r20 full.exe

Internet Signup

OOO

While the file properties state the file is developed by 'Microsoft Corporation', this is not the case and it is designed just to look like a legitimate Microsoft system file. The application r20 full.exe by OOO has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup program which is used to install the application. The file has been seen being downloaded from ska4ay.com.
Publisher:
Microsoft Corporation  (signed by OOO )

Product:
Microsoft® Windows® Operating System

Description:
Internet Signup

Version:
6.00.2600.0000 (xpclient.010817-1148)

MD5:
43e5407ececbb00fab5d9b4d0c2d5790

SHA-1:
46621a2fa42ddd972b82537c1512268729aeb559

SHA-256:
2c8c2fff983170842cada527f35123a2535ea8e1f7be77a9691e5abb3bf0c797

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
11/5/2024 10:50:26 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP (M)
16.8.9.2

File size:
607 KB (621,576 bytes)

Product version:
6.00.2600.0000

Copyright:
© Microsoft Corporation. All rights reserved.

Original file name:
ISIGNUP.EXE

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\downloads\r20 full.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
6/22/2016 3:00:00 AM

Valid to:
6/23/2017 2:59:59 AM

Subject:
CN="OOO ""BAYKAL FORT AYTI""", O="OOO ""BAYKAL FORT AYTI""", STREET="Dzergynskogo, 25, of.511", L=Irkutsk, S=Irkutskaya, PostalCode=664011, C=RU

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
3893027C66B26D657A5F538754DBCC25

File PE Metadata
Compilation timestamp:
7/7/2016 6:10:06 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
12288:bwmbIH37hh/h4d5RJKt6Nuixdoy83zAh9rxxqGc7q2Wz8yG:bwmcH373K/UtMHdJ83zC9r+G0fWz3G

Entry address:
0x1030

Entry point:
55, 8B, EC, 81, EC, E8, 03, 00, 00, 68, 74, 14, 00, 00, A1, F4, 71, 49, 00, 50, FF, 15, F8, 60, 49, 00, 85, C0, 74, 07, 33, C0, E9, 22, 02, 00, 00, 8B, 4D, E0, 2B, 4D, E8, 89, 4D, E8, 8B, 55, CC, 8B, 4D, E8, D3, E2, 89, 55, F0, FF, 15, 0C, 61, 49, 00, 8B, 45, D8, C1, E0, 75, 89, 45, D4, 8B, 55, CC, 8B, 4D, C4, D3, EA, 89, 55, C8, 8B, 45, DC, 50, FF, 15, FC, 60, 49, 00, 8B, 4D, E4, 69, C9, FF, 92, 4C, 0A, 89, 4D, E4, 8B, 55, CC, 52, FF, 15, 00, 61, 49, 00, 68, 4C, 70, 49, 00, 6A, 00, FF, 15, 04, 61, 49, 00...
 
[+]

Developed / compiled with:
Microsoft Visual C++

Code size:
595 KB (609,280 bytes)

The file r20 full.exe has been seen being distributed by the following URL.

Remove r20 full.exe - Powered by Reason Core Security