General Info Watch the FULL Interactive Analysis at ANY.RUN!

File name

Simple Roblox Cracker.rar

Verdict
Malicious activity
Analysis date
12/6/2018, 15:40:49
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-rar
File info:
RAR archive data, v4, os: Win32
MD5

3abd9e3083c717ae93d4b4c11d12f04a

SHA1

6440bd9e58bf9761daaad0dd97da565dc57f8fd7

SHA256

9e1efd1c7c6edd275af0af9f415753edaca9b2ac2e863b1fd74ce9a2bbb890e6

SSDEEP

12288:gcdu7gfMazkIDcAszqepOO7MVaxnhfxQlgQ9cov2Lmum4v32d8egvbtP4+Uy:3dGgfZYccAsOXh8vil7VKmB4O3mpP4+j

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Application was dropped or rewritten from another process
  • Cracker.exe (PID: 2868)
  • stub.exe (PID: 2252)
  • RobloxChecker.exe (PID: 2508)
Loads dropped or rewritten executable
  • SearchProtocolHost.exe (PID: 416)
Executable content was dropped or overwritten
  • RobloxChecker.exe (PID: 2508)
  • stub.exe (PID: 2252)
  • WinRAR.exe (PID: 2940)
Reads the cookies of Google Chrome
  • stub.exe (PID: 2252)
Reads settings of System Certificates
  • Cracker.exe (PID: 2868)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.rar
|   RAR compressed archive (v-4.x) (58.3%)
.rar
|   RAR compressed archive (gen) (41.6%)
EXIF
ZIP
CompressedSize:
11289
UncompressedSize:
19223
OperatingSystem:
Win32
ModifyDate:
2018:11:17 14:59:16
PackingMethod:
Normal
ArchivedFileName:
Roblox Cracker\checking.txt

Screenshots

Processes

Total processes
36
Monitored processes
5
Malicious processes
2
Suspicious processes
1

Behavior graph

+
start drop and start drop and start winrar.exe searchprotocolhost.exe no specs robloxchecker.exe stub.exe cracker.exe
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
416
CMD
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path
C:\Windows\System32\SearchProtocolHost.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Microsoft Windows Search Protocol Host
Version
7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\tquery.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msshooks.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msidle.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\mssph.dll
c:\windows\system32\mapi32.dll
c:\windows\system32\authz.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\profapi.dll
c:\windows\system32\notepad.exe
c:\windows\system32\version.dll
c:\users\admin\desktop\xnet.dll
c:\users\admin\desktop\robloxchecker.exe
c:\windows\system32\msxml3r.dll
c:\users\admin\desktop\newtonsoft.json.dll
c:\users\admin\desktop\json.dll

PID
2940
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Simple Roblox Cracker.rar"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\iconcodecservice.dll
c:\program files\common files\microsoft shared\office14\msoxev.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
2508
CMD
"C:\Users\admin\Desktop\RobloxChecker.exe"
Path
C:\Users\admin\Desktop\RobloxChecker.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
4294967295
Version:
Company
Description
Version
1.0.0.0
Modules
Image
c:\users\admin\desktop\robloxchecker.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\windows\system32\shell32.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\local\temp\stub.exe
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.v9921e851#\7ca6a7b9413844e82108a9d62f88a2d9\microsoft.visualbasic.ni.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\windowscodecs.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\credssp.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll

PID
2252
CMD
"C:\Users\admin\AppData\Local\Temp\stub.exe"
Path
C:\Users\admin\AppData\Local\Temp\stub.exe
Indicators
Parent process
RobloxChecker.exe
User
admin
Integrity Level
MEDIUM
Exit code
4294967295
Version:
Company
Description
Version
0.0.0.0
Modules
Image
c:\users\admin\appdata\local\temp\stub.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.v9921e851#\7ca6a7b9413844e82108a9d62f88a2d9\microsoft.visualbasic.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\windows\system32\shell32.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\local\temp\cracker.exe
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\credssp.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\secur32.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\gpapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\windowscodecs.dll

PID
2868
CMD
"C:\Users\admin\AppData\Local\Temp\Cracker.exe"
Path
C:\Users\admin\AppData\Local\Temp\Cracker.exe
Indicators
Parent process
stub.exe
User
admin
Integrity Level
MEDIUM
Exit code
3221225786
Version:
Company
Description
ConsoleApp6
Version
1.0.0.0
Modules
Image
c:\users\admin\appdata\local\temp\cracker.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\windows\system32\shell32.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\credssp.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\secur32.dll
c:\windows\system32\schannel.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\rsaenh.dll

