URL:

https://www.winriser.com/

Full analysis: https://app.any.run/tasks/df9bdb4f-206c-45f4-a245-7bc56293700d
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: July 24, 2024, 15:17:24
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
netreactor
stealer
Indicators:
MD5:

8F25D137457213F649A887399840E630

SHA1:

FF7738065FD6408718D794C2087AC44E16A9033F

SHA256:

FB3C1CECF20FD9C652A1F6360C8E22E93656292E83087551CA865AA4088C2A8A

SSDEEP:

3:N8DSLkXLR:2OLkbR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • wrsetup.exe (PID: 6700)
      • wrsetup.exe (PID: 1160)
      • wrsetup.tmp (PID: 7788)
      • csc.exe (PID: 8892)
      • csc.exe (PID: 8864)
      • csc.exe (PID: 4708)

    • Scans artifacts that could help determine the target

      • wrsetup.tmp (PID: 7788)

    • Actions looks like stealing of personal data

      • winrgr.exe (PID: 7648)

    • Steals credentials from Web Browsers

      • winrgr.exe (PID: 7648)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • wrsetup.exe (PID: 6700)
      • wrsetup.exe (PID: 1160)
      • wrsetup.tmp (PID: 7788)
      • csc.exe (PID: 8892)
      • csc.exe (PID: 8864)
      • csc.exe (PID: 4708)

    • Reads security settings of Internet Explorer

      • wrsetup.tmp (PID: 5960)
      • wrsetup.tmp (PID: 7788)
      • winrgr.exe (PID: 7648)
      • ShellExperienceHost.exe (PID: 3056)

    • Reads the date of Windows installation

      • wrsetup.tmp (PID: 5960)
      • wrsetup.tmp (PID: 7788)
      • winrgr.exe (PID: 7648)

    • Reads the Windows owner or organization settings

      • wrsetup.tmp (PID: 7788)

    • Process drops legitimate windows executable

      • wrsetup.tmp (PID: 7788)

    • The process drops C-runtime libraries

      • wrsetup.tmp (PID: 7788)

    • Drops 7-zip archiver for unpacking

      • wrsetup.tmp (PID: 7788)

    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 1256)

    • Uses TASKKILL.EXE to kill process

      • wrsetup.tmp (PID: 7788)

    • Checks Windows Trust Settings

      • winrgr.exe (PID: 7648)

    • Adds/modifies Windows certificates

      • winrgr.exe (PID: 7648)

    • Executes as Windows Service

      • PresentationFontCache.exe (PID: 9064)
      • VSSVC.exe (PID: 9192)

    • Starts POWERSHELL.EXE for commands execution

      • winrgr.exe (PID: 7648)
      • powershell.exe (PID: 4432)

    • Detected use of alternative data streams (AltDS)

      • powershell.exe (PID: 4432)

    • Application launched itself

      • powershell.exe (PID: 4432)

    • Write to the desktop.ini file (may be used to cloak folders)

      • winrgr.exe (PID: 7648)

    • Reads browser cookies

      • winrgr.exe (PID: 7648)

    • Searches for installed software

      • dllhost.exe (PID: 8992)
      • reg.exe (PID: 9072)

    • The process exported the data from the registry

      • winrgr.exe (PID: 7648)

    • Checks for the .NET to be installed

      • reg.exe (PID: 9072)

    • Reads the history of recent RDP connections

      • reg.exe (PID: 9072)

    • Starts CMD.EXE for commands execution

      • winrgr.exe (PID: 7648)

    • The process checks if it is being run in the virtual environment

      • reg.exe (PID: 9072)

    • Reads Microsoft Outlook installation path

      • reg.exe (PID: 9072)

  • INFO

    • Checks proxy server information

      • slui.exe (PID: 1952)
      • wrsetup.tmp (PID: 7788)
      • winrgr.exe (PID: 7648)

    • Application launched itself

      • firefox.exe (PID: 5304)
      • firefox.exe (PID: 3888)
      • msedge.exe (PID: 6336)
      • msedge.exe (PID: 7272)

    • Reads the software policy settings

      • slui.exe (PID: 1952)
      • winrgr.exe (PID: 7648)
      • reg.exe (PID: 9072)

    • Drops the executable file immediately after the start

      • firefox.exe (PID: 3888)

    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 2508)

    • Disables trace logs

      • explorer.exe (PID: 2508)
      • winrgr.exe (PID: 7648)
      • reg.exe (PID: 9072)

    • Checks transactions between databases Windows and Oracle

      • explorer.exe (PID: 2508)
      • reg.exe (PID: 9072)

    • Create files in a temporary directory

      • wrsetup.exe (PID: 6700)
      • wrsetup.tmp (PID: 7788)
      • wrsetup.exe (PID: 1160)
      • winrgr.exe (PID: 7648)
      • csc.exe (PID: 8892)
      • cvtres.exe (PID: 8824)
      • csc.exe (PID: 8864)
      • cvtres.exe (PID: 6040)
      • reg.exe (PID: 9072)

    • Checks supported languages

      • ShellExperienceHost.exe (PID: 3056)
      • wrsetup.exe (PID: 6700)
      • wrsetup.tmp (PID: 5960)
      • wrsetup.exe (PID: 1160)
      • wrsetup.tmp (PID: 7788)
      • winrgr.exe (PID: 7648)
      • identity_helper.exe (PID: 8688)
      • PresentationFontCache.exe (PID: 9064)
      • TextInputHost.exe (PID: 8004)
      • csc.exe (PID: 8892)
      • cvtres.exe (PID: 8824)
      • csc.exe (PID: 8864)
      • cvtres.exe (PID: 6040)

    • Reads the computer name

      • TextInputHost.exe (PID: 8004)
      • wrsetup.tmp (PID: 5960)
      • wrsetup.tmp (PID: 7788)
      • winrgr.exe (PID: 7648)
      • identity_helper.exe (PID: 8688)
      • PresentationFontCache.exe (PID: 9064)
      • ShellExperienceHost.exe (PID: 3056)

    • Process checks computer location settings

      • wrsetup.tmp (PID: 5960)
      • wrsetup.tmp (PID: 7788)
      • winrgr.exe (PID: 7648)

    • Creates files in the program directory

      • wrsetup.tmp (PID: 7788)
      • winrgr.exe (PID: 7648)

    • Creates a software uninstall entry

      • wrsetup.tmp (PID: 7788)

    • Reads the machine GUID from the registry

      • winrgr.exe (PID: 7648)
      • PresentationFontCache.exe (PID: 9064)
      • csc.exe (PID: 8892)
      • cvtres.exe (PID: 8824)
      • csc.exe (PID: 8864)
      • cvtres.exe (PID: 6040)

    • Reads Microsoft Office registry keys

      • winrgr.exe (PID: 7648)
      • msedge.exe (PID: 7272)
      • msedge.exe (PID: 6336)
      • firefox.exe (PID: 3888)
      • reg.exe (PID: 9072)

    • Manual execution by a user

      • msedge.exe (PID: 7272)

    • Reads Environment values

      • winrgr.exe (PID: 7648)
      • identity_helper.exe (PID: 8688)

    • Creates files or folders in the user directory

      • winrgr.exe (PID: 7648)

    • Reads product name

      • winrgr.exe (PID: 7648)

    • .NET Reactor protector has been detected

      • winrgr.exe (PID: 7648)

    • The process uses the downloaded file

      • firefox.exe (PID: 3888)

    • Executable content was dropped or overwritten

      • firefox.exe (PID: 3888)

    • Checks Windows language

      • reg.exe (PID: 9072)

    • Reads Windows Product ID

      • reg.exe (PID: 9072)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
228
Monitored processes
78
Malicious processes
9
Suspicious processes
0

Behavior graph

Click at the process to see the details
start firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs slui.exe no specs slui.exe firefox.exe no specs shellexperiencehost.exe no specs textinputhost.exe no specs explorer.exe no specs Connection Manager LUA Host Object no specs wrsetup.exe wrsetup.tmp no specs wrsetup.exe wrsetup.tmp schtasks.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs THREAT winrgr.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs presentationfontcache.exe no specs SPPSurrogate no specs vssvc.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs csc.exe conhost.exe no specs cvtres.exe no specs SPPSurrogate no specs msedge.exe no specs msedge.exe no specs csc.exe conhost.exe no specs cvtres.exe no specs srtasks.exe no specs conhost.exe no specs reg.exe no specs conhost.exe no specs msedge.exe no specs reg.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs msedge.exe no specs csc.exe conhost.exe no specs cvtres.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
540"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4348 -childID 2 -isForBrowser -prefsHandle 4484 -prefMapHandle 4344 -prefsLen 36263 -prefMapSize 244343 -jsInitHandle 1320 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25754767-3d6c-4059-bbdf-9e171df4c949} 3888 "\\.\pipe\gecko-crash-server-pipe.3888" 1b3a9e36bd0 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
836C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1124"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x314,0x318,0x31c,0x310,0x324,0x7ffeedc85fd8,0x7ffeedc85fe4,0x7ffeedc85ff0C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
1132"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2192 -parentBuildID 20240213221259 -prefsHandle 2184 -prefMapHandle 2180 -prefsLen 30537 -prefMapSize 244343 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9b51dc7-4220-4e5e-b565-e95e62508478} 3888 "\\.\pipe\gecko-crash-server-pipe.3888" 1b39627ff10 socketC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
1160"C:\Users\admin\Downloads\wrsetup.exe" /SPAWNWND=$302BE /NOTIFYWND=$4020E C:\Users\admin\Downloads\wrsetup.exe
wrsetup.tmp
User:
admin
Company:
Bit Guardian GmbH
Integrity Level:
HIGH
Description:
Win Riser Setup
Exit code:
0
Version:
1.0.0.7
Modules
Images
c:\users\admin\downloads\wrsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
1256"C:\Windows\System32\schtasks.exe" /delete /tn "Win Riser_launcher" /fC:\Windows\SysWOW64\schtasks.exewrsetup.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1952C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2128"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2976 -childID 1 -isForBrowser -prefsHandle 3008 -prefMapHandle 3004 -prefsLen 26706 -prefMapSize 244343 -jsInitHandle 1320 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f12d273-8624-4d5f-b1c5-fc418e180872} 3888 "\\.\pipe\gecko-crash-server-pipe.3888" 1b3a7f63f50 tabC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
2508C:\WINDOWS\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -EmbeddingC:\Windows\explorer.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\twinapi.dll
2544\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exetaskkill.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
499 653
Read events
499 078
Write events
540
Delete events
35

Modification events

(PID) Process:(5304) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Launcher
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe|Launcher
Value:
007118C500000000
(PID) Process:(3888) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Launcher
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe|Browser
Value:
49BC19C500000000
(PID) Process:(3888) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe|Progress
Value:
0
(PID) Process:(3888) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe|Progress
Value:
1
(PID) Process:(3888) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Installer\308046B0AF4A39CB
Operation:delete valueName:installer.taskbarpin.win10.enabled
Value:
(PID) Process:(3888) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Launcher
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe|Telemetry
Value:
0
(PID) Process:(3888) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe
Value:
0
(PID) Process:(3888) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe|Theme
Value:
1
(PID) Process:(3888) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe|Enabled
Value:
1
(PID) Process:(3888) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Default Browser Agent
Operation:writeName:C:\Program Files\Mozilla Firefox|DisableTelemetry
Value:
1
Executable files
71
Suspicious files
231
Text files
105
Unknown types
51

Dropped files

PID
Process
Filename
Type
3888firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\urlCache-current.binbinary
MD5:297E88D7CEB26E549254EC875649F4EB
SHA256:8B75D4FB1845BAA06122888D11F6B65E6A36B140C54A72CC13DF390FD7C95702
3888firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
MD5:
SHA256:
3888firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\datareporting\glean\db\data.safe.bindbf
MD5:3B156E12141F8CBCE9D60CDCE2077617
SHA256:E6287E44B44ABEA20E1B2E3F415D22B9E5E5FBBC155AD9DADBABA63951B2AF6F
3888firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.jsonbinary
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
3888firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
3888firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walbinary
MD5:373D06A2F2F77222AC5E5EE4D308116E
SHA256:BF8C0068FF521633452A3945412C888A4AF390148BF49FE45949D47A399236F8
3888firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
3888firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
3888firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json.tmpbinary
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
3888firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\prefs-1.jstext
MD5:7A97B8DBC4F98D175F958C00F463A52A
SHA256:92074D2ED1AA1FD621287E35DB9EF1AE3DC04777EFAE5F09E7A3B4534C201548
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
32
TCP/UDP connections
139
DNS requests
135
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3888
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted
3888
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
whitelisted
3888
firefox.exe
POST
200
142.250.185.67:80
http://o.pki.goog/wr2
unknown
3888
firefox.exe
POST
200
142.250.185.67:80
http://o.pki.goog/wr2
unknown
3888
firefox.exe
POST
200
142.250.185.67:80
http://o.pki.goog/wr2
unknown
3888
firefox.exe
POST
200
184.24.77.46:80
http://r11.o.lencr.org/
unknown
3888
firefox.exe
POST
200
184.24.77.46:80
http://r11.o.lencr.org/
unknown
3888
firefox.exe
POST
200
184.24.77.48:80
http://r3.o.lencr.org/
unknown
3888
firefox.exe
POST
200
184.24.77.59:80
http://r10.o.lencr.org/
unknown
3888
firefox.exe
POST
200
184.24.77.59:80
http://r10.o.lencr.org/
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
6012
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3060
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4512
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
104.126.37.179:443
Akamai International B.V.
DE
unknown
3952
svchost.exe
239.255.255.250:1900
whitelisted
3888
firefox.exe
142.250.186.170:443
safebrowsing.googleapis.com
whitelisted
3888
firefox.exe
34.117.188.166:443
contile.services.mozilla.com
unknown
3888
firefox.exe
34.107.243.93:443
push.services.mozilla.com
unknown
3888
firefox.exe
34.107.221.82:80
detectportal.firefox.com
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.206
whitelisted
detectportal.firefox.com
  • 34.107.221.82
whitelisted
www.winriser.com
  • 154.27.69.89
unknown
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted
winriser.com
  • 154.27.69.89
unknown
example.org
  • 93.184.215.14
whitelisted
ipv4only.arpa
  • 192.0.0.170
  • 192.0.0.171
whitelisted
contile.services.mozilla.com
  • 34.117.188.166
whitelisted
spocs.getpocket.com
  • 34.117.188.166
whitelisted

Threats

PID
Process
Class
Message
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
Process
Message
winrgr.exe
24-07-2024-03:19:00::C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Win Riser\Buy Win Riser.lnk
winrgr.exe
24-07-2024-03:19:00::Install Date: 7/24/2024 3:19:00 PM
winrgr.exe
24-07-2024-03:19:00::Register Date: 1/1/0001 12:00:00 AM
winrgr.exe
24-07-2024-03:19:01::before firing url as silent build :
winrgr.exe
24-07-2024-03:19:01::firing url as silent build : http://www.winriser.com/inw/install/win-riser/?
winrgr.exe
Native library pre-loader is trying to load native SQLite library "C:\Program Files\Win Riser\x64\SQLite.Interop.dll"...
winrgr.exe
24-07-2024-03:19:02::DriverClassLibrary|RefreshDrivers|Started
winrgr.exe
24-07-2024-03:19:03::DriverClassLibrary|RefreshDrivers|Success
winrgr.exe
NOT FOUND IN DB : IDS_SUF_MB
winrgr.exe
NOT FOUND IN DB : IDS_SUF_MB
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://www.winriser.com/