home

dh222.exe

Installation helper

OpenCandy Inc.

The application dh222.exe by OpenCandy has been detected as a potentially unwanted program by 9 anti-malware scanners. This is a setup and installation application and has been known to bundle potentially unwanted software. It uses the OpenCandy monitzation platform which will donwload and install offers in the setup for potentially unwanted software including ad/search-supported toolbars.
Publisher:
OpenCandy  (signed by OpenCandy Inc.)

Product:
Installation helper

Version:
4.0.0.222

MD5:
9c7d726ed52f6e867c982bf4361569a0

SHA-1:
f74ada109f67d633af923f3f3d7454d07a5b0a4b

SHA-256:
fb638b06966c465974f00d5be5a3bed993c7caf0f3bbc91189a025f7b571d2cf

Scanner detections:
9 / 68

Status:
Potentially unwanted

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
11/23/2024 4:00:23 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Riskware.Agent
7.1.1

AhnLab V3 Security
PUP/Win32.OpenCandy
2015.08.11

AVG
Generic
2016.0.2964

Baidu Antivirus
Adware.Win32.OpenCandy
4.0.3.15106

Dr.Web
Adware.OpenCandy.170
9.0.1.0279

ESET NOD32
Win32/OpenCandy.E potentially unsafe (variant)
9.12074

Malwarebytes
PUP.Optional.OpenCandy
v2015.10.06.07

Reason Heuristics
PUP.OpenCandy (M)
15.10.6.19

VIPRE Antivirus
Opencandy
42782

File size:
195 KB (199,648 bytes)

Product version:
4.0.0.222

Copyright:
Copyright (c) 2008 - 2015

Original file name:
IHelper.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\rpeng\1ac1f6294cfd4b81ae928b63469f5ae9\dh222.exe

Digital Signature
Signed by:
OpenCandy Inc.

Authority:
COMODO CA Limited

Valid from:
10/13/2014 3:00:00 AM

Valid to:
10/14/2015 2:59:59 AM

Subject:
CN=OpenCandy Inc., O=OpenCandy Inc., STREET="510 Market St #301", L=San Diego, S=CA, PostalCode=92101, C=US

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00BB7B40B95093A55585D1C267C0D46EE3

File PE Metadata
Compilation timestamp:
8/8/2015 1:10:10 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
3072:O+yI+R4OqT+rweBaeK+JtasX5k51GdYFTpILLDLYk9JZY7Qroq5FkiO3Kb:X9iQT+rRaeKYKG5fYk9XrogOc

Entry address:
0x729A0

Entry point:
60, BE, 00, E0, 44, 00, 8D, BE, 00, 30, FB, FF, 57, EB, 0B, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89, C5, EB, 0B, 01, DB, 75, 07, 8B...
 
[+]

Entropy:
7.5797

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 -v1.24

Code size:
148 KB (151,552 bytes)

Remove dh222.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.