
Adware.PCmega

By CagedTech in Adware

Threat Scorecard

Popularity Rank: 5,649
Threat Level: 20 % (Normal)
Infected Computers: 2,920
First Seen: January 8, 2013
Last Seen: April 2, 2026
OS(es) Affected: Windows

Analysis Report

General information

Family Name: Adware.PCmega
Signature status: Root Not Trusted

Known Samples

MD5: 44a6be6f6b5c177d1d6c829ea76f05c6
SHA1: 23db9c489a37d0f68e2a4904bb9c988fae632a59
SHA256: 3F9D7BD9C54D0D114795916747420449D002147E4050BD3BB1D05A15B522D650
File Size: 402.96 KB, 402960 bytes
MD5: 03eeb08124ed55f1779f9f4844f96af1
SHA1: 5994ac6e38aeed8088ca7a072754b55625408322
SHA256: BC3578F4AA65DF93CC5B108D09DECE2AD4E1D142179F87D06136C49C246883AD
File Size: 689.68 KB, 689680 bytes
MD5: 32b8bbf964fade9034e8e2317d754a11
SHA1: d40da1215821af5c67162ffca985ae0b3976a8e9
SHA256: 79AB018B435C95BB90A184D354AFF7766292E102B48254166B95DBB476AE913D
File Size: 398.75 KB, 398752 bytes
MD5: 3a79ad0796301a0b4a72ce559261b992
SHA1: caf4bd16e4afe22f66292b412e95fb19d893e8ff
SHA256: BE97C938337D922B8B5D51884372C297B3234D602E37267C907B1916CDFB8178
File Size: 689.68 KB, 689680 bytes
MD5: a6110b92e034c8f7f7ae4ac5babeb927
SHA1: 5e48cdba74efeb41188a2ae6b0aa738ca0baff82
SHA256: F6EB75910A6288C266A7E44E58DC2E2CFF447EADEDE2D6B18569FDF45A1B0700
File Size: 77.82 KB, 77816 bytes
MD5: 5605ef0c28ddce49e2e5c6bb4ceb4592
SHA1: a700a1dea3b487a414993e57768fc212c5064bda
SHA256: 00A13CF467E4EBC43F9AFD77B180E545E03800E23D28C8E05E6CC5D8557DD69E
File Size: 1.15 MB, 1149480 bytes
MD5: 56804ceb6023a43d3bad59066117905b
SHA1: 4da3c11d0499bd94bf538c787fa240b0d8ad6dc8
SHA256: C45FA3F70ECF0628D1F5985F2C11FEDFC989BBC64DB857DEF82CA7EE602FD8E0
File Size: 2.08 MB, 2080368 bytes
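A hash and size check against the Known Samples table, as an added example that is not part of the original report. The seven (size, MD5, SHA-1, SHA-256) records are copied from the table above; the size pre-filter, the cross-check of MD5/SHA-1 against a SHA-256 hit, and all function names are choices made for this example, not behaviour the report describes.

```python
"""Hash and size check against the Adware.PCmega samples listed above.

Added example; not part of the original threat report. The IOC records
are copied from the Known Samples table (hex lower-cased); the size
pre-filter and digest cross-check are design choices made here.
"""
import hashlib
import os
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, Optional, Tuple


@dataclass(frozen=True)
class SampleIOC:
    size: int      # exact file length in bytes
    md5: str       # lower-case hex
    sha1: str
    sha256: str


PCMEGA_SAMPLES: Tuple[SampleIOC, ...] = (
    SampleIOC(402960, "44a6be6f6b5c177d1d6c829ea76f05c6",
              "23db9c489a37d0f68e2a4904bb9c988fae632a59",
              "3f9d7bd9c54d0d114795916747420449d002147e4050bd3bb1d05a15b522d650"),
    SampleIOC(689680, "03eeb08124ed55f1779f9f4844f96af1",
              "5994ac6e38aeed8088ca7a072754b55625408322",
              "bc3578f4aa65df93cc5b108d09dece2ad4e1d142179f87d06136c49c246883ad"),
    SampleIOC(398752, "32b8bbf964fade9034e8e2317d754a11",
              "d40da1215821af5c67162ffca985ae0b3976a8e9",
              "79ab018b435c95bb90a184d354aff7766292e102b48254166b95dbb476ae913d"),
    SampleIOC(689680, "3a79ad0796301a0b4a72ce559261b992",
              "caf4bd16e4afe22f66292b412e95fb19d893e8ff",
              "be97c938337d922b8b5d51884372c297b3234d602e37267c907b1916cdfb8178"),
    SampleIOC(77816, "a6110b92e034c8f7f7ae4ac5babeb927",
              "5e48cdba74efeb41188a2ae6b0aa738ca0baff82",
              "f6eb75910a6288c266a7e44e58dc2e2cff447eadede2d6b18569fdf45a1b0700"),
    SampleIOC(1149480, "5605ef0c28ddce49e2e5c6bb4ceb4592",
              "a700a1dea3b487a414993e57768fc212c5064bda",
              "00a13cf467e4ebc43f9afd77b180e545e03800e23d28c8e05e6cc5d8557dd69e"),
    SampleIOC(2080368, "56804ceb6023a43d3bad59066117905b",
              "4da3c11d0499bd94bf538c787fa240b0d8ad6dc8",
              "c45fa3f70ecf0628d1f5985f2c11fedfc989bbc64db857def82ca7ee602fd8e0"),
)


def digests(data: bytes) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 of a byte string as lower-case hex."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def match_sample(data: bytes, iocs: Iterable[SampleIOC] = PCMEGA_SAMPLES) -> Optional[SampleIOC]:
    """Return the record whose SHA-256 equals that of `data`, else None.

    Length is compared first, so digests are only computed for inputs
    whose size is one of the known sample sizes. Two samples share the
    size 689680, so a size match on its own is never a verdict.
    """
    candidates = [i for i in iocs if i.size == len(data)]
    if not candidates:
        return None
    d = digests(data)
    for ioc in candidates:
        if d["sha256"] == ioc.sha256:
            # All three digests come from the same file, so a mismatch
            # here means the IOC record itself was transcribed wrongly.
            if d["md5"] != ioc.md5 or d["sha1"] != ioc.sha1:
                raise ValueError("inconsistent IOC record for sha256 " + ioc.sha256)
            return ioc
    return None


def weak_match(data: bytes, iocs: Iterable[SampleIOC] = PCMEGA_SAMPLES) -> Optional[SampleIOC]:
    """Match on MD5 or SHA-1 alone (feeds that omit SHA-256). Both are
    collision-prone: treat a hit as a lead to confirm, not identification."""
    d = digests(data)
    for ioc in iocs:
        if d["md5"] == ioc.md5 or d["sha1"] == ioc.sha1:
            return ioc
    return None


def scan_paths(paths: Iterable[str], iocs: Iterable[SampleIOC] = PCMEGA_SAMPLES) -> Iterator[Tuple[str, SampleIOC]]:
    """Yield (path, record) for on-disk files that match. stat() runs
    before open(), so large unrelated files are never read."""
    iocs = tuple(iocs)
    sizes = {i.size for i in iocs}
    for path in paths:
        try:
            if os.path.getsize(path) not in sizes:
                continue
            with open(path, "rb") as fh:
                hit = match_sample(fh.read(), iocs)
        except OSError:
            continue            # unreadable path: skip, do not abort the sweep
        if hit is not None:
            yield path, hit
```

Run `scan_paths` over a directory listing to sweep a host; the size set makes the pass cheap because only files of exactly 77816, 398752, 402960, 689680, 1149480 or 2080368 bytes are ever opened. Note that the SHA-256 comparison is the verdict; `weak_match` exists only for feeds that carry the older digests.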

Windows Portable Executable Attributes

The attributes below appear to be aggregated across the samples listed above, which is why mutually exclusive entries (packed and not packed, .NET and native) both occur; check a single file's own flags before relying on any one of them.

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has been packed
  • File has TLS information
  • File is .NET application
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Assembly Version 1.0.0.0
Company Name
  • PC MEGA RAPIDO LTDA
  • Yoondisk
File Description
  • ASSISTENTE DE DOWNLOAD (Portuguese: "Download Assistant")
  • 맥어드레스 정보수집 (Korean: "MAC address information collection"; the original shows the EUC-KR bytes rendered as Latin-1)
File Version
  • 3000.0.5.3002
  • 1.0.0.0
  • 1.0.0
Internal Name
  • ASSISTENTE DE DOWNLOAD (Portuguese: "Download Assistant")
  • downloadf.exe
Legal Copyright
  • Copyright © 2012
  • Yoondisk
  • © PC MEGA RAPIDO LTDA
Original Filename
  • app_install.exe
  • downloadf.exe
  • pcmegarapido_babylon.exe
Product Name
  • ASSISTENTE DE DOWNLOAD (Portuguese: "Download Assistant")
  • 맥어드레스 정보수집 (Korean: "MAC address information collection"; the original shows the EUC-KR bytes rendered as Latin-1)
Product Version
  • 1.0.0.0
  • 1.0.0

Digital Signatures

Signer Root Status
BR SOFTWARE LLC BR SOFTWARE LLC Self Signed
Open Source Developer, BRSOFTWARE Certum CA Root Not Trusted
Open Source Developer, Michał Trojnara Certum CA Root Not Trusted
YBR INTERNET LTDA ME Go Daddy Secure Certification Authority Self Signed
YOONDISK.INC Symantec Class 3 SHA256 Code Signing CA Self Signed

Michał Trojnara is the author of stunnel, so that signer most likely belongs to the stunnel.exe dropped under yoondisk_mac\bin (listed under Files Modified) rather than to the adware's own binaries. Every row is reported as either "Self Signed" or "Root Not Trusted", meaning no chain validated to a trusted root at analysis time; none of these signatures should be read as a trust signal.

File Traits

  • Installer Manifest
  • No Version Info
  • Nullsoft Installer
  • x86

Similar Families

  • BadJoke.XA
  • Delf.XB
  • Downloader.AA
  • FareIt.LA
  • Injector.DFF
  • Injector.DGB
  • Injector.FCG
  • Injector.FHE
  • Injector.KFAD
  • Injector.KI
  • Injector.KKF
  • Injector.KZP
  • Injector.XN
  • MSIL.Agent.GDGC
  • MSIL.ArchSMS.A
  • MSIL.Downloader.Tiny.BM
  • MSIL.Injector.AHA
  • MSIL.Injector.XC
  • MSIL.Spy.RG

Files Modified

File Attributes
\device\namedpipe Generic Read,Write Attributes
\device\namedpipe Generic Write,Read Attributes
c:\program files (x86)\yoondisk_mac\bin\libeay32.dll Generic Write,Read Attributes
c:\program files (x86)\yoondisk_mac\bin\msvcr90.dll Generic Write,Read Attributes
c:\program files (x86)\yoondisk_mac\bin\ssleay32.dll Generic Write,Read Attributes
c:\program files (x86)\yoondisk_mac\bin\stunnel.exe Generic Write,Read Attributes
c:\program files (x86)\yoondisk_mac\bin\zlib1.dll Generic Write,Read Attributes
c:\program files (x86)\yoondisk_mac\config\stunnel.conf Generic Write,Read Attributes
c:\program files (x86)\yoondisk_mac\config\stunnel.pem Generic Write,Read Attributes
c:\program files (x86)\yoondisk_mac\yoondisk_mac.exe Generic Write,Read Attributes
c:\program files (x86)\yoondisk_mac\yoondisk_mac.log Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsdcf5f.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\nstcf70.tmp\modern-wizard.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nstcf70.tmp\system.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nstcf70.tmp\userinfo.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nszb9ff.tmp\modern-header.bmp Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nszb9ff.tmp\nsexec.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\pcmega_2.1a.exe Generic Write,Read Attributes
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\223de96ee265046957a660ed7c9dd9e7_eff9b9ba98deaa773f261fa85a0b1771 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\a4b782275dc1682e4dc39e697a49b151 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\b065fb6e1704b95faa47ee92dc32c8eb_7d16140a3c20f3ac2fa3bd77e3bf6ace Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\content\e783f63a3cdef446247b6099bd4a515c Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\223de96ee265046957a660ed7c9dd9e7_eff9b9ba98deaa773f261fa85a0b1771 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\a4b782275dc1682e4dc39e697a49b151 Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\b065fb6e1704b95faa47ee92dc32c8eb_7d16140a3c20f3ac2fa3bd77e3bf6ace Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\locallow\microsoft\cryptneturlcache\metadata\e783f63a3cdef446247b6099bd4a515c Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\roaming\getrighttogo\.data Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\roaming\getrighttogo\.data0 Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\windows\appcompat\programs\amcache.hve Read Data,Read Control,Write Data
c:\windows\appcompat\programs\amcache.hve Write Attributes
c:\windows\assembly Synchronize,Write Attributes

Registry Modifications

Key::Value Data API Name
HKCU\software\headlight\getrighttogo\customizedapps::  RegNtPreCreateKey
HKCU\software\headlight\getrighttogo\sharedconfig::busypause  RegNtPreCreateKey
HKCU\software\headlight\getrighttogo\sharedconfig::filecache RegNtPreCreateKey
HKCU\software\headlight\getrighttogo\sharedconfig::filecachekb d RegNtPreCreateKey
HKCU\software\headlight\getrighttogo\sharedconfig::rollback RegNtPreCreateKey
HKCU\software\headlight\getrighttogo\sharedconfig::dotgetright RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet  RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKLM\software\microsoft\systemcertificates\authroot\certificates\47beabc922eae80e78783462a79f45c254fde68b::blob (binary certificate blob; the readable part of the data names "Go Daddy Root Certificate Authority - G2"; logged four times, twice with data and twice empty) RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe (binary data; logged twice) RegNtPreCreateKey

The two HKLM entries are operating-system side effects rather than adware configuration. The AuthRoot write is Windows installing a Go Daddy root into the machine store while building a certificate chain, most likely for the Go Daddy-issued YBR INTERNET LTDA ME signature, and it pairs with the CryptnetUrlCache files in the Files Modified table. The BAM (Background Activity Moderator) entry is execution telemetry recording that conhost.exe ran under that user SID. The HKCU entries under software\headlight\getrighttogo are the configuration actually written by the bundled downloader.

Windows API Usage

Category API
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
User Data Access
  • GetComputerName
  • GetUserObjectInformation
Other Suspicious
  • SetWindowsHookEx
Network Winsock2
  • WSAStartup
Encryption Used
  • BCryptOpenAlgorithmProvider
  • CryptAcquireContext
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ReadProcessMemory
Process Shell Execute
  • CreateProcess
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlertThreadByThreadId
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClearEvent
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForAlertByThreadId
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • UNKNOWN
Service Control
  • OpenSCManager
  • OpenService
Process Terminate
  • TerminateProcess
Keyboard Access
  • GetKeyState

Shell Command Execution

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1612
C:\Program Files (x86)\yoondisk_mac\yoondisk_mac.exe -k

dw20.exe is the .NET Framework error-reporting shim; its presence here means one of the .NET samples crashed during analysis, not that the adware invoked it deliberately. The launch of yoondisk_mac.exe from the dropped install directory is the meaningful entry; the report does not document what the -k switch does.
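The Files Modified, Registry Modifications and Shell Command Execution tables above together describe a host-level footprint. The detector below is an added example, not the report's code or any vendor's tooling: it turns those artifacts into rules over a minimal Sysmon-like event format that is constructed here, and it deliberately suppresses the entries in the tables that are generic Windows or NSIS behaviour. The assumption that the "2.1a" in pcmega_2.1a.exe is a version tag that may vary, the placeholder user name, and every event in SAMPLE_EVENTS are constructed for this example.

```python
"""Host-artifact rules for the Adware.PCmega install footprint.

Added example, not from the original report. Rules are derived from the
Files Modified, Registry Modifications and Shell Command Execution
tables; the event format and SAMPLE_EVENTS are constructed here.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


# Paths as they appear in the report, lower-cased for comparison.
INSTALL_DIR = "c:\\program files (x86)\\yoondisk_mac\\"
GETRIGHT_KEY = "hkcu\\software\\headlight\\getrighttogo"
# Assumption: "2.1a" in pcmega_2.1a.exe is a version tag that may vary.
DROPPER_RE = re.compile(r"\\appdata\\local\\temp\\pcmega_[\w.]+\.exe$")
GETRIGHT_DATA_RE = re.compile(
    r"\\users\\[^\\]+\\appdata\\roaming\\getrighttogo\\\.data\d*$")
# Entries from the tables that are not worth alerting on by themselves:
# NSIS unpacks plugins into an nsXXXX.tmp folder for every installer,
# CryptnetUrlCache/AuthRoot writes are Windows building a certificate
# chain, Amcache and BAM are execution telemetry, and dw20.exe is the
# .NET error-reporting tool (a sample crashed in the sandbox).
NOISE_RE = re.compile(
    r"\\appdata\\local\\temp\\ns[0-9a-z]{4,6}\.tmp\\"
    r"|cryptneturlcache"
    r"|\\appcompat\\programs\\amcache\.hve$"
    r"|\\services\\bam\\state\\"
    r"|\\dw20\.exe$"
)


def check_file_event(path: str) -> List[Finding]:
    p = path.lower()
    if NOISE_RE.search(p):
        return []
    out: List[Finding] = []
    if p.startswith(INSTALL_DIR):
        rel = p[len(INSTALL_DIR):]
        # stunnel.exe with its config and PEM are the tunnelling pieces.
        if rel.startswith(("bin\\stunnel", "config\\stunnel")):
            out.append(Finding("yoondisk_bundle_stunnel", path))
        else:
            out.append(Finding("yoondisk_bundle_drop", path))
    if DROPPER_RE.search(p):
        out.append(Finding("pcmega_temp_dropper", path))
    if GETRIGHT_DATA_RE.search(p):
        out.append(Finding("getrighttogo_cache", path))
    return out


def check_registry_event(key: str) -> List[Finding]:
    k = key.lower()
    if NOISE_RE.search(k):
        return []
    if k.startswith(GETRIGHT_KEY):
        return [Finding("getrighttogo_config", key)]
    return []


def check_process_event(image: str, cmdline: str) -> List[Finding]:
    i = image.lower()
    if NOISE_RE.search(i):
        return []
    if i.endswith("\\yoondisk_mac\\yoondisk_mac.exe"):
        # The report shows the binary started with "-k"; the switch is
        # undocumented there, so it is recorded, not interpreted.
        rule = "yoondisk_mac_k_switch" if "-k" in cmdline.split()[1:] else "yoondisk_mac_exec"
        return [Finding(rule, cmdline)]
    return []


def evaluate(events: List[Dict[str, str]]) -> List[Finding]:
    """Apply every rule to events of type file, registry or process."""
    findings: List[Finding] = []
    for ev in events:
        if ev["type"] == "file":
            findings += check_file_event(ev["path"])
        elif ev["type"] == "registry":
            findings += check_registry_event(ev["key"])
        elif ev["type"] == "process":
            findings += check_process_event(ev["image"], ev["cmdline"])
    return findings


# Constructed events (not from the report) that exercise each rule and
# the noise filter; "alice" is a placeholder user name.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "file", "path": r"C:\Program Files (x86)\yoondisk_mac\bin\stunnel.exe"},
    {"type": "file", "path": r"C:\Program Files (x86)\yoondisk_mac\yoondisk_mac.exe"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Local\Temp\pcmega_2.1a.exe"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Local\Temp\nstcf70.tmp\system.dll"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\GetRightToGo\.data0"},
    {"type": "file", "path": r"C:\Users\alice\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\a4b782275dc1682e4dc39e697a49b151"},
    {"type": "registry", "key": r"HKCU\Software\Headlight\GetRightToGo\SharedConfig\filecache"},
    {"type": "process", "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe",
     "cmdline": "dw20.exe -x -s 1612"},
    {"type": "process", "image": r"C:\Program Files (x86)\yoondisk_mac\yoondisk_mac.exe",
     "cmdline": r'"C:\Program Files (x86)\yoondisk_mac\yoondisk_mac.exe" -k'},
]
```

On the sample events this yields six findings and silently drops the NSIS temp plugin, the CryptnetUrlCache file and the dw20.exe crash handler. The stunnel rule is kept separate from the generic bundle-drop rule because an OpenSSL-backed tunnel binary with its own PEM under Program Files is the part of this footprint worth escalating first.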
