| File name: | PatchCleaner_1.4.2.0.exe |
| Full analysis: | https://app.any.run/tasks/1801cf2c-f0b6-4d7b-8f68-264782f8dbb9 |
| Verdict: | Malicious activity |
| Threats: | Raccoon is an info stealer type malware available as a Malware as a Service. It can be obtained for a subscription and costs $200 per month. Raccoon malware has already infected over 100,000 devices and became one of the most mentioned viruses on the underground forums in 2019. |
| Analysis date: | March 19, 2024, 13:16:11 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 70D0BD7633D10C492839272C97B2544E |
| SHA1: | 4DA0E8C2FE1F06B13985D700FE15686A1015C3BB |
| SHA256: | 6472DE894C5CB6050FD80CDD893B8772AEF71F8BDB5C65A0175CF7CBB90E6EC6 |
| SSDEEP: | 49152:/hUhnNLygNCtZ7TbDQ/ukd5A7N3dIYjZXZceR9pv+MLwUUWOrud3u8QhEDsy/0JC:/hUhnN2ZtGuqA7NNVZp1+MLVYKd3xsEx |
MALICIOUS
Drops the executable file immediately after the start
- PatchCleaner_1.4.2.0.exe (PID: 2408)
Raccoon mutex has been detected
- PatchCleaner.exe (PID: 3192)
SUSPICIOUS
Reads the Internet Settings
- setup.exe (PID: 1824)
- PatchCleaner.exe (PID: 3192)
Executable content was dropped or overwritten
- PatchCleaner_1.4.2.0.exe (PID: 2408)
Drops 7-zip archiver for unpacking
- PatchCleaner_1.4.2.0.exe (PID: 2408)
Executes as Windows Service
- VSSVC.exe (PID: 2644)
Reads security settings of Internet Explorer
- setup.exe (PID: 1824)
- PatchCleaner.exe (PID: 3192)
The process executes VB scripts
- PatchCleaner.exe (PID: 3192)
Writes binary data to a Stream object (SCRIPT)
- cscript.exe (PID: 268)
- cscript.exe (PID: 2380)
Reads data from a binary Stream object (SCRIPT)
- cscript.exe (PID: 268)
- cscript.exe (PID: 2380)
Creates FileSystem object to access computer's file system (SCRIPT)
- cscript.exe (PID: 2380)
- cscript.exe (PID: 268)
Checks whether a specific file exists (SCRIPT)
- cscript.exe (PID: 2380)
- cscript.exe (PID: 268)
Process drops legitimate windows executable
- msiexec.exe (PID: 696)
Non-standard symbols in registry
- WINWORD.EXE (PID: 2992)
INFO
Checks supported languages
- setup.exe (PID: 1824)
- PatchCleaner_1.4.2.0.exe (PID: 2408)
- wmpnscfg.exe (PID: 3036)
- PatchCleaner.exe (PID: 3192)
Reads the machine GUID from the registry
- setup.exe (PID: 1824)
- PatchCleaner.exe (PID: 3192)
Create files in a temporary directory
- PatchCleaner_1.4.2.0.exe (PID: 2408)
- setup.exe (PID: 1824)
- PatchCleaner.exe (PID: 3192)
Reads security settings of Internet Explorer
- msiexec.exe (PID: 696)
- cscript.exe (PID: 268)
- cscript.exe (PID: 2380)
Reads the computer name
- setup.exe (PID: 1824)
- wmpnscfg.exe (PID: 3036)
- PatchCleaner.exe (PID: 3192)
Executable content was dropped or overwritten
- msiexec.exe (PID: 696)
Manual execution by a user
- WINWORD.EXE (PID: 2992)
- PatchCleaner.exe (PID: 3192)
- wmpnscfg.exe (PID: 3036)
- PatchCleaner.exe (PID: 2344)
Reads the software policy settings
- msiexec.exe (PID: 696)
Creates files in the program directory
- PatchCleaner.exe (PID: 3192)
- cscript.exe (PID: 268)
- cscript.exe (PID: 2380)
Creates files or folders in the user directory
- PatchCleaner.exe (PID: 3192)
Reads Environment values
- PatchCleaner.exe (PID: 3192)
Drops the executable file immediately after the start
- msiexec.exe (PID: 696)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (37.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | | | Win32 Executable (generic) (6) |
| .exe | | | Generic Win/DOS Executable (2.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2010:11:18 16:27:35+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 104960 |
| InitializedDataSize: | 45056 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x14b04 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 9.20.0.0 |
| ProductVersionNumber: | 9.20.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | Igor Pavlov |
| FileDescription: | 7z Setup SFX |
| FileVersion: | 9.2 |
| InternalName: | 7zS.sfx |
| LegalCopyright: | Copyright (c) 1999-2010 Igor Pavlov |
| OriginalFileName: | 7zS.sfx.exe |
| ProductName: | 7-Zip |
