Malware analysis 6f0db4c220dd426d1eef5aff9dada2384df7ab961052f27501dcbe17de783a5d Malicious activity

Add for printing

File name:	6f0db4c220dd426d1eef5aff9dada2384df7ab961052f27501dcbe17de783a5d
Full analysis:	https://app.any.run/tasks/390f68f8-8b26-4e15-9bfe-09c8521315ca
Verdict:	Malicious activity
Threats:	RisePro, an information-stealing malware, targets a wide range of sensitive data, including credit cards, passwords, and cryptocurrency wallets. By compromising infected devices, RisePro can steal valuable information and potentially cause significant financial and personal losses for victims. Malware Trends Tracker >>>
Analysis date:	July 21, 2025, 01:08:46
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	enigma antivm risepro delphi
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:	45866C464C8F50A614324B1F88571523
SHA1:	9804C11269E1581BCDBA178AAFCC7363E9DD2FE6
SHA256:	6F0DB4C220DD426D1EEF5AFF9DADA2384DF7AB961052F27501DCBE17DE783A5D
SSDEEP:	49152:CttggUyZ7EkpaIuVh2jyI4FDALYkNaAvAysVhCPiTi2RYC/hV5glMHlUgGm+kzZf:WtgQVFpRuV8yIqCYksAvt8hjTh1FUMH5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- RISEPRO has been detected (YARA)
  - 6f0db4c220dd426d1eef5aff9dada2384df7ab961052f27501dcbe17de783a5d.exe (PID: 5436)
SUSPICIOUS
- There is functionality for VM detection VirtualBox (YARA)
  - 6f0db4c220dd426d1eef5aff9dada2384df7ab961052f27501dcbe17de783a5d.exe (PID: 5436)
- There is functionality for taking screenshot (YARA)
  - 6f0db4c220dd426d1eef5aff9dada2384df7ab961052f27501dcbe17de783a5d.exe (PID: 5436)
INFO
- Checks supported languages
  - 6f0db4c220dd426d1eef5aff9dada2384df7ab961052f27501dcbe17de783a5d.exe (PID: 5436)
- Reads the computer name
  - 6f0db4c220dd426d1eef5aff9dada2384df7ab961052f27501dcbe17de783a5d.exe (PID: 5436)
- Enigma protector has been detected
  - 6f0db4c220dd426d1eef5aff9dada2384df7ab961052f27501dcbe17de783a5d.exe (PID: 5436)
- Compiled with Borland Delphi (YARA)
  - 6f0db4c220dd426d1eef5aff9dada2384df7ab961052f27501dcbe17de783a5d.exe (PID: 5436)
- Create files in a temporary directory
  - 6f0db4c220dd426d1eef5aff9dada2384df7ab961052f27501dcbe17de783a5d.exe (PID: 5436)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

RisePro

(PID) Process(5436) 6f0db4c220dd426d1eef5aff9dada2384df7ab961052f27501dcbe17de783a5d.exe

C2 (1)193.233.132.62:50500

Strings (477)SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins

\Elements Browser\User Data

Sollet

\Coinomi

POP3 Password

demoInfo

\logins.json

merge_browser_data

ChromiumViewer

Profiles/

hnfanknocfeofbddgcijnmhnfnkdnaad

kpfopkelmapcoipemfendmdcghnegimn

\NetboxBrowser\User Data

Kometa

Dragon

EOS Authenticator

\Wasabi

/ %s

Battle.net

\key4.db

Keyboard Languages:

\config

mark_check_history

MewCx

An uncaught exception occurred_ip1. The type was unknown so no information was available.

\Games

\information.txt

\ICQ\0001

jobA3

\Comodo\User Data

mcohilncbfahbmgdjkbpemcciiolgcge

ProcessorNameString

\Discord

coin98

nanjmdknhkinifnkgdcggcfnhdaammmj

slickSlideAnd

Computer Name: %s

XDEFI Wallet

[Processes]

\bither.db

Chedot

CocCoc

Display Language: %ws

GoldCoin (GLD)

Citrio

\NVIDIA Corporation\NVIDIA GeForce Experience

history

Phantom

mark_check_cookies

uCozMedia

iWallet

\accounts.json

pdadjkfkgcafgbceimcpbkalnfnepbnk

Elements Browser

An uncaught exception occurred_ip2. The type was unknown so no information was available.

