File name: HDDScan.zip

Full analysis: https://app.any.run/tasks/338fdac5-d420-4fc9-b846-5be1eb341a05
Verdict: Malicious activity
Analysis date: April 06, 2024, 10:23:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: 86C2471E6B1DB628CAF48B1A6EA1D70C
SHA1: CE98D12702E26947739BD5B507C933D4C51A4C8F
SHA256: 8F392FC0C2DBB5B75848B7F791C105DA28D5F1260E3D324B2F9EA9C72122657C
SSDEEP: 98304:ZrhclCz/jdtN6PTdLDBtH1lbmUOQRQJFLqFJJA4cP093NXNdiDqHzihlKWCdy4q9:V2og0vgq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • WinRAR.exe (PID: 3500)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • HDDScan.exe (PID: 3180)
      • WinRAR.exe (PID: 3500)
    • Checks Windows Trust Settings
      • HDDScan.exe (PID: 3180)
    • Reads settings of System Certificates
      • HDDScan.exe (PID: 3180)
    • Reads the Internet Settings
      • HDDScan.exe (PID: 3180)
    • Adds/modifies Windows certificates
      • HDDScan.exe (PID: 3180)
    • Reads Microsoft Outlook installation path
      • HDDScan.exe (PID: 3180)
    • Reads Internet Explorer settings
      • HDDScan.exe (PID: 3180)
  • INFO
    • Reads the computer name
      • HDDScan.exe (PID: 3180)
    • Checks supported languages
      • HDDScan.exe (PID: 3180)
    • Checks proxy server information
      • HDDScan.exe (PID: 3180)
    • Reads the machine GUID from the registry
      • HDDScan.exe (PID: 3180)
    • Reads the software policy settings
      • HDDScan.exe (PID: 3180)
    • Creates files in a temporary directory
      • HDDScan.exe (PID: 3180)
    • Creates files or folders in the user directory
      • HDDScan.exe (PID: 3180)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2019:08:31 12:21:46
ZipCRC: 0xd1cc1d72
ZipCompressedSize: 3159007
ZipUncompressedSize: 7131648
ZipFileName: HDDScan.exe
No data.
All screenshots are available in the full report
Total processes: 42
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Interactive graph available in the full report; nodes: start, winrar.exe, hddscan.exe, hddscan.exe.

Process information

PID 2232
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3500.646\HDDScan.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3500.646\HDDScan.exe
  Parent process: WinRAR.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Version: 4.1.0.29
  Modules (images):
    c:\users\admin\appdata\local\temp\rar$exa3500.646\hddscan.exe
    c:\windows\system32\ntdll.dll

PID 3180
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3500.646\HDDScan.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3500.646\HDDScan.exe
  Parent process: WinRAR.exe
  User: admin
  Integrity Level: HIGH
  Version: 4.1.0.29
  Modules (images):
    c:\users\admin\appdata\local\temp\rar$exa3500.646\hddscan.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\oleaut32.dll
    c:\windows\system32\ole32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\lpk.dll

PID 3500
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\HDDScan.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.91.0
  Modules (images):
    c:\program files\winrar\winrar.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\comdlg32.dll
Total events: 15 614
Read events: 15 508
Write events: 92
Delete events: 14

Modification events

(PID 3500) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value: (empty)
(PID 3500) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value: (empty)
(PID 3500) WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
(PID 3500) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\phacker.zip
(PID 3500) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID 3500) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID 3500) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\HDDScan.zip
(PID 3500) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(PID 3500) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(PID 3500) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
Executable files: 2
Suspicious files: 3
Text files: 21
Unknown types: 4

Dropped files

PID | Process | Filename | Type
3500 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3500.646\HDDScan.exe | executable
3500 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3500.646\res\DEFECTSL.xslt | xml
3500 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3500.646\res\DEFECTSP.xslt | xml
3500 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3500.646\res\Flash.ini | text
3500 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3500.646\res\GREEN.ico | image
3500 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3500.646\res\HDD.jpg | image
3500 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3500.646\res\IDEID.xslt | xml
3500 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3500.646\res\NAND.png | image
3500 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3500.646\res\pad_file.xml | xml
3500 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3500.646\res\RED.ico | image

(The MD5 and SHA256 columns for dropped files are empty in this export.)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 10
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3180 | HDDScan.exe | GET | 304 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?86d6139f3b7ef26c | US | - | - | unknown
3180 | HDDScan.exe | GET | 200 | 95.101.54.130:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgNwwetcm3%2FK8GaphXHCH%2B5MGA%3D%3D | DE | binary | 503 b | unknown
3180 | HDDScan.exe | GET | 200 | 2.19.245.44:80 | http://x1.c.lencr.org/ | DE | binary | 717 b | unknown
3180 | HDDScan.exe | GET | 301 | 64.227.26.16:80 | http://hddscan.com/dfgkjdfg435egdvkjdv/update.xml | US | html | 335 b | unknown

Note: the ctldl.windowsupdate.com request fetches the Windows disallowed-certificate trust list, and the two lencr.org requests are Let's Encrypt OCSP and CA-issuer fetches; all three are standard certificate-chain validation traffic, consistent with the "Checks Windows Trust Settings" and "Adds/modifies Windows certificates" indicators above. Only the hddscan.com update.xml request is specific to the application itself.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | unknown
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
3180 | HDDScan.exe | 64.227.26.16:80 | hddscan.com | DIGITALOCEAN-ASN | US | unknown
3180 | HDDScan.exe | 64.227.26.16:443 | hddscan.com | DIGITALOCEAN-ASN | US | unknown
3180 | HDDScan.exe | 199.232.210.172:80 | ctldl.windowsupdate.com | FASTLY | US | unknown
3180 | HDDScan.exe | 2.19.245.44:80 | x1.c.lencr.org | AKAMAI-AS | DE | unknown
3180 | HDDScan.exe | 95.101.54.99:80 | r3.o.lencr.org | Akamai International B.V. | DE | unknown
3180 | HDDScan.exe | 95.101.54.130:80 | r3.o.lencr.org | Akamai International B.V. | DE | unknown

DNS requests

Domain | IP | Reputation
hddscan.com | 64.227.26.16 | whitelisted
ctldl.windowsupdate.com | 199.232.210.172, 199.232.214.172 | whitelisted
x1.c.lencr.org | 2.19.245.44 | whitelisted
r3.o.lencr.org | 95.101.54.99, 95.101.54.130, 2.16.202.115 | shared

Threats

No threats detected
No debug info