» wlygof.exe
Overview
Analysis
File Details
Downloads (1)

wlygof.exe

Julian Pankratov

The is the installer for the WebPick InstalleRex download manager which bundles applications with offers for additional 3rd party software, mostly unwanted adware, and may be installed without consent. The application wlygof.exe by Julian Pankratov has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup program which is used to install the application. It is also typically executed from an Internet Explorer cache folder. The file has been seen being downloaded from getguidegold.ru.

File name:

wlygof.exe

Publisher:

Julian Pankratov (signed and verified)

MD5:

6e5862809fae72f4afe7e2fd0afa6aee

SHA-1:

fd90b4ece9931ae4039f56d30be3792165116c5d

SHA-256:

357ed0ac264488f883f0192273d57c9742e5d80aeab57555439aaa50da00d405

Scanner detections:

1 / 68

Status:

Adware

Note:

Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:

5/16/2024 9:40:52 PM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

PUP.WebPick.JulianPa (M)

16.3.18.10

File size:

1.3 MB (1,362,840 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\wlygof.exe

Digital Signature

Signed by:

Julian Pankratov

Authority:

COMODO CA Limited

Valid from:

10/14/2013 2:00:00 AM

Valid to:

10/15/2014 1:59:59 AM

Subject:

CN=Julian Pankratov, O=Julian Pankratov, STREET=Gagarіna 11, L=Kiev, S=Kiev, PostalCode=02094, C=UA

Issuer:

CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

00D14C8CC7422B7B416198EEB359191765

File PE Metadata

Compilation timestamp:

9/29/2013 3:06:43 PM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

11.0

CTPH (ssdeep):

24576:zUavQvvO79zW3BbZZ8adHSAJVeIakg82aN6ssIleUmL5VdZCXpI:zUaYvmZzAbZZ8YHQIRxJN6Gw5HCI

Entry address:

0x1189F

Entry point:

E8, ED, 40, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, C0, 90, 42, 00, E8, 4B, 2A, 00, 00, E8, BA, 42, 00, 00, 0F, B7, F0, 6A, 02, E8, 80, 40, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, 32, 21, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8... 
[+]

Entropy:

7.8621 (probably packed)

Code size:

135 KB (138,240 bytes)

The file wlygof.exe has been seen being distributed by the following URL.

http://getguidegold.ru/?e=vdx&publisher=438&dd=3&country=EG&ind=8456929006897896902&exid=0&ssd=5771214719799489923&hid=1595297082484293293&osid=601&channel=0&sfx=1&category_name=VaudiX&install_date=20121113

Remove wlygof.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.