Malware analysis Setup.exe Malicious activity | ANY.RUN

Add for printing

File name:	Setup.exe
Full analysis:	https://app.any.run/tasks/35a92335-48d6-4d56-9b2c-c9c27cf97fe7
Verdict:	Malicious activity
Analysis date:	December 16, 2024, 13:22:01
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:	ADE1F73F0C1FFC7FBA4FAE119555C323
SHA1:	D71CCE1E1E34739FB5F8CAB1DB7DEE76566D1653
SHA256:	976150102B536E4147E65B830969773449EB5C9807B422BD40C497371EF65910
SSDEEP:	98304:AIl5cHt9R83UehaGbQgtX6zp5WHzUMrCn7DZI/LmfsQ+1qukdMWnGb2b1i/SQcdN:RcQiujwPeEIFw1t

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Antivirus name has been found in the command line (generic signature)
  - MpCmdRun.exe (PID: 6072)
  - MpCmdRun.exe (PID: 436)
SUSPICIOUS
- Malware-specific behavior (creating "System.dll" in Temp)
  - Setup.exe (PID: 6896)
- Creates a software uninstall entry
  - OTService.exe (PID: 6944)
  - Setup.exe (PID: 6896)
- Executes as Windows Service
  - OTService.exe (PID: 7004)
- Executable content was dropped or overwritten
  - OTService.exe (PID: 6944)
  - Setup.exe (PID: 6896)
- The process creates files with name similar to system file names
  - Setup.exe (PID: 6896)
  - OTService.exe (PID: 6944)
- Searches for installed software
  - OTService.exe (PID: 7004)
- Checks Windows Trust Settings
  - OTService.exe (PID: 7004)
INFO
- The sample compiled with english language support
  - OTService.exe (PID: 6944)
  - Setup.exe (PID: 6896)
- Create files in a temporary directory
  - Setup.exe (PID: 6896)
- Reads the computer name
  - OTService.exe (PID: 6944)
  - OTService.exe (PID: 7004)
  - Setup.exe (PID: 6896)
  - MpCmdRun.exe (PID: 6072)
- Checks supported languages
  - OTService.exe (PID: 6944)
  - OTService.exe (PID: 7004)
  - Setup.exe (PID: 6896)
  - MpCmdRun.exe (PID: 436)
  - MpCmdRun.exe (PID: 6072)
- Reads the software policy settings
  - OTService.exe (PID: 7004)
- Creates files in the program directory
  - OTService.exe (PID: 6944)
- The process uses the downloaded file
  - WINWORD.EXE (PID: 6972)
- Sends debugging messages
  - WINWORD.EXE (PID: 6972)
- Reads the machine GUID from the registry
  - OTService.exe (PID: 7004)
- Manual execution by a user
  - WINWORD.EXE (PID: 6972)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	NSIS - Nullsoft Scriptable Install System (94.8)
.exe	\|	Win32 Executable MS Visual C++ (generic) (3.4)
.dll	\|	Win32 Dynamic Link Library (generic) (0.7)
.exe	\|	Win32 Executable (generic) (0.5)
.exe	\|	Generic Win/DOS Executable (0.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2009:06:06 21:41:48+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	23040
InitializedDataSize:	119808
UninitializedDataSize:	1024
EntryPoint:	0x30cb
OSVersion:	4
ImageVersion:	6.1
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	7.2.47.0
ProductVersionNumber:	7.2.47.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Windows, Latin1
Comments:	The setup program for Adobe OptiTune Module
CompanyName:	Adobe Inc.
FileDescription:	Adobe OptiTune Module Setup
FileVersion:	7.2.47.0
LegalCopyright:	© 2024 Adobe Inc.
LegalTrademarks:	Adobe OptiTune Module is a trademark of Adobe Inc.
ProductName:	Adobe OptiTune Module

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

148

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

436

"C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate

C:\Program Files\Windows Defender\MpCmdRun.exe

—

OTService.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft Malware Protection Command Line Utility

Exit code:

Version:

4.18.1909.6 (WinBuild.160101.0800)

Modules

Images
c:\program files\windows defender\mpcmdrun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll

5556

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

MpCmdRun.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6072

"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1

C:\Program Files\Windows Defender\MpCmdRun.exe

—

OTService.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft Malware Protection Command Line Utility

Exit code:

Version:

4.18.1909.6 (WinBuild.160101.0800)

Modules

Images
c:\program files\windows defender\mpcmdrun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll

6316

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

MpCmdRun.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6756

"C:\Users\admin\AppData\Local\Temp\Setup.exe"

C:\Users\admin\AppData\Local\Temp\Setup.exe

—

explorer.exe

User:

admin

Company:

Adobe Inc.

Integrity Level:

MEDIUM

Description:

Adobe OptiTune Module Setup

Exit code:

3221226540

Version:

7.2.47.0

Modules

Images
c:\users\admin\appdata\local\temp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

6868

"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "17B804F6-266B-4271-9CF8-96B267BF1831" "E49F5A96-0BC0-466C-B1C0-4B9B946A37B0" "6972"

C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe

—

WINWORD.EXE

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.

Version:

0.12.2.0

Modules

Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

6896

"C:\Users\admin\AppData\Local\Temp\Setup.exe"

C:\Users\admin\AppData\Local\Temp\Setup.exe

explorer.exe

User:

admin

Company:

Adobe Inc.

Integrity Level:

HIGH

Description:

Adobe OptiTune Module Setup

Exit code:

Version:

7.2.47.0

Modules

Images
c:\users\admin\appdata\local\temp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

6944

"C:\Users\admin\AppData\Local\Temp\nsr761E.tmp\OTService.exe" /install cserv://manage.opti-tune.com/client

C:\Users\admin\AppData\Local\Temp\nsr761E.tmp\OTService.exe

Setup.exe

User:

admin

Company:

Bravura Software LLC

Integrity Level:

HIGH

Description:

OptiTune Client

Exit code:

Version:

7.2.47.0

Modules

Images
c:\users\admin\appdata\local\temp\nsr761e.tmp\otservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll

6952

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

OTService.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6972

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\Desktop\playeranti.rtf" /o ""

C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Word

Version:

