xr.exe

Gameforge Live

Mpyre Software, Inc.

The executable xr.exe (“Gameforge Live Setup”) has been detected as malware by 27 anti-virus scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. It is set to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘XT’.
Publisher:
Gameforge  (signed by Mpyre Software, Inc.)

Product:
Gameforge Live

Description:
Gameforge Live Setup

Version:
2.0.3.1628

MD5:
bc6c6d5f12c01a50b7c38d0dafc60435

SHA-1:
d293c3d7d96747c764b4d7e4795d32941cf673b5

SHA-256:
35b75b4f080957092bbc2da5edf44a5a41ec9bf941416b2567fcab7d3e3deefb

Scanner detections:
27 / 68

Status:
Malware

Analysis date:
4/24/2024 10:14:34 AM UTC

Scan engine                     Detection                            Engine version
Lavasoft Ad-Aware               Trojan.NSIS.Androm.6                 51
AegisLab AV Signature           DangerousObject.Multi.Gen.mgbt       2.1.4+
AhnLab V3 Security              Spyware/Win32.Limitail.N1349873944   3.7.4.14
Avira AntiVirus                 TR/Rogue.338456                      8.3.3.4
Arcabit                         Trojan.NSIS.Androm.6                 1.0.0.741
avast!                          Win32:Malware-gen                    2014.9-161214
AVG                             Inject2                              2017.0.2529
Bitdefender                     Trojan.NSIS.Androm.6                 1.0.20.1745
Comodo Security                 UnclassifiedMalware                  25362
Dr.Web                          BackDoor.Comet.884                   9.0.1.0349
Emsisoft Anti-Malware           Trojan.NSIS.Androm                   8.16.12.14.06
Fortinet FortiGate              W32/Kryptik.CKFX!tr                  12/14/2016
F-Secure                        Trojan.NSIS.Androm.6                 11.2016-14-12_4
G Data                          Trojan.NSIS.Androm                   16.12.25
K7 AntiVirus                    Riskware                             13.231.20086
Kaspersky                       Trojan.NSIS.Inject                   14.0.0.-859
McAfee                          Artemis!BC6C6D5F12C0                 5600.6185
Microsoft Security Essentials   Backdoor:Win32/Fynloski              1.1.12902.0
MicroWorld eScan                Trojan.NSIS.Androm.6                 17.0.0.1047
NANO AntiVirus                  Trojan.Win32.Inject.dgugfp           1.0.38.8984
nProtect                        Trojan.NSIS.Androm.6                 16.06.30.01
Panda Antivirus                 Trj/CI.A                             16.12.14.06
Qihoo 360 Security              QVM42.0.Malware.Gen                  1.0.0.1120
Quick Heal                      Trojan.NSIS.r5                       12.16.14.00
Sophos                          Mal/Generic-S                        4.98
VIPRE Antivirus                 Trojan.Win32.Generic                 50494
Zillya! Antivirus               Backdoor.DarkKomet.Win32.23855       2.0.0.2934

File size:
330.5 KB (338,456 bytes)

Product version:
2.0.3.0

Copyright:
© 2014 Gameforge Productions GmbH

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Digital Signature
Authority:
DigiCert Inc

Valid from:
9/18/2012 5:00:00 PM

Valid to:
9/30/2015 5:00:00 AM

Subject:
CN="Mpyre Software, Inc.", O="Mpyre Software, Inc.", L=Mississauga, S=Ontario, C=CA

Issuer:
CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0B9F83CAA06EB3463CB393D128F62D70

File PE Metadata
Compilation timestamp:
5/11/2014 1:03:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

Entry address:
0x337C

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 14, C7, 44, 24, 10, 30, A2, 40, 00, 89, 6C, 24, 1C, FF, 15, 34, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, BC, 80, 40, 00, 55, FF, 15, AC, 82, 40, 00, 6A, 08, A3, 78, 4F, 43, 00, E8, B7, 2E, 00, 00, A3, C4, 4E, 43, 00, 55, 8D, 44, 24, 34, 68, B4, 02, 00, 00, 50, 55, 68, F0, B1, 42, 00, FF, 15, 7C, 81, 40, 00, 68, 7C, A3, 40, 00, 68, C0, 3E, 43, 00, E8, 22, 2B, 00, 00, FF, 15, 34, 81, 40, 00, BB, 00, F0, 43, 00, 50, 53, E8, 10, 2B, 00, 00...
 

Entropy:
7.9102

Packer / compiler:
Nullsoft install system v2.x

Code size:
24.5 KB (25,088 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
XT

Command:
C:\users\{user}\documents\xaz\xr.exe

