9751d01299270b84b646d5af4f68a29611af77555264124ef8b6cd5a6b3a2f33

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23/04/2024, 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe
Size

16.6MB
MD5

85663857ec7c70482d07af1483ddad0a
SHA1

051ca5dfc2d40b9f07a0b276be7f9df745af5d3b
SHA256

9751d01299270b84b646d5af4f68a29611af77555264124ef8b6cd5a6b3a2f33
SHA512

973a024451b0ed01852e2b0b460036d24a720d5caa30a088ba88659676ff657fc18903312af27d0926dd55e0f0eca71b7cae540b555434a7e609a5651d8800c1
SSDEEP

393216:zUpbmECWMXWGL4risPkBI2LL+AHT+WHEGjiH3b:wpbCWMerib9LraWHmr

Score

9^/10

discovery upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 38 IoCs

resource	yara_rule
behavioral1/files/0x0006000000016d27-195.dat	UPX
behavioral1/files/0x0006000000016d1f-232.dat	UPX
behavioral1/memory/2960-238-0x0000000073EC0000-0x0000000073FBC000-memory.dmp	UPX
behavioral1/files/0x000500000001922d-237.dat	UPX
behavioral1/memory/2960-241-0x0000000073D60000-0x0000000073E7C000-memory.dmp	UPX
behavioral1/memory/2960-244-0x0000000073690000-0x0000000073A54000-memory.dmp	UPX
behavioral1/memory/2844-259-0x0000000073EC0000-0x0000000073FBC000-memory.dmp	UPX
behavioral1/memory/2844-262-0x0000000073D60000-0x0000000073E7C000-memory.dmp	UPX
behavioral1/memory/2844-263-0x0000000073690000-0x0000000073A54000-memory.dmp	UPX
behavioral1/memory/2960-318-0x0000000073EC0000-0x0000000073FBC000-memory.dmp	UPX
behavioral1/memory/2960-320-0x0000000073690000-0x0000000073A54000-memory.dmp	UPX
behavioral1/memory/2960-319-0x0000000073D60000-0x0000000073E7C000-memory.dmp	UPX
behavioral1/memory/2844-362-0x0000000073D60000-0x0000000073E7C000-memory.dmp	UPX
behavioral1/memory/2844-363-0x0000000073690000-0x0000000073A54000-memory.dmp	UPX
behavioral1/memory/2844-361-0x0000000073EC0000-0x0000000073FBC000-memory.dmp	UPX
behavioral1/memory/2960-364-0x0000000073EC0000-0x0000000073FBC000-memory.dmp	UPX
behavioral1/memory/2960-365-0x0000000073D60000-0x0000000073E7C000-memory.dmp	UPX
behavioral1/memory/2960-366-0x0000000073690000-0x0000000073A54000-memory.dmp	UPX
behavioral1/files/0x0006000000016d40-367.dat	UPX
behavioral1/memory/2960-369-0x0000000072FE0000-0x00000000730C9000-memory.dmp	UPX
behavioral1/memory/2960-374-0x0000000073D60000-0x0000000073E7C000-memory.dmp	UPX
behavioral1/memory/2960-375-0x0000000073690000-0x0000000073A54000-memory.dmp	UPX
behavioral1/memory/2960-379-0x0000000073EC0000-0x0000000073FBC000-memory.dmp	UPX
behavioral1/memory/2960-382-0x0000000072FE0000-0x00000000730C9000-memory.dmp	UPX
behavioral1/memory/2960-381-0x0000000073690000-0x0000000073A54000-memory.dmp	UPX
behavioral1/memory/2960-380-0x0000000073D60000-0x0000000073E7C000-memory.dmp	UPX
behavioral1/memory/2844-384-0x0000000073D60000-0x0000000073E7C000-memory.dmp	UPX
behavioral1/memory/2844-385-0x0000000073690000-0x0000000073A54000-memory.dmp	UPX
behavioral1/memory/2844-383-0x0000000073EC0000-0x0000000073FBC000-memory.dmp	UPX
behavioral1/memory/2960-386-0x0000000073EC0000-0x0000000073FBC000-memory.dmp	UPX
behavioral1/memory/2960-388-0x0000000073690000-0x0000000073A54000-memory.dmp	UPX
behavioral1/memory/2960-390-0x0000000072DB0000-0x0000000072E99000-memory.dmp	UPX
behavioral1/memory/2960-420-0x0000000073D60000-0x0000000073E7C000-memory.dmp	UPX
behavioral1/memory/2960-421-0x0000000073690000-0x0000000073A54000-memory.dmp	UPX
behavioral1/memory/2960-419-0x0000000073EC0000-0x0000000073FBC000-memory.dmp	UPX
behavioral1/memory/2844-422-0x0000000073EC0000-0x0000000073FBC000-memory.dmp	UPX
behavioral1/memory/2844-424-0x0000000073690000-0x0000000073A54000-memory.dmp	UPX
behavioral1/memory/2844-423-0x0000000073D60000-0x0000000073E7C000-memory.dmp	UPX

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0006000000016d27-195.dat	acprotect
behavioral1/files/0x0006000000016d1f-232.dat	acprotect
behavioral1/files/0x000500000001922d-237.dat	acprotect
behavioral1/files/0x0006000000016d40-367.dat	acprotect

UPX packed file 38 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000016d27-195.dat	upx
behavioral1/files/0x0006000000016d1f-232.dat	upx
behavioral1/memory/2960-238-0x0000000073EC0000-0x0000000073FBC000-memory.dmp	upx
behavioral1/files/0x000500000001922d-237.dat	upx
behavioral1/memory/2960-241-0x0000000073D60000-0x0000000073E7C000-memory.dmp	upx
behavioral1/memory/2960-244-0x0000000073690000-0x0000000073A54000-memory.dmp	upx
behavioral1/memory/2844-259-0x0000000073EC0000-0x0000000073FBC000-memory.dmp	upx
behavioral1/memory/2844-262-0x0000000073D60000-0x0000000073E7C000-memory.dmp	upx
behavioral1/memory/2844-263-0x0000000073690000-0x0000000073A54000-memory.dmp	upx
behavioral1/memory/2960-318-0x0000000073EC0000-0x0000000073FBC000-memory.dmp	upx
behavioral1/memory/2960-320-0x0000000073690000-0x0000000073A54000-memory.dmp	upx
behavioral1/memory/2960-319-0x0000000073D60000-0x0000000073E7C000-memory.dmp	upx
behavioral1/memory/2844-362-0x0000000073D60000-0x0000000073E7C000-memory.dmp	upx
behavioral1/memory/2844-363-0x0000000073690000-0x0000000073A54000-memory.dmp	upx
behavioral1/memory/2844-361-0x0000000073EC0000-0x0000000073FBC000-memory.dmp	upx
behavioral1/memory/2960-364-0x0000000073EC0000-0x0000000073FBC000-memory.dmp	upx
behavioral1/memory/2960-365-0x0000000073D60000-0x0000000073E7C000-memory.dmp	upx
behavioral1/memory/2960-366-0x0000000073690000-0x0000000073A54000-memory.dmp	upx
behavioral1/files/0x0006000000016d40-367.dat	upx
behavioral1/memory/2960-369-0x0000000072FE0000-0x00000000730C9000-memory.dmp	upx
behavioral1/memory/2960-374-0x0000000073D60000-0x0000000073E7C000-memory.dmp	upx
behavioral1/memory/2960-375-0x0000000073690000-0x0000000073A54000-memory.dmp	upx
behavioral1/memory/2960-379-0x0000000073EC0000-0x0000000073FBC000-memory.dmp	upx
behavioral1/memory/2960-382-0x0000000072FE0000-0x00000000730C9000-memory.dmp	upx
behavioral1/memory/2960-381-0x0000000073690000-0x0000000073A54000-memory.dmp	upx
behavioral1/memory/2960-380-0x0000000073D60000-0x0000000073E7C000-memory.dmp	upx
behavioral1/memory/2844-384-0x0000000073D60000-0x0000000073E7C000-memory.dmp	upx
behavioral1/memory/2844-385-0x0000000073690000-0x0000000073A54000-memory.dmp	upx
behavioral1/memory/2844-383-0x0000000073EC0000-0x0000000073FBC000-memory.dmp	upx
behavioral1/memory/2960-386-0x0000000073EC0000-0x0000000073FBC000-memory.dmp	upx
behavioral1/memory/2960-388-0x0000000073690000-0x0000000073A54000-memory.dmp	upx
behavioral1/memory/2960-390-0x0000000072DB0000-0x0000000072E99000-memory.dmp	upx
behavioral1/memory/2960-420-0x0000000073D60000-0x0000000073E7C000-memory.dmp	upx
behavioral1/memory/2960-421-0x0000000073690000-0x0000000073A54000-memory.dmp	upx
behavioral1/memory/2960-419-0x0000000073EC0000-0x0000000073FBC000-memory.dmp	upx
behavioral1/memory/2844-422-0x0000000073EC0000-0x0000000073FBC000-memory.dmp	upx
behavioral1/memory/2844-424-0x0000000073690000-0x0000000073A54000-memory.dmp	upx
behavioral1/memory/2844-423-0x0000000073D60000-0x0000000073E7C000-memory.dmp	upx

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT	SRAppPBSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	SRManagerSOS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	SRManagerSOS.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT	SRAppPBSOS.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	SRAgentSOS.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe

Executes dropped EXE 7 IoCs

pid	Process
500	Launcher.exe
2960	SRManagerSOS.exe
2228	SRServerSOS.exe
2844	SRAgentSOS.exe
1896	SRAppPBSOS.exe
2348	SRFeatureSOS.exe
3008	SRUtilitySOS.exe

Loads dropped DLL 20 IoCs

pid	Process
500	Launcher.exe
2960	SRManagerSOS.exe
2960	SRManagerSOS.exe
2960	SRManagerSOS.exe
2960	SRManagerSOS.exe
2960	SRManagerSOS.exe
2960	SRManagerSOS.exe
2844	SRAgentSOS.exe
2960	SRManagerSOS.exe
2228	SRServerSOS.exe
2844	SRAgentSOS.exe
2844	SRAgentSOS.exe
2844	SRAgentSOS.exe
2960	SRManagerSOS.exe
2348	SRFeatureSOS.exe
2348	SRFeatureSOS.exe
2348	SRFeatureSOS.exe
2348	SRFeatureSOS.exe
2960	SRManagerSOS.exe
2960	SRManagerSOS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2036	schtasks.exe

Modifies data under HKEY_USERS 53 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	SRManagerSOS.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name = "SRFeatureSOS.exe"	SRFeatureSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\GDIPlus	SRServerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	SRFeatureSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	SRManagerSOS.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	SRManagerSOS.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\GDIPlus\FontCachePath = "C:\\Users\\Admin\\AppData\\Local"	SRServerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT	SRManagerSOS.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion	SRManagerSOS.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	SRManagerSOS.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	SRManagerSOS.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	SRManagerSOS.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	SRManagerSOS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	SRManagerSOS.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	SRManagerSOS.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 04000000010000001000000091de0625abdafd32170cbb25172a84670300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e309000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	SRManagerSOS.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee404000000010000001000000091de0625abdafd32170cbb25172a846720000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	SRManagerSOS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe
2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe
2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe
2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe
2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe
2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe
2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe
2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe
2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe
2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe
2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe
2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe
2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe
2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe
2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe
2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe
2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe
2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe
2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe
2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe
2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe
2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe
2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe
2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe
2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe
2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe
2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe
2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe
2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe
2960	SRManagerSOS.exe
2960	SRManagerSOS.exe
2960	SRManagerSOS.exe
2960	SRManagerSOS.exe
2960	SRManagerSOS.exe
2844	SRAgentSOS.exe
1896	SRAppPBSOS.exe
1896	SRAppPBSOS.exe
1896	SRAppPBSOS.exe
1896	SRAppPBSOS.exe
1896	SRAppPBSOS.exe
1896	SRAppPBSOS.exe
1896	SRAppPBSOS.exe
1896	SRAppPBSOS.exe
1896	SRAppPBSOS.exe
1896	SRAppPBSOS.exe
1896	SRAppPBSOS.exe
1896	SRAppPBSOS.exe
1896	SRAppPBSOS.exe
2960	SRManagerSOS.exe
2960	SRManagerSOS.exe
2960	SRManagerSOS.exe
3008	SRUtilitySOS.exe
3008	SRUtilitySOS.exe
3008	SRUtilitySOS.exe
3008	SRUtilitySOS.exe
3008	SRUtilitySOS.exe
3008	SRUtilitySOS.exe
1896	SRAppPBSOS.exe
2960	SRManagerSOS.exe
2960	SRManagerSOS.exe
2960	SRManagerSOS.exe
2960	SRManagerSOS.exe
2960	SRManagerSOS.exe
2960	SRManagerSOS.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2844	SRAgentSOS.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe
2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe
2228	SRServerSOS.exe
1896	SRAppPBSOS.exe
1896	SRAppPBSOS.exe
2228	SRServerSOS.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2652	2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe	28
PID 2172 wrote to memory of 2652	2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe	28
PID 2172 wrote to memory of 2652	2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe	28
PID 2172 wrote to memory of 2652	2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe	28
PID 2652 wrote to memory of 2560	2652	cmd.exe	30
PID 2652 wrote to memory of 2560	2652	cmd.exe	30
PID 2652 wrote to memory of 2560	2652	cmd.exe	30
PID 2172 wrote to memory of 1228	2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe	31
PID 2172 wrote to memory of 1228	2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe	31
PID 2172 wrote to memory of 1228	2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe	31
PID 2172 wrote to memory of 1228	2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe	31
PID 1228 wrote to memory of 2036	1228	cmd.exe	33
PID 1228 wrote to memory of 2036	1228	cmd.exe	33
PID 1228 wrote to memory of 2036	1228	cmd.exe	33
PID 2172 wrote to memory of 2108	2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe	34
PID 2172 wrote to memory of 2108	2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe	34
PID 2172 wrote to memory of 2108	2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe	34
PID 2172 wrote to memory of 2108	2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe	34
PID 2108 wrote to memory of 1856	2108	cmd.exe	36
PID 2108 wrote to memory of 1856	2108	cmd.exe	36
PID 2108 wrote to memory of 1856	2108	cmd.exe	36
PID 2172 wrote to memory of 1864	2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe	37
PID 2172 wrote to memory of 1864	2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe	37
PID 2172 wrote to memory of 1864	2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe	37
PID 2172 wrote to memory of 1864	2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe	37
PID 1864 wrote to memory of 1840	1864	cmd.exe	39
PID 1864 wrote to memory of 1840	1864	cmd.exe	39
PID 1864 wrote to memory of 1840	1864	cmd.exe	39
PID 2172 wrote to memory of 1356	2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe	41
PID 2172 wrote to memory of 1356	2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe	41
PID 2172 wrote to memory of 1356	2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe	41
PID 2172 wrote to memory of 1356	2172	2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe	41
PID 1356 wrote to memory of 1412	1356	cmd.exe	44
PID 1356 wrote to memory of 1412	1356	cmd.exe	44
PID 1356 wrote to memory of 1412	1356	cmd.exe	44
PID 1744 wrote to memory of 500	1744	taskeng.exe	43
PID 1744 wrote to memory of 500	1744	taskeng.exe	43
PID 1744 wrote to memory of 500	1744	taskeng.exe	43
PID 1744 wrote to memory of 500	1744	taskeng.exe	43
PID 1744 wrote to memory of 500	1744	taskeng.exe	43
PID 1744 wrote to memory of 500	1744	taskeng.exe	43
PID 1744 wrote to memory of 500	1744	taskeng.exe	43
PID 500 wrote to memory of 2960	500	Launcher.exe	46
PID 500 wrote to memory of 2960	500	Launcher.exe	46
PID 500 wrote to memory of 2960	500	Launcher.exe	46
PID 500 wrote to memory of 2960	500	Launcher.exe	46
PID 500 wrote to memory of 2960	500	Launcher.exe	46
PID 500 wrote to memory of 2960	500	Launcher.exe	46
PID 500 wrote to memory of 2960	500	Launcher.exe	46
PID 2960 wrote to memory of 2228	2960	SRManagerSOS.exe	47
PID 2960 wrote to memory of 2228	2960	SRManagerSOS.exe	47
PID 2960 wrote to memory of 2228	2960	SRManagerSOS.exe	47
PID 2960 wrote to memory of 2228	2960	SRManagerSOS.exe	47
PID 2960 wrote to memory of 2844	2960	SRManagerSOS.exe	48
PID 2960 wrote to memory of 2844	2960	SRManagerSOS.exe	48
PID 2960 wrote to memory of 2844	2960	SRManagerSOS.exe	48
PID 2960 wrote to memory of 2844	2960	SRManagerSOS.exe	48
PID 2960 wrote to memory of 2844	2960	SRManagerSOS.exe	48
PID 2960 wrote to memory of 2844	2960	SRManagerSOS.exe	48
PID 2960 wrote to memory of 2844	2960	SRManagerSOS.exe	48
PID 2960 wrote to memory of 1896	2960	SRManagerSOS.exe	49
PID 2960 wrote to memory of 1896	2960	SRManagerSOS.exe	49
PID 2960 wrote to memory of 1896	2960	SRManagerSOS.exe	49
PID 2960 wrote to memory of 1896	2960	SRManagerSOS.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-23_85663857ec7c70482d07af1483ddad0a_icedid.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c C:\Windows\system32\expand.exe *.cab /f:* .\
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\system32\expand.exe
    C:\Windows\system32\expand.exe *.cab /f:* .\
    3⤵
    - Drops file in Windows directory
    PID:2560
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Windows\system32\schtasks.exe
    schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
    3⤵
    - Creates scheduled task(s)
    PID:2036
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
    3⤵
    PID:1856
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c schtasks /run /tn ASOS1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\system32\schtasks.exe
    schtasks /run /tn ASOS1
    3⤵
    PID:1840
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c schtasks /delete /f /tn ASOS1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /f /tn ASOS1
    3⤵
    PID:1412

C:\Windows\system32\taskeng.exe
taskeng.exe {1340449A-8D98-4E51-BF54-8D958A609A4A} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe
  C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe SRManagerSOS.exe 1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:500
- - C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe
    "SRManagerSOS.exe"
    3⤵
    - Drops file in System32 directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies data under HKEY_USERS
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe
      SRServerSOS.exe -s
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:2228
  - - C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe
      "C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe"
      4⤵
      Drops file in Windows directory
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2844
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\Temp\bd2_request_dc37f198671f08.bat
        5⤵
        
        PID:2896
  - - C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe
      "C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe"
      4⤵
      Drops file in System32 directory
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1896
  - - C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe
      "C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies data under HKEY_USERS
      PID:2348
    - - C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe
        
