General Info

File name

2.zip

Full analysis
https://app.any.run/tasks/26d771c2-7422-49d0-a784-a513ed6151ef
Verdict
Malicious activity
Analysis date
7/11/2019, 22:43:26
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/zip
File info:
Zip archive data, at least v2.0 to extract
MD5

5f4886df5cc9f0fadf6de4ac85c47099

SHA1

567afbd90075e43041f0e43facf4dae81d185f17

SHA256

1baa173f577e8c3bf49a7bae9157aa60074d5d29ed1f9c8707e0d3d4337b0996

SSDEEP

98304:83nbjjBJfoJ8lO0q+dEtypiy0YRdI16DPrDVQDVU4B:6nbjjBxo+U0fdMypiqdIYcfB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
240 seconds
Additional time used
180 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was dropped or rewritten from another process
  • L-Check Reborn.exe (PID: 2576)
Loads dropped or rewritten executable
  • SearchProtocolHost.exe (PID: 856)
  • L-Check Reborn.exe (PID: 2576)
Executable content was dropped or overwritten
  • WinRAR.exe (PID: 3068)
Dropped object may contain Bitcoin addresses
  • WinRAR.exe (PID: 3068)
Manual execution by user
  • L-Check Reborn.exe (PID: 2576)

Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report

Static information

TRiD
.zip
|   ZIP compressed archive (100%)
EXIF
ZIP
ZipRequiredVersion:
20
ZipBitFlag:
null
ZipCompression:
None
ZipModifyDate:
2019:03:15 08:56:24
ZipCRC:
0x00000000
ZipCompressedSize:
null
ZipUncompressedSize:
null
ZipFileName:
L-Check Reborn 1.0.0.1/

Processes

Total processes
38
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Process information

PID
856
CMD
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe7_ Global\UsGthrCtrlFltPipeMssGthrPipe7 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path
C:\Windows\System32\SearchProtocolHost.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Microsoft Windows Search Protocol Host
Version
7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\tquery.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msshooks.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msidle.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\mssph.dll
c:\windows\system32\mapi32.dll
c:\windows\system32\authz.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\msxml3r.dll
c:\windows\system32\version.dll
c:\users\admin\desktop\l-check reborn 1.0.0.1\appfuscated\newtonsoft.json.dll
c:\users\admin\desktop\l-check reborn 1.0.0.1\appfuscated\metroframework.dll
c:\users\admin\desktop\l-check reborn 1.0.0.1\xnet.dll
c:\users\admin\desktop\l-check reborn 1.0.0.1\newtonsoft.jsons.dll
c:\users\admin\desktop\l-check reborn 1.0.0.1\newtonsoft.json.dll
c:\users\admin\desktop\l-check reborn 1.0.0.1\metroframeworks.fonts.dll
c:\users\admin\desktop\l-check reborn 1.0.0.1\metroframeworks.dll
c:\users\admin\desktop\l-check reborn 1.0.0.1\metroframeworks.design.dll
c:\users\admin\desktop\l-check reborn 1.0.0.1\metroframework.fonts.dll
c:\users\admin\desktop\l-check reborn 1.0.0.1\metroframework.dll
c:\users\admin\desktop\l-check reborn 1.0.0.1\metroframework.designs.dll
c:\users\admin\desktop\l-check reborn 1.0.0.1\l-check reborn.exe
c:\windows\system32\notepad.exe

PID
3068
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\2.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
2576
CMD
"C:\Users\admin\Desktop\L-Check Reborn 1.0.0.1\L-Check Reborn.exe"
Path
C:\Users\admin\Desktop\L-Check Reborn 1.0.0.1\L-Check Reborn.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Version:
Company
Description
L-Check Reborn
Version
1.0.0.0
Modules
Image
c:\users\admin\desktop\l-check reborn 1.0.0.1\l-check reborn.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\winmm.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\97e047cf68e9a7d90e196d072cd49cac\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\e071297bb06faa961bef045ae5f25fdc\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\61dfb69c9ad6ed96809170d54d80b8a6\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\2dc6cfd856864312d563098f9486361c\system.windows.forms.ni.dll
c:\users\admin\desktop\l-check reborn 1.0.0.1\metroframework.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\uxtheme.dll
c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms\v4.0_4.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\21a1606b6c00f9abe7db55c02e0f87c9\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\cd03f9386e02f56502e01a25ddd7e0a7\system.configuration.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\7c8f75f367134a030cba4a127dc62a2f\system.xml.ni.dll
c:\windows\system32\profapi.dll
c:\windows\system32\bcrypt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\users\admin\desktop\l-check reborn 1.0.0.1\metroframework.fonts.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\windowscodecs.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\e588691224a17737f3a164cc2d46c156\system.management.ni.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\microsoft.net\framework\v4.0.30319\wminet_utils.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\credssp.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\secur32.dll
c:\windows\system32\schannel.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\gpapi.dll
c:\users\admin\desktop\l-check reborn 1.0.0.1\newtonsoft.json.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.numerics\5ac17cc5b92efda83e2925857f4fa655\system.numerics.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.runteb92aa12#\62a6b39f4f68c25dfd2f6308d7541401\system.runtime.serialization.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.data\1288d7e030bc0c5d8b2cbe5f33aeed7f\system.data.ni.dll
c:\windows\microsoft.net\assembly\gac_32\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll

Registry activity

Total events
825
Read events
791
Write events
34
Delete events
0

Modification events

PID | Process | Operation | Key | Name | Value
856 | SearchProtocolHost.exe | write | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\70\52C64B7E | LanguageList | en-US
856 | SearchProtocolHost.exe | write | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\70\52C64B7E | @C:\Windows\System32\msxml3r.dll,-1 | XML Document
856 | SearchProtocolHost.exe | write | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\70\52C64B7E | @C:\Windows\system32\notepad.exe,-469 | Text Document
3068 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP |
3068 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon |
3068 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E | LanguageList | en-US
3068 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\2.zip
3068 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
3068 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
3068 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
3068 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
2576 | L-Check Reborn.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\L-Check Reborn_RASAPI32 | EnableFileTracing | 0
2576 | L-Check Reborn.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\L-Check Reborn_RASAPI32 | EnableConsoleTracing | 0
2576 | L-Check Reborn.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\L-Check Reborn_RASAPI32 | FileTracingMask | 4294901760
2576 | L-Check Reborn.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\L-Check Reborn_RASAPI32 | ConsoleTracingMask | 4294901760
2576 | L-Check Reborn.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\L-Check Reborn_RASAPI32 | MaxFileSize | 1048576
2576 | L-Check Reborn.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\L-Check Reborn_RASAPI32 | FileDirectory | %windir%\tracing
2576 | L-Check Reborn.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\L-Check Reborn_RASMANCS | EnableFileTracing | 0
2576 | L-Check Reborn.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\L-Check Reborn_RASMANCS | EnableConsoleTracing | 0
2576 | L-Check Reborn.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\L-Check Reborn_RASMANCS | FileTracingMask | 4294901760
2576 | L-Check Reborn.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\L-Check Reborn_RASMANCS | ConsoleTracingMask | 4294901760
2576 | L-Check Reborn.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\L-Check Reborn_RASMANCS | MaxFileSize | 1048576
2576 | L-Check Reborn.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\L-Check Reborn_RASMANCS | FileDirectory | %windir%\tracing
2576 | L-Check Reborn.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E | LanguageList | en-US

Files activity

Executable files
10
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3068 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3068.33654\L-Check Reborn 1.0.0.1\Appfuscated\MetroFramework.dll | executable | ef08032ca4b4bbeac76f418630ba9708 | e53bea309139a056b60301104027fb4fd2e5c60d2d3bb831ebd8dfa5e5a24bf3
3068 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3068.33654\L-Check Reborn 1.0.0.1\MetroFrameworks.Fonts.dll | executable | 557ef4e2e90ffc0076d30749ff1051d5 | 3dff089a924d26c429ea5c352af9fab42de15e415517c334c5c528d5a185519e
3068 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3068.33654\L-Check Reborn 1.0.0.1\MetroFrameworks.Design.dll | executable | 156eb51bb36b064023170e35f4b1d037 | 57185e0a62d5485d947ca6e872bb4f472f8f51da8c16947824e8419f936cf9c4
3068 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3068.33654\L-Check Reborn 1.0.0.1\MetroFramework.Fonts.dll | executable | 557ef4e2e90ffc0076d30749ff1051d5 | 3dff089a924d26c429ea5c352af9fab42de15e415517c334c5c528d5a185519e
3068 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3068.33654\L-Check Reborn 1.0.0.1\MetroFrameworks.dll | executable | db12322f1797779eb661d7d8e197d559 | 593279d1fc03a668a3f16f1e97bf6aa875d34f3ab1b9e7921f61d980d9df6036
3068 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3068.33654\L-Check Reborn 1.0.0.1\Appfuscated\Newtonsoft.Json.dll | executable | c9a64b6f8ada66c9c1bcf8f00756be85 | feec2693520ccac7361c04659e20060b04eaef4e14822ee0e6e8c886eb6d8078
3068 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3068.33654\L-Check Reborn 1.0.0.1\Newtonsoft.Json.dll | executable | 43d5fd88135332e0d1bed1a8b69f6531 | 6a9e79545eb43b1b4b8ee3d01cb76944e08a638e31bb43695376c26003219843
3068 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3068.33654\L-Check Reborn 1.0.0.1\MetroFramework.Designs.dll | executable | 156eb51bb36b064023170e35f4b1d037 | 57185e0a62d5485d947ca6e872bb4f472f8f51da8c16947824e8419f936cf9c4
3068 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3068.33654\L-Check Reborn 1.0.0.1\MetroFramework.dll | executable | 4fb9f436b0d1b89ef6b668b025b6fdb5 | 2b491ff714e369674a8a68a13a166aa5dcb97211cd25dc9eb8f62adc081018a8
3068 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3068.33654\L-Check Reborn 1.0.0.1\L-Check Reborn.exe | executable | 9134ab876411a69767d07c50bde599ec | 6b0f0536e9d444846d969dcd83553e017cb69474bab388453d2c12c50773076f
3068 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3068.33654\L-Check Reborn 1.0.0.1\Appfuscated\project.map.xml | xml | cccfdcea1e74bf38f536917097217bf1 | 29d8caea7f41ab7bd86a9cbfea156c907a41aa3f930aaf0aa94ed4c4e4071471
3068 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3068.33654\L-Check Reborn 1.0.0.1\key.txt | text | 7eac9d6474e5d21cf73956c93f37ce66 | dcc395461e8efb1fae3b24cac25c29f95162404c080c876e39384835057c8f86
3068 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3068.33654\L-Check Reborn 1.0.0.1\Newtonsoft.Jsons.dll | –– | –– | ––
3068 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3068.33654\L-Check Reborn 1.0.0.1\xNet.dll | –– | –– | ––

Find more information about the static content and download it in the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

No HTTP requests.

Connections

PID | Process | IP | ASN | CN | Reputation
2576 | L-Check Reborn.exe | 104.24.1.112:443 | Cloudflare Inc | US | unknown
–– | –– | 104.24.1.112:443 | Cloudflare Inc | US | unknown

DNS requests

Domain | IP | Reputation
cracked.to | 104.24.1.112, 104.24.2.112 | suspicious

Threats

No threats detected.

Debug output strings

Process Message
L-Check Reborn.exe %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------