SELECT host_key, is_httponly, path, is_secure, expires_utc, name, value, encrypted_value FROM cookies

\Jaxx

\Battle.net

Daedalus Mainnet

User Name: %s

\.minecraft\launcher_profiles.json

An uncaught exception occurred1. The type was unknown so no information was available.

api.myip.com/

CentBrowser

\uCozMedia\Uran\User Data

Terra

Finnie

logins

password

\databases

\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer

An uncaught exception occurred1:

amkmjjmmflddogmhpjloimipbofnfjih

ookjlbkiijinhpmnjffcofjonbfbgaoc

PaliWallet

DashCore

\BraveSoftware\Brave-Browser\User Data

\MultiDoge

An uncaught exception occurred_ip0_2. The type was unknown so no information was available.

Namecoin

\.feather\accounts.json

Harmony

USERPROFILE

Iridium

HARDWARE\DESCRIPTION\System\CentralProcessor\0

Sender Wallet

APPDATA

\Sync Extension Settings\

\discorddevelopment

\cert9.db

kkpllkodjeloidieedojogacfhpaihoh

Mincoin

C:\program files (x86)\steam

Solflare

\Electrum-LTC\wallets

Florincoin

mark_check_passwords

SOFTWARE\Microsoft\Cryptography

acmacodkjbdgmoleebolmdjonilkdbch

https://

Terracoin

Reddcoin

epapihdplajcdnnkdeiahlgigofloibg

[Hardware]

MathWallet

devcoin

oeljdldpnmdbchonielidgobddffflal

value

names

Web Data

Authenticator

\Session Storage

ld_geo

hmeobnfnfcmdkdcmlblgagmfpfboieaf

Storage: %s

CryptoTab

Outlook

ffnbelfdoeiohenkjibnmadjiehjhajb

\Growtopia\save.dat

bhghoamapcdpbohphigoooaddinpkbai

cert8.db

\accounts.xml

DiscordCanary

key3.db

os_crypt

\Chromium\User Data

\Torch\User Data

\signons.sqlite

\LocalPrefs.json

log_watermark_line_1

ejjladinnckdgjemekebdpeokbikhfci

NetboxBrowser

Torch

api64.ipify.org/?format=json

kmhcihpebfmpgmihbkipmjlmmioameka

encrypted_key

Infinitecoin

\Element\Local Storage

An uncaught exception occurred_ip0_1. The type was unknown so no information was available.

Coowon

Storage: %s [%s]

SELECT name_on_card, exp_month, exp_year, last_four, nickname FROM masked_credit_cards

\MapleStudio\ChromePlus\User Data

Anoncoin

ICONex

grab_vpn

jnkelfanjkeadonecabehalmbgpfodjm

NeoLine

\Exodus\exodus.wallet

Token: %s

VideoCard #%d: %s

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Petra Aptos Wallet

SMTP Password

\CURRENT

An uncaught exception occurred_ip0_2:

Franko

E-MAIL: %s

Ledger Live

Yandex

Network\

UserName: %s

#.B}T

gtokens

blnieiiffboillknjnepogjhkgnoapac

log_watermark_line_2

\Armory

HWID: %s

fihkakfobkmkjojpchpfgcmhfjnmnfpi

grab_messengers

\ElectrumLTC

TronLink

\Vivaldi\User Data

\discordcanary

An uncaught exception occurred_ip4. The type was unknown so no information was available.