        SRUtilitySOS.exe -r
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\splashtop\sos\01_sysinfo.txt

Filesize
445B

MD5
776dee4ed64ec77dff419d568e32cfc5

SHA1
5b399ed0528a13da0c87de41ebf33ae6e54c2b5f

SHA256
c3f4a8c6f0b8a6908ae5755a880433b09fac25efea62dc8367faa980febf7f29

SHA512
7d5119db05a0f13911bfa49652746b87f3c790c398e57e3887d383ea1ba6837fe1443f1ca3108851d6bdc045ce2778304ebfa8d3050bd17486b4985d1f36a0f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpack1.log

Filesize
5KB

MD5
c6826207c4bf6c668e7aa00976c29c00

SHA1
49dd96892268f28800860664ee06a8f13c8d7c19

SHA256
bc62d8ceebdd849543349cae77aabf1046f3fff48b872c48345561b3ee840bdb

SHA512
c8a96ddfe0e1e2eecdc45b9ffbcdeca3d941cc17928bd355f18ebb76248d8375e6bfcdc5d866af091afb04ff7511208b11789e5f20cc1753844927a9b7b3631d

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.cloudbuild.check

Filesize
398B

MD5
f83957bb293fc2978e31680ab43537f5

SHA1
29ff05fa4a57023f651da151405d74608e78617f

SHA256
392a57a9e2558699420d80e295e8f62a4223dd5e0b4b2a919516432171dfdc82

SHA512
b0a56b8dd148ae58d52e91bafd3ba312622538a5858f3c36de843841783114b8a7b79976dbddc1e5b3cd5929caa32b104bcaf615f02add499b367a870a766f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.cloudbuild.check.rsa

Filesize
256B

MD5
e6269ee6949b35138f5402c8cabc2636

SHA1
2c37df0ed3fa671c1719422264aba5820d5aa461

SHA256
2369432752920d5d0063dbae8f015b80a4928761bda26aad888905c2bbb27a53

SHA512
bcbdf5ebc92f764515a553e2a71dac97bf063eed2bce7f12ae44487946fa360c8022ce8ee7251947c06da6f7a4b51ddebd673f77569d056cadfb42af9becaaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.config.json

Filesize
301B

MD5
fa42b7c1de13ab12835f2dff8aae701a

SHA1
cd4625374907ca24a2aef5c334009ba443d14e8b

SHA256
37535f7755a008d41e43f39861ee605939e99778e12e98c7a5e19e0efa1badc5

SHA512
8792bad9925a453e064e48dae8838010e30e5ff4fed96926aa6500c1a3564512d076dbed695fecda75f407bf2cae9eb2ae3b089b450da14e8d7cc58e52e8b550

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.init_setting.ini

Filesize
149B

MD5
fbe7f6b5c3b5dac2991f63deeee2fb90

SHA1
3f786b889db8eb6d6761f5b83b301b776f9bb0b6

SHA256
a85bf13feb451ec8cd59b24bf680e364014fb0b0cb96713cfbc5e8719c210b88

SHA512
e1f409d220a7b3928fbf3f152d0af3c700132df694b345eed694c63f3ae29b9253bafe77c0ab66b6a596c24a3dc93f844bd0a3b67b06c258e67cdfd0221b6b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\.splashtop.sostheme

Filesize
259KB

MD5
99868ffd7f9ab07f1eb57a29e72c575e

SHA1
1beb7b2f652a08da8b4cc0b7c820b5c36e369f22

SHA256
1af432236f8c9d323b13bb0bac5a0f1f3e85e87e1f4763e40041788d7f256db6

SHA512
da1a939cdf4deb4ce0c42c49259db0676581fce4667066e6d56a2745c5a5a335dccfdad6b18acde707f63f9566a89d547a75bbfd5db317645fc83ca36f28598d

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\ASOS.xml

Filesize
2KB

MD5
8ce869f7dbbb2e38c8de76716e49b8a5

SHA1
de73a6b80fca67b06a7e1fec1904095d61b7b864

SHA256
1008bce6f93a3863164b0fea34bea07bd6ce304dffafac5615dc52bbb675bd47

SHA512
98afa1fe513beb31bca44e56fe40f0a049d3bb0ccc7cf4997b8fb2631774131c7232072e733674a3ed6771201d53788e94d595e8254a5ffc4d6cc45ff93417af

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\Launcher.exe

Filesize
184KB

MD5
32a3a51737c2c4f3b9dee22232094281

SHA1
4339a2270046c212b98ebf34a11d3c44d3bb93a4

SHA256
88d8fcf859d87a7632bd6169bfcc0aa4a09e9f5e5f5e7f89f138c17c936bcbba

SHA512
df2f77b1f96786025460efd175e2eff247dac94f11400489d1471f70190119fdb75f4c65c60862798f972603ecdcb1d3a32593423573415d36c117d2b60f0811

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAgentSOS.exe

Filesize
1.9MB

MD5
d5e99fcfd957ba6595028b446a1f2ce0

SHA1
814da1b2a8624fe85f9ed2aff811fa02578ed5e6

SHA256
8905e07705ca098285ed47f46320c9c74324c94f9c587e6c9a4b9060abfa6573

SHA512
c7dbf4e5ef5e076c79d978df19ecad570bf1539545f6de462e3fec79ae056f9c7d885e6a02925fe4819d93eea1889cefaa4e3ae58b4cfa9fb96c373a8fb35a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRAppPBSOS.exe

Filesize
2.7MB

MD5
37a02488a13c46ac55507dd1ab6db8c2

SHA1
2ea871bac60664a62695c19f83370822a1275f0d

SHA256
a3809d0ca724019bdf2a255d4846a94bd89d8dbe97f596394a5e5e944625941b

SHA512
dd60203bedec4ea8c0fca24d8d97f8e41d2018c0defc5aeb82a9de607908a1c5c66a1c436b3d36128a3b5dbfe70e698292ec523122ddb43db0669bf62d68619c

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRClient.pem

Filesize
5KB

MD5
a8b2b3d6c831f120ce624cff48156558

SHA1
202db3bd86f48c2a8779d079716b8cc5363edece

SHA256
33fe8889070b91c3c2e234db8494fcc174ecc69cfff3d0bc4f6a59b39c500484

SHA512
3b1fc8910b462ea2e3080418428795ca63075163e1e42a7136fa688aa2e130f5d3088ab27d18395c8c0a4d76bdc5ed95356255b8c29d49116e4743d269c97bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRFeatureSOS.exe

Filesize
4.6MB

MD5
60d2ee18e478806ff110a4fe193dcb98

SHA1
1516889362609647400130387795d307ab7e14f6

SHA256
8b5f07b1f657767aef3582ba65bcfdc57d875dce75badf1c94a792273e0e67c4

SHA512
a5fe610c7ed4488533d12d57a8eac70fcb7948a1073088df0c6eebb24c2124bcc71ab38006ee36c57f2dc4b260284c4751001d72ce66fcdd16a33ae16a4e7d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\SRManagerSOS.exe

Filesize
1.8MB

MD5
ef3d48811d4f0de86b52a2c475abd1c1

SHA1
abf323203580db1312d883d6895d745f17e10f50

SHA256
e32a1e2e82df93fdc06d8e27ef37d10ddc080499a885413614d8c24c5fcbe803

SHA512
b0cd96d492acde0d4127d920a2cb481a9b3ba2d62e89d2973dbee0dd9a0b6f964957c2eede8c0977c49595a1b22d0596ea9215060168d0b608ec046d6390b687

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\db\SRAgent.sqlite3

Filesize
80KB

MD5
f9259c32cd1270b51df1a9f7a1533996

SHA1
6488c281148b4bbb4f4333ae82ab33f5e55e079d

SHA256
c82f7df207f8bb29439d6f217eb90d073ed7aa7f64024a197451e774c26ed542

SHA512
c31ecb2097a3e51b8742ff95711d4e864df33ac557af9929ed11f1f1f889e6c031385ebb8618af681b1d761abedbb2db1fd9014742f82190987fd104018d0e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\default.ico

Filesize
26KB

MD5
ea50be5db2b49f722fe5b0d817c2a2f5

SHA1
d6a246584496802e8ff683ced328605555852d40

SHA256
357539fdf4e97024160b3140128374ffd9331545301050e22aa9bed8295fd67c

SHA512
9ea4da7d4b49da60d4bbc247990a15f607bc277cac3aa5c08146a930aad79365a3cb31cb566a8406a6d0f15803abca198cdd74ef720395edf98648d8c3e9ddbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libcrypto-3.dll

Filesize
1.3MB

MD5
f58b304e6365803f23015a5167e17685

SHA1
2f58dc9e96777c88470ff0d2851ca2b87a5d87d3

SHA256
e3ca59af6ccef92364b5f45a62f51e27c1811e4e548b8f33abbdd881c89440b7

SHA512
74f54095d4728e1b35229830277df46b2035cf03f291268b74738805c2b4b2ba1d0eca27dae18005a7535c41b56f6e32f1f4d97e92edaaf93844f3d511645e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libcurl.dll

Filesize
365KB

MD5
278d7f9c9a7526f35e1774cca0059c36

SHA1
423f1ebd3cbd52046a16538d6baa17076610cb2f

SHA256
12177dae5e123526e96023a48752ae0cb47e9f6eeafc20960f5a95ca6052d1b8

SHA512
75f8c4856fb04b2d5e491f32584f0aaefa0d42356e12320cbcb67df48e59c7f644512c2c5146fd7791c2ccb770fd709a8d8e4c72eafb74c39e1336accb49a044

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\libssl-3.dll

Filesize
333KB

MD5
bfdb73b4a7fa7b3d27eaf8d2fd937200

SHA1
7cdafc8818f755f5a08f29c4832e1533619a8124

SHA256
88562d56a6267c22f33de322c45b96e7674afe992aaf1c36eaba9437b81329e9

SHA512
d7573491772bd6ca6e57530d7991957deeb1cc5b5f798ce94875a66a6033ba415281b44f0bb66a05424c29b5d1ac3cac3600adccfc871e218381a4e59f082cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\unpacksos\1\streamer1.cab

Filesize
16.0MB

MD5
ec263b3f34ec1eea687aaab1b13f56a3

SHA1
d11997c04672f3486818adaf271a59362d0956b6

SHA256
9432866a4966d2e613be7ec8819df33dde9e7f937a2a30a299843561bd870ced

SHA512
20a84a12f46a84ef1c327814cfef8f1bd1b23c0486046210d782e2c8b382fc72b1c8809b6fdd8d60de85339620dd6d4b75c83cd07887bac56162f89d027f8658

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Windows\Temp\Tar5B6E.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\Temp\bd2_request_dc37f198671f08.bat

Filesize
160B

MD5
5b68d9952bc6f02deebf787b97955c42

SHA1
237823cd864a8ef8bfbba89308cc704ee0257c80

SHA256
af511923cdb88b99bd2d29ecbf6d3bc5061cf22c3288adda1107251fd88eba24

SHA512
6f9ec4e5b7ebc11873d7126eaab98de0a3b81b0892c69fa378798b8dd04cee055641c54f406d90c13b251ae17cf58e63c587af06cfb3599aeb5369424c26e016

Download Submit
\Users\Admin\AppData\Local\Temp\unpacksos\1\SRServerSOS.exe

Filesize
5.1MB

MD5
e309206a05f66b69b335a26b9e36191e

SHA1
75c627e7d6daf69998a3a70e64d57ccb702162bd

SHA256
fc85cdc2eee8dbffddcbc7a2d6e79fc089d45bfeb9c72e7063c204389fa5396e

SHA512
2ef387a269048747ba3dfcdc24f14e3f80235f68300a1228a42ec595cbb98817da6a8c0d97ff8fa4bd58b5376f518878979583492955a8ffc50f2b002aa2f7e3

Download Submit
\Users\Admin\AppData\Local\Temp\unpacksos\1\SRSocketCtrl.dll

Filesize
393KB

MD5
a8103e8faa022f5a5b523acd1f7a26d7

SHA1
06f6fb7de6dacfc963300231bfd55e063b86c710

SHA256
5c076c33385c1d5df228745e92583c0fcdf97bd86ee7e8958cb71bade9393d91

SHA512
498bb01d1ccd961ab0b36d06cf11763f8b528b78daa3ac9673769ed5342fe63b98033394094f2241314305b1134f5a48cf66521e032a21b516e48d3897aaf7c6

Download Submit
\Users\Admin\AppData\Local\Temp\unpacksos\1\SRUtilitySOS.exe

Filesize
156KB

MD5
042d1c68ab126e5d2b7fba044502d779

SHA1
9229992bec3d2bf16373f9197d2e08ecd59e2b9a

SHA256
d615ccba493af0e7a21ccf5b344de265e0a582a5499150e5f443a74e64463fb5

SHA512
75074fe535ec18b6b72eac0e565b0b42f8b9ffb3178ec56e0526ddf6ab631dcf0544c531401fa416f435ee238c3cb14c275800024c54fd6209b86f9dde358a4f

Download Submit
\Users\Admin\AppData\Local\Temp\unpacksos\1\avutil-55.dll

Filesize
548KB

MD5
a9a9d31764b50858a01b1fb228406f06

SHA1
7a313c46f049287045992f54f9d6eda9db568ef8

SHA256
c0babd7670124bb298d3ba6a8ee5ae33ad1030c08a18d8b8861f5d83003eb645

SHA512
164d5497aa91a5b4742a291f589400bc0b189af946615a2f04e6cfd1ed598a542f7521e4dd79aab99414846a3c391255309f911c247ef446a0483d9fab6efdfc

Download Submit
\Users\Admin\AppData\Local\Temp\unpacksos\1\dbghelp.dll

Filesize
1.0MB

MD5
eeda10135ede6edb5c85df3bd878e557

SHA1
8a1059dfd641269945e7a2710b684881bb63e8d2

SHA256
4b890de3708716d81c1c719b498734339d417e8ffc4955d81483d1ebc0f84697

SHA512
a56bfc73537e36efba8e09ffd0b2f6bfc56bc4cb4fe90b52858c7afd5d67db23ccba51c8097befe4ecb5082ba66c2b2612e2975ef3448252c48b97f41d12d591

Download Submit
\Users\Admin\AppData\Local\Temp\unpacksos\1\swresample-2.dll

Filesize
190KB

MD5
4a2f597c15ad595cfd83f8a34a0ab07a

SHA1
7f6481be6ddd959adde53251fa7e9283a01f0962

SHA256
5e756f0f1164b7519d2269aa85e43b435b5c7b92e65ed84e6051e75502f31804

SHA512
0e868ad546a6081de76b4a5cdcc7d457b2f0fb7239dc676c17c46a988a02696b12a9c3a85f627c76e6524f9a3ed25f2d9b8e8764d7e18fc708ead4475591946f

Download Submit
memory/2844-262-0x0000000073D60000-0x0000000073E7C000-memory.dmp

Filesize
1.1MB

Download
memory/2844-259-0x0000000073EC0000-0x0000000073FBC000-memory.dmp

Filesize
1008KB

Download
memory/2844-423-0x0000000073D60000-0x0000000073E7C000-memory.dmp

Filesize
1.1MB

Download
memory/2844-424-0x0000000073690000-0x0000000073A54000-memory.dmp

Filesize
3.8MB

Download
memory/2844-422-0x0000000073EC0000-0x0000000073FBC000-memory.dmp

Filesize
1008KB

Download
memory/2844-383-0x0000000073EC0000-0x0000000073FBC000-memory.dmp

Filesize
1008KB

Download
memory/2844-263-0x0000000073690000-0x0000000073A54000-memory.dmp

Filesize
3.8MB

Download
memory/2844-385-0x0000000073690000-0x0000000073A54000-memory.dmp

Filesize
3.8MB

Download
memory/2844-362-0x0000000073D60000-0x0000000073E7C000-memory.dmp

Filesize
1.1MB

Download
memory/2844-363-0x0000000073690000-0x0000000073A54000-memory.dmp

Filesize
3.8MB

Download
memory/2844-361-0x0000000073EC0000-0x0000000073FBC000-memory.dmp

Filesize
1008KB

Download
memory/2844-384-0x0000000073D60000-0x0000000073E7C000-memory.dmp

Filesize
1.1MB

Download
memory/2960-241-0x0000000073D60000-0x0000000073E7C000-memory.dmp

Filesize
1.1MB

Download
memory/2960-238-0x0000000073EC0000-0x0000000073FBC000-memory.dmp

Filesize
1008KB

Download
memory/2960-365-0x0000000073D60000-0x0000000073E7C000-memory.dmp

Filesize
1.1MB

Download
memory/2960-369-0x0000000072FE0000-0x00000000730C9000-memory.dmp

Filesize
932KB

Download
memory/2960-374-0x0000000073D60000-0x0000000073E7C000-memory.dmp

Filesize
1.1MB

Download
memory/2960-375-0x0000000073690000-0x0000000073A54000-memory.dmp

Filesize
3.8MB

Download
memory/2960-379-0x0000000073EC0000-0x0000000073FBC000-memory.dmp

Filesize
1008KB

Download
memory/2960-382-0x0000000072FE0000-0x00000000730C9000-memory.dmp

Filesize
932KB

Download
memory/2960-381-0x0000000073690000-0x0000000073A54000-memory.dmp

Filesize
3.8MB

Download
memory/2960-380-0x0000000073D60000-0x0000000073E7C000-memory.dmp

Filesize
1.1MB

Download
memory/2960-364-0x0000000073EC0000-0x0000000073FBC000-memory.dmp

Filesize
1008KB

Download
memory/2960-366-0x0000000073690000-0x0000000073A54000-memory.dmp

Filesize
3.8MB

Download
memory/2960-244-0x0000000073690000-0x0000000073A54000-memory.dmp

Filesize
3.8MB

Download
memory/2960-386-0x0000000073EC0000-0x0000000073FBC000-memory.dmp

Filesize
1008KB

Download
memory/2960-388-0x0000000073690000-0x0000000073A54000-memory.dmp

Filesize
3.8MB

Download
memory/2960-390-0x0000000072DB0000-0x0000000072E99000-memory.dmp

Filesize
932KB

Download
memory/2960-420-0x0000000073D60000-0x0000000073E7C000-memory.dmp

Filesize
1.1MB

Download
memory/2960-421-0x0000000073690000-0x0000000073A54000-memory.dmp

Filesize
3.8MB

Download
memory/2960-419-0x0000000073EC0000-0x0000000073FBC000-memory.dmp

Filesize
1008KB

Download
memory/2960-319-0x0000000073D60000-0x0000000073E7C000-memory.dmp

Filesize
1.1MB

Download
memory/2960-320-0x0000000073690000-0x0000000073A54000-memory.dmp

Filesize
3.8MB

Download
memory/2960-318-0x0000000073EC0000-0x0000000073FBC000-memory.dmp

Filesize
1008KB

Download