pro83c2.tmp

The file pro83c2.tmp has been detected as a potentially unwanted program by 2 anti-malware scanners. It runs as a separate Windows service (within the context of its own process) named “Tower Photograph”. The file has been seen being downloaded from livestatscounter.com and multiple other hosts.
MD5:
47f40568cffb31c78ab521defdbcf7bb

SHA-1:
682400b0154383871744d3d1a89eaaab3e18f575

SHA-256:
d9cf1c7250ab9c68a818f051dd487c4bf29bec2b8aebfc47ec0a4023aa0ef5b7

Scanner detections:
2 / 68

Status:
Potentially unwanted

Analysis date:
11/23/2024 4:10:47 AM UTC

Scan engine
Detection
Engine version

ESET NOD32
Win32/Adware.ConvertAd.AJW application
6.3.12010.0

Reason Heuristics
PUP.ConvertAd.ET (M)
17.1.19.15

File size:
225 KB (230,400 bytes)

Common path:
C:\Program Files\a062ed80-1471399975-11e4-8f01-54bef791d319\pro83c2.tmp

File PE Metadata
Compilation timestamp:
1/19/2017 9:24:07 AM

OS version:
6.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
14.0

Entry address:
0xEE1B

Entry point:

Entropy:
6.5460

Code size:
148.5 KB (152,064 bytes)

Service
Display name:
Tower Photograph

Service name:
gemeloki

Description:
Use Feed

Type:
Win32OwnProcess


The file pro83c2.tmp has been seen being distributed by the following 50 URLs.

Latest 30 of 1,934 download URLs

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-52-45-168-108.compute-1.amazonaws.com  (52.45.168.108:80)

TCP (HTTP):
Connects to ec2-52-6-149-47.compute-1.amazonaws.com  (52.6.149.47:80)

TCP (HTTP):
Connects to ec2-54-83-176-117.compute-1.amazonaws.com  (54.83.176.117:80)

TCP (HTTP):
Connects to ec2-52-207-68-222.compute-1.amazonaws.com  (52.207.68.222:80)

TCP (HTTP SSL):
Connects to dl19.clickmein.com  (50.7.184.162:443)

TCP (HTTP SSL):
Connects to dl21.clickmein.com  (216.227.128.186:443)

Remove pro83c2.tmp - Powered by Reason Core Security