Amigo

kncchdigobghenbbaddojjnnaogfppfj

Path: %s

Hashpack

aholpfdialjgjfhomihkjbmgjidlcdno

formSubmitURL

EMartian Aptos Wallet

CPU Count: %d

\OpenVPN Connect\profiles

Keplr

lpfcbjknijpeeillifnkikgncikgfhdo

ibnejdfjmmkpcnlpebklmnkoeoihofec

Bolt X

grab_ftp

\launcher_profiles.json

\Growtopia

EQUALWallet

An uncaught exception occurred_ip1:

odbfpeeihdkbihmopkbjmoonfanlbfcl

\Opera Software

aodkkagnadcbobfpggfnjeongemjbjca

\Electrum\wallets

IP: %s

\cert8.db

\Ethereum\wallets

LocalPrefs.json

digitalcoin

Megacoin

DiscordDevelopment

%s [%d]

imloifkgjagghnncjkhggdhalmcnfklk

cnmamaachppnkjgnildpdmkaakejnhae

\Google\Chrome\User Data

\Coowon\Coowon\User Data

\7Star\7Star\User Data

MetaMask

\Ethereum

\Minecraft

\ElectronCash

fhmfendgdocmcbmfikdcogofphimnkno

\GoogleAccounts

\Microsoft\Skype for Desktop\Local Storage

OKX Wallet

config

YACoin

cert9.db

aiifbnbfobpmeekipheeijimdpnlpgpp

\com.liberty.jaxx

jojhfeoedkpkglbfimdfabpdfjaoolaf

This program is a virus. Do you really want to run it?

ld_name

\Maxthon3\User Data

CyanoWallet

IOCoin

\accounts.txt

BinanceChainWallet

Opera Wallet

Freicoin

nkddgncdjgjfcddamfgcmfnlhccnimig

Opera

\save.dat

Date: %s

\Signal

country

HTTP Password

\Uran\User Data

Eth and Polk Web3 Wallet

DisplayVersion

An uncaught exception occurred_ip4:

\MultiDoge\multidoge.wallet

phkbamefinggmakgklpkljjmgibohnba

use_hvnc

nlbmnnijcnlegkjjpcfjclmcfggfefdm

\Messengers

gojhcdgcpbpfigcaejpfhfegekdgiblk

dmkamcknogkgcdfhhbddcghachkejeap

%s\%s

1.1.1.1

\discordptb

key4.db

jbdaocneiiinmjbjlgalhcelgbejmnid

\Pidgin

Oxygen

Vivaldi

Maxthon3

\360Browser\Browser\User Data

b.B}T

Eternl

mnfifefkajgofkcjkemidiaecocnkjeh

Version: %s

mark_countries

\Atomic

\Chromodo\User Data

hpglfhgfnhbgpjdenjgmdgoeiappafln

Discord

\Mail.Ru\Atom\User Data

\key3.db

\Jaxx Liberty

\Amigo\User\User Data

bfnaelmomeimhlpmgjnjophhpkkoljpa

\Kometa\User Data

\wcx_ftp.ini

Jaxx Liberty Extension

\CatalinaGroup\Citrio\User Data

\tlauncher_profiles.json

\liebao\User Data

NiftyWallet

\Browsers

mark_domains

Chromodo

\Jaxx\Local Storage

Yoroi

profile

LiqualityWallet

\atomic\Local Storage

\.lunarclient\settings\games\accounts.txt

\K-Melon\User Data

\Passwords.txt

www.maxmind.com/geoip/v2.1/city/me

Sputnik

\Guarda

360Browser

\foxmail.txt

ProductName

Leap Terra Wallet

CloverWallet

SaturnWallet

\CocCoc\Browser\User Data

grab_tg

Steam

liebao

grab_ihistory

DiscordPTB

\GHISLER\wcx_ftp.ini

GuildWallet

aijcbedoijmgnlmjeegjaglmepbmpkpi

Local Time: %d/%d/%d %d:%d:%d

Display Resolution: %dx%d

Windows: %s [%s]

\Exodus

\.tlauncher\mcl\Minecraft\game\tlauncher_profiles.json

Trezor Password Manager

RAM: %u MB

Guarda

BitAppWallet

An uncaught exception occurred_ip2:

Epic Privacy Browser

dkdedlpgdmmkkfjabffeganieamfklkm

\Cookies.txt

\CentBrowser\User Data

\Bither\bither.db

\Epic Privacy Browser\User Data

jobA4

Warning!

