File name: 9cf43d480f6319717934b1a3f97682a4454c1742e2409aa416ba719e606c34ca.exe

Full analysis: https://app.any.run/tasks/f302b34d-3f38-4996-816f-90db5dc8b1f3
Verdict: Malicious activity
Threats:

RisePro, an information-stealing malware, targets a wide range of sensitive data, including credit cards, passwords, and cryptocurrency wallets. By compromising infected devices, RisePro can steal valuable information and potentially cause significant financial and personal losses for victims.

Analysis date: June 20, 2024, 04:51:12
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: risepro
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 9F7D8785AA5E359848EBE4D771F3DE8D
SHA1: 70161505853A4CB3B2DC7EB690BDE8B0F23B4D82
SHA256: 9CF43D480F6319717934B1A3F97682A4454C1742E2409AA416BA719E606C34CA
SSDEEP: 98304:4z8ucjQtwYM7xYrZJccu9K8SFHT8S67waNrpFsXNv1MuKboOn6OmM4FZbEFyty5W:RhC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • RISEPRO has been detected (YARA)

      • 9cf43d480f6319717934b1a3f97682a4454c1742e2409aa416ba719e606c34ca.exe (PID: 900)
      • RegAsm.exe (PID: 3800)
    • Drops the executable file immediately after the start

      • 9cf43d480f6319717934b1a3f97682a4454c1742e2409aa416ba719e606c34ca.exe (PID: 900)
  • SUSPICIOUS

    • Executes application which crashes

      • 9cf43d480f6319717934b1a3f97682a4454c1742e2409aa416ba719e606c34ca.exe (PID: 900)
  • INFO

    • Checks supported languages

      • 9cf43d480f6319717934b1a3f97682a4454c1742e2409aa416ba719e606c34ca.exe (PID: 900)
      • RegAsm.exe (PID: 3800)
    • Checks proxy server information

      • WerFault.exe (PID: 3724)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 3724)

RisePro

Process (PID 900): 9cf43d480f6319717934b1a3f97682a4454c1742e2409aa416ba719e606c34ca.exe
C2 (1): 5.42.67.8:50500
Strings (319)
Process (PID 3800): RegAsm.exe
C2 (1): 5.42.67.8:50500
Strings (55)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:06:18 22:33:03+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.39
CodeSize: 176128
InitializedDataSize: 1712640
UninitializedDataSize: -
EntryPoint: 0xb7b9
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
Total processes: 132
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start #RISEPRO 9cf43d480f6319717934b1a3f97682a4454c1742e2409aa416ba719e606c34ca.exe #RISEPRO regasm.exe no specs werfault.exe

Process information

PID 900
CMD: "C:\Users\admin\AppData\Local\Temp\9cf43d480f6319717934b1a3f97682a4454c1742e2409aa416ba719e606c34ca.exe"
Path: C:\Users\admin\AppData\Local\Temp\9cf43d480f6319717934b1a3f97682a4454c1742e2409aa416ba719e606c34ca.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226356
Modules (images):
c:\users\admin\appdata\local\temp\9cf43d480f6319717934b1a3f97682a4454c1742e2409aa416ba719e606c34ca.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID 3724
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 900 -s 296
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: 9cf43d480f6319717934b1a3f97682a4454c1742e2409aa416ba719e606c34ca.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID 3800
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Parent process: 9cf43d480f6319717934b1a3f97682a4454c1742e2409aa416ba719e606c34ca.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Assembly Registration Utility
Version: 4.8.9037.0 built by: NET481REL1
Modules (images):
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
Total events: 3 600
Read events: 3 600
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 2
Text files: 2
Unknown types: 0

Dropped files

PID 3724, WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_9cf43d480f631971_f6bd1b20d22f6716bd959fd075c5f3a1f0824ba_63320027_1329ec36-5067-4512-9be9-0b0631f101da\Report.wer
Type: -
MD5: -
SHA256: -

PID 3724, WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE532.tmp.WERInternalMetadata.xml
Type: xml
MD5: 7612A455E636AC251063010FA559C9C8
SHA256: F4EE5BDA28352A726DB9E1C85182DB922D1AE7032613D3463BB863E95404CEB7

PID 3724, WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE495.tmp.dmp
Type: dmp
MD5: 62A78D29E6CB46F74338C646025D1B00
SHA256: 15130E60F685C5A7C6695D7E9E56FC4DBFD1CB9028F1D8B39629B7DC7899BAC6

PID 3724, WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE571.tmp.xml
Type: xml
MD5: 92E77503332F076F5310FB879244D3DA
SHA256: 12A218F40D5A56CDFD8CB12DBDE7EFFC58098372437563A3E50C9CC8867F5424

PID 3724, WerFault.exe
Filename: C:\Users\admin\AppData\Local\CrashDumps\9cf43d480f6319717934b1a3f97682a4454c1742e2409aa416ba719e606c34ca.exe.900.dmp
Type: binary
MD5: B5E620CC24D928D4C42D8B1BFB52A3E8
SHA256: 57CFCC9B5A88CD84CA84720F8D9CC8F081C88B58E2D8AAABE757B54CA19F1A40
HTTP(S) requests: 6
TCP/UDP connections: 68
DNS requests: 13
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1544 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | unknown
3040 | OfficeClickToRun.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | - | - | unknown
2196 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | - | - | unknown
5080 | SIHClient.exe | GET | 200 | 23.211.9.92:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | unknown
5764 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | - | - | unknown
5080 | SIHClient.exe | GET | 200 | 23.211.9.92:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | - | - | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3748 | MoUsoCoreWorker.exe | 13.71.55.58:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IN | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 13.71.55.58:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IN | unknown
4032 | svchost.exe | 239.255.255.250:1900 | - | - | - | unknown
6004 | svchost.exe | 13.71.55.58:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IN | unknown
1544 | svchost.exe | 20.190.159.64:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4656 | SearchApp.exe | 2.22.248.137:443 | - | Akamai International B.V. | GB | unknown
1544 | svchost.exe | 192.229.221.95:80 | - | EDGECAST | US | whitelisted
1060 | svchost.exe | 23.211.9.234:443 | go.microsoft.com | AKAMAI-AS | DE | unknown
3040 | OfficeClickToRun.exe | 20.42.73.25:443 | self.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown

DNS requests

Domain | IP | Reputation
login.live.com | 20.190.159.64, 20.190.159.0, 20.190.159.4, 20.190.159.75, 40.126.31.71, 40.126.31.69, 40.126.31.67, 40.126.31.73 | whitelisted
go.microsoft.com | 23.211.9.234 | whitelisted
self.events.data.microsoft.com | 20.42.73.25 | whitelisted
arc.msn.com | 20.223.35.26 | whitelisted
slscr.update.microsoft.com | 20.114.59.183 | whitelisted
www.microsoft.com | 23.211.9.92 | whitelisted
fe3cr.delivery.mp.microsoft.com | 52.165.164.15 | whitelisted
watson.events.data.microsoft.com | 20.189.173.21 | whitelisted
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
fd.api.iris.microsoft.com | 20.103.156.88 | whitelisted

Threats

No threats detected
No debug info