File name:

Prynt – Stealthy Malware.zip

Full analysis: https://app.any.run/tasks/ddf0b62f-0fee-4921-8fee-da1ab46e4fd0
Verdict: Malicious activity
Threats:

PrivateLoader is a malware family created specifically to infect computer systems and drop additional malicious programs. It operates under a pay-per-install business model: the operators are paid for each successful deployment of a customer's payload, which may be a trojan, a stealer, or ransomware.

Analysis date: April 22, 2024, 13:17:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
risepro
privateloader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
MD5:

62A552D31CCE699E5CB1599FAF1CA148

SHA1:

A32C4A2E3DC986C29CC645FE0D388F777DADB79F

SHA256:

771AE79F27524FE97CDC462E8F1D9BB8D79A1BACAD75B683917B7642C850C41C

SSDEEP:

49152:vFcjcIehdXSopI9vrbP9Sw8wh8wn5m3gxYFOhDJ4J5F+rvSG3eeMBJdD0XFLdU/p:v2S/mrRh8LQxnhDJ4JqbSG3eeMBDw50P

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 1288)
    • PRIVATELOADER has been detected (YARA)

      • 4aa12984de37ac1fb650f1196e88fb5a64707e571382d641e1c70ce82e89cf0a.exe (PID: 2740)
    • RISEPRO has been detected (YARA)

      • 4aa12984de37ac1fb650f1196e88fb5a64707e571382d641e1c70ce82e89cf0a.exe (PID: 2740)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 1288)
    • Connects to unusual port

      • 4aa12984de37ac1fb650f1196e88fb5a64707e571382d641e1c70ce82e89cf0a.exe (PID: 2740)
  • INFO

    • Checks supported languages

      • 4aa12984de37ac1fb650f1196e88fb5a64707e571382d641e1c70ce82e89cf0a.exe (PID: 2740)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1288)

