home

mefogames.exe

Conduit Ltd.

The file belongs to the Conduit API platform, a utility that bundles and monetizes search toolbars and web browser extensions. The application mefogames.exe by Conduit has been detected as a potentially unwanted program by 7 anti-malware scanners. The program is a setup application that uses the Conduit Setup Manager installer. The file has been seen being downloaded from download.gamesrgb.com. While running, it connects to the Internet address cms.distributionengine.conduit-services.com on port 80 using the HTTP protocol.
Publisher:
Conduit  (signed by Conduit Ltd.)

Description:
3.0.7.18.3

Version:
10.13.20.29

MD5:
968be45877276e41f9dd4cfa228bf97b

SHA-1:
07c780ba78d985895312404d46c0ac01711f4c4d

SHA-256:
48be65bdebc53ac0b8916ad29b5f350276002b01ce3574c6deedbf7910f2cb89

Scanner detections:
7 / 68

Status:
Potentially unwanted

Explanation:
Bundles the Conduit Toolbar and/or Conduit Search Protect.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
11/25/2024 1:59:57 AM UTC  (today)

Scan engine
Detection
Engine version

Dr.Web
Adware.Conduit.33
9.0.1.05190

ESET NOD32
Win32/Toolbar.Conduit potentially unwanted application
7.0.302.0

IKARUS anti.virus
PUA.ClientConnect
t3scan.1.6.1.0

Kaspersky
not-a-virus:WebToolbar.JS.Condonit
15.0.0.494

Panda Antivirus
PUP/Conduit.A
14.08.10.11

Reason Heuristics
PUP.307183.Conduit.J
14.8.10.10

VIPRE Antivirus
Threat.4786236
31208

File size:
3.3 MB (3,427,616 bytes)

Copyright:
Conduit Ltd.

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Conduit Setup Manager (using Nullsoft Install System)

Language:
Language Neutral

Common path:
C:\users\austin devlin\mefogames.exe

Digital Signature
Signed by:
Conduit Ltd.

Authority:
VeriSign, Inc.

Valid from:
2/17/2010 12:00:00 AM

Valid to:
3/29/2013 11:59:59 PM

Subject:
CN=Conduit Ltd., OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Conduit Ltd., S=Israel, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2009-2 CA, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
3736DA15AF647632CCE61CD41B6577DD

File PE Metadata
Compilation timestamp:
12/5/2009 10:50:52 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
98304:a2F/OZhhBAPfk+6xYQokOewpwm/w8xBbe:a2ShhBIUFOewXwaY

Entry address:
0x30FA

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 18, EC, 42, 00, E8, F1, 2B, 00, 00, A3, 64, EB, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 98, 8F, 42, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 60, E3, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 40, 43, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
7.9986

Packer / compiler:
Nullsoft install system v2.x

Code size:
23.5 KB (24,064 bytes)

The file mefogames.exe has been seen being distributed by the following URL.

http://download.gamesrgb.com/.../MefoGames.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ude.conduit-data.com  (195.78.120.173:80)

TCP (HTTP):
Connects to offering.service.distributionengine.conduit-services.com  (199.101.114.147:80)

 
http://offering.service.distributionengine.conduit-services.com/DecisionEngine.ashx

TCP (HTTP):
Connects to cms.distributionengine.conduit-services.com  (54.243.251.51:80)

Remove mefogames.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.