Malware analysis setup.exe Malicious activity | ANY.RUN

Add for printing

File name:	setup.exe
Full analysis:	https://app.any.run/tasks/ff300704-c83f-462e-93d5-e653c8672123
Verdict:	Malicious activity
Threats:	RisePro, an information-stealing malware, targets a wide range of sensitive data, including credit cards, passwords, and cryptocurrency wallets. By compromising infected devices, RisePro can steal valuable information and potentially cause significant financial and personal losses for victims. Malware Trends Tracker >>>
Analysis date:	September 28, 2024, 01:01:47
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	risepro
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:	F6C330BF80269E6A2CE60B6C173EDE5E
SHA1:	3A1EE94B51B65B73AE8694D407FEAE213CDFA0A3
SHA256:	DD41646C21ED512B30EAAD50ECA6E74A45ECD7C6C7BF9D1C6AA804C2EA845428
SSDEEP:	98304:Ce8Y8uefBQ1Pvfk9ZpygPy7JaUP8O27hMs5Nu7XqC/2p4D1HKLzIuN4AnXnAjIYj:C20j

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- RISEPRO has been detected (YARA)
  - RegAsm.exe (PID: 1076)
SUSPICIOUS
No suspicious indicators.
INFO
- Checks supported languages
  - setup.exe (PID: 6740)
  - RegAsm.exe (PID: 1076)
- Reads the computer name
  - setup.exe (PID: 6740)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

RisePro

(PID) Process(1076) RegAsm.exe

C2 (1)193.233.132.253:50600

Strings (567)RoninWallet

\360Browser\Browser\User Data

NVIDIA

<.B}T

\CentBrowser\User Data

\config.json

\OpenVPN Connect

ejbalbakoplchlghecdalmeeeajnimhm

\Wallets

fihkakfobkmkjojpchpfgcmhfjnmnfpi

\ElectronCash\wallets

An uncaught exception occurred_ip0_2:

\uCozMedia\Uran\User Data

oeljdldpnmdbchonielidgobddffflal

%s\%s

\GoogleAccounts

\Autofill

DisplayVersion

\Local Storage

\Ethereum\wallets

cards

\Comodo\Dragon\User Data

\FeatherClient

aodkkagnadcbobfpggfnjeongemjbjca

HR" /sc HOURLY /rl HIGHEST

Coowon

\Epic Privacy Browser\User Data

\Electrum-LTC\wallets

Finnie

UQ12345678

D3D11.dll

agoakfejjabomempkjlepdflaleeobhb

E-MAIL: %s

ld_geo

IndexedDB

Leap Terra Wallet

mark_check_passwords

PolymeshWallet

\discordcanary

Florincoin

TronLink

ookjlbkiijinhpmnjffcofjonbfbgaoc

Avira Password Manager

\MultiDoge

ICONex

acmacodkjbdgmoleebolmdjonilkdbch

CyanoWallet

Steam

\Passwords.txt

CPU Count: %d

wbkED

mnfifefkajgofkcjkemidiaecocnkjeh

ALLUSERSPROFILE

NiftyWallet

egjidjbpglichdcondbcbdnbeeppgdph

\Monero

\Skype

Build: %s

ilgcnhelpchnceeipipijaljkblbcobl

EQUALWallet

Coinbase

\Guarda

Version: %s

CommonKey

iWallet

mark_domains

Terracoin

\discord.txt

nkbihfbeogaeaoehlefnkodbefgpgknn

exp_month

\Minecraft

ProcessorNameString

\screenshot.png

/ %s

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

\atomic\Local Storage

fhilaheimglignddkjgofkcbgekhenbh

fnnegphlobjdpkhecapkijjdkgcjhkib

aflkmfhebedbjioipglgcbcmnbpgliof

ibnejdfjmmkpcnlpebklmnkoeoihofec

Battle.net

Megacoin

amkmjjmmflddogmhpjloimipbofnfjih

Solflare

ghijklmn

Infinitecoin

ld_autorun_scheduler

CryptoTab

admmjipmmciaobhojoghlmleefbicajg

Harmony

CentBrowser

\.lunarclient\settings\games\accounts.txt

\GoogleAccounts.txt

fhmfendgdocmcbmfikdcogofphimnkno

An uncaught exception occurred_ip0_1. The type was unknown so no information was available.

