General Info

File name

Cracked_by_xany_1.zip

Full analysis
https://app.any.run/tasks/f3ddaa75-9c16-43f4-8f5e-f6b0aa70fc16
Verdict
Malicious activity
Analysis date
6/12/2019, 01:58:44
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

evasion

trojan

rat

quasar

Indicators:

MIME:
application/zip
File info:
Zip archive data, at least v2.0 to extract
MD5

1d172ff502f0801053a05bd5ac134963

SHA1

0595c3662a2f4566647dc6c3782195037c5a9e04

SHA256

d2f90b648f96f5d993ca89dfe81e92deb650a8a7ffb435a75b8e179a36880a0d

SSDEEP

98304:CG8wRhKKugYD/fKKu8ADUS+fFyinaUDUPQlLNSqgyJJ:1/vuFfvuD4S+psgYHaJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Application was dropped or rewritten from another process
  • icsys.icn.exe (PID: 3280)
  • coca crypter cracked by xany.exe  (PID: 2380)
  • coca crypter cracked by xany.exe  (PID: 2512)
  • Coca Crypter cracked by xany.exe (PID: 2672)
  • icsys.icn.exe (PID: 2140)
  • Coca Crypter cracked by xany.exe (PID: 2416)
Changes the autorun value in the registry
  • coca crypter cracked by xany.exe  (PID: 2512)
QUASAR was detected
  • RegAsm.exe (PID: 3584)
Uses RUNDLL32.EXE to load library
  • WinRAR.exe (PID: 3296)
Executable content was dropped or overwritten
  • coca crypter cracked by xany.exe  (PID: 2512)
  • Coca Crypter cracked by xany.exe (PID: 2672)
  • Coca Crypter cracked by xany.exe (PID: 2416)
  • WinRAR.exe (PID: 3296)
Checks for external IP
  • RegAsm.exe (PID: 3584)
Creates files in the user directory
  • coca crypter cracked by xany.exe  (PID: 2512)
Starts itself from another location
  • Coca Crypter cracked by xany.exe (PID: 2672)
  • Coca Crypter cracked by xany.exe (PID: 2416)
Starts application with an unusual extension
  • Coca Crypter cracked by xany.exe (PID: 2672)
  • Coca Crypter cracked by xany.exe (PID: 2416)

No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.zip
|   ZIP compressed archive (100%)
EXIF
ZIP
ZipRequiredVersion:
20
ZipBitFlag:
null
ZipCompression:
Deflated
ZipModifyDate:
2019:06:10 13:58:25
ZipCRC:
0x0af619ed
ZipCompressedSize:
814387
ZipUncompressedSize:
1430488
ZipFileName:
Coca Crypt/Coca Crypter cracked by xany.exe

Processes

Total processes
45
Monitored processes
14
Malicious processes
7
Suspicious processes
0

Behavior graph

Behavior graph (rendered as an image in the original; only the node and edge labels are recoverable): winrar.exe; coca crypter cracked by xany.exe; coca crypter cracked by xany.exe; icsys.icn.exe (no specs); regasm.exe (no specs); regasm.exe (#QUASAR); coca crypter cracked by xany.exe; coca crypter cracked by xany.exe (no specs); icsys.icn.exe (no specs); regasm.exe (no specs); rundll32.exe (no specs); regasm.exe (no specs); notepad.exe (no specs); regasm.exe (no specs). Edge labels: drop and start; start.
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
3296
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Cracked_by_xany_1.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\notepad.exe
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\users\admin\appdata\local\temp\rar$exa3296.6696\coca crypt\coca crypter cracked by xany.exe
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\users\admin\appdata\local\temp\rar$exa3296.8585\coca crypt\coca crypter cracked by xany.exe
c:\windows\system32\rundll32.exe

PID
2416
CMD
"C:\Users\admin\AppData\Local\Temp\Rar$EXa3296.6696\Coca Crypt\Coca Crypter cracked by xany.exe"
Path
C:\Users\admin\AppData\Local\Temp\Rar$EXa3296.6696\Coca Crypt\Coca Crypter cracked by xany.exe
Indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft
Description
Version
1.00
Modules
Image
c:\users\admin\appdata\local\temp\rar$exa3296.6696\coca crypt\coca crypter cracked by xany.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\rar$exa3296.6696\coca crypt\coca crypter cracked by xany.exe 
c:\users\admin\appdata\local\icsys.icn.exe

PID
2512
CMD
"c:\users\admin\appdata\local\temp\rar$exa3296.6696\coca crypt\coca crypter cracked by xany.exe "
Path
c:\users\admin\appdata\local\temp\rar$exa3296.6696\coca crypt\coca crypter cracked by xany.exe 
Indicators
Parent process
Coca Crypter cracked by xany.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\rar$exa3296.6696\coca crypt\coca crypter cracked by xany.exe 
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\ntdll.dll
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\apphelp.dll

PID
2140
CMD
C:\Users\admin\AppData\Local\icsys.icn.exe
Path
C:\Users\admin\AppData\Local\icsys.icn.exe
Indicators
No indicators
Parent process
Coca Crypter cracked by xany.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft
Description
Version
1.00
Modules
Image
c:\users\admin\appdata\local\icsys.icn.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\psapi.dll

PID
2652
CMD
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Path
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Indicators
No indicators
Parent process
coca crypter cracked by xany.exe 
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft .NET Assembly Registration Utility
Version
4.6.1055.0 built by: NETFXREL2
Modules
Image
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\systemroot\system32\ntdll.dll

PID
3584
CMD
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Path
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Indicators
Parent process
coca crypter cracked by xany.exe 
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft .NET Assembly Registration Utility
Version
4.6.1055.0 built by: NETFXREL2
Modules
Image
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms\v4.0_4.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\bcrypt.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\4dfa27fdd6a4cce26f99585e1c744f9b\system.management.ni.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\microsoft.net\framework\v4.0.30319\wminet_utils.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.runteb92aa12#\c56771a9cfb87e660d60453e232abe27\system.runtime.serialization.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\smdiagnostics\4a2a848ea1fea1a74d5aa2f1c21c5ce8\smdiagnostics.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\46957030830964165644b52b0696c5d9\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\d86b080a37c60a872c82b912a2a63dac\system.xml.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\credssp.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.servd1dec626#\52e9ac689c75dd011f0f7e827551e985\system.servicemodel.internals.ni.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll

PID
2672
CMD
"C:\Users\admin\AppData\Local\Temp\Rar$EXa3296.8585\Coca Crypt\Coca Crypter cracked by xany.exe"
Path
C:\Users\admin\AppData\Local\Temp\Rar$EXa3296.8585\Coca Crypt\Coca Crypter cracked by xany.exe
Indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft
Description
Version
1.00
Modules
Image
c:\users\admin\appdata\local\temp\rar$exa3296.8585\coca crypt\coca crypter cracked by xany.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\rar$exa3296.8585\coca crypt\coca crypter cracked by xany.exe 
c:\users\admin\appdata\local\icsys.icn.exe

PID
2380
CMD
"c:\users\admin\appdata\local\temp\rar$exa3296.8585\coca crypt\coca crypter cracked by xany.exe "
Path
c:\users\admin\appdata\local\temp\rar$exa3296.8585\coca crypt\coca crypter cracked by xany.exe 
Indicators
No indicators
Parent process
Coca Crypter cracked by xany.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\rar$exa3296.8585\coca crypt\coca crypter cracked by xany.exe 
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\wininet.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\apphelp.dll
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe

PID
3280
CMD
C:\Users\admin\AppData\Local\icsys.icn.exe
Path
C:\Users\admin\AppData\Local\icsys.icn.exe
Indicators
No indicators
Parent process
Coca Crypter cracked by xany.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft
Description
Version
1.00
Modules
Image
c:\users\admin\appdata\local\icsys.icn.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\psapi.dll

PID
764
CMD
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Path
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Indicators
No indicators
Parent process
coca crypter cracked by xany.exe 
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft .NET Assembly Registration Utility
Version
4.6.1055.0 built by: NETFXREL2
Modules
Image
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms\v4.0_4.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\bcrypt.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\4dfa27fdd6a4cce26f99585e1c744f9b\system.management.ni.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\microsoft.net\framework\v4.0.30319\wminet_utils.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
3716
CMD
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\Rar$DIa3296.9477\coca crypter cracked by xany.exe 
Path
C:\Windows\system32\rundll32.exe
Indicators
No indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll

PID
3116
CMD
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Path
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Indicators
No indicators
Parent process
coca crypter cracked by xany.exe 
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft .NET Assembly Registration Utility
Version
4.6.1055.0 built by: NETFXREL2
Modules
Image
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms\v4.0_4.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\bcrypt.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\4dfa27fdd6a4cce26f99585e1c744f9b\system.management.ni.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\microsoft.net\framework\v4.0.30319\wminet_utils.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
3700
CMD
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\Rar$DIa3296.10030\Offensive.log
Path
C:\Windows\system32\NOTEPAD.EXE
Indicators
No indicators
Parent process
WinRAR.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Notepad
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\notepad.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll

PID
3152
CMD
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Path
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Indicators
No indicators
Parent process
coca crypter cracked by xany.exe 
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Microsoft .NET Assembly Registration Utility
Version
4.6.1055.0 built by: NETFXREL2
Modules
Image
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll
c:\windows\system32\cryptbase.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\52cca48930e580e3189eac47158c20be\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\55560c2014611e9119f99923c9ebdeef\system.core.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\646b4b01cb29986f8e076aa65c9e9753\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\5aac750b35b27770dccb1a43f83cced7\system.windows.forms.ni.dll
c:\windows\microsoft.net\assembly\gac_msil\system.windows.forms\v4.0_4.0.0.0__b77a5c561934e089\system.windows.forms.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll

Registry activity

Total events
821
Read events
771
Write events
50
Delete events
0

Modification events

PID | Process | Operation | Key | Name | Value
3296 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | 
3296 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | 
3296 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | LanguageList | en-US
3296 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\Cracked_by_xany_1.zip
3296 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
3296 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
3296 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
3296 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
3296 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | @C:\Windows\system32\notepad.exe,-469 | Text Document
3296 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath | 0 | C:\Users\admin\AppData\Local\Temp\Cracked_by_xany_1
3296 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3296 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
3296 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | name | 120
3296 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | size | 80
3296 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | psize | 80
3296 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | type | 120
3296 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | mtime | 100
3296 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | crc | 70
2416 | Coca Crypter cracked by xany.exe | write | HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process | LO | 1
2512 | coca crypter cracked by xany.exe  | write | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows | Load | C:\Users\admin\AppData\Roaming\WerFault\dllhost.exe
2140 | icsys.icn.exe | write | HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process | LO | 1
3584 | RegAsm.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegAsm_RASAPI32 | EnableFileTracing | 0
3584 | RegAsm.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegAsm_RASAPI32 | EnableConsoleTracing | 0
3584 | RegAsm.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegAsm_RASAPI32 | FileTracingMask | 4294901760
3584 | RegAsm.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegAsm_RASAPI32 | ConsoleTracingMask | 4294901760
3584 | RegAsm.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegAsm_RASAPI32 | MaxFileSize | 1048576
3584 | RegAsm.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegAsm_RASAPI32 | FileDirectory | %windir%\tracing
3584 | RegAsm.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegAsm_RASMANCS | EnableFileTracing | 0
3584 | RegAsm.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegAsm_RASMANCS | EnableConsoleTracing | 0
3584 | RegAsm.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegAsm_RASMANCS | FileTracingMask | 4294901760
3584 | RegAsm.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegAsm_RASMANCS | ConsoleTracingMask | 4294901760
3584 | RegAsm.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegAsm_RASMANCS | MaxFileSize | 1048576
3584 | RegAsm.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RegAsm_RASMANCS | FileDirectory | %windir%\tracing
2672 | Coca Crypter cracked by xany.exe | write | HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process | LO | 1
3280 | icsys.icn.exe | write | HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process | LO | 1

