home

dh292.exe

Installation helper

OpenCandy Inc.

The application dh292.exe by OpenCandy has been detected as a potentially unwanted program by 9 anti-malware scanners. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. It uses the OpenCandy monitzation platform which will donwload and install offers in the setup for potentially unwanted software including ad/search-supported toolbars.
Publisher:
OpenCandy  (signed by OpenCandy Inc.)

Product:
Installation helper

Version:
4.0.1.292

MD5:
89e4e2df0b827fdae50fe06e160053d6

SHA-1:
bda868f9fe5dd0269a4d39972903980b456e3a5c

SHA-256:
8f6f91a14f6651467d3ad69e2fa5c1d2152633c569bce39f5689f7027d4fd4ee

Scanner detections:
9 / 68

Status:
Potentially unwanted

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
11/23/2024 4:15:11 AM UTC  (today)

Scan engine
Detection
Engine version

AhnLab V3 Security
PUP/Win32.OpenCandy
2015.10.16

AVG
OpenCandy.D
2016.0.2954

Dr.Web
Adware.OpenCandy.184
9.0.1.0289

ESET NOD32
Win32/OpenCandy.E potentially unsafe (variant)
9.12414

Malwarebytes
PUP.Optional.OpenCandy
v2015.10.16.08

Reason Heuristics
PUP.OpenCandy (M)
15.10.16.20

Sophos
OpenCandy (PUA)
4.98

SUPERAntiSpyware
PUP.OpenCandy/Variant
9565

VIPRE Antivirus
OpenCandy (PUA) (not malicious)
44562

File size:
193.6 KB (198,248 bytes)

Product version:
4.0.1.292

Copyright:
Copyright (c) 2008 - 2015

Original file name:
IHelper.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\rpeng\a224ae63a43f44508ad7c93f56c6755d\dh292.exe

Digital Signature
Signed by:
OpenCandy Inc.

Authority:
COMODO CA Limited

Valid from:
10/24/2014 2:00:00 AM

Valid to:
10/25/2015 1:59:59 AM

Subject:
CN=OpenCandy Inc., O=OpenCandy Inc., STREET="510 Market St #301", L=San Diego, S=CA, PostalCode=92101, C=US

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
0B88C871F68A9102FD1B743704369247

File PE Metadata
Compilation timestamp:
10/15/2015 11:13:48 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
3072:DUQBVYd9gpsl8sx7PKskl0F18eNXkJVYutTsM5Rxb4WEyTcdayw62/D1:IBd9gMJCH2F1CBsmUWUX25

Entry address:
0x728B0

Entry point:
60, BE, 00, E0, 44, 00, 8D, BE, 00, 30, FB, FF, 57, EB, 0B, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89, C5, EB, 0B, 01, DB, 75, 07, 8B...
 
[+]

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 -v1.24

Code size:
148 KB (151,552 bytes)

Remove dh292.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.