home

3.8.0.120_20140220053058.exe

The KMPlayer

PandoraTV

The application 3.8.0.120_20140220053058.exe, “The KMPlayer Setup/Install” by PandoraTV has been detected as a potentially unwanted program by 3 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. This file is typically installed with the program The KMPlayer (remove only) by Pandora.TV. The installer uses the OpenCandy monitzation platform which will donwload and install offers in the setup for potentially unwanted software including ad/search-supported toolbars.
Publisher:
PandoraTV  (signed and verified)

Product:
The KMPlayer

Description:
The KMPlayer Setup/Install

Version:
3.8.0.120

MD5:
5b627943579ee85c1644cef403464010

SHA-1:
b2b3d40528fa9cc8045cfd247507697fe5c4abda

SHA-256:
04fd5e331983ee1ab99876952b5c3b5243447236f2aed0c30a916dc01622f06e

Scanner detections:
3 / 68

Status:
Potentially unwanted

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
4/19/2024 7:23:07 AM UTC  (today)

Scan engine
Detection
Engine version

Dr.Web
Adware.OpenCandy.4
9.0.1.0116

ESET NOD32
Win32/OpenCandy
8.9672

Rising Antivirus
PE:PUF.OpenCandy!1.9DE5
23.00.65.14424

File size:
30.8 MB (32,271,136 bytes)

Product version:
3.8

Copyright:
Copyright PandoraTV 2013.

Trademarks:
Freeware

Original file name:
KMPlayer_3.8.0.120.exe

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\downloads\3.8.0.120_20140220053058.exe

Digital Signature
Signed by:
PandoraTV

Authority:
Thawte, Inc.

Valid from:
5/15/2012 2:00:00 AM

Valid to:
6/15/2014 1:59:59 AM

Subject:
CN=PandoraTV, O=PandoraTV, L=Gangnam-gu, S=Seoul, C=KR

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
2BF6AC6C0932526A56D17EB4F2C776C5

File PE Metadata
Compilation timestamp:
2/24/2012 8:19:59 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
786432:K3+bWKwSqbBCMFOhR9wCTxB6G1txvwBhNxLVXCYLHzCx:KObWKwrPOhD1cG1+xLppLTE

Entry address:
0x39E3

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 91, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, C0, 82, 40, 00, 6A, 08, A3, B8, 2E, 47, 00, E8, 37, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, D0, 2D, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 93, 40, 00, FF, 15, 84, 81, 40, 00, 68, 04, 93, 40, 00, 68, C0, AD, 46, 00, E8, 19, 27, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 30, 4C, 00, 57, E8, 07, 27, 00, 00...
 
[+]

Packer / compiler:
Nullsoft install system v2.x

Code size:
28 KB (28,672 bytes)

The file 3.8.0.120_20140220053058.exe has been discovered within the following program.

The KMPlayer (remove only)  by Pandora.TV
Publisher's description - “KMPlayer is all in one media player, covering various formats such as VCD, DVD, AVI, MKV, Ogg Theora, OGM, 3GP, MPEG-1/2/4, WMV, RealMedia, QuickTime.”
www.kmplayer.com
55% remove it
 
Powered by Should I Remove It?

The file 3.8.0.120_20140220053058.exe has been seen being distributed by the following 8 URLs.

http://61.222.3.60/3799f07efe001b1327a42ac8c52dbe69/softking/soft/en/.../3.8.0.120_20140220053058.exe

http://61.222.3.60/1bb8c25123db9a4dbace07473e48faa7/softking/soft/en/.../3.8.0.120_20140220053058.exe

http://61.222.3.60/fc6a542fb26ba3aec696e1b9a5bb1546/softking/soft/en/.../3.8.0.120_20140220053058.exe

http://61.222.3.60/d4f6c31f70ff355e0f38bf566b9a26cd/softking/soft/en/.../3.8.0.120_20140220053058.exe

http://download.besplatnyeprogrammy.ru/KMPlayer_Rus_Setup.exe

http://61.222.3.60/ff3b972274bba3103a0106104c48459d/softking/soft/en/.../3.8.0.120_20140220053058.exe

http://cdn.kmplayer.com/KMP/player/download/.../3.8.0.120_20140220053058.exe

http://update.kmpmedia.net/player/.../34

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to i0-h0-s2011.p1-sea.cdngp.net  (174.35.52.184:80)

TCP (HTTP):
Connects to ec2-52-16-144-184.eu-west-1.compute.amazonaws.com  (52.16.144.184:80)

Remove 3.8.0.120_20140220053058.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.