File name:

HousecallLauncher64.exe

Full analysis: https://app.any.run/tasks/ff62d193-7706-424a-8eae-19ccaa3ed55a
Verdict: Malicious activity
Analysis date: September 01, 2024, 07:40:45
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
exploit
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5:

418E07B780152848328A5157F6AB9F1A

SHA1:

0F9FC8D36792DDAC8A4B5B121665206719E7AAD2

SHA256:

1837FC18D5B779A7B47BB9163A7C93C995A7C814C2B38CC16A0CF2419BF8D2D1

SSDEEP:

98304:reU69y3++14wqVujtwhJ4j8LG3P8a9vHqw/s4fp57GBQEK85PQUhf6AXbjzWMoTK:wv7t

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • EXPLOIT has been detected (SURICATA)

      • Setup.exe (PID: 4680)

  • SUSPICIOUS

    • The process verifies whether the antivirus software is installed

      • HousecallLauncher64.exe (PID: 3964)
      • conhost.exe (PID: 5476)
      • conhost.exe (PID: 6988)
      • Setup.exe (PID: 4680)
      • patch64.exe (PID: 6272)
      • hcpackage64.exe.tmp (PID: 6352)
      • housecall.bin (PID: 6484)

    • Drops the executable file immediately after the start

      • HousecallLauncher64.exe (PID: 3964)
      • Setup.exe (PID: 4680)
      • patch64.exe (PID: 6272)
      • hcpackage64.exe.tmp (PID: 6352)

    • Executable content was dropped or overwritten

      • HousecallLauncher64.exe (PID: 3964)
      • Setup.exe (PID: 4680)
      • hcpackage64.exe.tmp (PID: 6352)
      • patch64.exe (PID: 6272)

    • Reads security settings of Internet Explorer

      • Setup.exe (PID: 4680)
      • housecall.bin (PID: 6484)

    • Checks Windows Trust Settings

      • Setup.exe (PID: 4680)
      • housecall.bin (PID: 6484)

    • Starts application with an unusual extension

      • Setup.exe (PID: 4680)

    • Process drops legitimate windows executable

      • hcpackage64.exe.tmp (PID: 6352)

    • Drops a system driver (possible attempt to evade defenses)

      • hcpackage64.exe.tmp (PID: 6352)

    • Adds/modifies Windows certificates

      • Setup.exe (PID: 4680)

    • Reads Internet Explorer settings

      • housecall.bin (PID: 6484)

    • Reads Microsoft Outlook installation path

      • housecall.bin (PID: 6484)

  • INFO

    • Creates files in the program directory

      • HousecallLauncher64.exe (PID: 3964)
      • Setup.exe (PID: 4680)
      • hcpackage64.exe.tmp (PID: 6352)
      • patch64.exe (PID: 6272)
      • housecall.bin (PID: 6484)

    • Checks supported languages

      • HousecallLauncher64.exe (PID: 3964)
      • Setup.exe (PID: 4680)
      • patch64.exe (PID: 6272)
      • hcpackage64.exe.tmp (PID: 6352)
      • housecall.bin (PID: 6484)

    • Reads the computer name

      • Setup.exe (PID: 4680)
      • housecall.bin (PID: 6484)

    • Reads the machine GUID from the registry

      • Setup.exe (PID: 4680)
      • housecall.bin (PID: 6484)

    • Checks proxy server information

      • Setup.exe (PID: 4680)
      • housecall.bin (PID: 6484)

    • Reads the software policy settings

      • Setup.exe (PID: 4680)
      • housecall.bin (PID: 6484)

    • Creates files or folders in the user directory

      • Setup.exe (PID: 4680)
      • housecall.bin (PID: 6484)

    • Reads Environment values

      • housecall.bin (PID: 6484)

    • Reads product name

      • housecall.bin (PID: 6484)

    • Process checks Internet Explorer phishing filters

      • housecall.bin (PID: 6484)

    • Process checks computer location settings

      • housecall.bin (PID: 6484)