Registry activity

Total events
1379
Read events
1289
Write events
90
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
2940
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\Simple Roblox Cracker.rar
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
name
120
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
size
80
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
psize
80
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
type
120
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
mtime
100
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
crc
70
416
SearchProtocolHost.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
416
SearchProtocolHost.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\5F\52C64B7E
@C:\Windows\system32\notepad.exe,-469
Text Document
416
SearchProtocolHost.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\5F\52C64B7E
@C:\Windows\System32\msxml3r.dll,-1
XML Document
2508
RobloxChecker.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2508
RobloxChecker.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2508
RobloxChecker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RobloxChecker_RASAPI32
EnableFileTracing
0
2508
RobloxChecker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RobloxChecker_RASAPI32
EnableConsoleTracing
0
2508
RobloxChecker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RobloxChecker_RASAPI32
FileTracingMask
4294901760
2508
RobloxChecker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RobloxChecker_RASAPI32
ConsoleTracingMask
4294901760
2508
RobloxChecker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RobloxChecker_RASAPI32
MaxFileSize
1048576
2508
RobloxChecker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RobloxChecker_RASAPI32
FileDirectory
%windir%\tracing
2508
RobloxChecker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RobloxChecker_RASMANCS
EnableFileTracing
0
2508
RobloxChecker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RobloxChecker_RASMANCS
EnableConsoleTracing
0
2508
RobloxChecker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RobloxChecker_RASMANCS
FileTracingMask
4294901760
2508
RobloxChecker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RobloxChecker_RASMANCS
ConsoleTracingMask
4294901760
2508
RobloxChecker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RobloxChecker_RASMANCS
MaxFileSize
1048576
2508
RobloxChecker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RobloxChecker_RASMANCS
FileDirectory
%windir%\tracing
2252
stub.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2252
stub.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2252
stub.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\stub_RASAPI32
EnableFileTracing
0
2252
stub.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\stub_RASAPI32
EnableConsoleTracing
0
2252
stub.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\stub_RASAPI32
FileTracingMask
4294901760
2252
stub.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\stub_RASAPI32
ConsoleTracingMask
4294901760
2252
stub.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\stub_RASAPI32
MaxFileSize
1048576
2252
stub.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\stub_RASAPI32
FileDirectory
%windir%\tracing
2252
stub.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\stub_RASMANCS
EnableFileTracing
0
2252
stub.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\stub_RASMANCS
EnableConsoleTracing
0
2252
stub.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\stub_RASMANCS
FileTracingMask
4294901760
2252
stub.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\stub_RASMANCS
ConsoleTracingMask
4294901760
2252
stub.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\stub_RASMANCS
MaxFileSize
1048576
2252
stub.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\stub_RASMANCS
FileDirectory
%windir%\tracing
2252
stub.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
2868
Cracker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Cracker_RASAPI32
EnableFileTracing
0
2868
Cracker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Cracker_RASAPI32
EnableConsoleTracing
0
2868
Cracker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Cracker_RASAPI32
FileTracingMask
4294901760
2868
Cracker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Cracker_RASAPI32
ConsoleTracingMask
4294901760
2868
Cracker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Cracker_RASAPI32
MaxFileSize
1048576
2868
Cracker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Cracker_RASAPI32
FileDirectory
%windir%\tracing
2868
Cracker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Cracker_RASMANCS
EnableFileTracing
0
2868
Cracker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Cracker_RASMANCS
EnableConsoleTracing
0
2868
Cracker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Cracker_RASMANCS
FileTracingMask
4294901760
2868
Cracker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Cracker_RASMANCS
ConsoleTracingMask
4294901760
2868
Cracker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Cracker_RASMANCS
MaxFileSize
1048576
2868
Cracker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Cracker_RASMANCS
FileDirectory
%windir%\tracing
2868
Cracker.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US

Files activity

Executable files
4
Suspicious files
0
Text files
11
Unknown types
0

Dropped files

PID Process Filename Type
2252 stub.exe C:\Users\admin\AppData\Local\Temp\Cracker.exe executable
2940 WinRAR.exe C:\Users\admin\AppData\Local\Temp\Rar$DRa2940.28635\Roblox Cracker\Newtonsoft.Json.dll executable
2940 WinRAR.exe C:\Users\admin\AppData\Local\Temp\Rar$DRa2940.28635\Roblox Cracker\Json.dll executable
2508 RobloxChecker.exe C:\Users\admin\AppData\Local\Temp\stub.exe executable
2940 WinRAR.exe C:\Users\admin\AppData\Local\Temp\Rar$DRa2940.28635\Roblox Cracker\README.txt ––
2868 Cracker.exe C:\Users\admin\Desktop\Hits.txt text
2868 Cracker.exe C:\Users\admin\Desktop\Hits.txt text
2940 WinRAR.exe C:\Users\admin\AppData\Local\Temp\Rar$DRa2940.28635\Roblox Cracker\RobloxChecker.exe ––
2940 WinRAR.exe C:\Users\admin\AppData\Local\Temp\Rar$DRa2940.28635\Roblox Cracker\checking.txt text
2940 WinRAR.exe C:\Users\admin\AppData\Local\Temp\Rar$DRa2940.28635\Roblox Cracker\xNet.dll ––
2940 WinRAR.exe C:\Users\admin\AppData\Local\Temp\Rar$DRa2940.28635\Roblox Cracker\Newtonsoft.Json.xml xml
2868 Cracker.exe C:\Users\admin\Desktop\Hits.txt text
2868 Cracker.exe C:\Users\admin\Desktop\Hits.txt text
2940 WinRAR.exe C:\Users\admin\AppData\Local\Temp\Rar$DRa2940.28635\Roblox Cracker\devices.txt text
2940 WinRAR.exe C:\Users\admin\AppData\Local\Temp\Rar$DRa2940.28635\Roblox Cracker\Hits.txt text
2868 Cracker.exe C:\Users\admin\Desktop\Hits.txt text

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
9
TCP/UDP connections
47
DNS requests
6
Threats
0

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2508 RobloxChecker.exe GET 200 198.91.80.25:80 http://cookiemuncher.x10host.com/CMR7Files/check.php?hwid=OTM7v7nJFts6B5pbS5SSB5GqILMeEBpoqyZIIXo/HlDyA9Xy5eVRmFyiCsN6nmnzeRexvimhnU6kOsBWM2IF4V%2BCxq3kGY6Vt7KhntxkPZUnCVFcOwbVn2XwWps4/sWl US
html
unknown
2252 stub.exe GET 200 198.91.80.25:80 http://cookiemuncher.x10host.com/CMR7Files/check.php?hwid=OTM7v7nJFts6B5pbS5SSB5GqILMeEBpoqyZIIXo/HlDyA9Xy5eVRmFyiCsN6nmnzeRexvimhnU6kOsBWM2IF4V%2BCxq3kGY6Vt7KhntxkPZUnCVFcOwbVn2XwWps4/sWl US
html
unknown
2868 Cracker.exe GET 200 209.206.41.46:80 http://www.roblox.com/mobileapi/userinfo US
text
unknown
2868 Cracker.exe GET 200 209.206.41.46:80 http://www.roblox.com/mobileapi/userinfo US
text
unknown
2868 Cracker.exe GET 200 209.206.41.46:80 http://www.roblox.com/mobileapi/userinfo US
text
unknown
2868 Cracker.exe GET 200 209.206.41.46:80 http://www.roblox.com/mobileapi/userinfo US
text
unknown
2868 Cracker.exe GET 200 209.206.41.46:80 http://www.roblox.com/mobileapi/userinfo US
text
unknown
2868 Cracker.exe GET 200 209.206.41.46:80 http://www.roblox.com/mobileapi/userinfo US
text
unknown
2868 Cracker.exe GET 200 209.206.41.46:80 http://www.roblox.com/mobileapi/userinfo US
text
unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
2508 RobloxChecker.exe 198.91.80.25:80 SingleHop, Inc. US unknown
2252 stub.exe 104.16.58.5:443 Cloudflare Inc US shared
2868 Cracker.exe 209.206.41.3:443 Roblox US unknown
2252 stub.exe 198.91.80.25:80 SingleHop, Inc. US unknown
2868 Cracker.exe 209.206.41.46:443 Roblox US unknown
2868 Cracker.exe 209.206.41.46:80 Roblox US unknown

DNS requests

Domain IP Reputation
cookiemuncher.x10host.com 198.91.80.25
unknown
discordapp.com 104.16.58.5
104.16.59.5
whitelisted
api.roblox.com 209.206.41.3
unknown
www.roblox.com 209.206.41.46
unknown

Threats

No threats detected.

Debug output strings

No debug info.