Malware analysis e1c1638377d15168504c39b2a3d15c4151282a636c6a2053d1eeb49dbd8eb3ce Malicious activity

Add for printing

File name:	e1c1638377d15168504c39b2a3d15c4151282a636c6a2053d1eeb49dbd8eb3ce
Full analysis:	https://app.any.run/tasks/c42b0ecf-c8bc-48c9-a34e-fb7f2655d6c3
Verdict:	Malicious activity
Threats:	RisePro, an information-stealing malware, targets a wide range of sensitive data, including credit cards, passwords, and cryptocurrency wallets. By compromising infected devices, RisePro can steal valuable information and potentially cause significant financial and personal losses for victims. Malware Trends Tracker >>>
Analysis date:	February 08, 2025, 10:23:09
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	risepro
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	8DEC67583F0D9D2F8C817C95E7B43AD0
SHA1:	A2091EDAB6705926CAD2181E949BCDFBC76BBFFC
SHA256:	E1C1638377D15168504C39B2A3D15C4151282A636C6A2053D1EEB49DBD8EB3CE
SSDEEP:	49152:+cwg0qrO42nPOIBPhpOBlEOP9BvuoPgPcRfVvWY830T64/tZIjMUVKoEElAcATJw:t9rO/PrB5UlEi9B/gPcFVk3xPVdECFAa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- RISEPRO has been detected (YARA)
  - RegAsm.exe (PID: 6856)
SUSPICIOUS
- There is functionality for taking screenshot (YARA)
  - RegAsm.exe (PID: 6856)
INFO
- Checks supported languages
  - RegAsm.exe (PID: 6856)
  - e1c1638377d15168504c39b2a3d15c4151282a636c6a2053d1eeb49dbd8eb3ce.exe (PID: 6804)
- Reads the computer name
  - e1c1638377d15168504c39b2a3d15c4151282a636c6a2053d1eeb49dbd8eb3ce.exe (PID: 6804)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

RisePro

(PID) Process(6856) RegAsm.exe

C2 (1)217.195.207.156:50500

Strings (565)Tokenpocket

ejbalbakoplchlghecdalmeeeajnimhm

.B}T"

Rabby

\Atomic

GuildWallet

profile

Dogecoin

ChromiumViewer

Trezor Password Manager

fmblappgoiilbgafhjklehhfifbdocee

ICONex

GoldCoin (GLD)

Opera GX

Venom

jhfjfclepacoldmjmkmdlmganfaalklb

EQUALWallet

Opera Wallet

dmkamcknogkgcdfhhbddcghachkejeap

Iridium

opcgpfmipidbgpenhmajoajpbobppdil

012345678

grab_tg

AuroWallet

xyz0123456789-_.

\ElectronCash

db-ip.com/demo/home.php?s=

%s [%s]

APPDATA

\Autofill

MachineID: %s

K-Melon

aeachknmefphepccionboohckonoeemg

password

grab_games

DiscordCanary

Litecoin

ld_autorun_scheduler

CloverWallet

admmjipmmciaobhojoghlmleefbicajg

Orbitum

egjidjbpglichdcondbcbdnbeeppgdph

Bolt X

\Exodus\exodus.wallet

DiscordPTB

jnkelfanjkeadonecabehalmbgpfodjm

[Hardware]

\Electrum

\FileZilla

An uncaught exception occurred1. The type was unknown so no information was available.

Chromodo

[Processes]

\Binance

adobe

\Plugins

Terra

\GoogleAccounts.txt

\liebao\User Data

Warning!

\google_tokens.txt

Braavos wallet

gtokens

GeroWallet

\OpenVPN Connect

UQ12345678

ookjlbkiijinhpmnjffcofjonbfbgaoc

Eternl

\config.json

pdadjkfkgcafgbceimcpbkalnfnepbnk

Splikity

nickname

\accounts.xml

\Vivaldi\User Data

Comodo

Namecoin

Solflare

\360Browser\Browser\User Data

Steam

\bither.db

lgmpcpglpngdoalbgeoldeajfclnhafa

lpfcbjknijpeeillifnkikgncikgfhdo

vwxyz0123456789-_.

history

oeljdldpnmdbchonielidgobddffflal

\LunarClient

\Epic Privacy Browser\User Data

An uncaught exception occurred_ip0_1. The type was unknown so no information was available.