ProductName

\ElectronCash

LG" /sc ONLOGON /rl HIGHEST

Vivaldi

\.minecraft\launcher_msa_credentials.bin

360Browser

\Discord

flpiciilemghbmfalicajoolhkkenfel

Local Time: %d/%d/%d %d:%d:%d

gjagmgiddbbciopjhllkdnddhcglnemk

imloifkgjagghnncjkhggdhalmcnfklk

URL: %s

mgffkfbidihjpoaomajlbgchddlicgpn

\foxmail.txt

jbdaocneiiinmjbjlgalhcelgbejmnid

names

Namecoin

GoldCoin (GLD)

WavesKeeper

mkpegjkblkkefacfnmkajcjmabijhclg

Petra Aptos Wallet

jnlgamecbpmbajjfhmmmlhejkemejdma

VideoCard #%d: %s

Chrome

use_hvnc

\.purple

Backpack

grab_tg

\Maxthon3\User Data

\Binance\app-store.json

Dragon

MachineGuid

\Element

Exodus_E

Discord

Elements Browser

adobe

expirationDate

UserName: %s

\multidoge.wallet

ebfidpplhabeedpnhjnobghokpiioolj

gtokens

\.minecraft\launcher_profiles.json

\Torch\User Data

grab_ftp

NetboxBrowser

Chromodo

\Files

liebao

log_watermark_line_3

Epic Privacy Browser

\discorddevelopment

\Growtopia\save.dat

httpOnly

\WalletWasabi\Client\Wallets

NtTerminateProcess

aiifbnbfobpmeekipheeijimdpnlpgpp

\information.txt

fhbohimaelbohpjbbldcngcnapndodjp

grab_ihistory

mark_check_history

merge_google_tokens

MewCx

ZIP (Autofills): %s

Keplr

ojggmchlghnjlapmfbnjholfjkiidbch

exp_year

Processor: %s

grab_ds

iso_code

Splikity

Zcash

mark_countries

\Nichrome\User Data

Freicoin

SOFTWARE\Microsoft\Windows NT\CurrentVersion

\Opera Software\Opera Stable

**** **** ****

Trust Wallet

ax error

0123456789-_.

30123456789-_.

BBQCoin

EVER Wallet

DiscordDevelopment

Guarda

gojhcdgcpbpfigcaejpfhfegekdgiblk

Venom

merge_browser_data

autofill

download_history

EdgeMS

ffnbelfdoeiohenkjibnmadjiehjhajb

\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer

grab_screen

Opera Wallet

mark_check_cookies

\Uran\User Data

\Microsoft\Skype for Desktop\Local Storage

bhhhlbepdkbapadjdnnojkbgioiodbic

\Binance

Trezor Password Manager

\Chedot\User Data

\Sputnik\Sputnik\User Data

Eth and Polk Web3 Wallet

cjelfplplebdjjenllpjcblmjkfcffne

hmeobnfnfcmdkdcmlblgagmfpfboieaf

\save.dat

digitalcoin

\Atomic

User Name: %s

MetaMask Edge

C:\program files\steam

expiration_year

card_number

lpfcbjknijpeeillifnkikgncikgfhdo

\Bither\bither.db

BinanceChainWallet

domain

ChromePlus

jojhfeoedkpkglbfimdfabpdfjaoolaf

IOCoin

\Battle.net

Goblin wallet

\Kometa\User Data

Yoroi

012345678

Litecoin

Location: %s, %s

\accounts.xml

Kaikas

fnjhmkhhmkbjkkabndcnnogagogbneec

nhnkbkgjikgcigadomkphalanndcapjk

\Messengers

\Jaxx\Local Storage

WININET.DLL

service

\.feather\accounts.json

CreateDirect3D11DeviceFromDXGIDevice

\Growtopia

SaturnWallet

\Session Storage

hnfanknocfeofbddgcijnmhnfnkdnaad

bfnaelmomeimhlpmgjnjophhpkkoljpa

Storage: %s [%s]

LiqualityWallet

\IndexedDB

BraveWallet

AuroWallet

DiscordCanary

ld_autorun_registry

Torch

Local

Comodo

ChromiumViewer

\Pidgin

\passwords.txt

nanjmdknhkinifnkgdcggcfnhdaammmj

USERPROFILE

\discordptb

\Signal

ld_url

YZabcdefghijklmnopqrstuvwxyz0123456789-_.

