» ywlui.exe
Overview
Analysis
File Details
Behaviors (1)
Network (16)

ywlui.exe

The executable ywlui.exe has been detected as malware by 23 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler triggered daily at a specified time. While running, it connects to the Internet address server-54-192-48-141.jfk5.r.cloudfront.net on port 80 using the HTTP protocol.

File name:

ywlui.exe

Version:

5.23.48185.29488

MD5:

f54347d03cba89bf34c16d0221715e53

SHA-1:

36efdd4b22e2f14571b826d0ce5c7219951c3dd8

SHA-256:

b67057186ecb186f1bb9ee9ccf672632d400c4b7aa4e10b0a1d642a02966fff6

Scanner detections:

23 / 68

Status:

Malware

Analysis date:

4/26/2024 12:02:42 PM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Trojan.Generic.12088188

776

AhnLab V3 Security

Trojan/Win32.Kovter

2014.11.05

Avira AntiVirus

TR/Crypt.ZPACK.106351

7.11.183.100

avast!

Win32:Dropper-gen [Drp]

141025-0

AVG

Win32/Cryptor

2014.0.4189

Bitdefender

Trojan.Generic.12088188

1.0.20.1770

Bkav FE

HW32.Packed

1.3.0.4959

Dr.Web

Trojan.Siggen6.22973

9.0.1.05190

Emsisoft Anti-Malware

Trojan.Generic.12088188

8.14.12.20.04

ESET NOD32

Win32/Kryptik.CPFY (variant)

8.10669

Fortinet FortiGate

W32/Kryptik.CJJL!tr

12/20/2014

F-Secure

Trojan.Generic.12088188

11.2014-20-12_7

G Data

Trojan.Generic.12088188

14.12.24

Kaspersky

Trojan.Win32.Yakes

15.0.0.494

Malwarebytes

Spyware.Passwords.ED

v2014.11.04.10

McAfee

Packed-CR!B6D45C6C5AF2

5600.6910

NANO AntiVirus

Trojan.Win32.Siggen6.didezr

0.28.6.62995

nProtect

Trojan.Generic.12088188

14.11.05.01

Qihoo 360 Security

Malware.QVM20.Gen

1.0.0.1015

Reason Heuristics

Threat.Win.Reputation.IMP

14.12.20.16

Rising Antivirus

PE:Malware.XPACK-LNR/Heur!1.5594

23.00.65.141102

Sophos

Troj/Yakes-AS

4.98

Vba32 AntiVirus

Heur.Trojan.Hlux

3.12.26.3

File size:

284.7 KB (291,520 bytes)

Product version:

5.23.48185.29488

Original file name:

mkosena.exe

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\users\{user}\appdata\roaming\isivup\ywlui.exe

File PE Metadata

Compilation timestamp:

7/8/2011 11:20:10 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

6.0

CTPH (ssdeep):

6144:ViBdjLsI9+C2Gd9LAAg9QSyiZTZYfByD1V/mAaEJMXtsUG0TKeC:wDb97yLLZ9YZS1V+AaEJksU2Z

Entry address:

0xD708

Entry point:

55, 8B, EC, 81, EC, C4, 01, 00, 00, BA, A3, 00, 00, 00, EB, 27, 03, F3, 8B, 05, A0, 4A, 43, 00, F7, C6, 06, 1B, 00, 00, 75, 17, 33, F2, 3B, 35, 38, 4A, 43, 00, 74, 0D, 83, EE, 16, 3B, F0, 74, 06, 89, B5, 3C, FE, FF, FF, 53, 0B, C6, 3B, 85, 68, FE, FF, FF, 74, 08, 2B, C6, 89, 85, 6C, FE, FF, FF, 56, 83, F0, CE, 3B, C6, 75, 20, B9, 80, 00, 00, 00, 89, 85, 9C, FE, FF, FF, 33, CE, EB, 11, 83, C1, 99, 8B, FE, 89, 8D, 14, FF, FF, FF, 89, BD, BC, FE, FF, FF, 57, EB, 06, 89, 8D, 84, FE, FF, FF, EB, 05, EB, 03, 89... 
[+]

Entropy:

7.9052

Developed / compiled with:

Microsoft Visual C++

Code size:

100 KB (102,400 bytes)

Scheduled Task

Task name:

Security Center Update - 1347748440

Trigger:

Daily (Runs daily at 11:00 AM)

Description:

Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to server-54-230-50-232.jfk5.r.cloudfront.net (54.230.50.232:80)

TCP (HTTP):

Connects to server-54-230-48-184.jfk5.r.cloudfront.net (54.230.48.184:80)

TCP (HTTP):

Connects to server-54-192-48-141.jfk5.r.cloudfront.net (54.192.48.141:80)

TCP (HTTP):

Connects to oasn04a.247realmedia.com (208.71.121.194:80)

TCP (HTTP):

Connects to na.gmtdmp.com (208.71.121.14:80)

TCP (HTTP):

Connects to lga15s43-in-f24.1e100.net (74.125.226.56:80)

TCP (HTTP):

Connects to ec2-54-243-236-69.compute-1.amazonaws.com (54.243.236.69:80)

TCP (HTTP):

Connects to ec2-54-243-107-161.compute-1.amazonaws.com (54.243.107.161:80)

TCP (HTTP):

Connects to ec2-23-21-105-35.compute-1.amazonaws.com (23.21.105.35:80)

TCP (HTTP):

Connects to a23-66-230-161.deploy.static.akamaitechnologies.com (23.66.230.161:80)

TCP (HTTP):

Connects to a23-62-236-128.deploy.static.akamaitechnologies.com (23.62.236.128:80)

TCP (HTTP):

Connects to a23-62-236-121.deploy.static.akamaitechnologies.com (23.62.236.121:80)

TCP (HTTP):

Connects to a23-44-121-208.deploy.static.akamaitechnologies.com (23.44.121.208:80)

TCP (HTTP):

Connects to a23-44-116-94.deploy.static.akamaitechnologies.com (23.44.116.94:80)

TCP (HTTP SSL):

Connects to a23-203-164-42.deploy.static.akamaitechnologies.com (23.203.164.42:443)

TCP (HTTP):

Connects to 114.37.198-178.dc74.net (198.37.114.178:80)

Remove ywlui.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.