wdsrvwrapper.exe

The application wdsrvwrapper.exe has been detected as a potentially unwanted program by 8 anti-malware scanners. The file has been seen being downloaded from numbercounters.com. While running, it connects to the Internet address dl19.clickmein.com on port 443.
MD5:
b827254865808e6da1c6ace8975fc42c

SHA-1:
3a9a181aa6d9bacd337b7ad2ad20d32ea3fe3e1d

SHA-256:
0edc38bfd729b31806caa1b3d7085ddac2a516b5f0b135ca2134ed600b4cc8cd

Scanner detections:
8 / 68

Status:
Potentially unwanted

Analysis date:
11/23/2024 3:59:50 AM UTC  (today)

Scan engine
Detection
Engine version

AegisLab AV Signature
Adware.W32.Vopak!c
2.1.4+

Baidu Antivirus
NSIS.Adware.XXPackage
4.0.3.1734

Bkav FE
HW32.Packed
1.3.0.8876

Kaspersky
not-a-virus:AdWare.Win32.Vopak
15.0.2.529

McAfee
Artemis!B82725486580
5600.6105

Quick Heal
Pua.Vopak
3.17.14.00

Vba32 AntiVirus
suspected of Trojan.Downloader.gen.s
3.12.26.4

Zillya! Antivirus
Adware.ConvertAd.Win32.48634
2.0.0.3221

File size:
46.8 KB (47,959 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\wdsrvwrapper.exe

File PE Metadata
Compilation timestamp:
7/25/2016 7:55:54 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

Entry address:
0x310F

Entry point:
81, EC, 84, 01, 00, 00, 53, 56, 57, 33, DB, 68, 01, 80, 00, 00, 89, 5C, 24, 18, C7, 44, 24, 10, 98, 91, 40, 00, 89, 5C, 24, 20, C6, 44, 24, 14, 20, FF, 15, A8, 70, 40, 00, FF, 15, A4, 70, 40, 00, 66, 3D, 06, 00, 74, 11, 53, E8, 7C, 2F, 00, 00, 3B, C3, 74, 07, 68, 00, 0C, 00, 00, FF, D0, BE, 98, 72, 40, 00, 56, E8, F8, 2E, 00, 00, 56, FF, 15, A0, 70, 40, 00, 8D, 74, 06, 01, 38, 1E, 75, EB, 55, 6A, 09, E8, 4F, 2F, 00, 00, 6A, 07, E8, 48, 2F, 00, 00, A3, 04, E4, 42, 00, FF, 15, 44, 70, 40, 00, 53, FF, 15, 88...
 
[+]

Entropy:
6.9359

Code size:
24 KB (24,576 bytes)

The file wdsrvwrapper.exe has been seen being distributed by the following URL.

https://numbercounters.com/.../WDSrvWrapper.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to dl19.clickmein.com  (50.7.184.162:443)

TCP (HTTP SSL):
Connects to dl21.clickmein.com  (216.227.128.186:443)

TCP (HTTP):
Connects to ch4plpkivs-v03.any.prod.ord1.secureserver.net  (50.63.243.230:80)

TCP (HTTP):
Connects to sg2plpkivs-v03.any.prod.sin2.secureserver.net  (182.50.136.239:80)

TCP (HTTP):
Connects to sg2plpkivs-v01.any.prod.sin2.secureserver.net  (182.50.136.237:80)

TCP (HTTP):
Connects to n1plpkivs-v01.any.prod.ams1.secureserver.net  (188.121.36.237:80)

Remove wdsrvwrapper.exe - Powered by Reason Core Security