Sample: winhex.zip

Full analysis: https://app.any.run/tasks/b28c930e-b72c-463b-8759-45dda4603da5
Verdict: Malicious activity
Analysis date: May 17, 2019, 15:21:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 61A9A0C13391476C5F23C456F86BFBA9
SHA1: F670EAC27209A469BD836B00921FDC51631B021F
SHA256: 5077181BE75D19FED2F2F8E55B7D50A603F9C561FCD9C55BF6141F0DDEB364D6
SSDEEP: 49152:N0KRPwJnykbmiFFt5U6HpUB6ihqGhJ3e4Aoz/OjgX/QF90bNnYdwfyShrz:NxRoxyNiFFt5JHCk0qGhZZOsINyyw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Dokan.exe (PID: 4024)
      • Dokan.exe (PID: 3252)
      • dokanctl.exe (PID: 3044)
      • dokanctl.exe (PID: 2464)
      • mounter.exe (PID: 2936)
      • dokanctl.exe (PID: 2480)
      • dokanctl.exe (PID: 2628)
      • dokanctl.exe (PID: 2816)
      • dokanctl.exe (PID: 1424)
      • dokanctl.exe (PID: 3920)
      • mounter.exe (PID: 3960)
    • Loads dropped or rewritten executable

      • Dokan.exe (PID: 3252)
      • dokanctl.exe (PID: 3044)
      • dokanctl.exe (PID: 2464)
      • dokanctl.exe (PID: 2628)
      • dokanctl.exe (PID: 1424)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3984)
      • Dokan.exe (PID: 3252)
    • Creates files in the Windows directory

      • Dokan.exe (PID: 3252)
    • Creates files in the driver directory

      • Dokan.exe (PID: 3252)
    • Creates files in the program directory

      • Dokan.exe (PID: 3252)
    • Creates a software uninstall entry

      • Dokan.exe (PID: 3252)
  • INFO

    No info indicators.
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2019:04:08 19:08:01
ZipCRC: 0xdefcb594
ZipCompressedSize: 619
ZipUncompressedSize: 1217
ZipFileName: Boot Sector FAT.tpl
No data.
All screenshots are available in the full report
Total processes: 63
Monitored processes: 14
Malicious processes: 1
Suspicious processes: 2


Process information

PID
CMD
Path
Indicators
Parent process
PID: 1012
CMD: "C:\Windows\system32\cmd.exe"
Path: C:\Windows\system32\cmd.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1424
CMD: "C:\Program Files\Dokan\DokanLibrary\dokanctl.exe"
Path: C:\Program Files\Dokan\DokanLibrary\dokanctl.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
4294967295
Modules
Images
c:\program files\dokan\dokanlibrary\dokanctl.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\dokan.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120.dll
PID: 2440
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2464
CMD: "C:\Program Files\Dokan\DokanLibrary\dokanctl.exe" /i n
Path: C:\Program Files\Dokan\DokanLibrary\dokanctl.exe
Parent process: Dokan.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\dokan\dokanlibrary\dokanctl.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\dokan.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120.dll
PID: 2480
CMD: "C:\Program Files\Dokan\DokanLibrary\dokanctl.exe"
Path: C:\Program Files\Dokan\DokanLibrary\dokanctl.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\program files\dokan\dokanlibrary\dokanctl.exe
c:\systemroot\system32\ntdll.dll
PID: 2628
CMD: "C:\Program Files\Dokan\DokanLibrary\dokanctl.exe"
Path: C:\Program Files\Dokan\DokanLibrary\dokanctl.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
4294967295
Modules
Images
c:\program files\dokan\dokanlibrary\dokanctl.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\dokan.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120.dll
PID: 2816
CMD: dokanctl.exe
Path: c:\Program Files\Dokan\DokanLibrary\dokanctl.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\program files\dokan\dokanlibrary\dokanctl.exe
c:\systemroot\system32\ntdll.dll
PID: 2936
CMD: "C:\Program Files\Dokan\DokanLibrary\mounter.exe"
Path: C:\Program Files\Dokan\DokanLibrary\mounter.exe
Parent process: services.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Exit code:
0
Modules
Images
c:\program files\dokan\dokanlibrary\mounter.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120.dll
PID: 3044
CMD: "C:\Program Files\Dokan\DokanLibrary\dokanctl.exe" /i a
Path: C:\Program Files\Dokan\DokanLibrary\dokanctl.exe
Parent process: Dokan.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\dokan\dokanlibrary\dokanctl.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\dokan.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120.dll
PID: 3252
CMD: "C:\Users\admin\AppData\Local\Temp\winhex\Dokan.exe"
Path: C:\Users\admin\AppData\Local\Temp\winhex\Dokan.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\winhex\dokan.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
Total events: 898
Read events: 871
Write events: 27
Delete events: 0