Wombat

Orbitum

hcflpincpppdclinealmandijcmnkbgn

Work Dir: %s

countryCode

WavesKeeper

\Sputnik\Sputnik\User Data

\WalletWasabi\Client\Wallets

ilgcnhelpchnceeipipijaljkblbcobl

\.minecraft\launcher_accounts.json

\ElectronCash\wallets

Coinbase

[Software]

\Element

\launcher_msa_credentials.bin

Chromium

Exodus_E

\profiles.ini

fhilaheimglignddkjgofkcbgekhenbh

\Comodo\Dragon\User Data

\passwords.txt

flpiciilemghbmfalicajoolhkkenfel

TezBox

\Skype

\ey_tokens.txt

Braavos wallet

iso_code

fhbohimaelbohpjbbldcngcnapndodjp

nkbihfbeogaeaoehlefnkodbefgpgknn

RoninWallet

7Star

Trust Wallet

\multidoge.wallet

SMTP Server

Zcash

\.purple

jnlgamecbpmbajjfhmmmlhejkemejdma

BraveWallet

Password: %s

\app-store.json

ForboleX

Local State

Chrome

\Binance\app-store.json

Bitcoin

\config.json

SOFTWARE\Microsoft\Windows NT\CurrentVersion

\Iridium\User Data

Maiar DeFi Wallet

\CryptoTab Browser\User Data

\Coinomi\Coinomi\wallets

C:\program files\steam

\History

MachineGuid

\Monero

\Network

efbglgofoippbgcjepnhiblaibcnclgk

URL: %s

EVER Wallet

Ixcoin

lpilbniiabackdjcionkobglmddfbcjo

Location: %s, %s

bgpipimickeadkjlklgciifhnalhdjhe

\Google(x86)\Chrome\User Data

\Orbitum\User Data

cgeeodpfagjceefieflmdfphplkenlfk

ChromePlus

\OpenVPN Connect

mgffkfbidihjpoaomajlbgchddlicgpn

Chrome (x86)

\Bither

GAuth Authenticator

\Cookies

\Yandex\YandexBrowser\User Data

BBQCoin

fnnegphlobjdpkhecapkijjdkgcjhkib

Temple

aeachknmefphepccionboohckonoeemg

WININET.DLL

\TLauncher

fmblappgoiilbgafhjklehhfifbdocee

\Steam

DisplayName

nhnkbkgjikgcigadomkphalanndcapjk

Rabby

NVIDIA

QIP Surf

GeroWallet

\discord.txt

KardiaChain

afbcbjpbpfadlkmhmclhkeeodmamcflc

History

\IndexedDB

\Nichrome\User Data

\launcher_accounts.json

grab_ds

\LunarClient

Pontem Aptos Wallet

PolymeshWallet

cphhlgmgameodnhkjdmkpanlelnlohao

\FeatherClient

K-Melon

LOCALAPPDATA

grab_screen

cards

Primecoin

Brave

AuroWallet

\QIP Surf\User Data

db-ip.com/demo/home.php?s=

ipinfo.io/widget/demo/

dngmlblcodfobpdpecaadgfbcggfjfnm

ld_marks

gjagmgiddbbciopjhllkdnddhcglnemk

\Monero\wallets

cjmkndjhnagcfbpiemnkdpomccnjblmj

\Electrum

aaaaa

grab_wallets

Nichrome

NtTerminateProcess

An uncaught exception occurred_ip0_1:

bhhhlbepdkbapadjdnnojkbgioiodbic

\Chedot\User Data

grab_games

\Binance

\FileZilla

Dogecoin

Comodo

Processor: %s

\Local Storage

%s [%s]

\Microsoft\Edge\User Data

fnjhmkhhmkbjkkabndcnnogagogbneec

Unknown

\TotalCommander

ld_url

cjelfplplebdjjenllpjcblmjkfcffne

HVNC.dll

egjidjbpglichdcondbcbdnbeeppgdph

Litecoin

log_watermark_line_3

\.minecraft\launcher_msa_credentials.bin

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:01:20 12:42:03+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.34
CodeSize:	1088000
InitializedDataSize:	223744
UninitializedDataSize:	-
EntryPoint:	0x4e13f0
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

137

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

320

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

5436

"C:\Users\admin\AppData\Local\Temp\6f0db4c220dd426d1eef5aff9dada2384df7ab961052f27501dcbe17de783a5d.exe"

