File name: WRCFree_11.1.7.722.exe

Full analysis: https://app.any.run/tasks/7df0f874-950b-4fc1-9b30-d321fc36cc4a
Verdict: Malicious activity
Analysis date: December 11, 2024, 16:32:26
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5: A9EB33AE2B8800F07C0E34373936F09A
SHA1: E938C2E6FE71F5C237F21E069CEAC98C312F1C76
SHA256: 553250801E523D8577BF14AAB5084E7470C6449E56117673A07A42F40A381BB3
SSDEEP: 98304:IbUk4fETp0kHAKN60bCo+EpRidwucN3GZW9qTcZGK21RFnM/5HVBv6DiYyugYL8M:7w8Ycjxj0Y5RWmETk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • WRCFree_11.1.7.722.exe (PID: 6588)
      • WRCFree_11.1.7.722.exe (PID: 6808)
      • WiseRegCleaner.exe (PID: 7120)
      • WiseRegCleaner.exe (PID: 6168)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WRCFree_11.1.7.722.exe (PID: 6588)
      • WRCFree_11.1.7.722.exe (PID: 6808)
      • WRCFree_11.1.7.722.tmp (PID: 6836)
    • Reads the Windows owner or organization settings

      • WRCFree_11.1.7.722.tmp (PID: 6836)
    • Process drops legitimate windows executable

      • WRCFree_11.1.7.722.tmp (PID: 6836)
    • Reads security settings of Internet Explorer

      • WRCFree_11.1.7.722.tmp (PID: 6836)
      • WRCFree_11.1.7.722.tmp (PID: 6620)
    • Searches for installed software

      • WiseRegCleaner.exe (PID: 6168)
    • Checks for Java to be installed

      • WiseRegCleaner.exe (PID: 6168)
    • Reads Mozilla Firefox installation path

      • WiseRegCleaner.exe (PID: 6168)
  • INFO

    • Create files in a temporary directory

      • WRCFree_11.1.7.722.exe (PID: 6588)
      • WRCFree_11.1.7.722.exe (PID: 6808)
      • WRCFree_11.1.7.722.tmp (PID: 6836)
    • Reads the computer name

      • WRCFree_11.1.7.722.tmp (PID: 6620)
      • WRCFree_11.1.7.722.tmp (PID: 6836)
      • CSTask.exe (PID: 6968)
      • WiseRegCleaner.exe (PID: 6168)
    • Checks supported languages

      • WRCFree_11.1.7.722.exe (PID: 6588)
      • WRCFree_11.1.7.722.exe (PID: 6808)
      • WRCFree_11.1.7.722.tmp (PID: 6620)
      • WRCFree_11.1.7.722.tmp (PID: 6836)
      • CSTask.exe (PID: 6968)
      • WiseRegCleaner.exe (PID: 6168)
    • Process checks computer location settings

      • WRCFree_11.1.7.722.tmp (PID: 6620)
      • WRCFree_11.1.7.722.tmp (PID: 6836)
    • Creates files in the program directory

      • WRCFree_11.1.7.722.tmp (PID: 6836)
    • The sample compiled with english language support

      • WRCFree_11.1.7.722.tmp (PID: 6836)
    • Creates a software uninstall entry

      • WRCFree_11.1.7.722.tmp (PID: 6836)
    • The process uses the downloaded file

      • WRCFree_11.1.7.722.tmp (PID: 6836)
    • Sends debugging messages

      • WiseRegCleaner.exe (PID: 6168)
    • Checks proxy server information

      • WiseRegCleaner.exe (PID: 6168)
    • Reads the software policy settings

      • WiseRegCleaner.exe (PID: 6168)
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:10:12 11:15:57+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 682496
InitializedDataSize: 105984
UninitializedDataSize: -
EntryPoint: 0xa7ed0
OSVersion: 6
ImageVersion: 6
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 11.1.7.722
ProductVersionNumber: 11.1.7.722
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: WiseCleaner.com
FileDescription: Wise Registry Cleaner
FileVersion: 11.1.7
LegalCopyright: WiseCleaner.com
OriginalFileName:
ProductName: Wise Registry Cleaner
ProductVersion: 11.1.7
No data.
Total processes
138
Monitored processes
8
Malicious processes
4
Suspicious processes
2

