File name:

Rainmeter-4.5.18.exe

Full analysis: https://app.any.run/tasks/e9356126-e48b-465f-b8dc-3d8a24001195
Verdict: Malicious activity
Analysis date: January 19, 2024, 23:22:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

E2D2743839D187982E9C602575EFC48C

SHA1:

E5B6808770E6BCA105C1616E31015160725F855E

SHA256:

5AC959E5DEE9884512F4A34623BBAD2C08BE427669015B917A750F7CBFBB0A75

SSDEEP:

49152:mQ5YRSuP59wVHUY1jLjTwtuXUaLEikcepufsJvHtgomcyC5eieKalFvv+Xg8V:m7Ss9wVHUCY8TIPC34eieKa/8NV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Rainmeter-4.5.18.exe (PID: 124)
      • Rainmeter-4.5.18.exe (PID: 956)
      • Rainmeter.exe (PID: 2308)
    • Creates files in the Startup directory

      • Rainmeter-4.5.18.exe (PID: 124)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • Rainmeter-4.5.18.exe (PID: 124)
      • Rainmeter-4.5.18.exe (PID: 956)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • Rainmeter-4.5.18.exe (PID: 124)
      • Rainmeter-4.5.18.exe (PID: 956)
    • Executable content was dropped or overwritten

      • Rainmeter-4.5.18.exe (PID: 124)
      • Rainmeter-4.5.18.exe (PID: 956)
      • Rainmeter.exe (PID: 2308)
    • Application launched itself

      • Rainmeter-4.5.18.exe (PID: 124)
    • Reads the Internet Settings

      • Rainmeter-4.5.18.exe (PID: 124)
      • RestartRainmeter.exe (PID: 920)
      • Rainmeter.exe (PID: 1812)
    • Process requests binary or script from the Internet

      • Rainmeter.exe (PID: 1812)
    • Reads settings of System Certificates

      • Rainmeter.exe (PID: 1812)
    • Reads security settings of Internet Explorer

      • Rainmeter.exe (PID: 1812)
    • Checks Windows Trust Settings

      • Rainmeter.exe (PID: 1812)
  • INFO

    • Checks supported languages

      • Rainmeter-4.5.18.exe (PID: 124)
      • wmpnscfg.exe (PID: 1308)
      • Rainmeter-4.5.18.exe (PID: 956)
      • Rainmeter.exe (PID: 2308)
      • RestartRainmeter.exe (PID: 920)
      • Rainmeter.exe (PID: 1812)
      • Rainmeter.exe (PID: 2176)
    • Reads the computer name

      • Rainmeter-4.5.18.exe (PID: 124)
      • wmpnscfg.exe (PID: 1308)
      • Rainmeter-4.5.18.exe (PID: 956)
      • Rainmeter.exe (PID: 2308)
      • RestartRainmeter.exe (PID: 920)
      • Rainmeter.exe (PID: 1812)
    • Creates files in a temporary directory

      • Rainmeter-4.5.18.exe (PID: 124)
      • Rainmeter-4.5.18.exe (PID: 956)
      • Rainmeter.exe (PID: 2308)
      • Rainmeter.exe (PID: 1812)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 1308)
      • explorer.exe (PID: 1748)
      • RestartRainmeter.exe (PID: 920)
    • Creates files in the program directory

      • Rainmeter-4.5.18.exe (PID: 956)
    • Reads the machine GUID from the registry

      • Rainmeter.exe (PID: 2308)
      • Rainmeter.exe (PID: 1812)
    • Creates files or folders in the user directory

      • Rainmeter.exe (PID: 2308)
      • Rainmeter.exe (PID: 1812)
      • Rainmeter-4.5.18.exe (PID: 124)
    • Reads Environment values

      • Rainmeter.exe (PID: 2308)
      • Rainmeter.exe (PID: 1812)
    • Reads product name

      • Rainmeter.exe (PID: 2308)
      • Rainmeter.exe (PID: 1812)
    • Checks proxy server information

      • Rainmeter.exe (PID: 1812)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:25 23:56:47+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 141824
UninitializedDataSize: 2048
EntryPoint: 0x3640
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.5.18.3727
ProductVersionNumber: 4.5.18.3727
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Rainmeter
FileDescription: Rainmeter Installer
FileVersion: 4.5.18.3727
LegalCopyright: © 2023 Rainmeter Team
OriginalFileName: Rainmeter-4.5.18.exe
ProductName: Rainmeter
ProductVersion: 4.5.18.3727
All screenshots are available in the full report
Total processes: 49
Monitored processes: 8
Malicious processes: 5
Suspicious processes: 0

