qnsl1e89.tmp

The file qnsl1e89.tmp has been detected as a potentially unwanted program by 9 anti-malware scanners. It runs as a separate (within the context of its own process) windows Service named “Double Spaced Firewall”. While running, it connects to the Internet address dl19.clickmein.com on port 80 using the HTTP protocol.
MD5:
542199ec8faa7cb170b8f663d62ada99

SHA-1:
764a021a60890ec6e7156c8ae5d9ec34a909a40c

SHA-256:
be4317ddd6de0dbbdca11414ec0cc43e69038e056bad21a6738e39e397b80a42

Scanner detections:
9 / 68

Status:
Potentially unwanted

Analysis date:
12/25/2024 5:39:15 PM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
W32/Sality.AG
7.11.30.172

Dr.Web
Adware.ClickMeIn.5564
9.0.1.05190

Emsisoft Anti-Malware
Gen:Variant.Adware.ConvertAd.71
16.02.01

ESET NOD32
Win32/Adware.ConvertAd.AEX application
6.3

F-Secure
Variant.Adware.ConvertAd
5.15.96

Kaspersky
not-a-virus:AdWare.Win32.ConvertAd
15.0.0.562

Norman
Gen:Variant.Adware.ConvertAd.71
22.05.2016 07:18:28

Reason Heuristics
Adware.ConvertAd (M)
16.2.4.14

VIPRE Antivirus
Threat.4150696
46444

File size:
155 KB (158,720 bytes)

Common path:
C:\users\{user}\appdata\local\35444335-1451094896-4830-3754-544834324435\qnsl1e89.tmp

File PE Metadata
Compilation timestamp:
12/26/2015 12:59:01 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:IeEZTEZoKpwev9yMhyNF8kEkfKEYKueeMhi1rE:IzhS99yMhyH8khfQKu48

Entry address:
0xD5FB

Entry point:
E8, CA, 71, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 8B, 45, 08, A3, B8, 52, 42, 00, 5D, C3, 8B, FF, 55, 8B, EC, 51, 56, FF, 35, B8, 52, 42, 00, FF, 15, 64, B0, 41, 00, 8B, F0, 8B, 45, 08, 85, C0, 75, 16, E8, B2, 05, 00, 00, 6A, 16, 5E, 89, 30, E8, 56, 05, 00, 00, 8B, C6, E9, BB, 00, 00, 00, 83, 20, 00, 57, 85, F6, 0F, 85, 8D, 00, 00, 00, 68, CC, E6, 41, 00, FF, 15, 20, B0, 41, 00, 89, 45, FC, 85, C0, 75, 16, E8, 7E, 05, 00, 00, 6A, 16, 5E, 89, 30, E8, 22, 05, 00, 00, 8B, C6, E9, 86, 00, 00, 00, 68...
 
[+]

Entropy:
6.3697

Code size:
103 KB (105,472 bytes)

Service
Display name:
Double Spaced Firewall

Service name:
zigipyro

Description:
Field Web Directory

Type:
Win32OwnProcess


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to dl21.clickmein.com  (216.227.128.186:80)

TCP (HTTP):
Connects to dl19.clickmein.com  (50.7.184.162:80)

Remove qnsl1e89.tmp - Powered by Reason Core Security