snsv9ba3.tmp

The file snsv9ba3.tmp has been detected as a potentially unwanted program by 20 anti-malware scanners. It runs as a Windows service named “Carbon Copy Sharpen” in its own process. The file has been seen being downloaded from d1mdi78qyff344.cloudfront.net. While running, it connects to the Internet address dl21.clickmein.com on port 80 using the HTTP protocol.
MD5:
e5f16696f3e05f131bc411566d605dfd

SHA-1:
108a05593698ce07a3a62728cd1c74f333b79fd2

SHA-256:
07339871f231c24f13836138453c52a06b211ebe22f7b56b7356b0f8e25de9e6

Scanner detections:
20 / 68

Status:
Potentially unwanted

Analysis date:
11/23/2024 4:04:24 AM UTC

Scan engine              Detection                              Engine version
Lavasoft Ad-Aware        Trojan.GenericKD.2711132               479
Agnitum Outpost          PUA.ConvertAd                          7.1.1
Avira AntiVirus          ADWARE/ConvertAd.184832.1              8.3.2.2
Arcabit                  Trojan.Generic.D295E5C                 1.0.0.527
AVG                      Generic6                               2016.0.2957
Baidu Antivirus          Adware.Win32.ConvertAd                 4.0.3.151013
Bitdefender              Trojan.GenericKD.2711132               1.0.20.1430
Dr.Web                   Adware.ClickMeIn.2237                  9.0.1.0286
Emsisoft Anti-Malware    Trojan.GenericKD.2711132               8.15.10.13.01
ESET NOD32               Win32/Adware.ConvertAd.ZB              9.12255
Fortinet FortiGate       Riskware/ConvertAd                     10/13/2015
F-Secure                 Trojan.GenericKD.2711132               11.2015-13-10_3
G Data                   Trojan.GenericKD.2711132               15.10.25
K7 AntiVirus             Adware                                 13.210.17216
McAfee                   Artemis!E5F16696F3E0                   5600.6613
MicroWorld eScan         Trojan.GenericKD.2711132               16.0.0.858
NANO AntiVirus           Riskware.Win32.ConvertAd.dwuqvy        0.30.24.3283
nProtect                 Trojan.GenericKD.2711132               15.09.15.01
Rising Antivirus         PE:Malware.Obscure/Heur!1.9E03[F1]     23.00.65.15906
VIPRE Antivirus          Trojan.Win32.Generic                   43768

File size:
180.5 KB (184,832 bytes)

Common path:
C:\users\{user}\appdata\local\3044a2e0-1441742787-11e4-af62-740e3a1d1600\snsv9ba3.tmp

File PE Metadata
Compilation timestamp:
9/8/2015 4:24:02 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
3072:ls+ExOzkfaOUtgcmiKvJB+VYoJyIQ5Dyb8FExmNniGk9Mp7wmW:ldExOzmaOUvCJEVmPuYExsn5TW

Entry address:
0x6F0B

Entry point:
E8, 1C, 35, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 20, 8B, 45, 08, 56, 57, 6A, 08, 59, BE, 10, 63, 42, 00, 8D, 7D, E0, F3, A5, 89, 45, F8, 8B, 45, 0C, 5F, 89, 45, FC, 5E, 85, C0, 74, 0C, F6, 00, 08, 74, 07, C7, 45, F4, 00, 40, 99, 01, 8D, 45, F4, 50, FF, 75, F0, FF, 75, E4, FF, 75, E0, FF, 15, 18, 61, 42, 00, C9, C2, 08, 00, 8B, FF, 55, 8B, EC, 8B, 55, 08, 56, 57, 85, D2, 74, 07, 8B, 7D, 0C, 85, FF, 75, 13, E8, 53, 06, 00, 00, 6A, 16, 5E, 89, 30, E8, 31, 1D, 00, 00, 8B, C6, EB, 33, 8B, 45...

Entropy:
6.5667

Code size:
146 KB (149,504 bytes)

Service
Display name:
Carbon Copy Sharpen

Service name:
fycuwoco

Description:
Expire Online

Type:
Win32OwnProcess


The file snsv9ba3.tmp has been seen being distributed from the following host:

d1mdi78qyff344.cloudfront.net

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to dl21.clickmein.com (216.227.128.186:80)

Powered by Reason Core Security