PrivateLoader

(PID) Process(2740) 4aa12984de37ac1fb650f1196e88fb5a64707e571382d641e1c70ce82e89cf0a.exe
C2 (4):
discord.com/api/v9/users/@me
api64.ipify.org/?format=json
ipinfo.io/widget/demo/
db-ip.com/demo/home.php?s=
Strings (303):
winhttp.dll
wininet.dll
LocalSimbl
LocalSimba
grab_screen
grab_tg
grab_ds
grab_wallets
grab_ihistory
logins
Vault_IE
WindowsCredentials
\screenshot.png
\Files
\FileZilla
\Plugins
IndexedDB
Local
\Wallets
%s %llu
nickname
name_on_card
card_number
last_four
**** **** ****
billing_address_id
exp_month
exp_year
expiration_month
\Autofill
value
%s %s
\Downloads
%s %s
domain
expirationDate
secure
FALSE
httpOnly
%s %s %s %s %llu %s %s
\passwords.txt
login
password
profile
Storage: %s [%s] URL: %s Login: %s Password: %s
\discord.txt
Storage: %s UserName: %s E-MAIL: %s Token: %s
nss3.dll
autofill
download_history
cookies
history
Authenticator
bhghoamapcdpbohphigoooaddinpkbai
MetaMask
nkbihfbeogaeaoehlefnkodbefgpgknn
Jaxx Liberty Extension
cjelfplplebdjjenllpjcblmjkfcffne
iWallet
kncchdigobghenbbaddojjnnaogfppfj
BitAppWallet
fihkakfobkmkjojpchpfgcmhfjnmnfpi
SaturnWallet
nkddgncdjgjfcddamfgcmfnlhccnimig
GuildWallet
nanjmdknhkinifnkgdcggcfnhdaammmj
MewCx
nlbmnnijcnlegkjjpcfjclmcfggfefdm
Wombat
amkmjjmmflddogmhpjloimipbofnfjih
CloverWallet
nhnkbkgjikgcigadomkphalanndcapjk
NeoLine
cphhlgmgameodnhkjdmkpanlelnlohao
RoninWallet
fnjhmkhhmkbjkkabndcnnogagogbneec
LiqualityWallet
kpfopkelmapcoipemfendmdcghnegimn
EQUALWallet
blnieiiffboillknjnepogjhkgnoapac
Guarda
hpglfhgfnhbgpjdenjgmdgoeiappafln
Coinbase
Local State
Login Data
Login Data For Account
Web Data
History
cards
Cookies
An uncaught exception occurred1:
An uncaught exception occurred1. The type was unknown so no information was available.
\Mozilla\Firefox
Firefox
\Waterfox
Waterfox
\K-Meleon
K-Meleon
\Thunderbird
Thunderbird
\Comodo\IceDragon
IceDragon
\8pecxstudios\Cyberfox
Cyberfox
\NETGATE Technologies\BlackHaw
BlackHaw
\Moonchild Productions\Pale Moon
Pale Moon
\Discord
Discord
\discordcanary
DiscordCanary
\discordptb
DiscordPTB
\discorddevelopment
DiscordDevelopment
\Opera Software
Opera
\Google\Chrome\User Data
Chrome
\Microsoft\Edge\User Data
\BraveSoftware\Brave-Browser\User Data
Brave
\CryptoTab Browser\User Data
CryptoTab
\Battle.net
Battle.net
\Chromium\User Data
Chromium
\Google(x86)\Chrome\User Data
Chrome (x86)
\Yandex\YandexBrowser\User Data
Yandex
\NVIDIA Corporation\NVIDIA GeForce Experience
NVIDIA
\Steam
Steam
\Amigo\User\User Data
Amigo
\Iridium\User Data
Iridium
\MapleStudio\ChromePlus\User Data
ChromePlus
\7Star\7Star\User Data
rule_exceptions
rule_files
rule_folder
rule_size_kb
rule_collect_recursv
%DESKTOP%
%DOCUMENTS%
%USERPROFILE%
%APPDATA%
%LOCALAPPDATA%
%RECENT%
ld_marks
ld_geo
ld_url
mark_check_cookies
mark_check_passwords
mark_check_history
mark_domains
\Telegram Desktop
\tdata
\key_datas
\maps
\Telegram
VaultEnumerateItems
VaultEnumerateVaults
VaultGetItem
\profiles.ini
Profile
\places.sqlite
SELECT place_id, visit_date FROM(SELECT place_id, visit_date, id FROM moz_historyvisits ORDER BY id DESC LIMIT 2500) ORDER BY id ASC
SELECT url FROM moz_places WHERE (`id` =
\cookies.sqlite
SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
SELECT place_id, content FROM moz_annos WHERE (`anno_attribute_id` = 1)
file:///
\formhistory.sqlite
SELECT fieldname, value FROM moz_formhistory
\logins.json
\signons.sqlite
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
formSubmitURL
encryptedUsername
encryptedPassword
PK11_Authenticat
\Local State
os_crypt
encrypted_key
Local Storage\leveldb
dQw4w9WgXcQ:[^.*\['(.*)'\].*$][^"]*
dQw4w9WgXcQ:
discord.com/api/v9/users/@me
username
email
\CURRENT
\Sync Extension Settings\
\Local Extension Settings\
_0.indexeddb.leveldb\CURRENT
\IndexedDB\chrome-extension_
_0.indexeddb.leveldb
SELECT url, last_visit_time FROM(SELECT url, last_visit_time, id FROM urls ORDER BY id DESC LIMIT 2500) ORDER BY id ASC
\Network
Network\
SELECT host_key, is_httponly, path, is_secure, expires_utc, name, value, encrypted_value FROM cookies
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted, origin, billing_address_id, nickname FROM credit_cards
expiration_year
origin
SELECT name_on_card, exp_month, exp_year, last_four, nickname, bank_name, card_art_url, status, network FROM masked_credit_cards
SELECT tab_url, target_path FROM downloads
SELECT name, value FROM autofill
SELECT action_url, origin_url, username_value, password_value FROM logins
softokn3.dll
msvcp140.dll
vcruntime140.dll
An uncaught exception occurred3:
An uncaught exception occurred3. The type was unknown so no information was available.
api.myip.com
An uncaught exception occurred_ip0_1:
An uncaught exception occurred_ip0_1. The type was unknown so no information was available.
api64.ipify.org/?format=json
An uncaught exception occurred_ip0_2:
An uncaught exception occurred_ip0_2. The type was unknown so no information was available.
ipinfo.io/widget/demo/
country
An uncaught exception occurred_ip1:
An uncaught exception occurred_ip1. The type was unknown so no information was available.
db-ip.com/demo/home.php?s=
demoInfo
countryCode
freebl3.dll
mozglue.dll
\atomic\Local Storage
\Atomic
\Electrum\wallets
\Electrum
\Exodus\exodus.wallet
\Exodus
\Electrum-LTC\wallets
\ElectrumLTC
\Monero\wallets
\Monero
\com.liberty.jaxx
\Jaxx Liberty
\IndexedDB
\Local Storage
\Session Storage
\Jaxx\Local Storage
\Jaxx
\Coinomi\Coinomi\wallets
\Coinomi
\Armory
\WalletWasabi\Client\Wallets
\Wasabi
\Bither\bither.db
\Bither
\bither.db
\ElectronCash\wallets
\ElectronCash
\Binance\app-store.json
\wallet.dat
\wallets
\Authy Desktop
\Authy
Version: %s
Date: %s
Unknown
SOFTWARE\Microsoft\Cryptography
MachineGuid
MachineID: %s
GUID: %s
HWID: %s
Path: %s
Work Dir: %s
IP: %s
Location: %s, %s
SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductName
Windows: %s [%s]
Computer Name: %s
User Name: %s
Display Resolution: %dx%d
Display Language: %ws
Display Language: Unknown
Keyboard Languages:
/ %s
Local Time: %d/%d/%d %d:%d:%d
TimeZone: UTC%d
[Hardware]
HARDWARE\DESCRIPTION\System\CentralProcessor\0
ProcessorNameString
http://
WinHttpQueryDataAvailable
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpCloseHandle
WinHttpSetTimeouts
InternetQueryOptionA
HttpSendRequestA
InternetReadFile
InternetCloseHandle

