nsy39a8.tmp

The file nsy39a8.tmp has been detected as a potentially unwanted program by 4 of 68 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer; however, the file is not signed with an Authenticode signature from a trusted source. The file has been seen being downloaded from d16hr9n7t75k58.cloudfront.net.
MD5:
57d3f62c9c6a3932c2152218723cbea8

SHA-1:
cb98e3a8f97b1f22c3a2f91696e1b19a57645311

SHA-256:
b9c990a693bcebfd5f1e9744ac223656f27878c2caa73e6c8223df4ee122a849

Scanner detections:
4 / 68

Status:
Potentially unwanted

Analysis date:
11/6/2024 9:26:32 AM UTC

Scan engine            Detection                           Engine version
AhnLab V3 Security     PUP/Win32.VOPackage                 2015.12.05
Kaspersky              UDS:DangerousObject.Multi.Generic   14.0.0.1016
Qihoo 360 Security     QVM42.0.Malware.Gen                 1.0.0.1077
Reason Heuristics      Adware.Downloader.KY (M)            16.2.29.18

File size:
53.2 KB (54,511 bytes)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\nsy39a8.tmp

File PE Metadata
Compilation timestamp:
12/5/2009 2:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
1536:upgpHzb9dZVX9fHMvG0D3XJuF0iuwa/o41ahfa:0gXdZt9P6D3XJuF0i2o4sk

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...

Entropy:
7.1718

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)
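The fields above (hashes, entropy, the NSIS packer tag, compile timestamp, linker and OS versions, entry address, subsystem, and whether any Authenticode blob is present) can all be recovered from the raw bytes of a sample. The following Python triage script is an added example and is not code from Reason Core Security or the page above. It assumes a PE32 image; the NSIS check looks for the well-known "NullsoftInst" first-header marker; and the Authenticode check only reports whether the PE security directory is non-empty, which is not the same as verifying a signature chain (use signtool or Get-AuthenticodeSignature for that). The sample bytes built by build_sample_pe() are constructed to carry the report's metadata and are not the real nsy39a8.tmp, so its hashes will not match the IOC list.

```python
import hashlib
import math
import struct
from datetime import datetime, timezone

# Hashes copied from the report above; everything else in this block is constructed.
IOC_HASHES = {
    "md5": "57d3f62c9c6a3932c2152218723cbea8",
    "sha1": "cb98e3a8f97b1f22c3a2f91696e1b19a57645311",
    "sha256": "b9c990a693bcebfd5f1e9744ac223656f27878c2caa73e6c8223df4ee122a849",
}
# NSIS "first header" marker: 0xDEADBEEF followed by the ASCII tag "NullsoftInst".
NSIS_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def file_hashes(data: bytes) -> dict:
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def parse_pe32(data: bytes) -> dict:
    """Extract the header fields the report lists; PE32 (Win32) images only."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4                                            # IMAGE_FILE_HEADER
    timestamp = struct.unpack_from("<I", data, coff + 4)[0]      # TimeDateStamp
    opt = coff + 20                                              # IMAGE_OPTIONAL_HEADER32
    magic, maj_link, min_link = struct.unpack_from("<HBB", data, opt)
    if magic != 0x10B:
        raise ValueError("not a PE32 image")
    entry = struct.unpack_from("<I", data, opt + 16)[0]          # AddressOfEntryPoint
    maj_os, min_os = struct.unpack_from("<HH", data, opt + 40)   # OS version
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    # Data directory 4 is IMAGE_DIRECTORY_ENTRY_SECURITY; a zero size means there is
    # no embedded Authenticode blob at all (a non-zero one still needs verifying).
    _, sec_size = struct.unpack_from("<II", data, opt + 96 + 4 * 8)
    return {
        "compiled": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "linker": f"{maj_link}.{min_link}",
        "entry": hex(entry),
        "os_version": f"{maj_os}.{min_os}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "has_authenticode_blob": sec_size != 0,
    }


def triage(data: bytes) -> dict:
    """Hash matching, entropy, installer detection and PE metadata in one record."""
    hashes = file_hashes(data)
    info = parse_pe32(data)
    info.update(hashes)
    info["size"] = len(data)
    info["entropy"] = round(shannon_entropy(data), 4)
    info["nsis"] = NSIS_MAGIC in data
    info["ioc_match"] = any(hashes[k] == v for k, v in IOC_HASHES.items())
    return info


def build_sample_pe() -> bytes:
    """Constructed stand-in for nsy39a8.tmp: a minimal PE32 header carrying the
    report's metadata plus an NSIS first header. This is NOT the real file."""
    ts = int(datetime(2009, 12, 5, 14, 50, 52, tzinfo=timezone.utc).timestamp())
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 3, ts, 0, 0, 224, 0x010F)
    opt = bytearray(224)                                         # 96 bytes + 16 data dirs
    struct.pack_into("<HBB", opt, 0, 0x10B, 6, 0)                # PE32, linker 6.0
    struct.pack_into("<I", opt, 16, 0x30FA)                      # AddressOfEntryPoint
    struct.pack_into("<HH", opt, 40, 4, 0)                       # OS version 4.0
    struct.pack_into("<H", opt, 68, 2)                           # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    return dos + b"PE\0\0" + coff + bytes(opt) + NSIS_MAGIC      # security dir left empty


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in triage(data).items():
        print(f"{key:>22}: {value}")
```

Run it with a path to a real sample to get the same fields the report shows; with no argument it triages the constructed stand-in. Note that NSIS 2.x stubs share a fixed compile timestamp, so the 2009 date identifies the installer stub rather than when the PUP package was built, and the high entropy comes from the compressed payload appended after the stub.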

The file nsy39a8.tmp has been seen being distributed from d16hr9n7t75k58.cloudfront.net.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to server-54-230-53-86.jfk6.r.cloudfront.net  (54.230.53.86:443)

TCP (HTTP SSL):
Connects to server-54-230-39-184.jfk1.r.cloudfront.net  (54.230.39.184:443)

TCP (HTTP SSL):
Connects to server-54-230-38-208.jfk1.r.cloudfront.net  (54.230.38.208:443)

TCP (HTTP):
Connects to server-54-230-38-198.jfk1.r.cloudfront.net  (54.230.38.198:80)

TCP (HTTP):
Connects to server-54-192-55-17.jfk6.r.cloudfront.net  (54.192.55.17:80)

TCP (HTTP SSL):
Connects to server-54-192-55-164.jfk6.r.cloudfront.net  (54.192.55.164:443)

TCP (HTTP):
Connects to server-54-192-55-160.jfk6.r.cloudfront.net  (54.192.55.160:80)

TCP (HTTP):
Connects to server-54-192-55-16.jfk6.r.cloudfront.net  (54.192.55.16:80)

TCP (HTTP):
Connects to server-54-192-55-130.jfk6.r.cloudfront.net  (54.192.55.130:80)

TCP (HTTP SSL):
Connects to server-54-192-54-163.jfk6.r.cloudfront.net  (54.192.54.163:443)

Remove nsy39a8.tmp - Powered by Reason Core Security