nsld095.tmp

3170_face_istartsurf

Xiaoqing Liu

The file nsld095.tmp, signed by Xiaoqing Liu, has been detected as adware by 13 of the 68 anti-malware scanners listed below. AVG classifies it as a downloader: during setup the software fetches additional adware offers from the network. It is typically executed from the user's temporary directory (see the common path below); the ns*.tmp naming in %TEMP% is the pattern NSIS-built installers use for files they unpack while running, which fits the dropper and downloader verdicts. The file has been seen being downloaded from www.girlquzijin.com and multiple other hosts.
Publisher:
ylsn (signed by Xiaoqing Liu)

Product:
3170_face_istartsurf

Description:
ylsn

Version:
6,3,7601,1995

MD5:
85ebe6c2b00c36e511ce2334bcbb696c

SHA-1:
35bdde5841c62e2644743eacbb926352b5c267f0

SHA-256:
d71733e97ccb4ad2d134c3263086ac0b76ca4283b5cc280b86f3aafa0f1d41bb

Scanner detections:
13 / 68

Status:
Adware

Analysis date:
12/25/2024 4:07:09 AM UTC

Scan engine            Detection                             Engine version
AhnLab V3 Security     PUP/Win32.SearchHijacker              2015.03.26
avast!                 Dropper-gen [Drp]                     2014.9-150618
AVG                    Downloader                            2016.0.3128
Baidu Antivirus        PUA.Win32.ELEX                        4.0.3.15618
ESET NOD32             Win32/ELEX.CE potentially unwanted    9.11340
Fortinet FortiGate     Riskware/Elex                         4/26/2015
herdProtect (fuzzy)    (none listed)                         2015.6.18.3
K7 AntiVirus           Trojan                                13.201.15304
Malwarebytes           PUP.Optional.LuckySearches.A          v2015.04.26.06
McAfee                 Artemis!935124FF033F                  5600.6731
Qihoo 360 Security     HEUR/QVM41.1.Malware.Gen              1.0.0.1015
Reason Heuristics      PUP.Li Mo                             15.3.11.16
Sophos                 PUA 'Elex' (of type Adware)           5.12

Note: McAfee's Artemis!<hex> names normally carry the first 12 hex digits of the sample's MD5. 935124FF033F does not match the MD5 listed above, so that row should not be taken as a verdict on exactly this file without re-scanning it.

File size:
322.9 KB (330,696 bytes)

Product version:
6,3,7601,1995

Copyright:
bsw

Original file name:
bsw

Language:
English

Common path:
C:\users\{user}\appdata\local\temp\nsld095.tmp

Digital Signature
Signed by:
Xiaoqing Liu
Authority:
DigiCert Inc

Valid from:
8/13/2014 2:00:00 AM

Valid to:
8/17/2015 2:00:00 PM

Subject:
CN=Xiaoqing Liu, O=Xiaoqing Liu, L=Zaozhuang, S=Shandong, C=CN

Issuer:
CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0EBAB4AC38B70A33EE517D238BDE49D7

File PE Metadata
Compilation timestamp:
3/9/2015 10:46:39 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
6144:aqlTU8709zV1R4bp7+nSOh0fJD/V8LHJ1PhhgVIE2:aVR1R4bp7ObQD/VQf5GVIE2

Entry address:
0x114D9

Entry point:
E8, 96, 6E, 00, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, 74, A6, 42, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, C8, 80, 42, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, 74, A6, 42, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00...

The leading E8 (call rel32) immediately followed by E9 (jmp rel32) is the Visual C++ CRT startup stub (call __security_init_cookie, then jump into the CRT's main-start routine), consistent with the linker version 11.0 (Visual Studio 2012) reported above. The program's own logic begins at the jump target, not at these bytes, and the CC padding and memcpy-style code after them is CRT library code.

Code size:
115.5 KB (118,272 bytes)
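To confirm that a file found in a user's temp directory really is this sample, a practitioner would recompute the three hashes and re-read the PE fields listed above rather than trust the file name. The script below is an added example, not code from the page or from herdProtect: it parses the DOS, COFF, optional and section headers with the standard library only (no pefile or ssdeep, so the CTPH hash is not checked), assumes the page's compilation timestamp is UTC, and ships with a constructed PE32 stub that carries the page's header values so it runs offline.

```python
"""Check a suspect file against the indicators published above for nsld095.tmp.

Added example (not the page's code). Hashes and PE header values below are
copied from the page; make_sample_pe() builds a constructed stand-in image.
"""
import calendar
import hashlib
import struct
import sys
from datetime import datetime, timezone

EXPECTED_HASHES = {
    "md5": "85ebe6c2b00c36e511ce2334bcbb696c",
    "sha1": "35bdde5841c62e2644743eacbb926352b5c267f0",
    "sha256": "d71733e97ccb4ad2d134c3263086ac0b76ca4283b5cc280b86f3aafa0f1d41bb",
}
EXPECTED_PE = {
    "machine": 0x14C,                       # IMAGE_FILE_MACHINE_I386, i.e. Win32
    "compiled": "2015-03-09 10:46:39 UTC",  # page's timestamp, assumed UTC
    "linker": (11, 0),
    "code_size": 118272,
    "entry_rva": 0x114D9,
    "os_version": (5, 1),
    "subsystem": 2,                         # IMAGE_SUBSYSTEM_WINDOWS_GUI
    "entry_prefix": bytes.fromhex("E8966E0000E97FFEFFFF"),  # first 10 entry bytes
}


def file_hashes(data: bytes) -> dict:
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def parse_pe(data: bytes) -> dict:
    """Read the DOS, COFF, optional and section headers of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    machine, nsect, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, lmaj, lmin = struct.unpack_from("<HBB", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 is handled here (the page lists Win32)")
    code_size, = struct.unpack_from("<I", data, opt + 4)
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem, = struct.unpack_from("<H", data, opt + 68)
    # Walk the section table to translate the entry RVA into a file offset.
    entry_off = None
    for i in range(nsect):
        sh = opt + opt_size + 40 * i
        _, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sh)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            entry_off = rawptr + (entry_rva - vaddr)
            break
    if entry_off is None:
        raise ValueError("entry point lies outside every section")
    return {
        "machine": machine,
        "compiled": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "linker": (lmaj, lmin),
        "code_size": code_size,
        "entry_rva": entry_rva,
        "os_version": (os_major, os_minor),
        "subsystem": subsystem,
        "entry_prefix": bytes(data[entry_off:entry_off + 10]),
    }


def check_sample(data: bytes) -> dict:
    """Map each published indicator to (expected, observed, matches)."""
    observed = {**file_hashes(data), **parse_pe(data)}
    expected = {**EXPECTED_HASHES, **EXPECTED_PE}
    return {k: (expected[k], observed[k], expected[k] == observed[k]) for k in expected}


def make_sample_pe() -> bytes:
    """Constructed PE32 stub carrying the page's header values (not the real file)."""
    ts = calendar.timegm((2015, 3, 9, 10, 46, 39))
    text_rva, text_raw, text_size = 0x1000, 0x400, 0x11000   # a single .text section
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<HBB", opt, 0, 0x10B, 11, 0)      # PE32, linker 11.0
    struct.pack_into("<I", opt, 4, 118272)              # SizeOfCode
    struct.pack_into("<I", opt, 16, 0x114D9)            # AddressOfEntryPoint
    struct.pack_into("<HH", opt, 40, 5, 1)              # minimum OS 5.1
    struct.pack_into("<H", opt, 68, 2)                  # Windows GUI subsystem
    sect = struct.pack("<8sIIII", b".text", text_size, text_rva, text_size, text_raw) + b"\0" * 16
    image = bytearray((dos + coff + bytes(opt) + sect).ljust(text_raw + text_size, b"\0"))
    off = text_raw + (0x114D9 - text_rva)
    image[off:off + 10] = EXPECTED_PE["entry_prefix"]
    return bytes(image)


if __name__ == "__main__":
    # Pass the path of a real sample; with no argument the constructed stub is checked.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_pe()
    for field, (exp, obs, ok) in check_sample(data).items():
        print(f"{'match' if ok else 'DIFF '} {field}: {obs!r} (page: {exp!r})")
```

Run it as `python check_nsld095.py C:\Users\<user>\AppData\Local\Temp\nsld095.tmp`; every hash and header field must match before the page's verdicts are applied to that file. Against the constructed stub only the PE header fields match and the hashes differ, which is the expected result for anything other than the original sample.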

The file nsld095.tmp has been seen being distributed by the following 2 URLs.
