» opencandy_20141013035950_025.exe
Overview
Analysis
File Details
Downloads (1)

opencandy_20141013035950_025.exe

Pandora TV Co., Ltd.

The application opencandy_20141013035950_025.exe by Pandora TV Co. has been detected as a potentially unwanted program by 5 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. The installer uses the OpenCandy monitzation platform which will donwload and install offers in the setup for potentially unwanted software including ad/search-supported toolbars. The file has been seen being downloaded from cdn.kmplayer.com.

File name:

Publisher:

Pandora TV Co., Ltd. (signed and verified)

MD5:

1a4f617a8c43eb22b5a51884450f06f6

SHA-1:

b607e1eca8ba058fb963b5df017e7d0dfcf2b99f

SHA-256:

13f4ed88e4dc3166c76851502d77db7bb710a6cb898bdea49119739cd2cdc34e

Scanner detections:

5 / 68

Status:

Potentially unwanted

Explanation:

Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:

4/25/2024 7:27:44 AM UTC (today)

Scan engine

Detection

Engine version

Baidu Antivirus

Adware.Win32.OpenCandy

4.0.3.141013

Dr.Web

Adware.Downware.5053

9.0.1.05190

ESET NOD32

Win32/OpenCandy.A potentially unsafe application

7.0.302.0

Fortinet FortiGate

Riskware/OpenCandy

10/13/2014

Malwarebytes

PUP.Optional.OpenCandy

v2014.10.13.07

File size:

459.1 KB (470,088 bytes)

File type:

Executable application (Win32 EXE)

Installer:

NSIS (Nullsoft Scriptable Install System)

Common path:

C:\users\{user}\appdata\local\microsoft\windows\inetcache\content.ie5\qo4s50m2\opencandy_20141013035950_025.exe

Digital Signature

Signed by:

Pandora TV Co., Ltd.

Authority:

Thawte, Inc.

Valid from:

5/11/2014 5:00:00 PM

Valid to:

5/11/2016 4:59:59 PM

Subject:

CN="Pandora TV Co., Ltd.", OU=IT Team, O="Pandora TV Co., Ltd.", L=Gangnam-gu, S=SEOUL, C=KR

Issuer:

CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:

2670E850C13552677FC3CFBA525E11B8

File PE Metadata

Compilation timestamp:

2/24/2012 11:19:59 AM

OS version:

5.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

10.0

CTPH (ssdeep):

12288:FEMyxXQXidn6xijngUgQRN587tWrp2JDTa30HIA5H:F8+idnPn9gQvKk6PEwr

Entry address:

0x39E3

Entry point:

81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 91, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, C0, 82, 40, 00, 6A, 08, A3, B8, 2E, 47, 00, E8, 37, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, D0, 2D, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 93, 40, 00, FF, 15, 84, 81, 40, 00, 68, 04, 93, 40, 00, 68, C0, AD, 46, 00, E8, 19, 27, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 30, 4C, 00, 57, E8, 07, 27, 00, 00... 
[+]

Entropy:

7.8246

Packer / compiler:

Nullsoft install system v2.x

Code size:

28 KB (28,672 bytes)

The file opencandy_20141013035950_025.exe has been seen being distributed by the following URL.

http://cdn.kmplayer.com/KMP/player/download/.../OpenCandy_20141013035950_025.exe

Remove opencandy_20141013035950_025.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.