Edit tour

Windows Analysis Report
Setup.exe

Overview

General Information

Sample name:	Setup.exe
Analysis ID:	1578360
MD5:	ade1f73f0c1ffc7fba4fae119555c323
SHA1:	d71cce1e1e34739fb5f8cab1db7dee76566d1653
SHA256:	976150102b536e4147e65b830969773449eb5c9807b422bd40c497371ef65910
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	47
Range:	0 - 100

Signatures

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Changes security center settings (notifications, updates, antivirus, firewall)

Enables network access during safeboot for specific services

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Drops PE files

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Classification

Process Tree

System is w10x64_ra

Setup.exe (PID: 3880 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: ADE1F73F0C1FFC7FBA4FAE119555C323)

OTService.exe (PID: 6416 cmdline: "C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe" /install cserv://manage.opti-tune.com/client MD5: 4990C9A13A605CFF70E0A1B81D36114C)

conhost.exe (PID: 6412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 6684 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 3532 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

SgrmBroker.exe (PID: 6880 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)

svchost.exe (PID: 6892 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 6968 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

MpCmdRun.exe (PID: 5756 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)

conhost.exe (PID: 1472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 6292 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

OTService.exe (PID: 6520 cmdline: "C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe" /runservice MD5: 4990C9A13A605CFF70E0A1B81D36114C)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Program Files (x86)\Bravura\Optitune\ServiceClient\SupportCenter.exe	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
C:\Program Files (x86)\Bravura\Optitune\ServiceClient\SupportCenter.exe	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000009.00000000.1297769607.0000000000715000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000003.1275745224.000000000287E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000003.1262880914.0000000002827000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security

Sigma Signatures

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 656, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6684, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Setup.exe

ReversingLabs: Detection: 33%

Compliance

Uses 32bit PE files

Source: Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Found installer window with terms and condition text

Source: C:\Users\user\Desktop\Setup.exe

Window detected: < &BackI &AgreeCancel License AgreementPlease review the license terms before installing Adobe OptiTune Module.Press Page Down to see the rest of the agreement.End User License Agreement---------------------------CAREFULLY READ THE FOLLOWING LICENSE AGREEMENT. BY CLICKING ON THE "I AGREE" BUTTON YOU ARE CONSENTING TO BE BOUND BY AND ARE BECOMING A PARTY TO THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT CLICK THE "CANCEL" BUTTON AND IF APPLICABLE RETURN THIS PRODUCT TO THE PLACE OF PURCHASE FOR A FULL REFUND.License Grant---------------------------The package contains software ("Software") and related explanatory written materials ("Documentation"). "Software" includes any upgrades modified versions updates additions and copies of the Software. "You" means the person or company who is being licensed to use the Software or Documentation. "We" and "us" means Bravura Software LLC.If you have paid the license fee we hereby grant you a nonexclusive license to use one copy of the Software on four computers provided the Software is in use on only four computers at any time.If you have not paid the license fee we hereby grant you a nonexclusive license to use one copy of the Software (with reduced functionality) on two computers for a time period not to exceed 30 days provided the Software is in use on only one computer at any time.The Software is "in use" on a computer when it is loaded into temporary memory (RAM) or installed into the permanent memory of a computerfor example a hard disk CD-ROM or other storage device. Title---------------------------We remain the owner of all right title and interest in the Software and Documentation. Archival or Backup Copies---------------------------You may either: make one copy of the Software solely for backup or archival purposes; or transfer the Software to a single hard disk provided you keep the original solely for backup or archival purposes.Things You May Not Do---------------------------The Software and Documentation are protected by United States copyright laws and international treaties. You must treat the Software and Documentation like any other copyrighted material--for example a book. You may not: copy the Documentation; copy the Software except to make archival or backup copies as provided above; modify or adapt the Software or merge it into another program; reverse engineer disassemble decompile or make any attempt to discover the source code of the Software; place the Software onto a server so that it is accessible via a public network such as the Internet; or sublicense rent lease or lend any portion of the Software or Documentation.Transfers---------------------------You may transfer all your rights to use the Software and Documentation to another person or legal entity provided you transfer this Agreement the Software and Documentation including all copies updates and prior versions to such person or entity and that you retain no copies including copies stor

