File name: Reason Core Security 2.4.1.0 Multilingual [FileCR].zip

Full analysis: https://app.any.run/tasks/6ff64ce4-4ef9-4078-b815-8160cfe940ef
Verdict: Malicious activity
Analysis date: March 06, 2024, 21:49:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5: 557E9AC53B7059AE57E1B005010DAE42
SHA1: 1D7F5170C9880731BA8A3CB802D77B1E2273AA5B
SHA256: BFCC061D8EE4DBB0BC576DD5833E8D0D9F398F496EA3A9C6E1AB037C1CEC7F46
SSDEEP: 98304:8xCFFitUUrs4fKtN8P4g6g3zCf0rD1viYvxr72AtaYL/h8F3DsQ4i9rHQk+YMClg:Q6S+Kepal

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • reason-core-security-setup.exe (PID: 2860)
      • reason-core-security-setup.exe (PID: 3940)
      • rsUI.exe (PID: 968)
    • Actions look like stealing of personal data

      • rsUI.exe (PID: 968)
    • Steals credentials from Web Browsers

      • rsUI.exe (PID: 968)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • reason-core-security-setup.exe (PID: 2860)
      • reason-core-security-setup.exe (PID: 3940)
      • rsUI.exe (PID: 968)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • reason-core-security-setup.exe (PID: 3940)
    • The process creates files with name similar to system file names

      • reason-core-security-setup.exe (PID: 3940)
    • Uses TASKKILL.EXE to kill process

      • ns41EC.tmp (PID: 1336)
      • ns3F67.tmp (PID: 2208)
      • ns4053.tmp (PID: 3684)
      • ns40D1.tmp (PID: 2644)
      • ns414F.tmp (PID: 1236)
      • ns426A.tmp (PID: 1556)
    • Reads the Internet Settings

      • reason-core-security-setup.exe (PID: 3940)
      • rsUI.exe (PID: 968)
      • rsEngineHelper.exe (PID: 3192)
      • rsEngineHelper.exe (PID: 4072)
      • rsEngineHelper.exe (PID: 4084)
      • rsEngineHelper.exe (PID: 3492)
      • rsEngineHelper.exe (PID: 1192)
      • rsEngineHelper.exe (PID: 3388)
      • rsEngineHelper.exe (PID: 3180)
      • rsEngineHelper.exe (PID: 2152)
      • rsEngineHelper.exe (PID: 2832)
      • rsEngineHelper.exe (PID: 2788)
      • rsEngineHelper.exe (PID: 2248)
      • rsEngineHelper.exe (PID: 2860)
      • rsEngineHelper.exe (PID: 568)
      • rsEngineHelper.exe (PID: 2348)
      • rsEngineHelper.exe (PID: 3336)
      • rsEngineHelper.exe (PID: 2736)
      • rsEngineHelper.exe (PID: 3564)
      • rsEngineHelper.exe (PID: 3840)
      • rsEngineHelper.exe (PID: 3688)
    • Starts application with an unusual extension

      • reason-core-security-setup.exe (PID: 3940)
    • Reads security settings of Internet Explorer

      • rsUI.exe (PID: 968)
    • Reads the BIOS version

      • rsUI.exe (PID: 968)
    • Reads the date of Windows installation

      • rsUI.exe (PID: 968)
    • Creates a software uninstall entry

      • reason-core-security-setup.exe (PID: 3940)
    • Searches for installed software

      • rsUI.exe (PID: 968)
    • Reads settings of System Certificates

      • rsLggr.exe (PID: 2324)
      • rsUI.exe (PID: 968)
      • rsEngineHelper.exe (PID: 4084)
      • rsEngineHelper.exe (PID: 4072)
      • rsEngineHelper.exe (PID: 3192)
      • rsEngineHelper.exe (PID: 3492)
      • rsEngineHelper.exe (PID: 1192)
      • rsEngineHelper.exe (PID: 3388)
      • rsEngineHelper.exe (PID: 3180)
      • rsEngineHelper.exe (PID: 2832)
      • rsEngineHelper.exe (PID: 568)
      • rsEngineHelper.exe (PID: 2860)
      • rsEngineHelper.exe (PID: 3336)
      • rsEngineHelper.exe (PID: 3840)
      • rsEngineHelper.exe (PID: 3564)
    • Executes as Windows Service

