home

dh143h.exe

Installation helper

OpenCandy

The application dh143h.exe by OpenCandy has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup and installation application and has been known to bundle potentially unwanted software. It uses the OpenCandy monitzation platform which will donwload and install offers in the setup for potentially unwanted software including ad/search-supported toolbars.
Publisher:
OpenCandy  (signed and verified)

Product:
Installation helper

Version:
4.0.0.143

MD5:
e1a800d39c3e03f85bbc1e720bd0b72a

SHA-1:
93893146fb6aea1c7df367bb6b98466506a7d50b

SHA-256:
037cdd3c3fe2572c1186314cfb0d54863f5cc9387cc40a5e7d8d187d8cacfe1c

Scanner detections:
1 / 68

Status:
Potentially unwanted

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
11/23/2024 8:18:33 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.OpenCandy (M)
15.7.3.9

File size:
195 KB (199,664 bytes)

Product version:
4.0.0.143

Copyright:
Copyright (c) 2008 - 2015

Original file name:
IHelper.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\rheng\3f5ba2b41050411180b42c0c84cf51df\dh143h.exe

Digital Signature
Signed by:
OpenCandy

Authority:
COMODO CA Limited

Valid from:
8/26/2014 2:00:00 AM

Valid to:
8/27/2015 1:59:59 AM

Subject:
CN=OpenCandy, O=OpenCandy, STREET="510 Market St #301", L=San Diego, S=CA, PostalCode=92101, C=US

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00D8969D7474F2E05D880A6058A425B9A3

File PE Metadata
Compilation timestamp:
7/2/2015 1:26:50 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
3072:EyI+R4OUowH1WJmLW+0jdeCF81xydhsTGkQJxkbrcuRsT/wfR0vh2Lzdcx+PrOrz:E9i6oww6W+yJm1xyV7grd+O0JF6OH

Entry address:
0x729A0

Entry point:
60, BE, 00, E0, 44, 00, 8D, BE, 00, 30, FB, FF, 57, EB, 0B, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89, C5, EB, 0B, 01, DB, 75, 07, 8B...
 
[+]

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 -v1.24

Code size:
148 KB (151,552 bytes)

Remove dh143h.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.