» Booking_helper.exe
Overview
Analysis
File Details
Behaviors (14)
Network (20)

Booking_helper.exe

The application Booking_helper.exe, “Booking_helper.exe” has been detected as a potentially unwanted program by 7 anti-malware scanners. It is installed within the context of Internet Explore as a BHO (Browser Helper Object) under the name ‘Linkey’. It runs as a scheduled task under the Windows Task Scheduler triggered daily at a specified time. This is the uninstaller utility registered in the Windows Control Panel for the program Update for PriceFountain by Update for PriceFountain. It uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions.

File name:

Booking_helper.exe

Description:

Booking_helper.exe

Version:

1.52.0.0

MD5:

22daaa5a8bd71f82e7571e027bccdd6c

SHA-1:

6e1bab7a69f609974c6dfee1aa14aa2e93069015

SHA-256:

25e5cd6388d2c09abfed8ff3710b7c0ba3595ea93cd9656d81144a7f40d38809

Scanner detections:

7 / 68

Status:

Potentially unwanted

Explanation:

Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Analysis date:

4/29/2024 3:59:28 PM UTC (today)

Scan engine

Detection

Engine version

Emsisoft Anti-Malware

Application.Downloader.AEQ

16.05.13

ESET NOD32

Win32/InstallCore.ADB potentially unwanted application

6.3.12010.0

F-Secure

Riskware.Application.Downloader.AEQ

5.15.154

Kaspersky

not-a-virus:AdWare.Win32.DealPly

15.0.2.529

Norman

Application.Downloader.AEQ

28.05.2016 15:32:18

Reason Heuristics

Win32.Generic

17.2.25.14

VIPRE Antivirus

Threat.4150696

48690

File size:

167 KB (171,008 bytes)

Product version:

1.0.0.0

Original file name:

Booking_helper.exe

File type:

Executable application (Win32 EXE)

Language:

Swedish (Sweden)

Common path:

C:\Program Files\booking.com\booking_helper.exe

File PE Metadata

Compilation timestamp:

6/20/1992 12:22:17 AM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

2.25

CTPH (ssdeep):

3072:mT3um01O9ip8a+tXkyPzPXnQMD1xVjO33d7fYHl4pvXYL2n21:mO1vGB5DXnnD1xVq33d7fYHmpvXYL221

Entry address:

0x106D0

Entry point:

55, 8B, EC, 83, C4, E0, 33, C0, 89, 45, E0, 89, 45, E4, 89, 45, E8, 89, 45, EC, B8, 58, 06, 41, 00, E8, A6, 41, FF, FF, 33, C0, 55, 68, 98, 07, 41, 00, 64, FF, 30, 64, 89, 20, E8, EB, 1F, FF, FF, 48, 7C, 79, E8, B7, E3, FF, FF, 8D, 55, EC, B8, AC, 07, 41, 00, E8, 7A, 57, FF, FF, 8B, 55, EC, B8, 5C, 2C, 41, 00, E8, A1, 31, FF, FF, 8D, 55, E8, B8, C4, 07, 41, 00, E8, 60, 57, FF, FF, 8B, 55, E8, B8, 58, 2C, 41, 00, E8, 87, 31, FF, FF, 8D, 55, E4, B8, DC, 07, 41, 00, E8, 46, 57, FF, FF, 8B, 55, E4, B8, 50, 2C... 
[+]

Developed / compiled with:

Microsoft Visual C++

Code size:

62.5 KB (64,000 bytes)

App Init DLL

Name:

booking_helper.exe

3 Internet Explorer BHOs

Display name:

Linkey

CLSID:

{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}

CLSID:

{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}

CLSID name:

Advanced SystemCare Surfing Protection

CLSID:

{312f84fb-8970-4fd3-bddb-7012eac4afc9}

CLSID name:

Toolbar BHO

Internet Explorer Menu Extension

Name:

E&xport to Microsoft Excel

Ini File Mappings System INI

Name:

APPINIT_DLLS

2 Program Uninstaller

Program name:

Update for PriceFountain

Display publisher:

Update for PriceFountain

Uninstall string:

C:\users\{user}\appdata\roaming\pricef~1\update~1\update~1.exe \uninstall

Program name:

Windows Driver Package - ASUS (AsusHID) Mouse (03/17/2014 3.0.0.27)

Display publisher:

ASUS

Display version:

03/17/2014 3.0.0.27

Uninstall string:

C:\PROGRA~1\DIFX\C23D574CE2673475\dpinst.exe /u C:\Windows\System32\DriverStore\FileRepository\asushid.inf_x86_a2a4b75442d2d7d6\asushid.inf

46 Scheduled Tasks

Task name:

SMupdate1

Trigger:

Logon (Runs on logon)

Task name:

SMupdate2

Path:

\Microsoft\Windows\Maintenance\SMupdate2

Trigger:

Logon (Runs on logon)

Task name:

SMupdate3

Path:

\Microsoft\Windows\Multimedia\SMupdate3

Trigger:

Logon (Runs on logon)

Task name:

FL Studio

Trigger:

Logon (Runs on logon)

Task name:

Booking_helper

Trigger:

Daily (Runs daily at 08:57)

Task name:

At3

Path:

C:\WINDOWS\Tasks\At3.job

Trigger:

Daily (Runs daily at 23:16)

Description:

Criado por NetScheduleJobAdd.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to ec2-52-10-188-8.us-west-2.compute.amazonaws.com (52.10.188.8:80)

TCP (HTTP SSL):

Connects to ec2-54-243-111-150.compute-1.amazonaws.com (54.243.111.150:443)

TCP (HTTP):

Connects to ec2-54-148-169-231.us-west-2.compute.amazonaws.com (54.148.169.231:80)

TCP (HTTP SSL):

Connects to ec2-23-23-249-80.compute-1.amazonaws.com (23.23.249.80:443)

TCP (HTTP SSL):

Connects to ec2-54-225-193-189.compute-1.amazonaws.com (54.225.193.189:443)

TCP (HTTP):

Connects to s3-us-west-2-w.amazonaws.com (54.231.184.222:80)

TCP (HTTP):

Connects to ec2-52-214-247-42.eu-west-1.compute.amazonaws.com (52.214.247.42:80)

TCP (HTTP):

Connects to a23-52-21-163.deploy.static.akamaitechnologies.com (23.52.21.163:80)

TCP (HTTP):

Connects to a23-51-117-163.deploy.static.akamaitechnologies.com (23.51.117.163:80)

Remove Booking_helper.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.