du77a.exe

Installation helper

OpenCandy

The application du77a.exe by OpenCandy has been detected as a potentially unwanted program by 11 anti-malware scanners. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. It uses the OpenCandy monitzation platform which will donwload and install offers in the setup for potentially unwanted software including ad/search-supported toolbars.
Publisher:
OpenCandy  (signed and verified)

Product:
Installation helper

Version:
4.0.0.77

MD5:
cfacaa0717d2b332f8dcf1e77c28ae53

SHA-1:
b97b6cb9d303a383f9488f560838b8cfe03ab32b

SHA-256:
cc077707cf646c12c55e286d2f81e08e597f18b6782a6e704de0430d7003500c

Scanner detections:
11 / 68

Status:
Potentially unwanted

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
12/24/2024 12:26:56 PM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
PUP/Win32.OpenCandy
2015.03.10

Avira AntiVirus
APPL/OpenCandy.308184
7.11.193.210

avast!
Win32:Adware-gen [Adw]
2014.9-150311

AVG
OpenCandy
2016.0.3212

Baidu Antivirus
Adware.Win32.OpenCandy
4.0.3.15311

Dr.Web
Adware.OpenCandy.73
9.0.1.070

ESET NOD32
Win32/OpenCandy (variant)
9.10868

Fortinet FortiGate
Riskware/OpenCandy
3/11/2015

G Data
Win32.Application.OpenCandy
15.3.24

Qihoo 360 Security
HEUR/QVM11.1.Malware.Gen
1.0.0.1015

Reason Heuristics
PUP.OpenCandy
15.1.31.14

File size:
158.5 KB (162,288 bytes)

Product version:
4.0.0.77

Copyright:
Copyright (c) 2008 - 2014

Original file name:
IHelper.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\rheng\127cdd1b80684b72b7a0fcfbdb25038d\du77a.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
8/26/2014 2:00:00 AM

Valid to:
8/27/2015 1:59:59 AM

Subject:
CN=OpenCandy, O=OpenCandy, STREET="510 Market St #301", L=San Diego, S=CA, PostalCode=92101, C=US

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
132982A2FBDC37FCDC8D57346010BC5F

File PE Metadata
Compilation timestamp:
1/28/2015 6:45:58 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
3072:KmNoKpwcxfm4rrwTID2icrqRA4hbN/kgww8wbLpF3arvIr:K6r2cxfm1s2rrybNXwkHpOw

Entry address:
0x66A90

Entry point:
60, BE, 00, 30, 44, 00, 8D, BE, 00, E0, FB, FF, 57, EB, 0B, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89, C5, EB, 0B, 01, DB, 75, 07, 8B...
 
[+]

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 -v1.24

Code size:
144 KB (147,456 bytes)

Remove du77a.exe - Powered by Reason Core Security