File name:

PAYSAFECARD.rar

Full analysis: https://app.any.run/tasks/2ddb9382-2349-4659-a60d-580e9c85aca6
Verdict: Malicious activity
Analysis date: April 06, 2024, 18:14:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5:

4760C9B44199E3D676DC9991211EAC9D

SHA1:

F4A078D3A53AE1178C811A1C616B21DBC204B87A

SHA256:

3D9D9B199ECF579B878484FB1368B1F7B91A021FAB9F2054D33AF601AF6DDDFC

SSDEEP:

98304:ph9OWYmb+pZiaTYghz2cLvuHwg2WZqmWyrQiMKQ+rKhw/O8z1h4AtqsT4FEq4x3F:knux5IFrDCG4t5EGiZ0HIe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2340)
      • Launcher.exe (PID: 2156)
    • Adds path to the Windows Defender exclusion list

      • Launcher.exe (PID: 2156)
    • Create files in the Startup directory

      • Launcher.exe (PID: 2156)
    • Changes the autorun value in the registry

      • Launcher.exe (PID: 2156)
  • SUSPICIOUS

    • Application launched itself

      • WinRAR.exe (PID: 2340)
    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 3936)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 2340)
      • Gift Card Generator By MT_SOFT.exe (PID: 2208)
      • Launcher.exe (PID: 2156)
      • Windows Services.exe (PID: 1556)
    • Write to the desktop.ini file (may be used to cloak folders)

      • WinRAR.exe (PID: 3936)
    • Reads the Internet Settings

      • Gift Card Generator By MT_SOFT.exe (PID: 2208)
      • Launcher.exe (PID: 2156)
      • Windows Services.exe (PID: 1556)
      • powershell.exe (PID: 2644)
      • GC by SOFT.exe (PID: 1308)
    • Script adds exclusion path to Windows Defender

      • Launcher.exe (PID: 2156)
    • Starts POWERSHELL.EXE for commands execution

      • Launcher.exe (PID: 2156)
    • Using PowerShell to operate with local accounts

      • powershell.exe (PID: 2644)
    • The process creates files with name similar to system file names

      • Launcher.exe (PID: 2156)
    • Blank space has been found in the path

      • GC by SOFT.exe (PID: 1308)
  • INFO

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3936)
    • Checks supported languages

      • Gift Card Generator By MT_SOFT.exe (PID: 2208)
      • Launcher.exe (PID: 2156)
      • Windows Services.exe (PID: 1556)
      • GC by SOFT.exe (PID: 1308)
      • Runtime Explorer.exe (PID: 844)
      • Secure System Shell.exe (PID: 3680)
      • Runtime Explorer.exe (PID: 1816)
      • Runtime Explorer.exe (PID: 1892)
      • Runtime Explorer.exe (PID: 3088)
    • Reads the computer name

      • Gift Card Generator By MT_SOFT.exe (PID: 2208)
      • Launcher.exe (PID: 2156)
      • GC by SOFT.exe (PID: 1308)
      • Windows Services.exe (PID: 1556)
      • Secure System Shell.exe (PID: 3680)
    • Reads the machine GUID from the registry

      • Gift Card Generator By MT_SOFT.exe (PID: 2208)
      • Launcher.exe (PID: 2156)
      • GC by SOFT.exe (PID: 1308)
      • Windows Services.exe (PID: 1556)
      • Secure System Shell.exe (PID: 3680)
      • Runtime Explorer.exe (PID: 1892)
      • Runtime Explorer.exe (PID: 844)
      • Runtime Explorer.exe (PID: 3088)
      • Runtime Explorer.exe (PID: 1816)
    • Manual execution by a user

      • Gift Card Generator By MT_SOFT.exe (PID: 2208)
      • msedge.exe (PID: 2480)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 2644)
    • Creates files or folders in the user directory

      • Launcher.exe (PID: 2156)
    • Create files in a temporary directory

      • Runtime Explorer.exe (PID: 1816)
      • Runtime Explorer.exe (PID: 1892)
      • Runtime Explorer.exe (PID: 3088)
      • Runtime Explorer.exe (PID: 844)
    • Application launched itself

      • msedge.exe (PID: 1728)
      • msedge.exe (PID: 2480)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize: 9003301
UncompressedSize: 9003248
OperatingSystem: Win32
ModifyDate: 2023:05:18 12:19:22
PackingMethod: Stored
ArchivedFileName: PSN Gift Card Generator.rar
No data.
All screenshots are available in the full report
Total processes: 74
Monitored processes: 32
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Process nodes in the graph, as listed ("no specs" marks a node with no signature details):

  • winrar.exe (no specs)
  • winrar.exe (no specs)
  • gift card generator by mt_soft.exe (no specs)
  • launcher.exe
  • powershell.exe (no specs)
  • gc by soft.exe
  • windows services.exe (no specs)
  • secure system shell.exe (no specs)
  • runtime explorer.exe (no specs)
  • runtime explorer.exe (no specs)
  • runtime explorer.exe (no specs)
  • runtime explorer.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)
  • msedge.exe (no specs)

