49b435d938239975d31e20324d9866d51e7393e7ee95383ac1218b43fc21f959

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/04/2024, 02:52 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02413a142a6ff850f4507f30e23984ad_JaffaCakes118.exe
Size

1.5MB
MD5

02413a142a6ff850f4507f30e23984ad
SHA1

56f00cabfab5bb3c44928a1fe80e6ab6f33f733d
SHA256

49b435d938239975d31e20324d9866d51e7393e7ee95383ac1218b43fc21f959
SHA512

c434a5c6566e98a797ad9db5e8f2665e45a6e5860f3bee886811b7c2348a59107b4f118c81a78cab007a2b5b634d5d35a2bf20969a3f575cb92385830aa97181
SSDEEP

24576:W/5CxBM5TnPFGfOBb5Xwysf+QyzCIKWQpMGztVN7hrq0/e5pKgkMF4MOTTubGh/L:W/5CxBM5BGfU1wyshY5xWztVhdb8pKgU

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 44 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\SDDS3.dll	Setup.exe
File created	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\ManifestCerts\rootca.crl	Setup.exe
File opened for modification	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\Management Certs\sophosca3.crl	Setup.exe
File opened for modification	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\Management Certs\sophosca3.crt	Setup.exe
File opened for modification	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\ManifestCerts\rootca.crt	Setup.exe
File opened for modification	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\ManifestCerts\rootca384.crt	Setup.exe
File opened for modification	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\su-setup32.exe	Setup.exe
File created	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\sof.dat	Setup.exe
File created	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\SUL.dll	Setup.exe
File created	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\Management Certs\sophosca3.crt	Setup.exe
File opened for modification	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\Management Certs\sophosca4.crl	Setup.exe
File opened for modification	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\scf.dat	Setup.exe
File opened for modification	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\SophosSetup_Stage2.exe	Setup.exe
File created	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\su-setup32.exe	Setup.exe
File created	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\Management Certs\sophosca4.crl	Setup.exe
File created	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\ManifestCerts\rootca.crt	Setup.exe
File opened for modification	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\su-setup64.exe	Setup.exe
File created	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\manifest.dat	Setup.exe
File created	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\scf.dat	Setup.exe
File created	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\Management Certs\sophosca1.crt	Setup.exe
File created	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\Management Certs\sophosca3.crl	Setup.exe
File opened for modification	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\Management Certs\sophosca1.crl	Setup.exe
File opened for modification	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\manifest.dat	Setup.exe
File created	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\Management Certs\sophosca2.crl	Setup.exe
File created	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\Management Certs\sophosca4.crt	Setup.exe
File created	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\ManifestCerts\rootca384.crl	Setup.exe
File opened for modification	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\ManifestCerts\rootca.crl	Setup.exe
File opened for modification	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\ManifestCerts\rootca384.crl	Setup.exe
File created	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\Management Certs\sophosca2.crt	Setup.exe
File created	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\ManifestCerts\rootca384.crt	Setup.exe
File opened for modification	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\integrity.dat	Setup.exe
File opened for modification	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\Management Certs\sophosca2.crl	Setup.exe
File opened for modification	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\Management Certs\sophosca2.crt	Setup.exe
File opened for modification	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\Management Certs\sophosca4.crt	Setup.exe
File opened for modification	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\SophosACSenabledTest.exe	Setup.exe
File created	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\SophosACSenabledTest.exe	Setup.exe
File created	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\SophosSetup_Stage2.exe	Setup.exe
File created	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\Management Certs\sophosca1.crl	Setup.exe
File opened for modification	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\SDDS3.dll	Setup.exe
File opened for modification	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\sof.dat	Setup.exe
File created	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\integrity.dat	Setup.exe
File created	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\su-setup64.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\Management Certs\sophosca1.crt	Setup.exe
File opened for modification	C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\SUL.dll	Setup.exe

Executes dropped EXE 2 IoCs

pid	Process
320	Setup.exe
1564	SophosSetup_Stage2.exe

Loads dropped DLL 2 IoCs

pid	Process
2340	02413a142a6ff850f4507f30e23984ad_JaffaCakes118.exe
320	Setup.exe

