qkseesvc.exe

Jinnan Wu

The application qkseesvc.exe by Jinnan Wu has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It runs as a separate (within the context of its own process) windows Service named “qkseeService”. While running, it connects to the Internet address 8.81.6132.ip4.static.sl-reverse.com on port 80 using the HTTP protocol.
Publisher:
Jinnan Wu  (signed and verified)

Version:
5.0.0.0

MD5:
549526e0937e3edb67f1bc44d0c8f2c4

SHA-1:
5a6e4ec7a626502ca0899c597561ac6a39f3c234

SHA-256:
77189deecaab2f5397a9a65933896cb24e91d71096e409b430ff85048aa4ce0c

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/27/2024 12:30:11 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Elex (M)
16.7.18.10

File size:
759.2 KB (777,464 bytes)

Product version:
5.0.0.0

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\qksee\qkseesvc.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
7/15/2016 2:00:00 AM

Valid to:
1/18/2017 12:59:59 AM

Subject:
CN=Jinnan Wu, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
131FD7F87BDAD135A6B681AD0FF5788D

File PE Metadata
Compilation timestamp:
7/15/2016 4:35:59 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
12288:augKTUeGNnHSVwhONtGM77pPDcBQfA6uu9TyluHsAuTc:auDUeGNphONttX9Dc4BF9Tyluoc

Entry address:
0x59C1C

Entry point:
E8, 08, EC, 00, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 51, 83, 65, FC, 00, 56, 8D, 45, FC, 50, FF, 75, 0C, FF, 75, 08, E8, 6D, ED, 00, 00, 8B, F0, 83, C4, 0C, 85, F6, 75, 18, 39, 45, FC, 74, 13, E8, 34, 2F, 00, 00, 85, C0, 74, 0A, E8, 2B, 2F, 00, 00, 8B, 4D, FC, 89, 08, 8B, C6, 5E, C9, C3, 55, 8B, EC, 8B, 45, 0C, 8B, 4D, 08, 83, EC, 0C, 85, C0, 74, 02, 89, 08, 85, C9, 75, 14, E8, 06, 2F, 00, 00, C7, 00, 16, 00, 00, 00, E8, BE, 5F, 00, 00, 33, C0, C9, C3, 8B, 45, 10, 85, C0, 74, 0A, 83, F8, 02, 7C, E0, 83, F8...
 
[+]

Code size:
484 KB (495,616 bytes)

Service
Display name:
qkseeService

Type:
Win32OwnProcess

Group:
SchedulerGroup


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-230-141-112.sfo5.r.cloudfront.net  (54.230.141.112:80)

TCP (HTTP):
Connects to 8.81.6132.ip4.static.sl-reverse.com  (50.97.129.8:80)

TCP (HTTP):
Connects to server-54-192-3-92.lhr5.r.cloudfront.net  (54.192.3.92:80)

TCP (HTTP):
Connects to server-52-85-63-61.lhr50.r.cloudfront.net  (52.85.63.61:80)

TCP (HTTP):
Connects to server-52-85-63-19.lhr50.r.cloudfront.net  (52.85.63.19:80)

TCP (HTTP):
Connects to server-52-85-221-238.cdg50.r.cloudfront.net  (52.85.221.238:80)

TCP (HTTP):
Connects to server-54-230-163-175.jax1.r.cloudfront.net  (54.230.163.175:80)

TCP (HTTP):
Connects to server-54-192-19-134.iad12.r.cloudfront.net  (54.192.19.134:80)

TCP (HTTP):
Connects to server-54-192-129-85.ams50.r.cloudfront.net  (54.192.129.85:80)

TCP (HTTP):
Connects to server-54-192-129-8.ams50.r.cloudfront.net  (54.192.129.8:80)

TCP (HTTP):
Connects to server-54-192-129-252.ams50.r.cloudfront.net  (54.192.129.252:80)

TCP (HTTP):
Connects to server-54-192-129-157.ams50.r.cloudfront.net  (54.192.129.157:80)

TCP (HTTP):
Connects to server-54-192-129-136.ams50.r.cloudfront.net  (54.192.129.136:80)

Remove qkseesvc.exe - Powered by Reason Core Security