Modification events

(PID) Process: (3984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3984) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\winhex.zip

(PID) Process: (3984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (3984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (3984) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation: write
Name: @C:\Windows\system32\notepad.exe,-469
Value: Text Document

(PID) Process: (3984) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation: write
Name: @C:\Windows\System32\hhctrl.ocx,-452
Value: Compiled HTML Help file
Executable files: 9
Suspicious files: 0
Text files: 16
Unknown types: 2

Dropped files

PID | Process | Filename | Type

3252 | Dokan.exe | C:\Users\admin\AppData\Local\Temp\nsaB01.tmp\System.dll | executable
MD5: 883EFF06AC96966270731E4E22817E11
SHA256: 44E5DFD551B38E886214BD6B9C8EE913C4C4D1F085A6575D97C3E892B925DA82

3252 | Dokan.exe | C:\Program Files\Dokan\DokanLibrary\license.lgpl.txt | text
MD5: 8E3494BF8CF1967AFD3B1016FBBE5BB0
SHA256: 319917F5CCD09878DB6F67C9A77DEE846055644CA49EB535628B9E020A87261E

3252 | Dokan.exe | C:\Program Files\Dokan\DokanLibrary\dokan.h | text
MD5: FB7E1E3B846074C7C0863B41A0EEA829
SHA256: 1C91385E3EACB4303E3C8A3C6677FB8A9831B98056592B4E687D5A6FE0941602

3252 | Dokan.exe | C:\Program Files\Dokan\DokanLibrary\license.gpl.txt | text
MD5: 3C34AFDC3ADF82D2448F12715A255122
SHA256: 0B383D5A63DA644F628D99C33976EA6487ED89AAA59F0B3257992DEAC1171E6B

3252 | Dokan.exe | C:\Program Files\Dokan\DokanLibrary\mounter.exe | executable
MD5: 6569D05C382977BCA5644385B464B611
SHA256: 7E999FFD64D21810B7EB7725188B0023FBA19753875AE6B0C27F0D5D9D9E4503

3252 | Dokan.exe | C:\Program Files\Dokan\DokanLibrary\dokan.lib | obj
MD5: 7CD6D6409DB7733A6F5B3B644F04B70E
SHA256: 59EF0689B6C4CE4027A8A9471C429FD98FEB7AF232BD8349E906B4AB10181D1A

3252 | Dokan.exe | C:\Program Files\Dokan\DokanLibrary\dokanctl.exe | executable
MD5: E40B0A2F59F793740329ED22D3B541F7
SHA256: 83B3BDEB96229130D83B7B813A73CB88E08F347E3488EC8B9FA09BE135E5E590

3252 | Dokan.exe | C:\Program Files\Dokan\DokanLibrary\include\fuse\ScopeGuard.h | text
MD5: AC9B04DCB1BF826E1FD0B6428585CE99
SHA256: B69359DE466EC783F7A0070C9ECC2930E0CF4EDE5D729EB7F2A408AFCFDF9F33

3252 | Dokan.exe | C:\Program Files\Dokan\DokanLibrary\sample\mirror\mirror.exe | executable
MD5: 6ACBC945F2D080370369E635B0DBF34E
SHA256: 9FB18147D2D0FBE0CA4380B046EC4C8B4E9C768563496F55AF3F7AB030E11B08

3252 | Dokan.exe | C:\Program Files\Dokan\DokanLibrary\sample\mirror\mirror.c | text
MD5: B896D6735B9403268B7C12211D80839D
SHA256: 14E63F684B88CACD78636DEE1E1746F3C66C907550C8FCAF3D1561470FD2C9CB
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
Process | Message
dokanctl.exe | Service (Dokan) installed
dokanctl.exe | Service (Dokan) started
dokanctl.exe | Service (Dokan) started
dokanctl.exe | Service (DokanMounter) installed
dokanctl.exe | Service (DokanMounter) started
dokanctl.exe | Service (DokanMounter) started