Files activity

Executable files
16
Suspicious files
2
Text files
13
Unknown types
0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Cracked_by_xany_1\Coca Crypter cracked by xany.exe | executable | 4bb0a3628410f22f8f09fd0d122023c0 | e50c8234d3978e2eba1142f9b828596a2ea966abc5b327b3570bf16dd9999064
2416 | Coca Crypter cracked by xany.exe | C:\Users\admin\AppData\Local\icsys.icn.exe | executable | 26dc5244dc142929d393ab60b46737c5 | 4686ff2ce3f9fba3c3cb14613a5242aa7e22e50a9e6373193b1a0a73ef0c2b94
2416 | Coca Crypter cracked by xany.exe | C:\users\admin\appdata\local\temp\rar$exa3296.6696\coca crypt\coca crypter cracked by xany.exe  | executable | 883f9aeb777d701e39d592e0c3097419 | 4094c31d0fc028801c9b41199b0fd42d230656ce0cf0f708be4fb32069cb921f
3296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3296.6696\Coca Crypt\rundll.dll | executable | dc230a66f89b4e42e2330be22201ca1f | 895aeb8eedf46402211b8378c755cb4a15cc4e4f5064f1b9c665036f4acda29b
3296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3296.6696\Coca Crypt\Protectednow.exe, | executable | df5a4b14af0f968e83e2870a5e6e97e5 | fbbe6c205add543f314f19f4888dde5760d2585fe1e000110dd16f5a9caad7c3
3296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3296.8585\Coca Crypt\coca crypter cracked by xany.exe  | executable | 883f9aeb777d701e39d592e0c3097419 | 4094c31d0fc028801c9b41199b0fd42d230656ce0cf0f708be4fb32069cb921f
2672 | Coca Crypter cracked by xany.exe | C:\Users\admin\AppData\Local\icsys.icn.exe | executable | 26dc5244dc142929d393ab60b46737c5 | 4686ff2ce3f9fba3c3cb14613a5242aa7e22e50a9e6373193b1a0a73ef0c2b94
3296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Cracked_by_xany_1\rundll.dll | executable | dc230a66f89b4e42e2330be22201ca1f | 895aeb8eedf46402211b8378c755cb4a15cc4e4f5064f1b9c665036f4acda29b
2672 | Coca Crypter cracked by xany.exe | C:\users\admin\appdata\local\temp\rar$exa3296.8585\coca crypt\coca crypter cracked by xany.exe  | executable | 883f9aeb777d701e39d592e0c3097419 | 4094c31d0fc028801c9b41199b0fd42d230656ce0cf0f708be4fb32069cb921f
3296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Cracked_by_xany_1\Protectednow.exe, | executable | df5a4b14af0f968e83e2870a5e6e97e5 | fbbe6c205add543f314f19f4888dde5760d2585fe1e000110dd16f5a9caad7c3
3296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa3296.9477\coca crypter cracked by xany.exe  | executable | 883f9aeb777d701e39d592e0c3097419 | 4094c31d0fc028801c9b41199b0fd42d230656ce0cf0f708be4fb32069cb921f
3296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3296.8585\Coca Crypt\Coca Crypter cracked by xany.exe | executable | 4bb0a3628410f22f8f09fd0d122023c0 | e50c8234d3978e2eba1142f9b828596a2ea966abc5b327b3570bf16dd9999064
2512 | coca crypter cracked by xany.exe  | C:\Users\admin\AppData\Roaming\WerFault\dllhost.exe | executable | 5b82e9c13b8d733b30a395d313429dcd | b8ea0042926715daec2e74eafeac01d0e37a568b761a97466f17dfa94e0aa9b2
3296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3296.8585\Coca Crypt\Protectednow.exe, | executable | df5a4b14af0f968e83e2870a5e6e97e5 | fbbe6c205add543f314f19f4888dde5760d2585fe1e000110dd16f5a9caad7c3
3296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3296.8585\Coca Crypt\rundll.dll | executable | dc230a66f89b4e42e2330be22201ca1f | 895aeb8eedf46402211b8378c755cb4a15cc4e4f5064f1b9c665036f4acda29b
3296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3296.6696\Coca Crypt\Coca Crypter cracked by xany.exe | executable | 4bb0a3628410f22f8f09fd0d122023c0 | e50c8234d3978e2eba1142f9b828596a2ea966abc5b327b3570bf16dd9999064
3296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\__rzi_3296.7419 | –– | –– | ––
3296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Cracked_by_xany_1.zip | compressed | 205232ad832663203356131fd2196db4 | a7fa72a948de119dc992b231fd304376308e02125944bd33ccf3f75d3a6e2bbc
3296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Cracked_by_xany_1\Offensive.log | text | 0b77f3ff4c33545a4471bd023e7e5e47 | 56ded75c0dbdc32638acf9cb4ae2af79f56f021bc8fe2ff15bda48a0bfe9ed84
2416 | Coca Crypter cracked by xany.exe | C:\Users\admin\AppData\Local\Temp\~DF7AE0C9B00C4D4D7A.TMP | –– | –– | ––
3296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\__rzi_3296.9129 | –– | –– | ––
2672 | Coca Crypter cracked by xany.exe | C:\Users\admin\AppData\Local\Temp\~DFC366C3AB0DB82392.TMP | –– | –– | ––
3296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3296.8585\Coca Crypt\Xenos.log | text | 2bda7cb956f940caabf0bee94736cae1 | 5e999eef58c480da07a629da0ecafe7954ee9aa1b8b5fe879a17ceb0cfefd06c
3296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3296.6696\Coca Crypt\XenosCurrentProfile.xpr | text | 2d8d5adfccca966ae064650b4d38348b | 1ff1c0710f87b2f19a981b9bd65a9a695ad16b3ac9c03d6e76b5ef6362e5909a
3296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3296.6696\Coca Crypt\Xenos.log | text | 2bda7cb956f940caabf0bee94736cae1 | 5e999eef58c480da07a629da0ecafe7954ee9aa1b8b5fe879a17ceb0cfefd06c
3296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3296.8585\Coca Crypt\XenosCurrentProfile.xpr | text | 2d8d5adfccca966ae064650b4d38348b | 1ff1c0710f87b2f19a981b9bd65a9a695ad16b3ac9c03d6e76b5ef6362e5909a
3296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3296.6696\Coca Crypt\readme.txt | text | 56cf8081f04ed9d2cd937d90c0043d9d | b791929d120c84040de8dbb5f67192c4765b2fca412363e668a3d0f6370309dc
3296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3296.8585\Coca Crypt\readme.txt | text | 56cf8081f04ed9d2cd937d90c0043d9d | b791929d120c84040de8dbb5f67192c4765b2fca412363e668a3d0f6370309dc
3296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3296.6696\Coca Crypt\Offensive.log | text | 0b77f3ff4c33545a4471bd023e7e5e47 | 56ded75c0dbdc32638acf9cb4ae2af79f56f021bc8fe2ff15bda48a0bfe9ed84
3296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa3296.10030\Offensive.log | text | 0b77f3ff4c33545a4471bd023e7e5e47 | 56ded75c0dbdc32638acf9cb4ae2af79f56f021bc8fe2ff15bda48a0bfe9ed84
3296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Cracked_by_xany_1\Xenos.log | text | 2bda7cb956f940caabf0bee94736cae1 | 5e999eef58c480da07a629da0ecafe7954ee9aa1b8b5fe879a17ceb0cfefd06c
3296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Cracked_by_xany_1\XenosCurrentProfile.xpr | text | 2d8d5adfccca966ae064650b4d38348b | 1ff1c0710f87b2f19a981b9bd65a9a695ad16b3ac9c03d6e76b5ef6362e5909a
3296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3296.8585\Coca Crypt\Offensive.log | text | 0b77f3ff4c33545a4471bd023e7e5e47 | 56ded75c0dbdc32638acf9cb4ae2af79f56f021bc8fe2ff15bda48a0bfe9ed84
3296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Cracked_by_xany_1\readme.txt | text | 56cf8081f04ed9d2cd937d90c0043d9d | b791929d120c84040de8dbb5f67192c4765b2fca412363e668a3d0f6370309dc
3296 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Cracked_by_xany_1.zip | compressed | d304a9db887274ac10f3349568d3e153 | 67c2ccee2812149782dcca63a1d87772049c60e9316c08b102fea5fd1defb400
2140 | icsys.icn.exe | C:\Users\admin\AppData\Local\Temp\~DF37B205F8B025EA94.TMP | –– | –– | ––
3280 | icsys.icn.exe | C:\Users\admin\AppData\Local\Temp\~DF2A7D76E8022C32BE.TMP | –– | –– | ––

Network activity

HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
1
Threats
5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3584 | RegAsm.exe | GET | 200 | 185.194.141.58:80 | http://ip-api.com/json/ | DE | text |  | shared

Connections

PID | Process | IP | ASN | CN | Reputation
3584 | RegAsm.exe | 185.194.141.58:80 | netcup GmbH | DE | malicious
3584 | RegAsm.exe | 104.248.42.215:4782 |  | US | malicious

DNS requests

Domain | IP | Reputation
ip-api.com | 185.194.141.58 | shared

Threats

PID | Process | Class | Message
3584 | RegAsm.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com
3584 | RegAsm.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
3584 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] Quasar 1.3 RAT IP Lookup ip-api.com (HTTP headeer)
3584 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] Quasar RAT

1 ETPRO signature available in the full report

Debug output strings

No debug info.