File name: Generator Doładowań 2012 (Darmowe doładowania).rar

Full analysis: https://app.any.run/tasks/e342d1f4-a11f-4746-8f21-ca6db5930a33
Verdict: Malicious activity
Analysis date: February 11, 2024, 02:20:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: evasion
Indicators:
MIME: application/x-rar
File info: RAR archive data, v2.0, os: Win32
MD5: 677A40CA7F9697E43006C782F632EA40
SHA1: 8C17D5D9D2A5F6F7D630273A305C8651F4145806
SHA256: A1891D3F5ECB2CDEA4F7618718C7508EE7A45128A538708E6BFA29D31C7CAFAA
SSDEEP: 49152:zX3aMVsggY8aN/Begjy4kb7kQH6RP3/Ma0Kv1VApsCbZakC4+5xnNkFTfXC+BC59:TZGzbLkdVADokCrKTq+d2/R

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • WinRAR.exe (PID: 3796)
  • SUSPICIOUS
    • Reads the Internet Settings
      • Generator Doładowań 2012.exe (PID: 3708)
    • Reads settings of System Certificates
      • Generator Doładowań 2012.exe (PID: 3708)
    • Checks for external IP
      • Generator Doładowań 2012.exe (PID: 3708)
  • INFO
    • Manual execution by a user
      • Generator Doładowań 2012.exe (PID: 3708)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3796)
    • Checks supported languages
      • Generator Doładowań 2012.exe (PID: 3708)
    • Reads the computer name
      • Generator Doładowań 2012.exe (PID: 3708)
    • Reads the machine GUID from the registry
      • Generator Doładowań 2012.exe (PID: 3708)
    • Reads Environment values
      • Generator Doładowań 2012.exe (PID: 3708)
    • Create files in a temporary directory
      • Generator Doładowań 2012.exe (PID: 3708)
    • Reads the software policy settings
      • Generator Doładowań 2012.exe (PID: 3708)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize: 1224767
UncompressedSize: 1224704
OperatingSystem: Win32
ModifyDate: 2012:12:02 14:54:04
PackingMethod: Stored
ArchivedFileName: Generator Doładowań 2012.exe
No data.
Total processes: 38
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start winrar.exe generator doładowań 2012.exe

Process information

PID 3708
CMD: "C:\Users\admin\Desktop\Generator Doładowań 2012.exe"
Path: C:\Users\admin\Desktop\Generator Doładowań 2012.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: DOLAD
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\desktop\generator doładowań 2012.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID 3796
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Generator Doładowań 2012 (Darmowe doładowania).rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events: 9 365
Read events: 9 316
Write events: 49
Delete events: 0

Modification events

PID | Process | Operation | Key | Name | Value
3796 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP |
3796 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon |
3796 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | LanguageList | en-US
3796 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 3 | C:\Users\admin\Desktop\phacker.zip
3796 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 2 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
3796 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 1 | C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
3796 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\Generator Doładowań 2012 (Darmowe doładowania).rar
3796 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
3796 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
3796 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
Executable files: 1
Suspicious files: 3
Text files: 2
Unknown types: 1

Dropped files

PID | Process | Filename | Type
3796 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3796.3345\Generator Doładowań 2012.exe | executable
  MD5: 258DF72CD597AA0A239D364F9F7122BA
  SHA256: 9C190B9DDD86505882931BCC78C315CF34A7A2D14C5C0B1F38228E10E068B921
3796 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3796.3345\3.1mb.txt | text
  MD5: 16737B9B0C28EB5844977CE6F6322797
  SHA256: 649D349DF8C76B8EA9E2143A65CADD03FA7DE4EBE00CC966B6381397FBA2E908
3796 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3796.3345\Zarabiaj w internecie!!.txt | text
  MD5: 0B9DAFAED8E7903C8EA2FEB82A90E2F8
  SHA256: ECA38CF665BA4B013EBA30A32EA5E5459CE3A31632E08EAA867D73C73B0BA5C3
3708 | Generator Doładowań 2012.exe | C:\Users\admin\AppData\Local\Temp\Tar41E7.tmp | binary
  MD5: 9C0C641C06238516F27941AA1166D427
  SHA256: 4276AF3669A141A59388BC56A87F6614D9A9BDDDF560636C264219A7EB11256F
3708 | Generator Doładowań 2012.exe | C:\Users\admin\AppData\Local\Temp\Cab41E6.tmp | compressed
  MD5: AC05D27423A85ADC1622C714F2CB6184
  SHA256: C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D
3708 | Generator Doładowań 2012.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | compressed
  MD5: AC05D27423A85ADC1622C714F2CB6184
  SHA256: C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D
3708 | Generator Doładowań 2012.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | binary
  MD5: D792D280BE0AB663EEF4CB6127380661
  SHA256: 66DE450F5BA9353B3E3934D84CAB14F00CC52240D507A38242E58CC6FCA7DEA8
HTTP(S) requests: 42
TCP/UDP connections: 111
DNS requests: 7
Threats: 34

