winhex.zip

Full analysis: https://app.any.run/tasks/b28c930e-b72c-463b-8759-45dda4603da5
Verdict: Malicious activity
Analysis date: May 17, 2019, 15:21:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 61A9A0C13391476C5F23C456F86BFBA9
SHA1: F670EAC27209A469BD836B00921FDC51631B021F
SHA256: 5077181BE75D19FED2F2F8E55B7D50A603F9C561FCD9C55BF6141F0DDEB364D6
SSDEEP: 49152:N0KRPwJnykbmiFFt5U6HpUB6ihqGhJ3e4Aoz/OjgX/QF90bNnYdwfyShrz:NxRoxyNiFFt5JHCk0qGhZZOsINyyw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Dokan.exe (PID: 4024)
      • Dokan.exe (PID: 3252)
      • dokanctl.exe (PID: 3044)
      • mounter.exe (PID: 2936)
      • dokanctl.exe (PID: 2480)
      • dokanctl.exe (PID: 2628)
      • dokanctl.exe (PID: 3920)
      • mounter.exe (PID: 3960)
      • dokanctl.exe (PID: 2464)
      • dokanctl.exe (PID: 2816)
      • dokanctl.exe (PID: 1424)
    • Loads dropped or rewritten executable

      • dokanctl.exe (PID: 3044)
      • dokanctl.exe (PID: 2464)
      • dokanctl.exe (PID: 1424)
      • dokanctl.exe (PID: 2628)
      • Dokan.exe (PID: 3252)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3984)
      • Dokan.exe (PID: 3252)
    • Creates files in the driver directory

      • Dokan.exe (PID: 3252)
    • Creates files in the Windows directory

      • Dokan.exe (PID: 3252)
    • Creates files in the program directory

      • Dokan.exe (PID: 3252)
    • Creates a software uninstall entry

      • Dokan.exe (PID: 3252)
  • INFO

    No info indicators.
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2019:04:08 19:08:01
ZipCRC: 0xdefcb594
ZipCompressedSize: 619
ZipUncompressedSize: 1217
ZipFileName: Boot Sector FAT.tpl
No data.
All screenshots are available in the full report
Total processes: 63
Monitored processes: 14
Malicious processes: 1
Suspicious processes: 2

Behavior graph

Process nodes in the graph (processes marked "no specs" raised no indicators):

  • start
  • winrar.exe
  • explorer.exe (no specs)
  • dokan.exe (no specs)
  • dokan.exe
  • dokanctl.exe
  • mounter.exe (no specs)
  • dokanctl.exe (no specs)
  • dokanctl.exe (no specs)
  • dokanctl.exe
  • cmd.exe (no specs)
  • dokanctl.exe (no specs)
  • dokanctl.exe (no specs)
  • dokanctl.exe
  • mounter.exe (no specs)

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 1012
CMD: "C:\Windows\system32\cmd.exe"
Path: C:\Windows\system32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1424
CMD: "C:\Program Files\Dokan\DokanLibrary\dokanctl.exe"
Path: C:\Program Files\Dokan\DokanLibrary\dokanctl.exe
Parent process: cmd.exe
User: admin
Integrity Level: HIGH
Exit code: 4294967295
Modules
Images
c:\program files\dokan\dokanlibrary\dokanctl.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\dokan.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120.dll
PID: 2440
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2464
CMD: "C:\Program Files\Dokan\DokanLibrary\dokanctl.exe" /i n
Path: C:\Program Files\Dokan\DokanLibrary\dokanctl.exe
Parent process: Dokan.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\program files\dokan\dokanlibrary\dokanctl.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\dokan.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120.dll
PID: 2480
CMD: "C:\Program Files\Dokan\DokanLibrary\dokanctl.exe"
Path: C:\Program Files\Dokan\DokanLibrary\dokanctl.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules
Images
c:\program files\dokan\dokanlibrary\dokanctl.exe
c:\systemroot\system32\ntdll.dll
PID: 2628
CMD: "C:\Program Files\Dokan\DokanLibrary\dokanctl.exe"
Path: C:\Program Files\Dokan\DokanLibrary\dokanctl.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 4294967295
Modules
Images
c:\program files\dokan\dokanlibrary\dokanctl.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\dokan.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120.dll
PID: 2816
CMD: dokanctl.exe
Path: c:\Program Files\Dokan\DokanLibrary\dokanctl.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules
Images
c:\program files\dokan\dokanlibrary\dokanctl.exe
c:\systemroot\system32\ntdll.dll
PID: 2936
CMD: "C:\Program Files\Dokan\DokanLibrary\mounter.exe"
Path: C:\Program Files\Dokan\DokanLibrary\mounter.exe
Parent process: services.exe
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 0
Modules
Images
c:\program files\dokan\dokanlibrary\mounter.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120.dll
PID: 3044
CMD: "C:\Program Files\Dokan\DokanLibrary\dokanctl.exe" /i a
Path: C:\Program Files\Dokan\DokanLibrary\dokanctl.exe
Parent process: Dokan.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\program files\dokan\dokanlibrary\dokanctl.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\dokan.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120.dll
PID: 3252
CMD: "C:\Users\admin\AppData\Local\Temp\winhex\Dokan.exe"
Path: C:\Users\admin\AppData\Local\Temp\winhex\Dokan.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\users\admin\appdata\local\temp\winhex\dokan.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
Total events: 898
Read events: 871
Write events: 27
Delete events: 0

Modification events

(PID) Process: (3984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write | Name: ShellExtBMP | Value: (empty)

(PID) Process: (3984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write | Name: ShellExtIcon | Value: (empty)

(PID) Process: (3984) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation: write | Name: LanguageList | Value: en-US

(PID) Process: (3984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\winhex.zip

(PID) Process: (3984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: name | Value: 120

(PID) Process: (3984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: size | Value: 80

(PID) Process: (3984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: type | Value: 120

(PID) Process: (3984) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: mtime | Value: 100

(PID) Process: (3984) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation: write | Name: @C:\Windows\system32\notepad.exe,-469 | Value: Text Document

(PID) Process: (3984) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation: write | Name: @C:\Windows\System32\hhctrl.ocx,-452 | Value: Compiled HTML Help file
Executable files: 9
Suspicious files: 0
Text files: 16
Unknown types: 2

Dropped files

Columns: PID, Process, Filename, Type

PID: 3252 | Process: Dokan.exe | Filename: C:\Program Files\Dokan\DokanLibrary\README.url | Type: text
MD5: D73E2EA707A98BCE24B1970C91D82F6C
SHA256: 64BDC2E022158E93EEFB2F1473F419AE9F135BC193A846300D95BE39A0A4237D

PID: 3252 | Process: Dokan.exe | Filename: C:\Program Files\Dokan\DokanLibrary\dokan.h | Type: text
MD5: FB7E1E3B846074C7C0863B41A0EEA829
SHA256: 1C91385E3EACB4303E3C8A3C6677FB8A9831B98056592B4E687D5A6FE0941602

PID: 3984 | Process: WinRAR.exe | Filename: C:\Users\admin\AppData\Local\Temp\winhex\Dokan.exe | Type: executable
MD5: B2E209833057CC4780209A6002C45D12
SHA256: 3D676CE6E3A12C14F275B03F64D73D49463A0FF946A5F661B603559025E71A84

PID: 3252 | Process: Dokan.exe | Filename: C:\Program Files\Dokan\DokanLibrary\dokan.lib | Type: obj
MD5: 7CD6D6409DB7733A6F5B3B644F04B70E
SHA256: 59EF0689B6C4CE4027A8A9471C429FD98FEB7AF232BD8349E906B4AB10181D1A

PID: 3252 | Process: Dokan.exe | Filename: C:\Program Files\Dokan\DokanLibrary\include\fuse\ScopeGuard.h | Type: text
MD5: AC9B04DCB1BF826E1FD0B6428585CE99
SHA256: B69359DE466EC783F7A0070C9ECC2930E0CF4EDE5D729EB7F2A408AFCFDF9F33

PID: 3252 | Process: Dokan.exe | Filename: C:\Program Files\Dokan\DokanLibrary\include\fuse\fuse_common.h | Type: text
MD5: C300E164946016AE0370A5DC1D01847D
SHA256: 4A45F7A5115FEE69753F6D6988486082B67B99EB65A7D0CDEF428C505821C39C

PID: 3252 | Process: Dokan.exe | Filename: C:\Program Files\Dokan\DokanLibrary\license.mit.txt | Type: text
MD5: 5CE1C10E198C8A29657C1A8462045A1D
SHA256: B0B8A1AC2D22E95F3EF94B4EC2074BF22861EDD7513696EE9CE4201BAD00B3D1

PID: 3252 | Process: Dokan.exe | Filename: C:\Users\admin\AppData\Local\Temp\nsaB01.tmp\System.dll | Type: executable
MD5: 883EFF06AC96966270731E4E22817E11
SHA256: 44E5DFD551B38E886214BD6B9C8EE913C4C4D1F085A6575D97C3E892B925DA82

PID: 3252 | Process: Dokan.exe | Filename: C:\Program Files\Dokan\DokanLibrary\include\fuse\docanfuse.h | Type: text
MD5: 7EF0EAF8682DCA128A0F47D911B7E055
SHA256: 8A330B29A0DFCB48C884E8B40787E8FC905AFA1E9ABF743EF78FACEE84AFA10E

PID: 3252 | Process: Dokan.exe | Filename: C:\Program Files\Dokan\DokanLibrary\sample\mirror\dokan_mirror.vcxproj | Type: xml
MD5: 477102FAB2EC919624738301E3F3BA9A
SHA256: 0BF3DAA3B7DE92726D4D7B0BE24C25F6414BE98D6F254DF78B61ACEFC1AE6B93
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
Process messages (Process: Message)

  • dokanctl.exe: Service (Dokan) installed
  • dokanctl.exe: Service (Dokan) started
  • dokanctl.exe: Service (Dokan) started
  • dokanctl.exe: Service (DokanMounter) installed
  • dokanctl.exe: Service (DokanMounter) started
  • dokanctl.exe: Service (DokanMounter) started