c1bf95b7-9d21-4302-bbde-c1ab4ab9ccf5-1-6.exe

I - Cinema

iCinema

The application c1bf95b7-9d21-4302-bbde-c1ab4ab9ccf5-1-6.exe has been detected as adware by 19 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler, triggered to execute each time a user logs in. It is built on the Crossrider cross-browser extension platform; although the file uses the Crossrider framework and delivery services, it is not owned by Crossrider. While running, it connects to the Internet address tlb.hwcdn.net on port 80 using the HTTP protocol.

Publisher:
iCinema

Product:
I - Cinema

Description:
I - Cinema exe

Version:
1000.1000.1000.1000

MD5:
785ad6b40f64c41722a271e24623a989

SHA-1:
74795a69c6500e3e3830a6b0e63bf006110842ea

SHA-256:
b63563fda151eec61f6103dca5a2c03b80276a8af7c9d37cc4363f656ef59937

Scanner detections:
19 / 68

Status:
Adware

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
7/8/2025 6:42:57 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Variant.Adware.CrossRider.7 | 535
AhnLab V3 Security | PUP/Win32.CrossRider | 2015.08.18
Avira AntiVirus | ADWARE/CrossRider.Gen7 | 8.3.1.6
Arcabit | Trojan.Adware.CrossRider.7 | 1.0.0.425
AVG | Generic_r | 2016.0.3013
Bitdefender | Gen:Variant.Adware.CrossRider.7 | 1.0.20.1150
Dr.Web | Trojan.Crossrider1.42769 | 9.0.1.0234
Emsisoft Anti-Malware | Gen:Variant.Adware.CrossRider | 8.15.08.18.03
ESET NOD32 | Win32/Toolbar.CrossRider.CD potentially unwanted (variant) | 9.12110
F-Secure | Gen:Variant.Adware.CrossRider | 11.2015-18-08_3
G Data | Gen:Variant.Adware.CrossRider | 15.8.25
Kaspersky | not-a-virus:HEUR:WebToolbar.Win32.CrossRider | 14.0.0.1562
Malwarebytes | PUP.Optional.iCinema.A | v2015.08.18.03
McAfee | PUP-FTK | 5600.6669
MicroWorld eScan | Gen:Variant.Adware.CrossRider.7 | 16.0.0.690
Panda Antivirus | Trj/Genetic.gen | 15.08.18.03
Reason Heuristics | Adware.Crossrider.iCinema (M) | 15.8.18.15
Rising Antivirus | PE:Malware.CrossRider!6.1CE1 | 23.00.65.15816
VIPRE Antivirus | Crossrider | 42984

File size:
1.5 MB (1,571,328 bytes)

Product version:
1000.1000.1000.1000

Copyright:
Copyright 2016

Original file name:
I - Cinema.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\i - cinema\c1bf95b7-9d21-4302-bbde-c1ab4ab9ccf5-1-6.exe

File PE Metadata
Compilation timestamp:
8/18/2015 2:05:57 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
24576:PJKEx0jNYtq2IxSwE+IgWUlzlmH+aPynQND3A6wvUTEpSlZi1j7siTKUJq4tC:PnC0+IclJomt6/TEpSlZi1XpKUJq4tC

Entry address:
0xAE9D7

Entry point:
E8, 34, 5A, 01, 00, E9, 00, 00, 00, 00, 6A, 14, 68, C8, 78, 53, 00, E8, B3, 93, 00, 00, E8, 6A, 61, 00, 00, 0F, B7, F0, 6A, 02, E8, C7, 59, 01, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, EE, B7, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...
 
Code size:
945.5 KB (968,192 bytes)

Scheduled Task
Task name:
c1bf95b7-9d21-4302-bbde-c1ab4ab9ccf5-1-6

Trigger:
Logon (Runs on logon)


The executing file has been seen to make the following network communications in live environments.


Powered by Reason Core Security