| ProductVersion: | 9.2 |
Total processes
60
Monitored processes
12
Malicious processes
3
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 268 | "C:\Windows\System32\cscript.exe" //B //Nologo WMIProducts.vbs | C:\Windows\System32\cscript.exe | — | PatchCleaner.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft ® Console Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
| 696 | "C:\Windows\system32\msiexec.exe" -I "C:\Users\admin\AppData\Local\Temp\7zS6D3C.tmp\PatchCleaner.msi" | C:\Windows\System32\msiexec.exe | setup.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1824 | .\setup.exe | C:\Users\admin\AppData\Local\Temp\7zS6D3C.tmp\setup.exe | — | PatchCleaner_1.4.2.0.exe | |||||||||||
User: admin Integrity Level: HIGH Description: Setup Exit code: 0 Version: 14.0.23107.0 built by: D14REL Modules
| |||||||||||||||
| 2344 | "C:\Program Files\HomeDev\PatchCleaner\PatchCleaner.exe" | C:\Program Files\HomeDev\PatchCleaner\PatchCleaner.exe | — | explorer.exe | |||||||||||
User: admin Company: HomeDev Integrity Level: MEDIUM Description: PatchCleaner Exit code: 3221226540 Version: 1.4.2.0 Modules
| |||||||||||||||
| 2380 | "C:\Windows\System32\cscript.exe" //B //Nologo WMIProducts.vbs | C:\Windows\System32\cscript.exe | — | PatchCleaner.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft ® Console Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
| 2408 | "C:\Users\admin\AppData\Local\Temp\PatchCleaner_1.4.2.0.exe" | C:\Users\admin\AppData\Local\Temp\PatchCleaner_1.4.2.0.exe | explorer.exe | ||||||||||||
User: admin Company: Igor Pavlov Integrity Level: HIGH Description: 7z Setup SFX Exit code: 0 Version: 9.20 Modules
| |||||||||||||||
| 2644 | C:\Windows\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2992 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\independentjuly.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 Modules
| |||||||||||||||
| 3036 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3192 | "C:\Program Files\HomeDev\PatchCleaner\PatchCleaner.exe" | C:\Program Files\HomeDev\PatchCleaner\PatchCleaner.exe | explorer.exe | ||||||||||||
User: admin Company: HomeDev Integrity Level: HIGH Description: PatchCleaner Exit code: 0 Version: 1.4.2.0 Modules
| |||||||||||||||
Total events
18 606
Read events
17 906
Write events
382
Delete events
318
Modification events
| (PID) Process: | (1824) setup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (1824) setup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (1824) setup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (1824) setup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (696) msiexec.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (696) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates |
| Operation: | delete value | Name: | 9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6 |
Value: | |||
| (PID) Process: | (696) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6 |
| Operation: | write | Name: | Blob |
Value: 0F00000001000000200000009065F32AFC2CFEA7F452D2D6BE94D20C877EFC1C05433D9935696193FDCC05D80300000001000000140000009F6134C5FA75E4FDDE631B232BE961D6D4B97DB6200000000100000047030000308203433082022BA00302010202147327B7C17D5AE708EF73F1F45A79D78B4E99A29F300D06092A864886F70D01010B05003031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C084469676943657274301E170D3233303932393130353030335A170D3339303530383130353030335A3031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C08446967694365727430820122300D06092A864886F70D01010105000382010F003082010A0282010100D91B7A55548F44F3E97C493153B75B055695736B184640D7335A2E6218083B5A1BEE2695209350E57A3EB76FBC604CB3B250DF3D9D0C560D1FBDFE30108D233A3C555100BE1A3F8E543C0B253E06E91B6D5F9CB3A093009BC8B4D3A0EB19DB59E56DA7E3D637847970D6C2AEB4A1FCF3896A7C080FE68759BAA62E6AAA8B7C7CBDA176DDC72F8D259A16D3469E31F19D2959904611D730D7D26FCFED789A0C49698FDFABF3F6727D08C61A073BB11E85C96486D49B0E0D38364C008A5EB964F8813C5DF004F9E76D2F8DB90702D800032674959BF0DF823785419101CEA928A10