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3708 | Generator Doładowań 2012.exe | GET | 301 | 51.79.49.219:80 | http://cmyip.com/ | unknown | html | 226 b | unknown
3708 | Generator Doładowań 2012.exe | GET | 200 | 41.63.96.0:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?f3ac3a6ecc96bed9 | unknown | compressed | 65.2 Kb | unknown
3708 | Generator Doładowań 2012.exe | GET | 301 | 51.79.49.219:80 | http://cmyip.com/ | unknown | html | 226 b | unknown
3708 | Generator Doładowań 2012.exe | GET | 301 | 51.79.49.219:80 | http://cmyip.com/ | unknown | html | 226 b | unknown
3708 | Generator Doładowań 2012.exe | GET | 302 | 178.182.200.84:80 | http://download.t-mobile.pl/updir/updir.cgi?msisdn=48883795291 | unknown | | | unknown
3708 | Generator Doładowań 2012.exe | POST | 405 | 95.211.144.68:80 | http://futerko.cba.pl/dolaa/added.php | unknown | html | 552 b | unknown
3708 | Generator Doładowań 2012.exe | GET | 301 | 51.79.49.219:80 | http://cmyip.com/ | unknown | html | 226 b | unknown
3708 | Generator Doładowań 2012.exe | GET | 301 | 172.67.70.98:80 | http://cpalead.com/exitpopup-lander-spin.php?pub=164436&gateid=437734 | unknown | | | unknown
3708 | Generator Doładowań 2012.exe | POST | 405 | 95.211.144.68:80 | http://futerko.cba.pl/dolaa/added.php | unknown | html | 552 b | unknown
3708 | Generator Doładowań 2012.exe | GET | 301 | 51.79.49.219:80 | http://cmyip.com/ | unknown | html | 226 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown
3708 | Generator Doładowań 2012.exe | 51.79.49.219:80 | cmyip.com | OVH SAS | CA | unknown
3708 | Generator Doładowań 2012.exe | 51.79.49.219:443 | cmyip.com | OVH SAS | CA | unknown
3708 | Generator Doładowań 2012.exe | 41.63.96.0:80 | ctldl.windowsupdate.com | LLNW | ZA | unknown
3708 | Generator Doładowań 2012.exe | 178.182.200.84:80 | download.t-mobile.pl | T-Mobile Polska S.A. | PL | unknown
3708 | Generator Doładowań 2012.exe | 178.182.200.84:443 | download.t-mobile.pl | T-Mobile Polska S.A. | PL | unknown
3708 | Generator Doładowań 2012.exe | 95.211.144.68:80 | futerko.cba.pl | LeaseWeb Netherlands B.V. | NL | unknown
3708 | Generator Doładowań 2012.exe | 172.67.70.98:80 | cpalead.com | CLOUDFLARENET | US | unknown

DNS requests

Domain | IP | Reputation
cmyip.com | 51.79.49.219 | unknown
ctldl.windowsupdate.com | 41.63.96.0 | whitelisted
www.cmyip.com | 51.79.49.219 | unknown
download.t-mobile.pl | 178.182.200.84 | unknown
futerko.cba.pl | 95.211.144.68 | unknown
cpalead.com | 172.67.70.98, 104.26.1.163, 104.26.0.163 | whitelisted
www.cpalead.com | 104.26.1.163, 172.67.70.98, 104.26.0.163 | malicious

Threats

PID | Process | Class | Message
3708 | Generator Doładowań 2012.exe | Attempted Information Leak | ET POLICY IP Check Domain (cmyip.com in HTTP Host) (this alert was raised 10 times)
2 ETPRO signatures available at the full report
No debug info