» qnsl1e89.tmp
Overview
Analysis
File Details
Behaviors (1)
Network (2)

qnsl1e89.tmp

The file qnsl1e89.tmp has been detected as a potentially unwanted program by 9 anti-malware scanners. It runs as a separate (within the context of its own process) windows Service named “Double Spaced Firewall”. While running, it connects to the Internet address dl19.clickmein.com on port 80 using the HTTP protocol.

File name:

qnsl1e89.tmp

MD5:

542199ec8faa7cb170b8f663d62ada99

SHA-1:

764a021a60890ec6e7156c8ae5d9ec34a909a40c

SHA-256:

be4317ddd6de0dbbdca11414ec0cc43e69038e056bad21a6738e39e397b80a42

Scanner detections:

9 / 68

Status:

Potentially unwanted

Analysis date:

5/10/2024 8:59:10 PM UTC (today)

Scan engine

Detection

Engine version

Avira AntiVirus

W32/Sality.AG

7.11.30.172

Dr.Web

Adware.ClickMeIn.5564

9.0.1.05190

Emsisoft Anti-Malware

Gen:Variant.Adware.ConvertAd.71

16.02.01

ESET NOD32

Win32/Adware.ConvertAd.AEX application

6.3

F-Secure

Variant.Adware.ConvertAd

5.15.96

Kaspersky

not-a-virus:AdWare.Win32.ConvertAd

15.0.0.562

Norman

Gen:Variant.Adware.ConvertAd.71

22.05.2016 07:18:28

Reason Heuristics

Adware.ConvertAd (M)

16.2.4.14

VIPRE Antivirus

Threat.4150696

46444

File size:

155 KB (158,720 bytes)

Common path:

C:\users\{user}\appdata\local\35444335-1451094896-4830-3754-544834324435\qnsl1e89.tmp

File PE Metadata

Compilation timestamp:

12/26/2015 12:59:01 AM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

10.0

CTPH (ssdeep):

3072:IeEZTEZoKpwev9yMhyNF8kEkfKEYKueeMhi1rE:IzhS99yMhyH8khfQKu48

Entry address:

0xD5FB

Entry point:

E8, CA, 71, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 8B, 45, 08, A3, B8, 52, 42, 00, 5D, C3, 8B, FF, 55, 8B, EC, 51, 56, FF, 35, B8, 52, 42, 00, FF, 15, 64, B0, 41, 00, 8B, F0, 8B, 45, 08, 85, C0, 75, 16, E8, B2, 05, 00, 00, 6A, 16, 5E, 89, 30, E8, 56, 05, 00, 00, 8B, C6, E9, BB, 00, 00, 00, 83, 20, 00, 57, 85, F6, 0F, 85, 8D, 00, 00, 00, 68, CC, E6, 41, 00, FF, 15, 20, B0, 41, 00, 89, 45, FC, 85, C0, 75, 16, E8, 7E, 05, 00, 00, 6A, 16, 5E, 89, 30, E8, 22, 05, 00, 00, 8B, C6, E9, 86, 00, 00, 00, 68... 
[+]

Entropy:

6.3697

Code size:

103 KB (105,472 bytes)

Service

Display name:

Double Spaced Firewall

Service name:

zigipyro

Description:

Field Web Directory

Type:

Win32OwnProcess

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to dl21.clickmein.com (216.227.128.186:80)

TCP (HTTP):

Connects to dl19.clickmein.com (50.7.184.162:80)

Remove qnsl1e89.tmp - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.