home

dtlite501-0406.exe

DAEMON Tools Lite

RICH MEDIA SYSTEMS INC.

The application dtlite501-0406.exe by RICH MEDIA SYSTEMS INC has been detected as a potentially unwanted program by 18 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The installer uses the OpenCandy monitzation platform which will donwload and install offers in the setup for potentially unwanted software including ad/search-supported toolbars. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from daemon-tools.1800download.com and multiple other hosts.
Publisher:
RICH MEDIA SYSTEMS INC.  (signed and verified)

Product:
DAEMON Tools Lite

Version:
1.0.0.0

MD5:
56381a19cad083539fd0570d485b97a4

SHA-1:
7aeb48764cea709b2c42085adc2bd97d5b00fc33

SHA-256:
951554d2384d8aeb190f50618cd7308da1cf1d4eab2b029f8cd383f23753b5f8

Scanner detections:
18 / 68

Status:
Potentially unwanted

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
5/16/2025 10:31:57 PM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Riskware.Agent
7.1.1

AVG
OpenCandy
2016.0.3005

Baidu Antivirus
Adware.Win32.OpenCandy
4.0.3.15826

Clam AntiVirus
Win.Trojan.Agent-855157
0.98/21511

Dr.Web
Adware.Downware.10304
9.0.1.0238

ESET NOD32
Win32/OpenCandy.C potentially unsafe (variant)
9.11671

Fortinet FortiGate
Riskware/OpenCandy
8/26/2015

G Data
Win32.Adware.OpenCandy
15.8.25

IKARUS anti.virus
AdWare.Win32.OpenCandy
t3scan.1.8.9.0

K7 AntiVirus
Trojan
13.204.16006

Malwarebytes
PUP.Optional.OpenCandy
v2015.08.26.10

McAfee
Artemis!56381A19CAD0
5600.6661

NANO AntiVirus
Riskware.Win32.Downloader.dqybkl
0.30.24.1636

Panda Antivirus
PUP/OpenCandy
15.08.26.10

Reason Heuristics
PUP.RICHMEDIASYSTEMS.Installer (M)
15.8.26.22

Sophos
OpenCandy
4.98

Trend Micro House Call
Suspicious_GEN.F47V0413
7.2.238

VIPRE Antivirus
Sevas-S Installer
40480

File size:
416 KB (425,936 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\dtlite501-0406.exe

Digital Signature
Signed by:
RICH MEDIA SYSTEMS INC.

Authority:
Symantec Corporation

Valid from:
2/17/2015 2:00:00 AM

Valid to:
2/18/2016 1:59:59 AM

Subject:
CN=RICH MEDIA SYSTEMS INC., O=RICH MEDIA SYSTEMS INC., L=HENDERSON, S=Nevada, C=US

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
3F87144C25AF8BCF29F29C5A1FEEF4BA

File PE Metadata
Compilation timestamp:
5/20/2013 1:53:00 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
12288:HiuWYgYiYUUXcQK81dJXFnSBHmIzpZLWE+f+8TUpu:ZWYmYrddJ1SAI1JWEPch

Entry address:
0x331C

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, 30, 92, 40, 00, 89, 6C, 24, 14, FF, 15, 34, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, BC, 70, 40, 00, 55, FF, 15, AC, 72, 40, 00, 6A, 08, A3, 98, 92, 42, 00, E8, A8, 2E, 00, 00, A3, E4, 91, 42, 00, 55, 8D, 44, 24, 34, 68, B4, 02, 00, 00, 50, 55, 68, 90, 06, 42, 00, FF, 15, 7C, 71, 40, 00, 68, 7C, 93, 40, 00, 68, E0, 81, 42, 00, E8, 13, 2B, 00, 00, FF, 15, 34, 71, 40, 00, BB, 00, 40, 43, 00, 50, 53, E8, 01, 2B, 00, 00...
 
[+]

Entropy:
7.8451

Packer / compiler:
Nullsoft install system v2.x

Code size:
24 KB (24,576 bytes)

The file dtlite501-0406.exe has been seen being distributed by the following 4 URLs.

http://daemon-tools.1800download.com/get_azure_file/.../ZtukkrjyqsGMrwdoGJgTtbrHuajv8mRYNIGjVEeijGrw1xb5gxcGWRAaV9T2uVRqiqnD8gfTZpMuM1T8S5cA1g1RfVHKnDCAg3JY79WjwWWmLAOUI2syiPTQNergwLwoEcKX1XGg7PNzFZREjhrPlAC1mcof4w7J2HGL5uF3Fjrg1WsbiN4G8ZDJW3MuvRLBwjRZW54r3n1v7fKE2nS2mCd0Jt4T7Hyig9tPMiCdjbbdBT5ZpaCp 77y6WUU 0lWi3J5OECbzQFSnsZGnzQkvLHDGvW4Q1MvYfQ==

http://daemon-tools.1800download.com/get_azure_file/wUiS4WnYccXDyCf4UfO5CV530RJ0YyqsWxLzYtbB4bJjsDqgvywtlIdNP0ykYr32LSXjnAANcHGHWOOlEqczxqtrh8yZDR7HpnOtHk20snq3geeF6oWB1TZOoZQtg1FCUmjyQmtnn4Aj/.../9Wyc3zNiUMK7MxJQpJavvlXTl1fsTcJBkniKXtAC1mcof4w7J2HGL5uF3Fjrg1WsbiN4G8ZDJW3MuvXbBwjRZW54v3n1n6brh 1CalCd0et5OpSCDjspmb2SYjbaQaHNAvMjwpsui1HhlzhVW60ddWRmShX0 msZG9zQ4hPHvFsG0T3N3YfQ==

http://daemon-tools.1800download.com/get_azure_file/wUiS4WnYccXBwj sXP7oQkEsnl0kPTqiHBz7cteQv A8/yWn9np5iNENJ1XmarvuNDC2xF5KZDrQTvusW782y7NykILBXkjE i/5EUbzuH2h3r2EvNKbm2JLq4dk2hYCCCfuT3wphshq9Cr4UHHNEekBl5n8c2hYNPogJFsFMKXlDyMrasWNLBkonqLnAC1mcoP4w7tqUj3v8EjE3/.../QZpP5Z6xQn3rupORkishZr0AT4Y3KztnounkFxtrnBei3J5OESbzWU7hqNnuwAU3eSua7DVTnsvYfQ==

http://daemon-tools.1800download.com/get_azure_file/wUiS4WnYccXDyCf4UfO5CV530RJ0YyqsWxLzYtbB4bJjsDqgvywtlIdNP0ykYrn2LSz/.../rBQfh48Ow1QRmNHHOqmsW3cvYfQ==

Remove dtlite501-0406.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.