du109a.exe

Installation helper

OpenCandy

The application du109a.exe by OpenCandy has been detected as a potentially unwanted program by 4 anti-malware scanners. This is a setup and installation application and has been known to bundle potentially unwanted software. It uses the OpenCandy monitzation platform which will donwload and install offers in the setup for potentially unwanted software including ad/search-supported toolbars.
Publisher:
OpenCandy  (signed and verified)

Product:
Installation helper

Version:
4.0.0.109

MD5:
d1fed4a17784bdfe75b3b2101543f062

SHA-1:
e124d0f95d34e1c380182278001dc86951fb1841

SHA-256:
7a20d1920938cdd714f83979c3e4571786d37d3a54ee8fda2dfdcba32bfa7f98

Scanner detections:
4 / 68

Status:
Potentially unwanted

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
12/24/2024 12:27:52 PM UTC  (today)

Scan engine
Detection
Engine version

AVG
OpenCandy
2016.0.3136

ESET NOD32
Detection.Undefined
7.0.302.0

Reason Heuristics
PUP.OpenCandy
15.4.17.16

Sophos
Virus 'Mal/EncPk-AAK'
5.13

File size:
194 KB (198,640 bytes)

Product version:
4.0.0.109

Copyright:
Copyright (c) 2008 - 2015

Original file name:
IHelper.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\rheng\071299be6d0b47a396a977e280818de6\du109a.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
8/25/2014 8:00:00 PM

Valid to:
8/26/2015 7:59:59 PM

Subject:
CN=OpenCandy, O=OpenCandy, STREET="510 Market St #301", L=San Diego, S=CA, PostalCode=92101, C=US

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
132982A2FBDC37FCDC8D57346010BC5F

File PE Metadata
Compilation timestamp:
3/26/2015 3:29:33 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
3072:h80On2Hac56HTPDMGyhA+RFM8zvaZAg8utneIzRVJYY9qqHS6YsqxKCiLFP/:h80Oq56zPHHiFMpj1nzzRXBq819JLN

Entry address:
0x715E0

Entry point:
60, BE, 00, D0, 44, 00, 8D, BE, 00, 40, FB, FF, 57, EB, 0B, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89, C5, EB, 0B, 01, DB, 75, 07, 8B...
 
[+]

Entropy:
7.6021

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 -v1.24

Code size:
148 KB (151,552 bytes)

Remove du109a.exe - Powered by Reason Core Security