\Yandex\YandexBrowser\User Data

IP: %s

mcohilncbfahbmgdjkbpemcciiolgcge

Mincoin

https://

FALSE

\Jaxx Liberty

\Coinomi\Coinomi\wallets

\QIP Surf\User Data

Reddcoin

mfgccjchihfkkindfppnaooecgfneiii

aholpfdialjgjfhomihkjbmgjidlcdno

Software\Microsoft\Windows\CurrentVersion\Run

\Elements Browser\User Data

An uncaught exception occurred_ip1:

WindowsCredentials

profile

Tokenpocket

Fewcha

Nichrome

ld_name

\Monero\wallets

GUID: %s

aijcbedoijmgnlmjeegjaglmepbmpkpi

\Orbitum\User Data

\7Star\7Star\User Data

Chrome (x86)

Citrio

nickname

OKX Wallet

\MultiDoge\multidoge.wallet

\.tlauncher\mcl\Minecraft\game\tlauncher_profiles.json

odbfpeeihdkbihmopkbjmoonfanlbfcl

grab_messengers

country

\Coinomi

\Opera Software

-.hsE

\Autofill.txt

Profiles/

\Cookies

Rabby

baaaa

\Browsers

\Element\Local Storage

GeroWallet

" /tn "

MetaMask

History

coin98

An uncaught exception occurred_ip4:

\NetboxBrowser\User Data

^Qghijklmn

C:\program files (x86)\steam

blnieiiffboillknjnepogjhkgnoapac

Oxygen

bhghoamapcdpbohphigoooaddinpkbai

CocCoc

\OpenVPN Connect\profiles

\Ledger Live

Eternl

%s [%s]

\Wasabi

heidi

hcflpincpppdclinealmandijcmnkbgn

MathWallet

grab_wallets

1.1.1.1

xyz0123456789-_.

12345678

lgmpcpglpngdoalbgeoldeajfclnhafa

Daedalus Mainnet

\CocCoc\Browser\User Data

\CatalinaGroup\Citrio\User Data

Hashpack

\NVIDIA Corporation\NVIDIA GeForce Experience

nkddgncdjgjfcddamfgcmfnlhccnimig

Primecoin

opcgpfmipidbgpenhmajoajpbobppdil

\MapleStudio\ChromePlus\User Data

\accounts.json

\Chromium\User Data

value

cjmkndjhnagcfbpiemnkdpomccnjblmj

Sputnik

\Downloads.txt

\Comodo\User Data

Kometa

\Mail.Ru\Atom\User Data

Braavos wallet

SOFTWARE\Microsoft\Cryptography

\Electrum\wallets

\Jaxx

Path: %s

uXVW_XH

devcoin

dkdedlpgdmmkkfjabffeganieamfklkm

EOS Authenticator

\CC.txt

An uncaught exception occurred_ip4. The type was unknown so no information was available.

efbglgofoippbgcjepnhiblaibcnclgk

\Chromodo\User Data

\Google\Chrome\User Data

KardiaChain

Display Resolution: %dx%d

\ICQ\0001

api.myip.com/

logins

cphhlgmgameodnhkjdmkpanlelnlohao

YZabcdefghijklmnopqrs3

AdobeUpdaterV

" /tr "

GAuth Authenticator

Maiar DeFi Wallet

\Cookies.txt

token

ld_autorun_shell

\com.liberty.jaxx

DiscordPTB

An uncaught exception occurred_ip0_2. The type was unknown so no information was available.

Chromium

db-ip.com/demo/home.php?s=

RAM: %u MB

igkpcodhieompeloncfnbekccinhapdb

fmblappgoiilbgafhjklehhfifbdocee

Orbitum

HVNC.dll

api64.ipify.org/?format=json

config

Jaxx Liberty Extension

An uncaught exception occurred_ip0_1:

ghpilmjholiicaobfjdkefcogmgaabif

Web Data

\TLauncher

\config

This program is a virus. Do you really want to run it?

\Armory

\Exodus\exodus.wallet

An uncaught exception occurred_ip2:

Local State

MachineID: %s

\launcher_accounts.json

password

\databases

Yandex

Password: %s

vwxyz0123456789-_.

\TotalCommander

\Amigo\User\User Data

Safepal

ghijklmnopqrs3

Anoncoin

phkbamefinggmakgklpkljjmgibohnba

@.B}T"

Ixcoin

caljgklbbfbcjjanaijlacgncafpegll

HWID: %s

PaliWallet

aeachknmefphepccionboohckonoeemg

Wombat

cgeeodpfagjceefieflmdfphplkenlfk

Opera GX

QIP Surf

DashCore

7Star

Date: %s

Storage: %s

Windows: %s [%s]

ld_buildname

Computer Name: %s [%s]

Chedot

Authenticator

Magic Eden Wallet

Maxthon3

\ElectrumLTC

lpilbniiabackdjcionkobglmddfbcjo

zuXVW_XH

YACoin

epapihdplajcdnnkdeiahlgigofloibg

NeoLine

afbcbjpbpfadlkmhmclhkeeodmamcflc

kpfopkelmapcoipemfendmdcghnegimn

Zoho Vault

%s [%d]

Work Dir: %s

\Bither

An uncaught exception occurred_ip2. The type was unknown so no information was available.

