File name: Win 10 Tweaker 15.2 Pro-RSLOAD.NET-.zip
Full analysis: https://app.any.run/tasks/a7070f3c-049e-4091-815c-f9f4ff026cfb
Verdict: Malicious activity
Analysis date: November 16, 2019, 22:14:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: F03B189A54332A0A3FF9C3D06FF73D42
SHA1: E220ADC35F1991266665C7ECB83455698236A024
SHA256: 19CA365A1DB3A7DADB58D705841E45401FB1C92BE99958ABD394B258891716FE
SSDEEP: 49152:4IoifIqVMtnLGL5BK5NA39o+4Vdx/yFmi597c2Hi27lsFVUDzNx0aaBA5FEXgmy:JoifPVM8BkONoryFmi5eEmFVUP70akfc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Repair Win 10 Tweaker v5.0.exe (PID: 460)
      • Repair Win 10 Tweaker v5.0.exe (PID: 2564)
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 3476)
      • Repair Win 10 Tweaker v5.0.exe (PID: 2564)
    • Changes settings of System certificates
      • Win 10 Tweaker 15.2.exe (PID: 3880)
    • Uses Task Scheduler to run other applications
      • cmd.exe (PID: 3924)
      • cmd.exe (PID: 1096)
    • Loads the Task Scheduler COM API
      • schtasks.exe (PID: 2996)
      • schtasks.exe (PID: 2552)
  • SUSPICIOUS
    • Low-level read access rights to disk partition
      • Repair Win 10 Tweaker v5.0.exe (PID: 2564)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 1484)
      • Repair Win 10 Tweaker v5.0.exe (PID: 2564)
    • Reads CPU info
      • Win 10 Tweaker 15.2.exe (PID: 3880)
      • Win 10 Tweaker 15.2.exe (PID: 2776)
    • Reads Environment values
      • Win 10 Tweaker 15.2.exe (PID: 3880)
      • Win 10 Tweaker 15.2.exe (PID: 2776)
    • Starts CMD.EXE for commands execution
      • Win 10 Tweaker 15.2.exe (PID: 3880)
      • Repair Win 10 Tweaker v5.0.exe (PID: 2564)
      • Win 10 Tweaker 15.2.exe (PID: 2776)
    • Adds / modifies Windows certificates
      • Win 10 Tweaker 15.2.exe (PID: 3880)
    • Starts CMD.EXE for self-deleting
      • Repair Win 10 Tweaker v5.0.exe (PID: 2564)
    • Uses TASKKILL.EXE to kill process
      • cmd.exe (PID: 3956)
    • Starts application with an unusual extension
      • cmd.exe (PID: 3924)
      • cmd.exe (PID: 1096)
    • Uses ATTRIB.EXE to modify file attributes
      • cmd.exe (PID: 3992)
    • Reads mouse settings
      • Win 10 Tweaker 15.2.exe (PID: 2776)
    • Executes PowerShell scripts
      • Win 10 Tweaker 15.2.exe (PID: 2776)
    • Uses NETSH.EXE for network configuration
      • cmd.exe (PID: 1048)
    • Creates files in the user directory
      • powershell.exe (PID: 2304)
  • INFO
    • Manual execution by user
      • Repair Win 10 Tweaker v5.0.exe (PID: 2564)
      • Repair Win 10 Tweaker v5.0.exe (PID: 460)
      • NOTEPAD.EXE (PID: 2588)
      • Win 10 Tweaker 15.2.exe (PID: 2196)
      • Win 10 Tweaker 15.2.exe (PID: 3880)
      • Win 10 Tweaker 15.2.exe (PID: 2472)
      • Win 10 Tweaker 15.2.exe (PID: 2776)
    • Reads settings of System Certificates
      • Win 10 Tweaker 15.2.exe (PID: 3880)
    • Reads the hosts file
      • Win 10 Tweaker 15.2.exe (PID: 2776)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
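The indicator list above is a set of process-chain patterns (a dropped binary re-launched at HIGH integrity, regini/schtasks/taskkill/netsh/attrib/powershell driven from a binary in the user's profile, and cmd.exe calling taskkill against the very process that spawned it). The following is an added example of how to turn those patterns into detection logic over process-creation events; it is not ANY.RUN's signature code. The event schema, the explorer.exe root (PID 1000) and the schtasks command lines marked "constructed" are assumptions, since the report shows only process names for those; the other events mirror the PIDs and paths in the report.

```python
"""Detection rules for the process-chain behaviours listed in the report:
  uac_relaunch          same image, same parent, MEDIUM first then HIGH
  lolbin_from_user_path a system utility whose ancestry leads to a user-writable path
  kills_own_ancestor    taskkill /pid aimed at one of the caller's own ancestors
Added example, not ANY.RUN's signatures; schema and constructed lines are assumptions."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str        # full path of the started process
    cmdline: str
    integrity: str    # "Medium" | "High" | "System"


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


# Utilities this report shows being driven from the dropped binaries.
LOLBINS = {"regini.exe", "schtasks.exe", "taskkill.exe", "netsh.exe", "attrib.exe", "powershell.exe"}
USER_WRITABLE = re.compile(r"^C:\\(Users|ProgramData|Windows\\Temp)\\", re.IGNORECASE)
TASKKILL_PID = re.compile(r'taskkill\b.*?/pid\s+"?(\d+)', re.IGNORECASE)

# Constructed events modelled on the report's process list. explorer.exe (PID 1000) is an
# assumed root; the two schtasks-related command lines are invented for illustration.
EVENTS = [
    ProcEvent(1000, 0, r"C:\Windows\explorer.exe", "explorer.exe", "Medium"),
    ProcEvent(1484, 1000, r"C:\Program Files\WinRAR\WinRAR.exe",
              r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Win 10 Tweaker 15.2 Pro-RSLOAD.NET-.zip"', "Medium"),
    ProcEvent(460, 1000, r"C:\Users\admin\Desktop\Repair Win 10 Tweaker v5.0.exe",
              r'"C:\Users\admin\Desktop\Repair Win 10 Tweaker v5.0.exe"', "Medium"),
    ProcEvent(2564, 1000, r"C:\Users\admin\Desktop\Repair Win 10 Tweaker v5.0.exe",
              r'"C:\Users\admin\Desktop\Repair Win 10 Tweaker v5.0.exe"', "High"),
    ProcEvent(392, 2564, r"C:\Windows\system32\regini.exe",
              r"regini C:\Users\admin\AppData\Local\Temp\res.txt", "High"),
    ProcEvent(2196, 1000, r"C:\Users\admin\Desktop\Win 10 Tweaker\Win 10 Tweaker 15.2.exe",
              r'"C:\Users\admin\Desktop\Win 10 Tweaker\Win 10 Tweaker 15.2.exe"', "Medium"),
    ProcEvent(3880, 1000, r"C:\Users\admin\Desktop\Win 10 Tweaker\Win 10 Tweaker 15.2.exe",
              r'"C:\Users\admin\Desktop\Win 10 Tweaker\Win 10 Tweaker 15.2.exe"', "High"),
    ProcEvent(3956, 3880, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c taskkill /f /pid "3880"', "High"),
    ProcEvent(996, 3956, r"C:\Windows\system32\taskkill.exe", r'taskkill /f /pid "3880"', "High"),
    # constructed: the report lists cmd.exe -> chcp.com -> schtasks.exe but not the arguments
    ProcEvent(3924, 3880, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c chcp 1251 & schtasks /create /tn ExampleTask /tr "C:\Users\admin\example.exe" /sc onlogon', "High"),
    ProcEvent(2996, 3924, r"C:\Windows\system32\schtasks.exe",
              r'schtasks /create /tn ExampleTask /tr "C:\Users\admin\example.exe" /sc onlogon', "High"),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def lineage(pid, by_pid):
    """[process, parent, grandparent, ...] for the PIDs we hold events for."""
    out, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        out.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return out


def analyze(events):
    by_pid = {e.pid: e for e in events}
    findings, first_integrity = [], {}
    for e in events:
        # Rule 1: the MEDIUM launch fails (0xC000042C in the report) and the same file
        # is started again from the same parent at HIGH integrity.
        key = (e.image.lower(), e.ppid)
        if e.integrity == "High" and first_integrity.get(key) == "Medium":
            findings.append(Finding("uac_relaunch", e.pid, e.image))
        first_integrity.setdefault(key, e.integrity)

        ancestors = lineage(e.pid, by_pid)[1:]
        # Rule 2: a system utility whose ancestry leads back to a user-writable path.
        if basename(e.image) in LOLBINS:
            src = next((a for a in ancestors if USER_WRITABLE.match(a.image)), None)
            if src is not None:
                findings.append(Finding("lolbin_from_user_path", e.pid, f"via PID {src.pid}"))
        # Rule 3: taskkill /pid pointing at one of the caller's own ancestors.
        m = TASKKILL_PID.search(e.cmdline)
        if m and int(m.group(1)) in {a.pid for a in ancestors}:
            findings.append(Finding("kills_own_ancestor", e.pid, f"target PID {m.group(1)}"))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f.rule:24} PID {f.pid:<5} {f.detail}")
```

Rule 2 deliberately walks the whole ancestry rather than checking the direct parent, because the report shows the dropped binaries interposing cmd.exe and chcp.com before schtasks.exe; a parent-only check would miss PID 2996. On a real host the same rules run over Sysmon Event ID 1 or Security 4688 records, which carry the same PID, parent PID, image, command line and integrity fields used here.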
No Malware configuration.

TRiD
.zip | ZIP compressed archive (100)

EXIF (ZIP, first central-directory entry)
ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2019:05:28 15:26:11
ZipCRC: 0xb44ac292
ZipCompressedSize: 274705
ZipUncompressedSize: 302592
ZipFileName: Repair Win 10 Tweaker v5.0.exe
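The EXIF block above is what ExifTool reads out of the archive's first central-directory entry, and the MD5/SHA1/SHA256 at the top of the report are hashes of the whole zip. As an added example (not the sandbox's own code), the script below reproduces both for any archive, verifies each entry's CRC, and flags what a triage analyst looks for first: executable entries and path-traversal names. The archive it parses is constructed in memory with a fake PE stub; it is not the analysed sample, so its hashes and sizes will not match the ones in the report.

```python
"""Read a ZIP central directory the way the report's EXIF/ZIP block shows it
(required version, compression, modify date, CRC, sizes, entry name), check
CRCs, flag executables and path traversal, and hash the archive itself.
Added example; the archive is constructed here and is not the analysed file."""
import hashlib
import io
import zipfile
import zlib

EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".js", ".vbs", ".msi"}
COMPRESSION = {zipfile.ZIP_STORED: "Stored", zipfile.ZIP_DEFLATED: "Deflated"}


def build_sample_archive() -> bytes:
    """Constructed archive: a fake PE stub under the report's entry name plus a readme."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # DOS timestamps have 2-second resolution, so an even second is used here.
        info = zipfile.ZipInfo("Repair Win 10 Tweaker v5.0.exe", date_time=(2019, 5, 28, 15, 26, 10))
        info.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(info, b"MZ" + b"\x00" * 62 + b"fake PE stub, constructed for the example\n" * 50)
        zf.writestr("Читать.txt", "constructed readme\n".encode("utf-8"))
    return buf.getvalue()


def archive_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the archive bytes, upper-case as the report prints them."""
    return {alg: hashlib.new(alg, data).hexdigest().upper() for alg in ("md5", "sha1", "sha256")}


def describe_entries(data: bytes) -> list:
    """One dict per central-directory entry, fields named after the EXIF ZIP tags."""
    entries = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            name = zi.filename
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            flags = []
            if ext in EXECUTABLE_EXT:
                flags.append("executable")
            if ".." in name.split("/") or name.startswith(("/", "\\")):
                flags.append("path_traversal")
            try:
                crc_ok = zlib.crc32(zf.read(zi)) == zi.CRC   # zf.read itself also checks the CRC
            except (zipfile.BadZipFile, RuntimeError):       # RuntimeError: encrypted entry, no password
                crc_ok = False
            entries.append({
                "name": name,
                "required_version": zi.extract_version,
                "compression": COMPRESSION.get(zi.compress_type, str(zi.compress_type)),
                "modify_date": "%04d:%02d:%02d %02d:%02d:%02d" % zi.date_time,
                "crc": "0x%08x" % zi.CRC,
                "compressed_size": zi.compress_size,
                "uncompressed_size": zi.file_size,
                "encrypted": bool(zi.flag_bits & 0x1),
                "crc_ok": crc_ok,
                "flags": flags,
            })
    return entries


if __name__ == "__main__":
    sample = build_sample_archive()
    for alg, digest in archive_hashes(sample).items():
        print(f"{alg.upper()}: {digest}")
    for entry in describe_entries(sample):
        print(entry)
```

Replace `build_sample_archive()` with `open(path, "rb").read()` to run this over a real submission. An entry whose `crc_ok` is false or whose `encrypted` flag is set is worth noting before detonation: password-protected archives are a common way to get a payload past mail and gateway scanners.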
All screenshots are available in the full report
Total processes: 77
Monitored processes: 24
Malicious processes: 2
Suspicious processes: 3

Behavior graph

Process chain as displayed in the report ("no specs" is the report's own label for processes without recorded details):
  • winrar.exe
  • repair win 10 tweaker v5.0.exe (no specs)
  • repair win 10 tweaker v5.0.exe
  • searchprotocolhost.exe (no specs)
  • notepad.exe (no specs)
  • regini.exe (no specs)
  • win 10 tweaker 15.2.exe (no specs)
  • win 10 tweaker 15.2.exe
  • cmd.exe (no specs)
  • taskkill.exe (no specs)
  • cmd.exe (no specs)
  • timeout.exe (no specs)
  • attrib.exe (no specs)
  • win 10 tweaker 15.2.exe (no specs)
  • win 10 tweaker 15.2.exe
  • cmd.exe (no specs)
  • chcp.com (no specs)
  • schtasks.exe (no specs)
  • cmd.exe (no specs)
  • chcp.com (no specs)
  • schtasks.exe (no specs)
  • cmd.exe (no specs)
  • netsh.exe (no specs)
  • powershell.exe (no specs)

Process information

PID 1484
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Win 10 Tweaker 15.2 Pro-RSLOAD.NET-.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID 460
CMD: "C:\Users\admin\Desktop\Repair Win 10 Tweaker v5.0.exe"
Path: C:\Users\admin\Desktop\Repair Win 10 Tweaker v5.0.exe
Parent process: explorer.exe
User: admin
Company: JailbaitVideo
Integrity Level: MEDIUM
Description: Repair Win 10 Tweaker
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED; the same file then runs elevated as PID 2564)
Version: 5.00

PID 2564
CMD: "C:\Users\admin\Desktop\Repair Win 10 Tweaker v5.0.exe"
Path: C:\Users\admin\Desktop\Repair Win 10 Tweaker v5.0.exe
Parent process: explorer.exe
User: admin
Company: JailbaitVideo
Integrity Level: HIGH
Description: Repair Win 10 Tweaker
Exit code: 3221225547 (0xC000004B, STATUS_THREAD_IS_TERMINATING)
Version: 5.00

PID 3476
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID 2588
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\Читать.txt (Читать is Russian for "Read")
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 392
CMD: regini C:\Users\admin\AppData\Local\Temp\res.txt
Path: C:\Windows\system32\regini.exe
Parent process: Repair Win 10 Tweaker v5.0.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Initializer
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2196
CMD: "C:\Users\admin\Desktop\Win 10 Tweaker\Win 10 Tweaker 15.2.exe"
Path: C:\Users\admin\Desktop\Win 10 Tweaker\Win 10 Tweaker 15.2.exe
Parent process: explorer.exe
User: admin
Company: JailbreakVideo
Integrity Level: MEDIUM
Description: Win 10 Tweaker
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED; the same file then runs elevated as PID 3880)
Version: 15.2

PID 3880
CMD: "C:\Users\admin\Desktop\Win 10 Tweaker\Win 10 Tweaker 15.2.exe"
Path: C:\Users\admin\Desktop\Win 10 Tweaker\Win 10 Tweaker 15.2.exe
Parent process: explorer.exe
User: admin
Company: JailbreakVideo
Integrity Level: HIGH
Description: Win 10 Tweaker
Exit code: 1
Version: 15.2

PID 3956
CMD: "C:\Windows\System32\cmd.exe" /c taskkill /f /pid "3880"
Path: C:\Windows\System32\cmd.exe
Parent process: Win 10 Tweaker 15.2.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 996
CMD: taskkill /f /pid "3880"
Path: C:\Windows\system32\taskkill.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Terminates Processes
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 5 243
Read events: 4 997
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 2
Suspicious files: 5
Text files: 2
Unknown types: 0

Dropped files (PID, process, filename; type and hashes where the report shows them)

  • 1484 WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa1484.49553\W10T.KeyGen.DBF.exe
  • 1484 WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa1484.49553\Win 10 Tweaker\Win 10 Tweaker 12.4.exe
  • 1484 WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa1484.49553\Win 10 Tweaker\Win 10 Tweaker 13.0.exe
  • 1484 WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa1484.49553\Win 10 Tweaker\Win 10 Tweaker 14.3.exe
  • 1484 WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa1484.49553\Win 10 Tweaker\Win 10 Tweaker 15.2.exe
  • 1484 WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa1484.49553\Читать.txt
  • 2564 Repair Win 10 Tweaker v5.0.exe: C:\Users\admin\AppData\Local\Temp\song.xm
  • 2304 powershell.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MHK88U5Q7LMK9CLK4ZIF.temp
  • 2304 powershell.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
    MD5: 35375F3D71AE42AA9777154D256B33BF
    SHA256: BCFF55E0934722E7952EA75D73AE7CE376E4ADBC73DE5E71D629975E9EAC87EF
  • 1484 WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa1484.49553\Repair Win 10 Tweaker v5.0.exe (executable)
    MD5: F5B4BB7A1B0B04954D354D19554F88FE
    SHA256: F4AACB0E7C7528CADF7B1ADB57811546B4833055F6407217574096F010672EED
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID  | Process                 | IP                | Domain           | ASN       | CN | Reputation
3880 | Win 10 Tweaker 15.2.exe | 87.236.16.98:443  | win10tweaker.com | Beget Ltd | RU | suspicious

DNS requests

Domain           | IP           | Reputation
win10tweaker.com | 87.236.16.98 | suspicious

Threats

No threats detected
No debug info