knsk5cd9.tmp

The file knsk5cd9.tmp has been detected as a potentially unwanted program by 16 anti-malware scanners. It runs as a separate Windows service (within the context of its own process) named “Footnote Command Line”.
MD5:
7500e5e1d19b12d473fccbe7776dad15

SHA-1:
7162dd729eb65cd52743842ce3e67b6a4e596526

SHA-256:
fea683d29dcb2de243dad3b8e7b6611279a3020eb67d06ba6ba9116f0fd62627

Scanner detections:
16 / 68

Status:
Potentially unwanted

Analysis date:
11/24/2024 11:24:00 AM UTC

Scan engine             Detection                                      Engine version
Lavasoft Ad-Aware       Gen:Variant.Adware.Kazy.631110                 539
AhnLab V3 Security      Adware/Win32.ConvertAd                         2015.08.15
Arcabit                 Trojan.Adware.Kazy.D9A146                      1.0.0.425
Baidu Antivirus         Adware.Win32.ConvertAd                         4.0.3.15815
Bitdefender             Gen:Variant.Adware.Kazy.631110                 1.0.20.1135
Emsisoft Anti-Malware   Gen:Variant.Adware.Kazy.631110                 8.15.08.15.08
ESET NOD32              Win32/Adware.ConvertAd.IE (variant)            9.12097
F-Secure                Gen:Variant.Adware.Kazy                        11.2015-15-08_7
G Data                  Gen:Variant.Adware.Kazy.631110                 15.8.25
IKARUS anti.virus       PUA.ConvertAd                                  t3scan.1.9.5.0
MicroWorld eScan        Gen:Variant.Adware.Kazy.631110                 16.0.0.681
Norman                  Gen:Variant.Adware.Kazy.631110                 11.20150816
Panda Antivirus         Trj/Genetic.gen                                15.08.15.08
Reason Heuristics       Threat.Win.Reputation.IMP                      15.8.15.23
Rising Antivirus        PE:Trojan.Win32.Generic.18F60A7F!418777727     23.00.65.15813
VIPRE Antivirus         LooksLike.Win32.Crowti.b                       42902

File size:
714 KB (731,136 bytes)

Common path:
C:\Program Files\cd8faa80-1438115334-fcdc-1dad-5b95392e9785\knsk5cd9.tmp

File PE Metadata
Compilation timestamp:
8/15/2015 9:31:23 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:NqEUzJvTqup8SIr6xOu+qdddNGtFz5YGZ8ricP/LrTJrPmzMCyEIuCvP2i:NqEUNT9pHIr6xFrdd0FhZsicXNjmhyEj

Entry address:
0x846E1

Entry point:
E8, 32, 78, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 74, 2D, FF, 75, 08, 6A, 00, FF, 35, 54, E5, 4A, 00, FF, 15, 80, A0, 49, 00, 85, C0, 75, 18, 56, E8, B7, 34, 00, 00, 8B, F0, FF, 15, 34, A0, 49, 00, 50, E8, 67, 34, 00, 00, 59, 89, 06, 5E, 5D, C3, 8B, FF, 55, 8B, EC, 53, 8B, 5D, 08, 83, FB, E0, 77, 6F, 56, 57, 83, 3D, 54, E5, 4A, 00, 00, 75, 18, E8, C6, 6F, 00, 00, 6A, 1E, E8, 10, 6E, 00, 00, 68, FF, 00, 00, 00, E8, CC, 6A, 00, 00, 59, 59, 85, DB, 74, 04, 8B, C3, EB, 03, 33, C0, 40...

Entropy:
6.3335

Code size:
611 KB (625,664 bytes)

Service
Display name:
Footnote Command Line

Service name:
wezysime

Description:
Hyperlink Session

Type:
Win32OwnProcess

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to s3-1.amazonaws.com  (54.231.97.203:80)

TCP (HTTP):
Connects to ec2-54-235-132-107.compute-1.amazonaws.com  (54.235.132.107:80)

Powered by Reason Core Security