download: /download/wicreset.exe

Full analysis: https://app.any.run/tasks/d0708c58-af18-4751-94d4-8b29d0c4fd90
Verdict: Malicious activity
Analysis date: May 19, 2024, 17:48:51
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: opendir
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: A3BF50D833F10E1F976FA5E72997F45F
SHA1: 9C3CA9415074EB1BE0BEE075FE914DEA110A5B0F
SHA256: 483F2613F51E072FD645B047AE9311C6B6605A466EF81E05FFC0C04CB6E9F191
SSDEEP: 98304:o0MP1iC4bbdXTpzoE3j+K/0iCi4d/pMJaOcAg4carPAgavo1L0QblluLZw3uHFua:dJ8+vf4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • wicreset.exe (PID: 6484)
      • wicreset.exe (PID: 6580)
      • wicreset.tmp (PID: 6612)
    • Antivirus name has been found in the command line (generic signature)

      • wicreset.tmp (PID: 6612)
      • wicreset.exe (PID: 6484)
      • wicreset.exe (PID: 1172)
      • wicreset.tmp (PID: 6504)
      • wicreset.exe (PID: 6580)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • wicreset.exe (PID: 6484)
      • wicreset.exe (PID: 6580)
      • wicreset.tmp (PID: 6612)
    • Reads the Windows owner or organization settings

      • wicreset.tmp (PID: 6612)
    • Connects to unusual port

      • wicreset.exe (PID: 1172)
    • Reads security settings of Internet Explorer

      • wicreset.tmp (PID: 6504)
    • Reads the date of Windows installation

      • wicreset.tmp (PID: 6504)
  • INFO

    • Checks supported languages

      • wicreset.exe (PID: 6580)
      • wicreset.tmp (PID: 6612)
      • wicreset.exe (PID: 6484)
      • wicreset.tmp (PID: 6504)
      • wicreset.exe (PID: 1172)
    • Reads the computer name

      • wicreset.tmp (PID: 6612)
      • wicreset.exe (PID: 1172)
      • wicreset.tmp (PID: 6504)
    • Create files in a temporary directory

      • wicreset.exe (PID: 6580)
      • wicreset.exe (PID: 6484)
      • wicreset.tmp (PID: 6612)
    • Creates a software uninstall entry

      • wicreset.tmp (PID: 6612)
    • Creates files in the program directory

      • wicreset.tmp (PID: 6612)
    • Creates files or folders in the user directory

      • wicreset.exe (PID: 1172)
    • Process checks computer location settings

      • wicreset.tmp (PID: 6504)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (45.2)
.dll | Win32 Dynamic Link Library (generic) (20.9)
.exe | Win32 Executable (generic) (14.3)
.exe | Win16/32 Executable Delphi generic (6.6)
.exe | Generic Win/DOS Executable (6.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:06:14 13:27:46+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 66560
InitializedDataSize: 53760
UninitializedDataSize: -
EntryPoint: 0x1181c
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 5.90.0.0
ProductVersionNumber: 5.90.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: WWW.WIC.SUPPORT
FileDescription: WicReset Setup
FileVersion: 5.90.0.0
LegalCopyright:
ProductName: WicReset
ProductVersion: 5.90.0.0
No data.
All screenshots are available in the full report
Total processes: 122
Monitored processes: 6
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Processes in graph: wicreset.exe, wicreset.tmp (no specs), wicreset.exe, wicreset.tmp, filecoauth.exe (no specs), wicreset.exe

