File name:	Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe
Full analysis:	https://app.any.run/tasks/e547c8ae-d297-4fd2-8ab2-ed62b7ab0ca1
Verdict:	Malicious activity
Analysis date:	September 29, 2024, 13:28:19
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	pyinstaller
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5:	6940A2574B9F6B57131A1FFFC99631C1
SHA1:	4D03F302532BAE46A39095648986C6201075C285
SHA256:	1393E44E7E78171E5D713D99972B5D80F816D6A1B32B3ABBCC3726D1F44F1E6F
SSDEEP:	196608:VTg/62egx3Uku5Q92CP9AoIDveNvYiVhq9vJUW+P:32DSyP9vIDveNvY0kUXP

.exe	\|	Win32 Executable MS Visual C++ (generic) (64.4)
.dll	\|	Win32 Dynamic Link Library (generic) (13.5)
.exe	\|	Win32 Executable (generic) (9.3)
.exe	\|	Win16/32 Executable Delphi generic (4.2)
.exe	\|	Generic Win/DOS Executable (4.1)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:07:18 17:13:29+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType:	PE32
LinkerVersion:	2.5
CodeSize:	795648
InitializedDataSize:	198144
UninitializedDataSize:	-
EntryPoint:	0x16276
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	0.3.1.0
ProductVersionNumber:	0.3.1.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Unknown (0)
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
ProductName:	MINA Overwatch 2 Server Blocker Setup
InternalName:	Setup MINA Overwatch 2 Server Selector v5.3.1
OriginalFileName:	Setup MINA Overwatch 2 Server Selector v5.3.1.exe
ProductVersion:	v5.3.1
FileVersion:	v5.3.1
CompanyName:	MINA Overwatch 2 Server Selector
Comments:	Created with InstallForge 1.4.4


(PID) Process:	(752) Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\DirectSound\Speaker Configuration
Operation:	write	Name:	Speaker Configuration
Value: 4
(PID) Process:	(752) Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MINA Overwatch 2 Server Blocker
Operation:	write	Name:	DisplayIcon
Value: C:\Users\admin\AppData\Roaming\OverwatchServerBlocker\bin\LOGO_SMALL_APPLICATION.ico
(PID) Process:	(752) Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MINA Overwatch 2 Server Blocker
Operation:	write	Name:	UninstallString
Value: C:\Users\admin\AppData\Roaming\OverwatchServerBlocker\bin\Uninstall.exe
(PID) Process:	(752) Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MINA Overwatch 2 Server Blocker
Operation:	write	Name:	InstallDate
Value: 20240929
(PID) Process:	(752) Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MINA Overwatch 2 Server Blocker
Operation:	write	Name:	InstallLocation
Value: C:\Users\admin\AppData\Roaming\OverwatchServerBlocker\bin\
(PID) Process:	(752) Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MINA Overwatch 2 Server Blocker
Operation:	write	Name:	EstimatedSize
Value: 19539
(PID) Process:	(752) Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MINA Overwatch 2 Server Blocker
Operation:	write	Name:	NoModify
Value: 1
(PID) Process:	(752) Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MINA Overwatch 2 Server Blocker
Operation:	write	Name:	NoRepair
Value: 1
(PID) Process:	(752) Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MINA Overwatch 2 Server Blocker
Operation:	write	Name:	DisplayName
Value: MINA Overwatch 2 Server Blocker
(PID) Process:	(752) Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MINA Overwatch 2 Server Blocker
Operation:	write	Name:	DisplayVersion
Value: v5.3.1

PID	Process	Filename		Type
752	Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	C:\Users\admin\AppData\Local\Temp\IF{CCDE57C0-1C8F-4768-A810-53B56F51EB04}\setupArchive.archive		—
		MD5:—	SHA256:—
752	Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	C:\Users\admin\AppData\Local\Temp\IF{CCDE57C0-1C8F-4768-A810-53B56F51EB04}\SC.dat		text
		MD5:1F4107FA05F5058029931D7373D7E70A	SHA256:7C2EBF176D82646A8BD29D861C2AF23A58855FD4C13FFAC87296F4BB103139F4
752	Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	C:\Users\admin\AppData\Local\Temp\IF{CCDE57C0-1C8F-4768-A810-53B56F51EB04}\English.ifl		text
		MD5:2922D0C758D9C3C10CBDC59F91979D0C	SHA256:20F6D12EAC29BD6DDC6A99DD276C5E200FAC25C976AB4293195B58EC164C253F
752	Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	C:\Users\admin\AppData\Local\Temp\IF{CCDE57C0-1C8F-4768-A810-53B56F51EB04}\isps.dat		image
		MD5:8224F9E1E4EE098CE2DAEA4A387A1C8E	SHA256:9DF14CF88C77B301C9EB60AD43545F850CEDB3F2B890FA15A43099384532BBF1
752	Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	C:\Users\admin\AppData\Local\Temp\IF{CCDE57C0-1C8F-4768-A810-53B56F51EB04}\Serials.dat		text
		MD5:465E2403B5F46A0B87261BB19B0BCA64	SHA256:F71F7B2D23D21C68E7F5C10A1A9F6244BD675727F3DB108767FB934F0CA4C011
752	Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	C:\Users\admin\AppData\Local\Temp\IF{CCDE57C0-1C8F-4768-A810-53B56F51EB04}\Desktop.dat		text
		MD5:CD62A014565BD37768BB75EB18E9B21B	SHA256:6283CD2407D5DEEEBC3B42B7551798E0F668F8A8410E47F86A2D5CF297D9C6E1
752	Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	C:\Users\admin\AppData\Local\Temp\IF{CCDE57C0-1C8F-4768-A810-53B56F51EB04}\wizardImage.dat		image
		MD5:8224F9E1E4EE098CE2DAEA4A387A1C8E	SHA256:9DF14CF88C77B301C9EB60AD43545F850CEDB3F2B890FA15A43099384532BBF1
752	Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	C:\Users\admin\AppData\Local\Temp\IF{CCDE57C0-1C8F-4768-A810-53B56F51EB04}\setupConfiguration.archive		compressed
		MD5:1ED04F1E24D4FA4B1C0A2DF377FDB7DF	SHA256:180060A733573D2C244A23BBCCD7CE01637C1F945050F223114FB6A661CA5A3D
752	Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	C:\Users\admin\AppData\Local\Temp\IF{CCDE57C0-1C8F-4768-A810-53B56F51EB04}\عربي.ifl		text
		MD5:E2C1EDD5D82047DB863AE8D681E5B308	SHA256:D6C9A3112EFE9F42783268E7EC66021B5CF3AC4BFE4522C57B2A96B58B0E4474
752	Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe	C:\Users\admin\AppData\Local\Temp\IF{CCDE57C0-1C8F-4768-A810-53B56F51EB04}\headerImage.dat		image
		MD5:1F8A555068BB43A7261974BE5CD9A756	SHA256:8C8988E06395FA7CF06BA0146EF971F3680E8A006E4286466C7B51F8AAC2FF03

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2120	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3916	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	200	13.69.116.109:443	https://browser.pipe.aria.microsoft.com/Collector/3.0/?qsp=true&content-type=application%2Fbond-compact-binary&client-id=NO_AUTH&sdk-version=AWT-Web-CJS-1.2.0&x-apikey=33d70a864599496b982a39f036f71122-2064703e-3a9d-4d90-8362-eec08dffe8e8-7176	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
3916	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3916	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2120	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2120	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3916	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.104.136.2	whitelisted
google.com	142.250.185.174	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
browser.pipe.aria.microsoft.com	20.189.173.16	whitelisted
www.google.com	142.250.184.228	whitelisted

General Info

Setup.MINA.Overwatch.2.Server.Selector.v5.3.1.exe

6940A2574B9F6B57131A1FFFC99631C1

4D03F302532BAE46A39095648986C6201075C285

1393E44E7E78171E5D713D99972B5D80F816D6A1B32B3ABBCC3726D1F44F1E6F

196608:VTg/62egx3Uku5Q92CP9AoIDveNvYiVhq9vJUW+P:32DSyP9vIDveNvY0kUXP

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Process drops legitimate windows executable

Process drops python dynamic module

The process drops C-runtime libraries

Executable content was dropped or overwritten

Application launched itself

INFO

Reads the computer name

Create files in a temporary directory

Checks supported languages

Manual execution by a user

PyInstaller has been detected (YARA)

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings