File name: e4a2a9dc792bd2fdd98dc31133107f881580afc0508ef788537cb900dee7efd7

Full analysis: https://app.any.run/tasks/265ee15a-d60a-4320-9fe5-0285fa53985f
Verdict: Malicious activity
Threats:

RisePro, an information-stealing malware, targets a wide range of sensitive data, including credit cards, passwords, and cryptocurrency wallets. By compromising infected devices, RisePro can steal valuable information and potentially cause significant financial and personal losses for victims.

Analysis date: May 18, 2025, 14:20:31
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
risepro
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: BAC3DFFEF883860EA809BC59011A8143
SHA1: B37DE5526397EF86B29F10A85D7E4C95F7F3F923
SHA256: E4A2A9DC792BD2FDD98DC31133107F881580AFC0508EF788537CB900DEE7EFD7
SSDEEP: 98304:ln2v9XtRIOtM9303i1+QsKIKERJvhEB0kjNsgbuLVfArwrVoXOrlpfbGieXapNWE:nX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 2Ht8075.exe (PID: 6572)
    • Changes the autorun value in the registry

      • 3GT80Ht.exe (PID: 1804)
    • Create files in the Startup directory

      • 3GT80Ht.exe (PID: 1804)
    • Uses Task Scheduler to run other applications

      • 3GT80Ht.exe (PID: 1804)
    • Uses Task Scheduler to autorun other applications

      • 3GT80Ht.exe (PID: 1804)
    • Risepro uses scheduled tasks to run itself

      • 3GT80Ht.exe (PID: 1804)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • e4a2a9dc792bd2fdd98dc31133107f881580afc0508ef788537cb900dee7efd7.exe (PID: 6344)
      • wj1VZ81.exe (PID: 4108)
      • lQ3Sx18.exe (PID: 2320)
    • Starts a Microsoft application from unusual location

      • lQ3Sx18.exe (PID: 2320)
      • e4a2a9dc792bd2fdd98dc31133107f881580afc0508ef788537cb900dee7efd7.exe (PID: 6344)
      • ya1cq56.exe (PID: 6964)
      • wj1VZ81.exe (PID: 4108)
    • Executable content was dropped or overwritten

      • lQ3Sx18.exe (PID: 2320)
      • e4a2a9dc792bd2fdd98dc31133107f881580afc0508ef788537cb900dee7efd7.exe (PID: 6344)
      • wj1VZ81.exe (PID: 4108)
      • ya1cq56.exe (PID: 6964)
      • 3GT80Ht.exe (PID: 1804)
    • Connects to unusual port

      • 3GT80Ht.exe (PID: 1804)
      • AppLaunch.exe (PID: 6740)
  • INFO

    • The sample compiled with english language support

      • e4a2a9dc792bd2fdd98dc31133107f881580afc0508ef788537cb900dee7efd7.exe (PID: 6344)
      • lQ3Sx18.exe (PID: 2320)
      • wj1VZ81.exe (PID: 4108)
    • Create files in a temporary directory

      • e4a2a9dc792bd2fdd98dc31133107f881580afc0508ef788537cb900dee7efd7.exe (PID: 6344)
      • lQ3Sx18.exe (PID: 2320)
      • wj1VZ81.exe (PID: 4108)
      • ya1cq56.exe (PID: 6964)
      • 3GT80Ht.exe (PID: 1804)
    • Checks supported languages

      • lQ3Sx18.exe (PID: 2320)
      • e4a2a9dc792bd2fdd98dc31133107f881580afc0508ef788537cb900dee7efd7.exe (PID: 6344)
      • wj1VZ81.exe (PID: 4108)
      • ya1cq56.exe (PID: 6964)
      • AppLaunch.exe (PID: 6740)
      • 2Ht8075.exe (PID: 6572)
      • 3GT80Ht.exe (PID: 1804)
    • The sample compiled with swedish language support

      • ya1cq56.exe (PID: 6964)
      • 3GT80Ht.exe (PID: 1804)
    • Reads the computer name

      • 3GT80Ht.exe (PID: 1804)
      • AppLaunch.exe (PID: 6740)
    • Creates files in the program directory

      • 3GT80Ht.exe (PID: 1804)
    • Creates files or folders in the user directory

      • 3GT80Ht.exe (PID: 1804)
    • Reads the machine GUID from the registry

      • AppLaunch.exe (PID: 6740)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:05:24 22:49:06+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.13
CodeSize: 25600
InitializedDataSize: 2813952
UninitializedDataSize: -
EntryPoint: 0x6a60
OSVersion: 10
ImageVersion: 10
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 11.0.17763.1
ProductVersionNumber: 11.0.17763.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Win32 Cabinet Self-Extractor
FileVersion: 11.00.17763.1 (WinBuild.160101.0800)
InternalName: Wextract
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: WEXTRACT.EXE .MUI
ProductName: Internet Explorer
ProductVersion: 11.00.17763.1
No data.
All screenshots are available in the full report
Total processes: 142
Monitored processes: 14
Malicious processes: 5
Suspicious processes: 1

Behavior graph

start e4a2a9dc792bd2fdd98dc31133107f881580afc0508ef788537cb900dee7efd7.exe lq3sx18.exe wj1vz81.exe ya1cq56.exe 2ht8075.exe no specs conhost.exe no specs sppextcomobj.exe no specs slui.exe no specs applaunch.exe 3gt80ht.exe schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1088
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1804
CMD: C:\Users\admin\AppData\Local\Temp\IXP003.TMP\3GT80Ht.exe
Path: C:\Users\admin\AppData\Local\Temp\IXP003.TMP\3GT80Ht.exe
Parent process: ya1cq56.exe
User: admin
Company: CrystalDisk
Integrity Level: MEDIUM
Description: CrystalDiskInfo Setup
Version: 9.1.1.0
Modules
Images
c:\users\admin\appdata\local\temp\ixp003.tmp\3gt80ht.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 2320
CMD: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\lQ3Sx18.exe
Path: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\lQ3Sx18.exe
Parent process: e4a2a9dc792bd2fdd98dc31133107f881580afc0508ef788537cb900dee7efd7.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Win32 Cabinet Self-Extractor
Version: 11.00.17763.1 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\local\temp\ixp000.tmp\lq3sx18.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 4108
CMD: C:\Users\admin\AppData\Local\Temp\IXP001.TMP\wj1VZ81.exe
Path: C:\Users\admin\AppData\Local\Temp\IXP001.TMP\wj1VZ81.exe
Parent process: lQ3Sx18.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Win32 Cabinet Self-Extractor
Version: 11.00.17763.1 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\local\temp\ixp001.tmp\wj1vz81.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 4608
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 4620
CMD: schtasks /create /f /RU "admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: 3GT80Ht.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Configuration Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 5392
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6040
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6344
CMD: "C:\Users\admin\AppData\Local\Temp\e4a2a9dc792bd2fdd98dc31133107f881580afc0508ef788537cb900dee7efd7.exe"
Path: C:\Users\admin\AppData\Local\Temp\e4a2a9dc792bd2fdd98dc31133107f881580afc0508ef788537cb900dee7efd7.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Win32 Cabinet Self-Extractor
Version: 11.00.17763.1 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\local\temp\e4a2a9dc792bd2fdd98dc31133107f881580afc0508ef788537cb900dee7efd7.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 6572
CMD: C:\Users\admin\AppData\Local\Temp\IXP003.TMP\2Ht8075.exe
Path: C:\Users\admin\AppData\Local\Temp\IXP003.TMP\2Ht8075.exe
Parent process: ya1cq56.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\appdata\local\temp\ixp003.tmp\2ht8075.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
Total events: 2 312
Read events: 2 311
Write events: 1
Delete events: 0

Modification events

(PID) Process: (1804) 3GT80Ht.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: MaxLoonaFest131
Value: C:\Users\admin\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe
Executable files: 11
Suspicious files: 1
Text files: 1
Unknown types: 0

Dropped files

PID: 1804 | Process: 3GT80Ht.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe
MD5: D4ED45CC37D5C2B0313B47EF91FB207A
SHA256: E8DEDA7FA5CDC72ED567A5B92AAC0F0C44AFD4A53E80696E31426108DB1EE00D

PID: 6344 | Process: e4a2a9dc792bd2fdd98dc31133107f881580afc0508ef788537cb900dee7efd7.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\6nh5ju6.exe
MD5: 9334DAE660183B26AA1FC661306E4365
SHA256: 3B1AD410405F81EF12EFA265487EB5B7C65DA0D7C582329DB244D43495DB7A9A

PID: 2320 | Process: lQ3Sx18.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\IXP001.TMP\wj1VZ81.exe
MD5: ABFF24BD9AC482F7C491A860B8E41177
SHA256: 6D359132F947BD996C00D43449762E32E6AE08B173F112F857DC51B11A86992C

PID: 4108 | Process: wj1VZ81.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\IXP002.TMP\4Hb381Iy.exe
MD5: 500CFFB16C625EB267EF31552EE92663
SHA256: 76EB34808CEFB4FF345C280298E124F6167BC85ACE6B4BFB36448B0186E1A7B1

PID: 6964 | Process: ya1cq56.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\IXP003.TMP\2Ht8075.exe
MD5: CD3B552829F8DC3C77E5B31C6507A739
SHA256: DC29BD7DA79095A221B74922B26B3625229A4977F22619E77DB34BE2A23D8C2F

PID: 2320 | Process: lQ3Sx18.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\IXP001.TMP\5GF9iF1.exe
MD5: B555DBF635A6B9866BFA85B283305BEF
SHA256: D976CE3DCB5081E1A038B00A100467219D42685DEE2AD0B5163E82EADBEFEEFE

PID: 6344 | Process: e4a2a9dc792bd2fdd98dc31133107f881580afc0508ef788537cb900dee7efd7.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\lQ3Sx18.exe
MD5: 9DB96E51C67A914354A186F12B300C24
SHA256: 183C0C320ACFB2A5C413DB9463823BB4B259C3654B53FB076034B12CF2AB7214

PID: 1804 | Process: 3GT80Ht.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe
MD5: D4ED45CC37D5C2B0313B47EF91FB207A
SHA256: E8DEDA7FA5CDC72ED567A5B92AAC0F0C44AFD4A53E80696E31426108DB1EE00D

PID: 1804 | Process: 3GT80Ht.exe | Type: binary
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk
MD5: B04F2ACE370CC03FB86D39E16AE24E17
SHA256: E34DF520D4B7296801D0A3174565E02D5609CF7AC18BB4CC1D477DE6A5597A15

PID: 4108 | Process: wj1VZ81.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\IXP002.TMP\ya1cq56.exe
MD5: 43785FFA24A65A5664E072A843B40E20
SHA256: 3A1041C06102B6D0A78420590EB8D0A97A79BE33694E2DA2E141310DDC241601
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 23
DNS requests: 14
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4188
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4188
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
69.192.161.161:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
2112
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.160.22:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 69.192.161.161
  • 95.101.149.131
whitelisted
google.com
  • 142.250.186.142
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.160.22
  • 20.190.160.66
  • 20.190.160.65
  • 20.190.160.67
  • 20.190.160.5
  • 20.190.160.17
  • 20.190.160.64
  • 20.190.160.131
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted

Threats

No threats detected
No debug info