PE / OLE file has a valid certificate

Source: Setup.exe

Static PE information: certificate valid

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 208.115.104.100:443 -> 192.168.2.16:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 208.115.104.100:443 -> 192.168.2.16:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 208.115.104.100:443 -> 192.168.2.16:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 208.115.104.100:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 208.115.104.100:443 -> 192.168.2.16:49709 version: TLS 1.2

Networking

Enables network access during safeboot for specific services

Source: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe	Registry value created: NULL Service
Source: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe	Registry value created: NULL Service

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: manage.opti-tune.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 208.115.104.100:443 -> 192.168.2.16:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 208.115.104.100:443 -> 192.168.2.16:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 208.115.104.100:443 -> 192.168.2.16:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 208.115.104.100:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 208.115.104.100:443 -> 192.168.2.16:49709 version: TLS 1.2

System Summary

Creates files inside the system directory

Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Bravura
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Bravura\Logs
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Bravura\Logs\OTService.log

Uses 32bit PE files

Source: Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal64.evad.winEXE@14/18@1/29

Source: C:\Users\user\Desktop\Setup.exe

File created: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\install.ico

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6412:120:WilError_03
Source: C:\Users\user\Desktop\Setup.exe	Mutant created: \Sessions\1\BaseNamedObjects\OTCinstallerMutex
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Mutant created: \BaseNamedObjects\Global\Bravura.OptiTuneEnterprise
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1472:120:WilError_03

Source: C:\Users\user\Desktop\Setup.exe

File created: C:\Users\user\AppData\Local\Temp\nspA229.tmp

Source: Setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Setup.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\Setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: Setup.exe

ReversingLabs: Detection: 33%

Source: C:\Users\user\Desktop\Setup.exe

File read: C:\Users\user\Desktop\Setup.exe

Source: unknown	Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe "C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe" /install cserv://manage.opti-tune.com/client
Source: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe "C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe" /runservice
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe "C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe" /install cserv://manage.opti-tune.com/client
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable

Source: C:\Users\user\Desktop\Setup.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: samcli.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: storsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: storageusage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostservice.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: networkhelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdataplatformhelperutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mccspal.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vaultcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcfgutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcmnutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmxmlhelputils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: inproclogger.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: synccontroller.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: accountaccessor.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: systemeventsbrokerclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatalanguageutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mccsengineshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cemapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatatypehelperutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: phoneutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe	Section loaded: pdh.dll
Source: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe	Section loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe	Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe	Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe	Section loaded: logoncli.dll
Source: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: pdh.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: msi.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: msimg32.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: cabinet.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: netapi32.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: logoncli.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: wkscli.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: samcli.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: dpapi.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: webio.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll

Source: C:\Users\user\Desktop\Setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Users\user\Desktop\Setup.exe

File written: C:\Users\user\AppData\Local\Temp\nskA259.tmp\ioSpecial.ini

Found installer window with terms and condition text

Source: C:\Users\user\Desktop\Setup.exe

PE / OLE file has a valid certificate

Source: Setup.exe

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: Setup.exe

Static file information: File size 7585760 > 1048576

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nskA259.tmp\RealtimeAgent.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe	File created: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\SupportCenter.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nskA259.tmp\InstallOptions.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nskA259.tmp\UserInfo.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe	File created: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTPowerShell.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe	File created: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\RemoteService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe	File created: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\BVScript.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe	File created: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nskA259.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\nskA259.tmp\System.dll	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000009.00000000.1297769607.0000000000715000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1275745224.000000000287E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1262880914.0000000002827000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\SupportCenter.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe, type: DROPPED

Contains capabilities to detect virtual machines

Source: C:\Windows\System32\svchost.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nskA259.tmp\RealtimeAgent.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\SupportCenter.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nskA259.tmp\InstallOptions.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nskA259.tmp\UserInfo.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTPowerShell.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\RemoteService.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\BVScript.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nskA259.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nskA259.tmp\System.dll	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\svchost.exe TID: 6808	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe TID: 4540	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe TID: 6452	Thread sleep time: -30000s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\Setup.exe

Process created: C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe "C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe" /install cserv://manage.opti-tune.com/client

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation

Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	11 Masquerading	OS Credential Dumping	3 Security Software Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	3 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Virtualization/Sandbox Evasion	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Source	Detection	Scanner	Label	Link
Setup.exe	33%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\nskA259.tmp\InstallOptions.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nskA259.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nskA259.tmp\UserInfo.dll	0%	ReversingLabs
C:\Program Files (x86)\Bravura\Optitune\ServiceClient\BVScript.exe	0%	ReversingLabs
C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTPowerShell.exe	0%	ReversingLabs
C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe	0%	ReversingLabs
C:\Program Files (x86)\Bravura\Optitune\ServiceClient\RemoteService.exe	0%	ReversingLabs
C:\Program Files (x86)\Bravura\Optitune\ServiceClient\SupportCenter.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nskA259.tmp\RealtimeAgent.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nskA259.tmp\nsExec.dll	0%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
manage.opti-tune.com	208.115.104.100	true	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.115.104.100	manage.opti-tune.com	United States		23033	WOWUS	false
23.218.208.109	unknown	United States		6453	AS6453US	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578360
Start date and time:	2024-12-19 16:01:38 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	Setup.exe
Detection:	MAL
Classification:	mal64.evad.winEXE@14/18@1/29
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.218.208.109
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Setup.exe

Created / dropped Files

C:\Program Files (x86)\Bravura\Optitune\ServiceClient\BVScript.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2687440
Entropy (8bit):	6.511930823132049
Encrypted:	false
SSDEEP:
MD5:	8ACC4A4E3D01AB4487EF6B34A3BDDB58
SHA1:	4DBCDFD749C85DD4A062F7C4E33D8AB4212655C8
SHA-256:	9D2FE8A4A229ED2990E33A0330A00C03A415435C3CABD9A42DD882673522BEE4
SHA-512:	90A44F5EA127DC2F5268DB3B80F3125A53ACCA2F5F81A1B068E55017F38B1B85BD3F40E20AF171FD486FD337A4C7A071E8459D4FF0610C5D22556D99F33290AD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........[..{5.{5.{5.....{5......{5.....{5....{5....{5...1.{5...6.{5...0..z5.{4.x5....{5...<.{5.....{5...7.{5.Rich.{5.................PE..L......d............................g........0....@.......................... ).....'.)...@..................................#%.@....`&.8.............(..Y...p&.`.....".p....................".....P.".@............0...............................text...`........................... ..`.rdata...&...0...(..................@..@.data........`%......F%.............@....rsrc...8....`&.......%.............@..@.reloc..`....p&.......&.............@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTPowerShell.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	40400
Entropy (8bit):	6.924473616507174
Encrypted:	false
SSDEEP:
MD5:	F620D49E96573CDA14B18B8D65806C7D
SHA1:	B81A162D37F25C60116996C8BB69AD99198A55EE
SHA-256:	10A87144386B2869D1BBC40E50F6960D4EB4316D1FD1C1DF8708361A7B837B98
SHA-512:	3806185E05F1AD46B07DC4575C812D98A95B2CEC09A91FBF657C52788CAA5A1688E52BB09F87B8CFCA97E4E3468A7E643CB0216F7D7D1A400A999A0537F53F51
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........."...0..8...........V... ...`....@.. ..............................e{....`.................................lV..O....`...............D...Y..........4U............................................... ............... ..H............text....6... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............B..............@..B.................V......H.......\....&......A.....................................................(....o....}.....(....o....}.....s....}.....(......}......{......{.....~.....r...p..{........s.....rE..ps....z.f.{.....o>....{.....o@....(...........s<...}.....(....(....(....(....(......{.......0...............r...p.r...p(....o....s......o.....+?.o......o....(!........o ...(!.......-.....)..o".....(#...o$....o%...-....,..o&.......*.........'.Kr.......0...............r...p.r...p(....o'....(

C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7259592
Entropy (8bit):	6.321200451270022
Encrypted:	false
SSDEEP:
MD5:	4990C9A13A605CFF70E0A1B81D36114C
SHA1:	DD686E65293E8DC0A324C3755AB755E01B388BBF
SHA-256:	B5C63F895D27D0572289CB49058EA83B1E49C46A62CA51B4AB44D119111594A4
SHA-512:	7BC1DD1778B378EFC3311CFC0AB3C0C602A84B7C0E3DBF09D8AFB4C3DBF5964D54FE66076628F88CAA9B0FAEEAD8C257441E15FF13FEB6047AF1971B6486E7EF
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........CK.-..-..-.w....-.w...v.-.w....-.....-...)..-......-...(...-.....-..,.d.-......-.k.$.\|.-.k....-.k./..-.Rich.-.........................PE..L...#..d.................8H..\|&.....2gA......PH...@...........................n.....}Wo...@..................................a.D.....d.pd...........ln..Y....i......Y.p...................`.Y.....`.K.@............PH.....T.a.`....................text...@6H......8H................. ..`.rdata.......PH......<H.............@..@.data.........a..f....a.............@....rsrc...pd....d..f...2d.............@..@.reloc........i.......h.............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Bravura\Optitune\ServiceClient\RemoteService.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4065744
Entropy (8bit):	6.44329433450523
Encrypted:	false
SSDEEP:
MD5:	E9C1EE100F88B58B7F2A114F2B5ED2F0
SHA1:	48FD999337284D1B4972DB4A948845398B4C0C7C
SHA-256:	4B6FF966EC6509E86C4A1CBF71D71BF434E08E0AAE097A57015AD493DB4A3912
SHA-512:	AD6DE4780602AA5BCA6D5115DBBD063752455FD665F14EC0D74DCE1CAAAB6ED20030DB7CE3C2040505781A13798D981A69E5FD11749A738616F3E078CC361CED
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......].....w...w...w.~....w.~...w.~....w.......w.......w.K.s...w.K.t...w.K.r.r.w...v.v.w.....2.w..~..w......w..u...w.Rich..w.................PE..L...K..d....................8......>>&..........@.......................... >......W>...@.................................Dl8.\|....p:.P.............=..Y....:.p...`.4.p.....................4.....`.-.@...................k8......................text...0......................... ..`.rdata..v............*.............@..@.data...L.....8..r....8.............@....rsrc...P....p:.......:.............@..@.reloc..p.....:.......:.............@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Bravura\Optitune\ServiceClient\SupportCenter.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\nskA259.tmp\OTService.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	9262544
Entropy (8bit):	6.601741468739004
Encrypted:	false
SSDEEP:
MD5:	68D6508E54B59DAE82FC98D7441195C2
SHA1:	0074B3092E437A50BBB7A0038363FF550D30B83D
SHA-256:	1EDE8D91DB625A605535488D1C36A5EA7BA3950194CABE7664FFA7ED6A9AAB45
SHA-512:	698D18397AD35EEB8693CD97952EE8CEE4F75EC44DB2B23F4E5B60E03C3A15FD894B2F4B9077D15135C6F5DFB60EB6F253AEC682A717C63C3A2695842DD2DF19
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\SupportCenter.exe, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: C:\Program Files (x86)\Bravura\Optitune\ServiceClient\SupportCenter.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........J...+.S.+.S.+.Sn.QS.+.Sn.SSl+.Sn.RS.+.S.S$S.+.S.C.R.+.S.C.R.+.S.C.R.*.S.S#S.+.S.+.S>(.S.S3S.+.SrB.R.+.SrB_S.+.SrB.R.+.SRich.+.S........................PE..L...%..d.................$G.."F.......@......@G...@......................................@...................................`.l.....b.0.$..............Y...........mX.p...................pmX..... .J.@............@G.X...d.`.`....................text....#G......$G................. ..`.rdata.......@G......(G.............@..@.data........``..@...:`.............@....rsrc...0.$...b...$..zb.............@..@.reloc...............6..............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Bravura\Optitune\ServiceClient\install.ico

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	MS Windows icon resource - 1 icon, -128x-128, 32 bits/pixel
Category:	dropped
Size (bytes):	67646
Entropy (8bit):	4.901397076236503
Encrypted:	false
SSDEEP:
MD5:	366A85354938740E70F112AD0D920FE6
SHA1:	39AA4530F4A79E31EFD0962CC01F1BD7EF763CC7
SHA-256:	8A6447C0EF36B5A3CCBF3B5B20A3E93A8D6E2EA6D484000E6484997485364F3F
SHA-512:	909BE41A0428EED0D97B43F6B4E2C007466BD840BA8496AFC244F20993C6723942E8ADCF10A65A9B941A2C6EA91AC361C1534122819025AD69FE077BE84E9C7C
Malicious:	false
Reputation:	unknown
Preview:	............ .(.......(............. ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nskA259.tmp\InstallOptions.dll

