knsreb00.tmpfs

The file knsreb00.tmpfs has been detected as a potentially unwanted program by 14 anti-malware scanners. It runs as a Windows service named “External Inkjet Printer”, hosted in its own separate process. While running, it connects to the Internet address server-54-192-192-226.iad53.r.cloudfront.net on port 80 using the HTTP protocol.
MD5:
97718c9771443c59d35ac28ae44b0ee5

SHA-1:
1912d01a111ccac73903ffbef6d1a11b6fe763cf

SHA-256:
1e080e5e4fcb218153014786f3e3044c74e00aa9613cd97fe7971ece7fce7c81

Scanner detections:
14 / 68

Status:
Potentially unwanted

Analysis date:
12/24/2024 5:14:41 PM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Lavasoft Ad-Aware | Gen:Variant.Application.Kazy.642419 | 5926725 |
| AhnLab V3 Security | Adware/Win32.ConvertAd | 2015.08.11 |
| Arcabit | Trojan.Application.Kazy.D9CD73 | 1.0.0.425 |
| Baidu Antivirus | Adware.Win32.ConvertAd | 4.0.3.15811 |
| Bitdefender | Gen:Variant.Application.Kazy.642419 | 1.0.20.1115 |
| Emsisoft Anti-Malware | Gen:Variant.Application.Kazy.642419 | 10.0.0.5366 |
| ESET NOD32 | Win32/Adware.ConvertAd.IE application | 7.0.302.0 |
| F-Secure | Riskware.Gen:Variant.Application.Kazy | 5.14.151 |
| G Data | Gen:Variant.Application.Kazy.642419 | 15.8.25 |
| Kaspersky | UDS:DangerousObject.Multi.Generic | 14.0.0.1598 |
| MicroWorld eScan | Gen:Variant.Application.Kazy.642419 | 16.0.0.669 |
| Norman | Gen:Variant.Application.Kazy.642419 | 04.08.2015 10:30:46 |
| Panda Antivirus | Trj/Genetic.gen | 15.08.11.08 |
| Reason Heuristics | Threat.Win.Reputation.IMP | 15.8.12.20 |

File size:
237.5 KB (243,200 bytes)

Common path:
C:\Program Files\9acd0a80-1439275188-81e4-2323-f0795911a9a9\knsreb00.tmpfs

File PE Metadata
Compilation timestamp:
8/11/2015 4:11:23 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:bhkJtNiSBosA2MGCFHT4Nb0l5XOIHzUqWkEHn2f//LJaOfGKfJTduJMAy:qJPiSBtM/T4NoHOgzNWkEHnSk4zAMAy

Entry address:
0x1ADE1

Entry point:
E8, 18, 74, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 8B, 55, 08, 56, 57, 85, D2, 74, 07, 8B, 7D, 0C, 85, FF, 75, 13, E8, 23, 23, 00, 00, 6A, 16, 5E, 89, 30, E8, C7, 22, 00, 00, 8B, C6, EB, 33, 8B, 45, 10, 85, C0, 75, 04, 88, 02, EB, E2, 8B, F2, 2B, F0, 8A, 08, 88, 0C, 06, 40, 84, C9, 74, 03, 4F, 75, F3, 85, FF, 75, 11, C6, 02, 00, E8, ED, 22, 00, 00, 6A, 22, 59, 89, 08, 8B, F1, EB, C6, 33, C0, 5F, 5E, 5D, C3, 8B, FF, 55, 8B, EC, 53, 8B, 5D, 08, 83, FB, E0, 77, 6F, 56, 57, 83, 3D, 34, 94, 43, 00, 00...
 

Entropy:
6.3459

Code size:
167.5 KB (171,520 bytes)

Service
Display name:
External Inkjet Printer

Service name:
susiduzo

Description:
Internet Point

Type:
Win32OwnProcess


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-192-192-226.iad53.r.cloudfront.net  (54.192.192.226:80)

TCP (HTTP):
Connects to ec2-54-235-132-107.compute-1.amazonaws.com  (54.235.132.107:80)

TCP (HTTP):
Connects to dl21.clickmein.com  (216.227.128.186:80)