      • rsService.exe (PID: 124)
    • Checks Windows Trust Settings

      • rsUI.exe (PID: 968)
    • Suspicious use of NETSH.EXE

      • rsUI.exe (PID: 968)
    • Reads startup parameters

      • rsUI.exe (PID: 968)
    • Loads DLL from Mozilla Firefox

      • rsUI.exe (PID: 968)
    • Adds/modifies Windows certificates

      • rsUI.exe (PID: 968)
  • INFO

    • Manual execution by a user

      • reason-core-security-setup.exe (PID: 3932)
      • reason-core-security-setup.exe (PID: 2860)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3652)
    • Checks supported languages

      • reason-core-security-setup.exe (PID: 2860)
      • InstallTools.exe (PID: 4000)
      • reason-core-security-setup.exe (PID: 3940)
      • ns3F67.tmp (PID: 2208)
      • ns40D1.tmp (PID: 2644)
      • ns4053.tmp (PID: 3684)
      • ns414F.tmp (PID: 1236)
      • ns41EC.tmp (PID: 1336)
      • ns426A.tmp (PID: 1556)
      • rsLggr.exe (PID: 2324)
      • rsLggr.exe (PID: 1780)
      • rsUI.exe (PID: 968)
      • InstallTools.exe (PID: 712)
      • rsService.exe (PID: 3520)
      • rsLggr.exe (PID: 552)
      • rsService.exe (PID: 124)
      • rsLggr.exe (PID: 296)
      • rsLggr.exe (PID: 316)
      • rsEngineHelper.exe (PID: 3192)
      • rsEngineHelper.exe (PID: 4072)
      • rsEngineHelper.exe (PID: 4084)
      • rsEngineHelper.exe (PID: 3492)
      • rscp_setup.exe (PID: 3056)
      • rsEngineHelper.exe (PID: 1192)
      • rsEngineHelper.exe (PID: 3388)
      • rsLggr.exe (PID: 4056)
      • rsEngineHelper.exe (PID: 3180)
      • rsEngineHelper.exe (PID: 2832)
      • rsEngineHelper.exe (PID: 568)
      • rsEngineHelper.exe (PID: 2788)
      • rsEngineHelper.exe (PID: 2152)
      • rsEngineHelper.exe (PID: 2248)
      • rsEngineHelper.exe (PID: 2860)
      • rsEngineHelper.exe (PID: 3336)
      • rsEngineHelper.exe (PID: 2736)
      • rsEngineHelper.exe (PID: 2348)
      • rsEngineHelper.exe (PID: 3840)
      • rsEngineHelper.exe (PID: 3688)
      • rsEngineHelper.exe (PID: 3564)
    • Reads the computer name

      • reason-core-security-setup.exe (PID: 2860)
      • InstallTools.exe (PID: 4000)
      • reason-core-security-setup.exe (PID: 3940)
      • InstallTools.exe (PID: 712)
      • rsUI.exe (PID: 968)
      • rsService.exe (PID: 124)
      • rsLggr.exe (PID: 2324)
      • rsService.exe (PID: 3520)
      • rsEngineHelper.exe (PID: 4072)
      • rsEngineHelper.exe (PID: 3192)
      • rsEngineHelper.exe (PID: 4084)
      • rsEngineHelper.exe (PID: 3492)
      • rscp_setup.exe (PID: 3056)
      • rsEngineHelper.exe (PID: 1192)
      • rsEngineHelper.exe (PID: 3388)
      • rsEngineHelper.exe (PID: 3180)
      • rsEngineHelper.exe (PID: 2832)
      • rsEngineHelper.exe (PID: 2788)
      • rsEngineHelper.exe (PID: 568)
      • rsEngineHelper.exe (PID: 2152)
      • rsEngineHelper.exe (PID: 2248)
      • rsEngineHelper.exe (PID: 2860)
      • rsEngineHelper.exe (PID: 3336)
      • rsEngineHelper.exe (PID: 2736)
      • rsEngineHelper.exe (PID: 2348)
      • rsEngineHelper.exe (PID: 3840)
      • rsEngineHelper.exe (PID: 3688)
      • rsEngineHelper.exe (PID: 3564)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3652)
    • Creates files in a temporary directory

      • reason-core-security-setup.exe (PID: 2860)
      • reason-core-security-setup.exe (PID: 3940)
      • rsUI.exe (PID: 968)
    • Reads Environment values

      • InstallTools.exe (PID: 4000)
      • reason-core-security-setup.exe (PID: 3940)
      • rsUI.exe (PID: 968)
      • InstallTools.exe (PID: 712)
      • rsService.exe (PID: 124)
      • rsEngineHelper.exe (PID: 3192)
      • rsEngineHelper.exe (PID: 4072)
      • rsEngineHelper.exe (PID: 4084)
      • rsEngineHelper.exe (PID: 3492)
      • rsEngineHelper.exe (PID: 1192)
      • rsEngineHelper.exe (PID: 3388)
      • rsEngineHelper.exe (PID: 3180)
      • rsEngineHelper.exe (PID: 2152)
      • rsEngineHelper.exe (PID: 2832)
      • rsEngineHelper.exe (PID: 2788)
      • rsEngineHelper.exe (PID: 568)
      • rsEngineHelper.exe (PID: 2248)
      • rsEngineHelper.exe (PID: 2860)
      • rsEngineHelper.exe (PID: 2348)
      • rsEngineHelper.exe (PID: 3336)
      • rsEngineHelper.exe (PID: 2736)
      • rsEngineHelper.exe (PID: 3564)
      • rsEngineHelper.exe (PID: 3840)
      • rsEngineHelper.exe (PID: 3688)
    • Checks proxy server information

      • reason-core-security-setup.exe (PID: 3940)
      • rsUI.exe (PID: 968)
    • Creates files in the program directory

      • reason-core-security-setup.exe (PID: 3940)
      • rsUI.exe (PID: 968)
      • rsService.exe (PID: 3520)
      • rsLggr.exe (PID: 2324)
      • rsEngineHelper.exe (PID: 3192)
    • Reads the machine GUID from the registry

      • rsUI.exe (PID: 968)
      • rsService.exe (PID: 3520)
      • rsService.exe (PID: 124)
      • rsEngineHelper.exe (PID: 4072)
      • rsEngineHelper.exe (PID: 4084)
      • rsLggr.exe (PID: 2324)
      • rsEngineHelper.exe (PID: 3192)
      • rsEngineHelper.exe (PID: 3492)
      • rsEngineHelper.exe (PID: 1192)
      • rsEngineHelper.exe (PID: 3388)
      • rsEngineHelper.exe (PID: 3180)
      • rsEngineHelper.exe (PID: 2152)
      • rsEngineHelper.exe (PID: 2832)
      • rsEngineHelper.exe (PID: 2788)
      • rsEngineHelper.exe (PID: 2248)
      • rsEngineHelper.exe (PID: 2860)
      • rsEngineHelper.exe (PID: 568)
      • rsEngineHelper.exe (PID: 2736)
      • rsEngineHelper.exe (PID: 3336)
      • rsEngineHelper.exe (PID: 2348)
      • rsEngineHelper.exe (PID: 3564)
      • rsEngineHelper.exe (PID: 3840)
      • rsEngineHelper.exe (PID: 3688)
    • Reads product name

      • rsUI.exe (PID: 968)
      • rsEngineHelper.exe (PID: 3192)
    • Reads the software policy settings

      • rsLggr.exe (PID: 2324)
      • rsUI.exe (PID: 968)
      • rsEngineHelper.exe (PID: 4084)
      • rsEngineHelper.exe (PID: 4072)
      • rsEngineHelper.exe (PID: 3192)
      • rsEngineHelper.exe (PID: 3492)
      • rsEngineHelper.exe (PID: 1192)
      • rsEngineHelper.exe (PID: 3388)
      • rsEngineHelper.exe (PID: 3180)
      • rsEngineHelper.exe (PID: 2832)
      • rsEngineHelper.exe (PID: 568)
      • rsEngineHelper.exe (PID: 2860)
      • rsEngineHelper.exe (PID: 3336)
      • rsEngineHelper.exe (PID: 3564)
      • rsEngineHelper.exe (PID: 3840)
    • Process checks whether UAC notifications are on

      • rsEngineHelper.exe (PID: 3192)
    • Reads Microsoft Office registry keys

      • rsUI.exe (PID: 968)
    • Creates files or folders in the user directory

      • rsUI.exe (PID: 968)
    • Reads mouse settings

      • rsUI.exe (PID: 968)
    • Uses BITSADMIN.EXE

      • rsUI.exe (PID: 968)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2020:08:25 03:08:20
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: Reason Core Security 2.4.1.0 Multilingual/
No data.
All screenshots are available in the full report
Total processes: 121
Monitored processes: 51
Malicious processes: 17
Suspicious processes: 0

Behavior graph

Process nodes in the graph, in order, with the report's own "no specs" marker preserved: start, winrar.exe, reason-core-security-setup.exe (no specs), reason-core-security-setup.exe, installtools.exe (no specs), reason-core-security-setup.exe, ns3f67.tmp (no specs), taskkill.exe (no specs), ns4053.tmp (no specs), taskkill.exe (no specs), ns40d1.tmp (no specs), taskkill.exe (no specs), ns414f.tmp (no specs), taskkill.exe (no specs), ns41ec.tmp (no specs), taskkill.exe (no specs), ns426a.tmp (no specs), taskkill.exe (no specs), rsui.exe, installtools.exe (no specs), rslggr.exe, rslggr.exe (no specs), rslggr.exe (no specs), rslggr.exe (no specs), rsservice.exe (no specs), rslggr.exe (no specs), rsservice.exe (no specs), rsenginehelper.exe, rsenginehelper.exe, rsenginehelper.exe, rsenginehelper.exe, rscp_setup.exe, rsenginehelper.exe, rsenginehelper.exe, rslggr.exe (no specs), netsh.exe (no specs), bitsadmin.exe (no specs), rsenginehelper.exe, rsenginehelper.exe, rsenginehelper.exe, rsenginehelper.exe, rsenginehelper.exe, rsenginehelper.exe, rsenginehelper.exe, rsenginehelper.exe, rsenginehelper.exe, rsenginehelper.exe, rsenginehelper.exe, netsh.exe (no specs), bitsadmin.exe (no specs), rsenginehelper.exe, rsenginehelper.exe

Process information

PID:
124
CMD:
"C:\Program Files\Reason\Security\rsService.exe"
Path:
C:\Program Files\Reason\Security\rsService.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Reason Software Company Inc.
Integrity Level:
SYSTEM
Description:
Reason Core Security Service
Exit code:
0
Version:
2.4.1.0
Modules
Images
c:\program files\reason\security\rsservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID:
296
CMD:
"C:\Program Files\Reason\Security\rsLggr.exe"
Path:
C:\Program Files\Reason\Security\rsLggr.exe
Parent process:
rsUI.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\reason\security\rslggr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID:
316
CMD:
"C:\Program Files\Reason\Security\rsLggr.exe"
Path:
C:\Program Files\Reason\Security\rsLggr.exe
Parent process:
rsUI.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\reason\security\rslggr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID:
552
CMD:
"C:\Program Files\Reason\Security\rsLggr.exe"
Path:
C:\Program Files\Reason\Security\rsLggr.exe
Parent process:
rsUI.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\reason\security\rslggr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID:
568
CMD:
"C:\Program Files\Reason\Security\rsEngineHelper.exe" uploadString url:https://api1.reasonsecurity.com/api.ashx?RETRYATTEMPT=1&method=gSR token:592ce0bf-06e8-4330-89d3-09d2f868cef4 method:scanresults product:RS
Path:
C:\Program Files\Reason\Security\rsEngineHelper.exe
Parent process:
rsUI.exe
User:
admin
Company:
Reason Software Company Inc.
Integrity Level:
HIGH
Description:
Reason Security Engine Helper
Exit code:
0
Version:
2.0.3.1
Modules
Images
c:\program files\reason\security\rsenginehelper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID:
712
CMD:
"C:\Users\admin\AppData\Local\Temp\InstallTools.exe" "C:\Users\admin\AppData\Local\Temp\Reason Core Security 2.4.1.0 Multilingual [FileCR]\Reason Core Security 2.4.1.0 Multilingual\reason-core-security-setup.exe" Software\Reason\Security INSNDE "C:\Users\admin\AppData\Local\Temp\Reason Core Security 2.4.1.0 Multilingual [FileCR]\Reason Core Security 2.4.1.0 Multilingual\reason-core-security-setup.exe" /mode=f /url=logs.reasonsecurity.com/event /product=RS
Path:
C:\Users\admin\AppData\Local\Temp\InstallTools.exe
Parent process:
reason-core-security-setup.exe
User:
admin
Integrity Level:
HIGH
Exit code:
4294967295
Modules
Images
c:\users\admin\appdata\local\temp\installtools.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
PID:
968
CMD:
"C:\Program Files\Reason\Security\rsUI.exe"
Path:
C:\Program Files\Reason\Security\rsUI.exe
Parent process:
reason-core-security-setup.exe
User:
admin
Company:
Reason Software Company Inc.
Integrity Level:
HIGH
Description:
Reason Core Security
Exit code:
0
Version:
2.4.1.0
Modules
Images
c:\program files\reason\security\rsui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID:
1192
CMD:
"C:\Program Files\Reason\Security\rsEngineHelper.exe" uploadString url:https://api1.reasonsecurity.com/api.ashx?RETRYATTEMPT=1&method=iSA&signatures=927104&v=2.0.3.2&p=Security&sigver=1 token:9f4f21fa-81d0-42fd-aeaa-0ee46a941fe0 method:signaturesavail product:RS
Path:
C:\Program Files\Reason\Security\rsEngineHelper.exe
Parent process:
rsUI.exe
User:
admin
Company:
Reason Software Company Inc.
Integrity Level:
HIGH
Description:
Reason Security Engine Helper
Exit code:
0
Version:
2.0.3.1
Modules
Images
c:\program files\reason\security\rsenginehelper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID:
1236
CMD:
"C:\Users\admin\AppData\Local\Temp\nsp3276.tmp\ns414F.tmp" taskkill /f /im rsEngineHelper.exe
Path:
C:\Users\admin\AppData\Local\Temp\nsp3276.tmp\ns414F.tmp
Parent process:
reason-core-security-setup.exe
User:
admin
Integrity Level:
HIGH
Exit code:
128
Modules
Images
c:\users\admin\appdata\local\temp\nsp3276.tmp\ns414f.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID:
1336
CMD:
"C:\Users\admin\AppData\Local\Temp\nsp3276.tmp\ns41EC.tmp" taskkill /f /im rsLggr.exe
Path:
C:\Users\admin\AppData\Local\Temp\nsp3276.tmp\ns41EC.tmp
Parent process:
reason-core-security-setup.exe
User:
admin
Integrity Level:
HIGH
Exit code:
128
Modules
Images
c:\users\admin\appdata\local\temp\nsp3276.tmp\ns41ec.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events: 224 337
Read events: 223 848
Write events: 475
Delete events: 14

