utility.exe

NightWish Center (Bright Circle Investments Ltd)

This adware is a web browser extension that injects advertising into the browser in the form of unwanted banners and text links, which may link to malware sites and install unwanted software. The application utility.exe by NightWish Center (Bright Circle Investments) has been detected as adware by 13 anti-malware scanners. It runs as a scheduled task named Crossbrowse under the Windows Task Scheduler, triggered to execute each time a user logs in. This file is typically installed with the program Crossbrowse by CLARALABSOFTWARE, which is a potentially unwanted software program. This particular feature is designed to hijack the browser in an attempt to prevent other resources from modifying the browser's search and home pages. It is part of the Brightcircle group of web extensions that inject advertisements in the browser.
Publisher:

Version:
104.0.0.0

MD5:
12227fc94a377df87b4ccb289eb35079

SHA-1:
f6c05bfb0a0a5a0b848949f3827937e5e243421c

SHA-256:
bf53eda68a8337dbff24bb35297ad8cbdf6a814539d50de47a1d96c35d919a01

Scanner detections:
13 / 68

Status:
Adware

Explanation:
May modify the web browser's settings including changing the homepage and search provider in addition to delivering ads (by injecting banner and text-links directly in the webpage).

Analysis date:
4/17/2025 11:43:32 PM UTC

| Scan engine | Detection | Engine version |
| --- | --- | --- |
| AhnLab V3 Security | PUP/Win32.CrossRider | 2015.04.07 |
| Avira AntiVirus | TR/Trash.Gen | 8.3.1.6 |
| avast! | Win32:Malware-gen | 150319-1 |
| AVG | Win.Threat.High | 2014.0.4311 |
| Baidu Antivirus | Adware.Win32.CrossAd | 4.0.3.1546 |
| ESET NOD32 | Win32/Toolbar.CrossRider.BM potentially unwanted application | 7.0.302.0 |
| herdProtect (fuzzy) | | 2015.7.10.7 |
| IKARUS anti.virus | PUA.SearchProtect | t3scan.1.9.5.0 |
| Kaspersky | HEUR:Trojan-Downloader.Win32.Generic | 14.0.0.2230 |
| Reason Heuristics | Adware.BrightCircle.NightWishCenterBrightCircleInvestments | 15.4.11.23 |
| Sophos | PUA 'AppRider' (of type Adware) | 5.15 |
| Vba32 AntiVirus | suspected of Trojan.Downloader.gen.h | 3.12.26.3 |
| VIPRE Antivirus | Threat.4789396 | 38882 |

File size:
1.7 MB (1,819,104 bytes)

Product version:
104.0.0.0

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\crossbrowse\crossbrowse\application\utility.exe

Digital Signature
Authority:
COMODO CA Limited

Valid from:
12/15/2014 7:00:00 PM

Valid to:
12/16/2015 6:59:59 PM

Subject:
CN=NightWish Center (Bright Circle Investments Ltd), O=NightWish Center (Bright Circle Investments Ltd), STREET=Athinodorou 3, STREET=Dasoupoli Strovolos, L=Nicosia, S=Nicosia, PostalCode=2025, C=CY

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00B30349E6AD66949988B51360F031BFB4

File PE Metadata
Compilation timestamp:
3/25/2015 1:19:54 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
49152:4d9zuD1k9KOEBGlW5SeYyBoaTXpSkLQN7Jz4nmeXtD:g9W1xIW59YyBode

Entry address:
0x119810

Entry point:
E8, D2, 10, 01, 00, E9, 7F, FE, FF, FF, CC, CC, CC, CC, CC, CC, 57, 56, 8B, 74, 24, 10, 8B, 4C, 24, 14, 8B, 7C, 24, 0C, 8B, C1, 8B, D1, 03, C6, 3B, FE, 76, 08, 3B, F8, 0F, 82, 68, 03, 00, 00, 0F, BA, 25, A4, 6D, 5A, 00, 01, 73, 07, F3, A4, E9, 17, 03, 00, 00, 81, F9, 80, 00, 00, 00, 0F, 82, CE, 01, 00, 00, 8B, C7, 33, C6, A9, 0F, 00, 00, 00, 75, 0E, 0F, BA, 25, 48, AE, 59, 00, 01, 0F, 82, DA, 04, 00, 00, 0F, BA, 25, A4, 6D, 5A, 00, 00, 0F, 83, A7, 01, 00, 00, F7, C7, 03, 00, 00, 00, 0F, 85, B8, 01, 00, 00...
 

Entropy:
6.6301

Code size:
1.3 MB (1,317,888 bytes)

Scheduled Task
Task name:
Crossbrowse

Trigger:
Logon (Runs on logon)


The file utility.exe has been discovered within the following program.

Crossbrowse  by CLARALABSOFTWARE
87% remove it
 

The file utility.exe has been seen being distributed by the following URL.
