File name: RisePro Stealer .bin

Full analysis: https://app.any.run/tasks/8e3d9ff4-8af9-48e3-b11c-96ed95990396
Verdict: Malicious activity
Threats:

RisePro, an information-stealing malware, targets a wide range of sensitive data, including credit cards, passwords, and cryptocurrency wallets. By compromising infected devices, RisePro can steal valuable information and potentially cause significant financial and personal losses for victims.

Analysis date: April 25, 2025, 01:59:50
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
risepro
themida
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 7D907DFB44D87310FCD5D7725166491E
SHA1: 42F5D8CE6654309CA9E9D63954E4E8B957AD2BC3
SHA256: 78C95DAE03D9D3D8A898CC4DE40ECF9F55F2AF08347343B011B2AF391C57D1CC
SSDEEP: 98304:fe1N8+90YAh+w8gYJatPru8SxsB8KusfjCfuV5a5BPNyqR/VPReDhnfxT4q7o1QZ:fDVJPo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • RisePro Stealer .bin.exe (PID: 6620)
    • Uses Task Scheduler to autorun other applications

      • RisePro Stealer .bin.exe (PID: 6620)
    • Changes the autorun value in the registry

      • RisePro Stealer .bin.exe (PID: 6620)
    • RISEPRO has been detected (YARA)

      • RisePro Stealer .bin.exe (PID: 6620)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • RisePro Stealer .bin.exe (PID: 6620)
    • Reads the BIOS version

      • RisePro Stealer .bin.exe (PID: 6620)
    • Connects to unusual port

      • RisePro Stealer .bin.exe (PID: 6620)
  • INFO

    • Checks supported languages

      • RisePro Stealer .bin.exe (PID: 6620)
    • Creates files or folders in the user directory

      • RisePro Stealer .bin.exe (PID: 6620)
    • Creates files in the program directory

      • RisePro Stealer .bin.exe (PID: 6620)
    • Reads the computer name

      • RisePro Stealer .bin.exe (PID: 6620)
    • Create files in a temporary directory

      • RisePro Stealer .bin.exe (PID: 6620)
    • Themida protector has been detected

      • RisePro Stealer .bin.exe (PID: 6620)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

RisePro

Process: (PID 6620) RisePro Stealer .bin.exe
C2 (1): 193.233.132.62:58709
Strings (519)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:19 14:53:45+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.34
CodeSize: 1092608
InitializedDataSize: 214016
UninitializedDataSize: -
EntryPoint: 0x3a2000
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 9.3.0.296
ProductVersionNumber: 9.3.0.296
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Advanced Micro Devices, Inc.
FileDescription: RAIDXpert2.exe
FileVersion: 9.3.0.296
InternalName: RAIDXpert2.exe
LegalCopyright: Copyright (c)2012-2021 Advanced Micro Devices, Inc.
OriginalFileName: RAIDXpert2.exe
ProductName: RAIDXpert2
ProductVersion: 9.3.0.296
No data.
screenshot
All screenshots are available in the full report
Total processes
136
Monitored processes
7
Malicious processes
1
Suspicious processes
0

Behavior graph

Graph nodes: start; #RISEPRO risepro stealer .bin.exe; sppextcomobj.exe (no specs); slui.exe; schtasks.exe (no specs); conhost.exe (no specs); schtasks.exe (no specs); conhost.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2152
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2616
CMD: schtasks /create /f /RU "admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: RisePro Stealer .bin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2852
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4452
CMD: schtasks /create /f /RU "admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: RisePro Stealer .bin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6040
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6620
CMD: "C:\Users\admin\Desktop\RisePro Stealer .bin.exe"
Path: C:\Users\admin\Desktop\RisePro Stealer .bin.exe
Parent process: explorer.exe
User:
admin
Company:
Advanced Micro Devices, Inc.
Integrity Level:
MEDIUM
Description:
RAIDXpert2.exe
Version:
9.3.0.296
Modules
Images
c:\users\admin\desktop\risepro stealer .bin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.3636_none_c0df324c38bbc0ce\comctl32.dll
PID: 6644
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
Total events
936
Read events
935
Write events
1
Delete events
0

Modification events

Process: (PID 6620) RisePro Stealer .bin.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: RageMP131
Value: C:\Users\admin\AppData\Local\RageMP131\RageMP131.exe
Executable files
2
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 6620
Process: RisePro Stealer .bin.exe
Filename: C:\Users\admin\AppData\Local\Temp\rage131MP.tmp
Type: text
MD5: 5388AE33E99FE5028CEA6B7EE120254B
SHA256: 56AAC1381C674B82514DCA3A8F6167F6F4A5B67F21CB5AA7839DC7FD33CCC4CA

PID: 6620
Process: RisePro Stealer .bin.exe
Filename: C:\ProgramData\MPGPH131\MPGPH131.exe
Type: executable
MD5: 7D907DFB44D87310FCD5D7725166491E
SHA256: 78C95DAE03D9D3D8A898CC4DE40ECF9F55F2AF08347343B011B2AF391C57D1CC

PID: 6620
Process: RisePro Stealer .bin.exe
Filename: C:\Users\admin\AppData\Local\RageMP131\RageMP131.exe
Type: executable
MD5: 7D907DFB44D87310FCD5D7725166491E
SHA256: 78C95DAE03D9D3D8A898CC4DE40ECF9F55F2AF08347343B011B2AF391C57D1CC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
20
DNS requests
10
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
2.16.164.9:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
496
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
496
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5024
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
2.16.164.9:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
5496
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6620
RisePro Stealer .bin.exe
193.233.132.62:58709
ATT-INTERNET4
US
malicious

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 142.250.184.206
whitelisted
crl.microsoft.com
  • 2.16.164.9
  • 2.16.164.120
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted

Threats

No threats detected
No debug info