C:\Users\admin\AppData\Local\Temp\6f0db4c220dd426d1eef5aff9dada2384df7ab961052f27501dcbe17de783a5d.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\appdata\local\temp\6f0db4c220dd426d1eef5aff9dada2384df7ab961052f27501dcbe17de783a5d.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

RisePro

(PID) Process(5436) 6f0db4c220dd426d1eef5aff9dada2384df7ab961052f27501dcbe17de783a5d.exe

C2 (1)193.233.132.62:50500

Strings (477)SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins

\Elements Browser\User Data

Sollet

\Coinomi

POP3 Password

demoInfo

\logins.json

merge_browser_data

ChromiumViewer

Profiles/

hnfanknocfeofbddgcijnmhnfnkdnaad

kpfopkelmapcoipemfendmdcghnegimn

\NetboxBrowser\User Data

Kometa

Dragon

EOS Authenticator

\Wasabi

/ %s

Battle.net

\key4.db

Keyboard Languages:

\config

mark_check_history

MewCx

An uncaught exception occurred_ip1. The type was unknown so no information was available.

\Games

\information.txt

\ICQ\0001

jobA3

\Comodo\User Data

mcohilncbfahbmgdjkbpemcciiolgcge

ProcessorNameString

\Discord

coin98

nanjmdknhkinifnkgdcggcfnhdaammmj

slickSlideAnd

Computer Name: %s

XDEFI Wallet

[Processes]

\bither.db

Chedot

CocCoc

Display Language: %ws

GoldCoin (GLD)

Citrio

\NVIDIA Corporation\NVIDIA GeForce Experience

history

Phantom

mark_check_cookies

uCozMedia

iWallet

\accounts.json

pdadjkfkgcafgbceimcpbkalnfnepbnk

Elements Browser

An uncaught exception occurred_ip2. The type was unknown so no information was available.

SELECT host_key, is_httponly, path, is_secure, expires_utc, name, value, encrypted_value FROM cookies

\Jaxx

\Battle.net

Daedalus Mainnet

User Name: %s

\.minecraft\launcher_profiles.json

An uncaught exception occurred1. The type was unknown so no information was available.

api.myip.com/

CentBrowser

\uCozMedia\Uran\User Data

Terra

Finnie

logins

password

\databases

\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer

An uncaught exception occurred1:

amkmjjmmflddogmhpjloimipbofnfjih

ookjlbkiijinhpmnjffcofjonbfbgaoc

PaliWallet

DashCore

\BraveSoftware\Brave-Browser\User Data

\MultiDoge

An uncaught exception occurred_ip0_2. The type was unknown so no information was available.

Namecoin

\.feather\accounts.json

Harmony

USERPROFILE

Iridium

HARDWARE\DESCRIPTION\System\CentralProcessor\0

Sender Wallet

APPDATA

\Sync Extension Settings\

\discorddevelopment

\cert9.db

kkpllkodjeloidieedojogacfhpaihoh

Mincoin

C:\program files (x86)\steam

Solflare

\Electrum-LTC\wallets

Florincoin

mark_check_passwords

SOFTWARE\Microsoft\Cryptography

acmacodkjbdgmoleebolmdjonilkdbch

https://

Terracoin

Reddcoin

epapihdplajcdnnkdeiahlgigofloibg

[Hardware]

MathWallet

devcoin

oeljdldpnmdbchonielidgobddffflal

value

names

Web Data

Authenticator

\Session Storage

ld_geo

hmeobnfnfcmdkdcmlblgagmfpfboieaf

Storage: %s

CryptoTab

Outlook

ffnbelfdoeiohenkjibnmadjiehjhajb

\Growtopia\save.dat

bhghoamapcdpbohphigoooaddinpkbai

cert8.db

\accounts.xml

DiscordCanary

key3.db

os_crypt

\Chromium\User Data

\Torch\User Data

\signons.sqlite

\LocalPrefs.json

log_watermark_line_1

ejjladinnckdgjemekebdpeokbikhfci

NetboxBrowser

Torch

api64.ipify.org/?format=json

kmhcihpebfmpgmihbkipmjlmmioameka

encrypted_key

Infinitecoin

\Element\Local Storage

An uncaught exception occurred_ip0_1. The type was unknown so no information was available.

