General Info

File name

Simple Roblox Cracker.rar

Full analysis
https://app.any.run/tasks/ecef002f-ea29-4984-90ba-dda9f383f773
Verdict
Malicious activity
Analysis date
12/6/2018, 15:40:49
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-rar
File info:
RAR archive data, v4, os: Win32
MD5

3abd9e3083c717ae93d4b4c11d12f04a

SHA1

6440bd9e58bf9761daaad0dd97da565dc57f8fd7

SHA256

9e1efd1c7c6edd275af0af9f415753edaca9b2ac2e863b1fd74ce9a2bbb890e6

SSDEEP

12288:gcdu7gfMazkIDcAszqepOO7MVaxnhfxQlgQ9cov2Lmum4v32d8egvbtP4+Uy:3dGgfZYccAsOXh8vil7VKmB4O3mpP4+j

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Loads dropped or rewritten executable
  • SearchProtocolHost.exe (PID: 416)
Application was dropped or rewritten from another process
  • stub.exe (PID: 2252)
  • RobloxChecker.exe (PID: 2508)
  • Cracker.exe (PID: 2868)
Executable content was dropped or overwritten
  • stub.exe (PID: 2252)
  • WinRAR.exe (PID: 2940)
  • RobloxChecker.exe (PID: 2508)
Reads the cookies of Google Chrome
  • stub.exe (PID: 2252)
Reads settings of System Certificates
  • Cracker.exe (PID: 2868)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.rar
|   RAR compressed archive (v-4.x) (58.3%)
.rar
|   RAR compressed archive (gen) (41.6%)
EXIF
ZIP
CompressedSize:
11289
UncompressedSize:
19223
OperatingSystem:
Win32
ModifyDate:
2018:11:17 14:59:16
PackingMethod:
Normal
ArchivedFileName:
Roblox Cracker\checking.txt

Screenshots

Processes

Total processes
36
Monitored processes
5
Malicious processes
2
Suspicious processes
1

Behavior graph

+
start drop and start drop and start winrar.exe searchprotocolhost.exe no specs robloxchecker.exe stub.exe cracker.exe
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
416
CMD
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path
C:\Windows\System32\SearchProtocolHost.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Microsoft Windows Search Protocol Host
Version
7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\tquery.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msshooks.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msidle.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\mssph.dll
c:\windows\system32\mapi32.dll
c:\windows\system32\authz.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\profapi.dll
c:\windows\system32\notepad.exe
c:\windows\system32\version.dll
c:\users\admin\desktop\xnet.dll
c:\users\admin\desktop\robloxchecker.exe
c:\windows\system32\msxml3r.dll
c:\users\admin\desktop\newtonsoft.json.dll
c:\users\admin\desktop\json.dll

PID
2940
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Simple Roblox Cracker.rar"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\iconcodecservice.dll
c:\program files\common files\microsoft shared\office14\msoxev.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
2508
CMD
"C:\Users\admin\Desktop\RobloxChecker.exe"
Path
C:\Users\admin\Desktop\RobloxChecker.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
4294967295
Version:
Company
Description
Version
1.0.0.0
Modules
Image
c:\users\admin\desktop\robloxchecker.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\windows\system32\shell32.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\local\temp\stub.exe
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.v9921e851#\7ca6a7b9413844e82108a9d62f88a2d9\microsoft.visualbasic.ni.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\windowscodecs.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\credssp.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll

PID
2252
CMD
"C:\Users\admin\AppData\Local\Temp\stub.exe"
Path
C:\Users\admin\AppData\Local\Temp\stub.exe
Indicators
Parent process
RobloxChecker.exe
User
admin
Integrity Level
MEDIUM
Exit code
4294967295
Version:
Company
Description
Version
0.0.0.0
Modules
Image
c:\users\admin\appdata\local\temp\stub.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\microsoft.v9921e851#\7ca6a7b9413844e82108a9d62f88a2d9\microsoft.visualbasic.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\windows\system32\shell32.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\local\temp\cracker.exe
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\credssp.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\secur32.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\gpapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\windowscodecs.dll

PID
2868
CMD
"C:\Users\admin\AppData\Local\Temp\Cracker.exe"
Path
C:\Users\admin\AppData\Local\Temp\Cracker.exe
Indicators
Parent process
stub.exe
User
admin
Integrity Level
MEDIUM
Exit code
3221225786
Version:
Company
Description
ConsoleApp6
Version
1.0.0.0
Modules
Image
c:\users\admin\appdata\local\temp\cracker.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\windows\system32\shell32.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\credssp.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\secur32.dll
c:\windows\system32\schannel.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\rsaenh.dll

