home

may7_3656_cor_do-search.exe

3656_cor_do-search

Li Mo

The application may7_3656_cor_do-search.exe by Li Mo has been detected as adware by 10 anti-malware scanners. This is a setup program which is used to install the application. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from mail.google.com.
Publisher:
Portmon/EE  (signed by Li Mo)

Product:
3656_cor_do-search

Description:
Portmon/EE

Version:
6.5.7605.1000

MD5:
3d39a2535fa73556c10f05976a711104

SHA-1:
d7a1d4d73991285fbf81a2c8c45795def72e66cb

SHA-256:
27f2b109274b3b9f6c31db7ddb6424ed8537a033e6a6ebde37220f462383de7f

Scanner detections:
10 / 68

Status:
Adware

Analysis date:
11/5/2024 10:14:48 PM UTC  (today)

Scan engine
Detection
Engine version

AVG
Generic
2016.0.3022

Baidu Antivirus
PUA.Win32.LiMo
4.0.3.15512

Bkav FE
W32.HfsAdware
1.3.0.6379

Dr.Web
Adware.Mutabaha.380, Trojan.Siggen6.37628
9.0.1.0167

ESET NOD32
Win32/LiMo.C potentially unwanted application
9.7.0.302.0

G Data
Win32.Application.Elex
15.5.25

herdProtect (fuzzy)
variant of may7_3659_corfr_sweet-page.exe (Adware)
2015.8.9.21

Malwarebytes
PUP.Optional.MyStartSearch.A
v2015.06.16.12

Panda Antivirus
PUP/YAC
15.05.12.10

Reason Heuristics
PUP.Liyan Liu.LiMo
15.5.12.22

File size:
296.4 KB (303,480 bytes)

Product version:
6.5.7605.1000

Copyright:
Portmon/EE

Original file name:
portmon.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\2312517_stp\may7_3656_cor_do-search.exe

Digital Signature
Signed by:
Li Mo

Authority:
DigiCert Inc

Valid from:
8/3/2014 9:00:00 PM

Valid to:
8/12/2015 9:00:00 AM

Subject:
CN=Li Mo, O=Li Mo, L=Guilin, S=Guangxi, C=CN

Issuer:
CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0BF14271D8A8ADE8A541CE8C8E1D75A1

File PE Metadata
Compilation timestamp:
5/7/2015 8:17:46 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
3072:WWeR0CBkEn4Ta/W+8D0PpIsx4hu4zA+AwSTZa7JJ5xrz6ljSoXU:NeR0i9B/WMya4hJExY+XU

Entry address:
0x1549D

Entry point:
E8, C4, A5, 00, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 56, 8B, 75, 08, 83, 3C, F5, 50, C5, 43, 00, 00, 75, 13, 56, E8, 71, 00, 00, 00, 59, 85, C0, 75, 08, 6A, 11, E8, B7, 2C, 00, 00, 59, FF, 34, F5, 50, C5, 43, 00, FF, 15, 10, C1, 42, 00, 5E, 5D, C3, 56, 57, BE, 50, C5, 43, 00, 8B, FE, 53, 8B, 1F, 85, DB, 74, 17, 83, 7F, 04, 01, 74, 11, 53, FF, 15, 18, C1, 42, 00, 53, E8, 90, AD, FF, FF, 83, 27, 00, 59, 83, C7, 08, 81, FF, 70, C6, 43, 00, 7C, D8, 5B, 83, 3E, 00, 74, 0E, 83, 7E, 04, 01, 75, 08, FF, 36, FF, 15...
 
[+]

Code size:
171 KB (175,104 bytes)

The file may7_3656_cor_do-search.exe has been seen being distributed by the following URL.

https://mail.google.com/mail/u/.../?ui=2&ik=d485ffbdc3&view=att&th=14d2e6c69cc14725&attid=0.2&disp=safe&zw

Remove may7_3656_cor_do-search.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.