Diagnostics.exe

M/s Tech AnB

The application Diagnostics.exe by M/s Tech AnB has been detected as adware by 1 of 68 anti-malware scanners, with very strong indications that the file is a potential threat. It is set to start automatically when a user logs into Windows, via the current-user Run registry key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) under the value name ‘Diagnostics’. While running, it connects over HTTP (TCP port 80) to admarketplace.dmarc.lga1.atlanticmetro.net.
Publisher:
Diagnostics (signed by M/s Tech AnB)

Product:
Diagnostics

Version:
1.0.0.1

MD5:
265ad98d8e0a26200e2888e9e5b208c5

SHA-1:
1deace04986eab58ca9b5e8d5ac624b4ce05de66

SHA-256:
d7d6e6d14419156dfca576929f5afb9a2eae95ea3be42e51cb89bb686be6da8f

Scanner detections:
1 / 68

Status:
Adware

Note:
None of the third-party anti-malware engines in our current pool detect this file; the single detection is our own heuristic (Reason Heuristics), on the basis of which we consider the file unwanted.

Analysis date:
11/5/2024 9:41:59 AM UTC  (today)

Scan engine:
Reason Heuristics

Detection:
PUP.Startup.DoubleOpt Media

Engine version:
15.1.31.12

File size:
1.6 MB (1,727,104 bytes)

Product version:
1.0.0.1

Copyright:
Diagnostics. All rights reserved.

Original file name:
Diagnostics.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\software technical support\diagnostics.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
2/9/2014 7:00:00 PM

Valid to:
2/10/2015 6:59:59 PM

Subject:
CN=M/s Tech AnB, O=M/s Tech AnB, STREET="Plot No. F-125,", STREET="Sector 74,", STREET="Industrial Area, Phase 8B", L=Mohali, S=Punjab, PostalCode=160071, C=IN

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00C12161D8036677E0A09B9580299D979F

File PE Metadata
Compilation timestamp:
1/15/2015 6:11:53 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
49152:SVvWrlUrUWKPuFMgBtD++/lUEHFFY+S/FrphLWbmtdE69TnyFC3U8IW:SSyrUWKfgBs+/lUEHFFY+S/1pdb9TnyQ

Entry address:
0x104AAA

Entry point:
E8, C6, A8, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 51, 53, 8B, 45, 0C, 83, C0, 0C, 89, 45, FC, 64, 8B, 1D, 00, 00, 00, 00, 8B, 03, 64, A3, 00, 00, 00, 00, 8B, 45, 08, 8B, 5D, 0C, 8B, 6D, FC, 8B, 63, FC, FF, E0, 5B, C9, C2, 08, 00, 58, 59, 87, 04, 24, FF, E0, 8B, FF, 55, 8B, EC, 51, 51, 53, 56, 57, 64, 8B, 35, 00, 00, 00, 00, 89, 75, FC, C7, 45, F8, 18, 4B, 50, 00, 6A, 00, FF, 75, 0C, FF, 75, F8, FF, 75, 08, E8, A4, 54, 01, 00, 8B, 45, 0C, 8B, 40, 04, 83, E0, FD, 8B, 4D, 0C, 89, 41, 04, 64, 8B, 3D...

Entropy:
6.4320

Code size:
1.2 MB (1,206,784 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Diagnostics

Command:
"C:\Program Files\software technical support\diagnostics.exe"


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to admarketplace.dmarc.lga1.atlanticmetro.net  (108.60.149.202:80)

TCP (HTTP):
Connects to ec2-34-194-151-20.compute-1.amazonaws.com  (34.194.151.20:80)
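The startup entry and the network destinations above are the indicators an analyst would actually hunt for on other hosts. As an added example (not part of the original listing, and not code from M/s Tech AnB or Reason Core Security), the following Python script turns the listed file hashes, the HKCU Run value, the image path and the two network destinations into checks that run over an Autoruns-style CSV export and a proxy log. Both inputs are constructed sample data, and their column layouts are assumptions rather than the format of any real tool; the renamed copy in the third CSV row is included to show why the hash check matters alongside the path check.

```python
"""Turn the Diagnostics.exe listing into host and network checks.

Added example; the Autoruns-style CSV and the proxy log below are constructed
sample data, and their column layouts are assumptions, not a real export.
"""
import csv
import io
import re

# Indicators copied from the listing (lowercased for case-insensitive matching).
FILE_HASHES = {
    "265ad98d8e0a26200e2888e9e5b208c5",                                  # MD5
    "1deace04986eab58ca9b5e8d5ac624b4ce05de66",                          # SHA-1
    "d7d6e6d14419156dfca576929f5afb9a2eae95ea3be42e51cb89bb686be6da8f",  # SHA-256
}
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
RUN_VALUE = "diagnostics"
IMAGE_PATH = r"c:\program files\software technical support\diagnostics.exe"
NET_HOSTS = {
    "admarketplace.dmarc.lga1.atlanticmetro.net",
    "ec2-34-194-151-20.compute-1.amazonaws.com",
}
NET_IPS = {"108.60.149.202", "34.194.151.20"}


def image_from_command(command: str) -> str:
    """Return the executable path from a Run-key command, lowercased.

    Handles the quoted form shown in the listing ("C:\\...\\diagnostics.exe")
    as well as an unquoted path followed by arguments.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return (command[1:end] if end > 0 else command[1:]).lower()
    # Unquoted: take everything up to and including the first ".exe".
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return (m.group(1) if m else command).lower()


def check_autoruns(csv_text: str) -> list:
    """Flag rows of an Autoruns-style CSV export that match the listing."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        location = (row.get("Location") or "").lower()
        entry = (row.get("Entry") or "").lower()
        if location == RUN_KEY and entry == RUN_VALUE:
            reasons.append("run-key value name")
        if image_from_command(row.get("Launch String") or "") == IMAGE_PATH:
            reasons.append("image path")
        for col in ("MD5", "SHA-256"):
            if (row.get(col) or "").lower() in FILE_HASHES:
                reasons.append(f"{col} hash")
        if reasons:
            findings.append((row.get("Entry") or "", reasons))
    return findings


def check_proxy_log(text: str) -> list:
    """Return (client, indicator) pairs for connections to the listed hosts/IPs.

    Assumed line layout: timestamp client method url dest_ip:port
    """
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        _ts, client, _method, url, dest = parts[:5]
        m = re.match(r"https?://([^/:]+)", url)
        host = m.group(1).lower() if m else ""
        dest_ip = dest.rsplit(":", 1)[0]
        if host in NET_HOSTS:
            hits.append((client, host))
        elif dest_ip in NET_IPS:
            hits.append((client, dest_ip))
    return hits


# Constructed sample data. Row 1 is a benign entry; row 2 is the listed entry;
# row 3 is a renamed copy under a different key that only the hash catches.
SAMPLE_AUTORUNS = r'''Location,Entry,Launch String,MD5,SHA-256
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,"""C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe"" /background",d41d8cd98f00b204e9800998ecf8427e,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Diagnostics,"""C:\Program Files\software technical support\diagnostics.exe""",265AD98D8E0A26200E2888E9E5B208C5,D7D6E6D14419156DFCA576929F5AFB9A2EAE95EA3BE42E51CB89BB686BE6DA8F
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,diag,C:\Users\a\AppData\Roaming\diag.exe -s,00000000000000000000000000000000,d7d6e6d14419156dfca576929f5afb9a2eae95ea3be42e51cb89bb686be6da8f
'''

SAMPLE_PROXY_LOG = """\
2024-11-05T09:41:59Z 10.0.0.12 GET http://admarketplace.dmarc.lga1.atlanticmetro.net/ 108.60.149.202:80
2024-11-05T09:42:03Z 10.0.0.12 GET http://34.194.151.20/check 34.194.151.20:80
2024-11-05T09:42:10Z 10.0.0.15 GET http://www.example.com/ 93.184.216.34:80
"""

if __name__ == "__main__":
    for entry, reasons in check_autoruns(SAMPLE_AUTORUNS):
        print(f"autoruns: {entry}: {', '.join(reasons)}")
    for client, indicator in check_proxy_log(SAMPLE_PROXY_LOG):
        print(f"network: {client} -> {indicator}")
```

The hash and path checks are the reliable part: the code-signing certificate in the listing expired in February 2015, so signature validity is not a useful discriminator here, whereas the SHA-256 matches regardless of where the file is renamed to. The network destinations are weaker on their own: the amazonaws.com name is a generic EC2 reverse-DNS entry and the atlanticmetro.net host serves an ad marketplace, both of which can be shared with unrelated traffic, so treat a network hit as a lead to pivot on rather than a verdict.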

Remove Diagnostics.exe - Powered by Reason Core Security