File name:

wrsetup.exe

Full analysis: https://app.any.run/tasks/120561f3-98eb-47bd-a5fa-0c739ac4dde6
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: July 31, 2024, 15:49:08
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
installer
netreactor
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

1872229E6B90011742E0669504CC15A3

SHA1:

B4C889186A7CC1D94B5BB42229AD840EAA0E21E2

SHA256:

E1777C300861BFD8BC925D9FFF949A62257FAC1D3BDBD06325A534692AAB3762

SSDEEP:

98304:Arq3BdwsHnu6hFZVv+ffCnVf9ZXLCYJrXHWaLX1bukwNLLTD4V+U12ThpMQVKzhW:SrfvVJzCfthkOAlNdyJwfinfe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • wrsetup.exe (PID: 6444)
    • Scans artifacts that could help determine the target

      • wrsetup.tmp (PID: 6560)
    • Actions look like stealing of personal data

      • winrgr.exe (PID: 7108)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • wrsetup.exe (PID: 6444)
      • wrsetup.exe (PID: 6536)
      • wrsetup.tmp (PID: 6560)
      • csc.exe (PID: 8028)
      • csc.exe (PID: 6288)
      • csc.exe (PID: 4592)
      • csc.exe (PID: 5032)
      • csc.exe (PID: 8552)
      • csc.exe (PID: 8584)
    • Reads security settings of Internet Explorer

      • wrsetup.tmp (PID: 6464)
      • wrsetup.tmp (PID: 6560)
      • winrgr.exe (PID: 7108)
    • Reads the date of Windows installation

      • wrsetup.tmp (PID: 6464)
      • wrsetup.tmp (PID: 6560)
    • Reads the Windows owner or organization settings

      • wrsetup.tmp (PID: 6560)
    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 6596)
    • Uses TASKKILL.EXE to kill process

      • wrsetup.tmp (PID: 6560)
    • Executes as Windows Service

      • PresentationFontCache.exe (PID: 7360)
      • VSSVC.exe (PID: 7908)
    • Checks Windows Trust Settings

      • wrsetup.tmp (PID: 6560)
      • winrgr.exe (PID: 7108)
    • Starts POWERSHELL.EXE for commands execution

      • winrgr.exe (PID: 7108)
      • powershell.exe (PID: 6316)
    • Writes to the desktop.ini file (may be used to cloak folders)

      • winrgr.exe (PID: 7108)
    • Detected use of alternative data streams (AltDS)

      • powershell.exe (PID: 6316)
    • Application launched itself

      • powershell.exe (PID: 6316)
    • Reads browser cookies

      • winrgr.exe (PID: 7108)
    • Searches for installed software

      • dllhost.exe (PID: 8044)
  • INFO

    • Creates files in a temporary directory

      • wrsetup.exe (PID: 6444)
      • wrsetup.exe (PID: 6536)
      • wrsetup.tmp (PID: 6560)
      • winrgr.exe (PID: 7108)
      • csc.exe (PID: 8028)
      • cvtres.exe (PID: 6336)
      • csc.exe (PID: 6288)
      • cvtres.exe (PID: 3268)
      • csc.exe (PID: 4592)
      • cvtres.exe (PID: 8072)
      • csc.exe (PID: 5032)
      • cvtres.exe (PID: 8060)
    • Reads Environment values

      • wrsetup.exe (PID: 6444)
      • wrsetup.tmp (PID: 6464)
      • wrsetup.exe (PID: 6536)
      • wrsetup.tmp (PID: 6560)
      • winrgr.exe (PID: 7108)
      • identity_helper.exe (PID: 7516)
    • Checks supported languages

      • wrsetup.exe (PID: 6444)
      • wrsetup.tmp (PID: 6464)
      • wrsetup.exe (PID: 6536)
      • wrsetup.tmp (PID: 6560)
      • PresentationFontCache.exe (PID: 7360)
      • winrgr.exe (PID: 7108)
      • identity_helper.exe (PID: 7516)
      • csc.exe (PID: 8028)
      • csc.exe (PID: 6288)
      • cvtres.exe (PID: 3268)
      • csc.exe (PID: 4592)
      • cvtres.exe (PID: 6336)
      • csc.exe (PID: 5032)
      • cvtres.exe (PID: 8072)
      • cvtres.exe (PID: 8060)
    • Reads the computer name

      • wrsetup.tmp (PID: 6464)
      • wrsetup.exe (PID: 6536)
      • wrsetup.tmp (PID: 6560)
      • winrgr.exe (PID: 7108)
      • PresentationFontCache.exe (PID: 7360)
      • identity_helper.exe (PID: 7516)
    • Process checks computer location settings

      • wrsetup.tmp (PID: 6464)
      • wrsetup.tmp (PID: 6560)
    • Reads the machine GUID from the registry

      • wrsetup.tmp (PID: 6560)
      • winrgr.exe (PID: 7108)
      • PresentationFontCache.exe (PID: 7360)
      • csc.exe (PID: 8028)
      • csc.exe (PID: 6288)
      • cvtres.exe (PID: 3268)
      • csc.exe (PID: 4592)
      • cvtres.exe (PID: 8072)
      • cvtres.exe (PID: 6336)
      • cvtres.exe (PID: 8060)
      • csc.exe (PID: 5032)
    • Reads the software policy settings

      • wrsetup.tmp (PID: 6560)
      • winrgr.exe (PID: 7108)
    • Creates files or folders in the user directory

      • wrsetup.tmp (PID: 6560)
      • winrgr.exe (PID: 7108)
    • Creates a software uninstall entry

      • wrsetup.tmp (PID: 6560)
    • Creates files in the program directory

      • wrsetup.tmp (PID: 6560)
      • winrgr.exe (PID: 7108)
    • Checks proxy server information

      • winrgr.exe (PID: 7108)
      • wrsetup.tmp (PID: 6560)
    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 6152)
      • winrgr.exe (PID: 7108)
      • msedge.exe (PID: 6052)
    • Application launched itself

      • msedge.exe (PID: 6152)
      • msedge.exe (PID: 6052)
    • Manual execution by a user

      • msedge.exe (PID: 6052)
    • .NET Reactor protector has been detected

      • winrgr.exe (PID: 7108)
    • Reads product name

      • winrgr.exe (PID: 7108)
    • Disables trace logs

      • winrgr.exe (PID: 7108)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:06:10 14:47:11+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 685056
InitializedDataSize: 243712
UninitializedDataSize: -
EntryPoint: 0xa83bc
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.18
ProductVersionNumber: 1.0.0.18
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Bit Guardian GmbH
FileDescription: Win Riser Setup
FileVersion: 1.0.0.18
LegalCopyright: Copyright © 2019 Bit Guardian GmbH
OriginalFileName:
ProductName: Win Riser
ProductVersion: 1.0.0.18
No data.
All screenshots are available in the full report
Total processes
207
Monitored processes
70
Malicious processes
7
Suspicious processes
0

Behavior graph


Process information

PID
CMD
Path
Indicators
Parent process
PID:
1488
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6756 --field-trial-handle=2192,i,11531265277920508005,6451936075790581953,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2088
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x314,0x318,0x31c,0x30c,0x324,0x7fffcda25fd8,0x7fffcda25fe4,0x7fffcda25ff0
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
2468
CMD:
C:\WINDOWS\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
Path:
C:\Windows\System32\dllhost.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID:
3268
CMD:
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESC550.tmp" "c:\Users\admin\AppData\Local\Temp\CSCC54F.tmp"
Path:
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
Parent process:
csc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
8.00.50727.9672 (WinRelRS6.050727-9100)
Modules
Images
c:\windows\microsoft.net\framework64\v2.0.50727\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
4592
CMD:
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\pi6gve3x.cmdline"
Path:
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
Parent process:
winrgr.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
8.0.50727.9149 (WinRelRS6.050727-9100)
Modules
Images
c:\windows\microsoft.net\framework64\v2.0.50727\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\gdi32.dll
PID:
5032
CMD:
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\nxcu7k5x.cmdline"
Path:
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
Parent process:
winrgr.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
8.0.50727.9149 (WinRelRS6.050727-9100)
Modules
Images
c:\windows\microsoft.net\framework64\v2.0.50727\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\windows\system32\gdi32.dll
PID:
5136
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7068 --field-trial-handle=2192,i,11531265277920508005,6451936075790581953,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
5992
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3788 --field-trial-handle=2192,i,11531265277920508005,6451936075790581953,262144 --variations-seed-version /prefetch:1
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
6052
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --do-not-de-elevate --single-argument http://www.winriser.com/inw/install/win-riser/?utm_source=winrsrdft&utm_campaign=winrsrdft&utm_medium=winrsrdft&utm_pubid=&p=win5896_win5756_runt&bs=&ctx=&at=&msclkid=&gclid=&ud=-822675629621762678&xip=138.199.36.190&xdt=31-07-2024+15%3a49%3a30&ftc=0&acttype=1&productid=178
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
6152
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.winriser.com/inw/install/win-riser/?utm_source=winrsrdft&utm_campaign=winrsrdft&utm_medium=winrsrdft&utm_pubid=&p=win5896_win5756_runt&bs=&ctx=&at=&msclkid=&gclid=&ud=-822675629621762678&xip=138.199.36.190&xdt=31-07-2024+15%3a49%3a30&ftc=0&acttype=1&productid=178
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
winrgr.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
1
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
Total events
46 623
Read events
46 291
Write events
310
Delete events
22

Modification events

(PID) Process: (6560) wrsetup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: A019000066BCFF3561E3DA01

(PID) Process: (6560) wrsetup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: 3B2E86BC577E353C556E051843BEDD3A933D2168DAC5EAF5C1B300FFA3C0A02B

(PID) Process: (6560) wrsetup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

(PID) Process: (6560) wrsetup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (6560) wrsetup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (6560) wrsetup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (6560) wrsetup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (6560) wrsetup.tmp
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation: delete value
Name: PendingFileRenameOperations
Value:

(PID) Process: (6560) wrsetup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (6560) wrsetup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:
Executable files
73
Suspicious files
166
Text files
124
Unknown types
36

Dropped files

PID: 6560
Process: wrsetup.tmp
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656
Type: binary
MD5: 7B320F925F111ED133841CFA2328E38F
SHA256:

PID: 6536
Process: wrsetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-1QV6R.tmp\wrsetup.tmp
Type: executable
MD5: 72B3171753CC4E0FADE36968DFACA035
SHA256: 75985218D65B35B05905E8B85A0C49CBE4D7A5A23203C09A0C7960A7B7C76A1F

PID: 6560
Process: wrsetup.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-EHLSL.tmp\WinRiserAPI.dll
Type: executable
MD5: 6D42EA20CD52CC87E4692C4325B151AE
SHA256: 9A0D6462884C9B34621DE5BD2B587F7C156F4E5F8C8FD6AC09F9A775D84AC2A3

PID: 6560
Process: wrsetup.tmp
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\english_promoapps[1].xml
Type: html
MD5: 70DB37B3FA1DA7F7B12F59D2739AE768
SHA256: C061268C15D2F0D189F33C553B604174ABA89EB08DC018387F0F5CDFB76740CC

PID: 6560
Process: wrsetup.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-EHLSL.tmp\jsonconfig.dll
Type: executable
MD5: 512F9298DAA0AF8CEB045045AA823837
SHA256: E7741760520E99E698FBE7AE519EE87FF319636033D95DB650D9AD168BFCF725

PID: 6560
Process: wrsetup.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-EHLSL.tmp\_isetup\_setup64.tmp
Type: executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

PID: 6560
Process: wrsetup.tmp
Filename: C:\Users\admin\AppData\Roaming\Apps424\promoapps.xml
Type: html
MD5: 70DB37B3FA1DA7F7B12F59D2739AE768
SHA256: C061268C15D2F0D189F33C553B604174ABA89EB08DC018387F0F5CDFB76740CC

PID: 6444
Process: wrsetup.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-I39OR.tmp\wrsetup.tmp
Type: executable
MD5: 72B3171753CC4E0FADE36968DFACA035
SHA256: 75985218D65B35B05905E8B85A0C49CBE4D7A5A23203C09A0C7960A7B7C76A1F

PID: 6560
Process: wrsetup.tmp
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656
Type: der
MD5: 56E5BECC9A78F9EA6E4FF75DCAA8DCC7
SHA256:

PID: 6560
Process: wrsetup.tmp
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517
Type: binary
MD5: 3CD7A75E15B847C7BE2F7FC8E2D50DD4
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
17
TCP/UDP connections
129
DNS requests
146
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6560
wrsetup.tmp
GET
200
18.245.39.64:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkzUBtJnwJkc3SmanzgxeYU%3D
unknown
unknown
6560
wrsetup.tmp
GET
200
18.245.39.64:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkpLy9ROx7U76vGUhC06D6E%3D
unknown
unknown
6560
wrsetup.tmp
GET
403
18.245.31.84:80
http://wgip.winriser.com/winrsr/138_199_36_190.txt
unknown
unknown
6560
wrsetup.tmp
GET
200
18.245.65.219:80
http://ocsp.r2m03.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQqHI%2BsdmapawQncL1rpCEZZ8gTSAQUVdkYX9IczAHhWLS%2Bq9lVQgHXLgICEAxQldEE1Uw8Jq%2Fl%2FfsRvMA%3D
unknown
unknown
6560
wrsetup.tmp
POST
200
191.101.166.8:80
http://evntr.winriser.com/tracker.svc/tkistlrof
unknown
unknown
6560
wrsetup.tmp
GET
200
154.27.69.89:80
http://cf.winriser.com/productprice.svc/gtipinfo
unknown
unknown
7108
winrgr.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAeEPa0BwRXCdO5BpygiRnk%3D
unknown
whitelisted
7108
winrgr.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTaNXNmTHzbP9V65Wk2FQENGUmtZwQUyfwQ71DIy2t%2FvQhE7zpik%2B1bXpoCEAycMm7sE3KeDd17LH4VI84%3D
unknown
whitelisted
7108
winrgr.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
whitelisted
5484
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4780
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
3036
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
2120
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
3888
svchost.exe
239.255.255.250:1900
unknown
4
System
192.168.100.255:138
unknown
6560
wrsetup.tmp
13.35.58.47:443
cdn.winriser.com
US
unknown
6560
wrsetup.tmp
18.245.39.64:80
ocsp.rootca1.amazontrust.com
US
unknown
6560
wrsetup.tmp
154.27.69.89:80
cf.winriser.com
CLOUD-SOUTH
US
unknown
6560
wrsetup.tmp
18.245.31.84:443
wgip.winriser.com
US
unknown
6560
wrsetup.tmp
18.245.65.219:80
ocsp.r2m03.amazontrust.com
US
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
unknown
google.com
  • 142.250.184.206
unknown
cdn.winriser.com
  • 13.35.58.47
  • 13.35.58.128
  • 13.35.58.105
  • 13.35.58.74
unknown
ocsp.rootca1.amazontrust.com
  • 18.245.39.64
unknown
cf.winriser.com
  • 154.27.69.89
unknown
wgip.winriser.com
  • 18.245.31.84
  • 18.245.31.9
  • 18.245.31.17
  • 18.245.31.43
unknown
ocsp.r2m03.amazontrust.com
  • 18.245.65.219
unknown
evntr.winriser.com
  • 191.101.166.8
unknown
ocsp.digicert.com
  • 192.229.221.95
unknown
www.bing.com
  • 104.126.37.130
  • 104.126.37.160
  • 104.126.37.131
  • 104.126.37.186
  • 104.126.37.155
  • 104.126.37.162
  • 104.126.37.170
  • 104.126.37.128
  • 104.126.37.171
  • 2.23.209.185
  • 2.23.209.179
  • 2.23.209.176
  • 2.23.209.182
  • 2.23.209.156
  • 2.23.209.187
  • 2.23.209.160
  • 2.23.209.158
  • 2.23.209.183
unknown

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query for .cc TLD
Potentially Bad Traffic
ET DNS Query for .cc TLD
Process
Message
winrgr.exe
31-07-2024-03:49:34::C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Win Riser\Buy Win Riser.lnk
winrgr.exe
31-07-2024-03:49:34::Install Date: 7/31/2024 3:49:34 PM
winrgr.exe
31-07-2024-03:49:34::Register Date: 1/1/0001 12:00:00 AM
winrgr.exe
31-07-2024-03:49:35::before firing url as silent build :
winrgr.exe
31-07-2024-03:49:35::firing url as silent build : http://www.winriser.com/inw/install/win-riser/?
winrgr.exe
Native library pre-loader is trying to load native SQLite library "C:\Program Files\Win Riser\x64\SQLite.Interop.dll"...
winrgr.exe
31-07-2024-03:49:40::DriverClassLibrary|RefreshDrivers|Started
winrgr.exe
31-07-2024-03:49:41::DriverClassLibrary|RefreshDrivers|Success
winrgr.exe
NOT FOUND IN DB : IDS_SUF_MB
winrgr.exe
NOT FOUND IN DB : IDS_SUF_MB