	BAD3B2E854149DF9413F06E6C1C7B7C875545393877F59B59907F6B083CE5825
C:\Users\user\AppData\Local\Temp\RarSFX0\Data1.cab	Microsoft Cabinet archive data, many, 14538947 bytes, 19 files, at 0x5c +A "_05552B74CCDE077E19276A4B56E61CF6", iFolder 0x1 +A "_B05A2AB076DDA62641C63DBF405CBA38", 7 cffolders, ID 1111, number 1, 105 datablocks, 0x1 compression	D798790881E6663275B0DEB78C5E1389	6B2A904076565024122722EA6B91A525995F8BC3	30EC64EABACC6112DE2643E277F1660FC47EE5CEF3DC2F739E8137F63B66AC72
C:\Users\user\AppData\Local\Temp\RarSFX0\Lakes Environmental WRPLOT View - Freeware V.8.0.2.MSI	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Author: InstallShield Software Corporation, Keywords: Installer,MSI,Database, Comments: Contact: Your local administrator, Template: Intel;1033, Last Saved By: InstallShield, Revision Number: {79A894FC-A5C1-4F47-BD8C-296A0B8F9A34}, Last Printed: Wed Mar 21 11:30:00 2018, Create Time/Date: Wed Mar 21 11:30:00 2018, Last Saved Time/Date: Wed Mar 21 11:30:00 2018, Number of Pages: 200, Number of Words: 0, Number of Characters: 0, Name of Creating Application: InstallShield 2009 - Express Edition 15, Security: 1	B876CC0991FC55A4C7CC5B9B48BDBA86	9D3A8891AE4578C86523663B6D6326E9CF08206E	668D4EA8050A6FC3B6165F23D489615F8ADED2B50BE376B0B3FF5E4414705116
C:\Users\user\AppData\Local\Temp\RarSFX0\Setup.ini	Generic INItialization configuration [Startup]	497073452F115176668260571049BC75	EC94F04B9F31F5D5C08AA501E8D8CAE7D956A2B3	261DFAC64E66DD36740DEA1464C70146225C38B9B31C67713652D90D3DF4E0F2
C:\Users\user\AppData\Local\Temp\RarSFX0\instmsia.exe	PE32 executable (GUI) Intel 80386, for MS Windows, MS CAB-Installer self-extracting archive	43F7305C2E5DD4A8F3C5ABEB2FFE4833	03BDA624AB7F0D7CB9ADA41A960C35C0152F98FD	267304EFCC831E35927C1F25D610D36FB64121D108A6F4FF0168C53DF01E2B16
C:\Users\user\AppData\Local\Temp\RarSFX0\instmsiw.exe	PE32 executable (GUI) Intel 80386, for MS Windows, MS CAB-Installer self-extracting archive	61A5FB191AE2AE876DB31DCCE75E4183	751669C38B666C7435B2A65A5C6FE40435D59AAA	B93FDCD1136FAA9A8CB73A329B2F1F5F430A150DDCEC35DE916E3A1539F09351
C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	PE32 executable (GUI) Intel 80386, for MS Windows	3CBE75E9FCC9FA789A84FF883867CD90	6D46C9922839ADACB2CFEF7332D82F3D5DB67047	59B670AA56C597DD5206A71C00431688B51D54473B7CD5321B62C8BB5C80EDD6

Windows Analysis Report
Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Spreading

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Network Map

Windows Analysis Report Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Spreading

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Network Map

Windows Analysis Report
Lakes_Environmental_WRPLOT_View_Freeware_V.8.0.2.exe