microsoft_paint.exe

Bagugo

PlatformFlash (Alpha Criteria Ltd.)

The application microsoft_paint.exe, “Bagugo Setup” by PlatformFlash (Alpha Criteria Ltd.), has been detected as adware by 1 of 68 anti-malware scanners (a heuristic InstallCore rule, listed under the scan result below), with very strong indications that the file is a potential threat. The program is a setup application built on the InstallCore installer engine, which may bundle additional software offers including toolbars and browser extensions. The file has been seen being downloaded from www.toursbundletour.com.
Publisher:
PlatformFlash (Alpha Criteria Ltd.)  (signed and verified)

Product:
Bagugo

Description:
Bagugo Setup

MD5:
a338a6b8b02dd3b463612ebcc8284d2a

SHA-1:
e664d560b2bd815c6b7b6a29530c0ff3b85961c3

SHA-256:
699c1ffa354295e08d542c0b32880548cb585314ee98785a3be22c3739feb6b9

Scanner detections:
1 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Description:
This is also known as bundleware or downloadware: a downloader designed to deliver ad-supported offers during the setup routine of otherwise legitimate software.

Analysis date:
11/14/2024 3:09:57 PM UTC

Scan engine         Detection                Engine version
Reason Heuristics   PUP.InstallCore.AC (M)   17.3.4.13

File size:
969.7 KB (993,016 bytes)

Product version:
4.1

Copyright:
Stub wizard

File type:
Executable application (Win32 EXE)

Bundler/Installer:
installCore (using Inno Setup)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\microsoft\windows\inetcache\ie\{random}\microsoft_paint.exe

Digital Signature
Authority:
GlobalSign nv-sa

Valid from:
1/6/2016 6:49:33 AM

Valid to:
8/18/2016 6:17:41 AM

Subject:
CN=PlatformFlash (Alpha Criteria Ltd.), O=PlatformFlash (Alpha Criteria Ltd.), L=Tel Aviv, C=IL

Issuer:
CN=GlobalSign CodeSigning CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE

Serial number:
11215691C3B6E032A08894E88B37F278AE4B

File PE Metadata
Compilation timestamp:
6/19/1992 3:22:17 PM (this is the fixed placeholder value 0x2A425E19 that the Borland/Delphi linker writes into every PE it produces, not the real build date; Inno Setup stubs are Delphi-built, which is consistent with the linker version 2.25 below)

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

Entry address:
0xA5F8

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, CE, 8A, FF, FF, E8, D5, 9C, FF, FF, E8, 64, 9F, FF, FF, E8, 07, A0, FF, FF, E8, A6, BF, FF, FF, E8, 11, E9, FF, FF, E8, 78, EA, FF, FF, 33, C0, 55, 68, C9, AC, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, 92, AC, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 26, F5, FF, FF, E8, 11, F1, FF, FF, 80, 3D, 34, B2, 40, 00, 00, 74, 0C, E8, 23, F6, FF, FF, 33, C0, E8, C4, 97, FF, FF, 8D, 55, F0, 33, C0, E8, B6, C5, FF, FF, 8B, 55...

Entropy:
7.9012

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
39.5 KB (40,448 bytes)
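Added example (not code from the listing, from Reason Core Security, or from the publisher): a Python triage script that applies the indicators on this page to a file on disk. It compares the file's MD5/SHA-1/SHA-256 against the listed digests, computes Shannon entropy (the listing reports 7.9012, i.e. an almost fully compressed payload), and parses the PE COFF and optional headers for the compile timestamp, linker version, code size and entry-point RVA, flagging the Delphi placeholder timestamp. The `build_sample_pe` helper constructs a minimal synthetic PE header so the parser can be exercised offline; it is not the sample itself, and the `Inno Setup` string check is a loose heuristic assumption rather than a definitive identification.

```python
import hashlib
import math
import struct
from datetime import datetime, timezone

# Indicators copied from the listing above for microsoft_paint.exe.
KNOWN_HASHES = {
    "md5": "a338a6b8b02dd3b463612ebcc8284d2a",
    "sha1": "e664d560b2bd815c6b7b6a29530c0ff3b85961c3",
    "sha256": "699c1ffa354295e08d542c0b32880548cb585314ee98785a3be22c3739feb6b9",
}

# Fixed TimeDateStamp (19 June 1992 22:22:17 UTC) that Borland/Delphi-built
# PEs carry instead of a real build time; Inno Setup stubs are Delphi binaries.
DELPHI_PLACEHOLDER_TIMESTAMP = 0x2A425E19


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the file contents as lowercase hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_known_sample(data: bytes) -> bool:
    """True only when all three digests equal the listed indicators."""
    return file_hashes(data) == KNOWN_HASHES


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0..8.0; values near 8 mean compressed or encrypted content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_header_fields(data: bytes) -> dict:
    """Read the COFF/optional-header fields the listing reports (no section parsing)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, ...
    _machine, _nsections, timestamp = struct.unpack_from("<HHI", data, coff)
    opt = coff + 20
    # Optional header: Magic, MajorLinkerVersion, MinorLinkerVersion, SizeOfCode, ...
    magic, linker_major, linker_minor, size_of_code = struct.unpack_from("<HBBI", data, opt)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    return {
        "pe32": magic == 0x10B,
        "timestamp": timestamp,
        "timestamp_utc": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
        "delphi_placeholder_timestamp": timestamp == DELPHI_PLACEHOLDER_TIMESTAMP,
        "linker_version": f"{linker_major}.{linker_minor}",
        "size_of_code": size_of_code,
        "entry_rva": entry_rva,
    }


def triage(data: bytes) -> dict:
    """Combine the checks into one report for an analyst."""
    report = pe_header_fields(data)
    report["known_sample"] = matches_known_sample(data)
    report["entropy"] = round(shannon_entropy(data), 4)
    # Heuristic assumption: Inno Setup installers embed this marker string.
    report["inno_setup_marker"] = b"Inno Setup" in data
    return report


def build_sample_pe(timestamp: int, linker=(2, 25), entry_rva=0xA5F8,
                    size_of_code=40448) -> bytes:
    """Constructed minimal PE header (headers only, not a runnable binary) for testing."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, 3 sections, timestamp, no symbols, 224-byte optional header, EXE flags.
    coff = struct.pack("<HHIIIHH", 0x14C, 3, timestamp, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<HBBI", opt, 0, 0x10B, linker[0], linker[1], size_of_code)
    struct.pack_into("<I", opt, 16, entry_rva)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_sample_pe(DELPHI_PLACEHOLDER_TIMESTAMP)
    for key, value in triage(blob).items():
        print(f"{key:>30}: {value}")
```

Run it as `python triage.py microsoft_paint.exe` against a quarantined copy; without an argument it runs against the synthetic header so the output shape can be checked safely. A `known_sample` of True means the file is byte-identical to the one analysed here; a Delphi placeholder timestamp plus linker 2.25 and entropy above 7.5 is the profile an Inno Setup/InstallCore stub presents even when the hashes differ.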

The file microsoft_paint.exe has been seen being distributed by the following URL.

http://www.toursbundletour.com/7QXiWuhod6oDMEiTV3vy1GXpZSQD2nsDxG63_JwNoc2DYRr3cbQgh_XadAVzWRM05GlIZ01ilghLBbk6mxmS2c2eK6Yo74VAvV2flIDklf4_2zjXbJ14_5lNDBJzmkFVsJfoAFYSqB3tCknVNbh2OhBkfIZ17y9ZaLdqoPJhENj92cpseX7Y0FRPADjGtxFTztfr14vloTsNuVBI3zIzLNWl7BQqul8jxJVCsiKVY6reyFgmhp76Er46v3ZBAfAu_u6bQD4tKDByn2l8mAglaQbwwjLa6iUD9wC8juqPTGqSkuz9tGJA9kRuDkknCCgz6fKPIK4iWEmsjAAQanPXi1EtXlpB9_L3wNH4WHIEcWL6MFEJnKtzlLPlGboHbn9pL0gZeMqKWgzEvpHme1QCG2cQc4uM6ETurkQ6iEruTJfPUmT5VKl934cn2E05Qysdvj60or5QocJKnkVIMV1gYK3VAlyidBLHf0ZaTwH3IvtBgFydeI8mEGpmh0YSBo_WH6V-G3wAAES3X2edlyj6xwREh4aWEJNDti79daavyccxxjUDocf1qITry0qpzHOChc1zzUdtdTa6498elT0H7N_8N2ubfBaIjYK3AFq0ar2PHnxLqAA

Remove microsoft_paint.exe - Powered by Reason Core Security