File name:

wrsetup.exe

Full analysis: https://app.any.run/tasks/aa7e21f1-a252-42c5-b1ac-65942bfa07ae
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: July 26, 2024, 13:51:08
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
installer
netreactor
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

1872229E6B90011742E0669504CC15A3

SHA1:

B4C889186A7CC1D94B5BB42229AD840EAA0E21E2

SHA256:

E1777C300861BFD8BC925D9FFF949A62257FAC1D3BDBD06325A534692AAB3762

SSDEEP:

98304:Arq3BdwsHnu6hFZVv+ffCnVf9ZXLCYJrXHWaLX1bukwNLLTD4V+U12ThpMQVKzhW:SrfvVJzCfthkOAlNdyJwfinfe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • wrsetup.exe (PID: 6468)
      • wrsetup.exe (PID: 4632)
      • wrsetup.tmp (PID: 2112)
      • csc.exe (PID: 8092)
      • csc.exe (PID: 8364)
      • csc.exe (PID: 8492)
      • csc.exe (PID: 8680)

    • Scans artifacts that could help determine the target

      • wrsetup.tmp (PID: 2112)

    • Actions looks like stealing of personal data

      • winrgr.exe (PID: 3112)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • wrsetup.exe (PID: 6468)
      • wrsetup.exe (PID: 4632)
      • wrsetup.tmp (PID: 2112)
      • csc.exe (PID: 8092)
      • csc.exe (PID: 8492)
      • csc.exe (PID: 8364)
      • csc.exe (PID: 8680)

    • Reads security settings of Internet Explorer

      • wrsetup.tmp (PID: 5624)
      • wrsetup.tmp (PID: 2112)
      • winrgr.exe (PID: 3112)

    • Reads the date of Windows installation

      • wrsetup.tmp (PID: 5624)
      • wrsetup.tmp (PID: 2112)

    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 720)

    • Uses TASKKILL.EXE to kill process

      • wrsetup.tmp (PID: 2112)

    • Checks Windows Trust Settings

      • wrsetup.tmp (PID: 2112)
      • winrgr.exe (PID: 3112)

    • Process drops legitimate windows executable

      • wrsetup.tmp (PID: 2112)

    • The process drops C-runtime libraries

      • wrsetup.tmp (PID: 2112)

    • Reads the Windows owner or organization settings

      • wrsetup.tmp (PID: 2112)

    • Drops 7-zip archiver for unpacking

      • wrsetup.tmp (PID: 2112)

    • Write to the desktop.ini file (may be used to cloak folders)

      • winrgr.exe (PID: 3112)

    • Executes as Windows Service

      • VSSVC.exe (PID: 2736)
      • PresentationFontCache.exe (PID: 7476)

    • Starts POWERSHELL.EXE for commands execution

      • winrgr.exe (PID: 3112)
      • powershell.exe (PID: 8104)

    • Detected use of alternative data streams (AltDS)

      • powershell.exe (PID: 8104)

    • Application launched itself

      • powershell.exe (PID: 8104)

    • Reads browser cookies

      • winrgr.exe (PID: 3112)

  • INFO

    • Checks supported languages

      • wrsetup.tmp (PID: 5624)
      • wrsetup.exe (PID: 6468)
      • wrsetup.exe (PID: 4632)
      • wrsetup.tmp (PID: 2112)
      • identity_helper.exe (PID: 7928)
      • csc.exe (PID: 8092)
      • winrgr.exe (PID: 3112)
      • csc.exe (PID: 8364)
      • cvtres.exe (PID: 8420)
      • cvtres.exe (PID: 8336)
      • csc.exe (PID: 8680)
      • cvtres.exe (PID: 8728)
      • csc.exe (PID: 8492)
      • cvtres.exe (PID: 8540)
      • PresentationFontCache.exe (PID: 7476)

    • Reads Environment values

      • wrsetup.tmp (PID: 5624)
      • wrsetup.exe (PID: 6468)
      • wrsetup.exe (PID: 4632)
      • wrsetup.tmp (PID: 2112)
      • winrgr.exe (PID: 3112)
      • identity_helper.exe (PID: 7928)

    • Create files in a temporary directory

      • wrsetup.exe (PID: 6468)
      • wrsetup.exe (PID: 4632)
      • wrsetup.tmp (PID: 2112)
      • winrgr.exe (PID: 3112)
      • csc.exe (PID: 8092)
      • cvtres.exe (PID: 8336)
      • csc.exe (PID: 8364)
      • cvtres.exe (PID: 8420)
      • csc.exe (PID: 8680)
      • csc.exe (PID: 8492)
      • cvtres.exe (PID: 8540)
      • cvtres.exe (PID: 8728)

    • Reads the computer name

      • wrsetup.tmp (PID: 5624)
      • wrsetup.exe (PID: 4632)
      • wrsetup.tmp (PID: 2112)
      • winrgr.exe (PID: 3112)
      • identity_helper.exe (PID: 7928)
      • PresentationFontCache.exe (PID: 7476)

    • Process checks computer location settings

      • wrsetup.tmp (PID: 5624)
      • wrsetup.tmp (PID: 2112)

    • Checks proxy server information

      • wrsetup.tmp (PID: 2112)
      • winrgr.exe (PID: 3112)

    • Reads the machine GUID from the registry

      • wrsetup.tmp (PID: 2112)
      • winrgr.exe (PID: 3112)
      • csc.exe (PID: 8092)
      • cvtres.exe (PID: 8336)
      • csc.exe (PID: 8364)
      • csc.exe (PID: 8680)
      • cvtres.exe (PID: 8420)
      • csc.exe (PID: 8492)
      • cvtres.exe (PID: 8540)
      • cvtres.exe (PID: 8728)
      • PresentationFontCache.exe (PID: 7476)

    • Reads the software policy settings

      • wrsetup.tmp (PID: 2112)
      • winrgr.exe (PID: 3112)

    • Creates files in the program directory

      • wrsetup.tmp (PID: 2112)
      • winrgr.exe (PID: 3112)

    • Creates files or folders in the user directory

      • wrsetup.tmp (PID: 2112)
      • winrgr.exe (PID: 3112)

    • Reads Microsoft Office registry keys

      • winrgr.exe (PID: 3112)
      • msedge.exe (PID: 1296)
      • msedge.exe (PID: 5836)

    • Application launched itself

      • msedge.exe (PID: 1296)
      • msedge.exe (PID: 5836)

    • Manual execution by a user

      • msedge.exe (PID: 5836)

    • Creates a software uninstall entry

      • wrsetup.tmp (PID: 2112)

    • Reads product name

      • winrgr.exe (PID: 3112)

    • .NET Reactor protector has been detected

      • winrgr.exe (PID: 3112)

    • Disables trace logs

      • winrgr.exe (PID: 3112)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:06:10 14:47:11+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 685056
InitializedDataSize: 243712
UninitializedDataSize: -
EntryPoint: 0xa83bc
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.18
ProductVersionNumber: 1.0.0.18
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Bit Guardian GmbH
FileDescription: Win Riser Setup
FileVersion: 1.0.0.18
LegalCopyright: Copyright © 2019 Bit Guardian GmbH
OriginalFileName:
ProductName: Win Riser
ProductVersion: 1.0.0.18
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
201
Monitored processes
61
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wrsetup.exe wrsetup.tmp no specs wrsetup.exe wrsetup.tmp schtasks.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs slui.exe no specs THREAT winrgr.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs presentationfontcache.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs SPPSurrogate no specs vssvc.exe no specs powershell.exe no specs csc.exe conhost.exe no specs conhost.exe no specs cvtres.exe no specs csc.exe conhost.exe no specs cvtres.exe no specs csc.exe conhost.exe no specs cvtres.exe no specs powershell.exe no specs csc.exe conhost.exe no specs cvtres.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs SPPSurrogate no specs

Process information

PID
CMD
Path
Indicators
Parent process
528"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2472 --field-trial-handle=2476,i,2458615041855297694,5584626942618492909,262144 --variations-seed-version /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\user32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptbase.dll
720"C:\Windows\System32\schtasks.exe" /delete /tn "Win Riser_launcher" /fC:\Windows\SysWOW64\schtasks.exewrsetup.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
812"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x290,0x294,0x298,0x1e0,0x2a0,0x7ffef7fc5fd8,0x7ffef7fc5fe4,0x7ffef7fc5ff0C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
1296"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.winriser.com/inw/install/win-riser/?utm_source=winrsrdft&utm_campaign=winrsrdft&utm_medium=winrsrdft&utm_pubid=&p=win5896_win5756_runt&bs=&ctx=&at=&msclkid=&gclid=&ud=7241898940096849334&xip=84.17.49.16&xdt=26-07-2024+13%3a51%3a45&ftc=0&acttype=1&productid=178C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exewinrgr.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\windows\system32\ntmarta.dll
c:\windows\system32\windows.internal.ui.shell.windowtabmanager.dll
c:\windows\system32\usermgrcli.dll
c:\windows\system32\sxs.dll
2112"C:\Users\admin\AppData\Local\Temp\is-PTRU8.tmp\wrsetup.tmp" /SL5="$17041A,11097109,929792,C:\Users\admin\AppData\Local\Temp\wrsetup.exe" /SPAWNWND=$1C01FA /NOTIFYWND=$1003C2 C:\Users\admin\AppData\Local\Temp\is-PTRU8.tmp\wrsetup.tmp
wrsetup.exe
User:
admin
Company:
Bit Guardian GmbH
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-ptru8.tmp\wrsetup.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
2380\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeschtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2736C:\WINDOWS\system32\vssvc.exeC:\Windows\System32\VSSVC.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
3112"C:\Program Files\Win Riser\winrgr.exe" flaunchC:\Program Files\Win Riser\winrgr.exe
wrsetup.tmp
User:
admin
Company:
Bit Guardian
Integrity Level:
HIGH
Description:
Win Riser
Version:
1.0.0.18
Modules
Images
c:\program files\win riser\winrgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3168"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2684 --field-trial-handle=2476,i,2458615041855297694,5584626942618492909,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
3848"C:\Windows\System32\taskkill.exe" /f /im "winrgr.exe"C:\Windows\SysWOW64\taskkill.exewrsetup.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
7 597
Read events
7 555
Write events
41
Delete events
1

Modification events

(PID) Process:(2112) wrsetup.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:writeName:Owner
Value:
400800008E9E1BE362DFDA01
(PID) Process:(2112) wrsetup.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:writeName:SessionHash
Value:
F4330C794A0A3AD1BEAEC7213968548C06131A48650B08CA9587E02322C3F007
(PID) Process:(2112) wrsetup.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:writeName:Sequence
Value:
1
(PID) Process:(2112) wrsetup.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2112) wrsetup.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2112) wrsetup.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2112) wrsetup.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(2112) wrsetup.tmpKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation:delete valueName:PendingFileRenameOperations
Value:
(PID) Process:(2112) wrsetup.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2112) wrsetup.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
Executable files
71
Suspicious files
88
Text files
91
Unknown types
19

Dropped files

PID
Process
Filename
Type
2112wrsetup.tmpC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\english_promoapps[1].xmlhtml
MD5:921399FC5C8729CFDC645A3AF15869FB
SHA256:AAE2929AF92300BD65AC664AE40739722359E3D7EB03B3F1502ED9A91140A746
2112wrsetup.tmpC:\Users\admin\AppData\Local\Temp\is-O9MPC.tmp\_isetup\_setup64.tmpexecutable
MD5:E4211D6D009757C078A9FAC7FF4F03D4
SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
2112wrsetup.tmpC:\Users\admin\AppData\Local\Temp\is-O9MPC.tmp\jsonconfig.dllexecutable
MD5:512F9298DAA0AF8CEB045045AA823837
SHA256:E7741760520E99E698FBE7AE519EE87FF319636033D95DB650D9AD168BFCF725
4632wrsetup.exeC:\Users\admin\AppData\Local\Temp\is-PTRU8.tmp\wrsetup.tmpexecutable
MD5:72B3171753CC4E0FADE36968DFACA035
SHA256:75985218D65B35B05905E8B85A0C49CBE4D7A5A23203C09A0C7960A7B7C76A1F
2112wrsetup.tmpC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\83D863F495E7D991917B3ABB3E1EB382_E1043C9FB23D2ECEBB20C59BC9422904der
MD5:5815316A0B4D9C6BE8D21EB2F00D3B7D
SHA256:CAC0A715D8241235395C520CF7C194BD96A0CC2EDCFF86587CB5EBCEB7000A9E
2112wrsetup.tmpC:\Users\admin\AppData\Local\Temp\is-O9MPC.tmp\finish.bmpimage
MD5:337ADAD59D5FEBA3A07056FAE5AC29A5
SHA256:7251174D4BE1CBB8B8B43A27980FFBDAD267C8AA8A1F2369E751AEB7D1657FB7
2112wrsetup.tmpC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517der
MD5:84E86168161FB3AD79DC88540FFEF19D
SHA256:DFC0E5ED3AC9D6E78517369C8F16FA0FA8A61FA9A77371B05A3B2F6AEE60B09F
2112wrsetup.tmpC:\Program Files\Win Riser\is-ORQCL.tmpexecutable
MD5:72B3171753CC4E0FADE36968DFACA035
SHA256:75985218D65B35B05905E8B85A0C49CBE4D7A5A23203C09A0C7960A7B7C76A1F
2112wrsetup.tmpC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656binary
MD5:77504E0E8D9E6892665A57D66E901D09
SHA256:E00E87FA4E6622B0614F7E6DBD32892509344EA1652DA4CB1B5B752F81D18C0A
2112wrsetup.tmpC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656der
MD5:3D710A4C9537C6F3338BF8AFBF4F2320
SHA256:D0CE5E9A4DC7F755815393ABA7BC46828AB0CBA71E893A2CA55EDAB468DBB73B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
126
DNS requests
96
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2112
wrsetup.tmp
GET
200
18.245.39.64:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkpLy9ROx7U76vGUhC06D6E%3D
unknown
unknown
4424
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
3676
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
4132
OfficeClickToRun.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
whitelisted
2112
wrsetup.tmp
GET
200
18.238.246.206:80
http://ocsp.r2m03.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQqHI%2BsdmapawQncL1rpCEZZ8gTSAQUVdkYX9IczAHhWLS%2Bq9lVQgHXLgICEAxQldEE1Uw8Jq%2Fl%2FfsRvMA%3D
unknown
unknown
5368
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
whitelisted
2112
wrsetup.tmp
POST
200
191.101.166.8:80
http://evntr.winriser.com/tracker.svc/tkistlrof
unknown
unknown
4632
msedge.exe
GET
301
154.27.69.89:80
http://www.winriser.com/inw/install/win-riser/?utm_source=winrsrdft&utm_campaign=winrsrdft&utm_medium=winrsrdft&utm_pubid=&p=win5896_win5756_runt&bs=&ctx=&at=&msclkid=&gclid=&ud=7241898940096849334&xip=84.17.49.16&xdt=26-07-2024+13%3a51%3a45&ftc=0&acttype=1&productid=178
unknown
unknown
3112
winrgr.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAeEPa0BwRXCdO5BpygiRnk%3D
unknown
whitelisted
2112
wrsetup.tmp
GET
200
154.27.69.89:80
http://cf.winriser.com/productprice.svc/gtipinfo
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
996
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6012
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
131.253.33.254:443
a-ring-fallback.msedge.net
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
92.122.215.2:443
www.bing.com
Akamai International B.V.
DE
unknown
2988
slui.exe
40.91.76.224:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
1516
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1328
slui.exe
40.91.76.224:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3952
svchost.exe
239.255.255.250:1900
whitelisted
2112
wrsetup.tmp
13.35.58.74:443
cdn.winriser.com
US
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
  • 40.127.240.158
  • 4.231.128.59
whitelisted
t-ring-fdv2.msedge.net
  • 13.107.237.254
unknown
a-ring-fallback.msedge.net
  • 131.253.33.254
unknown
www.bing.com
  • 92.122.215.2
  • 92.122.215.55
  • 92.122.215.52
  • 92.122.215.3
  • 92.122.215.56
  • 92.122.215.74
  • 92.122.215.54
  • 92.122.215.57
  • 92.122.215.93
  • 92.122.215.98
  • 92.122.215.96
  • 92.122.215.95
  • 2.23.209.161
  • 2.23.209.177
  • 2.23.209.158
  • 2.23.209.187
  • 2.23.209.176
  • 2.23.209.193
  • 2.23.209.130
  • 2.23.209.148
  • 2.23.209.150
whitelisted
google.com
  • 142.250.186.78
whitelisted
cdn.winriser.com
  • 13.35.58.74
  • 13.35.58.128
  • 13.35.58.47
  • 13.35.58.105
unknown
ocsp.rootca1.amazontrust.com
  • 18.245.39.64
shared
cf.winriser.com
  • 154.27.69.89
unknown
wgip.winriser.com
  • 18.245.31.84
  • 18.245.31.17
  • 18.245.31.9
  • 18.245.31.43
unknown
fp-afd-nocache-ccp.azureedge.net
  • 13.107.246.60
whitelisted

Threats

No threats detected
Process
Message
winrgr.exe
26-07-2024-01:51:54::C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Win Riser\Buy Win Riser.lnk
winrgr.exe
26-07-2024-01:51:55::Install Date: 7/26/2024 1:51:54 PM
winrgr.exe
26-07-2024-01:51:55::Register Date: 1/1/0001 12:00:00 AM
winrgr.exe
26-07-2024-01:51:55::before firing url as silent build :
winrgr.exe
26-07-2024-01:51:55::firing url as silent build : http://www.winriser.com/inw/install/win-riser/?
winrgr.exe
Native library pre-loader is trying to load native SQLite library "C:\Program Files\Win Riser\x64\SQLite.Interop.dll"...
winrgr.exe
26-07-2024-01:51:59::DriverClassLibrary|RefreshDrivers|Started
winrgr.exe
26-07-2024-01:52:00::DriverClassLibrary|RefreshDrivers|Success
winrgr.exe
NOT FOUND IN DB : IDS_SUF_MB
winrgr.exe
NOT FOUND IN DB : IDS_SUF_MB
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
wrsetup.exe