home

nego.exe

Nego Facturation

PMEtool Sàrl

The application nego.exe, “Nego Facturation Setup ” by PMEtool Sàrl has been detected as a potentially unwanted program by 5 anti-malware scanners. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. The installer uses the OpenCandy monitzation platform which will donwload and install offers in the setup for potentially unwanted software including ad/search-supported toolbars. The file has been seen being downloaded from www.pmetool.com.
Publisher:
PMEtool Sàrl   (signed by PMEtool Sàrl)

Product:
Nego Facturation

Description:
Nego Facturation Setup

MD5:
37756b34a1512e8b332c1412beb0b9e7

SHA-1:
015ca107b4f594c06572d1358a55e342825d1347

SHA-256:
e1829e4580ebc042996fa94f016b2094f4868d736f11c53382a3ecdfe2f5bdd2

Scanner detections:
5 / 68

Status:
Potentially unwanted

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
11/6/2024 4:42:05 AM UTC  (today)

Scan engine
Detection
Engine version

Dr.Web
Adware.Eorezo.383
9.0.1.0240

ESET NOD32
Win32/InstallMonetizer.AQ potentially unwanted
9.12108

Fortinet FortiGate
Riskware/OpenCandy
8/28/2015

G Data
Win32.Application.OpenCandy
15.8.25

NANO AntiVirus
Riskware.Win32.Downware.dgkmsw
0.30.24.3079

File size:
21.7 MB (22,773,288 bytes)

Copyright:
Copyright © 2008-2015 PMEtool

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\nego.exe

Digital Signature
Signed by:
PMEtool Sàrl

Authority:
thawte, Inc.

Valid from:
1/2/2015 1:00:00 AM

Valid to:
1/2/2017 12:59:59 AM

Subject:
CN=PMEtool Sàrl, O=PMEtool Sàrl, L=Les Ponts-de-Martel, S=Nebraska, C=CH

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
1270631799F0D210A7DB3885A0075E00

File PE Metadata
Compilation timestamp:
7/9/2014 9:58:13 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
393216:glyxTr6/khjlvglAyQ1rTJ2TcPzKOaEOqs1pi0gtqPzn6UDmmC5RbxX/2Di5QVzO:ja/kXIqdFScPzKbTqsXi0gtmtpC5RtXl

Entry address:
0x113BC

Entry point:
55, 8B, EC, 83, C4, A4, 53, 56, 57, 33, C0, 89, 45, C4, 89, 45, C0, 89, 45, A4, 89, 45, D0, 89, 45, C8, 89, 45, CC, 89, 45, D4, 89, 45, D8, 89, 45, EC, B8, 2C, 00, 41, 00, E8, E8, 51, FF, FF, 33, C0, 55, 68, 9E, 1A, 41, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 5A, 1A, 41, 00, 64, FF, 32, 64, 89, 22, A1, 48, 5B, 41, 00, E8, 16, D8, FF, FF, E8, 65, D3, FF, FF, 80, 3D, DC, 2A, 41, 00, 00, 74, 0C, E8, 2B, D9, FF, FF, 33, C0, E8, 80, 32, FF, FF, 8D, 55, EC, 33, C0, E8, E2, A3, FF, FF, 8B, 55, EC, B8, 50, 86...
 
[+]

Developed / compiled with:
Microsoft Visual C++

Code size:
63.5 KB (65,024 bytes)

The file nego.exe has been seen being distributed by the following URL.

http://www.pmetool.com/.../Nego.exe

Remove nego.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.