knsad4f.tmp

The file knsad4f.tmp has been detected as a potentially unwanted program by 1 anti-malware scanner, with very strong indications that the file is a potential threat. It runs as a separate Windows service (within the context of its own process) named “Task Bar Ampersand”. The file has been seen being downloaded from livestatscounter.com.
MD5:
636c4b5f834fa41dc1ee1c47d7ca091d

SHA-1:
d128fe97c398443449d0f855940c84af0dd69cbd

SHA-256:
6c7b0e796c25afb39b85fcd4a6ba8017dcae2275afb81155a6186935ec0b4d6b

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/15/2024 4:38:01 AM UTC

Scan engine         Detection        Engine version
Reason Heuristics   PUP.ConvertAd    17.1.26.8

File size:
399 KB (408,576 bytes)

Common path:
C:\Program Files\2951d800-1480104679-81e0-2343-f46d0423a40e\knsad4f.tmp

File PE Metadata
Compilation timestamp:
1/26/2017 10:39:06 AM

OS version:
6.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
14.0

Entry address:
0x2481A

Entry point:
E8, 4C, 06, 00, 00, E9, 8E, FE, FF, FF, 3B, 0D, 8C, 00, 46, 00, F2, 75, 02, F2, C3, F2, E9, BE, 07, 00, 00, 55, 8B, EC, 5D, E9, 34, F7, FF, FF, FF, 25, 7C, B1, 44, 00, 8B, 4D, F4, 64, 89, 0D, 00, 00, 00, 00, 59, 5F, 5F, 5E, 5B, 8B, E5, 5D, 51, F2, C3, 8B, 4D, F0, 33, CD, F2, E8, C0, FF, FF, FF, F2, E9, DA, FF, FF, FF, 8B, 4D, EC, 33, CD, F2, E8, AF, FF, FF, FF, F2, E9, C9, FF, FF, FF, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, 8C, 00, 46, 00, 33, C5, 50...

Code size:
293 KB (300,032 bytes)

Service
Display name:
Task Bar Ampersand

Service name:
qityluty

Description:
Top Up Trial Period

Type:
Win32OwnProcess

The file knsad4f.tmp has been seen being distributed by the following URL.

https://livestatscounter.com/.../vsrv.php?sid=ddec4481-5c88-457b-850c-9766621a128c

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-52-207-68-222.compute-1.amazonaws.com  (52.207.68.222:80)

TCP (HTTP):
Connects to s3-website-us-east-1.amazonaws.com  (54.231.40.113:80)

TCP (HTTP):
Connects to dl19.clickmein.com  (50.7.184.162:80)

TCP (HTTP):
Connects to ec2-54-83-176-117.compute-1.amazonaws.com  (54.83.176.117:80)

TCP (HTTP):
Connects to ec2-52-6-149-47.compute-1.amazonaws.com  (52.6.149.47:80)

Remove knsad4f.tmp - Powered by Reason Core Security