File name:	Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe
Full analysis:	https://app.any.run/tasks/e547c8ae-d297-4fd2-8ab2-ed62b7ab0ca1
Verdict:	Malicious activity
Analysis date:	September 29, 2024, 13:28:19
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	pyinstaller
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5:	6940A2574B9F6B57131A1FFFC99631C1
SHA1:	4D03F302532BAE46A39095648986C6201075C285
SHA256:	1393E44E7E78171E5D713D99972B5D80F816D6A1B32B3ABBCC3726D1F44F1E6F
SSDEEP:	196608:VTg/62egx3Uku5Q92CP9AoIDveNvYiVhq9vJUW+P:32DSyP9vIDveNvY0kUXP

.exe	\|	Win32 Executable MS Visual C++ (generic) (64.4)
.dll	\|	Win32 Dynamic Link Library (generic) (13.5)
.exe	\|	Win32 Executable (generic) (9.3)
.exe	\|	Win16/32 Executable Delphi generic (4.2)
.exe	\|	Generic Win/DOS Executable (4.1)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:07:18 17:13:29+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType:	PE32
LinkerVersion:	2.5
CodeSize:	795648
InitializedDataSize:	198144
UninitializedDataSize:	-
EntryPoint:	0x16276
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	0.3.1.0
ProductVersionNumber:	0.3.1.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Unknown (0)
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
ProductName:	MINA Overwatch 2 Server Blocker Setup
InternalName:	Setup MINA Overwatch 2 Server Selector v5.3.1
OriginalFileName:	Setup MINA Overwatch 2 Server Selector v5.3.1.exe
ProductVersion:	v5.3.1
FileVersion:	v5.3.1
CompanyName:	MINA Overwatch 2 Server Selector
Comments:	Created with InstallForge 1.4.4


(PID) Process:	(752) Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\DirectSound\Speaker Configuration
Operation:	write	Name:	Speaker Configuration
Value: 4
(PID) Process:	(752) Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MINA Overwatch 2 Server Blocker
Operation:	write	Name:	DisplayIcon
Value: C:\Users\admin\AppData\Roaming\OverwatchServerBlocker\bin\LOGO_SMALL_APPLICATION.ico
(PID) Process:	(752) Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MINA Overwatch 2 Server Blocker
Operation:	write	Name:	UninstallString
Value: C:\Users\admin\AppData\Roaming\OverwatchServerBlocker\bin\Uninstall.exe
(PID) Process:	(752) Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MINA Overwatch 2 Server Blocker
Operation:	write	Name:	InstallDate
Value: 20240929
(PID) Process:	(752) Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MINA Overwatch 2 Server Blocker
Operation:	write	Name:	InstallLocation
Value: C:\Users\admin\AppData\Roaming\OverwatchServerBlocker\bin\
(PID) Process:	(752) Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MINA Overwatch 2 Server Blocker
Operation:	write	Name:	EstimatedSize
Value: 19539
(PID) Process:	(752) Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MINA Overwatch 2 Server Blocker
Operation:	write	Name:	NoModify
Value: 1
(PID) Process:	(752) Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MINA Overwatch 2 Server Blocker
Operation:	write	Name:	NoRepair
Value: 1
(PID) Process:	(752) Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MINA Overwatch 2 Server Blocker
Operation:	write	Name:	DisplayName
Value: MINA Overwatch 2 Server Blocker
(PID) Process:	(752) Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MINA Overwatch 2 Server Blocker
Operation:	write	Name:	DisplayVersion
Value: v5.3.1

PID	Process	Filename		Type
752	Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	C:\Users\admin\AppData\Local\Temp\IF{CCDE57C0-1C8F-4768-A810-53B56F51EB04}\setupArchive.archive		—
		MD5:—	SHA256:—
752	Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	C:\Users\admin\AppData\Local\Temp\IF{CCDE57C0-1C8F-4768-A810-53B56F51EB04}\setupConfiguration.archive		compressed
		MD5:1ED04F1E24D4FA4B1C0A2DF377FDB7DF	SHA256:180060A733573D2C244A23BBCCD7CE01637C1F945050F223114FB6A661CA5A3D
752	Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	C:\Users\admin\AppData\Local\Temp\IF{CCDE57C0-1C8F-4768-A810-53B56F51EB04}\Desktop.dat		text
		MD5:CD62A014565BD37768BB75EB18E9B21B	SHA256:6283CD2407D5DEEEBC3B42B7551798E0F668F8A8410E47F86A2D5CF297D9C6E1
752	Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	C:\Users\admin\AppData\Local\Temp\IF{CCDE57C0-1C8F-4768-A810-53B56F51EB04}\عربي.ifl		text
		MD5:E2C1EDD5D82047DB863AE8D681E5B308	SHA256:D6C9A3112EFE9F42783268E7EC66021B5CF3AC4BFE4522C57B2A96B58B0E4474
752	Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	C:\Users\admin\AppData\Local\Temp\IF{CCDE57C0-1C8F-4768-A810-53B56F51EB04}\wizardImage.dat		image
		MD5:8224F9E1E4EE098CE2DAEA4A387A1C8E	SHA256:9DF14CF88C77B301C9EB60AD43545F850CEDB3F2B890FA15A43099384532BBF1
752	Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	C:\Users\admin\AppData\Local\Temp\IF{CCDE57C0-1C8F-4768-A810-53B56F51EB04}\headerImage.dat		image
		MD5:1F8A555068BB43A7261974BE5CD9A756	SHA256:8C8988E06395FA7CF06BA0146EF971F3680E8A006E4286466C7B51F8AAC2FF03
752	Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	C:\Users\admin\AppData\Local\Temp\IF{CCDE57C0-1C8F-4768-A810-53B56F51EB04}\OS.dat		text
		MD5:48D3C4D4CDC791B3C3E5B4432C3EA0BA	SHA256:38F778CBB7AA3D52F7FD5AB5CCF30B25962A6A5FECDFF6EFBB10501829459CA5
752	Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	C:\Users\admin\AppData\Local\Temp\IF{CCDE57C0-1C8F-4768-A810-53B56F51EB04}\isps.dat		image
		MD5:8224F9E1E4EE098CE2DAEA4A387A1C8E	SHA256:9DF14CF88C77B301C9EB60AD43545F850CEDB3F2B890FA15A43099384532BBF1
752	Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	C:\Users\admin\AppData\Roaming\OverwatchServerBlocker\bin\Uninstall.exe		executable
		MD5:C18C2BCC6E98372842F6F92FEDCD729A	SHA256:C805457B276D68B08BDD5A2B40C5CAF764F6D85E371EAE7670E71B075434A3CC
752	Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	C:\Users\admin\AppData\Local\Temp\IF{CCDE57C0-1C8F-4768-A810-53B56F51EB04}\languages.dat		text
		MD5:9B19749D2B9A0BFCD91EC91E8294B94E	SHA256:250D7DFD1810D232F48AAB673AC62AA1A5B635F2E7DFC63F4BC136F2D223B526

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3916	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2120	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	200	13.69.116.109:443	https://browser.pipe.aria.microsoft.com/Collector/3.0/?qsp=true&content-type=application%2Fbond-compact-binary&client-id=NO_AUTH&sdk-version=AWT-Web-CJS-1.2.0&x-apikey=33d70a864599496b982a39f036f71122-2064703e-3a9d-4d90-8362-eec08dffe8e8-7176	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
3916	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3916	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2120	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2120	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3916	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.104.136.2	whitelisted
google.com	142.250.185.174	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
browser.pipe.aria.microsoft.com	20.189.173.16	whitelisted
www.google.com	142.250.184.228	whitelisted

General Info

Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe

6940A2574B9F6B57131A1FFFC99631C1

4D03F302532BAE46A39095648986C6201075C285

1393E44E7E78171E5D713D99972B5D80F816D6A1B32B3ABBCC3726D1F44F1E6F

196608:VTg/62egx3Uku5Q92CP9AoIDveNvYiVhq9vJUW+P:32DSyP9vIDveNvY0kUXP

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Process drops legitimate windows executable

Executable content was dropped or overwritten

Process drops python dynamic module

The process drops C-runtime libraries

Application launched itself

INFO

Checks supported languages

Reads the computer name

Manual execution by a user

PyInstaller has been detected (YARA)

Create files in a temporary directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings