File name:

15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe

Full analysis: https://app.any.run/tasks/2a8375e2-56b9-44b8-97f0-b59c07074932
Verdict: Malicious activity
Threats:

RisePro, an information-stealing malware, targets a wide range of sensitive data, including credit cards, passwords, and cryptocurrency wallets. By compromising infected devices, RisePro can steal valuable information and potentially cause significant financial and personal losses for victims.

Analysis date: May 27, 2024, 16:51:33
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
risepro
stealer
evasion
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

119F67B2AC7EB36C17560948015FBF89

SHA1:

2E16D385ACBC27A8ECCC1AE590358B89CBD89208

SHA256:

15EFEA8C372D3049265FC02DAE7DEEF2FE362F8B8788D32626E3D8EF88E35081

SSDEEP:

49152:IvNGYQke0H+7Ewx3qxFoS8xEUYqCaAUaJ6qxUZTZFUT32T+QYfJeIMSL76:IvUJh0e7mF+/rALtxUZToTu+QUJeIMSv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
    • Changes the autorun value in the registry

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
    • RISEPRO has been detected (YARA)

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
      • IEUpdater2663.exe (PID: 6440)
    • Uses Task Scheduler to run other applications

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
    • RISEPRO has been detected (SURICATA)

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
    • Uses Task Scheduler to autorun other applications

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
    • Executes application which crashes

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
    • Checks for external IP

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
    • Reads security settings of Internet Explorer

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
    • Reads the date of Windows installation

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
    • Device Retrieving External IP Address Detected

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
    • Starts itself from another location

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
    • Connects to unusual port

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
  • INFO

    • Checks supported languages

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
      • IEUpdater2663.exe (PID: 6440)
    • Creates files or folders in the user directory

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
      • WerFault.exe (PID: 624)
      • WerFault.exe (PID: 7128)
      • WerFault.exe (PID: 1172)
      • WerFault.exe (PID: 5004)
      • WerFault.exe (PID: 4148)
      • WerFault.exe (PID: 5920)
      • WerFault.exe (PID: 1016)
      • WerFault.exe (PID: 6304)
      • WerFault.exe (PID: 6456)
      • WerFault.exe (PID: 6944)
    • Reads the computer name

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
    • Creates files in the program directory

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
    • Create files in a temporary directory

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
    • Reads the machine GUID from the registry

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
    • Reads the software policy settings

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
      • WerFault.exe (PID: 6456)
    • Checks proxy server information

      • WerFault.exe (PID: 6456)
    • Process checks computer location settings

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

RisePro

(PID) Process(6264) 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
C2 (1)
118.194.235.187:50500
Strings (55)
VaultOpenVault
\GHISLER\wcx_ftp.ini
\.minecraft\launcher_profiles.json
\.feather\accounts.json
\OpenVPN Connect\profiles
S,{w_6
\Session Storage
\Games
\Minecraft
\databases
\accounts.xml
logins
\TotalCommander
VaultGetItem
\launcher_accounts.json
\launcher_msa_credentials.bin
\tlauncher_profiles.json
\FeatherClient
WSASend
\LunarClient
\accounts.txt
\Element
\ICQ\0001
\save.dat
\Growtopia\save.dat
C:\program files\steam
\config.json
\.purple
\Element\Local Storage
\Microsoft\Skype for Desktop\Local Storage
\OpenVPN Connect
\Signal
\config
\TLauncher
\Local Storage
\Growtopia
\accounts.json
\FileZilla
frug?0
\Pidgin
C:\program files (x86)\steam
APPDATA
\Messengers
\launcher_profiles.json
J~|Hw
\ey_tokens.txt
VaultCloseVault
\.lunarclient\settings\games\accounts.txt
UaEt,
\wcx_ftp.ini
\Steam
\.minecraft\launcher_accounts.json
\Battle.net
\.minecraft\launcher_msa_credentials.bin
\Skype
(PID) Process(6440) IEUpdater2663.exe
C2 (1)
118.194.235.187:50500
Strings (55)
VaultOpenVault
\GHISLER\wcx_ftp.ini
\.minecraft\launcher_profiles.json
\.feather\accounts.json
\OpenVPN Connect\profiles
S,{w_6
\Session Storage
\Games
\Minecraft
\databases
\accounts.xml
logins
\TotalCommander
VaultGetItem
\launcher_accounts.json
\launcher_msa_credentials.bin
\tlauncher_profiles.json
\FeatherClient
WSASend
\LunarClient
\accounts.txt
\Element
\ICQ\0001
\save.dat
\Growtopia\save.dat
C:\program files\steam
\config.json
\.purple
\Element\Local Storage
\Microsoft\Skype for Desktop\Local Storage
\OpenVPN Connect
\Signal
\config
\TLauncher
\Local Storage
\Growtopia
\accounts.json
\FileZilla
frug?0
\Pidgin
C:\program files (x86)\steam
APPDATA
\Messengers
\launcher_profiles.json
J~|Hw
\ey_tokens.txt
VaultCloseVault
\.lunarclient\settings\games\accounts.txt
UaEt,
\wcx_ftp.ini
\Steam
\.minecraft\launcher_accounts.json
\Battle.net
\.minecraft\launcher_msa_credentials.bin
\Skype
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:11:28 11:00:41+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 58368
InitializedDataSize: 43264000
UninitializedDataSize: -
EntryPoint: 0x44c7
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 58.0.0.0
ProductVersionNumber: 71.0.0.0
FileFlagsMask: 0x960a
FileFlags: (none)
FileOS: Unknown (0x20323)
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Unknown (0328)
CharacterSet: Unknown (24E6)
FileVersions: 35.8.57.66
InternalName: Storm
FileDescription: Viernes
LegalCopyright: Copyrights (C) 2023, fulletien
OriginalFilenames: Filezera
ProductName: Viemende
ProductVersions: 57.2.96.2
No data.
All screenshots are available in the full report
Total processes
148
Monitored processes
21
Malicious processes
2
Suspicious processes
0

Behavior graph

start
  • #RISEPRO 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
  • schtasks.exe (no specs)
  • conhost.exe (no specs)
  • schtasks.exe (no specs)
  • conhost.exe (no specs)
  • werfault.exe (no specs)
  • werfault.exe (no specs)
  • werfault.exe (no specs)
  • werfault.exe (no specs)
  • werfault.exe (no specs)
  • werfault.exe (no specs)
  • werfault.exe (no specs)
  • schtasks.exe (no specs)
  • conhost.exe (no specs)
  • schtasks.exe (no specs)
  • conhost.exe (no specs)
  • werfault.exe (no specs)
  • werfault.exe (no specs)
  • ieupdater2663.exe (no specs)
  • #RISEPRO ieupdater2663.exe
  • werfault.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
624
CMD:
C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6264 -s 1068
Path:
C:\Windows\SysWOW64\WerFault.exe
Parent process:
15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID:
1016
CMD:
C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6264 -s 1972
Path:
C:\Windows\SysWOW64\WerFault.exe
Parent process:
15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID:
1172
CMD:
C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6264 -s 1008
Path:
C:\Windows\SysWOW64\WerFault.exe
Parent process:
15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID:
3808
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
schtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
4148
CMD:
C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6264 -s 1876
Path:
C:\Windows\SysWOW64\WerFault.exe
Parent process:
15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID:
5004
CMD:
C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6264 -s 1012
Path:
C:\Windows\SysWOW64\WerFault.exe
Parent process:
15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID:
5032
CMD:
schtasks /create /f /RU "admin" /tr "C:\ProgramData\IEUpdater2663\IEUpdater2663.exe" /tn "IEUpdater2663 HR" /sc HOURLY /rl HIGHEST
Path:
C:\Windows\SysWOW64\schtasks.exe
Parent process:
15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
5860
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
schtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
5920
CMD:
C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6264 -s 1428
Path:
C:\Windows\SysWOW64\WerFault.exe
Parent process:
15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID:
6168
CMD:
schtasks /create /f /RU "admin" /tr "C:\ProgramData\IEUpdater2663\IEUpdater2663.exe" /tn "IEUpdater2663 LG" /sc ONLOGON /rl HIGHEST
Path:
C:\Windows\SysWOW64\schtasks.exe
Parent process:
15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
29 696
Read events
29 686
Write events
10
Delete events
0

Modification events

(PID) Process:
(6264) 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:
write
Name:
RageMP2663
Value:
C:\Users\admin\AppData\Local\RageMP2663\RageMP2663.exe

(PID) Process:
(6264) 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:
write
Name:
LegalHelper2663
Value:
C:\Users\admin\AppData\Local\LegalHelper2663\LegalHelper2663.exe

(PID) Process:
(6264) 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
ProxyBypass
Value:
1

(PID) Process:
(6264) 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
IntranetName
Value:
1

(PID) Process:
(6264) 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
UNCAsIntranet
Value:
1

(PID) Process:
(6264) 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:
write
Name:
AutoDetect
Value:
0
Executable files
4
Suspicious files
20
Text files
21
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID:
6944
Process:
WerFault.exe
Filename:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_15efea8c372d3049_b2a4dc95cf42eeacd672eeccac8de3f0fd53_a3d2165e_5e4ba744-4b17-495e-b8a9-55a767ec0408\Report.wer
Type:
MD5:
SHA256:

PID:
7128
Process:
WerFault.exe
Filename:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_15efea8c372d3049_b2a4dc95cf42eeacd672eeccac8de3f0fd53_a3d2165e_c303273c-8962-4a00-b254-2f48f6c1eff0\Report.wer
Type:
MD5:
SHA256:

PID:
5004
Process:
WerFault.exe
Filename:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_15efea8c372d3049_b2a4dc95cf42eeacd672eeccac8de3f0fd53_a3d2165e_de061075-d095-47bb-8b5a-ca25b854c081\Report.wer
Type:
MD5:
SHA256:

PID:
1172
Process:
WerFault.exe
Filename:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_15efea8c372d3049_b2a4dc95cf42eeacd672eeccac8de3f0fd53_a3d2165e_2b70363d-c086-4063-8ed3-882e9e0388d1\Report.wer
Type:
MD5:
SHA256:

PID:
6944
Process:
WerFault.exe
Filename:
C:\ProgramData\Microsoft\Windows\WER\Temp\WER746D.tmp.dmp
Type:
dmp
MD5:
607BEC85FF5519D7B595BF283DF3E5E8
SHA256:
45C0C4EE9813AAED15C3D356EC980180C8779F0E01CD6582BA81034B5CAC4B8B

PID:
6264
Process:
15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
Filename:
C:\Users\admin\AppData\Local\Temp\rage2663MP.tmp
Type:
text
MD5:
F82672B634460B5C45D746065BADE793
SHA256:
C6D6245639FDF4454F0E3BE7747EF562584E2FC0B5F71926C184602E55ECA5A5

PID:
5004
Process:
WerFault.exe
Filename:
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7EBD.tmp.dmp
Type:
binary
MD5:
75E4FE76EACAD6D2BE29AD0260849F29
SHA256:
D98C9A321E38563C73F6C6B17DE19239B172EC520A32B68E036B57D458DD4767

PID:
624
Process:
WerFault.exe
Filename:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_15efea8c372d3049_b2a4dc95cf42eeacd672eeccac8de3f0fd53_a3d2165e_1c2bea07-e2fc-4a54-8048-54ceb5d94e68\Report.wer
Type:
MD5:
SHA256:

PID:
7128
Process:
WerFault.exe
Filename:
C:\Users\admin\AppData\Local\CrashDumps\15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe(1).6264.dmp
Type:
binary
MD5:
D04C268E197C232122DB62CDD56F0837
SHA256:
B0AECEF2D3F4883FC967C9FC3DEFB213252F1E70864A18A36D1031826565F6B4

PID:
6264
Process:
15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
Filename:
C:\Users\admin\AppData\Local\RageMP2663\RageMP2663.exe
Type:
executable
MD5:
119F67B2AC7EB36C17560948015FBF89
SHA256:
15EFEA8C372D3049265FC02DAE7DEEF2FE362F8B8788D32626E3D8EF88E35081
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
26
DNS requests
9
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5548
RUXIMICS.exe
GET
200
92.122.157.90:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
5448
svchost.exe
GET
200
92.122.157.90:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
5140
MoUsoCoreWorker.exe
GET
200
92.122.89.124:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
5548
RUXIMICS.exe
GET
200
92.122.89.124:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
5140
MoUsoCoreWorker.exe
GET
200
92.122.157.90:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
5448
svchost.exe
GET
200
92.122.89.124:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
2908
OfficeClickToRun.exe
POST
200
51.116.246.104:443
https://self.events.data.microsoft.com/OneCollector/1.0/
unknown
binary
9 b
unknown
6264
15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
GET
200
34.117.186.192:443
https://ipinfo.io/widget/demo/216.24.213.92
unknown
binary
979 b
unknown
GET
200
104.26.4.15:443
https://db-ip.com/demo/home.php?s=216.24.213.92
unknown
binary
705 b
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
239.255.255.250:1900
unknown
5448
svchost.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5548
RUXIMICS.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5140
MoUsoCoreWorker.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5548
RUXIMICS.exe
92.122.157.90:80
crl.microsoft.com
Akamai International B.V.
NL
unknown
5140
MoUsoCoreWorker.exe
92.122.157.90:80
crl.microsoft.com
Akamai International B.V.
NL
unknown
5448
svchost.exe
92.122.157.90:80
crl.microsoft.com
Akamai International B.V.
NL
unknown
5448
svchost.exe
92.122.89.124:80
www.microsoft.com
Akamai International B.V.
NL
unknown
5140
MoUsoCoreWorker.exe
92.122.89.124:80
www.microsoft.com
Akamai International B.V.
NL
unknown
5548
RUXIMICS.exe
92.122.89.124:80
www.microsoft.com
Akamai International B.V.
NL
unknown

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 92.122.157.90
  • 92.122.157.88
whitelisted
www.microsoft.com
  • 92.122.89.124
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
ipinfo.io
  • 34.117.186.192
shared
db-ip.com
  • 172.67.75.166
  • 104.26.4.15
  • 104.26.5.15
whitelisted
watson.events.data.microsoft.com
  • 104.208.16.94
whitelisted
self.events.data.microsoft.com
  • 52.168.117.168
whitelisted

Threats

PID
Process
Class
Message
6264
15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
A Network Trojan was detected
ET MALWARE RisePro TCP Heartbeat Packet
Malware Command and Control Activity Detected
STEALER [ANY.RUN] RisePro TCP (Token)
A Network Trojan was detected
ET MALWARE [ANY.RUN] RisePro TCP (Token)
6264
15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
Device Retrieving External IP Address Detected
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
6264
15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup SSL Cert Observed (ipinfo .io)
A Network Trojan was detected
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
Malware Command and Control Activity Detected
STEALER [ANY.RUN] RisePro TCP (activity)
Malware Command and Control Activity Detected
STEALER [ANY.RUN] RisePro TCP (get_settings)
Process
Message
15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
ret 345 fdhg r
15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
tr 656 56 65 8658 658hfty
15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
er er y try rtsdh
15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
h6rt hrd54