TMain.exe

3039_cmi_mystartsearch

Xiaoqing Liu

The file TMain.exe by Xiaoqing Liu has been detected as adware by 11 anti-malware scanners. According to AVG, this software downloads additional adware offers during setup. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from d2drfrdurj6mvo.cloudfront.net.
Publisher:
TabMain (signed by Xiaoqing Liu)

Product:
3039_cmi_mystartsearch

Description:
TabMain

Version:
6.3.76.1538

MD5:
b1f4d56eecfc4145644e2394fe29b82c

SHA-1:
395caedb5c1bf28705bf475e49a1937d0f86aacd

SHA-256:
1b8e87c62cd86740eae5adefd0cca9763264c119f92e978768865e89e02c7b53

Scanner detections:
11 / 68

Status:
Adware

Analysis date:
12/25/2024 6:11:38 AM UTC

Scan engine          Detection                                         Engine version
Agnitum Outpost      Riskware.Agent                                    7.1.1
avast!               Win32:Malware-gen                                 2014.9-150308
AVG                  Potentially harmful program Downloader            2016.0.3078
Baidu Antivirus      Adware.Win32.ELEX                                 4.0.3.15614
Bkav FE              W32.HfsAdware                                     1.3.0.6379
Dr.Web               Adware.Mutabaha.228                               9.0.1.0165
ESET NOD32           Win32/ELEX.CF potentially unwanted application    9.7.0.302.0
herdProtect (fuzzy)  -                                                 2015.6.14.16
K7 AntiVirus         Adware                                            13.204.15935
Malwarebytes         PUP.Optional.KeyFind.A                            v2015.03.08.08
Reason Heuristics    PUP.Li Mo                                         15.3.8.8

File size:
515.9 KB (528,328 bytes)

Product version:
6.3.76.1538

Copyright:
Copyright (C) 2014

Original file name:
TMain.exe

Language:
English (United Kingdom)

Common path:
C:\users\{user}\appdata\local\temp\nszd2ef.tmp

Digital Signature
Signed by:

Authority:
DigiCert Inc

Valid from:
8/12/2014 8:00:00 PM

Valid to:
8/17/2015 8:00:00 AM

Subject:
CN=Xiaoqing Liu, O=Xiaoqing Liu, L=Zaozhuang, S=Shandong, C=CN

Issuer:
CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0EBAB4AC38B70A33EE517D238BDE49D7

File PE Metadata
Compilation timestamp:
3/6/2015 7:15:11 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:jaLszYBZI09idmqTcc4x8vm5PnhtS0ru4ETdO4Qz:jVkBZI+U94yvmvtS0ru1TdObz

Entry address:
0x29F1E

Entry point:
E8, A1, C7, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 20, 8B, 45, 08, 56, 57, 6A, 08, 59, BE, 50, A5, 45, 00, 8D, 7D, E0, F3, A5, 89, 45, F8, 8B, 45, 0C, 5F, 89, 45, FC, 5E, 85, C0, 74, 0C, F6, 00, 08, 74, 07, C7, 45, F4, 00, 40, 99, 01, 8D, 45, F4, 50, FF, 75, F0, FF, 75, E4, FF, 75, E0, FF, 15, 1C, A1, 45, 00, C9, C2, 08, 00, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8B, 4C, 24, 04, F7, C1, 03, 00, 00, 00, 74, 24, 8A, 01, 83, C1, 01, 84, C0, 74, 4E, F7, C1, 03, 00, 00, 00, 75, EF, 05...

Entropy:
6.4738

Code size:
353 KB (361,472 bytes)

The file TMain.exe has been seen being distributed by the following URL.
