cmi_mystartsearch.exe

2864_cmi_mystartsearch

Xiaoqing Liu

The application cmi_mystartsearch.exe by Xiaoqing Liu has been detected as adware by 9 anti-malware scanners. According to AVG, this software downloads additional adware offers during setup. It also typically runs from an Internet Explorer cache folder. The file has been observed being downloaded from d2drfrdurj6mvo.cloudfront.net.
Publisher:
TabMain  (signed by Xiaoqing Liu)

Product:
2864_cmi_mystartsearch

Description:
TabMain

Version:
6.3.76.1530

MD5:
998385208956f00a85ebb44cad50e2b5

SHA-1:
0850688f99c020808bccae8d435f7b1b87a6d14f

SHA-256:
2ec8d3f90ddbdaa6445e534107f2f707bc623dca2a98305b89102920ade65bd9

Scanner detections:
9 / 68

Status:
Adware

Analysis date:
11/23/2024 7:42:53 PM UTC

Scan engine          Detection                                         Engine version
avast!               Win32:Malware-gen                                 2014.9-150613
AVG                  Potentially harmful program Downloader            2016.0.3080
Baidu Antivirus      PUA.Win32.ELEX                                    4.0.3.15613
Dr.Web               Adware.Mutabaha.228                               9.0.1.0167
ESET NOD32           Win32/ELEX.CF potentially unwanted application    9.7.0.302.0
herdProtect (fuzzy)                                                    2015.6.13.0
K7 AntiVirus         Adware                                            13.202.15361
Malwarebytes         PUP.Optional.IStartSurf.A                         v2015.03.06.10
Reason Heuristics    PUP.Li Mo                                         15.3.6.10

File size:
548.4 KB (561,608 bytes)

Product version:
6.3.76.1530

Copyright:
Copyright (C) 2014

Original file name:
TMain.exe

File type:
Executable application (Win32 EXE)

Language:
English (United Kingdom)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\temporary internet files\content.ie5\{random}\cmi_mystartsearch.exe

Digital Signature
Signed by:

Authority:
DigiCert Inc

Valid from:
8/13/2014 1:00:00 AM

Valid to:
8/17/2015 1:00:00 PM

Subject:
CN=Xiaoqing Liu, O=Xiaoqing Liu, L=Zaozhuang, S=Shandong, C=CN

Issuer:
CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0EBAB4AC38B70A33EE517D238BDE49D7

File PE Metadata
Compilation timestamp:
3/4/2015 9:52:43 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:ywruOBP7y9zxCO8Ng8dX3CzG0fjMs/hO57UMfoRAa4kTp210t:K4gAHgDfjX/hWU+odNTp2yt

Entry address:
0x3117E

Entry point:
E8, 61, C7, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 20, 8B, 45, 08, 56, 57, 6A, 08, 59, BE, 50, 15, 46, 00, 8D, 7D, E0, F3, A5, 89, 45, F8, 8B, 45, 0C, 5F, 89, 45, FC, 5E, 85, C0, 74, 0C, F6, 00, 08, 74, 07, C7, 45, F4, 00, 40, 99, 01, 8D, 45, F4, 50, FF, 75, F0, FF, 75, E4, FF, 75, E0, FF, 15, 18, 11, 46, 00, C9, C2, 08, 00, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8B, 4C, 24, 04, F7, C1, 03, 00, 00, 00, 74, 24, 8A, 01, 83, C1, 01, 84, C0, 74, 4E, F7, C1, 03, 00, 00, 00, 75, EF, 05...

Entropy:
6.4817

Code size:
383 KB (392,192 bytes)

The file cmi_mystartsearch.exe has been seen being distributed by the following URL.
