nso604c.tmp

The file nso604c.tmp has been detected as a potentially unwanted program by 15 anti-malware scanners. The program is a setup application that uses the Inno Setup installer; however, the file is not signed with an Authenticode signature from a trusted source. The setup program uses the InstallCore engine, which may bundle additional software offers, including toolbars and browser extensions. The file has been seen being downloaded from livestatscounter.com and multiple other hosts.
MD5:
b04cf5a6f7afbbd7e0534219b45a6c10

SHA-1:
5675f22fb337cfecea86c1d552abaab8d674a0cf

SHA-256:
8598db65b5caf73f6365f07429884ba6d3eb53ccde212e89aaf22d0a44258ea1

Scanner detections:
15 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software, which may include extensions such as DealPly and various toolbars.

Analysis date:
11/23/2024 8:04:26 AM UTC

| Scan engine | Detection | Engine version |
| --- | --- | --- |
| Avira AntiVirus | PUA/InstallCore.Gen7 | 7.11.219.36 |
| Baidu Antivirus | Adware.Win32.InstallCore | 4.0.3.15420 |
| Dr.Web | Trojan.DownLoader12.47681 | 9.0.1.0110 |
| ESET NOD32 | Win32/InstallCore.PK potentially unwanted application | 9.7.0.302.0 |
| Fortinet FortiGate | Riskware/InstallCore | 4/20/2015 |
| F-Prot | W32/A-95939616 | v6.4.7.1.166 |
| G Data | Win32.Application.AnyProtect | 15.4.25 |
| herdProtect (fuzzy) | | 2015.7.22.9 |
| K7 AntiVirus | Adware | 13.202.15600 |
| McAfee | Trojan.Artemis!B04CF5A6F7AF | 5600.6789 |
| Qihoo 360 Security | Win32/Virus.00e | 1.0.0.1015 |
| Sophos | Mal/Generic-S | 4.98 |
| Trend Micro House Call | TROJ_GEN.R047C0OCM15 | 7.2.110 |
| Trend Micro | TROJ_GEN.R047C0OCM15 | 10.465.20 |
| VIPRE Antivirus | Threat.4150696 | 39354 |

File size:
580.7 KB (594,668 bytes)

Installer:
Inno Setup

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\nso604c.tmp

File PE Metadata
Compilation timestamp:
6/19/1992 6:22:17 PM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
12288:DmFaLILLcaAet8INFqkrBrBP2QnO1Zg0TrvhfBM2B2IU3KbL4pd:DmFqIfcaAePOEBr4QnO1NZZMWW

Entry address:
0x9C40

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, BF, A9, FF, FF, E8, 5E, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, FC, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, C5, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 24, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 24, CE...
 

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
37 KB (37,888 bytes)

The file nso604c.tmp has been seen being distributed by the following 2 URLs.