Registry activity

Total events
1379
Read events
1289
Write events
90
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
416
SearchProtocolHost.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
416
SearchProtocolHost.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\5F\52C64B7E
@C:\Windows\system32\notepad.exe,-469
Text Document
416
SearchProtocolHost.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\5F\52C64B7E
@C:\Windows\System32\msxml3r.dll,-1
XML Document
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
2940
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\Simple Roblox Cracker.rar
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
name
120
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
size
80
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
psize
80
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
type
120
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
mtime
100
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
crc
70
2508
RobloxChecker.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2508
RobloxChecker.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2508
RobloxChecker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RobloxChecker_RASAPI32
EnableFileTracing
0
2508
RobloxChecker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RobloxChecker_RASAPI32
EnableConsoleTracing
0
2508
RobloxChecker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RobloxChecker_RASAPI32
FileTracingMask
4294901760
2508
RobloxChecker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RobloxChecker_RASAPI32
ConsoleTracingMask
4294901760
2508
RobloxChecker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RobloxChecker_RASAPI32
MaxFileSize
1048576
2508
RobloxChecker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RobloxChecker_RASAPI32
FileDirectory
%windir%\tracing
2508
RobloxChecker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RobloxChecker_RASMANCS
EnableFileTracing
0
2508
RobloxChecker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RobloxChecker_RASMANCS
EnableConsoleTracing
0
2508
RobloxChecker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RobloxChecker_RASMANCS
FileTracingMask
4294901760
2508
RobloxChecker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RobloxChecker_RASMANCS
ConsoleTracingMask
4294901760
2508
RobloxChecker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RobloxChecker_RASMANCS
MaxFileSize
1048576
2508
RobloxChecker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RobloxChecker_RASMANCS
FileDirectory
%windir%\tracing
2252
stub.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2252
stub.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2252
stub.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\stub_RASAPI32
EnableFileTracing
0
2252
stub.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\stub_RASAPI32
EnableConsoleTracing
0
2252
stub.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\stub_RASAPI32
FileTracingMask
4294901760
2252
stub.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\stub_RASAPI32
ConsoleTracingMask
4294901760
2252
stub.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\stub_RASAPI32
MaxFileSize
1048576
2252
stub.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\stub_RASAPI32
FileDirectory
%windir%\tracing
2252
stub.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\stub_RASMANCS
EnableFileTracing
0
2252
stub.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\stub_RASMANCS
EnableConsoleTracing
0
2252
stub.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\stub_RASMANCS
FileTracingMask
4294901760
2252
stub.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\stub_RASMANCS
ConsoleTracingMask
4294901760
2252
stub.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\stub_RASMANCS
MaxFileSize
1048576
2252
stub.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\stub_RASMANCS
FileDirectory
%windir%\tracing
2252
stub.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
2868
Cracker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Cracker_RASAPI32
EnableFileTracing
0
2868
Cracker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Cracker_RASAPI32
EnableConsoleTracing
0
2868
Cracker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Cracker_RASAPI32
FileTracingMask
4294901760
2868
Cracker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Cracker_RASAPI32
ConsoleTracingMask
4294901760
2868
Cracker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Cracker_RASAPI32
MaxFileSize
1048576
2868
Cracker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Cracker_RASAPI32
FileDirectory
%windir%\tracing
2868
Cracker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Cracker_RASMANCS
EnableFileTracing
0
2868
Cracker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Cracker_RASMANCS
EnableConsoleTracing
0
2868
Cracker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Cracker_RASMANCS
FileTracingMask
4294901760
2868
Cracker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Cracker_RASMANCS
ConsoleTracingMask
4294901760
2868
Cracker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Cracker_RASMANCS
MaxFileSize
1048576
2868
Cracker.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Cracker_RASMANCS
FileDirectory
%windir%\tracing
2868
Cracker.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US

