kmpaddedcode_searchprotect.exe

Pandora TV Co., Ltd.

The application kmpaddedcode_searchprotect.exe by Pandora TV Co. has been detected as a potentially unwanted program by 11 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer. This particular component is designed to hijack the browser in an attempt to prevent other software from modifying the browser's search and home pages. The file has been seen being downloaded from cdn.kmplayer.com.
Publisher:
Pandora TV Co., Ltd.  (signed and verified)

MD5:
8797c8a63be2e1d3237060895421de12

SHA-1:
2bc383a89aaab03ac64e96e33e53c13e91deca3a

SHA-256:
4ae5a16171e85f777dbcfdcc134f79984972000e01e550f60aae45190415a109

Scanner detections:
11 / 68

Status:
Potentially unwanted

Analysis date:
4/25/2024 9:20:58 AM UTC

Scan engine            Detection                              Engine version
Baidu Antivirus        Adware.Win32.Toolbar                   4.0.3.14115
Dr.Web                 Adware.Downware.5053                   9.0.1.0309
ESET NOD32             Win32/ClientConnect (variant)          8.10670
Fortinet FortiGate     Riskware/Agent                         11/5/2014
K7 AntiVirus           Trojan                                 13.185.13888
Kaspersky              not-a-virus:WebToolbar.Win32.Agent     14.0.0.2994
Malwarebytes           PUP.Optional.SearchProtect.A           v2014.11.05.04
McAfee                 Artemis!8797C8A63BE2                   5600.6956
NANO AntiVirus         Riskware.Win32.Downware.diaugb         0.28.6.62995
Qihoo 360 Security     Win32/Virus.WebToolbar.659             1.0.0.1015
Sophos                 Generic PUA CL                         4.98

File size:
1.3 MB (1,383,792 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\kmpaddedcode_searchprotect.exe

Digital Signature
Authority:
Thawte, Inc.

Valid from:
5/11/2014 5:00:00 PM

Valid to:
5/11/2016 4:59:59 PM

Subject:
CN="Pandora TV Co., Ltd.", OU=IT Team, O="Pandora TV Co., Ltd.", L=Gangnam-gu, S=SEOUL, C=KR

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
2670E850C13552677FC3CFBA525E11B8

File PE Metadata
Compilation timestamp:
2/24/2012 12:19:59 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:oJgCqhoQKU5JOSwwWLPYQK/plXdrrU1kA4riqRVxy12h1BhfdYWRgUFoRlf7Mwe:eqhSUbOrQc1JqRV82h1BheW+CyRy

Entry address:
0x39E3

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 91, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, C0, 82, 40, 00, 6A, 08, A3, B8, 2E, 47, 00, E8, 37, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, D0, 2D, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 93, 40, 00, FF, 15, 84, 81, 40, 00, 68, 04, 93, 40, 00, 68, C0, AD, 46, 00, E8, 19, 27, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 30, 4C, 00, 57, E8, 07, 27, 00, 00...

Entropy:
7.9833

Packer / compiler:
Nullsoft install system v2.x

Code size:
28 KB (28,672 bytes)

The file kmpaddedcode_searchprotect.exe has been seen being distributed by the following URL.

Remove kmpaddedcode_searchprotect.exe - Powered by Reason Core Security