home

windows_media_player.exe

Meresa

C.M.A.A.G Proactive And Investments Ltd

The application windows_media_player.exe, “Meresa Setup ” by C.M.A.A.G Proactive And Investments has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the Inno Setup installer. The setup program uses the InstallCore engine which may bundle additional software offers including toolbars and browser extensions. The file has been seen being downloaded from www.towersstockfiles.com.
Publisher:
Femadih   (signed by C.M.A.A.G Proactive And Investments Ltd)

Product:
Meresa

Description:
Meresa Setup

Version:
3.1.1.0

MD5:
d04e5bad90c19d5d3fa6e586d78eba5e

SHA-1:
ee4663325363952660255e1f355ca73f344a76f8

SHA-256:
5795a52744afc0c61ff535a679bb2c1d698d8ecc590d9e75c8a788ac0727ce16

Scanner detections:
1 / 68

Status:
Potentially unwanted

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Analysis date:
5/16/2024 4:20:52 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.InstallCore (M)
17.3.16.13

File size:
973.6 KB (996,952 bytes)

Product version:
5.2

File type:
Executable application (Win32 EXE)

Installer:
Inno Setup

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\windows_media_player.exe

Digital Signature
Signed by:
C.M.A.A.G Proactive And Investments Ltd

Authority:
COMODO CA Limited

Valid from:
11/11/2015 5:30:00 AM

Valid to:
11/11/2016 5:29:59 AM

Subject:
CN=C.M.A.A.G Proactive And Investments Ltd, O=C.M.A.A.G Proactive And Investments Ltd, STREET=3 Mikonis Shmuel, L=TEL AVIV-JAFFA, S=Israel, PostalCode=6777212, C=IL

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
42BF94673750AF4A912BA52F4F25C320

File PE Metadata
Compilation timestamp:
6/20/1992 3:52:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

Entry address:
0xAA98

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 2E, 86, FF, FF, E8, 35, 98, FF, FF, E8, 9C, 9B, FF, FF, E8, B7, 9F, FF, FF, E8, 56, BF, FF, FF, E8, ED, E8, FF, FF, E8, 54, EA, FF, FF, 33, C0, 55, 68, 69, B1, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 32, B1, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, D0, 40, 00, E8, 26, F5, FF, FF, E8, 11, F1, FF, FF, 80, 3D, 34, C2, 40, 00, 00, 74, 0C, E8, 23, F6, FF, FF, 33, C0, E8, 24, 93, FF, FF, 8D, 55, F0, 33, C0, E8, 66, C5, FF, FF, 8B, 55...
 
[+]

Entropy:
7.9018

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
40.5 KB (41,472 bytes)

The file windows_media_player.exe has been seen being distributed by the following URL.

http://www.towersstockfiles.com/cR9DEvpmFCc1pWaCYJ0B6rE5Q_AvyOtT1gykjc3TcpkVbH2hQzNYMriU1JH_j_4WC3fao3dFLxyMv1WTkzuyRdceduWTcQCvoY_fPKLLd5t8W TunFykpaemezApcFkXZ49_7l5nveuDUZGv0ahZJ6gcpVAnsj5Zs005eDBvkDAQzEE0rjI1NroY1tWxk E_ClyZMUTLsXmBj1Vtsc WjawPE6v5tphCwUqIEcPHY0IhHj0XE27qV_psQa4N3ofHyQLwNv7l7f0dwgeptZ4bE26SIT_4re9A29i4 q9YneQ3kyWvx3 I9mOew6u10Ys8bHqcoG0VAKxts MaC9Hf8PcqaNvwv_XBoblMpZfwONfrYz_DNy106_estOY06tuFYKNXStslS2kfo86Qf7Us1VLByy DbmMqMKzb0zZS zolcJHuOU4azG2yLNfAF5mDBJ8UqNKbdVjoJ4ciqkYk FCYHIE1hvLmNpoN20z8US2EWEaNe _Xc32Y IVTyeE9DwNY1Bfy-G4YAAES3 X2ddlyj6xwREh4aaOrkgP3tp6LwnnAeW6AbCw_1wocgVpHbmHcDuugnw0Y0BLCeyY9G5f5z9XfW6zwKyz2ECLcDXZxXW9y6oCd4

Remove windows_media_player.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.