File name:	setup-win32-bundle.exe
Full analysis:	https://app.any.run/tasks/2afa6bce-8303-41ef-b093-b3be5e6e7210
Verdict:	Malicious activity
Analysis date:	May 13, 2024, 10:21:34
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	A47B9A738A7391837D36E84DC5ED2078
SHA1:	D2D229263CA34085D51C10258725FA982999E611
SHA256:	D67709AF6DEC9A253DB284635D6A54371E496C0DE16CF48C45425E0F35FCB1E0
SSDEEP:	24576:qLN9pggkHLWqnivnuhHqaEVYS/HDowwrBcEc:qLN9SgkHLWqnivnuhHqvVYSvDowwrBc3

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2019:09:17 05:33:38+00:00
ImageFileCharacteristics:	Executable, 32-bit, Removable run from swap, Net run from swap
PEType:	PE32
LinkerVersion:	14.16
CodeSize:	299008
InitializedDataSize:	228352
UninitializedDataSize:	-
EntryPoint:	0x2df71
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	ivanovsasha224
FileDescription:	AdBlock Shield 1.0.0.0
FileVersion:	1.0.0.0
InternalName:	setup
LegalCopyright:	2023 (c) ivanovsasha224
OriginalFileName:	setup-win32-bundle.exe
ProductName:	AdBlock Shield 1.0.0.0
ProductVersion:	1.0.0.0


(PID) Process:	(7004) setup-win32-bundle.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f003d497-0bea-4e89-a61c-2a0e6cbb33ab}
Operation:	write	Name:	BundleCachePath
Value: C:\Users\admin\AppData\Local\Package Cache\{f003d497-0bea-4e89-a61c-2a0e6cbb33ab}\setup-win32-bundle.exe
(PID) Process:	(7004) setup-win32-bundle.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f003d497-0bea-4e89-a61c-2a0e6cbb33ab}
Operation:	write	Name:	BundleUpgradeCode
Value: {E14F3FF7-FB63-42A4-9033-C433A21DE8CE}
(PID) Process:	(7004) setup-win32-bundle.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f003d497-0bea-4e89-a61c-2a0e6cbb33ab}
Operation:	write	Name:	BundleAddonCode
Value:
(PID) Process:	(7004) setup-win32-bundle.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f003d497-0bea-4e89-a61c-2a0e6cbb33ab}
Operation:	write	Name:	BundleDetectCode
Value:
(PID) Process:	(7004) setup-win32-bundle.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f003d497-0bea-4e89-a61c-2a0e6cbb33ab}
Operation:	write	Name:	BundlePatchCode
Value:
(PID) Process:	(7004) setup-win32-bundle.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f003d497-0bea-4e89-a61c-2a0e6cbb33ab}
Operation:	write	Name:	BundleVersion
Value: 1.0.0.0
(PID) Process:	(7004) setup-win32-bundle.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f003d497-0bea-4e89-a61c-2a0e6cbb33ab}
Operation:	write	Name:	VersionMajor
Value: 1
(PID) Process:	(7004) setup-win32-bundle.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f003d497-0bea-4e89-a61c-2a0e6cbb33ab}
Operation:	write	Name:	VersionMinor
Value: 0
(PID) Process:	(7004) setup-win32-bundle.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f003d497-0bea-4e89-a61c-2a0e6cbb33ab}
Operation:	write	Name:	BundleProviderKey
Value: {f003d497-0bea-4e89-a61c-2a0e6cbb33ab}
(PID) Process:	(7004) setup-win32-bundle.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{f003d497-0bea-4e89-a61c-2a0e6cbb33ab}
Operation:	write	Name:	BundleTag
Value:

PID	Process	Filename		Type
7004	setup-win32-bundle.exe	C:\Users\admin\AppData\Local\Temp\{E57707CB-1D4C-4932-87C5-A6C267156173}\.be\setup-win32-bundle.exe		executable
		MD5:A47B9A738A7391837D36E84DC5ED2078	SHA256:D67709AF6DEC9A253DB284635D6A54371E496C0DE16CF48C45425E0F35FCB1E0
7004	setup-win32-bundle.exe	C:\Users\admin\AppData\Local\Temp\{E57707CB-1D4C-4932-87C5-A6C267156173}\.ba\logoside.png		image
		MD5:6315DB25027BE0E79A0BC37A8D1FDBD9	SHA256:467A875B5497F5E64C7E57F9F794393BF9AA46875EEBA1E93DD3B989B5EA42EC
7004	setup-win32-bundle.exe	C:\Users\admin\AppData\Local\Temp\{E57707CB-1D4C-4932-87C5-A6C267156173}\.ba\BootstrapperApplicationData.xml		xml
		MD5:383EC114E8BBBAE05E5A5EB8EEA590C6	SHA256:E0F89478595B09193C3580763D0ABA9F25419343CE94781FCD34B5F16B516440
7004	setup-win32-bundle.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA		binary
		MD5:3E549B5389BC9C0837D865F0FD5E6F76	SHA256:FFF9D6642902E0E72199831F2EFA86DEF70CC12C3647DC7907A1F10F07F37E01
7004	setup-win32-bundle.exe	C:\Users\admin\AppData\Local\Temp\{E57707CB-1D4C-4932-87C5-A6C267156173}\.ba\logo.png		image
		MD5:DD4904CC8AE2C4B79A2AF5DAC0A90E59	SHA256:C3E77A92B70435144BEE04F948A68A3AFA6120B2885810DE784C9A644A95E06F
7004	setup-win32-bundle.exe	C:\Users\admin\AppData\Local\Temp\{E57707CB-1D4C-4932-87C5-A6C267156173}\.ba\thm.xml		xml
		MD5:C782782276C9B777DE65154AB442BED5	SHA256:C9278956FCD92C66D51D5DB42CEF5D2D85F8A8232E2BBC0670B0A1355F69E8EC
7004	setup-win32-bundle.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464		binary
		MD5:1EFAD9ADA3245672046C1BE68F95449B	SHA256:BDB6AA674EB3BD256266CD3BE93410CB2097297F2AD3F970E4464E532527BC62
7004	setup-win32-bundle.exe	C:\Users\admin\AppData\Local\Package Cache\{f003d497-0bea-4e89-a61c-2a0e6cbb33ab}\state.rsm		binary
		MD5:BEF175B3FEB9F14C30087A8065CCAF92	SHA256:11E93485FEF2B6000D478CE3C86C091314EF260345CC95F4084CA9388AA4BF72
6980	setup-win32-bundle.exe	C:\Users\admin\AppData\Local\Temp\{E97D013A-6F3B-4BD0-B78E-418DBF585828}\.cr\setup-win32-bundle.exe		executable
		MD5:A47B9A738A7391837D36E84DC5ED2078	SHA256:D67709AF6DEC9A253DB284635D6A54371E496C0DE16CF48C45425E0F35FCB1E0
7004	setup-win32-bundle.exe	C:\Users\admin\AppData\Local\Temp\{E57707CB-1D4C-4932-87C5-A6C267156173}\.ba\wixstdba.dll		executable
		MD5:FE7E0BD53F52E6630473C31299A49FDD	SHA256:2BEA14D70943A42D344E09B7C9DE5562FA7E109946E1C615DD584DA30D06CC80

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7004	setup-win32-bundle.exe	GET	200	216.58.206.67:80	http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFCjJ1PwkYAi7fE%3D	unknown	—	—	unknown
7004	setup-win32-bundle.exe	GET	200	216.58.206.67:80	http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D	unknown	—	—	unknown
2592	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	unknown
4680	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D	unknown	—	—	unknown
6360	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	unknown
2908	OfficeClickToRun.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D	unknown	—	—	unknown
428	SIHClient.exe	GET	200	104.79.89.142:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	unknown
428	SIHClient.exe	GET	200	104.79.89.142:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4856	RUXIMICS.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5140	MoUsoCoreWorker.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
7004	setup-win32-bundle.exe	188.114.96.3:443	dl.fastcloudapp.com	CLOUDFLARENET	NL	unknown
7004	setup-win32-bundle.exe	216.58.206.67:80	ocsp.pki.goog	GOOGLE	US	whitelisted
5140	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
2592	svchost.exe	40.126.32.68:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
4680	SearchApp.exe	2.23.209.150:443	www.bing.com	Akamai International B.V.	GB	whitelisted

Domain	IP	Reputation
dl.fastcloudapp.com	188.114.96.3 188.114.97.3	unknown
ocsp.pki.goog	216.58.206.67	whitelisted
settings-win.data.microsoft.com	40.127.240.158	whitelisted
login.live.com	40.126.32.68 40.126.32.138 40.126.32.74 40.126.32.136 40.126.32.72 20.190.160.22 20.190.160.20 40.126.32.134	whitelisted
www.bing.com	2.23.209.150 2.23.209.177 2.23.209.161 2.23.209.160 2.23.209.179 2.23.209.154 2.23.209.158 2.23.209.181 2.23.209.182	whitelisted
r.bing.com	2.23.209.181 2.23.209.158 2.23.209.154 2.23.209.161 2.23.209.182 2.23.209.179 2.23.209.150 2.23.209.160 2.23.209.177	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
go.microsoft.com	184.28.89.167	whitelisted
client.wns.windows.com	40.113.110.67	whitelisted
arc.msn.com	20.223.35.26	whitelisted

General Info

setup-win32-bundle.exe

A47B9A738A7391837D36E84DC5ED2078

D2D229263CA34085D51C10258725FA982999E611

D67709AF6DEC9A253DB284635D6A54371E496C0DE16CF48C45425E0F35FCB1E0

24576:qLN9pggkHLWqnivnuhHqaEVYS/HDowwrBcEc:qLN9SgkHLWqnivnuhHqvVYSvDowwrBc3

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Changes the autorun value in the registry

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Starts itself from another location

Checks Windows Trust Settings

Creates a software uninstall entry

Searches for installed software

INFO

Reads the machine GUID from the registry

Checks supported languages

Create files in a temporary directory

Reads the computer name

Reads the software policy settings

Creates files or folders in the user directory

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings