» 6634.exe
Overview
Analysis
File Details
Network (3)

6634.exe

CinemaPlus-4.5vV07.07

Digit Network (Extreme White Limited)

The application 6634.exe, “CinemaPlus-4.5vV07.07 exe” by Digit Network (Extreme White Limited) has been detected as adware by 21 anti-malware scanners. It is built using the Crossrider cross-browser extension platform. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address ip-172-20-3-100.ec2.internal on port 8080.

File name:

6634.exe

Publisher:

Cinema PlusV07.07 (signed by Digit Network (Extreme White Limited))

Product:

CinemaPlus-4.5vV07.07

Description:

CinemaPlus-4.5vV07.07 exe

Version:

1000.1000.1000.1000

MD5:

25c4be34f0f33975c994183deffe1a06

SHA-1:

1211477b8e0de51e269b393af83236e5a91778ef

SHA-256:

3aba7ef39f38a4d2311bf7b7c3467fcc5c814c8ccdd98de1dc2a392a7eb6639f

Scanner detections:

21 / 68

Status:

Adware

Explanation:

May modify the web browser's settings including changing the homepage and search provider in addition to delivering ads (by injecting banner and text-links directly in the webpage).

Analysis date:

1/15/2025 7:56:51 AM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Gen:Variant.Adware.Graftor.188636

577

AhnLab V3 Security

PUP/Win32.CrossRider

2015.07.08

Avira AntiVirus

ADWARE/CrossRider.Gen7

8.3.1.6

Arcabit

Trojan.Adware.Graftor.D2E0DC

1.0.0.425

avast!

Win32:Adware-CMH [PUP]

2014.9-150707

AVG

Crossrider_r

2016.0.3055

Baidu Antivirus

Adware.Win32.CrossAd

4.0.3.1577

Bitdefender

Gen:Variant.Adware.Graftor.188636

1.0.20.940

Bkav FE

W32.HfsAdware

1.3.0.6979

Emsisoft Anti-Malware

Gen:Variant.Adware.Graftor.188636

8.15.07.07.07

ESET NOD32

Win32/Toolbar.CrossRider.CD potentially unwanted (variant)

9.11903

F-Secure

Gen:Variant.Adware.Graftor

11.2015-07-07_3

G Data

Gen:Variant.Adware.Graftor.188636

15.7.25

IKARUS anti.virus

Gen.AdWare.Plush

t3scan.1.9.5.0

K7 AntiVirus

Unwanted-Program

13.205.16486

Kaspersky

not-a-virus:WebToolbar.Win32.CrossRider

14.0.0.1771

Malwarebytes

PUP.Optional.CrossRider.A

v2015.07.07.07

MicroWorld eScan

Gen:Variant.Adware.Graftor.188636

16.0.0.564

Panda Antivirus

Trj/Genetic.gen

15.07.07.07

Reason Heuristics

PUP.ExtremeWhite.DigitNetworkExtremeWhiteLimited (M)

15.7.7.19

SUPERAntiSpyware

PUP.CrossRider/Variant

9767

File size:

1.5 MB (1,574,480 bytes)

Product version:

1000.1000.1000.1000

Original file name:

CinemaPlus-4.5vV07.07.exe

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\users\{user}\appdata\local\temp\6634.exe

Digital Signature

Signed by:

Digit Network (Extreme White Limited)

Authority:

COMODO CA Limited

Valid from:

4/15/2015 2:00:00 AM

Valid to:

4/15/2016 1:59:59 AM

Subject:

CN=Digit Network (Extreme White Limited), O=Digit Network (Extreme White Limited), STREET=Tassou Papadopulu 6 (flat/office 22), L=Nicosia, S=Agios Dometios, PostalCode=2373, C=CY

Issuer:

CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:

00F39F5E5096779B72822CF8381166A432

File PE Metadata

Compilation timestamp:

7/7/2015 2:06:09 PM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

11.0

CTPH (ssdeep):

24576:oY5Zd4mVLHEHgxeP+5gDCFBrgF03sEBuxldTipSje3RfHmusVMxyu9wqEWQr:1h9pmopgjdTipSje3tVsVMxyu9wrWQr

Entry address:

0xCDF6D

Entry point:

E8, 49, 06, 01, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, B8, 19, 55, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, 58, E1, 54, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, B8, 19, 55, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8... 
[+]

Entropy:

6.4800

Code size:

1020 KB (1,044,480 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to ip-172-20-3-100.ec2.internal (172.20.3.100:8080)

TCP (HTTP):

Connects to s3-website-us-east-1.amazonaws.com (52.216.80.58:80)

Remove 6634.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.