nloader.exe

ZZimaLauncher

Nival Inc.

This is a setup program used to install the application. It is set to start automatically when a user logs into Windows, via the current-user Run registry key under the display name ‘qloader’. The file has been observed being downloaded from torrents.zzima.net and multiple other hosts.
Publisher:
Nival (signed by Nival Inc.)

Product:
ZZimaLauncher

Description:
ZZima.com

Version:
1, 0, 3, 1

MD5:
810b4464785d8d007ca0c86c046ac0ef

SHA-1:
71144aed01b5d7bb82cb29627e0e2c011260170e

SHA-256:
b6cc3a4d454ffe1a67cb21f1eae8c8a07f44ff4630c292e87313de1ccb116106

Scanner detections:
0 / 68

Status:
Clean (as of last analysis)

Analysis date:
4/26/2024 8:30:13 AM UTC  (today)

File size:
3.2 MB (3,311,440 bytes)

Product version:
1, 0, 3, 1

Copyright:
Copyright (C) ZZima 2014

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\zzima\zzima_loader\nloader.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
12/4/2013 6:00:00 AM

Valid to:
12/5/2015 5:59:59 AM

Subject:
CN=Nival Inc., O=Nival Inc., L=Hallandale Beach, S=Florida, C=US

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
4BF018FBC074EB6F714FB317F4E80E80

File PE Metadata
Compilation timestamp:
5/30/2014 1:47:34 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
49152:M2R/npTKvYbOoZImz/I7GJH7bm90KDpZtyaxc3WjiyWzEzo9z6yQa:rqYCQI6QCJH7i+KsaxcGOzEzk

Entry address:
0x1A2F8D

Entry point:
E8, 0B, D9, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 10, 53, FF, 75, 10, 8D, 4D, F0, E8, 38, FC, FF, FF, 8B, 5D, 08, 85, DB, 75, 26, E8, D0, 3C, 00, 00, C7, 00, 16, 00, 00, 00, E8, F8, AE, 00, 00, 38, 5D, FC, 74, 07, 8B, 45, F8, 83, 60, 70, FD, B8, FF, FF, FF, 7F, E9, BF, 00, 00, 00, 57, 8B, 7D, 0C, 85, FF, 75, 27, E8, A2, 3C, 00, 00, C7, 00, 16, 00, 00, 00, E8, CA, AE, 00, 00, 80, 7D, FC, 00, 74, 07, 8B, 45, F8, 83, 60, 70, FD, B8, FF, FF, FF, 7F, E9, 8F, 00, 00, 00, 8B, 45, F0, 83, 78, 14...
 

Code size:
2.2 MB (2,271,232 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
qloader

Command:
C:\users\{user}\appdata\roaming\zzima\zzima_loader\nloader.exe -a


The file nloader.exe has been seen being distributed by the following 4 URLs.

http://torrents.zzima.net/ZZimaLauncher_7Souls_qltvdb.exe
