where.exe

Where

The application where.exe has been detected as a potentially unwanted program by 2 anti-malware scanners. It persists as a Windows Task Scheduler task named 54679363, triggered each time a user logs in.
Publisher:
Where

Product:
Where

Version:
9.1.4.29

MD5:
cc29b8d6b8ac6331f3e511da7d3d2505

SHA-1:
5d4ec5ee8e5ccbb10bbe57c94b4dfb58b5652e59

SHA-256:
a8851e69a8f3280611bb009ced164cbc5dfefaade335a6208903da34432bc20c

Scanner detections:
2 / 68

Status:
Potentially unwanted

Analysis date:
11/15/2024 10:43:31 PM UTC

Scan engine          Detection                            Engine version
ESET NOD32           MSIL/Adware.Dotdo.AP application     6.3.12010.0
Reason Heuristics    Adware.Dotdo.ET (M)                  17.2.25.2

File size:
10.5 KB (10,752 bytes)

Product version:
9.1.4.29

Copyright:
Copyright © Where 2017

Trademarks:
© 2017 Where

Original file name:
where.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\where.exe

File PE Metadata
Compilation timestamp:
2/24/2017 7:36:56 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

Entry address:
0x3FAE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 02, 00, 10, 00, 00, 00, 20, 00, 00, 80, 18, 00, 00, 00, 38, 00, 00, 80, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
4.1183

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
8 KB (8,192 bytes)

Scheduled Task
Task name:
54679363

Trigger:
Logon (Runs on logon)

Description:
5467936354679363
The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to static.hosted-by.miamidedicated.com  (162.222.193.86:80)

TCP (HTTP):
Connects to hosted-by.instantdedicated.com  (188.95.50.62:80)

TCP (HTTP):
Connects to static-106-212-205-209.24shells.net  (209.205.212.106:80)

TCP (HTTP SSL):
Connects to server-54-230-197-72.lhr50.r.cloudfront.net  (54.230.197.72:443)

TCP (HTTP SSL):
Connects to server-54-192-11-230.lhr3.r.cloudfront.net  (54.192.11.230:443)

TCP (HTTP SSL):
Connects to map2.hwcdn.net  (205.185.216.10:443)

TCP (HTTP):
Connects to ec2-54-89-12-163.compute-1.amazonaws.com  (54.89.12.163:80)

TCP (HTTP):
Connects to ec2-52-72-32-144.compute-1.amazonaws.com  (52.72.32.144:80)

TCP (HTTP):
Connects to ec2-52-71-221-69.compute-1.amazonaws.com  (52.71.221.69:80)

TCP (HTTP):
Connects to ec2-52-6-27-107.compute-1.amazonaws.com  (52.6.27.107:80)

TCP (HTTP):
Connects to ec2-52-30-200-21.eu-west-1.compute.amazonaws.com  (52.30.200.21:80)

TCP (HTTP SSL):
Connects to ec2-52-16-184-181.eu-west-1.compute.amazonaws.com  (52.16.184.181:443)

TCP (HTTP SSL):
Connects to ec2-52-15-98-168.us-east-2.compute.amazonaws.com  (52.15.98.168:443)

TCP (HTTP):
Connects to ec2-34-199-235-54.compute-1.amazonaws.com  (34.199.235.54:80)

TCP (HTTP SSL):
Connects to 57.247.178.107.bc.googleusercontent.com  (107.178.247.57:443)

TCP (HTTP):
Connects to static-122-212-205-209.24shells.net  (209.205.212.122:80)

TCP (HTTP):
Connects to server-54-230-197-132.lhr50.r.cloudfront.net  (54.230.197.132:80)

TCP (HTTP):
Connects to server-54-192-11-43.lhr3.r.cloudfront.net  (54.192.11.43:80)

TCP (HTTP):
Connects to server-54-192-11-174.lhr3.r.cloudfront.net  (54.192.11.174:80)

Remove where.exe - Powered by Reason Core Security