Malware analysis SophosSetup.exe Malicious activity | ANY.RUN

Add for printing

File name:	SophosSetup.exe
Full analysis:	https://app.any.run/tasks/321aa4d3-77c2-4499-a49b-a4bf48fe9c6f
Verdict:	Malicious activity
Analysis date:	August 27, 2024, 17:32:41
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	python mimikatz tools api-base64 crypto-regex upx
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	0DC7BA590031512F011F1FEC30967119
SHA1:	8F61F9C5DB959DA42980EBA1A2B95330D9BC55B8
SHA256:	6A432BDD2CBF274B6C50413C6B353481AC27B490DAC3F9D47459F9AD84F69D80
SSDEEP:	98304:dDdEcEiN9/UTMNG3DcCzWi935jXE1gM4lF+QlXW/djfUmgN7GETTMN2:mrF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Antivirus name has been found in the command line (generic signature)
  - SophosHealth.exe (PID: 1332)
- Changes the autorun value in the registry
  - su-setup64.exe (PID: 5112)
- MIMIKATZ has been detected (YARA)
  - SophosFileScanner.exe (PID: 5000)
SUSPICIOUS
- Drops the executable file immediately after the start
  - SophosSetup.exe (PID: 6472)
  - Setup.exe (PID: 4876)
  - SophosSetup_Stage2.exe (PID: 6128)
  - AVRemoveW_.exe (PID: 6876)
  - su-setup64.exe (PID: 788)
  - su-setup64.exe (PID: 5044)
  - su-setup64.exe (PID: 5220)
  - su-setup64.exe (PID: 6012)
  - su-setup64.exe (PID: 7048)
  - su-setup32.exe (PID: 7132)
  - su-setup64.exe (PID: 5112)
  - su-setup64.exe (PID: 208)
  - su-setup64.exe (PID: 6520)
  - su-setup64.exe (PID: 7068)
  - su-setup64.exe (PID: 1084)
  - su-setup64.exe (PID: 6576)
  - su-setup64.exe (PID: 7152)
- Reads security settings of Internet Explorer
  - Setup.exe (PID: 4876)
  - SophosSetup_Stage2.exe (PID: 6128)
  - su-setup64.exe (PID: 5556)
  - su-setup64.exe (PID: 5044)
  - su-setup64.exe (PID: 788)
  - su-setup64.exe (PID: 5220)
  - su-setup64.exe (PID: 6012)
  - SophosSSEValidator.exe (PID: 4344)
  - SophosFSVerify.exe (PID: 1116)
  - su-setup64.exe (PID: 7048)
  - SophosFileScanner.exe (PID: 5000)
  - su-setup32.exe (PID: 7132)
  - su-setup64.exe (PID: 5112)
  - Sophos UI.exe (PID: 7020)
  - su-setup64.exe (PID: 208)
  - su-setup64.exe (PID: 6520)
  - SophosSMEValidator.exe (PID: 904)
  - SophosSMEValidator.exe (PID: 6304)
  - SophosSMEValidator.exe (PID: 2568)
  - su-setup64.exe (PID: 7068)
  - su-setup64.exe (PID: 1084)
  - su-setup64.exe (PID: 6576)
  - SophosFileScanner.exe (PID: 3116)
  - su-setup64.exe (PID: 7152)
- Executable content was dropped or overwritten
  - SophosSetup.exe (PID: 6472)
  - Setup.exe (PID: 4876)
  - SophosSetup_Stage2.exe (PID: 6128)
  - AVRemoveW_.exe (PID: 6876)
  - su-setup64.exe (PID: 788)
  - su-setup64.exe (PID: 5044)
  - su-setup64.exe (PID: 5220)
  - su-setup64.exe (PID: 6012)
  - su-setup64.exe (PID: 7048)
  - su-setup32.exe (PID: 7132)
  - su-setup64.exe (PID: 5112)
  - su-setup64.exe (PID: 208)
  - su-setup64.exe (PID: 6520)
  - su-setup64.exe (PID: 7068)
  - su-setup64.exe (PID: 1084)
  - su-setup64.exe (PID: 6576)
  - su-setup64.exe (PID: 7152)
- Checks Windows Trust Settings
  - Setup.exe (PID: 4876)
  - SophosSetup_Stage2.exe (PID: 6128)
  - su-setup64.exe (PID: 5556)
  - su-setup64.exe (PID: 5044)
  - su-setup64.exe (PID: 788)
  - SSPService.exe (PID: 7104)