\.minecraft\launcher_profiles.json

Reddcoin

Daedalus Mainnet

expirationDate

https://

\accounts.txt

Infinitecoin

Keplr

Maxthon3

\WalletWasabi\Client\Wallets

Sputnik

An uncaught exception occurred_ip4. The type was unknown so no information was available.

mkpegjkblkkefacfnmkajcjmabijhclg

\Coinomi

CreateDirect3D11DeviceFromDXGIDevice

Local State

Software\Microsoft\Windows\CurrentVersion\Run

hmeobnfnfcmdkdcmlblgagmfpfboieaf

Web Data

Temple

Opera

\Ethereum

Megacoin

\Steam

value

Battle.net

360Browser

\Exodus

Vivaldi

History

$(123

\config

Primecoin

grab_vpn

fhmfendgdocmcbmfikdcogofphimnkno

\7Star\7Star\User Data

\.purple

\Google(x86)\Chrome\User Data

12345678

api64.ipify.org/?format=json

QIP Surf

bhghoamapcdpbohphigoooaddinpkbai

imloifkgjagghnncjkhggdhalmcnfklk

\MapleStudio\ChromePlus\User Data

\databases

QRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.

Yandex

countryCode

MetaMask Edge

ffnbelfdoeiohenkjibnmadjiehjhajb

Petra Aptos Wallet

eigblbgjknlfbajkfhopmcojidlgcehm

NiftyWallet

dkdedlpgdmmkkfjabffeganieamfklkm

MachineGuid

\Passwords.txt

jblndlipeogpafnldhgmapagcccfchpi

ld_autorun_registry

HARDWARE\DESCRIPTION\System\CentralProcessor\0

nkddgncdjgjfcddamfgcmfnlhccnimig

ProcessorNameString

cphhlgmgameodnhkjdmkpanlelnlohao

BitAppWallet

www.maxmind.com/geoip/v2.1/city/me

\K-Melon\User Data

igkpcodhieompeloncfnbekccinhapdb

\Opera Software\Opera Stable

Pontem Aptos Wallet

\Electrum-LTC\wallets

Yoroi

%s%llu

Bitcoin

cards

\History

\Battle.net

Franko

\save.dat

\Skype

\Session Storage

Display Resolution: %dx%d

7Star

ProductName

bfnaelmomeimhlpmgjnjophhpkkoljpa

Jaxx Liberty Extension

\ElectrumLTC

Brave

\Armory

IndexedDB

Dragon

PolymeshWallet

bmikpgodpkclnkgmnpphehdgcimmided

\Bither

\ICQ\0001

wb)sE

ipinfo.io/widget/demo/

secure

ld_marks

Terracoin

download_history

logins

billing_address_id

GUID: %s

jojhfeoedkpkglbfimdfabpdfjaoolaf

%s\%s

grab_screen

afbcbjpbpfadlkmhmclhkeeodmamcflc

\Cookies

nlbmnnijcnlegkjjpcfjclmcfggfefdm

\Coinomi\Coinomi\wallets

/ %s

\GHISLER\wcx_ftp.ini

User Name: %s

Date: %s

WavesKeeper

Discord

EOS Authenticator

^Qghijklmn

Coinbase

Chromium

epapihdplajcdnnkdeiahlgigofloibg

log_watermark_line_2

LOCALAPPDATA

Anoncoin

ibnejdfjmmkpcnlpebklmnkoeoihofec

Storage: %s [%s]

hcflpincpppdclinealmandijcmnkbgn

\Nichrome\User Data

Trust Wallet

\Opera Software

nkbihfbeogaeaoehlefnkodbefgpgknn

[Software]

\.lunarclient\settings\games\accounts.txt

An uncaught exception occurred_ip0_2:

\.minecraft\launcher_accounts.json

\com.liberty.jaxx

fnjhmkhhmkbjkkabndcnnogagogbneec

service

\Monero\wallets

Amigo

Chedot

" /tn "

ax error

baaaa

DisplayVersion

\Electrum\wallets

\TotalCommander

\launcher_accounts.json

Fewcha

BinanceChainWallet

WindowsCredentials

\Jaxx

\Jaxx Liberty

\Games

\.minecraft\launcher_msa_credentials.bin

MewCx

\uCozMedia\Uran\User Data

autofill

\CentBrowser\User Data

Display Language: %ws

mark_domains

Nichrome

MathWallet

ebfidpplhabeedpnhjnobghokpiioolj

bhhhlbepdkbapadjdnnojkbgioiodbic

Sollet

1.1.1.1

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

demoInfo

This program is a virus. Do you really want to run it?

ZIP (Autofills): %s

C:\program files\steam

\discorddevelopment

use_hvnc

\Chedot\User Data

\app-store.json

devcoin

Norton Password Manager

Storage: %s

expiration_year

Mincoin

\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer

\TLauncher

YACoin

\Browsers

30123456789-_.

