File name: 7966ee1ae9042e7345a55aa98ddeb4f39133216438d67461c7ee39864292e015

Full analysis: https://app.any.run/tasks/33bdac73-5cd5-4efd-84eb-edee304250e5
Verdict: Malicious activity
Analysis date: April 19, 2024, 09:09:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 09BFF35C5CDB1B96B3F4DB7A3AC61C11
SHA1: D54828E023E1D5C39D9392F0EC95C0D102877EA6
SHA256: 7966EE1AE9042E7345A55AA98DDEB4F39133216438D67461C7EE39864292E015
SSDEEP: 98304:EPcpEiDsIYLB8R9L99LmW3oHUHPdA5n2olZs8jv0RdP+cCHkvFVJ8eBMD5SgoC4/:YAOR7W

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 668)
      • Advanced-ip-scanner.exe (PID: 2880)
    • Starts CMD.EXE for self-deleting

      • Advanced-ip-scanner.exe (PID: 2880)
      • Advanced-ip-scanner.exe (PID: 3564)
  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • Advanced-ip-scanner.exe (PID: 2932)
      • Advanced-ip-scanner.exe (PID: 3664)
      • Advanced-ip-scanner.exe (PID: 2880)
      • Advanced-ip-scanner.exe (PID: 3564)
      • Advanced-ip-scanner.exe (PID: 532)
      • Advanced-ip-scanner.exe (PID: 2528)
    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 668)
      • Advanced-ip-scanner.exe (PID: 2880)
      • WinRAR.exe (PID: 3332)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 668)
      • WinRAR.exe (PID: 3332)
    • Application launched itself

      • Advanced-ip-scanner.exe (PID: 2932)
      • Advanced-ip-scanner.exe (PID: 3664)
    • Starts CMD.EXE for commands execution

      • Advanced-ip-scanner.exe (PID: 2880)
      • Advanced-ip-scanner.exe (PID: 3564)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 2868)
      • cmd.exe (PID: 1632)
    • Hides command output

      • cmd.exe (PID: 2868)
      • cmd.exe (PID: 1632)
    • Executable content was dropped or overwritten

      • Advanced-ip-scanner.exe (PID: 2880)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 668)
      • WinRAR.exe (PID: 3332)
    • Checks supported languages

      • Advanced-ip-scanner.exe (PID: 2932)
      • Advanced-ip-scanner.exe (PID: 3664)
      • Advanced-ip-scanner.exe (PID: 3564)
      • Advanced-ip-scanner.exe (PID: 2528)
      • Advanced-ip-scanner.exe (PID: 532)
      • Advanced-ip-scanner.exe (PID: 2880)
    • Reads the computer name

      • Advanced-ip-scanner.exe (PID: 2932)
      • Advanced-ip-scanner.exe (PID: 3664)
      • Advanced-ip-scanner.exe (PID: 2880)
      • Advanced-ip-scanner.exe (PID: 2528)
      • Advanced-ip-scanner.exe (PID: 3564)
      • Advanced-ip-scanner.exe (PID: 532)
    • Reads the machine GUID from the registry

      • Advanced-ip-scanner.exe (PID: 2932)
      • Advanced-ip-scanner.exe (PID: 3664)
      • Advanced-ip-scanner.exe (PID: 532)
      • Advanced-ip-scanner.exe (PID: 2528)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3332)
    • Manual execution by a user

      • WinRAR.exe (PID: 3332)
    • Creates files or folders in the user directory

      • Advanced-ip-scanner.exe (PID: 2880)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2024:03:17 03:25:50
ZipCRC: 0x7b400fe4
ZipCompressedSize: 2334619
ZipUncompressedSize: 23068672
ZipFileName: IVIEWERS.dll
No data.
All screenshots are available in the full report
Total processes: 50
Monitored processes: 14
Malicious processes: 3
Suspicious processes: 2

Behavior graph

start
  • winrar.exe
  • advanced-ip-scanner.exe (no specs)
  • advanced-ip-scanner.exe (no specs)
  • advanced-ip-scanner.exe
  • winrar.exe
  • onedrive.exe (no specs)
  • cmd.exe (no specs)
  • ping.exe (no specs)
  • advanced-ip-scanner.exe (no specs)
  • advanced-ip-scanner.exe (no specs)
  • advanced-ip-scanner.exe (no specs)
  • onedrive.exe (no specs)
  • cmd.exe (no specs)
  • ping.exe (no specs)

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 532
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3332.11727\Advanced-ip-scanner.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3332.11727\Advanced-ip-scanner.exe
Parent process: WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
OLE/COM Object Viewer
Version:
6.0.6001.17131 (longhorn_rtm.080108-2300)
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3332.11727\advanced-ip-scanner.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 668
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\7966ee1ae9042e7345a55aa98ddeb4f39133216438d67461c7ee39864292e015.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 1172
CMD: ping -n 3 127.0.0.1
Path: C:\Windows\System32\PING.EXE
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
PID: 1376
CMD: "C:\Users\admin\AppData\Local\Microsoft\OneDrive\Update\OneDrive.exe"
Path: C:\Users\admin\AppData\Local\Microsoft\OneDrive\Update\OneDrive.exe
Parent process: Advanced-ip-scanner.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneDrive
Version:
23.256.1211.0001
Modules
Images
c:\users\admin\appdata\local\microsoft\onedrive\update\onedrive.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
PID: 1632
CMD: cmd.exe /C for /l %x in (0,0,0) do (ping -n 3 127.0.0.1 > NUL & for %p in ("C:\Users\admin\AppData\Local\Temp\Rar$EXa668.7947\Advanced-ip-scanner.exe") do (del /f /q %p & if not exist %p exit))
Path: C:\Windows\System32\cmd.exe
Parent process: Advanced-ip-scanner.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2528
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3332.11900\Advanced-ip-scanner.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3332.11900\Advanced-ip-scanner.exe
Parent process: WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
OLE/COM Object Viewer
Version:
6.0.6001.17131 (longhorn_rtm.080108-2300)
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3332.11900\advanced-ip-scanner.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2868
CMD: cmd.exe /C for /l %x in (0,0,0) do (ping -n 3 127.0.0.1 > NUL & for %p in ("C:\Users\admin\AppData\Local\Temp\Rar$EXa668.7069\Advanced-ip-scanner.exe") do (del /f /q %p & if not exist %p exit))
Path: C:\Windows\System32\cmd.exe
Parent process: Advanced-ip-scanner.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2880
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa668.7069\Advanced-ip-scanner.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa668.7069\Advanced-ip-scanner.exe
Parent process: Advanced-ip-scanner.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
OLE/COM Object Viewer
Exit code:
0
Version:
6.0.6001.17131 (longhorn_rtm.080108-2300)
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa668.7069\advanced-ip-scanner.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2888
CMD: "C:\Users\admin\AppData\Local\Microsoft\OneDrive\Update\OneDrive.exe"
Path: C:\Users\admin\AppData\Local\Microsoft\OneDrive\Update\OneDrive.exe
Parent process: Advanced-ip-scanner.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneDrive
Version:
23.256.1211.0001
Modules
Images
c:\users\admin\appdata\local\microsoft\onedrive\update\onedrive.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
PID: 2932
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa668.7069\Advanced-ip-scanner.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa668.7069\Advanced-ip-scanner.exe
Parent process: WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
OLE/COM Object Viewer
Exit code:
0
Version:
6.0.6001.17131 (longhorn_rtm.080108-2300)
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa668.7069\advanced-ip-scanner.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
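The two cmd.exe processes above (PID 2868 and PID 1632) carry the same self-deletion loop: `for /l %x in (0,0,0)` never advances its counter, so the loop spins until the `del /f /q` of the parent's own image finally succeeds and `if not exist %p exit` breaks out; the loopback `ping -n 3` is the sleep that waits for the parent to release the file. The following detection rule, added here as an example and not part of the ANY.RUN report or its signatures, runs over constructed process-creation records in the shape of a parsed Sysmon Event ID 1 feed. The two malicious command lines are the ones the report records; the other rows are constructed benign noise, and the record layout and function names are assumptions of the example.

```python
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Constructed process-creation records as (pid, parent image, image path, command line), the
# shape a parsed Sysmon Event ID 1 or EDR feed would give. The two cmd.exe lines are the ones
# the report above records (PID 2868 and PID 1632); the other three rows are constructed benign
# noise to make sure the rule does not fire on ordinary del / for / ping use.
SAMPLE_EVENTS: List[Tuple[int, str, str, str]] = [
    (2868, "Advanced-ip-scanner.exe", r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /C for /l %x in (0,0,0) do (ping -n 3 127.0.0.1 > NUL & for %p in '
     r'("C:\Users\admin\AppData\Local\Temp\Rar$EXa668.7069\Advanced-ip-scanner.exe") '
     r'do (del /f /q %p & if not exist %p exit))'),
    (1632, "Advanced-ip-scanner.exe", r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /C for /l %x in (0,0,0) do (ping -n 3 127.0.0.1 > NUL & for %p in '
     r'("C:\Users\admin\AppData\Local\Temp\Rar$EXa668.7947\Advanced-ip-scanner.exe") '
     r'do (del /f /q %p & if not exist %p exit))'),
    (1172, "cmd.exe", r"C:\Windows\System32\PING.EXE", "ping -n 3 127.0.0.1"),
    (4100, "explorer.exe", r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /C del /q "C:\Users\admin\AppData\Local\Temp\build.log"'),
    (4200, "explorer.exe", r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /C for /l %i in (1,1,3) do echo %i"),
]

# `for /l %v in (start,step,end)`: with step 0 the counter never advances, so the loop only
# ends when something inside it calls `exit`.
STEP_ZERO_LOOP = re.compile(
    r"\bfor\s+/l\s+%\w+\s+in\s*\(\s*(-?\d+)\s*,\s*(-?\d+)\s*,\s*(-?\d+)\s*\)", re.I)
# `for %v in ("path") do (del ... %v`: the file being deleted, bound to a loop variable.
DEL_VIA_VAR = re.compile(
    r'\bfor\s+%\w+\s+in\s*\(\s*"?([^")]+?)"?\s*\)\s*do\s*\(?\s*del\b', re.I)
# `if not exist %v exit`: the only way out, taken once the delete finally succeeds.
EXIT_WHEN_GONE = re.compile(r"\bif\s+not\s+exist\s+%\w+\s+exit\b", re.I)
# Loopback ping used as a sleep while the parent still holds its image file open.
LOOPBACK_PING = re.compile(r"\bping\b[^&|]*?(?:127\.0\.0\.1|localhost|::1)\b", re.I)


def classify_self_delete(parent_image: str, command_line: str) -> Optional[Dict[str, object]]:
    """Return a finding dict when `command_line` is a cmd.exe self-deletion loop, else None.

    All three structural parts must be present: a step-0 `for /l` loop, a `del` of a path
    bound to a `for` variable, and an `if not exist ... exit`. The loopback ping is recorded
    as a supporting indicator rather than required, since the delay can be done other ways.
    """
    loop = STEP_ZERO_LOOP.search(command_line)
    if loop is None or int(loop.group(2)) != 0:
        return None
    target = DEL_VIA_VAR.search(command_line)
    if target is None or EXIT_WHEN_GONE.search(command_line) is None:
        return None
    deleted_path = target.group(1)
    return {
        "technique": "self-delete via cmd.exe step-0 for /l loop",
        "deleted_path": deleted_path,
        # True when the file being deleted is the parent's own image, as in this report.
        "deletes_parent_image": ntpath.basename(deleted_path).lower()
        == ntpath.basename(parent_image).lower(),
        "uses_ping_delay": LOOPBACK_PING.search(command_line) is not None,
    }


def scan_events(events: List[Tuple[int, str, str, str]]) -> List[Dict[str, object]]:
    """Run the rule over every cmd.exe process creation and return the pid-tagged findings."""
    findings: List[Dict[str, object]] = []
    for pid, parent_image, image, command_line in events:
        if ntpath.basename(image).lower() != "cmd.exe":
            continue
        finding = classify_self_delete(parent_image, command_line)
        if finding is not None:
            finding.update({"pid": pid, "parent_image": parent_image})
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit)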
Total events: 13 111
Read events: 13 067
Write events: 44
Delete events: 0

Modification events

(PID) Process: (668) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value: (empty)
(PID) Process: (668) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value: (empty)
(PID) Process: (668) WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
(PID) Process: (668) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\phacker.zip
(PID) Process: (668) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process: (668) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process: (668) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\7966ee1ae9042e7345a55aa98ddeb4f39133216438d67461c7ee39864292e015.zip
(PID) Process: (668) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(PID) Process: (668) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(PID) Process: (668) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
Executable files: 11
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

Columns: PID, Process, Filename, Type
668 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa668.7069\Advanced-ip-scanner.exe | executable
MD5: DF33C821C06835A1349CBE3B0C65F24C
SHA256: 0263663C5375289FA2550D0CFF3553DFC160A767E718A9C38EFC0DA3D7A4B626
668 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa668.7947\IVIEWERS.dll | executable
MD5: 980ED493FB2FAAD0376D71523F5ABDCD
SHA256: 722A44F6A4718D853D640381E77D1B9815D6F1663603859FF758DED896860CBA
668 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa668.7947\Advanced-ip-scanner.exe | executable
MD5: DF33C821C06835A1349CBE3B0C65F24C
SHA256: 0263663C5375289FA2550D0CFF3553DFC160A767E718A9C38EFC0DA3D7A4B626
3332 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3332.11727\IVIEWERS.dll | executable
MD5: 980ED493FB2FAAD0376D71523F5ABDCD
SHA256: 722A44F6A4718D853D640381E77D1B9815D6F1663603859FF758DED896860CBA
668 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa668.7069\IVIEWERS.dll | executable
MD5: 980ED493FB2FAAD0376D71523F5ABDCD
SHA256: 722A44F6A4718D853D640381E77D1B9815D6F1663603859FF758DED896860CBA
2880 | Advanced-ip-scanner.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\Update\OneDrive.exe | executable
MD5: 02A60567F6B14748E303C423C38DCC57
SHA256: 9BBA4C707DE5A66D8C47E3E18E575D43BA8011302DAD452230C4B9D6B314EE26
3332 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3332.11900\Advanced-ip-scanner.exe | executable
MD5: DF33C821C06835A1349CBE3B0C65F24C
SHA256: 0263663C5375289FA2550D0CFF3553DFC160A767E718A9C38EFC0DA3D7A4B626
3332 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3332.11900\IVIEWERS.dll | executable
MD5: 980ED493FB2FAAD0376D71523F5ABDCD
SHA256: 722A44F6A4718D853D640381E77D1B9815D6F1663603859FF758DED896860CBA
3332 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3332.11727\Advanced-ip-scanner.exe | executable
MD5: DF33C821C06835A1349CBE3B0C65F24C
SHA256: 0263663C5375289FA2550D0CFF3553DFC160A767E718A9C38EFC0DA3D7A4B626
2880 | Advanced-ip-scanner.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\Update\Secur32.dll | executable
MD5: D5E3EC5E028EA9923C60A8249186AC6D
SHA256: 287A0A80A995F1E62B317CF5FAA1DB94AF6EE9132B0F8483AFBD6819AA903D31
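Read together with the process information, the dropped-file table shows a two-stage side-loading chain: the file named Advanced-ip-scanner.exe carries Microsoft's "OLE/COM Object Viewer" version resource and is unpacked next to IVIEWERS.dll, and once running it writes OneDrive.exe beside a Secur32.dll into AppData\Local\Microsoft\OneDrive\Update and launches it from there. The triage script below is an added example, not part of the ANY.RUN report: it groups the report's dropped-file rows by directory, flags every .exe that landed beside a .dll outside the OS and Program Files trees, and raises severity when the DLL name shadows a known System32 or side-load library or the .exe claims to be a Microsoft binary. The row layout, the image metadata map, the short DLL reference set and the function names are assumptions of the example (the reference set is illustrative; a real deployment would load a hijack-library catalogue).

```python
import ntpath
from collections import defaultdict
from typing import Dict, List, Tuple

# Rows copied from the "Dropped files" table above, as (dropping pid, dropping process, path).
DROPPED: List[Tuple[int, str, str]] = [
    (668, "WinRAR.exe", r"C:\Users\admin\AppData\Local\Temp\Rar$EXa668.7069\Advanced-ip-scanner.exe"),
    (668, "WinRAR.exe", r"C:\Users\admin\AppData\Local\Temp\Rar$EXa668.7947\IVIEWERS.dll"),
    (668, "WinRAR.exe", r"C:\Users\admin\AppData\Local\Temp\Rar$EXa668.7947\Advanced-ip-scanner.exe"),
    (3332, "WinRAR.exe", r"C:\Users\admin\AppData\Local\Temp\Rar$EXa3332.11727\IVIEWERS.dll"),
    (668, "WinRAR.exe", r"C:\Users\admin\AppData\Local\Temp\Rar$EXa668.7069\IVIEWERS.dll"),
    (2880, "Advanced-ip-scanner.exe", r"C:\Users\admin\AppData\Local\Microsoft\OneDrive\Update\OneDrive.exe"),
    (3332, "WinRAR.exe", r"C:\Users\admin\AppData\Local\Temp\Rar$EXa3332.11900\Advanced-ip-scanner.exe"),
    (3332, "WinRAR.exe", r"C:\Users\admin\AppData\Local\Temp\Rar$EXa3332.11900\IVIEWERS.dll"),
    (3332, "WinRAR.exe", r"C:\Users\admin\AppData\Local\Temp\Rar$EXa3332.11727\Advanced-ip-scanner.exe"),
    (2880, "Advanced-ip-scanner.exe", r"C:\Users\admin\AppData\Local\Microsoft\OneDrive\Update\Secur32.dll"),
]

# Version-resource fields the "Process information" section shows for the images that ran:
# image file name -> (Company, Description).
IMAGE_METADATA: Dict[str, Tuple[str, str]] = {
    "Advanced-ip-scanner.exe": ("Microsoft Corporation", "OLE/COM Object Viewer"),
    "OneDrive.exe": ("Microsoft Corporation", "Microsoft OneDrive"),
    "WinRAR.exe": ("Alexander Roshal", "WinRAR archiver"),
}

# Reference data constructed for this example (not from the report): DLL names a signed Windows
# binary normally resolves from System32 or its own install directory, so a copy of one beside
# an .exe in a user-writable folder is a side-loading candidate. Secur32.dll is a System32 DLL;
# IVIEWERS.dll is the interface-viewer library OleView loads. Extend from a hijack-library catalogue.
KNOWN_SIDELOAD_DLLS = {"secur32.dll", "iviewers.dll", "version.dll", "cryptbase.dll", "dbghelp.dll"}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def is_user_writable(directory: str) -> bool:
    """Coarse check: anything outside the OS and Program Files trees is treated as user-writable."""
    return not directory.lower().startswith(TRUSTED_ROOTS)


def sideload_candidates(dropped: List[Tuple[int, str, str]]) -> List[Dict[str, object]]:
    """Group dropped files by directory; flag each .exe dropped beside a .dll in a user-writable folder."""
    by_dir: Dict[str, List[Tuple[int, str, str]]] = defaultdict(list)
    for pid, proc, path in dropped:
        by_dir[ntpath.dirname(path)].append((pid, proc, ntpath.basename(path)))

    findings: List[Dict[str, object]] = []
    for directory, entries in by_dir.items():
        exes = [name for _, _, name in entries if name.lower().endswith(".exe")]
        dlls = sorted(name for _, _, name in entries if name.lower().endswith(".dll"))
        if not exes or not dlls or not is_user_writable(directory):
            continue
        shadows_known = any(d.lower() in KNOWN_SIDELOAD_DLLS for d in dlls)
        for exe in exes:
            company, description = IMAGE_METADATA.get(exe, ("", ""))
            claims_microsoft = company == "Microsoft Corporation"
            findings.append({
                "directory": directory,
                "exe": exe,
                "dlls": dlls,
                "dll_shadows_known_name": shadows_known,
                "exe_claims_microsoft": claims_microsoft,
                # A file name that does not match its own description is the renamed-LOLBin tell.
                "exe_name_vs_description": f"{exe} / {description or 'unknown'}",
                "dropped_by": sorted({(pid, proc) for pid, proc, _ in entries}),
                "severity": "high" if (shadows_known or claims_microsoft) else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in sideload_candidates(DROPPED):
        print(finding["severity"], finding["directory"], finding["exe"],
              finding["dlls"], finding["exe_name_vs_description"])
```

Every directory in this report scores high, and the one to pull first is AppData\Local\Microsoft\OneDrive\Update: the Secur32.dll there (MD5 D5E3EC5E028EA9923C60A8249186AC6D) is the only dropped file not created by WinRAR, and OneDrive.exe is launched from that folder twice (PID 1376 and PID 2888), so it is the stage the renamed OleView exists to deliver.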
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

Columns: PID, Process, IP, Domain, ASN, CN, Reputation
4 | System | 192.168.100.255:137 | whitelisted
(not shown) | (not shown) | 224.0.0.252:5355 | unknown
4 | System | 192.168.100.255:138 | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | unknown

DNS requests

No data

Threats

No threats detected
No debug info