gom-media_player.exe

GOM Player

GRETECH

The application gom-media_player.exe, “GOM Player Setup File” by GRETECH, has been detected as a potentially unwanted program by 5 of 68 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer. The installer uses the OpenCandy monetization platform, which downloads and installs third-party offers during setup, including potentially unwanted software such as ad- and search-supported toolbars. Four of the five detection names listed below are adware, PUP or generic-packer heuristics rather than malware signatures; the ClamAV name (SWF.Exploit.Kit-434) does not correspond to the OpenCandy finding reported by the other engines. The file has been seen being downloaded from cdn.gommediaplayerhosting.com and multiple other hosts.
Publisher:
Gretech Corporation (signed by GRETECH)

Product:
GOM Player

Description:
GOM Player Setup File

Version:
2.2

MD5:
05680770c1d57e8fedff89c7322b4112

SHA-1:
d1ab43854bcb2c8da924c6d24c59c347d3b02ae5

SHA-256:
d7445d48501517c1706cc3cedd6f897a03e4e20ee80e7c4ab0baceb25a641990

Scanner detections:
5 / 68

Status:
Potentially unwanted

Explanation:
Packages the OpenCandy software bundler, which offers to install additional software during setup and may include web browser add-ons and toolbars that display advertising (which offers are shown depends on publisher settings and the user's geographic context).

Analysis date:
4/25/2024 10:45:30 PM UTC

Scan engine          Detection                                  Engine version
Baidu Antivirus      Adware.Win32.OpenCandy                     4.0.3.15813
Bkav FE              W32.HfsAdware                              1.3.0.7062
Clam AntiVirus       SWF.Exploit.Kit-434                        0.98/21511
Reason Heuristics    PUP.GRETECH.GretechC.Installer.Meta (L)    16.6.10.10
Trend Micro          PAK_Generic.005                            10.465.13

File size:
19.5 MB (20,450,448 bytes)

Product version:
2.2.69.5228

Copyright:
Copyright(C) Since 2003 Gretech Corporation.

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
English (United States)

Common path:
C:\users\{user}\downloads\gom-media_player.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
5/17/2015 5:00:00 PM

Valid to:
6/16/2017 4:59:59 PM

Subject:
CN=GRETECH, O=GRETECH, L=Gangnam-gu, S=Seoul, C=KR

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
11D67F2AF7440EBA275E7E62F6B634FF

File PE Metadata
Compilation timestamp:
12/5/2009 2:50:46 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
393216:Yj50vrsxSUGbiD09TctZ48GFKo9CgN5O8yB14iDCI+WELFz9k:eAs82D0Gw3gONMx34ix+Vz9k

Entry address:
0x323C

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 30, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 58, 3F, 42, 00, E8, 09, 2C, 00, 00, A3, A4, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 58, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, B8, 91, 40, 00, 68, A0, 36, 42, 00, E8, BC, 28, 00, 00, FF, 15, B0, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, AA, 28, 00, 00...
 

Entropy:
7.9998

Packer / compiler:
Nullsoft install system v2.x

Code size:
23 KB (23,552 bytes)
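The fields above (hashes, entropy, NSIS packer, entry-point bytes, linker version, compilation timestamp) can all be recomputed locally before trusting a downloaded installer. The script below is an added example written for this page, not Reason Core Security's own tooling: it hashes the file, measures Shannon entropy, looks for the NSIS first-header marker (0xDEADBEEF followed by "NullsoftInst"), parses the PE32 headers to read the entry point RVA, linker version and timestamp, and reads the bytes at the entry point so they can be compared with the "Entry point" field. The OpenCandy plugin DLL name it searches for (OCSetupHlp) is an assumption not stated on this page, and build_sample_pe() constructs a toy PE32 image for running offline; only the first 12 entry-point bytes are copied from the listing.

```python
"""Offline triage of a downloaded installer against the fields in this listing.

Added example for this page; it is not Reason Core Security's tooling. It
recomputes the hashes and entropy, looks for the NSIS first-header marker,
and pulls the entry point, linker version and timestamp out of the PE headers
so they can be compared with the listing. build_sample_pe() constructs a toy
PE32 image to run against; only ENTRY_PREFIX is copied from the listing.
"""
import hashlib
import math
import struct

# NSIS "firstheader" marker: 0xDEADBEEF little-endian followed by "NullsoftInst".
NSIS_MARKER = b"\xef\xbe\xad\xdeNullsoftInst"
# Assumed name of the OpenCandy NSIS plugin DLL (not stated on this page).
OPENCANDY_PLUGIN = b"OCSetupHlp"
# First 12 entry-point bytes from the listing:
# sub esp,180h / push ebx / push ebp / push esi / xor ebx,ebx / push edi
ENTRY_PREFIX = bytes.fromhex("81EC8001000053555633DB57")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; near 8.0 means a compressed or encrypted payload."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 as hex, matching the listing's fields."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def pe_info(data: bytes, nbytes: int = 16) -> dict:
    """Entry RVA, its file offset and first bytes, plus linker version and timestamp."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    timestamp = struct.unpack_from("<I", data, coff + 4)[0]  # "Compilation timestamp"
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic, linker_major, linker_minor = struct.unpack_from("<HBB", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (Win32) images handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    info = {"timestamp": timestamp, "linker": (linker_major, linker_minor), "rva": entry_rva}
    for i in range(nsections):  # map the RVA to a file offset via the section table
        s = opt + opt_size + 40 * i
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, s + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            off = rawptr + (entry_rva - vaddr)
            info.update(offset=off, bytes=data[off:off + nbytes])
            return info
    raise ValueError("entry point lies outside every section")


def triage(data: bytes) -> dict:
    """Everything a reviewer would compare against the listing, in one dict."""
    report = file_hashes(data)
    report["size"] = len(data)
    report["entropy"] = round(shannon_entropy(data), 4)
    report["nsis"] = NSIS_MARKER in data
    report["opencandy_plugin"] = OPENCANDY_PLUGIN in data  # assumed plugin name
    try:
        report.update(pe_info(data))
    except ValueError as err:
        report["pe_error"] = str(err)
    report["entry_matches_listing"] = report.get("bytes", b"").startswith(ENTRY_PREFIX)
    return report


def build_sample_pe() -> bytes:
    """Constructed PE32 image with one .text section; not the real installer."""
    entry_rva, text_rva, text_raw, text_size = 0x323C, 0x1000, 0x400, 0x3000
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew
    hdr += b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # COFF: i386, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<HBB", opt, 0, 0x10B, 6, 0)  # PE32 magic, linker 6.0
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, alignments
    hdr += opt
    hdr += b".text\0\0\0" + struct.pack("<IIIIIIHHI", text_size, text_rva, text_size,
                                         text_raw, 0, 0, 0, 0, 0x60000020)
    hdr += bytes(text_raw - len(hdr))  # pad headers out to the first raw section
    text = bytearray(text_size)
    text[0x100:0x100 + len(NSIS_MARKER)] = NSIS_MARKER  # constructed marker placement
    text[0x200:0x200 + len(OPENCANDY_PLUGIN)] = OPENCANDY_PLUGIN
    off = entry_rva - text_rva
    text[off:off + len(ENTRY_PREFIX)] = ENTRY_PREFIX
    return bytes(hdr + text)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in triage(blob).items():
        print(f"{key}: {value.hex() if isinstance(value, bytes) else value}")
```

Run it with the downloaded file as the only argument (or with no argument to use the constructed sample). A SHA-256 that differs from the one in the listing means a different file, whatever the name; an entropy close to 8.0 together with the NSIS marker is consistent with a compressed installer payload rather than with the file having been packed by something else.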

The file gom-media_player.exe has been seen being distributed from 8 URLs; three of them are listed below.

http://cdn.gommediaplayerhosting.com/c?x=62pLaxVi4xx8CEcgZDPkyNKOEgfXwsj4hsfbwysUufk=&c=yfG/JkE79uJ3HvnZpBaV8bbCt8GEHPjCaVH0L657y5vT4HhX8tGMErWSLF0gHD3gztCLYQkI13WQwDKgar6+JLvgLPMiFheRmiu5OFaS3exxlSeqesv2fmBWWDzQOiAYLHmDaRHSaY0nObG5nvHFJQ==&downloadAs=GOM-Media_Player.exe&fallback_url=http://download.cnet.com/.../3001-13632_4-10551786.html?hlndr=1

http://cdn.gommediaplayerhosting.com/c?x=JDznBEgeycs9BdhHwhgV80lLz+ruli0UMfT4xjkl4ng=&c=wleauyyFj7c+l992hnVfg9QuOo67dCzo2LxBVxttWYWDmurWE5OpvMfHYF/H/JEpQlbEN7qEouFWA1zDEE3e3Jyw/xjnjzc+d7Eb8qpBMCe2B8Ez5MIhyYS5XUl+CzERG44RBKSROFaDuZPu2QppoA==&downloadAs=GOM-Media_Player.exe&fallback_url=http://download.cnet.com/.../3001-13632_4-10551786.html?hlndr=1

http://cdn.gommediaplayerhosting.com/c?x=nCQ4Z3lwwseY7l6REs5ukd0OsW6HIfGbDVnr3cFV9hw=&c=jY+yT2jW6aFf2bM4ddzP2U0FLsGg70p9vID8th88wNgQ+/HF9gdyC+NRukvAvPro+hNB0YhwcNq+aaylO4Mb/4fN60lZXHA4cjMG0CjNSTC/oHDxWcvqUBuz0XS8nMsU7IvddjFFFETUnsB87SIG9w==&downloadAs=GOM-Media_Player.exe&fallback_url=http://download.cnet.com/.../3001-13632_4-10551786.html?hlndr=1

Remove gom-media_player.exe - Powered by Reason Core Security