Behavior graph (interactive graph not reproduced; processes shown: rainmeter-4.5.18.exe, wmpnscfg.exe, rainmeter-4.5.18.exe, rainmeter.exe, explorer.exe, restartrainmeter.exe, rainmeter.exe, rainmeter.exe)

Process information

PID | CMD | Path | Parent process
124 | "C:\Users\admin\AppData\Local\Temp\Rainmeter-4.5.18.exe" | C:\Users\admin\AppData\Local\Temp\Rainmeter-4.5.18.exe | explorer.exe
User: admin
Company: Rainmeter
Integrity Level: MEDIUM
Description: Rainmeter Installer
Exit code: 0
Version: 4.5.18.3727
Modules (images):
c:\users\admin\appdata\local\temp\rainmeter-4.5.18.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
920 | "C:\Program Files\Rainmeter\RestartRainmeter.exe" | C:\Program Files\Rainmeter\RestartRainmeter.exe | explorer.exe
User: admin
Company: Rainmeter
Integrity Level: MEDIUM
Description: Restarts Rainmeter
Exit code: 0
Version: 4.5.18.3727
Modules (images):
c:\program files\rainmeter\restartrainmeter.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
956 | "C:\Users\admin\AppData\Local\Temp\Rainmeter-4.5.18.exe" /UAC:30152 /NCRC | C:\Users\admin\AppData\Local\Temp\Rainmeter-4.5.18.exe | Rainmeter-4.5.18.exe
User: admin
Company: Rainmeter
Integrity Level: HIGH
Description: Rainmeter Installer
Exit code: 0
Version: 4.5.18.3727
Modules (images):
c:\users\admin\appdata\local\temp\rainmeter-4.5.18.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
1308 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1748 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1812 | "C:\Program Files\Rainmeter\Rainmeter.exe" | C:\Program Files\Rainmeter\Rainmeter.exe | RestartRainmeter.exe
User: admin
Company: Rainmeter
Integrity Level: MEDIUM
Description: Rainmeter desktop customization tool
Exit code: 0
Version: 4.5.18.3727
Modules (images):
c:\program files\rainmeter\rainmeter.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2176 | "C:\Program Files\Rainmeter\Rainmeter.exe" !Quit | C:\Program Files\Rainmeter\Rainmeter.exe | RestartRainmeter.exe
User: admin
Company: Rainmeter
Integrity Level: MEDIUM
Description: Rainmeter desktop customization tool
Exit code: 0
Version: 4.5.18.3727
Modules (images):
c:\program files\rainmeter\rainmeter.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
2308 | "C:\Program Files\Rainmeter\Rainmeter.exe" | C:\Program Files\Rainmeter\Rainmeter.exe | Rainmeter-4.5.18.exe
User: admin
Company: Rainmeter
Integrity Level: MEDIUM
Description: Rainmeter desktop customization tool
Exit code: 0
Version: 4.5.18.3727
Modules (images):
c:\program files\rainmeter\rainmeter.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events: 6 456
Read events: 6 414
Write events: 42
Delete events: 0

Modification events

PID 124 Rainmeter-4.5.18.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
PID 124 Rainmeter-4.5.18.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
PID 124 Rainmeter-4.5.18.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
PID 124 Rainmeter-4.5.18.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
PID 920 RestartRainmeter.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
PID 920 RestartRainmeter.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
PID 920 RestartRainmeter.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
PID 920 RestartRainmeter.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
PID 1812 Rainmeter.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | Operation: write | Name: ProxyEnable | Value: 0
PID 1812 Rainmeter.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | Operation: write | Name: SavedLegacySettings | Value:
460000005B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 71
Suspicious files: 30
Text files: 18
Unknown types: 0

