50eyum1j.gvw.exe

doubleTwist Corporation

The application 50eyum1j.gvw.exe by doubleTwist has been detected as a potentially unwanted program by 16 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The installer uses the OpenCandy monitzation platform which will donwload and install offers in the setup for potentially unwanted software including ad/search-supported toolbars. It is also typically executed from the user's temporary directory.
Publisher:
doubleTwist Corporation  (signed and verified)

MD5:
d387c559c9d54180bf63d6e124153611

SHA-1:
854aeee110067ecf5757387f5a08f82ec8c88fe6

SHA-256:
b6af7180ddd963e3dffb9f5867e33001ad1f6122843c40973bae2914cf7aa49b

Scanner detections:
16 / 68

Status:
Potentially unwanted

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
12/26/2024 1:05:44 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
PUA.OpenCandy
7.1.1

AVG
OpenCandy
2016.0.3032

Baidu Antivirus
Hacktool.Win32.OpenCandy
4.0.3.15730

Dr.Web
Adware.OpenCandy.128
9.0.1.0211

ESET NOD32
Win32/OpenCandy potentially unsafe
9.11743

Fortinet FortiGate
Adware/OpenCandy
7/30/2015

G Data
Win32.Adware.OpenCandy
15.7.25

K7 AntiVirus
Trojan
13.204.16151

Malwarebytes
PUP.Optional.OpenCandy
v2015.07.30.10

NANO AntiVirus
Riskware.Win32.OpenCandy.czxtqp
0.30.24.1636

Quick Heal
AdWare.OpenCandy.r5 (Not a Virus)
7.15.14.00

Reason Heuristics
PUP.doubleTwistCorporation.Installer (M)
15.7.30.22

Rising Antivirus
PE:PUF.OpenCandy!1.9DE5
23.00.65.15728

Vba32 AntiVirus
AdWare.OpenCandy
3.12.26.4

VIPRE Antivirus
Opencandy
40874

Zillya! Antivirus
Adware.OpenCandy.Win32.1
2.0.0.2208

File size:
1.2 MB (1,306,232 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\50eyum1j.gvw.exe

Digital Signature
Authority:
Thawte, Inc.

Valid from:
4/26/2012 7:00:00 PM

Valid to:
4/27/2013 6:59:59 PM

Subject:
CN=doubleTwist Corporation, O=doubleTwist Corporation, L=San Francisco, S=California, C=US

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
76841B75BB05730DAF509BC51CB852FC

File PE Metadata
Compilation timestamp:
7/6/2011 9:31:20 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
24576:SmJk0O671jIdBgVBY19b20w4dYcXt0LMao7Rv33RZhTn0sE9OHYXNpt/ojPT:SEfUTgy20zdYcXWZMBRZhoKHUIPT

Entry address:
0x354B

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 84, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, B0, 82, 40, 00, 6A, 08, A3, 98, 06, 47, 00, E8, 67, 27, 00, 00, 55, 68, B4, 02, 00, 00, A3, B0, 05, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 86, 40, 00, FF, 15, 80, 81, 40, 00, 68, 04, 86, 40, 00, 68, A0, 85, 46, 00, E8, 35, 26, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 10, 4C, 00, 57, E8, 23, 26, 00, 00...
 
[+]

Entropy:
7.3374

Packer / compiler:
Nullsoft install system v2.x

Code size:
25 KB (25,600 bytes)

Remove 50eyum1j.gvw.exe - Powered by Reason Core Security