File name: SWUpdaterSetup.exe.zip
Full analysis: https://app.any.run/tasks/c24750e8-22cc-453f-b3e9-2f71699babcb
Verdict: Malicious activity
Analysis date: April 20, 2021, 13:21:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 35A8428702B610F07CDB3D7EA6DCD09A
SHA1: 9C2AB526D579AF7E263728A8E99E10F8643D922F
SHA256: 1B018C05E31982E0BEFCB5E479A9EDDB17E59A4526291892592CDFF44A5116CA
SSDEEP: 24576:iPcrqUrXCWd1VbUtTTPH9rjwDerk9MSV13ZZSXyOygGSV:e6vd3bGT7drMrpZSiOESV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • SWUpdaterSetup.exe (PID: 2188)
    • Drops executable file immediately after start
      • SWUpdaterSetup.exe (PID: 2188)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 1704)
      • SWUpdaterSetup.exe (PID: 2188)
    • Drops a file that was compiled in debug mode
      • WinRAR.exe (PID: 1704)
      • SWUpdaterSetup.exe (PID: 2188)
    • Drops a file with a compile date too recent
      • SWUpdaterSetup.exe (PID: 2188)
      • WinRAR.exe (PID: 1704)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: SWUpdaterSetup.exe
ZipUncompressedSize: 912232
ZipCompressedSize: 840058
ZipCRC: 0xcfb05aa4
ZipModifyDate: 2021:04:19 13:10:16
ZipCompression: Deflated
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
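The EXIF block above is the archive's single central-directory entry read back: ZipRequiredVersion 20 is the "v2.0 to extract" in the file info line, ZipCompression Deflated is compression method 8, and ZipBitFlag 0x0009 has bit 0 (traditional PKWARE encryption, i.e. a password-protected entry) and bit 3 (CRC and sizes stored in a trailing data descriptor) set. A password-protected archive is consistent with WinRAR writing its Interface\ShowPassword value in the registry events further down. The following is an added example, not ANY.RUN's or Wavesor's code, that walks a ZIP central directory with struct and decodes the bit flag; the archive it builds (build_demo_zip) is constructed, with a fake PE stub and the report's modify date, and decode_zip_flags is applied directly to the report's 0x0009.

```python
"""Parse a ZIP central directory and decode the general-purpose bit flag.

Added example for the ZIP metadata above; not ANY.RUN's or Wavesor's code.
The archive built by build_demo_zip() is constructed (a fake PE stub), so
its hashes and CRC differ from the report's; only the layout is the same.
"""
import io
import struct
import zipfile
import zlib
from dataclasses import dataclass
from datetime import datetime

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDH_SIG = b"PK\x01\x02"    # central directory file header

# General-purpose bit flag (APPNOTE 4.4.4); bits 1-2 qualify the Deflate level.
FLAG_BITS = {
    0: "encrypted",         # traditional PKWARE (ZipCrypto), or AES when method is 99
    3: "data_descriptor",   # CRC/sizes follow the data (streamed writer)
    5: "patched_data",
    6: "strong_encryption",
    11: "utf8_names",
}


def decode_zip_flags(flag: int) -> dict:
    out = {name: bool(flag & (1 << bit)) for bit, name in FLAG_BITS.items()}
    out["deflate_level"] = ("normal", "maximum", "fast", "super_fast")[(flag >> 1) & 3]
    return out


def dos_datetime(mdate: int, mtime: int) -> datetime:
    """MS-DOS packed date/time as stored in ZIP headers (2-second resolution)."""
    return datetime(1980 + (mdate >> 9), (mdate >> 5) & 0xF, mdate & 0x1F,
                    mtime >> 11, (mtime >> 5) & 0x3F, (mtime & 0x1F) * 2)


@dataclass
class Entry:
    name: str
    version_needed: int
    flag: int
    method: int
    mtime: datetime
    crc32: int
    compressed_size: int
    uncompressed_size: int


def central_directory(data: bytes) -> list:
    """Walk the central directory (the authoritative index), not the local headers."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: sig(4) disk(2) cd_disk(2) entries_disk(2) entries(2) size(4) offset(4)
    count, cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    entries, pos = [], cd_offset
    for _ in range(count):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError(f"bad central directory header at offset {pos}")
        (_made, needed, flag, method, mtime, mdate, crc, csize, usize,
         name_len, extra_len, comment_len) = struct.unpack_from("<HHHHHHIIIHHH", data, pos + 4)
        raw_name = data[pos + 46:pos + 46 + name_len]
        name = raw_name.decode("utf-8" if flag & (1 << 11) else "cp437")
        entries.append(Entry(name, needed, flag, method, dos_datetime(mdate, mtime), crc, csize, usize))
        pos += 46 + name_len + extra_len + comment_len
    if pos - cd_offset != cd_size:
        raise ValueError("central directory size does not match the EOCD record")
    return entries


def verify_crc(data: bytes, entry: Entry) -> bool:
    """Inflate the entry and check it against the CRC the central directory claims."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return zlib.crc32(z.read(entry.name)) & 0xFFFFFFFF == entry.crc32


def build_demo_zip() -> bytes:
    """Constructed sample: one deflated entry carrying the report's modify date."""
    info = zipfile.ZipInfo("demo-installer.exe", date_time=(2021, 4, 19, 13, 10, 16))
    info.compress_type = zipfile.ZIP_DEFLATED
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(info, b"MZ" + b"\x00" * 4096)   # fake PE stub, constructed
    return buf.getvalue()


if __name__ == "__main__":
    blob = build_demo_zip()
    for e in central_directory(blob):
        print(e.name, e.method, hex(e.crc32), e.mtime, decode_zip_flags(e.flag), verify_crc(blob, e))
    print("report flag 0x0009 ->", decode_zip_flags(0x0009))
```

Reading the central directory rather than the local headers matters for triage: the two can disagree in crafted archives, and extractors differ in which one they trust.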
Total processes: 37
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

WinRAR.exe (PID 1704) --drop and start--> SWUpdaterSetup.exe (PID 2188)

Process information

PID: 1704
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SWUpdaterSetup.exe.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules (images):
  c:\program files\winrar\winrar.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\comdlg32.dll

PID: 2188
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb1704.25660\SWUpdaterSetup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb1704.25660\SWUpdaterSetup.exe
Parent process: WinRAR.exe
User: admin
Company: Wavesor Software
Integrity Level: MEDIUM
Description: Wavesor SWUpdater Setup
Exit code: 2147747664
Version: 1.3.107.0
Modules (images):
  c:\users\admin\appdata\local\temp\rar$exb1704.25660\swupdatersetup.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\shlwapi.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
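WinRAR exited with 0, while the setup process returned 2147747664, which is 0x80040750. Exit codes of that size are almost always HRESULTs: the severity bit is set (failure), the facility is 4 (FACILITY_ITF) and the code is 0x0750. ITF codes are defined by the component that returns them, so the value says the installer failed but not why; that no persistent install location and no registry write by PID 2188 appear anywhere in this report is consistent with an installation that did not complete. Two practitioner caveats belong here as well: Company, Description and Version are read from the PE version resource and are whatever the publisher wrote, and the "debug mode" and "compile date too recent" indicators are build-metadata heuristics that a freshly built legitimate installer also triggers, so they carry little weight on their own. The decoder below is an added example, not ANY.RUN's or Wavesor's code; the facility names are the standard ones from winerror.h, and 0x80070005 is included only as a constructed contrast case.

```python
"""Decode a Windows process exit code that is really an HRESULT.

Added example for the exit code above (2147747664); not ANY.RUN's or
Wavesor's code. Facility numbers and names follow the HRESULT layout in
winerror.h; only the common facilities are listed.
"""
FACILITIES = {
    0: "NULL", 1: "RPC", 2: "DISPATCH", 3: "STORAGE", 4: "ITF",
    7: "WIN32", 8: "WINDOWS", 9: "SECURITY", 10: "CONTROL", 11: "CERT", 12: "INTERNET",
}


def decode_hresult(exit_code: int) -> dict:
    """Split a 32-bit HRESULT into severity, N/C bits, facility and code."""
    hr = exit_code & 0xFFFFFFFF          # exit codes may surface as negative ints
    facility = (hr >> 16) & 0x7FF        # 11-bit facility field
    return {
        "hex": f"0x{hr:08X}",
        "failed": bool(hr & 0x80000000),      # S bit
        "customer": bool(hr & 0x20000000),    # C bit: vendor-defined code
        "ntstatus": bool(hr & 0x10000000),    # N bit: mapped from an NTSTATUS
        "facility": facility,
        "facility_name": FACILITIES.get(facility, f"unknown({facility})"),
        "code": hr & 0xFFFF,
    }


def describe_exit_code(exit_code: int) -> str:
    """Tell a plain exit status apart from an HRESULT and explain the latter."""
    if exit_code == 0:
        return "exit 0: success"
    d = decode_hresult(exit_code)
    if not d["failed"]:
        # small positive values are application-defined statuses, not HRESULTs
        return f"exit {exit_code}: application-defined status"
    if d["facility"] == 7:
        return f"{d['hex']}: Win32 error {d['code']} wrapped by HRESULT_FROM_WIN32"
    if d["facility"] == 4:
        return (f"{d['hex']}: failure, FACILITY_ITF code 0x{d['code']:04X}; "
                "the meaning is defined by the application, not by Windows")
    return f"{d['hex']}: failure, facility {d['facility_name']} code 0x{d['code']:04X}"


if __name__ == "__main__":
    for code in (0, 2147747664, 0x80070005):   # 0x80070005 is a constructed contrast case
        print(code, "->", describe_exit_code(code))
```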
Total events: 438
Read events: 424
Write events: 14
Delete events: 0

Modification events

PID | Process | Operation | Key | Name | Value
1704 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | (empty)
1704 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | (empty)
1704 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E | LanguageList | en-US
1704 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E | @C:\Windows\system32\NetworkExplorer.dll,-1 | Network
1704 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\SWUpdaterSetup.exe.zip
1704 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
1704 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
1704 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
1704 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
1704 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface | ShowPassword | 0
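Every write recorded here comes from WinRAR (PID 1704) and is UI state: theme and column-width settings, the shell's MuiCache strings, and ArcHistory, which records the archive the user opened and is a forensic artifact of the analyst's action rather than sample behaviour. The setup process wrote nothing to the registry. A triage script that separates such application state from persistence locations is the check a practitioner wants before accepting the "Malicious" verdict; the one below is an added example, not ANY.RUN's code. EVENTS re-enters the ten writes above in a pipe-separated one-line-per-event layout; its last line is a constructed persistence write by a hypothetical process (example.exe, PID 9999) that was not observed in this run and is included only as a contrast case.

```python
"""Classify registry writes from a sandbox run: persistence vs. application UI state.

Added example; not ANY.RUN's code. EVENTS re-enters the ten writes recorded
above; the last line (example.exe, PID 9999) is CONSTRUCTED and was not
observed in this run. It is there only as a contrast case.
"""
import re
from collections import Counter
from dataclasses import dataclass

EVENTS = r"""
1704 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | (empty)
1704 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | (empty)
1704 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E | LanguageList | en-US
1704 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E | @C:\Windows\system32\NetworkExplorer.dll,-1 | Network
1704 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\SWUpdaterSetup.exe.zip
1704 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
1704 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
1704 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
1704 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
1704 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface | ShowPassword | 0
9999 | example.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | Updater | C:\Users\admin\AppData\Local\Temp\example.exe
"""

# Keys whose writes establish execution at logon/boot or hijack loading (case-insensitive).
PERSISTENCE_PATTERNS = [
    r"\\CurrentVersion\\Run(Once|Services)?$",
    r"\\CurrentVersion\\Policies\\Explorer\\Run$",
    r"\\CurrentVersion\\Winlogon$",
    r"\\CurrentVersion\\Image File Execution Options\\",
    r"\\CurrentControlSet\\Services\\",
    r"\\Classes\\CLSID\\.*\\InprocServer32$",
    r"\\Windows NT\\CurrentVersion\\Windows$",   # AppInit_DLLs lives here
]
# Application and shell state that an interactive session produces on its own.
UI_STATE_PATTERNS = [r"\\Software\\WinRAR\\", r"\\MuiCache\\"]


@dataclass
class RegEvent:
    pid: int
    process: str
    operation: str
    key: str
    name: str
    value: str


def parse_events(text: str) -> list:
    """One event per line: pid | process | operation | key | name | value."""
    events = []
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split(" | ")]
        if len(parts) != 6:
            raise ValueError(f"unexpected layout: {line!r}")
        pid, proc, op, key, name, value = parts
        events.append(RegEvent(int(pid), proc, op, key, name, "" if value == "(empty)" else value))
    return events


def classify(ev: RegEvent) -> str:
    if ev.operation.lower() != "write":
        return "read"
    if any(re.search(p, ev.key, re.IGNORECASE) for p in PERSISTENCE_PATTERNS):
        return "persistence"
    if any(re.search(p, ev.key, re.IGNORECASE) for p in UI_STATE_PATTERNS):
        return "app_ui_state"
    return "other_write"


def summarize(text: str) -> dict:
    return dict(Counter(classify(e) for e in parse_events(text)))


def persistence_writes(text: str) -> list:
    """(process, key, name, value) for every write that would survive a reboot."""
    return [(e.process, e.key, e.name, e.value) for e in parse_events(text) if classify(e) == "persistence"]


if __name__ == "__main__":
    print(summarize(EVENTS))
    for hit in persistence_writes(EVENTS):
        print("PERSISTENCE:", hit)
```

The ArcHistory entry is still worth keeping in a timeline: it shows which archive path the analyst opened and when, which is how the sample entered the run.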
Executable files: 15
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID 2188, SWUpdaterSetup.exe: C:\Users\admin\AppData\Local\Temp\GUTF47B.tmp (type and hashes not recorded)
PID 1704, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$EXb1704.25660\SWUpdaterSetup.exe (executable)
  MD5: E529F52C4F81CB54154351390EED5CE6
  SHA256: 4DDF0408908E7D9FB15F2AD9063EFAA5371AE5FFAE6BCACF1D2CB7C4C636D947
PID 2188, SWUpdaterSetup.exe: C:\Users\admin\AppData\Local\Temp\GUMF47A.tmp\SWUpdater.exe (executable)
  MD5: A5E345518E6817F72C9B409915741689
  SHA256: 1B259D8CA9BB4579FEB56748082A32239A433CEA619C09F827FD6DF805707F37
PID 2188, SWUpdaterSetup.exe: C:\Users\admin\AppData\Local\Temp\GUMF47A.tmp\SWUpdaterCrashHandler.exe (executable)
  MD5: 0166450A90D5DFEE981059DF6A5FEE06
  SHA256: D2BFD10EC7D26548E54E7649E388A8FDC2F3C4714BDE28A2E751B2905E7C5E0D
PID 2188, SWUpdaterSetup.exe: C:\Users\admin\AppData\Local\Temp\GUMF47A.tmp\SWUpdaterSetup.exe (executable)
  MD5: E529F52C4F81CB54154351390EED5CE6
  SHA256: 4DDF0408908E7D9FB15F2AD9063EFAA5371AE5FFAE6BCACF1D2CB7C4C636D947
PID 2188, SWUpdaterSetup.exe: C:\Users\admin\AppData\Local\Temp\GUMF47A.tmp\psmachine.dll (executable)
  MD5: 58C1234BA4B59F88A76B8F7B37295748
  SHA256: 8AEDD7F006845A63D382B1B86DCA921931AD8E7A813B3ADE92AC193377D0D171
PID 2188, SWUpdaterSetup.exe: C:\Users\admin\AppData\Local\Temp\GUMF47A.tmp\SWUpdaterBroker.exe (executable)
  MD5: 503A0CB9637DD685AEACBD219EC778D1
  SHA256: 6634888AD7FF974888C8F6DE1D5FE82BFFFE70FB02A21886EF3CF8AF6FABCDC6
PID 2188, SWUpdaterSetup.exe: C:\Users\admin\AppData\Local\Temp\GUMF47A.tmp\SWUpdaterComRegisterShell64.exe (executable)
  MD5: B6AC081FFACBEE5F49E120F1443E3B26
  SHA256: BF27695A23C59ACC6602CBA85A0F2B7639FD4924D7AB25B42F44A7C63283869A
PID 2188, SWUpdaterSetup.exe: C:\Users\admin\AppData\Local\Temp\GUMF47A.tmp\SWUpdaterOnDemand.exe (executable)
  MD5: 1D35414DDF16972137822372937F8719
  SHA256: ED8226E9DC79049E69F970E46DADC9EA912C606DC3B51A4EDE5EC1A17599A808
PID 2188, SWUpdaterSetup.exe: C:\Users\admin\AppData\Local\Temp\GUMF47A.tmp\psuser.dll (executable)
  MD5: C55AC99DD5FD370D519F3B00811933A9
  SHA256: E4CA4C9ACB3B2C9827380ACAE2714538719D433AE9813A2A91A07C24D2CA6577
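Two things in this table are easy to miss when reading it by eye: the installer WinRAR extracted (MD5 E529..., SHA256 4DDF...) reappears unchanged inside GUMF47A.tmp, so the setup copies itself into its own extraction directory, and every hashed drop sits under the user's %TEMP%, with nothing written to Program Files, ProgramData or a startup location. Only ten of the fifteen counted executable files are listed on this page. The component set (a Broker, OnDemand, ComRegisterShell64 and CrashHandler executable beside psmachine.dll and psuser.dll) mirrors the layout of the open-source Omaha updater framework, which is context a reviewer of the heuristic verdict will want. The script below is an added example, not ANY.RUN's code: DROPPED transcribes the table above (blank fields where the report recorded none), and the bytes hashed in the verify_local_copy demo are constructed.

```python
"""De-duplicate the dropped-file records by hash and check where they landed.

Added example; not ANY.RUN's code. DROPPED is transcribed from the table
above as (pid, process, path, type, md5, sha256), blank where the report
recorded nothing. The bytes hashed in the demo at the bottom are constructed.
"""
import hashlib
from collections import defaultdict

T = r"C:\Users\admin\AppData\Local\Temp"
DROPPED = [
    (2188, "SWUpdaterSetup.exe", T + r"\GUTF47B.tmp", "", "", ""),
    (1704, "WinRAR.exe", T + r"\Rar$EXb1704.25660\SWUpdaterSetup.exe", "executable",
     "E529F52C4F81CB54154351390EED5CE6", "4DDF0408908E7D9FB15F2AD9063EFAA5371AE5FFAE6BCACF1D2CB7C4C636D947"),
    (2188, "SWUpdaterSetup.exe", T + r"\GUMF47A.tmp\SWUpdater.exe", "executable",
     "A5E345518E6817F72C9B409915741689", "1B259D8CA9BB4579FEB56748082A32239A433CEA619C09F827FD6DF805707F37"),
    (2188, "SWUpdaterSetup.exe", T + r"\GUMF47A.tmp\SWUpdaterCrashHandler.exe", "executable",
     "0166450A90D5DFEE981059DF6A5FEE06", "D2BFD10EC7D26548E54E7649E388A8FDC2F3C4714BDE28A2E751B2905E7C5E0D"),
    (2188, "SWUpdaterSetup.exe", T + r"\GUMF47A.tmp\SWUpdaterSetup.exe", "executable",
     "E529F52C4F81CB54154351390EED5CE6", "4DDF0408908E7D9FB15F2AD9063EFAA5371AE5FFAE6BCACF1D2CB7C4C636D947"),
    (2188, "SWUpdaterSetup.exe", T + r"\GUMF47A.tmp\psmachine.dll", "executable",
     "58C1234BA4B59F88A76B8F7B37295748", "8AEDD7F006845A63D382B1B86DCA921931AD8E7A813B3ADE92AC193377D0D171"),
    (2188, "SWUpdaterSetup.exe", T + r"\GUMF47A.tmp\SWUpdaterBroker.exe", "executable",
     "503A0CB9637DD685AEACBD219EC778D1", "6634888AD7FF974888C8F6DE1D5FE82BFFFE70FB02A21886EF3CF8AF6FABCDC6"),
    (2188, "SWUpdaterSetup.exe", T + r"\GUMF47A.tmp\SWUpdaterComRegisterShell64.exe", "executable",
     "B6AC081FFACBEE5F49E120F1443E3B26", "BF27695A23C59ACC6602CBA85A0F2B7639FD4924D7AB25B42F44A7C63283869A"),
    (2188, "SWUpdaterSetup.exe", T + r"\GUMF47A.tmp\SWUpdaterOnDemand.exe", "executable",
     "1D35414DDF16972137822372937F8719", "ED8226E9DC79049E69F970E46DADC9EA912C606DC3B51A4EDE5EC1A17599A808"),
    (2188, "SWUpdaterSetup.exe", T + r"\GUMF47A.tmp\psuser.dll", "executable",
     "C55AC99DD5FD370D519F3B00811933A9", "E4CA4C9ACB3B2C9827380ACAE2714538719D433AE9813A2A91A07C24D2CA6577"),
]


def group_by_sha256(records):
    """sha256 -> [(pid, process, path)] for every record that carries a hash."""
    groups = defaultdict(list)
    for pid, proc, path, _ftype, _md5, sha256 in records:
        if sha256:
            groups[sha256.upper()].append((pid, proc, path))
    return dict(groups)


def self_copies(records):
    """The same binary written to more than one path (here: the installer copying itself)."""
    return {h: v for h, v in group_by_sha256(records).items() if len(v) > 1}


def unique_binaries(records):
    """One representative path per distinct binary: the set worth pulling for static analysis."""
    return sorted((v[0][2], h) for h, v in group_by_sha256(records).items())


def unhashed(records):
    """Records the sandbox listed without a hash; they need a second look in the full report."""
    return [r[2] for r in records if not r[5]]


def outside_temp(records):
    """Drops that landed anywhere other than the user's %TEMP%: candidates for persistence."""
    return [r[2] for r in records if "\\appdata\\local\\temp\\" not in r[2].lower()]


def verify_local_copy(data: bytes, expected_sha256: str) -> bool:
    """Confirm a retrieved sample matches the hash the report recorded."""
    return hashlib.sha256(data).hexdigest().upper() == expected_sha256.upper()


if __name__ == "__main__":
    for h, where in self_copies(DROPPED).items():
        print("same binary at", len(where), "paths:", h, [w[2] for w in where])
    print(len(unique_binaries(DROPPED)), "distinct binaries;", "unhashed:", unhashed(DROPPED))
    print("outside %TEMP%:", outside_temp(DROPPED))
    print(verify_local_copy(b"constructed sample bytes", DROPPED[1][5]))   # False: not the real file
```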
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

IP: 192.168.100.151:137
Domain: (none)
ASN: (none)
CN: (none)
Reputation: malicious
PID / Process: (not recorded)
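The single connection goes to 192.168.100.151 on port 137, i.e. NetBIOS name service on a private RFC 1918 address. A private address cannot be an Internet command-and-control endpoint and carries no reputation of its own, so the "malicious" label above should not be exported as a threat indicator; on a LAN, NBNS on port 137 is ordinary name resolution, and the only internal question worth asking of private-range connections is whether they hit lateral-movement ports. The triage routine below is an added example, not ANY.RUN's code; the endpoints other than 192.168.100.151:137 used in its main block and test are constructed contrast cases.

```python
"""Triage a sandbox connection record before it is exported as an indicator.

Added example for the connection above; not ANY.RUN's code. Every endpoint
other than 192.168.100.151:137 below is a constructed contrast case.
"""
import ipaddress

# Ports whose traffic inside a LAN is routine name resolution / discovery.
DISCOVERY_PORTS = {53: "DNS", 67: "DHCP", 68: "DHCP", 137: "NetBIOS name service (NBNS)",
                   138: "NetBIOS datagram", 1900: "SSDP", 5353: "mDNS", 5355: "LLMNR"}
# Ports that matter on a private address because they carry remote execution or file access.
LATERAL_PORTS = {135: "RPC endpoint mapper", 139: "NetBIOS session", 445: "SMB",
                 3389: "RDP", 5985: "WinRM", 5986: "WinRM/TLS"}


def address_scope(ip) -> str:
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    if ip.is_private:
        return "private"
    return "global" if ip.is_global else "reserved"


def triage_endpoint(endpoint: str, reputation: str = "unknown") -> dict:
    """Decide whether an 'ip:port' from a sandbox report belongs in a threat feed."""
    host, _, port_s = endpoint.rpartition(":")     # also accepts "[v6]:port"
    ip = ipaddress.ip_address(host.strip("[]"))
    port = int(port_s) if port_s else None
    scope = address_scope(ip)
    service = DISCOVERY_PORTS.get(port) or LATERAL_PORTS.get(port) or "unknown"
    if scope == "global":
        verdict = "candidate_ioc" if reputation == "malicious" else "review"
    elif port in DISCOVERY_PORTS:
        verdict = "lan_noise"                 # name resolution inside the sandbox network
    elif port in LATERAL_PORTS:
        verdict = "lateral_movement_check"    # private, but the port carries execution/file access
    else:
        verdict = "internal_review"
    return {
        "ip": str(ip), "port": port, "scope": scope, "service": service,
        "reputation": reputation, "verdict": verdict,
        # a reputation label on a non-global address is meaningless, so never export those
        "export": verdict == "candidate_ioc",
    }


if __name__ == "__main__":
    for ep, rep in (("192.168.100.151:137", "malicious"),   # the report's connection
                    ("192.168.100.151:445", "unknown"),     # constructed contrast case
                    ("1.2.3.4:443", "malicious")):          # constructed contrast case
        print(ep, "->", triage_endpoint(ep, rep))
```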

DNS requests

No data

Threats

No threats detected
No debug info