| URL: | https://zscaler.error.code.081000.fixcomputerdrivers.org |
| Full analysis: | https://app.any.run/tasks/d29a3111-f076-4083-b546-438d88e0f11f |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | November 13, 2020, 13:10:41 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MD5: | 06F2CFAF812078AA38C6DEDDAFB3DF1B |
| SHA1: | 5640E3B2898FB5D73FCB1643834ABB5C89FEFCFC |
| SHA256: | 71C28837D32C8793DF02FCB301D58D335CD33BA733E9429E3FD8DF19CDB9F3EF |
| SSDEEP: | 3:N8FyapskV/80VpxMTMXC:2Fymd8sE4XC |
MALICIOUS
Application was dropped or rewritten from another process
- ASR-Elite-Installer-E42.exe (PID: 3652)
- ASR-Elite-Installer-E42.exe (PID: 2152)
- asrrealtimesrv.exe (PID: 3392)
- asrrealtimesrv.exe (PID: 2588)
- AdvancedSystemRepairPro.exe (PID: 1340)
- dsutil.exe (PID: 700)
Loads the Task Scheduler COM API
- ASR-Elite-Installer-E42.exe (PID: 3652)
- AdvancedSystemRepairPro.exe (PID: 1340)
Loads dropped or rewritten executable
- asrrealtimesrv.exe (PID: 2588)
- dsutil.exe (PID: 700)
Changes settings of System certificates
- dsutil.exe (PID: 700)
- AdvancedSystemRepairPro.exe (PID: 1340)
Stealing of credential data
- AdvancedSystemRepairPro.exe (PID: 1340)
SUSPICIOUS
Modifies files in Chrome extension folder
- chrome.exe (PID: 2616)
Executable content was dropped or overwritten
- chrome.exe (PID: 2616)
- chrome.exe (PID: 652)
- asrrealtimesrv.exe (PID: 3392)
- ASR-Elite-Installer-E42.exe (PID: 3652)
- asrrealtimesrv.exe (PID: 2588)
Executes scripts
- ASR-Elite-Installer-E42.exe (PID: 3652)
Creates files in the driver directory
- asrrealtimesrv.exe (PID: 3392)
Creates files in the program directory
- asrrealtimesrv.exe (PID: 3392)
- ASR-Elite-Installer-E42.exe (PID: 3652)
- asrrealtimesrv.exe (PID: 2588)
- AdvancedSystemRepairPro.exe (PID: 1340)
- dsutil.exe (PID: 700)
Creates files in the Windows directory
- asrrealtimesrv.exe (PID: 3392)
Creates or modifies windows services
- asrrealtimesrv.exe (PID: 3392)
Adds / modifies Windows certificates
- dsutil.exe (PID: 700)
- AdvancedSystemRepairPro.exe (PID: 1340)
Executed as Windows Service
- asrrealtimesrv.exe (PID: 2588)
Creates a software uninstall entry
- ASR-Elite-Installer-E42.exe (PID: 3652)
Creates files in the user directory
- ASR-Elite-Installer-E42.exe (PID: 3652)
- wscript.exe (PID: 4004)
Reads Environment values
- dsutil.exe (PID: 700)
Reads Internet Cache Settings
- AdvancedSystemRepairPro.exe (PID: 1340)
Reads CPU info
- dsutil.exe (PID: 700)
INFO
Application launched itself
- chrome.exe (PID: 2616)
Reads settings of System Certificates
- chrome.exe (PID: 652)
- chrome.exe (PID: 2616)
- dsutil.exe (PID: 700)
Reads the hosts file
- chrome.exe (PID: 2616)
- chrome.exe (PID: 652)
Reads Internet Cache Settings
- chrome.exe (PID: 2616)
Dropped object may contain Bitcoin addresses
- dsutil.exe (PID: 700)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
808
Monitored processes
401
Malicious processes
6
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 256 | C:\Windows\system32\sfc.exe /VERIFYFILE=C:\Windows\system32\msvcr110.dll | C:\Windows\system32\sfc.exe | — | AdvancedSystemRepairPro.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: System Integrity Check and Repair Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 408 | C:\Windows\system32\sfc.exe /VERIFYFILE=C:\Windows\system32\mfc140fra.dll | C:\Windows\system32\sfc.exe | — | AdvancedSystemRepairPro.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: System Integrity Check and Repair Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 408 | C:\Windows\system32\sfc.exe /VERIFYFILE=C:\Windows\system32\atl100.dll | C:\Windows\system32\sfc.exe | — | AdvancedSystemRepairPro.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: System Integrity Check and Repair Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 448 | C:\Windows\system32\sfc.exe /VERIFYFILE=C:\Windows\system32\mssvp.dll | C:\Windows\system32\sfc.exe | — | AdvancedSystemRepairPro.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: System Integrity Check and Repair Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 448 | C:\Windows\system32\sfc.exe /VERIFYFILE=C:\Windows\system32\srcore.dll | C:\Windows\system32\sfc.exe | — | AdvancedSystemRepairPro.