keygen.exe

Install

Shan Feng

The application keygen.exe by Shan Feng has been detected as a potentially unwanted program by 3 of the 68 anti-malware scanners used. It is a setup and installation application and has been known to bundle potentially unwanted software. It is configured to execute automatically whenever any user logs into Windows, through a Run registry entry named ‘9PObaaSNaOS09aO0’.
Publisher:
Develop Ltd.  (signed by Shan Feng)

Product:
Install

Version:
4,2,4,7

MD5:
409afdef79729d7d66937de28232b066

SHA-1:
5dfb03e6f3de122f2d3bcdfb9a82efd9cfcc4ab4

SHA-256:
a051bc69dccb6877aa7d4a5c51fd6d1f1558b07b9947bf2ab42ac13c03873041

Scanner detections:
3 / 68

Status:
Potentially unwanted

Analysis date:
11/16/2024 3:49:19 AM UTC

Scan engine          Detection                          Engine version
Dr.Web               Adware.Mutabaha.1252               9.0.1.05190
ESET NOD32           Win32/Filecoder.EZ trojan          8.0.319.0
Reason Heuristics    PUP.Elex.ShanFeng.Installer (M)    16.7.8.1

File size:
351.3 KB (359,704 bytes)

Product version:
2,7,3,1

Copyright:
(C) Develop Ltd.

Trademarks:
(C) Develop Ltd.

Original file name:
setup.exe

File type:
Executable application (Win32 EXE)

Language:
German (Germany)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\keygen.exe

Digital Signature
Signed by:

Authority:
thawte, Inc.

Valid from:
2/4/2016 1:00:00 AM

Valid to:
2/4/2017 12:59:59 AM

Subject:
CN=Shan Feng, OU=Individual Developer, O=No Organization Affiliation, L=Beijing, S=Beijing, C=CN

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
35000007A9C98043CA459BAC1DA3B29C

File PE Metadata
OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
6144:TzR3OWmpKaN00Qxe7vLtJ11+i3eLteIXMKFc/Zu6ssd7poZecI9rBy6tbu2SohVf:vRepX0Xe7zh1x3eAI8F/qsd76g/l9PhV

Entry address:
0x13B3

Entry point:
55, 89, E5, 83, EC, 08, C7, 05, F8, 7A, 45, 00, 01, 00, 00, 00, E8, 84, 77, 04, 00, C9, E9, 66, FD, FF, FF, 55, 89, E5, 83, EC, 08, C7, 05, F8, 7A, 45, 00, 00, 00, 00, 00, E8, 69, 77, 04, 00, C9, E9, 4B, FD, FF, FF, 90, 90, 90, 66, 90, 66, 90, 55, 89, E5, 83, EC, 18, A1, 68, D9, 44, 00, 85, C0, 74, 3C, C7, 04, 24, 00, E0, 44, 00, FF, 15, 00, 83, 45, 00, 83, EC, 04, 85, C0, BA, 00, 00, 00, 00, 74, 16, C7, 44, 24, 04, 0E, E0, 44, 00, 89, 04, 24, FF, 15, 04, 83, 45, 00, 83, EC, 08, 89, C2, 85, D2, 74, 09, C7...

Code size:
294 KB (301,056 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
9PObaaSNaOS09aO0

Command:
"C:\users\{user}\appdata\local\temp\{random}.tmp\keygen.exe" \skipreg