Modifies system certificate store 2 TTPs 14 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Setup.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	1564	SophosSetup_Stage2.exe
Token: SeRestorePrivilege	1564	SophosSetup_Stage2.exe
Token: SeShutdownPrivilege	1564	SophosSetup_Stage2.exe
Token: SeBackupPrivilege	1564	SophosSetup_Stage2.exe
Token: SeRestorePrivilege	1564	SophosSetup_Stage2.exe
Token: SeSecurityPrivilege	1564	SophosSetup_Stage2.exe
Token: SeTakeOwnershipPrivilege	1564	SophosSetup_Stage2.exe
Token: SeBackupPrivilege	1564	SophosSetup_Stage2.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 320	2340	02413a142a6ff850f4507f30e23984ad_JaffaCakes118.exe	28
PID 2340 wrote to memory of 320	2340	02413a142a6ff850f4507f30e23984ad_JaffaCakes118.exe	28
PID 2340 wrote to memory of 320	2340	02413a142a6ff850f4507f30e23984ad_JaffaCakes118.exe	28
PID 2340 wrote to memory of 320	2340	02413a142a6ff850f4507f30e23984ad_JaffaCakes118.exe	28
PID 2340 wrote to memory of 320	2340	02413a142a6ff850f4507f30e23984ad_JaffaCakes118.exe	28
PID 2340 wrote to memory of 320	2340	02413a142a6ff850f4507f30e23984ad_JaffaCakes118.exe	28
PID 2340 wrote to memory of 320	2340	02413a142a6ff850f4507f30e23984ad_JaffaCakes118.exe	28
PID 320 wrote to memory of 1564	320	Setup.exe	29
PID 320 wrote to memory of 1564	320	Setup.exe	29
PID 320 wrote to memory of 1564	320	Setup.exe	29
PID 320 wrote to memory of 1564	320	Setup.exe	29
PID 320 wrote to memory of 1564	320	Setup.exe	29
PID 320 wrote to memory of 1564	320	Setup.exe	29
PID 320 wrote to memory of 1564	320	Setup.exe	29

C:\Users\Admin\AppData\Local\Temp\02413a142a6ff850f4507f30e23984ad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02413a142a6ff850f4507f30e23984ad_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Temp\sfl-20d167f0\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\sfl-20d167f0\Setup.exe"
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Program Files (x86)\Sophos\CloudInstaller\SophosSetup_Stage2.exe
    "C:\Program Files (x86)\Sophos\CloudInstaller\SophosSetup_Stage2.exe" --mgmtserver="mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com" --logfile="C:\ProgramData\Sophos\CloudInstaller\Logs\SophosCloudInstaller_20240427_025258.log" --parentpid="320" --products="all" --customertoken="f5286456-06b3-4ba3-9c28-3b5c27d2e3c7" --pipewritehandle="1340" --mcscustomerid="76206ae7-2575-3450-29ab-f27e2ce15b8b"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1564

Network

DNS

dzr-api-amzn-eu-west-1-9af7.api-upe.p.hmr.sophos.com

Setup.exe

Remote address:

8.8.8.8:53

Request

dzr-api-amzn-eu-west-1-9af7.api-upe.p.hmr.sophos.com

IN A

Response

dzr-api-amzn-eu-west-1-9af7.api-upe.p.hmr.sophos.com

IN A

34.240.23.103

dzr-api-amzn-eu-west-1-9af7.api-upe.p.hmr.sophos.com

IN A

52.209.81.0

dzr-api-amzn-eu-west-1-9af7.api-upe.p.hmr.sophos.com

IN A

52.19.226.108
POST

https://dzr-api-amzn-eu-west-1-9af7.api-upe.p.hmr.sophos.com/api/download/stage2-details/f5286456-06b3-4ba3-9c28-3b5c27d2e3c7

Setup.exe

Remote address:

34.240.23.103:443

Request

POST /api/download/stage2-details/f5286456-06b3-4ba3-9c28-3b5c27d2e3c7 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/json; charset=utf-8
User-Agent: Sophos Cloud Installer/1.9.100.0
Content-Length: 30
Host: dzr-api-amzn-eu-west-1-9af7.api-upe.p.hmr.sophos.com

Response

HTTP/1.1 200

Date: Sat, 27 Apr 2024 02:53:03 GMT
Content-Type: application/json;charset=UTF-8
Content-Length: 303
Connection: keep-alive
vary: Origin
Set-Cookie: JSESSIONID=E8BC76E7DC0B10D061DA3E681A43C5DC; Path=/; Secure; HttpOnly
Cache-Control: no-store,no-cache,must-revalidate,max-age=0;
Strict-Transport-Security: max-age=31536000
X-XSS-Protection: 1
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Security-Policy: frame-ancestors 'none'
Content-Language: en-US
Server: -
DNS

downloads.sophos.com

Setup.exe

Remote address:

8.8.8.8:53

Request

downloads.sophos.com

IN A

Response

downloads.sophos.com

IN CNAME

prod-san-0-dd.sophosdelivery.edgekey.net

prod-san-0-dd.sophosdelivery.edgekey.net

IN CNAME

e13687.d.akamaiedge.net

e13687.d.akamaiedge.net

IN A

23.220.113.226
GET

https://downloads.sophos.com/full/central/windows/business/installer/stage2-1.19.68.0-6f07e43ad67c5cb69a55bac88932a503df3e4236aa86350e9558f5bf428a8882.tar.gz

Setup.exe

Remote address:

23.220.113.226:443

Request

GET /full/central/windows/business/installer/stage2-1.19.68.0-6f07e43ad67c5cb69a55bac88932a503df3e4236aa86350e9558f5bf428a8882.tar.gz HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: application/gzip
User-Agent: Sophos Cloud Installer/1.9.100.0
Host: downloads.sophos.com

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Type: application/x-gzip
ETag: "bdb3be4cab486c8a5f9574b94cbb438b:1695915613.879034"
Last-Modified: Thu, 28 Sep 2023 15:37:30 GMT
Server: AkamaiNetStorage
Content-Length: 3858959
Cache-Control: max-age=537
Expires: Sat, 27 Apr 2024 03:02:03 GMT
Date: Sat, 27 Apr 2024 02:53:06 GMT
Connection: keep-alive
DNS

mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com

SophosSetup_Stage2.exe

Remote address:

8.8.8.8:53

Request

mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com

IN A

Response

mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com

IN CNAME

mcs-lb-508418437.eu-west-1.elb.amazonaws.com

mcs-lb-508418437.eu-west-1.elb.amazonaws.com

IN A

52.50.221.226

mcs-lb-508418437.eu-west-1.elb.amazonaws.com

IN A

34.251.213.215

mcs-lb-508418437.eu-west-1.elb.amazonaws.com

IN A

52.210.81.136

mcs-lb-508418437.eu-west-1.elb.amazonaws.com

IN A

63.35.63.182

mcs-lb-508418437.eu-west-1.elb.amazonaws.com

IN A

52.16.140.177

mcs-lb-508418437.eu-west-1.elb.amazonaws.com

IN A

54.72.143.238

mcs-lb-508418437.eu-west-1.elb.amazonaws.com

IN A

54.170.2.108

mcs-lb-508418437.eu-west-1.elb.amazonaws.com

IN A

52.214.146.5
GET

https://mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com/sophos/management/ep/install

SophosSetup_Stage2.exe

Remote address:

52.50.221.226:443

Request

GET /sophos/management/ep/install HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/json;charset=UTF-8
Authorization: Basic ZjUyODY0NTYtMDZiMy00YmEzLTljMjgtM2I1YzI3ZDJlM2M3
User-Agent: Sophos Cloud Installer/1.19.68.0
Customer-ID: 76206ae7-2575-3450-29ab-f27e2ce15b8b
Host: mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com

Response

HTTP/1.1 200

Date: Sat, 27 Apr 2024 02:53:14 GMT
Content-Type: application/xml;charset=ISO-8859-1
Content-Length: 168
Connection: keep-alive
Content-Language: en-US
Server: -
POST

https://mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com/sophos/management/ep/install/deployment-info/3

SophosSetup_Stage2.exe

Remote address:

52.50.221.226:443

Request

POST /sophos/management/ep/install/deployment-info/3 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/json;charset=UTF-8
Authorization: Basic ZjUyODY0NTYtMDZiMy00YmEzLTljMjgtM2I1YzI3ZDJlM2M3
User-Agent: Sophos Cloud Installer/1.19.68.0
Customer-ID: 76206ae7-2575-3450-29ab-f27e2ce15b8b
Content-Length: 1356
Host: mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com

Response

HTTP/1.1 200

Date: Sat, 27 Apr 2024 02:53:14 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
vary: accept-encoding
Server: -

34.240.23.103:443

https://dzr-api-amzn-eu-west-1-9af7.api-upe.p.hmr.sophos.com/api/download/stage2-details/f5286456-06b3-4ba3-9c28-3b5c27d2e3c7

tls, http

Setup.exe

1.3kB
6.9kB
10
11

HTTP Request

POST https://dzr-api-amzn-eu-west-1-9af7.api-upe.p.hmr.sophos.com/api/download/stage2-details/f5286456-06b3-4ba3-9c28-3b5c27d2e3c7

HTTP Response

200
23.220.113.226:443

https://downloads.sophos.com/full/central/windows/business/installer/stage2-1.19.68.0-6f07e43ad67c5cb69a55bac88932a503df3e4236aa86350e9558f5bf428a8882.tar.gz

tls, http

Setup.exe

113.9kB
4.0MB
1975
2875

HTTP Request

GET https://downloads.sophos.com/full/central/windows/business/installer/stage2-1.19.68.0-6f07e43ad67c5cb69a55bac88932a503df3e4236aa86350e9558f5bf428a8882.tar.gz

HTTP Response

200
52.50.221.226:443

https://mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com/sophos/management/ep/install/deployment-info/3

tls, http

SophosSetup_Stage2.exe

3.3kB
5.5kB
13
12

HTTP Request

GET https://mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com/sophos/management/ep/install

HTTP Response

200

HTTP Request

POST https://mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com/sophos/management/ep/install/deployment-info/3

HTTP Response

200

8.8.8.8:53

dzr-api-amzn-eu-west-1-9af7.api-upe.p.hmr.sophos.com

dns

Setup.exe

98 B
146 B
1
1

DNS Request

dzr-api-amzn-eu-west-1-9af7.api-upe.p.hmr.sophos.com

DNS Response

34.240.23.103

52.209.81.0

52.19.226.108
8.8.8.8:53

downloads.sophos.com

dns

Setup.exe

66 B
170 B
1
1

DNS Request

downloads.sophos.com

DNS Response

23.220.113.226
8.8.8.8:53

mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com

dns

SophosSetup_Stage2.exe

95 B
278 B
1
1

DNS Request

mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com

DNS Response

52.50.221.226

34.251.213.215

52.210.81.136

63.35.63.182

52.16.140.177

54.72.143.238

54.170.2.108

52.214.146.5

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\Management Certs\sophosca1.crl

Filesize
525B

MD5
48ad0fbb2e473628ca6fbe5f40c1b335

SHA1
4faab71eaea67497af28a8c1fe59e783a431752f

SHA256
3484fe4376803d32c56ba6a850d330651be49e4b69e4de901b2100a80c25d9b9

SHA512
dca8268bb18f3219dbde371f59e6cbf5c622fedbc8ca450c433b03b2c1d87dd599da1c7bcd022ffbf6ac4d0d75b779603874ee1abd594a145214d05642f65f9d

Download Submit
C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\Management Certs\sophosca1.crt

Filesize
1KB

MD5
9608edf834fe19c2bf34cc00f954eca5

SHA1
2277ed5594d385b4fdb3f532e3a48394c1c6f1a2

SHA256
653e1a599023b1eb88ab96137238d978529a070b828dd3309800bd131d8ffaf3

SHA512
a1cfefa8f12f54ab1d1b9e67e0893f2f4cc85bcfbcf9deac8f3eaef699bf336c11fead3ceb0e37453f3b5d7108134870c62494405349de4b0661725f5e0e8293

Download Submit
C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\Management Certs\sophosca2.crl

Filesize
475B

MD5
4512cddf97293ca04baff2337da700b6

SHA1
84d37d4cf345d38182ddf54c928b7d981c75faed

SHA256
de2c59c12a1774610b6c0952ade122028f892dc14bc6b568a44b2220897320d7

SHA512
eb90655188ed2cbd8bfad3cc901c6a0b51cab84ac82201d87a8611366d61d12d96fea3a5ac1e4ec9f048906bb72dc16f1ab19ee1eaafe962c547458f57157bf9

Download Submit
C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\Management Certs\sophosca2.crt

Filesize
1KB

MD5
450b9d35c9a0b33f80d9e8faa29a260a

SHA1
1f20ecb65ac24cb20512c9c4983dcd9bd0d05b6c

SHA256
92e6ccbe80f31db683e4c331b599efc91e593365af8895504a9360c087060d44

SHA512
4baa881f16f4acc75d71f79c36c503ab6e3008574e2dbd3714001cc217f72d0b430f651ac2b99cf5382b9d3f7eb625767a2820d62bcc3f00fff515425b6dfce0

Download Submit
C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\Management Certs\sophosca3.crl

Filesize
738B

MD5
9dec7dba2a6449fa5457740fbef79d01

SHA1
a8e7da73b454e2cb3031d8b45df4748541f56cdd

SHA256
d1fd764f8a1bbf5fceba137f1b09eb6b76ec8f868c60b176db43ecc0d40d2797

SHA512
fa91a1e75ce9ad1860f787e54a20c719498706eeca11d9fb14d5095c6b88be64afe836a772ce6bfd739a5c1ea385c353fc99704d5c82cb51c1b90c5e857d0c27

Download Submit
C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\Management Certs\sophosca3.crt

Filesize
1KB

MD5
608b95a5138684796fe2b57ad00dac03

SHA1
0a2996f1d26f0e9e3a90c333dc7acc3830d3b365

SHA256
ab9dc99032c498691a788817d5af925ef0580f32904defe58b7a52d971d8bec4

SHA512
978c8743174ebe5de00eea6f8d0a9b45d8cc834c0dcd3050dd24d7386f81f8270c50094de5468d529765ab2ba6484378ec89f8b1b8a954845890168a9284c0c5

Download Submit
C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\Management Certs\sophosca4.crl

Filesize
738B

MD5
4c6122725ca25070dc5352617795e105

SHA1
2a3aad2fc6e231e3109ed00467a77c2de570450d

SHA256
91a8b79af85e5a0d451e35ebb5214038777ad80421115e2d6b4f915fef1981a1

SHA512
75ec1d542e175e95b2d5a43aa0a855432e54993568bd6e95a1223deab3849cc102733628845ec02c68104d654e083ac59266da97f93ef321131be929fd3a7e34

Download Submit
C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\Management Certs\sophosca4.crt

Filesize
1KB

MD5
150c183892de69bdcbea89e8f59ac9da

SHA1
a368d1bdc8c44eee589320656200ef2bf597d69f

SHA256
4d44a6ba0ce8fc3771c6bc95d385aaa944aabdcd2d908d87ef5ca20418bf5d90

SHA512
dbba7932d861b5dad1e2ed53a643c5d35baaf1460a58a10486de92b5c7d722a570af5fce631c0f96bf4f6d7f4c4de4e2980b0f34b0948bea9c7f0a15198eeb26

Download Submit
C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\ManifestCerts\rootca.crl

Filesize
678B

MD5
58a298e534a6774cb506e42eea00bbad

SHA1
45369afdfe2508ecfab66d68662bcf8aaf88486b

SHA256
671f4aae65c8fdc2e3d7f49a431adb36e24bd3c5c16e3d188763fd3f2c38028f

SHA512
c94c29e9b4f35a9fb004029b7f3f478e214ca65106bf5337c3ea17f38ec856245d340c3a74160730b2903a97b8512266fe57a5fd18c671b93e57a6aab156d75e