    • The process uses the downloaded file

      • housecall.bin (PID: 6484)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2022:08:25 07:09:44+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.28
CodeSize: 483840
InitializedDataSize: 323072
UninitializedDataSize: -
EntryPoint: 0x27c34
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.62.1.1148
ProductVersionNumber: 1.62.1.1148
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Trend Micro Inc.
CoverageBuild: None
CompileOption: None
BuildType: Rel
FileDescription: Trend Micro Application Launcher
FileVersion: 1.62.1.1148
InternalName: AppLauncher.exe
LegalCopyright: Copyright (C) 2022 Trend Micro Incorporated. All rights reserved.
LegalTrademarks: Copyright (C) Trend Micro Inc.
OriginalFileName: 7zsfx.exe
ProductName: Trend Micro HouseCall
ProductVersion: 1.62
SpecialBuild: 1148
PrivateBuild: Build 1148 - None
Comments: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
139
Monitored processes
10
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start housecalllauncher64.exe #EXPLOIT setup.exe hcpackage64.exe.tmp conhost.exe no specs patch64.exe conhost.exe no specs sppextcomobj.exe no specs slui.exe no specs housecall.bin housecalllauncher64.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3660"C:\Users\admin\AppData\Local\Temp\HousecallLauncher64.exe" C:\Users\admin\AppData\Local\Temp\HousecallLauncher64.exeexplorer.exe
User:
admin
Company:
Trend Micro Inc.
Integrity Level:
MEDIUM
Description:
Trend Micro Application Launcher
Exit code:
3221226540
Version:
1.62.1.1148
Modules
Images
c:\users\admin\appdata\local\temp\housecalllauncher64.exe
c:\windows\system32\ntdll.dll
3964"C:\Users\admin\AppData\Local\Temp\HousecallLauncher64.exe" C:\Users\admin\AppData\Local\Temp\HousecallLauncher64.exe
explorer.exe
User:
admin
Company:
Trend Micro Inc.
Integrity Level:
HIGH
Description:
Trend Micro Application Launcher
Exit code:
0
Version:
1.62.1.1148
Modules
Images
c:\users\admin\appdata\local\temp\housecalllauncher64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
4440C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
4680.\setup.exeC:\Program Files\Trend Micro\7zSC7FD20D2\Setup.exe
HousecallLauncher64.exe
User:
admin
Company:
Trend Micro Inc.
Integrity Level:
HIGH
Description:
Trend Micro HouseCall Launcher
Exit code:
0
Version:
1.62.1.1148
Modules
Images
c:\program files\trend micro\7zsc7fd20d2\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\ucrtbase.dll
5476\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exehcpackage64.exe.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5920"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exeSppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
6272"C:\Program Files\Trend Micro\7zSC7FD20D2\AU\patch64.exe" "C:\Program Files\Trend Micro\7zSC7FD20D2\AU\AU_Data\AU_Temp\4680_6696" 0C:\Program Files\Trend Micro\7zSC7FD20D2\AU\patch64.exe
Setup.exe
User:
admin
Company:
Trend Micro Inc.
Integrity Level:
HIGH
Description:
patch program
Exit code:
0
Version:
2.86.0.4017
Modules
Images
c:\program files\trend micro\7zsc7fd20d2\au\patch64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\kernel.appcore.dll
6352exe.exe -yC:\Program Files\Trend Micro\HCBackup\hcpackage64.exe.tmp
Setup.exe
User:
admin
Company:
trend_company_name
Integrity Level:
HIGH
Description:
Trend Micro HouseCall
Exit code:
0
Version:
1.62.1.1162
Modules
Images
c:\program files\trend micro\hcbackup\hcpackage64.exe.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6484"housecall.bin" A9DA2DD0 C5FF3CEDC:\Program Files\Trend Micro\HouseCall\housecall.bin
Setup.exe
User:
admin
Company:
Trend Micro Inc.
Integrity Level:
HIGH
Description:
Trend Micro HouseCall
Version:
1.62.1.1162
Modules
Images
c:\program files\trend micro\housecall\housecall.bin
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
6988\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepatch64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
14 036
Read events
14 007
Write events
24
Delete events
5

Modification events

(PID) Process:(4680) Setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\HouseCall
Operation:writeName:VID
Value:
HC202100
(PID) Process:(4680) Setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation:delete valueName:742C3192E607E424EB4549542BE1BBC53E6174E2
Value:
(PID) Process:(4680) Setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2
Operation:writeName:Blob
Value:
04000000010000001000000010FC635DF6263E0DF325BE5F79CD67677E0000000100000008000000000010C51E92D2011D000000010000001000000027B3517667331CE2C1E74002B5FF2298620000000100000020000000E7685634EFACF69ACE939A6B255B7B4FABEF42935B50A265ACB5CB6027E44E7009000000010000002A000000302806082B0601050507030206082B0601050507030306082B0601050507030406082B0601050507030119000000010000001000000091161B894B117ECDC257628DB460CC04030000000100000014000000742C3192E607E424EB4549542BE1BBC53E6174E20F0000000100000010000000D7C63BE0837DBABF881D4FBF5F986AD80B000000010000004600000056006500720069005300690067006E00200043006C006100730073002000330020005000750062006C006900630020005000720069006D00610072007900200043004100000053000000010000002400000030223020060A2B0601040182375E010130123010060A2B0601040182373C0101030200C0140000000100000014000000E27F7BD877D5DF9E0A3F9EB4CB0E2EA9EFDB69777A000000010000000E000000300C060A2B0601040182375E010268000000010000000800000000003DB65BD9D5012000000001000000400200003082023C308201A5021070BAE41D10D92934B638CA7B03CCBABF300D06092A864886F70D0101020500305F310B300906035504061302555331173015060355040A130E566572695369676E2C20496E632E31373035060355040B132E436C6173732033205075626C6963205072696D6172792043657274696669636174696F6E20417574686F72697479301E170D3936303132393030303030305A170D3238303830313233353935395A305F310B300906035504061302555331173015060355040A130E566572695369676E2C20496E632E31373035060355040B132E436C6173732033205075626C6963205072696D6172792043657274696669636174696F6E20417574686F7269747930819F300D06092A864886F70D010101050003818D0030818902818100C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A70203010001300D06092A864886F70D010102050003818100BB4C122BCF2C26004F1413DDA6FBFC0A11848CF3281C67922F7CB6C5FADFF0E895BC1D8F6C2CA851CC73D8A4C053F04ED626C076015781925E21F1D1B1FFE7D02158CD6917E3441C9C194439895CDC9C000F568D0299EDA290454CE4BB10A43DF032030EF1CEF8E8C9518CE6629FE69FC07DB7729CC9363A6B9F4EA8FF640D64
(PID) Process:(4680) Setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2
Operation:writeName:Blob
Value:
5C00000001000000040000000004000068000000010000000800000000003DB65BD9D5017A000000010000000E000000300C060A2B0601040182375E0102140000000100000014000000E27F7BD877D5DF9E0A3F9EB4CB0E2EA9EFDB697753000000010000002400000030223020060A2B0601040182375E010130123010060A2B0601040182373C0101030200C00B000000010000004600000056006500720069005300690067006E00200043006C006100730073002000330020005000750062006C006900630020005000720069006D0061007200790020004300410000000F0000000100000010000000D7C63BE0837DBABF881D4FBF5F986AD8030000000100000014000000742C3192E607E424EB4549542BE1BBC53E6174E219000000010000001000000091161B894B117ECDC257628DB460CC0409000000010000002A000000302806082B0601050507030206082B0601050507030306082B0601050507030406082B06010505070301620000000100000020000000E7685634EFACF69ACE939A6B255B7B4FABEF42935B50A265ACB5CB6027E44E701D000000010000001000000027B3517667331CE2C1E74002B5FF22987E0000000100000008000000000010C51E92D20104000000010000001000000010FC635DF6263E0DF325BE5F79CD67672000000001000000400200003082023C308201A5021070BAE41D10D92934B638CA7B03CCBABF300D06092A864886F70D0101020500305F310B300906035504061302555331173015060355040A130E566572695369676E2C20496E632E31373035060355040B132E436C6173732033205075626C6963205072696D6172792043657274696669636174696F6E20417574686F72697479301E170D3936303132393030303030305A170D3238303830313233353935395A305F310B300906035504061302555331173015060355040A130E566572695369676E2C20496E632E31373035060355040B132E436C6173732033205075626C6963205072696D6172792043657274696669636174696F6E20417574686F7269747930819F300D06092A864886F70D010101050003818D0030818902818100C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A70203010001300D06092A864886F70D010102050003818100BB4C122BCF2C26004F1413DDA6FBFC0A11848CF3281C67922F7CB6C5FADFF0E895BC1D8F6C2CA851CC73D8A4C053F04ED626C076015781925E21F1D1B1FFE7D02158CD6917E3441C9C194439895CDC9C000F568D0299EDA290454CE4BB10A43DF032030EF1CEF8E8C9518CE6629FE69FC07DB7729CC9363A6B9F4EA8FF640D64
(PID) Process:(4680) Setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation:delete valueName:4F65566336DB6598581D584A596C87934D5F2AB4
Value:
(PID) Process:(4680) Setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F65566336DB6598581D584A596C87934D5F2AB4
Operation:writeName:Blob
Value:
5C00000001000000040000000004000019000000010000001000000091161B894B117ECDC257628DB460CC040300000001000000140000004F65566336DB6598581D584A596C87934D5F2AB41D000000010000001000000027B3517667331CE2C1E74002B5FF2298140000000100000014000000E27F7BD877D5DF9E0A3F9EB4CB0E2EA9EFDB697709000000010000002A000000302806082B0601050507030406082B0601050507030206082B0601050507030306082B060105050703010B000000010000003800000056006500720069005300690067006E00200043006C006100730073002000330020005000720069006D006100720079002000430041000000040000000100000010000000782A02DFDB2E14D5A75F0ADFB68E9C5D0F0000000100000010000000F1BBAC2D9038DDEC8DB173C53BC72A2A2000000001000000410200003082023D308201A6021100E49EFDF33AE80ECFA5113E19A4240232300D06092A864886F70D0101020500305F310B300906035504061302555331173015060355040A130E566572695369676E2C20496E632E31373035060355040B132E436C6173732033205075626C6963205072696D6172792043657274696669636174696F6E20417574686F72697479301E170D3936303132393030303030305A170D3034303130373233353935395A305F310B300906035504061302555331173015060355040A130E566572695369676E2C20496E632E31373035060355040B132E436C6173732033205075626C6963205072696D6172792043657274696669636174696F6E20417574686F7269747930819F300D06092A864886F70D010101050003818D0030818902818100C95C599EF21B8A0114B410DF0440DBE357AF6A45408F840C0BD133D9D911CFEE02581F25F72AA84405AAEC031F787F9E93B99A00AA237DD6AC85A26345C77227CCF44CC67571D239EF4F42F075DF0A90C68E206F980FF8AC235F702936A4C986E7B19A20CB53A585E73DBE7D9AFE244533DC7615ED0FA271644C652E816845A70203010001300D06092A864886F70D0101020500038181006170EC2F3F9EFD2BE6685421B06779080C2096318A0D7ABEB626DF792C22694936E397776261A232D77A542136BA02C934E725DA4435B0D25C805DB394F8F9ACEEA460752A1F954923B14A7CF4B34772215B7E97AB54AC62E75DECAE9BD2C9B224FB82ADE967154BBAAAA6F097A0F6B0975700C80C3C09A08204BA41DAF799A4
(PID) Process:(4680) Setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation:delete valueName:E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Value:
(PID) Process:(4680) Setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Operation:writeName:Blob
Value:
040000000100000010000000A7F2E41606411150306B9CE3B49CB0C97E0000000100000008000000000063F58926D701140000000100000014000000DAED6474149C143CABDD99A9BD5B284D8B3CC9D8090000000100000022000000302006082B06010505070303060A2B0601040182370A030406082B06010505070308190000000100000010000000E843AC3B52EC8C297FA948C9B1FB2819030000000100000014000000E12DFB4B41D7D9C32B30514BAC1D81D8385E2D460F0000000100000014000000F45A0858C9CD920E647BAD539AB9F1CFC77F24CB0B000000010000002A0000005300650063007400690067006F0020002800550054004E0020004F0062006A00650063007400290000006200000001000000200000006FFF78E400A70C11011CD85977C459FB5AF96A3DF0540820D0F4B8607875E58F1D0000000100000010000000F919B9CCCE1E59C2E785F7DC2CCF670868000000010000000800000000409120D035D90120000000010000006A040000308204663082034EA003020102021044BE0C8B500024B411D3362DE0B35F1B300D06092A864886F70D0101050500308195310B3009060355040613025553310B3009060355040813025554311730150603550407130E53616C74204C616B652043697479311E301C060355040A131554686520555345525452555354204E6574776F726B3121301F060355040B1318687474703A2F2F7777772E7573657274727573742E636F6D311D301B0603550403131455544E2D5553455246697273742D4F626A656374301E170D3939303730393138333132305A170D3139303730393138343033365A308195310B3009060355040613025553310B3009060355040813025554311730150603550407130E53616C74204C616B652043697479311E301C060355040A131554686520555345525452555354204E6574776F726B3121301F060355040B1318687474703A2F2F7777772E7573657274727573742E636F6D311D301B0603550403131455544E2D5553455246697273742D4F626A65637430820122300D06092A864886F70D01010105000382010F003082010A0282010100CEAA813FA3A36178AA31005595119E270F1F1CDF3A9B826830C04A611DF12F0EFABE79F7A523EF55519684CDDBE3B96E3E31D80A2067C7F4D9BF94EB47043E02CE2AA25D870409F6309D188A97B2AA1CFC41D2A136CBFB3D91BAE7D97035FAE4E790C39BA39BD33CF5129977B1B709E068E61CB8F39463886A6AFE0B76C9BEF422E467B9AB1A5E77C18507DD0D6CBFEE06C7776A419EA70FD7FBEE9417B7FC85BEA4ABC41C31DDD7B6D1E4F0EFDF168FB25293D7A1D489A1072EBFE10112421E1AE1D89534DB647928FFBA2E11C2E5E85B9248FB470BC26CDAAD328341F3A5E54170FD65906DFAFA51C4F9BD962B19042CD36DA7DCF07F6F8365E26AAB8786750203010001A381AF3081AC300B0603551D0F0404030201C6300F0603551D130101FF040530030101FF301D0603551D0E04160414DAED6474149C143CABDD99A9BD5B284D8B3CC9D830420603551D1F043B30393037A035A0338631687474703A2F2F63726C2E7573657274727573742E636F6D2F55544E2D5553455246697273742D4F626A6563742E63726C30290603551D250422302006082B0601050507030306082B06010505070308060A2B0601040182370A0304300D06092A864886F70D01010505000382010100081F52B1374478DBFDCEB9DA959698AA556480B55A40DD21A5C5C1F35F2C4CC8475A69EAE8F03535F4D025F3C8A6A4874ABD1BB17308BDD4C3CAB635BB59867731CDA78014AE13EFFCB148F96B25252D51B62C6D45C198C88A565D3EEE434E3E6B278ED03A4B850B5FD3ED6AA775CBD15A872F3975135A72B002819FBEF00F845420626C69D4E14DC60D9943010D12968C789DBF50A2B144AA6ACF177ACF6F0FD4F824555FF0341649663E5046C96371383162B862B9F353AD6CB52BA212AA194F09DA5EE793C68E1408FEF0308018A086854DC87DD78B03FE6ED5F79D16AC922CA023E59C91521F94DF179473C3B3C1C17105200078BD13521DA83ECD001FC8
(PID) Process:(4680) Setup.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46
Operation:writeName:Blob
Value:
5C00000001000000040000000008000068000000010000000800000000409120D035D9011D0000000100000010000000F919B9CCCE1E59C2E785F7DC2CCF67086200000001000000200000006FFF78E400A70C11011CD85977C459FB5AF96A3DF0540820D0F4B8607875E58F0B000000010000002A0000005300650063007400690067006F0020002800550054004E0020004F0062006A00650063007400290000000F0000000100000014000000F45A0858C9CD920E647BAD539AB9F1CFC77F24CB030000000100000014000000E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46190000000100000010000000E843AC3B52EC8C297FA948C9B1FB2819090000000100000022000000302006082B06010505070303060A2B0601040182370A030406082B06010505070308140000000100000014000000DAED6474149C143CABDD99A9BD5B284D8B3CC9D87E0000000100000008000000000063F58926D701040000000100000010000000A7F2E41606411150306B9CE3B49CB0C920000000010000006A040000308204663082034EA003020102021044BE0C8B500024B411D3362DE0B35F1B300D06092A864886F70D0101050500308195310B3009060355040613025553310B3009060355040813025554311730150603550407130E53616C74204C616B652043697479311E301C060355040A131554686520555345525452555354204E6574776F726B3121301F060355040B1318687474703A2F2F7777772E7573657274727573742E636F6D311D301B0603550403131455544E2D5553455246697273742D4F626A656374301E170D3939303730393138333132305A170D3139303730393138343033365A308195310B3009060355040613025553310B3009060355040813025554311730150603550407130E53616C74204C616B652043697479311E301C060355040A131554686520555345525452555354204E6574776F726B3121301F060355040B1318687474703A2F2F7777772E7573657274727573742E636F6D311D301B0603550403131455544E2D5553455246697273742D4F626A65637430820122300D06092A864886F70D01010105000382010F003082010A0282010100CEAA813FA3A36178AA31005595119E270F1F1CDF3A9B826830C04A611DF12F0EFABE79F7A523EF55519684CDDBE3B96E3E31D80A2067C7F4D9BF94EB47043E02CE2AA25D870409F6309D188A97B2AA1CFC41D2A136CBFB3D91BAE7D97035FAE4E790C39BA39BD33CF5129977B1B709E068E61CB8F39463886A6AFE0B76C9BEF422E467B9AB1A5E77C18507DD0D6CBFEE06C7776A419EA70FD7FBEE9417B7FC85BEA4ABC41C31DDD7B6D1E4F0EFDF168FB25293D7A1D489A1072EBFE10112421E1AE1D89534DB647928FFBA2E11C2E5E85B9248FB470BC26CDAAD328341F3A5E54170FD65906DFAFA51C4F9BD962B19042CD36DA7DCF07F6F8365E26AAB8786750203010001A381AF3081AC300B0603551D0F0404030201C6300F0603551D130101FF040530030101FF301D0603551D0E04160414DAED6474149C143CABDD99A9BD5B284D8B3CC9D830420603551D1F043B30393037A035A0338631687474703A2F2F63726C2E7573657274727573742E636F6D2F55544E2D5553455246697273742D4F626A6563742E63726C30290603551D250422302006082B0601050507030306082B06010505070308060A2B0601040182370A0304300D06092A864886F70D01010505000382010100081F52B1374478DBFDCEB9DA959698AA556480B55A40DD21A5C5C1F35F2C4CC8475A69EAE8F03535F4D025F3C8A6A4874ABD1BB17308BDD4C3CAB635BB59867731CDA78014AE13EFFCB148F96B25252D51B62C6D45C198C88A565D3EEE434E3E6B278ED03A4B850B5FD3ED6AA775CBD15A872F3975135A72B002819FBEF00F845420626C69D4E14DC60D9943010D12968C789DBF50A2B144AA6ACF177ACF6F0FD4F824555FF0341649663E5046C96371383162B862B9F353AD6CB52BA212AA194F09DA5EE793C68E1408FEF0308018A086854DC87DD78B03FE6ED5F79D16AC922CA023E59C91521F94DF179473C3B3C1C17105200078BD13521DA83ECD001FC8
(PID) Process:(6484) housecall.binKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
49
Suspicious files
94
Text files
266
Unknown types
4

Dropped files

PID
Process
Filename
Type
3964HousecallLauncher64.exeC:\Program Files\Trend Micro\7zSC7FD20D2\AU\x500.dbvc
MD5:89C5532ADFCEA2ED37898C60ECDB852D
SHA256:59D0C7A602CD0FC9021F76233B55FD1BC53949C7A00894195364931EF6626BB2
3964HousecallLauncher64.exeC:\Program Files\Trend Micro\7zSC7FD20D2\curl-ca-bundle.crttext
MD5:C658D9F253217D3C010B830D05973BB7
SHA256:193A35B6DE7EE049FF512599DD4E8290DC30C2F47F9A3818CA8F273FFCA683DB
3964HousecallLauncher64.exeC:\Program Files\Trend Micro\7zSC7FD20D2\Setup.exeexecutable
MD5:B820FF09EC68AB12E05D9734AEB5A39F
SHA256:2DADD9F15A34755C145B370A3E179509D1ED035E94C5168FF7EC033CD2544FFE
3964HousecallLauncher64.exeC:\Program Files\Trend Micro\7zSC7FD20D2\HouseCall_downloader.bmpbinary
MD5:50960AC419774A394710258261E2DC8B
SHA256:15224BC0D04B82FBA0DB9AD5D7AC283FF914208B8DF13E2DDDC6DCDEC3D127E9
3964HousecallLauncher64.exeC:\Program Files\Trend Micro\7zSC7FD20D2\dlstr.xmlxml
MD5:60E94A31FA1251D3AA133739D77FA17A
SHA256:14E72CF1853BD1FDDDB5A2FED569CFBA4C406CD704E03F652323EC60DC7FE792
4680Setup.exeC:\Program Files\Trend Micro\HCLauncher.logtext
MD5:B52EB0C1D4BC775A2CD93BEB6831ECD6
SHA256:E7D739FFC8861703F19540CA942486345D749726E9CFA5C95F3B22AB2673955D
3964HousecallLauncher64.exeC:\Program Files\Trend Micro\7zSC7FD20D2\AU\patch64.exeexecutable
MD5:6C552231F756555707B9AAC825BAC7E8
SHA256:B95991219D45381C2CBC8691DD7AAFF710F43E66F187D3394643B075763F6A16
3964HousecallLauncher64.exeC:\Program Files\Trend Micro\7zSC7FD20D2\AU\ciuas64.dllexecutable
MD5:8F693BB576A79C0BBEEBA28E9CC0D442
SHA256:A4EFCF7087E4C5927D999A61141CAEDF6DAC8529CF337C0CAF895F9DD67359B6
3964HousecallLauncher64.exeC:\Program Files\Trend Micro\7zSC7FD20D2\AU\cert5.dbbinary
MD5:9ACD3CE1042E886A670A31B28DA52D86
SHA256:89BE735EEBEBC0927CEDE1065FA9443C9332F707A2A8D341A680C9B778E32BCB
3964HousecallLauncher64.exeC:\Program Files\Trend Micro\7zSC7FD20D2\AU\TmUpdate64.dllexecutable
MD5:B63C61906BC9AA252710CB535B47C95A
SHA256:A2703CD2647D6F7362FF692E904493EF5A300C82D839FD9EEAA670D66B40A7AB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
28
TCP/UDP connections
42
DNS requests
22
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4680
Setup.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D
unknown
whitelisted
4680
Setup.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAWt5G2wKi94RiopNyfo2HQ%3D
unknown
whitelisted
4680
Setup.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEALE0eWKSmgMVo2jBH5%2BTV8%3D
unknown
whitelisted
4680
Setup.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRm%2FrYSaqNr0YBIv29H4pMHhv2XmQQUl0gD6xUIa7myWCPMlC7xxmXSZI4CEA6g%2Fk37dMxkvDIUMQPCfIs%3D
unknown
whitelisted
4680
Setup.exe
HEAD
200
184.25.219.29:80
http://housecall-ctp-p.activeupdate.trendmicro.com:80/activeupdate/ini_xml.zip
unknown
whitelisted
4680
Setup.exe
GET
200
184.25.219.29:80
http://housecall-ctp-p.activeupdate.trendmicro.com:80/activeupdate/ini_xml.zip
unknown
whitelisted
2016
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4680
Setup.exe
GET
200
184.25.219.29:80
http://housecall-ctp-p.activeupdate.trendmicro.com:80/activeupdate/engine/engv_x64dll_v22610-1017.zip
unknown
whitelisted
4680
Setup.exe
GET
200
184.25.219.29:80
http://housecall-ctp-p.activeupdate.trendmicro.com:80/activeupdate/pattern/icrc/ioth1956300.zip
unknown
whitelisted
6120
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6612
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:137
whitelisted
6160
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4680
Setup.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4680
Setup.exe
184.30.20.162:443
ti-res.trendmicro.com
AKAMAI-AS
DE
whitelisted
4680
Setup.exe
184.25.219.29:80
housecall-ctp-p.activeupdate.trendmicro.com
AKAMAI-AS
DE
whitelisted
2016
svchost.exe
40.126.32.74:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3260
svchost.exe
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 216.58.206.78
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
ti-res.trendmicro.com
  • 184.30.20.162
whitelisted
housecall-ctp-p.activeupdate.trendmicro.com
  • 184.25.219.29
whitelisted
login.live.com
  • 40.126.32.74
  • 20.190.160.20
  • 40.126.32.72
  • 40.126.32.134
  • 40.126.32.68
  • 40.126.32.138
  • 40.126.32.76
  • 20.190.160.22
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
slscr.update.microsoft.com
  • 20.114.59.183
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted

Threats

PID
Process
Class
Message
Attempted Administrator Privilege Gain
AV EXPLOIT Potential ZIP file exploiting CVE-2023-36413
Attempted Administrator Privilege Gain
AV EXPLOIT Potential ZIP file exploiting CVE-2023-36413
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
HousecallLauncher64.exe