The string typically appears in the path ...\20882\Rar$Scan... when a malicious archive is extracted or scanned by WinRAR. Reports from the malware analysis platform ANY.RUN indicate this specific directory was used during the execution of a multi-stage infection chain. Technical Findings
Malware analysis ibso9p0sjp44crzm.7z Malicious activity | ANY.RUN
: C:\Users\admin\AppData\Local\Temp\20882\ (or similar Temp subdirectories).
: Look for variations of Rar$Scan[Number].bat .
: The analysis shows a file named Rar$Scan19941.bat being launched from the 20882 directory via cmd.exe .