URL: | https://www.tweaking.com/files/setups/tweaking.com_windows_repair_aio_setup.exe |
Full analysis: | https://app.any.run/tasks/e8d03be3-49d1-49f9-8ee6-aadf99b0de9f |
Verdict: | Malicious activity |
Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
Analysis date: | October 09, 2019, 18:57:59 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 66A921EDFF305214926F6F65FDC3EEF8 |
SHA1: | 0104474C28C5AD716D7C9C340BBD4A385AA6822B |
SHA256: | D861925A5E834465CBE580B91569BAA8361C7E36793D1FA0B84E5C9B2FB347D1 |
SSDEEP: | 3:N8DSL5EjLCx0KxAWKRzKC18zVlqQDh4A:2OL5EjLCLADzKC18zVoeh4A |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2884 | "C:\Program Files\Internet Explorer\iexplore.exe" "https://www.tweaking.com/files/setups/tweaking.com_windows_repair_aio_setup.exe" | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
928 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2884 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3060 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\tweaking.com_windows_repair_aio_setup[1].exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\tweaking.com_windows_repair_aio_setup[1].exe | iexplore.exe | |
User: admin Company: Tweaking.com Integrity Level: MEDIUM Description: Setup Application Exit code: 0 Version: 4.6.0.0 | ||||
1828 | "C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1803178 "__IRAFN:C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\tweaking.com_windows_repair_aio_setup[1].exe" "__IRCT:3" "__IRTSS:39476756" "__IRSID:S-1-5-21-1302019708-1500728564-335382590-1000" | C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | — | tweaking.com_windows_repair_aio_setup[1].exe |
User: admin Company: Indigo Rose Corporation Integrity Level: MEDIUM Description: Setup Application Exit code: 3221226540 Version: 9.5.3.0 | ||||
1644 | "C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1803178 "__IRAFN:C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\tweaking.com_windows_repair_aio_setup[1].exe" "__IRCT:3" "__IRTSS:39476756" "__IRSID:S-1-5-21-1302019708-1500728564-335382590-1000" | C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | tweaking.com_windows_repair_aio_setup[1].exe | |
User: admin Company: Indigo Rose Corporation Integrity Level: HIGH Description: Setup Application Exit code: 0 Version: 9.5.3.0 | ||||
1668 | "C:\Program Files\Tweaking.com\Windows Repair (All in One)\Repair_Windows.exe" /traystartup | C:\Program Files\Tweaking.com\Windows Repair (All in One)\Repair_Windows.exe | — | irsetup.exe |
User: admin Company: Tweaking.com Integrity Level: HIGH Description: Tweaking.com - Windows Repair Exit code: 1 Version: 4.6.0.0 | ||||
1828 | "C:\Program Files\Tweaking.com\Windows Repair (All in One)\Repair_Windows.exe" | C:\Program Files\Tweaking.com\Windows Repair (All in One)\Repair_Windows.exe | irsetup.exe | |
User: admin Company: Tweaking.com Integrity Level: HIGH Description: Tweaking.com - Windows Repair Version: 4.6.0.0 | ||||
4044 | "C:\Windows\System32\reg.exe" DELETE HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Option /f | C:\Windows\System32\reg.exe | — | Repair_Windows.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2316 | "C:\Windows\System32\reg.exe" DELETE HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Option /f | C:\Windows\System32\reg.exe | — | Repair_Windows.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2656 | "C:\Windows\System32\reg.exe" DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option /f | C:\Windows\System32\reg.exe | — | Repair_Windows.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2884 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
2884 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
2884 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFE6BB2A2215C609A7.TMP | — | |
MD5:— | SHA256:— | |||
928 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1KS7E6X7\tweaking.com_windows_repair_aio_setup[1].exe | — | |
MD5:— | SHA256:— | |||
2884 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\tweaking.com_windows_repair_aio_setup[1].exe | — | |
MD5:— | SHA256:— | |||
2884 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019092020190921\index.dat | — | |
MD5:— | SHA256:— | |||
1644 | irsetup.exe | C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.dat | — | |
MD5:— | SHA256:— | |||
2884 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF39ECA9ED55740781.TMP | — | |
MD5:— | SHA256:— | |||
2884 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{BF214A8B-EAC6-11E9-837B-5254004A04AF}.dat | — | |
MD5:— | SHA256:— | |||
1644 | irsetup.exe | C:\Program Files\Tweaking.com\Windows Repair (All in One)\Uninstall\uni8360.tmp | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1828 | Repair_Windows.exe | GET | 200 | 199.119.100.39:80 | http://www.tweaking.com/files/updates/windows_repair/update.htm | US | text | 5 b | suspicious |
1828 | Repair_Windows.exe | GET | 200 | 199.119.100.39:80 | http://update.tweaking.com/update4.php?fr=1&nt=61&k=Free_Version&v=4.6.0&r=na | US | text | 41 b | suspicious |
1644 | irsetup.exe | GET | 200 | 52.21.98.236:80 | http://track.tweaking.com/ev-install-start.php?type=install-start&computer=S-1-5-21-1302019708-1500728564-335382590-1000 | US | text | 9 b | malicious |
1644 | irsetup.exe | GET | 200 | 52.21.98.236:80 | http://track.tweaking.com/ev-install-start.php?type=install-start&computer=S-1-5-21-1302019708-1500728564-335382590-1000 | US | text | 9 b | malicious |
1644 | irsetup.exe | GET | 200 | 52.21.98.236:80 | http://track.tweaking.com/ev-install-end.php?type=install-end&computer=S-1-5-21-1302019708-1500728564-335382590-1000 | US | text | 9 b | malicious |
1644 | irsetup.exe | GET | 200 | 52.21.98.236:80 | http://track.tweaking.com/ev-install-end.php?type=install-end&computer=S-1-5-21-1302019708-1500728564-335382590-1000 | US | text | 9 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2884 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
1644 | irsetup.exe | 52.21.98.236:80 | track.tweaking.com | Amazon.com, Inc. | US | suspicious |
928 | iexplore.exe | 199.119.100.39:443 | www.tweaking.com | HIVELOCITY VENTURES CORP | US | suspicious |
1828 | Repair_Windows.exe | 199.119.100.39:80 | www.tweaking.com | HIVELOCITY VENTURES CORP | US | suspicious |
Domain | IP | Reputation |
---|---|---|
www.tweaking.com |
| suspicious |
www.bing.com |
| whitelisted |
track.tweaking.com |
| malicious |
update.tweaking.com |
| suspicious |