File name: Win 10 Tweaker Pro 15.2 MOD Portable.7z
Full analysis: https://app.any.run/tasks/0c95ae8f-aeb6-4a68-89cf-974e9c4cbb74
Verdict: Malicious activity
Analysis date: November 16, 2019, 22:26:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: 826234122DBDC122DC2423BEEF43881C
SHA1: BEE7CDD4DCD850D74B9D62B3D0AA8D619DF230FA
SHA256: 4107A9C527BF648B942554C8AE69F80BB32FC635301F2B1440143686DB99095A
SSDEEP: 12288:SVrYqg0buhfUn7b8bI2dToz4TOQwImaUAdE1WcZCppvWgZNiyqNSqC6yUbhjhM+Q:SvbbuJQh2dskVTUAShqpxZqNSMjM+LjY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • Win10TweakerPort.exe (PID: 2476)
      • Win10TweakerPort.exe (PID: 1956)
      • Win10TweakerNoF8Port.exe (PID: 1296)
      • Win10TweakerNoF8Port.exe (PID: 2200)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 3356)
      • cmd.exe (PID: 3808)
      • cmd.exe (PID: 3836)
      • cmd.exe (PID: 2864)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 184)
      • schtasks.exe (PID: 1536)
      • schtasks.exe (PID: 2152)
      • schtasks.exe (PID: 444)
    • Changes settings of System certificates

      • Win 10 Tweaker.exe (PID: 2820)
  • SUSPICIOUS

    • Reads CPU info

      • Win 10 Tweaker.exe (PID: 2992)
      • Win 10 Tweaker.exe (PID: 2820)
    • Reads Environment values

      • Win 10 Tweaker.exe (PID: 2992)
      • Win 10 Tweaker.exe (PID: 2820)
    • Executable content was dropped or overwritten

      • Win10TweakerPort.exe (PID: 1956)
      • Win10TweakerPort.exe (PID: 2476)
      • Win10TweakerNoF8Port.exe (PID: 1296)
      • Win10TweakerNoF8Port.exe (PID: 2200)
    • Writes to a desktop.ini file (may be used to cloak folders)

      • WinRAR.exe (PID: 2524)
      • Win10TweakerPort.exe (PID: 2476)
      • Win10TweakerNoF8Port.exe (PID: 2200)
    • Application launched itself

      • Win10TweakerPort.exe (PID: 1956)
      • Win10TweakerNoF8Port.exe (PID: 1296)
    • Starts CMD.EXE for commands execution

      • Win 10 Tweaker.exe (PID: 2992)
      • Win 10 Tweaker.exe (PID: 2820)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 1800)
    • Reads mouse settings

      • Win 10 Tweaker.exe (PID: 2992)
      • Win 10 Tweaker.exe (PID: 2820)
    • Uses NETSH.EXE for network configuration

      • cmd.exe (PID: 3940)
      • cmd.exe (PID: 2096)
    • Starts application with an unusual extension

      • cmd.exe (PID: 3808)
      • cmd.exe (PID: 3356)
      • cmd.exe (PID: 3836)
      • cmd.exe (PID: 2864)
    • Executes PowerShell scripts

      • Win 10 Tweaker.exe (PID: 2992)
      • Win 10 Tweaker.exe (PID: 2820)
    • Creates files in the user directory

      • powershell.exe (PID: 3408)
      • Win 10 Tweaker.exe (PID: 2820)
      • powershell.exe (PID: 332)
    • Adds / modifies Windows certificates

      • Win 10 Tweaker.exe (PID: 2820)
    • Reads internet explorer settings

      • Win 10 Tweaker.exe (PID: 2820)
    • Reads Internet Cache Settings

      • Win 10 Tweaker.exe (PID: 2820)
  • INFO

    • Manual execution by user

      • Win10TweakerPort.exe (PID: 1956)
      • Win10TweakerNoF8Port.exe (PID: 1296)
    • Reads the hosts file

      • Win 10 Tweaker.exe (PID: 2992)
      • Win 10 Tweaker.exe (PID: 2820)
    • Reads settings of System Certificates

      • Win 10 Tweaker.exe (PID: 2820)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
All screenshots are available in the full report
Total processes: 80
Monitored processes: 27
Malicious processes: 6
Suspicious processes: 4

Behavior graph


Process information

PID: 2524
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Win 10 Tweaker Pro 15.2 MOD Portable.7z"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 1956
CMD: "C:\Users\admin\Desktop\Win 10 Tweaker Pro 15.2 MOD Portable\Win10TweakerPort.exe"
Path: C:\Users\admin\Desktop\Win 10 Tweaker Pro 15.2 MOD Portable\Win10TweakerPort.exe
Parent process: explorer.exe
User: admin
Company: Zeka
Integrity Level: MEDIUM
Description: Win 10 Tweaker Portable
Exit code: 1223
Version: 2.2.1.0

PID: 2476
CMD: "C:\Users\admin\Desktop\Win 10 Tweaker Pro 15.2 MOD Portable\Win10TweakerPort.exe" /UAC:401DC /NCRC
Path: C:\Users\admin\Desktop\Win 10 Tweaker Pro 15.2 MOD Portable\Win10TweakerPort.exe
Parent process: Win10TweakerPort.exe
User: admin
Company: Zeka
Integrity Level: HIGH
Description: Win 10 Tweaker Portable
Exit code: 1223
Version: 2.2.1.0

PID: 2992
CMD: "C:\Users\admin\Desktop\Win 10 Tweaker Pro 15.2 MOD Portable\App\Tweaker\Win 10 Tweaker.exe" /UAC:401DC /NCRC
Path: C:\Users\admin\Desktop\Win 10 Tweaker Pro 15.2 MOD Portable\App\Tweaker\Win 10 Tweaker.exe
Parent process: Win10TweakerPort.exe
User: admin
Company: Шлюха
Integrity Level: HIGH
Description: Проститутка
Exit code: 1
Version: Анус дырявый

PID: 3356
CMD: "cmd.exe" /c chcp 65001 & schtasks /TN \Microsoft\Windows\Maintenance\WinSAT
Path: C:\Windows\system32\cmd.exe
Parent process: Win 10 Tweaker.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 4004
CMD: chcp 65001
Path: C:\Windows\system32\chcp.com
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Change CodePage Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1536
CMD: schtasks /TN \Microsoft\Windows\Maintenance\WinSAT
Path: C:\Windows\system32\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Manages scheduled tasks
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3808
CMD: "cmd.exe" /c chcp 65001 & schtasks /TN \Microsoft\Windows\MemoryDiagnostic\CorruptionDetector
Path: C:\Windows\system32\cmd.exe
Parent process: Win 10 Tweaker.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3336
CMD: chcp 65001
Path: C:\Windows\system32\chcp.com
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Change CodePage Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 184
CMD: schtasks /TN \Microsoft\Windows\MemoryDiagnostic\CorruptionDetector
Path: C:\Windows\system32\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Manages scheduled tasks
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Total events: 10 421
Read events: 10 129
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 10
Suspicious files: 5
Text files: 18
Unknown types: 1

Dropped files

All dropped files below were written by WinRAR.exe (PID 2524); the MD5, SHA256 and type fields are not listed in this summary.

  • C:\Users\admin\AppData\Local\Temp\Rar$DRa2524.19831\Win 10 Tweaker Pro 15.2 MOD Portable\App\AppInfo\appicon.ico
  • C:\Users\admin\AppData\Local\Temp\Rar$DRa2524.19831\Win 10 Tweaker Pro 15.2 MOD Portable\App\AppInfo\appinfo.ini
  • C:\Users\admin\AppData\Local\Temp\Rar$DRa2524.19831\Win 10 Tweaker Pro 15.2 MOD Portable\App\AppInfo\Launcher\Win10TweakerNoF8Port.ini
  • C:\Users\admin\AppData\Local\Temp\Rar$DRa2524.19831\Win 10 Tweaker Pro 15.2 MOD Portable\App\AppInfo\Launcher\Win10TweakerPort.ini
  • C:\Users\admin\AppData\Local\Temp\Rar$DRa2524.19831\Win 10 Tweaker Pro 15.2 MOD Portable\App\DefaultData\settings\Win10Tweaker.reg
  • C:\Users\admin\AppData\Local\Temp\Rar$DRa2524.19831\Win 10 Tweaker Pro 15.2 MOD Portable\desktop.ini
  • C:\Users\admin\AppData\Local\Temp\Rar$DRa2524.19831\Win 10 Tweaker Pro 15.2 MOD Portable\Внимание.txt
  • C:\Users\admin\AppData\Local\Temp\Rar$DRa2524.19831\Win 10 Tweaker Pro 15.2 MOD Portable\Описание.txt
  • C:\Users\admin\AppData\Local\Temp\Rar$DRa2524.19831\Win 10 Tweaker Pro 15.2 MOD Portable\App\Tweaker\Win 10 Tweaker.exe
  • C:\Users\admin\AppData\Local\Temp\Rar$DRa2524.19831\Win 10 Tweaker Pro 15.2 MOD Portable\Win10TweakerNoF8Port.exe
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID 2820, Win 10 Tweaker.exe
  • IP: 87.236.16.98:443
  • Domain: jailbreakvideo.ru
  • ASN: Beget Ltd
  • CN: RU
  • Reputation: suspicious

PID 2820, Win 10 Tweaker.exe
  • IP: 216.58.207.36:443
  • Domain: www.google.com
  • ASN: Google Inc.
  • CN: US
  • Reputation: whitelisted

DNS requests

  • www.google.com -> 216.58.207.36 (reputation: whitelisted)
  • jailbreakvideo.ru -> 87.236.16.98 (reputation: suspicious)

Threats

No threats detected
No debug info