  - su-setup64.exe (PID: 5220)
  - McsAgent.exe (PID: 400)
  - su-setup64.exe (PID: 6012)
  - SophosSSEValidator.exe (PID: 4344)
  - su-setup64.exe (PID: 7048)
  - SophosFSVerify.exe (PID: 1116)
  - SophosFileScanner.exe (PID: 5000)
  - su-setup32.exe (PID: 7132)
  - su-setup64.exe (PID: 5112)
  - Sophos UI.exe (PID: 7020)
  - su-setup64.exe (PID: 208)
  - su-setup64.exe (PID: 6520)
  - SophosSMEValidator.exe (PID: 904)
  - SophosSMEValidator.exe (PID: 2568)
  - SophosSMEValidator.exe (PID: 6304)
  - su-setup64.exe (PID: 7068)
  - su-setup64.exe (PID: 1084)
  - su-setup64.exe (PID: 6576)
  - SophosFileScanner.exe (PID: 3116)
  - su-setup64.exe (PID: 7152)
- Process drops legitimate windows executable
  - SophosSetup_Stage2.exe (PID: 6128)
  - su-setup64.exe (PID: 5112)
  - su-setup64.exe (PID: 6520)
  - su-setup64.exe (PID: 7068)
- Process drops python dynamic module
  - SophosSetup_Stage2.exe (PID: 6128)
- The process verifies whether the antivirus software is installed
  - su-setup64.exe (PID: 5556)
  - SophosSetup_Stage2.exe (PID: 6128)
  - Setup.exe (PID: 4876)
  - su-setup64.exe (PID: 5044)
  - su-setup64.exe (PID: 788)
  - SEDService.exe (PID: 6424)
  - SSPService.exe (PID: 7104)
  - su-setup64.exe (PID: 5220)
  - su-setup64.exe (PID: 6012)
  - su-setup64.exe (PID: 7048)
  - SophosSSEValidator.exe (PID: 4344)
  - SophosFSVerify.exe (PID: 1116)
  - su-setup32.exe (PID: 7132)
  - SophosFileScanner.exe (PID: 5000)
  - su-setup64.exe (PID: 208)
  - SophosACSenabledTest.exe (PID: 1360)
  - Sophos UI.exe (PID: 7020)
  - su-setup64.exe (PID: 5112)
  - SophosSMEValidator.exe (PID: 6304)
  - SophosSMEValidator.exe (PID: 904)
  - SophosSMEValidator.exe (PID: 2568)
  - su-setup64.exe (PID: 6520)
  - su-setup64.exe (PID: 7068)
  - su-setup64.exe (PID: 1084)
  - su-setup64.exe (PID: 6576)
  - su-setup64.exe (PID: 7152)
  - SophosFileScanner.exe (PID: 3116)
  - SophosFS.exe (PID: 6804)
- Drops a system driver (possible attempt to evade defenses)
  - SophosSetup_Stage2.exe (PID: 6128)
  - su-setup64.exe (PID: 788)
- The process drops C-runtime libraries
  - SophosSetup_Stage2.exe (PID: 6128)
- Starts CMD.EXE for commands execution
  - AVRemoveW_.exe (PID: 6876)
- Searches for installed software
  - AVRemoveW_.exe (PID: 6876)
  - su-setup64.exe (PID: 5044)
  - su-setup64.exe (PID: 5220)
  - su-setup64.exe (PID: 6012)
  - su-setup64.exe (PID: 7048)
  - su-setup32.exe (PID: 7132)
  - su-setup64.exe (PID: 5112)
  - su-setup64.exe (PID: 208)
  - su-setup64.exe (PID: 6520)
  - su-setup64.exe (PID: 7068)
  - su-setup64.exe (PID: 1084)
  - su-setup64.exe (PID: 6576)
  - su-setup64.exe (PID: 7152)
- Loads Python modules
  - AVRemoveW_.exe (PID: 6876)
- Creates a software uninstall entry
  - su-setup64.exe (PID: 5044)
  - su-setup64.exe (PID: 788)
  - su-setup64.exe (PID: 5220)
  - su-setup64.exe (PID: 6012)
  - su-setup64.exe (PID: 7048)
  - su-setup32.exe (PID: 7132)
  - su-setup64.exe (PID: 5112)
  - su-setup64.exe (PID: 208)
  - su-setup64.exe (PID: 6520)
  - su-setup64.exe (PID: 7068)
  - su-setup64.exe (PID: 1084)
  - su-setup64.exe (PID: 6576)
  - su-setup64.exe (PID: 7152)
- Creates or modifies Windows services
  - su-setup64.exe (PID: 788)
  - SEDService.exe (PID: 6424)
  - SSPService.exe (PID: 7104)
- Creates files in the driver directory
  - su-setup64.exe (PID: 788)
- Executes as Windows Service
  - SEDService.exe (PID: 6424)
  - SSPService.exe (PID: 7104)
  - McsAgent.exe (PID: 400)
  - McsClient.exe (PID: 6432)
  - SophosFS.exe (PID: 6804)
  - SophosHealth.exe (PID: 1332)
  - SophosLiveQueryService.exe (PID: 3880)
- Application launched itself
  - SophosFileScanner.exe (PID: 4692)
  - SophosFileScanner.exe (PID: 6332)
- Creates/Modifies COM task schedule object
  - su-setup64.exe (PID: 5112)
  - su-setup64.exe (PID: 208)
- Found regular expressions for crypto-addresses (YARA)
  - SophosFileScanner.exe (PID: 5000)
- There is functionality for communication over UDP network (YARA)
  - SophosFileScanner.exe (PID: 5000)
- Process checks is Powershell's Script Block Logging on
  - su-setup64.exe (PID: 7152)
INFO
- Checks supported languages
  - SophosSetup.exe (PID: 6472)
  - Setup.exe (PID: 4876)
  - SophosSetup_Stage2.exe (PID: 6128)
  - su-setup64.exe (PID: 5556)
  - AVRemoveW.exe (PID: 1700)
  - AVRemoveW_.exe (PID: 6876)
  - SubmitTelem.exe (PID: 3268)
  - su-setup64.exe (PID: 5044)
  - su-setup64.exe (PID: 788)
  - SEDService.exe (PID: 6424)
  - SSPService.exe (PID: 7104)
  - su-setup64.exe (PID: 5220)
  - McsAgent.exe (PID: 400)
  - McsClient.exe (PID: 6432)
  - su-setup64.exe (PID: 6012)
  - SophosSSEValidator.exe (PID: 4344)
  - su-setup64.exe (PID: 7048)
  - SophosFSVerify.exe (PID: 1116)
  - SophosFS.exe (PID: 6804)
  - SophosFileScanner.exe (PID: 5000)
  - su-setup32.exe (PID: 7132)
  - SophosFileScanner.exe (PID: 4692)
  - SophosHealth.exe (PID: 1332)
  - su-setup64.exe (PID: 5112)
  - Sophos UI.exe (PID: 7020)
  - su-setup64.exe (PID: 208)
  - SophosACSenabledTest.exe (PID: 1360)
  - su-setup64.exe (PID: 6520)
  - SophosSMEValidator.exe (PID: 6304)
  - SophosSMEValidator.exe (PID: 904)
  - SophosSMEValidator.exe (PID: 2568)
  - su-setup64.exe (PID: 7068)
  - su-setup64.exe (PID: 1084)
  - su-setup64.exe (PID: 6576)
  - su-setup64.exe (PID: 7152)
  - SophosFileScanner.exe (PID: 6332)
  - SophosFileScanner.exe (PID: 3116)
  - SophosLiveQueryService.exe (PID: 3880)
- Create files in a temporary directory
  - SophosSetup.exe (PID: 6472)
  - AVRemoveW_.exe (PID: 6876)
  - su-setup64.exe (PID: 5556)
  - su-setup64.exe (PID: 5044)
  - su-setup64.exe (PID: 788)
  - su-setup64.exe (PID: 5220)
  - su-setup64.exe (PID: 6012)
  - SophosSSEValidator.exe (PID: 4344)
  - su-setup64.exe (PID: 7048)
  - su-setup32.exe (PID: 7132)
  - su-setup64.exe (PID: 5112)
  - su-setup64.exe (PID: 208)
  - su-setup64.exe (PID: 6520)
  - SophosSMEValidator.exe (PID: 904)
  - SophosSMEValidator.exe (PID: 6304)
  - SophosSMEValidator.exe (PID: 2568)
  - su-setup64.exe (PID: 7068)
  - su-setup64.exe (PID: 1084)
  - su-setup64.exe (PID: 6576)
  - su-setup64.exe (PID: 7152)
- Creates files in the program directory
  - Setup.exe (PID: 4876)
  - SophosSetup_Stage2.exe (PID: 6128)
  - su-setup64.exe (PID: 5044)
  - su-setup64.exe (PID: 788)
  - SEDService.exe (PID: 6424)
  - SSPService.exe (PID: 7104)
  - McsAgent.exe (PID: 400)
  - su-setup64.exe (PID: 5220)
  - su-setup64.exe (PID: 6012)
  - McsClient.exe (PID: 6432)
  - su-setup64.exe (PID: 7048)
  - SophosFS.exe (PID: 6804)
  - SophosFileScanner.exe (PID: 4692)
  - su-setup32.exe (PID: 7132)
  - SophosHealth.exe (PID: 1332)
  - su-setup64.exe (PID: 5112)
  - su-setup64.exe (PID: 208)
  - su-setup64.exe (PID: 6520)
  - su-setup64.exe (PID: 7068)
  - su-setup64.exe (PID: 1084)
  - su-setup64.exe (PID: 6576)
  - SophosFileScanner.exe (PID: 6332)
  - su-setup64.exe (PID: 7152)
  - SophosLiveQueryService.exe (PID: 3880)
- Reads the machine GUID from the registry
  - Setup.exe (PID: 4876)
  - SophosSetup_Stage2.exe (PID: 6128)
  - su-setup64.exe (PID: 5556)
  - AVRemoveW.exe (PID: 1700)
  - AVRemoveW_.exe (PID: 6876)
  - SubmitTelem.exe (PID: 3268)
  - su-setup64.exe (PID: 5044)
  - su-setup64.exe (PID: 788)
  - SSPService.exe (PID: 7104)
  - McsAgent.exe (PID: 400)
  - su-setup64.exe (PID: 5220)
  - McsClient.exe (PID: 6432)
  - su-setup64.exe (PID: 6012)
  - su-setup64.exe (PID: 7048)
  - SophosSSEValidator.exe (PID: 4344)
  - SophosFSVerify.exe (PID: 1116)
  - SophosFileScanner.exe (PID: 5000)
  - su-setup32.exe (PID: 7132)
  - su-setup64.exe (PID: 5112)
  - Sophos UI.exe (PID: 7020)
  - su-setup64.exe (PID: 208)
  - su-setup64.exe (PID: 6520)
  - SophosSMEValidator.exe (PID: 904)
  - SophosSMEValidator.exe (PID: 6304)
  - SophosSMEValidator.exe (PID: 2568)
  - su-setup64.exe (PID: 7068)
  - su-setup64.exe (PID: 1084)
  - su-setup64.exe (PID: 6576)
  - SophosFileScanner.exe (PID: 3116)
  - su-setup64.exe (PID: 7152)
- Reads the computer name
  - Setup.exe (PID: 4876)
  - SophosSetup_Stage2.exe (PID: 6128)
  - su-setup64.exe (PID: 5556)
  - AVRemoveW_.exe (PID: 6876)
  - SubmitTelem.exe (PID: 3268)
  - su-setup64.exe (PID: 5044)
  - su-setup64.exe (PID: 788)
  - SEDService.exe (PID: 6424)
  - SSPService.exe (PID: 7104)
  - su-setup64.exe (PID: 5220)
  - McsAgent.exe (PID: 400)
  - su-setup64.exe (PID: 6012)
  - McsClient.exe (PID: 6432)
  - su-setup64.exe (PID: 7048)
  - SophosFS.exe (PID: 6804)
  - SophosFileScanner.exe (PID: 4692)
  - SophosFileScanner.exe (PID: 5000)
  - su-setup32.exe (PID: 7132)
  - SophosHealth.exe (PID: 1332)
  - su-setup64.exe (PID: 5112)
  - Sophos UI.exe (PID: 7020)
  - su-setup64.exe (PID: 208)
  - su-setup64.exe (PID: 6520)
  - su-setup64.exe (PID: 7068)
  - su-setup64.exe (PID: 1084)
  - su-setup64.exe (PID: 6576)
  - SophosFileScanner.exe (PID: 6332)
  - SophosLiveQueryService.exe (PID: 3880)
  - su-setup64.exe (PID: 7152)
- Reads the software policy settings
  - Setup.exe (PID: 4876)
  - SophosSetup_Stage2.exe (PID: 6128)
  - su-setup64.exe (PID: 5556)
  - SubmitTelem.exe (PID: 3268)
  - su-setup64.exe (PID: 5044)
  - su-setup64.exe (PID: 788)
  - SSPService.exe (PID: 7104)
  - su-setup64.exe (PID: 5220)
  - McsAgent.exe (PID: 400)
  - su-setup64.exe (PID: 6012)
  - SophosSSEValidator.exe (PID: 4344)
  - McsClient.exe (PID: 6432)
  - su-setup64.exe (PID: 7048)
  - SophosFSVerify.exe (PID: 1116)
  - SophosFileScanner.exe (PID: 5000)
  - su-setup32.exe (PID: 7132)
  - su-setup64.exe (PID: 5112)
  - Sophos UI.exe (PID: 7020)
  - su-setup64.exe (PID: 208)
  - su-setup64.exe (PID: 6520)
  - SophosSMEValidator.exe (PID: 904)
  - SophosSMEValidator.exe (PID: 6304)
  - SophosSMEValidator.exe (PID: 2568)
  - su-setup64.exe (PID: 7068)
  - su-setup64.exe (PID: 1084)
  - su-setup64.exe (PID: 6576)
  - SophosFileScanner.exe (PID: 3116)
  - su-setup64.exe (PID: 7152)
- Reads product name
  - Setup.exe (PID: 4876)
  - SophosSetup_Stage2.exe (PID: 6128)
  - su-setup64.exe (PID: 5556)
  - AVRemoveW.exe (PID: 1700)
  - AVRemoveW_.exe (PID: 6876)
  - SubmitTelem.exe (PID: 3268)
  - su-setup64.exe (PID: 5044)
  - su-setup64.exe (PID: 788)
  - su-setup64.exe (PID: 5220)
  - McsAgent.exe (PID: 400)
  - su-setup64.exe (PID: 6012)
  - McsClient.exe (PID: 6432)
  - su-setup64.exe (PID: 7048)
  - SophosFS.exe (PID: 6804)
  - su-setup32.exe (PID: 7132)
  - SophosHealth.exe (PID: 1332)
  - su-setup64.exe (PID: 5112)
  - su-setup64.exe (PID: 208)
  - su-setup64.exe (PID: 6520)
  - su-setup64.exe (PID: 7068)
  - su-setup64.exe (PID: 1084)
  - su-setup64.exe (PID: 6576)
  - su-setup64.exe (PID: 7152)
- Reads Environment values
  - Setup.exe (PID: 4876)
  - SophosSetup_Stage2.exe (PID: 6128)
  - su-setup64.exe (PID: 5556)
  - AVRemoveW.exe (PID: 1700)
  - AVRemoveW_.exe (PID: 6876)
  - SubmitTelem.exe (PID: 3268)
  - su-setup64.exe (PID: 5044)
  - su-setup64.exe (PID: 788)
  - su-setup64.exe (PID: 5220)
  - McsAgent.exe (PID: 400)
  - su-setup64.exe (PID: 6012)
  - McsClient.exe (PID: 6432)
  - su-setup64.exe (PID: 7048)
  - su-setup32.exe (PID: 7132)
  - SophosFS.exe (PID: 6804)
  - su-setup64.exe (PID: 5112)
  - SophosHealth.exe (PID: 1332)
  - su-setup64.exe (PID: 6520)
  - su-setup64.exe (PID: 208)
  - su-setup64.exe (PID: 7068)
  - su-setup64.exe (PID: 1084)
  - su-setup64.exe (PID: 6576)
  - su-setup64.exe (PID: 7152)
- Checks operating system version
  - AVRemoveW_.exe (PID: 6876)
- Reads CPU info
  - SEDService.exe (PID: 6424)
- Reads the time zone
  - SEDService.exe (PID: 6424)
- Creates files or folders in the user directory
  - Sophos UI.exe (PID: 7020)
- Checks proxy server information
  - Sophos UI.exe (PID: 7020)
- Manual execution by a user
  - Sophos UI.exe (PID: 7020)
- Potential remote process memory interaction (Base64 Encoded 'VirtualAllocEx')
  - SophosFileScanner.exe (PID: 5000)
- Potential remote process memory writing (Base64 Encoded 'WriteProcessMemory')
  - SophosFileScanner.exe (PID: 5000)
- UPX packer has been detected
  - SophosFileScanner.exe (PID: 5000)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:05:17 15:23:27+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.29
CodeSize:	222720
InitializedDataSize:	1732608
UninitializedDataSize:	-
EntryPoint:	0x18b00
OSVersion:	6.1
ImageVersion:	-
SubsystemVersion:	6.1
Subsystem:	Windows GUI
FileVersionNumber:	1.20.627.0
ProductVersionNumber:	1.20.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (British)
CharacterSet:	Unicode
Comments:	d767e1c6d9d6ee9844e17c59f1d00c2c411bc542
CompanyName:	Sophos Limited
FileDescription:	Sophos Setup
FileVersion:	1.20.627.0
InternalName:	SophosSetup.exe
LegalCopyright:	Copyright 1989-2024 Sophos Limited. All rights reserved.
OriginalFileName:	SophosSetup.exe
ProductName:	Sophos Setup
ProductVersion:	1.2

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

177

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

208

C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sed64\SEDcli.exe

—

su-setup64.exe

User:

admin

Company:

Sophos Limited

Integrity Level:

HIGH

Description:

Sophos Endpoint Defense Software

Exit code:

Version:

3.3.0.1755

Modules

Images
c:\programdata\sophos\autoupdate\cache\decoded\sed64\sedcli.exe
c:\windows\system32\ntdll.dll

208

"C:\Program Files (x86)\Sophos\CloudInstaller\su-setup64.exe" --quiet

C:\Program Files (x86)\Sophos\CloudInstaller\su-setup64.exe

SophosSetup_Stage2.exe

User:

admin

Company:

Sophos Limited

Integrity Level:

HIGH

Description:

Sophos Update 64-bit Setup Runner

Exit code:

Version:

6.17.985

Modules

Images
c:\program files (x86)\sophos\cloudinstaller\su-setup64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

400

"C:\Program Files (x86)\Sophos\Management Communications System\Endpoint\McsAgent.exe"

C:\Program Files (x86)\Sophos\Management Communications System\Endpoint\McsAgent.exe

services.exe

User:

SYSTEM

Company:

Sophos Limited

Integrity Level:

SYSTEM

Description:

Sophos MCS Agent Service

Version:

2024.2.611

Modules

Images
c:\program files (x86)\sophos\management communications system\endpoint\mcsagent.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

460

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

su-setup64.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

788

"C:\Program Files (x86)\Sophos\CloudInstaller\su-setup64.exe" --quiet

C:\Program Files (x86)\Sophos\CloudInstaller\su-setup64.exe

SophosSetup_Stage2.exe

User:

admin

Company:

Sophos Limited

Integrity Level:

HIGH

Description:

Sophos Update 64-bit Setup Runner

Exit code:

Version:

6.17.985

Modules

Images
c:\program files (x86)\sophos\cloudinstaller\su-setup64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

904

"C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sme64\SophosSMEValidator.exe" "C:\Program Files\Sophos\Sophos ML Engine\ML1\docmodel\17247802577140511"

C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sme64\SophosSMEValidator.exe

—

su-setup64.exe

User:

admin

Company:

Sophos Limited

Integrity Level:

HIGH

Description:

Sophos ML Engine validator tool

Exit code:

Version:

1.9.0.154

Modules

Images
c:\programdata\sophos\autoupdate\cache\decoded\sme64\sophossmevalidator.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

1084

"C:\Program Files (x86)\Sophos\CloudInstaller\su-setup64.exe" --quiet

C:\Program Files (x86)\Sophos\CloudInstaller\su-setup64.exe

SophosSetup_Stage2.exe

User:

admin

Company:

Sophos Limited

Integrity Level:

HIGH

Description:

Sophos Update 64-bit Setup Runner

Exit code:

Version:

6.17.985

Modules

Images
c:\program files (x86)\sophos\cloudinstaller\su-setup64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

1108

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

su-setup64.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1116

C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sfs64\SophosFSVerify.exe

—

su-setup64.exe

User:

admin

Company:

Sophos Limited

Integrity Level:

HIGH

Description:

Sophos File Scanner data verifier

Exit code:

Version:

1.12.0.313

Modules

Images
c:\programdata\sophos\autoupdate\cache\decoded\sfs64\sophosfsverify.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

1332

"C:\Program Files (x86)\Sophos\Health\SophosHealth.exe"

C:\Program Files (x86)\Sophos\Health\SophosHealth.exe

—

services.exe

User:

SYSTEM

Company:

Sophos Limited

Integrity Level:

SYSTEM

Description:

Sophos Health Service

Version:

2.14.338

Modules

Images
c:\program files (x86)\sophos\health\sophoshealth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

Add for printing

Total events

146 138

Read events

142 332

Write events

3 737

Delete events

Modification events


(PID) Process:	(6128) SophosSetup_Stage2.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Sophos Endpoint Defense\TamperProtection\Components\INSTALLER
Operation:	write	Name:	IntegrityPath
Value: C:\Program Files (x86)\Sophos\CloudInstaller\integrity.dat
(PID) Process:	(6128) SophosSetup_Stage2.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Sophos Endpoint Defense\TamperProtection\Components\INSTALLER
Operation:	delete value	Name:	IntegrityDat
Value:
(PID) Process:	(6128) SophosSetup_Stage2.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Sophos Endpoint Defense\TamperProtection\Components\INSTALLER
Operation:	write	Name:	Enable
Value: 1
(PID) Process:	(6128) SophosSetup_Stage2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Health\CloudInstaller
Operation:	write	Name:	IsInstalling
Value: 1
(PID) Process:	(6128) SophosSetup_Stage2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\UpdateStatus
Operation:	write	Name:	BlockUpdates
Value: 1
(PID) Process:	(6128) SophosSetup_Stage2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate\UpdateStatus
Operation:	delete value	Name:	LastSyncedTime
Value:
(PID) Process:	(6128) SophosSetup_Stage2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\AutoUpdate
Operation:	write	Name:	InstallIncomplete
Value: 1
(PID) Process:	(6128) SophosSetup_Stage2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\Authority\20240827173644851952
Operation:	write	Name:	deviceId
Value: b450fe3a-f488-48a6-9905-93fc068027d0
(PID) Process:	(6128) SophosSetup_Stage2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\Authority\20240827173644851952
Operation:	write	Name:	registration_token
Value: 688b397b8b458a1735d7f3f2bd48c1c24f528d2f5f0122ec3dc9c9c311b0e5e6
(PID) Process:	(6128) SophosSetup_Stage2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\Authority\20240827173644851952
Operation:	write	Name:	tenantId
Value: 090e5e2b-3c34-495a-a4f9-c7e0a7e27773

Add for printing

Executable files

847

Suspicious files

1 346

Text files

809

Unknown types

Dropped files

PID	Process	Filename		Type
6472	SophosSetup.exe	C:\Users\admin\AppData\Local\Temp\SophosSetup-290581812\Setup.exe		executable
		MD5:9F057CFE665C40AB2CE66953EC021A15	SHA256:D090AF7CC0C4B666C76CFD5C23213095133E9A3B4177D55846EEAD7A6B394968
4876	Setup.exe	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\Management Certs\sophosca3.crl		der
		MD5:9DEC7DBA2A6449FA5457740FBEF79D01	SHA256:D1FD764F8A1BBF5FCEBA137F1B09EB6B76EC8F868C60B176DB43ECC0D40D2797
4876	Setup.exe	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\Management Certs\sophosca4.crt		der
		MD5:150C183892DE69BDCBEA89E8F59AC9DA	SHA256:4D44A6BA0CE8FC3771C6BC95D385AAA944AABDCD2D908D87EF5CA20418BF5D90
4876	Setup.exe	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\Management Certs\sophosca3.crt		der
		MD5:608B95A5138684796FE2B57AD00DAC03	SHA256:AB9DC99032C498691A788817D5AF925EF0580F32904DEFE58B7A52D971D8BEC4
4876	Setup.exe	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\ManifestCerts\rootca384.crl		text
		MD5:EE71956F99740A9E15BBBD4E71B76F2F	SHA256:865C9E89A44090820AC85EF791428B807E023AE7CCD23AEEFF7E3E98FE552EA5
4876	Setup.exe	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\SDDS3.dll		executable
		MD5:1EC8B54B89D8545B6CAC00D9AC39EF5E	SHA256:2B0597513F71360AAC78F047C75A16C7693BBC50925587777D001A924849A9FD
4876	Setup.exe	C:\ProgramData\Sophos\CloudInstaller\Logs\SophosCloudInstaller_20240827_173249.log		text
		MD5:FA30958FA3EEBBEE400A478BB59396A8	SHA256:CAF2CF6F594BB64D08F4BA0FDDB897D06705FD5FCF237C8D79C6206DAB1B44F1
4876	Setup.exe	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\SophosACSenabledTest.exe		executable
		MD5:9BE4885AB94F7E72C9922E42F716A00E	SHA256:7EB2F4BFAFA455D1E6B32BEA5C860F72E7D6D2F7FAF657C6ED02D38190CCD39F
4876	Setup.exe	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\Management Certs\sophosca1.crt		der
		MD5:9608EDF834FE19C2BF34CC00F954ECA5	SHA256:653E1A599023B1EB88AB96137238D978529A070B828DD3309800BD131D8FFAF3
4876	Setup.exe	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\integrity.dat		text
		MD5:D84CDD1D0AA7AF11461FD904A2F8C361	SHA256:955918CA902367F9AE06828CC12344A9B953E5F06CD28E9E90BCB874CEDEB556

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3652	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6644	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
7020	Sophos UI.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D	unknown	—	—	whitelisted
6644	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7020	Sophos UI.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAnKajHVVe7kGFMvSuSsOMs%3D	unknown	—	—	whitelisted
7020	Sophos UI.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
6012	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4876	Setup.exe	35.167.49.145:443	dzr-api-amzn-us-west-2-fa88.api-upe.p.hmr.sophos.com	AMAZON-02	US	suspicious
3260	svchost.exe	40.113.103.199:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4876	Setup.exe	23.32.101.218:443	downloads.sophos.com	AKAMAI-AS	SE	suspicious
3652	svchost.exe	20.190.159.64:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3652	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
6128	SophosSetup_Stage2.exe	52.36.116.97:443	mcs2-cloudstation-us-west-2.prod.hydra.sophos.com	AMAZON-02	US	suspicious

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
google.com	216.58.206.46	whitelisted
dzr-api-amzn-us-west-2-fa88.api-upe.p.hmr.sophos.com	35.167.49.145 44.231.218.76 35.155.235.33	unknown
client.wns.windows.com	40.113.103.199	whitelisted
downloads.sophos.com	23.32.101.218	unknown
login.live.com	20.190.159.64 20.190.159.23 40.126.31.71 20.190.159.68 20.190.159.71 40.126.31.69 20.190.159.73 20.190.159.75	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
mcs2-cloudstation-us-west-2.prod.hydra.sophos.com	52.36.116.97 35.167.108.100 44.236.37.221 35.82.200.5 35.164.115.124 35.81.138.165 54.191.26.217 52.89.196.94 34.213.68.175 54.149.203.221 52.34.189.221	unknown
sus.sophosupd.com	34.252.198.134 52.208.129.145 34.248.185.70	unknown
sdds3.sophosupd.com	23.197.125.59	unknown

Threats

No threats detected

Add for printing

Process	Message
McsAgent.exe	CorcAdapter entering DllMain
McsAgent.exe	CorcAdapter attaching process
McsAgent.exe	CorcAdapter leaving DllMain
McsAgent.exe	CoreEndpointAdapter entering DllMain
McsAgent.exe	CoreEndpointAdapter attaching process
McsAgent.exe	CoreEndpointAdapter leaving DllMain
McsAgent.exe	CorcAdapter entering DllMain
McsAgent.exe	CorcAdapter attaching thread
McsAgent.exe	CorcAdapter leaving DllMain
McsAgent.exe	CoreEndpointAdapter entering DllMain

General Info

SophosSetup.exe

0DC7BA590031512F011F1FEC30967119

8F61F9C5DB959DA42980EBA1A2B95330D9BC55B8

6A432BDD2CBF274B6C50413C6B353481AC27B490DAC3F9D47459F9AD84F69D80

98304:dDdEcEiN9/UTMNG3DcCzWi935jXE1gM4lF+QlXW/djfUmgN7GETTMN2:mrF

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Antivirus name has been found in the command line (generic signature)

Changes the autorun value in the registry

MIMIKATZ has been detected (YARA)

SUSPICIOUS

Drops the executable file immediately after the start

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Checks Windows Trust Settings

Process drops legitimate windows executable

Process drops python dynamic module

The process verifies whether the antivirus software is installed

Drops a system driver (possible attempt to evade defenses)

The process drops C-runtime libraries

Starts CMD.EXE for commands execution

Searches for installed software

Loads Python modules

Creates a software uninstall entry

Creates or modifies Windows services

Creates files in the driver directory

Executes as Windows Service

Application launched itself

Creates/Modifies COM task schedule object

Found regular expressions for crypto-addresses (YARA)

There is functionality for communication over UDP network (YARA)

Process checks is Powershell's Script Block Logging on

INFO

Checks supported languages

Create files in a temporary directory

Creates files in the program directory

Reads the machine GUID from the registry

Reads the computer name

Reads the software policy settings

Reads product name

Reads Environment values

Checks operating system version

Reads CPU info

Reads the time zone

Creates files or folders in the user directory

Checks proxy server information

Manual execution by a user

Potential remote process memory interaction (Base64 Encoded 'VirtualAllocEx')

Potential remote process memory writing (Base64 Encoded 'WriteProcessMemory')

UPX packer has been detected

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information