RisePro

(PID) Process(2740) 4aa12984de37ac1fb650f1196e88fb5a64707e571382d641e1c70ce82e89cf0a.exe
C2:
194.169.175.128
Strings (611):
.zip
WindowsCredentials
Vault_IE
grab_ihistory
grab_wallets
grab_ds
grab_tg
grab_screen
LocalSimba
LocalSimbl
wininet.dll
winhttp.dll
\Files
\screenshot.png
\Wallets
Local
Sync
IndexedDB
\Plugins
\FileZilla
Name: %s Nickname: %s Month: %s Year: %s Card: %s Address: %s
-
**** **** ****
\CC
%s %llu
\History
%s %s
\Downloads
%s %s
\Autofill
FALSE
TRUE
%s %s %s %s %llu %s %s
ab
.txt
\Cookies
Storage: %s UserName: %s E-MAIL: %s Token: %s
\discord.txt
Storage: %s [%s] URL: %s Login: %s Password: %s
\passwords.txt
Trezor Password Manager
imloifkgjagghnncjkhggdhalmcnfklk
GAuth Authenticator
ilgcnhelpchnceeipipijaljkblbcobl
EOS Authenticator
oeljdldpnmdbchonielidgobddffflal
Trust Wallet
egjidjbpglichdcondbcbdnbeeppgdph
Leap Terra Wallet
aijcbedoijmgnlmjeegjaglmepbmpkpi
Finnie
cjmkndjhnagcfbpiemnkdpomccnjblmj
EMartian Aptos Wallet
efbglgofoippbgcjepnhiblaibcnclgk
Opera Wallet
gojhcdgcpbpfigcaejpfhfegekdgiblk
Petra Aptos Wallet
ejjladinnckdgjemekebdpeokbikhfci
Pontem Aptos Wallet
phkbamefinggmakgklpkljjmgibohnba
GeroWallet
bgpipimickeadkjlklgciifhnalhdjhe
Eternl
kmhcihpebfmpgmihbkipmjlmmioameka
Hashpack
gjagmgiddbbciopjhllkdnddhcglnemk
Sender Wallet
epapihdplajcdnnkdeiahlgigofloibg
OKX Wallet
mcohilncbfahbmgdjkbpemcciiolgcge
Eth and Polk Web3 Wallet
kkpllkodjeloidieedojogacfhpaihoh
Braavos wallet
jnlgamecbpmbajjfhmmmlhejkemejdma
Goby
jnkelfanjkeadonecabehalmbgpfodjm
Temple
ookjlbkiijinhpmnjffcofjonbfbgaoc
TezBox
mnfifefkajgofkcjkemidiaecocnkjeh
KHC
hcflpincpppdclinealmandijcmnkbgn
CyanoWallet
dkdedlpgdmmkkfjabffeganieamfklkm
Solflare
bhhhlbepdkbapadjdnnojkbgioiodbic
WavesKeeper
lpilbniiabackdjcionkobglmddfbcjo
BraveWallet
odbfpeeihdkbihmopkbjmoonfanlbfcl
Rabby
acmacodkjbdgmoleebolmdjonilkdbch
EVER Wallet
cgeeodpfagjceefieflmdfphplkenlfk
ICONex
flpiciilemghbmfalicajoolhkkenfel
PolymeshWallet
jojhfeoedkpkglbfimdfabpdfjaoolaf
AuroWallet
cnmamaachppnkjgnildpdmkaakejnhae
Sollet
fhmfendgdocmcbmfikdcogofphimnkno
Keplr
dmkamcknogkgcdfhhbddcghachkejeap
afbcbjpbpfadlkmhmclhkeeodmamcflc
Exodus_E
aholpfdialjgjfhomihkjbmgjidlcdno
Nami
lpfcbjknijpeeillifnkikgncikgfhdo
Harmony
fnnegphlobjdpkhecapkijjdkgcjhkib
Terra
aiifbnbfobpmeekipheeijimdpnlpgpp
coin98
aeachknmefphepccionboohckonoeemg
KardiaChain
pdadjkfkgcafgbceimcpbkalnfnepbnk
Maiar DeFi Wallet
dngmlblcodfobpdpecaadgfbcggfjfnm
XDEFI Wallet
hmeobnfnfcmdkdcmlblgagmfpfboieaf
ForboleX
fmblappgoiilbgafhjklehhfifbdocee
Bolt X
aodkkagnadcbobfpggfnjeongemjbjca
PaliWallet
mgffkfbidihjpoaomajlbgchddlicgpn
Oxygen
fhilaheimglignddkjgofkcbgekhenbh
Phantom
bfnaelmomeimhlpmgjnjophhpkkoljpa
TronLink
ibnejdfjmmkpcnlpebklmnkoeoihofec
BinanceChainWallet
fhbohimaelbohpjbbldcngcnapndodjp
Yoroi
ffnbelfdoeiohenkjibnmadjiehjhajb
NiftyWallet
MathWallet
jbdaocneiiinmjbjlgalhcelgbejmnid
Coinbase
hnfanknocfeofbddgcijnmhnfnkdnaad
Guarda
hpglfhgfnhbgpjdenjgmdgoeiappafln
EQUALWallet
blnieiiffboillknjnepogjhkgnoapac
LiqualityWallet
kpfopkelmapcoipemfendmdcghnegimn
RoninWallet
fnjhmkhhmkbjkkabndcnnogagogbneec
NeoLine
cphhlgmgameodnhkjdmkpanlelnlohao
CloverWallet
nhnkbkgjikgcigadomkphalanndcapjk
Wombat
amkmjjmmflddogmhpjloimipbofnfjih
MewCx
nlbmnnijcnlegkjjpcfjclmcfggfefdm
GuildWallet
nanjmdknhkinifnkgdcggcfnhdaammmj
SaturnWallet
nkddgncdjgjfcddamfgcmfnlhccnimig
BitAppWallet
fihkakfobkmkjojpchpfgcmhfjnmnfpi
iWallet
kncchdigobghenbbaddojjnnaogfppfj
Jaxx Liberty Extension
cjelfplplebdjjenllpjcblmjkfcffne
MetaMask
nkbihfbeogaeaoehlefnkodbefgpgknn
Authenticator
bhghoamapcdpbohphigoooaddinpkbai
An uncaught exception occurred1. The type was unknown so no information was available.
An uncaught exception occurred1:
Login Data For Account
\Moonchild Productions\Pale Moon
Pale Moon
\NETGATE Technologies\BlackHaw
BlackHaw
\8pecxstudios\Cyberfox
Cyberfox
\Comodo\IceDragon
IceDragon
\Thunderbird
Thunderbird
\K-Meleon
K-Meleon
\Waterfox
Waterfox
\Mozilla\Firefox
Firefox
\NetboxBrowser\User Data
NetboxBrowser
\Mail.Ru\Atom\User Data
Atom
\Chromodo\User Data
Chromodo
\Uran\User Data
Uran
\CocCoc\Browser\User Data
CocCoc
\Nichrome\User Data
Nichrome
\Sputnik\Sputnik\User Data
Sputnik
\K-Melon\User Data
K-Melon
\Maxthon3\User Data
Maxthon3
\360Browser\Browser\User Data
360Browser
\Comodo\User Data
Comodo
\Torch\User Data
Torch
\Comodo\Dragon\User Data
Dragon
\Orbitum\User Data
Orbitum
\QIP Surf\User Data
QIP Surf
\liebao\User Data
liebao
\Coowon\Coowon\User Data
Coowon
\CatalinaGroup\Citrio\User Data
Citrio
\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
ChromiumViewer
\uCozMedia\Uran\User Data
uCozMedia
\Epic Privacy Browser\User Data
Epic Privacy Browser
\Elements Browser\User Data
Elements Browser
\Kometa\User Data
Kometa
\Vivaldi\User Data
Vivaldi
\Chedot\User Data
Chedot
\CentBrowser\User Data
CentBrowser
\7Star\7Star\User Data
7Star
\MapleStudio\ChromePlus\User Data
ChromePlus
\Iridium\User Data
Iridium
\Amigo\User\User Data
Amigo
\Steam
Steam
\NVIDIA Corporation\NVIDIA GeForce Experience
NVIDIA
\Yandex\YandexBrowser\User Data
Yandex
\Google(x86)\Chrome\User Data
Chrome (x86)
\Chromium\User Data
Chromium
\Battle.net
Battle.net
\CryptoTab Browser\User Data
CryptoTab
\BraveSoftware\Brave-Browser\User Data
Brave
\Microsoft\Edge\User Data
Edge
\Google\Chrome\User Data
Chrome
\Opera Software
Opera
\discorddevelopment
DiscordDevelopment
\discordptb
DiscordPTB
\discordcanary
DiscordCanary
\Discord
Discord
(.*)
(.-)
*
%RECENT%
%LOCALAPPDATA%
%APPDATA%
%USERPROFILE%
%DOCUMENTS%
%DESKTOP%
,
:
rule_collect_recursv
rule_size_kb
rule_folder
rule_files
rule_exceptions
open
https://
vbs
bat
bmp
jpeg
jpg
png
docx
doc
txt
scr
msi
exe
.exe
.
mark_domains
mark_check_history
mark_check_passwords
mark_check_cookies
,
ld_url
ld_geo
ld_marks
ld_name
s
\Telegram
\maps
\key_datas
\tdata
\Telegram Desktop
VaultGetItem
VaultCloseVault
VaultOpenVault
VaultFree
VaultEnumerateVaults
VaultEnumerateItems
vaultcli.dll
SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
\cookies.sqlite
file:///
)
SELECT url FROM moz_places WHERE (`id` =
SELECT place_id, content FROM moz_annos WHERE (`anno_attribute_id` = 1)
\places.sqlite
SELECT fieldname, value FROM moz_formhistory
\formhistory.sqlite
/
encryptedPassword
encryptedUsername
formSubmitURL
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\signons.sqlite
\logins.json
Path
Profile
\profiles.ini
PK11SDR_Decrypt
PK11_Authenticate
PK11_FreeSlot
PK11_GetInternalKeySlot
NSS_Shutdown
NSS_Init
.ldb
.log
Local Storage\leveldb
\Local State
dQw4w9WgXcQ:
dQw4w9WgXcQ:[^.*\['(.*)'\].*$][^"]*
email
username
discord.com/api/v9/users/@me
_0.indexeddb.leveldb
_0.indexeddb.leveldb\CURRENT
\IndexedDB\chrome-extension_
\Local Extension Settings\
\CURRENT
\Sync Extension Settings\
time
history
expirationDate
secure
1
httpOnly
domain
Network\
\Network
cookies
Cookies
network
status
card_art_url
bank_name
last_four
exp_year
exp_month
nickname
billing_address_id
origin
card_number
expiration_year
expiration_month
name_on_card
cards
path
SELECT tab_url, target_path FROM downloads
download_history
History
value
name
SELECT name, value FROM autofill
autofill
Web Data
password
login
url
profile
SELECT action_url, origin_url, username_value, password_value FROM logins
encrypted_key
os_crypt
logins
Local State
