home

dh117a.exe

Installation helper

OpenCandy

The application dh117a.exe by OpenCandy has been detected as a potentially unwanted program by 4 anti-malware scanners. This is a setup and installation application and has been known to bundle potentially unwanted software. It uses the OpenCandy monitzation platform which will donwload and install offers in the setup for potentially unwanted software including ad/search-supported toolbars.
Publisher:
OpenCandy  (signed and verified)

Product:
Installation helper

Version:
4.0.0.117

MD5:
f61adbe87b6f48b63c0f6c8dfdff2ebc

SHA-1:
52a279c586dca0a7d507cfe4810ca23f5c3d30d2

SHA-256:
3373036c74ec33cede8ea50175c2532f86dc233476ebfc235aeec145d5d643ef

Scanner detections:
4 / 68

Status:
Potentially unwanted

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
11/23/2024 8:18:12 AM UTC  (today)

Scan engine
Detection
Engine version

AVG
OpenCandy
2016.0.3134

herdProtect (fuzzy)
variant of dh120m.exe (PUP)
2015.7.21.6

Panda Antivirus
PUP/OpenCandy
15.04.19.08

Reason Heuristics
PUP.OpenCandy
15.4.19.15

File size:
194 KB (198,640 bytes)

Product version:
4.0.0.117

Copyright:
Copyright (c) 2008 - 2015

Original file name:
IHelper.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\rheng\35c3a5fcd744453787847c31df809841\dh117a.exe

Digital Signature
Signed by:
OpenCandy

Authority:
COMODO CA Limited

Valid from:
8/26/2014 2:00:00 AM

Valid to:
8/27/2015 1:59:59 AM

Subject:
CN=OpenCandy, O=OpenCandy, STREET="510 Market St #301", L=San Diego, S=CA, PostalCode=92101, C=US

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
132982A2FBDC37FCDC8D57346010BC5F

File PE Metadata
Compilation timestamp:
4/17/2015 12:42:20 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
3072:E1+cDh9lqCPy8E2BBO3AApSgUf3Ra4HSZnIml0/alCWLImk:E1+cDh9l1y/mpAp58RdSZIYlJLe

Entry address:
0x715D0

Entry point:
60, BE, 00, D0, 44, 00, 8D, BE, 00, 40, FB, FF, 57, EB, 0B, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89, C5, EB, 0B, 01, DB, 75, 07, 8B...
 
[+]

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 -v1.24

Code size:
148 KB (151,552 bytes)

Remove dh117a.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.