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.550073716458996
Encrypted:	false
SSDEEP:
MD5:	0DC0CC7A6D9DB685BF05A7E5F3EA4781
SHA1:	5D8B6268EEEC9D8D904BC9D988A4B588B392213F
SHA-256:	8E287326F1CDD5EF2DCD7A72537C68CBE4299CEB1F820707C5820F3AA6D8206C
SHA-512:	814DD17EBB434F4A3356F716C783AB7F569F9EE34CE5274FA50392526925F044798F8006198AC7AFE3D1C2CA83A2CA8C472CA53FEC5F12BBFBBE0707ABACD6B0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L.p..q.,.q.,.q.,.q.,@q.,.~C,.q.,\R.,.q.,\R/,.q.,.w.,.q.,.Q.,.q.,Rich.q.,........................PE..L.....J...........!.........<.......).......0.......................................................................8..p...81.......p..........................@....................................................0..8............................text...@........................... ..`.rdata.......0....... ..............@..@.data... (...@.....................@....rsrc........p.......2..............@..@.reloc...............4..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nskA259.tmp\RealtimeAgent.exe

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3021768
Entropy (8bit):	6.4835538275447835
Encrypted:	false
SSDEEP:
MD5:	15E409E4F3FB6B6FB73ED48BD0A6C6F6
SHA1:	30A7B36BCDE611A6BF6A074651D8B3AC152B3283
SHA-256:	6A3072A2367329B564C9BF77302A5FBF66673FB471C22FC56A12E901C4D90477
SHA-512:	92BBDA856ED349A06916D38D450E04716E52CEE6FE0C8EEDF965EEB4A313C1AD13249629AF30B15925DB822A0322266F28F9F2FD4BB99813E072A211BE949684
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$..........rI..!I..!I..!.J.!_..!.J.!...!.J.!T..!.);!C..!.):!H..!... Z..!... P..!... ..!.)%!M..!.)>!a..!I..!...!@.f!J..!.. ...!..!H..!.. H..!RichI..!........................PE..L......d.................* ........._Z.......@ ...@..........................@.......[....@..................................).........c............-..Y...`+..... .&.p...................0.&.......&.@............@ .\............................text....) ...... ................. ..`.rdata...~...@ ....... .............@..@.data....#....).......).............@....rsrc....c......d.................@..@.reloc.......`+.......*.............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nskA259.tmp\SupportCenter.chm

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	11111
Entropy (8bit):	3.2019073259603084
Encrypted:	false
SSDEEP:
MD5:	7423274FD842124E6CF600603B7344BA
SHA1:	E1E9FB7F169D0DE13C9B96848B0CEDF547A79993
SHA-256:	DCBB3AD4268A916A222CE3A914061202BB47D5251CC299651C4B7D8C20D841D0
SHA-512:	C6E3A9957CBE903F2AE6F8515FDC59B4FF6350D7C6A935901CAB7BE19186ADF1B1E974B48DCEEF9A62F45D2090CCF00D661FFFB7D4B658361DF380B2B9C34FF6
Malicious:	false
Reputation:	unknown
Preview:	ITSF....`.......R.K........\|.{.......".....\|.{......."..`...............x.......T.......................g+..............ITSP....T...........................................j..].!......."..T...............PMGL................./..../#IDXHDR..$.../#ITBITS..../#IVB..A../#STRINGS..^O./#SYSTEM....A./#TOPICS..$../#URLSTR..@../#URLTBL..4../$FIftiMain....../$OBJINST..U.?./$WWAssociativeLinks/..../$WWAssociativeLinks/Property..Q../$WWKeywordLinks/..../$WWKeywordLinks/Property..M../HIDD_ROOT_DIALOG.HTM..z.G./SupportCenter.hhc..././SupportCenter.hhk../.K.::DataSpace/NameList..<(::DataSpace/Storage/MSCompressed/Content..G.$,::DataSpace/Storage/MSCompressed/ControlData.j.)::DataSpace/Storage/MSCompressed/SpanInfo.b./::DataSpace/Storage/MSCompressed/Transform/List.<&_::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/...i::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/ResetTable..k0.............................

C:\Users\user\AppData\Local\Temp\nskA259.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.567124464313517
Encrypted:	false
SSDEEP:
MD5:	00A0194C20EE912257DF53BFE258EE4A
SHA1:	D7B4E319BC5119024690DC8230B9CC919B1B86B2
SHA-256:	DC4DA2CCADB11099076926B02764B2B44AD8F97CD32337421A4CC21A3F5448F3
SHA-512:	3B38A2C17996C3B77EBF7B858A6C37415615E756792132878D8EDDBD13CB06710B7DA0E8B58104768F8E475FC93E8B44B3B1AB6F70DDF52EDEE111AAF5EF5667
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j....l.9..i....l.Richm.........................PE..L.....*J...........!................0).......0...............................`......................................p2......t0..P............................P.......................................................0..X............................text...1........................... ..`.rdata.......0......."..............@..@.data...d....@.......&..............@....reloc.......P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nskA259.tmp\UserInfo.dll

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.3310978207829716
Encrypted:	false
SSDEEP:
MD5:	1E8E11F465AFDABE97F529705786B368
SHA1:	EA42BED65DF6618C5F5648567D81F3935E70A2A0
SHA-256:	7D099352C82612AB27DDFD7310C1AA049B58128FB04EA6EA55816A40A6F6487B
SHA-512:	16566A8C1738E26962139AAE893629098DC759E4AC87DF3E8EB9819DF4E0E422421836BB1E4240377E00FB2F4408CE40F40EEE413D0F6DD2F3A4E27A52D49A0B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................4..............Rich..................PE..L.....*J...........!......................... ...............................P...................................... "......L ..<............................@..d.................................................... ..L............................text............................... ..`.rdata....... ......................@..@.data...X....0......................@....reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nskA259.tmp\account.cert

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	7.816769734971736
Encrypted:	false
SSDEEP:
MD5:	67D9270D378461180D4B3465E51F5726
SHA1:	170B6809E86FFD77A882C150AE7D72CD0B2DF93A
SHA-256:	0A8812CBE692D329D77598EE7136888570B60106F31D4360D83EBFB5E20918AB
SHA-512:	9A6AC6F438A1F389BFAF674B349A8D339F8C10E42368244F1FF54FDCC71DDAD235149755F6E05D85B40203F970A97EF0F4DC08D3F58184C40FB7DA377CD78EEE
Malicious:	false
Reputation:	unknown
Preview:	.....w7{.~t..$..m.?.......{....!...2...r.f0..<B...#..j..N.g..`...9...cg~...b3\|.zQc..{6.U...\.H, ....?...."=...@t...v..[..FJ....A...G_.....i..W6....J..i.3...O$...<..../\..Zb.e..L..Z...i..T.p...0........NbW...#u.......3.g...(i....h..t0.M&7(.&#j...(J...9qz.n.\|.......c>..7:...@`6..+"..q......@h..IS../..2......vw5Zd......Rh..f..!..6.7E..n....T....~.3...'.T...G.h..K.....,.01...7"./...L.#.....P\.q.G....4.w..Ab\|...e.%&+..yN.a....:+.7.S....Y..kV.....f...].p..S.8[......f+.)....(B.``....3..r"...P.gM....E"..n.a.J]....^.W-.]...vv!..\|.'(k.".-p.pn{A...rm..\|.....\|.U@..........s.Q$.....>..b..Z..=./.U..\U...&.[..x.X....'..0..:..}.r\|...pp@. .............L....i.^..........K.#.v(t. ...je;bX5..P.PHn..Z. ..zok.........X...-....,p.......<...x.......D..P..s.i..9.....&j).8/..(..?. ke.Q..Y....v..&n...%.$....LL.5c.eJD .kk.........H..t............D/.f....O.c..=af(v6.:..Y.%.ey.q....Cx..B..cdi....8.O.u..7g..V&...lw..C.3;. ...cZ.Z[..T9 .).....D..Kt.....i....H..m.DUm..)

C:\Users\user\AppData\Local\Temp\nskA259.tmp\ioSpecial.ini

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	Generic INItialization configuration [Field 1]
Category:	modified
Size (bytes):	571
Entropy (8bit):	5.373837712551217
Encrypted:	false
SSDEEP:
MD5:	A753DBE5C95D7F88717A50178D5040BB
SHA1:	C178A8516E3B3AF6AD0DF2DB2393123024256DD5
SHA-256:	9BDF7AD8CB1512D9054F5A617FECD97984D6C32E790688E79F910A50E0D293B2
SHA-512:	BA560E9C4689B7B22C7029B8E9BD2B05FC788AD27C91D7B0934239CA93854661498D41828F64B94DCACDB2564B98549968B84BB9ACA8F776E55D6E429AE3D899
Malicious:	false
Reputation:	unknown
Preview:	[Settings]..Rect=1044..NumFields=3..RTL=0..NextButtonText=&Finish..CancelEnabled=..State=0..[Field 1]..Type=bitmap..Left=0..Right=109..Top=0..Bottom=193..Flags=RESIZETOFIT..Text=C:\Users\user\AppData\Local\Temp\nskA259.tmp\modern-wizard.bmp..HWND=262892..[Field 2]..Type=label..Left=120..Right=315..Top=10..Text=Completing the Adobe OptiTune Module Setup Wizard..Bottom=38..HWND=197344..[Field 3]..Type=label..Left=120..Right=315..Top=45..Bottom=185..Text=Adobe OptiTune Module has been installed on your computer.\r\n\r\nClick Finish to close this wizard...HWND=197346..

C:\Users\user\AppData\Local\Temp\nskA259.tmp\modern-wizard.bmp

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	PC bitmap, Windows 3.x format, 164 x 314 x 24, image size 154490, resolution 2834 x 2834 px/m, cbSize 154544, bits offset 54
Category:	dropped
Size (bytes):	154544
Entropy (8bit):	6.963187688020362
Encrypted:	false
SSDEEP:
MD5:	364F43CD56678B8A38FFE9F0E7E43F7C
SHA1:	63EF2D60193C0AB6382AB1E506C0798C70D168BB
SHA-256:	92E95573F528430888D7DEE6B175DA94C42B379C5A3C394AF8901D04AFD4EFB3
SHA-512:	FB021FBD610010D11C23D5BBB59517295515B41806B4136E019A0A85337C5AAD2E4F2E145B2A1CD035EF3F3DE4F5C45708F3400CA386297D0D1E95231A82FFD6
Malicious:	false
Reputation:	unknown
Preview:	BM.[......6...(.......:...........z[....................w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..seeecdecdecdecdecdecdecdecdecdepkh....{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..xfffcdecdecdecdecdefff..x..{..{..{..{..{..{..{..{..{..{..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w..w.uigfcdecdecdecdecdecdecdecdedeepkh.~..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{..{.wjggcdecdecdecdecdec

C:\Users\user\AppData\Local\Temp\nskA259.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6656
Entropy (8bit):	5.035504427755808
Encrypted:	false
SSDEEP:
MD5:	E54EB27FB5048964E8D1EC7A1F72334B
SHA1:	2B76D7AEDAFD724DE96532B00FBC6C7C370E4609
SHA-256:	FF00F5F7B8D6CA6A79AEBD08F9625A5579AFFCD09F3A25FDF728A7942527A824
SHA-512:	C9DDD19484A6218F926295A88F8776AFF6C0A98565714290485F9B3B53E7B673724946DEFED0207064D6AB0B1BAA7CB3477952F61DBE22947238D3F5802FA4F4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........PE..L.....*J...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text...H........................... ..`.rdata..,.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Reputation:	unknown
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	4926
Entropy (8bit):	3.2456978655694906
Encrypted:	false
SSDEEP:
MD5:	CD0AAD64A5C6EF65409A1DFDE11A53F5
SHA1:	5FAC5EE6E2AB53A2C95AF199FE47A487F5C0F0A9
SHA-256:	F1463D784C7D6691B19A8AAE3DB68AA60F850313CDBFCE1294CBB11F6260B8A7
SHA-512:	FF4422C98C6987685DCE30B4ADA15BE19F385211CCD3BBEC8967174CE9088C7565C9D923F3916FCB2D0B6439389F8A61F1B8F6AD057E836D08D006C3A409340A
Malicious:	false
Reputation:	unknown
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. F.r.i. .. O.c.t. .. 0.6. .. 2.0.2.3. .1.1.:.3.5.:.2.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e........................................ .W.S.C. .S.t.a.t.e. .I.n.f.o. ................................................................. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. ..............................d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.996890309600568
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Setup.exe
File size:	7'585'760 bytes
MD5:	ade1f73f0c1ffc7fba4fae119555c323
SHA1:	d71cce1e1e34739fb5f8cab1db7dee76566d1653
SHA256:	976150102b536e4147e65b830969773449eb5c9807b422bd40c497371ef65910
SHA512:	d2176aa1790589cebc75c932452762f518dcbaba23486f191315a0dca71137ca17c3df72c4fe48a82cce3262a771b00740f7d3a381992043bb1104901c9e0eee
SSDEEP:	196608:QPln9bHx+0F9dW330Km0Z6kTeBMNySr+osDYliRMAwcvu60:mvbVnE6kTouCUcmz
TLSH:	3F7633662B180D05CDB74A76636C7BB270BAEE6074D8203106256F1335B2E13EBC9B77
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L.....*J.................Z.........

File Icon


Icon Hash:	51525373611d461b

Static PE Info

General

Entrypoint:	0x4030cb
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4A2AE29C [Sat Jun 6 21:41:48 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	7fa974366048f9c551ef45714595665e

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	27/07/2022 20:00:00 27/07/2025 19:59:59
Subject Chain	CN=Bravura Software LLC, O=Bravura Software LLC, S=Washington, C=US
Version:	3
Thumbprint MD5:	8089D6A3413CCE6B24C6B25CBDD49676
Thumbprint SHA-1:	D58CE12BF09CED67778A393FB5E894BBA6897943
Thumbprint SHA-256:	BC7FEB4F462BAEA0ACFA47C338094674D015AB49A71074D27FDB4742DB64785A
Serial:	00AA07A3A7EBE58206EB7B7099672BCCB8

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409160h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B0h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [00423F38h], eax
call 00007FDACC708186h
mov dword ptr [00423E84h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 0041F430h
call dword ptr [00407158h]
push 00409154h
push 00423680h
call 00007FDACC707E39h
call dword ptr [004070ACh]
mov edi, 00429000h
push eax
push edi
call 00007FDACC707E27h
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423E80h], eax
mov eax, edi
jne 00007FDACC70559Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007FDACC70791Ah
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007FDACC7055F5h
cmp cl, 00000020h
jne 00007FDACC705598h
inc eax
cmp byte ptr [eax], 00000020h
je 00007FDACC70558Ch
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2e000	0x11cf8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x736620	0x59c0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x58d2	0x5a00	c69726ed422d3dcfdec9731986daa752	False	0.665234375	data	6.4331003482809646	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1190	0x1200	a2c7710fa66fcbb43c7ef0ab9eea5e9a	False	0.4453125	data	5.179763757809345	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1af78	0x400	e59cdcb732e4bfbc84cc61dd68354f78	False	0.55078125	data	4.617802320695973	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0xa000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2e000	0x11cf8	0x11e00	0f7978b53a265d036d0886b2e4c941ba	False	0.21015898164335664	data	4.866648099248477	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x2e268	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m	English	United States	0.2025907961670413
RT_ICON	0x3ea90	0x568	data	English	United States	0.014450867052023121
RT_ICON	0x3eff8	0x128	data	English	United States	0.04391891891891892
RT_DIALOG	0x3f120	0xb4	data	English	United States	0.6111111111111112
RT_DIALOG	0x3f1d8	0x202	data	English	United States	0.4085603112840467
RT_DIALOG	0x3f3e0	0xf8	data	English	United States	0.6290322580645161
RT_DIALOG	0x3f4d8	0xee	data	English	United States	0.6260504201680672
RT_GROUP_ICON	0x3f5c8	0x30	data	English	United States	1.0
RT_VERSION	0x3f5f8	0x33c	data			0.4323671497584541
RT_MANIFEST	0x3f938	0x3be	XML 1.0 document, ASCII text, with very long lines (958), with no line terminators	English	United States	0.5187891440501043

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Setup.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

C:\Program Files (x86)\Bravura\Optitune\ServiceClient\BVScript.exe

C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTPowerShell.exe

C:\Program Files (x86)\Bravura\Optitune\ServiceClient\OTService.exe

C:\Program Files (x86)\Bravura\Optitune\ServiceClient\RemoteService.exe

C:\Program Files (x86)\Bravura\Optitune\ServiceClient\SupportCenter.exe

C:\Program Files (x86)\Bravura\Optitune\ServiceClient\install.ico

C:\Users\user\AppData\Local\Temp\nskA259.tmp\InstallOptions.dll

C:\Users\user\AppData\Local\Temp\nskA259.tmp\RealtimeAgent.exe

C:\Users\user\AppData\Local\Temp\nskA259.tmp\SupportCenter.chm

C:\Users\user\AppData\Local\Temp\nskA259.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nskA259.tmp\UserInfo.dll

C:\Users\user\AppData\Local\Temp\nskA259.tmp\account.cert

C:\Users\user\AppData\Local\Temp\nskA259.tmp\ioSpecial.ini

C:\Users\user\AppData\Local\Temp\nskA259.tmp\modern-wizard.bmp

C:\Users\user\AppData\Local\Temp\nskA259.tmp\nsExec.dll

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
Setup.exe