home

cinemaplus-3.3c_updating_service.exe

The application cinemaplus-3.3c_updating_service.exe has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It runs as a scheduled task under the Windows Task Scheduler triggered to execute each time a user logs in. It is built using the Crossrider cross-browser extension platform. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. While running, it connects to the Internet address ip-50-63-202-62.ip.secureserver.net on port 80 using the HTTP protocol.
MD5:
8767be1e322e25155e6b2910d20c721b

SHA-1:
9193a118156a2bf8624122c9f28547d62d4e4d88

SHA-256:
d641c350662b86f1b99bf08252a1a00896469faebc70b5f29a03aca365739da7

Scanner detections:
1 / 68

Status:
Potentially unwanted

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
11/5/2024 11:09:45 PM UTC  (a few moments ago)

Scan engine
Detection
Engine version

Reason Heuristics
Adware.Crossrider
16.2.1.16

File size:
219 KB (224,256 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\cinemaplus-3.3c\cinemaplus-3.3c_updating_service.exe

File PE Metadata
Compilation timestamp:
6/4/2015 5:05:35 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
3072:ENtHcQMQDnkJxkqtXpsdCcq4q1TMDPcfIF0jbOn4NPBfL3FvMxU:4t8QMWnAxkq5141yW+1pJWU

Entry address:
0x1138F

Entry point:
E8, D6, B8, 00, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, CC, 8B, 54, 24, 0C, 8B, 4C, 24, 04, 85, D2, 74, 7F, 0F, B6, 44, 24, 08, 0F, BA, 25, 90, 84, 43, 00, 01, 73, 0D, 8B, 4C, 24, 0C, 57, 8B, 7C, 24, 08, F3, AA, EB, 5D, 8B, 54, 24, 0C, 81, FA, 80, 00, 00, 00, 7C, 0E, 0F, BA, 25, 58, 67, 43, 00, 01, 0F, 82, B9, BA, 00, 00, 57, 8B, F9, 83, FA, 04, 72, 31, F7, D9, 83, E1, 03, 74, 0C, 2B, D1, 88, 07, 83, C7, 01, 83, E9, 01, 75, F6, 8B, C8, C1, E0, 08, 03, C1, 8B, C8, C1, E0, 10, 03, C1, 8B, CA, 83, E2...
 
[+]

Code size:
160.5 KB (164,352 bytes)

Scheduled Task
Task name:
cinemaplus-3.3c_updating_service

Trigger:
Logon (Runs on logon)


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to lb-212-247.above.com  (103.224.212.247:80)

TCP (HTTP):
Connects to ec2-50-17-200-93.compute-1.amazonaws.com  (50.17.200.93:80)

TCP (HTTP):
Connects to ip-50-63-202-62.ip.secureserver.net  (50.63.202.62:80)

TCP (HTTP):
Connects to ec2-54-243-49-80.compute-1.amazonaws.com  (54.243.49.80:80)

TCP (HTTP):
Connects to ec2-54-243-231-184.compute-1.amazonaws.com  (54.243.231.184:80)

TCP (HTTP):
Connects to ec2-54-235-132-90.compute-1.amazonaws.com  (54.235.132.90:80)

TCP (HTTP):
Connects to ec2-54-235-116-11.compute-1.amazonaws.com  (54.235.116.11:80)

TCP (HTTP):
Connects to ec2-54-235-103-131.compute-1.amazonaws.com  (54.235.103.131:80)

TCP (HTTP):
Connects to ec2-54-225-64-6.compute-1.amazonaws.com  (54.225.64.6:80)

TCP (HTTP):
Connects to ec2-54-225-216-119.compute-1.amazonaws.com  (54.225.216.119:80)

TCP (HTTP):
Connects to ec2-50-19-252-204.compute-1.amazonaws.com  (50.19.252.204:80)

TCP (HTTP):
Connects to ec2-50-17-240-68.compute-1.amazonaws.com  (50.17.240.68:80)

TCP (HTTP):
Connects to ec2-50-17-220-207.compute-1.amazonaws.com  (50.17.220.207:80)

TCP (HTTP):
Connects to ec2-50-17-185-127.compute-1.amazonaws.com  (50.17.185.127:80)

TCP (HTTP):
Connects to ec2-23-23-98-183.compute-1.amazonaws.com  (23.23.98.183:80)

TCP (HTTP):
Connects to ec2-23-23-162-52.compute-1.amazonaws.com  (23.23.162.52:80)

TCP (HTTP):
Connects to ec2-23-23-150-161.compute-1.amazonaws.com  (23.23.150.161:80)

TCP (HTTP):
Connects to ec2-23-23-109-78.compute-1.amazonaws.com  (23.23.109.78:80)

TCP (HTTP):
Connects to ec2-23-23-100-19.compute-1.amazonaws.com  (23.23.100.19:80)

TCP (HTTP):
Connects to ec2-23-21-224-177.compute-1.amazonaws.com  (23.21.224.177:80)

Remove cinemaplus-3.3c_updating_service.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.