Setup.exe

Playtech PLC

The file Setup.exe, “Mansion Casino Installer” by Playtech PLC, has been detected as a potentially unwanted program by 2 anti-malware scanners. The program is a setup application that uses the Nullsoft Install System installer. It is built using the Crossrider cross-browser extension platform. While the file utilizes the Crossrider framework and delivery services, it is not owned by Crossrider. This downloadable file is typically blocked through Google's Safe Browsing technology in the Chrome web browser. The file has been seen being downloaded from www.mansion-casino.co and multiple other hosts.
Publisher:
Mansion Casino  (signed by Playtech PLC)

Product:
Mansion Casino

Description:
Mansion Casino Installer

Version:
1.1.1.28

MD5:
ba53cd897cda20b4a077810cf71253a8

SHA-1:
0e3d601a4b34a9fadda9f6d786dbb6114c0fcb89

SHA-256:
dda8fbf57f9ddc8c2b04ed65d59c59d054d8972e2c9890c24cc05dd72f6d5212

Scanner detections:
2 / 68

Status:
Potentially unwanted

Explanation:
The software may change the browser's home page and search provider settings as well as display advertisements.

Analysis date:
4/18/2024 4:17:26 PM UTC

Scan engine       | Detection                                       | Engine version
Reason Heuristics | PUP.Crossrider.PlaytechPLC.Installer.Meta (M)   | 15.12.30.16
Vba32 AntiVirus   | Trojan.GoogUpdate                               | 3.12.26.3

File size:
833.3 KB (853,264 bytes)

Copyright:
Copyright 2014

Installer:
Nullsoft Install System

Language:
English (United States)

Common path:
C:\users\{user}\downloads\setup.exe

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
2/20/2014 12:00:00 AM

Valid to:
1/15/2015 11:59:59 PM

Subject:
CN=Playtech PLC, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Playtech PLC, L=Douglas, S=IM, C=IM

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
764E6DB88B018BFEBD8F7B533DC3A6D3

File PE Metadata
Compilation timestamp:
12/4/2012 1:55:02 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.22

CTPH (ssdeep):
24576:DYCcAKG5liQT2xPvB7xhRItDjuvul9JMz:DXblnA7ZROJU

Entry address:
0x4323

Entry point:
55, 89, E5, 57, 56, 53, 81, EC, AC, 01, 00, 00, FF, 15, 74, C3, 44, 00, C7, 04, 24, 01, 80, 00, 00, FF, 15, 58, C4, 44, 00, 53, C7, 04, 24, 00, 00, 00, 00, FF, 15, 98, C4, 44, 00, 56, A3, 40, 3B, 44, 00, C7, 04, 24, 08, 00, 00, 00, E8, 8D, 3B, 00, 00, A3, 9C, 3B, 44, 00, 8D, 85, 84, FE, FF, FF, 57, C7, 44, 24, 10, 00, 00, 00, 00, C7, 44, 24, 0C, 60, 01, 00, 00, 89, 44, 24, 08, C7, 44, 24, 04, 00, 00, 00, 00, C7, 04, 24, 01, B3, 40, 00, FF, 15, AC, C4, 44, 00, 83, EC, 14, C7, 44, 24, 04, 02, B3, 40, 00, C7...

Entropy:
7.9046  (probably packed)

Code size:
34.5 KB (35,328 bytes)

The file Setup.exe has been seen being distributed by the following 5 URLs.

Remove Setup.exe - Powered by Reason Core Security