Download Submit
C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\ManifestCerts\rootca.crt

Filesize
1KB

MD5
9a151a43293fc19eedffd2a105962370

SHA1
42d3d2f8db2d57e5ae6d5618e01077135b955065

SHA256
311e7160a6812c6d4b552eb7cd282eb72a8f082bec8b51179794ab979173187c

SHA512
de3dd102e3c5ae35ea7e5784ec174548a5ffca7766c3d27c5bb548d5e8dce2decfe70837c0d26b5fd4475e88e0f0c008315075c3c39702cf64fac9f77053cf21

Download Submit
C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\ManifestCerts\rootca384.crl

Filesize
1KB

MD5
ee71956f99740a9e15bbbd4e71b76f2f

SHA1
2f848ca3ad9d0345ca9c08748a8f4f457ace08ad

SHA256
865c9e89a44090820ac85ef791428b807e023ae7ccd23aeeff7e3e98fe552ea5

SHA512
5d0393fef86ba0188b63842c37dc71adbdf71b87dbb29d41dcc68648272bf51f1c2f4054106fb33b2033ac4c6859bb2d3372aa33e61cf1eb547961d9886ae9e8

Download Submit
C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\ManifestCerts\rootca384.crt

Filesize
2KB

MD5
75a97f3f179ccc3a1b8617b6938b38a2

SHA1
9f6c3e0a399e9ff5ad70a85ae6310a2a2367119e

SHA256
a034c29f8b46a303216f9e3a52aafbdedb864dede8cf632df05fd6d10e381fdb

SHA512
5488c0440716d37ea4dda10fad6ed4ce21d613c7aec9588741aa8740e2440e3f7ef1b6cd49de851b38153effe8943c8743aff8f57dcede25870528b7ab550250

Download Submit
C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\SDDS3.dll

Filesize
1.4MB

MD5
5bc3f80cebc8c48c3ee15f5b2e727eee

SHA1
12e8c962efeef7c82b59abfd01e5a64ac7439434

SHA256
bd721eee471feee64c758fadadf72ca9a684d95af00a24dc9c1b0894e4de6f6d

SHA512
39b5f2c2764c47c49ca4c009823b17d53f9a2337f73842178a230cd412fbc159adf1ab01d1074291627c077e2d0e3660dc995caaa8e41c60e62a4fd6e0318522

Download Submit
C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\SUL.dll

Filesize
1.5MB

MD5
8ac6eea1695b3edf7c38d3044ab4e956

SHA1
e4cff9fa489d3c570036a50c63f2180169e6ec2d

SHA256
8b605fa28fb4a85a4911db934b8c67175edc3751a0b410a72bd521007cbd189c

SHA512
6779e6cdc966fba8a7c89de5da0e9d0a813520ec87f9bf74fa88b7fe1df6b610e62d1035dca849eec231a28749be312bab317b63d98c855a5ff6377c6f31d94c

Download Submit
C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\SophosACSenabledTest.exe

Filesize
542KB

MD5
877d56f2d39a90e719d49205b7a2f98c

SHA1
832cf5ed60962452d2a621ac528b8b496f3b4c91

SHA256
48e939c0078ee9c85a12fcd806fdd3dc85c97091f41c01bcd757dc36ba741703

SHA512
230e46a7d10323b24389f4b8ae5b697a052ef653f498747d81540aab6f4499b5fa70bc5d87f3d5a2bc58d9a03f382d341c84725e3f172a052d8951b3d7ab51a4

Download Submit
C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\SophosSetup_Stage2.exe

Filesize
2.4MB

MD5
672ea436a21a6cf21a377dce3682f0bc

SHA1
1541095a257ab3d421212d5391093d4142eca3c7

SHA256
0525eebcececccc1ea4ac38369454a7113d3853a168af6895219cc019aa8664b

SHA512
af3eadb731a0b387fa094476512b1e65166f70847ed17c8283d2a65c9c2d5c3a11848751549a105a20d8d8da564f01d0f265456560547831fef49b6327bb0190

Download Submit
C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\integrity.dat

Filesize
1KB

MD5
ec5b701cd8513b6cc33bcdd46225f9dd

SHA1
5cd5348b961337d0dfa1f0f94da2bed2f0fbfc32

SHA256
b44d347974a2e7a2a48efbff88c00f50c4b73a86f7a03825926aa4d18dd03e42

SHA512
953730abcb4d81000d38bba04f5dbbe7722a0df25668fe2b4f7140b4501678ac1f1cec842b383a1fcf8a0b23033993078b5b4bb54470f9867d39ac29a1967ea6

Download Submit
C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\manifest.dat

Filesize
10KB

MD5
37a163b5d914fc9999a72e4e7b6dc21c

SHA1
620f1ece3baa4896ee412582eff8daa28cca46b7

SHA256
c63727a6eafe7bb3c75462f4a07d5d4d8418b0da54273e7f39327bd4bd8f4eb8

SHA512
3af5448ccc6b5eabcfdfb59579eec3bff58b4c7a1ce30b674a536e1bacafabdb2f12ad5f60b9ed0b7d6352051ca47349d949d271333110596dbd033987717d08

Download Submit
C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\scf.dat

Filesize
2KB

MD5
530485525bd99b771d5156dd23be5c1b

SHA1
54a90a630d15a0dfa599f93428b212a5c3c52755

SHA256
d5122977adc902fbceea40a20762801b00b7c090006e101a3a7e4fb6608405dd

SHA512
867bdf5691828cba5803ff36117b87a2332118d35215acd98f12eb6836fb6c04f4fcb01e9ce35ff1571d62910816a04d396cf547988f4c5fad17dbb59414c3d5

Download Submit
C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\sof.dat

Filesize
2KB

MD5
69336b104353609b7ce0a05561cadfe6

SHA1
91c60feac646098637b0dddc285a7df6e47ba8de

SHA256
0ebd0aa29020b9c1fbcaacadabc0b7833a72540aa214c59b30f54e56b6409b04

SHA512
5c4814f26b7198316c4bdc37fbcb8ef4f0fcd8f86147abbc064934c5993389150fb3b6c44ea84cd135f8e417fcd30e3090af6577846974f056403a230ff70e2b

Download Submit
C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\su-setup32.exe

Filesize
926KB

MD5
02c0ee597853e8cfb7923a402804a6bc

SHA1
61c13a6547192ca3d11be8e30cfc1a7e025335cf

SHA256
b5ee5cc0ab0391c21bde7ca46506d4b15cf1715687faaf14f3ea2372d863e260

SHA512
c82e5b631fbd2b60f15dc491f9fb00740f95a602e9f0b02dfb39f96b5bc13e89cccdc27797455051c3f32ed8200604d09dbb4e34436d13fd0305c5d4434531a5

Download Submit
C:\Program Files (x86)\Sophos\CloudInstaller\extract_cache\su-setup64.exe

Filesize
1.0MB

MD5
7dc71d41a389c282e35df495fee98244

SHA1
6a1b5f4f92db2aea5ac788ff185fd83b9732b091

SHA256
0e9a6b9d0481a0f9aa49e6f53bc87414ecb84a6d45ef301f6abfde07a8e894a4

SHA512
00096f743d0a671c9cb030e7b64b84445ae7899b843790318f176af416bedc462a8b74c68470b1b38fc845d3818fa490e742d216e69e2b0416cd678ac2c9d6f6

Download Submit
C:\ProgramData\Sophos\CloudInstaller\Logs\SophosCloudInstaller_20240427_025258.log

Filesize
3KB

MD5
e0f6432447946e0cca1b9ba347de8cb7

SHA1
2314474ea3e7f8a172f7a1bd2cb3d73223ab63ad

SHA256
c95774605470aa2fe30b02c26987fa0a6262bb28e23cdd7f029f3adf307e570a

SHA512
ea9771817547ff9a98e13bea38047d2eae6c838ebe3b848daeecf32686e62ff939875b5e7babf5ec4ae142f563ced06fb48007e026ec8446c65dc6c5ced79797

Download Submit
C:\ProgramData\Sophos\CloudInstaller\Logs\SophosCloudInstaller_20240427_025258.log

Filesize
4KB

MD5
7702bbf7fe6194a4729d2d5652b75af4

SHA1
4f0f2f21bc20763fea058d669d235ba70b329304

SHA256
68b12821815e116b14419eff1420d39f3682335717bc8611681b55e85486db2e

SHA512
bd18b00c87ff0d45e2a3d0f09e5e802dbe79f137fb05170b20f61e875aee4f7d18edd1cd9325b7fe6e5cbd42a22258f643e3c669cddae4ed9b05161271486fbc

Download Submit
C:\ProgramData\Sophos\CloudInstaller\Logs\SophosCloudInstaller_20240427_025258.log

Filesize
8KB

MD5
9c75e7b53835eac0b4d90baabdffab5a

SHA1
6c20b1744d6bdf819d0ce1cac11b8cd5bee0d132

SHA256
5cfc861c280245b6632b098e1579018b4b97ac3126e9e39450adc6b34f57e405

SHA512
458c5b0f976e0dc096df60242f133d52f7d7b1d13d65fb042cbac11180a29227735927f6c7914b0cba4ce8556888668a147256c13557a7acca9e1cac4f2b79b1

Download Submit
C:\ProgramData\Sophos\CloudInstaller\Logs\SophosCloudInstaller_20240427_025258.log

Filesize
1KB

MD5
e5512e781e0ce03bd19c07f88bc17a80

SHA1
bd373dd2b16a5d00c262d5ff512ee773a2099dc3

SHA256
e9b3183d2143d5ee1e2d65f5d289660f0e19a4ffc4b01a084410c71b219a36b0

SHA512
b9564ea44619d73d9881636ac8318fe95b993f2ed3514c56289c518fedfb1068a1a15d9fe5fd7edd1dc55e19b4b6efd91fde84c67d9ee96d15eb67aa44362e2d

Download Submit
C:\ProgramData\Sophos\CloudInstaller\Logs\SophosCloudInstaller_20240427_025258.log

Filesize
1KB

MD5
3fed7df7c5037e3ecceafe704ae00e94

SHA1
1fe103deaeea98fa0e963eefa5d23b598670a9fd

SHA256
0f65373d0545b715a44d9f04952c04117d11636f6929849b1460df46ae082951

SHA512
4160212650321ad9a72ed3c4984c142bf45262a28a1fb4d0d28e2d57170f8c05871085c91653755e8b41c963733e5133d52f2361429cbd4200f592eae570f013

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
96b79bd2c06e41e08bc2f7592888764b

SHA1
c462d27fc6dd0d38f819374b2d6f72f571f8787e

SHA256
c05db603d3f8600dfeff3159e89efdf95e1c450f8ce02c6a65dbf2c53e1fab60

SHA512
21109af54f2bf33a49c7d3145f7df0972a95c7e3744c806047671c8ddc41aff5182d1e2884419794406673c509e837458d6151f162af1e88129e1dbf56819bb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
663e63993cf9b76be801243ab91196f7

SHA1
94a3b60a05a70aa34dc887bd26fe6abc55bb6442

SHA256
37afe49b68d9b33764e9338a205c9dbaeb5c7da418e553d94a4f8b9a077ab65d

SHA512
1c6fcf64720e1d30bc425b5a2520bd381bbcacc375ac8dcd7df5ae4afe2d18aec2b91611e7346ce22e07773d07d620dc2771c6f9ade84591660e9e1dc8453fd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1E9A.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1EAD.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2C23.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\sfl-20d167f0\Setup.exe

Filesize
1.4MB

MD5
b85fdcf416d12064cc8ec74c2f098f02

SHA1
934a61b9201bc13ce6b811cde8e948353bec4de4

SHA256
449b84b17c0ab938d00a8065f9a5328622aa190dae0224adb9b0477b0be21263

SHA512
32c7aa0adc30d38effbcf48d9d0190e10dd4081eb2c30307777e27ed0be2bc9706c803eb3db7fd69d0a35d10a24524d6b0e232321ed92cee11e637827fbc0dbc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.