Modification events

(PID) Process: (3652) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3652) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3652) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3652) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3652) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3652) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (3652) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Reason Core Security 2.4.1.0 Multilingual [FileCR].zip

(PID) Process: (3652) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3652) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3652) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files: 32
Suspicious files: 33
Text files: 531
Unknown types: 28

Dropped files

PID 3652, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Reason Core Security 2.4.1.0 Multilingual [FileCR]\Reason Core Security 2.4.1.0 Multilingual\ReadMe.txt
Type: text
MD5: 10AE60EBC7F25C6757D4340AC68CDCF9
SHA256: 4C70646A9F4633D1DEAAB6BA23B78A67C0108982D4125A96742EBA47EFEE6031

PID 3940, reason-core-security-setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsp3276.tmp\modern-header.bmp
Type: image
MD5: 071D47FA9D9A8FBA12E820FED8CBD221
SHA256: 22FAA11A3606FF4D6A0F6F3ED07EF6D908C2A99FB1B58B6C95937DF3411C2BF3

PID 3652, WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Reason Core Security 2.4.1.0 Multilingual [FileCR]\Reason Core Security 2.4.1.0 Multilingual\rsUtils.dll
Type: executable
MD5: DFAEA0C5E4F55098D6467657594CB96F
SHA256: F1D2023E074DA05D25F8B680D56B667FB769CDDE4955A5DBA45E3EE8A04C17C1

PID 3940, reason-core-security-setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsp3276.tmp\ns426A.tmp
Type: executable
MD5: B55F7F1B17C39018910C23108F929082
SHA256: C4C6FE032F3CD8B31528D7B99661F85EE22CB78746AEE98EC568431D4F5043F7

PID 3940, reason-core-security-setup.exe
Filename: C:\Program Files\Reason\Security\rsService.exe
Type: executable
MD5: 52C8BC9BB427CF6CAD8A2EB7DE426314
SHA256: 8C9B50F19BE7BF1EECEC9A6DA7A6F93B6720649458DF2A2C16AB6DEBA12A570E

PID 3940, reason-core-security-setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsp3276.tmp\nsDialogs.dll
Type: executable
MD5: 42B064366F780C1F298FA3CB3AEAE260
SHA256: C13104552B8B553159F50F6E2CA45114493397A6FA4BF2CBB960C4A2BBD349AB

PID 3940, reason-core-security-setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsp3276.tmp\nsExec.dll
Type: executable
MD5: B55F7F1B17C39018910C23108F929082
SHA256: C4C6FE032F3CD8B31528D7B99661F85EE22CB78746AEE98EC568431D4F5043F7

