Field | Value |
---|---|
URL | http://downloads.optimize-windows.net/en/pc-repair/def/pc-repair-setup.exe |
Full analysis | https://app.any.run/tasks/be75b8f9-bf0a-4a7e-9ce7-a482b4237b63 |
Verdict | Malicious activity |
Threats | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims' computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date | March 31, 2020, 01:42:52 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MD5 | 6ACD30B2FEF20DE407F6D8686B903ADE |
SHA1 | E1ED907CF102A483E123B47D341A362B78DFB021 |
SHA256 | 18B049B8191A829D581FD2A2ED4B3BFFED3BFD8D911DE44C567249522962BB21 |
SSDEEP | 3:N1KaKE4L+MIg/3sVGvgtRAkA:CaG/sagtRAkA |
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version |
---|---|---|---|---|---|---|---|---|---|---|
1756 | "C:\Program Files\Internet Explorer\iexplore.exe" http://downloads.optimize-windows.net/en/pc-repair/def/pc-repair-setup.exe | C:\Program Files\Internet Explorer\iexplore.exe | | explorer.exe | admin | Microsoft Corporation | MEDIUM | Internet Explorer | | 11.00.9600.16428 (winblue_gdr.131013-1700) |
3008 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1756 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | | iexplore.exe | admin | Microsoft Corporation | LOW | Internet Explorer | 0 | 11.00.9600.16428 (winblue_gdr.131013-1700) |
3172 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\pc-repair-setup.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\pc-repair-setup.exe | — | iexplore.exe | admin | Outbyte | MEDIUM | Outbyte PCRepair Installation File | 3221226540 | 1.0.3.20 |
2644 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\pc-repair-setup.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\pc-repair-setup.exe | | iexplore.exe | admin | Outbyte | HIGH | Outbyte PCRepair Installation File | 0 | 1.0.3.20 |
3180 | "C:\Users\admin\AppData\Local\Temp\is-19484251.tmp\Installer.exe" /spid:2644 /splha:19409216 | C:\Users\admin\AppData\Local\Temp\is-19484251.tmp\Installer.exe | | pc-repair-setup.exe | admin | Outbyte | HIGH | Installer | 0 | 1.0.3.20 |
2948 | "taskhost.exe" | C:\Windows\system32\taskhost.exe | — | services.exe | admin | Microsoft Corporation | MEDIUM | Host Process for Windows Tasks | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
3872 | "taskhost.exe" | C:\Windows\system32\taskhost.exe | — | services.exe | admin | Microsoft Corporation | MEDIUM | Host Process for Windows Tasks | | 6.1.7600.16385 (win7_rtm.090713-1255) |
1828 | "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Outbyte\PCRepair\BrowserCareHelper.Agent.x32.dll" | C:\Windows\system32\regsvr32.exe | — | Installer.exe | admin | Microsoft Corporation | HIGH | Microsoft(C) Register Server | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
2684 | "C:\Program Files\Outbyte\PCRepair\PCRepair.exe" /Install /SendInfo /AutoStart | C:\Program Files\Outbyte\PCRepair\PCRepair.exe | — | Installer.exe | admin | Outbyte | HIGH | PC Repair | 0 | 1.0.3.20 |
2932 | "C:\Program Files\Outbyte\PCRepair\PCRepair.exe" /FromInstaller | C:\Program Files\Outbyte\PCRepair\PCRepair.exe | | Installer.exe | admin | Outbyte | HIGH | PC Repair | | 1.0.3.20 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3008 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\pc-repair-setup[1].exe | — | — | — |
3008 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\pc-repair-setup.exe.i1f23ew.partial | — | — | — |
1756 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF8F10A14699012E37.TMP | — | — | — |
1756 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\pc-repair-setup.exe.i1f23ew.partial:Zone.Identifier | — | — | — |
2644 | pc-repair-setup.exe | C:\Users\admin\AppData\Local\Temp\is-19484251.tmp\Lang\esp.lng | binary | B9B90AC1B4566D6147A86C42048934F5 | F19B34D4206004642B8560EFD876547326471089E617DDDC56B8306AB98818A0 |
2644 | pc-repair-setup.exe | C:\Users\admin\AppData\Local\Temp\is-19484251.tmp\Lang\fra.lng | binary | BC7AC79912C082FC73180008DAF18A5E | D00CFEA16EE88D51C2C18D551A9EDEB9D9119FD624943CF60A2F7AD67B9C1DE8 |
2644 | pc-repair-setup.exe | C:\Users\admin\AppData\Local\Temp\is-19484251.tmp\Lang\ptb.lng | binary | F749073288E014CE7CE40DF300DF508C | 6A28AA5A3F600A00A8C0D6F1ED308C876E95FA548222B13BC42F0DB141A01DC0 |
1756 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{F7967D39-72F0-11EA-972D-5254004A04AF}.dat | binary | B923393F40A1704150752447CDDF7559 | FBBAFEBDF82ED6CE3711311EDD9552743087A9C6004F901E9744003756727766 |
1756 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\pc-repair-setup.exe | executable | 4ADD15E8C09DE1C165CDC1C948B2003A | 89D42E6FF52DA66A26CBBA2549040099056B1780CC5272AF7E0228B30D53277B |
3008 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\pc-repair-setup[1].htm | html | 860A7F118DE590E5A508C8958EECBC68 | 5BB80404D17ED6F72AD3E82E75D74C0D7D518464E1D51DB742087D97E94B36FA |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3008 | iexplore.exe | GET | 200 | 151.139.237.160:80 | http://static.optimize-windows.net/en/pc-repair/def/pc-repair-setup.exe | US | executable | 20.8 Mb | suspicious |
3180 | Installer.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEChOOcFLOG2InHKZ5YzQWlc%3D | US | der | 727 b | whitelisted |
1756 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
3180 | Installer.exe | POST | 200 | 172.217.18.110:80 | http://www.google-analytics.com/collect | US | image | 35 b | whitelisted |
3180 | Installer.exe | POST | 200 | 172.217.18.110:80 | http://www.google-analytics.com/collect | US | image | 35 b | whitelisted |
1756 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
1756 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
3008 | iexplore.exe | GET | 302 | 149.56.19.59:80 | http://downloads.optimize-windows.net/en/pc-repair/def/pc-repair-setup.exe | CA | html | 161 b | suspicious |
3180 | Installer.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS83pEmglYTXfyF78OS%2BRiTRWadkgQULGn%2FgMmHkK404bTnTJOFmUDpp7ICEBK19AoQmh7woOkPJmoB2Rw%3D | US | der | 471 b | whitelisted |
3180 | Installer.exe | POST | 200 | 172.217.18.110:80 | http://www.google-analytics.com/collect | US | image | 35 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1756 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3180 | Installer.exe | 45.79.210.152:443 | outbyte.com | Linode, LLC | US | unknown |
1756 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2932 | PCRepair.exe | 45.79.210.152:443 | outbyte.com | Linode, LLC | US | unknown |
3008 | iexplore.exe | 151.139.237.160:80 | static.optimize-windows.net | netDNA | US | suspicious |
3180 | Installer.exe | 151.139.128.14:80 | ocsp.usertrust.com | Highwinds Network Group, Inc. | US | suspicious |
3180 | Installer.exe | 172.217.18.110:80 | www.google-analytics.com | Google Inc. | US | whitelisted |
3008 | iexplore.exe | 149.56.19.59:80 | downloads.optimize-windows.net | OVH SAS | CA | suspicious |
1756 | iexplore.exe | 204.79.197.200:443 | ieonline.microsoft.com | Microsoft Corporation | US | whitelisted |
2932 | PCRepair.exe | 172.217.18.110:80 | www.google-analytics.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
downloads.optimize-windows.net | | suspicious |
static.optimize-windows.net | | suspicious |
iecvlist.microsoft.com | | whitelisted |
r20swj13mr.microsoft.com | | whitelisted |
ocsp.digicert.com | | whitelisted |
outbyte.com | | suspicious |
ocsp.usertrust.com | | whitelisted |
ocsp.sectigo.com | | whitelisted |
www.google-analytics.com | | whitelisted |
ieonline.microsoft.com | | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3008 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
Process | Message |
---|---|
DISM.exe | PID=3244 Instantiating the Provider Store. - CDISMImageSession::get_ProviderStore |
DISM.exe | PID=3244 Initializing a provider store for the LOCAL session type. - CDISMProviderStore::Final_OnConnect |
DISM.exe | PID=3244 Attempting to initialize the logger from the Image Session. - CDISMProviderStore::Final_OnConnect |
DISM.exe | PID=3244 Provider has not previously been encountered. Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider |
DISM.exe | PID=3244 Loading Provider from location C:\Windows\System32\Dism\LogProvider.dll - CDISMProviderStore::Internal_GetProvider |
DISM.exe | PID=3244 Connecting to the provider located at C:\Windows\System32\Dism\LogProvider.dll. - CDISMProviderStore::Internal_LoadProvider |
DISM.exe | PID=3244 Getting Provider OSServices - CDISMProviderStore::GetProvider |
DISM.exe | PID=3244 The requested provider was not found in the Provider Store. - CDISMProviderStore::Internal_GetProvider(hr:0x80004005) |
DISM.exe | PID=3244 Failed to get an OSServices provider. Must be running in local store. Falling back to checking alongside the log provider for wdscore.dll. - CDISMLogger::FindWdsCore(hr:0x80004005) |
dismhost.exe | PID=3040 Encountered a loaded provider DISMLogger. - CDISMProviderStore::Internal_DisconnectProvider |