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 268
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1560 --field-trial-handle=1324,i,4464193092073239800,602660152542960281,131072 /prefetch:3
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 552
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1288 --field-trial-handle=1244,i,7645576002595230514,17056044897557376258,131072 /prefetch:2
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 572
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=840 --field-trial-handle=1324,i,4464193092073239800,602660152542960281,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 844
CMD: "C:\Windows\IMF\Runtime Explorer.exe"
Path: C:\Windows\IMF\Runtime Explorer.exe
Parent process: Windows Services.exe
User:
admin
Company:
Microsoft Windows
Integrity Level:
HIGH
Version:
1.00
Modules
Images
c:\windows\imf\runtime explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 984
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1536 --field-trial-handle=1244,i,7645576002595230514,17056044897557376258,131072 /prefetch:3
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1216
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=109.0.5414.149 "--annotation=exe=C:\Program Files\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win32 "--annotation=prod=Microsoft Edge" --annotation=ver=109.0.1518.115 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd8,0x6a7bf598,0x6a7bf5a8,0x6a7bf5b4
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1308
CMD: "C:\Users\admin\Desktop\Gift Card Generator By MT_SOFT\lib\GC by SOFT.exe"
Path: C:\Users\admin\Desktop\Gift Card Generator By MT_SOFT\lib\GC by SOFT.exe
Parent process: Gift Card Generator By MT_SOFT.exe
User:
admin
Integrity Level:
HIGH
Description:
Gift Card Generator By MT_SOFT
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\gift card generator by mt_soft\lib\gc by soft.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 1392
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1220 --field-trial-handle=1324,i,4464193092073239800,602660152542960281,131072 /prefetch:2
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1556
CMD: "C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}
Path: C:\Windows\IMF\Windows Services.exe
Parent process: Launcher.exe
User:
admin
Integrity Level:
HIGH
Description:
Windows Services
Version:
1.0.0.0
Modules
Images
c:\windows\imf\windows services.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
PID: 1728
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/AccountCrack
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: GC by SOFT.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 16 536
Read events: 16 398
Write events: 131
Delete events: 7

Modification events

(PID) Process: (2340) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (2340) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (2340) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2340) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (2340) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (2340) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (2340) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\PAYSAFECARD.rar

(PID) Process: (2340) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2340) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2340) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files: 17
Suspicious files: 17
Text files: 53
Unknown types: 61

Dropped files

PID | Process | Filename | Type

2340 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2340.28712\Gift Card Generator By MT_SOFT.rar | compressed
MD5:
SHA256:

3936 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3936.28969\Gift Card Generator By MT_SOFT\Gift Card Generator By MT_SOFT.exe | executable
MD5:
SHA256:

3936 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3936.28969\Gift Card Generator By MT_SOFT\lib\GC by SOFT.exe | executable
MD5:
SHA256:

3936 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3936.28969\Gift Card Generator By MT_SOFT\lib\Ionic.Zip.dll | executable
MD5:
SHA256:

3936 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3936.28969\Gift Card Generator By MT_SOFT\lib\Launcher.exe | executable
MD5:
SHA256:

3936 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3936.28969\Gift Card Generator By MT_SOFT\lib\LICENCE.dat | compressed
MD5:
SHA256:

3936 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3936.28969\Gift Card Generator By MT_SOFT\lib\MetroSuite 2.0.dll | executable
MD5:
SHA256:

3936 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3936.28969\Gift Card Generator By MT_SOFT\MetroSuite 2.0.dll | executable
MD5:
SHA256:

3936 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3936.28969\Gift Card Generator By MT_SOFT\mfc100cht.dll | executable
MD5:
SHA256:

3936 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3936.28969\Gift Card Generator By MT_SOFT\mfc70enu.dll | executable
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 20
DNS requests: 16
Threats: 2

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
 | | 224.0.0.252:5355 | | | | unknown
4 | System | 192.168.100.255:138 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown
268 | msedge.exe | 149.154.167.99:443 | t.me | Telegram Messenger Inc | GB | unknown
2480 | msedge.exe | 239.255.255.250:1900 | | | | unknown
268 | msedge.exe | 13.107.21.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
268 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
268 | msedge.exe | 34.111.35.152:443 | cdn4.cdn-telegram.org | GOOGLE | US | unknown
2480 | msedge.exe | 224.0.0.251:5353 | | | | unknown

DNS requests

Domain
IP
Reputation
t.me
  • 149.154.167.99
whitelisted
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
telegram.org
  • 149.154.167.99
whitelisted
cdn4.cdn-telegram.org
  • 34.111.35.152
unknown
www.bing.com
  • 80.67.82.51
  • 80.67.82.56
  • 80.67.82.41
  • 80.67.82.34
  • 80.67.82.27
  • 80.67.82.35
  • 80.67.82.26
  • 80.67.82.42
  • 80.67.82.49
whitelisted
msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com
  • 152.199.21.175
whitelisted

Threats

PID | Process | Class | Message
268 | msedge.exe | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI)
268 | msedge.exe | Misc activity | ET INFO Observed Telegram Domain (t .me in TLS SNI)
No debug info