File name:

_Getintopc.com_Internet_Download_Manager_6.41_Build_3.rar

Full analysis: https://app.any.run/tasks/4fcd08d6-ced2-48dc-8f75-940464238c49
Verdict: Malicious activity
Analysis date: June 06, 2024, 08:26:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

87F50E1499CFA92C3C4D49AB61B98D3D

SHA1:

0E348D38F02C4E220C853E0C4D74859C160D91EB

SHA256:

842177B1573BF2DFFFA813F5FF4827CB77125D06AAB0D2DC648A22AA3431D350

SSDEEP:

98304:aiCkwg8viyrgMPvFYRW/Nh3CyuhdM8QxyzaJc0GiDCz3s2EAnZzAgDgervmkC3OR:alKraoAvV55/uPrOcm+RY+s0RqXj8mu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is, for the user's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Setup_Install.exe (PID: 1844)
      • msiexec.exe (PID: 2240)
      • msiexec.exe (PID: 1940)
    • Opens a text file (SCRIPT)

      • msiexec.exe (PID: 1940)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3988)
      • WinRAR.exe (PID: 124)
      • msiexec.exe (PID: 1940)
      • IDM1.tmp (PID: 2648)
      • IDMan.exe (PID: 2816)
    • Application launched itself

      • WinRAR.exe (PID: 3988)
    • Executable content was dropped or overwritten

      • Setup_Install.exe (PID: 1844)
    • Reads the Windows owner or organization settings

      • Setup_Install.exe (PID: 1844)
      • msiexec.exe (PID: 2240)
    • Reads data from a binary Stream object (SCRIPT)

      • msiexec.exe (PID: 1940)
    • Checks whether a specific file exists (SCRIPT)

      • msiexec.exe (PID: 1940)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • msiexec.exe (PID: 1940)
    • Reads the Internet Settings

      • msiexec.exe (PID: 1940)
      • IDM1.tmp (PID: 2648)
      • IDMan.exe (PID: 2816)
    • Starts application with an unusual extension

      • idman641build3f.exe (PID: 2620)
    • Creates a software uninstall entry

      • IDM1.tmp (PID: 2648)
    • The process creates files with name similar to system file names

      • IDM1.tmp (PID: 2648)
    • Runs shell command (SCRIPT)

      • msiexec.exe (PID: 1940)
    • Creates/Modifies COM task schedule object

      • IDM1.tmp (PID: 2648)
      • IDMan.exe (PID: 2816)
    • Reads settings of System Certificates

      • IDMan.exe (PID: 2816)
    • Checks Windows Trust Settings

      • IDMan.exe (PID: 2816)
  • INFO

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 124)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 124)
      • msiexec.exe (PID: 2240)
      • msiexec.exe (PID: 1940)
    • Checks supported languages

      • Setup_Install.exe (PID: 1844)
      • msiexec.exe (PID: 2240)
      • msiexec.exe (PID: 2264)
      • msiexec.exe (PID: 1940)
      • IDM1.tmp (PID: 2648)
      • idmBroker.exe (PID: 2388)
      • idman641build3f.exe (PID: 2620)
      • msiexec.exe (PID: 2480)
      • wmpnscfg.exe (PID: 2564)
      • IDMan.exe (PID: 2816)
    • Reads the computer name

      • Setup_Install.exe (PID: 1844)
      • msiexec.exe (PID: 2240)
      • msiexec.exe (PID: 2264)
      • msiexec.exe (PID: 1940)
      • IDM1.tmp (PID: 2648)
      • msiexec.exe (PID: 2480)
      • IDMan.exe (PID: 2816)
      • wmpnscfg.exe (PID: 2564)
    • Reads Environment values

      • Setup_Install.exe (PID: 1844)
      • msiexec.exe (PID: 1940)
      • msiexec.exe (PID: 2480)
    • Reads the machine GUID from the registry

      • Setup_Install.exe (PID: 1844)
      • msiexec.exe (PID: 2240)
      • msiexec.exe (PID: 2264)
      • msiexec.exe (PID: 1940)
      • msiexec.exe (PID: 2480)
      • IDM1.tmp (PID: 2648)
      • IDMan.exe (PID: 2816)
    • Creates files or folders in the user directory

      • Setup_Install.exe (PID: 1844)
      • IDM1.tmp (PID: 2648)
      • IDMan.exe (PID: 2816)
    • Application launched itself

      • msiexec.exe (PID: 2240)
    • Create files in a temporary directory

      • msiexec.exe (PID: 2240)
      • IDM1.tmp (PID: 2648)
      • idman641build3f.exe (PID: 2620)
      • IDMan.exe (PID: 2816)
    • Creates files in the program directory

      • IDM1.tmp (PID: 2648)
      • IDMan.exe (PID: 2816)
    • Reads the software policy settings

      • IDMan.exe (PID: 2816)
    • Disables trace logs

      • IDMan.exe (PID: 2816)
    • Checks proxy server information

      • IDMan.exe (PID: 2816)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 2564)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes
55
Monitored processes
14
Malicious processes
6
Suspicious processes
2

Behavior graph

Processes in the graph, in the order drawn ("no specs" is the report's label for a process with no recorded indicators): winrar.exe (no specs), winrar.exe, setup_install.exe (no specs), setup_install.exe, msiexec.exe, msiexec.exe (no specs), msiexec.exe (no specs), msiexec.exe, idman641build3f.exe (no specs), msiexec.exe (no specs), idm1.tmp (no specs), idmbroker.exe (no specs), idman.exe, wmpnscfg.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 124
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIb3988.27076\Setup_Install.rar
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: WinRAR.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 824
CMD: "C:\Windows\system32\msiexec.exe" /i "C:\Users\admin\AppData\Roaming\Getintopc.com\EXE - Step 3 - Setup_Install 1.0.0\install\A9F990C\GetintoPC-Top-EXE.msi" /quiet /qn AI_SETUPEXEPATH=C:\Users\admin\AppData\Local\Temp\Rar$EXb124.27891\Setup_Install.exe SETUPEXEDIR=C:\Users\admin\AppData\Local\Temp\Rar$EXb124.27891\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1717661329 " AI_EUIMSI=""
Path: C:\Windows\System32\msiexec.exe
Parent process: Setup_Install.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
1603
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1432
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb124.27891\Setup_Install.exe" 
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb124.27891\Setup_Install.exe
Parent process: WinRAR.exe
User:
admin
Company:
Getintopc.com
Integrity Level:
MEDIUM
Description:
EXE - Step 3 - Setup_Install Installer
Exit code:
3221226540
Version:
1.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exb124.27891\setup_install.exe
c:\windows\system32\ntdll.dll
PID: 1844
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb124.27891\Setup_Install.exe" 
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb124.27891\Setup_Install.exe
Parent process: WinRAR.exe
User:
admin
Company:
Getintopc.com
Integrity Level:
HIGH
Description:
EXE - Step 3 - Setup_Install Installer
Exit code:
1603
Version:
1.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exb124.27891\setup_install.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
PID: 1940
CMD: C:\Windows\system32\MsiExec.exe -Embedding 9F43FCAD15C1A10A577D81B7650571D0
Path: C:\Windows\System32\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2240
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2264
CMD: C:\Windows\system32\MsiExec.exe -Embedding 52E1D9DC812459E9896E20F329B22C5E C
Path: C:\Windows\System32\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2388
CMD: "C:\Program Files\Internet Download Manager\idmBroker.exe" -RegServer
Path: C:\Program Files\Internet Download Manager\idmBroker.exe
Parent process: IDM1.tmp
User:
admin
Company:
Internet Download Manager, Tonec Inc.
Integrity Level:
HIGH
Description:
Broker for reading of IDM settings
Exit code:
0
Version:
6, 35, 9, 1
Modules
Images
c:\program files\internet download manager\idmbroker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 2480
CMD: C:\Windows\system32\MsiExec.exe -Embedding A70EC14E53EFC7D4C0DFBA033C85A8EB E Global\MSI0000
Path: C:\Windows\System32\msiexec.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2564
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
21 712
Read events
21 356
Write events
272
Delete events
84

Modification events

(PID) Process: (3988) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:
(PID) Process: (3988) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:
(PID) Process: (3988) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US
(PID) Process: (3988) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0
(PID) Process: (3988) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip
(PID) Process: (3988) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process: (3988) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process: (3988) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Downloads\_Getintopc.com_Internet_Download_Manager_6.41_Build_3.rar
(PID) Process: (3988) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120
(PID) Process: (3988) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80
Executable files
12
Suspicious files
27
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID 3988, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DIb3988.27076\Setup_Install.rar
MD5:
SHA256:
PID 2480, msiexec.exe: C:\Windows\SystemTemp\msiA7F5.txt
MD5:
SHA256:
PID 2480, msiexec.exe: C:\Windows\SystemTemp\scrA7F6.ps1
MD5:
SHA256:
PID 2480, msiexec.exe: C:\Windows\SystemTemp\scrA7F7.txt
MD5:
SHA256:
PID 2480, msiexec.exe: C:\Windows\SystemTemp\pssA808.ps1
MD5:
SHA256:
PID 124, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$EXb124.27891\Data_xe.bin (executable)
MD5: 903ADF8E67C97804FB458D9A9D91860E
SHA256: 57951B66BE1A88A2C6AED32DCB15A4BCBE790A51EBA198B206A869D84E386C93
PID 1844, Setup_Install.exe: C:\Users\admin\AppData\Roaming\Getintopc.com\EXE - Step 3 - Setup_Install 1.0.0\install\A9F990C\LocalAppDataFolder\Updates\WindowsService.exe (executable)
MD5: 9CEADCFE7E7535B2088F1FCF3C4B30C7
SHA256: 5AF9E89A7BFCFCAE1C75DE6ACB7194B667D13776B61E79EA8AEAB95F0AF76BC7
PID 2240, msiexec.exe: C:\Windows\Installer\MSIA47C.tmp (executable)
MD5: 4A3F6A4023ABD6BBA56534DE47D20017
SHA256: A8DFDC283AD8D4DC6F500DDFAB564E79DADAE075C0D54784B50E1CA548709B30
PID 2240, msiexec.exe: C:\Windows\Installer\MSIA42D.tmp (executable)
MD5: 5A1F2196056C0A06B79A77AE981C7761
SHA256: 52F41817669AF7AC55B1516894EE705245C3148F2997FA0E6617E9CC6353E41E
PID 2240, msiexec.exe: C:\Windows\Installer\11a334.ipi (binary)
MD5: 10CE03FBE982D03C5FE27A67BB9B5D57
SHA256: D6868FA9345B711299BF9C533C5263DA15ABC6C5AB2C445166FA5754C4BF7A30
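The process and dropped-file tables above describe a chain worth encoding as detection rules rather than reading off by hand: WinRAR (PID 124) extracts Setup_Install.exe into Rar$EXb124.27891; the MEDIUM-integrity launch (PID 1432) exits with 3221226540, which is 0xC000042C (STATUS_ELEVATION_REQUIRED), and the same binary is relaunched at HIGH integrity (PID 1844); that instance runs msiexec /i against an MSI under AppData\Roaming with /quiet /qn and passes its own path as AI_SETUPEXEPATH (an Advanced Installer bootstrapper property); the SYSTEM-level msiexec custom action server (PID 2480, started with -Embedding) writes scrA7F6.ps1 and pssA808.ps1 into C:\Windows\SystemTemp; and the installer drops WindowsService.exe into a LocalAppDataFolder\Updates directory under the user profile, which is what the "creates files with name similar to system file names" signature is reacting to. Exit code 1603 on PIDs 824 and 1844 is ERROR_INSTALL_FAILURE, so the MSI did not complete in this run; rules therefore have to key on the attempt, not on a successful install. The Python script below is an added example, not part of the ANY.RUN report: it turns those observations into rules over event records constructed from the tables (the Proc/FileDrop layout, the rule names and the SYSTEM_LIKE_NAMES list are assumptions, not any EDR's schema), and includes a quote-aware msiexec command-line parser, since shlex mangles Windows paths.

```python
# Added example (not ANY.RUN's code): triage rules for the installer chain in the
# report above. Records are constructed from the report's tables; the Proc/FileDrop
# layout, rule names and SYSTEM_LIKE_NAMES are assumptions, not any EDR's schema.
from __future__ import annotations
import re
from dataclasses import dataclass

STATUS_ELEVATION_REQUIRED = 0xC000042C  # 3221226540 in the process table (PID 1432)
ERROR_INSTALL_FAILURE = 1603            # MSI fatal error, PIDs 824 and 1844
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)
SYSTEM_LIKE_NAMES = {"windowsservice.exe", "svchost.exe", "services.exe", "lsass.exe"}


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    integrity: str                 # MEDIUM / HIGH / SYSTEM, as the report labels it
    exit_code: int | None = None


@dataclass
class FileDrop:
    pid: int
    path: str
    kind: str = ""                 # "executable", "binary", or "" where the report has none


def split_cmdline(cmdline: str) -> list[str]:
    """Split on whitespace outside double quotes and drop the quotes. Backslashes
    are literal (Windows paths), which is why shlex is deliberately not used."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_msiexec(cmdline: str) -> dict:
    """Action, package, silent flag and PROPERTY=value pairs of an msiexec command line."""
    inv = {"action": None, "package": None, "silent": False, "properties": {}}
    toks, i = split_cmdline(cmdline)[1:], 0  # drop msiexec.exe itself
    while i < len(toks):
        low = toks[i].lower()
        if low in ("/i", "/x", "/a", "/p") and i + 1 < len(toks):
            inv["action"], inv["package"], i = low, toks[i + 1], i + 1
        elif low.startswith("/q") or low == "/passive":
            inv["silent"] = True  # /quiet, /qn, /qb, /passive: nothing shown to the user
        elif "=" in toks[i] and not low.startswith(("/", "-")):
            key, _, val = toks[i].partition("=")
            inv["properties"][key] = val
        i += 1
    return inv


def triage(procs: list[Proc], drops: list[FileDrop]) -> list[tuple[str, int, str]]:
    """(rule, pid, detail) findings for the chain seen in this sandbox run."""
    findings, by_pid = [], {p.pid: p for p in procs}
    for p in procs:
        if p.image.rsplit("\\", 1)[-1].lower() == "msiexec.exe":
            inv = parse_msiexec(p.cmdline)
            if inv["action"] == "/i" and inv["silent"] and USER_WRITABLE.match(inv["package"] or ""):
                findings.append(("silent_msi_from_user_path", p.pid, inv["package"]))
            src = inv["properties"].get("AI_SETUPEXEPATH", "")  # Advanced Installer bootstrapper EXE
            if USER_WRITABLE.match(src):
                findings.append(("msi_bootstrapped_by_temp_exe", p.pid, src))
        if p.exit_code == STATUS_ELEVATION_REQUIRED:
            retry = [q.pid for q in procs if q.pid != p.pid and q.image.lower() == p.image.lower()
                     and q.integrity in ("HIGH", "SYSTEM")]
            if retry:
                findings.append(("elevation_retry", p.pid, f"relaunched elevated as PID {retry[0]}"))
    for d in drops:
        owner, low = by_pid.get(d.pid), d.path.lower()
        if owner and owner.integrity == "SYSTEM" and low.startswith("c:\\windows\\systemtemp\\") and low.endswith(".ps1"):
            findings.append(("system_ps1_drop", d.pid, d.path))
        if d.kind == "executable" and USER_WRITABLE.match(low) and low.rsplit("\\", 1)[-1] in SYSTEM_LIKE_NAMES:
            findings.append(("system_name_in_user_path", d.pid, d.path))
    return findings


# Constructed from the report's tables (PIDs, paths, integrity levels and exit codes as listed there).
SETUP_EXE = r"C:\Users\admin\AppData\Local\Temp\Rar$EXb124.27891\Setup_Install.exe"
MSI_CMD = (r'"C:\Windows\system32\msiexec.exe" /i "C:\Users\admin\AppData\Roaming\Getintopc.com'
           r'\EXE - Step 3 - Setup_Install 1.0.0\install\A9F990C\GetintoPC-Top-EXE.msi" /quiet /qn '
           r'AI_SETUPEXEPATH=C:\Users\admin\AppData\Local\Temp\Rar$EXb124.27891\Setup_Install.exe '
           r'SETUPEXEDIR=C:\Users\admin\AppData\Local\Temp\Rar$EXb124.27891\ '
           r'EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1717661329 " AI_EUIMSI=""')
PROCS = [
    Proc(1432, SETUP_EXE, f'"{SETUP_EXE}"', "MEDIUM", STATUS_ELEVATION_REQUIRED),
    Proc(1844, SETUP_EXE, f'"{SETUP_EXE}"', "HIGH", ERROR_INSTALL_FAILURE),
    Proc(824, r"C:\Windows\System32\msiexec.exe", MSI_CMD, "HIGH", ERROR_INSTALL_FAILURE),
    Proc(2480, r"C:\Windows\System32\msiexec.exe",  # -Embedding: custom action server run by the service
         r"C:\Windows\system32\MsiExec.exe -Embedding A70EC14E53EFC7D4C0DFBA033C85A8EB E Global\MSI0000", "SYSTEM", 0),
]
DROPS = [
    FileDrop(1844, r"C:\Users\admin\AppData\Roaming\Getintopc.com\EXE - Step 3 - Setup_Install 1.0.0"
             r"\install\A9F990C\LocalAppDataFolder\Updates\WindowsService.exe", "executable"),
    FileDrop(2480, r"C:\Windows\SystemTemp\msiA7F5.txt"),
    FileDrop(2480, r"C:\Windows\SystemTemp\scrA7F6.ps1"),
    FileDrop(2480, r"C:\Windows\SystemTemp\pssA808.ps1"),
]
```

Running `triage(PROCS, DROPS)` on the constructed records yields six findings: two on PID 824 (silent install from a user-writable path, bootstrapped from a Temp EXE), the elevation retry on PID 1432, two .ps1 drops by the SYSTEM msiexec (PID 2480) and the WindowsService.exe drop by PID 1844. The only network activity in the report, IDMan.exe fetching authrootstl.cab from ctldl.windowsupdate.com, is the Microsoft root certificate trust list download that goes with the "Checks Windows Trust Settings" signature, so the network tables alone would not have surfaced this sample; the process and file tables carry the signal.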
HTTP(S) requests
1
TCP/UDP connections
5
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2816 | IDMan.exe | GET | 23.32.238.216:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?dc7c14e76654da01 | unknown | unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4 | System | 192.168.100.255:137 | whitelisted
224.0.0.252:5355 | unknown
4 | System | 192.168.100.255:138 | whitelisted
2816 | IDMan.exe | 23.32.238.216:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown

DNS requests

Domain
IP
Reputation
ctldl.windowsupdate.com
  • 23.32.238.216
  • 23.32.238.203
  • 23.32.238.201
  • 23.32.238.168
  • 23.32.238.169
  • 23.32.238.185
  • 23.32.238.200
  • 23.32.238.210
  • 23.32.238.235
whitelisted

Threats

No threats detected
No debug info