File name:

Velocitys15TweaksPack.7z

Full analysis: https://app.any.run/tasks/8f568d16-d618-4c49-92a3-19d9b42f7396
Verdict: Malicious activity
Analysis date: December 13, 2024, 19:04:10
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
arch-doc
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

A983DB96CF6A69AF17F625228694C6D9

SHA1:

99289978C8734F51F798CEB12F3AB490ABF68288

SHA256:

29EC4B66B1127759FB830322AE431D78BCCB42CE23167D041A910FF859ACBBB1

SSDEEP:

98304:6Zzs6z1FiGt5MqCZdE5qOLb0UCCMbIQb0Zuypf0BOg7LulkOI3z8Ycy0Wmy2oTV6:waLn45

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 4504)

    • Antivirus name has been found in the command line (generic signature)

      • MpCmdRun.exe (PID: 3780)
      • MpCmdRun.exe (PID: 4596)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 4504)

    • Probably fake Windows Update file has been dropped

      • WinRAR.exe (PID: 4504)

    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 4504)

    • Executing commands from a ".bat" file

      • WinRAR.exe (PID: 4504)

    • Write to the desktop.ini file (may be used to cloak folders)

      • WinRAR.exe (PID: 4504)

  • INFO

    • The sample compiled with english language support

      • WinRAR.exe (PID: 4504)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4504)

    • Create files in a temporary directory

      • MpCmdRun.exe (PID: 3780)

    • The process uses the downloaded file

      • WinRAR.exe (PID: 4504)

    • Checks supported languages

      • MpCmdRun.exe (PID: 4596)
      • MpCmdRun.exe (PID: 3780)

    • Reads the computer name

      • MpCmdRun.exe (PID: 3780)
      • MpCmdRun.exe (PID: 4596)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion: 7z v0.04
ModifyDate: 2024:08:16 06:25:42+00:00
ArchivedFileName: Velocity's 15 Tweaks Pack
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
124
Monitored processes
7
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe cmd.exe no specs conhost.exe no specs mpcmdrun.exe no specs cmd.exe no specs conhost.exe no specs mpcmdrun.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2072\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3780"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR4504.49478"C:\Program Files\Windows Defender\MpCmdRun.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Malware Protection Command Line Utility
Exit code:
2
Version:
4.18.1909.6 (WinBuild.160101.0800)
Modules
Images
c:\program files\windows defender\mpcmdrun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
4444C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR4504.3636\Rar$Scan67490.bat" "C:\Windows\System32\cmd.exeWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
4504"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Velocitys15TweaksPack.7zC:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
4596"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR4504.3636"C:\Program Files\Windows Defender\MpCmdRun.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Malware Protection Command Line Utility
Exit code:
2
Version:
4.18.1909.6 (WinBuild.160101.0800)
Modules
Images
c:\program files\windows defender\mpcmdrun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
4724C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR4504.49478\Rar$Scan25697.bat" "C:\Windows\System32\cmd.exeWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
6072\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
1 710
Read events
1 700
Write events
10
Delete events
0

Modification events

(PID) Process:(4504) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(4504) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(4504) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(4504) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\Velocitys15TweaksPack.7z
(PID) Process:(4504) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(4504) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(4504) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(4504) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(4504) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\VirusScan
Operation:writeName:DefScanner
Value:
Windows Defender
Executable files
16
Suspicious files
8
Text files
23
Unknown types
14