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 1172
CMD: "C:\Program Files (x86)\WicReset\wicreset.exe"
Path: C:\Program Files (x86)\WicReset\wicreset.exe
Parent process: wicreset.tmp
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\program files (x86)\wicreset\wicreset.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\rpcrt4.dll
PID: 6484
CMD: "C:\Users\admin\Desktop\wicreset.exe"
Path: C:\Users\admin\Desktop\wicreset.exe
Parent process: explorer.exe
User:
admin
Company:
WWW.WIC.SUPPORT
Integrity Level:
MEDIUM
Description:
WicReset Setup
Exit code:
0
Version:
5.90.0.0
Modules
Images
c:\users\admin\desktop\wicreset.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 6504
CMD: "C:\Users\admin\AppData\Local\Temp\is-37N9A.tmp\wicreset.tmp" /SL5="$401DE,2664001,121344,C:\Users\admin\Desktop\wicreset.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-37N9A.tmp\wicreset.tmp
Parent process: wicreset.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-37n9a.tmp\wicreset.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 6580
CMD: "C:\Users\admin\Desktop\wicreset.exe" /SPAWNWND=$302B2 /NOTIFYWND=$401DE
Path: C:\Users\admin\Desktop\wicreset.exe
Parent process: wicreset.tmp
User:
admin
Company:
WWW.WIC.SUPPORT
Integrity Level:
HIGH
Description:
WicReset Setup
Exit code:
0
Version:
5.90.0.0
Modules
Images
c:\users\admin\desktop\wicreset.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 6612
CMD: "C:\Users\admin\AppData\Local\Temp\is-5HV5P.tmp\wicreset.tmp" /SL5="$502B8,2664001,121344,C:\Users\admin\Desktop\wicreset.exe" /SPAWNWND=$302B2 /NOTIFYWND=$401DE
Path: C:\Users\admin\AppData\Local\Temp\is-5HV5P.tmp\wicreset.tmp
Parent process: wicreset.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-5hv5p.tmp\wicreset.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 7156
CMD: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding
Path: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneDrive File Co-Authoring Executable
Exit code:
0
Version:
19.043.0304.0013
Modules
Images
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
Total events: 4 447
Read events: 4 409
Write events: 32
Delete events: 6

Modification events

(PID) Process: (6612) wicreset.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: D4190000F73617D714AADA01

(PID) Process: (6612) wicreset.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: 45560BC48659ED1906BAB59F408C85DF2B67F68EF831B90DE262802BCD50160C

(PID) Process: (6612) wicreset.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

(PID) Process: (6612) wicreset.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFiles0000
Value: C:\Program Files (x86)\WicReset\wicreset.exe

(PID) Process: (6612) wicreset.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFilesHash
Value: C15393A3109F4F5A1B5007B6CF3A8CA1FD8E7F1B4FA8CE6CFD1858F89316228E

(PID) Process: (6612) wicreset.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{20379D3A-321B-4830-96A6-37183B713AE8}_is1
Operation: write
Name: Inno Setup: Setup Version
Value: 5.6.1 (u)

(PID) Process: (6612) wicreset.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{20379D3A-321B-4830-96A6-37183B713AE8}_is1
Operation: write
Name: Inno Setup: App Path
Value: C:\Program Files (x86)\WicReset

(PID) Process: (6612) wicreset.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{20379D3A-321B-4830-96A6-37183B713AE8}_is1
Operation: write
Name: InstallLocation
Value: C:\Program Files (x86)\WicReset\

(PID) Process: (6612) wicreset.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{20379D3A-321B-4830-96A6-37183B713AE8}_is1
Operation: write
Name: Inno Setup: Icon Group
Value: WicReset

(PID) Process: (6612) wicreset.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{20379D3A-321B-4830-96A6-37183B713AE8}_is1
Operation: write
Name: Inno Setup: User
Value: admin
Executable files: 7
Suspicious files: 65
Text files: 0
Unknown types: 0

Dropped files

Columns: PID | Process | Filename | Type

6484 | wicreset.exe | C:\Users\admin\AppData\Local\Temp\is-37N9A.tmp\wicreset.tmp | executable
MD5: 34ACC2BDB45A9C436181426828C4CB49
SHA256: 9C81817ACD4982632D8C7F1DF3898FCA1477577738184265D735F49FC5480F07

6612 | wicreset.tmp | C:\Program Files (x86)\WicReset\is-62Q7N.tmp | executable
MD5: 58E7080D8B85EF01176F748BEAC723DA
SHA256: 95EB04331863353260F569AB50E86E5CBEFE72022914FF1A15E9747AF5552C06

6612 | wicreset.tmp | C:\Program Files (x86)\WicReset\unins000.exe | executable
MD5: 58E7080D8B85EF01176F748BEAC723DA
SHA256: 95EB04331863353260F569AB50E86E5CBEFE72022914FF1A15E9747AF5552C06

6612 | wicreset.tmp | C:\Program Files (x86)\WicReset\is-1PBG2.tmp | executable
MD5: E0B28C2C8F2DA461107A3F7CE4926DB1
SHA256: 40A3A679821A785F315B7CC954463712DC63DAE2F4A2642F3BD50214B8DC1960

6612 | wicreset.tmp | C:\Users\admin\AppData\Local\Temp\is-4AM1G.tmp\_isetup\_setup64.tmp | executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

6612 | wicreset.tmp | C:\Program Files (x86)\WicReset\wicreset.exe | executable
MD5: E0B28C2C8F2DA461107A3F7CE4926DB1
SHA256: 40A3A679821A785F315B7CC954463712DC63DAE2F4A2642F3BD50214B8DC1960

7156 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-05-19.1750.7156.1.aodl | binary
MD5: 28DCA2FF4B34B5A52A2E59DF202A6ED3
SHA256: 33BACCB7296F1ED1F995FC77A23049F261CF391AC0388F9E8DD161F8C17B7F94

6612 | wicreset.tmp | C:\Program Files (x86)\WicReset\unins000.dat | binary
MD5: 3E88A56290D6FF739B6AD81F8CD48895
SHA256: 202451096F07929B6A01B08AEADC2380C76B28C08E584B9C75179591FCDE9A9F

6580 | wicreset.exe | C:\Users\admin\AppData\Local\Temp\is-5HV5P.tmp\wicreset.tmp | executable
MD5: 34ACC2BDB45A9C436181426828C4CB49
SHA256: 9C81817ACD4982632D8C7F1DF3898FCA1477577738184265D735F49FC5480F07

6612 | wicreset.tmp | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WicReset\WicReset.lnk | binary
MD5: 9BB4923B7CD879F1DB9C3A28B085AEAB
SHA256: 87BFA0A9AB3B248CCC74D92BEC563A67C677D502BCBEEFB445AA8EA03AC8F41B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 14
TCP/UDP connections: 33
DNS requests: 20
Threats: 0

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

1984 | RUXIMICS.exe | GET | 200 | 2.19.122.206:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
1984 | RUXIMICS.exe | GET | 200 | 23.44.252.205:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
1172 | wicreset.exe | GET | 200 | 176.9.157.164:80 | http://www.2manuals.com/WIC/support_message.php | unknown | unknown
1172 | wicreset.exe | GET | 200 | 176.9.157.164:80 | http://www.printhelp.info/data/redist/upgrades.zip | unknown | unknown
1172 | wicreset.exe | GET | 200 | 176.9.157.164:80 | http://www.2manuals.com/WIC/banners/content.xml | unknown | unknown
1172 | wicreset.exe | GET | 200 | 176.9.157.164:80 | http://www.printhelp.info/data/redist/upgrades.xml | unknown | unknown
1172 | wicreset.exe | GET | 200 | 176.9.157.164:80 | http://www.2manuals.com/WIC/banners/u-csfwr.png | unknown | unknown
1172 | wicreset.exe | GET | 200 | 176.9.157.164:80 | http://www.2manuals.com/WIC/wicfaq.rss | unknown | unknown
1172 | wicreset.exe | GET | 200 | 176.9.157.164:80 | http://www.2manuals.com/WIC/wicreset.rss | unknown | unknown
- | - | POST | 204 | 23.222.16.81:443 | https://www.bing.com/threshold/xls.aspx | unknown

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation

5632 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1984 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5140 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1984 | RUXIMICS.exe | 2.19.122.206:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
1984 | RUXIMICS.exe | 23.44.252.205:80 | www.microsoft.com | Cellcom Fixed Line Communication L.P | IL | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5456 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4680 | SearchApp.exe | 23.222.16.96:443 | - | Akamai International B.V. | US | unknown
4680 | SearchApp.exe | 23.222.16.97:443 | - | Akamai International B.V. | US | unknown

DNS requests

Columns: Domain | IP | Reputation

crl.microsoft.com | 2.19.122.206, 2.19.122.202 | whitelisted
www.microsoft.com | 23.44.252.205 | whitelisted
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
wasteinkcounter.com | 62.112.10.39 | unknown
www.printhelp.info | 176.9.157.164 | malicious
www.2manuals.com | 176.9.157.164 | malicious
self.events.data.microsoft.com | 13.69.239.73 | whitelisted

Threats

No threats detected
Columns: Process | Message

wicreset.exe | d:\development\libraries\wx\src\msw\window.cpp(581): 'SetFocus' failed with error 0x00000057 (the parameter is incorrect.).
wicreset.exe | d:\development\libraries\wx\src\msw\window.cpp(581): 'SetFocus' failed with error 0x00000057 (the parameter is incorrect.).