kmplayer_3.8.0.123.exe.exe

The KMPlayer

PandoraTV

The application kmplayer_3.8.0.123.exe.exe, “The KMPlayer Setup/Install” by PandoraTV, has been detected as a potentially unwanted program by 4 anti-malware scanners. The program is a setup application built with the NSIS (Nullsoft Scriptable Install System) installer. The installer uses the OpenCandy monetization platform, which downloads and installs offers for potentially unwanted software, including ad/search-supported toolbars, during setup. The file has been seen being downloaded from api2.tenlua.vn and multiple other hosts.
Publisher:
PandoraTV  (signed and verified)

Product:
The KMPlayer

Description:
The KMPlayer Setup/Install

Version:
3.8.0.123

MD5:
3592cce76732ee8dad26eb766d79b820

SHA-1:
269ea2c71299328a51d98798ce62d99dfb1133b0

SHA-256:
c775d8c8d9c1ef5210b4b2f4cb7e4df2d92d95fee57ec855c7b0df51afcdde9b

Scanner detections:
4 / 68

Status:
Potentially unwanted

Explanation:
Packages the OpenCandy software bundler that offers to install additional software and may include web browser add-ons and toolbars which display advertising (based on publisher settings and geo context).

Analysis date:
4/26/2024 4:01:48 PM UTC

Scan engine               Detection                        Engine version
ESET NOD32                                                 8.9720
Reason Heuristics         PUP.OpenCandy.Installer (L)      16.11.29.19
Rising Antivirus          PE:PUF.OpenCandy!1.9DE5          23.00.65.14423
Trend Micro House Call    TROJ_GEN.F47V0423                7.2.115

File size:
31.3 MB (32,770,336 bytes)

Product version:
3.8

Copyright:
Copyright PandoraTV 2013.

Trademarks:
Freeware

Original file name:
KMPlayer_3.8.0.123.exe

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\kmplayer_3.8.0.123.exe.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
5/15/2012 2:00:00 AM

Valid to:
6/15/2014 1:59:59 AM

Subject:
CN=PandoraTV, O=PandoraTV, L=Gangnam-gu, S=Seoul, C=KR

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
2BF6AC6C0932526A56D17EB4F2C776C5

File PE Metadata
Compilation timestamp:
2/24/2012 8:19:59 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
786432:myvH9r8LyWGFiXvxzW8aGBzOV1bdhp9kTxh6Dnv1E8eNgjf+I77QzWeuKl:3B8GFQpzIL1bdhzYhidvefe7QzNuKl

Entry address:
0x39E3

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, D8, 91, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B8, 80, 40, 00, 55, FF, 15, C0, 82, 40, 00, 6A, 08, A3, B8, 2E, 47, 00, E8, 37, 2A, 00, 00, 55, 68, B4, 02, 00, 00, A3, D0, 2D, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 1C, 93, 40, 00, FF, 15, 84, 81, 40, 00, 68, 04, 93, 40, 00, 68, C0, AD, 46, 00, E8, 19, 27, 00, 00, FF, 15, B4, 80, 40, 00, 50, BF, A0, 30, 4C, 00, 57, E8, 07, 27, 00, 00...
 

Packer / compiler:
Nullsoft install system v2.x

Code size:
28 KB (28,672 bytes)

The file kmplayer_3.8.0.123.exe.exe has been seen being distributed by the following 17 URLs.

http://api2.tenlua.vn/filemanager/builddownload/.../?hash=0528ef77a30a6d464b77312470ac7d9f2761aa87f708ea49eb3596619f11561b622079f8e76d2fb11522f8f10d2e0c53443212dfbaf54e65765cc34ef480dc9fc599f587c94891f8fd22310bf9108261c7088124aa511c6a801a30ca1f7f3cffff30bc211f085c9f90ffed795a2cc17681498a1f541e257d0e3c3bc887f1f523f2c84229267dbfd0326bc2608fc628f0bf570882&url=0b3da36fa30172185e30306174fd75853636b390ad53eb4da0&down=0b3da36fa30172185e30306174fd75853636b390ad53fc55a0&jump_type=download&file=sinhvienit.net-kmplayer-3.8.0.123.exe

http://www.filehippo.com/download/file/.../

http://download005.fshare.vn/dl/.../SinhvienIT.Net-KMPlayer-3.8.0.123.exe

http://filehippo.com/download/file/.../

http://filehippo.com/download/file/.../

http://filehippo.com/download/file/.../

http://fs33.filehippo.com/2319/.../KMPlayer_3.8.0.123.exe.exe

http://113.171.224.170/.../3.8.0.123_20140423104200.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-54-72-120-9.eu-west-1.compute.amazonaws.com  (54.72.120.9:80)

TCP (HTTP):
Connects to ec2-54-200-224-121.us-west-2.compute.amazonaws.com  (54.200.224.121:80)

TCP (HTTP):
Connects to ec2-52-214-2-242.eu-west-1.compute.amazonaws.com  (52.214.2.242:80)

TCP (HTTP):
Connects to ec2-52-212-34-193.eu-west-1.compute.amazonaws.com  (52.212.34.193:80)

TCP (HTTP):
Connects to ec2-52-16-144-184.eu-west-1.compute.amazonaws.com  (52.16.144.184:80)

TCP (HTTP):
Connects to i0-h0-s79.p59-icn.cdngp.net  (14.0.68.14:80)

TCP (HTTP):
Connects to i0-h0-s2054.p9-jfk.cdngp.net  (174.35.73.140:80)

TCP (HTTP):
Connects to i0-h0-s2053.p9-jfk.cdngp.net  (174.35.73.139:80)

TCP (HTTP):
Connects to i0-h0-s2034.p9-jfk.cdngp.net  (174.35.73.103:80)

TCP (HTTP):
Connects to i0-h0-s2012.p9-jfk.cdngp.net  (174.35.73.81:80)

TCP (HTTP):
Connects to ec2-54-171-30-150.eu-west-1.compute.amazonaws.com  (54.171.30.150:80)

TCP (HTTP):
Connects to ec2-52-43-60-26.us-west-2.compute.amazonaws.com  (52.43.60.26:80)

TCP (HTTP):
Connects to ec2-52-43-219-197.us-west-2.compute.amazonaws.com  (52.43.219.197:80)

TCP (HTTP):
Connects to ec2-52-211-133-17.eu-west-1.compute.amazonaws.com  (52.211.133.17:80)

TCP (HTTP):
Connects to ec2-52-208-71-216.eu-west-1.compute.amazonaws.com  (52.208.71.216:80)

TCP (HTTP):
Connects to ec2-34-252-35-168.eu-west-1.compute.amazonaws.com  (34.252.35.168:80)