Dropped files

PID
Process
Filename
Type
4504WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR4504.49478\Velocitys15TweaksPack.7z\Velocity's 15 Tweaks Pack\11. Device cleanup\DeviceCleanup.initext
MD5:71F887495A2C25BFF5B00CA4E9F3A1EE
SHA256:45D2D92DEB3E872B1A78AFD8C1949C1ABF68BE98B0E072CD527C664FDC06C115
4504WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR4504.49478\Velocitys15TweaksPack.7z\Velocity's 15 Tweaks Pack\8. Disable windows updates\Wub.initext
MD5:E774BF5669B46760AA61C6AA0A31CB67
SHA256:26F47C23D2494C61CFE17DF6AA1B894602728877581C95FF124B879E7A6CE628
4504WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR4504.49478\Velocitys15TweaksPack.7z\Velocity's 15 Tweaks Pack\2. Power plan\Power plan.lnklnk
MD5:464C4606AABDB3648C76D1121D3BF323
SHA256:3FB8646BA5F861EA6FD70CA0D21FB555EBCC52889E966BBB2E35952C045D1BFD
4504WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR4504.49478\Velocitys15TweaksPack.7z\Velocity's 15 Tweaks Pack\0. Create a restore point\Restore Point.lnklnk
MD5:7E6CA5FF427E56332EB24781283902B9
SHA256:C38003847F2A60E918FAFE557D5BCC56FB82205E0665F440A00490E51D78FF03
4504WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR4504.49478\Velocitys15TweaksPack.7z\Velocity's 15 Tweaks Pack\14. Defragment drives\dfrgui.lnklnk
MD5:984017C5E100F7245D3508DF5F8C5ADF
SHA256:DA4598C4C25B914E5F17432C0FE17A00ED74B55D66CFD48289EDB2A85C935853
4504WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR4504.49478\Velocitys15TweaksPack.7z\Velocity's 15 Tweaks Pack\2. Power plan\Powerplan copy and paste.txttext
MD5:07AAB9F5581508AA0CFFCAF4A6211357
SHA256:231ED7D53087321FC8846AC082847976E5A29ACD4FF6077DE00759515E772FCA
4504WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR4504.49478\Velocitys15TweaksPack.7z\Velocity's 15 Tweaks Pack\4. NVIDIA Profile Inspector settings\nvidiaProfileInspector.exe.configxml
MD5:CE6D0BC7328B0FAB08DE80F292C1EAA4
SHA256:383B8DCB968B6BD0633658D9BB55C4ACAF4C85A075AA456904A42D4E4EFD5561
4504WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR4504.49478\Velocitys15TweaksPack.7z\Velocity's 15 Tweaks Pack\4. NVIDIA Profile Inspector settings\Newest Nvidia Profile.nipxml
MD5:77667E62A091BB4835892B7D0DE5E20B
SHA256:DD45F5974A1C00893C8F1ABFB72D046D63BB76FB77EA09B6328B8A1C7D635454
4504WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR4504.49478\Velocitys15TweaksPack.7z\Velocity's 15 Tweaks Pack\12. Fortnite Config\GameUserSettings.initext
MD5:EED267F8DF27A6FBF62C1E5D6A1315FB
SHA256:ED224F8D41730752197BFF65B9E9E5214B9301D5373C3DF8D2950B7C6BD66B0B
4504WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR4504.49478\Velocitys15TweaksPack.7z\Velocity's 15 Tweaks Pack\1. Windows settings\Settings.urlurl
MD5:5E1DCBA4C21A6CCA2CA6AAA9FAD68FAB
SHA256:8D6E04F7A0A784157734992EAC17C0BACBBFA0F9B1C33C3A938F7EBCCBBCF1BA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
19
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1688
svchost.exe
GET
200
2.16.164.113:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.164.113:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1688
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1688
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.23.209.185:443
www.bing.com
Akamai International B.V.
GB
whitelisted
4
System
192.168.100.255:138
whitelisted
1688
svchost.exe
2.16.164.113:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
2.16.164.113:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
1688
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
www.bing.com
  • 2.23.209.185
  • 2.23.209.133
  • 2.23.209.149
  • 2.23.209.130
  • 2.23.209.189
  • 2.23.209.179
  • 2.23.209.140
  • 2.23.209.182
whitelisted
google.com
  • 142.250.185.142
whitelisted
crl.microsoft.com
  • 2.16.164.113
  • 2.16.164.112
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
self.events.data.microsoft.com
  • 104.208.16.90
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Velocitys15TweaksPack.7z