nsfabaa.tmp

The file nsfabaa.tmp has been detected as a potentially unwanted program by 20 anti-malware scanners. It runs as a separate Windows service (within the context of its own process) named “Access Floppy Disk”. The file has been seen being downloaded from d2htwdv930b0cg.cloudfront.net.
MD5: fe708e7e7530730e90f714ce269788c9
SHA-1: fc93beca56846f09dcc9c2e6818fe0fea450a781
SHA-256: 53c57950820547cc03d4160bbadbb49367e6d40d14335dfd84ce1aa1ba27a981
Scanner detections: 20 / 68
Status: Potentially unwanted
Analysis date: 4/25/2024 10:58:58 PM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Lavasoft Ad-Aware | Trojan.GenericKD.2323820 | 625 |
| Agnitum Outpost | PUA.ConvertAd | 7.1.1 |
| avast! | Win32:Adware-gen [Adw] | 2014.9-150521 |
| AVG | Generic6 | 2016.0.3103 |
| Baidu Antivirus | Adware.Win32.ConvertAd | 4.0.3.15521 |
| Bitdefender | Trojan.GenericKD.2323820 | 1.0.20.705 |
| Dr.Web | Adware.ClickMeIn.1233 | 9.0.1.0142 |
| Emsisoft Anti-Malware | Trojan.GenericKD.2323820 | 8.15.05.21.06 |
| ESET NOD32 | Win32/Adware.ConvertAd.JM (variant) | 9.11615 |
| Fortinet FortiGate | Riskware/ConvertAd | 5/21/2015 |
| F-Secure | Trojan.GenericKD.2323820 | 11.2015-21-05_5 |
| G Data | Trojan.GenericKD.2323820 | 15.5.25 |
| Kaspersky | UDS:DangerousObject.Multi.Generic | 14.0.0.2002 |
| McAfee | Artemis!FE708E7E7530 | 5600.6759 |
| MicroWorld eScan | Trojan.GenericKD.2323820 | 16.0.0.423 |
| NANO AntiVirus | Riskware.Win32.ClickMeIn.driprz | 0.30.24.1357 |
| nProtect | Trojan.GenericKD.2323820 | 15.05.11.01 |
| Reason Heuristics | Threat.Win.Reputation.IMP | 15.5.22.10 |
| Sophos | Generic PUA BK | 4.98 |
| VIPRE Antivirus | Trojan.Win32.Generic | 40176 |

File size: 281 KB (287,744 bytes)
Common path: C:\users\{user}\appdata\roaming\64b8b312-1429395655-11e4-b290-f80f41d1dd3a\nsfabaa.tmp

File PE Metadata
Compilation timestamp: 4/26/2015 11:10:16 AM
OS version: 5.1
OS bitness: Win32
Subsystem: Windows GUI
Linker version: 10.0
CTPH (ssdeep): 6144:vINouTq9PwKPaEHqI4ZJPhsHo4mYmZcbyq+A:gxTq9BaEHqrJJsHoPYIcW
Entry address: 0x17D37
Entry point: E8, A2, 5D, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 74, 2D, FF, 75, 08, 6A, 00, FF, 35, 84, 5D, 44, 00, FF, 15, 84, B0, 43, 00, 85, C0, 75, 18, 56, E8, C0, 11, 00, 00, 8B, F0, FF, 15, 30, B0, 43, 00, 50, E8, 70, 11, 00, 00, 59, 89, 06, 5E, 5D, C3, CC, CC, CC, CC, CC, 8B, 54, 24, 0C, 8B, 4C, 24, 04, 85, D2, 74, 69, 33, C0, 8A, 44, 24, 08, 84, C0, 75, 16, 81, FA, 80, 00, 00, 00, 72, 0E, 83, 3D, 64, 74, 44, 00, 00, 74, 05, E9, CD, 5D, 00, 00, 57, 8B, F9, 83, FA, 04, 72, 31, F7, D9, 83...
Entropy: 6.5295
Code size: 229 KB (234,496 bytes)

Service
Display name: Access Floppy Disk
Service name: wogyzove
Description: Socket Word Processor
Type: Win32OwnProcess


The file nsfabaa.tmp has been seen being distributed by the following URL.

http://d2htwdv930b0cg.cloudfront.net/VOsrv.exe
