MF.exe

Media Finder

The application MF.exe has been detected as a potentially unwanted program by 21 anti-malware scanners. It is set to start automatically when a user logs into Windows, through the current-user Run registry key, under the display name ‘Media Finder’. While running, it connects to the Internet address 195.64.154.22.ip.ukrnames.com on port 80 using HTTP.

Publisher:
Media Finder

Product:
Media Finder

Version:
1.0.9.81

MD5:
802b8079b4d7e82b8a210206856323a4

SHA-1:
0ce84e1db5de607179dfe978a7f2e295896c1484

Scanner detections:
21 / 68

Status:
Potentially unwanted

Analysis date:
4/25/2024 9:37:59 AM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Lavasoft Ad-Aware | Adware.MediaFinder.D | 786 |
| Avira AntiVirus | Adware/Rogue.8588288 | 7.11.165.50 |
| avast! | Win32:Adware-gen [Adw] | 2014.9-141211 |
| AVG | Generic5 | 2015.0.3264 |
| Baidu Antivirus | Adware.Win32.MediaFinder | 4.0.3.141211 |
| Bitdefender | Adware.MediaFinder.D | 1.0.20.1725 |
| Comodo Security | ApplicUnwnt | 19085 |
| Dr.Web | Program.FileSearch.3 | 9.0.1.0345 |
| Emsisoft Anti-Malware | Adware.MediaFinder | 8.14.12.11.06 |
| ESET NOD32 | Win32/Adware.MediaFinder | 8.10202 |
| F-Secure | Adware.MediaFinder.D | 11.2014-11-12_5 |
| G Data | Adware.MediaFinder | 14.12.24 |
| IKARUS anti.virus | AdWare.MediaFinder | t3scan.1.6.1.0 |
| K7 AntiVirus | Adware | 13.182.12945 |
| McAfee | Artemis!802B8079B4D7 | 5600.6920 |
| MicroWorld eScan | Adware.MediaFinder.D | 15.0.0.1035 |
| NANO AntiVirus | Riskware.Win32.FileSearch.cylmrd | 0.28.2.61349 |
| nProtect | Adware.MediaFinder.D | 14.08.04.01 |
| Rising Antivirus | PE:Trojan.Win32.Generic.15BABFB1!364560305 | 23.00.65.141209 |
| Sophos | Generic PUA AM | 4.98 |
| VIPRE Antivirus | Trojan.Win32.Generic | 31924 |

File size:
8.2 MB (8,588,288 bytes)

Product version:
1.0.3.0

Original file name:
MF.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\media finder\mf.exe

File PE Metadata
Compilation timestamp:
4/20/2012 3:53:07 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
98304:VjJAmOhTfp1lU6uJ/Oug2x6Y55kn2ao4r2GMMpl/xroodt9SdrBc41rpUqK3pAyb:1QfZU6TA5kn2abecIsrWfINWHR

Entry address:
0x455188

Entry point:
55, 8B, EC, 83, C4, F0, 53, B8, 34, 5D, 84, 00, E8, F3, 67, BB, FF, 8B, 1D, E8, 0E, 88, 00, E8, A4, 09, FF, FF, 84, C0, 75, 5C, 8B, 03, E8, 89, F0, CB, FF, 8B, 03, B2, 01, E8, BC, 0D, CC, FF, 8B, 03, BA, 18, 52, 85, 00, E8, 90, EA, CB, FF, 8B, 0D, 80, 0B, 88, 00, 8B, 03, 8B, 15, B4, 17, 81, 00, E8, 79, F0, CB, FF, 8B, 0D, B4, 0F, 88, 00, 8B, 03, 8B, 15, C0, D0, 82, 00, E8, 66, F0, CB, FF, 8B, 0D, 24, 14, 88, 00, 8B, 03, 8B, 15, D0, AD, 83, 00, E8, 53, F0, CB, FF, 8B, 03, E8, 9C, F1, CB, FF, 5B, E8, 96, 17...
 

Developed / compiled with:
Microsoft Visual C++

Code size:
4.3 MB (4,537,344 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Media Finder

Command:
"C:\Program Files\media finder\mf.exe" \opentotray


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to 195.64.154.22.ip.ukrnames.com  (195.64.154.22:80)