\CC.txt

\.feather\accounts.json

\Minecraft

SOFTWARE\Microsoft\Windows NT\CurrentVersion

Profiles/

aodkkagnadcbobfpggfnjeongemjbjca

\Cookies.txt

mnfifefkajgofkcjkemidiaecocnkjeh

\.tlauncher\mcl\Minecraft\game\tlauncher_profiles.json

wbkED

Backpack

\Jaxx\Local Storage

YZabcdefghijklmnopqrstuvwxyz0123456789-_.

Kaikas

\multidoge.wallet

Chrome

gjagmgiddbbciopjhllkdnddhcglnemk

BraveWallet

Wombat

Local

cgeeodpfagjceefieflmdfphplkenlfk

HR" /sc HOURLY /rl HIGHEST

NVIDIA

Coowon

\Google\Chrome\User Data

\Mail.Ru\Atom\User Data

LG" /sc ONLOGON /rl HIGHEST

An uncaught exception occurred_ip1:

Magic Eden Wallet

C:\program files (x86)\steam

\Discord

api.myip.com/

\Binance\app-store.json

\Microsoft\Edge\User Data

Authenticator

mgffkfbidihjpoaomajlbgchddlicgpn

liebao

Citrio

grab_ds

CPU Count: %d

Torch

Elements Browser

\information.txt

ghijklmnopqrs3

\NVIDIA Corporation\NVIDIA GeForce Experience

**** **** ****

\launcher_msa_credentials.bin

ghpilmjholiicaobfjdkefcogmgaabif

An uncaught exception occurred_ip2. The type was unknown so no information was available.

\discord.txt

\Elements Browser\User Data

dngmlblcodfobpdpecaadgfbcggfjfnm

Password: %s

uCozMedia

\Ledger Live

Path: %s

An uncaught exception occurred1:

Safepal

config

\NetboxBrowser\User Data

aiifbnbfobpmeekipheeijimdpnlpgpp

\QIP Surf\User Data

log_watermark_line_3

aflkmfhebedbjioipglgcbcmnbpgliof

\Guarda

schtasks /create /f /RU "

An uncaught exception occurred_ip0_1:

heidi

ld_autorun_shell

ChromePlus

An uncaught exception occurred_ip2:

Sender Wallet

SOFTWARE\Microsoft\Cryptography

\tlauncher_profiles.json

merge_google_tokens

NeoLine

amkmjjmmflddogmhpjloimipbofnfjih

kncchdigobghenbbaddojjnnaogfppfj

ilgcnhelpchnceeipipijaljkblbcobl

\foxmail.txt

\Chromium\User Data

\Amigo\User\User Data

cjelfplplebdjjenllpjcblmjkfcffne

Exodus_E

VideoCard #%d: %s

NetboxBrowser

CocCoc

\Iridium\User Data

exp_year

mfgccjchihfkkindfppnaooecgfneiii

Oxygen

ejjladinnckdgjemekebdpeokbikhfci

\CryptoTab Browser\User Data

kkpllkodjeloidieedojogacfhpaihoh

grab_wallets

Local Time: %d/%d/%d %d:%d:%d

Florincoin

Goblin wallet

name_on_card

WININET.DLL

\screenshot.png

acmacodkjbdgmoleebolmdjonilkdbch

An uncaught exception occurred_ip4:

httpOnly

jbdaocneiiinmjbjlgalhcelgbejmnid

BBQCoin

Harmony

ALLUSERSPROFILE

\FeatherClient

Build: %s

cjmkndjhnagcfbpiemnkdpomccnjblmj

fhbohimaelbohpjbbldcngcnapndodjp

NtTerminateProcess

Computer Name: %s [%s]

Windows: %s [%s]

country

\Autofill.txt

-.hsE

Zcash

\Uran\User Data

%s [%d]

IP: %s

token

Zoho Vault

Ixcoin

exp_month

\ey_tokens.txt

hnfanknocfeofbddgcijnmhnfnkdnaad

HWID: %s

aholpfdialjgjfhomihkjbmgjidlcdno

XDEFI Wallet

fhilaheimglignddkjgofkcbgekhenbh

Version: %s

E-MAIL: %s

\Pidgin

hpglfhgfnhbgpjdenjgmdgoeiappafln

MSIUpdaterV

ld_geo

\Coowon\Coowon\User Data

lpilbniiabackdjcionkobglmddfbcjo

\CocCoc\Browser\User Data

coin98

\passwords.txt

IOCoin

\launcher_profiles.json

OKX Wallet

Vault_IE

0123456789-_.

USERPROFILE

digitalcoin

kmhcihpebfmpgmihbkipmjlmmioameka

\History.txt

fnnegphlobjdpkhecapkijjdkgcjhkib

\Element\Local Storage

efbglgofoippbgcjepnhiblaibcnclgk

CyanoWallet

blnieiiffboillknjnepogjhkgnoapac

\Kometa\User Data

Processor: %s

mcohilncbfahbmgdjkbpemcciiolgcge

\Comodo\Dragon\User Data

ghijklmn

\Growtopia\save.dat

grab_ihistory

kpfopkelmapcoipemfendmdcghnegimn

ld_url

Epic Privacy Browser

grab_messengers

\Monero

Work Dir: %s

iWallet

last_four

\MultiDoge

\ElectronCash\wallets

Keyboard Languages:

slickSlideAnd

\atomic\Local Storage

EMartian Aptos Wallet

CommonKey

<.B}T

names

An uncaught exception occurred_ip1. The type was unknown so no information was available.

Hashpack

\Bither\bither.db

Eth and Polk Web3 Wallet

YZabcdefghijklmnopqrst

ld_name

mark_check_history

XMR.PT

TezBox

mark_countries

D3D11.dll

winhttp.dll

\accounts.json

iso_code

\Wasabi

ld_buildname

\Element

\Files

DashCore

Guarda

\Messengers

\Ethereum\wallets

merge_browser_data

\discordptb

\Yandex\YandexBrowser\User Data

caljgklbbfbcjjanaijlacgncafpegll

\GoogleAccounts

\Local Storage

aijcbedoijmgnlmjeegjaglmepbmpkpi

GAuth Authenticator

Avira Password Manager

nhnkbkgjikgcigadomkphalanndcapjk

EVER Wallet

Finnie

zuXVW_XH

\Wallets

DiscordDevelopment

\discordcanary

agoakfejjabomempkjlepdflaleeobhb

\Orbitum\User Data

PaliWallet

UserName: %s

" /tr "

Outlook

\Growtopia

Unknown

\BraveSoftware\Brave-Browser\User Data

flpiciilemghbmfalicajoolhkkenfel

HVNC.dll

expiration_month

jnlgamecbpmbajjfhmmmlhejkemejdma

Kometa

\CatalinaGroup\Citrio\User Data

\IndexedDB

\Microsoft\Skype for Desktop\Local Storage

Token: %s

LiqualityWallet

grab_ftp

RAM: %u MB

URL: %s

odbfpeeihdkbihmopkbjmoonfanlbfcl

\Chromodo\User Data

\Downloads

Freicoin

EdgeMS

cnmamaachppnkjgnildpdmkaakejnhae

uXVW_XH

nanjmdknhkinifnkgdcggcfnhdaammmj

mark_check_cookies

card_number

\Comodo\User Data

AdobeUpdaterV

Phantom

ForboleX

ojggmchlghnjlapmfbnjholfjkiidbch

\MultiDoge\multidoge.wallet

SaturnWallet

log_watermark_line_1

Chrome (x86)

Location: %s, %s

RoninWallet

\Torch\User Data

\OpenVPN Connect\profiles

CentBrowser

CryptoTab

Maiar DeFi Wallet

gojhcdgcpbpfigcaejpfhfegekdgiblk

chgfefjpcobfbnpmiokfjjaglahmnded

MetaMask

bgpipimickeadkjlklgciifhnalhdjhe

\Signal

mark_check_passwords

\wcx_ftp.ini

fihkakfobkmkjojpchpfgcmhfjnmnfpi

phkbamefinggmakgklpkljjmgibohnba

FALSE

\Downloads.txt

Leap Terra Wallet

domain

An uncaught exception occurred_ip0_2. The type was unknown so no information was available.

DisplayName

TronLink

KardiaChain

\Maxthon3\User Data

\Sputnik\Sputnik\User Data

YZabcdefghijklmnopqrs3

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll	\|	Win32 Dynamic Link Library (generic) (7.4)
.exe	\|	Win32 Executable (generic) (5.1)
.exe	\|	Generic Win/DOS Executable (2.2)
.exe	\|	DOS Executable Generic (2.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2062:03:14 22:43:45+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32
LinkerVersion:	48
CodeSize:	1374208
InitializedDataSize:	2048
UninitializedDataSize:	-
EntryPoint:	0x325e
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.3
ProductVersionNumber:	1.0.0.3
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	-
CompanyName:	-
FileDescription:	Codominants Stenotypists
FileVersion:	1.0.0.3
InternalName:	Current.exe
LegalCopyright:	Copyright © 2023
LegalTrademarks:	-
OriginalFileName:	Current.exe
ProductName:	Transferrin Hermitry
ProductVersion:	1.0.0.3
AssemblyVersion:	1.0.0.3

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

125

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

6804

"C:\Users\admin\AppData\Local\Temp\e1c1638377d15168504c39b2a3d15c4151282a636c6a2053d1eeb49dbd8eb3ce.exe"

C:\Users\admin\AppData\Local\Temp\e1c1638377d15168504c39b2a3d15c4151282a636c6a2053d1eeb49dbd8eb3ce.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Codominants Stenotypists

Exit code:

Version:

1.0.0.3

Modules

Images
c:\users\admin\appdata\local\temp\e1c1638377d15168504c39b2a3d15c4151282a636c6a2053d1eeb49dbd8eb3ce.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

6848

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

—

e1c1638377d15168504c39b2a3d15c4151282a636c6a2053d1eeb49dbd8eb3ce.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft .NET Assembly Registration Utility

Exit code:

Version:

4.8.9037.0 built by: NET481REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

6856

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

e1c1638377d15168504c39b2a3d15c4151282a636c6a2053d1eeb49dbd8eb3ce.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft .NET Assembly Registration Utility

Version:

4.8.9037.0 built by: NET481REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

RisePro

(PID) Process(6856) RegAsm.exe

C2 (1)217.195.207.156:50500

Strings (565)Tokenpocket

ejbalbakoplchlghecdalmeeeajnimhm

.B}T"

Rabby

\Atomic

GuildWallet

profile

Dogecoin

ChromiumViewer

Trezor Password Manager

fmblappgoiilbgafhjklehhfifbdocee

ICONex

GoldCoin (GLD)

Opera GX

Venom

jhfjfclepacoldmjmkmdlmganfaalklb

EQUALWallet

Opera Wallet

dmkamcknogkgcdfhhbddcghachkejeap

Iridium

opcgpfmipidbgpenhmajoajpbobppdil

012345678

grab_tg

AuroWallet

xyz0123456789-_.

\ElectronCash

db-ip.com/demo/home.php?s=

%s [%s]

APPDATA

\Autofill

MachineID: %s

K-Melon

aeachknmefphepccionboohckonoeemg

password

grab_games

DiscordCanary

Litecoin

ld_autorun_scheduler

CloverWallet

admmjipmmciaobhojoghlmleefbicajg

Orbitum

egjidjbpglichdcondbcbdnbeeppgdph

Bolt X

\Exodus\exodus.wallet

DiscordPTB

jnkelfanjkeadonecabehalmbgpfodjm

[Hardware]

\Electrum

\FileZilla

An uncaught exception occurred1. The type was unknown so no information was available.

Chromodo

[Processes]

\Binance

adobe

\Plugins

Terra

\GoogleAccounts.txt

\liebao\User Data

Warning!

\google_tokens.txt

Braavos wallet

gtokens

GeroWallet

\OpenVPN Connect

UQ12345678

ookjlbkiijinhpmnjffcofjonbfbgaoc

Eternl

\config.json

pdadjkfkgcafgbceimcpbkalnfnepbnk

Splikity

nickname

\accounts.xml

\Vivaldi\User Data

Comodo

Namecoin

Solflare

\360Browser\Browser\User Data

Steam

\bither.db

lgmpcpglpngdoalbgeoldeajfclnhafa

lpfcbjknijpeeillifnkikgncikgfhdo

vwxyz0123456789-_.

history

oeljdldpnmdbchonielidgobddffflal

\LunarClient

\Epic Privacy Browser\User Data

An uncaught exception occurred_ip0_1. The type was unknown so no information was available.

\.minecraft\launcher_profiles.json

Reddcoin

Daedalus Mainnet

expirationDate

https://

\accounts.txt

Infinitecoin

Keplr

Maxthon3

\WalletWasabi\Client\Wallets

Sputnik

An uncaught exception occurred_ip4. The type was unknown so no information was available.

mkpegjkblkkefacfnmkajcjmabijhclg

\Coinomi

CreateDirect3D11DeviceFromDXGIDevice

Local State

Software\Microsoft\Windows\CurrentVersion\Run

hmeobnfnfcmdkdcmlblgagmfpfboieaf

Web Data

Temple

Opera

\Ethereum

Megacoin

\Steam

value

Battle.net

360Browser

\Exodus

Vivaldi

History

$(123

\config

Primecoin

grab_vpn

fhmfendgdocmcbmfikdcogofphimnkno

\7Star\7Star\User Data

\.purple

\Google(x86)\Chrome\User Data

12345678

api64.ipify.org/?format=json

QIP Surf

bhghoamapcdpbohphigoooaddinpkbai

imloifkgjagghnncjkhggdhalmcnfklk

\MapleStudio\ChromePlus\User Data

\databases

QRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.

Yandex

countryCode

MetaMask Edge

ffnbelfdoeiohenkjibnmadjiehjhajb

Petra Aptos Wallet

eigblbgjknlfbajkfhopmcojidlgcehm

NiftyWallet

dkdedlpgdmmkkfjabffeganieamfklkm

MachineGuid

\Passwords.txt

jblndlipeogpafnldhgmapagcccfchpi

ld_autorun_registry

HARDWARE\DESCRIPTION\System\CentralProcessor\0

nkddgncdjgjfcddamfgcmfnlhccnimig

ProcessorNameString

cphhlgmgameodnhkjdmkpanlelnlohao

BitAppWallet

www.maxmind.com/geoip/v2.1/city/me

\K-Melon\User Data

igkpcodhieompeloncfnbekccinhapdb

\Opera Software\Opera Stable

Pontem Aptos Wallet

\Electrum-LTC\wallets

Yoroi

%s%llu

Bitcoin

cards

\History

\Battle.net

Franko

\save.dat

\Skype

\Session Storage

Display Resolution: %dx%d

7Star

ProductName

bfnaelmomeimhlpmgjnjophhpkkoljpa

Jaxx Liberty Extension

\ElectrumLTC

Brave

\Armory

IndexedDB

Dragon

PolymeshWallet

bmikpgodpkclnkgmnpphehdgcimmided

\Bither

\ICQ\0001

wb)sE

ipinfo.io/widget/demo/

secure

ld_marks

Terracoin

download_history

logins

billing_address_id

GUID: %s

jojhfeoedkpkglbfimdfabpdfjaoolaf

%s\%s

grab_screen

afbcbjpbpfadlkmhmclhkeeodmamcflc

\Cookies

nlbmnnijcnlegkjjpcfjclmcfggfefdm

\Coinomi\Coinomi\wallets

/ %s

\GHISLER\wcx_ftp.ini

User Name: %s

Date: %s

WavesKeeper

Discord

EOS Authenticator

^Qghijklmn

Coinbase

Chromium

epapihdplajcdnnkdeiahlgigofloibg

log_watermark_line_2

LOCALAPPDATA

Anoncoin

ibnejdfjmmkpcnlpebklmnkoeoihofec

Storage: %s [%s]

hcflpincpppdclinealmandijcmnkbgn

\Nichrome\User Data

Trust Wallet

\Opera Software

nkbihfbeogaeaoehlefnkodbefgpgknn

[Software]

\.lunarclient\settings\games\accounts.txt

An uncaught exception occurred_ip0_2:

\.minecraft\launcher_accounts.json

\com.liberty.jaxx

fnjhmkhhmkbjkkabndcnnogagogbneec

service

\Monero\wallets

Amigo

Chedot

" /tn "

ax error

baaaa

DisplayVersion

\Electrum\wallets

\TotalCommander

\launcher_accounts.json

Fewcha

BinanceChainWallet

WindowsCredentials

\Jaxx

\Jaxx Liberty

\Games

\.minecraft\launcher_msa_credentials.bin

MewCx

\uCozMedia\Uran\User Data

autofill

\CentBrowser\User Data

Display Language: %ws

mark_domains

Nichrome

MathWallet

ebfidpplhabeedpnhjnobghokpiioolj

bhhhlbepdkbapadjdnnojkbgioiodbic

Sollet

1.1.1.1

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

demoInfo

This program is a virus. Do you really want to run it?

ZIP (Autofills): %s

C:\program files\steam

\discorddevelopment

use_hvnc

\Chedot\User Data

\app-store.json

devcoin

Norton Password Manager

Storage: %s

expiration_year

Mincoin

\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer

\TLauncher

YACoin

\Browsers

30123456789-_.

\CC.txt

\.feather\accounts.json

\Minecraft

SOFTWARE\Microsoft\Windows NT\CurrentVersion

Profiles/

aodkkagnadcbobfpggfnjeongemjbjca

\Cookies.txt

mnfifefkajgofkcjkemidiaecocnkjeh

\.tlauncher\mcl\Minecraft\game\tlauncher_profiles.json

wbkED

Backpack

\Jaxx\Local Storage

YZabcdefghijklmnopqrstuvwxyz0123456789-_.

Kaikas

\multidoge.wallet

Chrome

gjagmgiddbbciopjhllkdnddhcglnemk

BraveWallet

Wombat

Local

cgeeodpfagjceefieflmdfphplkenlfk

HR" /sc HOURLY /rl HIGHEST

NVIDIA

Coowon

\Google\Chrome\User Data

\Mail.Ru\Atom\User Data

LG" /sc ONLOGON /rl HIGHEST

An uncaught exception occurred_ip1:

Magic Eden Wallet

C:\program files (x86)\steam

\Discord

api.myip.com/

\Binance\app-store.json

\Microsoft\Edge\User Data

Authenticator

mgffkfbidihjpoaomajlbgchddlicgpn

liebao

Citrio

grab_ds

CPU Count: %d

Torch

Elements Browser

\information.txt

ghijklmnopqrs3

\NVIDIA Corporation\NVIDIA GeForce Experience

**** **** ****

\launcher_msa_credentials.bin

ghpilmjholiicaobfjdkefcogmgaabif

An uncaught exception occurred_ip2. The type was unknown so no information was available.

\discord.txt

\Elements Browser\User Data

dngmlblcodfobpdpecaadgfbcggfjfnm

Password: %s

uCozMedia

\Ledger Live

Path: %s

An uncaught exception occurred1:

Safepal

config

\NetboxBrowser\User Data

aiifbnbfobpmeekipheeijimdpnlpgpp

\QIP Surf\User Data

log_watermark_line_3

aflkmfhebedbjioipglgcbcmnbpgliof

\Guarda

schtasks /create /f /RU "

An uncaught exception occurred_ip0_1:

heidi

ld_autorun_shell

ChromePlus

An uncaught exception occurred_ip2:

Sender Wallet

SOFTWARE\Microsoft\Cryptography

\tlauncher_profiles.json

merge_google_tokens

NeoLine

amkmjjmmflddogmhpjloimipbofnfjih

kncchdigobghenbbaddojjnnaogfppfj

ilgcnhelpchnceeipipijaljkblbcobl

\foxmail.txt

\Chromium\User Data

\Amigo\User\User Data

cjelfplplebdjjenllpjcblmjkfcffne

Exodus_E

VideoCard #%d: %s

NetboxBrowser

CocCoc

\Iridium\User Data

exp_year

mfgccjchihfkkindfppnaooecgfneiii

Oxygen

ejjladinnckdgjemekebdpeokbikhfci

\CryptoTab Browser\User Data

kkpllkodjeloidieedojogacfhpaihoh

grab_wallets

Local Time: %d/%d/%d %d:%d:%d

Florincoin

Goblin wallet

name_on_card

WININET.DLL

\screenshot.png

acmacodkjbdgmoleebolmdjonilkdbch

An uncaught exception occurred_ip4:

httpOnly

jbdaocneiiinmjbjlgalhcelgbejmnid

BBQCoin

Harmony

ALLUSERSPROFILE

\FeatherClient

Build: %s

cjmkndjhnagcfbpiemnkdpomccnjblmj

fhbohimaelbohpjbbldcngcnapndodjp

NtTerminateProcess

Computer Name: %s [%s]

Windows: %s [%s]

country

\Autofill.txt

-.hsE

Zcash

\Uran\User Data

%s [%d]

IP: %s

token

Zoho Vault

Ixcoin

exp_month

\ey_tokens.txt

hnfanknocfeofbddgcijnmhnfnkdnaad

HWID: %s

aholpfdialjgjfhomihkjbmgjidlcdno

XDEFI Wallet

fhilaheimglignddkjgofkcbgekhenbh

Version: %s

E-MAIL: %s

\Pidgin

hpglfhgfnhbgpjdenjgmdgoeiappafln

MSIUpdaterV

ld_geo

\Coowon\Coowon\User Data

lpilbniiabackdjcionkobglmddfbcjo

\CocCoc\Browser\User Data

coin98

\passwords.txt

IOCoin

\launcher_profiles.json

OKX Wallet

Vault_IE

0123456789-_.

USERPROFILE

digitalcoin

kmhcihpebfmpgmihbkipmjlmmioameka

\History.txt

fnnegphlobjdpkhecapkijjdkgcjhkib

\Element\Local Storage

efbglgofoippbgcjepnhiblaibcnclgk

CyanoWallet

blnieiiffboillknjnepogjhkgnoapac

\Kometa\User Data

Processor: %s

mcohilncbfahbmgdjkbpemcciiolgcge

\Comodo\Dragon\User Data

ghijklmn

\Growtopia\save.dat

grab_ihistory

kpfopkelmapcoipemfendmdcghnegimn

ld_url

Epic Privacy Browser

grab_messengers

\Monero

Work Dir: %s

iWallet

last_four

\MultiDoge

\ElectronCash\wallets

Keyboard Languages:

slickSlideAnd

\atomic\Local Storage

EMartian Aptos Wallet

CommonKey

<.B}T

names

An uncaught exception occurred_ip1. The type was unknown so no information was available.

Hashpack

\Bither\bither.db

Eth and Polk Web3 Wallet

YZabcdefghijklmnopqrst

ld_name

mark_check_history

XMR.PT

TezBox

mark_countries

D3D11.dll

winhttp.dll

\accounts.json

iso_code

\Wasabi

ld_buildname

\Element

\Files

DashCore

Guarda

\Messengers

\Ethereum\wallets

merge_browser_data

\discordptb

\Yandex\YandexBrowser\User Data

caljgklbbfbcjjanaijlacgncafpegll

\GoogleAccounts

\Local Storage

aijcbedoijmgnlmjeegjaglmepbmpkpi

GAuth Authenticator

Avira Password Manager

nhnkbkgjikgcigadomkphalanndcapjk

EVER Wallet

Finnie

zuXVW_XH

\Wallets

DiscordDevelopment

\discordcanary

agoakfejjabomempkjlepdflaleeobhb

\Orbitum\User Data

PaliWallet

UserName: %s

" /tr "

Outlook

\Growtopia

Unknown

\BraveSoftware\Brave-Browser\User Data

flpiciilemghbmfalicajoolhkkenfel

HVNC.dll

expiration_month

jnlgamecbpmbajjfhmmmlhejkemejdma

Kometa

\CatalinaGroup\Citrio\User Data

\IndexedDB

\Microsoft\Skype for Desktop\Local Storage

Token: %s

LiqualityWallet

grab_ftp

RAM: %u MB

URL: %s

odbfpeeihdkbihmopkbjmoonfanlbfcl

\Chromodo\User Data

\Downloads

Freicoin

EdgeMS

cnmamaachppnkjgnildpdmkaakejnhae

uXVW_XH

nanjmdknhkinifnkgdcggcfnhdaammmj

mark_check_cookies

card_number

\Comodo\User Data

AdobeUpdaterV

Phantom

ForboleX

ojggmchlghnjlapmfbnjholfjkiidbch

\MultiDoge\multidoge.wallet

SaturnWallet

log_watermark_line_1

Chrome (x86)

Location: %s, %s

RoninWallet

\Torch\User Data

\OpenVPN Connect\profiles

CentBrowser

CryptoTab

Maiar DeFi Wallet

gojhcdgcpbpfigcaejpfhfegekdgiblk

chgfefjpcobfbnpmiokfjjaglahmnded

MetaMask

bgpipimickeadkjlklgciifhnalhdjhe

\Signal

mark_check_passwords

\wcx_ftp.ini

fihkakfobkmkjojpchpfgcmhfjnmnfpi

phkbamefinggmakgklpkljjmgibohnba

FALSE

\Downloads.txt

Leap Terra Wallet

domain

An uncaught exception occurred_ip0_2. The type was unknown so no information was available.

DisplayName

TronLink

KardiaChain

\Maxthon3\User Data

\Sputnik\Sputnik\User Data

YZabcdefghijklmnopqrs3

Add for printing

Total events

Read events

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

No data

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
556	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
6604	backgroundTaskHost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
556	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
—	—	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
1176	svchost.exe	20.190.159.0:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	184.30.131.245:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted
1076	svchost.exe	23.213.166.81:443	go.microsoft.com	AKAMAI-AS	DE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
556	SIHClient.exe	20.109.210.53:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
556	SIHClient.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
556	SIHClient.exe	13.85.23.206:443	fe3cr.delivery.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3220	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6604	backgroundTaskHost.exe	20.31.169.57:443	arc.msn.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

DNS requests

Domain	IP	Reputation
login.live.com	20.190.159.0 20.190.159.75 40.126.31.3 40.126.31.71 40.126.31.129 40.126.31.1 40.126.31.131 20.190.159.4	whitelisted
go.microsoft.com	23.213.166.81	whitelisted
slscr.update.microsoft.com	20.109.210.53	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted
settings-win.data.microsoft.com	51.124.78.146	whitelisted
arc.msn.com	20.31.169.57	whitelisted
ocsp.digicert.com	184.30.131.245	whitelisted
fd.api.iris.microsoft.com	20.31.169.57	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

e1c1638377d15168504c39b2a3d15c4151282a636c6a2053d1eeb49dbd8eb3ce

8DEC67583F0D9D2F8C817C95E7B43AD0

A2091EDAB6705926CAD2181E949BCDFBC76BBFFC

E1C1638377D15168504C39B2A3D15C4151282A636C6A2053D1EEB49DBD8EB3CE

49152:+cwg0qrO42nPOIBPhpOBlEOP9BvuoPgPcRfVvWY830T64/tZIjMUVKoEElAcATJw:t9rO/PrB5UlEi9B/gPcFVk3xPVdECFAa

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

RISEPRO has been detected (YARA)

SUSPICIOUS

There is functionality for taking screenshot (YARA)

INFO

Checks supported languages

Reads the computer name

Malware configuration

RisePro

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Malware configuration

RisePro

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings