home

c.exe

Pehet

The application c.exe, “Pehet Setup ” has been detected as a potentially unwanted program by 2 anti-malware scanners. The program is a setup application that uses the installCore installer, however the file is not signed with an authenticode signature from a trusted source. The setup program uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions. The file has been seen being downloaded from www.dlmegacontent.com and multiple other hosts.
Product:
Pehet

Description:
Pehet Setup

Version:
2.6.3.8

MD5:
768f6760354c8e4bdf75e63f9b7edb20

SHA-1:
75e5ab5b33937b1a094d7336c5141f946df40bd8

SHA-256:
2dba4e1492ea5b34c29f86ec042d7bb68875e503baebc30cd8aa82f115195386

Scanner detections:
2 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
12/28/2024 12:01:13 PM UTC  (today)

Scan engine
Detection
Engine version

ESET NOD32
Win32/InstallCore.AFS potentially unwanted application
8.0.319.0

Reason Heuristics
PUP.InstallCore.Bundler (M)
16.2.22.10

File size:
1.1 MB (1,133,343 bytes)

Product version:
1.5

Copyright:
program

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\c.exe

File PE Metadata
Compilation timestamp:
6/19/1992 5:22:17 PM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:Z0rD1f2b70CE4hfeMMLOM0u2+d4qXn9bDoqa:Z4hm71ML1l9mqND6

Entry address:
0xA5F8

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, CE, 8A, FF, FF, E8, D5, 9C, FF, FF, E8, 64, 9F, FF, FF, E8, 07, A0, FF, FF, E8, A6, BF, FF, FF, E8, 11, E9, FF, FF, E8, 78, EA, FF, FF, 33, C0, 55, 68, C9, AC, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 92, AC, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 26, F5, FF, FF, E8, 11, F1, FF, FF, 80, 3D, 34, B2, 40, 00, 00, 74, 0C, E8, 23, F6, FF, FF, 33, C0, E8, C4, 97, FF, FF, 8D, 55, F0, 33, C0, E8, B6, C5, FF, FF, 8B, 55...
 
[+]

Entropy:
7.8763

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
39.5 KB (40,448 bytes)

The file c.exe has been seen being distributed by the following 4 URLs.

http://www.dlmegacontent.com/c?x=lbH1fDovPWtAp/y5G6NRyYq/B895F9K/gxR4dSEVENA=&c=yPwYcuurFbY 5AS7xENWXHkTMaE6HKnfGpM3PaJ H5KARbKZ53Y7kQuv OTWcXtw/wxB/FnrRQDDMNG5n/W9qkVLJdXucs5xFxAarx7GAqg zFDv/PHzuIyDgNWh0KdL&downloadAs=installer_ares_Spanish.exe&fallback_url=http://xmlinstcp-fpm.portal-factory.com/.../error_ic.php?xrip=189.231.74.70&countrya2=MX&partner=SEO&origen=SEO&program=Ares&3dparty_channel=SEO00Z9e110414de8ce21c7730e78acdf934a1&ou=http://ares.com.es&du=http://download.instseo.com/installers/down.php?key=94813&new=y&hostname=ares.com.es&url_download=&software=Ares&country=MX&lang=es&tb=babylonnewv4&langutf8=Spanish&addfavorites=n&premium_url=http%3A%2F%2Fpf.vitplatform.com%2Fcrawled_soft%2F2%2F2%2F22461-682862-ares.exe&partner_keyword=SEO&p2p=0&logourl=%2Ficoinstall%2Fprograms%2Ficono-ares-128x128.png&ud=lp&origen=SEO&ua=msie&ou=http://ares.com.es&http%3A%2F%

http://www.dlmegacontent.com/c?x=qYopkJjc61wvORMUaWM9hAd4/tMlkBIJY3K4madB9Ss=&c=Tlt4AHN dGcqcby4MWQSZhKeFYrGh2cdwQ0FpIk4NS0CNkSheuw/lAOPYCb35z317e4WHjQfRa8EoaX2 LmEeh8ZCXAqGl35tG1hR3yRbckgDwUkXkfcEl/xqplVNXfV&downloadAs=installer_ares_Spanish.exe&fallback_url=http://xmlinstcp-fpm.portal-factory.com/cmd/error_ic.php?xrip=187.208.152.112&countrya2=MX&partner=SEO&origen=SEO&program=Ares&3dparty_channel=SEO00Z9e110414de8ce21c7730e78acdf934a1&ou=http://ares.com.es&du=http://download.instseo.com/installers/down.php?key=94813&new=y&hostname=ares.com.es&url_download=&software=Ares&country=MX&lang=es&tb=babylonnewv4&langutf8=Spanish&addfavorites=n&premium_url=http://pf.vitplatform.com/crawled_soft/2/2/22461-682862-ares.exe&partner_keyword=SEO&p2p=0&logourl=/icoinstall/programs/icono-ares-128x128.png&ud=lp&origen=SEO&ua=msie&ou=http://ares.com.es&http:/%

http://www.dlmegacontent.com/c?x= ywOIeFbxkl3uhwl2Xsm29Nhs8LiQOkdjp898h8NwUo=&c=6eQTD2AYJ5 JYxFQnBxpOGNDCxkpPltdVTubXqJePZ7YNt7P2g0sFe0OA9jVesSm tvEdM9J66evKIqFqPXNhKa/Z/VnXHjvwp3nmyDRKbV7s6awlXI 4IaGCb6O539y&downloadAs=installer_ares_Spanish.exe&fallback_url=http://xmlinstcp-fpm.portal-factory.com/cmd/error_ic.php?xrip=187.144.223.126&countrya2=MX&partner=SEO&origen=SEO&program=Ares&3dparty_channel=SEO00Z9e110414de8ce21c7730e78acdf934a1&ou=http://ares.com.es&du=http://download.instseo.com/installers/down.php?key=94813&new=y&hostname=ares.com.es&url_download=&software=Ares&country=MX&lang=es&tb=babylonnewv4&langutf8=Spanish&addfavorites=n&premium_url=http://pf.vitplatform.com/crawled_soft/2/2/22461-682862-ares.exe&partner_keyword=SEO&p2p=0&logourl=/icoinstall/programs/icono-ares-128x128.png&ud=lp&origen=SEO&ua=msie&ou=http://ares.com.es&http:/%

http://www.centralconceptsapps.com/c?x=i7kShKmyBY5dsu8rh C0ErCE pRAuavHkTEwBWc/lpM=&c=qsK3D5Zq9B 8GdY3F/dk2EBNvCgyqlllJHOjuRiCc/A6dp3fy6Hi/Ti3vapIiswE8H8APT4cI9SJFrK/ Jac EqXwJWNIneFTUcYHA/h0xauamU/7D1jIjcbvSnc7VnU&downloadAs=installer_ares_Spanish.exe&fallback_url=http://xmlinstcp-fpm.portal-factory.com/cmd/error_ic.php?xrip=200.56.170.249&countrya2=MX&partner=SEO&origen=SEO&program=Ares&3dparty_channel=SEO00Z9e110414de8ce21c7730e78acdf934a1&ou=http://ares.com.es&du=http://download.instseo.com/installers/down.php?key=94813&new=y&hostname=ares.com.es&url_download=&software=Ares&country=MX&lang=es&tb=babylonnewv4&langutf8=Spanish&addfavorites=n&premium_url=http://pf.vitplatform.com/crawled_soft/2/2/22461-682862-ares.exe&partner_keyword=SEO&p2p=0&logourl=/icoinstall/programs/icono-ares-128x128.png&ud=lp&origen=SEO&ua=msie&ou=http://ares.com.es&http:%

Remove c.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.