medical.exe

ping

medical.exe (product name "ping", version 1.0.0.0) is flagged as a potentially unwanted program by 3 of the 68 anti-malware scanners consulted. It persists as a Windows Task Scheduler task named 72036353 with a logon trigger, so it is re-launched each time a user logs in. AVG classifies it as a downloader (Downloader.BGWP) that fetches additional adware offers during setup; ESET NOD32 and Reason Heuristics classify it as Dotdo adware. While running it connects to a dozen hosts over HTTP and HTTPS, among them server-52-85-142-223.iad12.r.cloudfront.net on port 443; the full list is in the network section below.
Product:
ping

Version:
1.0.0.0

MD5:
8b91876e69e91373540d1b8b1525e9c3

SHA-1:
e9dabdb2ff095d6df4a122da72026a00ace8ebd8

SHA-256:
8278901a26dff00ad1c6e1f3edb45ebe6a172a6a6735018fbe7ae0eb6ec40e09

Scanner detections:
3 / 68

Status:
Potentially unwanted

Analysis date:
11/23/2024 7:35:08 AM UTC

Scan engine          Detection                                     Engine version
AVG                  Potentially harmful program Downloader.BGWP   2013.0.4477
ESET NOD32           MSIL/Adware.Dotdo.AP application              6.3.12010.0
Reason Heuristics    Adware.Dotdo.ET (M)                           17.3.13.1

File size:
10.5 KB (10,752 bytes)

Product version:
1.0.0.0

Copyright:
Copyright © 2016

Original file name:
medical.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\Program Files\sandro\medical.exe

File PE Metadata
Compilation timestamp:
1/6/2017 6:01:27 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

Entry address:
0x3F2E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

The first instruction, FF 25 00 20 40 00, disassembles to jmp dword ptr [0x00402000]: with the default image base of 0x400000 that is the import address table entry for mscoree!_CorExeMain, the only native import a C#-compiled assembly needs, and the loader jumps through it to start the CLR. The zeroes that follow are section padding; the native code of a managed executable is just this six-byte stub, and the rest of the 8 KB .text section holds the CLR header, IL and metadata rather than native code.

Entropy:
4.2292

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
8 KB (8,192 bytes)
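The PE metadata fields above (compile timestamp, linker version, subsystem, entry-point RVA and bytes, .NET CLR dependency, hashes, entropy) can all be read straight from the raw image with a short parser. The following is an added example written for this page, not code from Reason Core Security; the PE32 blob it builds is constructed to carry the same header values as the listing and is not the real medical.exe, and the section layout (.text at RVA 0x2000, raw offset 0x200) is an assumption chosen so the entry point at 0x3F2E falls inside it.

```python
"""Minimal PE32 metadata reader: added example, not code from the scan database.

Recovers the fields the listing reports for medical.exe (compile timestamp, linker
version, subsystem, entry-point RVA and first bytes, CLR header presence, hashes,
entropy) from a raw image, and builds a constructed PE32 blob with the same header
values so the parser can be exercised offline. Standard library only.
"""
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

CLR_DIRECTORY_INDEX = 14                      # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows CUI"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data: bytes) -> dict:
    """Parse the DOS, COFF and PE32 optional headers plus the entry-point section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                        # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe + 4
    _machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (Win32) images are handled here")
    major, minor = struct.unpack_from("<BB", data, opt + 2)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    clr_rva = clr_size = 0
    if n_dirs > CLR_DIRECTORY_INDEX:                                    # data directories start at opt+96
        clr_rva, clr_size = struct.unpack_from("<II", data, opt + 96 + 8 * CLR_DIRECTORY_INDEX)
    # Find the section containing the entry point and read its first six bytes.
    entry_bytes = b""
    for i in range(nsections):
        _, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            off = rawptr + (entry_rva - vaddr)
            entry_bytes = data[off:off + 6]
            break
    # FF 25 imm32 is "jmp dword ptr [imm32]", the native stub every managed executable starts with.
    is_stub = len(entry_bytes) == 6 and entry_bytes[:2] == b"\xff\x25"
    jmp_target = struct.unpack("<I", entry_bytes[2:6])[0] if is_stub else None
    return {
        "compiled": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
        "linker_version": f"{major}.{minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "entry_rva": entry_rva,
        "entry_bytes": entry_bytes.hex(" ").upper(),
        "entry_jmp_target": jmp_target,
        "clr_dependent": bool(clr_rva and clr_size),
        "hashes": {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")},
        "entropy": round(shannon_entropy(data), 4),
    }


def build_sample_pe() -> bytes:
    """Constructed PE32 image (not the real medical.exe) carrying the listing's header values."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 1483682487, 0, 0, 224, 0x0102)      # 2017-01-06 06:01:27 UTC
    opt = bytearray(224)
    struct.pack_into("<HBB", opt, 0, 0x10B, 11, 0)                               # PE32 magic, linker 11.0
    struct.pack_into("<I", opt, 16, 0x3F2E)                                      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                                    # ImageBase
    struct.pack_into("<H", opt, 68, 2)                                           # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * CLR_DIRECTORY_INDEX, 0x2008, 0x48)     # CLR header present
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x2000, 0x2000, 0x2000, 0x200, 0, 0, 0, 0, 0x60000020)
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(0x200, b"\0")
    text = bytearray(0x2000)
    text[:256] = bytes(range(256))                                               # filler so entropy is non-zero
    text[0x1F2E:0x1F34] = b"\xff\x25\x00\x20\x40\x00"                            # jmp dword ptr [0x402000]
    return header + bytes(text)


if __name__ == "__main__":
    for k, v in parse_pe(build_sample_pe()).items():
        print(f"{k}: {v}")
```

Run it against a real file with `parse_pe(open(path, "rb").read())` and compare the hashes with the MD5/SHA-1/SHA-256 above; the `clr_dependent` flag is what the listing calls ".NET CLR dependent", and a non-null `entry_jmp_target` together with a six-byte native stub is the signature of a managed assembly.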

Scheduled Task
Task name:
72036353

Trigger:
Logon (Runs on logon)

Description:
7203635372036353
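A responder checking a host for this persistence would pull the task definition and look at its trigger and action. Task definitions are stored as XML under %SystemRoot%\System32\Tasks and can be exported with `schtasks /Query /TN <name> /XML`. The following added example (written for this page, not code from Reason Core Security) parses that XML format and flags the traits shown above: a logon trigger, an all-digit task name and description, no recorded author, and a command whose SHA-256 matches the listing. Both task documents in the block are constructed; the benign one and its command path are invented for contrast.

```python
"""Triage Windows Task Scheduler definitions: added example, not code from the scan database.

Task definitions are stored as XML under %SystemRoot%\\System32\\Tasks and can be
exported with `schtasks /Query /TN <name> /XML`. This reproduces the check a responder
would run for the task above (72036353, logon trigger, medical.exe). The two task XML
documents below are constructed, not captured from a host.
"""
import re
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# SHA-256 from the listing above; a real deployment would load a full indicator feed.
KNOWN_BAD_SHA256 = {
    "8278901a26dff00ad1c6e1f3edb45ebe6a172a6a6735018fbe7ae0eb6ec40e09": "medical.exe (Adware.Dotdo)",
}

# Constructed to mirror the listing. Real exports begin with a UTF-16 XML declaration,
# so read them as bytes and let ElementTree honour the byte-order mark.
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>7203635372036353</Description></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Program Files\sandro\medical.exe</Command></Exec></Actions>
</Task>"""

# Constructed benign task for contrast (invented name, author and path).
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Example Corp IT</Author><Description>Nightly backup</Description></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T02:00:00</StartBoundary><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Backup\backup.exe</Command><Arguments>--nightly</Arguments></Exec></Actions>
</Task>"""


def triage_task(task_name: str, xml_text: str, command_sha256: Optional[str] = None) -> dict:
    """Summarise triggers and action, and list the reasons the task deserves a look.

    command_sha256 is the hash of the file the Command points at, computed by the
    caller on the host (hashlib.sha256(open(path, "rb").read()).hexdigest()).
    """
    root = ET.fromstring(xml_text)
    trig = root.find("t:Triggers", NS)
    triggers = [] if trig is None else [t.tag.rsplit("}", 1)[-1] for t in trig]
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS)
    arguments = root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=NS)
    description = root.findtext("t:RegistrationInfo/t:Description", default="", namespaces=NS)
    author = root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=NS)

    reasons = []
    if "LogonTrigger" in triggers:
        reasons.append("runs at every user logon")
    if re.fullmatch(r"\d+", task_name):
        reasons.append("task name is an opaque number")
    if description and re.fullmatch(r"\d+", description):
        reasons.append("description is digits only")
    if not author:
        reasons.append("no Author recorded")
    ioc = KNOWN_BAD_SHA256.get((command_sha256 or "").lower())
    if ioc:
        reasons.append(f"command hash matches {ioc}")
    return {
        "name": task_name, "triggers": triggers, "command": command, "arguments": arguments,
        "description": description, "author": author, "reasons": reasons, "ioc_match": ioc is not None,
    }


if __name__ == "__main__":
    for name, xml_text, sha in (
        ("72036353", SUSPICIOUS_TASK_XML, "8278901a26dff00ad1c6e1f3edb45ebe6a172a6a6735018fbe7ae0eb6ec40e09"),
        ("NightlyBackup", BENIGN_TASK_XML, None),
    ):
        r = triage_task(name, xml_text, sha)
        print(f"{name}: {r['command']} -> {len(r['reasons'])} reason(s): {r['reasons']}")
```

The heuristics other than the hash match are deliberately weak on their own (plenty of legitimate installers register logon tasks); the hash is the decisive check, and the task name, description and missing author are the corroborating details that match this listing.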


The executing file has been seen to make the following network communications in live environments. The cloudfront.net, compute-1.amazonaws.com and sl-reverse.com names are reverse DNS for shared CloudFront, EC2 and SoftLayer address pools, so those addresses identify the hosting provider rather than this operator and also carry unrelated traffic; a hit on one of them alone is a weak indicator. The static and dedicated-hosting names (miamidedicated.com, instantdedicated.com, static.hvvc.us) are more specific to this sample.

TCP (HTTP):
Connects to static.hosted-by.miamidedicated.com  (162.222.193.17:80)

TCP (HTTP SSL):
Connects to server-52-85-142-223.iad12.r.cloudfront.net  (52.85.142.223:443)

TCP (HTTP):
Connects to server-52-84-126-187.iad16.r.cloudfront.net  (52.84.126.187:80)

TCP (HTTP):
Connects to server-52-84-125-177.iad16.r.cloudfront.net  (52.84.125.177:80)

TCP (HTTP):
Connects to hosted-by.instantdedicated.com  (188.95.50.62:80)

TCP (HTTP):
Connects to ec2-52-86-129-112.compute-1.amazonaws.com  (52.86.129.112:80)

TCP (HTTP):
Connects to ec2-52-54-171-173.compute-1.amazonaws.com  (52.54.171.173:80)

TCP (HTTP):
Connects to ec2-52-44-29-108.compute-1.amazonaws.com  (52.44.29.108:80)

TCP (HTTP):
Connects to ec2-34-200-134-167.compute-1.amazonaws.com  (34.200.134.167:80)

TCP (HTTP):
Connects to 46.c8.c0ad.ip4.static.sl-reverse.com  (173.192.200.70:80)

TCP (HTTP):
Connects to 198-178-122-193.static.hvvc.us  (198.178.122.193:80)

TCP (HTTP):
Connects to 162-254-148-148.static.hvvc.us  (162.254.148.148:80)
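Hunting for these destinations in proxy or flow logs needs the confidence tiering the reverse-DNS names imply: a client touching a CloudFront or EC2 address that appears above is not, by itself, evidence of this sample. The following added example (written for this page, not code from Reason Core Security) matches log lines against the twelve destinations listed, grades each hit by whether its reverse DNS is in a shared cloud pool, and rolls hits up per client. The log format (ts src_ip dst_ip dst_port host) and the log lines are constructed for the example; the suffix list used for "shared" and the three-destination threshold are assumptions a team would tune.

```python
"""Match proxy or flow logs against the destinations listed above: added example, not code
from the scan database.

Twelve destination IP:port pairs are listed. Those whose reverse DNS is under cloudfront.net,
compute-1.amazonaws.com or sl-reverse.com sit in shared CloudFront, EC2 and SoftLayer pools,
so a lone hit there is weak evidence; the static/dedicated-hosting addresses are stronger,
and one client touching several listed destinations is stronger still. The log lines are
constructed in a simple whitespace format (ts src_ip dst_ip dst_port host) for the example.
"""
import ipaddress
from collections import defaultdict

# Destination indicators copied from the network section above (reverse DNS as reported there).
NETWORK_IOCS = {
    ("162.222.193.17", 80): "static.hosted-by.miamidedicated.com",
    ("52.85.142.223", 443): "server-52-85-142-223.iad12.r.cloudfront.net",
    ("52.84.126.187", 80): "server-52-84-126-187.iad16.r.cloudfront.net",
    ("52.84.125.177", 80): "server-52-84-125-177.iad16.r.cloudfront.net",
    ("188.95.50.62", 80): "hosted-by.instantdedicated.com",
    ("52.86.129.112", 80): "ec2-52-86-129-112.compute-1.amazonaws.com",
    ("52.54.171.173", 80): "ec2-52-54-171-173.compute-1.amazonaws.com",
    ("52.44.29.108", 80): "ec2-52-44-29-108.compute-1.amazonaws.com",
    ("34.200.134.167", 80): "ec2-34-200-134-167.compute-1.amazonaws.com",
    ("173.192.200.70", 80): "46.c8.c0ad.ip4.static.sl-reverse.com",
    ("198.178.122.193", 80): "198-178-122-193.static.hvvc.us",
    ("162.254.148.148", 80): "162-254-148-148.static.hvvc.us",
}

# Shared cloud/CDN reverse-DNS suffixes (assumption): the IP identifies the provider, not the operator.
SHARED_SUFFIXES = (".cloudfront.net", ".compute-1.amazonaws.com", ".sl-reverse.com")

# Constructed log sample: one client hitting three listed destinations, one client hitting a
# shared CloudFront IP for an unrelated distribution, one client with no match at all.
SAMPLE_LOG = """\
# constructed: ts src_ip dst_ip dst_port host
2024-11-23T07:35:10Z 10.1.2.30 162.222.193.17 80 static.hosted-by.miamidedicated.com
2024-11-23T07:35:11Z 10.1.2.30 52.85.142.223 443 server-52-85-142-223.iad12.r.cloudfront.net
2024-11-23T07:35:12Z 10.1.2.30 198.178.122.193 80 198-178-122-193.static.hvvc.us
2024-11-23T07:40:00Z 10.1.2.77 52.85.142.223 443 d111111abcdef8.cloudfront.net
2024-11-23T07:41:00Z 10.1.2.90 93.184.216.34 80 example.com
"""


def ioc_confidence(rdns: str) -> str:
    """'low' for shared cloud/CDN pools, 'high' for static or dedicated hosting."""
    return "low" if rdns.endswith(SHARED_SUFFIXES) else "high"


def parse_line(line: str):
    """Split one constructed log line; ip_address() normalises the destination text."""
    ts, src, dst, port, host = line.split(maxsplit=4)
    return ts, src, str(ipaddress.ip_address(dst)), int(port), host


def match_iocs(lines):
    """Return one hit per log line whose destination IP:port is in NETWORK_IOCS."""
    hits = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, host = parse_line(line)
        rdns = NETWORK_IOCS.get((dst, port))
        if rdns is None:
            continue
        hits.append({"ts": ts, "src": src, "dst": f"{dst}:{port}", "ioc_rdns": rdns,
                     "observed_host": host, "confidence": ioc_confidence(rdns)})
    return hits


def triage_by_source(hits):
    """Roll hits up per client: any high-confidence IOC, or three or more distinct listed
    destinations (threshold is an assumption), escalates; a lone shared-pool hit stays low."""
    per_src = defaultdict(list)
    for h in hits:
        per_src[h["src"]].append(h)
    verdicts = {}
    for src, hs in per_src.items():
        distinct = {h["dst"] for h in hs}
        high = any(h["confidence"] == "high" for h in hs)
        verdicts[src] = "investigate" if high or len(distinct) >= 3 else "low-confidence"
    return verdicts


if __name__ == "__main__":
    hits = match_iocs(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h)
    print(triage_by_source(hits))
```

Blocking the CloudFront and EC2 addresses outright would break unrelated services that share them; the defensible response is to alert on the dedicated-hosting destinations and on clients that touch several listed addresses together, then confirm on the host with the task name and file hash above.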

Remove medical.exe - Powered by Reason Core Security