File name:

RIP Tweaks Free Pack V5.zip

Full analysis: https://app.any.run/tasks/bff1a411-5333-4a47-ba51-ad695ff1f4cf
Verdict: Malicious activity
Analysis date: December 20, 2024, 17:53:39
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

14AEA1C85FBF9DD355657FA8C387FC6F

SHA1:

F83C655373E25F10E215085199DC07F82CF0FCAD

SHA256:

573E996D359B26593F4255A62606EA5F38787DC53B70C911E0AA523685AE9439

SSDEEP:

1536:BQSOOseSChWDw4yc1prVL1Yg/gxX+1O1p1R1DpMl/:WFCMwrYhNKgYxX+QXDPu/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 4952)
    • Changes the autorun value in the registry

      • netsh.exe (PID: 188)
      • netsh.exe (PID: 5696)
  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6832)
      • cmd.exe (PID: 7112)
    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 6936)
      • cmd.exe (PID: 7112)
    • Executing commands from a ".bat" file

      • powershell.exe (PID: 6936)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6832)
      • cmd.exe (PID: 7112)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 6832)
    • Starts application with an unusual extension

      • cmd.exe (PID: 7112)
    • Creates or modifies Windows services

      • reg.exe (PID: 6600)
      • reg.exe (PID: 4628)
      • reg.exe (PID: 6368)
      • reg.exe (PID: 6344)
      • reg.exe (PID: 6588)
      • reg.exe (PID: 2076)
      • reg.exe (PID: 5200)
      • reg.exe (PID: 4360)
      • reg.exe (PID: 6676)
      • reg.exe (PID: 6944)
    • Modifies existing scheduled task

      • schtasks.exe (PID: 5696)
      • schtasks.exe (PID: 5888)
      • schtasks.exe (PID: 4840)
      • schtasks.exe (PID: 4764)
      • schtasks.exe (PID: 5576)
      • schtasks.exe (PID: 2160)
      • schtasks.exe (PID: 5856)
    • Process uses IPCONFIG to clear DNS cache

      • cmd.exe (PID: 7112)
    • Process uses IPCONFIG to discard the IP address configuration

      • cmd.exe (PID: 7112)
    • Process uses IPCONFIG to renew DHCP configuration

      • cmd.exe (PID: 7112)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 7112)
    • Hides errors and continues executing the command without stopping

      • powershell.exe (PID: 1200)
      • powershell.exe (PID: 1580)
    • Process uses powershell cmdlet to discover network configuration

      • cmd.exe (PID: 7112)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 1200)
      • powershell.exe (PID: 7032)
    • Suspicious use of NETSH.EXE

      • cmd.exe (PID: 7112)
      • cmd.exe (PID: 6788)
    • Application launched itself

      • cmd.exe (PID: 7112)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 6788)
      • cmd.exe (PID: 3188)
      • cmd.exe (PID: 5080)
      • cmd.exe (PID: 5936)
      • cmd.exe (PID: 1292)
    • Uses WMIC.EXE

      • cmd.exe (PID: 1292)
      • cmd.exe (PID: 3188)
      • cmd.exe (PID: 5080)
      • cmd.exe (PID: 5936)
  • INFO

    • Manual execution by a user

      • cmd.exe (PID: 6832)
    • Starts MODE.COM to configure console settings

      • mode.com (PID: 6892)
      • mode.com (PID: 5496)
      • mode.com (PID: 4872)
      • mode.com (PID: 1296)
      • mode.com (PID: 3544)
      • mode.com (PID: 4136)
      • mode.com (PID: 1400)
      • mode.com (PID: 3544)
      • mode.com (PID: 644)
      • mode.com (PID: 2380)
      • mode.com (PID: 5920)
      • mode.com (PID: 1472)
      • mode.com (PID: 1620)
      • mode.com (PID: 3040)
    • Checks supported languages

      • mode.com (PID: 6892)
      • mode.com (PID: 5496)
      • chcp.com (PID: 512)
      • mode.com (PID: 4872)
      • mode.com (PID: 3544)
      • mode.com (PID: 1296)
      • mode.com (PID: 1400)
      • mode.com (PID: 4136)
      • mode.com (PID: 3544)
      • mode.com (PID: 2380)
      • mode.com (PID: 644)
      • chcp.com (PID: 7004)
      • mode.com (PID: 5920)
      • mode.com (PID: 1472)
      • mode.com (PID: 1620)
    • The process uses the downloaded file

      • WinRAR.exe (PID: 4952)
      • powershell.exe (PID: 6936)
    • Changes the display of characters in the console

      • cmd.exe (PID: 7112)
    • Disables trace logs

      • netsh.exe (PID: 6720)
      • netsh.exe (PID: 2356)
      • netsh.exe (PID: 5560)
      • netsh.exe (PID: 7080)
      • netsh.exe (PID: 1792)
      • netsh.exe (PID: 1328)
      • netsh.exe (PID: 4076)
      • netsh.exe (PID: 6452)
      • netsh.exe (PID: 5568)
      • netsh.exe (PID: 6484)
      • netsh.exe (PID: 3172)
      • netsh.exe (PID: 6556)
      • netsh.exe (PID: 6588)
      • netsh.exe (PID: 6600)
      • netsh.exe (PID: 4128)
      • netsh.exe (PID: 6592)
      • netsh.exe (PID: 6484)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7164)
      • powershell.exe (PID: 1200)
      • powershell.exe (PID: 1580)
      • powershell.exe (PID: 68)
      • powershell.exe (PID: 1684)
      • powershell.exe (PID: 2072)
      • powershell.exe (PID: 6988)
      • powershell.exe (PID: 7032)
      • powershell.exe (PID: 6296)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 68)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 4520)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:12:11 23:07:18
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: RIP Tweaks Free Pack V5/
No data.
All screenshots are available in the full report
Total processes
638
Monitored processes
507
Malicious processes
5
Suspicious processes
1

Behavior graph

The graph is rendered interactively in the full report; only the process names, in launch order, survive extraction here. Starting from winrar.exe, the chain runs through rundll32.exe, cmd.exe, conhost.exe, mode.com, reg.exe, powershell.exe, chcp.com, choice.exe, bcdedit.exe, fsutil.exe, schtasks.exe, ipconfig.exe, netsh.exe, findstr.exe, timeout.exe and wmic.exe, with reg.exe launched several hundred times and the choice.exe/mode.com pairs recurring between batches of reg.exe calls. The graph marks nearly every node "no specs"; the only unmarked nodes are one cmd.exe instance and two netsh.exe instances.

Process information

PID
CMD
Path
Indicators
Parent process
PID: 68
CMD: PowerShell Disable-NetAdapterChecksumOffload -Name "*"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\atl.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 188
CMD: Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "ComputePreemption" /t REG_DWORD /d "0" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID: 188
CMD: netsh winsock reset
Path: C:\Windows\System32\netsh.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 396
CMD: Reg.exe add "HKLM\SOFTWARE\NVIDIA Corporation\Global\FTS" /v "EnableRID44231" /t REG_DWORD /d "0" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID: 440
CMD: Reg.exe add "%n" /v "UDPChecksumOffloadIPv4" /t REG_SZ /d "0" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID: 488
CMD: C:\WINDOWS\System32\choice.exe /c:1234 /n /m "  Type In Your Option > "
Path: C:\Windows\System32\choice.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Offers the user a choice
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\choice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 512
CMD: chcp 65001
Path: C:\Windows\System32\chcp.com
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID: 512
CMD: C:\WINDOWS\System32\choice.exe /c:1234 /n /m "  Type In Your Option > "
Path: C:\Windows\System32\choice.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Offers the user a choice
Exit code:
3
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\choice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 512
CMD: Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "TCCSupported" /t REG_DWORD /d "0" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID: 516
CMD: Reg.exe add "HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters" /v "Size" /t REG_DWORD /d "3" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
Total events
90 079
Read events
88 971
Write events
862
Delete events
246

Modification events

Process: (4952) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

Process: (4952) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

Process: (4952) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

Process: (4952) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\RIP Tweaks Free Pack V5.zip

Process: (4952) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (4952) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (4952) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: (4952) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process: (6936) powershell.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation: write
Name: C:\WINDOWS\System32\cmd.exe.FriendlyAppName
Value: Windows Command Processor

