445018165fd106cc006922c18b33d5d8.exe

The application 445018165fd106cc006922c18b33d5d8.exe has been detected as a potentially unwanted program by 8 anti-malware scanners. This executable runs as a local area network (LAN) Internet proxy server listening on port 49904 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host.
Version:
2.39.2.11

MD5:
e848aafd5763b443c57568495dc0cc8d

SHA-1:
dc30ce67d51ffb94d1b572602084af6d89119a21

SHA-256:
64330828f876ab49b11e83957b4b3ecba3b7c75918acd1357d40d326ab80fc4d

Scanner detections:
8 / 68

Status:
Potentially unwanted

Analysis date:
11/27/2024 11:35:45 AM UTC

Scan engine               Detection                  Engine version
Arcabit                   Trojan.Kazy.DBAD60         1.0.0.590
Bitdefender               Gen:Variant.Kazy.765280    1.0.20.1565
Emsisoft Anti-Malware     Gen:Variant.Kazy.765280    8.15.11.09.12
F-Secure                  Gen:Variant.Kazy.765280    5.15.21
G Data                    Gen:Variant.Kazy.765280    15.11.25
MicroWorld eScan          Gen:Variant.Kazy.765280    16.0.0.939
Norman                    Gen:Variant.Kazy.765280    07.10.2015 03:16:12
Reason Heuristics         PUP.Wajam.Meta (M)         16.2.9.21

File size:
564 KB (577,536 bytes)

Product version:
2.39.2.11

Original file name:
NFPUEJ.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\Program Files\wnetenhancer\wnetenhancer internet enhancer\445018165fd106cc006922c18b33d5d8.exe

File PE Metadata
Compilation timestamp:
11/5/2015 3:23:41 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
12288:YoCibfrJ1JpC7dkfDfAGGRlzQOI+4/rIFkl2thzf1CG2pXay/uYPzDeybRs:Ycbfr2R7C7Fysk

Entry address:
0x8E4FE

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
4.8286

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
561.5 KB (574,976 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:49904/

Local host port:
49904

Default credentials:
No


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to tl-in-f154.1e100.net  (64.233.189.154:443)

TCP:
Connects to tk-in-f188.1e100.net  (64.233.188.188:5228)

TCP:
Connects to tj-in-f188.1e100.net  (64.233.187.188:5228)

TCP (HTTP SSL):
Connects to tj-in-f155.1e100.net  (64.233.187.155:443)

TCP (HTTP SSL):
Connects to th-in-f188.1e100.net  (74.125.203.188:443)

TCP (HTTP SSL):
Connects to static.vnpt.vn  (113.171.234.59:443)

TCP (HTTP SSL):
Connects to server-52-85-151-56.hkg51.r.cloudfront.net  (52.85.151.56:443)

TCP (HTTP SSL):
Connects to server-52-85-151-41.hkg51.r.cloudfront.net  (52.85.151.41:443)

TCP (HTTP SSL):
Connects to server-52-85-151-32.hkg51.r.cloudfront.net  (52.85.151.32:443)

TCP (HTTP SSL):
Connects to server-52-85-151-221.hkg51.r.cloudfront.net  (52.85.151.221:443)

TCP (HTTP SSL):
Connects to server-52-85-151-189.hkg51.r.cloudfront.net  (52.85.151.189:443)

TCP (HTTP SSL):
Connects to server-52-85-151-16.hkg51.r.cloudfront.net  (52.85.151.16:443)

TCP (HTTP):
Connects to server-52-84-246-62.sfo20.r.cloudfront.net  (52.84.246.62:80)

TCP (HTTP SSL):
Connects to server-52-84-246-244.sfo20.r.cloudfront.net  (52.84.246.244:443)

TCP (HTTP SSL):
Connects to server-52-84-246-197.sfo20.r.cloudfront.net  (52.84.246.197:443)

TCP (HTTP SSL):
Connects to server-52-84-246-134.sfo20.r.cloudfront.net  (52.84.246.134:443)

TCP (HTTP):
Connects to rtr3.l7.search.vip.sg3.yahoo.com  (106.10.162.43:80)

TCP (HTTP SSL):
Connects to hn.vtc.vn  (117.103.197.73:443)

TCP (HTTP SSL):
Connects to hkg12s11-in-f14.1e100.net  (216.58.200.14:443)

TCP (HTTP SSL):
Connects to hkg12s10-in-f35.1e100.net  (216.58.203.35:443)

Remove 445018165fd106cc006922c18b33d5d8.exe - Powered by Reason Core Security