» latestdlmgr.exe
Overview
Analysis
File Details
Network (4)

latestdlmgr.exe

OpenCandy recommendation downloader

OpenCandy Inc.

The application latestdlmgr.exe, “OpenCandy recommendation downloader p46” by OpenCandy has been detected as a potentially unwanted program by 40 anti-malware scanners. It uses the OpenCandy monitzation platform which will donwload and install offers in the setup for potentially unwanted software including ad/search-supported toolbars. While running, it connects to the Internet address WIN-QTQ30GSEEHT on port 80 using the HTTP protocol.

File name:

latestdlmgr.exe

Publisher:

OpenCandy (signed by OpenCandy Inc.)

Product:

OpenCandy recommendation downloader

Description:

OpenCandy recommendation downloader p46

Version:

3.2.5.271

MD5:

37b32285d4295cf4ef2ceab2928f0083

SHA-1:

2c4e78cdf9ca4a5b43ad91715da16069c684dc67

SHA-256:

6e139837e762ae2b8a703bb2091a4ea343827f714eb0fb40814e8788b90f84a7

Scanner detections:

40 / 68

Status:

Potentially unwanted

Explanation:

Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:

4/25/2024 10:35:45 PM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Win32.Sality.N

876

Agnitum Outpost

Win32.Sality.AA

7.1.1

AhnLab V3 Security

Win-Trojan/Malpacked5.Gen

2014.07.31

Avira AntiVirus

W32/Sality.S

7.11.30.172

avast!

Win32:Sality-AM

2014.9-140911

AVG

Win32/Sality

2015.0.3354

Baidu Antivirus

Virus.Win32.Sality.$s

4.0.3.14911

Bitdefender

Win32.Sality.N

1.0.20.1270

Bkav FE

W32.SalityF.PE

1.3.0.4959

Clam AntiVirus

W32.Sality

0.98/19168

Comodo Security

Packed.Win32.MUPX.Gen

19028

Dr.Web

Win32.Sector.28682

9.0.1.0254

Emsisoft Anti-Malware

Win32.Sality.N

8.14.09.11.01

ESET NOD32

Win32/OpenCandy (variant)

7.9243

Fortinet FortiGate

W32/Sality.AL

9/11/2014

F-Prot

W32/Sality.AI

v6.4.6.5.141

F-Secure

Win32.Sality.N

11.2014-11-09_5

G Data

Win32.Sality

14.9.24

IKARUS anti.virus

P2P-Worm.Win32.Bacteraloh

t3scan.1.6.1.0

K7 AntiVirus

Virus

13.181.12898

Kaspersky

Virus.Win32.Sality

14.0.0.3267

Malwarebytes

PUP.Optional.OpenCandy.A

v2013.12.19.01

McAfee

W32/Sality.ac

5600.7010

Microsoft Security Essentials

Threat.Undefined

1.179.1619.0

MicroWorld eScan

Win32.Sality.N

15.0.0.762

NANO AntiVirus

Virus.Win32.Sality.eqco

0.28.2.61148

nProtect

Win32.Sality.N

14.07.30.01

Panda Antivirus

W32/Sality.Y

14.09.11.01

Qihoo 360 Security

Virus.Win32.Sality.F

1.0.0.1015

Quick Heal

W32.Sality.K

9.14.14.00

Reason Heuristics

PUP.OpenCandy.L

14.8.7.20

Rising Antivirus

PE:Win32.Sality.m!471630

23.00.65.14909

Sophos

W32/Sality-AD

4.98

Total Defense

Win32/Sality.S

37.0.11089

Trend Micro House Call

TROJ_GEN.F47V1011

7.2.353

Trend Micro

PE_SALITY.AL

10.465.11

Vba32 AntiVirus

Virus.Sality.309

3.12.26.3

VIPRE Antivirus

Threat.204212

31208

ViRobot

Win32.Sality.F

2011.4.7.4223

XVirus List

Win32.Detected

2.8.7

File size:

296.3 KB (303,400 bytes)

Product version:

3.2.5.271

Original file name:

OpenCandyU1Dlm.exe

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\users\{user}\appdata\roaming\opencandy\b30339a1bce54dc59d7968f96431eef3\latestdlmgr.exe

Digital Signature

Signed by:

OpenCandy Inc.

Authority:

VeriSign, Inc.

Valid from:

1/25/2011 7:00:00 AM

Valid to:

3/15/2014 6:59:59 AM

Subject:

CN=OpenCandy Inc., OU=Digital ID Class 3 - Microsoft Software Validation v2, O=OpenCandy Inc., L=San Diego, S=California, C=US

Issuer:

CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:

6FFC263A351134194CF16E1E6D0E0806

File PE Metadata

Compilation timestamp:

10/3/2013 1:15:06 AM

OS version:

5.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

9.0

CTPH (ssdeep):

6144:71agzPqFBvBqxeXakbZ++T7tIamVUSSLTErtwWDqn/Z7e2oSjhb:cgOFBsQKM2a78t3WZFoS1

Entry address:

0xB70D0

Entry point:

60, BE, 00, B0, 47, 00, 8D, BE, 00, 60, F8, FF, 57, 89, E5, 8D, 9C, 24, 80, C1, FF, FF, 31, C0, 50, 39, DC, 75, FB, 46, 46, 53, 68, E7, 5D, 0B, 00, 57, 83, C3, 04, 53, 68, CE, C0, 03, 00, 56, 83, C3, 04, 53, 50, C7, 03, 03, 00, 00, 00, 90, 90, 90, 90, 90, 55, 57, 56, 53, 83, EC, 7C, 8B, 94, 24, 90, 00, 00, 00, C7, 44, 24, 74, 00, 00, 00, 00, C6, 44, 24, 73, 00, 8B, AC, 24, 9C, 00, 00, 00, 8D, 42, 04, 89, 44, 24, 78, B8, 01, 00, 00, 00, 0F, B6, 4A, 02, 89, C3, D3, E3, 89, D9, 49, 89, 4C, 24, 6C, 0F, B6, 4A... 
[+]

Entropy:

7.8372 (probably packed)

Code size:

244 KB (249,856 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to WIN-QTQ30GSEEHT (113.171.224.167:80)

TCP (HTTP):

Connects to cdn-87-248-221-253.par.llnw.net (87.248.221.253:80)

TCP (HTTP):

Connects to cdn-87-248-217-253.frf.llnw.net (87.248.217.253:80)

TCP (HTTP):

Connects to cdn-208-111-160-6.iad.llnw.net (208.111.160.6:80)

Remove latestdlmgr.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.