nshc7dd.tmp

City Center Games (Extreme White Limited)

The file nshc7dd.tmp by City Center Games (Extreme White Limited) has been detected as adware by 13 anti-malware scanners. This file is typically installed with the program Crossbrowse by CLARALABSOFTWARE, which is a potentially unwanted software program. It is built using the Crossrider cross-browser extension platform. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from dl.ourstaticdatastorage.com and multiple other hosts. While running, it connects to the Internet address lb-182-252.above.com on port 80 using the HTTP protocol.
Publisher:

Version:
106.0.0.0

MD5:
b1d21013e91a57b0469651c82355e265

SHA-1:
03d605c6c01abccc0c55fc18fc0a17b928d92f9b

SHA-256:
384a5e6f56ab663807b218d04799e6d6475769b566c19168b1ac4fc26a4589b5

Scanner detections:
13 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
11/23/2024 5:06:19 PM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Agnitum Outpost | PUA.Toolbar.CrossRider | 7.1.1 |
| Avira AntiVirus | ADWARE/CrossRider.Gen7 | 8.3.1.6 |
| AVG | Win32/DH{gRJlfRMDICIlV04} | 2016.0.3085 |
| Baidu Antivirus | Adware.Win32.CrossAd | 4.0.3.1567 |
| Bkav FE | W32.HfsAdware | 1.3.0.6379 |
| Dr.Web | Trojan.Crossrider1.31292 | 9.0.1.0158 |
| ESET NOD32 | Win32/Toolbar.CrossRider.CN potentially unwanted (variant) | 9.11747 |
| K7 AntiVirus | Unwanted-Program | 13.204.16151 |
| Kaspersky | HEUR:Trojan-Downloader.Win32.Generic | 14.0.0.1921 |
| Malwarebytes | PUP.Optional.CrossBrowse | v2015.06.07.05 |
| Qihoo 360 Security | HEUR/QVM10.1.Malware.Gen | 1.0.0.1015 |
| Reason Heuristics | PUP.installCore.CityCenterGamesExtremeWhiteLimited | 15.6.7.13 |
| Vba32 AntiVirus | suspected of Trojan.Downloader.gen.h | 3.12.26.4 |

File size:
1.9 MB (1,957,976 bytes)

Product version:
106.0.0.0

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\nshc7dd.tmp

Digital Signature
Authority:
COMODO CA Limited

Valid from:
4/15/2015 2:00:00 AM

Valid to:
4/15/2016 1:59:59 AM

Subject:
CN=City Center Games (Extreme White Limited), O=City Center Games (Extreme White Limited), STREET=Tassou Papadopulu 6 (flat/office 22), L=Nicosia, S=Agios Dometios, PostalCode=2373, C=CY

Issuer:
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00808728FFBF020E8929813B59AA2EC529

File PE Metadata
Compilation timestamp:
5/28/2015 2:48:12 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
49152:MrZhre7NHjyywxJOr1SSkOTapSU/iI0L12HEz5hF8FTv:6rreB4xJq1zkiq

Entry address:
0x129CDE


Code size:
1.3 MB (1,402,368 bytes)

The file nshc7dd.tmp has been discovered within the following program.

Crossbrowse  by CLARALABSOFTWARE
87% remove it
 

The file nshc7dd.tmp has been seen being distributed by the following 8 URLs.

http://dl.ourstaticdatastorage.com/69/all/cp/.../setup.exe

http://dl.newinputinfoservice.com/smt2b/all/hat/.../setup.exe

http://201.31.162.86/cache/dl.ourstaticdatastorage.com/69/all/cp/.../setup.exe

The executing file has been seen to make the following network communications in live environments.
