setup10.exe

Id-Vvbkfyzti

CR7 Team (Bright Circle Investments Ltd)

This adware is a web browser extension that will inject advertising in the browser in the form of unwanted banners and text-links which may link to malware sites and install unwanted software. The application setup10.exe by CR7 Team (Bright Circle Investments) has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. The program is a setup application that uses the Nullsoft Install System installer. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from cdn.chironexfleckeriwhite.com. It is part of the Brightcircle group of web-extensions that inject advertisements in the browser.
Publisher:
Qxyzuxjyaopp & co.  (signed by CR7 Team (Bright Circle Investments Ltd))

Product:
Id-Vvbkfyzti

Description:
Pofryryqjv

Version:
16.3.9.25

MD5:
919a724a58800f03f695870c32436dba

SHA-1:
fbd233f0401d7f160d1301ccde97ace7e09142dd

SHA-256:
dda4ddd87ea40da7ee0abe322f0e624b72042040a0bbe2face644329b80f934c

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines has not currently detected this file; however, based on our own detection heuristics, we feel that this file is unwanted.

Analysis date:
12/24/2024 4:59:06 PM UTC

Scan engine:
Reason Heuristics

Detection:
Adware.BrightCircle.CR7TeamBrightCircleInvestments.Installer (M)

Engine version:
16.1.19.21

File size:
12.7 MB (13,269,744 bytes)

Copyright:
Copyright Ytoschzghvpb

Trademarks:
Vvbkfyzti is a trademark of Kwxbppbmeukmx

File type:
Executable application (Win32 EXE)

Installer:
Nullsoft Install System

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\mqx09ha1ex\setup10.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
12/15/2014 10:00:00 PM

Valid to:
12/16/2015 9:59:59 PM

Subject:
CN=CR7 Team (Bright Circle Investments Ltd), O=CR7 Team (Bright Circle Investments Ltd), STREET=Athinodorou 3, STREET=Dasoupoli Strovolos, L=Nicosia, S=Nicosia, PostalCode=2025, C=CY

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00FBFD4A5FBC2F4538E5DF7603F1B0A48C

File PE Metadata
Compilation timestamp:
12/4/2012 11:55:11 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.22

CTPH (ssdeep):
196608:bpGIwN4bOjxeFE8ECSVLtcLbUkacoe2oHngYg7TatCzrLKS1bnafaHNA49ZTIJ+Z:bpzCEOlU5SVLWXUkH2i6fKg+SvZTIo

Entry address:
0x412D

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, FF, 15, 74, 73, 45, 00, C7, 04, 24, 01, 80, 00, 00, FF, 15, 58, 74, 45, 00, 53, C7, 04, 24, 00, 00, 00, 00, FF, 15, 98, 74, 45, 00, 56, A3, F4, E7, 44, 00, C7, 04, 24, 08, 00, 00, 00, E8, 8B, 3B, 00, 00, A3, 50, E8, 44, 00, 8D, 85, 84, FE, FF, FF, 57, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, A9, B2, 40, 00, FF, 15, AC, 74, 45, 00, 83, EC, 14, C7, 44, 24, 04, AA, B2, 40, 00, C7...
 

Code size:
33.5 KB (34,304 bytes)

The file setup10.exe has been seen being distributed by the following URL.