Dropped files

PID | Process | Filename | Type
124 | Rainmeter-4.5.18.exe | C:\Users\admin\AppData\Local\Temp\nsiF7C0.tmp\modern-wizard.bmp | image
MD5:E713642C356C0A90D844F0DF15E2C686
SHA256:20ABB0C4188442CE1AECBE40455BA4F797A6DB706157BC188615B49420C2DAC3
124 | Rainmeter-4.5.18.exe | C:\Users\admin\AppData\Local\Temp\nsiF7C0.tmp\LangDLL.dll | executable
MD5:68B287F4067BA013E34A1339AFDB1EA8
SHA256:18E8B40BA22C7A1687BD16E8D585380BC2773FFF5002D7D67E9485FCC0C51026
956 | Rainmeter-4.5.18.exe | C:\Program Files\Rainmeter\RestartRainmeter.exe | executable
MD5:5936D924958D16CF86AD22A65FA52CF3
SHA256:9F97B35CAC1AACBF7762E0034147D2B1CE1AB2FEB327325E4E80899CFACA4F96
956 | Rainmeter-4.5.18.exe | C:\Users\admin\AppData\Local\Temp\nsm885E.tmp\modern-wizard.bmp | image
MD5:E713642C356C0A90D844F0DF15E2C686
SHA256:20ABB0C4188442CE1AECBE40455BA4F797A6DB706157BC188615B49420C2DAC3
956 | Rainmeter-4.5.18.exe | C:\Program Files\Rainmeter\VisualElements\Rainmeter_176.png | image
MD5:3E92CD2C272056F0FA1A5EBC3B4C1549
SHA256:8D7877FBD9C13AB4C7B6F00BA461F564775FDF89A05B2381D6D4F26D4C099B84
956 | Rainmeter-4.5.18.exe | C:\Program Files\Rainmeter\Rainmeter.exe.config | xml
MD5:150DE4D93067CEB1BB07C2E60FD75CB4
SHA256:E46068C9A86EFF44D657A2221B128558468820776BB5902CB5948525F642AD3D
956 | Rainmeter-4.5.18.exe | C:\Program Files\Rainmeter\Rainmeter.exe | executable
MD5:2588F7768CC525B7B6530F077486341D
SHA256:4BB118165FF97683C9D188A7B49075142D3A6D40A91222AC436FABA58714C615
956 | Rainmeter-4.5.18.exe | C:\Program Files\Rainmeter\Rainmeter.dll | executable
MD5:A65154D1508AAB4E6B955D9E8B66266C
SHA256:B581E431F1DFE1F11A85AF976C6FF635F596789572313A845C84D10537513F1D
956 | Rainmeter-4.5.18.exe | C:\Program Files\Rainmeter\Plugins\ActionTimer.dll | executable
MD5:E88AC8138E253C9EF0C068438D3E5586
SHA256:6630A385ACB7F88C70F964FC08B411003801EE1575D23DE7838FFAFF9531B92F
956 | Rainmeter-4.5.18.exe | C:\Program Files\Rainmeter\Plugins\AdvancedCPU.dll | executable
MD5:9479B71ABCCC8B4BAF28F18AE1B62829
SHA256:588FFAF985166E119C9AC8DC37D190C9F6F4E71CCAD83F17E2972B60FF233454
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 11
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1812 | Rainmeter.exe | GET | 301 | 172.67.131.200:80 | http://version.rainmeter.net/rainmeter/status.json | unknown | - | - | unknown
1812 | Rainmeter.exe | GET | 301 | 185.199.110.153:80 | http://rainmeter.github.io/rainmeter/status.json | unknown | html | 162 b | unknown
1812 | Rainmeter.exe | GET | 200 | 23.32.238.178:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f6fadfc181548299 | unknown | compressed | 4.66 Kb | unknown
1812 | Rainmeter.exe | GET | 200 | 23.32.238.178:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?cec3efb7a81126c6 | unknown | compressed | 65.2 Kb | unknown
1812 | Rainmeter.exe | GET | 200 | 69.192.161.44:80 | http://x2.c.lencr.org/ | unknown | binary | 300 b | unknown
1080 | svchost.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?34275567a5b520f7 | unknown | - | - | unknown
1812 | Rainmeter.exe | GET | 200 | 69.192.161.44:80 | http://x1.c.lencr.org/ | unknown | binary | 717 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
1812 | Rainmeter.exe | 185.199.110.153:80 | rainmeter.github.io | FASTLY | US | shared
1812 | Rainmeter.exe | 172.67.131.200:80 | version.rainmeter.net | CLOUDFLARENET | US | unknown
1812 | Rainmeter.exe | 172.67.131.200:443 | version.rainmeter.net | CLOUDFLARENET | US | unknown
1812 | Rainmeter.exe | 23.32.238.178:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
1812 | Rainmeter.exe | 69.192.161.44:80 | x1.c.lencr.org | AKAMAI-AS | DE | unknown
1080 | svchost.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted

DNS requests

Domain | IP | Reputation
rainmeter.github.io | 185.199.110.153, 185.199.109.153, 185.199.111.153, 185.199.108.153 | unknown
version.rainmeter.net | 172.67.131.200, 104.21.11.41 | unknown
ctldl.windowsupdate.com | 23.32.238.178, 23.32.238.201, 23.32.238.219, 93.184.221.240 | whitelisted
x1.c.lencr.org | 69.192.161.44 | whitelisted
x2.c.lencr.org | 69.192.161.44 | whitelisted

Threats

No threats detected
No debug info