PID 3940, reason-core-security-setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsp3276.tmp\ns3F67.tmp
Type: executable
MD5: B55F7F1B17C39018910C23108F929082
SHA256: C4C6FE032F3CD8B31528D7B99661F85EE22CB78746AEE98EC568431D4F5043F7

PID 2860, reason-core-security-setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\InstallTools.exe
Type: executable
MD5: FE8DB41BDBEAB82E137DD4501AA79180
SHA256: 9249F8AE780ED09A1BB915967FD61E4DD72567ADE313287EADC8BC726BADB114

PID 2860, reason-core-security-setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\reason-core-security-setup.exe
Type: executable
MD5: 0BB4D6CD294E33ECE7DAC8660AE80FC5
SHA256: 309E6F0B926D8E224DC2DBCF4BFAACDC53615EC40EB12B6B7C85A5CF47A5C056
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 66
TCP/UDP connections: 108
DNS requests: 29
Threats: 5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3940 | reason-core-security-setup.exe | GET | 200 | 52.21.131.106:80 | http://logs.reasonsecurity.com/event?Eventname=Installer&status=Start&Product=Security&i_data=&ruserid=&tag=2.0.50727&OSVersion=6.1.0.0&version=2.4.1.0&hostapp_version=2.4.1.0 | unknown | - | - | unknown
3940 | reason-core-security-setup.exe | GET | 200 | 52.21.131.106:80 | http://logs.reasonsecurity.com/event?Eventname=Installer&status=Finish&Product=Security&i_data=&ruserid=&OSVersion=6.1.0.0&version=2.4.1.0&hostapp_version=2.4.1.0 | unknown | - | - | unknown
968 | rsUI.exe | GET | 301 | 52.222.214.2:80 | http://cdn.reasonsecurity.com/resources/installers/protection/rscp_setup.exe | unknown | html | 167 b | unknown
3056 | rscp_setup.exe | POST | 403 | 13.248.169.48:80 | http://logs.isrtb.com/bulk_safe | unknown | - | - | unknown
968 | rsUI.exe | GET | 304 | 92.122.50.70:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?cf99a4f054be1c61 | unknown | - | - | unknown
968 | rsUI.exe | GET | 304 | 92.122.50.70:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?19819c000474ec49 | unknown | - | - | unknown
968 | rsUI.exe | GET | 200 | 184.86.251.206:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | binary | 1.01 Kb | unknown
968 | rsUI.exe | GET | 200 | 23.33.233.193:80 | http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl | unknown | binary | 1.05 Kb | unknown
968 | rsUI.exe | GET | 200 | 184.86.251.206:80 | http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl | unknown | binary | 519 b | unknown
968 | rsUI.exe | GET | 200 | 184.86.251.206:80 | http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | unknown | binary | 767 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | unknown
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
3940 | reason-core-security-setup.exe | 52.21.131.106:80 | logs.reasonsecurity.com | AMAZON-AES | US | unknown
2324 | rsLggr.exe | 52.21.131.106:443 | logs.reasonsecurity.com | AMAZON-AES | US | unknown
968 | rsUI.exe | 104.22.0.235:443 | api.reasonsecurity.com | CLOUDFLARENET | - | unknown
968 | rsUI.exe | 172.67.9.68:443 | api1.reasonsecurity.com | CLOUDFLARENET | US | unknown
3192 | rsEngineHelper.exe | 172.67.9.68:443 | api1.reasonsecurity.com | CLOUDFLARENET | US | unknown
4072 | rsEngineHelper.exe | 104.22.0.235:443 | api.reasonsecurity.com | CLOUDFLARENET | - | unknown

DNS requests

Domain | IP | Reputation
logs.reasonsecurity.com | 52.21.131.106 | unknown
api.reasonsecurity.com | 104.22.0.235 | unknown
api1.reasonsecurity.com | 172.67.9.68 | unknown
cdn.reasonsecurity.com | 52.222.214.2 | shared
logs.isrtb.com | 13.248.169.48 | malicious
ctldl.windowsupdate.com | 92.122.50.70 | whitelisted
crl.microsoft.com | 184.86.251.206 | whitelisted
www.microsoft.com | 23.33.233.193 | whitelisted
s2.symcb.com | 152.199.19.74 | whitelisted
s1.symcb.com | 192.229.221.95 | whitelisted

Threats

PID | Process | Class | Message
968 | rsUI.exe | Potential Corporate Privacy Violation | AV POLICY HTTP request for .exe file with no User-Agent
4 ETPRO signatures available at the full report
No debug info