[ Process/window information ]
* Creates a window with caption WinRAR \xea\xe3\x8b\x87\xf6 and classname #32770.
* Creates dialog control (static) with id 108 and caption .
* Creates dialog control (static) with id 101 and caption \xee\x07\x87\xf69(&D).
* Creates dialog control (combobox) with id 102 and caption .
* Creates dialog control (button) with id 103 and caption O\xc8(&W)…
* Pressing button with id 1.
* Attempts to (null) C:\WINDOWS\TE.
* Attempts to (null) uharc.exe e file.uha.
* Creates process “uharc.exe”.
[ Signature Scanning ]
* C:\WINDOWS\TEMP\RarSFX0\UHARC.exe (111104 bytes) : no signature detection.
* C:\WINDOWS\TEMP\RarSFX0\file.uha (118440 bytes) : no signature detection.
Malwarebytes detects it as Trojan.Serverstart
SuperAntiSpyware does not detect it
WIN32.EXE -- identity created/updated (New detection Troj/Zegost-R)
Norman
This file is a multi-compressed file. It is first compressed with SFX and after that compressed with the UHARC compressor. The actual compressed file is already detected by Norman. Detection on this archive may lead to FP.
The actual Win32.exe is detected as W32/Packed_NSPack.A.