forklifts.exe

The application forklifts.exe has been detected as a potentially unwanted program by 3 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler triggered daily at a specified time. While running, it connects to the Internet address pr-bh.pbp.vip.bf1.yahoo.com on port 80 using the HTTP protocol.
Publisher:
windows

Product:
network

Version:
1.0.2.0

MD5:
74ea7f2dbba0bc2b5fbcc90c4f87cbbd

SHA-1:
b7c5ed0ef71b31e6106d4f6680c00bbfbc76d32f

SHA-256:
99a1868887dfee8205a2f651752f2c69e4f2881b43a5aebb6eabe70f343c1842

Scanner detections:
3 / 68

Status:
Potentially unwanted

Analysis date:
1/14/2025 10:32:11 AM UTC

Scan engine / Detection / Engine version:
Dr.Web: Adware.Dotdo.133 (engine version 9.0.1.05190)
ESET NOD32: MSIL/Adware.Dotdo.AC application (engine version 6.3.12010.0)
Reason Heuristics: Adware.Dotdo.DB (M) (engine version 17.2.20.21)

File size:
297 KB (304,128 bytes)

Product version:
1.0.2.0

Copyright:
2015

Trademarks:
trade

Original file name:
forklifts.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\junkets\forklifts.exe

File PE Metadata
Compilation timestamp:
2/14/2017 6:18:17 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

Entry address:
0x4B946

Entry point:
FF, 25, 54, B9, 44, 00, 00, 00, 00, 00, 00, 00, 00, 00, 28, B9, 04, 00, 00, 00, 00, 00, 00, 00, 00, 00, 89, F5, A2, 58, 00, 00, 00, 00, 02, 00, 00, 00, 44, 00, 00, 00, 78, B9, 04, 00, 78, 9B, 04, 00, 52, 53, 44, 53, E7, 94, B3, A1, 43, F9, C0, 4D, AD, EA, B0, 49, F8, EF, F7, 34, 01, 00, 00, 00, 43, 3A, 5C, 77, 61, 6D, 70, 5C, 64, 6F, 74, 64, 6F, 5C, 64, 65, 6C, 69, 5C, 74, 6D, 70, 66, 69, 6C, 65, 73, 5C, 32, 5C, 66, 6F, 72, 6B, 6C, 69, 66, 74, 73, 2E, 70, 64, 62, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Code size:
294.5 KB (301,568 bytes)

Scheduled Task
Task name:
dc07A1tU41xrWPCPqjcxbl-ni-2017-02-16-ni-20705-ni-1

Trigger:
Daily (Runs daily at 15:35)

Description:
cc07A1tU41xrWPCPqjcxbl-ni-2017-02-16-ni-20705-ni-1


The executing file has been seen to make the following network communications in live environments.

Remove forklifts.exe - Powered by Reason Core Security