3862.exe

City Center Games (Extreme White Limited)

The application 3862.exe by City Center Games (Extreme White Limited) has been detected as adware by 8 anti-malware scanners. It is a setup program used to install the application. The file is typically installed with Crossbrowse by CLARALABSOFTWARE, a potentially unwanted software program. It is built using the Crossrider cross-browser extension toolkit; although the file uses the Crossrider framework and delivery services, it is not owned by Crossrider. It is typically executed from the user's temporary directory. The file has been seen downloaded from download.allnetserveline.com. While running, it connects to the Internet address lb-182-252.above.com on port 80 using the HTTP protocol.
Publisher:

Version:
105.0.0.0

MD5:
4fc093106cf68fe61ab88295c0f4ba46

SHA-1:
aa2c8acfb73452546ff3747d05d0bd745b1b759c

SHA-256:
4efee8b124fe3f1b6566d4ed5497dc51a6ba04b59fdf9977100458f8149911e0

Scanner detections:
8 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
12/25/2024 4:22:46 PM UTC

Scan engine
Detection
Engine version

Dr.Web
Trojan.Crossrider1.29263
9.0.1.0134

ESET NOD32
Win32/Toolbar.CrossRider.CN potentially unwanted (variant)
9.11599

herdProtect (fuzzy)
2015.8.3.13

Malwarebytes
PUP.Optional.CrossBrowse
v2015.05.14.08

Reason Heuristics
PUP.installCore.CityCenterGamesExtremeWhiteLimited
15.5.8.23

Sophos
AppRider
4.98

Vba32 AntiVirus
suspected of Trojan.Downloader.gen.h
3.12.26.3

VIPRE Antivirus
Crossrider
39902

File size:
1.8 MB (1,893,976 bytes)

Product version:
105.0.0.0

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\3862.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
4/15/2015 1:00:00 AM

Valid to:
4/15/2016 12:59:59 AM

Subject:
CN=City Center Games (Extreme White Limited), O=City Center Games (Extreme White Limited), STREET=Tassou Papadopulu 6 (flat/office 22), L=Nicosia, S=Agios Dometios, PostalCode=2373, C=CY

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00808728FFBF020E8929813B59AA2EC529

File PE Metadata
Compilation timestamp:
4/30/2015 3:32:26 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
49152:yQ+7a9bjH7hdgXSfi2BXXrT7pSy9fi5oZRl2YxJ5iaN46N:D0a9NWSfBB4zg

Entry address:
0x122990

Entry point:
E8, 2B, 11, 01, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, C4, 9D, 5B, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, 48, DE, 5A, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, C4, 9D, 5B, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8, 01, 00, 00...
 

Code size:
1.3 MB (1,365,504 bytes)

The file 3862.exe has been discovered within the following program.

Crossbrowse by CLARALABSOFTWARE
87% remove it
 

The file 3862.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to lb-182-252.above.com (103.224.182.252:80)