ACBAE7E48FE19202F3CB7BCF416476D17CB64C5570FCED443BD75D9F2C632FF0203010001A3533051301D0603551D0E041604145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7301F0603551D230418301680145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7300F0603551D130101FF040530030101FF300D06092A864886F70D01010B05000382010100AF2218E4CA18144728FCC76EA14958061522FD4A018BED1A4BFCC5CCE70BC6AE9DF7D3795C9A010D53628E2B6E7C10D6B07E53546235A5EE480E5A434E312154BF1E39AAC27D2C18D4F41CBBECFE4538CEF93EF62C17D187A7F720F4A9478410D09620C9F8B293B5786A5440BC0743B7B7753CF66FBA498B7E083BC267597238DC031B9BB131F997D9B8164AAED0D6E328420E53E1969DA6CD035078179677A7177BB2BF9C87CF592910CD380E8501B92040A39469C782BA383BEAE498C060FCC7C429BC10B7B6B7A0659C9BE03DC13DB46C638CF5E3B22A303726906DC8DD91C64501EBFC282A3A497EC430CACC066EE4BF9C5C8F2F2A05D0C1921A9E3E85E3 | |||
| (PID) Process: | (696) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6 |
| Operation: | write | Name: | Blob |
Value: 1400000001000000140000005D6CA352CEFC713CBBC5E21F663C3639FD19D4D70300000001000000140000009F6134C5FA75E4FDDE631B232BE961D6D4B97DB60F00000001000000200000009065F32AFC2CFEA7F452D2D6BE94D20C877EFC1C05433D9935696193FDCC05D8200000000100000047030000308203433082022BA00302010202147327B7C17D5AE708EF73F1F45A79D78B4E99A29F300D06092A864886F70D01010B05003031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C084469676943657274301E170D3233303932393130353030335A170D3339303530383130353030335A3031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C08446967694365727430820122300D06092A864886F70D01010105000382010F003082010A0282010100D91B7A55548F44F3E97C493153B75B055695736B184640D7335A2E6218083B5A1BEE2695209350E57A3EB76FBC604CB3B250DF3D9D0C560D1FBDFE30108D233A3C555100BE1A3F8E543C0B253E06E91B6D5F9CB3A093009BC8B4D3A0EB19DB59E56DA7E3D637847970D6C2AEB4A1FCF3896A7C080FE68759BAA62E6AAA8B7C7CBDA176DDC72F8D259A16D3469E31F19D2959904611D730D7D26FCFED789A0C49698FDFABF3F6727D08C61A073BB11E85C96486D49B0E0D38364C008A5EB964F8813C5DF004F9E76D2F8DB90702D800032674959BF0DF823785419101CEA928A10ACBAE7E48FE19202F3CB7BCF416476D17CB64C5570FCED443BD75D9F2C632FF0203010001A3533051301D0603551D0E041604145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7301F0603551D230418301680145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7300F0603551D130101FF040530030101FF300D06092A864886F70D01010B05000382010100AF2218E4CA18144728FCC76EA14958061522FD4A018BED1A4BFCC5CCE70BC6AE9DF7D3795C9A010D53628E2B6E7C10D6B07E53546235A5EE480E5A434E312154BF1E39AAC27D2C18D4F41CBBECFE4538CEF93EF62C17D187A7F720F4A9478410D09620C9F8B293B5786A5440BC0743B7B7753CF66FBA498B7E083BC267597238DC031B9BB131F997D9B8164AAED0D6E328420E53E1969DA6CD035078179677A7177BB2BF9C87CF592910CD380E8501B92040A39469C782BA383BEAE498C060FCC7C429BC10B7B6B7A0659C9BE03DC13DB46C638CF5E3B22A303726906DC8DD91C64501EBFC282A3A497EC430CACC066EE4BF9C5C8F2F2A05D0C1921A9E3E85E3 | |||
| (PID) Process: | (696) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6 |
| Operation: | write | Name: | Blob |
Value: 190000000100000010000000BCC80DAA2F98A4692805BFF4CBB372EB0F00000001000000200000009065F32AFC2CFEA7F452D2D6BE94D20C877EFC1C05433D9935696193FDCC05D80300000001000000140000009F6134C5FA75E4FDDE631B232BE961D6D4B97DB61400000001000000140000005D6CA352CEFC713CBBC5E21F663C3639FD19D4D7200000000100000047030000308203433082022BA00302010202147327B7C17D5AE708EF73F1F45A79D78B4E99A29F300D06092A864886F70D01010B05003031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C084469676943657274301E170D3233303932393130353030335A170D3339303530383130353030335A3031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C08446967694365727430820122300D06092A864886F70D01010105000382010F003082010A0282010100D91B7A55548F44F3E97C493153B75B055695736B184640D7335A2E6218083B5A1BEE2695209350E57A3EB76FBC604CB3B250DF3D9D0C560D1FBDFE30108D233A3C555100BE1A3F8E543C0B253E06E91B6D5F9CB3A093009BC8B4D3A0EB19DB59E56DA7E3D637847970D6C2AEB4A1FCF3896A7C080FE68759BAA62E6AAA8B7C7CBDA176DDC72F8D259A16D3469E31F19D2959904611D730D7D26FCFED789A0C49698FDFABF3F6727D08C61A073BB11E85C96486D49B0E0D38364C008A5EB964F8813C5DF004F9E76D2F8DB90702D800032674959BF0DF823785419101CEA928A10ACBAE7E48FE19202F3CB7BCF416476D17CB64C5570FCED443BD75D9F2C632FF0203010001A3533051301D0603551D0E041604145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7301F0603551D230418301680145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7300F0603551D130101FF040530030101FF300D06092A864886F70D01010B05000382010100AF2218E4CA18144728FCC76EA14958061522FD4A018BED1A4BFCC5CCE70BC6AE9DF7D3795C9A010D53628E2B6E7C10D6B07E53546235A5EE480E5A434E312154BF1E39AAC27D2C18D4F41CBBECFE4538CEF93EF62C17D187A7F720F4A9478410D09620C9F8B293B5786A5440BC0743B7B7753CF66FBA498B7E083BC267597238DC031B9BB131F997D9B8164AAED0D6E328420E53E1969DA6CD035078179677A7177BB2BF9C87CF592910CD380E8501B92040A39469C782BA383BEAE498C060FCC7C429BC10B7B6B7A0659C9BE03DC13DB46C638CF5E3B22A303726906DC8DD91C64501EBFC282A3A497EC430CACC066EE4BF9C5C8F2F2A05D0C1921A9E3E85E3 | |||
| (PID) Process: | (2644) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 40000000000000001E5C8AB4FF79DA01540A000048050000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 | |||
Executable files
4
Suspicious files
6
Text files
9
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2992 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRD472.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 2408 | PatchCleaner_1.4.2.0.exe | C:\Users\admin\AppData\Local\Temp\7zS6D3C.tmp\PatchCleaner.msi | executable | |
MD5:CA19DC264E480DB621D11429E08CA62B | SHA256:C43F57C1AFF7A3571FB89A6467247417BDF5B5AE2CD3AB60CE444490BC4DF164 | |||
| 696 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI724E.tmp | executable | |
MD5:79A1DC3E058699630F44EAEF8736D637 | SHA256:ADF737E044C8125286B7F0C2907597D840CA6F3DC92E8CB56A5BC20243C723D4 | |||
| 2992 | WINWORD.EXE | C:\Users\admin\Desktop\~$dependentjuly.rtf | binary | |
MD5:07EF56F13CFC70F5B902A6FB4A38BCE1 | SHA256:196D50D3A6CE27FE9C3C5B1FAD7F87D4CB602F19071B3A7877FD45DFE21C660A | |||
| 2992 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{318DD648-F7C8-4FFF-9DE5-52CF95C0F7A6}.tmp | smt | |
MD5:5D4D94EE7E06BBB0AF9584119797B23A | SHA256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1 | |||
| 2992 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | ini | |
MD5:6703C9203A28D2F9762889BBB7EA2D83 | SHA256:C7EA70B275EADD2BAEC64B508768E1B4A20F688A9CAB7974DC31D7C1479B1B11 | |||
| 2992 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{C6ABC91F-669B-415E-99C1-BF6A08CC3A37}.tmp | binary | |
MD5:1C434A840DC0EF003594EEC43836C428 | SHA256:3705E7F2AFCC1506ABD3B1CDF7FCC23C2892075CC8087B90C3857EB1E0EB6FAD | |||
| 3192 | PatchCleaner.exe | C:\Users\admin\AppData\Local\HomeDev\PatchCleaner.exe_Url_dgtqfentktrphev14fflfkuaslqzfwxf\1.4.2.0\user.config | xml | |
MD5:471A89B7EB58CA4E703F456DA01A9F31 | SHA256:6E76F167E24B7E02386E79794015A5FEDB5EFE9AB5D25C60C6FE0A6F0013A048 | |||
| 2992 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\independentjuly.rtf.LNK | lnk | |
MD5:0AAEE3CB435C2A9B30E51DE93BA79BF2 | SHA256:5A603BFA2D24536D70E36FEE9CBA1F52F7C4915C81D31EF51BEA91928A96ADD3 | |||
| 2992 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{607DE995-C3C0-48A0-92DE-C63FF5ADDD3F}.tmp | dbf | |
MD5:CE06ED1E89D91AA85DC166430992708D | SHA256:F5EA64BF95CFA223FF930F3FF6E136D2BA8001BE725074856F639FB3F03FB9E4 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
5
DNS requests
4
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3192 | PatchCleaner.exe | GET | 301 | 107.191.57.177:80 | http://www.homedev.com.au/Common/CurrentVersion/727da176-50bb-452c-8db5-96ee0a573ed4 | unknown | html | 208 b | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:137 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
3192 | PatchCleaner.exe | 107.191.57.177:80 | www.homedev.com.au | AS-CHOOPA | US | unknown |
3192 | PatchCleaner.exe | 107.191.57.177:443 | www.homedev.com.au | AS-CHOOPA | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.homedev.com.au |
| unknown |
dns.msftncsi.com |
| shared |