Login Data
\*
v11
v10
3
90
An uncaught exception occurred3. The type was unknown so no information was available.
An uncaught exception occurred3:
ZZ
1.1.1.1
An uncaught exception occurred_ip4. The type was unknown so no information was available.
An uncaught exception occurred_ip4:
en
names
iso_code
www.maxmind.com/geoip/v2.1/city/me
An uncaught exception occurred_ip2. The type was unknown so no information was available.
An uncaught exception occurred_ip2:
countryCode
demoInfo
db-ip.com/demo/home.php?s=
An uncaught exception occurred_ip1. The type was unknown so no information was available.
An uncaught exception occurred_ip1:
city
country
data
ipinfo.io/widget/demo/
An uncaught exception occurred_ip0_2. The type was unknown so no information was available.
An uncaught exception occurred_ip0_2:
api64.ipify.org/?format=json
An uncaught exception occurred_ip0_1. The type was unknown so no information was available.
An uncaught exception occurred_ip0_1:
cc
ip
api.myip.com
softokn3.dll
nss3.dll
mozglue.dll
freebl3.dll
vcruntime140.dll
msvcp140.dll
DLL
://
mark_name
Ledger Live
Daedalus Mainnet
Reddcoin
Litecoin
digitalcoin
devcoin
Zcash
YACoin
Terracoin
Primecoin
Namecoin
Mincoin
Megacoin
Ixcoin
Infinitecoin
IOCoin
GoldCoin (GLD)
Freicoin
Franko
Florincoin
DashCore
BBQCoin
Anoncoin
Dogecoin
Bitcoin
\multidoge.wallet
\MultiDoge
\MultiDoge\multidoge.wallet
\Guarda
\Ethereum
\Ethereum\wallets
\app-store.json
\Binance
\Binance\app-store.json
\ElectronCash
\ElectronCash\wallets
\bither.db
\Bither
\Bither\bither.db
\Wasabi
\WalletWasabi\Client\Wallets
\Armory
\Coinomi
\Coinomi\Coinomi\wallets
\Jaxx
\Jaxx\Local Storage
\Jaxx Liberty
\com.liberty.jaxx
\Monero
\Monero\wallets
\ElectrumLTC
\Electrum-LTC\wallets
\Exodus
\Exodus\exodus.wallet
\Electrum
\Electrum\wallets
\Atomic
\atomic\Local Storage
\wallets
\wallet.dat
\
\Session Storage
\Local Storage
\IndexedDB
\Authy
\Authy Desktop
\*.*
%s [%s]
DisplayVersion
DisplayName
%s\%s
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
[Software]
%s [%d]
[Processes]
VideoCard #%d: %s
RAM: %u MB
CPU Count: %d
Processor: %s
ProcessorNameString
HARDWARE\DESCRIPTION\System\CentralProcessor\0
[Hardware]
TimeZone: UTC%d
Local Time: %d/%d/%d %d:%d:%d
/ %s
Keyboard Languages:
Display Language: Unknown
Display Language: %ws
Display Resolution: %dx%d
User Name: %s
Computer Name: %s
x32
x64
Windows: %s [%s]
ProductName
SOFTWARE\Microsoft\Windows NT\CurrentVersion
Location: %s, %s
IP: %s
Work Dir: %s
Path: %s
HWID: %s
_
GUID: %s
MachineID: %s
MachineGuid
SOFTWARE\Microsoft\Cryptography
Unknown
Date: %s
Version: %s
wb
\information.txt
%X
RtlGetVersion
Ntdll.dll
rb
RisePro Telegram: https://t.me/RiseProSUPPORT
50500
0.1
?
/
http://
WinHttpSetTimeouts
WinHttpCloseHandle
WinHttpReadData
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpQueryDataAvailable
WinHttpOpenRequest
WinHttpOpen
WinHttpQueryHeaders
WinHttpConnect
WINHTTP.dll
#
.dll
.
InternetCloseHandle
InternetReadFile
HttpSendRequestA
InternetQueryOptionA
HttpQueryInfoA
InternetOpenUrlA
InternetConnectA
HttpOpenRequestA
InternetSetOptionA
InternetOpenA
wb
HEAD
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 51
ZipBitFlag: 0x0003
ZipCompression: Unknown (99)
ZipModifyDate: 2024:03:25 16:47:08
ZipCRC: 0xf5f115c5
ZipCompressedSize: 886870
ZipUncompressedSize: 1899008
ZipFileName: 4aa12984de37ac1fb650f1196e88fb5a64707e571382d641e1c70ce82e89cf0a.exe
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> winrar.exe -> 4aa12984de37ac1fb650f1196e88fb5a64707e571382d641e1c70ce82e89cf0a.exe (no specs) -> 4aa12984de37ac1fb650f1196e88fb5a64707e571382d641e1c70ce82e89cf0a.exe #PRIVATELOADER

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1288
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Prynt – Stealthy Malware.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 2740
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb1288.15193\4aa12984de37ac1fb650f1196e88fb5a64707e571382d641e1c70ce82e89cf0a.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb1288.15193\4aa12984de37ac1fb650f1196e88fb5a64707e571382d641e1c70ce82e89cf0a.exe
Parent process: WinRAR.exe
User:
admin
Company:
Microsoft
Integrity Level:
HIGH
Description:
Microsoft Office Installer
Version:
1.0.0.1
Modules
Images
c:\users\admin\appdata\local\temp\rar$exb1288.15193\4aa12984de37ac1fb650f1196e88fb5a64707e571382d641e1c70ce82e89cf0a.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
NSS_Shutdown
NSS_Init
.ldb
.log
Local Storage\leveldb
\Local State
dQw4w9WgXcQ:
dQw4w9WgXcQ:[^.*\['(.*)'\].*$][^"]*
email
username
discord.com/api/v9/users/@me
_0.indexeddb.leveldb
_0.indexeddb.leveldb\CURRENT
\IndexedDB\chrome-extension_
\Local Extension Settings\
\CURRENT
\Sync Extension Settings\
time
history
expirationDate
secure
1
httpOnly
domain
Network\
\Network
cookies
Cookies
network
status
card_art_url
bank_name
last_four
exp_year
exp_month
nickname
billing_address_id
origin
card_number
expiration_year
expiration_month
name_on_card
cards
path
SELECT tab_url, target_path FROM downloads
download_history
History
value
name
SELECT name, value FROM autofill
autofill
Web Data
password
login
url
profile
SELECT action_url, origin_url, username_value, password_value FROM logins
encrypted_key
os_crypt
logins
Local State
Login Data
\*
v11
v10
3
90
An uncaught exception occurred3. The type was unknown so no information was available.
An uncaught exception occurred3:
ZZ
1.1.1.1
An uncaught exception occurred_ip4. The type was unknown so no information was available.
An uncaught exception occurred_ip4:
en
names
iso_code
www.maxmind.com/geoip/v2.1/city/me
An uncaught exception occurred_ip2. The type was unknown so no information was available.
An uncaught exception occurred_ip2:
countryCode
demoInfo
db-ip.com/demo/home.php?s=
An uncaught exception occurred_ip1. The type was unknown so no information was available.
An uncaught exception occurred_ip1:
city
country
data
ipinfo.io/widget/demo/
An uncaught exception occurred_ip0_2. The type was unknown so no information was available.
An uncaught exception occurred_ip0_2:
api64.ipify.org/?format=json
An uncaught exception occurred_ip0_1. The type was unknown so no information was available.
An uncaught exception occurred_ip0_1:
cc
ip
api.myip.com
softokn3.dll
nss3.dll
mozglue.dll
freebl3.dll
vcruntime140.dll
msvcp140.dll
DLL
://
mark_name
Ledger Live
Daedalus Mainnet
Reddcoin
Litecoin
digitalcoin
devcoin
Zcash
YACoin
Terracoin
Primecoin
Namecoin
Mincoin
Megacoin
Ixcoin
Infinitecoin
IOCoin
GoldCoin (GLD)
Freicoin
Franko
Florincoin
DashCore
BBQCoin
Anoncoin
Dogecoin
Bitcoin
\multidoge.wallet
\MultiDoge
\MultiDoge\multidoge.wallet
\Guarda
\Ethereum
\Ethereum\wallets
\app-store.json
\Binance
\Binance\app-store.json
\ElectronCash
\ElectronCash\wallets
\bither.db
\Bither
\Bither\bither.db
\Wasabi
\WalletWasabi\Client\Wallets
\Armory
\Coinomi
\Coinomi\Coinomi\wallets
\Jaxx
\Jaxx\Local Storage
\Jaxx Liberty
\com.liberty.jaxx
\Monero
\Monero\wallets
\ElectrumLTC
\Electrum-LTC\wallets
\Exodus
\Exodus\exodus.wallet
\Electrum
\Electrum\wallets
\Atomic
\atomic\Local Storage
\wallets
\wallet.dat
\
\Session Storage
\Local Storage
\IndexedDB
\Authy
\Authy Desktop
\*.*
%s [%s]
DisplayVersion
DisplayName
%s\%s
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
[Software]
%s [%d]
[Processes]
VideoCard #%d: %s
RAM: %u MB
CPU Count: %d
Processor: %s
ProcessorNameString
HARDWARE\DESCRIPTION\System\CentralProcessor\0
[Hardware]
TimeZone: UTC%d
Local Time: %d/%d/%d %d:%d:%d
/ %s
Keyboard Languages:
Display Language: Unknown
Display Language: %ws
Display Resolution: %dx%d
User Name: %s
Computer Name: %s
x32
x64
Windows: %s [%s]
ProductName
SOFTWARE\Microsoft\Windows NT\CurrentVersion
Location: %s, %s
IP: %s
Work Dir: %s
Path: %s
HWID: %s
_
GUID: %s
MachineID: %s
MachineGuid
SOFTWARE\Microsoft\Cryptography
Unknown
Date: %s
Version: %s
wb
\information.txt
%X
RtlGetVersion
Ntdll.dll
rb
RisePro Telegram: https://t.me/RiseProSUPPORT
50500
0.1
?
/
http://
WinHttpSetTimeouts
WinHttpCloseHandle
WinHttpReadData
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpQueryDataAvailable
WinHttpOpenRequest
WinHttpOpen
WinHttpQueryHeaders
WinHttpConnect
WINHTTP.dll
#
.dll
.
InternetCloseHandle
InternetReadFile
HttpSendRequestA
InternetQueryOptionA
HttpQueryInfoA
InternetOpenUrlA
InternetConnectA
HttpOpenRequestA
InternetSetOptionA
InternetOpenA
wb
HEAD
PID: 3248
Command line: "C:\Users\admin\AppData\Local\Temp\Rar$EXb1288.15193\4aa12984de37ac1fb650f1196e88fb5a64707e571382d641e1c70ce82e89cf0a.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb1288.15193\4aa12984de37ac1fb650f1196e88fb5a64707e571382d641e1c70ce82e89cf0a.exe
Parent process: WinRAR.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Description: Microsoft Office Installer
Exit code: 3221226540
Version: 1.0.0.1
Modules / Images:
c:\users\admin\appdata\local\temp\rar$exb1288.15193\4aa12984de37ac1fb650f1196e88fb5a64707e571382d641e1c70ce82e89cf0a.exe
c:\windows\system32\ntdll.dll
Total events: 4 860
Read events: 4 840
Write events: 20
Delete events: 0

Modification events

(PID) Process: (1288) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write | Name: ShellExtBMP | Value:
(PID) Process: (1288) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write | Name: ShellExtIcon | Value:
(PID) Process: (1288) WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write | Name: LanguageList | Value: en-US
(PID) Process: (1288) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\phacker.zip
(PID) Process: (1288) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process: (1288) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process: (1288) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\Prynt – Stealthy Malware.zip
(PID) Process: (1288) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: name | Value: 120
(PID) Process: (1288) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: size | Value: 80
(PID) Process: (1288) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write | Name: type | Value: 120
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1288 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb1288.15193\4aa12984de37ac1fb650f1196e88fb5a64707e571382d641e1c70ce82e89cf0a.exe | executable
MD5: E34AD9A826AA56C04CE0F10C800B789F
SHA256: 4AA12984DE37AC1FB650F1196E88FB5A64707E571382D641E1C70CE82E89CF0A
HTTP(S) requests: 0
TCP/UDP connections: 14
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation
PID: 4 | Process: System | IP: 192.168.100.255:138 | Reputation: unknown
PID: 4 | Process: System | IP: 192.168.100.255:137 | Reputation: unknown
PID: 1080 | Process: svchost.exe | IP: 224.0.0.252:5355 | Reputation: unknown
PID: 2740 | Process: 4aa12984de37ac1fb650f1196e88fb5a64707e571382d641e1c70ce82e89cf0a.exe | IP: 194.169.175.128:50500 | CN: US | Reputation: unknown

DNS requests

Columns: Domain | IP | Reputation
Domain: dns.msftncsi.com | IP: 131.107.255.255 | Reputation: unknown

Threats

No threats detected
No debug info