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: System Integrity Check and Repair Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 544 | C:\Windows\system32\sfc.exe /VERIFYFILE=C:\Windows\system32\mfc140ita.dll | C:\Windows\system32\sfc.exe | — | AdvancedSystemRepairPro.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: System Integrity Check and Repair Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 588 | C:\Windows\system32\sfc.exe /VERIFYFILE=C:\Windows\system32\XpsGdiConverter.dll | C:\Windows\system32\sfc.exe | — | AdvancedSystemRepairPro.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: System Integrity Check and Repair Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 616 | C:\Windows\system32\sfc.exe /VERIFYFILE=C:\Windows\system32\api-ms-win-core-timezone-l1-1-0.dll | C:\Windows\system32\sfc.exe | — | AdvancedSystemRepairPro.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: System Integrity Check and Repair Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 616 | C:\Windows\system32\sfc.exe /VERIFYFILE=C:\Windows\system32\wmploc.DLL | C:\Windows\system32\sfc.exe | — | AdvancedSystemRepairPro.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: System Integrity Check and Repair Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 652 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1012,13701586514630382564,4383371035253485499,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=12576066627179900895 --mojo-platform-channel-handle=1596 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | chrome.exe | ||||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 Modules
| |||||||||||||||
Total events
2 204
Read events
1 653
Write events
546
Delete events
5
Modification events
| (PID) Process: | (2616) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon |
| Operation: | write | Name: | failed_count |
Value: 0 | |||
| (PID) Process: | (2616) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon |
| Operation: | write | Name: | state |
Value: 2 | |||
| (PID) Process: | (2616) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty |
| Operation: | write | Name: | StatusCodes |
Value: | |||
| (PID) Process: | (2616) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty |
| Operation: | write | Name: | StatusCodes |
Value: 01000000 | |||
| (PID) Process: | (2616) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon |
| Operation: | write | Name: | state |
Value: 1 | |||
| (PID) Process: | (2848) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes |
| Operation: | write | Name: | 2616-13249746656787875 |
Value: 259 | |||
| (PID) Process: | (2616) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96} |
| Operation: | write | Name: | dr |
Value: 1 | |||
| (PID) Process: | (2616) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome |
| Operation: | write | Name: | UsageStatsInSample |
Value: 0 | |||
| (PID) Process: | (2616) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes |
| Operation: | delete value | Name: | 3252-13245750958665039 |
Value: 0 | |||
| (PID) Process: | (2616) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes |
| Operation: | delete value | Name: | 2616-13249746656787875 |
Value: 259 | |||
Executable files
24
Suspicious files
36
Text files
628
Unknown types
17
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2616 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-5FAE85E1-A38.pma | — | |
MD5:— | SHA256:— | |||
| 2616 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\3cfc106e-549e-4d7a-92d7-540f6a3279b5.tmp | — | |
MD5:— | SHA256:— | |||
| 2616 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000048.dbtmp | — | |
MD5:— | SHA256:— | |||
| 2616 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG.old | — | |
MD5:— | SHA256:— | |||
| 2616 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old~RF15ab6c.TMP | text | |
MD5:— | SHA256:— | |||
| 2616 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Last Tabs | binary | |
MD5:— | SHA256:— | |||
| 2616 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old | text | |
MD5:— | SHA256:— | |||
| 2616 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old | text | |
MD5:— | SHA256:— | |||
| 2616 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old | — | |
MD5:— | SHA256:— | |||
| 2616 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old~RF15ad8f.TMP | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
68
DNS requests
21
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1340 | AdvancedSystemRepairPro.exe | GET | 200 | 192.227.82.55:80 | http://asrupdates.com/splittest/rep.php?test=asrapg&id=v2 | US | — | — | unknown |
— | — | HEAD | 200 | 8.248.125.254:80 | http://download.windowsupdate.com/v9/windowsupdate/redir/muv4wuredir.cab?2011131312 | US | — | — | whitelisted |
652 | chrome.exe | GET | 302 | 8.26.21.195:80 | http://advancedsystemrepair.com/ASR-Elite-Installer-E42.exe | US | html | 244 b | suspicious |
2588 | asrrealtimesrv.exe | GET | 200 | 192.227.82.55:80 | http://asrupdates.com/db6/1.dat | US | binary | 5.94 Mb | unknown |
700 | dsutil.exe | POST | 200 | 173.244.200.90:80 | http://drv-updates.com/api/v5/updates | US | text | 11.5 Kb | malicious |
1340 | AdvancedSystemRepairPro.exe | GET | 200 | 192.227.82.55:80 | http://asrupdates.com/wr/view_d3.php?id=50394 | US | text | 28 b | unknown |
2588 | asrrealtimesrv.exe | POST | 200 | 136.243.134.112:83 | http://cloud.asrupdates.com:83/cloud | DE | text | 39 b | unknown |
1340 | AdvancedSystemRepairPro.exe | GET | 200 | 192.227.82.55:80 | http://asrupdates.com/al.php | US | binary | 1 b | unknown |
1340 | AdvancedSystemRepairPro.exe | GET | 404 | 192.227.82.55:80 | http://asrupdates.com/update19/null_redirect1 | US | html | 315 b | unknown |
1340 | AdvancedSystemRepairPro.exe | GET | 302 | 192.227.82.55:80 | http://asrupdates.com/app_upgrade/asr.php?a=asrm7&i=1605273117&r=0&v=75&l=1033 | US | binary | 1 b | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
652 | chrome.exe | 172.217.23.99:443 | ssl.gstatic.com | Google Inc. | US | whitelisted |
652 | chrome.exe | 216.58.212.132:443 | www.google.com | Google Inc. | US | whitelisted |
652 | chrome.exe | 104.22.52.65:443 | www.statcounter.com | Cloudflare Inc | US | unknown |
652 | chrome.exe | 50.31.64.13:443 | www.bestwindowserrorfixer.com | Steadfast | US | unknown |
652 | chrome.exe | 8.26.21.195:443 | advancedsystemrepair.com | Infolink Global Corporation | US | suspicious |
652 | chrome.exe | 54.69.133.20:443 | link.safecart.com | Amazon.com, Inc. | US | unknown |
652 | chrome.exe | 8.26.21.195:80 | advancedsystemrepair.com | Infolink Global Corporation | US | suspicious |
652 | chrome.exe | 172.217.16.206:443 | sb-ssl.google.com | Google Inc. | US | whitelisted |
652 | chrome.exe | 172.217.23.163:443 | www.gstatic.com | Google Inc. | US | whitelisted |
652 | chrome.exe | 172.217.22.46:443 | clients1.google.com | Google Inc. | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
clientservices.googleapis.com |
| whitelisted |
zscaler.error.code.081000.fixcomputerdrivers.org |
| unknown |
accounts.google.com |
| shared |
clients2.google.com |
| whitelisted |
clients2.googleusercontent.com |
| whitelisted |
www.google.com |
| malicious |
ssl.gstatic.com |
| whitelisted |
www.statcounter.com |
| whitelisted |
c.statcounter.com |
| whitelisted |
www.bestwindowserrorfixer.com |
| unknown |
Threats
Process | Message |
|---|---|
AdvancedSystemRepairPro.exe | Object::connect: (sender name: 'treeMalware')
|
AdvancedSystemRepairPro.exe | Object::connect: (sender name: 'treeMalware')
|
AdvancedSystemRepairPro.exe | Object::connect: (receiver name: 'PopupPriv')
|
AdvancedSystemRepairPro.exe | Object::connect: No such slot PopupPriv::malwareItemClicked(QTreeWidgetItem *, int)
|
AdvancedSystemRepairPro.exe | Object::connect: (sender name: 'treeMalware')
|
AdvancedSystemRepairPro.exe | Object::connect: (receiver name: 'PopupPriv')
|
AdvancedSystemRepairPro.exe | Object::connect: No such slot PopupPriv::treeItemCollapsed(QTreeWidgetItem *)
|
AdvancedSystemRepairPro.exe | Object::connect: (sender name: 'treeMalware')
|
AdvancedSystemRepairPro.exe | Object::connect: (receiver name: 'PopupPriv')
|
AdvancedSystemRepairPro.exe | Object::connect: No such slot PopupPriv::treeItemExpanded(QTreeWidgetItem *)
|