AutoPico.exe

AutoPico

@ByELDI

The application AutoPico.exe by @ByELDI has been detected as a potentially unwanted program by 1 anti-malware scanner, with very strong indications that the file is a potential threat. It is installed as a scheduled task in the Windows Task Scheduler, triggered to run every month at a specified time. While running, it connects to the Internet address time-d.nist.gov on port 13.
Publisher:
@ByELDI (signed and verified)

Product:
AutoPico

Version:
12.1.0.0

MD5:
30a503c4e564748b0ca2ca4bed556812

SHA-1:
c7106ae0efe2d5c0768a68807b7211aaeb77daad

SHA-256:
c8c80ff8316d5d883ff154fe32cea1d013d66de4e4768fbc1eefe768338bb90f

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
4/25/2024 6:05:55 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.ByELDI.Meta

Engine version:
15.4.25.11

File size:
956.2 KB (979,136 bytes)

Product version:
12.1.0.0

Original file name:
AutoPico.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\windows\autopico.exe

Digital Signature
Signed by:

Authority:
@ByELDI Certificate Authority

Valid from:
2/3/2014 5:17:06 PM

Valid to:
2/3/2044 5:17:06 PM

Subject:
CN=@ByELDI

Issuer:
CN=@ByELDI Certificate Authority

Serial number:
DC0E43711C7C40D18044372CAF69F6A1

File PE Metadata
Compilation timestamp:
3/9/2014 2:03:01 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
12288:qfomT1omoVSl9TTxPA1geNHXTrw90HSPxHyl1EQ+ZeoGn:qZToYlx3Yjr28N+1Gn

Entry address:
0xEBB8E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 85, 66, 1C, 53, 00, 00, 00, 00, 02, 00...

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
935 KB (957,440 bytes)

Scheduled Task
Task name:
Windows Aktivierung

Path:
\Microsoft\Windows\Windows Activation Technologies\Windows Aktivierung

Trigger:
Monthly (Runs monthly on Tuesdays at 12:00)

The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to time-d.nist.gov  (129.6.15.27:13)

TCP:
Connects to time-c.nist.gov  (129.6.15.30:13)

TCP:
Connects to nist1-lnk.binary.net  (216.229.0.179:13)

TCP:
Connects to 207_223_123_18.colo.teklinks.net  (207.223.123.18:13)

TCP:
Connects to time-a.nist.gov  (129.6.15.28:13)

TCP:
Connects to nist-time-server.eoni.com  (216.228.192.69:13)

TCP:
Connects to host-24-56-178-140.beyondbb.com  (24.56.178.140:13)

TCP:
Connects to utcnist2.colorado.edu  (128.138.141.172:13)

TCP:
Connects to nist.netservicesgroup.com  (64.113.32.5:13)

TCP:
Connects to india.colorado.edu  (128.138.140.44:13)

Powered by Reason Core Security