nslea04.tmp

Search Protect

ClientConnect LTD

The file belongs to the ClientConnect (Conduit/Perion) platform, a utility that bundles and monetizes search toolbars and browser add-ons. The file nslea04.tmp by ClientConnect has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from sp-storage.spccinta.com. While running, it connects to the Internet address cms.dmccint.com on port 80 using the HTTP protocol.
Publisher:
Client Connect LTD  (signed by ClientConnect LTD)

Product:
Search Protect

Version:
2.13.3.38

MD5:
cc047acb582a2e844c5c92898d33b299

SHA-1:
04350eb379309c57d90c2943cd8d1fa1ca428ae9

SHA-256:
56dd9f0976a6c20ade68188e31e514506db7951ada210323c1ddbbdf41eab727

Scanner detections:
1 / 68

Status:
Adware

Explanation:
Bundles the Conduit Toolbar and/or Conduit Search Protect.

Analysis date:
12/24/2024 5:22:14 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Conduit.ClientCo.Installer (M)
16.5.7.5

File size:
6 MB (6,335,544 bytes)

Product version:
2.13.3.38

Copyright:
© 2014 ClientConnect Ltd.

Original file name:
SearchProtect

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\nslea04.tmp

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
2/2/2014 10:00:00 PM

Valid to:
2/4/2016 9:59:59 PM

Subject:
CN=ClientConnect LTD, OU=Digital ID Class 3 - Microsoft Software Validation v2, OU=Search Protect, O=ClientConnect LTD, L=Ness Ziona, S=Israel, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
173D1F00E27A9D60265B3AB0B87F2ED8

File PE Metadata
Compilation timestamp:
7/6/2011 11:31:20 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
196608:250aiLk1HZcLm0qdb6MSqnBO5xSFCPFs+8Em:250/8cLSHSqnQSCPFr8Em

Entry address:
0x354B

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 84, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, B0, 82, 40, 00, 6A, 08, A3, 98, 06, 47, 00, E8, 67, 27, 00, 00, 55, 68, B4, 02, 00, 00, A3, B0, 05, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 86, 40, 00, FF, 15, 80, 81, 40, 00, 68, 04, 86, 40, 00, 68, A0, 85, 46, 00, E8, 35, 26, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 10, 4C, 00, 57, E8, 23, 26, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
25 KB (25,600 bytes)

The file nslea04.tmp has been seen being distributed by the following URL.

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to cms.dmccint.com  (23.67.242.80:80)

 
http://cms.dmccint.com/DynamicOffer/153896696/153917819/?mainofferId=153893262&CurrentStep=2&TotalSteps=4&DownloadBrowser=IE&CType=-1&UserMode=-1&DMVersion=1.3.5.53.153916685.01&Language=US-EN

Remove nslea04.tmp - Powered by Reason Core Security