Field | Value |
---|---|
Download: | ntdll.dll_repair-setup.exe |
Full analysis: | https://app.any.run/tasks/f1dbced1-be07-48fc-99a8-1a1c3938128e |
Verdict: | Malicious activity |
Analysis date: | October 09, 2019, 13:19:53 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 503F33DF63DDF4879F5F38CC081D9962 |
SHA1: | AD809C34AD1516C62D48AF2F4376CBD7561E9CD3 |
SHA256: | 47E466F1AEDE2D5C5DD66D935AA41A2B6D1F5F33EB3A45C8C54099923EEE9B9B |
SSDEEP: | 393216:JAr9+Ysc1MsqByxIyLoxu1eCZEXxrxihjALj+Uvx5Nnj+9NsVsYSJIVd:JAr9+YsctIbuXZvETjRsYdd |
Extension | Detected file type (score) |
---|---|
.exe | Win32 EXE PECompact compressed (generic) (79.7) |
.exe | Win32 Executable (generic) (8.6) |
.exe | Win16/32 Executable Delphi generic (3.9) |
.exe | Generic Win/DOS Executable (3.8) |
.exe | DOS Executable Generic (3.8) |
Field | Value |
---|---|
ProductVersion: | 1.x |
ProductName: | PC Repair |
OriginalFileName: | Outbyte-pc-repair-setup.exe |
LegalCopyright: | Copyright © 2016-2019 Outbyte Computing Pty Ltd |
FileVersion: | 1.0.2.4 |
FileDescription: | Outbyte PC Repair Installation File |
CompanyName: | Outbyte |
Comments: | PC Repair |
CharacterSet: | Unicode |
LanguageCode: | Neutral |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 1.0.2.4 |
FileVersionNumber: | 1.0.2.4 |
Subsystem: | Windows GUI |
SubsystemVersion: | 5 |
ImageVersion: | 6 |
OSVersion: | 5 |
EntryPoint: | 0x24530 |
UninitializedDataSize: | - |
InitializedDataSize: | 330752 |
CodeSize: | 143360 |
LinkerVersion: | 2.25 |
PEType: | PE32 |
TimeStamp: | 2019:04:01 13:31:19+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Field | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 01-Apr-2019 11:31:19 |
Detected languages: | |
Field | Value |
---|---|
Comments: | PC Repair |
CompanyName: | Outbyte |
FileDescription: | Outbyte PC Repair Installation File |
FileVersion: | 1.0.2.4 |
LegalCopyright: | Copyright © 2016-2019 Outbyte Computing Pty Ltd |
OriginalFileName: | Outbyte-pc-repair-setup.exe |
ProductName: | PC Repair |
ProductVersion: | 1.x |
DOS header field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0050 |
Pages in file: | 0x0002 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x000F |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x001A |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000100 |
PE header field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 11 |
Time date stamp: | 01-Apr-2019 11:31:19 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00022710 | 0x00022800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.36273 |
.itext | 0x00024000 | 0x00000630 | 0x00000800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.12848 |
.data | 0x00025000 | 0x000017B4 | 0x00001800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.63104 |
.bss | 0x00027000 | 0x00005D24 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.idata | 0x0002D000 | 0x00000FF0 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.02571 |
.didata | 0x0002E000 | 0x000001F4 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.47014 |
.edata | 0x0002F000 | 0x00000074 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.34766 |
.tls | 0x00030000 | 0x00000014 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rdata | 0x00031000 | 0x0000005C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.33262 |
.reloc | 0x00032000 | 0x00003164 | 0x00003200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.52454 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.05611 | 1792 | Latin 1 / Western European | Russian - Russia | RT_MANIFEST |
2 | 4.2849 | 9640 | Latin 1 / Western European | English - United States | RT_ICON |
3 | 4.45962 | 4936 | Latin 1 / Western European | English - United States | RT_ICON |
4 | 4.52914 | 4264 | Latin 1 / Western European | English - United States | RT_ICON |
5 | 4.64107 | 2848 | Latin 1 / Western European | English - United States | RT_ICON |
6 | 4.64625 | 2440 | Latin 1 / Western European | English - United States | RT_ICON |
7 | 4.79185 | 1720 | Latin 1 / Western European | English - United States | RT_ICON |
8 | 4.75843 | 1128 | Latin 1 / Western European | English - United States | RT_ICON |
4089 | 2.01661 | 76 | Latin 1 / Western European | UNKNOWN | RT_STRING |
4090 | 3.40938 | 608 | Latin 1 / Western European | UNKNOWN | RT_STRING |
Imported library |
---|
advapi32.dll |
kernel32.dll |
kernel32.dll (delay-loaded) |
netapi32.dll |
oleaut32.dll |
user32.dll |
version.dll |
Title | Ordinal | Address |
---|---|---|
dbkFCallWrapperAddr | 1 | 0x0002A628 |
__dbk_fcall_wrapper | 2 | 0x0000B598 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3680 | "C:\Users\admin\AppData\Local\Temp\ntdll.dll_repair-setup.exe" | C:\Users\admin\AppData\Local\Temp\ntdll.dll_repair-setup.exe | — | explorer.exe |
 | User: admin; Company: Outbyte; Integrity Level: MEDIUM; Description: Outbyte PC Repair Installation File; Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED); Version: 1.0.2.4 | | | |
2860 | "C:\Users\admin\AppData\Local\Temp\ntdll.dll_repair-setup.exe" | C:\Users\admin\AppData\Local\Temp\ntdll.dll_repair-setup.exe | — | explorer.exe |
 | User: admin; Company: Outbyte; Integrity Level: HIGH; Description: Outbyte PC Repair Installation File; Exit code: 0; Version: 1.0.2.4 | | | |
2656 | "C:\Users\admin\AppData\Local\Temp\is-838689.tmp\Installer.exe" /spid:2860 /splha:19605824 | C:\Users\admin\AppData\Local\Temp\is-838689.tmp\Installer.exe | — | ntdll.dll_repair-setup.exe |
 | User: admin; Company: Outbyte; Integrity Level: HIGH; Description: Installer; Exit code: 0; Version: 1.0.2.4 | | | |
3836 | "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Outbyte\PC Repair\BrowserCareHelper.Agent.x32.dll" | C:\Windows\system32\regsvr32.exe | — | Installer.exe |
 | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Microsoft(C) Register Server; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
3864 | "C:\Program Files\Outbyte\PC Repair\PCRepair.exe" /Install /SendInfo /AutoStart | C:\Program Files\Outbyte\PC Repair\PCRepair.exe | — | Installer.exe |
 | User: admin; Company: Outbyte; Integrity Level: HIGH; Description: PC Repair; Exit code: 0; Version: 1.0.2.4 | | | |
1368 | "C:\Program Files\Outbyte\PC Repair\PCRepair.exe" /FromInstaller | C:\Program Files\Outbyte\PC Repair\PCRepair.exe | — | Installer.exe |
 | User: admin; Company: Outbyte; Integrity Level: HIGH; Description: PC Repair; Version: 1.0.2.4 | | | |
2452 | "C:\Program Files\Outbyte\PC Repair\PCRepair.exe" | C:\Program Files\Outbyte\PC Repair\PCRepair.exe | — | explorer.exe |
 | User: admin; Company: Outbyte; Integrity Level: MEDIUM; Description: PC Repair; Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED); Version: 1.0.2.4 | | | |
3832 | "C:\Program Files\Outbyte\PC Repair\PCRepair.exe" | C:\Program Files\Outbyte\PC Repair\PCRepair.exe | — | explorer.exe |
 | User: admin; Company: Outbyte; Integrity Level: HIGH; Description: PC Repair; Version: 1.0.2.4 | | | |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2860 | ntdll.dll_repair-setup.exe | C:\Users\admin\AppData\Local\Temp\is-838689.tmp\Lang\ptb.lng | binary | F9E8B8E9D2DCDB7B519BDE13933A5C10 | 19A788A6902FFCEE298C675B1674BB5F095B397C60266BA17DDBB28FAA76EF41 |
2860 | ntdll.dll_repair-setup.exe | C:\Users\admin\AppData\Local\Temp\is-838689.tmp\Lang\ita.lng | binary | 478F0CDFFB71E5A2437254EE6F5391CB | BF44EF751D782DC8FF85CB0D651D9D60BE86536E3E8656F3EAEE28F710B6E9DF |
2860 | ntdll.dll_repair-setup.exe | C:\Users\admin\AppData\Local\Temp\is-838689.tmp\Lang\deu.lng | binary | C7D84D1EC9246B3C44D3CE85A1E1C5F3 | 73F999C4D879401CDB8AB09FC8D041C0CC4E2B93BE2BA61544C2293035596FDE |
2860 | ntdll.dll_repair-setup.exe | C:\Users\admin\AppData\Local\Temp\is-838689.tmp\EULA.rtf | text | B7F2FA63D7DE7F216C8D1B443AFBB1BA | 00B46F63FA9AEFFB2290B98D7A5AFFD1D9C1BC2A87A5ADFA149650088FDBAE76 |
2860 | ntdll.dll_repair-setup.exe | C:\Users\admin\AppData\Local\Temp\is-838689.tmp\Lang\fra.lng | binary | 5AF2F6333252A108F4F524C7E0E63335 | E4CE64D4087F8685D7B459281577C161D9D5FB6431B4D4A0D7316FA2170D1721 |
2860 | ntdll.dll_repair-setup.exe | C:\Users\admin\AppData\Local\Temp\is-838689.tmp\SetupHelper.dll | executable | 063AFAC37A104D6AFE50F3452A115013 | F2A87AAE95B9465048A6352F95BCC0F03B7F6D70EB37D7C225E7B67F6611B0DE |
2860 | ntdll.dll_repair-setup.exe | C:\Users\admin\AppData\Local\Temp\is-838689.tmp\Lang\enu.lng | binary | ED847FF63824762CFAA7A378E0E366E0 | 9FD5CCC01A20FF6BB3E5E89E37AC7BAB50E848FDCBA2D5F4608075031A72D7E8 |
2860 | ntdll.dll_repair-setup.exe | C:\Users\admin\AppData\Local\Temp\is-838689.tmp\Lang\esp.lng | binary | E456EE69A89D9F5D4F3D40D545A10A53 | B15B4075E73D46E72C917F5000E71BB68FFB369CA6ECC0C0BEB24685D957BE5A |
2656 | Installer.exe | C:\ProgramData\Outbyte\PC Repair\1.x\$$Cookies138071611 | — | — | — |
2656 | Installer.exe | C:\ProgramData\Outbyte\PC Repair\1.x\$$Databases.db138071642 | — | — | — |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2656 | Installer.exe | POST | 200 | 172.217.22.110:80 | http://www.google-analytics.com/collect | US | image | 35 b | whitelisted |
2656 | Installer.exe | POST | 200 | 172.217.22.110:80 | http://www.google-analytics.com/collect | US | image | 35 b | whitelisted |
2656 | Installer.exe | POST | 200 | 172.217.22.110:80 | http://www.google-analytics.com/collect | US | image | 35 b | whitelisted |
2656 | Installer.exe | POST | 200 | 172.217.22.110:80 | http://www.google-analytics.com/collect | US | image | 35 b | whitelisted |
2656 | Installer.exe | POST | 200 | 172.217.22.110:80 | http://www.google-analytics.com/collect | US | image | 35 b | whitelisted |
2656 | Installer.exe | POST | 200 | 172.217.22.110:80 | http://www.google-analytics.com/collect | US | image | 35 b | whitelisted |
2656 | Installer.exe | POST | 200 | 172.217.22.110:80 | http://www.google-analytics.com/collect | US | image | 35 b | whitelisted |
2656 | Installer.exe | POST | 200 | 172.217.22.110:80 | http://www.google-analytics.com/collect | US | image | 35 b | whitelisted |
2656 | Installer.exe | POST | 200 | 172.217.22.110:80 | http://www.google-analytics.com/collect | US | image | 35 b | whitelisted |
2656 | Installer.exe | POST | 200 | 172.217.22.110:80 | http://www.google-analytics.com/collect | US | image | 35 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2656 | Installer.exe | 172.217.22.110:80 | www.google-analytics.com | Google Inc. | US | whitelisted |
1368 | PCRepair.exe | 45.79.210.152:443 | outbyte.com | Linode, LLC | US | unknown |
2656 | Installer.exe | 45.79.210.152:443 | outbyte.com | Linode, LLC | US | unknown |
Domain | IP | Reputation |
---|---|---|
outbyte.com | 45.79.210.152 | suspicious |
www.google-analytics.com | 172.217.22.110 | whitelisted |