b2e0fae2-7cef-450e-8ef7-0de243483f10-6.exe

CinemaP-1.8cV11.04

Cinema PlusV11.04

The application b2e0fae2-7cef-450e-8ef7-0de243483f10-6.exe, “CinemaP-1.8cV11.04 exe” has been detected as adware by 19 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in. It is built using the Crossrider cross-browser extension toolkit. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. While running, it connects to the Internet address dnsrev.romtelecom.net on port 80 using the HTTP protocol.
Publisher:
Cinema PlusV11.04

Product:
CinemaP-1.8cV11.04

Description:
CinemaP-1.8cV11.04 exe

Version:
1000.1000.1000.1000

MD5:
32be7d692332859591bf85a4e4a32e83

SHA-1:
2798c54cccc6357d5b4ca9f825a3154bfbdbec24

SHA-256:
8df863f14a341950a8950c59070227677ea1e24a7629ca8c9152c1dbf7f0f30c

Scanner detections:
19 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
11/24/2024 4:32:16 PM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Lavasoft Ad-Aware | Gen:Application.Heur.uz0@miBqWodi | 664 |
| AhnLab V3 Security | PUP/Win32.CrossRider | 2015.04.14 |
| Avira AntiVirus | ADWARE/CrossRider.Gen7 | 3.6.1.96 |
| avast! | Win32:Trojan-gen | 2014.9-150411 |
| AVG | Crossrider | 2016.0.3139 |
| Baidu Antivirus | Adware.Win32.CrossAd | 4.0.3.15415 |
| Bitdefender | Gen:Application.Heur.uz0@miBqWodi | 1.0.20.975 |
| Emsisoft Anti-Malware | Gen:Application.Heur.uz0@miBqWodi | 8.15.04.11.05 |
| ESET NOD32 | Win32/Toolbar.CrossRider.CD potentially unwanted application | 9.7.0.302.0 |
| Fortinet FortiGate | Riskware/CrossRider | 4/15/2015 |
| F-Secure | Riskware.Gen:Application.Heur.uz0@miBqWodi | 11.2015-11-04_7 |
| Malwarebytes | PUP.Optional.iCinema.A | v2015.04.15.05 |
| MicroWorld eScan | Gen:Application.Heur.uz0@miBqWodi | 16.0.0.585 |
| Norman | Gen:Application.Heur.uz0@kiBqWodi | 11.20150411 |
| Reason Heuristics | Adware.Crossrider.Task | 15.4.11.13 |
| Rising Antivirus | PE:Malware.Adwapper!6.23ED | 23.00.65.15413 |
| Sophos | Generic PUA MG | 4.98 |
| SUPERAntiSpyware | Adware.CrossRider/Variant | 9935 |

File size:
1.3 MB (1,390,080 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2016

Original file name:
CinemaP-1.8cV11.04.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

File PE Metadata
Compilation timestamp:
4/11/2015 2:06:38 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
24576:mjMVhldwbeIxx5X6XtHXHqkKAWy+65NN7IVWaT4pSdzGJqy18y1r7O5Z:+8+eYbXehXHtWy+SGVWaT4pSdzGQy18x

Entry address:
0xB167D

Entry point:
E8, 0C, 01, 01, 00, E9, 00, 00, 00, 00, 6A, 14, 68, 88, B9, 51, 00, E8, 6D, 76, 00, 00, E8, 34, 53, 00, 00, 0F, B7, F0, 6A, 02, E8, 9F, 00, 01, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, 3D, 8D, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...
Code size:
903 KB (924,672 bytes)

Scheduled Task
Task name:
b2e0fae2-7cef-450e-8ef7-0de243483f10-6

Path:
C:\WINDOWS\Tasks\b2e0fae2-7cef-450e-8ef7-0de243483f10-6.job

Trigger:
Logon (Runs on logon)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to hdc86-35-3-193.romtelecom.net  (86.35.3.193:80)

TCP (HTTP):
Connects to dnsrev.romtelecom.net  (86.35.3.192:80)

TCP (HTTP):
Connects to s3-website-us-east-1.amazonaws.com  (54.231.50.41:80)

TCP (HTTP):
Connects to ip-50-63-202-55.ip.secureserver.net  (50.63.202.55:80)

TCP (HTTP):
Connects to ip-50-63-202-54.ip.secureserver.net  (50.63.202.54:80)

TCP (HTTP):
Connects to ip-184-168-221-43.ip.secureserver.net  (184.168.221.43:80)

Remove b2e0fae2-7cef-450e-8ef7-0de243483f10-6.exe - Powered by Reason Core Security