9096.exe

City Center Games (Extreme White Limited)

The application 9096.exe by City Center Games (Extreme White Limited) has been detected as adware by 8 anti-malware scanners. This is a setup program which is used to install the application. It runs as a scheduled task under the Windows Task Scheduler named Crossbrowse triggered to execute each time a user logs in. It is built using the Crossrider cross-browser extension toolkit. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from download.allnetserveline.com. While running, it connects to the Internet address lb-182-252.above.com on port 80 using the HTTP protocol.
Publisher:

Version:
105.0.0.0

MD5:
fac89f28d1dd6523f96eed96ac635f1e

SHA-1:
3943aecd203eb468845ca512abbe0aabfbfadc6a

SHA-256:
18cbd624645f1006d99b74f7e7bf005e12cf38eec3dd76158cba16e032b6a505

Scanner detections:
8 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
11/4/2024 5:04:42 PM UTC  (today)

Scan engine
Detection
Engine version

Baidu Antivirus
Adware.Win32.CrossAd
4.0.3.15516

Dr.Web
Trojan.Crossrider1.29569
9.0.1.0136

ESET NOD32
Win32/Toolbar.CrossRider.CN potentially unwanted (variant)
9.11605

Malwarebytes
PUP.Optional.CrossBrowse
v2015.05.16.12

Reason Heuristics
Threat.Task.CityCenterGamesExtremeWhiteLimited
15.5.16.8

Sophos
AppRider
4.98

Vba32 AntiVirus
suspected of Trojan.Downloader.gen.h
3.12.26.3

VIPRE Antivirus
Crossrider
40116

File size:
1.8 MB (1,895,512 bytes)

Product version:
105.0.0.0

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\9096.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
4/15/2015 2:00:00 AM

Valid to:
4/15/2016 1:59:59 AM

Subject:
CN=City Center Games (Extreme White Limited), O=City Center Games (Extreme White Limited), STREET=Tassou Papadopulu 6 (flat/office 22), L=Nicosia, S=Agios Dometios, PostalCode=2373, C=CY

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00808728FFBF020E8929813B59AA2EC529

File PE Metadata
Compilation timestamp:
5/7/2015 12:23:45 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
49152:OSIsw/tPyw3nXqyDRpzeT/pSdtuaqgBXL3O6HOzN461:Rvw/gAnX9DRdBlG

Entry address:
0x122EEE

Entry point:
E8, 48, 11, 01, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, C4, 9D, 5B, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, 48, DE, 5A, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, C4, 9D, 5B, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8, 01...
 
[+]

Code size:
1.3 MB (1,367,040 bytes)

Scheduled Task
Task name:
Crossbrowse

Trigger:
Logon (Runs on logon)


The file 9096.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to lb-182-252.above.com  (103.224.182.252:80)

Remove 9096.exe - Powered by Reason Core Security