wewatcherproxy.exe

WeWatcherProxy.exe

P4hostcom

The application wewatcherproxy.exe by P4hostcom has been detected as adware by 9 anti-malware scanners. It runs as a Windows service named “WeWatcherProxy” in its own separate process. While running, it connects to the Internet address mail.inroadsweb.com on port 80 using the HTTP protocol.
Publisher:
WeWatcher  (signed by P4hostcom)

Product:
WeWatcherProxy.exe

Version:
2.3.4.5

MD5:
c11219b427881d14083c3ca31fc5eb76

SHA-1:
6130340a88ab2d12c5153955ce320f097c41c876

SHA-256:
21d0638d84d9dad5045aa34abb066e5591f34113ef68269d8af9b6e09b7887e4

Scanner detections:
9 / 68

Status:
Adware

Analysis date:
11/23/2024 9:45:04 AM UTC

Scan engine              Detection                           Engine version
Lavasoft Ad-Aware        Gen:Variant.Adware.Graftor.186320   630
AhnLab V3 Security       Adware/Win32.Komodia                2015.05.14
Bitdefender              Gen:Variant.Adware.Graftor.186320   1.0.20.675
Bkav FE                  W32.HfsAdware                       1.3.0.6379
Emsisoft Anti-Malware    Gen:Variant.Adware.Graftor.186320   8.15.05.15.04
F-Secure                 Gen:Variant.Adware.Graftor           11.2015-15-05_6
G Data                   Gen:Variant.Adware.Graftor.186320   15.5.25
MicroWorld eScan         Gen:Variant.Adware.Graftor.186320   16.0.0.405
NANO AntiVirus           Trojan.Win32.Superfish.dqodey       0.30.24.1357

File size:
1.8 MB (1,862,408 bytes)

Product version:
2.3.4.5

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\Program Files\sysfiles\wewatcherproxy.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
12/10/2014 4:00:00 PM

Valid to:
12/11/2015 3:59:59 PM

Subject:
CN=P4hostcom, O=P4hostcom, STREET=15339 WYANDOTTE ST, L=VAN NUYS, S=California, PostalCode=91406, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
41454C8A0557125C4B0C373A489B1003

File PE Metadata
Compilation timestamp:
5/10/2015 9:09:47 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
24576:1Jp80iIrR5O5W0KyJ9Q4Z+z7M7DhdVmJbM3UIWRmHYv0SCBwa09oaAbHRp/r31iM:HH55ON7+MnaM3saYFCCalauLLL68

Entry address:
0x52BB

Entry point:
E8, 6B, 75, 00, 00, E9, 78, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 55, 8B, EC, 57, 56, 8B, 75, 0C, 8B, 4D, 10, 8B, 7D, 08, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, A4, 01, 00, 00, 81, F9, 00, 01, 00, 00, 72, 1F, 83, 3D, 44, 31, 43, 00, 00, 74, 16, 57, 56, 83, E7, 0F, 83, E6, 0F, 3B, FE, 5E, 5F, 75, 08, 5E, 5F, 5D, E9, 31, 76, 00, 00, F7, C7, 03, 00, 00, 00, 75, 15, C1, E9, 02, 83, E2, 03, 83, F9, 08, 72, 2A, F3, A5, FF, 24, 95, 44, 54, 40, 00, 90, 8B, C7, BA, 03, 00, 00, 00...

Entropy:
7.9646  (probably packed)

Code size:
164.5 KB (168,448 bytes)

Service
Display name:
WeWatcherProxy

Type:
Win32OwnProcess

Depends on:
RPCSS


The executing file has been seen to make the following network communications in live environments.


Remove wewatcherproxy.exe - Powered by Reason Core Security