home

dh140.exe

Install helper

OpenCandy Inc.

The application dh140.exe by OpenCandy has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup and installation application and has been known to bundle potentially unwanted software. It uses the OpenCandy monitzation platform which will donwload and install offers in the setup for potentially unwanted software including ad/search-supported toolbars.
Publisher:
OpenCandy  (signed by OpenCandy Inc.)

Product:
Install helper

Version:
4.0.1.140

MD5:
8172568813cf2edc5399158753d26bf4

SHA-1:
b0f39e09b4165819dd7eddad3a70eaa9239d8c13

SHA-256:
1db833fbcee6a2cf163a0ff06541e0a6c69e5d0ae012b74ec8ad8362b7fcaf37

Scanner detections:
1 / 68

Status:
Potentially unwanted

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
11/23/2024 4:44:29 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.OpenCandy (M)
16.10.23.3

File size:
193.6 KB (198,248 bytes)

Product version:
4.0.1.140

Copyright:
Copyright (c) 2008 - 2015

Original file name:
InstHlpr.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\opencandy\249b6819891c4c04bebe485e5a7b5f0e\dh140.exe

Digital Signature
Signed by:
OpenCandy Inc.

Authority:
COMODO CA Limited

Valid from:
10/23/2014 10:00:00 PM

Valid to:
10/24/2015 9:59:59 PM

Subject:
CN=OpenCandy Inc., O=OpenCandy Inc., STREET="510 Market St #301", L=San Diego, S=CA, PostalCode=92101, C=US

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
3D96F95B7280804943B22EAAD87771E6

File PE Metadata
Compilation timestamp:
9/27/2015 3:14:48 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
3072:pUQBVYrcVJdFSADxxeMEnY6m/POF+9fSER3CQG2CHOt0wPVYHfATM0m6:uBEJlxYnY6m/WF+9f3hG2COt0wPnMY

Entry address:
0x728B0

Entry point:
60, BE, 00, E0, 44, 00, 8D, BE, 00, 30, FB, FF, 57, EB, 0B, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89, C5, EB, 0B, 01, DB, 75, 07, 8B...
 
[+]

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 -v1.24

Code size:
148 KB (151,552 bytes)

Remove dh140.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.