dh143a.exe

Installation helper

OpenCandy

The application dh143a.exe by OpenCandy has been detected as a potentially unwanted program by 6 anti-malware scanners. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. It uses the OpenCandy monitzation platform which will donwload and install offers in the setup for potentially unwanted software including ad/search-supported toolbars.
Publisher:
OpenCandy  (signed and verified)

Product:
Installation helper

Version:
4.0.0.143

MD5:
6a72d91d2d6b375f64bd19cf20beb71d

SHA-1:
cc87b391699bf70510825c5216051e495d9cb26a

SHA-256:
fe111f9d0a4722e8156ff17bae7dc0ddcdce55596c669be7babf75bf9b0a83a1

Scanner detections:
6 / 68

Status:
Potentially unwanted

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
12/24/2024 11:12:37 AM UTC  (today)

Scan engine
Detection
Engine version

AVG
OpenCandy
2016.0.3058

Dr.Web
Adware.OpenCandy.147
9.0.1.0185

Malwarebytes
PUP.Optional.OpenCandy
v2015.07.04.08

McAfee
Artemis!6A72D91D2D6B
5600.6714

Panda Antivirus
PUP/OpenCandy
15.07.04.08

Reason Heuristics
PUP.OpenCandy (M)
15.7.4.16

File size:
195 KB (199,664 bytes)

Product version:
4.0.0.143

Copyright:
Copyright (c) 2008 - 2015

Original file name:
IHelper.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\rpeng\987eded3f4fc4c9a8a49960439131bdb\dh143a.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
8/26/2014 2:00:00 AM

Valid to:
8/27/2015 1:59:59 AM

Subject:
CN=OpenCandy, O=OpenCandy, STREET="510 Market St #301", L=San Diego, S=CA, PostalCode=92101, C=US

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
132982A2FBDC37FCDC8D57346010BC5F

File PE Metadata
Compilation timestamp:
7/2/2015 1:19:44 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
3072:UyI+R4OOT+rweBaeK+JtasX5k51GdYFTpILLDLYk9JZY7Qroq5F04OrZ/:U9iQT+rRaeKYKG5fYk9Xro6OR

Entry address:
0x729A0

Entry point:
60, BE, 00, E0, 44, 00, 8D, BE, 00, 30, FB, FF, 57, EB, 0B, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89, C5, EB, 0B, 01, DB, 75, 07, 8B...
 
[+]

Entropy:
7.5797

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 -v1.24

Code size:
148 KB (151,552 bytes)

Remove dh143a.exe - Powered by Reason Core Security