Process: (6936) powershell.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation: write
Name: C:\WINDOWS\System32\cmd.exe.ApplicationCompany
Value: Microsoft Corporation
Executable files
0
Suspicious files
4
Text files
30
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 4952 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa4952.4481\RIP Tweaks Free Pack V5\Fixes\Fix Fortnite Not Starting (RUN AS ADMIN).bat
MD5: 7B76612B5C17E433BE96A95C779DEA78
SHA256: 8800D8BF0060E79E07E0BD45636FAA2E2F3480C0B62F57F0CFCC001EE8F683CF

PID: 4952 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa4952.4481\RIP Tweaks Free Pack V5\Fixes\Fix Disabled WiFi (RUN AS ADMIN).bat
MD5: 2F81D06B38C08600C5FD77B386DF5D2B
SHA256: 5E3930B01539B45525F96E831C068589D392C1A79DF9D20B86610C33C7B6FAD4

PID: 4952 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa4952.4481\RIP Tweaks Free Pack V5\RIP Tweaks - Free Pack V5 (RUN AS ADMIN).bat
MD5: 2741D55A9C1C8167A9193B32B20B41D8
SHA256: C57A0135BCB4F7E389537840B72A54D8F97857856F9CE8407918E252E94CD810

PID: 4952 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa4952.4481\RIP Tweaks Free Pack V5\Stretch Resolution by RIP Tweaks\1811x1080\GameUserSettings.ini
MD5: C8F038C33BC3DB5CF3D74634A74DC577
SHA256: 27CA81080D00CE21AE4E5481E161A75636BCE7115CC47901F6C5B176AF48AD19

PID: 4952 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa4952.4481\RIP Tweaks Free Pack V5\Stretch Resolution by RIP Tweaks\1024x768\GameUserSettings.ini
MD5: 644370A8A891D9C46FDFBD56F407972F
SHA256: 8AD71905EE65C4997FFB3A697758640A20EE3F780B33F24F13127FDCA50F3639

PID: 4952 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa4952.4481\RIP Tweaks Free Pack V5\Stretch Resolution by RIP Tweaks\1720x1080\GameUserSettings.ini
MD5: 1C3930C46C5564332AA165D77E960362
SHA256: 094F76DA9D9111AAC3082771652041F36AFE3B12DFE1B98E6932DA3AEA1ACBE8

PID: 6936 | Process: powershell.exe | Type: binary
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF13b614.TMP
MD5: D040F64E9E7A2BB91ABCA5613424598E
SHA256: D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670

PID: 7164 | Process: powershell.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3ubjawbr.w5j.ps1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 6936 | Process: powershell.exe | Type: binary
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5: FFD3B97B64194970F7695192047E74EE
SHA256: 822602C1B5361D1C467CD1364C17A085BC57E8C08A13C41C032BD0A733063D45

PID: 6936 | Process: powershell.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_gjsd2olu.5v5.psm1
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
19
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
440
svchost.exe
GET
200
23.222.27.138:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.222.27.138:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
440
svchost.exe
GET
200
23.45.86.28:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.211.108:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.45.86.28:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
440
svchost.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3416
RUXIMICS.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5064
SearchApp.exe
23.45.123.34:443
www.bing.com
Akamai International B.V.
US
whitelisted
440
svchost.exe
23.222.27.138:80
crl.microsoft.com
AKAMAI-AS
US
whitelisted
4712
MoUsoCoreWorker.exe
23.222.27.138:80
crl.microsoft.com
AKAMAI-AS
US
whitelisted
5064
SearchApp.exe
192.229.211.108:80
ocsp.digicert.com
EDGECAST
US
whitelisted
440
svchost.exe
23.45.86.28:80
www.microsoft.com
AKAMAI-AS
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.213.14
whitelisted
crl.microsoft.com
  • 23.222.27.138
whitelisted
www.bing.com
  • 23.45.123.34
whitelisted
ocsp.digicert.com
  • 192.229.211.108
whitelisted
www.microsoft.com
  • 23.45.86.28
whitelisted
settings-win.data.microsoft.com
  • 52.183.220.149
whitelisted

Threats

No threats detected
No debug info