File name: wrsetup.exe
Full analysis: https://app.any.run/tasks/aa7e21f1-a252-42c5-b1ac-65942bfa07ae
Verdict: Malicious activity
Threats:

Stealers are a class of malware designed to gain unauthorized access to users' information and exfiltrate it to the attacker. The category covers programs that each target a particular kind of data, such as files, passwords, and cryptocurrency wallets. Stealers can also spy on their targets by logging keystrokes and taking screenshots. This type of malware is distributed primarily through phishing campaigns.

Analysis date: July 26, 2024, 13:51:08
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
installer
netreactor
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 1872229E6B90011742E0669504CC15A3
SHA1: B4C889186A7CC1D94B5BB42229AD840EAA0E21E2
SHA256: E1777C300861BFD8BC925D9FFF949A62257FAC1D3BDBD06325A534692AAB3762
SSDEEP: 98304:Arq3BdwsHnu6hFZVv+ffCnVf9ZXLCYJrXHWaLX1bukwNLLTD4V+U12ThpMQVKzhW:SrfvVJzCfthkOAlNdyJwfinfe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • wrsetup.exe (PID: 6468)
      • wrsetup.exe (PID: 4632)
      • wrsetup.tmp (PID: 2112)
      • csc.exe (PID: 8092)
      • csc.exe (PID: 8364)
      • csc.exe (PID: 8492)
      • csc.exe (PID: 8680)
    • Scans artifacts that could help determine the target

      • wrsetup.tmp (PID: 2112)
    • Actions look like stealing of personal data

      • winrgr.exe (PID: 3112)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • wrsetup.tmp (PID: 5624)
      • wrsetup.tmp (PID: 2112)
      • winrgr.exe (PID: 3112)
    • Executable content was dropped or overwritten

      • wrsetup.exe (PID: 6468)
      • wrsetup.exe (PID: 4632)
      • wrsetup.tmp (PID: 2112)
      • csc.exe (PID: 8364)
      • csc.exe (PID: 8092)
      • csc.exe (PID: 8492)
      • csc.exe (PID: 8680)
    • Reads the date of Windows installation

      • wrsetup.tmp (PID: 5624)
      • wrsetup.tmp (PID: 2112)
    • Reads the Windows owner or organization settings

      • wrsetup.tmp (PID: 2112)
    • Uses TASKKILL.EXE to kill process

      • wrsetup.tmp (PID: 2112)
    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 720)
    • Checks Windows Trust Settings

      • wrsetup.tmp (PID: 2112)
      • winrgr.exe (PID: 3112)
    • Process drops legitimate windows executable

      • wrsetup.tmp (PID: 2112)
    • The process drops C-runtime libraries

      • wrsetup.tmp (PID: 2112)
    • Drops 7-zip archiver for unpacking

      • wrsetup.tmp (PID: 2112)
    • Executes as Windows Service

      • PresentationFontCache.exe (PID: 7476)
      • VSSVC.exe (PID: 2736)
    • Write to the desktop.ini file (may be used to cloak folders)

      • winrgr.exe (PID: 3112)
    • Starts POWERSHELL.EXE for commands execution

      • winrgr.exe (PID: 3112)
      • powershell.exe (PID: 8104)
    • Detected use of alternative data streams (AltDS)

      • powershell.exe (PID: 8104)
    • Application launched itself

      • powershell.exe (PID: 8104)
    • Reads browser cookies

      • winrgr.exe (PID: 3112)
  • INFO

    • Reads Environment values

      • wrsetup.exe (PID: 6468)
      • wrsetup.tmp (PID: 5624)
      • wrsetup.exe (PID: 4632)
      • wrsetup.tmp (PID: 2112)
      • winrgr.exe (PID: 3112)
      • identity_helper.exe (PID: 7928)
    • Reads the computer name

      • wrsetup.tmp (PID: 5624)
      • wrsetup.exe (PID: 4632)
      • wrsetup.tmp (PID: 2112)
      • winrgr.exe (PID: 3112)
      • PresentationFontCache.exe (PID: 7476)
      • identity_helper.exe (PID: 7928)
    • Checks supported languages

      • wrsetup.exe (PID: 6468)
      • wrsetup.tmp (PID: 5624)
      • wrsetup.exe (PID: 4632)
      • wrsetup.tmp (PID: 2112)
      • winrgr.exe (PID: 3112)
      • PresentationFontCache.exe (PID: 7476)
      • csc.exe (PID: 8092)
      • identity_helper.exe (PID: 7928)
      • cvtres.exe (PID: 8336)
      • csc.exe (PID: 8364)
      • cvtres.exe (PID: 8420)
      • cvtres.exe (PID: 8540)
      • csc.exe (PID: 8492)
      • csc.exe (PID: 8680)
      • cvtres.exe (PID: 8728)
    • Create files in a temporary directory

      • wrsetup.exe (PID: 6468)
      • wrsetup.exe (PID: 4632)
      • wrsetup.tmp (PID: 2112)
      • winrgr.exe (PID: 3112)
      • cvtres.exe (PID: 8336)
      • cvtres.exe (PID: 8420)
      • csc.exe (PID: 8364)
      • csc.exe (PID: 8492)
      • csc.exe (PID: 8092)
      • csc.exe (PID: 8680)
      • cvtres.exe (PID: 8540)
      • cvtres.exe (PID: 8728)
    • Process checks computer location settings

      • wrsetup.tmp (PID: 5624)
      • wrsetup.tmp (PID: 2112)
    • Checks proxy server information

      • wrsetup.tmp (PID: 2112)
      • winrgr.exe (PID: 3112)
    • Reads the machine GUID from the registry

      • wrsetup.tmp (PID: 2112)
      • winrgr.exe (PID: 3112)
      • PresentationFontCache.exe (PID: 7476)
      • csc.exe (PID: 8092)
      • cvtres.exe (PID: 8336)
      • csc.exe (PID: 8364)
      • cvtres.exe (PID: 8420)
      • csc.exe (PID: 8492)
      • cvtres.exe (PID: 8540)
      • csc.exe (PID: 8680)
      • cvtres.exe (PID: 8728)
    • Reads the software policy settings

      • wrsetup.tmp (PID: 2112)
      • winrgr.exe (PID: 3112)
    • Creates files or folders in the user directory

      • wrsetup.tmp (PID: 2112)
      • winrgr.exe (PID: 3112)
    • Creates files in the program directory

      • winrgr.exe (PID: 3112)
      • wrsetup.tmp (PID: 2112)
    • Reads Microsoft Office registry keys

      • winrgr.exe (PID: 3112)
      • msedge.exe (PID: 1296)
      • msedge.exe (PID: 5836)
    • Application launched itself

      • msedge.exe (PID: 1296)
      • msedge.exe (PID: 5836)
    • Manual execution by a user

      • msedge.exe (PID: 5836)
    • Creates a software uninstall entry

      • wrsetup.tmp (PID: 2112)
    • Disables trace logs

      • winrgr.exe (PID: 3112)
    • .NET Reactor protector has been detected

      • winrgr.exe (PID: 3112)
    • Reads product name

      • winrgr.exe (PID: 3112)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
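The indicator list above reads naturally as a set of hunt rules: the installer (wrsetup.tmp) launching schtasks.exe and taskkill.exe, the payload (winrgr.exe) launching powershell.exe, csc.exe/cvtres.exe activity following powershell.exe (the pattern PowerShell's Add-Type produces when it compiles C# at run time), DNS and HTTP traffic to winriser.com subdomains, and the file hashes. The script below is an added example, not part of the ANY.RUN report or of the Win Riser software; it encodes those observations as rules and runs them over constructed Sysmon-style event records. The hashes, domains, command lines and the wrsetup.tmp/winrgr.exe parent-child pairs are taken from this report; the event records themselves, the hostname, and the powershell.exe to csc.exe parent link are assumptions (the report lists the csc.exe/cvtres.exe processes after powershell.exe but does not show their parent).

```python
"""Hunt rules derived from the ANY.RUN report for wrsetup.exe (Win Riser).

Added example, not code from ANY.RUN or Win Riser. IOC values are copied
from the report; SAMPLE_EVENTS are constructed Sysmon-style records.
"""
from collections import Counter

# File hashes listed in the report (wrsetup.exe and two dropped DLLs).
SHA256_IOCS = {
    "e1777c300861bfd8bc925d9fff949a62257fac1d3bdbd06325a534692aab3762": "wrsetup.exe",
    "9a0d6462884c9b34621de5bd2b587f7c156f4e5f8c8fd6ac09f9a775d84ac2a3": "WinRiserAPI.dll",
    "e7741760520e99e698fbe7ae519ee87ff319636033d95db650d9ad168bfcf725": "jsonconfig.dll",
}
# cf., wgip., cdn. and www. subdomains of this domain appear in the report.
DOMAIN_IOCS = {"winriser.com"}

INSTALLER = {"wrsetup.exe", "wrsetup.tmp"}   # Inno Setup stub and its unpacked .tmp
PAYLOAD = {"winrgr.exe"}                     # .NET Reactor-protected main binary
LOLBINS = {"schtasks.exe", "taskkill.exe", "powershell.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _domain_matches(host):
    host = host.lower().rstrip(".").split(":")[0]
    return any(host == d or host.endswith("." + d) for d in DOMAIN_IOCS)


def evaluate(event):
    """Return a list of (rule, detail) hits for one event dict."""
    hits = []
    digest = event.get("sha256", "").lower()
    if digest in SHA256_IOCS:
        hits.append(("known_hash", SHA256_IOCS[digest]))
    if event["type"] == "process_create":
        image = _basename(event["image"])
        parent = _basename(event["parent_image"])
        cmd = event.get("command_line", "")
        tokens = cmd.lower().split()
        if parent in INSTALLER | PAYLOAD and image in LOLBINS:
            hits.append(("lolbin_from_winriser", f"{parent} -> {image}: {cmd}"))
        # "Deletes scheduled task without confirmation" (schtasks /delete ... /f)
        if image == "schtasks.exe" and "/delete" in tokens and "/f" in tokens:
            hits.append(("schtasks_force_delete", cmd))
        # "Uses TASKKILL.EXE to kill process" (taskkill /f /im <image>)
        if image == "taskkill.exe" and "/im" in tokens:
            hits.append(("taskkill_by_image", cmd))
        # PowerShell compiling C# at run time: csc.exe/cvtres.exe children
        if parent == "powershell.exe" and image in {"csc.exe", "cvtres.exe"}:
            hits.append(("powershell_runtime_compile", f"{parent} -> {image}"))
    elif event["type"] == "dns_query" and _domain_matches(event["query"]):
        hits.append(("winriser_domain", event["query"]))
    elif event["type"] == "http_request":
        host = event["url"].split("//", 1)[-1].split("/", 1)[0]
        if _domain_matches(host):
            hits.append(("winriser_domain", event["url"]))
    return hits


def hunt(events):
    """Run every rule over every event; returns the flat list of hits."""
    return [hit for event in events for hit in evaluate(event)]


def summarize(hits):
    """Count hits per rule name."""
    return dict(Counter(rule for rule, _ in hits))


# Constructed sample telemetry (hypothetical host WS-017); command lines and
# parent/child pairs for the flagged processes mirror the report.
_TMP = r"C:\Users\admin\AppData\Local\Temp"
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "WS-017", "image": _TMP + r"\wrsetup.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": _TMP + r"\wrsetup.exe",
     "sha256": "E1777C300861BFD8BC925D9FFF949A62257FAC1D3BDBD06325A534692AAB3762"},
    {"type": "process_create", "host": "WS-017", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent_image": _TMP + r"\is-PTRU8.tmp\wrsetup.tmp",
     "command_line": r'"C:\Windows\System32\schtasks.exe" /delete /tn "Win Riser_launcher" /f'},
    {"type": "process_create", "host": "WS-017", "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "parent_image": _TMP + r"\is-PTRU8.tmp\wrsetup.tmp",
     "command_line": r'"C:\Windows\System32\taskkill.exe" /f /im "winrgr.exe"'},
    {"type": "process_create", "host": "WS-017", "image": _PS,
     "parent_image": r"C:\Program Files\Win Riser\winrgr.exe", "command_line": "powershell.exe"},
    # Assumed parent link: the report does not show who spawned csc.exe.
    {"type": "process_create", "host": "WS-017",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent_image": _PS, "command_line": "csc.exe /noconfig /fullpaths"},
    {"type": "http_request", "host": "WS-017", "url": "http://wgip.winriser.com/winrsr/84_17_49_16.txt"},
    {"type": "dns_query", "host": "WS-017", "query": "cdn.winriser.com"},
    {"type": "dns_query", "host": "WS-017", "query": "settings-win.data.microsoft.com"},  # benign
    {"type": "process_create", "host": "WS-017", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe"},       # benign
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:28} {detail}")
```

The domain rule deliberately matches the whole winriser.com zone rather than the four hostnames seen here, since the report shows the installer deriving URLs from run-time data (the wgip lookup is keyed by the sandbox's egress IP). The two benign records at the end produce no hits, which is the check worth keeping when tuning these rules against real telemetry.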
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:06:10 14:47:11+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 685056
InitializedDataSize: 243712
UninitializedDataSize: -
EntryPoint: 0xa83bc
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.18
ProductVersionNumber: 1.0.0.18
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Bit Guardian GmbH
FileDescription: Win Riser Setup
FileVersion: 1.0.0.18
LegalCopyright: Copyright © 2019 Bit Guardian GmbH
OriginalFileName:
ProductName: Win Riser
ProductVersion: 1.0.0.18
No data.
All screenshots are available in the full report
Total processes: 201
Monitored processes: 61
Malicious processes: 6
Suspicious processes: 0

Behavior graph

Process nodes in the order the graph lists them ("no specs" marks nodes with no flagged indicators; "THREAT" is the label shown on winrgr.exe):
  • start, wrsetup.exe, wrsetup.tmp (no specs), wrsetup.exe, wrsetup.tmp
  • schtasks.exe (no specs), conhost.exe (no specs), taskkill.exe (no specs), conhost.exe (no specs), slui.exe (no specs)
  • THREAT winrgr.exe
  • msedge.exe ×4 (no specs), msedge.exe, msedge.exe ×2 (no specs), msedge.exe, msedge.exe ×5 (no specs)
  • presentationfontcache.exe (no specs), msedge.exe ×2 (no specs), identity_helper.exe ×2 (no specs), msedge.exe ×8 (no specs), SPPSurrogate (no specs), vssvc.exe (no specs)
  • powershell.exe (no specs), csc.exe, conhost.exe ×2 (no specs), cvtres.exe (no specs), csc.exe, conhost.exe (no specs), cvtres.exe (no specs), csc.exe, conhost.exe (no specs), cvtres.exe (no specs)
  • powershell.exe (no specs), csc.exe, conhost.exe (no specs), cvtres.exe (no specs)
  • msedge.exe ×7 (no specs), SPPSurrogate (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
528
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2472 --field-trial-handle=2476,i,2458615041855297694,5584626942618492909,262144 --variations-seed-version /prefetch:2
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\user32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptbase.dll
PID:
720
CMD:
"C:\Windows\System32\schtasks.exe" /delete /tn "Win Riser_launcher" /f
Path:
C:\Windows\SysWOW64\schtasks.exe
Parent process:
wrsetup.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
812
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x290,0x294,0x298,0x1e0,0x2a0,0x7ffef7fc5fd8,0x7ffef7fc5fe4,0x7ffef7fc5ff0
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
PID:
1296
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.winriser.com/inw/install/win-riser/?utm_source=winrsrdft&utm_campaign=winrsrdft&utm_medium=winrsrdft&utm_pubid=&p=win5896_win5756_runt&bs=&ctx=&at=&msclkid=&gclid=&ud=7241898940096849334&xip=84.17.49.16&xdt=26-07-2024+13%3a51%3a45&ftc=0&acttype=1&productid=178
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
winrgr.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\windows\system32\ntmarta.dll
c:\windows\system32\windows.internal.ui.shell.windowtabmanager.dll
c:\windows\system32\usermgrcli.dll
c:\windows\system32\sxs.dll
PID:
2112
CMD:
"C:\Users\admin\AppData\Local\Temp\is-PTRU8.tmp\wrsetup.tmp" /SL5="$17041A,11097109,929792,C:\Users\admin\AppData\Local\Temp\wrsetup.exe" /SPAWNWND=$1C01FA /NOTIFYWND=$1003C2
Path:
C:\Users\admin\AppData\Local\Temp\is-PTRU8.tmp\wrsetup.tmp
Parent process:
wrsetup.exe
User:
admin
Company:
Bit Guardian GmbH
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-ptru8.tmp\wrsetup.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID:
2380
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
schtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2736
CMD:
C:\WINDOWS\system32\vssvc.exe
Path:
C:\Windows\System32\VSSVC.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID:
3112
CMD:
"C:\Program Files\Win Riser\winrgr.exe" flaunch
Path:
C:\Program Files\Win Riser\winrgr.exe
Parent process:
wrsetup.tmp
User:
admin
Company:
Bit Guardian
Integrity Level:
HIGH
Description:
Win Riser
Version:
1.0.0.18
Modules
Images
c:\program files\win riser\winrgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
3168
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2684 --field-trial-handle=2476,i,2458615041855297694,5584626942618492909,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
PID:
3848
CMD:
"C:\Windows\System32\taskkill.exe" /f /im "winrgr.exe"
Path:
C:\Windows\SysWOW64\taskkill.exe
Parent process:
wrsetup.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 7 597
Read events: 7 555
Write events: 41
Delete events: 1

Modification events

(PID) Process: (2112) wrsetup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: 400800008E9E1BE362DFDA01

(PID) Process: (2112) wrsetup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: F4330C794A0A3AD1BEAEC7213968548C06131A48650B08CA9587E02322C3F007

(PID) Process: (2112) wrsetup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

(PID) Process: (2112) wrsetup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2112) wrsetup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2112) wrsetup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2112) wrsetup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (2112) wrsetup.tmp
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation: delete value
Name: PendingFileRenameOperations
Value: (none)

(PID) Process: (2112) wrsetup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (2112) wrsetup.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:
Executable files: 71
Suspicious files: 88
Text files: 91
Unknown types: 19

Dropped files

PID: 2112 | Process: wrsetup.tmp
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656
Type: der
MD5: 3D710A4C9537C6F3338BF8AFBF4F2320
SHA256: D0CE5E9A4DC7F755815393ABA7BC46828AB0CBA71E893A2CA55EDAB468DBB73B

PID: 2112 | Process: wrsetup.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-O9MPC.tmp\WinRiserAPI.dll
Type: executable
MD5: 6D42EA20CD52CC87E4692C4325B151AE
SHA256: 9A0D6462884C9B34621DE5BD2B587F7C156F4E5F8C8FD6AC09F9A775D84AC2A3

PID: 2112 | Process: wrsetup.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-O9MPC.tmp\jsonconfig.dll
Type: executable
MD5: 512F9298DAA0AF8CEB045045AA823837
SHA256: E7741760520E99E698FBE7AE519EE87FF319636033D95DB650D9AD168BFCF725

PID: 2112 | Process: wrsetup.tmp
Filename: C:\Users\admin\AppData\Roaming\Apps511\gtipinfo.json
Type: binary
MD5: 8E8CC2070E1BD21155E0F110B341B8A8
SHA256: 8FC7838417050C903BF0163037E3F977C2C99107EF6F54937287413784F14B03

PID: 2112 | Process: wrsetup.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-O9MPC.tmp\_isetup\_setup64.tmp
Type: executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

PID: 2112 | Process: wrsetup.tmp
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517
Type: binary
MD5: 1751FE70356DB4EDDF11E1B74E3C1317
SHA256: F16B7554B60DA9F921C775E7912E552A7B4E7B90EE5DE167D7A619C65F973905

PID: 2112 | Process: wrsetup.tmp
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\83D863F495E7D991917B3ABB3E1EB382_E1043C9FB23D2ECEBB20C59BC9422904
Type: binary
MD5: 64158880D590EFBBEF35A1057193394F
SHA256: A56119101A14867134054DA9170B99E2B577A09EDF9C3536C588950F8A4F3F95

PID: 2112 | Process: wrsetup.tmp
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\english_promoapps[1].xml
Type: html
MD5: 921399FC5C8729CFDC645A3AF15869FB
SHA256: AAE2929AF92300BD65AC664AE40739722359E3D7EB03B3F1502ED9A91140A746

PID: 2112 | Process: wrsetup.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-O9MPC.tmp\finish.bmp
Type: image
MD5: 337ADAD59D5FEBA3A07056FAE5AC29A5
SHA256: 7251174D4BE1CBB8B8B43A27980FFBDAD267C8AA8A1F2369E751AEB7D1657FB7

PID: 2112 | Process: wrsetup.tmp
Filename: C:\Users\admin\AppData\Roaming\Apps511\promoapps.xml
Type: html
MD5: 921399FC5C8729CFDC645A3AF15869FB
SHA256: AAE2929AF92300BD65AC664AE40739722359E3D7EB03B3F1502ED9A91140A746
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 16
TCP/UDP connections: 126
DNS requests: 96
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation (the Type and Size columns are not populated in the report)
2112 | wrsetup.tmp | GET | 200 | 154.27.69.89:80 | http://cf.winriser.com/productprice.svc/gtipinfo | unknown | unknown
2112 | wrsetup.tmp | GET | 200 | 18.245.39.64:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkpLy9ROx7U76vGUhC06D6E%3D | unknown | unknown
4424 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5368 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
3676 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
2300 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
4132 | OfficeClickToRun.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | whitelisted
2112 | wrsetup.tmp | GET | 200 | 18.245.39.64:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkzUBtJnwJkc3SmanzgxeYU%3D | unknown | unknown
2112 | wrsetup.tmp | GET | 200 | 18.238.246.206:80 | http://ocsp.r2m03.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQqHI%2BsdmapawQncL1rpCEZZ8gTSAQUVdkYX9IczAHhWLS%2Bq9lVQgHXLgICEAxQldEE1Uw8Jq%2Fl%2FfsRvMA%3D | unknown | unknown
2112 | wrsetup.tmp | GET | 403 | 18.245.31.84:80 | http://wgip.winriser.com/winrsr/84_17_49_16.txt | unknown | unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID | Process | IP | Domain | ASN | CN | Reputation ("-" marks a column the report leaves empty)
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
996 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6012 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 131.253.33.254:443 | a-ring-fallback.msedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
- | - | 92.122.215.2:443 | www.bing.com | Akamai International B.V. | DE | unknown
2988 | slui.exe | 40.91.76.224:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1516 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1328 | slui.exe | 40.91.76.224:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3952 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
2112 | wrsetup.tmp | 13.35.58.74:443 | cdn.winriser.com | - | US | unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
  • 40.127.240.158
  • 4.231.128.59
whitelisted
t-ring-fdv2.msedge.net
  • 13.107.237.254
unknown
a-ring-fallback.msedge.net
  • 131.253.33.254
unknown
www.bing.com
  • 92.122.215.2
  • 92.122.215.55
  • 92.122.215.52
  • 92.122.215.3
  • 92.122.215.56
  • 92.122.215.74
  • 92.122.215.54
  • 92.122.215.57
  • 92.122.215.93
  • 92.122.215.98
  • 92.122.215.96
  • 92.122.215.95
  • 2.23.209.161
  • 2.23.209.177
  • 2.23.209.158
  • 2.23.209.187
  • 2.23.209.176
  • 2.23.209.193
  • 2.23.209.130
  • 2.23.209.148
  • 2.23.209.150
whitelisted
google.com
  • 142.250.186.78
whitelisted
cdn.winriser.com
  • 13.35.58.74
  • 13.35.58.128
  • 13.35.58.47
  • 13.35.58.105
unknown
ocsp.rootca1.amazontrust.com
  • 18.245.39.64
shared
cf.winriser.com
  • 154.27.69.89
unknown
wgip.winriser.com
  • 18.245.31.84
  • 18.245.31.17
  • 18.245.31.9
  • 18.245.31.43
unknown
fp-afd-nocache-ccp.azureedge.net
  • 13.107.246.60
whitelisted

Threats

No threats detected
Process | Message
winrgr.exe | 26-07-2024-01:51:54::C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Win Riser\Buy Win Riser.lnk
winrgr.exe | 26-07-2024-01:51:55::Install Date: 7/26/2024 1:51:54 PM
winrgr.exe | 26-07-2024-01:51:55::Register Date: 1/1/0001 12:00:00 AM
winrgr.exe | 26-07-2024-01:51:55::before firing url as silent build :
winrgr.exe | 26-07-2024-01:51:55::firing url as silent build : http://www.winriser.com/inw/install/win-riser/?
winrgr.exe | Native library pre-loader is trying to load native SQLite library "C:\Program Files\Win Riser\x64\SQLite.Interop.dll"...
winrgr.exe | 26-07-2024-01:51:59::DriverClassLibrary|RefreshDrivers|Started
winrgr.exe | 26-07-2024-01:52:00::DriverClassLibrary|RefreshDrivers|Success
winrgr.exe | NOT FOUND IN DB : IDS_SUF_MB
winrgr.exe | NOT FOUND IN DB : IDS_SUF_MB