theodore.exe

Theodore

The application theodore.exe has been detected as a potentially unwanted program by 2 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler, named 36449444 and triggered to execute each time a user logs in. While running, it connects to the Internet address server-52-84-145-15.yto50.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher:
Theodore

Product:
Theodore

Version:
7.1.2.31

MD5:
769e73c43ceb88f6244a672fb1894fdf

SHA-1:
e2c95b9e8c4239471a38831fe0b3c0b1d8f6bf65

SHA-256:
f3a87adf59f0e09f230d359e3d2f16bbbf2fccde932133f22aaf6be5fe4a0df8

Scanner detections:
2 / 68

Status:
Potentially unwanted

Analysis date:
12/27/2024 3:32:15 AM UTC

Scan engine | Detection | Engine version
ESET NOD32 | MSIL/Adware.Dotdo.AP application | 6.3.12010.0
Reason Heuristics | Adware.Dotdo.ET (M) | 17.2.11.15

File size:
11.5 KB (11,776 bytes)

Product version:
7.1.2.31

Copyright:
Copyright © Theodore 2017

Trademarks:
© 2017 Theodore

Original file name:
theodore.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\Program Files\format\theodore.exe

File PE Metadata
Compilation timestamp:
2/11/2017 8:06:23 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

Entry address:
0x417E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
3.9603

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
8.5 KB (8,704 bytes)

Scheduled Task
Task name:
36449444

Trigger:
Logon (Runs on logon)

Description:
3644944436449444
The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to static.hosted-by.miamidedicated.com  (162.222.193.86:80)

TCP (HTTP):
Connects to hosted-by.instantdedicated.com  (188.95.50.62:80)

TCP (HTTP):
Connects to server-52-84-145-15.yto50.r.cloudfront.net  (52.84.145.15:80)

TCP (HTTP):
Connects to server-52-85-77-130.lax3.r.cloudfront.net  (52.85.77.130:80)

TCP (HTTP):
Connects to ec2-52-86-186-156.compute-1.amazonaws.com  (52.86.186.156:80)

TCP (HTTP):
Connects to 46.c8.c0ad.ip4.static.sl-reverse.com  (173.192.200.70:80)

TCP (HTTP):
Connects to server-52-84-144-208.yto50.r.cloudfront.net  (52.84.144.208:80)

TCP (HTTP):
Connects to ec2-52-200-196-73.compute-1.amazonaws.com  (52.200.196.73:80)

TCP (HTTP):
Connects to ec2-34-194-100-186.compute-1.amazonaws.com  (34.194.100.186:80)

TCP (HTTP):
Connects to cdce.chg005.internap.com  (74.201.0.11:80)

TCP (HTTP):
Connects to ec2-52-5-219-205.compute-1.amazonaws.com  (52.5.219.205:80)

TCP (HTTP):
Connects to ec2-34-194-113-198.compute-1.amazonaws.com  (34.194.113.198:80)

TCP (HTTP SSL):
Connects to a23-72-55-119.deploy.static.akamaitechnologies.com  (23.72.55.119:443)

TCP (HTTP):
Connects to pr-east2.pbp.vip.bf1.yahoo.com  (72.30.3.42:80)

TCP (HTTP):
Connects to pr-bh.pbp.vip.bf1.yahoo.com  (72.30.2.182:80)

TCP (HTTP SSL):
Connects to ec2-52-9-71-182.us-west-1.compute.amazonaws.com  (52.9.71.182:443)

TCP (HTTP SSL):
Connects to ec2-52-86-23-40.compute-1.amazonaws.com  (52.86.23.40:443)

TCP (HTTP):
Connects to ec2-52-72-71-183.compute-1.amazonaws.com  (52.72.71.183:80)

TCP (HTTP SSL):
Connects to ec2-52-7-227-142.compute-1.amazonaws.com  (52.7.227.142:443)

TCP (HTTP):
Connects to ec2-52-206-69-230.compute-1.amazonaws.com  (52.206.69.230:80)

Powered by Reason Core Security