Coowon

Storage: %s [%s]

SELECT name_on_card, exp_month, exp_year, last_four, nickname FROM masked_credit_cards

\MapleStudio\ChromePlus\User Data

Anoncoin

ICONex

grab_vpn

jnkelfanjkeadonecabehalmbgpfodjm

NeoLine

\Exodus\exodus.wallet

Token: %s

VideoCard #%d: %s

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Petra Aptos Wallet

SMTP Password

\CURRENT

An uncaught exception occurred_ip0_2:

Franko

E-MAIL: %s

Ledger Live

Yandex

Network\

UserName: %s

#.B}T

gtokens

blnieiiffboillknjnepogjhkgnoapac

log_watermark_line_2

\Armory

HWID: %s

fihkakfobkmkjojpchpfgcmhfjnmnfpi

grab_messengers

\ElectrumLTC

TronLink

\Vivaldi\User Data

\discordcanary

An uncaught exception occurred_ip4. The type was unknown so no information was available.

Amigo

kncchdigobghenbbaddojjnnaogfppfj

Path: %s

Hashpack

aholpfdialjgjfhomihkjbmgjidlcdno

formSubmitURL

EMartian Aptos Wallet

CPU Count: %d

\OpenVPN Connect\profiles

Keplr

lpfcbjknijpeeillifnkikgncikgfhdo

ibnejdfjmmkpcnlpebklmnkoeoihofec

Bolt X

grab_ftp

\launcher_profiles.json

\Growtopia

EQUALWallet

An uncaught exception occurred_ip1:

odbfpeeihdkbihmopkbjmoonfanlbfcl

\Opera Software

aodkkagnadcbobfpggfnjeongemjbjca

\Electrum\wallets

IP: %s

\cert8.db

\Ethereum\wallets

LocalPrefs.json

digitalcoin

Megacoin

DiscordDevelopment

%s [%d]

imloifkgjagghnncjkhggdhalmcnfklk

cnmamaachppnkjgnildpdmkaakejnhae

\Google\Chrome\User Data

\Coowon\Coowon\User Data

\7Star\7Star\User Data

MetaMask

\Ethereum

\Minecraft

\ElectronCash

fhmfendgdocmcbmfikdcogofphimnkno

\GoogleAccounts

\Microsoft\Skype for Desktop\Local Storage

OKX Wallet

config

YACoin

cert9.db

aiifbnbfobpmeekipheeijimdpnlpgpp

\com.liberty.jaxx

jojhfeoedkpkglbfimdfabpdfjaoolaf

This program is a virus. Do you really want to run it?

ld_name

\Maxthon3\User Data

CyanoWallet

IOCoin

\accounts.txt

BinanceChainWallet

Opera Wallet

Freicoin

nkddgncdjgjfcddamfgcmfnlhccnimig

Opera

\save.dat

Date: %s

\Signal

country

HTTP Password

\Uran\User Data

Eth and Polk Web3 Wallet

DisplayVersion

An uncaught exception occurred_ip4:

\MultiDoge\multidoge.wallet

phkbamefinggmakgklpkljjmgibohnba

use_hvnc

nlbmnnijcnlegkjjpcfjclmcfggfefdm

\Messengers

gojhcdgcpbpfigcaejpfhfegekdgiblk

dmkamcknogkgcdfhhbddcghachkejeap

%s\%s

1.1.1.1

\discordptb

key4.db

jbdaocneiiinmjbjlgalhcelgbejmnid

\Pidgin

Oxygen

Vivaldi

Maxthon3

\360Browser\Browser\User Data

b.B}T

Eternl

mnfifefkajgofkcjkemidiaecocnkjeh

Version: %s

mark_countries

\Atomic

\Chromodo\User Data

hpglfhgfnhbgpjdenjgmdgoeiappafln

Discord

\Mail.Ru\Atom\User Data

\key3.db

\Jaxx Liberty

\Amigo\User\User Data

bfnaelmomeimhlpmgjnjophhpkkoljpa

\Kometa\User Data

\wcx_ftp.ini

Jaxx Liberty Extension

\CatalinaGroup\Citrio\User Data

\tlauncher_profiles.json

\liebao\User Data

NiftyWallet

\Browsers

mark_domains

Chromodo

\Jaxx\Local Storage

Yoroi

profile

LiqualityWallet

\atomic\Local Storage

\.lunarclient\settings\games\accounts.txt

\K-Melon\User Data

\Passwords.txt

www.maxmind.com/geoip/v2.1/city/me

Sputnik

\Guarda

360Browser

\foxmail.txt

ProductName

Leap Terra Wallet

CloverWallet

SaturnWallet

\CocCoc\Browser\User Data

grab_tg

Steam

liebao

grab_ihistory

DiscordPTB

\GHISLER\wcx_ftp.ini

GuildWallet

aijcbedoijmgnlmjeegjaglmepbmpkpi

Local Time: %d/%d/%d %d:%d:%d

Display Resolution: %dx%d

Windows: %s [%s]

\Exodus

\.tlauncher\mcl\Minecraft\game\tlauncher_profiles.json

Trezor Password Manager

RAM: %u MB

Guarda

BitAppWallet

An uncaught exception occurred_ip2:

Epic Privacy Browser

dkdedlpgdmmkkfjabffeganieamfklkm

\Cookies.txt

\CentBrowser\User Data

\Bither\bither.db

\Epic Privacy Browser\User Data

jobA4

Warning!

Wombat

Orbitum

hcflpincpppdclinealmandijcmnkbgn

Work Dir: %s

countryCode

WavesKeeper

\Sputnik\Sputnik\User Data

\WalletWasabi\Client\Wallets

ilgcnhelpchnceeipipijaljkblbcobl

\.minecraft\launcher_accounts.json

\ElectronCash\wallets

Coinbase

[Software]

\Element

\launcher_msa_credentials.bin

Chromium

Exodus_E

\profiles.ini

fhilaheimglignddkjgofkcbgekhenbh

\Comodo\Dragon\User Data

\passwords.txt

flpiciilemghbmfalicajoolhkkenfel

TezBox

\Skype

\ey_tokens.txt

Braavos wallet

iso_code

fhbohimaelbohpjbbldcngcnapndodjp

nkbihfbeogaeaoehlefnkodbefgpgknn

RoninWallet

7Star

Trust Wallet

\multidoge.wallet

SMTP Server

Zcash

\.purple

jnlgamecbpmbajjfhmmmlhejkemejdma

BraveWallet

Password: %s

\app-store.json

ForboleX

Local State

Chrome

\Binance\app-store.json

Bitcoin

\config.json

SOFTWARE\Microsoft\Windows NT\CurrentVersion

\Iridium\User Data

Maiar DeFi Wallet

\CryptoTab Browser\User Data

\Coinomi\Coinomi\wallets

C:\program files\steam

\History

MachineGuid

\Monero

\Network

efbglgofoippbgcjepnhiblaibcnclgk

URL: %s

EVER Wallet

Ixcoin

lpilbniiabackdjcionkobglmddfbcjo

Location: %s, %s

bgpipimickeadkjlklgciifhnalhdjhe

\Google(x86)\Chrome\User Data

\Orbitum\User Data

cgeeodpfagjceefieflmdfphplkenlfk

ChromePlus

\OpenVPN Connect

mgffkfbidihjpoaomajlbgchddlicgpn

Chrome (x86)

\Bither

GAuth Authenticator

\Cookies

\Yandex\YandexBrowser\User Data

BBQCoin

fnnegphlobjdpkhecapkijjdkgcjhkib

Temple

aeachknmefphepccionboohckonoeemg

WININET.DLL

\TLauncher

fmblappgoiilbgafhjklehhfifbdocee

\Steam

DisplayName

nhnkbkgjikgcigadomkphalanndcapjk

Rabby

NVIDIA

QIP Surf

GeroWallet

\discord.txt

KardiaChain

afbcbjpbpfadlkmhmclhkeeodmamcflc

History

\IndexedDB

\Nichrome\User Data

\launcher_accounts.json

grab_ds

\LunarClient

Pontem Aptos Wallet

PolymeshWallet

cphhlgmgameodnhkjdmkpanlelnlohao

\FeatherClient

K-Melon

LOCALAPPDATA

grab_screen

cards

Primecoin

Brave

AuroWallet

\QIP Surf\User Data

db-ip.com/demo/home.php?s=

ipinfo.io/widget/demo/

dngmlblcodfobpdpecaadgfbcggfjfnm

ld_marks

gjagmgiddbbciopjhllkdnddhcglnemk

\Monero\wallets

cjmkndjhnagcfbpiemnkdpomccnjblmj

\Electrum

aaaaa

grab_wallets

Nichrome

NtTerminateProcess

An uncaught exception occurred_ip0_1:

bhhhlbepdkbapadjdnnojkbgioiodbic

\Chedot\User Data

grab_games

\Binance

\FileZilla

Dogecoin

Comodo

Processor: %s

\Local Storage

%s [%s]

\Microsoft\Edge\User Data

fnjhmkhhmkbjkkabndcnnogagogbneec

Unknown

\TotalCommander

ld_url

cjelfplplebdjjenllpjcblmjkfcffne

HVNC.dll

egjidjbpglichdcondbcbdnbeeppgdph

Litecoin

log_watermark_line_3

\.minecraft\launcher_msa_credentials.bin

Add for printing

Total events

236

Read events

235

Write events

Delete events

Modification events


(PID) Process:	(5436) 6f0db4c220dd426d1eef5aff9dada2384df7ab961052f27501dcbe17de783a5d.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Enigma Protector\BB3DF1FDBB935E9B-50AFA6E27F8A32AF\1D23E801FF916F1C-DF69CE3484AE41BB
Operation:	write	Name:	AEF6E8B3
Value: 131F8A4BC3DE68A2588FDFBA3747

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
5436	6f0db4c220dd426d1eef5aff9dada2384df7ab961052f27501dcbe17de783a5d.exe	C:\Users\admin\AppData\Local\Temp\F59E91F8		binary
		MD5:8E24A58D014E790F4CBA385433173F41	SHA256:4793EC8365FC7316829D9F5013AE4255EE8A04BC9D429481795DDED97429B82A

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
892	svchost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
1496	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
1496	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5944	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
188	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5944	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
892	svchost.exe	20.190.160.2:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 51.104.136.2 20.73.194.208 40.127.240.158	whitelisted
google.com	142.250.184.206	whitelisted
crl.microsoft.com	23.48.23.143 23.48.23.156	whitelisted
www.microsoft.com	23.35.229.160 95.101.149.131	whitelisted
login.live.com	20.190.160.2 20.190.160.64 40.126.32.68 20.190.160.3 20.190.160.130 20.190.160.132 20.190.160.66 20.190.160.14	whitelisted
ocsp.digicert.com	184.30.131.245	whitelisted
slscr.update.microsoft.com	52.149.20.212	whitelisted
fe3cr.delivery.mp.microsoft.com	20.242.39.171	whitelisted
self.events.data.microsoft.com	51.132.193.104	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

6f0db4c220dd426d1eef5aff9dada2384df7ab961052f27501dcbe17de783a5d

45866C464C8F50A614324B1F88571523

9804C11269E1581BCDBA178AAFCC7363E9DD2FE6

6F0DB4C220DD426D1EEF5AFF9DADA2384DF7AB961052F27501DCBE17DE783A5D

49152:CttggUyZ7EkpaIuVh2jyI4FDALYkNaAvAysVhCPiTi2RYC/hV5glMHlUgGm+kzZf:WtgQVFpRuV8yIqCYksAvt8hjTh1FUMH5

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

RISEPRO has been detected (YARA)

SUSPICIOUS

There is functionality for VM detection VirtualBox (YARA)

There is functionality for taking screenshot (YARA)

INFO

Checks supported languages

Reads the computer name

Enigma protector has been detected

Compiled with Borland Delphi (YARA)

Create files in a temporary directory

Malware configuration

RisePro

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Malware configuration

RisePro

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings