File name:

15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe

Full analysis: https://app.any.run/tasks/2a8375e2-56b9-44b8-97f0-b59c07074932
Verdict: Malicious activity
Threats:

RisePro, an information-stealing malware, targets a wide range of sensitive data, including credit cards, passwords, and cryptocurrency wallets. By compromising infected devices, RisePro can steal valuable information and potentially cause significant financial and personal losses for victims.

Analysis date: May 27, 2024, 16:51:33
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
risepro
stealer
evasion
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

119F67B2AC7EB36C17560948015FBF89

SHA1:

2E16D385ACBC27A8ECCC1AE590358B89CBD89208

SHA256:

15EFEA8C372D3049265FC02DAE7DEEF2FE362F8B8788D32626E3D8EF88E35081

SSDEEP:

49152:IvNGYQke0H+7Ewx3qxFoS8xEUYqCaAUaJ6qxUZTZFUT32T+QYfJeIMSL76:IvUJh0e7mF+/rALtxUZToTu+QUJeIMSv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • RISEPRO has been detected (YARA)

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
      • IEUpdater2663.exe (PID: 6440)
    • Uses Task Scheduler to autorun other applications

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
    • Uses Task Scheduler to run other applications

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
    • RISEPRO has been detected (SURICATA)

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
    • Changes the autorun value in the registry

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
    • Drops the executable file immediately after the start

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
    • Executes application which crashes

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
    • Connects to unusual port

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
    • Device Retrieving External IP Address Detected

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
    • Checks for external IP

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
    • Reads security settings of Internet Explorer

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
    • Reads the date of Windows installation

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
    • Starts itself from another location

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
  • INFO

    • Reads the computer name

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
    • Creates files or folders in the user directory

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
      • WerFault.exe (PID: 7128)
      • WerFault.exe (PID: 6944)
      • WerFault.exe (PID: 5004)
      • WerFault.exe (PID: 1172)
      • WerFault.exe (PID: 624)
      • WerFault.exe (PID: 5920)
      • WerFault.exe (PID: 1016)
      • WerFault.exe (PID: 4148)
      • WerFault.exe (PID: 6304)
      • WerFault.exe (PID: 6456)
    • Create files in a temporary directory

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
    • Creates files in the program directory

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
    • Checks supported languages

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
      • IEUpdater2663.exe (PID: 6440)
    • Reads the machine GUID from the registry

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
    • Reads the software policy settings

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
      • WerFault.exe (PID: 6456)
    • Checks proxy server information

      • WerFault.exe (PID: 6456)
    • Process checks computer location settings

      • 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe (PID: 6264)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

RisePro

PID 6264: 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
C2 (1):
118.194.235.187:50500
Strings (55):
VaultOpenVault
\GHISLER\wcx_ftp.ini
\.minecraft\launcher_profiles.json
\.feather\accounts.json
\OpenVPN Connect\profiles
S,{w_6
\Session Storage
\Games
\Minecraft
\databases
\accounts.xml
logins
\TotalCommander
VaultGetItem
\launcher_accounts.json
\launcher_msa_credentials.bin
\tlauncher_profiles.json
\FeatherClient
WSASend
\LunarClient
\accounts.txt
\Element
\ICQ\0001
\save.dat
\Growtopia\save.dat
C:\program files\steam
\config.json
\.purple
\Element\Local Storage
\Microsoft\Skype for Desktop\Local Storage
\OpenVPN Connect
\Signal
\config
\TLauncher
\Local Storage
\Growtopia
\accounts.json
\FileZilla
frug?0
\Pidgin
C:\program files (x86)\steam
APPDATA
\Messengers
\launcher_profiles.json
J~|Hw
\ey_tokens.txt
VaultCloseVault
\.lunarclient\settings\games\accounts.txt
UaEt,
\wcx_ftp.ini
\Steam
\.minecraft\launcher_accounts.json
\Battle.net
\.minecraft\launcher_msa_credentials.bin
\Skype
PID 6440: IEUpdater2663.exe
C2 (1):
118.194.235.187:50500
Strings (55): identical to the 55 strings extracted from PID 6264 above.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:11:28 11:00:41+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 58368
InitializedDataSize: 43264000
UninitializedDataSize: -
EntryPoint: 0x44c7
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 58.0.0.0
ProductVersionNumber: 71.0.0.0
FileFlagsMask: 0x960a
FileFlags: (none)
FileOS: Unknown (0x20323)
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Unknown (0328)
CharacterSet: Unknown (24E6)
FileVersions: 35.8.57.66
InternalName: Storm
FileDescription: Viernes
LegalCopyright: Copyrights (C) 2023, fulletien
OriginalFilenames: Filezera
ProductName: Viemende
ProductVersions: 57.2.96.2
All screenshots are available in the full report
Total processes
148
Monitored processes
21
Malicious processes
2
Suspicious processes
0

Behavior graph

start
  • #RISEPRO 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
  • schtasks.exe (no specs)
  • conhost.exe (no specs)
  • schtasks.exe (no specs)
  • conhost.exe (no specs)
  • werfault.exe (no specs), 7 instances
  • schtasks.exe (no specs)
  • conhost.exe (no specs)
  • schtasks.exe (no specs)
  • conhost.exe (no specs)
  • werfault.exe (no specs), 2 instances
  • ieupdater2663.exe (no specs)
  • #RISEPRO ieupdater2663.exe
  • werfault.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 624
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6264 -s 1068
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 1016
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6264 -s 1972
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 1172
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6264 -s 1008
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 3808
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4148
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6264 -s 1876
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 5004
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6264 -s 1012
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 5032
CMD: schtasks /create /f /RU "admin" /tr "C:\ProgramData\IEUpdater2663\IEUpdater2663.exe" /tn "IEUpdater2663 HR" /sc HOURLY /rl HIGHEST
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 5860
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5920
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6264 -s 1428
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 6168
CMD: schtasks /create /f /RU "admin" /tr "C:\ProgramData\IEUpdater2663\IEUpdater2663.exe" /tn "IEUpdater2663 LG" /sc ONLOGON /rl HIGHEST
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
29 696
Read events
29 686
Write events
10
Delete events
0

Modification events

Process (PID 6264): 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: RageMP2663
Value: C:\Users\admin\AppData\Local\RageMP2663\RageMP2663.exe

Process (PID 6264): 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: LegalHelper2663
Value: C:\Users\admin\AppData\Local\LegalHelper2663\LegalHelper2663.exe

Process (PID 6264): 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process (PID 6264): 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process (PID 6264): 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process (PID 6264): 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0
Executable files
4
Suspicious files
20
Text files
21
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 6944
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_15efea8c372d3049_b2a4dc95cf42eeacd672eeccac8de3f0fd53_a3d2165e_5e4ba744-4b17-495e-b8a9-55a767ec0408\Report.wer
MD5:
SHA256:

PID: 7128
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_15efea8c372d3049_b2a4dc95cf42eeacd672eeccac8de3f0fd53_a3d2165e_c303273c-8962-4a00-b254-2f48f6c1eff0\Report.wer
MD5:
SHA256:

PID: 5004
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_15efea8c372d3049_b2a4dc95cf42eeacd672eeccac8de3f0fd53_a3d2165e_de061075-d095-47bb-8b5a-ca25b854c081\Report.wer
MD5:
SHA256:

PID: 1172
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_15efea8c372d3049_b2a4dc95cf42eeacd672eeccac8de3f0fd53_a3d2165e_2b70363d-c086-4063-8ed3-882e9e0388d1\Report.wer
MD5:
SHA256:

PID: 6264
Process: 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
Filename: C:\ProgramData\MPGPH2663\MPGPH2663.exe
Type: executable
MD5: 119F67B2AC7EB36C17560948015FBF89
SHA256: 15EFEA8C372D3049265FC02DAE7DEEF2FE362F8B8788D32626E3D8EF88E35081

PID: 6264
Process: 15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
Filename: C:\Users\admin\AppData\Local\RageMP2663\RageMP2663.exe
Type: executable
MD5: 119F67B2AC7EB36C17560948015FBF89
SHA256: 15EFEA8C372D3049265FC02DAE7DEEF2FE362F8B8788D32626E3D8EF88E35081

PID: 6944
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7568.tmp.WERInternalMetadata.xml
Type: xml
MD5: 9CED518C5C1A508E6DE76F318F978552
SHA256: 6AD03AFE571152BB6C9DEA76C89ADBFD159313C5E68E837B0C4D120872C896E5

PID: 624
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_15efea8c372d3049_b2a4dc95cf42eeacd672eeccac8de3f0fd53_a3d2165e_1c2bea07-e2fc-4a54-8048-54ceb5d94e68\Report.wer
MD5:
SHA256:

PID: 7128
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7CDA.tmp.WERInternalMetadata.xml
Type: xml
MD5: 5B243B8329B164F9C846ECBFF78C7ABE
SHA256: EEF6828FED1653FB99F75614F3ACEC780EF291EBDC823C0830173974B1A0EE92

PID: 6944
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7598.tmp.xml
Type: xml
MD5: D7EC20C874A099AB738F03714DC0FCD1
SHA256: 690C1D813DD34139B0E945656B2B5920FAB380E6ED1C1A91E6157CDCA9422E14
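The persistence chain visible across the process, registry and dropped-file tables (two schtasks /create calls with /rl HIGHEST pointing at C:\ProgramData\IEUpdater2663\, two HKCU Run values pointing into AppData\Local, and two copies of the sample written under ProgramData and AppData that carry the original SHA256) is one cluster and should be detected as such, not as three unrelated alerts. Both schtasks invocations exited with code 1, which is consistent with task creation failing from a medium-integrity process, yet IEUpdater2663.exe still ran (PID 6440), so a rule keyed on the attempt rather than the outcome is the right shape. The Python below is an added example and not ANY.RUN's code: its input records are constructed from the values on this page using Sysmon-like field names (EventID 1 process create, EventID 13 registry value set; HKCU is written instead of Sysmon's HKU\<SID> form for readability), the benign "Vendor Update" task is an invented control, and the shared-trailing-digits correlation (all four artefact names end in 2663) is my own heuristic, not something the report states.

```python
"""
Host-side detection of the persistence cluster in this report. Added example,
not ANY.RUN code. Event records are constructed from the page's process,
registry and dropped-file tables with Sysmon-like field names; this is not a
real log export.
"""
import re
from dataclasses import dataclass

SAMPLE_SHA256 = "15EFEA8C372D3049265FC02DAE7DEEF2FE362F8B8788D32626E3D8EF88E35081"

PROCESS_EVENTS = [  # EventID 1: process create
    {"EventID": 1, "ProcessId": 5032, "ParentProcessId": 6264,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'schtasks /create /f /RU "admin" /tr "C:\ProgramData\IEUpdater2663\IEUpdater2663.exe" '
                    r'/tn "IEUpdater2663 HR" /sc HOURLY /rl HIGHEST'},
    {"EventID": 1, "ProcessId": 6168, "ParentProcessId": 6264,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'schtasks /create /f /RU "admin" /tr "C:\ProgramData\IEUpdater2663\IEUpdater2663.exe" '
                    r'/tn "IEUpdater2663 LG" /sc ONLOGON /rl HIGHEST'},
    # Invented benign control (not in the report): vendor updater in Program Files.
    {"EventID": 1, "ProcessId": 7000, "ParentProcessId": 1000,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Vendor Update" /tr "C:\Program Files\Vendor\update.exe" /sc DAILY'},
]
REGISTRY_EVENTS = [  # EventID 13: registry value set (HKCU used instead of HKU\<SID>)
    {"EventID": 13, "ProcessId": 6264,
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP2663",
     "Details": r"C:\Users\admin\AppData\Local\RageMP2663\RageMP2663.exe"},
    {"EventID": 13, "ProcessId": 6264,
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LegalHelper2663",
     "Details": r"C:\Users\admin\AppData\Local\LegalHelper2663\LegalHelper2663.exe"},
    {"EventID": 13, "ProcessId": 6264,  # ZoneMap tweak from the report: not persistence, must not fire
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass",
     "Details": "1"},
]
DROPPED_FILES = [  # from "Dropped files": both copies carry the sample's own hash
    {"ProcessId": 6264, "Path": r"C:\ProgramData\MPGPH2663\MPGPH2663.exe", "SHA256": SAMPLE_SHA256},
    {"ProcessId": 6264, "Path": r"C:\Users\admin\AppData\Local\RageMP2663\RageMP2663.exe", "SHA256": SAMPLE_SHA256},
]

# Locations a standard user can write to; autoruns pointing here deserve a look.
USER_WRITABLE = re.compile(r"^C:\\(ProgramData|Users\\[^\\]+\\AppData)\\", re.IGNORECASE)
TR_ARG = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
TN_ARG = re.compile(r'/tn\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
RUN_VALUE = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
TRAILING_DIGITS = re.compile(r"(\d{4})$")


@dataclass(frozen=True)
class Finding:
    pid: int      # process responsible: parent of schtasks, or writer of the key/file
    rule: str
    name: str     # task name, Run value name, or dropped file name
    target: str   # the executable the autorun points at


def _arg(rx, cmdline):
    m = rx.search(cmdline)
    return (m.group(1) or m.group(2) or "") if m else ""


def detect(process_events, registry_events, dropped_files, sample_sha256):
    findings = []
    for ev in process_events:
        cl = ev["CommandLine"]
        if not (ev["Image"].lower().endswith("\\schtasks.exe") and "/create" in cl.lower()):
            continue
        target = _arg(TR_ARG, cl)
        if USER_WRITABLE.match(target) and "/rl highest" in cl.lower():
            findings.append(Finding(ev["ParentProcessId"], "schtasks_persistence", _arg(TN_ARG, cl), target))
    for ev in registry_events:
        m = RUN_VALUE.search(ev["TargetObject"])
        if m and USER_WRITABLE.match(ev["Details"]):
            findings.append(Finding(ev["ProcessId"], "run_key_persistence", m.group(1), ev["Details"]))
    for f in dropped_files:
        if f["SHA256"].upper() == sample_sha256.upper() and USER_WRITABLE.match(f["Path"]):
            findings.append(Finding(f["ProcessId"], "self_copy", f["Path"].rsplit("\\", 1)[-1], f["Path"]))
    return findings


def correlate_suffix(findings):
    """My heuristic, not from the report: distinct artefact names from one PID
    that share four trailing digits (here *2663) were minted by one generator."""
    groups = {}
    for f in findings:
        parts = f.name.split()
        if not parts:
            continue
        stem = re.sub(r"\.exe$", "", parts[0], flags=re.IGNORECASE)
        m = TRAILING_DIGITS.search(stem)
        if m:
            groups.setdefault((f.pid, m.group(1)), set()).add(stem)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= 2}


if __name__ == "__main__":
    found = detect(PROCESS_EVENTS, REGISTRY_EVENTS, DROPPED_FILES, SAMPLE_SHA256)
    for f in found:
        print(f"PID {f.pid}: {f.rule:22} {f.name!r:24} -> {f.target}")
    print("correlated clusters:", correlate_suffix(found))
```

Run as a script it prints six findings, all attributed to PID 6264, and one correlated cluster of four names ending in 2663. The ZoneMap writes and the invented Program Files task are deliberately left out: the ZoneMap values are not autoruns, and a task pointing at an admin-only location without /rl HIGHEST is ordinary software behaviour.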
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
26
DNS requests
9
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5448
svchost.exe
GET
200
92.122.157.90:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
5140
MoUsoCoreWorker.exe
GET
200
92.122.89.124:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
5548
RUXIMICS.exe
GET
200
92.122.89.124:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
5448
svchost.exe
GET
200
92.122.89.124:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
6264
15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
GET
200
34.117.186.192:443
https://ipinfo.io/widget/demo/216.24.213.92
unknown
binary
979 b
2908
OfficeClickToRun.exe
POST
200
51.116.246.104:443
https://self.events.data.microsoft.com/OneCollector/1.0/
unknown
binary
9 b
GET
200
104.26.4.15:443
https://db-ip.com/demo/home.php?s=216.24.213.92
unknown
binary
705 b
5140
MoUsoCoreWorker.exe
GET
200
92.122.157.90:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
5548
RUXIMICS.exe
GET
200
92.122.157.90:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
239.255.255.250:1900
unknown
5448
svchost.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5548
RUXIMICS.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5140
MoUsoCoreWorker.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5548
RUXIMICS.exe
92.122.157.90:80
crl.microsoft.com
Akamai International B.V.
NL
unknown
5140
MoUsoCoreWorker.exe
92.122.157.90:80
crl.microsoft.com
Akamai International B.V.
NL
unknown
5448
svchost.exe
92.122.157.90:80
crl.microsoft.com
Akamai International B.V.
NL
unknown
5448
svchost.exe
92.122.89.124:80
www.microsoft.com
Akamai International B.V.
NL
unknown
5140
MoUsoCoreWorker.exe
92.122.89.124:80
www.microsoft.com
Akamai International B.V.
NL
unknown
5548
RUXIMICS.exe
92.122.89.124:80
www.microsoft.com
Akamai International B.V.
NL
unknown

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 92.122.157.90
  • 92.122.157.88
whitelisted
www.microsoft.com
  • 92.122.89.124
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
ipinfo.io
  • 34.117.186.192
shared
db-ip.com
  • 172.67.75.166
  • 104.26.4.15
  • 104.26.5.15
whitelisted
watson.events.data.microsoft.com
  • 104.208.16.94
whitelisted
self.events.data.microsoft.com
  • 52.168.117.168
whitelisted

Threats

PID
Process
Class
Message
6264
15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
A Network Trojan was detected
ET MALWARE RisePro TCP Heartbeat Packet
Malware Command and Control Activity Detected
STEALER [ANY.RUN] RisePro TCP (Token)
A Network Trojan was detected
ET MALWARE [ANY.RUN] RisePro TCP (Token)
6264
15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
Device Retrieving External IP Address Detected
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
6264
15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup SSL Cert Observed (ipinfo .io)
A Network Trojan was detected
ET MALWARE [ANY.RUN] RisePro TCP (Activity)
Malware Command and Control Activity Detected
STEALER [ANY.RUN] RisePro TCP (activity)
Malware Command and Control Activity Detected
STEALER [ANY.RUN] RisePro TCP (get_settings)
Process
Message
15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
ret 345 fdhg r
15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
tr 656 56 65 8658 658hfty
15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
er er y try rtsdh
15efea8c372d3049265fc02dae7deef2fe362f8b8788d32626e3d8ef88e35081.exe
h6rt hrd54