Behavior graph

Nodes, in graph order from start: wrcfree_11.1.7.722.exe; wrcfree_11.1.7.722.tmp (no specs); wrcfree_11.1.7.722.exe; wrcfree_11.1.7.722.tmp; cstask.exe (no specs); conhost.exe (no specs); wiseregcleaner.exe (no specs); wiseregcleaner.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 6168
CMD: "C:\Program Files (x86)\Wise\Wise Registry Cleaner\WiseRegCleaner.exe"
Path: C:\Program Files (x86)\Wise\Wise Registry Cleaner\WiseRegCleaner.exe
Parent process: WRCFree_11.1.7.722.tmp
User: admin
Company: WiseCleaner.com
Integrity Level: HIGH
Description: Wise Registry Cleaner
Exit code: 0
Version: 11.1.7.722
Modules
Images
c:\program files (x86)\wise\wise registry cleaner\wiseregcleaner.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 6588
CMD: "C:\Users\admin\AppData\Local\Temp\WRCFree_11.1.7.722.exe"
Path: C:\Users\admin\AppData\Local\Temp\WRCFree_11.1.7.722.exe
Parent process: explorer.exe
User: admin
Company: WiseCleaner.com
Integrity Level: MEDIUM
Description: Wise Registry Cleaner
Exit code: 0
Version: 11.1.7
Modules
Images
c:\users\admin\appdata\local\temp\wrcfree_11.1.7.722.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 6620
CMD: "C:\Users\admin\AppData\Local\Temp\is-HFFCS.tmp\WRCFree_11.1.7.722.tmp" /SL5="$802CC,5138742,789504,C:\Users\admin\AppData\Local\Temp\WRCFree_11.1.7.722.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-HFFCS.tmp\WRCFree_11.1.7.722.tmp
Parent process: WRCFree_11.1.7.722.exe
User: admin
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-hffcs.tmp\wrcfree_11.1.7.722.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID: 6808
CMD: "C:\Users\admin\AppData\Local\Temp\WRCFree_11.1.7.722.exe" /SPAWNWND=$5030E /NOTIFYWND=$802CC
Path: C:\Users\admin\AppData\Local\Temp\WRCFree_11.1.7.722.exe
Parent process: WRCFree_11.1.7.722.tmp
User: admin
Company: WiseCleaner.com
Integrity Level: HIGH
Description: Wise Registry Cleaner
Exit code: 0
Version: 11.1.7
Modules
Images
c:\users\admin\appdata\local\temp\wrcfree_11.1.7.722.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 6836
CMD: "C:\Users\admin\AppData\Local\Temp\is-EH7KJ.tmp\WRCFree_11.1.7.722.tmp" /SL5="$8007E,5138742,789504,C:\Users\admin\AppData\Local\Temp\WRCFree_11.1.7.722.exe" /SPAWNWND=$5030E /NOTIFYWND=$802CC
Path: C:\Users\admin\AppData\Local\Temp\is-EH7KJ.tmp\WRCFree_11.1.7.722.tmp
Parent process: WRCFree_11.1.7.722.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-eh7kj.tmp\wrcfree_11.1.7.722.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID: 6968
CMD: "C:\Users\admin\AppData\Local\Temp\is-KP7DB.tmp\CSTask.exe" "WRCSkipUAC" "C:\Program Files (x86)\Wise\Wise Registry Cleaner\WiseRegCleaner.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-KP7DB.tmp\CSTask.exe
Parent process: WRCFree_11.1.7.722.tmp
User: admin
Integrity Level: HIGH
Exit code: 0
Modules
Images
c:\users\admin\appdata\local\temp\is-kp7db.tmp\cstask.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 6976
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: CSTask.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7120
CMD: "C:\Program Files (x86)\Wise\Wise Registry Cleaner\WiseRegCleaner.exe"
Path: C:\Program Files (x86)\Wise\Wise Registry Cleaner\WiseRegCleaner.exe
Parent process: WRCFree_11.1.7.722.tmp
User: admin
Company: WiseCleaner.com
Integrity Level: MEDIUM
Description: Wise Registry Cleaner
Exit code: 3221226540
Version: 11.1.7.722
Modules
Images
c:\program files (x86)\wise\wise registry cleaner\wiseregcleaner.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events
102 874
Read events
102 492
Write events
26
Delete events
356

Modification events

(PID) Process: (6836) WRCFree_11.1.7.722.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Wise Registry Cleaner_is1
Operation: write
Name: Inno Setup: Setup Version
Value: 6.0.3 (u)
(PID) Process: (6836) WRCFree_11.1.7.722.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Wise Registry Cleaner_is1
Operation: write
Name: Inno Setup: App Path
Value: C:\Program Files (x86)\Wise\Wise Registry Cleaner
(PID) Process: (6836) WRCFree_11.1.7.722.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Wise Registry Cleaner_is1
Operation: write
Name: InstallLocation
Value: C:\Program Files (x86)\Wise\Wise Registry Cleaner\
(PID) Process: (6836) WRCFree_11.1.7.722.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Wise Registry Cleaner_is1
Operation: write
Name: Inno Setup: Icon Group
Value: Wise Registry Cleaner
(PID) Process: (6836) WRCFree_11.1.7.722.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Wise Registry Cleaner_is1
Operation: write
Name: Inno Setup: User
Value: admin
(PID) Process: (6836) WRCFree_11.1.7.722.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Wise Registry Cleaner_is1
Operation: write
Name: Inno Setup: Language
Value: english
(PID) Process: (6836) WRCFree_11.1.7.722.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Wise Registry Cleaner_is1
Operation: write
Name: DisplayName
Value: Wise Registry Cleaner
(PID) Process: (6836) WRCFree_11.1.7.722.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Wise Registry Cleaner_is1
Operation: write
Name: DisplayIcon
Value: C:\Program Files (x86)\Wise\Wise Registry Cleaner\WiseRegCleaner.exe
(PID) Process: (6836) WRCFree_11.1.7.722.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Wise Registry Cleaner_is1
Operation: write
Name: UninstallString
Value: "C:\Program Files (x86)\Wise\Wise Registry Cleaner\unins000.exe"
(PID) Process: (6836) WRCFree_11.1.7.722.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Wise Registry Cleaner_is1
Operation: write
Name: QuietUninstallString
Value: "C:\Program Files (x86)\Wise\Wise Registry Cleaner\unins000.exe" /SILENT
Executable files
14
Suspicious files
14
Text files
98
Unknown types
1

Dropped files

PID
Process
Filename
Type
PID: 6588
Process: WRCFree_11.1.7.722.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-HFFCS.tmp\WRCFree_11.1.7.722.tmp
Type: executable
MD5:F3059883BA12E5C9FCD7E26D6B9A80F6
SHA256:A3A34F6F67AA5AF6E179D40B901E53F87204FF21FDEC8AB060AAA8EE371607A5
PID: 6836
Process: WRCFree_11.1.7.722.tmp
Filename: C:\Program Files (x86)\Wise\Wise Registry Cleaner\is-TFRE5.tmp
Type: executable
MD5:685D7E33A0968E52D6FDCE297CCC7D4E
SHA256:4F54A5C399C136FF25C63C68E0E8E057F946050B1B63A0C31B5BD26EE279EF5C
PID: 6836
Process: WRCFree_11.1.7.722.tmp
Filename: C:\Program Files (x86)\Wise\Wise Registry Cleaner\is-Q1Q9D.tmp
Type: executable
MD5:7C88467822A9648654FA08F6F20EDA1A
SHA256:5494B196EC622D86D857F1B85F2D8A2ED2E315CE5FB8AEA7062A102F28959A58
PID: 6836
Process: WRCFree_11.1.7.722.tmp
Filename: C:\Program Files (x86)\Wise\Wise Registry Cleaner\is-1V90D.tmp
Type: text
MD5:4A0F1A666912E64F1BA811FC24D7135F
SHA256:D6B418C619BA7456B594DFF10C3FACE4AC28609A64F2BF5E635292D7FF4F57E5
PID: 6836
Process: WRCFree_11.1.7.722.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-KP7DB.tmp\CSTask.exe
Type: executable
MD5:183F106261F3A193E9F26A8B5EF11417
SHA256:68DEE14B0CA784A9C98FA8B09BF5DC0F9DC31734E953BA04345ADEAECCA9D32A
PID: 6836
Process: WRCFree_11.1.7.722.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-KP7DB.tmp\is-V1D6L.tmp
Type: executable
MD5:183F106261F3A193E9F26A8B5EF11417
SHA256:68DEE14B0CA784A9C98FA8B09BF5DC0F9DC31734E953BA04345ADEAECCA9D32A
PID: 6836
Process: WRCFree_11.1.7.722.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-KP7DB.tmp\license.txt
Type: text
MD5:4A0F1A666912E64F1BA811FC24D7135F
SHA256:D6B418C619BA7456B594DFF10C3FACE4AC28609A64F2BF5E635292D7FF4F57E5
PID: 6836
Process: WRCFree_11.1.7.722.tmp
Filename: C:\Program Files (x86)\Wise\Wise Registry Cleaner\LiveUpdate.exe
Type: executable
MD5:7C88467822A9648654FA08F6F20EDA1A
SHA256:5494B196EC622D86D857F1B85F2D8A2ED2E315CE5FB8AEA7062A102F28959A58
PID: 6836
Process: WRCFree_11.1.7.722.tmp
Filename: C:\Program Files (x86)\Wise\Wise Registry Cleaner\License.txt
Type: text
MD5:4A0F1A666912E64F1BA811FC24D7135F
SHA256:D6B418C619BA7456B594DFF10C3FACE4AC28609A64F2BF5E635292D7FF4F57E5
PID: 6836
Process: WRCFree_11.1.7.722.tmp
Filename: C:\Program Files (x86)\Wise\Wise Registry Cleaner\is-RMPL3.tmp
Type: executable
MD5:F3059883BA12E5C9FCD7E26D6B9A80F6
SHA256:A3A34F6F67AA5AF6E179D40B901E53F87204FF21FDEC8AB060AAA8EE371607A5
HTTP(S) requests
8
TCP/UDP connections
37
DNS requests
21
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.32.238.107:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4716
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6168
WiseRegCleaner.exe
GET
200
104.26.3.143:80
http://info.wisecleaner.com/info_group/images/2024/12/10/093752959.png
unknown
whitelisted
3736
SIHClient.exe
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
3736
SIHClient.exe
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5856
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
23.32.238.107:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.218.209.163:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5064
SearchApp.exe
104.126.37.136:443
www.bing.com
Akamai International B.V.
DE
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
1176
svchost.exe
40.126.32.72:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1176
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
1076
svchost.exe
23.218.210.69:443
go.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 23.32.238.107
  • 23.32.238.112
whitelisted
google.com
  • 142.250.185.174
whitelisted
www.microsoft.com
  • 23.218.209.163
whitelisted
www.bing.com
  • 104.126.37.136
  • 104.126.37.130
  • 104.126.37.176
  • 104.126.37.178
  • 104.126.37.131
  • 104.126.37.179
  • 104.126.37.185
  • 104.126.37.163
  • 104.126.37.186
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.72
  • 40.126.32.68
  • 20.190.160.20
  • 20.190.160.14
  • 40.126.32.140
  • 40.126.32.133
  • 20.190.160.22
  • 20.190.160.17
whitelisted
go.microsoft.com
  • 23.218.210.69
whitelisted
ai.wisecleaner.com
  • 23.224.25.138
whitelisted
info.wisecleaner.com
  • 104.26.3.143
  • 172.67.68.11
  • 104.26.2.143
whitelisted

Threats

PID
Process
Class
Message
6168
WiseRegCleaner.exe
Potentially Bad Traffic
ET USER_AGENTS Suspicious User-Agent (Embarcadero URI Client/1.0)
Process
Message
WiseRegCleaner.exe
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WiseRegCleaner.exe
HKEY_LOCAL_MACHINE\*\Software\Policies
WiseRegCleaner.exe
*\Windows\system32\drivers\RockUsb.sys
WiseRegCleaner.exe
HKEY_USERS\*\ActivatableClasses\*
WiseRegCleaner.exe
Software\Policies
WiseRegCleaner.exe
*HKEY_CLASSES_ROOT\Drive\shell\cmd*
WiseRegCleaner.exe
HKEY_CLASSES_ROOT\Drive\
WiseRegCleaner.exe
*{BA126AD7-2166-11D1-B1D0-00805FC1270E}*
WiseRegCleaner.exe
*{00021401-0000-0000-C000-000000000046}*
WiseRegCleaner.exe
*\VirtualStore*