file_to_run.exe

InfoSpace Sales LLC

The application file_to_run.exe by InfoSpace Sales has been detected as a potentially unwanted program by 4 anti-malware scanners. It runs as a Windows service named “pcregservice Service” in its own separate process. According to AVG, this software downloads additional adware offers during setup. The file has been seen being downloaded from d18okb3pa33axu.cloudfront.net.
Publisher:
InfoSpace Sales LLC  (signed and verified)

MD5:
2091b657b01d836b081d60b27948870f

SHA-1:
149306a689fa7dc7466036a49bf54810393fa3d7

SHA-256:
9464007e1fa64041df6f945668a90607924044e80010eac31135d105048b6832

Scanner detections:
4 / 68

Status:
Potentially unwanted

Analysis date:
5/24/2024 3:14:34 AM UTC

Scan engine        Detection                          Engine version
AVG                Downloader.Generic13               2014.0.3640
Boost by Reason    Optional.Service.InfoSpaceSales.L  188163
K7 AntiVirus       Riskware                           13.174.10306
Reason Heuristics  PUP.Service.InfoSpaceSales.L       14.3.1.2

File size:
30.6 KB (31,344 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\wrapper_inst\file_to_run.exe

Digital Signature
Authority:
Symantec Corporation

Valid from:
5/6/2013 8:00:00 PM

Valid to:
5/7/2014 7:59:59 PM

Subject:
CN=InfoSpace Sales LLC, OU=Systems, O=InfoSpace Sales LLC, L=Bellevue, S=Washington, C=US, SERIALNUMBER=3305495, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US

Issuer:
CN=Symantec Class 3 Extended Validation Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
5FFD216358B0FFE8AF4A6CECCA806958

File PE Metadata
Compilation timestamp:
9/1/2013 5:21:37 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows Console

Linker version:
10.0

CTPH (ssdeep):
768:3CGVlQrZe0nL8+2t0ALo4ooKQYQPbocyNGjLGVcEONugSd97o6Fj:SZe07OxSd9pj

Entry address:
0x39E0

Entry point:
E8, 44, 05, 00, 00, E9, B3, FD, FF, FF, 8B, FF, 55, 8B, EC, 81, EC, 28, 03, 00, 00, A3, B8, 81, 40, 00, 89, 0D, B4, 81, 40, 00, 89, 15, B0, 81, 40, 00, 89, 1D, AC, 81, 40, 00, 89, 35, A8, 81, 40, 00, 89, 3D, A4, 81, 40, 00, 66, 8C, 15, D0, 81, 40, 00, 66, 8C, 0D, C4, 81, 40, 00, 66, 8C, 1D, A0, 81, 40, 00, 66, 8C, 05, 9C, 81, 40, 00, 66, 8C, 25, 98, 81, 40, 00, 66, 8C, 2D, 94, 81, 40, 00, 9C, 8F, 05, C8, 81, 40, 00, 8B, 45, 00, A3, BC, 81, 40, 00, 8B, 45, 04, A3, C0, 81, 40, 00, 8D, 45, 08, A3, CC, 81, 40...

Entropy:
6.3142

Code size:
12.5 KB (12,800 bytes)

Service
Display name:
pcregservice Service

Service name:
pcregservice

Type:
Win32OwnProcess


The file file_to_run.exe has been seen being distributed from the following URL.

http://d18okb3pa33axu.cloudfront.net/.../pcreg.exe
