
An interesting discovery from VirusTotal

Murasaki

I was mostly bored and was digging around the information VT dumps about whatever file you're scanning. The "Behaviour" tab seemed like a juicy one to look at.

What I discovered under registry actions seemed odd.

Registry Keys Opened
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\996E.exe

(Regedit can't find such a registry key, nor does this file exist anywhere.)

There's also a bonus of

Processes Terminated
C:\Documents and Settings\Administrator\Local Settings\Temp\EB93A6\996E.exe

Now before you jump on the "omg malware" train, no it isn't. This registry call is seen in software from Google, Adobe and others including my own applications built with Visual Studio.

Example scan of GoogleUpdate.exe (Tencent HABO): https://www.virustotal.com/gui/file/542294724926b0e156224b9ebd33e6354d79da4c828fb52f7f4233df45e3f624/behavior/

I have scoured the interwebs about this mysterious file and can't seem to find any useful information about what it is and what it does, apart from your usual fake websites.

If someone can shed some light on this it would be pretty swell.
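The path in the report is the per-image Image File Execution Options (IFEO) key, which the Windows loader looks up by image name for every process it starts, so a sandbox that renames the sample to something like 996E.exe will log an open of IFEO\996E.exe for that sample. What separates that harmless lookup from a hijack is whether the key actually exists on the machine and whether it carries a Debugger or VerifierDlls value. The following PowerShell is an added example and not code from the original post or from Google, Adobe or VirusTotal; the function name Get-IfeoEntry and the bottom-of-script sweep are my own, and the image name 996E.exe is taken from the report above purely as input.

```powershell
# Added example: check whether an Image File Execution Options entry exists for
# a given image name and whether it sets values that change how the process is
# started. Every process launch opens this key; a Debugger value is the classic
# hijack, VerifierDlls loads extra DLLs, GlobalFlag is mostly set by gflags.
function Get-IfeoEntry {
    param(
        [Parameter(Mandatory)]
        [string]$ImageName   # e.g. '996E.exe'; IFEO keys are named by leaf name only
    )
    $leaf = [System.IO.Path]::GetFileName($ImageName)

    # Native view and the WOW64 view that a 32-bit process reads on 64-bit Windows.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )
    $interesting = 'Debugger', 'VerifierDlls', 'GlobalFlag'

    foreach ($root in $roots) {
        $key = Join-Path $root $leaf
        if (-not (Test-Path -LiteralPath $key)) {
            # This is the expected result for a renamed sandbox sample: the open
            # in the behaviour report is just the loader's lookup, nothing was written.
            [pscustomobject]@{ Path = $key; Exists = $false; Values = @{}; Suspicious = $false }
            continue
        }

        $item  = Get-ItemProperty -LiteralPath $key
        $found = @{}
        foreach ($name in $interesting) {
            if ($null -ne $item.PSObject.Properties[$name]) {
                $found[$name] = $item.$name
            }
        }

        [pscustomobject]@{
            Path       = $key
            Exists     = $true
            Values     = $found
            # Debugger means another executable runs in place of this image;
            # VerifierDlls means extra DLLs are loaded into it. Both deserve a look.
            Suspicious = $found.ContainsKey('Debugger') -or $found.ContainsKey('VerifierDlls')
        }
    }
}

# 1. Check the exact name from the sandbox report.
Get-IfeoEntry -ImageName '996E.exe' | Format-Table -AutoSize

# 2. Sweep every IFEO entry on this machine and list the ones that redirect
#    or inject; legitimate developer tooling may show up here too, so review
#    each hit rather than deleting blindly.
Get-ChildItem -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options' |
    ForEach-Object { Get-IfeoEntry -ImageName $_.PSChildName } |
    Where-Object Suspicious |
    Format-Table Path, Values -AutoSize
```

Run it in an elevated PowerShell on the machine you care about (reading HKLM works unelevated, but some IFEO subkeys have restrictive ACLs). For the sandbox case above, step 1 should report Exists = False on both views, which is consistent with the poster's observation that Regedit finds no such key.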


Just now, Stu_Bear said:

Did you try running it?  Open it and inspect it?

It doesn't exist; supposedly written temporarily at runtime, perhaps? Who knows.