Files activity

Executable files
4
Suspicious files
0
Text files
11
Unknown types
0

Dropped files

PID
Process
Filename
Type
2252
stub.exe
C:\Users\admin\AppData\Local\Temp\Cracker.exe
executable
MD5: 778d8c0225856ad02d46baf8967db9ff
SHA256: a295bd36584e6476783c41f6abc14def62f0fd00f50f977114dc4329f4f4aee2
2940
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa2940.28635\Roblox Cracker\Newtonsoft.Json.dll
executable
MD5: 5afda7c7d4f7085e744c2e7599279db3
SHA256: f58c374ffcaae4e36d740d90fbf7fe70d0abb7328cd9af3a0a7b70803e994ba4
2940
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa2940.28635\Roblox Cracker\Json.dll
executable
MD5: 643ceb04b4e759f576de7da86b6e00ad
SHA256: ef36bd4a2e5bf17293ce0d32d2f27a8cfe58c58de48084865d4bb46ceb5ee485
2508
RobloxChecker.exe
C:\Users\admin\AppData\Local\Temp\stub.exe
executable
MD5: 5fc49619385840c90978b0f4b1962436
SHA256: 2e178363cdd4292afd6f62af058640b5048afd8817865536c34d318cee9f71ba
2940
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa2940.28635\Roblox Cracker\README.txt
––
MD5:  ––
SHA256:  ––
2868
Cracker.exe
C:\Users\admin\Desktop\Hits.txt
text
MD5: 78b017393710ae23186cbdabefbfb162
SHA256: 40db519825300ddb5da38199840f8fdc29d7860ae0757db90ec254009d0a3159
2868
Cracker.exe
C:\Users\admin\Desktop\Hits.txt
text
MD5: 1a6a5f8d1abe07464c65435a6d189f02
SHA256: e64f4f8e7c37f21bc5c5d7a883e241570c172053bb0bc93dc9ba8a42607543b9
2940
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa2940.28635\Roblox Cracker\RobloxChecker.exe
––
MD5:  ––
SHA256:  ––
2940
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa2940.28635\Roblox Cracker\checking.txt
text
MD5: ff14d6912b3ec8a2dd45bb94dfd40d8b
SHA256: c6bd13973857c1dc3417f718d9492d366797686f60f2702fdd46ae83f6909814
2940
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa2940.28635\Roblox Cracker\xNet.dll
––
MD5:  ––
SHA256:  ––
2940
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa2940.28635\Roblox Cracker\Newtonsoft.Json.xml
xml
MD5: f9e37f618621c1cbee48a83fcd4366d8
SHA256: c7add8659a3da1723f3a0726418c0ab5a3969e1b3265f7a212f8db28a4d2ef8b
2868
Cracker.exe
C:\Users\admin\Desktop\Hits.txt
text
MD5: 5b79a29a2c562ee1d589fb61fcaacc83
SHA256: 199f0ff61077aed760a41d0cdba95dfb0811bcbeffcd6e08d4568a49f7df39ef
2868
Cracker.exe
C:\Users\admin\Desktop\Hits.txt
text
MD5: ad8ecc85a87312cec09f6db0be9b0814
SHA256: ae49663c9e18068335347e4afd86a3a5202c309a9f3c3c90ff99efd52cfa7918
2940
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa2940.28635\Roblox Cracker\devices.txt
text
MD5: ac2a5de2e25d46d9c712c3534a092df5
SHA256: 26b1b5435a81cdb7e5611118f7f5afab9b94ec1ca129d9325b101f1427f45311
2940
WinRAR.exe
C:\Users\admin\AppData\Local\Temp\Rar$DRa2940.28635\Roblox Cracker\Hits.txt
text
MD5: 53eaf4a8ecdb4ad06c328a1637623fe1
SHA256: 5e44c3b7d049a35ec8b77677d0a498b726014af9d05617248d4f0c3727bfcd0c
2868
Cracker.exe
C:\Users\admin\Desktop\Hits.txt
text
MD5: d06d29b0cc475002f0ae2f2752ef9653
SHA256: 89f2e1b5e22df7357a29b13fd8ff7e7ea5ec9dde4958435a32afeb49a6644665

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
9
TCP/UDP connections
47
DNS requests
6
Threats
0

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2508 RobloxChecker.exe GET 200 198.91.80.25:80 http://cookiemuncher.x10host.com/CMR7Files/check.php?hwid=OTM7v7nJFts6B5pbS5SSB5GqILMeEBpoqyZIIXo/HlDyA9Xy5eVRmFyiCsN6nmnzeRexvimhnU6kOsBWM2IF4V%2BCxq3kGY6Vt7KhntxkPZUnCVFcOwbVn2XwWps4/sWl US
html
unknown
2252 stub.exe GET 200 198.91.80.25:80 http://cookiemuncher.x10host.com/CMR7Files/check.php?hwid=OTM7v7nJFts6B5pbS5SSB5GqILMeEBpoqyZIIXo/HlDyA9Xy5eVRmFyiCsN6nmnzeRexvimhnU6kOsBWM2IF4V%2BCxq3kGY6Vt7KhntxkPZUnCVFcOwbVn2XwWps4/sWl US
html
unknown
2868 Cracker.exe GET 200 209.206.41.46:80 http://www.roblox.com/mobileapi/userinfo US
text
unknown
2868 Cracker.exe GET 200 209.206.41.46:80 http://www.roblox.com/mobileapi/userinfo US
text
unknown
2868 Cracker.exe GET 200 209.206.41.46:80 http://www.roblox.com/mobileapi/userinfo US
text
unknown
2868 Cracker.exe GET 200 209.206.41.46:80 http://www.roblox.com/mobileapi/userinfo US
text
unknown
2868 Cracker.exe GET 200 209.206.41.46:80 http://www.roblox.com/mobileapi/userinfo US
text
unknown
2868 Cracker.exe GET 200 209.206.41.46:80 http://www.roblox.com/mobileapi/userinfo US
text
unknown
2868 Cracker.exe GET 200 209.206.41.46:80 http://www.roblox.com/mobileapi/userinfo US
text
unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
2508 RobloxChecker.exe 198.91.80.25:80 SingleHop, Inc. US unknown
2252 stub.exe 104.16.58.5:443 Cloudflare Inc US shared
2868 Cracker.exe 209.206.41.3:443 Roblox US unknown
2252 stub.exe 198.91.80.25:80 SingleHop, Inc. US unknown
2868 Cracker.exe 209.206.41.46:443 Roblox US unknown
2868 Cracker.exe 209.206.41.46:80 Roblox US unknown

DNS requests

Domain IP Reputation
cookiemuncher.x10host.com 198.91.80.25
unknown
discordapp.com 104.16.58.5
104.16.59.5
whitelisted
api.roblox.com 209.206.41.3
unknown
www.roblox.com 209.206.41.46
unknown

Threats

No threats detected.

Debug output strings

No debug info.