File name: Scanwin.zip

Full analysis: https://app.any.run/tasks/79c01f0d-a1d8-4e00-a9b1-5d4cdee66a8a
Verdict: Malicious activity
Analysis date: May 31, 2021, 22:31:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 8C54A3A75A378132EDC81FD5990188E0
SHA1: 26B6DAF7575CA2AEFAA6F53259A46801F6CCC99E
SHA256: AC3430FD2A7F83C08ED3CA690660EC11D4B7A4624C4D57502675109C5E127B89
SSDEEP: 98304:hr3cqX10YKnV5yebNQKD5djCm14oohxjoooooooIncOvJ00lAw1ZNNus9:hAWGnVTbNbdjKoooooooIRvHNNug

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • ScanWin.exe (PID: 3640)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1248)
    • Drops a file with too old compile date

      • WinRAR.exe (PID: 1248)
    • Creates files in the program directory

      • ScanWin.exe (PID: 3640)
    • Drops a file that was compiled in debug mode

      • WinRAR.exe (PID: 1248)
  • INFO

    • Manual execution by user

      • explorer.exe (PID: 584)
      • cmd.exe (PID: 3864)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: Setup.cmd
ZipUncompressedSize: 302
ZipCompressedSize: 194
ZipCRC: 0xb60bb231
ZipModifyDate: 2021:05:31 15:34:14
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 46
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

[Interactive process graph, available in the full report. Nodes: start, winrar.exe, explorer.exe (no specs), cmd.exe (no specs), scanwin.exe (no specs)]

Process information

PID: 584
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\explorer.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll

PID: 1248
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Scanwin.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules (images):
  c:\program files\winrar\winrar.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\comdlg32.dll

PID: 3640
CMD: "ScanWin\ScanWin.exe" /c 127.0.0.1 /fp /lu /rp /sl /s
Path: C:\temp\ScanWin\ScanWin.exe
Parent process: cmd.exe
User: admin
Company: License Dashboard
Integrity Level: MEDIUM
Description: ScanWin
Exit code: 0
Version: 2.1.8.5
Modules (images):
  c:\temp\scanwin\scanwin.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 3864
CMD: "C:\Windows\system32\cmd.exe"
Path: C:\Windows\system32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
  c:\windows\system32\cmd.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\winbrand.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
Total events: 522
Read events: 497
Write events: 25
Delete events: 0

Modification events

Process: (1248) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

Process: (1248) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

Process: (1248) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (1248) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
Operation: write
Name: @C:\Windows\system32\NetworkExplorer.dll,-1
Value: Network

Process: (1248) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Scanwin.zip

Process: (1248) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (1248) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (1248) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: (1248) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process: (1248) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
Operation: write
Name: @C:\Windows\System32\acppage.dll,-6003
Value: Windows Command Script
Executable files: 30
Suspicious files: 0
Text files: 9
Unknown types: 0

Dropped files

PID: 1248
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1248.13697\ScanWin\LD.Common.Logger.dll
Type: executable
MD5:
SHA256:

PID: 1248
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1248.13697\ScanWin\FilePackages.xml
Type: xml
MD5:
SHA256:

PID: 1248
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1248.13697\ScanWin\AutodeskProductCodes
Type: text
MD5:
SHA256:

PID: 1248
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1248.13697\ScanWin\LD.Common.Logger.Serilog.dll
Type: executable
MD5:
SHA256:

PID: 1248
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1248.13697\ScanWin\Autodesk.ico
Type: image
MD5:
SHA256:

PID: 1248
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1248.13697\Setup.cmd
Type: text
MD5:
SHA256:

PID: 1248
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1248.13697\ScanWin\IPAddressRange.dll
Type: executable
MD5: 39C37A31A38E60265F3C777415B84755
SHA256: 9A678D2D432FE636A797C2968736EE27B26D9597C2A432A3B3EE037BFA0386DF

PID: 1248
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1248.13697\ScanWin\EULA.rtf
Type: text
MD5: 61DA54F9FCA834AAA6A8D69556CDABBD
SHA256: 320731435064464EE69A609B5575CABEBA1F7326A5E288E1A86F58D72709C7EE

PID: 1248
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1248.13697\ScanWin\CommonServiceLocator.dll
Type: executable
MD5: 58DAC63B3B06AE3F57A05593437BF707
SHA256: 4489ACEF15490A93AA589670F1666E6A7DF76D50CE45F3CB4C8DC8D85FADF44E

PID: 1248
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa1248.13697\ScanWin\ControlzEx.dll
Type: executable
MD5: 5CF2837021516334344629CB679D40B5
SHA256: 55CAE0AF8517AC2D787B210AC6F79C9AAC7F58035B69FAAF620A90F33E2676FC
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info