16.0.16026.20146

Modules

Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

Add for printing

Total events

19 556

Read events

19 153

Write events

381

Delete events

Modification events


(PID) Process:	(6944) OTService.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Bravura\OptiTune\ServiceClient
Operation:	write	Name:	Certificate
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB01000000B4A970228D6AEA4294741F073D8738FB04000000020000000000106600000001000020000000DD74954C925BD62015FDFAAEF917F5A93AFC471F1F37481B865A325A40026CEA000000000E8000000002000020000000F9CC193D5119E5649AE87107BEB648F683F7EE674C850F665685B80C3688C8E9100400008189E95A379AF299236EBDE33B6EDB615509B2B6248DF23B0BAAE7AAB3214CCF69404A816EE639FCCACF6C252C51A8393E65073D6FD775F13700B0FD0B1F5FF32142E9B6176DFAD74417EC74256B044EEDD14D46628067BA765031BFF89C1147F2ADB8C90F92C871F2AE2C0413A1DBC7ACE7B9B5B1D67D552C882602AF687142894F36DFBE6DC74029C61F48AD0C4E1202487283C8DADE23772A55B73B35B3D766EC88455572963573427C15427E9D582FB0B6F0D84CC96AAF268052506F28551876B2BFF7AA3536C8E743CED328BA70D34930312EB0F4E2E8649A599174CCDEF45444C27381AB4FF0A7A2D6256C78479EDB1C0EA3CA8CDF843599D04802B0B0D6EDCE0102DA96A99F9E614D5ED896551FB6370B8128D0A6B8CD13DC259EEAE5229627DDE45938447F89A37478A94101A1EA1CC07F0E0B8D97851B385F7BAC701A6BF1097A7C4B2CFA93D559E36E8C5521D5E38367A9B6DA4A79DB20A4806759EA904BF9FE2CDF3BD8E90A3CA509F87CAB019DA6A8EFB383F0308D2EEA4BB0E462616B8E17FF57093B7F91E3A8D61651CE911F2908E1348B87EFCD65091594FDB686DCB78A5E94AE04CBB12068ECD3B7D98ADBC70B1EE7AA771DD0AAB286556313F5CDB345C98D9429EEFBE5F6855FCAF3191B0D997932641D57D11B12F9F2804E7C5A2314EB0AB2A65953FC5D97EDAF49A45EDEAC4E7B118C20DE9EE9ADD14218CE2773D3063ED7FECAAA9DB07F5389CDA82B22B867E1368F2C478A54EC30892BD783280F1C3682E38DD1542C9D64B20A56AAA1877A6F67ADFE2D87E59DC7DD4615BD4885BFA2E039CBE827EB2D5315B1AF5FEB3921B162F198FD5B6F85821FAD3BB14180776D597C6FC8733F660DA5493E7DEC13C689F241240A79308D5FED8726F0B5F041D49E217A552FEFFB9A39392B2947BA9A7D407376060B707345C800F2573E82AD8684CD7037144C758AE348F80193B745EE1C86AD8CD55E8BB17BD926DCCDBC09751710B42CAA6968F964C3E5AF170C72C166CD18A80AEB0E3899468B524E417036051DAE2B63C7DA9F2CD2A5808C0E5EDA4459AA2146A5132E78E9F2C7D499B55FF4A650D17577C16CDABA5ABD36455F41D6AE8164C11BDACDAF69059452C5866DD8849290A312033FD4C7312C74BB26D6DFF6E90CED9B454A80D8632BEA091485433AD24058B3695E00A0B0D3387DFED490A4356E4DAA5938055231C2619FC3969FD590BF69A96997EC1686107E236934F07C482AECF29CF1169C7DA0CEF52348B5969F3826CD4CD28F375BAD1436AAE8B8F2D97E9676D044D126069EAD71521120AA43328958DD94EF11C71EF7FB8F3618140BACB3CF72E3BD1A9935C08966D683E4637825FC4A20F2C60C71126F503925C5205EDEB903482810E39232FC764BF20AF853C02C831438275BEF64E9DF271485B82BD59F953A696B7CB383D317435EF451EE4DCC988A37400000002C8A775F4B3335C059E174848CB220DFB3703DDE7081686B9112FC90CCB4C5F8DD18D3CFF99781992E453AE6C5FA303427EB440B875B2442DA35ED3F68582445
(PID) Process:	(6944) OTService.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OptiTune Client
Operation:	write	Name:	DisplayName
Value: OptiTune Agent
(PID) Process:	(6944) OTService.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OptiTune Client
Operation:	write	Name:	DisplayIcon
Value: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe
(PID) Process:	(6944) OTService.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OptiTune Client
Operation:	write	Name:	DisplayVersion
Value: 7.2.47.0
(PID) Process:	(6944) OTService.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OptiTune Client
Operation:	write	Name:	HelpLink
Value: http://www.bravurasoftware.com/optitune/support/
(PID) Process:	(6944) OTService.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OptiTune Client
Operation:	write	Name:	InstallDate
Value: 20241216
(PID) Process:	(6944) OTService.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OptiTune Client
Operation:	write	Name:	InstallLocation
Value: C:\Program Files (x86)\Bravura\Optitune\ServiceClient
(PID) Process:	(6944) OTService.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OptiTune Client
Operation:	write	Name:	Publisher
Value: Bravura Software LLC
(PID) Process:	(6944) OTService.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OptiTune Client
Operation:	write	Name:	UninstallString
Value: "C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe" /uninstall
(PID) Process:	(6944) OTService.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\OptiTune Client
Operation:	write	Name:	URLInfoAbout
Value: http://www.bravurasoftware.com/optitune/

Add for printing

Executable files

Suspicious files

132

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6896	Setup.exe	C:\Users\admin\AppData\Local\Temp\nsr761E.tmp\UserInfo.dll		executable
		MD5:1E8E11F465AFDABE97F529705786B368	SHA256:7D099352C82612AB27DDFD7310C1AA049B58128FB04EA6EA55816A40A6F6487B
6896	Setup.exe	C:\Users\admin\AppData\Local\Temp\nsr761E.tmp\RealtimeAgent.exe		executable
		MD5:15E409E4F3FB6B6FB73ED48BD0A6C6F6	SHA256:6A3072A2367329B564C9BF77302A5FBF66673FB471C22FC56A12E901C4D90477
6896	Setup.exe	C:\Users\admin\AppData\Local\Temp\nsr761E.tmp\OTService.exe		executable
		MD5:4990C9A13A605CFF70E0A1B81D36114C	SHA256:B5C63F895D27D0572289CB49058EA83B1E49C46A62CA51B4AB44D119111594A4
6896	Setup.exe	C:\Users\admin\AppData\Local\Temp\nsr761E.tmp\modern-wizard.bmp		image
		MD5:364F43CD56678B8A38FFE9F0E7E43F7C	SHA256:92E95573F528430888D7DEE6B175DA94C42B379C5A3C394AF8901D04AFD4EFB3
6896	Setup.exe	C:\Users\admin\AppData\Local\Temp\nsr761E.tmp\System.dll		executable
		MD5:00A0194C20EE912257DF53BFE258EE4A	SHA256:DC4DA2CCADB11099076926B02764B2B44AD8F97CD32337421A4CC21A3F5448F3
6896	Setup.exe	C:\Users\admin\AppData\Local\Temp\nsr761E.tmp\nsExec.dll		executable
		MD5:E54EB27FB5048964E8D1EC7A1F72334B	SHA256:FF00F5F7B8D6CA6A79AEBD08F9625A5579AFFCD09F3A25FDF728A7942527A824
6896	Setup.exe	C:\Users\admin\AppData\Local\Temp\nsr761E.tmp\BVScript.exe		executable
		MD5:8ACC4A4E3D01AB4487EF6B34A3BDDB58	SHA256:9D2FE8A4A229ED2990E33A0330A00C03A415435C3CABD9A42DD882673522BEE4
6896	Setup.exe	C:\Users\admin\AppData\Local\Temp\nsr761E.tmp\SupportCenter.chm		chm
		MD5:7423274FD842124E6CF600603B7344BA	SHA256:DCBB3AD4268A916A222CE3A914061202BB47D5251CC299651C4B7D8C20D841D0
6896	Setup.exe	C:\Users\admin\AppData\Local\Temp\nsr761E.tmp\SupportCenter.exe		executable
		MD5:68D6508E54B59DAE82FC98D7441195C2	SHA256:1EDE8D91DB625A605535488D1C36A5EA7BA3950194CABE7664FFA7ED6A9AAB45
6896	Setup.exe	C:\Users\admin\AppData\Local\Temp\nsr761E.tmp\RemoteService.exe		executable
		MD5:E9C1EE100F88B58B7F2A114F2B5ED2F0	SHA256:4B6FF966EC6509E86C4A1CBF71D71BF434E08E0AAE097A57015AD493DB4A3912

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

169

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6972	WINWORD.EXE	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.32.238.34:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
4704	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
4704	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
5544	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
5544	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7004	OTService.exe	GET	302	20.72.235.82:80	http://update.microsoft.com/redist/wuredist.cab	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:137	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	23.32.238.34:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5064	SearchApp.exe	104.126.37.155:443	www.bing.com	Akamai International B.V.	DE	whitelisted
—	—	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
1176	svchost.exe	40.126.31.73:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1176	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
—	—	23.218.210.69:443	go.microsoft.com	AKAMAI-AS	DE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208	whitelisted
google.com	216.58.206.46	whitelisted
crl.microsoft.com	23.32.238.34 2.19.198.194 23.48.23.143 23.48.23.156	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
www.bing.com	104.126.37.155 104.126.37.138 104.126.37.131 104.126.37.130 104.126.37.152 104.126.37.139 104.126.37.144 104.126.37.146 104.126.37.153	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	40.126.31.73 20.190.159.64 20.190.159.23 20.190.159.73 40.126.31.69 20.190.159.75 20.190.159.4 20.190.159.71	whitelisted
go.microsoft.com	23.218.210.69	whitelisted
manage.opti-tune.com	208.115.104.100	unknown
arc.msn.com	20.199.58.43	whitelisted

Threats

No threats detected

Add for printing

Process	Message
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.

General Info

Setup.exe

ADE1F73F0C1FFC7FBA4FAE119555C323

D71CCE1E1E34739FB5F8CAB1DB7DEE76566D1653

976150102B536E4147E65B830969773449EB5C9807B422BD40C497371EF65910

98304:AIl5cHt9R83UehaGbQgtX6zp5WHzUMrCn7DZI/LmfsQ+1qukdMWnGb2b1i/SQcdN:RcQiujwPeEIFw1t

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Antivirus name has been found in the command line (generic signature)

SUSPICIOUS

Malware-specific behavior (creating "System.dll" in Temp)

Creates a software uninstall entry

Executes as Windows Service

Executable content was dropped or overwritten

The process creates files with name similar to system file names

Searches for installed software

Checks Windows Trust Settings

INFO

The sample compiled with english language support

Create files in a temporary directory

Reads the computer name

Checks supported languages

Reads the software policy settings

Creates files in the program directory

The process uses the downloaded file

Sends debugging messages

Reads the machine GUID from the registry

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings