TMain.exe

2947_cmi_mystartsearch

Xiaoqing Liu

The file TMain.exe by Xiaoqing Liu has been detected as adware by 11 anti-malware scanners. According to AVG, this software downloads additional adware offers during setup. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from d2drfrdurj6mvo.cloudfront.net.
Publisher:
TabMain  (signed by Xiaoqing Liu)

Product:
2947_cmi_mystartsearch

Description:
TabMain

Version:
6.3.76.1532

MD5:
2bf0ae8c8d492fd2a3a4710127c4520d

SHA-1:
9a7836676a116d3fb58ff42b06213eead7db4b91

SHA-256:
45b63edc593149e87aef29e664df720c4549f7632e7404f1192783b8ec11ccf8

Scanner detections:
11 / 68

Status:
Adware

Analysis date:
11/27/2024 1:10:42 PM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Agnitum Outpost | Riskware.Agent | 7.1.1 |
| avast! | Win32:Dropper-gen [Drp] | 2014.9-150613 |
| AVG | Potentially harmful program Downloader | 2016.0.3080 |
| Baidu Antivirus | Adware.Win32.ELEX | 4.0.3.15613 |
| Bkav FE | W32.HfsAdware | 1.3.0.6379 |
| Dr.Web | Adware.Mutabaha.228 | 9.0.1.0164 |
| ESET NOD32 | Win32/ELEX.CF potentially unwanted application | 9.7.0.302.0 |
| herdProtect (fuzzy) | | 2015.6.13.3 |
| K7 AntiVirus | Adware | 13.204.16012 |
| Malwarebytes | PUP.Optional.LuckySearches.A | v2015.03.06.12 |
| Reason Heuristics | PUP.Li Mo | 15.3.6.12 |

File size:
515.9 KB (528,328 bytes)

Product version:
6.3.76.1532

Copyright:
Copyright (C) 2014

Original file name:
TMain.exe

Language:
English (United Kingdom)

Common path:
C:\users\{user}\appdata\local\temp\nsq7476.tmp

Digital Signature
Signed by:

Authority:
DigiCert Inc

Valid from:
8/13/2014 3:00:00 AM

Valid to:
8/17/2015 3:00:00 PM

Subject:
CN=Xiaoqing Liu, O=Xiaoqing Liu, L=Zaozhuang, S=Shandong, C=CN

Issuer:
CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0EBAB4AC38B70A33EE517D238BDE49D7

File PE Metadata
Compilation timestamp:
3/5/2015 9:50:45 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:AXAo1g3+tfZu4Y8LfiNpptAPXvR9bL7uY4yTdQx:A3k+NZoi6NntAB9bL7uYjTdQx

Entry address:
0x29EAE

Entropy:
6.4651

Code size:
353 KB (361,472 bytes)

The file TMain.exe has been seen being distributed by the following URL.
