d84db4f481acf56ca6e2e1399ab1d273.exe

The application d84db4f481acf56ca6e2e1399ab1d273.exe has been detected as a potentially unwanted program by 1 anti-malware scanner, with very strong indications that the file is a potential threat. The executable runs as a local area network (LAN) Internet proxy server listening on port 53644 and, because it is registered as the proxy in the system Internet Settings, it is able to intercept and modify all inbound and outbound Internet traffic on the local host.
Version:
2.40.2.58

MD5:
b48e56b257686fb4bfcf296c74487cb9

SHA-1:
e87361b93ef8b998de660454f925ea92ed489718

SHA-256:
feb878d67e08025b9c2a20b696fff5f29ab4980c974bcf381b597c5697a8523b

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
12/26/2024 1:59:51 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Wajam.Meta (M)

Engine version:
16.2.8.15

File size:
492 KB (503,808 bytes)

Product version:
2.40.2.58

Original file name:
7TXK9F.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\Program Files\wanetworkenhancer\wanetworkenhancer internet enhancer\d84db4f481acf56ca6e2e1399ab1d273.exe

File PE Metadata
Compilation timestamp:
2/3/2016 10:28:15 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
12288:zUakfXc+PduJMibyqxGpjz8S3uhieUkKoHjx7FoverlybRs:zifzP13uhisf

Entry address:
0x7C49E

Entry point:

Entropy:
4.8007

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
489.5 KB (501,248 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:53644/

Local host port:
53644

Default credentials:
No


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to cache.google.com  (186.192.145.45:443)

TCP (HTTP SSL):
Connects to edge-star-shv-01-gru2.facebook.com  (31.13.85.8:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-gru2.facebook.com  (31.13.85.36:443)

TCP (HTTP SSL):
Connects to 189-1-145-12-wlan.lpnet.com.br  (189.1.145.12:443)

TCP (HTTP):
Connects to rtr3.l7.search.vip.bf1.yahoo.com  (63.250.200.63:80)

TCP (HTTP SSL):
Connects to dub406-m.hotmail.com  (157.56.194.23:443)

TCP (HTTP SSL):
Connects to 189-1-145-13-wlan.lpnet.com.br  (189.1.145.13:443)

TCP (HTTP):
Connects to a23-76-201-166.deploy.static.akamaitechnologies.com  (23.76.201.166:80)

TCP (HTTP SSL):
Connects to a23-1-112-60.deploy.static.akamaitechnologies.com  (23.1.112.60:443)

TCP (HTTP):
Connects to a189-1-145-137.deploy.akamaitechnologies.com  (189.1.145.137:80)

TCP (HTTP):
Connects to a-0003.a-msedge.net  (204.79.197.203:80)

Remove d84db4f481acf56ca6e2e1399ab1d273.exe - Powered by Reason Core Security