17014b3c3f5968411ceefd21073fe7fa.exe

The application 17014b3c3f5968411ceefd21073fe7fa.exe has been detected as a potentially unwanted program by 7 anti-malware scanners. This executable runs as a local area network (LAN) Internet proxy server listening on port 54447 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host. While running, it connects to the Internet address bd.35.5177.ip4.static.sl-reverse.com on port 80 using the HTTP protocol.
Version:
2.36.2.20

MD5:
b23dfc10f881e5b48c1dc3fd850adcb0

SHA-1:
eac0d270de833f8e79b579b20af9e24e1b2ffb2d

SHA-256:
b8763bc629298cc144f5a181699c8feca51e24f683e7a86fd85e4d3f2415f19a

Scanner detections:
7 / 68

Status:
Potentially unwanted

Analysis date:
2/26/2025 4:46:02 PM UTC

Scan engine           Detection                         Engine version
Avira AntiVirus       TR/Agent.393216.460               8.3.2.2
IKARUS anti.virus     Trojan.Agent                      t3scan.1.9.5.0
Kaspersky             HEUR:Trojan.Win32.Generic         14.0.0.1450
McAfee                Artemis!B23DFC10F881              5600.6612
Qihoo 360 Security    HEUR/QVM03.0.Malware.Gen          1.0.0.1015
Quick Heal            AdWare.Agent.r3                   10.15.14.00
Rising Antivirus      PE:Malware.RDM.32!5.26[F1]        23.00.65.151013

File size:
384 KB (393,216 bytes)

Product version:
2.36.2.20

Original file name:
T6ITK7.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\Program Files\waintenhancer\waintenhancer internet enhancer\17014b3c3f5968411ceefd21073fe7fa.exe

File PE Metadata
Compilation timestamp:
9/10/2015 1:31:01 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
6144:ZZwa3L1ceK240UOuqJpBC0PKmmG2zoF2lUrv/uWYv8V6Xb8VDxcTqv0tpo7MhImg:bN3L1ceK24h8/BC0bmfEF26rv/ufzXbs

Entry address:
0x6154E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
4.9461

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
381.5 KB (390,656 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:54447/

Local host port:
54447

Default credentials:
No


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to c4.3e.559e.ip4.static.sl-reverse.com  (158.85.62.196:80)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-sit4.facebook.com  (31.13.78.35:443)

TCP (HTTP):
Connects to us.redir.opera.com  (107.167.110.234:80)

TCP (HTTP):
Connects to server-54-230-216-212.mrs50.r.cloudfront.net  (54.230.216.212:80)

TCP (HTTP SSL):
Connects to fna-fbcdn-shv-01-fbom1.fbcdn.net  (157.240.191.17:443)

TCP (HTTP SSL):
Connects to edge-star-shv-01-sit4.facebook.com  (31.13.78.13:443)

TCP (HTTP):
Connects to ec2-54-235-244-28.compute-1.amazonaws.com  (54.235.244.28:80)

TCP (HTTP):
Connects to ec2-52-34-60-95.us-west-2.compute.amazonaws.com  (52.34.60.95:80)

TCP (HTTP):
Connects to bd.35.5177.ip4.static.sl-reverse.com  (119.81.53.189:80)

TCP (HTTP):
Connects to aez9.com  (216.144.226.153:80)

TCP (HTTP):
Connects to 97.47.37a9.ip4.static.sl-reverse.com  (169.55.71.151:80)

TCP (HTTP):
Connects to 61.53.5177.ip4.static.sl-reverse.com  (119.81.83.97:80)

TCP (HTTP SSL):
Connects to fna-fbcdn-shv-02-fbom1.fbcdn.net  (157.240.191.81:443)

Remove 17014b3c3f5968411ceefd21073fe7fa.exe - Powered by Reason Core Security