\Exodus

\BraveSoftware\Brave-Browser\User Data

YZabcdefghijklmnopqrst

[Software]

\K-Melon\User Data

wb)sE

\ey_tokens.txt

ipinfo.io/widget/demo/

Warning!

\tlauncher_profiles.json

GuildWallet

XMR.PT

TezBox

bmikpgodpkclnkgmnpphehdgcimmided

kkpllkodjeloidieedojogacfhpaihoh

>.B}T"

LOCALAPPDATA

Unknown

Outlook

billing_address_id

APPDATA

CloverWallet

bgpipimickeadkjlklgciifhnalhdjhe

Pontem Aptos Wallet

QRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.

ld_marks

hpglfhgfnhbgpjdenjgmdgoeiappafln

Sollet

nlbmnnijcnlegkjjpcfjclmcfggfefdm

\Ethereum

MSIUpdaterV

HARDWARE\DESCRIPTION\System\CentralProcessor\0

Iridium

last_four

\wcx_ftp.ini

expiration_month

$(123

Temple

kmhcihpebfmpgmihbkipmjlmmioameka

\Plugins

schtasks /create /f /RU "

\History.txt

\Vivaldi\User Data

BitAppWallet

K-Melon

Keyboard Languages:

eigblbgjknlfbajkfhopmcojidlgcehm

\Games

Vault_IE

jnkelfanjkeadonecabehalmbgpfodjm

\FileZilla

\Coowon\Coowon\User Data

Opera

Terra

[Processes]

\launcher_msa_credentials.bin

\google_tokens.txt

jblndlipeogpafnldhgmapagcccfchpi

Bitcoin

grab_games

DisplayName

Franko

name_on_card

Norton Password Manager

An uncaught exception occurred1:

XDEFI Wallet

log_watermark_line_2

\.minecraft\launcher_accounts.json

ForboleX

\accounts.txt

dmkamcknogkgcdfhhbddcghachkejeap

\bither.db

\Iridium\User Data

chgfefjpcobfbnpmiokfjjaglahmnded

Brave

www.maxmind.com/geoip/v2.1/city/me

[Hardware]

Bolt X

\CryptoTab Browser\User Data

cnmamaachppnkjgnildpdmkaakejnhae

Token: %s

EMartian Aptos Wallet

dngmlblcodfobpdpecaadgfbcggfjfnm

\liebao\User Data

ejjladinnckdgjemekebdpeokbikhfci

Display Language: %ws

\LunarClient

\app-store.json

\launcher_profiles.json

countryCode

\Steam

\Microsoft\Edge\User Data

An uncaught exception occurred1. The type was unknown so no information was available.

.B}T"

history

Amigo

\Electrum

Phantom

Dogecoin

jhfjfclepacoldmjmkmdlmganfaalklb

Sender Wallet

%s%llu

winhttp.dll

\Downloads

\GHISLER\wcx_ftp.ini

\Google(x86)\Chrome\User Data

An uncaught exception occurred_ip1. The type was unknown so no information was available.

grab_vpn

demoInfo

kncchdigobghenbbaddojjnnaogfppfj

log_watermark_line_1

secure

\History

slickSlideAnd

pdadjkfkgcafgbceimcpbkalnfnepbnk

uCozMedia

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll	\|	Win32 Dynamic Link Library (generic) (7.4)
.exe	\|	Win32 Executable (generic) (5.1)
.exe	\|	Generic Win/DOS Executable (2.2)
.exe	\|	DOS Executable Generic (2.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2048:12:16 08:44:04+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32
LinkerVersion:	48
CodeSize:	2262528
InitializedDataSize:	2048
UninitializedDataSize:	-
EntryPoint:	0x32e6
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line
FileVersionNumber:	1.0.0.3
ProductVersionNumber:	1.0.0.3
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	-
CompanyName:	-
FileDescription:	Codominants Stenotypists
FileVersion:	1.0.0.3
InternalName:	Company.exe
LegalCopyright:	Copyright © 2023
LegalTrademarks:	-
OriginalFileName:	Company.exe
ProductName:	Transferrin Hermitry
ProductVersion:	1.0.0.3
AssemblyVersion:	1.0.0.3

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

135

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1076

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

setup.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft .NET Assembly Registration Utility

Version:

4.8.9037.0 built by: NET481REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

RisePro

(PID) Process(1076) RegAsm.exe

C2 (1)193.233.132.253:50600

Strings (567)RoninWallet

\360Browser\Browser\User Data

NVIDIA

<.B}T

\CentBrowser\User Data

\config.json

\OpenVPN Connect

ejbalbakoplchlghecdalmeeeajnimhm

\Wallets

fihkakfobkmkjojpchpfgcmhfjnmnfpi

\ElectronCash\wallets

An uncaught exception occurred_ip0_2:

\uCozMedia\Uran\User Data

oeljdldpnmdbchonielidgobddffflal

%s\%s

\GoogleAccounts

\Autofill

DisplayVersion

\Local Storage

\Ethereum\wallets

cards

\Comodo\Dragon\User Data

\FeatherClient

aodkkagnadcbobfpggfnjeongemjbjca

HR" /sc HOURLY /rl HIGHEST

Coowon

\Epic Privacy Browser\User Data

\Electrum-LTC\wallets

Finnie

UQ12345678

D3D11.dll

agoakfejjabomempkjlepdflaleeobhb

E-MAIL: %s

ld_geo

IndexedDB

Leap Terra Wallet

mark_check_passwords

PolymeshWallet

\discordcanary

Florincoin

TronLink

ookjlbkiijinhpmnjffcofjonbfbgaoc

Avira Password Manager

\MultiDoge

ICONex

acmacodkjbdgmoleebolmdjonilkdbch

CyanoWallet

Steam

\Passwords.txt

CPU Count: %d

wbkED

mnfifefkajgofkcjkemidiaecocnkjeh

ALLUSERSPROFILE

NiftyWallet

egjidjbpglichdcondbcbdnbeeppgdph

\Monero

\Skype

Build: %s

ilgcnhelpchnceeipipijaljkblbcobl

EQUALWallet

Coinbase

\Guarda

Version: %s

CommonKey

iWallet

mark_domains

Terracoin

\discord.txt

nkbihfbeogaeaoehlefnkodbefgpgknn

exp_month

\Minecraft

ProcessorNameString

\screenshot.png

/ %s

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

\atomic\Local Storage

fhilaheimglignddkjgofkcbgekhenbh

fnnegphlobjdpkhecapkijjdkgcjhkib

aflkmfhebedbjioipglgcbcmnbpgliof

ibnejdfjmmkpcnlpebklmnkoeoihofec

Battle.net

Megacoin

amkmjjmmflddogmhpjloimipbofnfjih

Solflare

ghijklmn

Infinitecoin

ld_autorun_scheduler

CryptoTab

admmjipmmciaobhojoghlmleefbicajg

Harmony

CentBrowser

\.lunarclient\settings\games\accounts.txt

\GoogleAccounts.txt

fhmfendgdocmcbmfikdcogofphimnkno

An uncaught exception occurred_ip0_1. The type was unknown so no information was available.

ProductName

\ElectronCash

LG" /sc ONLOGON /rl HIGHEST

Vivaldi

\.minecraft\launcher_msa_credentials.bin

360Browser

\Discord

flpiciilemghbmfalicajoolhkkenfel

Local Time: %d/%d/%d %d:%d:%d

gjagmgiddbbciopjhllkdnddhcglnemk

imloifkgjagghnncjkhggdhalmcnfklk

URL: %s

mgffkfbidihjpoaomajlbgchddlicgpn

\foxmail.txt

jbdaocneiiinmjbjlgalhcelgbejmnid

names

Namecoin

GoldCoin (GLD)

WavesKeeper

mkpegjkblkkefacfnmkajcjmabijhclg

Petra Aptos Wallet

jnlgamecbpmbajjfhmmmlhejkemejdma

VideoCard #%d: %s

Chrome

use_hvnc

\.purple

Backpack

grab_tg

\Maxthon3\User Data

\Binance\app-store.json

Dragon

MachineGuid

\Element

Exodus_E

Discord

Elements Browser

adobe

expirationDate

UserName: %s

\multidoge.wallet

ebfidpplhabeedpnhjnobghokpiioolj

gtokens

\.minecraft\launcher_profiles.json

\Torch\User Data

grab_ftp

NetboxBrowser

Chromodo

\Files

liebao

log_watermark_line_3

Epic Privacy Browser

\discorddevelopment

\Growtopia\save.dat

httpOnly

\WalletWasabi\Client\Wallets

NtTerminateProcess

aiifbnbfobpmeekipheeijimdpnlpgpp

\information.txt

fhbohimaelbohpjbbldcngcnapndodjp

grab_ihistory

mark_check_history

merge_google_tokens

MewCx

ZIP (Autofills): %s

Keplr

ojggmchlghnjlapmfbnjholfjkiidbch

exp_year

Processor: %s

grab_ds

iso_code

Splikity

Zcash

mark_countries

\Nichrome\User Data

Freicoin

SOFTWARE\Microsoft\Windows NT\CurrentVersion

\Opera Software\Opera Stable

**** **** ****

Trust Wallet

ax error

0123456789-_.

30123456789-_.

BBQCoin

EVER Wallet

DiscordDevelopment

Guarda

gojhcdgcpbpfigcaejpfhfegekdgiblk

Venom

merge_browser_data

autofill

download_history

EdgeMS

ffnbelfdoeiohenkjibnmadjiehjhajb

\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer

grab_screen

Opera Wallet

mark_check_cookies

\Uran\User Data

\Microsoft\Skype for Desktop\Local Storage

bhhhlbepdkbapadjdnnojkbgioiodbic

\Binance

Trezor Password Manager

\Chedot\User Data

\Sputnik\Sputnik\User Data

Eth and Polk Web3 Wallet

cjelfplplebdjjenllpjcblmjkfcffne

hmeobnfnfcmdkdcmlblgagmfpfboieaf

\save.dat

digitalcoin

\Atomic

User Name: %s

MetaMask Edge

C:\program files\steam

expiration_year

card_number

lpfcbjknijpeeillifnkikgncikgfhdo

\Bither\bither.db

BinanceChainWallet

domain

ChromePlus

jojhfeoedkpkglbfimdfabpdfjaoolaf

IOCoin

\Battle.net

Goblin wallet

\Kometa\User Data

Yoroi

012345678

Litecoin

Location: %s, %s

\accounts.xml

Kaikas

fnjhmkhhmkbjkkabndcnnogagogbneec

nhnkbkgjikgcigadomkphalanndcapjk

\Messengers

\Jaxx\Local Storage

WININET.DLL

service

\.feather\accounts.json

CreateDirect3D11DeviceFromDXGIDevice

\Growtopia

SaturnWallet

\Session Storage

hnfanknocfeofbddgcijnmhnfnkdnaad

bfnaelmomeimhlpmgjnjophhpkkoljpa

Storage: %s [%s]

LiqualityWallet

\IndexedDB

BraveWallet

AuroWallet

DiscordCanary

ld_autorun_registry

Torch

Local

Comodo

ChromiumViewer

\Pidgin

\passwords.txt

nanjmdknhkinifnkgdcggcfnhdaammmj

USERPROFILE

\discordptb

\Signal

ld_url

YZabcdefghijklmnopqrstuvwxyz0123456789-_.

\Yandex\YandexBrowser\User Data

IP: %s

mcohilncbfahbmgdjkbpemcciiolgcge

Mincoin

https://

FALSE

\Jaxx Liberty

\Coinomi\Coinomi\wallets

\QIP Surf\User Data

Reddcoin

mfgccjchihfkkindfppnaooecgfneiii

aholpfdialjgjfhomihkjbmgjidlcdno

Software\Microsoft\Windows\CurrentVersion\Run

\Elements Browser\User Data

An uncaught exception occurred_ip1:

WindowsCredentials

profile

Tokenpocket

Fewcha

Nichrome

ld_name

\Monero\wallets

GUID: %s

aijcbedoijmgnlmjeegjaglmepbmpkpi

\Orbitum\User Data

\7Star\7Star\User Data

Chrome (x86)

Citrio

nickname

OKX Wallet

\MultiDoge\multidoge.wallet

\.tlauncher\mcl\Minecraft\game\tlauncher_profiles.json

odbfpeeihdkbihmopkbjmoonfanlbfcl

grab_messengers

country

\Coinomi

\Opera Software

-.hsE

\Autofill.txt

Profiles/

\Cookies

Rabby

baaaa

\Browsers

\Element\Local Storage

GeroWallet

" /tn "

MetaMask

History

coin98

An uncaught exception occurred_ip4:

\NetboxBrowser\User Data

^Qghijklmn

C:\program files (x86)\steam

blnieiiffboillknjnepogjhkgnoapac

Oxygen

bhghoamapcdpbohphigoooaddinpkbai

CocCoc

\OpenVPN Connect\profiles

\Ledger Live

Eternl

%s [%s]

\Wasabi

heidi

hcflpincpppdclinealmandijcmnkbgn

MathWallet

grab_wallets

1.1.1.1

xyz0123456789-_.

12345678

lgmpcpglpngdoalbgeoldeajfclnhafa

Daedalus Mainnet

\CocCoc\Browser\User Data

\CatalinaGroup\Citrio\User Data

Hashpack

\NVIDIA Corporation\NVIDIA GeForce Experience

nkddgncdjgjfcddamfgcmfnlhccnimig

Primecoin

opcgpfmipidbgpenhmajoajpbobppdil

\MapleStudio\ChromePlus\User Data

\accounts.json

\Chromium\User Data

value

cjmkndjhnagcfbpiemnkdpomccnjblmj

Sputnik

\Downloads.txt

\Comodo\User Data

Kometa

\Mail.Ru\Atom\User Data

Braavos wallet

SOFTWARE\Microsoft\Cryptography

\Electrum\wallets

\Jaxx

Path: %s

uXVW_XH

devcoin

dkdedlpgdmmkkfjabffeganieamfklkm

EOS Authenticator

\CC.txt

An uncaught exception occurred_ip4. The type was unknown so no information was available.

efbglgofoippbgcjepnhiblaibcnclgk

\Chromodo\User Data

\Google\Chrome\User Data

KardiaChain

Display Resolution: %dx%d

\ICQ\0001

api.myip.com/

logins

cphhlgmgameodnhkjdmkpanlelnlohao

YZabcdefghijklmnopqrs3

AdobeUpdaterV

" /tr "

GAuth Authenticator

Maiar DeFi Wallet

\Cookies.txt

token

ld_autorun_shell

\com.liberty.jaxx

DiscordPTB

An uncaught exception occurred_ip0_2. The type was unknown so no information was available.

Chromium

db-ip.com/demo/home.php?s=

RAM: %u MB

igkpcodhieompeloncfnbekccinhapdb

fmblappgoiilbgafhjklehhfifbdocee

Orbitum

HVNC.dll

api64.ipify.org/?format=json

config

Jaxx Liberty Extension

An uncaught exception occurred_ip0_1:

ghpilmjholiicaobfjdkefcogmgaabif

Web Data

\TLauncher

\config

This program is a virus. Do you really want to run it?

\Armory

\Exodus\exodus.wallet

An uncaught exception occurred_ip2:

Local State

MachineID: %s

\launcher_accounts.json

password

\databases

Yandex

Password: %s

vwxyz0123456789-_.

\TotalCommander

\Amigo\User\User Data

Safepal

ghijklmnopqrs3

Anoncoin

phkbamefinggmakgklpkljjmgibohnba

@.B}T"

Ixcoin

caljgklbbfbcjjanaijlacgncafpegll

HWID: %s

PaliWallet

aeachknmefphepccionboohckonoeemg

Wombat

cgeeodpfagjceefieflmdfphplkenlfk

Opera GX

QIP Surf

DashCore

7Star

Date: %s

Storage: %s

Windows: %s [%s]

ld_buildname

Computer Name: %s [%s]

Chedot

Authenticator

Magic Eden Wallet

Maxthon3

\ElectrumLTC

lpilbniiabackdjcionkobglmddfbcjo

zuXVW_XH

YACoin

epapihdplajcdnnkdeiahlgigofloibg

NeoLine

afbcbjpbpfadlkmhmclhkeeodmamcflc

kpfopkelmapcoipemfendmdcghnegimn

Zoho Vault

%s [%d]

Work Dir: %s

\Bither

An uncaught exception occurred_ip2. The type was unknown so no information was available.

\Exodus

\BraveSoftware\Brave-Browser\User Data

YZabcdefghijklmnopqrst

[Software]

\K-Melon\User Data

wb)sE

\ey_tokens.txt

ipinfo.io/widget/demo/

Warning!

\tlauncher_profiles.json

GuildWallet

XMR.PT

TezBox

bmikpgodpkclnkgmnpphehdgcimmided

kkpllkodjeloidieedojogacfhpaihoh

>.B}T"

LOCALAPPDATA

Unknown

Outlook

billing_address_id

APPDATA

CloverWallet

bgpipimickeadkjlklgciifhnalhdjhe

Pontem Aptos Wallet

QRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.

ld_marks

hpglfhgfnhbgpjdenjgmdgoeiappafln

Sollet

nlbmnnijcnlegkjjpcfjclmcfggfefdm

\Ethereum

MSIUpdaterV

HARDWARE\DESCRIPTION\System\CentralProcessor\0

Iridium

last_four

\wcx_ftp.ini

expiration_month

$(123

Temple

kmhcihpebfmpgmihbkipmjlmmioameka

\Plugins

schtasks /create /f /RU "

\History.txt

\Vivaldi\User Data

BitAppWallet

K-Melon

Keyboard Languages:

eigblbgjknlfbajkfhopmcojidlgcehm

\Games

Vault_IE

jnkelfanjkeadonecabehalmbgpfodjm

\FileZilla

\Coowon\Coowon\User Data

Opera

Terra

[Processes]

\launcher_msa_credentials.bin

\google_tokens.txt

jblndlipeogpafnldhgmapagcccfchpi

Bitcoin

grab_games

DisplayName

Franko

name_on_card

Norton Password Manager

An uncaught exception occurred1:

XDEFI Wallet

log_watermark_line_2

\.minecraft\launcher_accounts.json

ForboleX

\accounts.txt

dmkamcknogkgcdfhhbddcghachkejeap

\bither.db

\Iridium\User Data

chgfefjpcobfbnpmiokfjjaglahmnded

Brave

www.maxmind.com/geoip/v2.1/city/me

[Hardware]

Bolt X

\CryptoTab Browser\User Data

cnmamaachppnkjgnildpdmkaakejnhae

Token: %s

EMartian Aptos Wallet

dngmlblcodfobpdpecaadgfbcggfjfnm

\liebao\User Data

ejjladinnckdgjemekebdpeokbikhfci

Display Language: %ws

\LunarClient

\app-store.json

\launcher_profiles.json

countryCode

\Steam

\Microsoft\Edge\User Data

An uncaught exception occurred1. The type was unknown so no information was available.

.B}T"

history

Amigo

\Electrum

Phantom

Dogecoin

jhfjfclepacoldmjmkmdlmganfaalklb

Sender Wallet

%s%llu

winhttp.dll

\Downloads

\GHISLER\wcx_ftp.ini

\Google(x86)\Chrome\User Data

An uncaught exception occurred_ip1. The type was unknown so no information was available.

grab_vpn

demoInfo

kncchdigobghenbbaddojjnnaogfppfj

log_watermark_line_1

secure

\History

slickSlideAnd

pdadjkfkgcafgbceimcpbkalnfnepbnk

uCozMedia

6548

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

setup.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6740

"C:\Users\admin\AppData\Local\Temp\setup.exe"

C:\Users\admin\AppData\Local\Temp\setup.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Codominants Stenotypists

Exit code:

Version:

1.0.0.3

Modules

Images
c:\users\admin\appdata\local\temp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

Add for printing

Total events

Read events

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

No data

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5056	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2120	MoUsoCoreWorker.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4936	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
1020	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
1020	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
1672	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
6300	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5056	svchost.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2120	MoUsoCoreWorker.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4324	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6300	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158	whitelisted
google.com	142.250.185.78	whitelisted
www.microsoft.com	23.35.229.160 95.101.149.131	whitelisted
login.live.com	20.190.159.23 40.126.31.67 20.190.159.73 20.190.159.2 20.190.159.64 20.190.159.71 40.126.31.71 20.190.159.68	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
client.wns.windows.com	40.113.103.199	whitelisted
go.microsoft.com	23.35.238.131	whitelisted
arc.msn.com	20.199.58.43	whitelisted
fd.api.iris.microsoft.com	20.103.156.88	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

setup.exe

F6C330BF80269E6A2CE60B6C173EDE5E

3A1EE94B51B65B73AE8694D407FEAE213CDFA0A3

DD41646C21ED512B30EAAD50ECA6E74A45ECD7C6C7BF9D1C6AA804C2EA845428

98304:Ce8Y8uefBQ1Pvfk9ZpygPy7JaUP8O27hMs5Nu7XqC/2p4D1HKLzIuN4AnXnAjIYj:C20j

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

RISEPRO has been detected (YARA)

SUSPICIOUS

INFO

Checks supported languages

Reads the computer name

Malware configuration

RisePro

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Malware configuration

RisePro

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings