File name: Wise Care 365 Pro 7.1.0.692.exe

Full analysis: https://app.any.run/tasks/7b45a423-7b6c-4eb4-861a-3e3478b446ab
Verdict: Malicious activity
Analysis date: January 16, 2025, 08:39:55
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: autoit
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 1C7814BB99D7869AAB29FDF1AF3E83C7
SHA1: 32585F7EE35677983014141624DBCCD1C79C1FB6
SHA256: E9CA3F4EB3A75CFC5115CED57E750D9CEE458CDD2F119D7E554C07DC6DF49E4E
SSDEEP: 98304:sP/mp7t3T4+B/btosJwIA4hHmZlKH2Tw/Pq83zw0bCjvkm6VLuuOcgk7DjYSWIs8:IJ9AjClMhSwo9VKHCmfSFvT4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • WiseTray.exe (PID: 5340)
  • SUSPICIOUS

    • Starts application with an unusual extension

      • Wise Care 365 Pro 7.1.0.692.exe (PID: 6648)
    • Executable content was dropped or overwritten

      • Wise Care 365 Pro 7.1.0.692.exe (PID: 6648)
      • ~umjkffw.tmp (PID: 6688)
      • ~umjkffw.tmp (PID: 6708)
    • Reads the Windows owner or organization settings

      • ~umjkffw.tmp (PID: 6708)
    • Process drops legitimate windows executable

      • ~umjkffw.tmp (PID: 6708)
  • INFO

    • Checks supported languages

      • Wise Care 365 Pro 7.1.0.692.exe (PID: 6648)
      • ~umjkffw.tmp (PID: 6688)
      • ~umjkffw.tmp (PID: 6708)
      • WiseCare365.exe (PID: 1140)
      • WiseTray.exe (PID: 5340)
    • The sample compiled with english language support

      • Wise Care 365 Pro 7.1.0.692.exe (PID: 6648)
      • ~umjkffw.tmp (PID: 6708)
    • Reads mouse settings

      • Wise Care 365 Pro 7.1.0.692.exe (PID: 6648)
    • Reads the computer name

      • ~umjkffw.tmp (PID: 6688)
      • ~umjkffw.tmp (PID: 6708)
    • Create files in a temporary directory

      • ~umjkffw.tmp (PID: 6688)
    • Creates files in the program directory

      • ~umjkffw.tmp (PID: 6708)
    • The process uses AutoIt

      • Wise Care 365 Pro 7.1.0.692.exe (PID: 6648)
    • Manual execution by a user

      • WiseCare365.exe (PID: 4164)
      • WiseCare365.exe (PID: 1140)
    • Sends debugging messages

      • WiseCare365.exe (PID: 1140)
    • Reads the software policy settings

      • WiseCare365.exe (PID: 1140)
No Malware configuration.

TRiD

.exe | Win32 EXE PECompact compressed (generic) (53.4)
.exe | Win64 Executable (generic) (35.5)
.exe | Win32 Executable (generic) (5.8)
.exe | Generic Win/DOS Executable (2.5)
.exe | DOS Executable Generic (2.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:12:16 05:26:04+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 633856
InitializedDataSize: 15474176
UninitializedDataSize: -
EntryPoint: 0x20577
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 7.1.0.692
ProductVersionNumber: 7.1.0.692
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileVersion: 7.1.0.692
Comments: SolidShare.Net Unattended Installer
FileDescription: SolidShare.Net Unattended Installer
LegalCopyright: © 2024 By KiNGHaZe
CompanyName: SolidShare TEAM
ProductName: Wise Care 365 Pro
ProductVersion: 7.1.0.692
No data.
Total processes: 126
Monitored processes: 8
Malicious processes: 1
Suspicious processes: 3

Behavior graph

Processes shown in the graph, in order: wise care 365 pro 7.1.0.692.exe; ~umjkffw.tmp; ~umjkffw.tmp; rundll32.exe (no specs); wisecare365.exe (no specs); wisecare365.exe; wisetray.exe (no specs); wise care 365 pro 7.1.0.692.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process

PID: 1140
CMD: "C:\Program Files (x86)\Wise\Wise Care 365\WiseCare365.exe"
Path: C:\Program Files (x86)\Wise\Wise Care 365\WiseCare365.exe
Parent process: explorer.exe
User: admin
Company: WiseCleaner.com
Integrity Level: HIGH
Description: Wise Care 365
Version: 7.1.0.692

PID: 4164
CMD: "C:\Program Files (x86)\Wise\Wise Care 365\WiseCare365.exe"
Path: C:\Program Files (x86)\Wise\Wise Care 365\WiseCare365.exe
Parent process: explorer.exe
User: admin
Company: WiseCleaner.com
Integrity Level: MEDIUM
Description: Wise Care 365
Exit code: 3221226540
Version: 7.1.0.692

PID: 5340
CMD: "C:\Program Files (x86)\Wise\Wise Care 365\WiseTray.exe"
Path: C:\Program Files (x86)\Wise\Wise Care 365\WiseTray.exe
Parent process: WiseCare365.exe
User: admin
Company: WiseCleaner.com
Integrity Level: HIGH
Description: Wise Care 365 Tray
Version: 7.0.8.403

PID: 6164
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 6496
CMD: "C:\Users\admin\AppData\Local\Temp\Wise Care 365 Pro 7.1.0.692.exe"
Path: C:\Users\admin\AppData\Local\Temp\Wise Care 365 Pro 7.1.0.692.exe
Parent process: explorer.exe
User: admin
Company: SolidShare TEAM
Integrity Level: MEDIUM
Description: SolidShare.Net Unattended Installer
Exit code: 3221226540
Version: 7.1.0.692

PID: 6648
CMD: "C:\Users\admin\AppData\Local\Temp\Wise Care 365 Pro 7.1.0.692.exe"
Path: C:\Users\admin\AppData\Local\Temp\Wise Care 365 Pro 7.1.0.692.exe
Parent process: explorer.exe
User: admin
Company: SolidShare TEAM
Integrity Level: HIGH
Description: SolidShare.Net Unattended Installer
Exit code: 0
Version: 7.1.0.692

PID: 6688
CMD: "C:\Program Files (x86)\Common Files\~umjkffw.tmp" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
Path: C:\Program Files (x86)\Common Files\~umjkffw.tmp
Parent process: Wise Care 365 Pro 7.1.0.692.exe
User: admin
Company: WiseCleaner.com, Inc.
Integrity Level: HIGH
Description: Wise Care 365 Installer
Exit code: 0
Version: 7.1.0.692

PID: 6708
CMD: "C:\Users\admin\AppData\Local\Temp\is-R7SQI.tmp\~umjkffw.tmp" /SL5="$402D2,14087137,899584,C:\Program Files (x86)\Common Files\~umjkffw.tmp" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
Path: C:\Users\admin\AppData\Local\Temp\is-R7SQI.tmp\~umjkffw.tmp
Parent process: ~umjkffw.tmp
User: admin
Company: WiseCleaner.com, Inc.
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0

Total events: 4 430
Read events: 4 391
Write events: 34
Delete events: 5

Modification events

(PID) Process: (6708) ~umjkffw.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\WiseCleaner\WiseCare365
Operation: write
Name: path
Value: C:\Program Files (x86)\Wise\Wise Care 365

(PID) Process: (6708) ~umjkffw.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\WiseCleaner\WiseCare365
Operation: write
Name: Product Name
Value: Wise Care 365

(PID) Process: (6708) ~umjkffw.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\WiseCleaner\WiseCare365
Operation: delete value
Name: User Name
Value:

(PID) Process: (6708) ~umjkffw.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\WiseCleaner\WiseCare365
Operation: write
Name: User Name
Value: WiseCleaner.com

(PID) Process: (6708) ~umjkffw.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\WiseCleaner\WiseCare365
Operation: delete value
Name: User Email
Value:

(PID) Process: (6708) ~umjkffw.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\WiseCleaner\WiseCare365
Operation: write
Name: User Email
Value: info@wisecleaner.com

(PID) Process: (6708) ~umjkffw.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\WiseCleaner\WiseCare365
Operation: delete value
Name: License Key
Value:

(PID) Process: (6708) ~umjkffw.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\WiseCleaner\WiseCare365
Operation: write
Name: License Key
Value: E74D-1436-0360D2-4E4E-50FC

(PID) Process: (6708) ~umjkffw.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\WiseCleaner\WiseCare365
Operation: delete value
Name: Expire Date
Value:

(PID) Process: (6708) ~umjkffw.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\WiseCleaner\WiseCare365
Operation: write
Name: Expire Date
Value: 00000000F01CE740

Executable files: 36
Suspicious files: 16
Text files: 234
Unknown types: 0

Dropped files

PID
Process
Filename
Type

PID: 6708
Process: ~umjkffw.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-M7KP1.tmp\_isetup\_setup64.tmp
Type: executable
MD5:E4211D6D009757C078A9FAC7FF4F03D4
SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

PID: 6688
Process: ~umjkffw.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-R7SQI.tmp\~umjkffw.tmp
Type: executable
MD5:DFB6FACC5215165A1A39A6BCC2B6D071
SHA256:68E762E98F0B5BD5C66833CD941DF0F43F69DBB97EF85EE10A52729A3E03074A

PID: 6708
Process: ~umjkffw.tmp
Filename: C:\Program Files (x86)\Wise\Wise Care 365\headers\a1.png
Type: image
MD5:65D419890C0B4AD328A1130442B0318B
SHA256:E45C5AD392B5088C5F5D287176669E376BB5DA0FF8B66EA2A4B43627DE6CB470

PID: 6708
Process: ~umjkffw.tmp
Filename: C:\Program Files (x86)\Wise\Wise Care 365\headers\is-2NQ1O.tmp
Type: image
MD5:65D419890C0B4AD328A1130442B0318B
SHA256:E45C5AD392B5088C5F5D287176669E376BB5DA0FF8B66EA2A4B43627DE6CB470

PID: 6708
Process: ~umjkffw.tmp
Filename: C:\Program Files (x86)\Wise\Wise Care 365\unins000.exe
Type: executable
MD5:CCB25175D72B439F93EB01957F7E1B68
SHA256:866405C534DFF748B65F92B13F90BAAF2783440E274F64FDCAE2A2133E3FEE73

PID: 6648
Process: Wise Care 365 Pro 7.1.0.692.exe
Filename: C:\Program Files (x86)\Common Files\~umjkffw.tmp
Type: executable
MD5:C8123C7D0AC839E698FAED54628C2F28
SHA256:C3EC8668A280EF16BA69E86C638B5A7CB9D4AE87E48D13111E97A0BC787DFAEB

PID: 6708
Process: ~umjkffw.tmp
Filename: C:\Program Files (x86)\Wise\Wise Care 365\headers\is-RB7E7.tmp
Type: image
MD5:A7C9A5D6010B920F37FA6B3FE5B3BEEC
SHA256:F9A36D9C9728012B9DE006163F757838B443ADDBE62F61C2725C60026C2C9694

PID: 6648
Process: Wise Care 365 Pro 7.1.0.692.exe
Filename: C:\Users\admin\AppData\Local\Temp\aut7274.tmp
Type: executable
MD5:C8123C7D0AC839E698FAED54628C2F28
SHA256:C3EC8668A280EF16BA69E86C638B5A7CB9D4AE87E48D13111E97A0BC787DFAEB

PID: 6708
Process: ~umjkffw.tmp
Filename: C:\Program Files (x86)\Wise\Wise Care 365\is-T9SH4.tmp
Type: executable
MD5:CCB25175D72B439F93EB01957F7E1B68
SHA256:866405C534DFF748B65F92B13F90BAAF2783440E274F64FDCAE2A2133E3FEE73

PID: 6708
Process: ~umjkffw.tmp
Filename: C:\Program Files (x86)\Wise\Wise Care 365\headers\is-M2T2T.tmp
Type: image
MD5:BDE942DFE1395CEE629207AA51D19EAC
SHA256:0F914422B94FF7C2C090C2DE41A2D90837584731618A277FA8261CB1D3F4DE7F

HTTP(S) requests: 9
TCP/UDP connections: 35
DNS requests: 16
Threats: 0

HTTP requests


Connections


DNS requests


Threats

No threats detected

Process: WiseCare365.exe
Message: WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.